Re: Need help with PGP signature verification
On Sun, Oct 8, 2023 at 14:39 Thomas Schmitt wrote:
> Hi,

Thanks, Thomas. I did get the signers' key fingerprints from their personal github pages.

I would go the full security route if it were only my use I'm concerned with, but I'm working on a Raku module for others and I don't want them to be held up by having to fumble with key trust before at least downloading the files with a first order check with data I can provide.

I'll make sure to document exactly what I'm providing.

Best regards,

-Tom
Re: Need help with PGP signature verification
"Thomas Schmitt" wrote:
> Hi,
>
> Tom Browder wrote:
> > I'm willing to trust published PGP key fingerprints for signers of
> > Rakudo downloadable files.
>
> Do i get it right that you talk about https://rakudo.org/downloads ?
>
> > Question: How can I get the fingerprint from the downloads?
> > The products I download are (1) the file of interest, (2) a PGP
> > signed checksums file with various shaX hashes for the file, and
> > (3) a separate file containing a PGP signature.
>
> The "Verify" button at above web page leads to
> https://rakudo.org/downloads/verifying
> which explains how to use sha256 and gpg2 for verification.
> Most importantly it lists the fingerprints of the four "Keys of the
> releasers". If gpg2 --verify reports any other fingerprint, then
> the .asc file cannot be trusted.
>
> (It is not overly trustworthy that fingerprints and the signed files
> are offered on the same web site. Once the site is compromised, both
> can be manipulated by the attacker.)

That's why the page suggests that the developers also list their fingerprints on their github pages, I suspect. Which they do.
Re: Need help with PGP signature verification
Hi,

Tom Browder wrote:
> I found a usable answer. Run "gpg file.asc" and the output shows the two
> fingerprints: the primary key fingerprint and the subkey fingerprint.

Wow, that's surprising.
But indeed the man page says:

  COMMANDS
  ...
  gpg may be run with no commands, in which case it will perform a reasonable action depending on the type of file it is given as input (an encrypted message is decrypted, a signature is verified, a file containing keys is listed).

Have a nice day :)

Thomas
Re: Need help with PGP signature verification
On Sun, Oct 8, 2023 at 05:13 Tom Browder wrote:
> On Sun, Oct 8, 2023 at 3:29 AM DdB wrote:
> > On 08.10.2023 at 01:16, Tom Browder wrote:
> > > I'm willing to trust published PGP key fingerprints for signers of
> > > Rakudo downloadable files.
> > > Question: How can I get the fingerprint from the downloads?

I found a usable answer. Run "gpg file.asc" and the output shows the two fingerprints: the primary key fingerprint and the subkey fingerprint.

I wish there was a PGP cookbook around somewhere.

Thanks, all.

-Tom
Re: Need help with PGP signature verification
Hi,

maybe

  gpg --keyid-format long --verify signature_file.asc /some/dummy/file

this gives me the last 16 characters of the fingerprint. Like:

  gpg:using key E9CBDFC0ABC0A854

with a matching payload file i get something like:

  Primary key fingerprint: 44BC 9FD0 D688 EB00 7C4D D029 E9CB DFC0 ABC0 A854

Have a nice day :)

Thomas
Re: Need help with PGP signature verification
On Oct 08, 2023, Tom Browder wrote:
> On Sun, Oct 8, 2023 at 3:29 AM DdB wrote:
> > On 08.10.2023 at 01:16, Tom Browder wrote:
> > > I'm willing to trust published PGP key fingerprints for signers of
> > > Rakudo downloadable files.
> > > Question: How can I get the fingerprint from the downloads?
> > There is more than just one way to achieve this, first result from
>
> I should have been more specific. I have the following:
>
> -----BEGIN PGP SIGNATURE-----
>
> iHUEABYKAB0WIQTdpb2j9c3OmfntVsEsxulzgY84awUCZQ1GBgAKCRAsxulzgY84
> a+jhAQCZ0lLh1EnB1AwrgW0zPBp801OOeJ2QUiDBOGXBbrl/7QD/ZQe738sF2tCR
> 43SAvJOfT3b4YpGdfSUj9F7XNDoovQM=
> =mNqK
> -----END PGP SIGNATURE-----
>
> I need the fingerprint from that to compare with the fingerprints I
> know from Github to see if it's from the same key.

No, you just need the key(s) from the developer(s). Assuming you've not accidentally tampered with the files, you'll be able to verify this signature with a command like "gpg --verify shasum.txt.gpg shasum.txt". You'll get a message to the effect of

  Signature made [some-date-here] using RSA Key [fingerprint-here]
  Good signature from "Some Person's GPG Key Name"

NOTE -- you MAY also receive some lines to the effect of

  WARNING: This key is not trusted, the authenticity of the signature cannot be verified.

As with checking a Debian ISO (or other Linux distro that uses this style of verification), this is nothing to be worried about, it's just GPG informing you that it doesn't have any information as to whether you actually "trust" the key (either through you explicitly signing / trusting the key, or trust being derived through the GPG Web of Trust). It's roughly the GPG equivalent of a web browser going "WARNING - Self Signed Certificate".

Anyway, once you're done with this; then you know the sha256 checksum file is the one the developers intended you to get; and you can use it to check the *iso file.

Probably something like "sha256sum --ignore-missing -c sha256sum.txt"

HTH :)

--
|_|O|_|
|_|_|O|  Github: https://github.com/dpurgert
|O|O|O|  PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860
Re: Need help with PGP signature verification
On Sun, Oct 8, 2023 at 3:29 AM DdB wrote:
> On 08.10.2023 at 01:16, Tom Browder wrote:
> > I'm willing to trust published PGP key fingerprints for signers of
> > Rakudo downloadable files.
> > Question: How can I get the fingerprint from the downloads?
> There is more than just one way to achieve this, first result from

I should have been more specific. I have the following:

-----BEGIN PGP SIGNATURE-----

iHUEABYKAB0WIQTdpb2j9c3OmfntVsEsxulzgY84awUCZQ1GBgAKCRAsxulzgY84
a+jhAQCZ0lLh1EnB1AwrgW0zPBp801OOeJ2QUiDBOGXBbrl/7QD/ZQe738sF2tCR
43SAvJOfT3b4YpGdfSUj9F7XNDoovQM=
=mNqK
-----END PGP SIGNATURE-----

I need the fingerprint from that to compare with the fingerprints I know from Github to see if it's from the same key.

I think using openssl might be the easiest, but all the tools seem to have a huge number of options and a vocabulary that's very malleable.

Thanks.

-Tom
Re: Need help with PGP signature verification
Hi,

Tom Browder wrote:
> I'm willing to trust published PGP key fingerprints for signers of Rakudo
> downloadable files.

Do i get it right that you talk about https://rakudo.org/downloads ?

> Question: How can I get the fingerprint from the downloads?
> The products I download are (1) the file of interest, (2) a PGP signed
> checksums file with various shaX hashes for the file, and (3) a separate
> file containing a PGP signature.

The "Verify" button at above web page leads to
  https://rakudo.org/downloads/verifying
which explains how to use sha256 and gpg2 for verification.
Most importantly it lists the fingerprints of the four "Keys of the releasers". If gpg2 --verify reports any other fingerprint, then the .asc file cannot be trusted.

(It is not overly trustworthy that fingerprints and the signed files are offered on the same web site. Once the site is compromised, both can be manipulated by the attacker.)

Have a nice day :)

Thomas
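Added example, not part of any message in this thread: one way to script the check described above, accepting a detached signature only when gpg's machine-readable status output (`--status-fd`) reports a valid signature whose primary-key fingerprint is in a pinned list obtained from an independent channel. The function names, fingerprints and sample status lines are constructed for illustration, and rejecting on any BADSIG, ERRSIG, EXPSIG, EXPKEYSIG or REVKEYSIG line is this example's own policy choice.

```shell
#!/bin/sh
# Added example: decide on gpg's [GNUPG:] status lines, not on the
# human-readable "Good signature" text, and pin by full fingerprint.

# Fingerprints in the spaced form used on web pages (constructed, not real keys).
PIN_SPACED='AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA'
OTHER_SPACED='CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC'
SUBKEY_SPACED='BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB'

# Strip blanks and upper-case, so a pasted fingerprint matches gpg's hex form.
normalize_fpr() { printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'; }

PRIMARY=$(normalize_fpr "$PIN_SPACED")
OTHER=$(normalize_fpr "$OTHER_SPACED")
SUBKEY=$(normalize_fpr "$SUBKEY_SPACED")
KEYID=$(printf '%s' "$SUBKEY" | cut -c25-40)   # long key ID = last 16 hex digits

# check_pinned PIN...: read `gpg --status-fd` lines on stdin. Succeeds and
# prints the matching fingerprint only if a VALIDSIG line names a pinned
# primary key and no line reports a bad, unverifiable, expired or revoked one.
# VALIDSIG fields: $3 = fingerprint of the signing (sub)key,
#                  $12 = primary key fingerprint (absent on very old gpg).
check_pinned() {
    pins=""
    for p in "$@"; do
        pins="$pins $(normalize_fpr "$p")"
    done
    awk -v pins="$pins" '
        BEGIN { n = split(pins, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            fpr = (NF >= 12) ? $12 : $3
            if (fpr in ok) hit = fpr
        }
        END {
            if (bad || hit == "") exit 1
            print hit
        }'
}

# verify_pinned SIGFILE DATAFILE PIN...: run gpg and apply the check.
# The signer's public key must already be in the keyring; without it gpg
# emits ERRSIG/NO_PUBKEY and the check fails closed.
# Usage: verify_pinned file.asc file "$PIN_SPACED" && echo accepted
verify_pinned() {
    sig=$1; data=$2; shift 2
    gpg --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null |
        check_pinned "$@"
}

# sample_status FPR|nokey: constructed status output for offline testing.
# FPR is used as the primary-key fingerprint of a valid signature; "nokey"
# imitates verification without the signer's public key.
sample_status() {
    case $1 in
    nokey)
        cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG $KEYID 22 10 00 1696750000 9 $SUBKEY
[GNUPG:] NO_PUBKEY $KEYID
EOF
        ;;
    *)
        cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG $KEYID Example Releaser <releaser@example.org>
[GNUPG:] VALIDSIG $SUBKEY 2023-10-08 1696750000 0 4 0 22 10 00 $1
EOF
        ;;
    esac
}
```

A valid signature from a key that is not pinned is rejected just like a missing key, which is the "any other fingerprint" case from the message above.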
Re: Need help with PGP signature verification
On 08.10.2023 at 01:16, Tom Browder wrote:
> I'm willing to trust published PGP key fingerprints for signers of
> Rakudo downloadable files.
>
> Question: How can I get the fingerprint from the downloads?
>
> The products I download are (1) the file of interest, (2) a PGP signed
> checksums file with various shaX hashes for the file, and (3) a separate
> file containing a PGP signature.
>
> Thanks so much.
>
> -Tom

There is more than just one way to achieve this, first result from G**-search returns:
https://superuser.com/questions/1297670/how-do-i-check-gpg-signature-given-only-the-fingerprint-and-key-id
which also contains security related warnings and hints.

HTH, DdB
Need help with PGP signature verification
I'm willing to trust published PGP key fingerprints for signers of Rakudo downloadable files. Question: How can I get the fingerprint from the downloads? The products I download are (1) the file of interest, (2) a PGP signed checksums file with various shaX hashes for the file, and (3) a separate file containing a PGP signature. Thanks so much. -Tom
Re: PGP key on keys.openpgp.org?
Hi, sorry for this german mail which i sent to debian-user by mistake. (I was asked by the xorriso maintainer of another distro to upload my public PGP key to the keyserver which the distro uses. Hopefully i was able to fulfill that wish and did not publish any secrets of mine.) Have a nice day :) Thomas
Re: PGP key on keys.openpgp.org?
Hi,

> do you see a way to manage your PGP key on keys.openpgp.org and to
> release the e-mail address?

I have uploaded the output of

  gpg --export scdbac...@gmx.net

(I would have liked to inspect what is in the output file, but "man gpg" does not get me that far.)

When prompted by mail, I visited a verification URL. This URL then leads to a page with the text

  keys.openpgp.org
  Your key 44BC9FD0D688EB007C4DD029E9CBDFC0ABC0A854 is now published for the identity scdbac...@gmx.net.

A search for my mail address on keys.openpgp.org yields:

  We found an entry for scdbac...@gmx.net.

Have a look whether this is now the way the RPM package build needs it.

Have a nice day :)

Thomas
Re: PGP: difference between Kleopatra and Kgpg, both from KDE
Marco Möller wrote:
> So, unfortunately I am still in need to find more information about the
> two different (or in the end not different?) GUI tools concerning their
> PGP functionality.

Focus on kgpg for now and start with PGP and OpenGPG (gnupg)
https://www.openpgp.org/
There are also many other sites that explain use of PGP.

Kleopatra can be seen as KDE specific tool for managing certificates and keys (GPGsM) but in different context. My advice: Forget it for now!

> Many thanks for all the other explanations which you also gave in your
> answer, they have been helpful!
> Marco.

welcome
Re: PGP: difference between Kleopatra and Kgpg, both from KDE
On 31.05.21 22:57, deloptes wrote:
> apt-cache show kleopatra
> apt-cache show kgpg
>
> I think the above parts of the package description explain quite well
> the use cases.
> With kleopatra you manage certificates in KDE (such like SSL)
> With Kgpg you manage GPG keys and you can encrypt/decrypt GUI style text

Well, these descriptions partly cause my question.

Following the package descriptions, Kgpg appears as the GUI frontend to GnuPG and in addition having a feature to input text into a field and to encrypt it right there instead of having to receive the input from a file, while Kleopatra appears to be kind of a GUI database manager for managing PGP keys and also X.509 certificates.

But installing them both and comparing their PGP related offers without understanding too much about the topic, Kleopatra seems, like Kgpg, the same being a GUI frontend to GnuPG, also including the feature for generating key pairs, and like Kgpg also having in addition a feature to input text into a field and to encrypt it right there instead of having to receive the input from a file. To this extent it could simply be, that Kleopatra includes all Kgpg functionality and then as an extra adds management of also X.509 functionality to it.

But if I compare the PGP settings which are offered in the GUI for creating a PGP key, then in detail this looks different in Kgpg and Kleopatra. Kleopatra seems to offer more options and is using more technical names for them, while Kgpg seems to offer a smaller amount of options and describes them more verbosely instead of using so much technical abbreviations. As a beginner it is very difficult to foresee if they are finally the same, with Kleopatra simply enhancing the amount of offered features in comparison to smaller Kgpg, Kgpg being kind of the tool for beginners and Kleopatra being the tool for experts, or if Kgpg is actually targeting work cases by its options in its GUI which are not addressed by Kleopatra like this. It could even be that under the hood one is known to work more reliably or working closer to the openPGP standard or being more compatible to interface with other PGP tools or Apps wanting to use PGP. I am here specially watching out for the PGP functionality and not considering that Kleopatra as an extra also offers X.509 functionality.

So, unfortunately I am still in need to find more information about the two different (or in the end not different?) GUI tools concerning their PGP functionality.

Many thanks for all the other explanations which you also gave in your answer, they have been helpful!

Marco.
Re: PGP: difference between Kleopatra and Kgpg, both from KDE
On Mon, 31 May 21, 22:57:26, deloptes wrote:
>
> gnupg is the mother of all open source pgp stuff. In fact you must know that
> PGP is the commercial implementation of a standard for symmetric encryption
> (I hope I am not wrong in my wording while citing from memory)

PGP supports asymmetric encryption as well (also known as public-key cryptography), otherwise it wouldn't be very usable for e-mail ;)

https://en.wikipedia.org/wiki/Public-key_cryptography

> Gnupg is the opensource equivalent of PGP and it is great :) command line
> utility and set of libraries that makes it possible to use encryption on
> numerous of devices. The application is called gpg.
> Kgpg is a front end to gnupg. Go to the home page of gpg and read, get
> familiar to it. It definitely needs understanding before using.

I'll have to disagree with the "great" here. In my (not so humble) opinion GnuPG's (the software) difficulty to use is one of the reasons we still don't have encrypted, or at least signed email for everybody[1].

Getting public-key cryptography right is already difficult enough[2], it would be great if the tools wouldn't add another layer of difficulty on top.

[1] signing all email by default could potentially make spam and phishing mostly go away
[2] https://wiki.debian.org/GnuPG/AirgappedMasterKey

Kind regards,
Andrei
--
http://wiki.debian.org/FAQsFromDebianUser
Re: PGP: difference between Kleopatra and Kgpg, both from KDE
Marco Möller wrote:
> Could someone explain for a raw beginner concerning the usage of PGP the
> difference between Kleopatra and Kgpg, what the typical work case is for
> the one and the other, what important feature the one and the other is
> missing?

apt-cache show kleopatra
Description-en: Certificate Manager and Unified Crypto GUI
 Kleopatra is a certificate manager and a universal crypto GUI. It supports
 managing X.509 and OpenPGP certificates in the GpgSM keybox and retrieving
 certificates from LDAP servers.
Description-md5: e5d6fc989907b80b691c99f2d8834cf5
Homepage: https://www.kde.org/applications/utilities/kleopatra/

apt-cache show kgpg
Description-en: graphical front end for GNU Privacy Guard
 Kgpg manages cryptographic keys for the GNU Privacy Guard, and can encrypt,
 decrypt, sign, and verify files. It features a simple editor for applying
 cryptography to short pieces of text, and can also quickly apply
 cryptography to the contents of the clipboard.
 .
 This package is part of the KDE Utilities module.
Description-md5: c2c30394bb363998b52a8fcc2caeb33c
Homepage: http://www.kde.org/

>
> Sorry for the related but low specific questions in the following. Being
> a raw beginner in the topic of PGP signing of email messages, it is
> difficult to even know what exactly to ask for. My internet search
> engine of choice and the KDE web sites both unfortunately did not guide
> me to a nice reading about the differences of Kleopatra and Kgpg, and
> adding Thunderbird to this does not make the topic easier to grasp.
> Therefore please allow me to add the following complex of questions:
> The background to my questions is, that I am aiming to soon use PGP
> signatures when working with Thunderbird, but I would not know if
> Kleopatra or if Kgpg would be better suited to support this. Besides, as
> a raw beginner in the topic of PGP, I am not even sure right now if I
> might find good usage of PGP for whatever else in the future (maybe
> authentication for a ssh access?), and if for this I should right away
> start to get comfortable with the one or the other tool, Kleopatra or
> Kgpg, or if anyway both will be needed because they target different
> work cases or complement each other?

I think the above parts of the package description explain quite well the use cases.
With kleopatra you manage certificates in KDE (such like SSL)
With Kgpg you manage GPG keys and you can encrypt/decrypt GUI style text

> At the moment my impression is that Thunderbird even comes with its own
> PGP implementation and is not using any other PGP parts of the rest of
> my Debian? Will Kleopatra or Kgpg then be of any help for me at all
> right now?

Don't know thunderbird or its ability to use GPG, but it makes sense that it uses its own implementation. The answer here is probably no. However you could use Kgpg to create and manage your keys and keyring (I would recommend it)

> I find package "gnupg" (maybe for the package manager apt to work
> fine?), but no package which in its package name would explicitly
> contain the word openpgp. Is there a special openpgp package which I
> should install in order to get well prepared for a typical PGP future?

gnupg is the mother of all open source pgp stuff. In fact you must know that PGP is the commercial implementation of a standard for symmetric encryption (I hope I am not wrong in my wording while citing from memory)
Gnupg is the opensource equivalent of PGP and it is great :) command line utility and set of libraries that makes it possible to use encryption on numerous of devices. The application is called gpg.
Kgpg is a front end to gnupg. Go to the home page of gpg and read, get familiar to it. It definitely needs understanding before using.
PGP: difference between Kleopatra and Kgpg, both from KDE
Hello,

Could someone explain for a raw beginner concerning the usage of PGP the difference between Kleopatra and Kgpg, what the typical work case is for the one and the other, what important feature the one and the other is missing?

Sorry for the related but low specific questions in the following. Being a raw beginner in the topic of PGP signing of email messages, it is difficult to even know what exactly to ask for. My internet search engine of choice and the KDE web sites both unfortunately did not guide me to a nice reading about the differences of Kleopatra and Kgpg, and adding Thunderbird to this does not make the topic easier to grasp. Therefore please allow me to add the following complex of questions:

The background to my questions is, that I am aiming to soon use PGP signatures when working with Thunderbird, but I would not know if Kleopatra or if Kgpg would be better suited to support this. Besides, as a raw beginner in the topic of PGP, I am not even sure right now if I might find good usage of PGP for whatever else in the future (maybe authentication for a ssh access?), and if for this I should right away start to get comfortable with the one or the other tool, Kleopatra or Kgpg, or if anyway both will be needed because they target different work cases or complement each other?

At the moment my impression is that Thunderbird even comes with its own PGP implementation and is not using any other PGP parts of the rest of my Debian? Will Kleopatra or Kgpg then be of any help for me at all right now?

I find package "gnupg" (maybe for the package manager apt to work fine?), but no package which in its package name would explicitly contain the word openpgp. Is there a special openpgp package which I should install in order to get well prepared for a typical PGP future?

Thanks a lot!
Marco.
PGP & Protonmail (Was: Encrypted e-mails?)
On Mon, 10 Sep 2018, pjw wrote:
> Since July ProtonMail is now fully interoperable with other PGP mail clients.

Now that is a nice piece of news.

--
Fraught with portent
Re: PGP Email Client
On 2018-07-08 18:18, HP Garcia wrote:
> Can anyone recommend an email client that can handle PGP? I'm currently using Claws-Mail 3.14.1
>
> Thanks in advance

roundcube with enigma plugin
dunno if it is working

mick

--
Key ID4BFEBB31
Re: PGP Email Client
On 18-07-08 14:42:54, Jude DaShiell wrote:
> If you can live with the configuration mutt or neomutt can fill the bill.

I can never truly recommend mutt to people who aren't used to terminal apps. That said, it's a great piece of software and the PGP handling in particular is really nice with a little config.
Re: PGP Email Client
On Sun, 8 Jul 2018, HP Garcia wrote:

> Date: Sun, 8 Jul 2018 13:18:25
> From: HP Garcia
> To: debian-user@lists.debian.org
> Subject: PGP Email Client
> Resent-Date: Sun, 8 Jul 2018 17:18:45 + (UTC)
> Resent-From: debian-user@lists.debian.org
>
> Can anyone recommend an email client that can handle PGP? I'm currently
> using Claws-Mail 3.14.1
>
> Thanks in advance

If you can live with the configuration mutt or neomutt can fill the bill.
Re: PGP Email Client
On Sun, 8 Jul 2018 10:18:25 -0700, HP Garcia wrote:
>Can anyone recommend an email client that can handle PGP? I'm currently
>using Claws-Mail 3.14.1

Why not Claws-Mail? With the correct plugins (claws-mail-pgpinline or claws-mail-pgpmime) that should be packaged in Debian it handles pgp just fine.

--
Andreas Rönnquist
mailingli...@gusnan.se
andr...@ronnquist.net
Re: PGP Email Client
On Sun, 8 Jul 2018 10:18:25 -0700 HP Garcia wrote:

Hello HP,

>Can anyone recommend an email client that can handle PGP? I'm currently
>using Claws-Mail 3.14.1

CM; Install the relevant plugin(s) and you're ready.

--
 Regards  _
         / )           "The blindingly obvious is
        / _)rad        never immediately apparent"
If we're working class, why ain't we got jobs?
Insane Society - Menace
Re: PGP Email Client
On 7/8/2018 7:18 PM, HP Garcia wrote:
> Can anyone recommend an email client that can handle PGP? I'm currently using Claws-Mail 3.14.1

https://www.claws-mail.org/plugin.php?plugin=gpg

Thunderbird with enigmail.
https://support.mozilla.org/en-US/kb/digitally-signing-and-encrypting-messages

--
John Doe
PGP Email Client
Can anyone recommend an email client that can handle PGP? I'm currently using Claws-Mail 3.14.1 Thanks in advance -- HP Garcia KM6JBI www.HPGPhotography.com
Re: How to get a PGP SIGNED MESSAGE
Hi,

GC wrote:
> I would like to get a PGP SIGNED MESSAGE. How do I do that?

For production, see chapter 1 of GPG documentation, "Getting Started":
  https://www.gnupg.org/gph/en/manual/c14.html
(note the swapping of "g" and "p" in comparison to PGP.)

The manual of gpg is quite rich in detail information:
  man gpg

When posting official announcements to info-...@gnu.org, i use

  gpg --clearsign my_file

to get a new file my_file.asc which looks like

  -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA1

  Hi,
  ...
  -----BEGIN PGP SIGNATURE-----
  Version: GnuPG v1.4.5 (GNU/Linux)

  iD8DBQFVWdQp6cvfwKvAqFQRAkWDAJwMwJS89XAq2npLv0iYdmCT6fv8LACgoRVW
  csBodn7iN9YzXO2sHZgthFc=
  =FlQN
  -----END PGP SIGNATURE-----

This can be verified by getting my public key

  gpg --keyserver keys.gnupg.net --recv-keys ABC0A854

and running gpg --verify on my signed cleartext message

  gpg --verify my_file.asc

An example message can be found at
  http://lists.gnu.org/archive/html/info-gnu/2015-05/msg9.html

Have a nice day :)

Thomas
Re: How to get a PGP SIGNED MESSAGE
On 18/11/15 18:19, GC wrote:
> I would like to get a PGP SIGNED MESSAGE. How do I do that?

Could you be more specific?

If it was just your goal in life to have someone send an OpenPGP signed email, you can cross that off your "bucket list". I suspect that was not your aim though.

Are you intending to generate signed messages or merely verify them?

--
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.
Re: How to get a PGP SIGNED MESSAGE
On Wed, 18 Nov 2015 00:19:24 -0800 GC wrote:

Hello GC,

>I would like to get a PGP SIGNED MESSAGE. How do I do that?

Wait for somebody to send you one.

--
 Regards  _
         / )           "The blindingly obvious is
        / _)rad        never immediately apparent"
Well you tried it just the once and found it alright for kicks
Orgasm Addict - Buzzcocks
How to get a PGP SIGNED MESSAGE
I would like to get a PGP SIGNED MESSAGE. How do I do that?
Re: Strange PGP signature
Marko Randjelovic writes:

> $ gpg --verify SHA512SUMS.sign SHA512SUMS # attached file
> gpg: Signature made Sun 13 Oct 2013 11:19:32 PM CEST using RSA key ID 6294BE9B
> gpg: Good signature from "Debian CD signing key "
>
> $ gpg --verify SHA512SUMS.sign2 SHA512SUMS # http://cdimage.debian.org/debian-cd/7.2.0/amd64/iso-dvd/SHA512SUMS.sign
> gpg: Signature made Sun 13 Oct 2013 11:19:31 PM CEST using RSA key ID 6294BE9B
> gpg: Good signature from "Debian CD signing key "
>
> But both signatures are 'Good', but time differs in 1 second.

Wow. How did it happen? Where did he take previous signature?
Re: Strange PGP signature
On Tue, 15 Oct 2013 13:08:43 +0400 Dmitrii Kashin wrote:

> "Aort Conda" writes:
>
> > What is this? The file on official cd mirror is different.
>
> Did not get what you are talking about.
> Everything is normal, see:
>
> % gpg --verify SHA512SUMS.sign SHA512SUMS
> gpg: Signature made Mon Oct 14 01:19:32 2013 MSK using RSA key ID 6294BE9B
> gpg: Good signature from "Debian CD signing key "

Probably he meant about .sign file. It is really different from that on cdimage.debian.org

http://cdimage.debian.org/debian-cd/7.2.0/amd64/iso-dvd/SHA512SUMS.sign:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

[...]
-----END PGP SIGNATURE-----

attached file:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

[...]
-----END PGP SIGNATURE-----

$ gpg --verify SHA512SUMS.sign SHA512SUMS # attached file
gpg: Signature made Sun 13 Oct 2013 11:19:32 PM CEST using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key "

$ gpg --verify SHA512SUMS.sign2 SHA512SUMS # http://cdimage.debian.org/debian-cd/7.2.0/amd64/iso-dvd/SHA512SUMS.sign
gpg: Signature made Sun 13 Oct 2013 11:19:31 PM CEST using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key "

But both signatures are 'Good', but time differs in 1 second.

--
http://mr.flossdaily.org
Re: Strange PGP signature
"Aort Conda" writes:

> What is this? The file on official cd mirror is different.

Did not get what you are talking about.
Everything is normal, see:

% gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Mon Oct 14 01:19:32 2013 MSK using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key "
Strange PGP signature
What is this? The file on official cd mirror is different. SHA512SUMS Description: Attachment: SHA512SUMS SHA512SUMS.sign Description: Attachment: SHA512SUMS.sign
Re: gpg/pgp noise
13.05.2012 10:26, Andrei POPESCU wrote:
> @Mika:
> At least in my experience Mailman is NOT breaking GPG/MIME. I know of at
> least 4 different Mailman installations (including
> lists.alioth.debian.org) that work fine.

At least it doesn't work on gnupg-user nor enigmail nor lists.ubuntu.com mailing lists.

> Assuming the issues with Mailman + GPG/MIME are not at your end[1], did
> you consider signing inline only to those specific lists? I'd be amazed
> if Thunderbird/Icedove can't do this (for mutt it's trivial with a send-
> or a folder-hook).

This is a little hard to remember to do with 4 computers and 7 different OSes.

> [1] You could BCC yourself and compare the message with the one received
> from the mailing list. Also consider any mail server on the way, I've
> read rumors of Microsoft Exchange messing with messages (especially
> encodings).

When I have time. I have been busy lately.

> Kind regards,
> Andrei

--
[Mika Suomalainen](https://mkaysi.github.com/) ||
[gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728](http://mkaysi.github.com/PGP/key.txt) ||
[Why do I sign my emails?](http://mkaysi.github.com/PGP/WhyDoISignEmails.html) ||
[Please don't send HTML.](http://mkaysi.github.com/articles/complaining/HTML.html) ||
[Please don't toppost](http://mkaysi.github.com/articles/complaining/topposting.html) ||
[This signature](https://gist.github.com/2643070) ||
Re: gpg/pgp noise
Hopefully not reigniting this...

On Tue, 08 May 12, 05:43:17, Indulekha wrote:
> Hi,
>
> I'm getting this with most gpg/pgp-signed mails received
> from this list (using mutt):

This part has been solved, but since it is highly unlikely for you to have a trust path to my key you'll still get a block of 5 or so lines telling you that the message is properly signed, but there is no indication that the key belongs to the user (i.e. no trust path). Sorry, I'm trying to get my key in the Debian web-of-trust soonish, but I understand you already have filters for that.

I have a few other technical remarks that I'm adding here instead of digging a specific message to reply:

@Indulekha and other squeeze+mutt users: beware of a bug where mutt incorrectly sends GPG/MIME signatures with "disposition=inline". This is not a problem for mutt itself, but for example Gmail will (correctly) quote the entire GPG signature on reply to such messages. Fixed in 1.5.21 (available from squeeze-backports).

@Mika:
At least in my experience Mailman is NOT breaking GPG/MIME. I know of at least 4 different Mailman installations (including lists.alioth.debian.org) that work fine.

Assuming the issues with Mailman + GPG/MIME are not at your end[1], did you consider signing inline only to those specific lists? I'd be amazed if Thunderbird/Icedove can't do this (for mutt it's trivial with a send- or a folder-hook).

[1] You could BCC yourself and compare the message with the one received from the mailing list. Also consider any mail server on the way, I've read rumors of Microsoft Exchange messing with messages (especially encodings).

Kind regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
Re: Things we should know about PGP
This is an interesting thread for me. I can see (I think!) the various points that have been made, but as it is, I feel, it's mostly trivial.

If I write to this list, or others, or friends, or colleagues, why do I need to identify myself? Or require someone to find my public key to read or confirm what I've written? If I need such cryptographic security only the people I wish to know my public key will have it. For my personal secure connections et al, I use Tails on a 16Gb usb stick.

Those who attach their public key to this list are the equivalent in my book to those who append "humorous" signatures to their posts: it's there, it's naff, it's ignored.

At end of the day, you believe what you want. My bank and other important communications arrive through the post, and on line. If I doubt it, I check it. I do the same with my public phone lines, and my on-line use.

If you don't need to publicise your public key (because, after all, very few, if any, are going to use it) don't add it to every e-mail, along with an irrelevant "sig block" which does nothing except confirm your self-esteem (Look at me, Ma, top of the world) and the opinion of your readers which is probably the reverse of that which you hope and believe.

Keep it simple, keep it sane, keep away from paranoia, they're not out to get you (why should they be bothered?), keep a sense of perspective (vide "The Hitchhiker's Guide To The Galaxy" as to why this may be a good idea).

Hi, again, Camaleon, long time!

Saki

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/cafg91engyepb8yrc3av0x3lyhq9pn6gvqqlm0+k9utycdxm...@mail.gmail.com
Re: Things we should know about PGP
On Thu, May 10, 2012 at 07:36:14PM +0200, Ralf Mardorf wrote:
> And why do we need this? We could notarized emails + use or computer
> readable ID cards, anyway, this in addition won't make mailing list
> mails more true or less true. There's more untruth for notarized papers
> than for non-notarized papers. Why should things become better with
> openPGP signing?

I can't recall anyone arguing that it would improve the quality of discourse. All it does is help to prove who wrote what. Some see value in that, others do not.

> Again, I don't care, even if I would see cryptic lines at the bottom of
> my mails, but IMO we should avoid photos as thumbnails, PGP, HTML.

You are entitled to that opinion ☺
Re: Things we should know about PGP
The Signature from someone else:

"Confidence is what you have before you understand a problem" - Woody Allen
Re: Things we should know about PGP
On Thu, 2012-05-10 at 17:11 +0100, Jon Dowland wrote:
> On Wed, May 09, 2012 at 09:17:17PM +0200, Ralf Mardorf wrote:
> > Regarding to security. Assumed somebody always sign the mails to a
> > mailing list. Isn't it possible that somebody hacks the view of a
> > mailing list archive? Make it look like if a nice guy said odd things
> > for signed mails. He never did, the mails were not hacked, just the view
> > of the web page is hacked.
>
> They could, if you were relying on the mailing list archives to verify
> the signatures, but they don't. You can fetch the signature and the
> original message (awkward from a web mailing list archive, but Camaleón
> has shown a way of doing it with gmane in the past) and perform the
> verification yourself.

And why do we need this? We could notarized emails + use or computer readable ID cards, anyway, this in addition won't make mailing list mails more true or less true. There's more untruth for notarized papers than for non-notarized papers. Why should things become better with openPGP signing?

Again, I don't care, even if I would see cryptic lines at the bottom of my mails, but IMO we should avoid photos as thumbnails, PGP, HTML.

- Ralf
Re: Things we should know about PGP
On Wed, May 09, 2012 at 09:17:17PM +0200, Ralf Mardorf wrote:
> Regarding to security. Assumed somebody always sign the mails to a
> mailing list. Isn't it possible that somebody hacks the view of a
> mailing list archive? Make it look like if a nice guy said odd things
> for signed mails. He never did, the mails were not hacked, just the view
> of the web page is hacked.

They could, if you were relying on the mailing list archives to verify the signatures, but they don't. You can fetch the signature and the original message (awkward from a web mailing list archive, but Camaleón has shown a way of doing it with gmane in the past) and perform the verification yourself.
Re: [OT] Re: Things we should know about PGP
On Thu, 2012-05-10 at 14:56 +, Camaleón wrote:
> On Wed, 09 May 2012 23:22:09 +0200, Ralf Mardorf wrote:
>
> > On Wed, 2012-05-09 at 20:22 +, Camaleón wrote:
>
> >> What is what you understand by "dirty"?
> >>
> >> I can send the same spam, virus-inside or crap message with a signature
> >> or without it. That changes nothing.
> >>
> >>
> > dirty {adj} [fig.] e.g. remove words, add words.
>
> So you meant that the content of the messages can't become "faked/
> manipulated" when they are signed. If that's what you wanted to say, then
> yes, signatures are also aimed for that.
>
> But the problem still remains: in the event you can check the validity of
> the signature you still can't be sure about its real author.
>
> >> You can still get false-positives that make the signature cannot be
> >> properly verified so you think the message is not legitimate while it
> >> is.
> >
> > I did write something similar off-list to whomever, but it wasn't only
> > about computers and signing mails:
>
> (...)
>
> > As I already pointed out. Somebody e.g. could hack the view of a
> > mailing list archive, seemingly signed mails with edited
> > content. Then this wrong information is in the Internet,
> > pretending to be the signed original. The mob will believe this
> > is absolute truth. They are hungry for absolute truth. This is a
> > loss of civilization.
>
> It's even simpler than that, is that any piece of the software involved
> in the message distribution chain can fail, i.e., they can have bugs that
> render the signature verification process invalid.
>
> > OTOH there are valid situations to sign messages.
>
> Of course. Moreover, it should be "a must".
>
> As I see it, the concept of verifying the author of a message is
> completely valid and right, it's the implementation that fails because of
> the way you have to trust the user you want to validate (human beings
> have not developed a system to differ between a fake and a true thing,
> our brains are very limited in that field and also very influenceable by
> external sources).
>
> Greetings,

I guess we agree.

- ralf
Re: [OT] Re: Things we should know about PGP
On Wed, 2012-05-09 at 20:22 +, Camaleón wrote:
> On Wed, 09 May 2012 19:33:52 +0200, Ralf Mardorf wrote:
>
> > On Wed, 2012-05-09 at 17:26 +, Camaleón wrote:
> >> Exactly. For instance, those who think that PGP signed messages will
> >> improve security when reading/posting e-mails >;-)
> >
> > AFAIK a signed message can't become dirty.
>
> What is what you understand by "dirty"?
>
> I can send the same spam, virus-inside or crap message with a signature
> or without it. That changes nothing.
>

dirty {adj} [fig.] e.g. remove words, add words.

> > So it's secure that nobody add a word, removed a word or completely
> > edited the message. This might be a kind of security some people wish
> > to have.
>
> You can still get false-positives that make the signature cannot be
> properly verified so you think the message is not legitimate while it is.

I did write something similar off-list to whomever, but it wasn't only about computers and signing mails:

A lot of stuff that seems to make "things" more clear, don't make "things" more clear. Signing emails tend to give the impression, that this would ensure security, but it doesn't. Nobody can hack a signed message in a valid time, without much luck. The needed prime factorization or whatever should be needed can't be done, anyway.

As I already pointed out. Somebody e.g. could hack the view of a mailing list archive, seemingly signed mails with edited content. Then this wrong information is in the Internet, pretending to be the signed original. The mob will believe this is absolute truth. They are hungry for absolute truth. This is a loss of civilization. Instead of thinking themselves or at least reading stuff like "Plato's allegory of the cave", they declare absolute illusion to absolute truth, but it's the absolute untruth.

OTOH there are valid situations to sign messages.
Re: [OT] Re: Things we should know about PGP
On Wed, 09 May 2012 19:33:52 +0200, Ralf Mardorf wrote:

> On Wed, 2012-05-09 at 17:26 +, Camaleón wrote:
>> Exactly. For instance, those who think that PGP signed messages will
>> improve security when reading/posting e-mails >;-)
>
> AFAIK a signed message can't become dirty.

What is what you understand by "dirty"?

I can send the same spam, virus-inside or crap message with a signature or without it. That changes nothing.

> So it's secure that nobody add a word, removed a word or completely
> edited the message. This might be a kind of security some people wish
> to have.

You can still get false-positives that make the signature cannot be properly verified so you think the message is not legitimate while it is.

Greetings,

--
Camaleón
Re: Things we should know about PGP
Regarding to security. Assumed somebody always sign the mails to a mailing list. Isn't it possible that somebody hacks the view of a mailing list archive? Make it look like if a nice guy said odd things for signed mails. He never did, the mails were not hacked, just the view of the web page is hacked.
Re: Things we should know about PGP
"The signature is evidence that message comes from me. If I sign all my messages, I can say that I sign all my messages and possibly unsigned offensive content, which is spoofed to "come" from my address, isn't sent by me." You also could lie and anyway send unsigned mails. And why is it needed? If you call a friend do you have some code words, questions to ensure that you don't speak with a voice imitator. And do you record the phone calls and rewind to prove what your friend or you said in case of a disagreement? This is a loss of civilization! We don't need this. An employer might google my name and find posts of a doppelgänger of mine. Less likely, I only found my own posts, but I also found somebody with the same name, living in another German city, IIRC I found just the snake mail address of the doppelgänger, no posts. FWIW you mails are ok here. This is only visible if I explicitly view the source: --enigD875626BE35FED68C9AA150D Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.19 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJPqrT/AAoJEE21PP6CpGcoW74P/if7HwzhmNUGYp2YSCC9S+sT Rl+DwyLHVnDWdeF/dTFaqfB7Vt4I/4T+lstj5z9/l89fUpDcafEuv3CDGzk7BAGZ 0QdG2/DOGBqR3AAuL0L83+KYv9tgVRPcQ8JBLQOqDBpp23OC4mlJEcKGJRWthEKR M7pmbQnb861ieYu7fzN0oAokuRiz7CZ2nA9FOiKIKHBc+b2b05/U8L40MfNa4PI8 vRdobT67rX0+8z4o4Bi+RghA3P5EyLrW6y8GQyzb6TKckb1/iT0r8iPIqwFppNzu mQnWUKsnKAlrma8zmDM+DpflLIiSNLrapoJzGuYmEWKCTpd65AoaDu0SJcMprMeR z2RgWr1o3FhaRnSlCR5sGtNSEqbr+5gl+xe/Qyn40eP/ZPCjxI2vpcV6beCkVfKX 0wc/xYnfWz5Yi31rkLpBKTtB0BHOPPqh31DE2tPzyKaHEkbI4yusXSWL2B7zwnv+ rSdJm/13rVDks+Utev8fEM8/2TcmFHNT+JhsT+E58F9pp+6UC0gAkxbQ9t++fo6J xIee1CyVTWnRQABuSfnVYk7sysKBiOpId6XVCupb4eOw3y95hDMGgV+Mb/4O6sIN gVNRhCR5kfF4fSBOoPpL6sjcBenspLjwX66Nb/nBqetWzrg1HdlrBlMB23lQ4P/f 4wdJFGYtYwp+b23oUTjQ =QhSC -END PGP SIGNATURE- 
--enigD875626BE35FED68C9AA150D-- This is what I see as the email: 09.05.2012 21:09, Jon Dowland kirjoitti: > I didn't check beyond the other person: if they have sigs on their key, > then it's feasible Mika is joined to a/the web of trust. Rather than > try to manually construct such a path, I fed Mikka's key into pathfinder > web sites, but his key is not widespread enough, and the ones I tried > didn't know about him. I did not rule him out of the web of trust, nor > prove him in. Please feel free to put my key on those path finder services (gpg --keyserver --send-keys 4DB53CFE82A46728. I'm sorry, but you won't probably find any relation to my key, because of https://github.com/Mkaysi/mkaysi.github.com/blob/master/PGP/WhyDoISignEmails.html.md#your-signature-doesnt-mean-anything-anyway-because-you-arent-part-of-any-trust-web . I will now continue this policy, https://github.com/Mkaysi/mkaysi.github.com/blob/master/PGP/WhyDoISignEmails.html.md#why-did-you-write-this-page . PS. My name is written with one "k" letter, Mika, not "Mikka". PS of PS. If anyone happens to visit near this city and want to meet me to sign my key, that might be possible too, but I don't see any reason why anyone would be interested about this city. -- [Mika Suomalainen](https://mkaysi.github.com/) || [gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728](http://mkaysi.github.com/PGP/key.txt) || [Why do I sign my emails?](http://mkaysi.github.com/PGP/WhyDoISignEmails.html) || [Please don't send HTML.](http://mkaysi.github.com/articles/complaining/HTML.html) || [Please don't toppost](http://mkaysi.github.com/articles/complaining/topposting.html) || [This signature](https://gist.github.com/2643070) || -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/1336589505.2994.86.camel@precise
Re: Things we should know about PGP
09.05.2012 21:09, Jon Dowland wrote:
> I didn't check beyond the other person: if they have sigs on their key,
> then it's feasible Mika is joined to a/the web of trust. Rather than
> try to manually construct such a path, I fed Mikka's key into pathfinder
> web sites, but his key is not widespread enough, and the ones I tried
> didn't know about him. I did not rule him out of the web of trust, nor
> prove him in.

Please feel free to put my key on those path finder services (gpg --keyserver --send-keys 4DB53CFE82A46728).

I'm sorry, but you won't probably find any relation to my key, because of https://github.com/Mkaysi/mkaysi.github.com/blob/master/PGP/WhyDoISignEmails.html.md#your-signature-doesnt-mean-anything-anyway-because-you-arent-part-of-any-trust-web .

I will now continue this policy, https://github.com/Mkaysi/mkaysi.github.com/blob/master/PGP/WhyDoISignEmails.html.md#why-did-you-write-this-page .

PS. My name is written with one "k" letter, Mika, not "Mikka".

PS of PS. If anyone happens to visit near this city and want to meet me to sign my key, that might be possible too, but I don't see any reason why anyone would be interested about this city.

--
[Mika Suomalainen](https://mkaysi.github.com/) || [gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728](http://mkaysi.github.com/PGP/key.txt) || [Why do I sign my emails?](http://mkaysi.github.com/PGP/WhyDoISignEmails.html) || [Please don't send HTML.](http://mkaysi.github.com/articles/complaining/HTML.html) || [Please don't toppost](http://mkaysi.github.com/articles/complaining/topposting.html) || [This signature](https://gist.github.com/2643070) ||
Re: Things we should know about PGP
On Wed, May 09, 2012 at 01:32:12PM +0200, Ralf Mardorf wrote:
> When the subject was "gpg/pgp noise" Jon Dowland wrote: "I clearly
> explained that his key was signed by another he owned, which in turn was
> signed by *someone else entirely*."
>
> A chain of unsigned keys for one and the same person, with one key at
> the end of this chain, that is signed by one person only or even enough
> persons signing it, is useless. This isn't the correct way to sign a
> key, since it's not secure and not handy.

I didn't check beyond the other person: if they have sigs on their key, then it's feasible Mika is joined to a/the web of trust. Rather than try to manually construct such a path, I fed Mikka's key into pathfinder web sites, but his key is not widespread enough, and the ones I tried didn't know about him. I did not rule him out of the web of trust, nor prove him in.

> OTOH, when do you really need signing? More likely is that you will
> encrypt mails, e.g. to ensure that if you write to a family with young
> children, using the same computer, only the parents can read mails with
> contents that aren't good for children. In such a case it's not needed
> to ensure that the key is trusted. It's only important that the parents
> know how to decrypt and the children don't know it. This anyway prevents
> against manipulating the mails content, without signing.

IME I've signed many mails and verified many signed mails and very rarely encrypted messages. In fact the only times I have encrypted or decrypted mail was when sending signatures of someone's key to themselves. I suppose different people have different use-cases.

--
Jon Dowland
Re: [OT] Re: Things we should know about PGP
On Wed, 2012-05-09 at 17:26 +, Camaleón wrote:
> Exactly. For instance, those who think that PGP signed messages will
> improve security when reading/posting e-mails >;-)

AFAIK a signed message can't become dirty. So it's secure that nobody add a word, removed a word or completely edited the message. This might be a kind of security some people wish to have.

- Ralf
[OT] Re: Things we should know about PGP
On Wed, 09 May 2012 13:32:12 +0200, Ralf Mardorf wrote:

> If this discussion can't be stopped, then perhaps we can make it a
> useful thread, by not talking about how to behave or not to behave on a
> mailing list, by not talking about if we want signed emails or not.

(...)

> If you really need security, then you need to take care about many
> things using PGP. I only use openPGP from time to time, to ensure that
> just a special person can read this mail, but not to be completely
> secure. I don't need knowledge about how to handle PGP correct and I
> don't have got this knowledge.

But security has nothing to do with a signed message. You use GPG/PGP signatures when you want other people can verify that you are the author of that message. And you encrypt your message when you want to prevent others can access its content, no more and no less.

> Seemingly some people have completely wrong perceptions about e.g.
> signing a key.

Exactly. For instance, those who think that PGP signed messages will improve security when reading/posting e-mails >;-)

> Instead of having something similar to a flame-war, some useful
> information belongs to this list.

I only see one big flaw in GPG/PGP signatures current methodology: their "keyring" system of trust relies on people and people -by definition- is nothing but unreliable.

That's why I don't sign my own messages and I don't care about others signatures. To my understanding is a waste of time and resources with little-to-nothing gain.

Greetings,

--
Camaleón
Re: gpg/pgp noise
On Wed, May 09, 2012 at 12:20:08PM +0300, Mika Suomalainen wrote:
> 09.05.2012 11:56, Jon Dowland wrote:
> > On Wed, May 09, 2012 at 12:29:31PM +1000, Scott Ferguson wrote:
> >> Bob's PGP signature is valid - yours is not
> >> You waste our time and bandwidth.
> >
> > In what way? I can verify Mika's signatures just fine. The signatures
> > are valid.
> >
> >> Bob's key validates his identity - yours does not.
> >> I can verify that "Bob" is "Bob" through a chain of trust.
> >
> > Why does Mikka's not? It's not impossible for someone to have a trust
> > path to Mikka. Albeit one step removed, since the signing key he uses
> > has one signature, from another of his keys - but that one has at
> > least one. (I haven't managed to construct a trust path to Mikka
> > myself, since most of the public pathfinder servers don't have his
> > key)
> >
> >
>
> Because nobody else near Kotka, Finland uses PGP and the nearest CAcert
> assurers are after 110KMs from me.
>
> PS. I am back to weird long signatures. I won't comment to this thread
> anymore nor to anything else which I haven't written in my signature or
> elsewhere.
>

Bye.

--
❤ ♫ ❤ ♫ ❤ ♫ ❤
Indulekha
Re: gpg/pgp noise
On Tue, May 08, 2012 at 02:45:59PM +0100, Jon Dowland wrote:
> On Tue, May 08, 2012 at 08:28:35AM -0500, Indulekha wrote:
> > You must be from up north, LOL!
>
> Now *that's* rude.

Only if you're from up north, and from where I'm sitting that includes just about everyone. :(=)

--
"Religion is excellent stuff for keeping common people quiet." -- Napoleon Bonaparte
Re: gpg/pgp noise
On Wed, May 9, 2012 at 5:20 AM, Mika Suomalainen wrote:
> 09.05.2012 11:56, Jon Dowland wrote:
>> On Wed, May 09, 2012 at 12:29:31PM +1000, Scott Ferguson wrote:
>>> Bob's PGP signature is valid - yours is not
>>> You waste our time and bandwidth.
>>
>> In what way? I can verify Mika's signatures just fine. The signatures
>> are valid.
>>
>>> Bob's key validates his identity - yours does not.
>>> I can verify that "Bob" is "Bob" through a chain of trust.
>>
>> Why does Mikka's not? It's not impossible for someone to have a trust
>> path to Mikka. Albeit one step removed, since the signing key he uses
>> has one signature, from another of his keys - but that one has at
>> least one. (I haven't managed to construct a trust path to Mikka
>> myself, since most of the public pathfinder servers don't have his
>> key)
>
> Because nobody else near Kotka, Finland uses PGP and the nearest CAcert
> assurers are after 110KMs from me.
>
> PS. I am back to weird long signatures. I won't comment to this thread
> anymore nor to anything else which I haven't written in my signature or
> elsewhere.

So your reaction to being told that your signature's too long is to lengthen it. Thanks.
Things we should know about PGP
If this discussion can't be stopped, then perhaps we can make it a useful thread, by not talking about how to behave or not to behave on a mailing list, by not talking about if we want signed emails or not.

When the subject was "gpg/pgp noise" Jon Dowland wrote: "I clearly explained that his key was signed by another he owned, which in turn was signed by *someone else entirely*."

A chain of unsigned keys for one and the same person, with one key at the end of this chain, that is signed by one person only or even enough persons signing it, is useless. This isn't the correct way to sign a key, since it's not secure and not handy. You will handle the key directly by a web of trust, not by a chain of own keys and not only signed by one person. You can do this by visiting parties, where this is done.

OTOH, when do you really need signing? More likely is that you will encrypt mails, e.g. to ensure that if you write to a family with young children, using the same computer, only the parents can read mails with contents that aren't good for children. In such a case it's not needed to ensure that the key is trusted. It's only important that the parents know how to decrypt and the children don't know it. This anyway prevents against manipulating the mails content, without signing.

If you really need security, then you need to take care about many things using PGP. I only use openPGP from time to time, to ensure that just a special person can read this mail, but not to be completely secure. I don't need knowledge about how to handle PGP correct and I don't have got this knowledge.

Seemingly some people have completely wrong perceptions about e.g. signing a key.

Instead of having something similar to a flame-war, some useful information belongs to this list.

- Ralf
Re: gpg/pgp noise
On Wed, May 09, 2012 at 11:37:23AM +0200, Ralf Mardorf wrote:
> The signature of Tiberius was trusted by Pilatus and Herodes. The
> signature of Philippus wasn't trusted by Lysanias or anybody else.
>
> I couldn't find a key on public servers for Hannas and Kaiphas, but
> fortunately the key of Johannes is available and the signature is
> trusted by Zacharias.
>
> I've got some nice examples for signatures similar to this one:

I don't know what you are trying to demonstrate. Can you please elaborate?

> Or would it be a good idea to close this thread?

You can't "close" a thread. You are always entirely free to ignore it.
Re: gpg/pgp noise
On Wed, May 09, 2012 at 08:18:56PM +1000, Scott Ferguson wrote:
> >(you've trimmed my initial investigation which indicates he
> > has at least one signatory.)
>
> "investigation"?
>
> Huh?
>
> How hard was it to see the key is signed by... the key holder (or
> another person called Mika?), using a key that was signed... by (Mika).
>
> That's *not* a chain of trust.

I clearly explained that his key was signed by another he owned, which in turn was signed by *someone else entirely*.

You are committing a more serious mailing list sin than inline-PGP: failing to properly read the thread before replying to it.
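Added illustration, not from any poster and not GnuPG's code: a simplified Python model of the classic web-of-trust validity rule with GnuPG's default thresholds (--completes-needed 1, --marginals-needed 3, --max-cert-depth 5). It replays the chain described above (signing key certified by the owner's other key, which is certified by someone else) using placeholder key names that are assumptions, and shows that a certification path only validates a key once the verifier has assigned owner trust to each introducer on it.

```python
from collections import defaultdict

COMPLETES_NEEDED = 1   # GnuPG default for --completes-needed
MARGINALS_NEEDED = 3   # GnuPG default for --marginals-needed
MAX_CERT_DEPTH = 5     # GnuPG default for --max-cert-depth


def valid_keys(certs, ownertrust):
    """Simplified classic trust model.

    certs:      iterable of (signer, signed) key certifications
    ownertrust: key -> "ultimate" | "full" | "marginal" (absent = unknown),
                assigned by the person doing the verification
    Returns {key: depth} for every key considered valid.
    """
    signers_of = defaultdict(set)
    for signer, signed in certs:
        if signer != signed:            # self-signatures introduce nobody
            signers_of[signed].add(signer)

    valid = {k: 0 for k, t in ownertrust.items() if t == "ultimate"}
    for depth in range(1, MAX_CERT_DEPTH + 1):
        newly = {}
        for key, signers in signers_of.items():
            if key in valid:
                continue
            # Only certifications made by keys that are already valid count,
            # and only as much as the verifier trusts that key's owner.
            usable = [s for s in signers if s in valid]
            full = sum(ownertrust.get(s) in ("ultimate", "full") for s in usable)
            marginal = sum(ownertrust.get(s) == "marginal" for s in usable)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly[key] = depth
        if not newly:
            break
        valid.update(newly)
    return valid


def status(key, certs, ownertrust):
    """Describe what a verifier would conclude about a signing key."""
    depth = valid_keys(certs, ownertrust).get(key)
    if depth is None:
        return "signature can check out, but the key is not validated"
    return f"key validated at depth {depth}"


# Constructed chain with placeholder names: the verifier's own key (ME)
# certified X, X certified the poster's main key, and the main key
# certified the key actually used for signing mail.
CERTS = [("ME", "X"), ("X", "MIKA_MAIN"), ("MIKA_MAIN", "MIKA_SIGNING")]

if __name__ == "__main__":
    for trust in (
        {"ME": "ultimate"},
        {"ME": "ultimate", "X": "full"},
        {"ME": "ultimate", "X": "full", "MIKA_MAIN": "full"},
    ):
        print(sorted(trust.items()), "->", status("MIKA_SIGNING", CERTS, trust))
```

The "one step removed" in the thread is the last case: the verifier has to trust the owner of the main key as an introducer before the separate signing key becomes valid.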
Re: gpg/pgp noise
On 09/05/12 19:39, Jon Dowland wrote:
> On Wed, May 09, 2012 at 07:20:15PM +1000, Scott Ferguson wrote:
>> On 09/05/12 18:56, Jon Dowland wrote:
>>> In what way? I can verify Mika's signatures just fine. The signatures
>>> are valid.
>>
>> All his posts?
>> Is cutting and pasting a hobby?
>> Do you between "some" and "all"?
>
> The ones I've bothered to verify

Most of his original ones did not verify.

>, via '|gpg --verify' in mutt.

So you didn't cut and paste - you just hand processed each post. I can't match your dedication to validating his posts - nor can I muster your enthusiasm for defending them. I'll side with the others that find them an unnecessary annoyance.

>
>> Because there's no chain of trust.
>
> Confirmed?
>(you've trimmed my initial investigation which indicates he
> has at least one signatory.)

"investigation"?

Huh?

How hard was it to see the key is signed by... the key holder (or another person called Mika?), using a key that was signed... by (Mika).

That's *not* a chain of trust.

It's not even the issue. More noise, no signal.

Regards

--
Iceweasel/Firefox/Chrome/Chromium/Iceape/IE extensions for finding answers to questions about Debian:-
https://addons.mozilla.org/en-US/firefox/collections/Scott_Ferguson/debian/
OT: +5, was: gpg/pgp noise
On Wed, 09 May 2012 11:37:23 +0200, Ralf wrote in message <1336556243.2171.373.camel@precise>:

> Or would it be a good idea to close this thread?
>
> Regards,
> Ralf

..+5. ;o)

--
..med vennlig hilsen = with Kind Regards from Arnt Karlsen
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three: best case, worst case, and just in case.
Re: gpg/pgp noise
On Wed, 2012-05-09 at 10:39 +0100, Jon Dowland wrote:
> we can then verify his signed messages in the past

Why should anybody be interested in verifying any mailing list mail? Somebody might change the content of mails without signature? So we should ensure that somebody really finished the mail with "Cheers" and not with "Ciao"?
Re: gpg/pgp noise
On Wed, 2012-05-09 at 09:56 +0100, Jon Dowland wrote:
> On Wed, May 09, 2012 at 12:29:31PM +1000, Scott Ferguson wrote:
> > Bob's PGP signature is valid - yours is not
> > You waste our time and bandwidth.
>
> In what way? I can verify Mika's signatures just fine. The signatures
> are valid.
>
> > Bob's key validates his identity - yours does not.
> > I can verify that "Bob" is "Bob" through a chain of trust.
>
> Why does Mikka's not? It's not impossible for someone to have a trust
> path to Mikka. Albeit one step removed, since the signing key he uses
> has one signature, from another of his keys - but that one has at
> least one. (I haven't managed to construct a trust path to Mikka
> myself, since most of the public pathfinder servers don't have his
> key)

The signature of Tiberius was trusted by Pilatus and Herodes. The signature of Philippus wasn't trusted by Lysanias or anybody else.

I couldn't find a key on public servers for Hannas and Kaiphas, but fortunately the key of Johannes is available and the signature is trusted by Zacharias.

I've got some nice examples for signatures similar to this one:

On Wed, 2012-05-09 at 08:23 +0200, Frank Lanitz wrote:
On 08.05.2012 13:11, Indulekha wrote:
> > -----BEGIN PGP SIGNATURE-----
> >> Version: GnuPG v1.4.11 (GNU/Linux)
> >> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> >> -----END PGP SIGNATURE-----

I'll post my top 100 tomorrow on this list. Would this be ok for you? If not, would it be ok if I just post my top 50?

Or would it be a good idea to close this thread?

Regards,
Ralf
Re: gpg/pgp noise
On Wed, May 09, 2012 at 07:20:15PM +1000, Scott Ferguson wrote: > On 09/05/12 18:56, Jon Dowland wrote: > > In what way? I can verify Mika's signatures just fine. The signatures > > are valid. > > All his posts? > Is cutting and pasting a hobby? > Do you between "some" and "all"? The ones I've bothered to verify, via '|gpg --verify' in mutt. So not all of them. I haven't done any copy-and-pasting. Or do you mean something else? > Because there's no chain of trust. Confirmed? (you've trimmed my initial investigation which indicates he has at least one signatory.) > > It's not impossible for someone to have a trust > > path to Mika. > > Either there is a chain of trust, or there isn't. Indeed, but > Care to commit an opinion? As I think my message made quite clear, I haven't ruled it out as possible nor seen anyone else do so. Please correct me if I'm wrong. It's also worth pointing out that, if Mika manages to strengthen his web of trust in the future, we can then verify his signed messages in the past. -- Archive: http://lists.debian.org/20120509093944.GC8272@debian
Re: gpg/pgp noise
09.05.2012 11:56, Jon Dowland wrote: > On Wed, May 09, 2012 at 12:29:31PM +1000, Scott Ferguson wrote: >> Bob's PGP signature is valid - yours is not >> You waste our time and bandwidth. > > In what way? I can verify Mika's signatures just fine. The signatures > are valid. > >> Bob's key validates his identity - yours does not. >> I can verify that "Bob" is "Bob" through a chain of trust. > > Why does Mika's not? It's not impossible for someone to have a trust > path to Mika. Albeit one step removed, since the signing key he uses > has one signature, from another of his keys - but that one has at > least one. (I haven't managed to construct a trust path to Mika > myself, since most of the public pathfinder servers don't have his > key) > > Because nobody else near Kotka, Finland uses PGP and the nearest CAcert assurers are after 110KMs from me. PS. I am back to weird long signatures. I won't comment to this thread anymore nor to anything else which I haven't written in my signature or elsewhere. -- [Mika Suomalainen](https://mkaysi.github.com/) || [gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728](http://mkaysi.github.com/PGP/key.txt) || [Why do I sign my emails?](http://mkaysi.github.com/PGP/WhyDoISignEmails.html) || [Please don't send HTML.](http://mkaysi.github.com/articles/complaining/HTML.html) || [Please don't toppost](http://mkaysi.github.com/articles/complaining/topposting.html) || [This signature](https://gist.github.com/2643070) ||
Re: gpg/pgp noise
On 09/05/12 18:56, Jon Dowland wrote: > On Wed, May 09, 2012 at 12:29:31PM +1000, Scott Ferguson wrote: >> Bob's PGP signature is valid - yours is not >> You waste our time and bandwidth. > > In what way? I can verify Mika's signatures just fine. The signatures > are valid. All his posts? Is cutting and pasting a hobby? Do you between "some" and "all"? > Why does Mika's not? Is that a serious question? Because there's no chain of trust. > It's not impossible for someone to have a trust > path to Mika. Either there is a chain of trust, or there isn't. Care to commit an opinion? Regards -- Iceweasel/Firefox/Chrome/Chromium/Iceape/IE extensions for finding answers to questions about Debian:- https://addons.mozilla.org/en-US/firefox/collections/Scott_Ferguson/debian/ -- Archive: http://lists.debian.org/4faa36cf.7060...@gmail.com
Re: gpg/pgp noise
On Wed, May 09, 2012 at 08:23:06AM +0200, Frank Lanitz wrote: > On 08.05.2012 13:11, Indulekha wrote: > > -----BEGIN PGP SIGNATURE----- > >> Version: GnuPG v1.4.11 (GNU/Linux) > >> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ > >> > >> iQEcBAEBAgAGBQJPqPsiAAoJECPmYW6gk8JjitcH/RGtSdn39OPewwyXYgebGiUy > >> Ws29uZkfae4LlD9LRQeGQujHVW7bzMVCW2EXdRsCGIbpU0+KUjYGJebXKtwzNmLU > >> C1Uc7tVGUtACQ/S9DgFX1oBD4C7Siirdgokk+8HggVcqvGYs2jnxg5tetU+G18pE > >> UQ9jxxaf48EANwHDgildQ85xHJk3DnWvfsvUASlobQIDq/vRmbLNPjdfBe1rp7R/ > >> Y8m7+3vxIsnSYrT8oeAGoDGJe3PrdJ6EP96VFJBjXARportrx+8YowUyEKeRyqf6 > >> EUNcXZILLpPJOqcyUsyxRALmGoTYqhHne6TQwZ6ZcGxihNl3+i/WFYQmHNBdTSU= > >> =M9O6 > >> -----END PGP SIGNATURE----- > > This is an inline PGP-signature-block. You only can get rid of in case > of your mail client is understanding inline signatures. There are other ways to get rid of it, such as the display_filter techniques for mutt (which yes, can understand/decode PGP, but you may not configure it to do so - you may not wish it to!) -- Archive: http://lists.debian.org/20120509090050.GC8326@debian
Re: gpg/pgp noise
On Tue, May 08, 2012 at 04:15:28PM -0400, Celejar wrote: > I'm no expert in all this, but can you explain and document what you > mean by the claim that "headers ... must be verified"? All emails have > their headers modified en route (e.g., "Received:" and "Delivered-To" > are added, as are all kinds of "X-stuff" ones). Does PGP/MIME really > protect all headers (beyond the MIME ones)? It really breaks if *any* > headers are modified? Please provide documentation. Writing off the top of my head, you may wish to verify everything I say ☺ PGP/MIME does not verify the headers, but your mail is a multipart/mime mail, and it does verify the specific MIME headers that define the encoding for the signed part. If the message is decoded, or re-encoded, then these headers can change (either semantically, if the re-encoding is via a different scheme, or simply syntactically, afaik whitespace changes etc.) There's a related problem where you can't get at the original mail (so: web archives of mailing lists only give you the decoded bits; I think RT is similar, which is why when someone needs to submit a ticket to the Debian RT queue, they are told to use inline PGP: http://keyring.debian.org/) -- Archive: http://lists.debian.org/20120509085922.GB8326@debian
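The point made in the message above, as an added example that is not part of the original post: it extracts the byte range a PGP/MIME signature covers (the first part of multipart/signed, with that part's own MIME headers) and shows which transit changes alter it. The message, addresses and boundary are constructed, and a SHA-256 digest stands in for the OpenPGP signature so the example runs without gpg or keys.

```python
import base64
import hashlib
import quopri
import re
from email import message_from_bytes

# Constructed sample (not from the thread); the signature part is a placeholder.
QP_BODY = b"Gr=C3=BC=C3=9Fe from the list\n"
ORIGINAL = (
    b"From: alice@example.org\n"
    b"Subject: test\n"
    b"MIME-Version: 1.0\n"
    b"Content-Type: multipart/signed; micalg=pgp-sha256;\n"
    b' protocol="application/pgp-signature"; boundary="sig-bnd"\n'
    b"\n"
    b"--sig-bnd\n"
    b"Content-Type: text/plain; charset=utf-8\n"
    b"Content-Transfer-Encoding: quoted-printable\n"
    b"\n" + QP_BODY + b"\n"
    b"--sig-bnd\n"
    b'Content-Type: application/pgp-signature; name="signature.asc"\n'
    b"\n"
    b"(placeholder for the detached signature)\n"
    b"--sig-bnd--\n"
)


def signed_part_bytes(raw: bytes) -> bytes:
    """Bytes covered by the signature: everything between the first two
    boundary lines, MIME headers of that part included, line ends as CRLF.
    The line break just before a boundary belongs to the boundary."""
    msg = message_from_bytes(raw)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    boundary = msg.get_boundary()
    if not boundary:
        raise ValueError("multipart/signed without a boundary parameter")
    delim = b"--" + boundary.encode("ascii")
    lines = re.split(rb"\r?\n", raw)
    marks = [i for i, line in enumerate(lines)
             if line.rstrip() in (delim, delim + b"--")]
    if len(marks) < 2:
        raise ValueError("signed part is not delimited by two boundaries")
    return b"\r\n".join(lines[marks[0] + 1:marks[1]])


def signed_digest(raw: bytes) -> str:
    """Stand-in for signature verification: digest of the covered bytes."""
    return hashlib.sha256(signed_part_bytes(raw)).hexdigest()


def decoded_text(raw: bytes) -> bytes:
    """What a reader (or a web archive) sees after transfer decoding."""
    return message_from_bytes(raw).get_payload(0).get_payload(decode=True)


def add_transit_headers(raw: bytes) -> bytes:
    """Relay and list server behaviour: new outer headers, tagged Subject."""
    tagged = raw.replace(b"Subject: test", b"Subject: [list] test")
    return (b"Received: from mx.example.net by lists.example.org; "
            b"Tue, 08 May 2012 12:00:00 +0000\n"
            b"X-Mailing-List: <list@example.org>\n" + tagged)


def reencode_as_base64(raw: bytes) -> bytes:
    """A gateway that re-encodes the signed part: same text, new bytes."""
    b64 = base64.encodebytes(quopri.decodestring(QP_BODY))
    return (raw.replace(b"Transfer-Encoding: quoted-printable",
                        b"Transfer-Encoding: base64")
               .replace(QP_BODY, b64))


def refold_part_header(raw: bytes) -> bytes:
    """Whitespace-only change: the signed part's Content-Type gets folded."""
    return raw.replace(b"text/plain; charset=utf-8",
                       b"text/plain;\n charset=utf-8")


def survives(raw: bytes, transform) -> bool:
    """True if the covered bytes are unchanged after the transformation."""
    return signed_digest(transform(raw)) == signed_digest(raw)


if __name__ == "__main__":
    for fn in (add_transit_headers, reencode_as_base64, refold_part_header):
        print(f"{fn.__name__:22} signature still verifies: {survives(ORIGINAL, fn)}")
```

Only the first transformation leaves the covered bytes intact; the other two keep the readable text identical yet would make a real signature fail.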
Re: gpg/pgp noise
On Wed, May 09, 2012 at 12:29:31PM +1000, Scott Ferguson wrote: > Bob's PGP signature is valid - yours is not > You waste our time and bandwidth. In what way? I can verify Mika's signatures just fine. The signatures are valid. > Bob's key validates his identity - yours does not. > I can verify that "Bob" is "Bob" through a chain of trust. Why does Mika's not? It's not impossible for someone to have a trust path to Mika. Albeit one step removed, since the signing key he uses has one signature, from another of his keys - but that one has at least one. (I haven't managed to construct a trust path to Mika myself, since most of the public pathfinder servers don't have his key) -- Archive: http://lists.debian.org/20120509085636.GA8326@debian
Re: gpg/pgp noise
On 08.05.2012 13:11, Indulekha wrote: > -----BEGIN PGP SIGNATURE----- >> Version: GnuPG v1.4.11 (GNU/Linux) >> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ >> >> iQEcBAEBAgAGBQJPqPsiAAoJECPmYW6gk8JjitcH/RGtSdn39OPewwyXYgebGiUy >> Ws29uZkfae4LlD9LRQeGQujHVW7bzMVCW2EXdRsCGIbpU0+KUjYGJebXKtwzNmLU >> C1Uc7tVGUtACQ/S9DgFX1oBD4C7Siirdgokk+8HggVcqvGYs2jnxg5tetU+G18pE >> UQ9jxxaf48EANwHDgildQ85xHJk3DnWvfsvUASlobQIDq/vRmbLNPjdfBe1rp7R/ >> Y8m7+3vxIsnSYrT8oeAGoDGJe3PrdJ6EP96VFJBjXARportrx+8YowUyEKeRyqf6 >> EUNcXZILLpPJOqcyUsyxRALmGoTYqhHne6TQwZ6ZcGxihNl3+i/WFYQmHNBdTSU= >> =M9O6 >> -----END PGP SIGNATURE----- This is an inline PGP-signature-block. You only can get rid of in case of your mail client is understanding inline signatures. This block includes a checksum crypted with the private key of the sender so you can check, whether someone has e.g. modified the text or the text is really sent by, in this case it seems to be Phil, by the author. Cheers, Frank -- Archive: http://lists.debian.org/4faa0d4a.5040...@frank.uvena.de
Re: gpg/pgp noise
On 08/05/12 23:21, Mika Suomalainen wrote: > 08.05.2012 16:16, Indulekha wrote: >> I think they've come a long way in medications to address paranoia >> these last few years... Seriously, why the devil would anyone want >> to spoof your email?! What are you, Black Ops? > > If I recall correctly, Bob has told that his email address has been > spoofed to this list and he signs everything what he sends (as far as > I can see). Seven reasons you shouldn't compare your posts, or your use of PGP with Bob (Proulx):- Bob's PGP signature is valid - yours is not You waste our time and bandwidth. Bob uses signatures selectively - you don't You could, but you enjoy upsetting people. Bob uses unobtrusive signatures - you don't. Bob's signature doesn't contain redundant material (fingerprint, location) - yours does. Bob's key validates his identity - yours does not. I can verify that "Bob" is "Bob" through a chain of trust. Bob uses PGP to verify the identity of the poster, and the integrity of the message - you just make digital noise. and then there's the difference in post content Regards -- Iceweasel/Firefox/Chrome/Chromium/Iceape/IE extensions for finding answers to questions about Debian:- https://addons.mozilla.org/en-US/firefox/collections/Scott_Ferguson/debian/ -- Archive: http://lists.debian.org/4fa9d68b.4040...@gmail.com
Re: gpg/pgp noise
Indulekha wrote: > Anyone know a way to simply filter out all that annoying gpg/pgp noise? > I don't actually care if it really works, just don't want to see the garbage > huge > blocks of text and error messages. If you don't care about signatures, tell mutt to not check them: set pgp_verify_sig=no (Won't do anything to hide inline signatures, but there are procmail recipes to convert those to attachments.) -- see shy jo
Re: gpg/pgp noise
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Celejar wrote: >On Tue, 08 May 2012 14:53:30 +0300 >Mika Suomalainen wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> 08.05.2012 14:45, Jochen Spieker wrote: >> > Indulekha: >> >> >> >> No, I think you may have an incorrect or incomplete >> >> configuration >> > >> > This is inline vs. MIME: >> > >> > http://www.phildev.net/pgp/pgp_clear_vs_mime.html >> > >> > J. >> >> And that page forgets the problems in MIME. >> >> PGP/MIME requires headers, message and the signature.asc to be >> verified. Some mailing list programs mess up with the headers and >this >> way make PGP/MIME signatures unverifiable. > >I'm no expert in all this, but can you explain and document what you >mean by the claim that "headers ... must be verified"? All emails have >their headers modified en route (e.g., "Received:" and "Delivered-To" >are added, as are all kinds of "X-stuff" ones). Does PGP/MIME really >protect all headers (beyond the MIME ones)? It really breaks if *any* >headers are modified? Please provide documentation. > >http://www.ietf.org/rfc/rfc1847.txt >http://www.imc.org/ietf-openpgp/mail-archive/msg01938.html > >This stuff is old, but do you have anyth, PGP/MIME emails add some headers. ing more current? > >Celejar My information is based on what others answered when I asked what caused that problem at enigmail-user. As far as I understand, pgp/mime adds some headers to messages which are signed with it. PS. I crosslisted this so people who know about this can answer. Debian-user allows everyone to post on it, but I don't know about Enigmail. - -- Mika Suomalainen gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728 Key fingerprint = 24BC 1573 B8EE D666 D10A AA65 4DB5 3CFE 82A4 6728 http://mkaysi.github.com/ I apologize for possible "reply all" button usage on mailing list.
This email client doesn't have "reply list" button, please see (and star) https://code.google.com/p/k9mail/issues/detail?id=2797 Sent from Ciblia (my Samsung Galaxy 5) with K9 Mail. -- Archive: http://lists.debian.org/aebb6b4d-2e8e-43b7-b731-7e873c6a1...@email.android.com
Re: gpg/pgp noise
On Tue, 08 May 2012 14:53:30 +0300 Mika Suomalainen wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > 08.05.2012 14:45, Jochen Spieker wrote: > > Indulekha: > >> > >> No, I think you may have an incorrect or incomplete > >> configuration > > > > This is inline vs. MIME: > > > > http://www.phildev.net/pgp/pgp_clear_vs_mime.html > > > > J. > > And that page forgets the problems in MIME. > > PGP/MIME requires headers, message and the signature.asc to be > verified. Some mailing list programs mess up with the headers and this > way make PGP/MIME signatures unverifiable. I'm no expert in all this, but can you explain and document what you mean by the claim that "headers ... must be verified"? All emails have their headers modified en route (e.g., "Received:" and "Delivered-To" are added, as are all kinds of "X-stuff" ones). Does PGP/MIME really protect all headers (beyond the MIME ones)? It really breaks if *any* headers are modified? Please provide documentation. http://www.ietf.org/rfc/rfc1847.txt http://www.imc.org/ietf-openpgp/mail-archive/msg01938.html This stuff is old, but do you have anything more current? Celejar -- Archive: http://lists.debian.org/20120508161528.c7de9440.cele...@gmail.com
Re: gpg/pgp noise
On Tue, 2012-05-08 at 21:13 +0200, Ralf Mardorf wrote: > *chuckle* > > Perhaps I'm now unsubscribed to debian-users too?! This mail didn't come > through the list or simply wasn't forwarded to myself by the list. Everything is ok. So at least at the moment subscribing and unsubscribing is easy to do and there are no technical issues. -- Archive: http://lists.debian.org/1336504844.2171.285.camel@precise
Re: gpg/pgp noise
On Tue, 2012-05-08 at 21:07 +0200, Ralf Mardorf wrote: > On Tue, 2012-05-08 at 20:37 +0200, Ralf Mardorf wrote: > > On Tue, 2012-05-08 at 20:25 +0200, Ralf Mardorf wrote: > > > On Tue, 2012-05-08 at 18:32 +0200, an unknown sender wrote: > > > > Doesn't digest send only one email in 24 hours? > > > > > > No, it belongs to the volume, how many digest a day will be send. > > > > > > FWIW I again reversed my subscription by > > > > > > http://www.debian.org/MailingLists/unsubscribe > > > [x] debian-user-digest > > > Your E-Mail address: [snip] > > > http://www.debian.org/MailingLists/subscribe > > > [x] debian-user > > > Your E-Mail address: [snip] > > > > > > and kept a "Re:" in the subject lines for the confirmation mails. > > > > > > I didn't read what kind of issues people had with unsubscribing, so I > > > wonder what will happen now. > > > > > > Interesting I'm already subscribed to debian-user, but I got no > > confirmation that I'm unsubscribed to debian-user-digest, but received a > > digest instead. Perhaps it takes a while. > > Now I received that I'm removed from list debian-user-digest. > > Seems to be idiot-proof, as long as there isn't a serious issue for the > web sites or the browser. *chuckle* Perhaps I'm now unsubscribed to debian-users too?! This mail didn't come through the list or simply wasn't forwarded to myself by the list. -- Archive: http://lists.debian.org/1336504427.2171.283.camel@precise
Re: gpg/pgp noise
On Tue, 2012-05-08 at 20:37 +0200, Ralf Mardorf wrote: > On Tue, 2012-05-08 at 20:25 +0200, Ralf Mardorf wrote: > > On Tue, 2012-05-08 at 18:32 +0200, an unknown sender wrote: > > > Doesn't digest send only one email in 24 hours? > > > > No, it belongs to the volume, how many digest a day will be send. > > > > FWIW I again reversed my subscription by > > > > http://www.debian.org/MailingLists/unsubscribe > > [x] debian-user-digest > > Your E-Mail address: [snip] > > http://www.debian.org/MailingLists/subscribe > > [x] debian-user > > Your E-Mail address: [snip] > > > > and kept a "Re:" in the subject lines for the confirmation mails. > > > > I didn't read what kind of issues people had with unsubscribing, so I > > wonder what will happen now. > > > Interesting I'm already subscribed to debian-user, but I got no > confirmation that I'm unsubscribed to debian-user-digest, but received a > digest instead. Perhaps it takes a while. Now I received that I'm removed from list debian-user-digest. Seems to be idiot-proof, as long as there isn't a serious issue for the web sites or the browser. -- Archive: http://lists.debian.org/1336504065.2171.281.camel@precise
Re: gpg/pgp noise
On Tue, 2012-05-08 at 20:25 +0200, Ralf Mardorf wrote: > On Tue, 2012-05-08 at 18:32 +0200, an unknown sender wrote: > > Doesn't digest send only one email in 24 hours? > > No, it belongs to the volume, how many digest a day will be send. > > FWIW I again reversed my subscription by > > http://www.debian.org/MailingLists/unsubscribe > [x] debian-user-digest > Your E-Mail address: [snip] > http://www.debian.org/MailingLists/subscribe > [x] debian-user > Your E-Mail address: [snip] > > and kept a "Re:" in the subject lines for the confirmation mails. > > I didn't read what kind of issues people had with unsubscribing, so I > wonder what will happen now. Interesting I'm already subscribed to debian-user, but I got no confirmation that I'm unsubscribed to debian-user-digest, but received a digest instead. Perhaps it takes a while. -- Archive: http://lists.debian.org/1336502273.2171.265.camel@precise
Re: gpg/pgp noise
On Tue, 2012-05-08 at 18:32 +0200, an (not really) unknown sender (Camaleón) wrote: > On Tue, 08 May 2012 16:57:51 +0200, Ralf Mardorf wrote: > > (...) > > > Btw. if people wish to sign mails to Linux mailing lists, they should > > do. IMO it's nonsense to sign mails to Linux mailing lists. For what do > > you need signing? > > +5 > > I also find it senseless and not just for mailing lists. > > Greetings, High five, Ralf -- Archive: http://lists.debian.org/1336501803.2171.253.camel@precise
Re: gpg/pgp noise
On Tue, 2012-05-08 at 18:32 +0200, an unknown sender wrote: > Doesn't digest send only one email in 24 hours? No, it belongs to the volume, how many digest a day will be send. FWIW I again reversed my subscription by http://www.debian.org/MailingLists/unsubscribe [x] debian-user-digest Your E-Mail address: [snip] http://www.debian.org/MailingLists/subscribe [x] debian-user Your E-Mail address: [snip] and kept a "Re:" in the subject lines for the confirmation mails. I didn't read what kind of issues people had with unsubscribing, so I wonder what will happen now. Regards, Ralf -- Archive: http://lists.debian.org/1336501537.2171.251.camel@precise
Re: gpg/pgp noise
On Tue, 08 May 2012 16:57:51 +0200, Ralf Mardorf wrote: (...) > Btw. if people wish to sign mails to Linux mailing lists, they should > do. IMO it's nonsense to sign mails to Linux mailing lists. For what do > you need signing? +5 I also find it senseless and not just for mailing lists. Greetings, -- Camaleón -- Archive: http://lists.debian.org/jobg5f$vio$1...@dough.gmane.org
Re: gpg/pgp noise
On Tue, 08 May 2012 09:35:08 -0500, Indulekha wrote: > On Tue, May 08, 2012 at 02:11:32PM +, Camaleón wrote: >> > Anyone know a way to simply filter out all that annoying gpg/pgp >> > noise? >> >> (...) >> >> IIRC, Mutt does not automatically verifies the signatures unless you >> explicitly configure to do it so. Just disable that option. >> >> > Yes, it's always so simple to fix it in mutt when you don't actually use > mutt. ;) I do use Mutt and have no problem with signed messages. > Fortunately, this is now solved-- thanks to Jochen Spieker's generously > sharing his .mutt/display-filter recipe. Hopefully, more people found > this whole thread useful than were offended, frightened, or confused by > it... I know I STFW long and hard, and the filters stubbornly eluded me > for several days. I have not followed the whole thread, sorry :-) Greetings, -- Camaleón -- Archive: http://lists.debian.org/jobf70$vio$9...@dough.gmane.org
Re: gpg/pgp noise
Could you all please discuss this off-list? Thank you! I receive digest, because I wish to have less traffic. But now I receive tons of digest just about this discussion. Since digest isn't correct formatted anymore, it already isn't a pleasure to read it, resp. to sort out what I won't read isn't easy to do anymore. Btw. if people wish to sign mails to Linux mailing lists, they should do. IMO it's nonsense to sign mails to Linux mailing lists. For what do you need signing? Since it can't be regarding to security, it must be regarding to A: "He called me an idiot and said it will repair my MBR, if I burn my monitor and it won't harm the monitor" B: "No, I didn't, the mail wasn't signed, somebody faked the envelope of the mail" Isn't this ... have forgotten the Internet term I don't like ;). -- Archive: http://lists.debian.org/1336489071.2171.169.camel@precise
Re: gpg/pgp noise
08.05.2012 17:57, Ralf Mardorf wrote: > Could you all please discuss this off-list? Thank you! I receive digest, > because I wish to have less traffic. But now I receive tons of digest > just about this discussion. Since digest isn't correct formatted anymore, > it already isn't a pleasure to read it, resp. to sort out what I won't > read isn't easy to do anymore. Doesn't digest send only one email in 24 hours? -- Mika Suomalainen gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728 Key fingerprint = 24BC 1573 B8EE D666 D10A AA65 4DB5 3CFE 82A4 6728 http://mkaysi.github.com/
Re: gpg/pgp noise
08.05.2012 17:19, Lars Noodén wrote: > My guess would be somewhere here: > https://launchpad.net/ubuntu/ > The response from IRC might be more precise. But once it is entered, it > is easier to find out if it is really an upstream problem. > > Regards > /Lars This bug is now reported. Please set it as affecting you and subscribe to all changes related to it to get maximum heat to it. https://bugs.launchpad.net/ubuntu/+bug/996581 Affected user increases the heat by 4, subscriber of all messages by 2. Lars, thanks for giving that workaround offlist, I did this with it. -- Mika Suomalainen gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728 Key fingerprint = 24BC 1573 B8EE D666 D10A AA65 4DB5 3CFE 82A4 6728 http://mkaysi.github.com/
Re: gpg/pgp noise
On Tue, 08 May 2012 13:00:26 +0100, Phil wrote in message <4fa90ada.80...@gmail.com>: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 08/05/12 12:57, Indulekha wrote: > > On Tue, May 08, 2012 at 02:53:30PM +0300, Mika Suomalainen wrote: > > 08.05.2012 14:45, Jochen Spieker wrote: > >>>> Indulekha: > >>>>> > >>>>> No, I think you may have an incorrect or incomplete > >>>>> configuration > >>>> > >>>> This is inline vs. MIME: > >>>> > >>>> http://www.phildev.net/pgp/pgp_clear_vs_mime.html > >>>> > >>>> J. > > > > And that page forgets the problems in MIME. > > > > PGP/MIME requires headers, message and the signature.asc to be > > verified. Some mailing list programs mess up with the headers and > > this way make PGP/MIME signatures unverifiable. > > > > In INLINE, the signature is in message and it doesn't require > > headers to be verified so it's harder to be messed up by mailing > > list software. > > > >> > > > > Well, all I know is that Jochen Spieker is able to use it without > > being intrusive Maybe you should try to follow his example? :) > > > I'm getting the distinct impression you're not quite following this > thread as it's written :-) ..me, I follow it in the exact threaded way, my fetchmail fed procmail filtered claws-mail presents my d-u mail list folder to me at the very time I hop in there. ;o) -- ..med vennlig hilsen = with Kind Regards from Arnt Karlsen ...with a number of polar bear hunters in his ancestry... Scenarios always come in sets of three: best case, worst case, and just in case. -- Archive: http://lists.debian.org/20120508164539.55663...@celsius.lan
Re: gpg/pgp noise
08.05.2012 17:19, Lars Noodén wrote: > On 5/8/12 4:35 PM, Mika Suomalainen wrote: >> 08.05.2012 16:09, Lars Noodén wrote: > [snip] >>> For Canonical's products, the bug should be in Launchpad. If >>> you point to it, we can add to it. > [snip] >> What would be the correct project at Launchpad to report this bug? I >> have just pinged people at IRC. > [snip] > > My guess would be somewhere here: > https://launchpad.net/ubuntu/ > The response from IRC might be more precise. But once it is entered, it > is easier to find out if it is really an upstream problem. > > Regards > /Lars > > That page links to wiki page, which asks running reportbug . PS. My emails to this list should be signed with PGP/MIME with instructions from someone who is reading this list with newsgroup and cannot post to list directly. That feature hasn't ever worked for me, but let's hope that it works now. -- Mika Suomalainen gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728 Key fingerprint = 24BC 1573 B8EE D666 D10A AA65 4DB5 3CFE 82A4 6728 http://mkaysi.github.com/
Re: gpg/pgp noise
On 5/8/12 4:35 PM, Mika Suomalainen wrote: > 08.05.2012 16:09, Lars Noodén wrote: [snip] >> For Canonical's products, the bug should be in Launchpad. If >> you point to it, we can add to it. [snip] > What would be the correct project at Launchpad to report this bug? I > have just pinged people at IRC. [snip] My guess would be somewhere here: https://launchpad.net/ubuntu/ The response from IRC might be more precise. But once it is entered, it is easier to find out if it is really an upstream problem. Regards /Lars -- Archive: http://lists.debian.org/4fa92b77.9040...@gmail.com
Re: gpg/pgp noise
On Tue, May 08, 2012 at 02:11:32PM +, Camaleón wrote: > On Tue, 08 May 2012 05:43:17 -0500, Indulekha wrote: > > > I'm getting this with most gpg/pgp-signed mails received from this list > > (using mutt): > > > > [-- PGP output follows (current time: Tue 08 May 2012 05:35:27 AM CDT) --] > > gpgkeys: key 7356B378DEA22DE9 not found on keyserver > > gpg: Signature made Tue 08 May 2012 02:04:44 AM CDT using RSA key ID > > DEA22DE9 > > gpg: requesting key DEA22DE9 from ldap server keyserver.pgp.com > > And that's true. That key does not exist in the server. > > > gpg: no valid OpenPGP data found. > > gpg: Total number processed: 0 > > gpg: Can't check signature: public key not found > > [-- End of PGP output --] > > > > [-- The following data is signed --] > > > > PGP signature could NOT be verified. > > --- > > So what's wrong? I think all of the above is okay. > > > My public key has been published, > > Is it your own signature key? Then some step is missing or you made > something wrong. > > > and I followed the exact procedure I used last time in muttrc to make > > this crap work. > > If you think GPG/PGP is "crap", I wonder why is that you are using it. > > > Am I powerless over other peoples' misconfigured gpg here, or does this > > indicate some error on my part? > > Most probably, the latter. > > > Anyone know a way to simply filter out all that annoying gpg/pgp noise? > > (...) > > IIRC, Mutt does not automatically verifies the signatures unless you > explicitly configure to do it so. Just disable that option. > Yes, it's always so simple to fix it in mutt when you don't actually use mutt. ;) Fortunately, this is now solved-- thanks to Jochen Spieker's generously sharing his .mutt/display-filter recipe. Hopefully, more people found this whole thread useful than were offended, frightened, or confused by it... I know I STFW long and hard, and the filters stubbornly eluded me for several days.
-- ❤ ♫ ❤ ♫ ❤ ♫ ❤ Indulekha -- Archive: http://lists.debian.org/20120508143508.GA12943@radhesyama
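The recipe mentioned above is not reproduced in this thread. The following is an added example, not Jochen Spieker's recipe and not part of the original posts: a stdin-to-stdout filter of the kind mutt's display_filter setting can call, which hides inline (clearsigned) PGP armor, including quoted copies, and replaces each signature block with a marker so the reader still sees that an unverified signature was there. The sample message, marker text and script path are constructed.

```python
import re
import sys

# Possible muttrc line (the path is a placeholder):
#   set display_filter="python3 ~/.mutt/strip_inline_pgp.py"

MARKER = "[inline PGP signature removed, not verified]"
QUOTE = r"(?P<q>(?:>[ \t]?)*)"          # optional "> > " reply prefix
BEGIN_MSG = re.compile(QUOTE + r"-----BEGIN PGP SIGNED MESSAGE-----\s*$")
BEGIN_SIG = re.compile(QUOTE + r"-----BEGIN PGP SIGNATURE-----\s*$")
END_SIG = re.compile(QUOTE + r"-----END PGP SIGNATURE-----\s*$")
ARMOR_HDR = re.compile(QUOTE + r"[A-Za-z]+: \S.*$")   # e.g. "Hash: SHA256"
BLANK = re.compile(QUOTE + r"\s*$")
DASH_ESC = re.compile(QUOTE + r"- (?P<rest>.*)$")      # clearsign dash escaping


def strip_inline_pgp(text: str, marker: str = MARKER) -> str:
    out, held = [], []
    state, quote = "text", ""
    for line in text.splitlines():
        if state == "sig":
            # Hold the block until its END line is seen, so that a truncated
            # block never swallows the rest of the mail.
            held.append(line)
            if END_SIG.match(line):
                out.append(quote + marker)
                held, state = [], "text"
            continue
        if state == "headers":
            if ARMOR_HDR.match(line):
                continue                  # drop "Hash: ..." armor headers
            state = "signed"
            if BLANK.match(line):
                continue                  # drop the separator line
        if BEGIN_MSG.match(line):
            state = "headers"
            continue
        m = BEGIN_SIG.match(line)
        if m:
            quote, held, state = m.group("q"), [line], "sig"
            continue
        if state == "signed":
            m = DASH_ESC.match(line)
            if m:                         # "- -- " becomes "-- " again
                line = m.group("q") + m.group("rest")
        out.append(line)
    out.extend(held)                      # unterminated block: leave as it was
    return "\n".join(out) + "\n"


# Constructed sample: one clearsigned message plus a quoted signature block.
SAMPLE = "\n".join([
    "Hello list,",
    "",
    "-----BEGIN PGP SIGNED MESSAGE-----",
    "Hash: SHA256",
    "",
    "I agree with the above.",
    "- -- ",
    "Example Sender",
    "-----BEGIN PGP SIGNATURE-----",
    "Version: ExamplePGP 0.0 (constructed)",
    "",
    "Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=",
    "=AAAA",
    "-----END PGP SIGNATURE-----",
    "> quoted reply text",
    "> -----BEGIN PGP SIGNATURE-----",
    "> Q09OU1RSVUNURUQ=",
    "> -----END PGP SIGNATURE-----",
    "Trailing text",
]) + "\n"

if __name__ == "__main__":
    sys.stdout.write(strip_inline_pgp(sys.stdin.read()))
```

After filtering, signed and unsigned text look the same on screen, so the marker is the only remaining hint that a signature existed and was not checked.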
Re: gpg/pgp noise
On 05/08/2012 08:50 AM, Mika Suomalainen wrote: > 08.05.2012 15:33, Johann Spies wrote: >> On Tue, May 08, 2012 at 01:20:21PM +0200, Jochen Spieker wrote: > Are you receiving the missing keys from keyserver automatically? You > can do this by adding >> keyserver-options auto-key-retrieve > to ~/.gnupg/gpg.conf . > > PS. If anyone is interested, my gpg.conf can be found at > https://github.com/Mkaysi/shell-things/blob/master/gnupg/gpg.conf . > This is my configuration and it's never had a problem with a single mailing list. I'm also able to retrieve any GPG/PGP key that is properly published and publicly available. The only change I've had to make to my configuration is removal of the "sig-keyserver-url" option after I found that the Debian backend DAK software does not know how to properly handle this subpacket type and would reject any package uploads. This has still been an issue even after I've since submitted a patch which would correct the behavior and handle the subpackets correctly per the OpenPGP RFC and GnuPG documentation. https://gist.github.com/2635431 -- Archive: http://lists.debian.org/4fa92ba4.9080...@undergrid.net
Re: gpg/pgp noise
On Tue, 08 May 2012 05:43:17 -0500, Indulekha wrote:
> I'm getting this with most gpg/pgp-signed mails received from this list
> (using mutt):
>
> [-- PGP output follows (current time: Tue 08 May 2012 05:35:27 AM CDT) --]
> gpgkeys: key 7356B378DEA22DE9 not found on keyserver
> gpg: Signature made Tue 08 May 2012 02:04:44 AM CDT using RSA key ID DEA22DE9
> gpg: requesting key DEA22DE9 from ldap server keyserver.pgp.com

And that's true. That key does not exist in the server.

> gpg: no valid OpenPGP data found.
> gpg: Total number processed: 0
> gpg: Can't check signature: public key not found
> [-- End of PGP output --]
>
> [-- The following data is signed --]
>
> PGP signature could NOT be verified.
> ---

So what's wrong? I think all of the above is okay.

> My public key has been published,

Is it your own signature key? Then some step is missing or you made something wrong.

> and I followed the exact procedure I used last time in muttrc to make
> this crap work.

If you think GPG/PGP is "crap", I wonder why is that you are using it.

> Am I powerless over other peoples' misconfigured gpg here, or does this
> indicate some error on my part?

Most probably, the latter.

> Anyone know a way to simply filter out all that annoying gpg/pgp noise?

(...)

IIRC, Mutt does not automatically verify the signatures unless you explicitly configure to do it so. Just disable that option.

Greetings,

-- Camaleón
Archive: http://lists.debian.org/job9ik$vio$5...@dough.gmane.org
Re: gpg/pgp noise
Okay, yes I'm top-posting get over it...

Are you fraking kidding me? All this fscking drivel filling up the Debian mailing list because Ubuntu and other mailing lists don't properly handle PGP/MIME open standard signed email messages? Is that why my mailbox is getting the crap blown up about?

Bitch to the mailing lists to upgrade their old, broken, busted ass software! Bitch to the mailing list software developers if their old, broken, busted ass software doesn't properly support MIME. But for the love of all that's holy stop this mindless bullshit thread about something that does not affect the Debian project or mailing lists!

And my message isn't signed because my GPG key is on a smartcard and I'm accessing my computer remotely so obviously can't put the smartcard in the reader to sign this message.

On 05/08/2012 08:05 AM, Mika Suomalainen wrote:
> 08.05.2012 15:03, Indulekha wrote:
>> On Tue, May 08, 2012 at 03:00:16PM +0300, Mika Suomalainen wrote:
>> If I used PGP/MIME, my signatures couldn't be verified on Ubuntu
>> mailing lists (I am on 5 of them if I recall correctly), nor
>> Enigmail mailing list nor gnupg-user mailing lists nor many
>> others. This is small list of those MLs, which I mean with
>> http://mkaysi.github.com/PGP/Clearsigning.html .
>
>
>> I see... so the people on the *proper* mailing lists will just
>> have to suffer then, eh? :\
>
>
> I don't understand how those other mailing lists are improper.
>

Archive: http://lists.debian.org/4fa928b7.1010...@undergrid.net
Re: gpg/pgp noise
On Tue, May 08, 2012 at 02:41:29PM +0100, Phil Dobbin wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 08/05/12 14:35, Indulekha wrote:
>
> > On Tue, May 08, 2012 at 09:26:47AM -0400, Tom H wrote:
> >> On Tue, May 8, 2012 at 9:06 AM, Mika Suomalainen
> >> wrote:
> >>>
> >>> And if someone spoofs email from my address to this list and it's
> >>> unsigned and my messages to this list are always unsigned, I cannot
> >>> say that I always sign my emails and that isn't sent by me.
> >>
> >> What a life-threatening problem! ;)
> >>
> >
> > I know, right?
> > When someone figures out how to spoof his gpg crap he'll probably have a
> > stroke!
>
> Well, that's our friend gone to the great
> bitbucket in the Sky. I suggest Mika, you do the same...
>

Ok then, c ya!

Tolerating dissenting opinions is a valuable social skill you might want to pick up, but it's totally up to you. :)

-- ❤ ♫ ❤ ♫ ❤ ♫ ❤ Indulekha
Archive: http://lists.debian.org/20120508140449.GC12598@radhesyama
Re: gpg/pgp noise
On Tue, May 08, 2012 at 02:45:59PM +0100, Jon Dowland wrote:
> On Tue, May 08, 2012 at 08:28:35AM -0500, Indulekha wrote:
> > And on top of it, everyone else on the list gets held hostage
> > and is forced to jump through so many hoops just to avoid being
> > inconvenienced.
> >
> > So rude...
>
> With respect, I don't think you have the right to speak for 'everyone else' on
> the list. You may be inconvenienced by inline-signed messages, but that
> doesn't mean everyone is.
>

Plenty of people on this list have agreed with me on this issue before...

> > You must be from up north, LOL!
>
> Now *that's* rude.
>

Well, it's always rude to tell people they're rude, of course. I was attempting to use humor, but as everyone's sense of humor is unique, it can be a bit hazardous...

-- ❤ ♫ ❤ ♫ ❤ ♫ ❤ Indulekha
Archive: http://lists.debian.org/20120508135811.GB12598@radhesyama
Re: gpg/pgp noise
On Tue, May 08, 2012 at 02:46:40PM +0100, Jon Dowland wrote:
> On Tue, May 08, 2012 at 07:38:49AM -0500, Indulekha wrote:
> > They don't support the considerate version of gpg/pgp.
> > Now that I know that people using this actually have a choice and
> > choose to be rude, it does make it rather tempting to set up an
> > autoresponder and filter to nag them...
>
> Why not invest the time in fixing your mail client(s) to strip the stuff you
> don't want, instead? That would be infinitely more productive, and much less
> likely to see you banned from Debian mailing lists.

That's what I finally did, as you'll see when you're up to date. I think getting banned is almost impossible, but I was never actually going to do the autoresponder thing -- I merely said it was "tempting". :)

-- ❤ ♫ ❤ ♫ ❤ ♫ ❤ Indulekha
Archive: http://lists.debian.org/20120508135149.GA12598@radhesyama
Re: gpg/pgp noise
On Tue, May 08, 2012 at 02:50:22PM +0200, Mika Suomalainen wrote:
>
> Are you receiving the missing keys from keyserver automatically? You
> can do this by adding
> > keyserver-options auto-key-retrieve
> to ~/.gnupg/gpg.conf .
>
> PS. If anyone is interested, my gpg.conf can be found at
> https://github.com/Mkaysi/shell-things/blob/master/gnupg/gpg.conf .

Thanks.

Regards
Johann
--
Johann Spies  Telefoon: 021-808 4699
Databestuurder / Data manager
Sentrum vir Navorsing oor Evaluasie, Wetenskap en Tegnologie
Centre for Research on Evaluation, Science and Technology
Universiteit Stellenbosch.

"Follow peace with all men, and holiness, without which no man shall see the Lord." Hebrews 12:14
Re: gpg/pgp noise
On Tue, May 08, 2012 at 07:38:49AM -0500, Indulekha wrote:
> They don't support the considerate version of gpg/pgp.
> Now that I know that people using this actually have a choice and
> choose to be rude, it does make it rather tempting to set up an
> autoresponder and filter to nag them...

Why not invest the time in fixing your mail client(s) to strip the stuff you don't want, instead? That would be infinitely more productive, and much less likely to see you banned from Debian mailing lists.

Archive: http://lists.debian.org/20120508134640.GD18828@debian
Re: gpg/pgp noise
On Tue, May 08, 2012 at 08:28:35AM -0500, Indulekha wrote:
> And on top of it, everyone else on the list gets held hostage
> and is forced to jump through so many hoops just to avoid being
> inconvenienced.
>
> So rude...

With respect, I don't think you have the right to speak for 'everyone else' on the list. You may be inconvenienced by inline-signed messages, but that doesn't mean everyone is.

> You must be from up north, LOL!

Now *that's* rude.

Archive: http://lists.debian.org/20120508134559.GC18828@debian
Re: gpg/pgp noise
On Tue, May 08, 2012 at 03:34:55PM +0200, Jochen Spieker wrote:
> Johann Spies:
> > On Tue, May 08, 2012 at 01:20:21PM +0200, Jochen Spieker wrote:
> >
> >>
> >> muttrc:
> >>
> >> set display_filter='sed -f ~/.mutt/display-filter'
> >>
> >> ~/.mutt/display-filter:
> >>
> >> /^gpg:/d
> >
> > Thanks. I have learnt something new in this thread.
>
> JFTR, my actual display-filter contains this for PGP signatures:
>
> # wipe secondary gpg user ids
> /^gpg:[ ]\+aka/d
> /^gpg:[ ]\+There is no indication that the signature belongs to the owner\.$/d
> /^gpg: please do a --check-trustdb/d
> /^Primary key fingerprint:/d
>
> That removes most of the noise from GnuPG.
>

Very useful stuff, thanks a million!

-- ❤ ♫ ❤ ♫ ❤ ♫ ❤ Indulekha
Archive: http://lists.debian.org/20120508134325.GA12393@radhesyama
Re: gpg/pgp noise
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 08/05/12 14:35, Indulekha wrote:

> On Tue, May 08, 2012 at 09:26:47AM -0400, Tom H wrote:
>> On Tue, May 8, 2012 at 9:06 AM, Mika Suomalainen
>> wrote:
>>>
>>> And if someone spoofs email from my address to this list and it's
>>> unsigned and my messages to this list are always unsigned, I cannot
>>> say that I always sign my emails and that isn't sent by me.
>>
>> What a life-threatening problem! ;)
>>
>
> I know, right?
> When someone figures out how to spoof his gpg crap he'll probably have a
> stroke!

Well, that's our friend gone to the great bitbucket in the Sky. I suggest Mika, you do the same...

Cheers,

Phil..

- -- currently (ab)using Debian Squeeze, Fedora Verne, OS X Snow Leopard, Ubuntu Oneiric
Archive: http://lists.debian.org/4fa92289.1010...@gmail.com
Re: gpg/pgp noise
On Tue, May 08, 2012 at 06:07:25AM -0500, Indulekha wrote:
> On Tue, May 08, 2012 at 01:51:48PM +0300, Mika Suomalainen wrote:
> >
> > That keyserver which you are using seems to be offline and I don't
> > know how used it is. The recommended keyserver is
> > pool.sks-keyservers.net according to gnupg-user mailing list.
> >
> > You probably have line like this in your ~/.gnupg/gpg.conf:
> > > keyserver keyserver.pgp.com
> >
> > Try replacing it with
> > > keyserver hkp://pool.sks-keyservers.net
> >
>
> Thanks!
> That fixed the upfront error messages, but I still have to see
> this at the end:

snip

Try installing t-prot. Your message looked like this, to me (note: unquoted):

Thanks!
That fixed the upfront error messages, but I still have to see
this at the end:

[---=| TOFU protection by t-prot: 25 lines snipped |=---]

Archive: http://lists.debian.org/20120508133955.GB18828@debian
Re: gpg/pgp noise
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

08.05.2012 16:09, Lars Noodén wrote:
> On 5/8/12 4:02 PM, Mika Suomalainen wrote:
>> 08.05.2012 15:43, Lars Noodén wrote:
>>> On 5/8/12 3:41 PM, Mika Suomalainen wrote:
>>>> Note that gnupg mailing lists are also affected and they
>>>> aren't lists themselves, the problem is in mailing list
>>>> software. I think that they all use GNU Mailman, which is
>>>> very popular among mailing lists.
>>>>
>>>> People don't have a choice if they are on mailing lists,
>>>> which force this by having this bug, but do as you want.
>>
>>> Have you filed a bug report for the lists or the list
>>> management software itself?
>>
>>> Regards /Lars
>>
>> According to gnupg-user, it's known problem with Mailman and it
>> seems to be ignored at #canonical-sysadmin in IRC (freenode).
>
> For Canonical's products, the bug should be in Launchpad. If
> you point to it, we can add to it.
>
> For Mailman itself, that should be at Savannah:
>
> https://savannah.gnu.org/
>
> Regards /Lars
>
>

What would be the correct project at Launchpad to report this bug? I have just pinged people at IRC.

I'm not sure does Mailman cause this and I cannot test, so I cannot report a bug to them.

- -- Mika Suomalainen
gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728
Key fingerprint = 24BC 1573 B8EE D666 D10A AA65 4DB5 3CFE 82A4 6728
http://mkaysi.github.com/
Archive: http://lists.debian.org/4fa9213f.1070...@hotmail.com
Re: gpg/pgp noise
Johann Spies:
> On Tue, May 08, 2012 at 01:20:21PM +0200, Jochen Spieker wrote:
>
>>
>> muttrc:
>>
>> set display_filter='sed -f ~/.mutt/display-filter'
>>
>> ~/.mutt/display-filter:
>>
>> /^gpg:/d
>
> Thanks. I have learnt something new in this thread.

JFTR, my actual display-filter contains this for PGP signatures:

    # wipe secondary gpg user ids
    /^gpg:[ ]\+aka/d
    /^gpg:[ ]\+There is no indication that the signature belongs to the owner\.$/d
    /^gpg: please do a --check-trustdb/d
    /^Primary key fingerprint:/d

That removes most of the noise from GnuPG.

J.
--
The houses of parliament make me think of school bullies.
[Agree] [Disagree]
<http://www.slowlydownward.com/NODATA/data_enter2.html>
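The two sed filters quoted in this message, run over a constructed sample of the PGP block mutt displays (an added example, not part of the original post; the sample lines, key ID, names and function names are made up for illustration). It shows that the blanket `/^gpg:/d` also deletes the Good/BAD signature verdict, while the narrower list keeps it:

```shell
#!/bin/sh
# Constructed sample of the PGP block mutt shows above a signed mail.
# $1 is the verdict text gpg would print ("Good signature" or "BAD signature").
sample_output() {
    cat <<EOF
[-- PGP output follows (current time: Tue 08 May 2012 05:35:27 AM CDT) --]
gpg: Signature made Tue 08 May 2012 02:04:44 AM CDT using RSA key ID 0123ABCD
gpg: please do a --check-trustdb
gpg: $1 from "Alice Example <alice@example.org>"
gpg:                 aka "Alice Example <alice@example.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0000 1111 2222 3333 4444  5555 6666 7777 0123 ABCD
[-- End of PGP output --]
Hello list, this is the signed body.
EOF
}

# Blanket filter from the thread: deletes every line gpg printed.
filter_blanket() {
    sed -e '/^gpg:/d'
}

# Narrow filter from the thread: deletes only the listed noise lines.
# ([ ]\+ relies on GNU sed, as in the original post.)
filter_narrow() {
    sed -e '/^gpg:[ ]\+aka/d' \
        -e '/^gpg:[ ]\+There is no indication that the signature belongs to the owner\.$/d' \
        -e '/^gpg: please do a --check-trustdb/d' \
        -e '/^Primary key fingerprint:/d'
}

# Succeeds (exit 0) if a signature verdict line survives on stdin.
verdict_visible() {
    grep -Eq '^gpg: (Good|BAD) signature'
}

# Report which filter still lets the reader see a failed verification.
report() {
    for f in filter_blanket filter_narrow; do
        if sample_output "BAD signature" | "$f" | verdict_visible; then
            echo "$f: BAD signature still shown"
        else
            echo "$f: BAD signature hidden"
        fi
    done
}
report
```

The narrow filter still removes the `Primary key fingerprint:` line, so a fingerprint comparison has to happen outside the filtered display.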
Re: gpg/pgp noise
On Tue, May 08, 2012 at 09:26:47AM -0400, Tom H wrote:
> On Tue, May 8, 2012 at 9:06 AM, Mika Suomalainen
> wrote:
> >
> > And if someone spoofs email from my address to this list and it's
> > unsigned and my messages to this list are always unsigned, I cannot
> > say that I always sign my emails and that isn't sent by me.
>
> What a life-threatening problem! ;)
>

I know, right?
When someone figures out how to spoof his gpg crap he'll probably have a stroke!

-- ❤ ♫ ❤ ♫ ❤ ♫ ❤ Indulekha
Archive: http://lists.debian.org/20120508133503.GB12117@radhesyama