When to use GPG flags

2016-02-19 Thread Eric Pruitt
I'm writing an email client with support for PGP encrypted and signed
messages using GPG. I've noticed that GPG seems to do the right thing in
many situations regardless of the flags used, which makes it hard to know
if I'm passing it the correct flags. For example, if I pipe a
clearsigned message into GPG using "gpg --decrypt", GPG verifies the
clearsigned signature and strips the "---BEGIN PGP" and "---END
PGP..." blocks. I would expect GPG to raise an error because it doesn't
get any encrypted data. Is there some type of GPG "strict mode" that
will make GPG exit unsuccessfully when processing certain types of
data with flags that don't match? Ignoring buffer overflows and flaws in
the GPG code, is there any danger of remote execution by piping
arbitrary messages into "gpg" without _any_ flags at all (GPG seems to
"do the right thing" in many situations when no flags are provided at
all)?

Eric

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
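One way for a mail client to get the strictness the question asks for, as an added example that is not from the thread: ask gpg for its machine-readable status lines (the --status-fd option, keywords as documented in GnuPG's doc/DETAILS) and let the client decide whether the data carried the protections it expected, instead of trusting the exit code. The subprocess wrapper and the sample status streams below are constructed assumptions.

```python
"""Strict-mode check for a mail client driving gpg. Added example, not code
from the thread. It folds GnuPG's --status-fd lines into flags and compares
them with what the caller expected; the sample status texts are constructed."""
import subprocess
from dataclasses import dataclass

SIG_KEYWORDS = {"GOODSIG", "BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class GpgStatus:
    encrypted: bool = False      # ENC_TO / BEGIN_DECRYPTION seen
    decryption_ok: bool = False  # DECRYPTION_OKAY seen
    signed: bool = False         # any signature status line seen
    good_sig: bool = False       # GOODSIG seen
    no_data: bool = False        # NODATA seen: no usable OpenPGP packets


def parse_status(status_text: str) -> GpgStatus:
    """Fold the [GNUPG:] lines gpg wrote to its status fd into flags."""
    st = GpgStatus()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # ordinary diagnostics share the stream; ignore them
        keyword = line.split()[1]
        if keyword in ("ENC_TO", "BEGIN_DECRYPTION"):
            st.encrypted = True
        elif keyword == "DECRYPTION_OKAY":
            st.decryption_ok = True
        elif keyword in SIG_KEYWORDS:
            st.signed = True
            st.good_sig = st.good_sig or keyword == "GOODSIG"
        elif keyword == "NODATA":
            st.no_data = True
    return st


def enforce(st: GpgStatus, expect_encrypted: bool, expect_signed: bool) -> list:
    """Return the mismatches between what gpg saw and what the caller expected;
    an empty list means the message had exactly the expected protections."""
    problems = []
    if st.no_data:
        problems.append("no OpenPGP data found")
    if expect_encrypted and not (st.encrypted and st.decryption_ok):
        problems.append("expected an encrypted message but nothing was decrypted")
    if not expect_encrypted and st.encrypted:
        problems.append("unexpected encrypted data")
    if expect_signed and not st.good_sig:
        problems.append("expected a good signature")
    return problems


def decrypt_strict(message: bytes, expect_encrypted: bool, expect_signed: bool):
    """Run gpg on an incoming message (needs gpg on PATH; not exercised by the
    constructed samples). Status lines go to fd 2 so they never mix with the
    plaintext on stdout."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "2", "--decrypt"],
                          input=message, capture_output=True)
    st = parse_status(proc.stderr.decode("utf-8", "replace"))
    return proc.stdout, enforce(st, expect_encrypted, expect_signed)


# Constructed status streams for the cases the question describes.
CLEARSIGNED = "[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG 0123456789ABCDEF Example <e@example.org>\n"
ENCRYPTED_SIGNED = ("[GNUPG:] ENC_TO 0123456789ABCDEF 1 0\n[GNUPG:] BEGIN_DECRYPTION\n"
                    "[GNUPG:] GOODSIG 0123456789ABCDEF Example <e@example.org>\n"
                    "[GNUPG:] DECRYPTION_OKAY\n[GNUPG:] END_DECRYPTION\n")
NOT_PGP = "gpg: no valid OpenPGP data found.\n[GNUPG:] NODATA 1\n"
```

With this, a clearsigned message piped through "--decrypt" is reported as a mismatch when the client expected ciphertext, which is the strict behaviour gpg itself does not provide.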


RE: Use of --passphrase-file

2016-02-19 Thread Harman, Michael
Thanks Brian. I think I tried this but I couldn’t figure out how to completely 
hide the passphrase so no one could get to it. Maybe I was using it 
incorrectly. Since this is an unattended operation that runs day and night, I 
wanted to secure the passphrase so gpg could get to it without human 
intervention, but not let anyone else see or know where it was stored.

Mike

Michael W. Harman, MIT | Senior Application Architect, Information Services | 
UHS of Delaware, Inc. | a subsidiary of Universal Health Services | Phone 
610.768.3416

From: Brian Minton [mailto:br...@minton.name]
Sent: Thursday, February 18, 2016 3:10 PM
To: Harman, Michael; gnupg-users@gnupg.org
Subject: Re: Use of --passphrase-file


A pretty good option is to use gpg-agent. It can keep your passphrase /secret 
key in (secure) memory for a few minutes so you can use the key in scripted 
tasks.

On Thu, Feb 18, 2016, 4:24 PM Harman, Michael <michael.har...@uhsinc.com> wrote:
I am attempting to automate a process that decrypts files. The files are 
encrypted with my key which has a passphrase. I have determined I can use the 
“--passphrase-file” option to get the passphrase of my key. In the gpg 
documentation at 
https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html, 
under “--passphrase-file file” it says “Don't use this option if you can avoid 
it”, but I can’t find any alternative solution in the documentation. I found 
one blog that says to just remove the passphrase, however I’d like to preserve 
the passphrase. Do you have any recommendations where I can have a passphrase 
but still use it in an unattended fashion that is secure?

Michael W. Harman, MIT | Senior Application Architect, Information Services | 
UHS of Delaware, Inc. | a subsidiary of Universal Health Services | Phone 
610.768.3416

UHS of Delaware, Inc. Confidentiality Notice: This e-mail message, including 
any attachments, is for the sole use of the intended recipient(s) and may 
contain confidential and privileged information. Any unauthorized review, use, 
disclosure or distribution of this information is prohibited, and may be 
punishable by law. If this was sent to you in error, please notify the sender 
by reply e-mail and destroy all copies of the original message.



Re: How to configure Smartcard without 'toggle'

2016-02-19 Thread Nick Zbinden
Hi,

Sorry. The information is basically in the linked issue.

I had the problem months ago and there was no solution. Now I retried and I
still have the same problem. Back then it was probably 'gnupg-2.1.3.3'; now
it is the newest version from the Arch Linux repo, '2.1.11-1'.

I want to set up a Yubikey 4 Nano:

Reader ...: 1050:0405:X:0
Application ID ...: D276000124010201000604156287
Version ..: 2.1
Manufacturer .: Yubico

Since I never got to the point where the SmartCard is relevant, I don't
think it has anything to do with the problem.

My problem is that I cannot select the private keys, because I cannot use
'toggle'.

Thanks for your help!

2016-02-19 16:12 GMT+01:00 Werner Koch :

> Hi,
>
> if you have a problem with GnuPG, please always specify the version you
> are using and best also the OS.  For cards it is also useful to tell us
> the reader you are using.
>
> The first few lines of
>
>   gpg --version
>
> are the best way to show us the version (you may need to type "gpg2").
>
>
> Shalom-Salam,
>
>Werner
>
> --
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
>
>


RE: Use of --passphrase-file

2016-02-19 Thread Harman, Michael
Thanks Steve for your feedback! I spent a lot of time jotting down all the 
different ways to do this, including encrypting the passphrase file, adding 
some kind of trust to the key if possible or putting the passphrase inline in 
the code and then locking down the code itself. As you point out, any solution 
does not prevent someone from finding the passphrase if they really know how 
and where to look. I'll hide the passphrase and then lock it down with security.
Thanks again, Mike

Michael W. Harman, MIT | Senior Application Architect, Information Services | 
UHS of Delaware, Inc. | a subsidiary of Universal Health Services | Phone 
610.768.3416

From: Steve Butler [mailto:sbut...@fchn.com]
Sent: Thursday, February 18, 2016 2:56 PM
To: Harman, Michael; gnupg-users@gnupg.org
Subject: RE: Use of --passphrase-file

Any "secure" storage for the passphrase will itself need a mechanism to 
"unlock".  This only digs the hole one more level down.  Only you can decide 
when to stop digging.  But remember, whatever the automated script can do, a 
human following the script can also do.  [Note to self, use "hacker" instead of 
"human" next time.]

After wrestling with this for some time several years ago, I came to the 
conclusion that I could only delay the inevitable and could not prevent it.  In 
my case I chose to "hide" the plaintext passphrase in a fashion that kept the 
casual looker (non-hacker) at bay (1 level down) but was real easy to implement 
and didn't require another password/phrase.  Any serious programmer could 
easily read the code and reveal the passphrase.  Then I limit who has access to 
that particular box.

Stephen M. Butler, PMP, PSM
IT Manager - Software Engineering
First Choice Health Network
Email: sbut...@fchn.com
Voice: 206-268-2309
Fax:  206-268-6173

From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On Behalf Of Harman, 
Michael
Sent: Wednesday, February 17, 2016 8:34 AM
To: gnupg-users@gnupg.org
Subject: Use of --passphrase-file

I am attempting to automate a process that decrypts files. The files are 
encrypted with my key which has a passphrase. I have determined I can use the 
"--passphrase-file" option to get the passphrase of my key. In the gpg 
documentation at 
https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html, 
under "--passphrase-file file" it says "Don't use this option if you can avoid 
it", but I can't find any alternative solution in the documentation. I found 
one blog that says to just remove the passphrase, however I'd like to preserve 
the passphrase. Do you have any recommendations where I can have a passphrase 
but still use it in an unattended fashion that is secure?

Michael W. Harman, MIT | Senior Application Architect, Information Services | 
UHS of Delaware, Inc. | a subsidiary of Universal Health Services | Phone 
610.768.3416


CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain confidential
and privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original 
message.



Re: Documentation format

2016-02-19 Thread listo factor

On 02/06/2016 12:08 PM, Robert J. Hansen - r...@sixdemonbag.org wrote:

> Since I seem to have become the doyen of documentation, I figure I
> should ask: what markup language and/or output formats should we be
> pursuing for future documentation work?

Whatever you decide to use, I suggest considering the likely split
between the frequency of electronic vs. paper reading. If I was
doing it, my primary concern would be the ability of the chosen
format to support flexible, "read-time" formatting for electronic
displays of both 'pad and desktop monitor size. I also believe
colour has no place in such publications. All just IMHO, and from
someone who does not even remember when he last printed a
computer manual...

Factor




Re: A problem in the web of trust model or a gnupg bug?

2016-02-19 Thread Peter Lebbing
On 19/02/16 19:47, Andrea Dari wrote:
> This time gpg didn't run that command by itself.

Huh. That's odd. I've never observed GnuPG neglecting to update it
automatically when something might have changed.

But I'm glad you figured it out, it was pretty weird.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: A problem in the web of trust model or a gnupg bug?

2016-02-19 Thread Andrea Dari
Nope, I didn't; now it works!

This time gpg didn't run that command by itself.

Thanks Ingo

Andrea

2016-02-19 19:20 GMT+01:00 Ingo Klöcker :

> On Friday 19 February 2016 15:12:34 Andrea Dari wrote:
> > 1) This is the general situation:
> >
> > http://pastebin.com/NXuJj2h5
> >
> > User one is the user that I fully trust and has a revocation dated on
> > 18 February 2016
> >
> > 2) Here you can see User one pbkey details:
> >
> > http://pastebin.com/g2tQKzPN
> >
> > 3) Here you can see that user three is treated with validity = full
> > even if it is signed after the revocation of User one key.
> >
> > http://pastebin.com/EEGXcNa2
> >
> > Fortunately, this is not a real situation, but I tested it to
> > understand what happened in these cases, because I wasn't able to find
> > any documentation about it.
>
> Did you run "gpg --check-trustdb" after you revoked the key of User one?
>
>
> Regards,
> Ingo
>


Re: A problem in the web of trust model or a gnupg bug?

2016-02-19 Thread Ingo Klöcker
On Friday 19 February 2016 15:12:34 Andrea Dari wrote:
> 1) This is the general situation:
> 
> http://pastebin.com/NXuJj2h5
> 
> User one is the user that I fully trust and has a revocation dated on
> 18 February 2016
> 
> 2) Here you can see User one pbkey details:
> 
> http://pastebin.com/g2tQKzPN
> 
> 3) Here you can see that user three is treated with validity = full
> even if it is signed after the revocation of User one key.
> 
> http://pastebin.com/EEGXcNa2
> 
> Fortunately, this is not a real situation, but I tested it to
> understand what happened in these cases, because I wasn't able to find
> any documentation about it.

Did you run "gpg --check-trustdb" after you revoked the key of User one?


Regards,
Ingo




Re: How to configure Smartcard without 'toggle'

2016-02-19 Thread Werner Koch
Hi,

if you have a problem with GnuPG, please always specify the version you
are using and best also the OS.  For cards it is also useful to tell us
the reader you are using.

The first few lines of 

  gpg --version

are the best way to show us the version (you may need to type "gpg2").


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: A problem in the web of trust model or a gnupg bug?

2016-02-19 Thread Andrea Dari
I use the default Debian gnupg package config; I have only Andrea Dari's
private key.
I tested it also with gnupg v2.x but it still has the same problem.

2016-02-19 15:27 GMT+01:00 Peter Lebbing :

> On 19/02/16 15:12, Andrea Dari wrote:
> > 1) This is the general situation:
>
> I don't see why this unexpectedly keeps user three fully valid... it
> looks like you're right and three should be invalid. Do you have any
> funny stuff in gpg.conf? For which of these keys do you have the private
> key installed in this installation of GnuPG? I don't think the latter
> should matter, but it could be useful to know...
>
> Peter.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at 
>


Re: A problem in the web of trust model or a gnupg bug?

2016-02-19 Thread Peter Lebbing
On 19/02/16 15:12, Andrea Dari wrote:
> 1) This is the general situation:

I don't see why this unexpectedly keeps user three fully valid... it
looks like you're right and three should be invalid. Do you have any
funny stuff in gpg.conf? For which of these keys do you have the private
key installed in this installation of GnuPG? I don't think the latter
should matter, but it could be useful to know...

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: A problem in the web of trust model or a gnupg bug?

2016-02-19 Thread Andrea Dari
1) This is the general situation:

http://pastebin.com/NXuJj2h5

User one is the user that I fully trust and has a revocation dated on 18
February 2016

2) Here you can see User one pbkey details:

http://pastebin.com/g2tQKzPN

3) Here you can see that user three is treated with validity = full even if
it is signed after the revocation of User one key.

http://pastebin.com/EEGXcNa2

Fortunately, this is not a real situation, but I tested it to understand
what happened in these cases, because I wasn't able to find any
documentation about it.


2016-02-19 14:26 GMT+01:00 Peter Lebbing :

> I can't reproduce this. A revocation correctly invalidates any
> certifications *both* before or after the moment of revocation. After
> all, the time can be faked.[1]
>
> I tested with no "revocation reason" specified, by the way. But I don't
> think GnuPG uses the revocation reason for anything, although I'm not
> 100% sure.
>
> Could you show some of the output you get, possibly redacted for privacy?
>
> As a very simple explanation, are you overlooking a different
> certification on the key that is still valid and trusted?
>
> I used GnuPG 2.1.11.
>
> HTH,
>
> Peter.
>
> [1] Other than that, if you revoke a key using the revocation
> certificate you made when the key was created, it will show a revocation
> date equal to the creation date even though you only uploaded the
> certificate years later, for example. Even if only certifications made
> after revocation would be invalidated, that situation would still
> invalidate all revocations, since they're all later than the key
> creation. This is not very relevant to your problem, though, I just
> thought it was an interesting observation.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at 
>


Re: A problem in the web of trust model or a gnupg bug?

2016-02-19 Thread Peter Lebbing
I can't reproduce this. A revocation correctly invalidates any
certifications *both* before or after the moment of revocation. After
all, the time can be faked.[1]

I tested with no "revocation reason" specified, by the way. But I don't
think GnuPG uses the revocation reason for anything, although I'm not
100% sure.

Could you show some of the output you get, possibly redacted for privacy?

As a very simple explanation, are you overlooking a different
certification on the key that is still valid and trusted?

I used GnuPG 2.1.11.

HTH,

Peter.

[1] Other than that, if you revoke a key using the revocation
certificate you made when the key was created, it will show a revocation
date equal to the creation date even though you only uploaded the
certificate years later, for example. Even if only certifications made
after revocation would be invalidated, that situation would still
invalidate all revocations, since they're all later than the key
creation. This is not very relevant to your problem, though, I just
thought it was an interesting observation.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 




Re: A problem in the web of trust model or a gnupg bug?

2016-02-19 Thread Andrea Dari
Yes, both GMT.

Andrea

2016-02-19 12:33 GMT+01:00 Andrew Gallagher :

> On 19/02/16 10:25, Andrea Dari wrote:
> > Hi,
> >
> > In my public keyring I have a public key signed in date 19 February 2016
> > by a user (pbkey) that I trust fully, but the same pbkey of the user
> > that I trust is revoked in date 18 February 2016.
>
> Are both dates in GMT?
>
> A
>
>


Re: A problem in the web of trust model or a gnupg bug?

2016-02-19 Thread Andrew Gallagher
On 19/02/16 10:25, Andrea Dari wrote:
> Hi,
> 
> In my public keyring I have a public key signed in date 19 February 2016
> by a user (pbkey) that I trust fully, but the same pbkey of the user
> that I trust is revoked in date 18 February 2016.

Are both dates in GMT?

A





A problem in the web of trust model or a gnupg bug?

2016-02-19 Thread Andrea Dari
Hi,

In my public keyring I have a public key signed on 19 February 2016 by
a user (pbkey) that I trust fully, but the same pbkey of the user that I
trust was revoked on 18 February 2016.

So the question is, how can it be possible that a pbkey signed after a key
revocation, which could easily be done by a malicious user, is treated by
gnupg as having full validity?

This, in my opinion, should break the chain of trust for keys signed after
a key revocation.

A possible solution could be to change the trust of the revoked key from
full to untrusted, but in that case all the keys signed before the
revocation will be treated as having unknown validity, which is not what a user
could want.

Thanks to those who want to respond.

Andrea


How to configure Smartcard without 'toggle'

2016-02-19 Thread Nick Zbinden
Hello all,

I have the same issue as in this bug [1]. When I '--edit-key', the 'toggle'
command will not show the private keys. I don't understand the comments in
the bug ticket, and the question asked by 'einalex' seems relevant.

"perhaps I missed something but...with the command removed how are we able
to see the private keys (esp the details on where they are stored
(smartcards))."

Every single guide I was able to find uses this:

gpg --edit-key 0xXX
toggle
key 1
keytocard

How can I do this without the 'toggle' command? Am I missing something?

When I just type these commands the Smartcard rejects the keys, so it's
not just a visual problem.

[1] https://bugs.gnupg.org/gnupg/issue1975