understanding GnuPG --clearsign option
Hi, one can sign the message with --clearsign option which adds ASCII armored(Radix-64 encoding) PGP signature at the end of the text. This PGP signature contains the UID of the signer, timestamp and key ID. However, two questions: 1) Where is the UID of the signer, timestamp of the signature and signer key-ID stored? If I execute gpg2 --verify file.asc, then I'm able to see the UID of the signer, timestamp and signer key-ID, but if I decode the Radix-64/base64 data back to binary(base64 -d) and use hexdump -C to analyze this data, I do not see the UID, timestamp or signer key-ID. 2) What exactly is this PGP signature? Is it a SHA1 hash of the message which is encrypted with my private key and then ASCII armored? regards, Martin ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How to create new keyring from an existing key in an existing keyring?
On 11/08/13 23:11, adrelanos wrote: I could think of a way to export the key, change --homedir, create a new keyring, and import a the key. But is there a more elegant way? gpg --export 0xDEADBEEF | gpg --no-default-keyring --keyring \ /etc/apt/trusted.gpg.d/meat.gpg --import (one long command line) HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at http://digitalbrains.com/2012/openpgp-key-peter ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How to create new keyring from an existing key in an existing keyring?
On 08/12/2013 09:18 AM, Peter Lebbing wrote: On 11/08/13 23:11, adrelanos wrote: I could think of a way to export the key, change --homedir, create a new keyring, and import a the key. But is there a more elegant way? gpg --export 0xDEADBEEF | gpg --no-default-keyring --keyring \ /etc/apt/trusted.gpg.d/meat.gpg --import (one long command line) Assumes /etc/apt/trusted.gpg.d exists and is a folder (good assumption for Debian based, not so good for RPM based) and that the ordinary user can write a file in the folder (bad assumption even if your flavor is Debian-esque) with no changes made. On Debian-esque you may need to do a: # chmod 1777 /etc/apt/trusted.gpg.d then the above command, then: # chmod 755 /etc/apt/trusted.gpg.d Does that get you what you want? Is the meat some sort of comment that adrelanos will be dead meat? The command is elegant though. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[Announce] GPGME 1.4.3 released
Hello! I am pleased to announce version 1.4.3 of GPGME. GnuPG Made Easy (GPGME) is a C language library that allows to add support for cryptography to a program. It is designed to make access to public key crypto engines as included in GnuPG easier for applications. GPGME provides a high-level crypto API for encryption, decryption, signing, signature verification, and key management. * Noteworthy changes in version 1.4.3 (2013-08-12) - The default engine names are now taken from the output of gpgconf. If gpgconf is not found the use of gpg 1 is assumed. - Under Windows the default engines names are first searched in the installation directory of the gpgme DLL. - New function gpgme_data_identify to detect the type of a message. - Interface changes relative to the 1.4.2 release: ~~ gpgme_signers_countNEW. gpgme_data_type_t NEW. gpgme_data_identifyNEW. * Download You may download this library and its OpenPGP signature from: ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.4.3.tar.bz2 (950k) ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.4.3.tar.bz2.sig GZIP compressed tarballs are also available: ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.4.3.tar.gz (1202k) ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.4.3.tar.gz.sig As an alternative you may use a patch file to upgrade the previous version of the library: ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.4.2-1.4.3.diff.bz2 (27k) SHA-1 checksums are: ffdb5e4ce85220501515af8ead86fd499525ef9a gpgme-1.4.3.tar.bz2 65c7f78593065946a7480c3389b4b1f19326a59d gpgme-1.4.3.tar.gz dc9f68f8d2fa1208f736035fc6c5693ae4bac0f7 gpgme-1.4.2-1.4.3.diff.bz2 * Support Please send questions regarding the use of GPGME to the gnupg-devel mailing list: http://lists.gnupg.org/mailman/listinfo/gnupg-devel/ If you need commercial support, you may want to consult this listing: http://www.gnupg.org/service.html The driving force behind the development of the GnuPG system is my company g10 Code. Maintenance and improvement of GnuPG and related software takes up most of our resources. To allow us to continue our work on free software, we ask to either purchase a support contract, engage us for custom enhancements, or to donate money: http://g10code.com/gnupg-donation.html Happy hacking, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. pgp6_A4ygOldF.pgp Description: PGP signature ___ Gnupg-announce mailing list gnupg-annou...@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: understanding GnuPG --clearsign option
On Mon, Aug 12, 2013 at 11:40:35AM +0300, Martin T wrote: Hi, one can sign the message with --clearsign option which adds ASCII armored(Radix-64 encoding) PGP signature at the end of the text. This PGP signature contains the UID of the signer, timestamp and key ID. However, two questions: 1) Where is the UID of the signer, timestamp of the signature and signer key-ID stored? If I execute gpg2 --verify file.asc, then I'm able to see the UID of the signer, timestamp and signer key-ID, but if I decode the Radix-64/base64 data back to binary(base64 -d) and use hexdump -C to analyze this data, I do not see the UID, timestamp or signer key-ID. 2) What exactly is this PGP signature? Is it a SHA1 hash of the message which is encrypted with my private key and then ASCII armored? According to http://openpgp.org/technical/ the OpenPGP standard is RFC 4880. So, as your question is quite technical, you should be able to find your answer here : http://www.ietf.org/rfc/rfc4880.txt Sorry for not being able to help you more! Leo ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: understanding GnuPG --clearsign option
