Re: Extract numbers from a key // wrong pgpdump link :-(
On 8/23/11 9:14 PM, David Tomaschik wrote:
> I don't see a windows binary, but it looks to be written in pure C with
> no external dependencies, so I would assume you could easily build it
> under Cygwin.

Cygwin isn't necessary: it compiles just fine under plain MinGW. I've got a native Win32 version I've cross-compiled from an x64 Fedora 15 box.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Extract numbers from a key // wrong pgpdump link :-(
On 08/23/2011 06:52 PM, Faramir wrote:
> On 03-08-2011 9:40, ved...@nym.hush.com wrote:
> > Sorry, wrong link extension,
> >
> > here is the correct one: http://www.pgpdump.net/
>
> By the way, what would be required to run pgpdump locally? I guess
> there is no compiled version for windows...
>
> Best Regards

I don't see a windows binary, but it looks to be written in pure C with no external dependencies, so I would assume you could easily build it under Cygwin.

David
Re: Extract numbers from a key // wrong pgpdump link :-(
On 03-08-2011 9:40, ved...@nym.hush.com wrote:
> Sorry, wrong link extension,
>
> here is the correct one: http://www.pgpdump.net/

By the way, what would be required to run pgpdump locally? I guess there is no compiled version for windows...

Best Regards
Re: OpenPGP parts and plain text in the same email
On Thursday 18 August 2011, Alex (via GPGTools) wrote:
> Hi there,
>
> On 18.08.2011, at 20:39, Ingo Klöcker wrote:
> > why should it support something strange like a
> > multipart/alternative message with a text/plain part and a
> > PGP/MIME part.
>
> isn't this what the message "This is an OpenPGP/MIME signed message
> (RFC 2440 and 3156)" is about? If this text is shown by an
> incompatible client it could be replaced by the original text.

Maybe. Maybe not. It depends on where this message occurs. If it occurs in the body of the multipart/* message part before the first message part boundary then it is probably only shown by mail clients which do not support MIME at all.

Regards,
Ingo
Re: Smartcard PIN may be shorter than passphrase?
On 8/23/11 12:43 PM, David Tomaschik wrote:
>
> So even a 4-digit PIN would ensure a less than 1% chance of guessing
> the PIN. (Assuming that the user does not select obvious pins like
> birthdates, anniversaries, etc.) At 8 digits, the probability becomes
> something like 6*10^-8, if I do the basic math correctly. Seems
> pretty secure.
>

The minimum normal PIN is 6 characters, and the minimum admin PIN is 8.

--
Grant

"I am gravely disappointed. Again you have made me unleash my dogs of war."
Re: Smartcard PIN may be shorter than passphrase?
On Tue, Aug 23, 2011 at 9:56 AM, Werner Koch wrote:
> On Tue, 23 Aug 2011 15:12, da...@systemoverlord.com said:
>> Would it be reasonable to say that you may use a significantly smaller
>> PIN for your smartcard than would be required of a passphrase, since
>> the smartcard locks itself after 3 tries?
>
> Yes. It is up to 6 tries because an attacker may also try to open the
> card using the admin PIN.

So even a 4-digit PIN would ensure a less than 1% chance of guessing the PIN. (Assuming that the user does not select obvious pins like birthdates, anniversaries, etc.) At 8 digits, the probability becomes something like 6*10^-8, if I do the basic math correctly. Seems pretty secure.

>> Since I don't use a reader with a pinpad, I must type my PIN in, and
>> thus have about 8 alpha-numeric characters for my regular PIN. (The
>
> Better use only digits - if you need to use a keypad you can't do that
> instantly.
>
>
> Shalom-Salam,
>
>    Werner

Thanks Werner!

David

--
David Tomaschik, RHCE, LPIC-1
System Administrator/Open Source Advocate
OpenPGP: 0x5DEA789B
http://systemoverlord.com
da...@systemoverlord.com
Re: Conflicting commands error?
On Tue, 23 Aug 2011 15:51, michaelquig...@theway.org said:

>> gpg --batch --armor -keyring /Publib/.../ARP_pubring.gpg

This is the same as

  -k -e -y -r -i -n -g

- thus you are asking for a key listing and encryption ... - Use two dashes.

Back to the fingerprint problem: For historic reasons --fingerprint acts as a command if no other command has been given but similar to --with-fingerprint if a command has been given. Thus it works if you put it into gpg.conf and use an explicit command. However if you want to use gpg's default operation (decrypt/verify) it will instead do a key listing with fingerprints.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Conflicting commands error?
On Tue Aug 23, 2011 at 09:51:59 -0400, michaelquig...@theway.org wrote:
> Hello,
>
> I use this syntax to sign files in a script--it works without problems,
> but when trying to manually sign a file, I'm receiving the following
> result:
>
> > gpg --batch --armor -keyring /Publib/.../ARP_pubring.gpg
> --secret-keyring /Prodlib/.../ARP_secring.gpg --local-user 55EC3D41\!
> --output S0004458.asc --clear-sign S0004458
> gpg: conflicting commands
> $
>
> I'm sure I'm overlooking something simple, but I'm just not seeing it
> today.
>

Try using --keyring instead of -keyring.

Regards,
Michael
Re: Conflicting commands error?
On Tue, Aug 23, 2011 at 11:15:27AM -0400, michaelquig...@theway.org wrote:
> > gpg: conflicting commands
> > $
> >
> > I'm sure I'm overlooking something simple, but I'm just not seeing it
> > today.
>
> Okay -- I found the dash in "clear-sign"--which should read "clearsign".
> Of course I find it shortly after sending the first request--sorry.

But if you wouldn't have sent it, you never would have found it... that's to be expected :-)
Re: Conflicting commands error?
Michael Quigley/TheWay wrote on 08/23/2011 09:51:59 AM:

> Hello,
>
> I use this syntax to sign files in a script--it works without
> problems, but when trying to manually sign a file, I'm receiving the
> following result:
>
> > gpg --batch --armor -keyring /Publib/.../ARP_pubring.gpg --secret-keyring /Prodlib/.../ARP_secring.gpg --local-user 55EC3D41\! --output S0004458.asc --clear-sign S0004458
> gpg: conflicting commands
> $
>
> I'm sure I'm overlooking something simple, but I'm just not seeing it today.
>
> Thanks,
> Michael Quigley
> Computer Services
> The Way International
> www.TheWay.org

Okay -- I found the dash in "clear-sign"--which should read "clearsign". Of course I find it shortly after sending the first request--sorry.
Conflicting commands error?
Hello,

I use this syntax to sign files in a script--it works without problems, but when trying to manually sign a file, I'm receiving the following result:

> gpg --batch --armor -keyring /Publib/.../ARP_pubring.gpg --secret-keyring /Prodlib/.../ARP_secring.gpg --local-user 55EC3D41\! --output S0004458.asc --clear-sign S0004458
gpg: conflicting commands
$

I'm sure I'm overlooking something simple, but I'm just not seeing it today.

Thanks,
Michael Quigley
Computer Services
The Way International
www.TheWay.org
Re: Smartcard PIN may be shorter than passphrase?
On Tue, 23 Aug 2011 15:12, da...@systemoverlord.com said:

> Would it be reasonable to say that you may use a significantly smaller
> PIN for your smartcard than would be required of a passphrase, since
> the smartcard locks itself after 3 tries?

Yes. It is up to 6 tries because an attacker may also try to open the card using the admin PIN.

> Since I don't use a reader with a pinpad, I must type my PIN in, and
> thus have about 8 alpha-numeric characters for my regular PIN. (The

Better use only digits - if you need to use a keypad you can't do that instantly.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Smartcard PIN may be shorter than passphrase?
Would it be reasonable to say that you may use a significantly smaller PIN for your smartcard than would be required of a passphrase, since the smartcard locks itself after 3 tries?

Since I don't use a reader with a pinpad, I must type my PIN in, and thus have about 8 alpha-numeric characters for my regular PIN. (The admin PIN is somewhat longer.) Would this be considered a reasonable length?

(Someone who can read the memory on a smart card by opening it up is NOT in my threat model -- if they can do that, they have much easier ways to coerce me into giving up my PIN.)

--
David Tomaschik, RHCE, LPIC-1
System Administrator/Open Source Advocate
OpenPGP: 0x5DEA789B
http://systemoverlord.com
da...@systemoverlord.com
Re: Re: Which release should we be using?
Hi!

At 20:59, Anthony Papillion wrote:
> My passphrases are
> stored in a Keepass database that resides in a TrueCrypt container. It's
> protected well. My actual key is protected by a 62 character passphrase

One could argue that this is equivalent to having a passphrase-less keyring within the Truecrypt container. To take Keepass's additional encryption into account, the key within the container could have the Keepass-passphrase.

cu, Sven
Re: Trying to convert from PGP on XP to a GUI on Win 7
I have 64-bit Windows 7. But there may be a hope. Microsoft has an emulator/virtual machine called Windows XP Mode that runs many older Windows XP programs and that are "not natively compatible with Windows 7". Do you know if Gpg4win will install GpgEX running in Windows XP Mode?

Werner Koch wrote:
>
> On Mon, 22 Aug 2011 00:10, marshallabr...@comcast.net said:
>
>> encrypted file using gpg2.exe. There didn't seem to be a GUI. Reading thru
>> the manual, I see that there is supposed to be an extension/plug-in on the
>> Windows Explorer menu for GpgEX, but I don't see it. What should I do?
>
> If you are using a 64 bit Windows7 you are out of luck. We have not yet
> ported GpgEx. If you are using older 64 bit Windows version you have
> the option to install a 32 bit version of the explorer. Please do that
> and you will be able to use GpgEX. You might need to re-install
> Gpg4win - I am not sure.
>
>
> Shalom-Salam,
>
>    Werner
>
> --
> Thoughts are free. Exceptions are regulated by a federal law.
Re: gpgme problem with claws mail
On 08/23/2011 02:44, Werner Koch wrote:
> On Tue, 23 Aug 2011 11:09, do...@dougbarton.us said:
>
>> Awesome, thanks! The problem turned out to be the fingerprint option in
>
> Right, fingerprint is a command and may thus not be combined with other
> commands.

Well sure, it makes sense when you say it that way. :) I've had it in my gpg.conf for ages though, so I didn't suspect it immediately.

Doug

--
Nothin' ever doesn't change, but nothin' changes much.
  -- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
Re: gpgme problem with claws mail
On Tue, 23 Aug 2011 11:09, do...@dougbarton.us said:

> Awesome, thanks! The problem turned out to be the fingerprint option in

Right, fingerprint is a command and may thus not be combined with other commands.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: gpgme problem with claws mail
On Tue, 23 Aug 2011 10:02:30 +0200 Werner Koch wrote:

> On Mon, 22 Aug 2011 09:06, do...@dougbarton.us said:
>
> > Any suggestions on how I can debug why gpgme is not recognizing that
> > there is a signature in the message?
>
> That is not enough information to help you.
>
> To look at what gpgme is doing you may set an envvar before starting
> claws like here:
>
>   GPGME_DEBUG=5:/foo/bar/gpgme.log claws-mail
>
> A debug level of 5 yields a lot of output. Have a look into the log
> file.

Awesome, thanks! The problem turned out to be the fingerprint option in my gpg.conf file. Changing that to with-fingerprint fixed it. I have logs for with and without if you're interested.

That option was showing up in red in vim so maybe I should have paid more attention to it. :)

Thanks again,

Doug

--
Nothin' ever doesn't change, but nothin' changes much.
  -- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
Re: gpgme problem with claws mail
On Mon, 22 Aug 2011 09:06, do...@dougbarton.us said:

> Any suggestions on how I can debug why gpgme is not recognizing that
> there is a signature in the message?

That is not enough information to help you.

To look at what gpgme is doing you may set an envvar before starting claws like here:

  GPGME_DEBUG=5:/foo/bar/gpgme.log claws-mail

A debug level of 5 yields a lot of output. Have a look into the log file.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: gpgsm certificate validity
On Tue, 23 Aug 2011 09:39, y...@yyy.id.lv said:

> For some certificates gpgsm asks during import, whether to trust them
> (and if confirmed, add entry to trustlist.txt automatically). Is it
> possible to make gpgsm to ask whether to trust it, for any certificate?

It does that for all proper certificates. We can't handle all kinds of bogus root certificates; there is a reason why PKIX demands certain certificate attributes.

Actually we do handle another kind of those certs: For qualified signatures, some countries issue root certificates which would not pass the usual checks - thus if such a root certificate is listed in the qualified.txt file, we do the relaxed checking but OTOH annoy you with additional prompts.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: gpgsm certificate validity
On 2011.08.23. 10:07, Werner Koch wrote:
> On Mon, 22 Aug 2011 18:05, y...@yyy.id.lv said:
>
>> So, order of certificate hashes, relative of certificate order in
>> keyring, is critically important?
> No. You need to make sure to not use lines of more than ~255
> characters. Check that your editor didn't reflow a comment block or
> similar.
>

Re-tested today and it worked in more than one order. Probably the issues yesterday were some sort of temporary glitch.

So, currently, importing a root certificate into gpgsm's keyring is a 2 stage process:

1. gpgsm --import _certificate_
2. edit trustlist.txt file, to add the imported certificate's hash (to make it trusted (useable)).

For some certificates gpgsm asks during import, whether to trust them (and if confirmed, add entry to trustlist.txt automatically). Is it possible to make gpgsm ask whether to trust it, for any certificate?
Re: Which release should we be using?
On 08/23/2011 02:04 AM, Werner Koch wrote:
> On Tue, 23 Aug 2011 03:47, papill...@gmail.com said:
>
> Spying on X windows is pretty easy and thus Pinentry tries to make it
> harder.

Werner,

Since I've never used Pinentry, I'm obviously missing something here. While I'm aware that spying on X-Window is not too complicated, how does manually entering a passphrase into Pinentry make snooping harder? Admittedly, I've never looked at the code so I probably don't know the whole story. Is entry into Pinentry vulnerable to traditional keylogging?

Anthony
Re: supersede key on key-server
On Mon, 22 Aug 2011 18:44, mike_ac...@charter.net said:

> result of a search... it would need to first search for the key by
> whatever search text was provided, and then search for hits on the
> fingerprint... if there is a revoke cert then you want to return that.

Keyservers store one copy of a key. A revocation certificate is nothing but another copy of the key with a revocation signature. The keyserver merges both of them to one key (in OpenPGP parlance a keyblock).

A basic keyblock looks like this:

  Primary_key
  User-Id-1
  Self-signature -- to bind Primary Key to User-Id-1
  User-Id-2
  Self-signature -- to bind Primary Key to User-Id-2
  Sub-Key-1
  Self-signature -- to bind Primary key to Sub-Key-1
  etc.

Now a minimal revocation certificate for the entire key is

  Primary_key
  Revocation-signature -- actually a self-signature bound to
                          Primary-Key with a special attribute.

After import, a keyserver or gpg will merge them to this:

  Primary_key
  Revocation-signature -- actually a self-signature bound to
                          Primary-Key with a special attribute.
  User-Id-1
  Self-signature -- to bind Primary Key to User-Id-1
  User-Id-2
  Self-signature -- to bind Primary Key to User-Id-2
  Sub-Key-1
  Self-signature -- to bind Primary key to Sub-Key-1

Keyservers deliver that Keyblock. It doesn't matter whether you ask for the keyid or fingerprint of the primary key or of one of the Sub-Keys - you will always get the above keyblock back. GPG checks all self-signatures and revocation-signatures and acts upon them.

You may also revoke just one user Id using this revocation certificate

  Primary_key
  User-Id-1
  Self-signature -- to bind Primary Key to User-Id-1
  Revocation-Signature -- revoking User-Id-1

After merging this is

  Primary_key
  User-Id-1
  Self-signature -- to bind Primary Key to User-Id-1
  Revocation-Signature -- revoking User-Id-1
  User-Id-2
  Self-signature -- to bind Primary Key to User-Id-2
  Sub-Key-1
  Self-signature -- to bind Primary key to Sub-Key-1

and GPG would mark User-Id-1 as revoked but still allow the use of the key.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
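The merge described in the message above, modelled in Python as an added example (not part of the original post, and not GnuPG or keyserver code). It reads RFC 4880 packet headers, groups each signature under the packet it follows, and merges two copies of one key; the function names and the sample packets are constructed for illustration, and no signature is verified.

```python
# Structural model only: not GnuPG or keyserver code; signatures are not verified.
# Tags and signature types follow RFC 4880; sample bodies are constructed placeholders.
PUBKEY, SIG, USERID, SUBKEY = 6, 2, 13, 14
NAMES = {PUBKEY: "Primary key", USERID: "User ID", SUBKEY: "Sub key"}

def parse(data):
    """Split binary OpenPGP data into (tag, body) pairs (old and new headers)."""
    out, i = [], 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if hdr & 0x40:                          # new-format header
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            else:
                raise ValueError("five-octet and partial lengths not handled")
        else:                                   # old-format header
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            if n == 8:
                raise ValueError("indeterminate length not handled")
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        out.append((tag, data[i:i + length]))
        i += length
    return out

def components(data):
    """Group packets as [((tag, body), [signature bodies])], primary key first."""
    comps = []
    for tag, body in parse(data):
        if tag != SIG:
            comps.append(((tag, body), []))
        elif comps:
            comps[-1][1].append(body)
    if not comps or comps[0][0][0] != PUBKEY:
        raise ValueError("keyblock must start with a primary key")
    return comps

def merge(stored, incoming):
    """Union of two copies of one key; new signatures join their component."""
    if stored[0][0] != incoming[0][0]:
        raise ValueError("different primary keys")
    merged = {owner: list(sigs) for owner, sigs in stored}   # keeps packet order
    for owner, sigs in incoming:
        have = merged.setdefault(owner, [])
        have += [s for s in sigs if s not in have]
    return list(merged.items())

def outline(comps):
    """One line per packet; signature type is octet 1 in v4 packets, octet 2 in v3."""
    lines = []
    for (tag, _), sigs in comps:
        lines.append(NAMES.get(tag, f"tag {tag}"))
        lines += [f"  sig 0x{(s[1] if s[0] == 4 else s[2]):02x}" for s in sigs]
    return lines

def pkt(tag, body):   # sample-data helper: new-format packet, body < 192 bytes
    return bytes([0xC0 | tag, len(body)]) + body

KEY, UID1, SELF1 = pkt(PUBKEY, b"\x04key"), pkt(USERID, b"User-Id-1"), pkt(SIG, b"\x04\x13 uid1")
KEYBLOCK = components(KEY + UID1 + SELF1 + pkt(USERID, b"User-Id-2") + pkt(SIG, b"\x04\x13 uid2")
                      + pkt(SUBKEY, b"\x04sub") + pkt(SIG, b"\x04\x18 sub"))
KEY_REVOCATION = components(KEY + pkt(SIG, b"\x04\x20 revoke key"))              # type 0x20
UID_REVOCATION = components(KEY + UID1 + SELF1 + pkt(SIG, b"\x04\x30 revoke uid"))  # type 0x30
```

`outline(merge(KEYBLOCK, KEY_REVOCATION))` lists the 0x20 signature directly under the primary key, and merging `UID_REVOCATION` places the 0x30 signature after the first user ID's self-signature, matching the two merged layouts in the message.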
Re: gpgsm certificate validity
On Mon, 22 Aug 2011 18:05, y...@yyy.id.lv said:

> So, order of certificate hashes, relative of certificate order in
> keyring, is critically important?

No. You need to make sure to not use lines of more than ~255 characters. Check that your editor didn't reflow a comment block or similar.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
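A check for the trustlist.txt problem discussed in this thread, as an added example (not from the thread and not GnuPG code): it flags lines over the ~255 character limit and non-comment lines that are not fingerprint entries, which is what a reflowed comment block leaves behind. The entry shape used here (optional "!", 40 hex digits with optional colons, then flags) is an assumption, and the sample text is constructed.

```python
import re

MAX_LINE = 255  # "~255 characters" in the message above; used here as the threshold

# Assumed entry shape: optional "!" (explicitly untrusted), a 40-hex-digit
# fingerprint with optional colons between bytes, then at least one flag such as "S".
ENTRY = re.compile(r"^(!?)((?:[0-9A-Fa-f]{2}:?){19}[0-9A-Fa-f]{2})\s+(\S.*)$")


def check_trustlist(text):
    """Return (trusted, problems): trusted fingerprints and (line_no, reason) pairs."""
    trusted, problems = [], []
    for no, line in enumerate(text.splitlines(), 1):
        if len(line) > MAX_LINE:
            problems.append((no, f"{len(line)} characters, over the {MAX_LINE} limit"))
            continue
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank line or comment
        m = ENTRY.match(stripped)
        if m is None:
            problems.append((no, "neither a comment nor a fingerprint entry"))
        elif not m.group(1):
            trusted.append(m.group(2).replace(":", "").upper())
    return trusted, problems


# Constructed sample: line 3 is the tail of a comment that an editor re-wrapped
# without its "#", and line 6 is a comment joined into one over-long line.
SAMPLE = "\n".join([
    "# CN=Example Root CA (constructed entry, not a real certificate)",
    "# this comment was reflowed by the editor and its second half",
    "ended up on a line of its own",
    "AA:" * 19 + "AA S",
    "!" + "BB" * 20 + " S",
    "# " + "x" * 300,
])

if __name__ == "__main__":
    for item in check_trustlist(SAMPLE)[1]:
        print(item)
```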
Re: Which release should we be using?
On Tue, 23 Aug 2011 03:47, papill...@gmail.com said:

> stored in a Keepass database that resides in a TrueCrypt container. It's
> protected well. My actual key is protected by a 62 character passphrase

... as long as the box is powered down. Hard disk encryption does not help if the box is up and you are attacked by malware.

> that I'd like to cut and paste into GPG. Considering all of that, I
> think it's a bit extreme to say cutting and pasting a passphrase from

Spying on X windows is pretty easy and thus Pinentry tries to make it harder. If you store your passphrase elsewhere; feed it directly to gpg-agent (gpg-preset-passphrase or a custom pinentry) without that manual c+p.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.