invalid gpg key revocation

2012-03-06 Thread auto15963931


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: invalid gpg key revocation

2012-03-06 Thread auto15963931
Okay, there are a lot of responses, and I need to get to the bottom 
of this as quickly as possible, but I also want to do so 
methodically.  Let me respond to the points raised as best I can 
until this is resolved. 

> -Original Message-
> From: gnupg-users-boun...@gnupg.org [mailto:gnupg-users-boun...@gnupg.org]
> On Behalf Of Robert J. Hansen
> Sent: Monday, March 05, 2012 11:27 AM
> To: gnupg-users@gnupg.org
> Subject: Re: invalid gpg key revocation

> On 3/5/12 12:12 PM, auto15963...@hushmail.com wrote:
> > I am 99.9% sure no one has gotten access to my machine or my keys.
> 
> Whenever anyone ascribes 99.9% certainty to a belief, my knee-jerk
> reaction is to think the only 99.9% certainty is they've got the wrong
> confidence interval.  :)
> 
> There are really only a few possibilities here:
> 
> 1.  User error.  You did it yourself by accident and didn't realize
> it.
> 2.  Someone has access to your private key and passphrase and
> revoked your user ID.
> 3.  GnuPG has a critical, showstopper bug.
> 4.  The algorithm you used has a critical cryptographic flaw that
> someone exploited.
> 
> I can't tell you how likely #1 or #2 are, but #s 3 and 4 both seem like
> fairly low-probability events.  I would begin by checking to see if
> either #1 or #2 are in fact the case.  If you want me to believe #3 or
> #4 are the case, you're first going to have to convince me it could not
> have been #1 or #2.

I agree that user error is a possibility, but I am not certain how 
to prove it. I can reproduce another public key just like the one 
that was revoked except using a different name. I can use the same 
program, same method and same machine, and I can post it to an 
email here just as I posted it to the other site I mentioned. This 
way you can see the result plainly. At least we can determine 
whether the key is getting made correctly.

I have to reiterate, but not eliminate the possibility, that someone 
having access to this machine is extremely unlikely.  This machine 
is not in a public place or workplace. It is at my home, and I do 
not have any guest accessing it. My family members would not, and 
could not do this anyway. It is fully encrypted and well protected. 
 I have a good deal of anti-malware and firewall protection.  
Impossible, no; improbable, highly so.




> -Original Message-
> From: gnupg-users-boun...@gnupg.org [mailto:gnupg-users-boun...@gnupg.org]
> On Behalf Of David Shaw
> Sent: Monday, March 05, 2012 12:40 PM
> To: auto15963...@hushmail.com
> Cc: gnupg-users@gnupg.org GnuPG
> Subject: Re: invalid gpg key revocation
> 
> 
> On Mar 5, 2012, at 12:12 PM, auto15963...@hushmail.com wrote:
>
> >  What can be looked at on the revoked key
> > to see how or under what circumstances it was revoked? Thanks.
> 
> A revocation appears as a signature on the key.  Anyone who has (write)
> access to the key can add such a signature (if it exists).  However, only
> the holder of the secret key can generate such a signature.  In other
> words, if you really never made a revocation (many howto documents
> recommend making one and saving it when you generate your key), and the
> revocation you found on your key is genuine (if gpg confirms it is
> revoked), then I recommend you check if someone has access to your secret
> key.
> 
> You can examine the revocation certificate with:
> 
>  gpg --export (your key id) | gpg --list-packets

Looking at this instruction, I think you assume that I have 
imported the revoked key onto my keyring. I have not done so.  On 
my keyring is the valid key, which is not revoked.  The revoked key 
appears to be on a keyserver.  When I do a search and view the 
result online, I can see my key ID number and user ID plainly 
identifying this key as having now been revoked.  I have not 
imported it. The really weird part is that I never publicly put it 
on a server myself. I guess someone else did that as part of this 
malice after I put it on a website for importing.  I am reluctant 
to import the bad one because it might mess up the good one. So, I 
am not sure how to look at the certificate with your command, which 
appears to require that I export it. Does it not?
> 
> The piece you are interested in will look like this.  It's usually the
> second packet in an exported key:
> 
> :signature packet: algo 1, keyid 7296AD3DA736CEC5
>   version 4, created 1330970459, md5len 0, sigclass 0x20
>   digest algo 2, begin of digest 74 51
>   hashed subpkt 2 len 4 (sig created 2012-03-05)
>   hashed subpkt 29 len 10 (revocation reason 0x01 (foobar))
>   subpkt 16 len 8 (issuer key ID 7296AD3DA736CEC5)
>   data: [2047 bits]
> 
> Note the sigclass is "0x20", which is the revocation class.  The keyid
> would be that of your key (or it's a revocation for someone else, and is
> not relevant to your key).  "Created" is the epoch timestamp of when the
> revocation was supposedly generated, echoed in "sig created".  The
>

Re: invalid gpg key revocation

2012-03-06 Thread auto15963931
> -Original Message-
> From: gnupg-users-boun...@gnupg.org [mailto:gnupg-users-boun...@gnupg.org]
> On Behalf Of Ingo Klöcker
> Sent: Monday, March 05, 2012 3:37 PM
> To: gnupg-users@gnupg.org
> Subject: Re: invalid gpg key revocation
> 
> On Sunday 04 March 2012, Robert J. Hansen wrote:
> > On 3/4/2012 4:13 PM, auto15963...@hushmail.com wrote:
> > > Hello. Supposing I create a key with an arbitrary user ID...
> >
> > This seems to me to be a simple question wrapped up in a lot of
> > unnecessarily specific details: "How is it possible for a
> > non-authorized person to revoke a user ID?"
> >
> > 1.  Mathematical weakness in the underlying
> > algorithms (unlikely but possible)
> > 2.  Critical bug in GnuPG (unlikely but possible)
> > 3.  Someone's swiped your private key (disturbingly
> > possible)
> 
> 4. He has left his laptop unlocked and unattended for a very short period
> of time and he is using gpg-agent with a cache-ttl > 0.

I do in fact use gpg-agent and a cache >0, but this machine is not 
in a workplace or public location. It is in my home, in a place 
where visitors have no access, and my family would not have been 
able to do this.  My machine has considerable security. I am not 
saying it would be 100% impossible to get access, but I am saying 
that if there is a possibility, I am not aware of it and I need to 
be so that I can prevent its recurrence.  I do believe that there is 
another more plausible explanation.

For instance, what procedure occurs at the server itself that 
allows the revocation to occur?  Is it a fully automated event? Is 
there a way for a person without a key to issue a command to the 
server in any way to make this happen? 
> 
> I have verified that one can generate a revocation certificate without
> entering a passphrase if one has previously signed something (e.g. an
> email). So, it was probably just a very nasty prank.

This is good information, but I personally would give it a stronger 
name than prank.
> 
> Maybe gpg shouldn't use the cached signing passphrase (or any cached
> passphrase) for generating a revocation certificate.

This does sound like a reasonable consideration, in my opinion. At 
least, I would like to have that option configurable.
> 




Re: invalid gpg key revocation

2012-03-06 Thread Peter Lebbing
On 06/03/12 19:36, auto15963...@hushmail.com wrote:
> The revoked key appears to be on a keyserver.  When I do a search and view
> the result online, I can see my key ID number and user ID plainly identifying
> this key as having now been revoked.  I have not imported it.

The keyservers don't do any validation on revocation certificates; anyone who
feels like it can add /invalid/ revocation certificates to your key to annoy
you. But as soon as OpenPGP software imports the key from the keyserver, it will
simply discard /invalid/ revocation certificates as noise.

So I think the most likely thing is that someone who wants to annoy you has
uploaded not only your key, but also a fake revocation certificate to the
keyserver so the web interface will give you misleading information.

My suggestion:
- Back up your GnuPG home directory (the one with the keyrings and stuff)
- Import the key from the keyserver and check the validity of the revocation
- Perhaps restore the backup of the directory afterwards, or not

If it is an invalid revocation: unfortunate. To answer your next question: no,
it is not possible to remove your key or the false revocation from the
keyserver. This stuff is just noise. Users of keyservers need to be aware that
keyservers can contain noise, which does not harm the operation of the software,
but can be misleading, or potentially insulting. It is out of *your* control,
and therefore, when looked at sanely, also out of your responsibility.

Good luck,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt



Re: invalid gpg key revocation

2012-03-06 Thread Hauke Laging
On Tuesday, 6 March 2012, 19:36:07, auto15963...@hushmail.com wrote:

> I agree that user error is a possibility, but I am not certain how
> to prove it. I can reproduce another public key just like the one
> that was revoked except using a different name.

I do not see any possible user error during key generation which might lead to 
this except for the generation of very short keys. AFAIK gpg offers a minimum 
of 1024 bit now and 512 bit has been possible earlier. 512 bit could have been 
cracked.


> I have to reiterate, but not eliminate the possibility, that someone
> having access to this machine is extremely unlikely.

This is not primarily meant as physical access.


>  I have a good deal of anti-malware and firewall protection.
> Impossible, no; improbable, highly so.

Anti-malware software is usually easy to circumvent. You create malware and 
play with its compilation parameters until none of the 10 most popular 
scanners can detect it any more.

Chances are better to limit the access of hijacked software to critical data. 
And that doesn't help against kernel bugs.


> Looking at this instruction, I think you assume that I have
> imported the revoked key onto my keyring. I have not done so.

You really should.


> On my keyring is the valid key, which is not revoked.

If there is a valid revocation signature out there it does not make any sense 
not to revoke the local copy of the key.


> When I do a search and view the
> result online, I can see my key ID number and user ID plainly
> identifying this key as having now been revoked.

How can a user ID identify a key as being revoked? I don't use key servers 
often. What I know from regular discussions here is that most key servers 
don't implement crypto functions. Thus they may show a key as revoked because 
they have not realized that the revocation signature is invalid.


> I am reluctant
> to import the bad one because it might mess up the good one.

There are not "a good one" and "a bad one". There's an updated one and an 
outdated one (your local copy).

You can always delete signatures locally. Besides you can make a backup of 
your key, import the revoked one, have a look at it and at worst delete the 
key and import your backup.



> > Can you confirm that?
> 
> I have generated the key on my main PC, which, as far as I know,
> and I am no slouch when it comes to security (and, no problem, :) I
> do not think you suggested I am). My machine is well protected with
> firewall and antimalware.

I am interested in software security (not an expert, though) but I would never 
consider the key I use to sign this email being safe. I mention that in my 
signature policy. I have different keys for different security levels.


> I do not make documents on one
> machine, save it to CD and move media to another machine for using
> on internet.

You probably don't even use a separate user account for key handling.

You don't have to be paranoid but you should accept the consequences of 
security compromises.


> If my machine has been compromised in any way, I need
> to ascertain that much and fix it.

You cannot fix your machine in a way that you can be sure this will not happen 
again. You have to determine the risk and effort you are willing to take. 
Maybe a smartcard is an improvement for you (and no, using a smartcard does 
not guarantee that unwanted signatures cannot be created).


> Still, I find this possibility extremely unlikely in all honesty.

I guess you won't find many on this list who share that view.


> Nevertheless, I am perfectly willing
> to use a different software to try to reproduce another key, and I
> am perfectly willing and capable of using the CLI of gnupg if need
> be; in this way I can be sure that the program itself is not
> responsible.

How do you want to reproduce attackers' behaviour? If your next key does not 
get revoked by someone else then you are sure it is safe?

You may create a new key (in a secure environment) with an offline main key 
with a secure and individual passphrase (hard task not to forget it). That 
would give you a lot of security that your key is not revoked by someone else. 
But it will not make your subkeys safer (and thus your signatures more 
trustworthy).


> I have created a key in a manner that I believe is
> secure. If it can be revoked, what else can be done with it?

Most probably signatures can be faked and data encrypted to this key can be 
decrypted. New subkeys and UIDs can be created. The preferred key server can 
be changed so that people "never" see the revocation.


> I need to fix my mistake so that it does not happen again.

Above you refused to do so because it was too much effort for you.


Hauke
-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814



Re: invalid gpg key revocation

2012-03-06 Thread Daniel Kahn Gillmor
On 03/06/2012 01:36 PM, auto15963...@hushmail.com wrote:
> Looking at this instruction, I think you assume that I have 
> imported the revoked key onto my keyring. I have not done so.  On 
> my keyring is the valid key, which is not revoked.  The revoked key 
> appears to be on a keyserver.  When I do a search and view the 
> result online, I can see my key ID number and user ID plainly 
> identifying this key as having now been revoked.  I have not 
> imported it.

So much mystery involved here!  You're making everyone guess at the
situation by not identifying the key.  I understand you might have
reasons for this caginess, but please realize that your reluctance to
spell out the details of the situation makes this process take much more
of your time and of the time of other people on this list.

You might not be aware that keyservers don't check the correctness of
any of the cryptographic material placed on them.  So it's possible to
upload something that looks like a revocation certificate but would be
rejected by any reasonable OpenPGP client implementation, since it would
not validate.

> The really weird part is that I never publicly put it 
> on a server myself.

Anyone with possession of an OpenPGP certificate can upload it to the
public keyservers.

> I am reluctant 
> to import the bad one because it might mess up the good one.

I understand your hesitation to import the revocation certificate to
your public keyring, though you can probably clean it up with some of
the subcommands of gpg --edit-key .

Alternately, you could create a new GNUPGHOME directory and work
temporarily from that.

e.g.:

mkdir -m 0700 ~/tmpgpg
GNUPGHOME=~/tmpgpg
export GNUPGHOME

# ... do your work here, you'll start with an empty keyring ...

rm -rf ~/tmpgpg
unset GNUPGHOME


> So, I 
> am not sure how to look at the certificate with your command, which 
> appears to require that I export it. Does it not?

No, you could also just fetch the key from the keyserver via http, and
feed it to gpg --list-packets directly.  Here's me doing that with my
own key (you'd need to replace the long keyid with the keyid you care
about):

wget -O- \
 'http://keys.gnupg.net/pks/lookup?op=get&search=0xCCD2ED94D21739E9'\
 | gpg --list-packets \
 | less

however, importing it into a gpg keyring is probably a better idea,
since it would let you verify whether the revocation certificate is valid.

Regards,

--dkg
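
The packet check discussed in this thread (David Shaw's sigclass 0x20 description and the --list-packets pipelines above), as an added example that is not part of any poster's message: it scans `gpg --list-packets` output for key-revocation signatures and marks whether each one names the expected key as issuer. The function names, the second key ID and the sample dump are constructed for illustration; the script only reads packet fields and does not verify any signature.

```shell
#!/bin/sh
# Added example, not from the thread: report key-revocation signatures
# (sigclass 0x20) in `gpg --list-packets` output. This only reads packet
# fields; it does NOT verify the signature. Validity is decided by gpg when
# the key is imported (for instance into a throwaway GNUPGHOME).

# find_revocations EXPECTED_KEYID   (hypothetical helper name)
# stdin : text produced by `gpg --list-packets`
# stdout: "<issuer keyid> <created epoch> <self|foreign>" per 0x20 packet
#         self    = packet names EXPECTED_KEYID as issuer
#         foreign = names another key, so it is not a revocation by this key
find_revocations() {
    awk -v want="$1" '
        function emit() {
            if (keyid != "" && sigcls == "0x20")
                print keyid, created, (toupper(keyid) == toupper(want) ? "self" : "foreign")
            keyid = ""; sigcls = ""; created = ""
        }
        /^:/ { emit() }    # a new packet header closes the previous packet
        /^:signature packet:/ {
            for (i = 1; i < NF; i++) if ($i == "keyid") keyid = $(i + 1)
        }
        keyid != "" && /sigclass/ {
            for (i = 1; i < NF; i++) {
                if ($i == "created")  { created = $(i + 1); sub(/,$/, "", created) }
                if ($i == "sigclass") { sigcls = $(i + 1) }
            }
        }
        END { emit() }
    '
}

# Constructed sample dump: the first 0x20 packet mirrors the one quoted in
# the thread; the 0123456789ABCDEF issuer and the other packets are made up.
sample_packets() {
    cat <<'EOF'
:public key packet:
    version 4, algo 1, created 1330960000, expires 0
:signature packet: algo 1, keyid 7296AD3DA736CEC5
    version 4, created 1330970459, md5len 0, sigclass 0x20
    digest algo 2, begin of digest 74 51
    hashed subpkt 2 len 4 (sig created 2012-03-05)
    hashed subpkt 29 len 10 (revocation reason 0x01 (foobar))
    subpkt 16 len 8 (issuer key ID 7296AD3DA736CEC5)
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1331000000, md5len 0, sigclass 0x20
    subpkt 16 len 8 (issuer key ID 0123456789ABCDEF)
:user ID packet: "Constructed User <user@example.org>"
:signature packet: algo 1, keyid 7296AD3DA736CEC5
    version 4, created 1330960001, md5len 0, sigclass 0x13
    subpkt 16 len 8 (issuer key ID 7296AD3DA736CEC5)
EOF
}

# Real use, with the pipeline given earlier in the thread:
#   gpg --export KEYID | gpg --list-packets | find_revocations KEYID
sample_packets | find_revocations 7296AD3DA736CEC5
```

A "self" line only means a packet claiming to be a revocation by that key is present; whether gpg reports the key as revoked after import is what shows the signature actually verifies.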



Separate user account (was Re: invalid gpg key revocation)

2012-03-06 Thread Peter Lebbing
On 06/03/12 21:14, Hauke Laging wrote:
> You probably don't even use a separate user account for key handling.

I don't even do that either. Sounds to me like mainly snake oil with an
insignificantly reduced actual hacking risk.

To clarify, an attacker is able to get into your personal user account on your
desktop machine, but then unable to escalate his privileges to administrator
level? That's an odd combination of skills and lack of skills at the same time.

It only takes one vulnerable program which he can (install and?) run. Or he just
needs to wait until you become superuser from your own user account and hitch
the ride.

And you also can't access that separate user account from your own, or you face
the same problem: the attacker is effectively you on your personal account.
Watches you access the separate user account, and bingo.

These are just the most obvious ones. The subtle ones are probably much cooler.
I'm not a hacker.

>> I need to fix my mistake so that it does not happen again.
> 
> Above you refused to do so because it was too much effort for you.

I find this unnecessarily harshly formulated. He hasn't refused to do anything,
even though he's not making it easy by being so secretive.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt



Re: Separate user account (was Re: invalid gpg key revocation)

2012-03-06 Thread Hauke Laging
On Tuesday, 6 March 2012, 22:00:05, Peter Lebbing wrote:
> On 06/03/12 21:14, Hauke Laging wrote:
> > You probably don't even use a separate user account for key handling.
> 
> I don't even do that either.

Neither do I.


> Sounds to me like mainly snake oil with an
> insignificantly reduced actual hacking risk.

That certainly depends on the way you use the system.


> To clarify, an attacker is able to get into your personal user account on
> your desktop machine, but then unable to escalate his privileges to
> administrator level? That's an odd combination of skills and lack of
> skills at the same time.

AFAIK there is nearly no skill level required in order to get into an average 
user account. There is software which creates malware. You don't have to write 
it yourself. Just wait for the next exploit in a widely used (or known to be 
used) software.


> Or he
> just needs to wait until you become superuser from your own user account
> and hitch the ride.

That's obviously something one shouldn't do then.


> And you also can't access that separate user account from your own, or you
> face the same problem: the attacker is effectively you on your personal
> account. Watches you access the separate user account, and bingo.

Not being an expert I consider user switching safe both under Windows and 
Linux.


> These are just the most obvious ones. The subtle ones are probably much
> cooler. I'm not a hacker.

Sure, but there's cool stuff on the other side, too. A user need not be 
capable of installing software. A process's capabilities can be limited (I run 
my Internet software under AppArmor profiles). The access to X can be limited.

I see the biggest problem in hijacking a running process by feeding in data 
that exploits a bug and thus being able to read and write data locally and 
over the Internet with the biggest threat (on a well configured system) being 
a privilege escalation bug in the kernel which can be triggered from the 
hijacked process.


Some time ago I suggested on this list to add an option to gpg-agent which 
would open a message box every time a cached passphrase is used. I don't like 
the idea that I don't know what gpg-agent is doing. This suggestion was denied 
with the argument that the overall security level was so low that there were 
many possibilities to deactivate (or even manipulate) such a feature and thus 
it would just give a false feeling of security...


> >> I need to fix my mistake so that it does not happen again.
> > 
> > Above you refused to do so because it was too much effort for you.
> 
> I find this unnecessarily harshly formulated. He hasn't refused to do
> anything, even though he's not making it easy by being so secretive.

Then I misunderstood him. I remember that he objected to the idea of having 
completely separate environments as a reliable key protection.

What do you have to do to be "really" safe?

1) Boot the system from a read-only medium.

2) Read the data from the unsafe medium.

3) Create the signature.

4) Take the key and signature out of the current environment.

5) The fun part (for most data types): Check (on as many different systems as 
"seems" necessary) whether the data is correct (how do you search for unknown 
exploits?).

6) Make the signature available to the unsafe world.


Hauke
-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814




Re: Separate user account (was Re: invalid gpg key revocation)

2012-03-06 Thread Peter Lebbing
On 06/03/12 22:31, Hauke Laging wrote:
> AFAIK there is nearly no skill level required in order to get into an average
>  user account. There is software which creates malware. You don't have to
> write it yourself. Just wait for the next exploit in a widely used (or known
> to be used) software.

I don't see the counterargument here: why is the situation different for
becoming that other user account or the superuser? Just because they use less
programs? Wait slightly longer, for an exploit in the programs that do expose
those accounts.

BTW, I do hope there is some skill level needed to get into the user account of,
for example, seasoned computer users (remotely, not counting physical
access). For a suitable definition of "seasoned".

>> Or he just needs to wait until you become superuser from your own user
>> account and hitch the ride.
> 
> That's obviously something one shouldn't do then.

Yes, I get that. Like I said, I only gave the obvious ones. Unfortunately the
small-scale remedy to those is also obvious. However, you might plug a hole, but
the sieve as a whole keeps going.

> Sure, but there's cool stuff on the other side, too. A user need not be 
> capable of installing software. A process's capabilities can be limited (I
> run my Internet software under AppArmor profiles). The access to X can be
> limited.

I'm not saying you should give up protecting yourself. I just don't see a
significant role of the separate user account in those efforts.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt



Re: invalid gpg key revocation

2012-03-06 Thread Faramir
On 06-03-2012 15:59, auto15963...@hushmail.com wrote:
...

> I do in fact use gpg-agent and a cache >0, but this machine is not
>  in a workplace or public location. It is in my home, in a place 
> where visitors have no access, and my family would not have been 
> able to do this.  My machine has considerable security. I am not 
> saying it would be 100% impossible to get access, but I am saying 
> that if there is a possibility, I am not aware of it and I need to
>  be so that I can prevent its recurrence.  I do believe that there
> is another more plausible explanation.

  Same here, any attack (other than theft) on my machine would come
from Internet.


> For instance, what procedure occurs at the server itself that 
> allows the revocation to occur?  Is it a fully automated event? Is
>  there a way for a person without a key to issue a command to the 
> server in any way to make this happen?

  Only your private key can generate the revocation certificate,
Keyservers don't have your private key. After the revocation
certificate is generated, anybody can import it to your public key and
upload it to keyservers... remember rev certs must be capable of
revoking a key in case the private key is no longer available. So we
think probably somebody had access to your key, or to a backed up rev
cert. You say there was not an already generated rev cert, so it is
very likely your computer has a trojan on it.

  By the way, how long was your private key? 1024 bits? Or less?
because if it was a 512 bits key, it MIGHT have been factorized.


  Just in case, I keep my master keys off-line, only the subkeys are
at my computer.

   Best regards


Re: invalid gpg key revocation

2012-03-06 Thread Faramir
On 06-03-2012 16:58, Peter Lebbing wrote:
...
> The keyservers don't do any validation on revocation certificates;
> anyone who feels like it can add /invalid/ revocation certificates
> to your key to annoy you. But as soon as OpenPGP software imports
> the key from the keyserver, it will simply discard /invalid/
> revocation certificates as noise.

  Ah... I was not aware of that... interesting...

  Best Regards


Please help!

2012-03-06 Thread Alastair Langwell
Hi folks,

I wonder if any of you can help with this problem
(http://www.mozilla-enigmail.org/forum/viewtopic.php?f=3&t=838&p=3409)
on Enigmail? I'd appreciate it and promise I'll post any solutions into
that forum thread!

Many thanks in advance,

Alastair Langwell
Key: E2F6 3C0F 21BB 5DEB 32BF AC52 CA72 33EC 302F 21A8



Re: Please help!

2012-03-06 Thread Robert J. Hansen
On 3/6/12 8:03 PM, Alastair Langwell wrote:
> I wonder if any of you can help with this problem on Enigmail?

Contrary to your statement on the forum post, it is almost definitely
*not* an Enigmail issue.  This is a straightforward permissions issue.
Somehow you managed to chown everything in $HOME/.gnupg to root instead
of your normal user, and that's borking everything up.

Fix the permissions and this will go away.



Re: Please help!

2012-03-06 Thread Reid Thompson

On 3/6/2012 8:03 PM, Alastair Langwell wrote:
> Hi folks,
>
> I wonder if any of you can help with this problem
> (http://www.mozilla-enigmail.org/forum/viewtopic.php?f=3&t=838&p=3409)
> on Enigmail? I'd appreciate it and promise I'll post any solutions into
> that forum thread!
>
> Many thanks in advance,
>
> Alastair Langwell
> Key: E2F6 3C0F 21BB 5DEB 32BF AC52 CA72 33EC 302F 21A8

~/.gnupg/ and all the files it contains are owned by root -- they
should be owned by you

chown the directory and its contents to be you and your primary group