Re: Protecting signing key]
loop-aes is not in the vanilla kernel sources. dm-crypt and cryptoloop are. cryptoloop is depreciated, use dm-crypt instead. dm-crypt'd main advantage is that it's already in the kernel, whereas loop-aes is a add-on. Look at the different modes of encryption supported and make a decision from there. I use dm-crypt for what its worth, though I wouldn't have any problems with using loop-aes instead. On 8/3/05, Kara <[EMAIL PROTECTED]> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > > > Reference: > > Subject: Re: Protecting signing key > Date: Tue, 02 Aug 2005 23:23:59 + > From: cdr <[EMAIL PROTECTED]> > To: gnupg-users@gnupg.org > > > One solution (free, with full source) can be found here: > > http://www.truecrypt.org/ > > What would be an equally good equivalent > for those of us using a Linux distro? > > - -- > > Ciao > > Kara > > "As long as algebra is taught in school, there > will be prayer in school." - Cokie Roberts > > > . > -BEGIN PGP SIGNATURE- > Version: GnuPG v1.4.2rc2 (GNU/Linux) > Comment: Using Fedora and Enigmail > Comment: OpenPGP keyID and URL in Message Headers > > iD8DBQFC8CZW15k+1L3RO5ARArR5AKDD5Nsh8GbxH2MSYY3m4ntizuXgWQCgtOUg > Y0woRWQlkN+fO9EIbOda5JI= > =/tfT > -END PGP SIGNATURE- > > ___ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
RE: Where's my private key?
You wrote: >Date: Mon, 01 Aug 2005 09:56:44 -0300 >From: Eduardo <[EMAIL PROTECTED]> >Subject: Where's my private key? >To: gnupg-users@gnupg.org >Message-ID: <[EMAIL PROTECTED]> >Content-Type: text/plain; charset=ISO-8859-1 > >Hi folks. >Yesterday I needed to crypt one config file on my Linux box and was >wondering where is my private key, cause I have the private key in my >desktop (in my company) and I need to open a crypted file in my house. >How can I 'take' my private key from company to work? > >Regards On the machine where you HAVE your keys: cd tar -czf gpg.tgz ./.gnupg copy the gpg.tgz on to some removable storage medium. It will easily fit on a floppy. If you don't have keys yet at home, on that machine (you suggested you have Linux both at home and work but I don't know for sure) then all you have to do is copy the the file to your home directory and type: cd tar -xzf gpg.tgz On the other hand, if you already have your own key ring at home you will need to import the keys. There are the following three files in the .gnupg folder: pubring.gpg # stores the public keys secring.gpg # has your secret keys trustdb.gpg # the levels of trust for signed keys You should just be able export both your public and secret keys at work, and then import them at home if you already have an existing set of keys there using: gpg --export > all.gpg where the keys are, copy the all.gpg file to a floppy and take it home and type gpg --import all.gpg That will get you ALL of the keys, both public and secret. You will of course have to give YOUR imported secret key the highest level of trust when signing it because after all, it is YOUR key. Never fear, I do this all of the time, but normally just copying the keys (I also copy but old public pubring.gpg~ and the random_seed file as well) from one Linux box which is authoratative to multiple boxes running Windows, Linux, and the BSDs. If one of the machines is running Windows (you said Linux at home), please let me know and I will tell you how to do it there. Just remember that if you do NOT have any keys yet on the one machine, you are better off just copying the entire .gnupg (on Windows it is in aother folder in your Documents and Settings area) contents to the other machine. If you already have keyrings on both machines, then export from one and import on the other one. HHH PS Please reply to the Cc: address, not this one. -- Key Name: "Henry Hertz Hobbit" <[EMAIL PROTECTED]> pub 1024D/E1FA6C62 2005-04-11 [expires: 2006-04-11] Key fingerprint = ACA0 B65B E20A 552E DFE2 EE1D 75B9 D818 E1FA 6C62 __ Switch to Netscape Internet Service. As low as $9.95 a month -- Sign up today at http://isp.netscape.com/register Netscape. Just the Net You Need. New! Netscape Toolbar for Internet Explorer Search from anywhere on the Web and block those annoying pop-ups. Download now at http://channels.netscape.com/ns/search/install.jsp ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Protecting signing key
