Purchasing OpenPGP cards, card-readers to support GnuPG
I'd like to both support the GnuPG project, and acquire an OpenPGP card and card reader. Is there any way to purchase these items where a portion of the proceeds goes to supporting GnuPG?

Thanks,

~Tomer

--
Encrypted email preferred.
http://taltman.sdf.org/public_key.asc
Key fingerprint = DFE8 7D60 D452 9C4F 5D1F 7515 F55F BB30 1719 7991

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Purchasing OpenPGP cards, card-readers to support GnuPG
I was hoping that long thread might suggest the same. Quite willing to support GPG via a purchase, but so little information is available...

regards DaveP

On 11 February 2015 at 15:35, taltman taltm...@stanford.edu wrote:
> I'd like to both support the GnuPG project, and acquire an OpenPGP card and card reader. Is there any way to purchase these items where a portion of the proceeds goes to supporting GnuPG?
>
> Thanks,
>
> ~Tomer
>
> --
> Encrypted email preferred.
> http://taltman.sdf.org/public_key.asc
> Key fingerprint = DFE8 7D60 D452 9C4F 5D1F 7515 F55F BB30 1719 7991

--
Dave Pawson
XSLT XSL-FO FAQ. Docbook FAQ.
http://www.dpawson.co.uk

Re: moving up from 2.0.26 to 2.1.1
On 11/02/15 14:59, Brian Minton wrote:
> In Debian, the experimental repo has gpg 2.1 with all dependencies. Follow the instructions at https://wiki.debian.org/DebianExperimental

Thank you for that suggestion, Brian.

I looked into the link you provided and decided that to see the precise name of the package, I'd add the repository address into source info in Synaptic Package manager. Which I did, together with Debian's gpg key. After reload, I searched for possible packages available at Debian experimental repo but failed to find any with names like gpg*, gnupg*.

So I'm not there yet. No hurry, though - lots to learn.

Philip

Re: moving up from 2.0.26 to 2.1.1
On 11/02/15 16:20, Robert J. Hansen wrote:
>> I find that distro packages (for Ubuntu) lag well behind what is available and I do appreciate that there is a trade-off between proven reliability and up-to-dateness and also that distros rely on maintainers who may well be volunteers...
>
> If your goal is to enjoy tinkering with technology, by all means, do what you're doing. Can't fault you for it in the least; I love doing it myself.

Yes, I guess that I fall into this type slot.

> If your goal is just to make sure you have the latest and greatest security updates, you should probably stick with your distro's packages. The distro package may *say* 2.0.22, but any security fixes released after 2.0.22 will quickly be backported into your distro's 2.0.22 package.

A priori, this doesn't seem very transparent but I suppose there must be a way to determine if 2.0.22 is original or augmented ?

Philip

Re: moving up from 2.0.26 to 2.1.1
In Debian, the experimental repo has gpg 2.1 with all dependencies. Follow the instructions at https://wiki.debian.org/DebianExperimental

On Wed, Feb 11, 2015, 8:46 AM Philip Jackson philip.jack...@nordnet.fr wrote:
> On 10/02/15 23:53, Daniel Kahn Gillmor wrote:
>> The questions you're asking are very much the sort of thing that distributions are designed to address. What distro are you using? what version? 2.1.1 has been packaged for some distros already (as have some of these dependencies), and you might be able to save yourself a lot of pain by choosing a path with a maintainer familiar with your system :)
>
> Thank you for your reply, Daniel.
>
> I'm using UbuntuStudio 1404 - a flavour of Ubuntu, kept up to date by frequent downloads by their Software Updater utility. I originally tried using the gnupg2 2.0.22 available as a package from Ubuntu, but once installed I couldn't make it work (and I do know about enigmail having to locate gpg2). As soon as I removed it, enigmail worked fine with gnupg1.4.16 (the standard with the distro download). I then tried 2.0.26 on my own and this worked a treat.
>
> I find that distro packages (for Ubuntu) lag well behind what is available and I do appreciate that there is a trade-off between proven reliability and up-to-dateness and also that distros rely on maintainers who may well be volunteers. So I don't mind trying available releases more up to date than the distro makes available. I'm quite happy using enigmail's nightly builds.
>
> Neither Ubuntu Software Centre nor Synaptic Package Manager indicate availability of anything more modern than 1.4.16 / 2.0.22 - unless you know better ?
>
> Philip

Re: Sign key with externalized master key
On Wed 2015-02-11 00:41:18 -0500, Xavier Maillard wrote:
> May I ask how one would sign public keys when a master key is stored onto a USB stick ?
>
> I followed instructions from [1]. Now I am in the process of announcing my key transition to all old signers *but*, as a last test, I just tested public signature with my master key and this is where troubles occur:
>
> LANG=C gpg --home /Volumes/FSF/.gnupg --recv-keys A KEYID
> gpg: WARNING: unsafe permissions on homedir `/Volumes/FSF/.gnupg'
> gpg: external program calls are disabled due to unsafe options file permissions
> gpg: keyserver communications error: General error
> gpg: keyserver receive failed: General error
>
> So what ? My USB stick is formatted using extFat so permissions are something unknown.

The fact that you're using a FAT volume is the root cause here; FAT filesystems do not have ownership or permissions, so when a modern OS mounts them, it has to fake permissions for these files.

If you mount the filesystem manually, you can usually specify tighter permissions. I don't know the exact syntax for OS X, but on GNU/Linux systems, that would be:

    mount -t vfat -ouid=$USERNAME,umask=077 /dev/sdx1 /Volumes/FSF

umask is the relevant option here to set the default permissions.

Alternately, if your umask is set properly before mounting the filesystem, i think mount(8) will just default to it.

hth,

--dkg

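Added example, not part of the thread and not GnuPG's own code: a pre-flight check for a GnuPG home directory on removable media, so the effect of a mount option such as umask=077 can be confirmed before gpg is run. The two rules it applies (home directory owned by the invoking user with no group/other permission bits; options file not group- or other-writable) are this example's assumptions about what triggers the two warnings quoted above, and the function names are hypothetical.

```shell
#!/bin/sh
# Pre-flight check for a GnuPG home directory (added example; function names
# are hypothetical). Assumed rules, modelled on the warnings quoted above:
#   - homedir: a directory owned by the invoking user, no group/other bits
#   - options file: owned by the user or root, not group/other writable

# Print "<10-char mode string> <numeric uid>" for a path, e.g. "drwx------ 1000".
mode_and_owner() {
    # -d: the directory itself, not its contents; -n: numeric uid/gid.
    ls -ldn -- "$1" 2>/dev/null | awk '{ print substr($1, 1, 10), $3 }'
}

# Each check returns 0 if safe, 1 if unsafe, 2 if the path cannot be examined.
homedir_is_safe() {
    info=$(mode_and_owner "$1")
    [ -n "$info" ] || return 2
    mode=${info% *}
    owner=${info#* }
    [ "$owner" = "$(id -u)" ] || return 1
    case $mode in
        d???------) return 0 ;;   # access for the owner only
        *)          return 1 ;;   # not a directory, or group/other bits set
    esac
}

options_file_is_safe() {
    info=$(mode_and_owner "$1")
    [ -n "$info" ] || return 2
    mode=${info% *}
    owner=${info#* }
    [ "$owner" = "$(id -u)" ] || [ "$owner" = 0 ] || return 1
    case $mode in
        -????-??-?) return 0 ;;   # group-write and other-write both clear
        *)          return 1 ;;
    esac
}

# Report on a homedir and on the gpg.conf inside it, if there is one.
check_gnupg_home() {
    home=$1
    status=0
    if homedir_is_safe "$home"; then
        echo "ok:     $home"
    else
        echo "unsafe: $home (want owner-only access, owned by uid $(id -u))"
        status=1
    fi
    if [ -e "$home/gpg.conf" ]; then
        if options_file_is_safe "$home/gpg.conf"; then
            echo "ok:     $home/gpg.conf"
        else
            echo "unsafe: $home/gpg.conf (writable by group or others)"
            status=1
        fi
    fi
    return "$status"
}

# Constructed demo: a scratch directory stands in for the mounted stick, and
# chmod imitates the permissions a mount would present.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/gpg.conf"
    chmod 755 "$d"; chmod 666 "$d/gpg.conf"    # permissive mount
    check_gnupg_home "$d" || true
    chmod 700 "$d"; chmod 600 "$d/gpg.conf"    # owner-only access
    check_gnupg_home "$d" || true
    rm -rf "$d"
}
demo
```

Run `check_gnupg_home` against the mounted path before pointing gpg at it; a non-zero exit status means one of the two checks failed.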
Re: moving up from 2.0.26 to 2.1.1
> I find that distro packages (for Ubuntu) lag well behind what is available and I do appreciate that there is a trade-off between proven reliability and up-to-dateness and also that distros rely on maintainers who may well be volunteers...

If your goal is to enjoy tinkering with technology, by all means, do what you're doing. Can't fault you for it in the least; I love doing it myself.

If your goal is just to make sure you have the latest and greatest security updates, you should probably stick with your distro's packages. The distro package may *say* 2.0.22, but any security fixes released after 2.0.22 will quickly be backported into your distro's 2.0.22 package.

Generating
Hi,

I just acquired an OpenPGP v2.0 SmartCard. Works beautifully, except for one thing: no 4096 bit keys. I thought this would be supported, but when I try to generate a key with gpg --card-edit, I can only select up to 3072 bits.

I thought 4096 was supported on the v2 card, as long as you had GnuPG 2.0.18+, which I do:

gpg (GnuPG/MacGPG2) 2.0.26
libgcrypt 1.6.2
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA, RSA, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Any ideas?

thanks in advance
lvh

Re: (bug?) Revoked keys and past signatures
On Tue 2015-02-10 18:24:19 -0500, Daniel Kahn Gillmor wrote:
> It sounds to me like you're asking for the standard to separate out signature creation time from signature validity start time. This is an interesting proposal, and i can see why it would make sense for this scenario. I can also see it introducing a lot of subtle bugs in what is already a very nuanced and subtle area (certificate timestamp checking; not just in OpenPGP either -- the ongoing x.509 discussions about overlapping windows of certificate validity).

For reference, X.509 does not provide the signing time at all, but has notBefore and notAfter fields. Other signed objects that use CMS can potentially have all three, which is potentially confusing:

http://csrc.nist.gov/groups/SNS/piv/npivp/SP80078FAQ.htm

    X.509 public key certificates do not specify the time of signature generation, but do specify a validity period using the notBefore and notAfter fields. For each of the X.509 certificates, the notBefore time in the certificate should be used as the digital signature generation date.

    The digital signatures on the CHUID, biometric, and security object are all encoded as Cryptographic Message Syntax (CMS) external digital signatures, as defined in RFC 3852. RFC 3852 defines the signingTime attribute, which specifies the time at which the signer (purportedly) performed the signing process. If present in a particular object (i.e., the CHUID, biometric, or security object), the signingTime attribute should be used as the signature generation time. For any object that omits the signingTime attribute, the notBefore time encoded in the corresponding PIV Authentication certificate should be used as the signature generation time.

(the above is slightly out of date, and should reference https://tools.ietf.org/html/rfc5652#section-11.3 instead of RFC 3852)

--dkg

Re: moving up from 2.0.26 to 2.1.1
On 11/02/15 21:16, Daniel Kahn Gillmor wrote:
> On Wed 2015-02-11 14:02:49 -0500, Philip Jackson wrote:
>> On 11/02/15 14:59, Brian Minton wrote:
>>> In Debian, the experimental repo has gpg 2.1 with all dependencies. Follow the instructions at https://wiki.debian.org/DebianExperimental

snip...

> You don't say how you searched specifically, so i can't say what's gone wrong in your case.

I used the Synaptic Package Manager gui to search for gnupg2 after adding the experimental repository in the Settings/repository using the formula given on the website link provided by Brian Minton (above) :

    deb http://ftp.debian.org/debian experimental main

Amongst all the items listed then as available in experimental (after reload) there was nothing shown in Synaptic Package Manager under gnupg.

> Here's what i see:
>
> 0 dkg@alice:~$ apt-cache policy gnupg2
> gnupg2:
>   Installed: 2.1.1-1
>   Candidate: 2.1.1-1
>   Version table:
>  *** 2.1.1-1 0
>           1 http://ftp.us.debian.org/debian/ experimental/main amd64 Packages
>         100 /var/lib/dpkg/status
>      2.0.26-4 0
>         500 http://ftp.us.debian.org/debian/ jessie/main amd64 Packages
>         200 http://ftp.us.debian.org/debian/ sid/main amd64 Packages
> 0 dkg@alice:~$

When I try your way from the command line, I get :

$ apt-cache policy gnupg2
gnupg2:
  Installed: 2.0.22-3ubuntu1.1
  Candidate: 2.0.22-3ubuntu1.1
  Version table:
     2.1.1-1 0
          1 http://ftp.debian.org/debian/ experimental/main amd64 Packages
 *** 2.0.22-3ubuntu1.1 0
        500 http://fr.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.0.22-3ubuntu1 0
        500 http://fr.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

I'm not sure what this is telling me but I think it is indicating :

1. that 2.1.1 is available in experimental/main Packages.
2. that I have 2.0.22 installed
3. that latest available for my distro (candidate) is 2.0.22

Although I did, last summer, install 2.0.22 using the distro's software centre, I subsequently used the same software centre to remove it before building 2.0.26 on my own. So I don't know why the above indicates that 2.0.22 is installed. If I do gpg2 --version, it comes back clearly with 2.0.26. and enigmail clearly indicates that it has found the gpg2 that I built.

So, moving on, if I do :

    apt-get -t experimental install gnupg2

will I get 2.1.1 installed together with its dependencies ?

And returning to my original questions, since it is written that 2.0* and 2.1 cannot co-exist, I suppose that I shall have to remove manually everything connected with my 2.0.26 ?

Thanks,

Philip

[Announce] GnuPG 2.1.2 released
Hello!

The GnuPG Project is pleased to announce the availability of the third release of GnuPG modern: Version 2.1.2.

The GNU Privacy Guard (GnuPG) is a complete and free implementation of the OpenPGP standard as defined by RFC-4880 and better known as PGP.

GnuPG, also known as GPG, allows to encrypt and sign data and communication, features a versatile key management system as well as access modules for public key directories. GnuPG itself is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries making use of GnuPG are available. Since version 2 GnuPG provides support for S/MIME and Secure Shell in addition to OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom). It can be freely used, modified and distributed under the terms of the GNU General Public License.

Three different versions of GnuPG are actively maintained:

- GnuPG modern (2.1) is the latest development with a lot of new features. This announcement is about the first release of this version.

- GnuPG stable (2.0) is the current stable version for general use. This is what most users are currently using.

- GnuPG classic (1.4) is the old standalone version which is most suitable for older or embedded platforms.

You may not install modern (2.1) and stable (2.0) at the same time. However, it is possible to install classic (1.4) along with any of the other versions.

What's New in GnuPG-2.1
=======================

* gpg: The parameter 'Passphrase' for batch key generation works again.

* gpg: Using a passphrase option in batch mode now has the expected effect on --quick-gen-key.

* gpg: Improved reporting of unsupported PGP-2 keys.

* gpg: Added support for algo names when generating keys using --command-fd.

* gpg: Fixed DoS based on bogus and overlong key packets.

* agent: When setting --default-cache-ttl the value for --max-cache-ttl is adjusted to be not lower than the former.

* agent: Fixed problems with the new --extra-socket.

* agent: Made --allow-loopback-pinentry changeable with gpgconf.

* agent: Fixed importing of unprotected openpgp keys.

* agent: Now tries to use a fallback pinentry if the standard pinentry is not installed.

* scd: Added support for ECDH.

* Fixed several bugs related to bogus keyrings and improved some other code.

A detailed description of the changes found in 2.1 can be found at https://gnupg.org/faq/whats-new-in-2.1.html .

Getting the Software
====================

Please follow the instructions found at https://gnupg.org/download/ or read on:

GnuPG 2.1.2 may be downloaded from one of the GnuPG mirror sites or direct from its primary FTP server. The list of mirrors can be found at https://gnupg.org/mirrors.html . Note that GnuPG is not available at ftp.gnu.org.

On ftp.gnupg.org you find these files:

    ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.2.tar.bz2 (4720k)
    ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.2.tar.bz2.sig

This is the GnuPG 2.1 source code compressed using BZIP2 and its OpenPGP signature.

A Windows installer is not available for this version because we are currently reworking some parts of it.

This version fixes a lot of bugs found after the release of 2.1.0 but there are still known bugs which we are working on. Please check the mailing list archives and https://wiki.gnupg.org for known problems and workaround.

Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways:

* If you already have a version of GnuPG installed, you can simply verify the supplied signature. For example to verify the signature of the file gnupg-2.1.2.tar.bz2 you would use this command:

      gpg --verify gnupg-2.1.2.tar.bz2.sig gnupg-2.1.2.tar.bz2

  This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by one or more of the release signing keys. Make sure that this is a valid key, either by matching the shown fingerprint against a trustworthy list of valid release signing keys or by checking that the key has been signed by trustworthy other keys. See below for information on the signing keys.

* If you are not able to use an existing version of GnuPG, you have to verify the SHA-1 checksum. On Unix systems the command to do this is either sha1sum or shasum. Assuming you downloaded the file gnupg-2.1.1.tar.bz2, you would run the command like this:

      sha1sum gnupg-2.1.2.tar.bz2

  and check that the output matches the first line from the following list:

      7e972cb9af47d9b8ce164dcf37fc4f32634d6cd6 gnupg-2.1.2.tar.bz2

Release Signing Keys
====================

To guarantee that a downloaded GnuPG version has not been tampered by malicious entities we provide signature files for all tarballs and binary
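
Added example, not part of the announcement and not GnuPG's own tooling: the checksum route described under "Checking the Integrity", written as a script that looks a file up in a checksum list of the form shown there and compares the entry with the locally computed SHA-1, using sha1sum or shasum, whichever is installed. The function names, the list file name and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Compare a downloaded file against a "<sha1> <filename>" checksum list
# (added example; function names and sample data are constructed).

# Print the lowercase SHA-1 of a file using whichever tool is installed.
sha1_of() {
    [ -r "$1" ] || return 2
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum < "$1" | awk '{ print tolower($1) }'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 < "$1" | awk '{ print tolower($1) }'
    else
        return 127
    fi
}

# Print the hash recorded for a file name in the list, if there is one.
# $1 = checksum list, $2 = file name as written in the list.
expected_sha1() {
    awk -v name="$2" \
        '$2 == name || $2 == "*" name { print tolower($1); exit }' "$1"
}

# 0 = match, 1 = mismatch, 2 = cannot check (unreadable file, no usable
# list entry, or no hashing tool).
verify_against_list() {
    list=$1
    file=$2
    [ -r "$list" ] && [ -r "$file" ] || return 2
    want=$(expected_sha1 "$list" "$(basename -- "$file")")
    # A SHA-1 is exactly 40 hex digits; refuse anything else from the list.
    case $want in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || return 2
    have=$(sha1_of "$file") || return 2
    [ -n "$have" ] || return 2
    [ "$have" = "$want" ]
}

# Constructed demo: the file holds the three bytes "abc", whose SHA-1 is the
# standard test vector used in the list below.
demo() {
    w=$(mktemp -d) || return 1
    printf 'abc' > "$w/sample.tar.bz2"
    printf '%s  %s\n' a9993e364706816aba3e25717850c26c9cd0d89d \
        sample.tar.bz2 > "$w/SHA1SUMS"
    if verify_against_list "$w/SHA1SUMS" "$w/sample.tar.bz2"; then
        echo "sample.tar.bz2: checksum matches"
    fi
    printf 'x' >> "$w/sample.tar.bz2"          # simulate a modified download
    if ! verify_against_list "$w/SHA1SUMS" "$w/sample.tar.bz2"; then
        echo "sample.tar.bz2: checksum does NOT match"
    fi
    rm -rf "$w"
}
demo
```

The comparison is only as trustworthy as the source of the checksum list; the signature check is the first of the two methods the announcement gives.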
Re: Purchasing OpenPGP cards, card-readers to support GnuPG
On Wed, 11 Feb 2015 16:35, taltm...@stanford.edu said:
> Is there any way to purchase these items where a portion of the proceeds goes to supporting GnuPG?

Not that I know about. I for myself did not want to get into the hardware business. But meanwhile I consider to have some merchandise stuff and a card might well fit into that category. Maybe not a card but the fully free gnuk token.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.

Re: moving up from 2.0.26 to 2.1.1
On Wed 2015-02-11 14:02:49 -0500, Philip Jackson wrote:
> On 11/02/15 14:59, Brian Minton wrote:
>> In Debian, the experimental repo has gpg 2.1 with all dependencies. Follow the instructions at https://wiki.debian.org/DebianExperimental
>
> Thank you for that suggestion, Brian.
>
> I looked into the link you provided and decided that to see the precise name of the package, I'd add the repository address into source info in Synaptic Package manager. Which I did, together with Debian's gpg key. After reload, I searched for possible packages available at Debian experimental repo but failed to find any with names like gpg*, gnupg*.
>
> So I'm not there yet. No hurry, though - lots to learn.

You don't say how you searched specifically, so i can't say what's gone wrong in your case.

Here's what i see:

0 dkg@alice:~$ apt-cache policy gnupg2
gnupg2:
  Installed: 2.1.1-1
  Candidate: 2.1.1-1
  Version table:
 *** 2.1.1-1 0
          1 http://ftp.us.debian.org/debian/ experimental/main amd64 Packages
        100 /var/lib/dpkg/status
     2.0.26-4 0
        500 http://ftp.us.debian.org/debian/ jessie/main amd64 Packages
        200 http://ftp.us.debian.org/debian/ sid/main amd64 Packages
0 dkg@alice:~$

hth,

--dkg

Re: moving up from 2.0.26 to 2.1.1
> A priori, this doesn't seem very transparent but I suppose there must be a way to determine if 2.0.22 is original or augmented ?

Yep, but as I'm not much of an Ubuntu guy I'll let one of them give you specific instructions -- I just know Ubuntu, like Debian (which it's built on), is very good about making that information available.

As a first try I'd suggest looking at:

https://launchpad.net/ubuntu/+source/gnupg2/2.0.24-1ubuntu2

Re: Sign key with externalized master key
Daniel Kahn Gillmor d...@fifthhorseman.net writes:
> On Wed 2015-02-11 00:41:18 -0500, Xavier Maillard wrote:
>> May I ask how one would sign public keys when a master key is stored onto a USB stick ?
>>
>> I followed instructions from [1]. Now I am in the process of announcing my key transition to all old signers *but*, as a last test, I just tested public signature with my master key and this is where troubles occur:
>>
>> LANG=C gpg --home /Volumes/FSF/.gnupg --recv-keys A KEYID
>> gpg: WARNING: unsafe permissions on homedir `/Volumes/FSF/.gnupg'
>> gpg: external program calls are disabled due to unsafe options file permissions
>> gpg: keyserver communications error: General error
>> gpg: keyserver receive failed: General error
>>
>> So what ? My USB stick is formatted using extFat so permissions are something unknown.
>
> The fact that you're using a FAT volume is the root cause here; FAT filesystems do not have ownership or permissions, so when a modern OS mounts them, it has to fake permissions for these files.

Thank you for this precision. Are you aware of some portable and well supported by the 3-major OSes filesystem type ?

Regards
--
Xavier

Re: Sign key with externalized master key
Xavier Maillard:
> Daniel Kahn Gillmor d...@fifthhorseman.net writes:
>> On Wed 2015-02-11 00:41:18 -0500, Xavier Maillard wrote:
>>> May I ask how one would sign public keys when a master key is stored onto a USB stick ?
>>>
>>> I followed instructions from [1]. Now I am in the process of announcing my key transition to all old signers *but*, as a last test, I just tested public signature with my master key and this is where troubles occur:
>>>
>>> LANG=C gpg --home /Volumes/FSF/.gnupg --recv-keys A KEYID
>>> gpg: WARNING: unsafe permissions on homedir `/Volumes/FSF/.gnupg'
>>> gpg: external program calls are disabled due to unsafe options file permissions
>>> gpg: keyserver communications error: General error
>>> gpg: keyserver receive failed: General error
>>>
>>> So what ? My USB stick is formatted using extFat so permissions are something unknown.
>>
>> The fact that you're using a FAT volume is the root cause here; FAT filesystems do not have ownership or permissions, so when a modern OS mounts them, it has to fake permissions for these files.
>
> Thank you for this precision. Are you aware of some portable and well supported by the 3-major OSes filesystem type ?

Since your issue only affects signing of other keys - which normally is not a daily scenario - what about using a GNU/Linux live system/CD/USB for that purpose? That way you can use a normal GNU/Linux supported filesystem and don't have to worry whether to trust your normal OS or which filesystem is compatible with all OSes you intend to use.

~flapflap

Re: Key keeps showing unknown trust
Hi

On Monday 9 February 2015 at 9:24:50 AM, in mid:20150209092450.ga12...@athena.barrera.io, Hugo Osvaldo Barrera wrote:
> Only on older versions of gpg, according to the man pages:
>
> ~/.gnupg/secring.gpg
>     A secret keyring as used by GnuPG versions before 2.1. It is not used by GnuPG 2.1 and later.

If GnuPG 2.1.x finds an existing secring.gpg, that is used. If not, the new file format secring.kbx is used.

--
Best regards

MFPA mailto:2014-667rhzu3dc-lists-gro...@riseup.net

Free advice costs nothing until you act upon it

Re: Purchasing OpenPGP cards, card-readers to support GnuPG
On 02/12/2015 12:35 AM, taltman wrote:
> Is there any way to purchase these items where a portion of the proceeds goes to supporting GnuPG?

Indirectly, I'd say.

I think that if you stay in Europe, being a FSFE member, you'll get its member card with OpenPGPcard feature. I'm sure that it will improve the eco system around GnuPG, although it's not directly supporting GnuPG development. Besides, it gives her good opportunity to consider the importance and difficulty of controlling her own computing, by a concrete example of card reader implementation and card implementation.

Buying OpenPGPcard implementations (instead of other card implementations of PKCS) also benefits GnuPG development indirectly. Because OpenPGPcard specification is published, and its functionality is clear enough. Well, PKCS is published, YES... but supporting cards other than OpenPGPcard specification is very difficult for free software project, in general, because the standard practice assumes non-free environment and the industry tends to be unfriendly to free software.

Buying original OpenPGPcard implementation would be better, so that we can support publishing OpenPGPcard specification as free specification.

Perhaps, you'd like more free implementation of OpenPGPcard, but (partially) non-free implementation also works. In the current situation, I never accuse users/developers of non-free OpenPGPcard implementation. It's not ideal, but it would be an important step towards better control of our own computing.

Difficulty is... for card readers. I only know one free (as in freedom) implementation which connects physical card, that's CryptoStick (now, new project name, Nitrokey), which combines physical OpenPGPcard into a token.

Lastly and unlikely, if you stay in Japan, being a FSIJ member, you'll automatically get the pressure of buying FST-01 as Gnuk Token (or NeuG standalone). :-)

I'm selling FST-01 so that I could have more time for GnuPG development, and I'd like to invite more developers into this area, while I'd like to encourage Chinese Industry for free (as in freedom) hardware design.

Re: Sign key with externalized master key
On Wed, Feb 11, 2015, 5:33 PM Xavier Maillard xav...@maillard.im wrote:
> Thank you for this precision. Are you aware of some portable and well supported by the 3-major OSes filesystem type ?

Just UDF

Re: status of ed25519 draft
On Tue, 10 Feb 2015 21:56, br...@minton.name said:
> Is there any way to see the progress of the IETF working group on the draft Werner has submitted? I noticed that the draft expires in

The process to get the I-D to an RFC is somewhat work intensive and I would actually prefer to have the OpenPGP WG re-established to make it easier. I will of course update the I-D in time.

> May. In particular, I would like to know if 22 is going to be the IANA standardized Public-Key Algorithm number.

We have an informal agreement on the WG list to use that number.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.

Re: moving up from 2.0.26 to 2.1.1
On 10/02/15 23:53, Daniel Kahn Gillmor wrote:
> The questions you're asking are very much the sort of thing that distributions are designed to address. What distro are you using? what version? 2.1.1 has been packaged for some distros already (as have some of these dependencies), and you might be able to save yourself a lot of pain by choosing a path with a maintainer familiar with your system :)

Thank you for your reply, Daniel.

I'm using UbuntuStudio 1404 - a flavour of Ubuntu, kept up to date by frequent downloads by their Software Updater utility. I originally tried using the gnupg2 2.0.22 available as a package from Ubuntu, but once installed I couldn't make it work (and I do know about enigmail having to locate gpg2). As soon as I removed it, enigmail worked fine with gnupg1.4.16 (the standard with the distro download). I then tried 2.0.26 on my own and this worked a treat.

I find that distro packages (for Ubuntu) lag well behind what is available and I do appreciate that there is a trade-off between proven reliability and up-to-dateness and also that distros rely on maintainers who may well be volunteers. So I don't mind trying available releases more up to date than the distro makes available. I'm quite happy using enigmail's nightly builds.

Neither Ubuntu Software Centre nor Synaptic Package Manager indicate availability of anything more modern than 1.4.16 / 2.0.22 - unless you know better ?

Philip

Re: Sign key with externalized master key
flapflap flapf...@riseup.net writes:
> Xavier Maillard:
>> Daniel Kahn Gillmor d...@fifthhorseman.net writes:
>>> On Wed 2015-02-11 00:41:18 -0500, Xavier Maillard wrote:
>>>> May I ask how one would sign public keys when a master key is stored onto a USB stick ?
>>>>
>>>> So what ? My USB stick is formatted using extFat so permissions are something unknown.
>>>
>>> The fact that you're using a FAT volume is the root cause here; FAT filesystems do not have ownership or permissions, so when a modern OS mounts them, it has to fake permissions for these files.
>>
>> Thank you for this precision. Are you aware of some portable and well supported by the 3-major OSes filesystem type ?
>
> Since your issue only affects signing of other keys - which normally is not a daily scenario - what about using a GNU/Linux live system/CD/USB for that purpose? That way you can use a normal GNU/Linux supported filesystem and don't have to worry whether to trust your normal OS or which filesystem is compatible with all OSes you intend to use.

Good catch. I did something close: refurbished and updated my old slackware GNU/linux system with FUSE exfat support.

That does the job ! Thank you for your help.

--
Xavier