Re: GnuPG 2 + OpenPGP card on F17

2012-05-30 Thread Robert J. Hansen
After more wrestling with this, I'm still no closer to a solution than I
was this morning.  I was able to recreate Nguyễn's difficulties with an
Ubuntu 12.04LTS/64-bit system, though, so we can confirm that one's got
problems and it's not simple user error on his part.  Or, rather, if it
is then I'm making the exact same errors, so...

I don't know what the root cause of the problem is yet.  I don't want
anyone to misread this as "GnuPG 2 sucks," because that's *not at all
what I'm saying*.  But it does appear that GnuPG 2 has serious problems
with smartcards when running under Ubuntu 12.04LTS or Fedora 17.

Maybe we should get the Fedora, Debian and Ubuntu GnuPG package
maintainers in on this discussion?  Perhaps they don't have smart cards
with which to test their packages.  If so, I would be happy to buy them
smart cards and readers for testing purposes.  This is important
functionality and right now it just doesn't appear to reliably work.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: GnuPG 2 + OpenPGP card on F17

2012-05-30 Thread Nguyễn Hồng Quân
Hi,
After pkill gpg-agent, it seems that gpg-agent still runs:
hongquan@Pangolin ~ $ pkill gpg-agent
hongquan@Pangolin ~ $ ps ax | grep gpg-agent
 1991 ?        Ss     0:00 /usr/bin/ssh-agent /usr/bin/gpg-agent --daemon --sh --write-env-file=/home/hongquan/.gnupg/gpg-agent-info-Pangolin /usr/bin/dbus-launch --exit-with-session gnome-session --session=ubuntu
 1992 ?        Zs     0:00 [gpg-agent]
 4094 pts/3    S+     0:00 grep --colour=auto gpg-agent

Do you have any idea?

On 05/30/2012 06:26 PM, Werner Koch wrote:
> Did you restart gpg-agent? 
>
>   pkill gpg-agent
>
> and check with ps that it has really been killed.  You should see a
> notice in the log as soon as you restart gpg-agent.  Check also the
> owner of the socket:
>
>   lsof /home/USER/.gnupg/S.gpg-agent
>
>
> Shalom-Salam,
>
>Werner
>
>

-- 
Regards,
Quân




Re: Some people say longer keys are silly. I think they should be supported by gpg.

2012-05-30 Thread Hubert Kario
On Wednesday 30 of May 2012 21:14:42 MFPA wrote:
> Hi
> 
> 
> On Monday 28 May 2012 at 3:12:24 AM, in
> 
> , Robert J. Hansen wrote:
> > The problem isn't the fraction of the population.  The
> > problem is command and control.
> 
> That will always be a problem if the planting is uncoordinated.
> 
> As a thought experiment, what happens when all the "real" protesters
> have gone on to something else and plants from various agencies make
> up 100%?

Ahh, the Memoirs Found in a Bathtub! Well written book, quite captivating.
-- 
Hubert Kario
QBS - Quality Business Software
02-656 Warszawa, ul. Ksawerów 30/85
tel. +48 (22) 646-61-51, 646-74-24
www.qbs.com.pl



Re: Some people say longer keys are silly. I think they should be supported by gpg.

2012-05-30 Thread Jean-David Beyer
MFPA wrote:
> Hi
> 
> 
> On Monday 28 May 2012 at 3:12:24 AM, in
> , Robert J. Hansen wrote:
> 
> 
>> The problem isn't the fraction of the population.  The
>> problem is command and control.
> 
> That will always be a problem if the planting is uncoordinated. 
> 
> As a thought experiment, what happens when all the "real" protesters
> have gone on to something else and plants from various agencies make
> up 100%?
> 
> 
My mother once told me that it was easy in the late 1930s and 1940s for
Communist Party members to identify the FBI informants. The informants
were the only ones who paid their dues. Real communists could not afford it.

-- 
  .~.  Jean-David Beyer          Registered Linux User 85642.
  /V\  PGP-Key: 9A2FC99A         Registered Machine   241939.
 /( )\ Shrewsbury, New Jersey    http://counter.li.org
 ^^-^^ 17:40:01 up 1 day, 2:00, 4 users, load average: 1.26, 1.36, 1.35



Re: Some people say longer keys are silly. I think they should be supported by gpg.

2012-05-30 Thread Robert J. Hansen
On 05/30/2012 04:14 PM, MFPA wrote:
> That will always be a problem if the planting is uncoordinated. 

And if the planting *is* coordinated, why in the world would you ever
need a 1 in 6 penetration rate?  I'm sorry, but this is rapidly
descending down the rabbit-hole of conspiracy theory -- where every plea
for sanity and rationality is met by an expansion of the conspiracy
theory in order to explain why sanity and rationality don't work in this
particular case.

The world is not _The Illuminatus! Trilogy_.



Re: Some people say longer keys are silly. I think they should be supported by gpg.

2012-05-30 Thread MFPA
Hi


On Monday 28 May 2012 at 3:12:24 AM, in
, Robert J. Hansen wrote:


> The problem isn't the fraction of the population.  The
> problem is command and control.

That will always be a problem if the planting is uncoordinated. 

As a thought experiment, what happens when all the "real" protesters
have gone on to something else and plants from various agencies make
up 100%?


-- 
Best regards

MFPA                    mailto:expires2...@rocketmail.com

When it comes to humility, I'm the greatest. 




Re: PGP interoperability

2012-05-30 Thread MFPA
Hi


On Friday 25 May 2012 at 10:22:45 AM, in
, Johan Wevers wrote:


> Maybe the NSA has found a workable solution for
> factoring but not for DL?  

And shared the fact privately with Symantec?




-- 
Best regards

MFPA                    mailto:expires2...@rocketmail.com

Wisdom is a companion to age; yet age may travel alone.




Re: GPA download site

2012-05-30 Thread Werner Koch
On Wed, 30 May 2012 16:54, r...@sixdemonbag.org said:

>
>http://www.gnupg.org/related_software/gpa/
>
> then, as it points off at a site which only offers 0.9.0 for download.  :)

That makes sense.  For most other parts of GnuPG we enter the current
version number into a file swdb.wml and are done.  But not for GPA :-(.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: GnuPG 2 + OpenPGP card on F17

2012-05-30 Thread Werner Koch
On Wed, 30 May 2012 14:54, r...@sixdemonbag.org said:

> Also, should this be socket://home... or socket:///home...?

Oops, 3 dashes are correct.

> Starting over from scratch again I manually removed S.gpg-agent and
> S.log.  S.gpg-agent was recreated automatically, but S.log seemed to not be.

S.log is created by watchgnupg.  However GnuPG always tries to
re-connect; thus you may start watchgnupg after gpg-agent.  "watchgnupg
--force SOCKETFILE" only deletes an existing SOCKETFILE and creates a
new one.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: GPA download site

2012-05-30 Thread Robert J. Hansen
On 05/30/2012 10:46 AM, Werner Koch wrote:
> The new download site is
> 
>   ftp://ftp.gnupg.org/gcrypt/gpa/
> 
> 

You may want to update:

 http://www.gnupg.org/related_software/gpa/

then, as it points off at a site which only offers 0.9.0 for download.  :)



GPA download site (was: changing the default for --keyid-format)

2012-05-30 Thread Werner Koch
The new download site is

  ftp://ftp.gnupg.org/gcrypt/gpa/


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: changing the default for --keyid-format

2012-05-30 Thread Werner Koch
On Wed, 30 May 2012 16:16, r...@sixdemonbag.org said:
> On 05/30/2012 09:40 AM, Mark H. Wood wrote:
>> Oh, how many times have I wondered why GPA has no search tool.
>
> Taking a look at GPA, it seems that 0.9.0 no longer compiles on a modern
> UNIX -- it expects libassuan-1.x, apparently, and libassuan's now in a
> version 2.

There is a new release:

  Noteworthy changes in version 0.9.2 (2012-05-02)

   * Adjust server mode to modern Libassuan.

   * Add options --enable-logging for W32.

   * Add options --gpg-binary, --gpgsm-binary and --debug-edit-fsm.

   * Properly process CMS data in the clipboard and with the server's
     VERIFY_FILES and DECRYPT_FILES commands.

   * Minor code cleanups.


  Noteworthy changes in version 0.9.1 (2012-04-18)

   * The key selection dialogs for encryption and signing do not anymore
     list expired, revoked or otherwise invalid keys.

   * If no recipients are given to the server, a generic key selection
     dialog is now used.

   * Now works with Libassuan 2.x.

   * The card manager now displays the ATR for an unknown card.



Shalom-Salam,

   Werner
  
-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: changing the default for --keyid-format

2012-05-30 Thread Robert J. Hansen
On 05/30/2012 09:40 AM, Mark H. Wood wrote:
> Oh, how many times have I wondered why GPA has no search tool.

Taking a look at GPA, it seems that 0.9.0 no longer compiles on a modern
UNIX -- it expects libassuan-1.x, apparently, and libassuan's now in a
version 2.

I wasn't able to get the git checkout to work, either, due to a gettext
infrastructure mismatch.  The Makefile.in.in came from 0.17, but the
autoconf macros on my system are from 0.18.



Re: changing the default for --keyid-format

2012-05-30 Thread Mark H. Wood
On Tue, May 29, 2012 at 09:23:08PM +0200, Werner Koch wrote:
> On Tue, 29 May 2012 19:44, r...@sixdemonbag.org said:
> 
> > Anyway.  If people are interested in what I found out about effective
> > user-interface design with respect to certificate managers, say the
> > word.  Otherwise I'll crawl back under my rock and leave the subject
> 
> GPA has many different ways to show keys.  IMHO the selection box which
> pops up in GPA, if run as a UI-server, can't figure out the key to use.
> I have always thought that this is better than the standard GPA
> frontpage, which shows all keys; despite that the most common operation
> then is trying to locate the right key.  A search box would make much
> more sense here.  However, changing such a common UI might result in a
> lot of negative comments - people love what they once learned.

Oh, how many times have I wondered why GPA has no search tool.
There's plenty of unused space to the right of "[bunch of keys] Key
manager".  To say nothing of the (perhaps peculiar) custom of placing
a "Find" operation on Edit menus.  The tabular display can stay where
it is.  Perhaps the search function (when there is one) could scroll
it, or sort all of the current hits to the top of the table widget's
viewport.

I've been meaning to do something about that but, I'm ashamed to say,
I haven't gotten it done.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.




Re: getting an encrypted file to show what public key was used

2012-05-30 Thread Mark H. Wood
On Tue, May 29, 2012 at 11:28:36AM -0400, Robert J. Hansen wrote:
> This goes to underline the importance of proper certificate validation.
> If I have the sequence of events correct, then it could have been
> avoided entirely if there had been a Step 4.5, "validate the certificate
> he just received."

Indeed.  The problem is much like a hash index.  And anyone who's used
hash indexing* should know that he must search the indicated "bucket"
for the record which actually matches the search key.  Hashing only
cuts the size of the search space; it doesn't guarantee reducing it to
a single-element space.


* And anyone who puts socks in one drawer and shirts in another has
  used hash indexing. :-)

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.




Re: GnuPG 2 + OpenPGP card on F17

2012-05-30 Thread Robert J. Hansen
On 5/30/12 5:13 AM, Werner Koch wrote:
>   log-file socket://home/USER/.gnupg/S.log

Also, should this be socket://home... or socket:///home...?

With the former, when I invoke gpg-agent manually I get a message of
"can't connect to `home/rjh/.gnupg/S.log': No such file or directory".
With the latter, I get a "can't connect to `/home...': Connection refused."

Starting over from scratch again I manually removed S.gpg-agent and
S.log.  S.gpg-agent was recreated automatically, but S.log seemed to not be.



Re: GnuPG 2 + OpenPGP card on F17

2012-05-30 Thread Robert J. Hansen
Thanks very much for being willing to help with this.  I appreciate it.

After making the debugging changes to scdaemon.conf and gpg-agent.conf,
I ps ax|grepped for gpg-agent and killed all running instances.  I then
logged out of my GNOME 3 session, in order to bring the state to as
close to pristine as I could without a full reboot.  I removed the card
from the reader, restarted GNOME 3, reinserted the card and tried again.

After running 'watchgnupg --force /home/rjh/.gnupg/S.log | tee
mycombinedlog', I ran 'gpg2 --card-status' and got another round of the
'Unsupported certificate' message.  No output was written to the file
'mycombinedlog', which was zero bytes in length.




Re: GnuPG 2 + OpenPGP card on F17

2012-05-30 Thread Werner Koch
On Wed, 30 May 2012 11:47, quanngu...@mbm.vn said:

> I tried to make the log, but both the file S.log and mycombinedlog are
> empty.
> Did I do something wrong?

Did you restart gpg-agent? 

  pkill gpg-agent

and check with ps that it has really been killed.  You should see a
notice in the log as soon as you restart gpg-agent.  Check also the
owner of the socket:

  lsof /home/USER/.gnupg/S.gpg-agent


Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: GnuPG 2 + OpenPGP card on F17

2012-05-30 Thread Nguyễn Hồng Quân
Hello Werner,

I also encounter this problem on Ubuntu 12.04

I tried to make the log, but both the file S.log and mycombinedlog are
empty.
Did I do something wrong?

hongquan@Pangolin ~ $ cat .gnupg/scdaemon.conf
log-file socket://home/hongquan/.gnupg/S.log
verbose
debug 1024
debug 2048
debug-ccid-driver
hongquan@Pangolin ~ $ cat .gnupg/gpg-agent.conf
log-file socket://home/hongquan/.gnupg/S.log
verbose
debug 1024

On Wed 30 May 2012 04:13:03 PM ICT, Werner Koch wrote:
> On Wed, 30 May 2012 10:50, r...@sixdemonbag.org said:
>
>> for a bit.  If anyone has any advice, I'll be coming back to this
>> problem tomorrow.  Maybe letting it sit for a while will spur my brain
>> into solving it.
>
> The "sudo gpg2" might indicate that root has a running gpg-agent and
> thus scdaemon.  Scdaemon requests exclusive access to the card (but see
> --timeout) and thus you can't access the card from the user.
>
> The usual debug hints are:
>
>   log-file socket://home/USER/.gnupg/S.log
>   verbose
>   debug 1024
>   debug 2048
>   debug-ccid-driver
>
> to scdaemon.conf and
>
>   log-file socket://home/USER/.gnupg/S.log
>   verbose
>   debug 1024
>
> to gpg-agent.conf.  Then start in another xterm
>
>   watchgnupg --force /home/USER/.gnupg/S.log | tee mycombinedlog
>
> Run
>
>   gpg2 --card-status
>
> and watch what happens.  You may send me the log output.  You may also
> try to stop pcscd and add write access to the reader's USB device.
>
>
> Salam-Shalom,
>
>Werner
>

--
Regards,
Quân



Re: [Sks-devel] [FYI] keys.gnupg.net (was: changing the default for --keyid-format)

2012-05-30 Thread Jeffrey Johnson

On May 29, 2012, at 1:26 PM, Werner Koch wrote:

> Hi,
> 
> I can't remember whether I announced it, but since some weeks
> 
>  keys.gnupg.net is a CNAME to pool.sks-keyservers.net
> 
> and
> 
>  http-keys.gnupg.net is a CNAME to ha.pool.sks-keyservers.net
> 
> The reason for this change is that it is useless to spend a lot of work
> in maintaining such a second pool.  The folks behind sks-keyservers.net
> do a very good job.  keys.gnupg.org is mentioned in the installed sample
> config file and thus likely used by many new users.  Now it works again.
> 

FWIW, the reasoning is/was similar in RPM choosing the sks-keyservers pool
as a default key server configuration:

  %_hkp_keyserver hkp://pool.sks-keyservers.net
  %_hkp_keyserver_query %{_hkp_keyserver}/pks/lookup?op=get&search=

There's no need to reinvent a better infrastructure.

So I'll chime in and piggy-back a +1 to Kristian Fiskerstrand here: Nice job!

(aside)
The previous default of "keys.rpm5.org" might yet have to be resurrected
if it is not possible to also use SKS key servers as a notary registrar for
automatically generated key pairs generated by every invocation of
rpmbuild -ba foo.spec
The number of invocations of rpmbuild daily is likely larger than all other
pubkey uploads to SKS key servers combined.

Which makes me a bit more sensitive to issues of bloat! with CA57AD7C
robo-signatures in SKS key servers than most.

73 de Jeff



Re: GnuPG 2 + OpenPGP card on F17

2012-05-30 Thread Werner Koch
On Wed, 30 May 2012 10:50, r...@sixdemonbag.org said:

> for a bit.  If anyone has any advice, I'll be coming back to this
> problem tomorrow.  Maybe letting it sit for a while will spur my brain
> into solving it.

The "sudo gpg2" might indicate that root has a running gpg-agent and
thus scdaemon.  Scdaemon requests exclusive access to the card (but see
--timeout) and thus you can't access the card from the user.

The usual debug hints are:

  log-file socket://home/USER/.gnupg/S.log
  verbose
  debug 1024
  debug 2048
  debug-ccid-driver

to scdaemon.conf and 

  log-file socket://home/USER/.gnupg/S.log
  verbose
  debug 1024

to gpg-agent.conf.  Then start in another xterm

  watchgnupg --force /home/USER/.gnupg/S.log | tee mycombinedlog

Run 

  gpg2 --card-status

and watch what happens.  You may send me the log output.  You may also
try to stop pcscd and add write access to the reader's USB device.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


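The two checks Werner asks for in this thread (restart gpg-agent and confirm with ps that nothing is left running; check the owner of S.gpg-agent with lsof) and the debug settings he lists for scdaemon.conf and gpg-agent.conf, collected into one script. This is an added example, not code from the thread or from GnuPG. It assumes a GnuPG 2.0-era layout (gpg-agent.conf, scdaemon.conf and the S.gpg-agent socket all under GNUPGHOME) and a procps-style `ps` on Linux; the function names and the `ps ax -o pid=,user=,stat=,args=` column layout the parsers expect are my choices.

```shell
#!/bin/sh
# Added example (not from the thread or from GnuPG): helpers for the
# gpg-agent/scdaemon debugging steps discussed above.  Assumes a GnuPG
# 2.0-era GNUPGHOME layout and a procps-style `ps`.  Function names are
# mine.

# Append $2 to file $1 unless that exact line is already present.
append_once() {
    grep -qxF "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Write the debug settings from the thread into $1 (a GNUPGHOME), without
# duplicating lines on a second run.  "socket://" is followed by the
# absolute path, giving the three-slash form (socket:///home/...) that
# the thread settles on as correct.
write_debug_conf() {
    home="$1"
    mkdir -p "$home" && chmod 700 "$home"
    sock="socket://$home/S.log"
    for line in "log-file $sock" verbose "debug 1024" "debug 2048" debug-ccid-driver; do
        append_once "$home/scdaemon.conf" "$line"
    done
    for line in "log-file $sock" verbose "debug 1024"; do
        append_once "$home/gpg-agent.conf" "$line"
    done
}

# Read `ps ax -o pid=,user=,stat=,args=` output on stdin and print
# "PID USER" for every gpg-agent or scdaemon that is really alive.
# Zombies (STAT beginning with Z, like the "[gpg-agent]" entry in the ps
# listing above) are skipped: pkill already killed them, and they stay
# listed only until the parent process reaps them.
live_agents() {
    awk '$4 ~ /gpg-agent|scdaemon/ && $3 !~ /^Z/ { print $1, $2 }'
}

# Same input; print only agents that belong to a user other than $1.
# A root gpg-agent left behind by `sudo gpg2` starts a root scdaemon,
# which holds the card exclusively, so the ordinary user cannot open it.
foreign_agents() {
    live_agents | awk -v me="$1" '$2 != me'
}

# Succeed only if $2 exists, is a socket, and is owned by user $1.
socket_owned_by() {
    [ -S "$2" ] || return 1
    [ "$(ls -ld "$2" | awk '{ print $3 }')" = "$1" ]
}

# Live checks against this machine.  $1 = user, $2 = GNUPGHOME.
diagnose() {
    echo "== live gpg-agent/scdaemon processes (pid user) =="
    ps ax -o pid=,user=,stat=,args= | live_agents
    echo "== agents owned by someone other than $1 =="
    ps ax -o pid=,user=,stat=,args= | foreign_agents "$1"
    if socket_owned_by "$1" "$2/S.gpg-agent"; then
        echo "$2/S.gpg-agent: socket owned by $1"
    else
        echo "$2/S.gpg-agent: missing, not a socket, or not owned by $1"
    fi
    echo "== processes holding the socket open (lsof) =="
    lsof "$2/S.gpg-agent" 2>/dev/null || echo "(nothing has it open)"
}

# Usage:  sh gpg-agent-debug.sh diagnose
#         sh gpg-agent-debug.sh debugconf
# After debugconf: pkill gpg-agent, re-run diagnose until no live agent
# remains, start `watchgnupg --force $GNUPGHOME/S.log | tee mycombinedlog`
# in another terminal, then run `gpg2 --card-status`.
case "${1:-}" in
    diagnose)  diagnose "$(id -un)" "${GNUPGHOME:-$HOME/.gnupg}" ;;
    debugconf) write_debug_conf "${GNUPGHOME:-$HOME/.gnupg}" ;;
esac
```

The parsers take ps output on stdin rather than calling ps themselves so that a saved listing (for instance one pasted into a mail) can be fed through them; the zombie filter matters because an entry in state Z is not what keeps the card busy, whereas a live agent under another uid is.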


Re: changing the default for --keyid-format

2012-05-30 Thread Michel Messerschmidt
On Tue, May 29, 2012 at 10:03:57PM -0400, Robert J. Hansen wrote:
> There may be a use case for contextualization in certificates, but if so
> I haven't found it yet.  :)

You may want to look up all certificates that signed a certificate.
Or just get all your certificates displayed.
Or all certificates that have been signed with your keys.

But this is not to say that a tabular representation helps for these 
use cases :)





Re: GnuPG 2 + OpenPGP card on F17

2012-05-30 Thread Robert J. Hansen
On 05/30/2012 04:32 AM, Robert J. Hansen wrote:
> If GnuPG can't access it from the command line, Seahorse isn't going to
> have any better luck.
> 
> With gnome-keyring-daemon running:

And, after restarting gnome-keyring-daemon:


[rjh@isaiah Downloads]$ gpg2 --card-status
gpg: selecting openpgp failed: Unsupported certificate
gpg: OpenPGP card not available: Unsupported certificate

[rjh@isaiah Downloads]$ sudo gpg2 --card-status
Application ID ...: D2760001240102050D18
Version ..: 2.0
Manufacturer .: ZeitControl
... [snip] ...


It seems nondeterministic.  Which is, I know, not the case -- but it's
incredibly frustrating.  At risk of pointing out the obvious, I'm not a
newcomer to GnuPG: if I was a newbie facing this, I would likely be
overwhelmed by the seeming intractability of getting smartcards working
reliably with GNOME 3.

I'm frustrated and angry, and I'm just going to leave the problem here
for a bit.  If anyone has any advice, I'll be coming back to this
problem tomorrow.  Maybe letting it sit for a while will spur my brain
into solving it.



Re: GnuPG 2 + OpenPGP card on F17

2012-05-30 Thread Robert J. Hansen
On 05/30/2012 02:37 AM, Guillaume Lanquepin-Chesnais wrote:
> It seems that the version of gnome shipped with F17 includes a
> gnome-keyring that supports smartcard (cf
> http://nlnet.nl/project/seahorse-sc/). You should look into seahorse/key
> manager if your smartcard is listed in it

If GnuPG can't access it from the command line, Seahorse isn't going to
have any better luck.

With gnome-keyring-daemon running:

[rjh@isaiah Downloads]$ gpg2 --card-status
gpg: selecting openpgp failed: Card error
gpg: OpenPGP card not available: Card error

[rjh@isaiah Downloads]$ sudo gpg2 --card-status
gpg: OpenPGP card not available: Not supported