On Tue, Aug 02, 2005 at 05:48:39PM -0500, Ryan Malayter wrote: [snip] > That said, everything I've read indicates that the encrypting file > system (EFS) in Windows 2000+ is reasonably well implemented. However, > the user's password is still the weak link, as it is used to protect > the private key that EFS needs for decryption. > > Because you can get the hash of this password from the disk in some > way (you always have to be able to, otherwise you could not > authenticate), the password is the weak link. I can't speak about EFS, since I'm not familiar with it at all, but that statement does not have to be necessarily true. You *can* get by without storing even a hash of the password on the disk, and it's actually pretty easy - just encrypt a known-plaintext magic sequence of bytes using a key derived from the password and store the encrypted result. There is also the possibility of generating a random magic sequence and storing that on the disk in plaintext, too, thus "salting" the authentication in a different way every time. Okay, so, come to think of it, this could be called hashing in a way, and it is still vulnerable to dictionary attacks on the password. G'luck, Peter -- Peter Pentchev [EMAIL PROTECTED][EMAIL PROTECTED][EMAIL PROTECTED] PGP key:http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 "yields falsehood, when appended to its quotation." yields falsehood, when appended to its quotation. pgpxDY34W1b7K.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Problem with gcry_pk_decrypt (libgcrypt)
Hi @ll. I like to encrypt and decrypt large files e.g. pdf files. I wrote some code based on libgcrypt. I tested it with .txt files. Encryption seems to work, but gcry_pk_decrypt works only, if there's a single line in the txt file. If the txt file contains more than one line of text, the result is wrong. But no error occurs. /** Start encryption */ //read data block InputFile.seekg (0, ios::end); int FileSize = InputFile.tellg(); InputFile.seekg (0, ios::beg); char* Buffer; Buffer = new char[FileSize]; InputFile.read(Buffer,FileSize); //build S-Expression char fmt[] = "(data (flags raw) (value %s))"; char* strSExp = (char *) malloc(strlen(Buffer)+strlen(fmt)); sprintf(strSExp, fmt, (va_list) Buffer); rc = gcry_sexp_build(&sexp, NULL, fmt, strSExp); // Encrypt plaintext rc = gcry_pk_encrypt(&result, sexp, pKey); // Write it to file size_t retSize = gcry_sexp_sprint(result, GCRYSEXP_FMT_ADVANCED, NULL, 0); strSExp = (char *) realloc(strSExp, retSize); retSize = gcry_sexp_sprint(result, GCRYSEXP_FMT_ADVANCED, strSExp, retSize); fwrite( &retSize, 1 , sizeof(retSize) , OutputFile ); fwrite( strSExp , 1 , retSize , OutputFile ); ... /** End encryption */ /** Start decryption */ ... //read size fread(&retSize, 1, sizeof(retSize), InputFile); //read encrypted text Buffer = (char *) malloc(retSize); fread(Buffer, 1, retSize, InputFile); rc = gcry_sexp_new(&sexp, Buffer, 0, 1); //decrypt rc = gcry_pk_decrypt(&result, sexp, sKey); /** End decryption */ After that rc is 0 and result is like that #070E7FE38DC4C2B8657B0329511023D56CA5F895AAF74F4CD764FC5D8093E314C7A09AF009A3BE013AD16C7E891375B0FAC 9AE7E9A7F8E0019023BC225526424# Any help would be appreciated. Yours Claudia ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
GnuPG ftp server
Is ths FTP server having problems? I can connect to it, but can't log in. -- wget ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.2.tar.bz2 --15:57:40-- ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.2.tar.bz2 => `gnupg-1.4.2.tar.bz2' Resolving ftp.gnupg.org... 217.69.76.44 Connecting to ftp.gnupg.org[217.69.76.44]:21... connected. Logging in as anonymous ... Start your day with Yahoo! - make it your home page http://www.yahoo.com/r/hs ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Problem with gcry_pk_decrypt (libgcrypt)
