Re: Sign key with externalized master key

2015-02-11 Thread Xavier Maillard

flapflap  writes:

> Xavier Maillard:
>>
>> Daniel Kahn Gillmor  writes:
>>
>>> On Wed 2015-02-11 00:41:18 -0500, Xavier Maillard wrote:
>>>> May I ask how one would sign public keys when a "master key" is
>>>> stored on a USB stick?
>>>>
>>>> So what? My USB stick is formatted using exFAT so permissions are
>>>> something unknown.
>>>
>>> The fact that you're using a FAT volume is the root cause here; FAT
>>> filesystems do not have ownership or permissions, so when a modern OS
>>> mounts them, it has to fake permissions for these files.
>>
>> Thank you for this precision. Are you aware of a "portable" filesystem
>> type that is well supported by the 3 major OSes?
>
> Since your issue only affects signing of other keys - which normally is
> not a daily scenario - what about using a GNU/Linux live system/CD/USB
> for that purpose?
> That way you can use a normal GNU/Linux supported filesystem and don't
> have to worry whether to trust your normal OS or which filesystem is
> compatible with all OSes you intend to use.

Good catch. I did something close: I refurbished and updated my old Slackware
GNU/Linux system with FUSE exFAT support. That does the job!

Thank you for your help.
--
Xavier

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Sign key with externalized master key

2015-02-11 Thread Brian Minton

On Wed, Feb 11, 2015, 5:33 PM Xavier Maillard  wrote:


> Thank you for this precision. Are you aware of a "portable" filesystem
> type that is well supported by the 3 major OSes?


Just UDF


Re: Purchasing OpenPGP cards, card-readers to support GnuPG

2015-02-11 Thread NIIBE Yutaka
On 02/12/2015 12:35 AM, taltman wrote:
> Is there any way to purchase these items where a portion of the proceeds
> goes to supporting GnuPG?

Indirectly, I'd say.

I think that if you stay in Europe, being an FSFE member, you'll get
its member card with the OpenPGPcard feature.  I'm sure that it will
improve the ecosystem around GnuPG, although it's not directly
supporting GnuPG development.  Besides, it gives her a good opportunity
to consider the importance and difficulty of controlling her own
computing, by a concrete example of card reader implementation and
card implementation.

Buying OpenPGPcard implementations (instead of other card
implementations of PKCS) also benefits GnuPG development indirectly,
because the OpenPGPcard specification is published and its functionality
is clear enough.  Well, PKCS is published, YES... but supporting cards
other than the OpenPGPcard specification is very difficult for a free
software project, in general, because the standard practice assumes a
non-free environment and the industry tends to be unfriendly to free
software.

Buying an original OpenPGPcard implementation would be better, so that we
can support publishing the OpenPGPcard specification as a free
specification.

Perhaps you'd like a more free implementation of OpenPGPcard, but a
(partially) non-free implementation also works.

In the current situation, I never accuse users/developers of non-free
OpenPGPcard implementations.  It's not ideal, but it would be an
important step towards better control of our own computing.

The difficulty is... for card readers.  I only know one free (as in
freedom) implementation which connects a physical card, that's
CryptoStick (now, new project name, Nitrokey), which combines a
physical OpenPGPcard into a token.

Lastly and unlikely, if you stay in Japan, being an FSIJ member, you'll
automatically get the pressure of buying FST-01 as a Gnuk Token (or NeuG
standalone). :-) I'm selling FST-01 so that I could have more time for
GnuPG development, and I'd like to invite more developers into this
area, while I'd like to encourage Chinese industry towards free (as in
freedom) hardware design.


Re: Sign key with externalized master key

2015-02-11 Thread flapflap
Xavier Maillard:
> 
> Daniel Kahn Gillmor  writes:
> 
>> On Wed 2015-02-11 00:41:18 -0500, Xavier Maillard wrote:
>>> May I ask how one would sign public keys when a "master key" is
>>> stored on a USB stick?
>>>
>>> I followed instructions from [1]. Now I am in the process of
>>> announcing my key transition to all old signers *but*, as a last
>>> test, I just tested public signature with my "master key" and this is
>>> where troubles occur:
>>>
>>> LANG=C gpg --home /Volumes/FSF/.gnupg --recv-keys 
>>> gpg: WARNING: unsafe permissions on homedir `/Volumes/FSF/.gnupg'
>>> gpg: external program calls are disabled due to unsafe options file 
>>> permissions
>>> gpg: keyserver communications error: General error
>>> gpg: keyserver receive failed: General error
>>>
>>> So what? My USB stick is formatted using exFAT so permissions are
>>> something unknown.
>>
>> The fact that you're using a FAT volume is the root cause here; FAT
>> filesystems do not have ownership or permissions, so when a modern OS
>> mounts them, it has to fake permissions for these files.
> 
> Thank you for this precision. Are you aware of a "portable" filesystem
> type that is well supported by the 3 major OSes?

Since your issue only affects signing of other keys - which normally is
not a daily scenario - what about using a GNU/Linux live system/CD/USB
for that purpose?
That way you can use a normal GNU/Linux supported filesystem and don't
have to worry whether to trust your normal OS or which filesystem is
compatible with all OSes you intend to use.

~flapflap



Re: Key keeps showing unknown trust

2015-02-11 Thread MFPA

Hi


On Monday 9 February 2015 at 9:24:50 AM, in
, Hugo Osvaldo Barrera
wrote:




> Only on older versions of gpg, according to the man
> pages:

> ~/.gnupg/secring.gpg  A secret keyring as
> used by GnuPG versions before 2.1.  It is not
> used by GnuPG 2.1 and later.



If GnuPG 2.1.x finds an existing secring.gpg, that is used. If not,
the new file format secring.kbx is used.


--
Best regards

MFPA  mailto:2014-667rhzu3dc-lists-gro...@riseup.net

Free advice costs nothing until you act upon it


Re: Sign key with externalized master key

2015-02-11 Thread Xavier Maillard

Daniel Kahn Gillmor  writes:

> On Wed 2015-02-11 00:41:18 -0500, Xavier Maillard wrote:
>> May I ask how one would sign public keys when a "master key" is
>> stored on a USB stick?
>>
>> I followed instructions from [1]. Now I am in the process of
>> announcing my key transition to all old signers *but*, as a last
>> test, I just tested public signature with my "master key" and this is
>> where troubles occur:
>>
>> LANG=C gpg --home /Volumes/FSF/.gnupg --recv-keys 
>> gpg: WARNING: unsafe permissions on homedir `/Volumes/FSF/.gnupg'
>> gpg: external program calls are disabled due to unsafe options file 
>> permissions
>> gpg: keyserver communications error: General error
>> gpg: keyserver receive failed: General error
>>
>> So what? My USB stick is formatted using exFAT so permissions are
>> something unknown.
>
> The fact that you're using a FAT volume is the root cause here; FAT
> filesystems do not have ownership or permissions, so when a modern OS
> mounts them, it has to fake permissions for these files.

Thank you for this precision. Are you aware of a "portable" filesystem
type that is well supported by the 3 major OSes?

Regards
--
Xavier




Re: moving up from 2.0.26 to 2.1.1

2015-02-11 Thread Philip Jackson
On 11/02/15 21:16, Daniel Kahn Gillmor wrote:
> On Wed 2015-02-11 14:02:49 -0500, Philip Jackson wrote:
>> On 11/02/15 14:59, Brian Minton wrote:
>>> In Debian, the experimental repo has gpg 2.1 with all dependencies. Follow the
>>> instructions at https://wiki.debian.org/DebianExperimental

 snip...
> 
> You don't say how you searched specifically, so i can't say what's gone
> wrong in your case.

I used the Synaptic Package Manager GUI to search for gnupg2 after adding the
experimental repository in the Settings/repository using the formula given on
the website link provided by Brian Minton (above):

deb http://ftp.debian.org/debian experimental main

Amongst all the items listed then as available in experimental (after reload)
there was nothing shown in Synaptic Package Manager under gnupg.

> Here's what i see:
> 
> 0 dkg@alice:~$ apt-cache policy gnupg2
> gnupg2:
>   Installed: 2.1.1-1
>   Candidate: 2.1.1-1
>   Version table:
>  *** 2.1.1-1 0
>   1 http://ftp.us.debian.org/debian/ experimental/main amd64 Packages
> 100 /var/lib/dpkg/status
>  2.0.26-4 0
> 500 http://ftp.us.debian.org/debian/ jessie/main amd64 Packages
> 200 http://ftp.us.debian.org/debian/ sid/main amd64 Packages
> 0 dkg@alice:~$ 
> 
When I try your way from the command line, I get:

$ apt-cache policy gnupg2
gnupg2:
  Installed: 2.0.22-3ubuntu1.1
  Candidate: 2.0.22-3ubuntu1.1
  Version table:
     2.1.1-1 0
          1 http://ftp.debian.org/debian/ experimental/main amd64 Packages
 *** 2.0.22-3ubuntu1.1 0
        500 http://fr.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.0.22-3ubuntu1 0
        500 http://fr.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

I'm not sure what this is telling me but I think it is indicating:

1.  that 2.1.1 is available in experimental/main Packages.
2.  that I have 2.0.22 installed
3.  that latest available for my distro (candidate) is 2.0.22

Although I did, last summer, install 2.0.22 using the distro's software centre,
I subsequently used the same software centre to remove it before building 2.0.26
on my own.  So I don't know why the above indicates that 2.0.22 is installed.

If I do gpg2 --version, it comes back clearly with 2.0.26, and Enigmail clearly
indicates that it has found the gpg2 that I built.

So, moving on, if I do:

 apt-get -t experimental install gnupg2

will I get 2.1.1 installed together with its dependencies?

And returning to my original questions, since it is written that 2.0* and 2.1
cannot co-exist, I suppose that I shall have to remove manually everything
connected with my 2.0.26?

Thanks, Philip





Generating

2015-02-11 Thread Laurens Van Houtven
Hi,


I just acquired an OpenPGP v2.0 SmartCard. Works beautifully, except for one
thing: no 4096 bit keys. I thought this would be supported, but when I try to
generate a key with gpg --card-edit, I can only select up to 3072 bits. I
thought 4096 was supported on the v2 card, as long as you had GnuPG 2.0.18+,
which I do:

gpg (GnuPG/MacGPG2) 2.0.26
libgcrypt 1.6.2
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA, RSA, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Any ideas?


thanks in advance
lvh




Re: (bug?) Revoked keys and past signatures

2015-02-11 Thread Daniel Kahn Gillmor
On Tue 2015-02-10 18:24:19 -0500, Daniel Kahn Gillmor wrote:
> It sounds to me like you're asking for the standard to separate out
> "signature creation time" from "signature validity start time".
>
> This is an interesting proposal, and i can see why it would make sense
> for this scenario.
>
> I can also see it introducing a lot of subtle bugs in what is already a
> very nuanced and subtle area (certificate timestamp checking; not just
> in OpenPGP either -- the ongoing x.509 discussions about overlapping
> windows of certificate validity).

For reference, X.509 does not provide the signing time at all, but has
notBefore and notAfter fields.  Other signed objects that use CMS can
potentially have all three, which is potentially confusing:

http://csrc.nist.gov/groups/SNS/piv/npivp/SP80078FAQ.htm

  X.509 public key certificates do not specify the time of signature
  generation, but do specify a validity period using the notBefore and
  notAfter fields. For each of the X.509 certificates, the notBefore
  time in the certificate should be used as the digital signature
  generation date.

  The digital signatures on the CHUID, biometric, and security object
  are all encoded as Cryptographic Message Syntax (CMS) external digital
  signatures, as defined in RFC 3852. RFC 3852 defines the signingTime
  attribute, which specifies the time at which the signer (purportedly)
  performed the signing process. If present in a particular object
  (i.e., the CHUID, biometric, or security object), the signingTime
  attribute should be used as the signature generation time. For any
  object that omits the signingTime attribute, the notBefore time
  encoded in the corresponding PIV Authentication certificate should be
  used as the signature generation time.


(the above is slightly out of date, and should reference
https://tools.ietf.org/html/rfc5652#section-11.3 instead of RFC 3852)


--dkg



Re: Purchasing OpenPGP cards, card-readers to support GnuPG

2015-02-11 Thread Werner Koch
On Wed, 11 Feb 2015 16:35, taltm...@stanford.edu said:

> Is there any way to purchase these items where a portion of the proceeds
> goes to supporting GnuPG?

Not that I know about.  I myself did not want to get into the
hardware business.  But meanwhile I am considering having some merchandise
stuff, and a card might well fit into that category.  Maybe not a card
but the fully free Gnuk token.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: moving up from 2.0.26 to 2.1.1

2015-02-11 Thread Daniel Kahn Gillmor
On Wed 2015-02-11 14:02:49 -0500, Philip Jackson wrote:
> On 11/02/15 14:59, Brian Minton wrote:
>> In Debian, the experimental repo has gpg 2.1 with all dependencies. Follow the
>> instructions at https://wiki.debian.org/DebianExperimental
>
> Thank you for that suggestion, Brian.  I looked into the link you provided and
> decided that to see the precise name of the package, I'd add the repository
> address into source info in Synaptic Package manager.  Which I did, together
> with Debian's gpg key.
>
> After reload, I searched for possible packages available at Debian experimental
> repo but failed to find any with names like gpg*, gnupg*.
>
> So I'm not there yet.  No hurry, though - lots to learn.

You don't say how you searched specifically, so i can't say what's gone
wrong in your case.

Here's what i see:

0 dkg@alice:~$ apt-cache policy gnupg2
gnupg2:
  Installed: 2.1.1-1
  Candidate: 2.1.1-1
  Version table:
 *** 2.1.1-1 0
          1 http://ftp.us.debian.org/debian/ experimental/main amd64 Packages
        100 /var/lib/dpkg/status
     2.0.26-4 0
        500 http://ftp.us.debian.org/debian/ jessie/main amd64 Packages
        200 http://ftp.us.debian.org/debian/ sid/main amd64 Packages
0 dkg@alice:~$


hth,

--dkg



Re: moving up from 2.0.26 to 2.1.1

2015-02-11 Thread Robert J. Hansen
> A priori, this doesn't seem very transparent but I suppose there must
> be a way to determine if 2.0.22 is original or augmented ?

Yep, but as I'm not much of an Ubuntu guy I'll let one of them give you
specific instructions -- I just know Ubuntu, like Debian (which it's
built on), is very good about making that information available.

As a first try I'd suggest looking at:

https://launchpad.net/ubuntu/+source/gnupg2/2.0.24-1ubuntu2





[Announce] GnuPG 2.1.2 released

2015-02-11 Thread Werner Koch
Hello!

The GnuPG Project is pleased to announce the availability of the
third release of GnuPG modern: Version 2.1.2.

The GNU Privacy Guard (GnuPG) is a complete and free implementation of
the OpenPGP standard as defined by RFC-4880 and better known as PGP.

GnuPG, also known as GPG, allows you to encrypt and sign data and
communication, features a versatile key management system as well as
access modules for public key directories.  GnuPG itself is a command
line tool with features for easy integration with other applications.
A wealth of frontend applications and libraries making use of GnuPG
are available.  Since version 2 GnuPG provides support for S/MIME and
Secure Shell in addition to OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom). It can
be freely used, modified and distributed under the terms of the GNU
General Public License.

Three different versions of GnuPG are actively maintained:

- GnuPG "modern" (2.1) is the latest development with a lot of new
  features.  This announcement is about the first release of this
  version.

- GnuPG "stable" (2.0) is the current stable version for general use.
  This is what most users are currently using.

- GnuPG "classic" (1.4) is the old standalone version which is most
  suitable for older or embedded platforms.

You may not install "modern" (2.1) and "stable" (2.0) at the same
time.  However, it is possible to install "classic" (1.4) along with
any of the other versions.


What's New in GnuPG-2.1
=======================

 * gpg: The parameter 'Passphrase' for batch key generation works
   again.

 * gpg: Using a passphrase option in batch mode now has the expected
   effect on --quick-gen-key.

 * gpg: Improved reporting of unsupported PGP-2 keys.

 * gpg: Added support for algo names when generating keys using
   --command-fd.

 * gpg: Fixed DoS based on bogus and overlong key packets.

 * agent: When setting --default-cache-ttl the value
   for --max-cache-ttl is adjusted to be not lower than the former.

 * agent: Fixed problems with the new --extra-socket.

 * agent: Made --allow-loopback-pinentry changeable with gpgconf.

 * agent: Fixed importing of unprotected openpgp keys.

 * agent: Now tries to use a fallback pinentry if the standard
   pinentry is not installed.

 * scd: Added support for ECDH.

 * Fixed several bugs related to bogus keyrings and improved some
   other code.

A detailed description of the changes found in 2.1 can be found at
https://gnupg.org/faq/whats-new-in-2.1.html .


Getting the Software
====================

Please follow the instructions found at https://gnupg.org/download/ or
read on:

GnuPG 2.1.2 may be downloaded from one of the GnuPG mirror sites or
direct from its primary FTP server.  The list of mirrors can be found
at https://gnupg.org/mirrors.html .  Note that GnuPG is not available
at ftp.gnu.org.

On ftp.gnupg.org you find these files:

 ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.2.tar.bz2  (4720k)
 ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.2.tar.bz2.sig

This is the GnuPG 2.1 source code compressed using BZIP2 and its
OpenPGP signature.

A Windows installer is not available for this version because we are
currently reworking some parts of it.

This version fixes a lot of bugs found after the release of 2.1.0 but
there are still known bugs which we are working on.  Please check the
mailing list archives and https://wiki.gnupg.org for known problems and
workarounds.


Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a version of GnuPG installed, you can simply
   verify the supplied signature.  For example to verify the signature
   of the file gnupg-2.1.2.tar.bz2 you would use this command:

 gpg --verify gnupg-2.1.2.tar.bz2.sig gnupg-2.1.2.tar.bz2

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by one or more of the release signing keys.  Make sure that
   this is a valid key, either by matching the shown fingerprint
   against a trustworthy list of valid release signing keys or by
   checking that the key has been signed by trustworthy other keys.
   See below for information on the signing keys.

 * If you are not able to use an existing version of GnuPG, you have
   to verify the SHA-1 checksum.  On Unix systems the command to do
   this is either "sha1sum" or "shasum".  Assuming you downloaded the
   file gnupg-2.1.1.tar.bz2, you would run the command like this:

 sha1sum gnupg-2.1.2.tar.bz2

   and check that the output matches the first line from the
   following list:

7e972cb9af47d9b8ce164dcf37fc4f32634d6cd6  gnupg-2.1.2.tar.bz2


Release Signing Keys
====================

To guarantee that a downloaded GnuPG version has not been tampered with by
malicious entities we provide signature files for all tarball
Re: moving up from 2.0.26 to 2.1.1

2015-02-11 Thread Philip Jackson
On 11/02/15 16:20, Robert J. Hansen wrote:
>> I find that distro packages (for Ubuntu) lag well behind what is
>> available and I do appreciate that there is a trade-off between
>> proven reliability and up-to-dateness and also that distros rely on
>> maintainers who may well be volunteers...
> 
> If your goal is to enjoy tinkering with technology, by all means, do
> what you're doing.  Can't fault you for it in the least; I love doing it
> myself.

Yes, I guess that I fall into this type slot.

> If your goal is just to make sure you have the latest and greatest
> security updates, you should probably stick with your distro's packages.
> The distro package may *say* 2.0.22, but any security fixes released
> after 2.0.22 will quickly be backported into your distro's 2.0.22 package.

A priori, this doesn't seem very transparent but I suppose there must be a way
to determine if 2.0.22 is original or augmented?

Philip






Re: moving up from 2.0.26 to 2.1.1

2015-02-11 Thread Philip Jackson
On 11/02/15 14:59, Brian Minton wrote:
> In Debian, the experimental repo has gpg 2.1 with all dependencies. Follow the
> instructions at https://wiki.debian.org/DebianExperimental

Thank you for that suggestion, Brian.  I looked into the link you provided and
decided that to see the precise name of the package, I'd add the repository
address into source info in Synaptic Package manager.  Which I did, together
with Debian's gpg key.

After reload, I searched for possible packages available at Debian experimental
repo but failed to find any with names like gpg*, gnupg*.

So I'm not there yet.  No hurry, though - lots to learn.

Philip





Re: Purchasing OpenPGP cards, card-readers to support GnuPG

2015-02-11 Thread Dave Pawson
I was hoping that long thread might suggest the same.
Quite willing to support GPG via a purchase,
but so little information is available...

regards DaveP

On 11 February 2015 at 15:35, taltman  wrote:
> I'd like to both support the GnuPG project, and acquire an OpenPGP card
> and card reader.
>
> Is there any way to purchase these items where a portion of the proceeds
> goes to supporting GnuPG?
>
> Thanks,
>
> ~Tomer
>
> --
>
> Encrypted email preferred.
> http://taltman.sdf.org/public_key.asc
> Key fingerprint = DFE8 7D60 D452 9C4F 5D1F  7515 F55F BB30 1719 7991



-- 
Dave Pawson
XSLT XSL-FO FAQ.
Docbook FAQ.
http://www.dpawson.co.uk



Purchasing OpenPGP cards, card-readers to support GnuPG

2015-02-11 Thread taltman

I'd like to both support the GnuPG project, and acquire an OpenPGP card
and card reader.

Is there any way to purchase these items where a portion of the proceeds
goes to supporting GnuPG?

Thanks,

~Tomer

--

Encrypted email preferred.
http://taltman.sdf.org/public_key.asc
Key fingerprint = DFE8 7D60 D452 9C4F 5D1F  7515 F55F BB30 1719 7991




Re: moving up from 2.0.26 to 2.1.1

2015-02-11 Thread Robert J. Hansen
> I find that distro packages (for Ubuntu) lag well behind what is
> available and I do appreciate that there is a trade-off between
> proven reliability and up-to-dateness and also that distros rely on
> maintainers who may well be volunteers...

If your goal is to enjoy tinkering with technology, by all means, do
what you're doing.  Can't fault you for it in the least; I love doing it
myself.

If your goal is just to make sure you have the latest and greatest
security updates, you should probably stick with your distro's packages.
The distro package may *say* 2.0.22, but any security fixes released
after 2.0.22 will quickly be backported into your distro's 2.0.22 package.





Re: Sign key with externalized master key

2015-02-11 Thread Daniel Kahn Gillmor
On Wed 2015-02-11 00:41:18 -0500, Xavier Maillard wrote:
> May I ask how one would sign public keys when a "master key" is
> stored on a USB stick?
>
> I followed instructions from [1]. Now I am in the process of
> announcing my key transition to all old signers *but*, as a last
> test, I just tested public signature with my "master key" and this is
> where troubles occur:
>
> LANG=C gpg --home /Volumes/FSF/.gnupg --recv-keys 
> gpg: WARNING: unsafe permissions on homedir `/Volumes/FSF/.gnupg'
> gpg: external program calls are disabled due to unsafe options file 
> permissions
> gpg: keyserver communications error: General error
> gpg: keyserver receive failed: General error
>
> So what? My USB stick is formatted using exFAT so permissions are
> something unknown.

The fact that you're using a FAT volume is the root cause here; FAT
filesystems do not have ownership or permissions, so when a modern OS
mounts them, it has to fake permissions for these files.

If you mount the filesystem manually, you can usually specify tighter
permissions.  I don't know the exact syntax for OS X, but on GNU/Linux
systems, that would be:

 mount -t vfat -ouid=$USERNAME,umask=077 /dev/sdx1 /Volumes/FSF

umask is the relevant option here to set the default permissions.
Alternately, if your umask is set properly before mounting the
filesystem, i think mount(8) will just default to it.

hth,

--dkg

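As an added example (not from dkg's message or from GnuPG itself), the POSIX sh script below re-implements, in simplified form, the permission rules behind the two warnings Xavier pasted, so a homedir on a removable volume can be checked before gpg is run; it only needs ls(1) and mktemp(1), not gpg. The function names and the constructed demo directory with its gpg.conf are this example's own, and the rules are a simplification of gpg's check: the homedir must be owner-only, and gpg.conf must not be writable by group or others.

```shell
#!/bin/sh
# Added example, not from the thread: a stand-alone re-implementation of the
# checks behind "unsafe permissions on homedir" and "unsafe options file
# permissions", usable on a homedir that lives on a FAT/exFAT stick. Assumes
# POSIX sh with ls(1) and mktemp(1); gpg itself is not required.
# Simplified rules: the homedir must carry no group/other bits at all, and
# gpg.conf (if present) must have no group/other write bit.

# mode_string PATH -> the 10-character mode field of `ls -ld`, e.g. drwx------
# (a trailing "+" or "@" for ACLs/xattrs is cut off on purpose)
mode_string() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# check_gnupg_home HOMEDIR -> 0 if gpg would stay quiet, 1 if it would warn,
# 2 if HOMEDIR is not a directory
check_gnupg_home() {
    dir=$1
    rc=0
    mode=$(mode_string "$dir")
    case "$mode" in
        d???------) ;;                                   # owner-only: fine
        d*) echo "WARNING: unsafe permissions on homedir $dir ($mode)"; rc=1 ;;
        *)  echo "$dir is not a directory" >&2; return 2 ;;
    esac
    if [ -f "$dir/gpg.conf" ]; then
        cmode=$(mode_string "$dir/gpg.conf")
        case "$cmode" in
            -????-??-?) ;;                               # g-w and o-w clear
            *) echo "WARNING: unsafe options file permissions ($cmode)"; rc=1 ;;
        esac
    fi
    return $rc
}

# fix_gnupg_home HOMEDIR: the repair that works on a real Unix filesystem.
# On a FAT volume chmod is a no-op; there the mount-time umask=077 shown in
# the message above is what produces these modes.
fix_gnupg_home() {
    chmod 700 "$1" && { [ ! -f "$1/gpg.conf" ] || chmod 600 "$1/gpg.conf"; }
}

# Constructed demo: simulate the world-rwx modes a FAT mount typically fakes,
# observe the warning, apply the fix, and re-check (0 = fixed state is clean).
demo() {
    d=$(mktemp -d) || return 2
    : > "$d/gpg.conf"
    chmod 777 "$d"
    chmod 666 "$d/gpg.conf"
    if check_gnupg_home "$d"; then
        echo "demo: expected a warning on the 777 homedir" >&2
        rm -rf "$d"
        return 1
    fi
    fix_gnupg_home "$d"
    check_gnupg_home "$d"
    rc=$?
    rm -rf "$d"
    return $rc
}
```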


Re: moving up from 2.0.26 to 2.1.1

2015-02-11 Thread Brian Minton

In Debian, the experimental repo has gpg 2.1 with all dependencies. Follow
the instructions at https://wiki.debian.org/DebianExperimental

On Wed, Feb 11, 2015, 8:46 AM Philip Jackson 
wrote:

> On 10/02/15 23:53, Daniel Kahn Gillmor wrote:
> > The questions you're asking are very much the sort of thing that
> > distributions are designed to address.
> >
> > What distro are you using?  what version?  2.1.1 has been packaged for
> > some distros already (as have some of these dependencies), and you might
> > be able to save yourself a lot of pain by choosing a path with a
> > maintainer familiar with your system :)
>
> Thank you for your reply, Daniel.
>
> I'm using UbuntuStudio 1404 - a flavour of Ubuntu, kept up to date by frequent
> downloads by their "Software Updater" utility.
>
> I originally tried using the gnupg2 2.0.22 available as a package from Ubuntu,
> but once installed I couldn't make it work (and I do know about enigmail having
> to locate gpg2).  As soon as I removed it, enigmail worked fine with gnupg1.4.16
> (the standard with the distro download).
>
> I then tried 2.0.26 on my own and this worked a treat.
>
> I find that distro packages (for Ubuntu) lag well behind what is available and I
> do appreciate that there is a trade-off between proven reliability and
> up-to-dateness and also that distros rely on maintainers who may well be
> volunteers.  So I don't mind trying available releases more up to date than the
> distro makes available.  I'm quite happy using Enigmail's nightly builds.
>
> Neither "Ubuntu Software Centre" nor "Synaptic Package Manager" indicate
> availability of anything more modern than 1.4.16 / 2.0.22 - unless you
> know better?
>
> Philip


Re: moving up from 2.0.26 to 2.1.1

2015-02-11 Thread Philip Jackson
On 10/02/15 23:53, Daniel Kahn Gillmor wrote:
> The questions you're asking are very much the sort of thing that
> distributions are designed to address.
> 
> What distro are you using?  what version?  2.1.1 has been packaged for
> some distros already (as have some of these dependencies), and you might
> be able to save yourself a lot of pain by choosing a path with a
> maintainer familiar with your system :)

Thank you for your reply, Daniel.

I'm using UbuntuStudio 1404 - a flavour of Ubuntu, kept up to date by frequent
downloads by their "Software Updater" utility.

I originally tried using the gnupg2 2.0.22 available as a package from Ubuntu,
but once installed I couldn't make it work (and I do know about enigmail having
to locate gpg2).  As soon as I removed it, enigmail worked fine with gnupg1.4.16
(the standard with the distro download).

I then tried 2.0.26 on my own and this worked a treat.

I find that distro packages (for Ubuntu) lag well behind what is available and I
do appreciate that there is a trade-off between proven reliability and
up-to-dateness and also that distros rely on maintainers who may well be
volunteers.  So I don't mind trying available releases more up to date than the
distro makes available.  I'm quite happy using Enigmail's nightly builds.

Neither "Ubuntu Software Centre" nor "Synaptic Package Manager" indicate
availability of anything more modern than 1.4.16 / 2.0.22 - unless you know
better?

Philip






Re: status of ed25519 draft

2015-02-11 Thread Werner Koch
On Tue, 10 Feb 2015 21:56, br...@minton.name said:
> Is there any way to see the progress of the IETF working group on
> the draft Werner has submitted?  I noticed that the draft expires in

The process to get the I-D to an RFC is somewhat work intensive and I
would actually prefer to have the OpenPGP WG re-established to make it
easier.  I will of course update the I-D in time.

> May.  In particular, I would like to know if 22 is going to be the IANA
> standardized Public-Key Algorithm number. 

We have an informal agreement on the WG list to use that number.


Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

