Re: Querying gpg-agent configuration options

2016-04-26 Thread Paul R. Ramer
On 04/26/2016 07:20 PM, Eric Pruitt wrote:
> On Tue, Apr 26, 2016 at 07:13:29PM -0700, Paul R. Ramer wrote:
>> I didn't see any indication of such a feature from the man page, but you
>> could just look at the gpg-agent.conf file.
> 
> It's not that simple. I would also need to account for flags passed into
> the application via the command line (--default-cache-ttl, etc.)  which
> can also change the configuration file used. On top of that, the
> configuration file does not necessarily reflect the state of the running
> agent e.g. if the configuration were modified after the agent was
> launched and a reload command never issued to the application or if the
> configuration file was deleted. For certain desktop environments, things
> are further complicated -- if I recall correctly, the GNOME keyring
> doesn't necessarily read its configuration from the GPG home directory.

I see.  I didn't think about the GNOME example. While I knew that the
configuration file couldn't tell you everything about a running
instance, it was the only thing I could think of.  As I said earlier,
the man page doesn't seem to say anything about this.  Hopefully,
someone else with more knowledge can give you a better answer.

-Paul

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


OT: Peer review (was: making a Debian Live CD for managing GnuPG master key and smartcards)

2016-04-26 Thread Lachlan Gunn
> Well, there's a little bit of a chicken-and-the-egg problem here.  If
> new projects are told "don't evangelize here", how will they let users
> who might be interested in their project know it exists?  Evangelization
> is important.  I don't think we want to adopt a no-evangelization rule,
> but at the same time, we want to keep it within limits, too.

Yep, I think this is important.  I'd also suggest that actively
attempting to lure potential contributors to a project from their own
mailing list is a bit of a no-no as well.

A topic that someone mentioned in this thread was peer-review.  Is there
any venue out there for seeking third-party security review for
open-source code?  I don't mean anything professional, but just
something Stack-Overflow-ey.

A few of my projects involve crypto or some other kind of security
functionality, and I feel a bit uncomfortable evangelising too much
without having had someone else go over them more thoroughly than
Coverity can.  Here wouldn't be a good venue as they tend to range from
unrelated to competing (don't judge, I just need an MIT-licenced way to
check an OpenPGP signature), but given the amount of misguided security
code out there, it seems like somewhere more generally-oriented might be
useful.

Even restricting to GnuPG itself, obviously not every one-man-band using
GPG in a script can expect to come here and get a code audit.

Thanks,
Lachlan



Re: Querying gpg-agent configuration options

2016-04-26 Thread Eric Pruitt
On Tue, Apr 26, 2016 at 07:13:29PM -0700, Paul R. Ramer wrote:
> I didn't see any indication of such a feature from the man page, but you
> could just look at the gpg-agent.conf file.

It's not that simple. I would also need to account for flags passed into
the application via the command line (--default-cache-ttl, etc.)  which
can also change the configuration file used. On top of that, the
configuration file does not necessarily reflect the state of the running
agent e.g. if the configuration were modified after the agent was
launched and a reload command never issued to the application or if the
configuration file was deleted. For certain desktop environments, things
are further complicated -- if I recall correctly, the GNOME keyring
doesn't necessarily read its configuration from the GPG home directory.

Eric



Re: Querying gpg-agent configuration options

2016-04-26 Thread Paul R. Ramer
On 04/26/2016 02:31 PM, Eric Pruitt wrote:
> Is it possible to query the configuration of a running gpg-agent? In 
> particular, I would like to query the running agent to see what
> values are being used for default-cache-ttl and max-cache-ttl. I have
> reviewed the documentation for gpg-connect-agent and its commands but
> haven't found what I'm looking for.

I didn't see any indication of such a feature from the man page, but you
could just look at the gpg-agent.conf file. The man page says it
defaults to $GNUPGHOME/gpg-agent.conf. If you want to do this in an
automated way, just parse the text file for the values that are set for
the options you want to look at.

Hope that helps,

-Paul

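An added example, not code from this thread or from GnuPG, of the approach Paul suggests above (parse gpg-agent.conf for the TTL options) combined with the caveat Eric raises in his reply: flags on the agent's command line such as --default-cache-ttl override the file, and --options or --homedir change which file is read. The built-in defaults of 600 and 7200 seconds, the sample config and the sample command line are assumptions I constructed.

```python
"""Added example, not code from the thread or from GnuPG: work out the
default-cache-ttl / max-cache-ttl values an agent would load by parsing
gpg-agent.conf and then applying command-line overrides.  It cannot look
inside a running agent, so the result is what the agent loaded at
start-up, not necessarily its live state (e.g. after the file was edited
or deleted without a reload)."""
import os
from typing import Dict, List, Optional

TTL_OPTIONS = ("default-cache-ttl", "max-cache-ttl")
# Assumption: built-in defaults of gpg-agent in GnuPG 2.x, in seconds.
DEFAULTS = {"default-cache-ttl": 600, "max-cache-ttl": 7200}
# Long options known to take an argument; anything else is treated as a
# bare flag (e.g. --daemon) so the following word is not eaten as a value.
VALUE_OPTIONS = {"homedir", "options", *TTL_OPTIONS}


def parse_conf(text: str) -> Dict[str, str]:
    """Parse gpg-agent.conf syntax: one 'option [value]' per line,
    '#' starts a comment line, blank lines are ignored, last one wins."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        values[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return values


def parse_cmdline(argv: List[str]) -> Dict[str, str]:
    """Collect long options from an agent command line (e.g. as read from
    /proc/<pid>/cmdline on Linux), accepting --opt value and --opt=value."""
    opts: Dict[str, str] = {}
    i = 1  # argv[0] is the program name
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--"):
            name, sep, value = arg[2:].partition("=")
            if not sep and name in VALUE_OPTIONS and i + 1 < len(argv):
                value = argv[i + 1]
                i += 1
            opts[name] = value
        i += 1
    return opts


def config_path(cmdline: Dict[str, str], env: Dict[str, str]) -> str:
    """Which file the agent read: --options wins outright; otherwise
    --homedir, then $GNUPGHOME, then ~/.gnupg (the man-page default)."""
    if "options" in cmdline:
        return cmdline["options"]
    home = (cmdline.get("homedir") or env.get("GNUPGHOME")
            or os.path.expanduser("~/.gnupg"))
    return os.path.join(home, "gpg-agent.conf")


def effective_ttls(conf_text: Optional[str], argv: List[str]) -> Dict[str, int]:
    """Merge defaults < config file < command line for the two TTL options.
    conf_text=None models a missing or deleted file, which contributes nothing."""
    result = dict(DEFAULTS)
    layers = [parse_conf(conf_text) if conf_text is not None else {},
              parse_cmdline(argv)]
    for layer in layers:
        for opt in TTL_OPTIONS:
            if layer.get(opt, "").isdigit():
                result[opt] = int(layer[opt])
    return result


# Constructed sample input (not taken from the thread).
SAMPLE_CONF = """\
# cache passphrases for ten minutes, never longer than an hour
default-cache-ttl 600
max-cache-ttl     3600
pinentry-program /usr/bin/pinentry-curses
"""
SAMPLE_ARGV = ["gpg-agent", "--daemon", "--default-cache-ttl=300", "/bin/sh"]

if __name__ == "__main__":
    print("config file:", config_path(parse_cmdline(SAMPLE_ARGV), dict(os.environ)))
    print("effective TTLs:", effective_ttls(SAMPLE_CONF, SAMPLE_ARGV))
```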


Querying gpg-agent configuration options

2016-04-26 Thread Eric Pruitt
Is it possible to query the configuration of a running gpg-agent? In
particular, I would like to query the running agent to see what values
are being used for default-cache-ttl and max-cache-ttl. I have reviewed
the documentation for gpg-connect-agent and its commands but haven't
found what I'm looking for.

Thanks,
Eric



Re: making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-26 Thread Robert J. Hansen
> My reading of the group
> consensus is that this set of scripts is tolerated not endorsed or
> recommended.

Well, yeah, but let's keep in mind the GnuPG community
endorses/recommends very little.  Not even something like Enigmail gets
an endorsement or recommendation from GnuPG.  By and large, GnuPG just
focuses on GnuPG, and I think that's a good policy that's served
everyone well.  :)

> I personally feel a line is crossed when this group is used as
> the medium to promote a personal project.

Well, there's a little bit of a chicken-and-the-egg problem here.  If
new projects are told "don't evangelize here", how will they let users
who might be interested in their project know it exists?  Evangelization
is important.  I don't think we want to adopt a no-evangelization rule,
but at the same time, we want to keep it within limits, too.

We don't have a rule on this subject.  I don't think we need one,
either.  But speaking just for myself, I'd advise people not promote
their projects more than every other month.  Six announcements a year
ought to be plenty to let people know about a new project.



Re: making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-26 Thread Bob (Robert) Cavanaugh

Peter and All,
I completely agree. I think that this "project" is now outside the
scope of this group and should either split off into its own group or
the author should stop self-promoting. My reading of the group
consensus is that this set of scripts is tolerated not endorsed or
recommended. I have seen multiple posts specifically warning against
practices promulgated by this set of scripts and while there is
nothing wrong with experimenting and requesting feedback from the
group I personally feel a line is crossed when this group is used as
the medium to promote a personal project.

On 4/26/2016 4:32 AM, Peter Lebbing wrote:
> On 26/04/16 12:52, Dashamir Hoxha wrote:
>> A project similar in goals (simplifying GnuPG by automating tasks
>> and emphasising best practices) is this one:
>> https://github.com/dashohoxha/egpg You can find the answer to
>> some of the questions above by looking at its code.
> 
> I think you are taking the "plugging my project" approach too far.
> While generating exposure is definitely a good component of making
> your project successful, I think a bit more modesty is in order. If
> I had a say in it: Just create your own threads (not too many
> please :), don't mention your project in every thread where it has
> some common ground.
> 
> This is my personal opinion. I don't get to say what you do. But I
> feel the need to express this opinion now.
> 
> Regarding your choice of words and also modesty, the answers to
> the questions are not in your code. Your /opinions/ on the matter
> are in your code. You do not get to decide what is truth, what is
> the answer. Incidentally, the answer is 42, so you're late to the
> party... ;P
> 
> I hadn't even read the following until I almost trimmed it from the
> mail and it caught my eye... so ...
> 
>> In my opinion, the first thing to be done is to build a .deb
>> package for it, so that it can be installed easily on all Debian
>> derived systems, then you can also use it in your special Live CD
>> system. This is the task about it:
>> https://github.com/dashohoxha/egpg/issues/19
> 
> Wait, wait, wait... I sincerely hope you're not suggesting that
> the first thing Daniel Pocock and others need to do is build a .deb
> package for your project, that instead you meant this to read as
> "the first thing /I/ should do is build a .deb package for egpg",
> so that they can play with your code. I wouldn't even agree with
> the latter; but the former is just... I hope you can pick your own
> adjective.
> 
> Cheers,
> 
> Peter.
> 

-- 
Thanks,
Bob Cavanaugh




Re: making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-26 Thread MFPA
On Tuesday 26 April 2016 at 8:53:06 AM, Daniel Pocock wrote:

> There has been some discussion on debian-devel[1] about making a
> bootable Debian Live CD specifically for GnuPG
>
> The benefit is that everything on the CD is self-contained, it can't be
> tampered with, it can run without network support in the kernel and the
> workflow would be controlled by a script.  All the details, including
> workflow, are described in a wiki[2]
>
> I have some questions about this:
>
> - has anybody already seen anything like this?  Nobody likes
> re-inventing the wheel


[0] is a How-To for creating an OpenPGP keypair for use with GnuPG on
an airgapped system (using Tails) and exporting the subkeys for
day-to-day use. There is a link [1] to a second guide to export the
subkeys to an OpenPGP smartcard.


[0] 

[1] 



-- 
Best regards

MFPA  

Always be on the lookout for conspicuousness




Re: Req: 64-bit GnuPG/GPGME for Windows

2016-04-26 Thread Brian Minton

Does the speedo make file always build a 32 bit version?

On Tue, Apr 26, 2016, 1:33 PM Robert J. Hansen wrote:

> How difficult would it be to get a 64-bit GnuPG and GPGME binary package
> built for Windows?  The existing one appears to be 32-bit only, and my
> development environment is 64-bit only.
>
> (This is not a high-priority item.  Please, no one go to any special
> lengths.)
>


Req: 64-bit GnuPG/GPGME for Windows

2016-04-26 Thread Robert J. Hansen
How difficult would it be to get a 64-bit GnuPG and GPGME binary package
built for Windows?  The existing one appears to be 32-bit only, and my
development environment is 64-bit only.

(This is not a high-priority item.  Please, no one go to any special
lengths.)



Re: Is there a foolproof tutorial to start with gpgme?

2016-04-26 Thread Robert J. Hansen
> There is some ready to compile example somewhere with easy tasks like
> signature checking or compiling?

A while ago I wrote a brief GPGME application to iterate over keys on a
keyring -- I used it to benchmark whether GPGME or piping GnuPG output
to a Perl script would be faster for processing large keyrings.  I've
cleaned up the code, put a proper CMake build environment on it, and you
can download it at:

https://github.com/rjhansen/gpgme-example

Please note: since CMake doesn't have a plugin (yet) to automatically
detect GPGME, and since Homebrew's gpgme-config application is
completely broken (seriously, it refers to paths that don't even exist
on my system), certain paths are hardcoded.  Open src/CMakeLists.txt and
look at lines 2-7.  You'll need to edit those to reflect your own
system.  Beyond that, it should work for you.  If it doesn't, let me know!



Re: making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-26 Thread Dashamir Hoxha
On Tue, Apr 26, 2016 at 5:31 PM, Daniel Pocock wrote:

>
> > I don't want to do that. It doesn't seem reasonable to me.
>
> Can you please tell me what you mean when you say "It doesn't seem
> reasonable to me"?
>
> Alternatively, what would be reasonable?
>

Somebody else reviews it and finds it useful to build a DEB package for
it.


Re: making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-26 Thread Paolo Bolzoni
I am kinda lost, what is the topic again?

On Tue, Apr 26, 2016 at 5:31 PM, Daniel Pocock wrote:
>
>
> On 26/04/16 17:29, Dashamir Hoxha wrote:
>> On Tue, Apr 26, 2016 at 4:57 PM, Daniel Pocock wrote:
>>
>>
>>
>> On 26/04/16 15:40, Dashamir Hoxha wrote:
>> > On Tue, Apr 26, 2016 at 3:11 PM, Robert J. Hansen wrote:
>> >
>> > When asking other people to do things for you, it pays to keep in mind
>> > how valuable the community has deemed your contributions.  If you
>> > haven't earned much reputation, you might want to do that before you go
>> > about asking people to do things for you.
>> >
>> >
>> > Thanks Robert, it does make sense. What you said is definitely true.
>> > I have no power to force people to do something for me. But I have the
>> > right to say what I think should be done (up to my understanding).
>> > I cannot build a DEB package and I am not going to do that. But I can
>> > ask other people to do it... if they can, if they wish, if they find it
>> > reasonable, if they find it useful, etc. It is up to them to make their
>> > decision... which will not affect me either way.
>> >
>>
>> Yes, you can do that, in Debian you can file an RFP bug:
>>
>> https://wiki.debian.org/RFP
>>
>> If other people are interested in your package they will discover the
>> bug report and collaborate to make a package.
>>
>> You said you cannot build a package, well, Debian is 100% open and
>> transparent, our full packaging documentation is online:
>>
>> https://wiki.debian.org/IntroDebianPackaging
>>
>> and various references are at the bottom
>>
>> You don't have to be a Debian Developer, anybody on the Internet can
>> register with https://mentors.debian.net and upload a package they
>> created:
>>
>> http://mentors.debian.net/
>>
>>
>> I don't want to do that. It doesn't seem reasonable to me.
>
> Can you please tell me what you mean when you say "It doesn't seem
> reasonable to me"?
>
> Alternatively, what would be reasonable?
>



Re: making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-26 Thread Daniel Pocock


On 26/04/16 17:29, Dashamir Hoxha wrote:
> On Tue, Apr 26, 2016 at 4:57 PM, Daniel Pocock wrote:
> 
> 
> 
> On 26/04/16 15:40, Dashamir Hoxha wrote:
> > On Tue, Apr 26, 2016 at 3:11 PM, Robert J. Hansen wrote:
> >
> > When asking other people to do things for you, it pays to keep in mind
> > how valuable the community has deemed your contributions.  If you
> > haven't earned much reputation, you might want to do that before you go
> > about asking people to do things for you.
> >
> >
> > Thanks Robert, it does make sense. What you said is definitely true.
> > I have no power to force people to do something for me. But I have the
> > right to say what I think should be done (up to my understanding).
> > I cannot build a DEB package and I am not going to do that. But I can
> > ask other people to do it... if they can, if they wish, if they find it
> > reasonable, if they find it useful, etc. It is up to them to make their
> > decision... which will not affect me either way.
> >
> 
> Yes, you can do that, in Debian you can file an RFP bug:
> 
> https://wiki.debian.org/RFP
> 
> If other people are interested in your package they will discover the
> bug report and collaborate to make a package.
> 
> You said you cannot build a package, well, Debian is 100% open and
> transparent, our full packaging documentation is online:
> 
> https://wiki.debian.org/IntroDebianPackaging
> 
> and various references are at the bottom
> 
> You don't have to be a Debian Developer, anybody on the Internet can
> register with https://mentors.debian.net and upload a package they
> created:
> 
> http://mentors.debian.net/
> 
> 
> I don't want to do that. It doesn't seem reasonable to me.

Can you please tell me what you mean when you say "It doesn't seem
reasonable to me"?

Alternatively, what would be reasonable?



Re: making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-26 Thread Dashamir Hoxha
On Tue, Apr 26, 2016 at 4:57 PM, Daniel Pocock wrote:

>
>
> On 26/04/16 15:40, Dashamir Hoxha wrote:
> > On Tue, Apr 26, 2016 at 3:11 PM, Robert J. Hansen wrote:
> >
> > When asking other people to do things for you, it pays to keep in mind
> > how valuable the community has deemed your contributions.  If you
> > haven't earned much reputation, you might want to do that before you go
> > about asking people to do things for you.
> >
> >
> > Thanks Robert, it does make sense. What you said is definitely true.
> > I have no power to force people to do something for me. But I have the
> > right to say what I think should be done (up to my understanding).
> > I cannot build a DEB package and I am not going to do that. But I can ask
> > other people to do it... if they can, if they wish, if they find it
> > reasonable, if they find it useful, etc. It is up to them to make their
> > decision... which will not affect me either way.
> >
>
> Yes, you can do that, in Debian you can file an RFP bug:
>
> https://wiki.debian.org/RFP
>
> If other people are interested in your package they will discover the
> bug report and collaborate to make a package.
>
> You said you cannot build a package, well, Debian is 100% open and
> transparent, our full packaging documentation is online:
>
> https://wiki.debian.org/IntroDebianPackaging
>
> and various references are at the bottom
>
> You don't have to be a Debian Developer, anybody on the Internet can
> register with https://mentors.debian.net and upload a package they
> created:
>
> http://mentors.debian.net/


I don't want to do that. It doesn't seem reasonable to me.
On the other hand, EasyGnuPG is free software, anybody (that finds it
useful) can build a DEB package from it.

Regards,
Dashamir


Re: making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-26 Thread Daniel Pocock


On 26/04/16 15:40, Dashamir Hoxha wrote:
> On Tue, Apr 26, 2016 at 3:11 PM, Robert J. Hansen wrote:
> 
> When asking other people to do things for you, it pays to keep in mind
> how valuable the community has deemed your contributions.  If you
> haven't earned much reputation, you might want to do that before you go
> about asking people to do things for you.
> 
> 
> Thanks Robert, it does make sense. What you said is definitely true.
> I have no power to force people to do something for me. But I have the
> right to say what I think should be done (up to my understanding).
> I cannot build a DEB package and I am not going to do that. But I can ask
> other people to do it... if they can, if they wish, if they find it
> reasonable, if they find it useful, etc. It is up to them to make their
> decision... which will not affect me either way.
> 

Yes, you can do that, in Debian you can file an RFP bug:

https://wiki.debian.org/RFP

If other people are interested in your package they will discover the
bug report and collaborate to make a package.

You said you cannot build a package, well, Debian is 100% open and
transparent, our full packaging documentation is online:

https://wiki.debian.org/IntroDebianPackaging

and various references are at the bottom

You don't have to be a Debian Developer, anybody on the Internet can
register with https://mentors.debian.net and upload a package they created:

http://mentors.debian.net/

Regards,

Daniel



Re: Import a pkcs12 certificate chain

2016-04-26 Thread Ian Prideaux
> We then send our certificate to the third party
>
I was wrong. We don't send them the certificate, we send them the public
key generated when the certificate chain is imported.

What does all the extra messing about with certificates achieve, and how
can I get gnupg to do it?

Thanks.


On 26/04/16 13:47, Ian Prideaux wrote:
> Hi All,
> 
> I've got a system which exchanges files with third parties. One of them
> requires that the key is generated from a certificate. I create the CSR
> and get it signed by a CA. I then create a pkcs12 file containing the
> CA's root & intermediate certificates, and the certificate that they
> created from my CSR. We then send our certificate to the third party.
> 
> Currently, I'm using
> PGP Command Line 10.2 build 335 Copyright (C) 2011 Symantec Corporation
> but I want to start using
> gpg (GnuPG) 2.0.27 libgcrypt 1.5.3
> because that's what's supplied in Solaris11u3.
> 
> The Symantec command is:
> pgp --new-passphrase newpp --passphrase oldpp --import CertificateChain.p12
> 
> However, I can't figure out what the gpg2 command is, or even if gnupg
> is capable of this. I don't really understand what this is achieving
> that ordinary keys don't.
> 
> Please can someone help?
> 
> Thanks.
> 



Re: Import a pkcs12 certificate chain

2016-04-26 Thread Damien Goutte-Gattat

On 04/26/2016 02:47 PM, Ian Prideaux wrote:

> The Symantec command is:
> pgp --new-passphrase newpp --passphrase oldpp --import CertificateChain.p12
>
> However, I can't figure out what the gpg2 command is, or even if
> gnupg is capable of this.


I am not sure I understand your workflow and what you want to achieve
exactly.

But, as a starting point, you must know that the gpg2 program only deals
with OpenPGP keys and messages. To manipulate X.509 certificates, you
need gpgsm (another component of the GnuPG project) instead.

Presumably, the command you need should be

$ gpgsm --import CertificateChain.p12

to import the certificate and key from the PKCS#12 file into your
keyring. Then you would probably use the --export command to export back
the certificate only and send it to your third party.

Hope that helps somehow,

Damien





Re: making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-26 Thread Peter Lebbing
On 26/04/16 15:05, Dashamir Hoxha wrote:
> Please keep the discussion technical. If you don't agree with me
> this is fine. But when you express your opinion about my lack of
> modesty, this is getting personal.

This is not true: you are taking the word modesty out of the context I
used it in.

> And I don't care about your personal opinion about me, whoever you 
> are.

What you care about affects only you, and you can do to yourself
whatever you wish. I only butt in when it affects others. I've also
never until the previous message said anything about my personal opinion
of you ("respect evaporating a bit"), since it is, indeed, irrelevant.
You are inventing your own version of me, someone whose responses are
emotionally motivated, a version that has little basis in reality.

I'm done with this topic. After some doubt, I will post this to the
list, though.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-26 Thread Dashamir Hoxha
On Tue, Apr 26, 2016 at 3:11 PM, Robert J. Hansen wrote:
>
> When asking other people to do things for you, it pays to keep in mind
> how valuable the community has deemed your contributions.  If you
> haven't earned much reputation, you might want to do that before you go
> about asking people to do things for you.
>

Thanks Robert, it does make sense. What you said is definitely true.
I have no power to force people to do something for me. But I have the right
to say what I think should be done (up to my understanding).
I cannot build a DEB package and I am not going to do that. But I can ask
other people to do it... if they can, if they wish, if they find it
reasonable, if they find it useful, etc. It is up to them to make their
decision... which will not affect me either way.


Re: making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-26 Thread Robert J. Hansen
> Please keep the discussion technical. If you don't agree with me
> this is fine. But when you express your opinion about my lack of
> modesty, this is getting personal.

He can't do that, shouldn't do that, shouldn't even want to do that.
You're a human being, not a machine.  You deserve to be treated as a
person, not as a system of inputs and outputs.  Ideas should be
criticized or praised purely on a technical basis, but people should be
criticized or praised purely on a *human* basis.

I've looked over your egpg code.  My bloodless technical evaluation is
simple: "it is nowhere near ready for production environments."  And I
think if you read over the other technical criticisms you've received,
you'll see this is pretty much a consensus opinion.  By your own
admission, it has not received any kind of peer review or independent
code audit.  And yet, you feel it's appropriate to recommend to the
Debian folks they put this code on a live CD image they intend for use
in high-risk environments, *and* you think they should put together a
.deb package for you.

That you believe your project is ready for inclusion into a live CD
image meant for hostile environments is, I think, enough to make me
question your wisdom.  And that *is* a personal judgment, and I make no
apologies for that.





Import a pkcs12 certificate chain

2016-04-26 Thread Ian Prideaux
Hi All,

I've got a system which exchanges files with third parties. One of them
requires that the key is generated from a certificate. I create the CSR
and get it signed by a CA. I then create a pkcs12 file containing the
CA's root & intermediate certificates, and the certificate that they
created from my CSR. We then send our certificate to the third party.

Currently, I'm using
PGP Command Line 10.2 build 335 Copyright (C) 2011 Symantec Corporation
but I want to start using
gpg (GnuPG) 2.0.27 libgcrypt 1.5.3
because that's what's supplied in Solaris11u3.

The Symantec command is:
pgp --new-passphrase newpp --passphrase oldpp --import CertificateChain.p12

However, I can't figure out what the gpg2 command is, or even if gnupg
is capable of this. I don't really understand what this is achieving
that ordinary keys don't.

Please can someone help?

Thanks.




Re: making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-26 Thread Robert J. Hansen
> Wait, wait, wait... I sincerely hope you're not suggesting that the
> first thing Daniel Pocock and others need to do is build a .deb package
> for your project, that instead you meant this to read as "the first
> thing /I/ should do is build a .deb package for egpg", so that they can
> play with your code. I wouldn't even agree with the latter; but the
> former is just... I hope you can pick your own adjective.

I'd like to make it clear that I'm not talking about Dashamir here.
What I'm saying here applies more broadly to libre software in general.

The libre community is a reputation culture.  People keep track of how
much others give (and how valuable it is) and use that to determine how
much to give back (and how valuable it'll be).  Well-managed projects
(GitHub pages, build environments, bug trackers, etc.) enjoy more
reputation than poorly-managed projects, and benevolent dictators for
life enjoy more reputation than tyrannical martinets.

When asking other people to do things for you, it pays to keep in mind
how valuable the community has deemed your contributions.  If you
haven't earned much reputation, you might want to do that before you go
about asking people to do things for you.

Just my two cents' worth.  :)



Re: making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-26 Thread Dashamir Hoxha
On Tue, Apr 26, 2016 at 2:52 PM, Peter Lebbing wrote:
>
> And I do it without bashing your messages, even though you
> seem to take it personal.
>

Please keep the discussion technical. If you don't agree with me this is
fine. But when you express your opinion about my lack of modesty, this is
getting personal. And I don't care about your personal opinion about me,
whoever you are.

Respectfully,
Dashamir


Re: making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-26 Thread Dashamir Hoxha
On Tue, Apr 26, 2016 at 1:16 PM, Daniel Pocock wrote:
>
> Could you add a section to the wiki about this, with an itemized list of
> the tasks that need to be done, e.g.
>
>  * packaging egpg and uploading to Debian
>   * anybody can upload it to https://mentors.debian.net for a DD to
> sponsor
>  * creating whiptail front-end for egpg
>  * creating smartcard support for egpg
>
> Please add any other individual tasks that would be necessary
>

I manage the tasks of the project on GitHub:
https://github.com/dashohoxha/egpg/issues


Re: making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-26 Thread Peter Lebbing
On 26/04/16 14:23, Dashamir Hoxha wrote:
> Peter, I already know your opinion on my project and my modesty,
> you don't have to bash every message that I write.

Quote or it didn't happen. I think I've treated you respectfully, though
I already noted my first reply to your first message here could have
been framed nicer. But that was the single exception.

The respect is starting to evaporate a bit at the moment, though.
Besides, I haven't spent much time on a lot of your messages, let alone
respond to every one of them or anything near such a thing.

> I hope that you will tolerate my lack of modesty, what else can I do?

Not impose extra work on random people[1], put your personal opinions in
proper perspective and represent your project as what it is, i.e., a
brand-spanking-new piece of code, one developer and a very small user
base? Or am I also wrong about that?

By the way, if I disagree with advice you give others here, such as here
advising to include your tool on the live CD, or the other day pointing
a new user to some webpage claiming he needed something more than the
default settings and do difficult stuff without knowing anything about
their requirements other than that they were already having some
difficulty with GnuPG in the first place, I will say so. Even if it
takes a ridiculously long sentence that should probably be split into
proper parts. And I do it without bashing your messages, even though you
seem to take it personally.

Peter.

[1] I'm thinking of suggesting to someone they translate your project
when this person clearly indicates they'd like to reach a broad user
base with the effort they spend on that, and other instances.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-26 Thread Dashamir Hoxha
On Tue, Apr 26, 2016 at 2:20 PM, Daniel Pocock  wrote:
>
> > I manage the tasks of the project on GitHub:
> > https://github.com/dashohoxha/egpg/issues
> >
>
> You can use the wiki to link to the GitHub tasks that are relevant to
> using egpg in the Live CD. You don't have to copy the details of each
> task, just link to them.
>

It doesn't seem reasonable to me.


Re: making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-26 Thread Dashamir Hoxha
On Tue, Apr 26, 2016 at 1:32 PM, Peter Lebbing wrote:

>
> I think you are taking the "plugging my project" approach too far. While
> generating exposure is definitely a good component of making your
> project successful, I think a bit more modesty is in order. If I had a
>

Peter, I already know your opinion on my project and my modesty,
you don't have to bash every message that I write.
I hope that you will tolerate my lack of modesty, what else can I do?

Cheers,
Dashamir


Re: making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-26 Thread Daniel Pocock


On 26/04/16 14:16, Dashamir Hoxha wrote:
> On Tue, Apr 26, 2016 at 1:16 PM, Daniel Pocock wrote:
> 
> Could you add a section to the wiki about this, with an itemized list of
> the tasks that need to be done, e.g.
> 
>  * packaging egpg and uploading to Debian
>   * anybody can upload it to https://mentors.debian.net for a DD to
> sponsor
>  * creating whiptail front-end for egpg
>  * creating smartcard support for egpg
> 
> Please add any other individual tasks that would be necessary
> 
> 
> I manage the tasks of the project on GitHub:
> https://github.com/dashohoxha/egpg/issues
> 

You can use the wiki to link to the GitHub tasks that are relevant to
using egpg in the Live CD. You don't have to copy the details of each
task, just link to them.



Re: making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-26 Thread Peter Lebbing
On 26/04/16 12:52, Dashamir Hoxha wrote:
> A project similar in goals (simplifying GnuPG by automating tasks and
> emphasising best practices) is this one: https://github.com/dashohoxha/egpg
> You can find the answer to some of the questions above by looking at its
> code.

I think you are taking the "plugging my project" approach too far. While
generating exposure is definitely a good component of making your
project successful, I think a bit more modesty is in order. If I had a
say in it: just create your own threads (not too many please :), don't
mention your project in every thread where it has some common ground.

This is my personal opinion. I don't get to say what you do. But I feel
the need to express this opinion now.

Regarding your choice of words and also modesty, the answers to the
questions are not in your code. Your /opinions/ on the matter are in
your code. You do not get to decide what is truth, what is the answer.
Incidentally, the answer is 42, so you're late to the party... ;P

I hadn't even read the following until I almost trimmed it from the mail
and it caught my eye... so ...

> In my opinion, the first thing to be done is to build a .deb package for
> it, so that it can be installed easily on all Debian derived systems,
> then you can also use it in your special Live CD system.
> This is the task about it: https://github.com/dashohoxha/egpg/issues/19

Wait, wait, wait... I sincerely hope you're not suggesting that the
first thing Daniel Pocock and others need to do is build a .deb package
for your project, that instead you meant this to read as "the first
thing /I/ should do is build a .deb package for egpg", so that they can
play with your code. I wouldn't even agree with the latter; but the
former is just... I hope you can pick your own adjective.

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-26 Thread Daniel Pocock


On 26/04/16 12:52, Dashamir Hoxha wrote:
> On Tue, Apr 26, 2016 at 9:53 AM, Daniel Pocock wrote:
> 
> 
> There has been some discussion on debian-devel[1] about making a
> bootable Debian Live CD specifically for GnuPG
> 
> The benefit is that everything on the CD is self-contained, it can't be
> tampered with, it can run without network support in the kernel and the
> workflow would be controlled by a script.  All the details, including
> workflow, are described in a wiki[2]
> 
> I have some questions about this:
> 
> - has anybody already seen anything like this?  Nobody likes
> re-inventing the wheel
> 
> - can we call all the necessary GnuPG commands from a script without the
> user interacting directly with GnuPG, using "--batch" / unattended
> operation?  The sequence of commands involved would be similar to this
> blog[3]
> 
> - what would be the preferred way for the GUI to obtain and keep the
> master key passphrase without prompting the user to re-enter it for
> every operation?
> 
> - would anybody else like to suggest improvements to the workflow?
> 
> 
> A project similar in goals (simplifying GnuPG by automating tasks and
> emphasising best practices) is this one: https://github.com/dashohoxha/egpg
> You can find the answer to some of the questions above by looking at its
> code.
> But I really think that you can incorporate it in your project, maybe
> extending it with new workflows that it doesn't have yet (related to
> using smartcards etc.).
> 
> In my opinion, the first thing to be done is to build a .deb package for
> it, so that it can be installed easily on all Debian derived systems,
> then you can also use it in your special Live CD system.
> This is the task about it: https://github.com/dashohoxha/egpg/issues/19
> 

Thanks for pointing this out

Could you add a section to the wiki about this, with an itemized list of
the tasks that need to be done, e.g.

 * packaging egpg and uploading to Debian
  * anybody can upload it to https://mentors.debian.net for a DD to sponsor
 * creating whiptail front-end for egpg
 * creating smartcard support for egpg

Please add any other individual tasks that would be necessary

Regards,

Daniel





Re: making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-26 Thread Dashamir Hoxha
On Tue, Apr 26, 2016 at 9:53 AM, Daniel Pocock wrote:

>
> There has been some discussion on debian-devel[1] about making a
> bootable Debian Live CD specifically for GnuPG
>
> The benefit is that everything on the CD is self-contained, it can't be
> tampered with, it can run without network support in the kernel and the
> workflow would be controlled by a script.  All the details, including
> workflow, are described in a wiki[2]
>
> I have some questions about this:
>
> - has anybody already seen anything like this?  Nobody likes
> re-inventing the wheel
>
> - can we call all the necessary GnuPG commands from a script without the
> user interacting directly with GnuPG, using "--batch" / unattended
> operation?  The sequence of commands involved would be similar to this
> blog[3]
>
> - what would be the preferred way for the GUI to obtain and keep the
> master key passphrase without prompting the user to re-enter it for
> every operation?
>
> - would anybody else like to suggest improvements to the workflow?
>

A project similar in goals (simplifying GnuPG by automating tasks and
emphasising best practices) is this one: https://github.com/dashohoxha/egpg
You can find the answer to some of the questions above by looking at its
code.
But I really think that you can incorporate it in your project, maybe
extending it with new workflows that it doesn't have yet (related to using
smartcards etc.).

In my opinion, the first thing to be done is to build a .deb package for
it, so that it can be installed easily on all Debian derived systems, then
you can also use it in your special Live CD system.
This is the task about it: https://github.com/dashohoxha/egpg/issues/19


Re: making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-26 Thread Lachlan Gunn
>> - would anybody else like to suggest improvements to the workflow?

One thing that I forgot to mention is that it would be good to have some
way to copy master keys to new media or to rewrite them to existing
ones.  This could be prompted if some but not all disks have master keys
for example.

Automatic extension of the expiry dates should catch cases where the key
has been corrupted, but if it can be disabled then it might be a good
idea to check them.  I can't remember the exact details of how
expiration dates work with subkeys so you may need to do this yourself
anyway.

Anyway, thanks again for having gotten the ball rolling on this, if I
get some time I'd be keen to lend a hand.

Thanks,
Lachlan

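One way to script the "check the expiry dates" step Lachlan mentions, as an added example that is not part of the thread: it parses the machine-readable `gpg --with-colons` key listing and flags any primary key or subkey that has expired or is close to expiring. The sample listing is constructed with placeholder key ids and the 30-day warning window is an assumption.

```python
"""Flag expired or soon-to-expire keys and subkeys from `gpg --with-colons`
output.  Added example, not code from the thread; the sample listing below
is constructed and uses placeholder key ids and fingerprint."""
from datetime import datetime, timedelta, timezone
import subprocess

# Constructed sample of `gpg --with-colons --list-keys` output.
SAMPLE_LISTING = """\
pub:u:4096:1:0000000000000001:1460000000:1492000000::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1460000000::0000000000000000000000000000000000000001::Alice <alice@example.org>::::::::::0:
sub:u:4096:1:0000000000000002:1460000000:1463000000:::::s::::::23:
sub:u:4096:1:0000000000000003:1460000000::::::e::::::23:
"""


def parse_expiry(value):
    """Field 7 is empty when a key never expires.  Current gpg prints epoch
    seconds; older releases printed YYYY-MM-DD, so accept both."""
    if not value:
        return None
    if "-" in value:
        return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(value), tz=timezone.utc)


def parse_key_listing(listing):
    """One dict per pub/sub/sec/ssb record.  Field numbers in gpg's DETAILS
    file are 1-based; the Python indexes below are one less."""
    keys = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub", "sec", "ssb"):
            continue
        keys.append({
            "type": fields[0],
            "keyid": fields[4],
            "caps": fields[11],          # e.g. scESC, s, e
            "expires": parse_expiry(fields[6]),
        })
    return keys


def expiring_keys(keys, now, warn_within=timedelta(days=30)):
    """Return (keyid, status) pairs for keys already expired or expiring
    within warn_within.  Each subkey is checked on its own, since a subkey
    can expire long before the primary key does."""
    out = []
    for k in keys:
        if k["expires"] is None:       # never expires: nothing to check
            continue
        if k["expires"] <= now:
            out.append((k["keyid"], "expired"))
        elif k["expires"] - now <= warn_within:
            out.append((k["keyid"], "expiring"))
    return out


if __name__ == "__main__":
    # Run against the real keyring of the current user.
    listing = subprocess.run(["gpg", "--with-colons", "--list-keys"],
                             capture_output=True, text=True, check=True).stdout
    for keyid, status in expiring_keys(parse_key_listing(listing),
                                       datetime.now(timezone.utc)):
        print(keyid, status)
```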


Re: making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-26 Thread Lachlan Gunn
> There has been some discussion on debian-devel[1] about making a
> bootable Debian Live CD specifically for GnuPG

I have thought for a while that something like this would be a good
idea, it's been sitting on the list of things to have a go at for a
while, so I'm glad to see that someone is actually doing it.

It could be useful to include other kinds of key management than GnuPG,
e.g. for code-signing.  Maybe not shown to the user in the first
instance, but it seems like a good idea to have it in the image.

> - would anybody else like to suggest improvements to the workflow?

I realise it's a livecd, but I would suggest explicitly banishing
anything resembling swap support from the image if possible.

I also think that insisting that the user print a revocation cert before
continuing is a bit harsh; I don't have a printer connected to my
airgapped machine, for example, but since I have multiple backups of the
private key I'm not too worried.

As far as smartcards, that PKCS#11 tool hasn't had a release since 2011
according to its website.  In any case, even if you do get it working
then ultimately you have to use whatever type the user has in the
reader, which at the moment is essentially always an OpenPGP card.  Plus
as I understand it you need to distribute all of the per-card drivers
for PKCS#11, which tend to be non-free.

I think this may be offtopic, but one related thing that I'd also like
to look into at some point is whether one can use SELinux to do
red/black-separation style stuff.  Since this livecd is only really
meant for signing it isn't terribly useful, I don't think, unless you
wanted to do something like prevent exported private keys from being
written to non-special media for example.

Thanks,
Lachlan



Is there a foolproof tutorial to start with gpgme?

2016-04-26 Thread Paolo Bolzoni
Dear list,

gpgme is very interesting, but it appears quite daunting to start from
the documentation alone.
Is there some ready-to-compile example somewhere with easy tasks like
signature checking or compiling?

Cheers,
Paolo



Re: (OT) gpgme-sharp API missing

2016-04-26 Thread Alexander Strobel
Am 25.04.2016 um 15:07 schrieb MFPA:
>> Strangely enough, even until today it does not show
>> up in my inbox...
> 
> If the same applies to all three of your messages, I suggest checking 
> your subscription options at 
> . You might have 
> the option to receive a copy of your own posts turned off.

Thank you for the hint.
It was a problem with this single email only. All other emails showed up
in the past.

Best regards
 Alex Strobel
 www.gpg4o.com



making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-26 Thread Daniel Pocock

There has been some discussion on debian-devel[1] about making a
bootable Debian Live CD specifically for GnuPG

The benefit is that everything on the CD is self-contained, it can't be
tampered with, it can run without network support in the kernel and the
workflow would be controlled by a script.  All the details, including
workflow, are described in a wiki[2]

I have some questions about this:

- has anybody already seen anything like this?  Nobody likes
re-inventing the wheel

- can we call all the necessary GnuPG commands from a script without the
user interacting directly with GnuPG, using "--batch" / unattended
operation?  The sequence of commands involved would be similar to this
blog[3]

- what would be the preferred way for the GUI to obtain and keep the
master key passphrase without prompting the user to re-enter it for
every operation?

- would anybody else like to suggest improvements to the workflow?

1. https://lists.debian.org/msgid-search/571dd206.1070...@pocock.pro
2. https://wiki.debian.org/OpenPGP/CleanRoomLiveEnvironment
3. https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/



Re: Paper backup

2016-04-26 Thread Paolo Bolzoni
On Mon, Apr 25, 2016 at 4:38 PM, Dashamir Hoxha wrote:
> On Mon, Apr 25, 2016 at 4:01 PM, Robert J. Hansen wrote:
> But once you have to split the data and QR-encode it, it doesn't make much
> difference whether you have 2 pages of output or 8 pages. So, it doesn't
> make sense
> reducing the output, and it doesn't make sense using Paperkey anymore. At
> this point
> Paperkey only makes things more complex, instead of making them simpler.

Just don't forget that any machine-readable format like QR should be put
together with a human-readable one, because you cannot be sure how
easy it will be to read a QR code when you need it.
