Re: Are there cases where gpg --verify will exit 0, even if verification failed?
On Wed, 14 Jan 2015 17:40, patrick-mailingli...@whonix.org said:

> Do you mean, for example, the signature could be valid, but the key that signed it could be revoked and gpg would still exit 0?

Sure. It is just too complex to put it into one number. Consider the case for multiple signatures - who is going to decide whether the signature is valid.

This has all been discussed about 15 years ago with the result of writing the gpgv binary which is suitable for most automated signature verification use cases.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Specifying passphrase for batch key generation
Reading the manual for batch GPG key generation in GnuPG 2.1, I see the following note:

> Since GnuPG version 2.1 it is not anymore possible to specify a passphrase for unattended key generation. The passphrase command is simply ignored and ‘%ask-passpharse’ is thus implicitly enabled.

I'm running into an issue now with a module I was using to generate keys in a python script (python-gnupg). Its method was to generate a set of parameters, including the passphrase parameter, and pass that via stdin to gpg --batch --gen-key.

Now that we cannot specify a passphrase in the batch parameters, what is the preferred method for batch key generation with a specified passphrase?

Re: Specifying passphrase for batch key generation
On 14-01-2015 21:59, Joey Castillo wrote:

> Now that we cannot specify a passphrase in the batch parameters, what is the preferred method for batch key generation with a specified passphrase?

Use GnuPG 1.4.18.

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

Problems when encrypting to a group on MacGPG
Hello Everyone,

I'm trying to help someone configure MacGPG 2.0.22. I've defined a group with multiple keys in it. But when I try to encrypt to the group to test things, I get the following error:

    gpg: O g: can't encode a 256 bit key in a 0 bit frame

This happens after I tell the program to accept the final key in the group as valid. But it doesn't seem to be related to a key since I've deleted the final key and it still gives me the error.

Any idea what might be causing this? Thanks!

Thanks,
Anthony

--
Anthony Papillion
Phone: 1.918.631.7331
XMPP Chat: cyp...@chat.cpunk.us
Fingerprint: 65EF73EC 8B57F6B1 8C475BD4 426088AC FE21B251
PGP Key: http://www.cajuntechie.org/p/my-pgp-key.html

To any NSA and FBI agents reading my email: please consider whether defending the US Constitution against all enemies, foreign or domestic, requires you to follow Edward Snowden's example.

Re: Problems when encrypting to a group on MacGPG
On 1/14/15 7:09 PM, Anthony Papillion wrote:

>     gpg: O g: can't encode a 256 bit key in a 0 bit frame
>
> This happens after I tell the program to accept the final key in the group as valid. But it doesn't seem to be related to a key since I've deleted the final key and it still gives me the error.

You're on the right track: delete some more keys, test again, repeat till you find the key causing problems. Depending on the number of keys it may be easier to add/delete a few at a time, do a binary search, etc.

Good luck,

Doug

Re: Problems when encrypting to a group on MacGPG
I use Mac GPG2, but I’ve never had this problem. You could try posting this to the MacGPG2 support page which is here:

http://support.gpgtools.org/

Sandeep Murthy
s.mur...@mykolab.com

On 2015-01-15 03:09, Anthony Papillion wrote:

> Hello Everyone,
>
> I'm trying to help someone configure MacGPG 2.0.22. I've defined a group with multiple keys in it. But when I try to encrypt to the group to test things, I get the following error:
>
>     gpg: O g: can't encode a 256 bit key in a 0 bit frame
>
> This happens after I tell the program to accept the final key in the group as valid. But it doesn't seem to be related to a key since I've deleted the final key and it still gives me the error.
>
> Any idea what might be causing this? Thanks!
>
> Thanks,
> Anthony
>
> --
> Anthony Papillion
> Phone: 1.918.631.7331
> XMPP Chat: cyp...@chat.cpunk.us
> Fingerprint: 65EF73EC 8B57F6B1 8C475BD4 426088AC FE21B251
> PGP Key: http://www.cajuntechie.org/p/my-pgp-key.html
>
> To any NSA and FBI agents reading my email: please consider whether defending the US Constitution against all enemies, foreign or domestic, requires you to follow Edward Snowden's example.

Re: Are there cases where gpg --verify will exit 0, even if verification failed?
I know that all processes have an exit code, what I meant was if you invoke gpg interactively like

    gpg --edit-key key ID /email

and then execute a wrong subcommand or specify something incorrectly then the gpg exit code will not reflect this unless the subcommand launches another process.

Sandeep Murthy
s.mur...@mykolab.com

On 14 Jan 2015, at 13:40, Daniel Kahn Gillmor d...@fifthhorseman.net wrote:

> On Wed 2015-01-14 08:22:45 -0500, Sandeep Murthy wrote:
>> Exit codes in shells indicate problems relating to completion or disruption of the child process invoked by a parent process.
>>
>> They will not record unsuccessful events inside the child process related to program functions, i.e. if you are inside gpg editing a key and enter an incorrect subcommand or use it incorrectly then this will not affect the exit code, I don’t think.
>
> This is not the case. all processes have a return code, whether they are invoked by a shell or by other processes. The return code is a critical part of the output of a program.
>
> gpg does use the return code to indicate failure of signature verification. consider the results of:
>
>     echo test1 > test1.txt
>     echo test2 > test2.txt
>     gpg --detach-sign --armor test1.txt
>     gpg --verify test1.txt.asc test1.txt
>     gpg --verify test1.txt.asc test2.txt
>
> the return value of the first --verify should be 0, but the second --verify invocation should return 1, indicating that the signature cannot be verified over the (different) contents of test2.txt
>
> --dkg

Re: Are there cases where gpg --verify will exit 0, even if verification failed?
On Wed, 14 Jan 2015 14:40, d...@fifthhorseman.net said:

> gpg does use the return code to indicate failure of signature verification.

But recall that success does not mean that the signature is good. Check the status output or use gpgv.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

Re: Are there cases where gpg --verify will exit 0, even if verification failed?
Werner Koch:

> On Wed, 14 Jan 2015 14:40, d...@fifthhorseman.net said:
>> gpg does use the return code to indicate failure of signature verification.
>
> But recall that success does not mean that the signature is good. Check the status output or use gpgv.

Do you mean, for example, the signature could be valid, but the key that signed it could be revoked and gpg would still exit 0?

Or can you tell another example please where gpg would exit 0, but where the signature is bad?

Is there a shell script or bash library for parsing gpg's --status-fd output?
Hi!

Is there a shell script or bash library for parsing gpg's --status-fd output?

I mean, I could code it myself. But why duplicate effort and risk messing up. Maybe there is some existing or even recommended or even official library to do this?

(What I mean by parsing is: to get from lines such as

    [GNUPG:] GOODSIG 416...

to variables such as goodsig=true, fingerprint=416... and so forth.)

Cheers,
Patrick

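Added example, not part of Patrick's post and not GnuPG's own code: a POSIX shell function that turns status lines into an accept/reject decision, as the replies in this thread recommend instead of trusting the exit code. The fingerprints and status lines are constructed samples, and the policy (pin one expected fingerprint; reject on BADSIG, ERRSIG, EXPSIG, EXPKEYSIG, REVKEYSIG or NO_PUBKEY) is an assumption of this example.

```sh
#!/bin/sh
# Added example, not from the thread: decide from gpg's --status-fd lines
# (read on stdin) instead of the exit code. $1 is the fingerprint the caller
# expects (40 hex digits, no spaces). Live use would look like:
#   gpg --status-fd 1 --verify f.asc f 2>/dev/null | check_status "$FPR"
check_status() {
    want=$1; matched=0; fatal=0
    while read -r tag kw a1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue   # skip non-status lines
        case $kw in
            # Example policy (an assumption): any of these rejects the file,
            # even when a VALIDSIG line is present as well.
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)
                fatal=1 ;;
            VALIDSIG)
                # a1 is the fingerprint of the key that made the signature;
                # the optional last field is the primary key's fingerprint.
                primary=${rest##* }
                if [ "$a1" = "$want" ] || [ "$primary" = "$want" ]; then
                    matched=1
                fi ;;
        esac
    done
    [ "$fatal" -eq 0 ] && [ "$matched" -eq 1 ]
}

# Constructed sample data (not real keys or real gpg output).
FPR=0123456789ABCDEF0123456789ABCDEF01234567
OTHER=89ABCDEF0123456789ABCDEF0123456789ABCDEF
V="2015-01-14 1421250000 0 4 0 1 8 00"   # remaining VALIDSIG fields

SAMPLE_GOOD="[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer
[GNUPG:] VALIDSIG $FPR $V $FPR"
SAMPLE_REVOKED="[GNUPG:] REVKEYSIG 89ABCDEF01234567 Constructed Signer
[GNUPG:] VALIDSIG $FPR $V $FPR"
SAMPLE_WRONGKEY="[GNUPG:] GOODSIG 0123456789ABCDEF Other Signer
[GNUPG:] VALIDSIG $OTHER $V $OTHER"
SAMPLE_MIXED="$SAMPLE_GOOD
[GNUPG:] BADSIG 0123456789ABCDEF Other Signer"

for name in GOOD REVOKED WRONGKEY MIXED; do
    eval "lines=\$SAMPLE_$name"
    if printf '%s\n' "$lines" | check_status "$FPR"; then
        echo "$name: accept"
    else
        echo "$name: reject"
    fi
done
```

Only the GOOD sample is accepted; the MIXED sample shows the multiple-signature case, where one valid signature does not outweigh a bad one under this policy.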
Re: Vanity Keys
On 13-01-2015 21:38, Werner Koch wrote:

> Well, we could also change the code to trial verify with all key ids but that takes longer than needed and may by itself be used as a DoS.

You don't need to test all keyID's - just those with the same key ID. Assuming this is a rare occasion and someone's keyring is not flooded with keys with the same ID (in that case you are probably under some kind of attack and might investigate), you can even detect and store this condition somewhere when importing the key and checking this probably very short list of key ID's that appear multiple times.

I wonder what this would do with the keyserver network. They probably need adapting too.

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

Re: More strangeness.
On Tue, 13 Jan 2015 21:33, dgouttegat...@incenp.org said:

> [2] https://bugs.g10code.com/gnupg/issue1794

Right, this is a blocker for a 2.1.2 release.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

Re: Issuer Fingerprint
On Wed, 14 Jan 2015 00:54, 2014-667rhzu3dc-lists-gro...@riseup.net said:

> I thought we already took care of this with
> sig-notation issuer-...@notations.openpgp.fifthhorseman.net=%g [0]

But GnuPG does not know about this - it is Dkg's private thing. Further this triples the required size for each signature. If we would do that with notation data something like iss...@gnupg.org= would be used. But see the discussion on gnupg-devel.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

Re: Are there cases where gpg --verify will exit 0, even if verification failed?
Are there cases where gpg --verify will exit 0, even if verification failed?

Verification could fail internally within the gpg program, or externally because the signature file does not exist or is incorrectly named or maybe corrupt e.g.

    [srm@~]$ gpg --verify asig.sig; echo $?
    gpg: can't open `asig.sig': No such file or directory
    gpg: verify signatures failed: No such file or directory
    2

Exit codes in shells indicate problems relating to completion or disruption of the child process invoked by a parent process.

They will not record unsuccessful events inside the child process related to program functions, i.e. if you are inside gpg editing a key and enter an incorrect subcommand or use it incorrectly then this will not affect the exit code, I don’t think.

Sandeep Murthy
s.mur...@mykolab.com

On 14 Jan 2015, at 07:51, Dave Pawson dave.paw...@gmail.com wrote:

> In Unix terms, a program that has run successfully to completion exits with status zero, no 'extra' semantic attached?
>
> Dave
>
> On 13 January 2015 at 19:03, Patrick Schleizer patrick-mailingli...@whonix.org wrote:
>> In another thread...
>>
>> Werner Koch
>>> On Mon, 12 Jan 2015 19:52, patrick-
>>>> When it exits 0, then this approach is sound, sane and fine?
>>>
>>> You better check the status lines; in particular watch out for
>>> [GNUPG:] VALIDSIG E4B868C8F90C.
>>> or use gpgv.
>>
>> Are there cases where gpg --verify will exit 0, even if verification failed?
>>
>> (Suppose one uses a separate --homedir where only legitimate signing keys are imported.)
>
> --
> Dave Pawson XSLT XSL-FO FAQ. Docbook FAQ. http://www.dpawson.co.uk

Re: Are there cases where gpg --verify will exit 0, even if verification failed?
In Unix terms, a program that has run successfully to completion exits with status zero, no 'extra' semantic attached?

Dave

On 13 January 2015 at 19:03, Patrick Schleizer patrick-mailingli...@whonix.org wrote:

> In another thread...
>
> Werner Koch
>> On Mon, 12 Jan 2015 19:52, patrick-
>>> When it exits 0, then this approach is sound, sane and fine?
>>
>> You better check the status lines; in particular watch out for
>> [GNUPG:] VALIDSIG E4B868C8F90C.
>> or use gpgv.
>
> Are there cases where gpg --verify will exit 0, even if verification failed?
>
> (Suppose one uses a separate --homedir where only legitimate signing keys are imported.)

--
Dave Pawson XSLT XSL-FO FAQ. Docbook FAQ. http://www.dpawson.co.uk

Re: Are there cases where gpg --verify will exit 0, even if verification failed?
On 01/14/2015 02:40 PM, Daniel Kahn Gillmor wrote:

> On Wed 2015-01-14 08:22:45 -0500, Sandeep Murthy wrote:
>> Exit codes in shells indicate problems relating to completion or disruption of the child process invoked by a parent process.
>
> ..
>
> the return value of the first --verify should be 0, but the second --verify invocation should return 1, indicating that the signature cannot be verified over the (different) contents of test2.txt

But iirc you will anyways have to check the status-fd for the validity of the issuing key.

--
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

A government that robs Peter to pay Paul can always depend on the support of Paul. (George Bernard Shaw)