On Wed, 03 Aug 2005 14:33:57 +0200, Claudia Reuter said: > I like to encrypt and decrypt large files e.g. pdf files. I wrote some > code based on libgcrypt. I tested it with .txt files. Encryption seems > to work, but gcry_pk_decrypt works only, if there's a single line in the > txt file. If the txt file contains more than one line of text, the Libgcrypt is a library of cryptographic building blocks. At least a medium level of cryptographic experience is required to make use of it. The usual way to encrypt large files is by using an hybrid approach. It is simple impossible to use RSA to encrypt large blocks of data in a secure and useful way. You should better look into gpg or gpgme for your task. Salam-Shalom, Werner ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GnuPG ftp server
On Wed, 3 Aug 2005 06:57:11 -0700 (PDT), S K said: > Is ths FTP server having problems? I can connect to > it, but can't log in. Sorry. Restarted. oftpd is still leaking file descriptors. Salam-Shalom, Werner ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: throughput of GnuPG symmetric ciphers
On 8/3/05, Henry Hertz Hobbit <[EMAIL PROTECTED]> wrote: > Given the size of the files that you are encrypting, I would strongly > advise going with the Eden chip rather than a software based solution... I actually found an open-source tool, 7-zip, that includes AES-256 encryption functionality. For whatever reason, it runs several times faster than GnuPG in software. Fast enough, in fact, that the removable hard disk devices have become the limiting factor in the system (the 7-zip process only uses 70% CPU on a 2.4 GHz P4). The code is open-source, and it uses a salted + iterated SHA256 hash to produce the AES key from a pass phrase. The AES implementation is Gladman's well-known and fast C++ code. Looking at the source, I haven't figured out whether it uses ECB or CFB mode yet; the 7-zip code is rather light on comments. I am assuming ECB, which should be fine for my application. See http://www.7-zip.org for more details. Thanks for all the help. -- Ryan = All problems can be solved by diplomacy, but violence and treachery are equally effective, and more fun. -Anonymous ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Primary certify-only key?
Is there a way to generate the following key collection with GnuPG? pub 4096R usage: C sub 4096R usage: S The problem is that I cant create the first key with only "C" the capability. Using the --expert option and disabling "E", "S" and "A" results in "CSEA". Thomas ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Announce] GnuPG 1.4.2 released
On Sat, Jul 30, 2005 at 09:28:28PM -0400, David Shaw wrote: > On Sat, Jul 30, 2005 at 02:20:35PM -0400, Jason Harris wrote: > Thought you'd get a kick out of that... :) > Note that in the next release of GnuPG, --with-libcurl will be the > default. (So the more people who try it now, and report back any > problems, the better). Here's one, on a box with IPv6 support but not connectivity: %gpg --keyserver keyserver.linux.it --send 0xd39da0e3 gpg: sending key D39DA0E3 to hkp server keyserver.linux.it gpgkeys: HTTP URL is `http://keyserver.linux.it:11371/pks/add' gpgkeys: HTTP post error 22: Failed to connect to 2001:1418:13:10::1: No route to host -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? [EMAIL PROTECTED] _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 pgpA3mJ0cewM6.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: IPv6 failover?
On Wed, Aug 03, 2005 at 02:32:16PM -0400, Jason Harris wrote: > On Sat, Jul 30, 2005 at 09:28:28PM -0400, David Shaw wrote: > > On Sat, Jul 30, 2005 at 02:20:35PM -0400, Jason Harris wrote: > > > Thought you'd get a kick out of that... > > :) > > > Note that in the next release of GnuPG, --with-libcurl will be the > > default. (So the more people who try it now, and report back any > > problems, the better). > > Here's one, on a box with IPv6 support but not connectivity: > > %gpg --keyserver keyserver.linux.it --send 0xd39da0e3 > gpg: sending key D39DA0E3 to hkp server keyserver.linux.it > gpgkeys: HTTP URL is `http://keyserver.linux.it:11371/pks/add' > gpgkeys: HTTP post error 22: Failed to connect to 2001:1418:13:10::1: No > route to host The complaint is that keyserver.linux.it has both IPv4 and IPv6 addresses, but you can't reach it via IPv6, so you want gpgkeys to fail over to its IPv4 address? David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Primary certify-only key?
