gpg randomly losing keys [was: Re: signature and missing key]
On Mon, Jun 23, 2003 at 11:58:49PM +0100, Pigeon wrote:
> On Wed, Jun 18, 2003 at 12:15:09PM -0400, Derrick 'dman' Hudson wrote:
> > On Tue, Jun 17, 2003 at 11:32:14PM +0100, Pigeon wrote:
> > | With a dialup, it would be rather useful to be able to do this from the MTA
> > | rather than the MUA.
> >
> > True.
> >
> > | Unfortunately /usr/share/doc/exim/spec.txt.gz contains no references
> > | to either gpg or pgp. Am I really out of luck for built-in
> > | solutions?
> >
> > No, but you are out of luck (AFAIK) for ready-made solutions. What
> > you can do is instruct exim to pass all messages through a pipe as it
> > delivers them. In your system filter put
> >
> >     unseen pipe /usr/local/bin/gpg-key-retrieve
> >
> > (read the exim manual for setting up a system filter; it really is
> > quite trivial)
>
> Yeah, you sorted me out with exim filters some time ago actually, thanks!
> All mail comes through my only user, so I'm running it from ~/.forward
> to keep all my mail filtering in one place.
>
> > Then create the program gpg-key-retrieve. It needs to parse enough
> > of the message to determine the key's id and then merely run the gpg
> > command to retrieve it.
>
> This little hack seems to work, both for single messages and for digests.
> It's not totally immune against getting the odd key that you don't need,
> but I don't think that's a major problem.
>
> #!/bin/bash
> # Reads one message (or digest) on stdin.
>
> LOGFILE=/home/pigeon/mail/debug/getakey.log
> KEYSERVER=pgp.mit.edu
>
> TMPFILE=`mktemp -t getakey.XXXXXX` || exit 1
> TMPGPG=`mktemp -t getakey.gpg.XXXXXX`
> if [ $? -ne 0 ]; then
>   rm -f $TMPFILE
>   exit 1
> fi
>
> # Keep only the armoured signature block(s) from the message
> sed -n -e '/^-----BEGIN PGP SIGNATURE-----$/,/^-----END PGP SIGNATURE-----$/p' > $TMPFILE 2>/dev/null
>
> if [ -s $TMPFILE ]; then
>   # Verify against /dev/null: the aim is only to make gpg request a missing key
>   gpg --verify --keyserver $KEYSERVER $TMPFILE /dev/null > $TMPGPG 2>&1
>   # Log the gpg output only when a key was requested
>   grep 'requesting key' $TMPGPG > /dev/null 2>&1 && \
>     (echo -n 'Key requested at '; 822-date; cat $TMPGPG) >> $LOGFILE
> fi
>
> rm -f $TMPFILE
> rm -f $TMPGPG

This appears to have shown up some 'unexpected behaviour' on the part of gpg. It appears to import the keys OK (as long as the keyserver itself has them, of course), but randomly loses some of them...

I have entries in the log file such as:

Key requested at Tue, 24 Jun 2003 15:42:10 +0100
gpg: Signature made Tue Jun 24 14:40:30 2003 BST using DSA key ID 9D395550
gpg: requesting key 9D395550 from pgp.mit.edu ...
gpg: key 9D395550: public key imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: BAD signature from Hugh Saunders (_.:|CYE-SC|:._) [EMAIL PROTECTED]

(the BAD signature is because my script is verifying /dev/null)

yet

gpg --list-keys | grep 9D395550

gives no result, and mutt can't check the signed email. Other keys with identical log entries have been imported correctly and work fine.

Doing find / -name '*gpg*' and ...'*ring*' doesn't find any spurious keyring files in places where they shouldn't be - there's nothing outside ~/.gnupg.

Anyone got any idea where the missing keys have gone, and why?

--
Pigeon

Be kind to pigeons
Get my GPG key here: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x21C61F7F
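
An added example, not part of Pigeon's post or of gpg itself: one way to check for the symptom described above is to compare the key IDs the log reports as imported against the keyring's machine-readable listing. The function names, the BBBB2222 key and the sample keyring listing are constructed for illustration; the listing is assumed to be saved output of `gpg --list-keys --with-colons`.

```shell
#!/bin/sh
# Added example (not from the thread): find keys that gpg logged as
# "public key imported" but that are absent from the keyring listing.

# stdin: gpg log text. stdout: short (8 hex digit) IDs reported as imported.
imported_ids() {
    sed -n 's/^gpg: key [0-9A-Fa-f]*\([0-9A-Fa-f]\{8\}\): public key.*imported$/\1/p' |
        tr 'a-f' 'A-F' | sort -u
}

# stdin: output of `gpg --list-keys --with-colons`. Field 5 of pub/sub
# records is the long key ID; its last 8 digits are the short ID.
keyring_ids() {
    awk -F: '$1 == "pub" || $1 == "sub" {
        print toupper(substr($5, length($5) - 7))
    }' | sort -u
}

# $1 = log file, $2 = saved colon listing. Prints IDs logged but not present.
missing_keys() {
    have=$(keyring_ids < "$2")
    for id in $(imported_ids < "$1"); do
        printf '%s\n' "$have" | grep -qx "$id" || printf '%s\n' "$id"
    done
}

# Constructed sample: the 9D395550 lines are from the log quoted above,
# the BBBB2222 key and the keyring listing are made up for the demo.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/log" <<'EOF'
gpg: requesting key 9D395550 from pgp.mit.edu ...
gpg: key 9D395550: public key imported
gpg: requesting key BBBB2222 from pgp.mit.edu ...
gpg: key BBBB2222: public key imported
EOF
    cat > "$dir/keys" <<'EOF'
pub:-:1024:17:AAAA1111BBBB2222:2003-01-01:::-:Constructed User <user@example.invalid>::scESC:
EOF
    missing_keys "$dir/log" "$dir/keys"
    rm -rf "$dir"
}

demo
```

On a live system, save `gpg --list-keys --with-colons` to a file and pass it to missing_keys together with the script's log file.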
Re: signature and missing key
On Wed, Jun 18, 2003 at 12:15:09PM -0400, Derrick 'dman' Hudson wrote:
> On Tue, Jun 17, 2003 at 11:32:14PM +0100, Pigeon wrote:
> | With a dialup, it would be rather useful to be able to do this from the MTA
> | rather than the MUA.
>
> True.
>
> | Unfortunately /usr/share/doc/exim/spec.txt.gz contains no references
> | to either gpg or pgp. Am I really out of luck for built-in
> | solutions?
>
> No, but you are out of luck (AFAIK) for ready-made solutions. What
> you can do is instruct exim to pass all messages through a pipe as it
> delivers them. In your system filter put
>
>     unseen pipe /usr/local/bin/gpg-key-retrieve
>
> (read the exim manual for setting up a system filter; it really is
> quite trivial)

Yeah, you sorted me out with exim filters some time ago actually, thanks! All mail comes through my only user, so I'm running it from ~/.forward to keep all my mail filtering in one place.

> Then create the program gpg-key-retrieve. It needs to parse enough
> of the message to determine the key's id and then merely run the gpg
> command to retrieve it.

This little hack seems to work, both for single messages and for digests. It's not totally immune against getting the odd key that you don't need, but I don't think that's a major problem.

#!/bin/bash
# Reads one message (or digest) on stdin.

LOGFILE=/home/pigeon/mail/debug/getakey.log
KEYSERVER=pgp.mit.edu

TMPFILE=`mktemp -t getakey.XXXXXX` || exit 1
TMPGPG=`mktemp -t getakey.gpg.XXXXXX`
if [ $? -ne 0 ]; then
  rm -f $TMPFILE
  exit 1
fi

# Keep only the armoured signature block(s) from the message
sed -n -e '/^-----BEGIN PGP SIGNATURE-----$/,/^-----END PGP SIGNATURE-----$/p' > $TMPFILE 2>/dev/null

if [ -s $TMPFILE ]; then
  # Verify against /dev/null: the aim is only to make gpg request a missing key
  gpg --verify --keyserver $KEYSERVER $TMPFILE /dev/null > $TMPGPG 2>&1
  # Log the gpg output only when a key was requested
  grep 'requesting key' $TMPGPG > /dev/null 2>&1 && \
    (echo -n 'Key requested at '; 822-date; cat $TMPGPG) >> $LOGFILE
fi

rm -f $TMPFILE
rm -f $TMPGPG

--
Pigeon

Be kind to pigeons
Get my GPG key here: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x21C61F7F
Re: signature and missing key
On Tue, Jun 17, 2003 at 11:32:14PM +0100, Pigeon wrote:
| With a dialup, it would be rather useful to be able to do this from the MTA
| rather than the MUA.

True.

| Unfortunately /usr/share/doc/exim/spec.txt.gz contains no references
| to either gpg or pgp. Am I really out of luck for built-in
| solutions?

No, but you are out of luck (AFAIK) for ready-made solutions. What you can do is instruct exim to pass all messages through a pipe as it delivers them. In your system filter put

    unseen pipe /usr/local/bin/gpg-key-retrieve

(read the exim manual for setting up a system filter; it really is quite trivial)

Then create the program gpg-key-retrieve. It needs to parse enough of the message to determine the key's id and then merely run the gpg command to retrieve it.

-D

--
Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge Him, and He will make your paths straight.
Proverbs 3:5-6

http://dman.ddts.net/~dman/
signature and missing key
Hello,

when reading some emails with Balsa, I get the following message:

The signature could not be verified due to a missing key

what does it mean and how can I fix it?

TIA!

Marcelo

--
Marcelo Chiapparini
DFT-IF/UERJ
[EMAIL PROTECTED]

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: signature and missing key
Hi!

On Tue, Jun 17, 2003 at 09:57:22AM -0300, Marcelo Chiapparini wrote:
> Hello,
>
> when reading some emails with Balsa, I get the following message:
>
> The signature could not be verified due to a missing key

You need to import the public key from the respective user. The Linux Kernel Archives key can be imported with gnupg with the following command, for example:

gpg --keyserver wwwkeys.pgp.net --recv-keys 0x517D0F0E

Usually the poster gives some information at the end of his mail about where his public key can be obtained etc., so that you can import it and verify that he indeed is the culprit.

HTH

Eamon Roque.
Re: signature and missing key
Hi!

thank you for the answer! Do I need to import the public key for *each* user? I am asking because many users of this list use this type of signature! Or does importing the Linux Kernel Archives key do the task for all users?

Thanks again

Marcelo

On 17.06.03 10:48, [EMAIL PROTECTED] wrote:
> Hi!
>
> On Tue, Jun 17, 2003 at 09:57:22AM -0300, Marcelo Chiapparini wrote:
> > Hello,
> >
> > when reading some emails with Balsa, I get the following message:
> >
> > The signature could not be verified due to a missing key
>
> You need to import the public key from the respective user. The Linux
> Kernel Archives key can be imported with gnupg with the following
> command, for example:
>
> gpg --keyserver wwwkeys.pgp.net --recv-keys 0x517D0F0E
>
> Usually the poster gives some information at the end of his mail about
> where his public key can be obtained etc., so that you can import it
> and verify that he indeed is the culprit.
>
> HTH
>
> Eamon Roque.

--
Marcelo Chiapparini
DFT-IF/UERJ
[EMAIL PROTECTED]
Re: signature and missing key
On Tue, Jun 17, 2003 at 11:09:21AM -0300, Marcelo Chiapparini wrote:
> thank you for the answer! Do I need to import the public key for
> *each* user? I am asking because many users of this list use this type
> of signature!

Yes, you do. gpg can be configured to do this automatically ('keyserver-options auto-key-retrieve' in ~/.gnupg/options, I believe), but obviously that will slow things down on the occasions where it does have to go off and get the key.

> Or does importing the Linux Kernel Archives key do the task for all users?

No, that's just one example of a key, namely the one that's used to sign releases of the Linux kernel.

Cheers,

--
Colin Watson [EMAIL PROTECTED]
Re: signature and missing key
Is there a way to get this information via http or shttp? It appears that I am behind a firewall which blocks the command listed above.

On Tue, 2003-06-17 at 06:48, [EMAIL PROTECTED] wrote:
> Hi!
>
> On Tue, Jun 17, 2003 at 09:57:22AM -0300, Marcelo Chiapparini wrote:
> > Hello,
> >
> > when reading some emails with Balsa, I get the following message:
> >
> > The signature could not be verified due to a missing key
>
> You need to import the public key from the respective user. The Linux
> Kernel Archives key can be imported with gnupg with the following
> command, for example:
>
> gpg --keyserver wwwkeys.pgp.net --recv-keys 0x517D0F0E
>
> Usually the poster gives some information at the end of his mail about
> where his public key can be obtained etc., so that you can import it
> and verify that he indeed is the culprit.
>
> HTH
>
> Eamon Roque.
Re: signature and missing key
On Tue, Jun 17, 2003 at 03:51:53PM +0100, Colin Watson wrote:
> On Tue, Jun 17, 2003 at 11:09:21AM -0300, Marcelo Chiapparini wrote:
> > thank you for the answer! Do I need to import the public key for
> > *each* user? I am asking because many users of this list use this type
> > of signature!
>
> Yes, you do. gpg can be configured to do this automatically
> ('keyserver-options auto-key-retrieve' in ~/.gnupg/options, I believe),
> but obviously that will slow things down on the occasions where it does
> have to go off and get the key.

With a dialup, it would be rather useful to be able to do this from the MTA rather than the MUA. Unfortunately /usr/share/doc/exim/spec.txt.gz contains no references to either gpg or pgp. Am I really out of luck for built-in solutions?

--
Pigeon

Be kind to pigeons
Get my GPG key here: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x21C61F7F