Re: Forwarding scdaemon over SSH - is it possible?

2016-06-09 Thread NIIBE Yutaka
On 06/09/2016 08:09 PM, Michael Fladischer wrote:
> some months ago I bought a Yubikey Neo 4 to store my private key on. It
> works perfect with GnuPG on my local Laptop.
> 
> Now I would like to sign some files with my key on a remote server
> (build machine). I'm logged in there over SSH and I tried forwarding the
> unix domain socket from scdaemon over the relatively new
> SSH-unix-domain-socket-forwarding feature like this:
> 
> ssh my.server.com -R ~/.gnupg/S.scdaemon:~/.gnupg/S.scdaemon

You don't need to do that.  Instead, you need to use forwarding of
gpg-agent's socket.  Note that it is gpg-agent which gpg frontend
connects to, and it is gpg-agent which connects to scdaemon.

Once gpg-agent's socket is forwarded, you can access your local
scdaemon, like:

  gpg frontend           --> [by forwarded socket] --> local gpg-agent --> [by normal socket] --> local scdaemon
  (on your remote server)

It works for me with Gnuk Token, and I don't think it's hardware
specific.
-- 



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Fw: GnuPG - Encryption process issues.

2016-06-09 Thread Peter Lebbing
Hello all,

Since I'm afraid that the message written by Jonas might not be read, as
it is posted solely on the mailing list, let me quote him here and
expand on it:

On 09/06/16 13:47, Jonas Hedman wrote:
> On 16-06-08 22:11:27, Ankit Bhardwaj5 wrote:
>> Hello Carlos
>>
>> As i m busy in completing DR checklist, i will try to finish this by
>> today.
>
>
> You know this is a public mailing list, right?

My own addition to this is: a public mailing list with a few rules.
Among them are:

> Please write only in English, avoid top posting
> and strip quotes to the necessary minimum.

Could you please not top post and trim your quotes?

Cheers,

Peter.

PS: Just to clear up any possible confusion, I am not affiliated with
GnuPG nor part of any "Team". I'm just a private individual posting to a
mailing list for GnuPG users.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: WINDOWS - Adding passphrase to gpg via command line

2016-06-09 Thread Mike Kaufmann
Hi,

I am using GnuPG v2.1.11.59877 on Windows 10. The utility 
gpg-preset-passphrase.exe is not available on my system. Is there a location I 
can download this tool and install on my machine? I would like to use the tool, 
to set the password on gpg-agent.

Regards
Mike




Re: How to convert (ancient) key in "version 2" to more modern "version 4" format?

2016-06-09 Thread Daniel Kahn Gillmor
Hi Bjoern--

On Sat 2016-05-28 18:04:13 -0400, Bjoern Kahl wrote:
>  Because I have *tons* of mails (and other archived data files) that
>  have been signed and / or encrypted with such keys and I (I have to
>  use such a strong word here) *insist* on being able to continue to
>  read these mails and files whenever the need arises.

So there are two things you might want to do with these mails: verify
their signatures and decrypt them.  Right?  Is it possible that
signature verification for old (likely weak, and quite possibly
compromised) keys isn't relevant?  If so, then the problem space becomes
focused on decryption.

I think there are serious usability risks to providing live decryption
capability for *new* material that is sent encrypted to known-weak keys,
but i can understand the use case you describe.

Perhaps the better approach is to have a one-time tool that can either
(a) translate your encrypted messages into a newer encrypted form
(e.g. replacing the PKESK packets with ones encrypted to a newer,
stronger key), or (b) extract the session key from the encrypted
object and store it in a separate lookup table, so that the old secret
key isn't relevant any longer.

Either of these approaches would also be useful to people who want to
destroy their old secret key material without losing access to their
data, while making it harder for people to start interacting with
bad/old keys.

--dkg

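Option (b) above, as an added example that is not code from the message or from GnuPG: a small shell workflow that records each message's session key while the old key can still decrypt, then reads the message back without any secret key. It uses the existing gpg options --show-session-key and --override-session-key and the documented status line "SESSION_KEY <algo>:<hex>"; the table layout, the file-id scheme and the constructed status text used for the stand-alone run are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the message above. It implements option (b):
# record each old message's session key once, while the weak key can still
# decrypt, so the messages stay readable after that key is destroyed. It
# relies on two gpg options that exist for exactly this purpose,
# --show-session-key (prints "SESSION_KEY <algo>:<hex>" on the status fd)
# and --override-session-key. The table format, the file names and the
# status text used for the stand-alone run are this example's own.

# Parse the session key out of gpg --status-fd output. The value is the
# exact string --override-session-key expects.
session_key_from_status() {
    printf '%s\n' "$1" | sed -n 's/^\[GNUPG:\] SESSION_KEY \([0-9]*:[0-9A-Fa-f]*\).*$/\1/p' | head -n 1
}

# Stable identifier for an encrypted file: its SHA-256. The path may move,
# the ciphertext does not.
file_id() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Decrypt once with the old key, keep only the session key, append
# "<file id> <session key>" to the table. The table is as sensitive as the
# messages themselves: keep it mode 0600 (umask below) and encrypt it to the
# new key when archiving.
record_session_key() {
    file=$1
    table=$2
    status=$(gpg --batch --yes --status-fd 1 --show-session-key \
                 --output /dev/null --decrypt "$file" 2>/dev/null) || return 1
    sk=$(session_key_from_status "$status")
    [ -n "$sk" ] || return 1
    (umask 077; printf '%s %s\n' "$(file_id "$file")" "$sk" >> "$table")
}

# Look a session key up by file id; prints nothing if unknown.
lookup_session_key() {
    awk -v k="$1" '$1 == k { print $2; exit }' "$2"
}

# Read a message without any secret key: supply the recorded session key.
# The key is visible in the process list for the duration of the call;
# later GnuPG versions add --override-session-key-fd to avoid that.
decrypt_with_table() {
    file=$1
    table=$2
    sk=$(lookup_session_key "$(file_id "$file")" "$table")
    if [ -z "$sk" ]; then
        echo "no session key recorded for $file" >&2
        return 1
    fi
    gpg --batch --override-session-key "$sk" --decrypt "$file"
}

# Stand-alone run on constructed status output (no gpg invocation needed).
SAMPLE_STATUS='[GNUPG:] ENC_TO 1234567890ABCDEF 1 0
[GNUPG:] SESSION_KEY 9:0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
[GNUPG:] DECRYPTION_OKAY'
echo "session key from constructed status: $(session_key_from_status "$SAMPLE_STATUS")"
```

Run record_session_key over the archive once per file while the old secret key is still present, then destroy the key; decrypt_with_table covers reading later. The lookup table replaces the old key as the thing that unlocks the archive, so it needs the same protection the key had.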


Re: Fw: GnuPG - Encryption process issues.

2016-06-09 Thread Peter Lebbing
> -> Files Under /home/ehpadm/.gnupg
> 
> -rw--- 1 ehpadm sapsys 1200 May 3 21:54 trustdb.gpg
> -rw--- 1 ehpadm sapsys 7438 May 3 21:54 pubring.gpg~
> -rw--- 1 ehpadm sapsys 8557 May 3 21:54 pubring.gpg
> -rw--- 1 ehpadm sapsys 4805 May 3 21:54 secring.gpg
> -rw--- 1 ehpadm sapsys 11 May 3 22:03 .#lk200104b8.mxoccsapehpn2.6488076
> -rw--- 1 ehpadm sapsys 9029 May 4 11:18 gpg.conf
> -rw--- 1 ehpadm sapsys 11 May 4 13:43 .#lk2000c328.mxoccsapehpn2.6160766
> -rw--- 1 ehpadm sapsys 11 May 4 13:55 .#lk2000c328.mxoccsapehpn2.8913004
> -rw--- 1 ehpadm sapsys 11 May 4 15:55 .#lk2000c328.mxoccsapehpn2.12976528
> -rw--- 1 ehpadm sapsys 11 May 4 17:58 .#lk2000c328.mxoccsapehpn2.10158578
> -rw--- 1 ehpadm sapsys 11 May 4 18:06 .#lk2000c328.mxoccsapehpn2.5308674
> -rw--- 1 ehpadm sapsys 0 May 31 10:00 random_seed

Note this last line. There is a file /named/ random_seed, but it's not
doing its purpose. The file random_seed is used to store some randomness
to carry it over from one invocation to the next. This file is empty; it
contains no data, and hence no randomness.

First of all, you can happily delete this file. It's useless in its
current state, and GnuPG will generate a new one.

I did a quick look at the code, and stopped looking when the code
detecting an empty random_seed file was at least there in the year 2000
(commit 7438612 of libgcrypt). This case should be handled gracefully.
But still, it seems to work for you when you block access to this file,
right? Why not delete it. Although I suspect you may have tried it already.

Coming to speak of moments something was introduced, I don't think you
ever mentioned which version of GnuPG you're using. Could you please
tell us?

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: Configuration hints for using gnupg (2.0.x) interchangeably with graphical frontend and in the terminal

2016-06-09 Thread Peter Lebbing
On 01/06/16 21:36, Bjoern Kahl wrote:
>  Currently, whenever Enigmail needs a passphrase, it throws up a popup
>  window (actually, it runs gpg, which runs the agent, which runs
>  pinentry-mac, which throws up the window) _somewhere_: sometimes on
>  the screen I am looking at, sometimes on another physical screen,
>  sometimes hidden behind other windows, sometimes in the front.

That's odd, I don't know pinentry-mac, but pinentry-gtk is always fully
on top. It's so much on top that you can't use any other window while
it's active. It would require the option "no-grab" to prevent it from
fully taking over the screen. Do you perhaps have that option or
something equivalent configured in gpg-agent.conf?

As for which display it pops up on... on an X11 server, it will use the
X display the request is coming from, but an X display may consist of
several physical screens. Since my two screens are next to each other, I
really can't tell you if it pops up on the same physical screen. I
suspect it might not, since it probably only communicates the contents
of the DISPLAY environment variable to the agent.

>  When using gpg in the terminal originally the same happened: Some
>  random window popping up at some random spot on some random monitor.
> 
>  Even worse, when logging in through SSH, it throw up a pin entry
>  window on the locked graphical session idling on the remote machine
>  instead of in the terminal I am working in.

Now that is something that definitely should not be happening. That's
odd. It's a pity I know nothing about Macs, so I can't directly help
you. But this does not happen here on Linux. When you invoke gpg on a
terminal and that gpg needs a pinentry, it tells the agent on which tty
it is and what its DISPLAY environment variable is. When you use SSH,
this will not set a DISPLAY variable by default, so you'll get a text
pinentry on the text terminal you run SSH on. If you use X forwarding,
it will do the correct thing and set an appropriate DISPLAY and set up
access control, after which you'll get the pinentry on the system you're
SSH'ing from. Only if you misconfigure SSH and force it to pass through
the DISPLAY environment variable, would such a thing as you describe
happen. In that case, your DISPLAY variable is probably ":0", and it
will contact the first local X server, which will be the wrong one, as
"local" is interpreted wrongly.

>  Partial solution tried:
> 
>  I created a second gpg-agent.conf named "gpg-agent-term.conf" and
>  configured the first to run pinentry-mac and the latter to run
>  pinentry-curses.

This really shouldn't be necessary. The only thing where you normally
need to watch out is with the SSH agent support, which has no means to
communicate invoking tty and graphical display. But when you're just
using gpg, it should do the correct thing out-of-the-box, and you need
no configuration for using gnupg (2.0.x) interchangeably with graphical
frontend and in the terminal (your title :).

> Searching through
>  all my shells where the passphrase dialogue appeared is annoying.

Yes, that is *very* annoying.

>  - Whenever I run gpg in a terminal, it will ask me for my passphrase
>in exactly that terminal where I am interacting with it and expect
>the prompt?  I.e. on that TTY that is the controlling TTY of the
>gpg process I am interacting with?

That's exactly what should happen by default. Well, at least on the same
graphical environment as the terminal emulator if you're using one.

>  - Is there a way to have a single agent (with a single config file,
>so I can start it at first login and have it available in all
>terminals/shells and programs (e.g. Thunderbird) started from there)
>but still a graphical passphrase in programs which (no longer) have
>StdIn connected to a terminal or don't have a controlling TTY; and
>have a plain prompt in the terminal for programs that run in a
>terminal?

I think the priority is different: it will prefer graphical, and only
when that is deemed not available, fall back to text on the controlling
tty. If that is not available either, I think it will give up and error out.

When I say it will prefer graphical, then I mean the graphical
environment the terminal emulator is running in, not just any
environment. Certainly not on a different system. Of course, if you
multi-display a single "screen" terminal session, it might go haywire as
any X application would, since it would pick the DISPLAY from the
"screen" session that started it.

Do you have any non-default configuration set?

Again, it's a pity I know nothing of Macs. I don't even know how MacOS
communicates the fact that there is a graphical display available.
AFAIK, using X11 is just a compatibility feature thing, not the main
method to talk to the graphical environment on OS X, so it's probably
not through the DISPLAY environment variable?

However, I haven't seen anyone with actual knowledge of the topic reply
to you yet, so I thought 
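The tty and DISPLAY hand-off described above, as an added example that is not code from the message or from GnuPG. The first function emits the Assuan OPTION lines gpg sends to the agent for its environment (the option names ttyname, ttytype and display are gpg-agent's); the second classifies a DISPLAY value the way the message reasons about it, flagging the ":0" that leaks through a misconfigured SSH session. The classification rules and the sample values are this example's own.

```shell
#!/bin/sh
# Added example, not code from the message above. It makes the mechanism
# described there concrete: before a pinentry is needed, gpg tells the agent
# which tty and which X display it is on, as Assuan "OPTION" lines, and the
# agent launches the pinentry there. The second function flags the failure
# mode from the message: inside an SSH session a DISPLAY such as ":0" was
# copied over from the client and now names the server's own console,
# whereas X forwarding sets something like "localhost:10.0". The option
# names are gpg-agent's; the classification rules and the sample values are
# this example's own, passed in as arguments so it runs without a terminal
# or an agent.

# OPTION lines gpg sends for its environment; unset values are skipped,
# which is what makes the agent fall back from an X pinentry to the tty.
pinentry_options() {
    ttyname=$1
    ttytype=$2
    display=$3
    [ -n "$ttyname" ] && printf 'OPTION ttyname=%s\n' "$ttyname"
    [ -n "$ttytype" ] && printf 'OPTION ttytype=%s\n' "$ttytype"
    [ -n "$display" ] && printf 'OPTION display=%s\n' "$display"
    return 0
}

# Classify the DISPLAY a gpg process would hand to the agent.
#   none          unset: text pinentry on the controlling tty
#   forwarded     localhost:N[.M]: ssh -X/-Y, window appears on the client
#   local-console :N[.M] while SSH_CONNECTION is set: leaked through SSH,
#                 window appears on the server's own screen (the bug above)
#   local         :N[.M] in a local session: expected
#   other         anything else, e.g. a TCP display host:N
classify_display() {
    display=$1
    ssh_connection=$2
    if [ -z "$display" ]; then
        echo none
        return 0
    fi
    case $display in
        localhost:[0-9]*) echo forwarded ;;
        :[0-9]*)
            if [ -n "$ssh_connection" ]; then echo local-console; else echo local; fi
            ;;
        *) echo other ;;
    esac
}

# Stand-alone run against the current environment. A pinentry on the wrong
# screen over SSH is fixed by "unset DISPLAY" (or by not copying DISPLAY in
# the SSH client/server config) and by exporting GPG_TTY=$(tty), which the
# gpg-agent manual recommends for text pinentries.
if t=$(tty 2>/dev/null); then :; else t=""; fi
echo "options gpg would send:"
pinentry_options "$t" "${TERM:-}" "${DISPLAY:-}"
echo "display class: $(classify_display "${DISPLAY:-}" "${SSH_CONNECTION:-}")"
```

Run it inside the SSH session where the pinentry appears on the wrong machine; a result of "local-console" confirms the DISPLAY leak the message describes, and "none" or "forwarded" means the environment is fine and the cause lies elsewhere.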

Re: Installing gnupg

2016-06-09 Thread Paul Applegate
Your best bet is to use one of these two builds. The first is using the Modern 
version. The second uses the older version. The second one also has more 
options such as a keychain and integration with mail. 
https://sourceforge.net/projects/gpgosx/
https://gpgtools.org

On Thu, Jun 9, 2016 at 3:14 AM -0400, "Alex Franklin" wrote:

> Hi
> I don't know how to install the pgp software. I have downloaded the tarball and
> signature from the website. I have OSX El Capitan. I have terminal open but it
> is not clear as to what I need to do, what I need to type in to Terminal.
> Please help?
> Alex



Re: Installing gnupg

2016-06-09 Thread Robert J. Hansen
> I have OSX El Capitan.

GPGOSX provides a newer version of GnuPG than GPGTools does:

https://sourceforge.net/projects/gpgosx/



Re: Forwarding scdaemon over SSH - is it possible?

2016-06-09 Thread Peter Lebbing
On 09/06/16 13:09, Michael Fladischer wrote:
> Does anyone have an idea how I could trick gpg2 into using my socket to
> talk to my local scdaemon?

This sounds like a job for our new superhero the --extra-socket option
that gpg-agent gained recently. It is meant for forwarding agent
connections to remote hosts. The local agent will then create an
scdaemon process to communicate to your smartcard.

Think well on the security implications of letting the remote machine
access your locally installed private keys. Do you fully trust the
machine and anyone with access to the socket on the remote machine?

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

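The forwarding that both replies in this thread describe (NIIBE's "forward gpg-agent's socket" and Peter's --extra-socket), as an added example that is not code from either message nor from the GnuPG project: it scripts the local extra-socket setup, derives the ssh -R argument, and reads the server's socket location from gpgconf. Everything beyond the two replies is assumed: GnuPG 2.1 with the extra-socket option on the laptop, OpenSSH 6.7 or later on both ends (the version that introduced Unix-socket forwarding), "StreamLocalBindUnlink yes" in the server's sshd_config, and the placeholder host build.example.com, user name builder and socket paths.

```shell
#!/bin/sh
# Added example, not code from either message above. It scripts the setup
# they describe: gpg-agent's "extra-socket" on the laptop is forwarded to
# the build host with OpenSSH's Unix-socket RemoteForward, so gpg there
# talks to the local agent, which talks to the local scdaemon and the card.
# Assumptions not stated in the thread: GnuPG 2.1 with the extra-socket
# option, OpenSSH 6.7 or later on both ends, and "StreamLocalBindUnlink yes"
# in the server's sshd_config so a stale socket file does not block the
# forward. The host build.example.com, the user name "builder" and the
# socket paths are placeholders.

# Append "extra-socket PATH" to a gpg-agent.conf unless it is already set.
# Idempotent, so it is safe to call on every login.
ensure_extra_socket() {
    conf=$1
    sock=$2
    touch "$conf"
    if ! grep -q '^extra-socket ' "$conf"; then
        printf 'extra-socket %s\n' "$sock" >> "$conf"
    fi
}

# Pull the agent socket path out of "gpgconf --list-dirs" output, which is
# one "name:value" pair per line. Run gpgconf on the server to learn where
# the forwarded socket has to appear: recent 2.1 builds use
# /run/user/<uid>/gnupg/S.gpg-agent rather than ~/.gnupg/S.gpg-agent.
# (gpgconf percent-escapes odd characters; plain paths need no decoding.)
agent_socket_from_listing() {
    printf '%s\n' "$1" | sed -n 's/^agent-socket:\(.*\)$/\1/p'
}

# The ssh -R argument for a Unix socket: <remote path>:<local path>.
# On the server the forwarded socket takes the place of S.gpg-agent, so gpg
# there connects to the laptop's agent instead of starting its own.
remote_forward_spec() {
    printf '%s:%s' "$1" "$2"
}

# Full command line: forward the socket and open the interactive session.
ssh_forward_cmd() {
    host=$1
    remote_sock=$2
    local_sock=$3
    printf 'ssh -R %s %s' "$(remote_forward_spec "$remote_sock" "$local_sock")" "$host"
}

# True once gpg-agent serves the extra socket. It is created only after the
# option is in the config and the agent has been restarted.
extra_socket_live() {
    [ -S "$1" ]
}

# Stand-alone run: print the steps; nothing here changes real files.
LOCAL_SOCK="$HOME/.gnupg/S.gpg-agent.extra"
REMOTE_SOCK="/home/builder/.gnupg/S.gpg-agent"
echo "1. laptop:  ensure_extra_socket ~/.gnupg/gpg-agent.conf $LOCAL_SOCK"
echo "2. laptop:  gpgconf --kill gpg-agent && gpg-connect-agent /bye"
echo "3. server:  gpgconf --list-dirs    (confirm agent-socket is $REMOTE_SOCK)"
echo "4. laptop:  $(ssh_forward_cmd build.example.com "$REMOTE_SOCK" "$LOCAL_SOCK")"
echo "5. server:  gpg2 --import pubkey.asc && echo test | gpg2 --clearsign"
if extra_socket_live "$LOCAL_SOCK"; then
    echo "local extra socket is live: $LOCAL_SOCK"
else
    echo "local extra socket not present yet: $LOCAL_SOCK (steps 1 and 2 pending)"
fi
```

Two points worth keeping in mind. The extra socket is deliberately restricted: the agent refuses requests that would hand out secret key material, and card administration commands are not expected to work through it, so the check in step 5 is a signature rather than gpg2 --card-status; the public key must be in the server's keyring because gpg looks the key up there before asking the agent to sign. And, as Peter says, while the session is open anything on the server that can open the forwarded socket file can request signatures from the card, so the socket's mode and the server's administrators are part of the trust decision.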


Re: Fw: GnuPG - Encryption process issues.

2016-06-09 Thread Peter Lebbing
On 06/06/16 19:34, Carlos Alberto Moreno Torres wrote:
> Please reply to all and direct email
> to GnuPG Team if you have any questions for them. Thanks in advance.
> 
> Also, do not remove any of the participants of this email.

This turns out to be a problem. When including all recipients, the
message to the mailing list is held for manual moderator approval:

> The reason it is being held:
> 
> Too many recipients to the message

So I would suggest to solve the problem of including all intended
recipients differently. A suggestion would be to have one person
communicate on the gnupg-users mailing list, and keep the rest of the
discourse internal to your company.

Apart from the delay, moderator approval takes valuable time of the
human moderator.

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Forwarding scdaemon over SSH - is it possible?

2016-06-09 Thread Michael Fladischer
Hi,

some months ago I bought a Yubikey Neo 4 to store my private key on. It
works perfect with GnuPG on my local Laptop.

Now I would like to sign some files with my key on a remote server
(build machine). I'm logged in there over SSH and I tried forwarding the
unix domain socket from scdaemon over the relatively new
SSH-unix-domain-socket-forwarding feature like this:

ssh my.server.com -R ~/.gnupg/S.scdaemon:~/.gnupg/S.scdaemon

So far this works as it creates a socket on the server at
~/.gnupg/S.scdaemon. If I now try to test it this happens:

$ gpg2 --card-status
gpg: error getting version from 'scdaemon': No SmartCard daemon
gpg: OpenPGP card not available: No SmartCard daemon

It seems that just forwarding the socket is not enough and gpg2 wants an
actually running scdaemon on the server.

Does anyone have an idea how I could trick gpg2 into using my socket to
talk to my local scdaemon?

Cheers,
-- 
Michael Fladischer
Fladi.at





Re: Fw: GnuPG - Encryption process issues.

2016-06-09 Thread Jonas Hedman
On 16-06-08 22:11:27, Ankit Bhardwaj5 wrote:
> Hello Carlos
> 
> As i m busy in completing DR checklist, i will try to finish this by 
> today.


You know this is a public mailing list, right?



Re: Installing gnupg

2016-06-09 Thread Pete Stephenson
On Jun 9, 2016 09:15, "Alex Franklin" wrote:
>
> Hi
>
> I don't know how to install the pgp software. I have downloaded the
> tarball and signature from the website. I have OSX El Capitan. I have
> terminal open but it is not clear as to what I need to do, what I need to
> type in to Terminal.
>
> Please help?

Hi Alex,

The tarball is for if you want to compile GnuPG from source. This is
probably not what you want to do.

The GPGtools project has a nice, easy-to-use installer for GPG on OS X.
Their site is at https://gpgtools.org

Cheers!
-Pete


Re: Fw: GnuPG - Encryption process issues.

2016-06-09 Thread Werner Koch
On Mon,  6 Jun 2016 19:34, cmore...@mx1.ibm.com said:

> Below is the response from GnuPG support, please let us know if this can
> provide us the specific Root Cause. Please reply to all and direct email to
> GnuPG Team if you have any questions for them. Thanks in advance.

FWIW, what you call the “GnuPG support” and “GnuPG Team” is a public
mailing list of GnuPG users:

  GnuPG user help mailing list.
  
  The topic of this is list is help and discussion among users of
  GnuPG. This includes questions on how to script GnuPG, how to create or
  sign keys and general discussion on encryption and digital signatures as
  long as it somehow pertains to GnuPG.
  
  The contents of all messages sent to this mailing list is assumed to be
  in the public domain. Please write only in English, avoid top posting
  and strip quotes to the necessary minimum.
  
  Postings by subscribers are not moderated; postings from non-subscribers
  are held for approval but there is no guarantee that the moderator can
  approve them in time; they may even be dropped.
  
  Some kinds of postings will not be accepted: e.g. large ones, mails
  without the list name in the To: or CC: header and HTML mails. Your mail
  client does have an option to send plain text only messages; try this if
  you don't get your posting through or notice it in the archive.
  


Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
/* EFH in Erkrath: https://alt-hochdahl.de/haus */




Re: Installing gnupg

2016-06-09 Thread Samir Nassar
On 06/09/2016 07:18 AM, Alex Franklin wrote:
> I don't know how to install the pgp software. I have downloaded the tarball
> and signature from the website. I have OSX El Capitan. I have terminal open
> but it is not clear as to what I need to do, what I need to type in to
> Terminal.

A small point of clarification. There is software called PGP, but this
is the user mailing list for GnuPG also known as GPG, which implements PGP.

There are several ways of getting GnuPG for OS X:

A comprehensive guide to install GnuPG and configuring Thunderbird and
Enigmail is here:

https://ssd.eff.org/en/module/how-use-pgp-mac-os-x

If you look at the gnupg download page: https://www.gnupg.org/download/
note the section called binary downloads. This is most likely what you
are looking for; there are two options for getting GnuPG installed.

If this information does not help you, please share in more detail
what you are trying to accomplish.

-- 
Samir Nassar
web:samirnassar.com
email:  sa...@samirnassar.com
PGP:pgp.samirnassar.com





Installing gnupg

2016-06-09 Thread Alex Franklin
Hi

I don't know how to install the pgp software. I have downloaded the tarball
and signature from the website. I have OSX El Capitan. I have terminal open
but it is not clear as to what I need to do, what I need to type in to
Terminal.

Please help?

Alex