On 08/12/2013 08:40 AM, Martin T wrote: Hi, one can sign the message with --clearsign option which adds ASCII armored(Radix-64 encoding) PGP signature at the end of the text. This PGP signature contains the UID of the signer, timestamp and key ID. However, two questions: GnuPG does much more than just the Radix-64 encoding with the --clearsign: $ gpg --default-key MINE --output list.asc \ --clearsign list.txt By that I mean gpg/gpg2 doesn't just do a base64 conversion but also does other magic stuff. You can stop reading now. 1) Where is the UID of the signer, timestamp of the signature and signer key-ID stored? If I execute gpg2 --verify file.asc, then I'm able to see the UID of the signer, timestamp and signer key-ID, but if I decode the Radix-64/base64 data back to binary(base64 -d) and use hexdump -C to analyze this data, I do not see the UID, timestamp or signer key-ID. The UID and other things are stored in the string which is usually more than one line long between the BEGIN PGP SIGNATURE and END PGP SIGNATURE. But I am puzzled how you did this part. If I copy the now clear signed list.txt to a justsig.txt file and edit out all but the hash I get a warning. Actually I get a warning no matter what content is in the justsig.txt file from the base file: $ base64 -d justsig.asc list.bin base64: invalid input The list.bin file has zero length unless you use nothing but the hash which is the normal way base64 works for email attachments. In any event, list.bin created with just the hash has no known file type that magic understands. e.g.: $ file list.bin list.bin: data $ ls -l list.bin 287 list.bin Like I said, if you use anything BUT just the hash, list.bin will contain nothing (zero bytes). But I will ALWAYS get the invalid input meaning it is something base64 does NOT understand. Is this what you did to get a non-zero length file via base64 -d from a --clearsign file? 2) What exactly is this PGP signature? Is it a SHA1 hash of the message which is encrypted with my private key and then ASCII armored? It uses the hash in the preferred order of what is associated with the key used and what the the version of OpenPGP you are using is capable of handling. That for me is SHA-256 since that is my first choice and my version of gpg can handle it. SHA1 is usually the default unless you set your preferences to something else since it is still difficult to do a brute attack on SHA1 (but it can be done): http://securemecca.com/public/GnuPG/GnuPG_Prefs.txt The hash is created based on the text as input using the private side of the key and then ASCII armored in such a way that when you verify it finds the appropriate public key based on the hash and does the other hash calculation of the text and see if it matches. In any event, the markers of --clearsign make it clear that only an OpenPGP compliant program can handle it. The MIME markines are used by email to determine what handles it since a --clearsign is what you need to make the signature something you can send in email but it can be used for other purposes. It is just that you can NOT send a non-ASCII signature directly in email without it being converted to ASCII first. There are other uses of -clearsign like when you what the signature and the file contents together. base64, the older uuencode and uudecode and similar programs do nothing more than convert a binary file like a zip file into ASCII text so the zip file can be sent as an email attachment. Send a message to yourself in email with a test.zip attachment. Save the entire message to a file (for Thunderbird you will have an *.eml file). Assuming the file was named test.eml and the attachment was test.zip: $ cp test.eml test.base64 Edit the test.base64 file so it has only the hashed material and note the zip name (assuming test.zip was what you attached and sent). Also note that it uses base64 as the type in the Content-Transfer-Encoding: if that is what your email used (it usually is). $ base64 -i -d test.base64 test,zip $ file test.zip test.zip: Zip archive data, at least v1.0 to extract $ unzip test.zip $ cat test.txt Hello World GnuPG does much more than just the Radix-64 binary to ASCII conversion and only gpg or gpg2 can handle it. Use base64 only if it is specified in the MIME markings (the latest malware from PeskySpammer here): Content-Type: application/zip; name=Tax Notices Report.zip Content-Transfer-Encoding: base64 Content-Disposition: attachment; name=Tax Notices Report.zip Usually you won't need to use base64 and Thunderbird Evolution, or other mail programs will allow the saving of the file unless Microsoft Exchange munges it in a bounce to you. In that case, if base64 is specified as the Transfer Encoding type you can save the enter message to file. Then edit the file and strip off all the other stuff and get the file out of the hashed stuff even if your mail
Re: Question about notations and domains
On Sun, 11 Aug 2013 16:44, eye.of.the.8ehol...@gmail.com said: Also is there a list or registry containing the defined notations ? The only ones i am aware of are preferred-email-encoding and issuer-fpr. The notations GnuPG knows about are found in g10/parse-packet.c:can_handle_critical_notation Given that these are private notations you won't be able to find a complete reference. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How to create new keyring from an existing key in an existing keyring?