On Wed, Aug 03, 2005 at 07:26:38PM +0200, Thomas Kuehne wrote:
> Is there a way to generate the following key collection with GnuPG?
>
> pub 4096R usage: C
> sub 4096R usage: S
>
> The problem is that I cant create the first key with only "C" the
> capability.
>
> Using the --expert option and disabling "E", "S" and "A" results in "CSEA".
Try the attached patch (to 1.4.2).
David
Index: keyid.c
===
--- keyid.c (revision 3847)
+++ keyid.c (working copy)
@@ -547,10 +547,13 @@
if ( use & PUBKEY_USAGE_SIG )
{
if (pk->is_primary)
-buffer[i++] = 'C';
+use|=PUBKEY_USAGE_CERT;
buffer[i++] = 'S';
}
+ if ( use & PUBKEY_USAGE_CERT )
+buffer[i++] = 'C';
+
if ( use & PUBKEY_USAGE_ENC )
buffer[i++] = 'E';
Index: keygen.c
===
--- keygen.c(revision 3847)
+++ keygen.c(working copy)
@@ -190,9 +190,6 @@
{
byte buf[1];
-if (!use)
-return;
-
buf[0] = 0;
/* The spec says that all primary keys MUST be able to certify. */
@@ -205,6 +202,10 @@
buf[0] |= 0x04 | 0x08;
if (use & PUBKEY_USAGE_AUTH)
buf[0] |= 0x20;
+
+if (!buf[0])
+return;
+
build_sig_subpkt (sig, SIGSUBPKT_KEY_FLAGS, buf, 1);
}
@@ -1238,6 +1239,9 @@
if(flags&PUBKEY_USAGE_SIG)
tty_printf("%s ",_("Sign"));
+ if(flags&PUBKEY_USAGE_CERT)
+tty_printf("%s ",_("Certify"));
+
if(flags&PUBKEY_USAGE_ENC)
tty_printf("%s ",_("Encrypt"));
@@ -1248,7 +1252,7 @@
/* Returns the key flags */
static unsigned int
-ask_key_flags(int algo)
+ask_key_flags(int algo,int subkey)
{
const char *togglers=_("SsEeAaQq");
char *answer=NULL;
@@ -1258,6 +1262,10 @@
if(strlen(togglers)!=8)
BUG();
+ /* Only primary keys may certify. */
+ if(subkey)
+possible&=~PUBKEY_USAGE_CERT;
+
/* Preload the current set with the possible set, minus
authentication, since nobody really uses auth yet. */
current=possible&~PUBKEY_USAGE_AUTH;
@@ -1291,7 +1299,7 @@
cpr_kill_prompt();
if(strlen(answer)>1)
- continue;
+ tty_printf(_("Invalid selection.\n"));
else if(*answer=='\0' || *answer==togglers[6] || *answer==togglers[7])
break;
else if((*answer==togglers[0] || *answer==togglers[1])
@@ -1318,6 +1326,8 @@
else
current|=PUBKEY_USAGE_AUTH;
}
+ else
+ tty_printf(_("Invalid selection.\n"));
}
xfree(answer);
@@ -1362,7 +1372,7 @@
}
else if( algo == 7 && opt.expert ) {
algo = PUBKEY_ALGO_RSA;
- *r_usage=ask_key_flags(algo);
+ *r_usage=ask_key_flags(algo,addmode);
break;
}
else if( algo == 6 && addmode ) {
@@ -1382,7 +1392,7 @@
}
else if( algo == 3 && opt.expert ) {
algo = PUBKEY_ALGO_DSA;
- *r_usage=ask_key_flags(algo);
+ *r_usage=ask_key_flags(algo,addmode);
break;
}
else if( algo == 2 ) {
Index: getkey.c
===
--- getkey.c(revision 3847)
+++ getkey.c(working copy)
@@ -1291,16 +1291,24 @@
/* first octet of the keyflags */
flags=*p;
- if(flags & 3)
+ if(flags & 1)
{
+ key_usage |= PUBKEY_USAGE_CERT;
+ flags&=~1;
+ }
+
+ if(flags & 2)
+ {
key_usage |= PUBKEY_USAGE_SIG;
- flags&=~3;
+ flags&=~2;
}
- if(flags & 12)
+ /* We do not distinguish between encrypting communications and
+encrypting storage. */
+ if(flags & (0x04|0x08))
{
key_usage |= PUBKEY_USAGE_ENC;
- flags&=~12;
+ flags&=~(0x04|0x08);
}
if(flags & 0x20)
Index: misc.c
===
--- misc.c (revision 3847)
+++ misc.c (working copy)
@@ -407,19 +407,19 @@
/* they are hardwired in gpg 1.0 */
switch ( algo ) {
case PUBKEY_ALGO_RSA:
- use = PUBKEY_USAGE_SIG | PUBKEY_USAGE_ENC | PUBKEY_USAGE_AUTH;
+ use = PUBKEY_USAGE_CERT | PUBKEY_USAGE_SIG | PUBKEY_USAGE_ENC |
PUBKEY_USAGE_AUTH;
break;
case PUBKEY_ALGO_RSA_E:
use = PUBKEY_USAGE_ENC;
break;
case PUBKEY_ALGO_RSA_S:
- use = PUBKEY_USAGE_SIG;
+ use = PUBKEY_USAGE_CERT | PUBKEY_USAGE_SIG;
break;
case PUBKEY_ALGO_ELGAMAL_E:
use = PUBKEY_USAGE_ENC;
break;
