Re: [SOLVED] Re: thunderbird can not import gpg-key

2023-03-25 Thread Probably like
On Sat, Mar 25, 2023 at 04:18:28PM +0100, Hans wrote:
> I am answering myself.
>...
> Then I could export the keys using the correct syntax (name of the key, not 
> some filename).

Probably like

  gpg --export-secret-key 8A7F208C6D9E73291657414D2135D123D8C19BEC > precious


> Such I got a new file, which could be imported into thunderbird.
> 
> So, one mistake led to another, however, now it's working and I learnt 
> something.

Challenge for next time:

 Share the actual (and exact) command.



[SOLVED] Re: thunderbird can not import gpg-key

2023-03-25 Thread Hans
On Saturday, 25 March 2023, 15:52:03 CET, Hans wrote:
I am answering myself.

It is now working. Problem was, that I first tried to use the 
"lkhjpoqwrpoqfjiah.key" files below ".gnupg/private-keys--v1.d/", which did not 
work.

Then, during testings, I changed permissions of .gnupg, which led to a new 
error.

Reverting this, I tried "gpg -K" and then saw the keys with its name.

Then I could export the keys using the correct syntax (name of the key, not 
some filename). Such I got a new file, which could be imported into 
thunderbird.

So, one mistake led to another, however, now it's working and I learnt 
something.

Thanks for all the help.

Best regards

Hans

> Hmm, maybe it is because I changed the permissions during my testing
> purposes.
> 
> I reset them to original and tried again.
> 
> The error is gone, but nothing is exported.
> 
> Ok, thanks guys, I will try some more. Maybe kleopatra is interfering with
> my keys.
> 
> If I know more, I will let you know.
> 
> Best regards
> 
> Hans
> 
> > Did you read the output of the command? You have unsafe permissions on
> > your
> > .gnupg directory, therefore nothing was exported.
> > 
> > Not strange at all...
> > 
> > Cheers,
> > Tom






Re: thunderbird can not import gpg-key

2023-03-25 Thread Teemu Likonen
* 2023-03-25 14:37:10+0100, Hans wrote:

> I tried, but ran into the same issue:
>
> LANG=C gpg --export-secret-key /home/ullhan63/.gnupg/private-keys-v1.d/123456789.key > testkey

Wrong argument. "gpg --export-secret-key" does not want filename
argument. It wants key id, key fingerprint or user id argument(s).

I suggest that you check your key's fingerprint with "gpg -K" command
and then use the fingerprint to select the key for export.

gpg --output key.gpg --export-secret-key F514B7B57C2960FA7D6FF4E15BA322F72BEF564B

-- 
/// Teemu Likonen - .-.. https://www.iki.fi/tlikonen/
// OpenPGP: 6965F03973F0D4CA22B9410F0F2CAE0E07608462
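
Added example, not part of the message above or of the thread: a shell pre-flight for the two conditions discussed here, that the GnuPG home directory is mode 700 and owned by the caller, and that the export argument is a fingerprint, key ID or user ID rather than a file under private-keys-v1.d. The function names are hypothetical, the sample fingerprint is the one quoted above, and the check stops on unsafe permissions where gpg in this thread only printed a warning.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not part of GnuPG.

# Fingerprint quoted in the thread, used only as sample input.
SAMPLE_FPR=F514B7B57C2960FA7D6FF4E15BA322F72BEF564B

# homedir_is_safe DIR
# 0: DIR is owned by the caller and has no group/other permission bits.
# 1: wrong owner or group/other bits set.  2: DIR is not a directory.
homedir_is_safe() {
    [ -d "$1" ] || return 2
    # "ls -ldn" prints e.g. "drwxr-xr-x 6 1000 1000 ...". Keep the six
    # group/other characters of the mode and the numeric owner. A capital
    # S or T means a special bit without the execute bit, so it counts as "-".
    state=$(ls -ldn -- "$1" |
        awk '{ b = substr($1, 5, 6); gsub(/[ST]/, "-", b); print b, $3 }')
    [ "$state" = "------ $(id -u)" ]
}

# classify_selector ARG
# Prints what kind of key selector ARG looks like:
# none, path, fingerprint, keyid or userid.
classify_selector() {
    case $1 in
        '') echo none; return ;;
        */* | *.key) echo path; return ;;   # e.g. private-keys-v1.d/NAME.key
    esac
    hex=${1#0x}
    case $hex in
        *[!0-9A-Fa-f]*) echo userid; return ;;
    esac
    case ${#hex} in
        40) echo fingerprint ;;
        8 | 16) echo keyid ;;
        *) echo userid ;;
    esac
}

# export_preflight HOMEDIR SELECTOR
# Returns 0 only when both checks pass; explains the refusal on stderr.
export_preflight() {
    if ! homedir_is_safe "$1"; then
        echo "refusing: $1 must be a directory with mode 700 that you own" >&2
        return 1
    fi
    case $(classify_selector "$2") in
        fingerprint | keyid | userid) return 0 ;;
        path) echo "refusing: '$2' is a file path; use a fingerprint from 'gpg -K'" >&2 ;;
        *) echo "refusing: no key selector given" >&2 ;;
    esac
    return 1
}

# export_secret_key HOMEDIR SELECTOR OUTFILE
# Runs the export only after the pre-flight; umask 077 keeps the output
# file, which contains the secret key, unreadable for other users.
export_secret_key() {
    export_preflight "$1" "$2" || return 1
    ( umask 077 && gpg --homedir "$1" --output "$3" --export-secret-keys "$2" )
}

# demo: runs the pre-flight against a constructed temporary directory
# (not a real keyring) and prints the three return codes.
demo() {
    d=$(mktemp -d) || return 1
    r1=0; r2=0; r3=0
    chmod 755 "$d"   # same mode as the .gnupg listing in the first post
    export_preflight "$d" "$SAMPLE_FPR" 2>/dev/null || r1=$?
    chmod 700 "$d"
    export_preflight "$d" "$SAMPLE_FPR" || r2=$?
    export_preflight "$d" "$d/private-keys-v1.d/123456789.key" 2>/dev/null || r3=$?
    rmdir "$d"
    echo "$r1 $r2 $r3"
}

demo
```
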




Re: thunderbird can not import gpg-key

2023-03-25 Thread Hans
Hmm, maybe it is because I changed the permissions during my testing purposes. 

I reset them to original and tried again. 

The error is gone, but nothing is exported.

Ok, thanks guys, I will try some more. Maybe kleopatra is interfering with my 
keys.

If I know more, I will let you know.

Best regards

Hans



> Did you read the output of the command? You have unsafe permissions on your
> .gnupg directory, therefore nothing was exported.
> 
> Not strange at all...
> 
> Cheers,
> Tom






Re: thunderbird can not import gpg-key

2023-03-25 Thread Tom Furie
On Sat, Mar 25, 2023 at 02:37:10PM +0100, Hans wrote:

> LANG=C gpg --export-secret-key /home/ullhan63/.gnupg/private-keys-v1.d/123456789.key > testkey
> gpg: WARNING: unsafe permissions on homedir '/home/myusername/.gnupg' 
> gpg: WARNING: nothing exported
> 
> Strange.

Did you read the output of the command? You have unsafe permissions on your
.gnupg directory, therefore nothing was exported.

Not strange at all...

Cheers,
Tom

-- 
I'm a soldier, not a diplomat.  I can only tell the truth.
-- Kirk, "Errand of Mercy", stardate 3198.9




Re: thunderbird can not import gpg-key

2023-03-25 Thread Hans
Hi Geert,

I tried, but ran into the same issue:

LANG=C gpg --export-secret-key /home/ullhan63/.gnupg/private-keys-v1.d/123456789.key > testkey
gpg: WARNING: unsafe permissions on homedir '/home/myusername/.gnupg' 
gpg: WARNING: nothing exported

Strange.

Best regards

Hans


 
> If I recall correct,  I did something like
> 
>   gpg --export-secret-key  0x123456  >   sleutel
> 
> 
> at the command line and then the TB import.
> 
> > Thanks for any hints.
> 
> Thanks for reporting back.
> 
> > Best regards
> > Hans
> 
> Groeten
> Geert Stappers




Re: thunderbird can not import gpg-key

2023-03-25 Thread Geert Stappers
On Sat, Mar 25, 2023 at 11:21:25AM +0100, Hans wrote:
> Hi folks, 
> 
> I wanted to import my secret key into thunderbird, but thunderbird
> can not read the directory.
> 
> What am I doing wrong?
> 
> I do (my thunderbird is in German, so my English translation might
> not be quite accurate):
> 
> - starting thunderbird
> - choose in "Open PGP" the option "add key"
> - click "add existing key"
> - click "files for import"
> - now choose in my /home the folder .gnupg/private-keys-v1.d
> 
> and then I get
> 
> Error opening /home/myusername/.gnupg/private-keys-v1.d
> Access not granted
> 
> ---
> 
> the settings for these are set:
> 
> drwxr-xr-x   6 myusername myusername 20480 24. Mär 17:51 .gnupg
> drwxr-xr-x   6 myusername myusername 20480 24. Mär 17:51 .gnupg/private-keys-v1.d/
> 
> The keys themselves are set "rw" and owner is "myusername:myusername"
> 
> The only explanation I have, that thunderbird is calling a plugin with
> another owner than me, as thunderbird itself is started with ownership
> "myusername".
> 
> However, even if I set the rights to "everybody can read it" (what is
> of course only set for testing purposes!) it does not work.
> 
> Anything else, where I should take a look?

If I recall correct,  I did something like

  gpg --export-secret-key  0x123456  >   sleutel


at the command line and then the TB import.

 
> Thanks for any hints.

Thanks for reporting back.

 
> Best regards
> Hans

Groeten
Geert Stappers
-- 
Silence is hard to parse



thunderbird can not import gpg-key

2023-03-25 Thread Hans
Hi folks, 

I wanted to import my secret key into thunderbird, but thunderbird can not read 
the directory. 

What am I doing wrong?

I do (my thunderbird is in German, so my English translation might not be quite 
accurate): 

- starting thunderbird
- choose in "Open PGP" the option "add key"
- click "add existing key"
- click "files for import"
- now choose in my /home the folder .gnupg/private-keys-v1.d

and then I get

Error opening /home/myusername/.gnupg/private-keys-v1.d
Access not granted

---

the settings for these are set:

drwxr-xr-x   6 myusername myusername 20480 24. Mär 17:51 .gnupg
drwxr-xr-x   6 myusername myusername 20480 24. Mär 17:51 .gnupg/private-keys-v1.d/

The keys themselves are set "rw" and owner is "myusername:myusername"

The only explanation I have, that thunderbird is calling a plugin with another 
owner than me, as thunderbird itself is started with ownership "myusername".

However, even if I set the rights to "everybody can read it" (what is of course 
only set for testing purposes!) it does not work.

Anything else, where I should take a look?

Thanks for any hints.

Best regards

Hans


Re: Error importing gpg key - Solved!

2020-05-26 Thread Dennis Wicks

Reco wrote on 5/16/20 6:14 PM:

> sed -i '/^keyserver-options/d' ~/.gnupg/gpg.conf

Thanks! Solves the problem!



Re: Error importing gpg key

2020-05-16 Thread Reco
Hi.

On Sat, May 16, 2020 at 04:08:18PM -0500, Dennis Wicks wrote:
> The tor website says to use the command
> 
> > gpg --auto-key-locate nodefault,wkd --locate-keys torbrow...@torproject.org
> 
> When I do that I get an error message
> 
> > gpg: keyserver option 'ca-cert-file' is obsolete; please use 'hkp-cacert' 
> > in dirmngr.conf
> 
> I have searched the net and man pages and I can't figure out how to solve 
> this.

sed -i '/^keyserver-options/d' ~/.gnupg/gpg.conf

See [1] for the explanation.

Reco

[1] https://github.com/riseupnet/riseup_help/issues/294



Error importing gpg key

2020-05-16 Thread Dennis Wicks

The tor website says to use the command

> gpg --auto-key-locate nodefault,wkd --locate-keys torbrow...@torproject.org

When I do that I get an error message

> gpg: keyserver option 'ca-cert-file' is obsolete; please use 'hkp-cacert' in dirmngr.conf

I have searched the net and man pages and I can't figure out how to solve this.
I can't find any file on my system that contains the string 'ca-cert-file',
with or without quotes!


TIA for any pointers or other help!
Dennis



Re: GPG key expiry questions?

2018-03-14 Thread likcoras
On 03/14/2018 09:14 PM, Daniel Bareiro wrote:
> On 14/03/18 03:26, Ansgar Burchardt wrote:
>> Just run `gpg --refresh-keys` from time to time.
> 
> Thanks for the suggestion. I have updated my keyring:
> 
> GNUPG seems to have found 9 new signatures ('firmas' in Spanish) from
> Richard.
> 
> The output in English would be something like this:
> 
> Total amount processed: 193
> without changes: 196
> new identifiers: 14
> new subkeys: 14
> new signatures: 3201
> 
> These 'signatures' are new public keys?
> 
> Still Thunderbird is showing the expired key. Should I restart it to
> take the changes?
> 

The "identifiers" (UIDs) are the new identities (name-email pairs) added
to keys by the key owners.

Subkeys are just subkeys, added by the key owners. These are more like
the new public keys, not the signature count below.

Signatures are published signatures on the key in question, not just the
self-signatures but by other keys as well. In this case, most probably 9
other people signed the key, and the signatures were published to the
keyserver. Not selfsigs, those are less common.

Enigmail just runs gpg(2) under the hood, so if gpg reports the correct
results, a restart should be enough, unless it has a separate cache for
some reason.



Re: GPG key expiry questions?

2018-03-14 Thread Daniel Bareiro
Hi, Ansgar.

On 14/03/18 03:26, Ansgar Burchardt wrote:

>>> You can change the expiry date of your own key, but for other people to
>>> be able to see it and avoid having your key show up as expired, you must
>>> publish the new (key? signature? not sure...) and others must fetch it
>>> before the expiry date hits.
>>>
>>> I think what happened is that you edited the expiration date of your key
>>> and published it, but the other person didn't get the updated version
>>> before their copy of your key expired.

>> Ah, that sounds plausible. I think I actually edited it after it had
>> expired, so very likely, if that causes a problem. I have a newer one as
>> well (4096 instead of 2048 bit) - though apparently with no signatures
>> on it yet. Not sure if that will suffer the same problem? I can't
>> remember if that one also expired and was posthumously edited ... If it
>> hasn't actually been used much, will that mean nobody's got it 'cached'?

> Editing the key is no problem, the other side just has to update their
> copy from time to time.  But this is necessary anyway: if they do not
> look for updates to the key, they will never know about key revocations
> either and continue to trust a revoked key.
> 
> Just run `gpg --refresh-keys` from time to time.

Thanks for the suggestion. I have updated my keyring:
(Spanish output)

--
viper@orion:~$ gpg --refresh-keys
gpg: refreshing 195 keys from hkp://keys.gnupg.net
(...)
gpg: clave B4A2F08FEC70168D: "Richard Hector " 9
firmas nuevas
(...)
gpg: Cantidad total procesada: 193
gpg:  sin cambios: 106
gpg:  nuevos identificativos: 29
gpg:nuevas subclaves: 14
gpg:   nuevas firmas: 3201
gpg: public key C11141521FA7D0B8 is 74797 seconds newer than the signature
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: public key C11141521FA7D0B8 is 74797 seconds newer than the signature
gpg: nivel: 0  validez:   2  firmada:   0  confianza: 0-, 0q, 0n, 0m, 0f, 2u
--

GNUPG seems to have found 9 new signatures ('firmas' in Spanish) from
Richard.

The output in English would be something like this:

Total amount processed: 193
without changes: 196
new identifiers: 14
new subkeys: 14
new signatures: 3201

These 'signatures' are new public keys?

Still Thunderbird is showing the expired key. Should I restart it to
take the changes?

Kind regards,
Daniel





Re: GPG key expiry questions?

2018-03-13 Thread Ansgar Burchardt
Richard Hector writes:
> On 14/03/18 15:50, likcoras wrote:
>> You can change the expiry date of your own key, but for other people to
>> be able to see it and avoid having your key show up as expired, you must
>> publish the new (key? signature? not sure...) and others must fetch it
>> before the expiry date hits.
>> 
>> I think what happened is that you edited the expiration date of your key
>> and published it, but the other person didn't get the updated version
>> before their copy of your key expired.
>
> Ah, that sounds plausible. I think I actually edited it after it had
> expired, so very likely, if that causes a problem. I have a newer one as
> well (4096 instead of 2048 bit) - though apparently with no signatures
> on it yet. Not sure if that will suffer the same problem? I can't
> remember if that one also expired and was posthumously edited ... If it
> hasn't actually been used much, will that mean nobody's got it 'cached'?

Editing the key is no problem, the other side just has to update their
copy from time to time.  But this is necessary anyway: if they do not
look for updates to the key, they will never know about key revocations
either and continue to trust a revoked key.

Just run `gpg --refresh-keys` from time to time.

Ansgar



Re: GPG key expiry questions?

2018-03-13 Thread john doe

On 3/14/2018 4:20 AM, Richard Hector wrote:
> On 14/03/18 15:50, likcoras wrote:
>> On 03/14/2018 11:39 AM, Richard Hector wrote:
>>> And if I search for my key here:
>>>
>>> https://pgp.surfnet.nl/pks/lookup?op=vindex&fingerprint=on&search=0xb4a2f08fec70168d
>>>
>>> ... I can see that there is a self-sig with the expiry date Daniel
>>> mentioned, but also one for the one I'm seeing.
>>
>> You can change the expiry date of your own key, but for other people to
>> be able to see it and avoid having your key show up as expired, you must
>> publish the new (key? signature? not sure...) and others must fetch it
>> before the expiry date hits.
>>
>> I think what happened is that you edited the expiration date of your key
>> and published it, but the other person didn't get the updated version
>> before their copy of your key expired.
>
> Ah, that sounds plausible. I think I actually edited it after it had
> expired, so very likely, if that causes a problem. I have a newer one as
> well (4096 instead of 2048 bit) - though apparently with no signatures
> on it yet. Not sure if that will suffer the same problem? I can't
> remember if that one also expired and was posthumously edited ... If it
> hasn't actually been used much, will that mean nobody's got it 'cached'?

You should assume that the key is already cached somewhere! :)

> Maybe I should just start from scratch :-(

Key transition is the way to go here:

https://www.apache.org/dev/key-transition.html

--
John Doe



Re: GPG key expiry questions?

2018-03-13 Thread Richard Hector
On 14/03/18 15:50, likcoras wrote:
> On 03/14/2018 11:39 AM, Richard Hector wrote:
>> And if I search for my key here:
>>
>> https://pgp.surfnet.nl/pks/lookup?op=vindex&fingerprint=on&search=0xb4a2f08fec70168d
>>
>> ... I can see that there is a self-sig with the expiry date Daniel
>> mentioned, but also one for the one I'm seeing.
> 
> You can change the expiry date of your own key, but for other people to
> be able to see it and avoid having your key show up as expired, you must
> publish the new (key? signature? not sure...) and others must fetch it
> before the expiry date hits.
> 
> I think what happened is that you edited the expiration date of your key
> and published it, but the other person didn't get the updated version
> before their copy of your key expired.
> 

Ah, that sounds plausible. I think I actually edited it after it had
expired, so very likely, if that causes a problem. I have a newer one as
well (4096 instead of 2048 bit) - though apparently with no signatures
on it yet. Not sure if that will suffer the same problem? I can't
remember if that one also expired and was posthumously edited ... If it
hasn't actually been used much, will that mean nobody's got it 'cached'?

Maybe I should just start from scratch :-(

Secure distribution and collecting signatures always seems to be the
problem.

Thanks,
Richard





Re: GPG key expiry questions?

2018-03-13 Thread likcoras
On 03/14/2018 11:39 AM, Richard Hector wrote:
> And if I search for my key here:
> 
> https://pgp.surfnet.nl/pks/lookup?op=vindex&fingerprint=on&search=0xb4a2f08fec70168d
> 
> ... I can see that there is a self-sig with the expiry date Daniel
> mentioned, but also one for the one I'm seeing.

You can change the expiry date of your own key, but for other people to
be able to see it and avoid having your key show up as expired, you must
publish the new (key? signature? not sure...) and others must fetch it
before the expiry date hits.

I think what happened is that you edited the expiration date of your key
and published it, but the other person didn't get the updated version
before their copy of your key expired.



GPG key expiry questions?

2018-03-13 Thread Richard Hector
Hi all,

Daniel Bareiro recently pointed out that he sees my GPG key as being
expired:

On 14/03/18 15:14, Daniel Bareiro wrote:
> This is the information I see in Thunderbird with Enigmail:
>
> Fingerprint: 9E11 77C0 8F96 98B8 82EF 70E4 B4A2 F08F EC70 168D
> Created: 05/09/2010
> Expiration: 10/05/2015

gpg --list-secret-keys shows an expiry of 2018-08-05.

And if I search for my key here:

https://pgp.surfnet.nl/pks/lookup?op=vindex&fingerprint=on&search=0xb4a2f08fec70168d

... I can see that there is a self-sig with the expiry date Daniel
mentioned, but also one for the one I'm seeing.

Can someone help clarify what's going on?

Thanks,
Richard
P.S. the web of trust reveals quite a bit about me, doesn't it ...





howto import gpg key (was ... Re: debootstrap etch unknown key)

2014-02-20 Thread Chris Bannister
On Wed, Feb 19, 2014 at 10:38:47AM -0500, Dan Purgert wrote:
> Tried "gpg --keyserver pgp.mit.edu --recv-keys B5D0C804ADB11277" and it pulled
> down the "Etch Stable Release Key " key.
> 
> $ gpg --fingerprint ADB11277
> pub   1024D/ADB11277 2006-09-17
>   Key fingerprint = 7EA3 91D7 2477 203B 58C0  4FBC B5D0 C804 ADB1 1277
> uid  Etch Stable Release Key 

Thanks for that. I keep forgetting the option/values.

-- 
"If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the 
oppressing." --- Malcolm X


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20140221003932.GD12466@tal



Re: gpg key

2011-03-06 Thread Brad Rogers
On Sun, 6 Mar 2011 09:44:01 -0600
"mike cutie and maia"  wrote:

Hello mike,

> I have looked on http://debian-multimedia.fx-services.com

Doesn't look right to me, try;  http://www.debian-multimedia.org/

> And can not find a gpg key for it. Can someone help in this matter.

You'll find instructions for copying the gpg key into your set up.

-- 
 Regards  _
         / )           "The blindingly obvious is
        / _)rad        never immediately apparent"
I'm surfing on a wave of nostalgia for an age yet to come
Nostalgia - Buzzcocks




Re: gpg key

2011-03-06 Thread Camaleón
On Sun, 06 Mar 2011 09:44:01 -0600, mike cutie and maia wrote:

> I have looked on http://debian-multimedia.fx-services.com
> 
> And can not find a gpg key for it. Can someone help in this matter.
> 
> I am using debian sid 64

You mean this? :-?

http://debian-multimedia.fx-services.com/dists/sid/

(it seems older than D-M repo)

Greetings,

-- 
Camaleón





Re: gpg key

2011-03-06 Thread Andrei Popescu
On Sun, 06 Mar 11, 09:44:01, mike cutie and maia wrote:
> Hi all,
> 
> I have looked on http://debian-multimedia.fx-services.com
> 
> And can not find a gpg key for it. Can someone help in this matter.

Looks like a mirror for http://www.debian-multimedia.org/ so just follow 
the instructions from there (basically just install 
debian-multimedia-keyring by overriding the warning).

Regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic




gpg key

2011-03-06 Thread mike cutie and maia
Hi all,

I have looked on http://debian-multimedia.fx-services.com

And can not find a gpg key for it. Can someone help in this matter.

I am using debian sid 64

Thanks much

mike



[Semi-SOLVED] GPG Key-Server setup

2008-06-23 Thread Michelle Konzack
Shit...

While I was continuing to read the messages in my mailfolder
I found the answer in another message:  onak

Stay only, how do I sync my Key-Server with the public ones and how much
disk space do I need?

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   Apt. 917  ICQ #328449886
+49/177/935194750, rue de Soultz MSN LinuxMichi
+33/6/61925193 67100 Strasbourg/France   IRC #Debian (irc.icq.com)




GPG Key-Server setup

2008-06-23 Thread Michelle Konzack
Hello,

last weekend I have again created a Debian Package for my customers
which correct the user settings in gnupg (keyserver) on all FileServers
(nfs:/home) because the previous keyserver does not exist anymore...

ON, now I want to know, HOW to install my own Key-Server which is
exclusively available for my customers (~530 but over 140.000 USER)
which should be always Up-To-Date and available (Downtime nearly ZERO).

I think, the Hardware could be a Single-Opteron with 300 GByte SCSI
Raid-1 (is not so expensive).

But, what server do I need and what is the real diskspace I need?

Note:   My ~/.gnupg/pubring.gpg is around 136 MByte in size
and has stored 17326 Keys.  If I extract all of them,
I get a Diskspace of 187 MByte.


Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   Apt. 917  ICQ #328449886
+49/177/935194750, rue de Soultz MSN LinuxMichi
+33/6/61925193 67100 Strasbourg/France   IRC #Debian (irc.icq.com)




OCR friendly fonts - saving GPG key safely

2008-03-31 Thread Osamu Aoki
Hi,

Does anyone know OCR friendly fonts.  

I am trying to print things like gnupg keys and recover it by OCR.
It has to be fixed width font.

(Experiment was done via PDF(OOffice)->graphic(Gimp). gocr was usable
but tesseract was not at first try.)

Bitstream was best but F was converted to f.
Courier caused more mistakes.
OCR A font was  much worse.

Osamu





Re: debian multimedia gpg key changed location

2008-02-24 Thread Alan Ianson
On Sun February 24 2008 10:59:52 am Jude DaShiell wrote:
> I just remembered to download the debian-keyring package and should have
> done that earlier.  It seems to have a pgp key in it for debian multimedia
> too.

debian-multimedia-keyring is the one you need for the debian-multimedia.org 
multimedia archive, up to now anyway.





re: debian multimedia gpg key changed location

2008-02-24 Thread Jude DaShiell
I just remembered to download the debian-keyring package and should have 
done that earlier.  It seems to have a pgp key in it for debian multimedia 
too.








Re: PUBLIC GPG KEY REVOCATION FOR DAVID DOWNEY

2006-11-01 Thread john hacker
If this is David Downey or you know David Downey, please call John  
Hacker at (904) 759-2765 or (800) 499-2502 ASAP.  Thanks so much for  
your time.  We miss you, and just want to see what's up and how  
you're doing.  Might have something right up your alley, but none the  
less would love to say Hi and see what's new in your corner of the  
world.  Definitely have some cool info for you!


John & Chrissy
(Mr Chips Computers






Re: gpg key error in unstable

2006-02-10 Thread Andreas Janssen
Hello

L.V.Gandhi (<[EMAIL PROTECTED]>) wrote:
> On 2/9/06, Andreas Janssen <[EMAIL PROTECTED]> wrote:
> 
>> You can get official debian keys from the debian-archive-keyring
>> package. Never just download keys from some gpg server just because
>> someone tells you some key id, only get the keys from the project
>> servers directly, or at least get the key id from there to make sure
>> it is the correct key.
> I have both sid and sarge on my dell 600m. In sid I could get
> debian-archive-keyring. But in sarge that is not there. I installed
> apt from backports in sarge. How to get debian-archive-keyring for
> sarge?

Either you get it from backports.org, or from unstable/testing, or you
download the keys manually from the Debian ftp-master server:

http://ftp-master.debian.org/ziyi_key_2006.asc

best regards
Andreas Janssen

-- 
Andreas Janssen <[EMAIL PROTECTED]>
PGP-Key-ID: 0xDC801674 ICQ #17079270
Registered Linux User #267976
http://www.andreas-janssen.de/debian-tipps-sarge.html





Re: gpg key error in unstable

2006-02-09 Thread Andreas Janssen
Hello

L.V.Gandhi (<[EMAIL PROTECTED]>) wrote:

> On 2/9/06, Andreas Janssen <[EMAIL PROTECTED]> wrote:
> 
>> The first time you tried to export the key from gpg to apt, but you
>> didn't have the key in your gpg keyring. The second time, you
>> imported the key to gpg, but didn't feed it to apt.
> 
> Thanks Andreas. Clear explanation.
> How to get keys for various sites?

You can get official debian keys from the debian-archive-keyring
package. Never just download keys from some gpg server just because
someone tells you some key id, only get the keys from the project
servers directly, or at least get the key id from there to make sure it
is the correct key.

best regards
Andreas Janssen

-- 
Andreas Janssen <[EMAIL PROTECTED]>
PGP-Key-ID: 0xDC801674 ICQ #17079270
Registered Linux User #267976
http://www.andreas-janssen.de/debian-tipps-sarge.html





Re: gpg key error in unstable

2006-02-09 Thread L.V.Gandhi
On 2/9/06, Andreas Janssen <[EMAIL PROTECTED]> wrote:

> You can get official debian keys from the debian-archive-keyring
> package. Never just download keys from some gpg server just because
> someone tells you some key id, only get the keys from the project
> servers directly, or at least get the key id from there to make sure it
> is the correct key.
I have both sid and sarge on my dell 600m. In sid I could get
debian-archive-keyring. But in sarge that is not there. I installed
apt from backports in sarge. How to get debian-archive-keyring for
sarge?
--
L.V.Gandhi
http://lvgandhi.tripod.com/
linux user No.205042


Re: gpg key error in unstable

2006-02-09 Thread L.V.Gandhi
On 2/9/06, Andreas Janssen <[EMAIL PROTECTED]> wrote:

> The first time you tried to export the key from gpg to apt, but you
> didn't have the key in your gpg keyring. The second time, you imported
> the key to gpg, but didn't feed it to apt.

Thanks Andreas. Clear explanation.
How to get keys for various sites?
--
L.V.Gandhi
http://lvgandhi.tripod.com/
linux user No.205042


Re: gpg key error in unstable

2006-02-09 Thread Andreas Janssen
Hello

L.V.Gandhi (<[EMAIL PROTECTED]>) wrote:

> I have sarge system. I use other repositories like
> http://ftp.nerim.net, http://ftp.debian-unofficial.org,
> http://www.backports.org. I upgraded apt to 0.6.43. it needs gpg keys
> for all. I went to nerim and saw merillat key. I did
> lvgdell600m:~# gpg --armor --export 1F41B907 | apt-key add -
> gpg: directory `/root/.gnupg' created
> [...]
> gpg: WARNING: nothing exported

> gpg: no valid OpenPGP data found.
^^^
> even then I got warning during apt-get update. then I tried
> lvgdell600m:~# gpg --keyserver hkp://wwwkeys.eu.pgp.net --recv-keys 1F41B907
> gpg: requesting key 1F41B907 from hkp server wwwkeys.eu.pgp.net
> gpg: /root/.gnupg/trustdb.gpg: trustdb created
> gpg: key 1F41B907: public key "Christian Marillat
> <[EMAIL PROTECTED]>" imported
> gpg: no ultimately trusted keys found
> gpg: Total number processed: 1
> gpg:   imported: 1
> even now I got warning during apt-get update
> what to do?

The first time you tried to export the key from gpg to apt, but you
didn't have the key in your gpg keyring. The second time, you imported
the key to gpg, but didn't feed it to apt.

best regards
Andreas Janssen

-- 
Andreas Janssen <[EMAIL PROTECTED]>
PGP-Key-ID: 0xDC801674 ICQ #17079270
Registered Linux User #267976
http://www.andreas-janssen.de/debian-tipps-sarge.html





Re: gpg key error in unstable

2006-02-09 Thread Edward Shornock
On Thu, Feb 09, 2006 at 03:30:40PM +, L.V.Gandhi wrote:
> even then I got warning during apt-get update. then I tried
> lvgdell600m:~# gpg --keyserver hkp://wwwkeys.eu.pgp.net --recv-keys 1F41B907
> gpg: requesting key 1F41B907 from hkp server wwwkeys.eu.pgp.net
> gpg: /root/.gnupg/trustdb.gpg: trustdb created
> gpg: key 1F41B907: public key "Christian Marillat
> <[EMAIL PROTECTED]>" imported
> gpg: no ultimately trusted keys found
> gpg: Total number processed: 1
> gpg:   imported: 1
> even now I got warning during apt-get update


Now that you have that key in your keyring, do the following:

gpg --export 1F41B907 |apt-key add -
apt-get update


The errors should stop.




Re: gpg key for backports

2006-02-09 Thread Edward Shornock
On Thu, Feb 09, 2006 at 04:21:16PM +, L.V.Gandhi wrote:
> How to get and sign gpg keys for http://www.backports.org

If you need the backports key, try

gpg --recv-keys 16BA136C
gpg --export |apt-key add -

Found at
http://lists.backports.org/lurker/message/20051219.231854.feae4c8a.en.html




gpg key for backports

2006-02-09 Thread L.V.Gandhi
How to get and sign gpg keys for http://www.backports.org

--
L.V.Gandhi
http://lvgandhi.tripod.com/
linux user No.205042


Re: gpg key error in unstable

2006-02-09 Thread L.V.Gandhi
I have sarge system. I use other repositories like
http://ftp.nerim.net, http://ftp.debian-unofficial.org,
http://www.backports.org. I upgraded apt to 0.6.43. it needs gpg keys
for all. I went to nerim and saw merillat key. I did
lvgdell600m:~# gpg --armor --export 1F41B907 | apt-key add -
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active
during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: WARNING: nothing exported
gpg: no valid OpenPGP data found.
even then I got warning during apt-get update. then I tried
lvgdell600m:~# gpg --keyserver hkp://wwwkeys.eu.pgp.net --recv-keys 1F41B907
gpg: requesting key 1F41B907 from hkp server wwwkeys.eu.pgp.net
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 1F41B907: public key "Christian Marillat
<[EMAIL PROTECTED]>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:   imported: 1
even now I got warning during apt-get update
what to do?
--
L.V.Gandhi
http://lvgandhi.tripod.com/
linux user No.205042


Re: gpg key error in unstable

2006-02-05 Thread L.V.Gandhi
On 2/5/06, Andreas Janssen <[EMAIL PROTECTED]> wrote:

> Did you run apt-get update?

Thanks. That hit the point.

>Also check where the package comes from
> (apt-cache policy debtags adept libtdb1).
lvgdell600m:~# apt-cache policy debtags adept libtdb1
debtags:
  Installed: 1.5.2+b2
  Candidate: 1.5.2+b2
  Version table:
 *** 1.5.2+b2 0
500 http://ftp.de.debian.org unstable/main Packages
100 /var/lib/dpkg/status
adept:
  Installed: 1.88.4
  Candidate: 1.88.4
  Version table:
 *** 1.88.4 0
500 http://ftp.de.debian.org unstable/main Packages
100 /var/lib/dpkg/status
libtdb1:
  Installed: 1.0.6-13
  Candidate: 1.0.6-13
  Version table:
 *** 1.0.6-13 0
500 http://ftp.de.debian.org unstable/main Packages
100 /var/lib/dpkg/status
--
L.V.Gandhi
http://lvgandhi.tripod.com/
linux user No.205042


Re: gpg key error in unstable

2006-02-05 Thread Andreas Janssen
Hello

L.V.Gandhi (<[EMAIL PROTECTED]>) wrote:

> [...]
> lvgdell600m:~# apt-key update
> [GPG keys successfully imported]
> 
> However after this I tried to install adept, I got error once again as
> below. vgdell600m:~# apt-get install adept
> [...]
> WARNING: The following packages cannot be authenticated!
>   libtdb1 debtags adept
> Install these packages without verification [y/N]?
> Where am I going wrong?

Did you run apt-get update? Also check where the package comes from
(apt-cache policy debtags adept libtdb1).

best regards
Andreas Janssen

-- 
Andreas Janssen <[EMAIL PROTECTED]>
PGP-Key-ID: 0xDC801674 ICQ #17079270
Registered Linux User #267976
http://www.andreas-janssen.de/debian-tipps-sarge.html





Re: gpg key error in unstable

2006-02-04 Thread L.V.Gandhi
On 2/4/06, Andreas Janssen <[EMAIL PROTECTED]> wrote:
> Hello
>
> L.V.Gandhi (<[EMAIL PROTECTED]>) wrote:
>
> > I have dell inspiron 600m. today I have loaded base sarge and upgraded
> > to unstable. I wanted to avoid the error
> > Install these packages without verification.
> > Hence as per info in debian-admin site I did as follows.
> >
> > apt-get install gnupg
> >
> > Once that's done you can either download the public key by running:
> >
> > [EMAIL PROTECTED]:~# gpg --keyserver keyring.debian.org --recv 4F368D5D
> > secring.gpg  is shown as 0 byte file
> >
> > [EMAIL PROTECTED]:~# cat ziyi_key_2006.asc | gpg --import
> >
> > I tried this also. Still I get error as mentioned above.
> > What should I do?
>
> You need to run apt-key, e.g.
>
> apt-key add ziyi_key_2006.asc

I have done this.
I got
 lvgdell600m:~# apt-key add /home/lvgandhi/ziyi_key_2006.asc
OK
After this also I got error message.

> Of course this only works /after/ you installed apt from
> testing/unstable. You can also install the debian-archive-keyring
> package and run `apt-key update`.
Hence, I did the above also. output as below.
lvgdell600m:~# apt-get install debian-archive-keyring
Reading package lists... Done
Building dependency tree... Done
The following NEW packages will be installed
  debian-archive-keyring
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 6050B of archives.
After unpacking 53.2kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  debian-archive-keyring
Install these packages without verification [y/N]? y
Get: 1 http://ftp.de.debian.org unstable/main debian-archive-keyring
2006.01.18 [6050B]
Fetched 6050B in 0s (8054B/s)
Selecting previously deselected package debian-archive-keyring.
(Reading database ... 85565 files and directories currently installed.)
Unpacking debian-archive-keyring (from
.../debian-archive-keyring_2006.01.18_all.deb) ...
Setting up debian-archive-keyring (2006.01.18) ...
gpg: key 1DB114E0: "Debian Archive Automatic Signing Key (2004)
<[EMAIL PROTECTED]>" not changed
gpg: key 4F368D5D: "Debian Archive Automatic Signing Key (2005)
<[EMAIL PROTECTED]>" not changed
gpg: key B5F5BBED: "Debian AMD64 Archive Key
" not changed
gpg: key 2D230C5F: "Debian Archive Automatic Signing Key (2006)
<[EMAIL PROTECTED]>" not changed
gpg: Total number processed: 4
gpg:  unchanged: 4
gpg: /etc/apt/trustdb.gpg: trustdb created

lvgdell600m:~# apt-key update
gpg: key 1DB114E0: "Debian Archive Automatic Signing Key (2004)
<[EMAIL PROTECTED]>" not changed
gpg: key 4F368D5D: "Debian Archive Automatic Signing Key (2005)
<[EMAIL PROTECTED]>" not changed
gpg: key B5F5BBED: "Debian AMD64 Archive Key
" not changed
gpg: key 2D230C5F: "Debian Archive Automatic Signing Key (2006)
<[EMAIL PROTECTED]>" not changed
gpg: Total number processed: 4
gpg:  unchanged: 4

However after this I tried to install adept, I got error once again as below.
vgdell600m:~# apt-get install adept
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
  debtags libtdb1
Recommended packages:
  libqt-perl
The following NEW packages will be installed
  adept debtags libtdb1
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 3126kB of archives.
After unpacking 8086kB of additional disk space will be used.
Do you want to continue [Y/n]? y
WARNING: The following packages cannot be authenticated!
  libtdb1 debtags adept
Install these packages without verification [y/N]?
Where am I going wrong?
Any more info needed?

--
L.V.Gandhi
http://lvgandhi.tripod.com/
linux user No.205042


Re: gpg key error in unstable

2006-02-04 Thread Andreas Janssen
Hello

L.V.Gandhi (<[EMAIL PROTECTED]>) wrote:

> I have dell inspiron 600m. today I have loaded base sarge and upgraded
> to unstable. I wanted to avoid the error
> Install these packages without verification.
> Hence as per info in debian-admin site I did as follows.
> 
> apt-get install gnupg
> 
> Once that's done you can either download the public key by running:
> 
> [EMAIL PROTECTED]:~# gpg --keyserver keyring.debian.org --recv 4F368D5D
> secring.gpg  is shown as 0 byte file
> 
> [EMAIL PROTECTED]:~# cat ziyi_key_2006.asc | gpg --import
> 
> I tried this also. Still I get error as mentioned above.
> What should I do?

You need to run apt-key, e.g.

apt-key add ziyi_key_2006.asc

Of course this only works /after/ you installed apt from
testing/unstable. You can also install the debian-archive-keyring
package and run `apt-key update`.

best regards
Andreas Janssen

-- 
Andreas Janssen <[EMAIL PROTECTED]>
PGP-Key-ID: 0xDC801674 ICQ #17079270
Registered Linux User #267976
http://www.andreas-janssen.de/debian-tipps-sarge.html





gpg key error in unstable

2006-02-04 Thread L.V.Gandhi
I have dell inspiron 600m. today I have loaded base sarge and upgraded
to unstable. I wanted to avoid the error
Install these packages without verification.
Hence as per info in debian-admin site I did as follows.

apt-get install gnupg

Once that's done you can either download the public key by running:

[EMAIL PROTECTED]:~# gpg --keyserver keyring.debian.org --recv 4F368D5D
secring.gpg  is shown as 0 byte file

[EMAIL PROTECTED]:~# cat ziyi_key_2006.asc | gpg --import

I tried this also. Still I get error as mentioned above.
What should I do?
--
L.V.Gandhi
http://lvgandhi.tripod.com/
linux user No.205042


Re: Problem with apt-get and gpg key

2006-01-26 Thread Andrew M.A. Cater
On Thu, Jan 26, 2006 at 09:57:54AM -0600, Sergio Cuéllar Valdés wrote:
> Hi,
> 
> When I make an apt-get update I get an error concerning a gpg key:
> 
> 
> W: GPG error: http://http.us.debian.org testing Release: The following
> signatures were invalid: BADSIG F1D53D8C4F368D5D Debian Archive
> Automatic Signing Key (2005) <[EMAIL PROTECTED]>
> W: You may want to run apt-get update to correct these problems
> 
> 
Google for apt-key secure update and you'll probably find the very
good entry from Joey Hess and others on the Debian wiki.

> When I list the keys with apt-key list:
> pub   1024D/4F368D5D 2005-01-31 [expires: 2006-01-31]
> uid  Debian Archive Automatic Signing Key (2005)
> <[EMAIL PROTECTED]>
> 
> It expires at 31 January.
> 
apt-get install debian-archive-keyring

apt-key update


> I am running Testing.

Should be there by now :)

Hope this helps,





Re: Problem with apt-get and gpg key

2006-01-26 Thread Christoph Anton Mitterer
Sergio Cuéllar Valdés wrote:

>Yesterday I didn't have this problem.
>

Ask Google... view the archive.

Chris.





Problem with apt-get and gpg key

2006-01-26 Thread Sergio Cuéllar Valdés
Hi,

When I make an apt-get update I get an error concerning a gpg key:


W: GPG error: http://http.us.debian.org testing Release: The following
signatures were invalid: BADSIG F1D53D8C4F368D5D Debian Archive
Automatic Signing Key (2005) <[EMAIL PROTECTED]>
W: You may want to run apt-get update to correct these problems


When I list the keys with apt-key list:
pub   1024D/4F368D5D 2005-01-31 [expires: 2006-01-31]
uid  Debian Archive Automatic Signing Key (2005)
<[EMAIL PROTECTED]>

It expires at 31 January.

I am running Testing.

Yesterday I didn't have this problem.

Cheers,
Sergio
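
The `apt-key list` output in the message above shows the 2005 archive key five days from expiry. As an added example (not part of the original thread), this shell function reads that old-style listing and reports how many days each key has left; the function names, the AAAA000x key IDs and their dates are constructed for illustration.

```shell
#!/bin/sh
# Report archive keys that are expired or expire within WARN_DAYS.
# Reads an old-style (GnuPG 1.x) `apt-key list` listing on stdin.
# Usage: apt-key list | check_key_expiry YYYY-MM-DD WARN_DAYS
# Prints "STATUS KEYID EXPIRY DAYS_LEFT" per key and returns 1 if any
# key is expired or inside the warning window.
check_key_expiry() {
    awk -v today="$1" -v warn="$2" '
    # Day number of an ISO date (Gregorian); only differences are used.
    function daynum(d,    p, y, m, n) {
        split(d, p, "-"); y = p[1] + 0; m = p[2] + 0
        if (m <= 2) { y--; m += 12 }   # Jan/Feb count as months 13/14 of the previous year
        n = 365 * y + int(y / 4) - int(y / 100) + int(y / 400)
        return n + int((153 * (m - 3) + 2) / 5) + p[3]
    }
    $1 == "pub" {
        n = split($2, id, "/")         # "1024D/4F368D5D" -> key ID after the slash
        keyid = id[n]
        if (match($0, /\[expires: [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]\]/)) {
            expiry = substr($0, RSTART + 10, 10)   # skip the 10 chars of "[expires: "
            left = daynum(expiry) - daynum(today)
            if (left < 0)          { status = "EXPIRED";  bad = 1 }
            else if (left <= warn) { status = "EXPIRING"; bad = 1 }
            else                   { status = "OK" }
            print status, keyid, expiry, left
        } else {
            print "NOEXPIRY", keyid, "-", "-"      # no expiry date on the pub line
        }
    }
    END { exit bad + 0 }
    '
}

# Constructed sample listing. The first pub line is the one quoted in the
# post; the other key IDs and dates are made up for illustration.
sample_listing() {
    cat <<'EOF'
/etc/apt/trusted.gpg
--------------------
pub   1024D/4F368D5D 2005-01-31 [expires: 2006-01-31]
uid                  Debian Archive Automatic Signing Key (2005)

pub   1024D/AAAA0001 2004-12-01 [expires: 2005-12-31]
uid                  Constructed expired key

pub   1024D/AAAA0002 2006-01-03 [expires: 2007-06-30]
uid                  Constructed current key

pub   1024D/AAAA0003 2003-05-05
uid                  Constructed key without expiry
EOF
}

# Run against the sample as of the date of the post, warning 30 days ahead.
sample_listing | check_key_expiry 2006-01-26 30 || echo "some keys need attention"
```

The non-zero return makes the function usable from cron or a monitoring check; newer GnuPG listings use a different layout and would need a different parser.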



quick gpg key help

2005-11-04 Thread salahuddin pasha
hello

i have created a gpg key for my address [EMAIL PROTECTED] (for very high traffic i have created this account for debian)
but [EMAIL PROTECTED] is my main address.

so should i use edit key and adduid [EMAIL PROTECTED] to my gpg --key

to join http://www.debian.org/devel/join/newmaint

(i want my [EMAIL PROTECTED] will anything related to debian
project and [EMAIL PROTECTED] etc etc all my designed and work is known
as by salahuddin66)

thanks

-- 
-salahuddin_66


Re: Murdering those mutt-gpg key retrievals

2003-12-05 Thread Brian McGroarty
On Thu, Dec 04, 2003 at 11:03:40AM +0100, Florian Ernst wrote:
> Hello Brian!
> 
> On Wed, Dec 03, 2003 at 04:45:16PM -0600, Brian McGroarty wrote:
> >Automatic key retrieval is nice, however it also makes for very slow
> >mail reading if it's done inside of mutt.
> >
> >Has anyone set up procmail to prefetch unknown keys automatically? I
> >thought I remembered some mention of this previously, however my list
> >search is turning up a blank.
> 
> http://www.procmail.org/ links to some interesting tips and manuals,
> at least one mentions this topic, see
> http://pm-doc.sourceforge.net/pm-tips-body.html#procmail_and_pgp

Thanks, Flo.

Another list person mailed to suggest this if automatic key retrieval
is already enabled:

:0c
| gpg --batch >/dev/null


I tuned it a little by stealing a part of one of the recipes you point
to. This makes it check fewer messages:

:0c
* B   ?? -BEGIN PGP
* H ! ?? ^FROM_DAEMON
| /usr/bin/gpg --batch >/dev/null  2>/dev/null





Re: Murdering those mutt-gpg key retrievals

2003-12-05 Thread David
On Fri, Dec 05, 2003 at 07:34:54AM +0100, Magnus von Koeller wrote:
> On Friday 05 December 2003 04:13, David wrote:
> > I have nothing whatsoever mentioning
> > auto-key-retrieve on the stable system. I've diffed the
> > corresponding ~/.muttrc's, /etc/Muttrc's and ~/.gnupg/options and
> > cannot find anything that would account for the different
> > behaviors.
> 
> Well, I don't know the exact version numbers for this but auto key 
> retrieving used to be the default but isn't anymore.

The version of gnupg on my testing system is 1.2.3.  I'd assume then
that the default must have changed between the version now in stable and
this one.

> If you still 
> want it, you need to put this into your ~/.gnupg/options:
> 
> keyserver-options auto-key-retrieve

Yes, I added this line (also renamed options to gpg.conf, as it appears
that this is now the default name).

Most times, I read mail offline, so auto-retrieve doesn't work anyway; I
was mostly just wondering why it did auto-retrieve in stable with no
option to do so, and apparently required specifying the option in
testing.  I couldn't find any mention of any change in defaults in the
changelogs.

Thanks for the reply.





Re: Murdering those mutt-gpg key retrievals

2003-12-05 Thread Magnus von Koeller
On Friday 05 December 2003 04:13, David wrote:
> I have nothing whatsoever mentioning
> auto-key-retrieve on the stable system. I've diffed the
> corresponding ~/.muttrc's, /etc/Muttrc's and ~/.gnupg/options and
> cannot find anything that would account for the different
> behaviors.

Well, I don't know the exact version numbers for this but auto key 
retrieving used to be the default but isn't anymore. If you still 
want it, you need to put this into your ~/.gnupg/options:

keyserver-options auto-key-retrieve

-- 
---  Magnus von Koeller ---
email:[EMAIL PROTECTED]
address:  International University
  Campus 9, App. 13
  D-76646 Bruchsal / Germany
phone:+49-7251-700-659
mobile:   +49-179-4562940
web:  http://www.vonkoeller.de   




Re: Murdering those mutt-gpg key retrievals

2003-12-04 Thread David
On Sat, Nov 29, 2003 at 08:49:01PM +0100, Florian Ernst wrote:
> 
> You can import keys manually just like
> gpg --keyserver pgp.mit.edu --recv-keys 8DE4D38E
> for Karsten's key.
> 
> If you want to have it done automatically one way is to enable a
> keyserver in your .gnupg/pgp.conf and enable
> keyserver-options auto-key-retrieve
> as well.

While on the subject, I have something I don't quite understand.

I have recently upgraded to testing.  I use mutt.  On stable, a key
would automatically be retrieved, or at least attempted (I'm on
dialup)..  Yesterday, I noted that this wasn't happening with testing -
not sure if this has been the case all along with testing.  I still have
my stable system installed.  I have nothing whatsoever mentioning
auto-key-retrieve on the stable system. I've diffed the corresponding
~/.muttrc's, /etc/Muttrc's and ~/.gnupg/options and cannot find anything
that would account for the different behaviors.

I wonder if there is a difference in the default behavior between the
stable/testing gnupg's or what?  I'm puzzled.





Re: Murdering those mutt-gpg key retrievals

2003-12-04 Thread Florian Ernst
Hello Brian!

On Wed, Dec 03, 2003 at 04:45:16PM -0600, Brian McGroarty wrote:
> Automatic key retrieval is nice, however it also makes for very slow
> mail reading if it's done inside of mutt.
>
> Has anyone set up procmail to prefetch unknown keys automatically? I
> thought I remembered some mention of this previously, however my list
> search is turning up a blank.

http://www.procmail.org/ links to some interesting tips and manuals,
at least one mentions this topic, see
http://pm-doc.sourceforge.net/pm-tips-body.html#procmail_and_pgp

Cheers,
Flo




Murdering those mutt-gpg key retrievals

2003-12-03 Thread Brian McGroarty
On Sat, Nov 29, 2003 at 08:49:01PM +0100, Florian Ernst wrote:
> 
> You can import keys manually just like
> gpg --keyserver pgp.mit.edu --recv-keys 8DE4D38E
> for Karsten's key.
> 
> If you want to have it done automatically one way is to enable a
> keyserver in your .gnupg/pgp.conf and enable
> keyserver-options auto-key-retrieve
> as well.

Automatic key retrieval is nice, however it also makes for very slow
mail reading if it's done inside of mutt.

Has anyone set up procmail to prefetch unknown keys automatically? I
thought I remembered some mention of this previously, however my list
search is turning up a blank.




OT: new GPG key

2003-06-11 Thread Karsten M. Self
I've decided it's time to start signing mail again...

Note that this is a general purpose, eternal key (my old key expired
April of this year).  I extended it by one day from today to sign my
current key (inconsistent handling of expiry date modifications of keys
makes this impractical in a general sense).  Unfortunately, this means 
my existing trust ring has also expired.  Note that this key is not 
being used in the most secure of environments (portable and remote 
systems, included), but it should be suitable for pedestrian threats.  
I also wanted to forego a bunch of queries about why I was showing up 
with a new key (though you're right to be suspicious).

I hope to have the new key circulating at keysignings soon.

Peace.

-- 
Karsten M. Self <[EMAIL PROTECTED]>http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   At the sound of the toner, boycott Lexmark:  trade restraint via DMCA.
http://news.com.com/2100-1023-979791.html




Re: gpg key in memory

2003-02-12 Thread Joey Hess
Benedict Verheyen wrote:
> On Tue 11-02-2003, at 01:38, Joey Hess wrote:
> > Benedict Verheyen wrote:
> > > I only have 1 key pair. When i read the gpg manual it didn't suggest to
> > > keep more than 1 key pair ( or i didn't see it). I always thought you
> > > were only supposed to have 1 key pair? Or maybe a second one for
> > > instance to sign packages that one developed?
> > 
> > It's a personal policy decision. I would prefer, if someone "borrowed"
> > my laptop for 10 minutes sometime without me knowing, that they not be
> > able to upload packages signed with my key, and that if they sent signed
> > mail, I would be able to revoke that key without revoking my main key.
> 
> Good point. But i can't imagine your passphrase being very complicated
> then or you must have a good memory.
> Also, how many key pairs do you have then? Plus if you have more
> keypairs, you need to have several passphrases too.

Um, this thread is about programs that remember your passphrase for you. 

Anyhow, I only have 2 keys.


-- 
see shy jo





Re: gpg key in memory

2003-02-11 Thread Benedict Verheyen
On Tue 11-02-2003, at 01:38, Joey Hess wrote:
> Benedict Verheyen wrote:
> > I only have 1 key pair. When i read the gpg manual it didn't suggest to
> > keep more than 1 key pair ( or i didn't see it). I always thought you
> > were only supposed to have 1 key pair? Or maybe a second one for
> > instance to sign packages that one developed?
> 
> It's a personal policy decision. I would prefer, if someone "borrowed"
> my laptop for 10 minutes sometime without me knowing, that they not be
> able to upload packages signed with my key, and that if they sent signed
> mail, I would be able to revoke that key without revoking my main key.

Good point. But i can't imagine your passphrase being very complicated
then or you must have a good memory.
Also, how many key pairs do you have then? Plus if you have more
keypairs, you need to have several passphrases too.

-- 
Benedict Verheyen 
Linux 2.4.20 AMD Athlon(tm) Processor AuthenticAMD GNU/Linux





Re: gpg key in memory

2003-02-11 Thread Joey Hess
Vineet Kumar wrote:
> > quintuple-agent, the new gpg-agent is supposed to be better but is not
> > in Debian yet.
> 
> I've never used it, but is this the same one you're talking about?
> 
> doozer:~% apt-cache policy quintuple-agent

No, it's gpg-agent that is not in debian yet. Probably should have used
a semicolon.

-- 
see shy jo





Re: gpg key in memory

2003-02-10 Thread Benedict Verheyen
On Mon 10-02-2003, at 04:29, Scott Henson wrote:
> On Sun, 2003-02-09 at 18:53, Benedict Verheyen wrote:
> > I didn't think about that. I'm using Ximian Evolution 1.2.2.
> 
> I'm using evolution and it automagically takes care of that.  Just click
> the button telling it to remember the passphrase when you type it in.  
> -- 
> Scott Henson <[EMAIL PROTECTED]>

Thanks i'll give that a try.

-- 
Benedict Verheyen 
Linux 2.4.20 AMD Athlon(tm) Processor AuthenticAMD GNU/Linux





Re: gpg key in memory

2003-02-10 Thread Vineet Kumar
* Joey Hess ([EMAIL PROTECTED]) [030210 08:46]:
> Benedict Verheyen wrote:
> > is it possible (like with ssh) to have gpg only ask you your passphrase
> > once and then remember it for the duration of a session?
> > This would be handy if one is writing a lot of emails and you don't want
> > to bother every single time to type your passphrase.
> > I chose quite a long and difficult passphrase and it isn't fun to type
> > it over and over again when i want to encrypt or sign an email.
> > 
> > Any solution to this other than choosing a simpler and shorter
> > passphrase?
> 
> quintuple-agent, the new gpg-agent is supposed to be better but is not
> in Debian yet.

I've never used it, but is this the same one you're talking about?

doozer:~% apt-cache policy quintuple-agent
quintuple-agent:
  Installed: (none)
  Candidate: 1.0.3
  Version Table:
 1.0.3 0
700 http://http.us.debian.org testing/main Packages
600 http://http.us.debian.org unstable/main Packages

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
"Under no circumstances will I ever purchase anything offered to me as
the result of an unsolicited email message. Nor will I forward chain
letters, petitions, mass mailings, or virus warnings to large numbers
of others. This is my contribution to the survival of the online
community." - Roger Ebert, "The Boulder Pledge"





Re: gpg key in memory

2003-02-10 Thread Joey Hess
Benedict Verheyen wrote:
> is it possible (like with ssh) to have gpg only ask you your passphrase
> once and then remember it for the duration of a session?
> This would be handy if one is writing a lot of emails and you don't want
> to bother every single time to type your passphrase.
> I chose quite a long and difficult passphrase and it isn't fun to type
> it over and over again when i want to encrypt or sign an email.
> 
> Any solution to this other than choosing a simpler and shorter
> passphrase?

quintuple-agent, the new gpg-agent is supposed to be better but is not
in Debian yet.

I'd be very wary of using such agents for any key that has real value.
It's ok for low security keys like the one I use to sign all my mails.

-- 
see shy jo





Re: gpg key in memory

2003-02-09 Thread Scott Henson
On Sun, 2003-02-09 at 18:53, Benedict Verheyen wrote:
> I didn't think about that. I'm using Ximian Evolution 1.2.2.

I'm using evolution and it automagically takes care of that.  Just click
the button telling it to remember the passphrase when you type it in.  
-- 
Scott Henson <[EMAIL PROTECTED]>






Re: gpg key in memory

2003-02-09 Thread Benedict Verheyen
On Mon 10-02-2003, at 00:38, Mark Zimmerman wrote:
> On Sun, Feb 09, 2003 at 11:57:06PM +0100, Benedict Verheyen wrote:
> > Hi,
> > 
> > is it possible (like with ssh) to have gpg only ask you your passphrase
> > once and then remember it for the duration of a session?
> > This would be handy if one is writing a lot of emails and you don't want
> > to bother every single time to type your passphrase.
> > I chose quite a long and difficult passphrase and it isn't fun to type
> > it over and over again when i want to encrypt or sign an email.
> > 
> > Any solution to this other than choosing a simpler and shorter
> > passphrase?
> > 
> 
> This is probably specific to your mail user agent. Mutt remembers your
> passphrase for the duration of a session unless you tell it to forget
> it. If you tell us what user agent you use, perhaps someone will know
> the answer in that context.
> 
> -- Mark

I didn't think about that. I'm using Ximian Evolution 1.2.2.

-- 
Benedict Verheyen
Linux 2.4.20 AMD Athlon(tm) Processor AuthenticAMD GNU/Linux






Re: gpg key in memory

2003-02-09 Thread Mark Zimmerman
On Sun, Feb 09, 2003 at 11:57:06PM +0100, Benedict Verheyen wrote:
> Hi,
> 
> is it possible (like with ssh) to have gpg only ask you your passphrase
> once and then remember it for the duration of a session?
> This would be handy if one is writing a lot of emails and you don't want
> to bother every single time to type your passphrase.
> I chose quite a long and difficult passphrase and it isn't fun to type
> it over and over again when i want to encrypt or sign an email.
> 
> Any solution to this other than choosing a simpler and shorter
> passphrase?
> 

This is probably specific to your mail user agent. Mutt remembers your
passphrase for the duration of a session unless you tell it to forget
it. If you tell us what user agent you use, perhaps someone will know
the answer in that context.

-- Mark






Re: gpg key in memory

2003-02-09 Thread Jeffrey Taylor
Quoting Benedict Verheyen <[EMAIL PROTECTED]>:
> Hi,
> 
> is it possible (like with ssh) to have gpg only ask you your passphrase
> once and then remember it for the duration of a session?
> This would be handy if one is writing a lot of emails and you don't want
> to bother every single time to type your passphrase.
> I chose quite a long and difficult passphrase and it isn't fun to type
> it over and over again when i want to encrypt or sign an email.
> 
> Any solution to this other than choosing a simpler and shorter
> passphrase?

Look at ssh-agent and ssh-add.

eval `ssh-agent`
ssh-add

Note back-quotes.  This will start up persistent ssh-agent process.
ssh-add will prompt for passphrase and add key.  You need to kill
ssh-agent manually, it will outlast session, IIRC.  There is a way to
have ssh-agent start a new sub-shell and terminate when sub-shell
exits.  You can add other keys besides default (RSA key in ~/.ssh) by
file name.

HTH,
  Jeffrey
  






gpg key in memory

2003-02-09 Thread Benedict Verheyen
Hi,

is it possible (like with ssh) to have gpg only ask you your passphrase
once and then remember it for the duration of a session?
This would be handy if one is writing a lot of emails and you don't want
to bother every single time to type your passphrase.
I chose quite a long and difficult passphrase and it isn't fun to type
it over and over again when i want to encrypt or sign an email.

Any solution to this other than choosing a simpler and shorter
passphrase?

-- 
Benedict Verheyen 
Linux 2.4.20 AMD Athlon(tm) Processor AuthenticAMD GNU/Linux






Re: gpg key signing protocol question

2002-11-08 Thread Michelle Storm
On Fri, Nov 08, 2002 at 06:32:01PM +1100, Rob Weir wrote:
> On Thu, Nov 07, 2002 at 02:22:40PM -0500, martin f krafft wrote:
> > also sprach Robert L. Harris <[EMAIL PROTECTED]> [2002.11.07.1327 -0500]:
> > >   If I don't though, gpg won't go look it up.  Is this normal?  Anyone
> > > know the fix for this?  I've poked around and prodded the options in 
> > > my muttrc and no-luck.  It's not just Martin, anyone whose ID I don't
> > > have on my ring already.
> > 
> > try:
> > 
> >   echo auto-key-retrieve >> ~/.gnupg/gpg.conf
> 
> I think that's changed to 'keyserver-options auto-key-retrieve' with GPG
> 1.2.
> 
> -rob

I had to modify the following 2 sections in ~/.gnupg/options
I just had to uncomment them, they were already there just commented
out. (except the first section, I believe I had to type in the keyserver
I use)


First Section:

# Most users just set the name and type of their preferred keyserver.
# Most servers do synchronize with each other and DNS round-robin may
# give you a quasi-random server each time.

keyserver x-hkp://pgp.mit.edu
#keyserver mailto:pgp-public-keys@keys.nl.pgp.net
#keyserver ldap://keyserver.pgp.com



Second Section:

# Options for keyserver functions
#
# include-disabled = when searching, include keys marked as "disabled"
#on the keyserver (not all keyservers support this).
#
# include-revoked = when searching, include keys marked as "revoked"
#   on the keyserver.
#
# verbose = show more information as the keys are fetched.
#   Can be used more than once to increase the amount
#   of information shown.
#
# use-temp-files = use temporary files instead of a pipe to talk to the
#  keyserver.  Some platforms (Win32 for one) always
#  have this on.
#
# keep-temp-files = do not delete temporary files after using them
#   (really only useful for debugging)
#
# honor-http-proxy = if the keyserver uses http, honor the http_proxy
#environment variable
#
# auto-key-retrieve = automatically fetch keys as needed from the
# keyserver when verifying signatures or when importing
# keys that have been revoked by a revocation key that
# is not present on the keyring.

keyserver-options auto-key-retrieve include-disabled include-revoked



-- 
Michelle Alexia "Jade" Storm
Dragon Impersonating a Human and failing.





Re: gpg key signing protocol question

2002-11-08 Thread Rob Weir
On Thu, Nov 07, 2002 at 02:22:40PM -0500, martin f krafft wrote:
> also sprach Robert L. Harris <[EMAIL PROTECTED]> [2002.11.07.1327 -0500]:
> >   If I don't though, gpg won't go look it up.  Is this normal?  Anyone
> > know the fix for this?  I've poked around and prodded the options in 
> > my muttrc and no-luck.  It's not just Martin, anyone whose ID I don't
> > have on my ring already.
> 
> try:
> 
>   echo auto-key-retrieve >> ~/.gnupg/gpg.conf

I think that's changed to 'keyserver-options auto-key-retrieve' with GPG
1.2.

-rob





Re: gpg key signing protocol question

2002-11-07 Thread Paul Johnson
On Thu, Nov 07, 2002 at 01:27:46PM -0500, Robert L. Harris wrote:
>   If I don't though, gpg won't go look it up.  Is this normal?  Anyone
> know the fix for this?  I've poked around and prodded the options in 
> my muttrc and no-luck.  It's not just Martin, anyone whose ID I don't
> have on my ring already.

This is normal.  The fix is to edit your .gnupg/options to have
something like the following...

keyserver x-hkp://pgp.mit.edu
keyserver x-hkp://wwwkeys.us.pgp.net
keyserver-options auto-key-retrieve include-disabled include-revoked


-- 
 .''`. Baloo Ursidae <[EMAIL PROTECTED]>
: :'  :proud Debian admin and user
`. `'`
  `-  Debian - when you have better things to do than to fix a system





Re: gpg key signing protocol question

2002-11-07 Thread Brian Nelson
sean finney <[EMAIL PROTECTED]> writes:

> hey all,
>
> so last night at the LISA 2002 conference in philly there was
> quite a nice keysigning get-together, at which i exchanged
> something like a dozen or two keys with other folks.  now previously,
> when i had signed keys with close friends, we'd just end up doing a
> bunch of gpg --sendkeys and gpg --recvkeys and eventually stuff would
> just kind of work, but i've gotten the impression that there's a
> standard protocol for signing folk's keys--involving mailing the signed
> key back to the owner of the key--is that the case?  if so, what's the
> specific process i should take? (specific commands would be great too:)

http://www.debian.org/events/keysigning

-- 
People said I was dumb, but I proved them!


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: gpg key signing protocol question

2002-11-07 Thread Robert L. Harris


Bingo, but had to move ".gnupg/options to .gnupg/gpg.conf" of course.

Thanks.

Thus spake martin f krafft ([EMAIL PROTECTED]):

> Date: Thu, 7 Nov 2002 14:22:40 -0500
> From: martin f krafft <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: gpg key signing protocol question
> Organization: Debian GNU/Linux
> X-Mailing-List: <[EMAIL PROTECTED]> archive/latest/243904
> 
> also sprach Robert L. Harris <[EMAIL PROTECTED]> [2002.11.07.1327 -0500]:
> >   If I don't though, gpg won't go look it up.  Is this normal?  Anyone
> > know the fix for this?  I've poked around and prodded the options in 
> > my muttrc and no-luck.  It's not just Martin, anyone whose ID I don't
> > have on my ring already.
> 
> try:
> 
>   echo auto-key-retrieve >> ~/.gnupg/gpg.conf
> 
> -- 
>  .''`. martin f. krafft <[EMAIL PROTECTED]>
> : :'  :proud Debian developer, admin, and user
> `. `'`
>   `-  Debian - when you have better things to do than fixing a system





:wq!
---
Robert L. Harris
   
DISCLAIMER:
  These are MY OPINIONS ALONE.  I speak for no-one else.
FYI:
 perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'






Re: gpg key signing protocol question

2002-11-07 Thread martin f krafft
also sprach Robert L. Harris <[EMAIL PROTECTED]> [2002.11.07.1327 -0500]:
>   If I don't though, gpg won't go look it up.  Is this normal?  Anyone
> know the fix for this?  I've poked around and prodded the options in 
> my muttrc and no-luck.  It's not just Martin, anyone whose ID I don't
> have on my ring already.

try:

  echo auto-key-retrieve >> ~/.gnupg/gpg.conf

-- 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system





Re: gpg key signing protocol question

2002-11-07 Thread Robert L. Harris


Ok, on Martin's last email I've noticed something I'm seeing more and
more:


[-- PGP output follows (current time: Thu Nov  7 13:24:32 2002) --]
gpg: Signature made Thu Nov  7 12:01:06 2002 EST using DSA key ID 330C4A75
gpg: Can't check signature: public key not found
[-- End of PGP output --]


I bring it up here as it was a topic here earlier.  

  I'm using Mutt and gpg.  I've put the gpg extensions from mutt.org
into my .muttrc and everything works great except calls to get the keys
from a keyserver.  If I manually do a "gpg --recv-keys " and put it
on my ring then load the message it's just dandy.  It even gets the
keyserver from my options file.

  If I don't though, gpg won't go look it up.  Is this normal?  Anyone
know the fix for this?  I've poked around and prodded the options in 
my muttrc and no-luck.  It's not just Martin, anyone whose ID I don't
have on my ring already.


Robert




Thus spake martin f krafft ([EMAIL PROTECTED]):

> Date: Thu, 7 Nov 2002 12:01:06 -0500
> From: martin f krafft <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: gpg key signing protocol question
> Organization: Debian GNU/Linux
> X-Mailing-List: <[EMAIL PROTECTED]> archive/latest/243869
> 

-- snip --

> 
> -- 
>  .''`. martin f. krafft <[EMAIL PROTECTED]>
> : :'  :proud Debian developer, admin, and user
> `. `'`
>   `-  Debian - when you have better things to do than fixing a system





:wq!
---
Robert L. Harris
   
DISCLAIMER:
  These are MY OPINIONS ALONE.  I speak for no-one else.
FYI:
 perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'






Re: gpg key signing protocol question

2002-11-07 Thread martin f krafft
also sprach sean finney <[EMAIL PROTECTED]> [2002.11.07.1134 -0500]:
> so last night at the LISA 2002 conference in philly there was quite
> a nice keysigning get-together, at which i exchanged something like
> a dozen or two keys with other folks.  now previously, when i had
> signed keys with close friends, we'd just end up doing a bunch of
> gpg --sendkeys and gpg --recvkeys and eventually stuff would just
> kind of work, but i've gotten the impression that there's a standard
> protocol for signing folk's keys--involving mailing the signed key
> back to the owner of the key--is that the case?  if so, what's the
> specific process i should take? (specific commands would be great
> too:)

usually it is preferred to send the key back to the owner via encrypted
(or not) email rather than uploading it to the keyservers, because it
gives power to the owner what to do with the key.

here's what i usually do after i verified someone's identity:

  gpg --recv-key 12345678
  gpg --edit-key !$
  > check
  > fpr
  > sign
  [...]
  > trust
  > save
  > quit

  gpg-mailkeys !$

gpg-mailkeys is from the signing-party package and sends the key
unencrypted to the owner.

-- 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system
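
The fpr step in the procedure above is where the fetched key gets compared with the fingerprint collected in person. The script below is an added example, not part of the original message or of the signing-party package: it makes that comparison on the full 40-digit fingerprint and refuses a bare 8-digit ID such as 12345678. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a fetched key against the fingerprint from the
# key slip before running "sign" inside gpg --edit-key.

# Constructed sample of `gpg --batch --with-colons --fingerprint 12345678`
# output. The key material and the name are made up.
fetched_key_listing() {
    cat <<'EOF'
pub:-:1024:17:89ABCDEF12345678:1036700000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF12345678:
uid:-::::1036700000::HASH::Alice Example <alice@example.org>:
sub:-:1024:16:0011223344556677:1036700000::::::e:
EOF
}

# Normalise a fingerprint as written on a slip: drop blanks and an
# optional 0x prefix, fold hex digits to upper case.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' \t' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Print the primary key's fingerprint from a colon listing on stdin.
# Field 10 of the first "fpr" record after "pub" holds it.
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next }
             $1 == "fpr" && seen { print $10; exit }'
}

# verify_before_signing EXPECTED_FPR   (colon listing on stdin)
# Returns 0 on a full match, 1 on a mismatch, and 2 when EXPECTED_FPR is
# not a 40-hex-digit fingerprint (for instance a short key ID).
verify_before_signing() {
    want=$(normalise_fpr "$1")
    case "$want" in
        *[!0-9A-F]*) return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || return 2
    have=$(primary_fpr)
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# Typical use with a real keyring (not run here):
#   gpg --batch --with-colons --fingerprint 12345678 |
#       verify_before_signing "$fingerprint_from_slip" && gpg --edit-key 12345678
```

Two different keys can end in the same 8 hex digits, which is why the check returns 2 for a short ID instead of comparing it.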





Re: gpg key signing protocol question

2002-11-07 Thread Stephen Gran
> hey all,
> 
> so last night at the LISA 2002 conference in philly there was
> quite a nice keysigning get-together, at which i exchanged
> something like a dozen or two keys with other folks.  now previously,
> when i had signed keys with close friends, we'd just end up doing a
> bunch of gpg --sendkeys and gpg --recvkeys and eventually stuff would
> just kind of work, but i've gotten the impression that there's a
> standard protocol for signing folk's keys--involving mailing the signed
> key back to the owner of the key--is that the case?  if so, what's the
> specific process i should take? (specific commands would be great too:)
> 
> thanks,
> --sean
> 
Hey Sean,
What I've done so far this morning is:
gpg --recv-key 
gpg --edit-key 
gpg-mailkeys 
gpg --send-keys 
That way, everybody gets a copy of their signed key (which is the sorta
supposed to way), and I also export their key with my new signature to
the mirrors.  The advantage of emailing it to them is that they can
merge it in immediately, instead of waiting for it to propagate through
the mirrors.  I don't personally care about the lag time, but some do.

Steve
-- 
Stephen Gran
[EMAIL PROTECTED]
http://www.lobefin.net/~steve






gpg key signing protocol question

2002-11-07 Thread sean finney
hey all,

so last night at the LISA 2002 conference in philly there was
quite a nice keysigning get-together, at which i exchanged
something like a dozen or two keys with other folks.  now previously,
when i had signed keys with close friends, we'd just end up doing a
bunch of gpg --sendkeys and gpg --recvkeys and eventually stuff would
just kind of work, but i've gotten the impression that there's a
standard protocol for signing folk's keys--involving mailing the signed
key back to the owner of the key--is that the case?  if so, what's the
specific process i should take? (specific commands would be great too:)

thanks,
--sean






Re: GPG: key D5DE453D: invalid subkey binding

2002-02-10 Thread Henrique de Moraes Holschuh
On Sat, 09 Feb 2002, Osamu Aoki wrote:
> Also, it looks like I can "send" my key to "keyring.debian.org" but I can
> not "recv".  Maybe I have to wait CRON but...  (I am not a Debian
> developer)

keyring.debian.org is only for registered Debian developers. However, I am
supposed to get my butt in gear and implement keyring.cipsga.org.br sometime
this millennium. That one will be open to all (and will use nearly the same
code as keyring.debian.org).

I will post a small note here when I manage that. BTW, the code behind
keyring.debian.org is quite simple, and its use interface is limited (no
searches).

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh



Re: GPG: key D5DE453D: invalid subkey binding

2002-02-09 Thread Osamu Aoki
On Sat, Feb 09, 2002 at 04:04:52PM -0200, Henrique de Moraes Holschuh wrote:
> On Sat, 09 Feb 2002, Osamu Aoki wrote:
> > What is the remedy?  Any pointer to information will be nice.
> 
> There is none.
Sad :( ...
> I gave up the entire pgp.net keyserver system, and since I loathe the
> non-DFSG-compliant keyserver.net crap, I've been using keyring.debian.org as
> the only keyserver where people can get a proper copy of my key (other than
> asking me for it directly, or finger [EMAIL PROTECTED]).

"keyserver.net" used to be usable but it started causing problem thus I
stopped using it a while ago.  That is not my option too.

If this is true, /usr/share/gnupg/option.skel must be modified.  It
said:

# GnuPG can import a key from a HKP keyerver if one is missing
# for certain operations. Is you set this option to a keyserver
# you will be asked in such a case whether GnuPG should try to
# import the key from that server (server do syncronize with each
# other and DNS Round-Robin may give you a random server each time).
# Use "host -l pgp.net | grep www" to figure out a keyserver.

There should be some warning of the bugs on those pgp.net keyservers.

Also, it looks like I can "send" my key to "keyring.debian.org" but I can
not "recv".  Maybe I have to wait CRON but...  (I am not a Debian
developer)


-- 
~\^o^/~~~ ~\^.^/~~~ ~\^*^/~~~ ~\^_^/~~~ ~\^+^/~~~ ~\^:^/~~~ ~\^v^/~~~ 
+  Osamu Aoki <[EMAIL PROTECTED]>, GnuPG-key: 1024D/D5DE453D  +
+  My debian quick-reference, http://qref.sourceforge.net/quick/  +



Re: GPG: key D5DE453D: invalid subkey binding

2002-02-09 Thread Henrique de Moraes Holschuh
On Sat, 09 Feb 2002, Osamu Aoki wrote:
> What is the remedy?  Any pointer to information will be nice.

There is none. One could get the keyserver software, and fix it (good luck,
that thing is NOT easy to grok), then waste a few days of machine cycles
purging all screwed up keys from the keyring...   And you would still risk
that people would ignore all your hard work, I suppose.

I gave up the entire pgp.net keyserver system, and since I loathe the
non-DFSG-compliant keyserver.net crap, I've been using keyring.debian.org as
the only keyserver where people can get a proper copy of my key (other than
asking me for it directly, or finger [EMAIL PROTECTED]).

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh



Re: GPG: key D5DE453D: invalid subkey binding

2002-02-09 Thread Osamu Aoki
On Sat, Feb 09, 2002 at 08:06:27AM -0200, Henrique de Moraes Holschuh wrote:
> On Fri, 08 Feb 2002, Osamu Aoki wrote:
> > gpg: key D5DE453D: invalid subkey binding
> 
> This is from a pgp.net keyserver? 
Yes! 

> If so, it has corrupted your key in the
> server because there are two subkeys. Their crap software has not been
> updated in far a while.
> 
> > pub  1024D/D5DE453D  created: 2000-09-24 expires: never  trust: f/u
> > sub  1024g/D130E875  created: 2000-09-24 expires: 2001-09-24
> > sub  1024g/ECF1020D  created: 2002-02-08 expires: 2005-02-07
> 
> Looks like it. I have this problem as well.

What is the remedy?  Any pointer to information will be nice.

I did the following: (Did not work)

 1) removed 2nd sub key and changed expire date of first subkey locally
 2) host $ gpg  --send-keys D5DE453D
gpg: success sending to `wwwkeys.us.pgp.net' (status=200)

But keyserver does not remove 2nd sub key.  (Just merges it)

Osamu
-- 
~\^o^/~~~ ~\^.^/~~~ ~\^*^/~~~ ~\^_^/~~~ ~\^+^/~~~ ~\^:^/~~~ ~\^v^/~~~ 
+  Osamu Aoki <[EMAIL PROTECTED]>, GnuPG-key: 1024D/D5DE453D  +
+  My debian quick-reference, http://qref.sourceforge.net/quick/  +



Re: GPG: key D5DE453D: invalid subkey binding

2002-02-09 Thread Henrique de Moraes Holschuh
On Fri, 08 Feb 2002, Osamu Aoki wrote:
> gpg: key D5DE453D: invalid subkey binding

This is from a pgp.net keyserver? If so, it has corrupted your key in the
server because there are two subkeys. Their crap software has not been
updated in far a while.

> pub  1024D/D5DE453D  created: 2000-09-24 expires: never  trust: f/u
> sub  1024g/D130E875  created: 2000-09-24 expires: 2001-09-24
> sub  1024g/ECF1020D  created: 2002-02-08 expires: 2005-02-07

Looks like it. I have this problem as well.

> (1)  Osamu Aoki <[EMAIL PROTECTED]>
> (2). Osamu Aoki <[EMAIL PROTECTED]>

The dot shows your main UID.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh



GPG: key D5DE453D: invalid subkey binding

2002-02-09 Thread Osamu Aoki
Hi,

I am intrigued by GPG.

$ gpg  --recv-keys D5DE453D

gpg: requesting key D5DE453D from wwwkeys.pgp.net ...
gpg: key D5DE453D: invalid subkey binding
gpg: key D5DE453D: not changed
gpg: Total number processed: 1
gpg:  unchanged: 1
$ gpg  --edit-key D5DE453D
Secret key is available.

pub  1024D/D5DE453D  created: 2000-09-24 expires: never  trust: f/u
sub  1024g/D130E875  created: 2000-09-24 expires: 2001-09-24
sub  1024g/ECF1020D  created: 2002-02-08 expires: 2005-02-07
(1)  Osamu Aoki <[EMAIL PROTECTED]>
(2). Osamu Aoki <[EMAIL PROTECTED]>
(3)  Osamu Aoki <[EMAIL PROTECTED]>
(4)  Osamu Aoki <[EMAIL PROTECTED]>
(5)  Osamu Aoki <[EMAIL PROTECTED]>

Command> quit
$

What is going on with above?

What is / "period" after (2) doing?

-- 
~\^o^/~~~ ~\^.^/~~~ ~\^*^/~~~ ~\^_^/~~~ ~\^+^/~~~ ~\^:^/~~~ ~\^v^/~~~ 
+  Osamu Aoki <[EMAIL PROTECTED]>, GnuPG-key: 1024D/D5DE453D  +
+  My debian quick-reference, http://qref.sourceforge.net/quick/  +



Re: PUBLIC GPG KEY REVOCATION FOR DAVID DOWNEY

2001-12-30 Thread Paul Mackinney
David D. W. Downey muttered:
> I have since made a new key. the **correct** gpg key is as follows

Nice try, Moriarity, but I happen to know the real David D. W. Downey.
Not only is he one of the few truly pure and beautiful people on this
planet, he has an eidolonic memory and had memorized his pgp key.

Holmes



PUBLIC GPG KEY REVOCATION FOR DAVID DOWNEY

2001-12-30 Thread David D. W. Downey
Hey folks,
Forgive the email. I had an accident on my machine which
wiped out my gpg keyring. Unfortunately I had not had time
to back up the ring, thus the gpg key I've been using is
completely lost.


I have since made a new key. the **correct** gpg key is as follows

pub  1024D/42D8F306 2001-12-30 David D.W. Downey ("pgpkeys") <[EMAIL PROTECTED]>
sub  2048g/6A9DD29F 2001-12-30 [expires: 2002-12-30]









Re: GPG key expiration and signatures

2001-07-03 Thread Henrique de Moraes Holschuh


msg.pgp
Description: PGP message


GPG key expiration and signatures

2001-07-03 Thread Martin F. Krafft
just to get clarity into this:

if i set an expiration date on my GPG key and collect n signatures for
this key, what do i have to do on the day of expiration to obtain a
valid key that's signed by the same n people, and how do i
redistribute this new key?

on debian-user, i notice people with expiration dates *and* hundreds
of signatures, and i just don't want to believe that they redo them
every single year.

my understanding is that as long as you simply renew your key, all
the signatures stay the same, but a new public key would be available
that would replace the old key on the keyserver and in people's
keyrings. am i wrong?

martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
-- 
never underestimate the power of human stupidity.




Re: GPG key not found

2001-04-18 Thread Osamu Aoki
On Tue, Apr 17, 2001 at 02:26:09PM -0800, Ethan Benson wrote:
> my suggestion is use a different keyserver.  pgp.ai.mit.edu was my
> favorite as it was quite reliable and did not use any of these
> proprietary keyservers.  but its been down for days.  

I agree but recently it was unreachable for some reason.

So I now use: keyserver wwwkeys.eu.pgp.net

# followings are same host with different DNS entry: pgp5 
#keyserver wwwkeys.us.pgp.net
#keyserver pgp.ai.mit.edu

-- 
~\^o^/~~~ ~\^.^/~~~ ~\^*^/~~~ ~\^_^/~~~ ~\^+^/~~~ ~\^:^/~~~ ~\^v^/~~~ 
+  Osamu Aoki <[EMAIL PROTECTED]>, GnuPG-key: 1024D/D5DE453D  +
+  For my debian quick-reference, peek into:  +
+   http://www.aokiconsulting.com/quick/  +





Re: GPG key not found

2001-04-18 Thread Waldemar Brodkorb
Hello Andre,

* Andre Berger wrote:

> I've uploaded my GPG public key to www.keyserver.net some days ago. The
> key ID is 07182FBC, but you can only get the key as 0x07182FBC, or
> [EMAIL PROTECTED] What's wrong? 

Nothing is wrong.

> How do I keep people from
> besieging me to upload a key to a key server that has already been
> uploaded?

Your key is there and will be synchronized with other
key-servers in the next weeks.


07182FBC Andre Berger  <[EMAIL PROTECTED]>
Fingerprint = C682 97F1 D8E7 89AB CF1E 9A0A 70AD
1A8B 0718 2FBC
  07182FBC  Andre Berger
  <[EMAIL PROTECTED]>

cya
Waldemar

-- 
* A good cryptography program:     |  (o_  *
*   http://www.gnupg.org   |  //\  *
*   Linux rulez!;-)|  V_/_ *
* GnuPG-Key: 0xBE21BD90 | Tux: #155220 | ICQ: 64035650 *



Re: GPG key not found

2001-04-18 Thread Andre Berger
* Karsten M. Self , 2001-04-18 09:43 +0200:
> on Tue, Apr 17, 2001 at 02:26:09PM -0800, Ethan Benson ([EMAIL PROTECTED]) 
> wrote:
> > On Tue, Apr 17, 2001 at 10:01:52PM +0200, Andre Berger wrote:
> > > I've uploaded my GPG public key to www.keyserver.net some days ago. The
> > > key ID is 07182FBC, but you can only get the key as 0x07182FBC, or
> > > [EMAIL PROTECTED] What's wrong? How do I keep people from
> > > besieging me to upload a key to a key server that has already been
> > > uploaded?
> > 
> > keyserver.net uses a fairly new proprietary keyserver, and it very
> > much appears to not like GnuPG keys.  my GPG key is on most keyservers
> > (the ones using the tried and true free pks) but i think it still does
> > not appear on keyserver.net (i haven't checked in a few months, i had
> > tried to upload it and it ignored it, so i waited for synchronisation
> > to occur and it never did).
> > 
> > my suggestion is use a different keyserver.  pgp.ai.mit.edu was my
> > favorite as it was quite reliable and did not use any of these
> > proprietary keyservers.  but its been down for days.  
> 
> I'm also having problems with the "round-robin" keyserver (I think),
> wwwkeys.pgp.net.  Sometimes it works, sometimes it don't (about one in
> three or four attempts fails), and responses are dog slow.

It's more or less solved: on the one hand, I took advice from D-Man and
Nate Johnston and set mutt's "pgp_sign_as" to "0x07182FBC", on the other
uploaded my key "manually" to http://certserver.pgp.org. Seems OK now.
Just wondering what happens if the uploaded versions should ever
conflict...

Thanks for your help, please report any problems back to me.

Andre Berger[EMAIL PROTECTED]




Re: GPG key not found

2001-04-17 Thread Karsten M. Self
on Tue, Apr 17, 2001 at 02:26:09PM -0800, Ethan Benson ([EMAIL PROTECTED]) 
wrote:
> On Tue, Apr 17, 2001 at 10:01:52PM +0200, Andre Berger wrote:
> > I've uploaded my GPG public key to www.keyserver.net some days ago. The
> > key ID is 07182FBC, but you can only get the key as 0x07182FBC, or
> > [EMAIL PROTECTED] What's wrong? How do I keep people from
> > besieging me to upload a key to a key server that has already been
> > uploaded?
> 
> keyserver.net uses a fairly new proprietary keyserver, and it very
> much appears to not like GnuPG keys.  my GPG key is on most keyservers
> (the ones using the tried and true free pks) but i think it still does
> not appear on keyserver.net (i haven't checked in a few months, i had
> tried to upload it and it ignored it, so i waited for synchronisation
> to occur and it never did).
> 
> my suggestion is use a different keyserver.  pgp.ai.mit.edu was my
> favorite as it was quite reliable and did not use any of these
> proprietary keyservers.  but its been down for days.  

I'm also having problems with the "round-robin" keyserver (I think),
wwwkeys.pgp.net.  Sometimes it works, sometimes it don't (about one in
three or four attempts fails), and responses are dog slow.

-- 
Karsten M. Self http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?   There is no K5 cabal
  http://gestalt-system.sourceforge.net/ http://www.kuro5hin.org




Re: GPG key not found

2001-04-17 Thread Ethan Benson
On Tue, Apr 17, 2001 at 10:01:52PM +0200, Andre Berger wrote:
> I've uploaded my GPG public key to www.keyserver.net some days ago. The
> key ID is 07182FBC, but you can only get the key as 0x07182FBC, or
> [EMAIL PROTECTED] What's wrong? How do I keep people from
> besieging me to upload a key to a key server that has already been
> uploaded?

keyserver.net uses a fairly new proprietary keyserver, and it very
much appears to not like GnuPG keys.  my GPG key is on most keyservers
(the ones using the tried and true free pks) but i think it still does
not appear on keyserver.net (i haven't checked in a few months, i had
tried to upload it and it ignored it, so i waited for synchronisation
to occur and it never did).

my suggestion is use a different keyserver.  pgp.ai.mit.edu was my
favorite as it was quite reliable and did not use any of these
proprietary keyservers.  but its been down for days.  

-- 
Ethan Benson
http://www.alaska.net/~erbenson/




Re: GPG key not found

2001-04-17 Thread D-Man
On Tue, Apr 17, 2001 at 10:01:52PM +0200, Andre Berger wrote:
| I've uploaded my GPG public key to www.keyserver.net some days ago. The
| key ID is 07182FBC, but you can only get the key as 0x07182FBC, or
| [EMAIL PROTECTED] What's wrong? How do I keep people from
| besieging me to upload a key to a key server that has already been
| uploaded?

In several environments (C, Java, Python, etc) numerical literals
beginning with '0' are interpreted as octal numbers while numeric
literals beginning with '0x' are hexadecimal.  The number, as first
shown, in octal is not valid (only digits 0..7 allowed).  The second
case looks like hex to me.  I would recommend giving people the
explicitly hexadecimal version, or maybe convert it to a different
base (decimal, octal, whatever).  As decimal that ID is 119025596.

I don't really know anything about the key itself and how those
mechanisms work.

HTH,
-D



GPG key not found

2001-04-17 Thread Andre Berger
I've uploaded my GPG public key to www.keyserver.net some days ago. The
key ID is 07182FBC, but you can only get the key as 0x07182FBC, or
[EMAIL PROTECTED] What's wrong? How do I keep people from
besieging me to upload a key to a key server that has already been
uploaded?

Andre Berger[EMAIL PROTECTED]



Re: signing gpg key with old key ...

2000-11-12 Thread kmself
on Sat, Nov 11, 2000 at 07:01:33PM -0800, kmself@ix.netcom.com 
(kmself@ix.netcom.com) wrote:
> on Sat, Nov 11, 2000 at 03:43:37PM -0900, Ethan Benson ([EMAIL PROTECTED]) 
> wrote:
> > On Sat, Nov 11, 2000 at 02:01:35PM -0800, kmself@ix.netcom.com wrote:

> > > Question for the gallery:  Is there a good method for checking a local
> > > keyring against a public keyserver to find updates and/or additional
> > > signatures.  The best I can do right now is list the key IDs I've got
> > > and do a 'gpg --recv-keys' to update this list.
> > 
> > i don't know of a quick way no.  there should be something like gpg
> > --refresh-keyring or something.
> 
> I ran my own little thang:
> 
> gpg --list-keys | grep '^pub' | awk '{ print $2}' |
>   sed -e '/^.*\//s///' > keylist
> gpg --recv-keys `cat keylist`
> 
> ...which did the job.  I'll time a run -- 496 keys I've got now.  Takes
> a while at 56K.  And there were a number of updates -- signatures and
> the like.

FWIW:  Elapsed time:  72 minutes, @ 56K.

-- 
Karsten M. Self  http://www.netcom.com/~kmself
 Evangelist, Zelerate, Inc.  http://www.zelerate.org
  What part of "Gestalt" don't you understand?  There is no K5 cabal
   http://gestalt-system.sourceforge.net/ http://www.kuro5hin.org




Re: signing gpg key with old key ...

2000-11-11 Thread kmself
on Sat, Nov 11, 2000 at 03:43:37PM -0900, Ethan Benson ([EMAIL PROTECTED]) 
wrote:
> On Sat, Nov 11, 2000 at 02:01:35PM -0800, kmself@ix.netcom.com wrote:
> > 
> > My understanding is that you *can* change the expiration date, though
> > typically you wouldn't do so after the key had expired.  The change can
> > be propagated through public keyservers.
> 
> the problem is most implementations think the expiration cannot be
> changed and won't integrate the change.  (proprietary PGP, SafeMail
> etc all assume this)  i'm not even sure all the keyservers will accept
> an expiration change.
> 
> > Question for the gallery:  Is there a good method for checking a local
> > keyring against a public keyserver to find updates and/or additional
> > signatures.  The best I can do right now is list the key IDs I've got
> > and do a 'gpg --recv-keys' to update this list.
> 
> i don't know of a quick way no.  there should be something like gpg
> --refresh-keyring or something.

I ran my own little thang:

gpg --list-keys | grep '^pub' | awk '{ print $2}' |
sed -e '/^.*\//s///' > keylist
gpg --recv-keys `cat keylist`

...which did the job.  I'll time a run -- 496 keys I've got now.  Takes
a while at 56K.  And there were a number of updates -- signatures and
the like.

-- 
Karsten M. Self  http://www.netcom.com/~kmself
 Evangelist, Zelerate, Inc.  http://www.zelerate.org
  What part of "Gestalt" don't you understand?  There is no K5 cabal
   http://gestalt-system.sourceforge.net/ http://www.kuro5hin.org




Re: signing gpg key with old key ...

2000-11-11 Thread Ethan Benson
On Sat, Nov 11, 2000 at 02:01:35PM -0800, kmself@ix.netcom.com wrote:
> 
> My understanding is that you *can* change the expiration date, though
> typically you wouldn't do so after the key had expired.  The change can
> be propagated through public keyservers.

the problem is most implementations think the expiration cannot be
changed and won't integrate the change.  (proprietary PGP, SafeMail
etc all assume this)  i'm not even sure all the keyservers will accept
an expiration change.

> Question for the gallery:  Is there a good method for checking a local
> keyring against a public keyserver to find updates and/or additional
> signatures.  The best I can do right now is list the key IDs I've got
> and do a 'gpg --recv-keys' to update this list.

i don't know of a quick way no.  there should be something like gpg
--refresh-keyring or something.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/




Re: Getting new keys (was Re: signing gpg key with old key ...)

2000-11-11 Thread Henrique M Holschuh
On Sat, 11 Nov 2000, kmself@ix.netcom.com wrote:
> There are two general problems with a public key infrastructure:
> 
>   - Key distribution (the 'keyserver' line handles this).
>   - Key modification updates.  

See attached script. Modify it for your needs, or write a new one that isn't
such an ugly hack :-)

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

#!/bin/sh
## GNUPG Maintenance script
##

###
### User-defined parameters
###

## Read-Only keyrings
ROKEYRINGS="/usr/share/keyrings/debian-keyring.gpg /usr/share/keyrings/debian-keyring.pgp"

## Keyserver list
#KEYSERVERS="keyring.debian.org wwwkeys.eu.pgp.net wwwkeys.us.pgp.net"
KEYSERVERS="wwwkeys.eu.pgp.net wwwkeys.us.pgp.net"

PROG=`basename $0`



set +e

if test -x /usr/bin/time; then
	TIMECMD=/usr/bin/time
else
	TIMECMD=
fi

runupdate() {
	# Does an update run
	gpg --batch --list-keys --fast-list | grep ^pub\  | awk '{ print $2 }' | sed s/^.*\\/// | xargs -r ${TIMECMD} gpg -q --batch --lock-multiple --recv-key $@
}

## First, update public ring from any readonly keyrings

echo ${PROG}: Updating RW keyring from RO keyrings...
echo ${PROG}: Keyrings: ${ROKEYRINGS}

${TIMECMD} gpg --batch --quiet --fast-import ${ROKEYRINGS}

echo

## Now, refresh key data from dynamic sources

echo ${PROG}: Requesting fresh key data from public keyservers...

for i in ${KEYSERVERS} ; do 
	echo ${PROG}: Keyserver ${i}...
	runupdate --keyserver ${i}
	echo
done

## Now, rebuild database

echo ${PROG}: Rebuilding trust database...
gpg --batch --quiet --update-trustdb

echo ${PROG}: DONE.
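
The pipelines in this thread scrape 8-digit key IDs out of gpg's human-readable "pub 1024D/ID" listing. The script below is an added example, not code from the thread or from GnuPG: it selects keys from the colon-delimited listing instead and hands full fingerprints to --recv-keys. The function names and the sample listing are constructed; later GnuPG releases also ship --refresh-keys for the same job.

```shell
#!/bin/sh
# Added example: pick the keys to refresh from gpg's machine-readable
# listing and refresh them by full fingerprint.

# Constructed sample of `gpg --batch --with-colons --fingerprint --list-keys`
# output. All key material and names are made up.
sample_listing() {
    cat <<'EOF'
tru::1:975000000:0:3:1:5
pub:u:1024:17:89ABCDEF00000001:974000000:::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF00000001:
uid:u::::974000000::HASH::Alice Example <alice@example.org>:
sub:u:1024:16:89ABCDEF00000002:974000000::::::e:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF00000002:
pub:r:1024:17:89ABCDEF00000003:960000000:::-:::sc:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF00000003:
uid:r::::960000000::HASH::Bob Example <bob@example.org>:
pub:e:1024:17:89ABCDEF00000004:960000000:970000000::-:::sc:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF00000004:
uid:e::::960000000::HASH::Carol Example <carol@example.org>:
EOF
}

# Print the full fingerprint of every primary key that is not revoked.
# Field 1 is the record type, field 2 the validity ("r" revoked,
# "e" expired), and field 10 of an "fpr" record is the fingerprint.
# An "fpr" record that follows a "sub" record belongs to the subkey
# and is skipped.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" { want = ($2 != "r"); next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# Refresh the selected keys from one keyserver, 50 fingerprints per gpg
# invocation. Expired keys stay in the list on purpose: a refresh is how
# a changed expiry date or a new signature reaches the local keyring.
# Usage: refresh_from KEYSERVER   (xargs -r is a GNU extension)
refresh_from() {
    gpg --batch --with-colons --fingerprint --list-keys |
        primary_fingerprints |
        xargs -r -n 50 gpg --batch --keyserver "$1" --recv-keys
}
```

Only the primary keys are requested because a keyserver returns the whole key, subkeys and signatures included, for each primary fingerprint.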




Re: Getting new keys (was Re: signing gpg key with old key ...)

2000-11-11 Thread kmself
on Sat, Nov 11, 2000 at 05:17:43PM -0500, Mike ([EMAIL PROTECTED]) wrote:
> kmself@ix.netcom.com wrote:
> > Question for the gallery:  Is there a good method for checking a local
> > keyring against a public keyserver to find updates and/or additional
> > signatures.  The best I can do right now is list the key IDs I've got
> > and do a 'gpg --recv-keys' to update this list.
> 
> From my ~/.gnupg/options:
> 
> # GnuPG can import a key from a HKP keyerver if one is missing

<..>

> keyserver wwwkeys.eu.pgp.net
> 
> That lets my system query a keyserver anytime a new key comes along,
> whether it be a signed email or whatever.  This is how I've gotten all
> but a very few of the keys used on this list, including yours if I
> remember correctly.

This isn't the problem.  I've got the same configuration in my
.gnupg/options file.

I've got 400+ keys.  What I'd like to do is update any signatures,
revocations, or expiry date changes for these keys.  The gpg --recv-keys
command I'm running right now (see prior post) is the only way I can
think of to update this key data.  It appears to be working, but it's
not the cleanest process.

There are two general problems with a public key infrastructure:

  - Key distribution (the 'keyserver' line handles this).
  - Key modification updates.  

The second is the problem I'm trying to resolve.

-- 
Karsten M. Self  http://www.netcom.com/~kmself
 Evangelist, Zelerate, Inc.  http://www.zelerate.org
  What part of "Gestalt" don't you understand?  There is no K5 cabal
   http://gestalt-system.sourceforge.net/ http://www.kuro5hin.org




Getting new keys (was Re: signing gpg key with old key ...)

2000-11-11 Thread Mike
kmself@ix.netcom.com wrote:
> Question for the gallery:  Is there a good method for checking a local
> keyring against a public keyserver to find updates and/or additional
> signatures.  The best I can do right now is list the key IDs I've got
> and do a 'gpg --recv-keys' to update this list.

From my ~/.gnupg/options:

# GnuPG can import a key from a HKP keyserver if one is missing
# for certain operations. If you set this option to a keyserver
# you will be asked in such a case whether GnuPG should try to
# import the key from that server (servers do synchronize with each
# other and DNS Round-Robin may give you a random server each time).
# Use "host -l pgp.net | grep www" to figure out a keyserver.
keyserver wwwkeys.eu.pgp.net

That lets my system query a keyserver anytime a new key comes along, whether
it be a signed email or whatever.  This is how I've gotten all but a very few
of the keys used on this list, including yours if I remember correctly.
-- 
Mike Werner  KA8YSD   | He that is slow to believe anything and
  | everything is of great understanding,
'91 GS500E| for belief in one false principle is the
Morgantown WV | beginning of all unwisdom.





Re: signing gpg key with old key ...

2000-11-11 Thread kmself
on Thu, Nov 09, 2000 at 09:35:56AM -0600, Jorgensen, Jens ([EMAIL PROTECTED]) wrote:
> Adam Shand wrote:
> 
> > > how do i sign my new public key with my old private key?
> >
> > okay sorry to follow up my own message but i just figured it out.
> > sometimes it seems that i have to write down (or explain it to someone
> > else) in order to figure it out.
> >
> > if you need to do this it seems impossible from within the --edit-key
> > menu you need to do it on the command line like this:
> >
> > # gpg -u old-key-id --sign-key new-key-id
> >
> > so now my next question is.  my old key id is expired but i've used it to
> > sign my new key.  i don't want people to use my old key.
> >
> > should i revoke my old key or will that illegitimize its signature on my
> > new key?
> >
> > should i move the expire date on my old key (and update the keys server)?
> > if i do that how do i stop people from using it?

> The tools people use for sending you stuff should tell them that the
> key is expired. That should encourage them not to use it. If you
> revoke your old key that certainly invalidates the signature.
> Technically you can't change the expire date. I mean there's nothing
> to stop the software from changing the date and regenerating the
> signature but the server *should* recognize this and reject such a
> change since the old signature includes the expiration date.

My understanding is that you *can* change the expiration date, though
typically you wouldn't do so after the key had expired.  The change can
be propagated through public keyservers.

Question for the gallery:  Is there a good method for checking a local
keyring against a public keyserver to find updates and/or additional
signatures.  The best I can do right now is list the key IDs I've got
and do a 'gpg --recv-keys' to update this list.

-- 
Karsten M. Self  http://www.netcom.com/~kmself
 Evangelist, Zelerate, Inc.  http://www.zelerate.org
  What part of "Gestalt" don't you understand?  There is no K5 cabal
   http://gestalt-system.sourceforge.net/    http://www.kuro5hin.org




Re: signing gpg key with old key ...

2000-11-09 Thread Jorgensen, Jens
The tools people use for sending you stuff should tell them that the key is 
expired. That should encourage them not to use it. If you revoke your old key 
that certainly invalidates the signature. Technically you can't change the 
expire date. I mean there's nothing to stop the software from changing the date 
and regenerating the signature but the server *should* recognize this and 
reject such a change since the old signature includes the expiration date.

Adam Shand wrote:

> > how do i sign my new public key with my old private key?
>
> okay sorry to follow up my own message but i just figured it out.
> sometimes it seems that i have to write down (or explain it to someone
> else) in order to figure it out.
>
> if you need to do this it seems impossible from within the --edit-key
> menu you need to do it on the command line like this:
>
> # gpg -u old-key-id --sign-key new-key-id
>
> so now my next question is.  my old key id is expired but i've used it to
> sign my new key.  i don't want people to use my old key.
>
> should i revoke my old key or will that illegitimize its signature on my
> new key?
>
> should i move the expire date on my old key (and update the keys server)?
> if i do that how do i stop people from using it?
>
> thanks,
> adam.
>
> --
> Unsubscribe?  mail -s unsubscribe [EMAIL PROTECTED] < /dev/null

--
Jens B. Jorgensen
[EMAIL PROTECTED]


