Unattended subkey generation

2014-12-09 Thread Salih Kardan
Hello everyone,

Is it possible to generate sub-keys without user interaction?
I found this Unattended-GPG-key-generation article, but currently it
allows just one subkey while generating a key pair.
What I want is a little bit different: I want to generate just sub-keys
without user interaction.

Last week in a mailing list post I saw the below command to change
passphrase without user interaction:

    echo -e "PASSWD\nMyOldPassword\nMyNewPassword\nSAVE" | gpg --command-fd 0 \
        --no-tty --passphrase-repeat 0 --status-fd 2 --verbose --edit-key E62651B3

Can I apply the same approach while generating sub-keys? If yes, could you
please provide me a sample?
Thanks,
Salih
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: "key algorithm" in GnuPG's signature verification output

2014-12-09 Thread MFPA



On Tuesday 9 December 2014 at 10:58:47 AM, gnupgpacker wrote:

> Gpg-1.4.8 isn't capable of using edDSA. In my opinion
> output would be ok if a new edDSA key has been used!?
> If RSA signing key has been used, there might be some
> fault...

Both were used.

For the RSA subkey, the verification output you shared shows bad signature.

For the EDDSA subkey your output is the expected result.



-- 
Best regards

MFPA  mailto:2014-667rhzu3dc-lists-gro...@riseup.net

The trouble with words is that you never know whose mouths they've been in.


Re: "key algorithm" in GnuPG's signature verification output

2014-12-09 Thread MFPA



On Tuesday 9 December 2014 at 9:22:07 AM, Hugo Hinterberger wrote:


> Hi,

> It seems that you (MFPA) changed your signing practice
> after I noted that I can't verify signatures created
> with your key “1AF778E4”. I did not know that one could
> sign a message with two keys in one signing block.

Just use "local-user" more than once. If identifying specific subkeys,
you need to follow the key-id with an exclamation mark (!).



> I am wondering if there is a way to collapse the
> verification result for a multi-key signature down to a
> single “good” or “bad” value/result, because Enigmail
> gave me some ambiguous message about your signatures.

What I am applying is two signatures. It is perfectly possible you can
verify one and not the other.


-- 
Best regards

MFPA  mailto:2014-667rhzu3dc-lists-gro...@riseup.net

War is a matter of vital importance to the State.
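
Added example, not part of the thread or of GnuPG: one way to collapse the per-signature results that `gpg --status-fd` reports for a message with two signatures into a single verdict, as asked about above. The status keywords and the ERRSIG field order follow GnuPG's doc/DETAILS; the sample lines, key IDs, the state names and the `require_all` policy switch are constructed for illustration.

```python
# Added example: reduce gpg --status-fd output for a message carrying several
# signatures to one verdict. All sample lines and key IDs are constructed.
ERRSIG_REASON = {"4": "unknown algorithm", "9": "missing public key"}

def parse_status(text):
    """Return [(state, key_id, detail)], one entry per signature gpg reported."""
    sigs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        keyword, key_id = parts[1], parts[2]
        if keyword == "GOODSIG":
            sigs.append(("good", key_id, " ".join(parts[3:])))
        elif keyword == "BADSIG":
            sigs.append(("bad", key_id, " ".join(parts[3:])))
        elif keyword in ("EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            sigs.append(("inconclusive", key_id, keyword))
        elif keyword == "ERRSIG" and len(parts) >= 8:
            # ERRSIG <keyid> <pkalgo> <hashalgo> <sig_class> <time> <rc>
            reason = ERRSIG_REASON.get(parts[7], "error code " + parts[7])
            sigs.append(("inconclusive", key_id, reason))
    return sigs

def collapse(sigs, require_all=True):
    """Single verdict for the whole message: 'good', 'bad' or 'unverified'."""
    states = [state for state, _, _ in sigs]
    if "bad" in states:
        return "bad"          # a failed check is never masked by another signature
    if "good" not in states:
        return "unverified"   # nothing could be checked, or no signature at all
    if require_all and "inconclusive" in states:
        return "unverified"   # strict policy: every signature must verify
    return "good"

# Constructed: an RSA signature that fails plus an EdDSA one (pkalgo 22) that
# this gpg cannot check, the combination shown in the German output in the thread.
OLD_GPG = """\
[GNUPG:] BADSIG 1111111111111111 Constructed User <user@example.org>
[GNUPG:] ERRSIG 2222222222222222 22 10 01 1417881393 4
"""
# Constructed: one signature verifies, the other cannot be checked.
ONE_OF_TWO = """\
[GNUPG:] GOODSIG 1111111111111111 Constructed User <user@example.org>
[GNUPG:] ERRSIG 2222222222222222 22 10 01 1417881393 4
"""

if __name__ == "__main__":
    for name, sample in (("old gpg", OLD_GPG), ("one of two", ONE_OF_TWO)):
        sigs = parse_status(sample)
        print(name, collapse(sigs), collapse(sigs, require_all=False))
```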


[SOLVED-ish] Re: Cannot sign (but can decrypt) after importing stub-keys from smart-card

2014-12-09 Thread Olivier Mehani
Hi all,

As it appears, I had the problem before, and even documented it [0] for
memory's sake, then completely forgot about it. So here's an update for
that, so I can find the solution better next time (:

tldr; GnuPG looks (apparently) for the most recent signing subkey
listed in the (public/secret?) keyring. Deleting those from the local
keyring, until GPG picks the one present on the card, seems to be a
working option. Is there any other?

On 2014-12-04, Olivier Mehani  wrote:
> I am using
> * gpg (GnuPG) 2.0.26 (2.0.26-1 [ArchLinux]),
> * the card reader integrated with the Broadcom BCM5880 subsystem on my
>   laptop,
> * pcsclite 1.8.13-1 and ccid 1.4.18-1 (ArchLinux),
> * an already initialised OpenPGP card (from Kernel Concepts),
> * a fresh user account.
> I had to downgrade from GPG 2.1 to 2.0 to be able to create the stubs, as
> suggested on this ML to work around [0] (In short: --card-edit/fetch;
> --edit-key/trust; --refresh-keys; --card-status).
[...]
> I can now decrypt messages
>   $ gpg -er sht...@ssji.net  | gpg -d
>   test
>   ^D
[...]
> Unfortunately I don't seem to be able to sign
[...]
> What am I doing wrong?

A better way to understand what's happening is to ask GnuPG to be
verbose.

$ gpg -sv
gpg: using subkey 0xF9EB425E6D1886A7 instead of primary key 0xF012A6E298C66655
gpg: secret key parts are not available
gpg: no default secret key: Unusable secret key
gpg: signing failed: Unusable secret key

Here, 0xF9EB425E6D1886A7 is (one of) the key(s) to be removed from the
keyring.

   $ gpg --edit-key 98c66655
   gpg> key 10
   gpg> delkey
   gpg> save

Once all mentions of other (more recent?) signing subkeys have been
removed from the keyring, GnuPG has no other choice but to use the
signing subkey present on the smartcard.

  $ gpg -sv
  gpg: NOTE: signature key 0x6CDA813213912971 expired Fri 26 Oct 2012 23:17:20 AEDT
  gpg: NOTE: signature key 0x9CA49F44ABCF4EFA expired Mon 21 Jan 2013 14:11:29 AEDT
  gpg: no secret subkey for public subkey 0x6CDA813213912971 - ignoring
  gpg: no secret subkey for public subkey 0x9CA49F44ABCF4EFA - ignoring
  gpg: no secret subkey for public subkey 0xADCF72E06DBC3057 - ignoring
  gpg: no secret subkey for public subkey 0xF9EB425E6D1886A7 - ignoring
  gpg: using subkey 0xE9566B9D0957D2D3 instead of primary key 0xF012A6E298C66655
  gpg: writing to stdout

What is still not clear to me is that now GnuPG does recognise that the
other secret subkeys are not available and ignores them. AFAIK
they were already unavailable before (or, at least, unusable, as
confirmed by the fact that they were suffixed with '#').

Could this be a bug, or just a misunderstanding on my part?
Additionally, is there any better way to deal with this issue?

[0] https://www.narf.ssji.net/~shtrom/wiki/tips/openpgpsmartcard?&#missing_key_chosen_for_signing

-- 
Olivier Mehani 
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655
Confidentiality cannot be guaranteed on emails sent or received unencrypted.
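
Added example, not from the post or from GnuPG: a pre-flight check that reads `gpg --list-secret-keys --with-colons --fixed-list-mode` output and reports when the newest unexpired signing subkey is only a stub (`#` in field 15), the situation the post works around with `delkey`. The "newest signing subkey wins" rule is the post's guess, not confirmed GnuPG behaviour; the listing uses key IDs from the post, while its dates, capabilities and card serial number are constructed.

```python
# Added example: pre-flight check for the failure described in the post, run on
# `gpg --list-secret-keys --with-colons --fixed-list-mode` output.

def signing_subkeys(listing, now):
    """Return unexpired signing-capable subkeys from a colon listing, newest first."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] != "ssb" or len(f) < 15 or "s" not in f[11]:
            continue                        # field 12: key capabilities
        if f[6] and int(f[6]) <= now:       # field 7: expiration date
            continue
        token = f[14]                       # field 15: '#' stub, card S/N, '+' or empty
        where = "stub" if token == "#" else "card" if token not in ("", "+") else "local"
        keys.append({"keyid": f[4], "created": int(f[5]), "where": where})
    return sorted(keys, key=lambda k: k["created"], reverse=True)

def diagnose(listing, now):
    """Report which subkey the 'newest wins' guess selects and what shadows the usable one."""
    keys = signing_subkeys(listing, now)
    usable = [k["keyid"] for k in keys if k["where"] != "stub"]
    shadowing = []
    for k in keys:                          # newest first
        if k["where"] != "stub":
            break
        shadowing.append(k["keyid"])
    return {"picked": keys[0]["keyid"] if keys else None,
            "usable": usable,
            "shadowing": shadowing if usable else []}

# Constructed listing: key IDs are from the post; dates, sizes, capabilities and
# the card serial number are made up for illustration.
LISTING = """\
sec:u:2048:1:F012A6E298C66655:1262304000:::u:::scESC:::#:
ssb:e:2048:1:6CDA813213912971:1319631440:1351253840:::::s:::#:
ssb:u:2048:1:E9566B9D0957D2D3:1356998400::::::s:::D2760001240102000000000000010000:
ssb:u:2048:1:F9EB425E6D1886A7:1388534400::::::s:::#:
"""
NOW = 1418083200  # 2014-12-09 00:00:00 UTC

if __name__ == "__main__":
    print(diagnose(LISTING, NOW))
```

A non-empty `shadowing` list names the stub subkeys that sit ahead of the card-resident key under that guess.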




Re: Mainkey with many subkeys??

2014-12-09 Thread Doug Barton


On 12/08/2014 10:48 AM, Tomo Ruby wrote:
| I know I could just set a new expiration date but most times it's
| recommended to use a key for two years at the longest.

Why do you think that's true? What threat do you think that using a
key for at most 2 years will protect you against?

Note, I'm not trying to attack you here ... you seem to have absorbed
some bad advice, or at best, advice that is intended for a different
use case. So maybe you could fill us in a bit on how you intend to use
your keys ...

Doug



"key algorithm" in GnuPG's signature verification output

2014-12-09 Thread gnupgpacker

Hello,
by the way:

Pls refer to OP:
http://lists.gnupg.org/pipermail/gnupg-users/2014-December/051872.html
Why break quotation marks "1AF778E4" and "good" or "bad" in OP signature 
verification while answering?

Some charset settings needed?

Thx + regards, Chris





Re: Beta for 2.1.1 available

2014-12-09 Thread Johan Wevers
On 09-12-2014 10:02, Hugo Hinterberger wrote:

> I just tried the Clipboard - Sign feature in GPA and noticed that when I
> copy the signed message to the clipboard that an empty line is inserted
> after each line generated for the signature, but not for the original
> message or modified lines (escaped line with "--" → "- --").

A misunderstanding of EOL conventions?

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html




Re: Can't Encrypt in Freebsd 10.1

2014-12-09 Thread Antoine Michard
For the GPG Version
gpg (GnuPG) 2.0.26
libgcrypt 1.6.1
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

And the output of pkg info:
Name   : libgpg-error
Version: 1.17
Installed on   : Mon Dec  8 15:32:57 CET 2014

Install is from port up-to-date and I reinstall later with recompile of all
dependencies

Thanks for helping me

2014-12-09 15:32 GMT+01:00 Werner Koch :

> On Mon,  8 Dec 2014 17:34, michard.anto...@gmail.com said:
>
> > I've installed it from port, everything was fine but when I wanna try to
> > encrypt, it says Abort!
>
> Which GnuPG version is that? ("gpg --version").
> What version of libgpg-error do you use?
>
>
> Shalom-Salam,
>
>Werner
>
> --
> Thoughts are free.  Exceptions are regulated by a federal law.
>
>


-- 
Antoine Michard


Re: Can't Encrypt in Freebsd 10.1

2014-12-09 Thread Werner Koch
On Mon,  8 Dec 2014 17:34, michard.anto...@gmail.com said:

> I've installed it from port, everything was fine but when I wanna try to
> encrypt, it says Abort!

Which GnuPG version is that? ("gpg --version").
What version of libgpg-error do you use?


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




"key algorithm" in GnuPG's signature verification output

2014-12-09 Thread gnupgpacker

Hello,

signing with two keys in one block can be done. But also, if unequal technology 
used (e.g. RSA+edDSA)?

Verifying of MFPA's signature with Gpg-1.4.18 gave me:

gpg: Unterschrift vom 06.12.2014 16:56:22 mittels RSA-Schlüssel ID B31F25F0
gpg: FALSCHE Unterschrift von "0x251BCCEB547B7194" [unbekannt]
gpg: Unterschrift vom 06.12.2014 16:56:33 mittels ?-Schlüssel ID 1AF778E4
gpg: Unterschrift kann nicht geprüft werden: Unbekanntes Public-Key-Verfahren
Time: 09.12.2014 11:45:53 (09.12.2014 10:45:53 UTC)

Gpg-1.4.8 isn't capable of using edDSA.
In my opinion output would be ok if a new edDSA key has been used!?
If RSA signing key has been used, there might be some fault...

Regards, Chris

(Testkey 0x3e2e0598, DSA-2048-sig)


> It seems that you (MFPA) changed your signing practice after I noted that
> I can't verify signatures created with your key “1AF778E4”. I did not know
> that one could sign a message with two keys in one signing block.

> I am wondering if there is a way to collapse the verification result for a
> multi-key signature down to a single “good” or “bad” value/result, because
> Enigmail gave me some ambiguous message about your signatures.



Re: Cross platform working

2014-12-09 Thread kendrick eastes
per https://www.gnupg.org/download/index.html that would be GPG4win (
http://www.gpg4win.org/), there is only an x86 exe, but it works just fine
on x64 windows.

On Tue, Dec 9, 2014 at 1:07 AM, Dave Pawson  wrote:

> I'm looking at sharing an encrypted file, Linux to 64 bit windows.
>
> It seems that a Windows version isn't available, is this right please?
> Lots of "similar" names, nothing from GNU?
>
> TiA
>
> --
> Dave Pawson
> XSLT XSL-FO FAQ.
> Docbook FAQ.
> http://www.dpawson.co.uk
>


Re: "key algorithm" in GnuPG's signature verification output

2014-12-09 Thread Hugo Hinterberger

Hi,

It seems that you (MFPA) changed your signing practice after I noted that  
I can't verify signatures created with your key “1AF778E4”. I did not know  
that one could sign a message with two keys in one signing block.


I am wondering if there is a way to collapse the verification result for a  
multi-key signature down to a single “good” or “bad” value/result, because  
Enigmail gave me some ambiguous message about your signatures.


Kind regards,
Hugo




Re: Beta for 2.1.1 available

2014-12-09 Thread Hugo Hinterberger
On Tue, 09 Dec 2014 10:02:48 +0100, Hugo Hinterberger wrote:

> Hi,
>
> On Mon, 24 Nov 2014 09:24:28 +0100, Werner Koch wrote:
>
>> Bug reports please to the gnupg-users.
>
> I just tried the Clipboard - Sign feature in GPA and noticed that when I
> copy the signed message to the clipboard that an empty line is inserted
> after each line generated for the signature, but not for the original
> message or modified lines (escaped line with "--" → "- --").
>
> System: Windows 7 64-bit
>
> Kind regards,
> Hugo

Trying to verify the just generated message results in a “"Clipboard"
contained no OpenPGP data.” warning message.

Tries to remove the empty lines resulted in “Bad Signature” verification
results.

Hugo




Re: Beta for 2.1.1 available

2014-12-09 Thread Hugo Hinterberger

Hi,

On Mon, 24 Nov 2014 09:24:28 +0100, Werner Koch wrote:

> Bug reports please to the gnupg-users.


I just tried the Clipboard - Sign feature in GPA and noticed that when I  
copy the signed message to the clipboard that an empty line is inserted  
after each line generated for the signature, but not for the original  
message or modified lines (escaped line with "--" → "- --").


System: Windows 7 64-bit

Kind regards,
Hugo




Re: Cross platform working

2014-12-09 Thread Dave Pawson
Thanks - I'll try it.

regards Dave P

On 9 December 2014 at 08:26, kendrick eastes  wrote:
> per https://www.gnupg.org/download/index.html that would be GPG4win (
> http://www.gpg4win.org/), there is only an x86 exe, but it works just fine
> on x64 windows.
>
> On Tue, Dec 9, 2014 at 1:07 AM, Dave Pawson  wrote:
>>
>> I'm looking at sharing an encrypted file, Linux to 64 bit windows.
>>
>> It seems that a Windows version isn't available, is this right please?
>> Lots of "similar" names, nothing from GNU?
>>
>> TiA
>>
>> --
>> Dave Pawson
>> XSLT XSL-FO FAQ.
>> Docbook FAQ.
>> http://www.dpawson.co.uk
>>
>
>



-- 
Dave Pawson
XSLT XSL-FO FAQ.
Docbook FAQ.
http://www.dpawson.co.uk



Re: Cross platform working

2014-12-09 Thread Antoine Michard
Hi,
You can try http://www.gpg4win.org/, works great on 7 64-bit and no problem
to exchange with FreeBSD

Sent from my Nexus 5
On 9 Dec 2014 09:09, "Dave Pawson" wrote:

> I'm looking at sharing an encrypted file, Linux to 64 bit windows.
>
> It seems that a Windows version isn't available, is this right please?
> Lots of "similar" names, nothing from GNU?
>
> TiA
>
> --
> Dave Pawson
> XSLT XSL-FO FAQ.
> Docbook FAQ.
> http://www.dpawson.co.uk
>


Cross platform working

2014-12-09 Thread Dave Pawson
I'm looking at sharing an encrypted file, Linux to 64 bit windows.

It seems that a Windows version isn't available, is this right please?
Lots of "similar" names, nothing from GNU?

TiA

-- 
Dave Pawson
XSLT XSL-FO FAQ.
Docbook FAQ.
http://www.dpawson.co.uk