case PUBKEY_ALGO_DSA:
- use = PUBKEY_USAGE_SIG | PUBKEY_USAGE_AUTH;
+ use = PUBKEY_USAGE_CERT | PUBKEY_USAGE_SIG | PUBKEY_USAGE_AUTH;
break;
default:
break;
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mai
Re: Problem with gcry_pk_decrypt (libgcrypt)
Claudia Reuter wrote: >I like to encrypt and decrypt large files e.g. pdf files. I wrote some >code based on libgcrypt. I tested it with .txt files. Encryption seems >to work, but gcry_pk_decrypt works only, if there's a single line in the >txt file. That suggests your read operations assume textmode. >fread(&retSize, 1, sizeof(retSize), InputFile); >//read encrypted text >Buffer = (char *) malloc(retSize); >fread(Buffer, 1, retSize, InputFile); Do you store the file length in the first sizeof(retSize) byte(s)? You now read sizeof(retSize) bytes of data and store them in *retSize. Now you consider retSize as a size_t and read that many bytes into Buffer. Are you sure this is what you want? -- ir. J.C.A. Wevers // Physics and science fiction site: [EMAIL PROTECTED] // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Primary certify-only key?
On Wed, 03 Aug 2005 19:26:38 +0200, Thomas Kuehne said: > The problem is that I cant create the first key with only "C" the > capability. GnuPG does not yet distinguish between C and S. So it does not make much sense to have a way of selecting this. Salam-Shalom, Werner ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Encrypting an e-mail to a Hushmail user
Hi gang, Yesterday I tried valiantly to get a Hushmail user to install GPG or PGP (6.5.8...still free and a good version) on his M$ system, but he said it was too hard to work and Hushmail was nice and easy. Anyway, after a few tries of trying to upload my public key to the Hush server, I figured out I had to upload without my picture...finally it took my key. Now that I have my friends key on my keyring and have signed it, I find I get an 'error' every time I try to encrypt a message to him. I have a feeling it's because I'm using my key and it still has the photo, but I can't figure out how to sign the e-mail to him *without* using the photo/attribute(s) in my key. Anyone care to give me a quick hand with this? It'd sure be appreciated. (Now if I can just get him to use GPG for Windows thing would be great!) John B. pgpQDeMC1Cz42.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Encrypting an e-mail to a Hushmail user
On Wed, Aug 03, 2005 at 02:28:17PM -0500, JB wrote: > > Hi gang, > > Yesterday I tried valiantly to get a Hushmail user to install GPG or PGP > (6.5.8...still free and a good version) on his M$ system, but he said it was > too hard to work and Hushmail was nice and easy. > Anyway, after a few tries of trying to upload my public key to the Hush > server, I figured out I had to upload without my picture...finally it took my > key. > Now that I have my friends key on my keyring and have signed it, I find I > get an 'error' every time I try to encrypt a message to him. I have a feeling > it's because I'm using my key and it still has the photo, but I can't figure > out how to sign the e-mail to him *without* using the photo/attribute(s) in > my key. > Anyone care to give me a quick hand with this? It'd sure be appreciated. > (Now if I can just get him to use GPG for Windows thing would be great!) I'm afraid that nobody will be able to help you unless you post something more useful than "I get an 'error'" David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Encrypting an e-mail to a Hushmail user
