Re: Primary and Signing Key on Different Smart Cards
On Thu, Nov 17, 2016 at 7:45 PM, Arthur Ulfeldt wrote:
> I have a similar setup and have been doing it successfully. I have two
> yubikey neos with signing keys. I found that because of bugs in gpg 2.1 I

That's interesting, as I want exactly that: two Yubikeys for signing. I will be able to try that once my second Yubikey arrives. Did you generate the primary key on the card, or did you have to maintain it on a disk somewhere?

Anton.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
GPGSM detached signature without auth attributes
Hello!

I would like to use GPGSM to sign a Linux kernel module with a private key stored on an OpenPGP smartcard. The original signing tool uses OpenSSL to sign the kernel module using a detached CMS signature. The kernel requires that the CMS does not contain any authenticated attributes and it refuses to validate the signature otherwise [1]. In the original signing tool [2] the CMS_add1_signer call uses the CMS_NOATTR and CMS_NOSMIMECAP flags (the same can be achieved by using the -noattr flag of the openssl command-line utility).

Is there anything like this available in GPGSM? I've looked at the source code of both GPGSM and libksba and it looks like there is currently no easy way to omit these attributes from CMS with GPGSM?

Thanks!

[1] - https://lkml.org/lkml/2015/8/5/469
[2] - https://github.com/torvalds/linux/blob/master/scripts/sign-file.c#L311

Jernej
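The kernel's requirement above is a structural one: the SignerInfo inside the CMS must carry no signedAttrs. The following is an added example (not from the post, the kernel, or GnuPG) of a minimal DER walk that checks a detached CMS for that field; the sample CMS it parses is constructed inline with a toy signer identifier and a zero-filled signature, not a real module signature.

```python
# Added example: report whether a CMS SignedData carries signedAttrs
# ([0] IMPLICIT in SignerInfo), the authenticated attributes the kernel
# module loader rejects. Sample data below is constructed, not real.

def tlv(tag, body):
    """DER-encode one TLV (short and long definite length forms)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def children(body):
    """Split a constructed DER body into a list of (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, length, pos = body[pos], body[pos + 1], pos + 2
        if length & 0x80:                       # long form: next bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        out.append((tag, body[pos:pos + length]))
        pos += length
    return out

def oid(hexstr):
    return tlv(0x06, bytes.fromhex(hexstr))

OID_SIGNED_DATA = oid("2a864886f70d010702")     # 1.2.840.113549.1.7.2 id-signedData

def signers_with_signed_attrs(cms):
    """Return how many SignerInfos in the CMS contain signedAttrs (tag 0xA0)."""
    (_, content_info), = children(cms)          # outer ContentInfo SEQUENCE
    content_type, wrapped = children(content_info)
    assert tlv(*content_type) == OID_SIGNED_DATA, "not a SignedData"
    (_, signed_data), = children(wrapped[1])    # [0] EXPLICIT -> SignedData SEQUENCE
    signer_infos = children(signed_data)[-1][1] # last field: SET OF SignerInfo
    return sum(1 for _, si in children(signer_infos)
               if any(tag == 0xA0 for tag, _ in children(si)))

def sample_cms(with_attrs):
    """Constructed detached SignedData with one signer (toy sid and signature)."""
    sha256 = tlv(0x30, oid("608648016503040201"))
    sid = tlv(0x30, tlv(0x30, tlv(0x31, tlv(0x30, oid("550403") + tlv(0x0c, b"toy")))) + tlv(0x02, b"\x01"))
    attrs = tlv(0xA0, tlv(0x30, oid("2a864886f70d010903") + tlv(0x31, oid("2a864886f70d010701")))) if with_attrs else b""
    si = tlv(0x30, tlv(0x02, b"\x01") + sid + sha256 + attrs
             + tlv(0x30, oid("2a864886f70d01010b")) + tlv(0x04, b"\x00" * 256))
    sd = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, sha256)
             + tlv(0x30, oid("2a864886f70d010701")) + tlv(0x31, si))
    return tlv(0x30, OID_SIGNED_DATA + tlv(0xA0, sd))
```

Run `signers_with_signed_attrs()` over the bytes of a real `.p7s` produced by a signing tool to confirm it returns 0 before handing the module to the kernel.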
Re: Primary and Signing Key on Different Smart Cards
> You will need the private key on-disk *temporarily* while setting up the
> smartcards. But with Knoppix, that "disk" can be a RAM disk in the main
> memory of your computer, obliterated once you power it off.

I think you will have to keep it as a backup too, in case you want to add another smartcard with a new subkey to an existing key, or not? Although, if the air-gapped machine is secure, then encrypting the backup using the smartcard itself and removing the unencrypted copy will do the trick as well.
Re: Primary and Signing Key on Different Smart Cards
> Which version, GnuPG 2.0 or 2.1? I think you can use 2.1 to reach the desired
> outcome without difficulty, even if it might be a bit non-standard.

I have 2.1.11.

> Can we first get out of the way which exact version of GnuPG you're using? If
> you're using 2.0, start with the threads linked above, and feel free to report
> back if you're unclear about something. For 2.1, if time permits, I can
> outline the steps for you. You will need to have the private key on-disk for both

Ok. So I am using 2.1 and I have read the referenced threads, and both options assume that you either generate the key off the card or maintain a copy of it. Was anybody able to do that while always generating keys on the card and not extracting them from the card as a copy either?

> rather trust GnuPG's random number generator than the one on a cheap smartcard
> (or any smartcard for that matter). So I would recommend to not use the
> on-card key generation feature anyway.

That's quite an interesting point that I had not thought about. Do you have any references to papers that I can read on this subject?

> with writable media altogether (ignoring writing DVD's for a moment; that's
> not something you accidentally leave on). Unless you don't have a DVD writer, of
> course :-).

I do not have a DVD writer anymore, but I managed to buy a USB flash card with a write-protection switch. As I understand it, the protection switch there is a hardware one, so it should be a good enough replacement for DVD-Rs.

Key generation on an air-gapped machine is ok for me, and I think I have enough information now to try to do that. But at the same time I find it a kind of overkill over key generation on the card for my use cases. E.g. I am not looking for security stronger than government-issued eID cards have, and they are usually key-on-card generated with the card's random number generator.

Anton.
How to prevent passphrase caching in 2.1
Hi,

is adding

| default-cache-ttl 0

and/or

| max-cache-ttl 0

to gpg-agent.conf the official way to deactivate passphrase caching completely and make GnuPG only use the term transferred with the --passphrase option?

Thanks
Caro
Re: Implications of a common private keys directory in 2.1
On Sun, 16 Oct 2016 01:22:50 +0000 (UTC), I wrote:
> Hi,
>
> my next problem with 2.1.15 on Windows 7.
>
> I add a pub/sec keypair to two different keyrings
> '--import ... --keyring a.kbx', then '--import ... --keyring b.kbx'.
> Following this I delete that key from one of the keyrings
> '--delete-secret-and-public-key ... --keyring a.kbx',
> which unfortunately as a side effect also removes the secret key
> associated with the other public keyring (b.kbx), as for both public key
> items there's only one single secret key file stored in the common
> private-keys-v1.d directory.
>
> Is there any chance to get that disentangled, maybe by defining a
> separate secret key directory for each public .kbx keyring in use?

The silence makes me believe that what I described is intended behavior, not a 2.1 design flaw. I'd like to know whether that's correct. Any response would still be appreciated.

Kind regards,
Caro
Re: configure warnings and errors upon ./configure for Pinentry v0.9.7
Thanks Krzysztof. I did apt-get install pinentry-qt4, although it was an older (0.8.3-2) version than what is on gnupg.org. It installed without any errors, but when I run gpg2 --gen-key I'm still getting:

We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.
gpg: agent_genkey failed: No pinentry
Key generation failed: No pinentry

There is no delay in the error; it occurs at the same time the text above is displayed.