Re: Primary and Signing Key on Different Smart Cards

2016-11-20 Thread Anton Marchukov
On Thu, Nov 17, 2016 at 7:45 PM, Arthur Ulfeldt wrote:
> I have a similar setup and have been doing it successfully. I have two
> yubikey neos with signing keys. I found that because of bugs in gpg 2.1 I

That's interesting, as I want exactly that: two Yubikeys for signing.
I will be able to try that once my second Yubikey arrives.

Did you generate the primary key on the card, or did you have to
maintain it on a disk somewhere?

Anton.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


GPGSM detached signature without auth attributes

2016-11-20 Thread Jernej Kos
Hello!

I would like to use GPGSM to sign a Linux kernel module with a private
key stored on an OpenPGP smartcard.

The original signing tool uses OpenSSL to sign the kernel module using a
detached CMS signature. The kernel requires that the CMS does not
contain any authenticated attributes and it refuses to validate the
signature otherwise [1].

In the original signing tool [2] the CMS_add1_signer call uses the
CMS_NOATTR and CMS_NOSMIMECAP flags (the same can be achieved by using
the -noattr flag of the openssl command-line utility).

Is there anything like this available in GPGSM? I've looked at the
source code of both GPGSM and libksba and it looks like there is
currently no easy way to omit these attributes from CMS with GPGSM?

Thanks!

[1] - https://lkml.org/lkml/2015/8/5/469
[2] - https://github.com/torvalds/linux/blob/master/scripts/sign-file.c#L311


Jernej
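The property Jernej's question turns on is whether the SignerInfo in a detached CMS signature carries the signedAttrs [0] field, which CMS_NOATTR (or `openssl cms -noattr`) leaves out and the kernel's verifier rejects. The following is an added example, not code from GPGSM, libksba, OpenSSL or sign-file.c: it decodes DER just far enough to answer that question, and the SignerInfo samples it checks are constructed here with a placeholder issuer name, serial number and zeroed signature bytes.

```python
# Added example (not GPGSM/libksba/sign-file.c code): minimal DER helpers and a
# check for the optional signedAttrs [0] field of a CMS SignerInfo (RFC 5652).
SEQUENCE, SET, INTEGER, OID, OCTET_STRING = 0x30, 0x31, 0x02, 0x06, 0x04
SIGNED_ATTRS_TAG = 0xA0  # [0] IMPLICIT SET OF Attribute, constructed

def der_len(n: int) -> bytes:
    """Encode a DER length in short form (<128) or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content

def iter_tlv(data: bytes):
    """Yield (tag, content) for each consecutive TLV element in `data`."""
    i = 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if first < 0x80:
            length, hdr = first, 2
        else:
            nbytes = first & 0x7F
            hdr = 2 + nbytes
            length = int.from_bytes(data[i + 2:i + hdr], "big")
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length

def has_signed_attrs(signer_info: bytes) -> bool:
    """True if the DER SignerInfo carries the optional signedAttrs field."""
    tag, body = next(iter_tlv(signer_info))
    if tag != SEQUENCE:
        raise ValueError("SignerInfo must be a SEQUENCE")
    return any(t == SIGNED_ATTRS_TAG for t, _ in iter_tlv(body))

def build_signer_info(with_attrs: bool) -> bytes:
    """Constructed sample SignerInfo: empty issuer Name, serial 1, zeroed signature."""
    sha256 = tlv(SEQUENCE, tlv(OID, bytes.fromhex("608648016503040201")))  # id-sha256
    rsa = tlv(SEQUENCE, tlv(OID, bytes.fromhex("2a864886f70d010101")))  # rsaEncryption
    sid = tlv(SEQUENCE, tlv(SEQUENCE, b"") + tlv(INTEGER, b"\x01"))  # issuerAndSerial
    fields = tlv(INTEGER, b"\x01") + sid + sha256
    if with_attrs:  # one Attribute: contentType = id-data (what CMS_NOATTR omits)
        attr = tlv(SEQUENCE, tlv(OID, bytes.fromhex("2a864886f70d010903"))
                   + tlv(SET, tlv(OID, bytes.fromhex("2a864886f70d010701"))))
        fields += tlv(SIGNED_ATTRS_TAG, attr)
    return tlv(SEQUENCE, fields + rsa + tlv(OCTET_STRING, b"\x00" * 8))
```

On a real detached signature, run `has_signed_attrs` on the SignerInfo element extracted from the .p7s file; a module signature the kernel will accept must return False.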





Re: Primary and Signing Key on Different Smart Cards

2016-11-20 Thread Anton Marchukov
> You will need the private key on-disk *temporarily* while setting up the
> smartcards. But with Knoppix, that "disk" can be a RAM disk in the main
> memory of your computer, obliterated once you power it off.

I think you will have to keep it as a backup too, in case you want
to add another smartcard with a new subkey to an existing key, or not?

Although if the air-gapped machine is secure, then encrypting the backup
using the smartcard itself and removing the unencrypted copy will do the
trick as well.



Re: Primary and Signing Key on Different Smart Cards

2016-11-20 Thread Anton Marchukov
> Which version, GnuPG 2.0 or 2.1? I think you can use 2.1 to reach the desired
> outcome without difficulty, even if it might be a bit non-standard.

I have 2.1.11

> Can we first get out of the way which exact version of GnuPG you're using? If
> you're using 2.0, start with the threads linked above, and feel free to report
> back if you're unclear about something. For 2.1, if time permits, I can outline
> the steps for you. You will need to have the private key on-disk for both

Ok. So I am using 2.1, and I have read the referenced threads. Both
options assume that you either generate the key off the card or
maintain a copy of it. Was anybody able to do that while always
generating the keys on the card and never extracting them from the card
as a copy either?

> rather trust GnuPG's random number generator than the one on a cheap smartcard
> (or any smartcard for that matter). So I would recommend to not use the on-card
> key generation feature anyway.

That's quite an interesting point that I have not thought about. Do
you have any references to the papers that I can read on this subject?

> with writable media altogether (ignoring writing DVD's for a moment; that's not
> something you accidentally leave on). Unless you don't have a DVD writer, of
> course :-).

I do not have a DVD writer anymore, but I managed to buy a USB flash
card with a write-protection switch. As I understand it, the protection
switch there is a hardware one, so it should be a good enough replacement
for DVD-Rs.

Key generation on an air-gapped machine is ok for me, and I think I have
enough information now to try to do that. But at the same time I find it
kind of overkill compared to key generation on the card for my use cases.
E.g. I am not looking for security stronger than government-issued eID
cards have, and they usually have the key generated on the card with the
card's random number generator.

Anton.



How to prevent passphrase caching in 2.1

2016-11-20 Thread Carola Grunwald
Hi,

is adding

| default-cache-ttl 0

and/or

| max-cache-ttl 0

to gpg-agent.conf the official way to deactivate passphrase caching
completely and make GnuPG only use the term transferred with the
--passphrase option?

Thanks

Caro



Re: Implications of a common private keys directory in 2.1

2016-11-20 Thread Carola Grunwald
On Sun, 16 Oct 2016 01:22:50 +0000 (UTC), I wrote:

>Hi,
>
>my next problem with 2.1.15 on Windows 7.
>
>I add a pub/sec keypair to two different keyrings
>  '--import ... --keyring a.kbx', then '--import ... --keyring b.kbx'.
>Following this I delete that key from one of the keyrings
>  '--delete-secret-and-public-key ... --keyring a.kbx',
>which unfortunately as a side effect also removes the secret key
>associated with the other public keyring (b.kbx), as for both public key
>items there's only one single secret key file stored in the common
>private-keys-v1.d directory.
>
>Is there any chance to get that disentangled, maybe by defining a
>separate secret key directory for each public .kbx keyring in use?

The silence makes me believe that what I described is intended behavior,
not a 2.1 design flaw. I'd like to know whether that's correct. Any
response would still be appreciated.

Kind regards,

Caro



Re: configure warnings and errors upon ./configure for Pinentry v0.9.7

2016-11-20 Thread David Adamson
Thanks Krzysztof. I did apt-get install pinentry-qt4 although it was
an older (0.8.3-2) version than what is on gnupg.org. It installed
without any errors but when I run gpg2 --gen-key I'm still getting:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: agent_genkey failed: No pinentry
Key generation failed: No pinentry

There is no delay in the error - it occurs at the same time the text
above is displayed.