On Wednesday 03 August 2005 8:28 pm, JB wrote: > Hi gang, 1. Please send your key (with photo) to subkeys.pgp.net so that people on the list can verify your signatures. > Now that I have my friends key on my keyring and have signed it, I find I > get an 'error' every time I try to encrypt a message to him. 2. The exact error message is essential. 3. Check that your own key is set to ultimate trust. (gpg --edit-key and set trust/) 4. Run gpg --update-trustdb > I have a > feeling it's because I'm using my key and it still has the photo, Unlikely. Usually the error is that no trusted key can be found and this error is due to you not setting your own key as trusted. -- Neil Williams = http://www.data-freedom.org/ http://www.nosoftwarepatents.com/ http://www.linux.codehelp.co.uk/ pgplqKWcZuboZ.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Encrypting an e-mail to a Hushmail user
On Wed, 3 Aug 2005, JB wrote: > Now that I have my friends key on my keyring and have signed it, I find I > get an 'error' every time I try to encrypt a message to him. I have a feeling > it's because I'm using my key and it still has the photo, but I can't figure > out how to sign the e-mail to him *without* using the photo/attribute(s) in > my key. What's the exact error? --Len. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Leave clearsigned content encoding alone, how?
I use gnupg-1.4.1 on GNU/Linux (up-to-date Gentoo, Linux 2.6.12 on AMD64 if it matters) to sign and encrypt my mail, and everything is fine as long as I stay with strictly us-ascii. However, when I use other characters (mostly national characters covered by iso-8859-15), gnupg converts the input data to UTF-8 when signing, wreaking havoc with those characters. The fact that gnupg converts back when verifying or decrypting the data only makes matters worse since *I* am unaware of the problem that others face in reading my e-mails. My gnupg.conf explicitly states "charset iso-8859-15" so that cannot really be the problem. (It's the only charset-related setting in effect for gnupg, I have checked and triple-checked this.) My MUA, muttng, correctly identifies the input data prior to signing as iso-8859-15 and after signing as utf-8, but a lot of mailers don't seem to deal very well with UTF-8 data. Not clearsigning the message avoids this problem, but is hardly an ideal solution. PGP/MIME signing is not really an option either, considering the number of broken MUAs out there. This appears to only be a problem with clearsigned messages, not PGP/MIME messages (for some odd reason) which leads to my question: How do I get gnupg to ignore the charset of the input data and just leave it *as is* when clearsigning? The exact command lines used are (long): Clearsigning: /usr/bin/gpg --no-verbose --batch --quiet --output - --passphrase-fd 0 --armor --textmode --clearsign -u $SIGNING_KEY_ID $FILENAME PGP/MIME signing: /usr/bin/gpg --no-verbose --batch --quiet --output - --passphrase-fd 0 --armor --detach-sign --textmode -u $SIGNING_KEY_ID $FILENAME No radical differences there, the only one I can see is --clearsign and --detach-sign and the ordering of --textmode and the signing option. I looked through the archives for almost a year back and couldn't find anything of relevance, but if I missed something, please feel free to let me know. -- Michael Kjörling, [EMAIL PROTECTED] - http://michael.kjorling.com/ * ASCII Ribbon Campaign: Against HTML Mail, Proprietary Attachments * * . No bird soars too high if he soars with his own wings . * pgpBfSZjj4v1w.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Leave clearsigned content encoding alone, how?
