Re: Key Transition Letter 2009-05-21
Dear Members

What are the algos that are compromised? or NOT to be used?

If this is too long a list
What are the Algos that are _to_be_ /or/ _could_be_ used /or/ _not_yet_compromised_

I understand that choosing the key size and algo is something personal and others can't decide, but I'm trying to know the choice

regards
maniams
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Checking for interactive shell sessions [Was: Re: Can't enter passphrase in su session.]
On Thu, May 21, 2009 at 01:19:44PM -0400, Steven W. Orr wrote:
[snip]
> The proper way to deal with this is to:
>
> * Source in your .bashrc from your .bash_profile
> * Set all of your environment variables in your .bash_profile
> * Check in your .bashrc to see if PS1 is set. If not then you are not in
> an interactive session and you need to set critical environment variables.

Just BTW, a *much* more reliable way to check for an interactive session, which will not fail in many common cases (PS1 set in system-wide config files, PS1 also set in .bashrc, PS1 set in the environment of the calling shell, etc.), is the following:

    # First, set up all variables for both interactive and non-interactive
    # sessions.

    # Then, do this:
    case "$-" in
        *i*)
            echo 'Setting up interactive shell params..'
            stty erase ^H
            ;;

        *)
            # Non-interactive session, better don't output anything
            something_or_other=foo
            ;;
    esac

Of course, substitute your own commands for the "stty" and the assignment :)

Bear in mind that this only applies to Bourne-style shells; for tcsh, you might need to resort to testing for ($?prompt), indeed.

G'luck,
Peter

--
Peter Pentchev  r...@ringlet.net  r...@space.bg  r...@freebsd.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
What would this sentence be like if pi were 3?
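The difference between the two checks, as an added example that is not part of the original thread: a constructed startup file assigns PS1 unconditionally (one of the failure cases listed in the message above), after which the PS1 test reports an interactive session while the "$-" test does not. All function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. All function names are hypothetical.

# PS1 heuristic from the quoted advice: a prompt string is set, so the
# session is assumed to be interactive.
kind_by_ps1() {
    if [ -n "${PS1-}" ]; then
        echo interactive
    else
        echo non-interactive
    fi
}

# Check from the reply: the shell puts "i" into its own option flags only
# when it is interactive, so a variable inherited from the environment or
# assigned by a startup file cannot change the answer.
# An optional $1 replaces "$-" so the classification can be tested.
kind_by_flags() {
    if [ "$#" -gt 0 ]; then flags=$1; else flags=$-; fi
    case "$flags" in
        *i*) echo interactive ;;
        *)   echo non-interactive ;;
    esac
}

# Constructed stand-in for a system-wide or per-user startup file that
# assigns PS1 without testing anything first.
constructed_profile() {
    PS1='\u@\h:\w\$ '
}

# Startup fragment laid out as the reply suggests: shared variables first,
# then output (and terminal setup) only on the interactive branch.
startup_fragment() {
    PATH=${PATH:-/usr/bin:/bin}
    export PATH
    case "$-" in
        *i*)
            echo 'Setting up interactive shell params..'
            ;;
        *)
            : # non-interactive session: stay silent
            ;;
    esac
}

# Print "<PS1 verdict> <flags verdict>" as seen after the profile has run.
# The subshell keeps the constructed PS1 out of the caller's environment.
verdicts_after_profile() {
    (
        constructed_profile
        echo "$(kind_by_ps1) $(kind_by_flags)"
    )
}

# Run as a script (that is, non-interactively) this prints:
#   PS1 check: interactive / $- check: non-interactive
set -- $(verdicts_after_profile)
echo "PS1 check: $1 / \$- check: $2"
```

The silent non-interactive branch matters for anything that reads the session's output as data, which is why the fragment prints only under `*i*`.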
B A = BA
I have been creating key-pairs for me and helping other people. Since I am not a cryptographer I always use GPG default options and suggestions (command line).

After all this new stuff (creating sha-1 collisions, md-5 ? or so) should I change the procedures I used to use?

Should I revoke (and help others to revoke) their keys - some keys have yet 5 years or so "to live"?

For a new key, continue to use default options?

Thanks
José Simões
Re: Key Transition Letter 2009-05-21
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Allen Schultz wrote:
> For the reason of SHA1 issues in the news, I've recently set up
> a new OpenPGP key, and
> will be transitioning away from my old one.
...
> To fetch my new key from a public key server, you can simply do:
>
> gpg --keyserver pgp.mit.edu --recv-key DAD4736B

Don't use that keyserver, it can damage your key. Try pool.sks-keyservers.net

Probably most people won't sign your new key, unless they have signed your old key. WoT usually requires people exchanging keys face-to-face or relying on other signatures to know the key belongs to the right person...

Best Regards
Re: Can't enter passphrase in su session.
2009/5/21 Steven W. Orr:
>
> This topic is getting far more complicated than you might expect.

I'm familiar with the differences between bash_profile and bashrc and when they are or are not read. Or at least I believe I am.

> If you use su then you do not go through the .bash_profile unless you use
> the - option. i.e., "su - bob" will go through bob's .bash_profile but
>
> "su bob" will only go through the .bashrc .

I'm using 'su -'

As I said:

- There is nothing, nothing, in /etc/bash* or /etc/profile*, or the equivalents in bob's home directory, that has anything to do with setting up environment variables for gpg. Bob doesn't even have a .bash_profile.

- When I log in via ssh there is no GPG_AGENT_INFO variable set.

- When I log in via ssh and sign the file I am prompted to enter the passphrase. There's no GPG_AGENT_INFO variable set, yet I'm still prompted to enter the passphrase.

- The output of env in both sessions is almost identical, saving those differences I previously mentioned which I don't see have anything to do with gpg.

- Even if I manually invoke gpg-agent as a daemon and set the GPG_AGENT_INFO variable in the 'su -' session, I am still not prompted to enter the passphrase.

Perhaps I'm missing something and need it spelling out to me, but given the above, I really don't see how the problem of not being prompted to enter the passphrase whilst logged in under 'su -' can be related to a problem with the parsing, or lack of, of bash config files.

thanks,
mike
Re: laying groundwork for an eventual migration away from SHA1 with gpg
(also cc'd to GnuPG-Users. This thread seems like it's more appropriate there; let's continue it there if possible.)

John W. Moore III wrote:
> Presumably this tactic would also be effective by visiting a State
> Website.

I chose the example I did because I couldn't find information on Arkansas driver's license security features in a five minute web search. Other states may be different, I don't know.

> Still, BoF Parties can be a helluva lot of fun. :)

Yeah, that's why I show up to the keysigning BoFs at conventions. :)
Re: Key Transition Letter 2009-05-21
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Allen Schultz wrote:
> Thank you for the information. I will clearsign this using the
> new key only.

> Let me know if this signature does not work either.

OpenPGP Security Info

UNTRUSTED Good signature from Allen Schultz (aldaek)
Key ID: 0xF55651E0 / Signed on: 5/21/2009 12:47 PM
Key fingerprint: 16AD EFE1 D68F C8A8 B086 68CD 1A35 85C7 DAD4 736B

Works much better with just a single Signature. :-D

JOHN 8-)
Timestamp: Thursday 21 May 2009, 14:17 --400 (Eastern Daylight Time)
Re: Key Transition Letter 2009-05-21
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Thu, May 21, 2009 at 7:31 AM, Raimar Sandner wrote:
> After all the _old_ key could have been compromised, that is what I meant :)

Thank you for the information. I will clearsign this using the new key only.

EE79C636 has already been updated [and uploaded] with an expiration date. This key is outdated due to the SHA-1 break in collisions.

pub 1024D/EE79C636 2009-04-24 [expires: 2009-08-19]
    Key fingerprint = 0DC0 D8F6 A3A7 C107 59C4 1512 579A F712 EE79 C636
uid Allen Schultz
uid [jpeg image of size 6128]
sub 2048g/762B1E36 2009-04-24

As far as signing or verifying through email. The subject has already been discussed. Again, it's your choice. I may sign at a "unverified - fingerprint through unsecure medium" per the questions gpg asks. It does not validate the rest of my public ring. But that was only done with the older EE79C636 as of the signing of this email.

Let me know if this signature does not work either.

--
Allen Schultz

pub 3072R/DAD4736B 2009-05-20
    Key fingerprint = 16AD EFE1 D68F C8A8 B086 68CD 1A35 85C7 DAD4 736B
uid Allen Schultz (aldaek)
uid [jpeg image of size 6128]
sub 2048R/F55651E0 2009-05-20 [expires: 2010-05-20]
sub 2048R/5687B83E 2009-05-20 [expires: 2010-05-20]
Re: GNUPG 1.2.1 problem
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Paweł Żuk wrote:
> I can not upgrade my current version of gnupg

Can You please be more specific regarding why You cannot Upgrade GnuPG?

Since You are apparently using a Windows O/S [based upon the version of Thunderbird this message was sent with] I am wondering why You are unable to simply swap the pertinent Binary Files with ones for a newer version in Your installation. :-\

JOHN ;)
Timestamp: Thursday 21 May 2009, 13:38 --400 (Eastern Daylight Time)
Re: Can't enter passphrase in su session.
On Wednesday, May 20th 2009 at 17:36 -, quoth Chris Babcock:

=>On Wed, 20 May 2009 20:00:42 +0100
=>mike _ wrote:
=>
=>> Can anyone offer any insight in this issue?
=>
=>http://www.joshstaiger.org/archives/2005/07/bash_profile_vs.html
=>
=>In .bash_profile, you will have something *like* this:
=>if test -f $HOME/.gpg-agent-info && kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info` \
=>2>/dev/null; then
=>    GPG_AGENT_INFO=`cat $HOME/.gpg-agent-info`
=>    export GPG_AGENT_INFO
=>else
=>    eval `/usr/bin/gpg-agent --daemon`
=>    echo $GPG_AGENT_INFO >$HOME/.gpg-agent-info
=>fi
=>
=>You *may* have something like this:
=>
=>if [ -f /etc/bashrc ]; then
=>. /etc/bashrc
=>fi
=>
=>
=>The code to launch gpg-agent needs to be in .bashrc if you want it to
=>execute for su users. If your .bash_profile executes your .bashrc as
=>above then you can remove the definition from .bash_profile.

This topic is getting far more complicated than you might expect.

Setting environment variables needs to be done from your .bash_profile . It happens once when you log in and all child processes inherit the resulting variables.

If you use su then you do not go through the .bash_profile unless you use the - option. i.e., "su - bob" will go through bob's .bash_profile but

"su bob" will only go through the .bashrc .

The same is true of ssh. If you ssh to a host to create a session then you will go through the .bash_profile but if you ssh to a host to just execute a command then you will only go through the .bashrc .

The proper way to deal with this is to:

* Source in your .bashrc from your .bash_profile
* Set all of your environment variables in your .bash_profile
* Check in your .bashrc to see if PS1 is set. If not then you are not in an interactive session and you need to set critical environment variables. Usually PATH is the only one you need to set.

    if [[ -n "${PS1}" ]]
    then
        : Do interactive stuff. Set aliases and variables, etc.
    else
        . ~/.bash_pathset
    fi

--
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net
Re: GNUPG 1.2.1 problem
On May 20, 2009, at 5:25 AM, Paweł Żuk wrote:

> I use gnupg 1.2.1 version
> For same cases during decrypting I receive:
>
> gpg: encrypted with 2048-bit RSA key, ID 453733BB, created 2006-02-13
>      "Comapny (User) "
> gpg: md_enable: algorithm 8 not available
> gpg: Signature made Tue May 19 16:10:09 2009 CEST using RSA key ID FD947F6A
> gpg: Can't check signature: unknown digest algorithm
>
> There is any possibility to skip this error.

Yes. If you use the --skip-verify option to GPG, it will do the decryption step, but not do the verification step.

Note, though, that may not be what you want if the signature over the data is important to you. In that case, you must either upgrade or ask the person sending you the message to use a digest algorithm that you can handle. You can get a list of digests that you can handle by typing "gpg --version". The "Hash" list is what you can handle.

> I can not upgrade my current version of gnupg

"Algorithm 8" is SHA-256. Those folks who want a switchover to SHA-256, pay attention :)

David
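Tying the error message to the "Hash" list, as an added example that is not part of the original thread: it pulls the digest ID out of the md_enable line quoted above, maps it to a name using the hash algorithm IDs of RFC 4880 section 9.4, and looks for that name in `gpg --version` output. Both `--version` excerpts are constructed samples and all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4), spelled the way gpg
# prints them in the "Hash:" line of `gpg --version`.
digest_name() {
    case "$1" in
        1)  echo MD5 ;;
        2)  echo SHA1 ;;
        3)  echo RIPEMD160 ;;
        8)  echo SHA256 ;;
        9)  echo SHA384 ;;
        10) echo SHA512 ;;
        11) echo SHA224 ;;
        *)  return 1 ;;
    esac
}

# Read gpg diagnostics on stdin; print each digest ID reported as missing.
unavailable_digest_ids() {
    sed -n 's/^gpg: md_enable: algorithm \([0-9][0-9]*\) not available$/\1/p' |
        sort -un
}

# Read `gpg --version` output on stdin; print the Hash list, one name per
# line. Indented continuation lines (a wrapped list) are followed.
supported_digests() {
    awk '
        function emit(s,   n, i, part) {
            n = split(s, part, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", part[i])
                if (part[i] != "") print part[i]
            }
        }
        /^Hash:/           { inlist = 1; sub(/^Hash:/, ""); emit($0); next }
        inlist && /^[ \t]/ { emit($0); next }
                           { inlist = 0 }
    '
}

# can_verify ID < version-output
# Returns 0 if the digest is listed, 1 if it is not, 2 if the ID is unknown.
can_verify() {
    wanted=$(digest_name "$1") || return 2
    supported_digests | grep -qx "$wanted"
}

# report DIAGNOSTICS VERSION_OUTPUT: one line per digest gpg complained about.
report() {
    printf '%s\n' "$1" | unavailable_digest_ids | while read -r id; do
        name=$(digest_name "$id" || echo unknown)
        if printf '%s\n' "$2" | can_verify "$id"; then
            echo "algorithm $id ($name): in Hash list"
        else
            echo "algorithm $id ($name): not in Hash list"
        fi
    done
}

# Diagnostics as quoted in the message above.
GPG_DIAGNOSTICS='gpg: md_enable: algorithm 8 not available
gpg: Can'\''t check signature: unknown digest algorithm'

# Constructed --version excerpts: one build without SHA256, one with it
# (the second wraps its Hash list onto a continuation line).
OLD_BUILD='Supported algorithms:
Cipher: 3DES, CAST5, BLOWFISH
Hash: MD5, SHA1, RIPEMD160
Compress: Uncompressed, ZIP'
NEW_BUILD='Supported algorithms:
Hash: MD5, SHA1, RIPEMD160, SHA256,
      SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB'

report "$GPG_DIAGNOSTICS" "$OLD_BUILD"
report "$GPG_DIAGNOSTICS" "$NEW_BUILD"
```

On a real system, feed `gpg --version` into `can_verify` in place of the constructed excerpts.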
Re: AW: Re: laying groundwork for an eventual migration away from SHA1 with gpg
This subject is increasingly off-topic for -devel. I've cc'd this message to -users; let's see if we can't move the thread there.

Niels Dettenbach wrote:
> Hmmm, Keysigning parties makes sense if they strictly follow serious
> procedures and requirements - but can't give a 100% security (as the
> most other identity checks too). Even a Passport could be modified or
> cheated.

With a high-quality forged passport I can not only travel -- I can also vote, run for (most) public offices, get utilities in my name, open bank accounts, and so on. Those secondary pieces of documentation won't be forgeries, they'll be real -- and once I have them, I destroy my forged passport and settle into my new assumed identity.

If the attacker is smart enough and savvy enough to get a high-quality forged passport, there's no way they'll present it for inspection to someone who's actively looking for a forged passport. They'll present their real (obtained illegally and containing incorrect information, but quite real) identity documents instead.

Further, you won't find 100% security anywhere. Pursuing it is an ephemera. You won't get there, and if you obsess over it your obsession will ultimately hurt your security.
Re: Key Transition Letter 2009-05-21
On Thursday 21 May 2009 15:15:18 Raimar Sandner wrote:
> I believe (and I think others do too) it is good praxis to not sign new keys
> even if you have signed the old one and the new key is signed by the old
> one, without personally checking with the keyholder first. After all, the
> new key could have been compromised.

After all the _old_ key could have been compromised, that is what I meant :)
Re: Key Transition Letter 2009-05-21
Hello

On Thursday 21 May 2009 11:35:44 Allen Schultz wrote:
> For the reason of SHA1 issues in the news, I've recently set up
> a new OpenPGP key, and
> will be transitioning away from my old one.

> This message is signed by
> both keys to certify the
> transition.

I have not received signatures with your mail, but Charly's reply implicates that there is a signature, though it does not validate. I have switched to a new mail system, I hope it does not strip away signatures :-/

> If you already know my old key, you can now verify that the new
> key is
> signed by the old one:
>
> gpg --check-sigs DAD4736B

I believe (and I think others do too) it is good praxis to not sign new keys even if you have signed the old one and the new key is signed by the old one, without personally checking with the keyholder first. After all, the new key could have been compromised.

> If you don't already know my old key, or you just want to be
> double
> extra paranoid, you can check the fingerprint against the one
> above:
>
> gpg --fingerprint DAD4736B

If someone does _not_ know the old key, checking the fingerprint against an untrusted source like an eMail is certainly not enough. It is crucial for the web of trust that key/UID combinations are only signed after the fingerprint has been confirmed by the keyholder in person, and the UID has been checked against an official identification.

I think the best way to have your new key integrated in the web of trust is to visit a keysigning party, or to look up key signers in your area at biglumber.com.

Raimar
Re: Question from GPG
On Wednesday 20 May 2009 19:53:47 Fayina Zaporozhets wrote:
> I did trust and signed the key before:
>
> C:\GNU\GnuPG>gpg --edit-key E3655B17
>
> gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
>
> This is free software: you are free to change and redistribute it.
>
> There is NO WARRANTY, to the extent permitted by law.
>
> pub 1024D/E3655B17 created: 2008-07-14 expires: 2018-07-12 usage: SC
>
> trust: ultimate validity: ultimate
>
> sub 2048g/5A85DEB2 created: 2008-07-14 expires: 2018-07-12 usage: E
>
> [ultimate] (1). Schneider B2B Services - UAT/Training (UAT and Training
> Key.)
Re: Key Transition Letter 2009-05-21
Allen Schultz wrote the following on 5/21/09 5:35 AM:
[...]
>
> Please let me know if there is any trouble, and sorry for the
> inconvenience.
[...]

No inconvenience.

Results of signature verification and key usage:

-BEGIN GPG OUTPUT-
gpg: Signature made Thu May 21 05:34:13 2009 EDT using RSA key ID F55651E0
gpg: BAD signature from "Allen Schultz (aldaek) "
-END GPG OUTPUT-

$ gpg --edit-key F55651E0
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub 3072R/DAD4736B created: 2009-05-20 expires: never usage: SC
    trust: unknown validity: unknown
sub 2048R/F55651E0 created: 2009-05-20 expires: 2010-05-20 usage: S
sub 2048R/5687B83E created: 2009-05-20 expires: 2010-05-20 usage: E
[ unknown] (1). Allen Schultz (aldaek)
[ unknown] (2) [jpeg image of size 6128]

Command> check
uid Allen Schultz (aldaek)
sig!3        DAD4736B 2009-05-20 [self-signature]
sig!         EE79C636 2009-05-20 Allen Schultz
uid [jpeg image of size 6128]
sig!3        DAD4736B 2009-05-20 [self-signature]

To sum up (as far as I can sum up).

1. Your message (which shows in the PGP headers both SHA1 and SHA256) shows that signature has been done using the signing subkey F55651E0 of primary key DAD4736B.

2. Signature does not verify. Your photo file can be displayed.

3. Your primary key DAD4736B has been signed using EE79C636 (as you said it would be):

$ gpg --edit-key EE79C636
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub 1024D/EE79C636 created: 2009-04-24 expires: never usage: SC
    trust: unknown validity: unknown
sub 2048g/762B1E36 created: 2009-04-24 expires: never usage: E
[ unknown] (1). Allen Schultz

Command> check
uid Allen Schultz
sig!3        EE79C636 2009-04-24 [self-signature]

4. I cannot sign your key, not because I am double extra paranoid or even simple basic paranoid (which I am), but because I don't know you, I can't ascertain that you are who you claim to be, or that the above key or keys belong to you. There are some basic rules to the Web of Trust.

Best regards,
Charly
Re: Can't enter passphrase in su session.
2009/5/20 Chris Babcock:
>
> In .bash_profile, you will have something *like* this:
> if test -f $HOME/.gpg-agent-info &&kill -0 `cut -d: -f 2
> [cut]

Nothing like that

b...@foo:~> grep -ir gpg-agent /etc/bash* 2>/dev/null
b...@foo:~> grep -ir gpg-agent /etc/profile* 2>/dev/null
b...@foo:~>

Nothing in ~/.bash* or ~/.profile* either.

2009/5/20 Steven W. Orr:
>
> If you log in via X

I don't. Never have. The machine doesn't have X installed.

Both the replies so far have made me realise that I'm guilty of neglecting to include some relevant info.

When logged in via ssh, the session in which I do get prompted to enter the passphrase, the output is as follows.

gpg: using PGP trust model
gpg: key B97DE878: accepted as trusted key

You need a passphrase to unlock the secret key for
user: "Bob"
4096-bit RSA key, ID B97DE878, created 2009-05-19

can't connect to `/home/bob/.gnupg/S.gpg-agent': No such file or directory
gpg: no running gpg-agent - starting one

[I am prompted to enter my passphrase via some sort of ncurses interface. From output of strace it appears to be /usr/bin/pinentry-curses]

File `/home/bob/rpmbuild/RPMS//repodata/repomd.xml.asc' exists. Overwrite? (y/N) y
gpg: writing to `/home/bob/rpmbuild/RPMS//repodata/repomd.xml.asc'
gpg: RSA/SHA1 signature from: "B97DE878 Bob"

The "can't connect to `/home/bob/.gnupg/S.gpg-agent': No such file or directory" message appears in both sessions. Hence the appearance of this message does not appear to be related to my not being prompted to enter the passphrase.

Also GPG_AGENT_INFO is not set in either the ssh or su sessions. Hence it being set up properly or otherwise does not appear to be relevant to my not being prompted to enter the passphrase in a su session.

Further investigation today reveals:

If I dump the output of env in the ssh session and in the su session to files and then run diff I get

b...@foo:~> diff /tmp/env_ssh /tmp/env_su
8d7
< TERM=xterm
9a9
> TERM=xterm
12d11
< SSH_CLIENT=XXX.XXX.XXX.XXX 56278 22
15d13
< SSH_TTY=/dev/pts/0
26c24
< MAIL=/var/mail/bob
---
> MAIL=/var/spool/mail/bob
29d26
< SSH_SENDS_LOCALE=yes
47d43
< SSH_CONNECTION=XXX.XXX.XXX.XXX 56278 YYY.YYY.YYY.YYY 22

SSH_TTY is set in the ssh session but not the su session. Setting it in the su session to the value it's set for by the user that ran su doesn't help. (I.e. if I log in via ssh then check the value of SSH_TTY, su to bob then set SSH_TTY to that value.)

When bob logs in, via ssh or via su, no gpg-agent process is started.

Under both sessions, after the attempt is made to sign a file, no gpg-agent process is running. So when gpg says "gpg: no running gpg-agent - starting one" presumably it starts one then kills it again after the passphrase entry.

Under the su session, if I start a gpg-agent process manually I get this:

b...@foo:~> eval $(gpg-agent --daemon)
b...@foo:~> ps aux | grep gpg
bob 356 0.0 0.0 4016 480 ? Ss 11:14 0:00 gpg-agent --daemon
bob 358 0.0 0.0 3232 728 pts/0 S+ 11:14 0:00 grep gpg
b...@foo:~> echo $GPG_AGENT_INFO
/tmp/gpg-K81hbj/S.gpg-agent:356:1
b...@foo:~> gpg -a --detach-sign ~/rpmbuild/RPMS/repodata/repomd.xml

You need a passphrase to unlock the secret key for
user: "Bob"
4096-bit RSA key, ID B97DE878, created 2009-05-19

gpg: cancelled by user
gpg: no default secret key: General error
gpg: signing failed: General error

Again I'm not prompted to enter the passphrase.

So maybe the problem is that under su, gpg-agent fails to launch /usr/bin/pinentry (which in turn decides whether to launch pinentry-curses, or a QT or GTK equivalent). If I run gpg under strace and look through the output there is no mention of /usr/bin/pinentry being called, but there is in the ssh session.

Why no attempt is made to launch /usr/bin/pinentry though I have not been able to determine.

thanks,
mike
Question from GPG
Good afternoon,

I have one problem encrypting the file using gnupg. When I run:

cmd/c c:\gnu\GnuPG\gpg --homedir C:\GNU\GnuPG\pubrings\ --yes -e -r "E3655B17" Medgate_LeaveOgAbsenceStatus_2009-05-20.csv 2>errors.txt

I'm getting the question:

pub 2048g/5A85DEB2 2008-07-14 Schneider B2B Services - UAT/Training (UAT and Training Key.)
 Primary key fingerprint: C2C0 304A E23A D0F5 2911 AE4F 0EBD 3829 E365 5B17
      Subkey fingerprint: 40F1 EC5E 7BD0 B69B F0A2 96DC 4CF4 BFE6 5A85 DEB2

It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N)

I did trust and signed the key before:

C:\GNU\GnuPG>gpg --edit-key E3655B17
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub 1024D/E3655B17 created: 2008-07-14 expires: 2018-07-12 usage: SC
    trust: ultimate validity: ultimate
sub 2048g/5A85DEB2 created: 2008-07-14 expires: 2018-07-12 usage: E
[ultimate] (1). Schneider B2B Services - UAT/Training (UAT and Training Key.)

C:\GNU\GnuPG>gpg --sign-key E3655B17

pub 1024D/E3655B17 created: 2008-07-14 expires: 2018-07-12 usage: SC
    trust: ultimate validity: ultimate
sub 2048g/5A85DEB2 created: 2008-07-14 expires: 2018-07-12 usage: E
[ultimate] (1). Schneider B2B Services - UAT/Training (UAT and Training Key.)

"Schneider B2B Services - UAT/Training (UAT and Training Key.) " was already signed by key 0CA9461C
Nothing to sign with key 0CA9461C

Key not changed so no update needed.

What could be a problem? Doing a Google search didn't really shed any new light on this either. I need to schedule automatic process and this confirmation question does not let me do it.

I'll appreciate any advice.

Thanks,
Fayina
Re: Changing usage of master key
On Monday 18 May 2009 16:35:29 Christoph Anton Mitterer wrote:
> In principle it is possible by issuing new self-sigs, but gnupg
> doesn't support this AFAIK.

Does there exist another program to do this (I won't tell anyone ;) )? The PGP Desktop applications doesn't seem to be able to do anything advanced.

I will look at the gnupg source code to try to find the correct section to manipulate the usage. But the info that it can be handled by a new self signature helps a lot. Now I know that it doesn't get ignored by the information stored on the key server. Thanks

Regards,
Resul Cetin
Re: Changing usage of master key
On Monday 18 May 2009 16:46:02 Resul Cetin wrote:
> On Monday 18 May 2009 16:35:29 Christoph Anton Mitterer wrote:
> > In principle it is possible by issuing new self-sigs, but gnupg
> > doesn't support this AFAIK.
>
> I will look at the gnupg source code to try to find the correct section to
> manipulate the usage. But the info that it can be handled by a new self
> signature helps a lot. Now I know that it doesn't get ignored by the
> information stored on the key server. Thanks

Ok, it was quite easy to do (not clean, but it could be done in a fast and hackish way). Just searched for gnupg-1.4.9/g10/getkey.c:parse_key_usage and changed p to non-const and always set "(*p) &=~2;". Afterwards I started my new compiled hackish-gpg --edit-key and set the expire of my master key. After this procedure I had only the Cert flag set.

Thanks Christoph - you are my personal hero of the day :)

Regards,
Resul Cetin
Re: Changing usage of master key
On Friday 15 May 2009 12:30:27 Resul Cetin wrote:
> Is there now a good way to move a subkey between two keys? The method
> described at http://atom.smasher.org/gpg/gpg-migrate.txt don't work because
> in the step "resign using the expire trick" doesn't work. I cannot see a
> usage behind the short output of the `key` command in --edit-key and when I
> try to save it after the resign, gpg will end with 2 as return code (I
> would assume that the key and its subkey wasn't saved). A export and
> reimport afterwards removes the "moved" key.

Just removed the do_check for sig->sig_class == 0x18 in sig-check.c:check_key_signature2 and it worked. Please never ever do that at home.

Best regards,
Resul Cetin
GNUPG 1.2.1 problem
I use gnupg 1.2.1 version
For same cases during decrypting I receive:

gpg: encrypted with 2048-bit RSA key, ID 453733BB, created 2006-02-13
     "Comapny (User) "
gpg: md_enable: algorithm 8 not available
gpg: Signature made Tue May 19 16:10:09 2009 CEST using RSA key ID FD947F6A
gpg: Can't check signature: unknown digest algorithm

There is any possibility to skip this error.
I can not upgrade my current version of gnupg

Regards,
Paweł
Key Transition Letter 2009-05-21
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256,SHA1

For the reason of SHA1 issues in the news, I've recently set up a new OpenPGP key, and will be transitioning away from my old one.

The old key will continue to be valid for some time, but I prefer all future correspondence to come to the new one. I would also like this new key to be re-integrated into the web of trust. This message is signed by both keys to certify the transition.

the old key was:

pub 1024D/EE79C636 2009-04-24
    Key fingerprint = 0DC0 D8F6 A3A7 C107 59C4 1512 579A F712 EE79 C636
uid Allen Schultz
uid [jpeg image of size 6128]
sub 2048g/762B1E36 2009-04-24

And the new key is:

pub 3072R/DAD4736B 2009-05-20
    Key fingerprint = 16AD EFE1 D68F C8A8 B086 68CD 1A35 85C7 DAD4 736B
uid Allen Schultz (aldaek)
sub 2048R/F55651E0 2009-05-20 [expires: 2010-05-20]
sub 2048R/5687B83E 2009-05-20 [expires: 2010-05-20]

To fetch my new key from a public key server, you can simply do:

  gpg --keyserver pgp.mit.edu --recv-key DAD4736B

If you already know my old key, you can now verify that the new key is signed by the old one:

  gpg --check-sigs DAD4736B

If you don't already know my old key, or you just want to be double extra paranoid, you can check the fingerprint against the one above:

  gpg --fingerprint DAD4736B

If you are satisfied that you've got the right key, and the UIDs match what you expect, I'd appreciate it if you would sign my key:

  gpg --sign-key DAD4736B

Lastly, if you could upload these signatures, I would appreciate it. You can either send me an e-mail with the new signatures (if you have a functional MTA on your system):

  gpg --armor --export DAD4736B | mail -s 'OpenPGP Signatures' allen.schu...@gmail.com

Or you can just upload the signatures to a public keyserver directly:

  gpg --keyserver pgp.mit.edu --send-key DAD4736B

Please let me know if there is any trouble, and sorry for the inconvenience.

Regards,
--ads

PS: Transition Letter idea copied from dkg (http://fifthhorseman.net/key-transition-2007-06-15.txt).

--
Allen Schultz