Peter Lebbing: On 11/08/13 23:11, adrelanos wrote: I could think of a way to export the key, change --homedir, create a new keyring, and import a the key. But is there a more elegant way? gpg --export 0xDEADBEEF | gpg --no-default-keyring --keyring \ /etc/apt/trusted.gpg.d/meat.gpg --import (one long command line) That worked well. Thanks for your help. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[OT] Re: How to create new keyring from an existing key in an existing keyring?
On 12/08/13 14:04, Henry Hertz Hobbit wrote: gpg --export 0xDEADBEEF | gpg --no-default-keyring --keyring \ /etc/apt/trusted.gpg.d/meat.gpg --import Assumes /etc/apt/trusted.gpg.d exists and is a folder (good assumption for Debian based, not so good for RPM based) I simply took his own example. # chmod 1777 /etc/apt/trusted.gpg.d Bad idea. It makes my eyes hurt, 1777 and trusted directly next to eachother ;). I think it's not really directly related to the question, but if it were relevant, I'd say that the correct way would be to let the ordinary user create the file elsewhere and then have root move it to that directory, /after/ changing ownership of the file to root. Is the meat some sort of comment that adrelanos will be dead meat? Eh? A bit sinister interpretation, but okay: I took 0xDEADBEEF for the fact that it's a 32-bit identifier that's mildly funny. I still needed a filename for the keyring, so I stored the dead beef in the meat file. Cheers, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at http://digitalbrains.com/2012/openpgp-key-peter ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: understanding GnuPG --clearsign option
On Mon, Aug 12, 2013 at 11:40:35AM +0300, Martin T wrote: Hi, one can sign the message with --clearsign option which adds ASCII armored(Radix-64 encoding) PGP signature at the end of the text. This PGP signature contains the UID of the signer, timestamp and key ID. However, two questions: 1) Where is the UID of the signer, timestamp of the signature and signer key-ID stored? If I execute gpg2 --verify file.asc, then I'm able to see the UID of the signer, timestamp and signer key-ID, but if I decode the Radix-64/base64 data back to binary(base64 -d) and use hexdump -C to analyze this data, I do not see the UID, timestamp or signer key-ID. To add to the other good advice you've gotten, you might want to experiment with the --list-packets option to gpg to get a peak at the inner structure of that blob at the end. -- @maximus_freeman 0x7D964D3361142ACF pgpMkpwmvefDh.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: understanding GnuPG --clearsign option
On Aug 12, 2013, at 4:40 AM, Martin T m4rtn...@gmail.com wrote: Hi, one can sign the message with --clearsign option which adds ASCII armored(Radix-64 encoding) PGP signature at the end of the text. This PGP signature contains the UID of the signer, timestamp and key ID. However, two questions: 1) Where is the UID of the signer, timestamp of the signature and signer key-ID stored? If I execute gpg2 --verify file.asc, then I'm able to see the UID of the signer, timestamp and signer key-ID, but if I decode the Radix-64/base64 data back to binary(base64 -d) and use hexdump -C to analyze this data, I do not see the UID, timestamp or signer key-ID. The timestamp and the signer's key ID are both present in the binary blob. The signer's user ID is not, as GPG is using the signer's key ID to look up the signer's key and shows the user ID from there. 2) What exactly is this PGP signature? Is it a SHA1 hash of the message which is encrypted with my private key and then ASCII armored? It's not always SHA-1, and there are other things included in the hash, but at a very high level, this is basically accurate. The exact construction of a signature and how the input is calculated is given in RFC-4880, the OpenPGP specification. David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users