On Wed, Aug 03, 2005 at 08:57:07PM +, Michael Kjorling wrote: > I use gnupg-1.4.1 on GNU/Linux (up-to-date Gentoo, Linux 2.6.12 on > AMD64 if it matters) to sign and encrypt my mail, and everything is > fine as long as I stay with strictly us-ascii. However, when I use > other characters (mostly national characters covered by iso-8859-15), > gnupg converts the input data to UTF-8 when signing, wreaking havoc > with those characters. The fact that gnupg converts back when > verifying or decrypting the data only makes matters worse since *I* am > unaware of the problem that others face in reading my e-mails. I believe you are having a problem somewhere, but GPG does not do any character set conversions whatsoever, in clear signing, or any signing. If something is converting, you need to check your MUA or other programs that you are using around GPG. David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: IPv6 failover?
On Wed, Aug 03, 2005 at 02:48:16PM -0400, David Shaw wrote: > On Wed, Aug 03, 2005 at 02:32:16PM -0400, Jason Harris wrote: > > Here's one, on a box with IPv6 support but not connectivity: > > > > %gpg --keyserver keyserver.linux.it --send 0xd39da0e3 > > gpg: sending key D39DA0E3 to hkp server keyserver.linux.it > > gpgkeys: HTTP URL is `http://keyserver.linux.it:11371/pks/add' > > gpgkeys: HTTP post error 22: Failed to connect to 2001:1418:13:10::1: No > > route to host > > The complaint is that keyserver.linux.it has both IPv4 and IPv6 > addresses, but you can't reach it via IPv6, so you want gpgkeys to > fail over to its IPv4 address? I imagine most people will prefer that, yes, instead of using "--keyserver 62.94.26.10" as a workaround. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? [EMAIL PROTECTED] _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 pgpnH4w1OL5bM.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: IPv6 failover?
On Wed, Aug 03, 2005 at 06:32:46PM -0400, Jason Harris wrote: > On Wed, Aug 03, 2005 at 02:48:16PM -0400, David Shaw wrote: > > On Wed, Aug 03, 2005 at 02:32:16PM -0400, Jason Harris wrote: > > > > Here's one, on a box with IPv6 support but not connectivity: > > > > > > %gpg --keyserver keyserver.linux.it --send 0xd39da0e3 > > > gpg: sending key D39DA0E3 to hkp server keyserver.linux.it > > > gpgkeys: HTTP URL is `http://keyserver.linux.it:11371/pks/add' > > > gpgkeys: HTTP post error 22: Failed to connect to 2001:1418:13:10::1: > > > No route to host > > > > The complaint is that keyserver.linux.it has both IPv4 and IPv6 > > addresses, but you can't reach it via IPv6, so you want gpgkeys to > > fail over to its IPv4 address? > > I imagine most people will prefer that, yes, instead of using > "--keyserver 62.94.26.10" as a workaround. The thing is, if you have a --with-libcurl build, this failover would need to happen within curl itself. What happens if you do: curl http://keyserver.linux.it:11371/pks/add on the command line. Obviously it won't do anything keyserver-wise, but does it manage to connect? David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: IPv6 failover?
On Wed, Aug 03, 2005 at 07:25:41PM -0400, David Shaw wrote: > The thing is, if you have a --with-libcurl build, this failover would > need to happen within curl itself. What happens if you do: > curl http://keyserver.linux.it:11371/pks/add > > on the command line. Obviously it won't do anything keyserver-wise, > but does it manage to connect? It does: %curl -v http://keyserver.linux.it:11371/pks/add * About to connect() to keyserver.linux.it port 11371 * Trying 2001:1418:13:10::1... Failed to connect to 2001:1418:13:10::1: No route to host * Undefined error: 0 * Trying 62.94.26.10... connected * Connected to keyserver.linux.it (62.94.26.10) port 11371 [snip] Looking at http://curl.haxx.se/libcurl/c/curl_easy_setopt.html , this might do the trick: curl_easy_setopt (..., CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4); if any connection, which always seems to prefer IPv6, doesn't at first succeed. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? [EMAIL PROTECTED] _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 pgpzELgIB0rTb.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: IPv6 failover?
On Wed, Aug 03, 2005 at 08:18:35PM -0400, Jason Harris wrote: > On Wed, Aug 03, 2005 at 07:25:41PM -0400, David Shaw wrote: > > > The thing is, if you have a --with-libcurl build, this failover would > > need to happen within curl itself. What happens if you do: > > curl http://keyserver.linux.it:11371/pks/add > > > > on the command line. Obviously it won't do anything keyserver-wise, > > but does it manage to connect? > > It does: > > %curl -v http://keyserver.linux.it:11371/pks/add > * About to connect() to keyserver.linux.it port 11371 > * Trying 2001:1418:13:10::1... Failed to connect to 2001:1418:13:10::1: > No route to host > * Undefined error: 0 > * Trying 62.94.26.10... connected > * Connected to keyserver.linux.it (62.94.26.10) port 11371 > [snip] > > Looking at http://curl.haxx.se/libcurl/c/curl_easy_setopt.html , > this might do the trick: > > curl_easy_setopt (..., CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4); > > if any connection, which always seems to prefer IPv6, doesn't > at first succeed. I'm not sure. CURL_IPRESOLVE_V4 is documented to force the connection to IPv4. That is, it'll ignore IPv6 addresses altogether, rather than try to connect and then fail over within curl. What happens if you add a "-4" to the command line above? That sets CURL_IPRESOLVE_V4. Also, going back to the original problem, can you send me the output when you try fetching a key with "--keyserver-options debug" set? David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
SKS v. unknown HTTP headers (was: Re: IPv6 failover?)
On Wed, Aug 03, 2005 at 08:44:18PM -0400, David Shaw wrote:
> On Wed, Aug 03, 2005 at 08:18:35PM -0400, Jason Harris wrote:
> > Looking at http://curl.haxx.se/libcurl/c/curl_easy_setopt.html ,
> > this might do the trick:
> >
> > curl_easy_setopt (..., CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
> >
> > if any connection, which always seems to prefer IPv6, doesn't
> > at first succeed.
>
> I'm not sure. CURL_IPRESOLVE_V4 is documented to force the connection
> to IPv4. That is, it'll ignore IPv6 addresses altogether, rather than
> try to connect and then fail over within curl. What happens if you
> add a "-4" to the command line above? That sets CURL_IPRESOLVE_V4.
(That works fine, of course.)
> Also, going back to the original problem, can you send me the output
> when you try fetching a key with "--keyserver-options debug" set?
OK, with --recv I see it falls back from v6 to v4, which is good, but it
fails with --send:
%gpg --keyserver-options debug --keyserver keyserver.linux.it --send ...
gpg: sending key ... to hkp server keyserver.linux.it
Host: keyserver.linux.it
Command:SEND
gpgkeys: HTTP URL is `http://keyserver.linux.it:11371/pks/add'
* About to connect() to keyserver.linux.it port 11371
* Trying 2001:1418:13:10::1... * Failed to connect to 2001:1418:13:10::1:
No route to host
* Undefined error: 0
* Trying 62.94.26.10... * connected
* Connected to keyserver.linux.it (62.94.26.10) port 11371
> POST /pks/add HTTP/1.1
Host: keyserver.linux.it:11371
Accept: */*
Content-Length: 2246
Content-Type: application/x-www-form-urlencoded
Expect: 100-continue
< HTTP/1.1 100 Continue
* The requested URL returned error: 500
* Closing connection #0
gpgkeys: HTTP post error 22: Failed to connect to 2001:1418:13:10::1: No
route to host
However, this seems to be specific to SKS. My SKS log reports:
2005-08-04 ... ... Error handling request
(POST,/pks/add,[+accept:*/*+content-length:2246+content-type:application/x-www-form-urlencoded+expect:100-continue+host:skylane.kjsl.com:21371]):
Scanf.Scan_failure("scanf: bad input at char number 8: looking for =, found %")
so the connection is being made (in this case via IPv4; skylane also has
an record). Moreover, the error messages from curl are confusing this
issue.
Thus, in reality, the "Expect: 100-continue" header appears to be confusing
SKS (during POSTs).
--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
[EMAIL PROTECTED] _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
pgp83RiibzDZH.pgp
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
