Re: GPGSM detached signature without auth attributes

[Stephan Beck]

Hi,

I forgot to include the links to the docs.

[1] http://g10code.com/docs/openpgp-card-2.1.pdf
[2] http://g10code.com/docs/openpgp-card-3.0.pdf

Stephan Beck:
> Hi Jerney,
> 
> Jernej Kos:
>> Hello!
>>
>> I would like to use GPGSM to sign a Linux kernel module with a private
>> key stored on an OpenPGP smartcard.


0x4218732B.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Implications of a common private keys directory in 2.1

[Carola Grunwald]

Hello Werner!

On Mon, 21 Nov 2016 10:28:47 +0100, you wrote:

>On Sun, 20 Nov 2016 21:37, c...@nymph.paranoici.org said:
>
>>>Is there any chance to get that disentangled, maybe by defining a
>>>separate secret key directory for each public .kbx keyring in use?
>
>No.
>
>> The silence makes me believe that what I described is intended behavior,
>> not a 2.1 design flaw. I'd like to know whether that's correct. Any
>
>Correct.  The gpg-agent takes care of private keys and does not know
>about gpg or gpgsm.  Deleting a private key is not easy because it may
>be used by several protocols.  This is the reason you see an extra
>confirmation message when trying to delete a private key.
>
>BTW, the use of the --keyring option is in general not a good idea.  We
>would very much like to entirely get rid of them due to the problems
>assocciated with that kludge (or well, that upward compatibility with
>PGP).

IMHO for several reasons there has to be some method to structure larger
key depositories.

Just to name a few ...

- Performance drops with the number of available keys, especially when
data lacking a key-ID (--throw-keyids) have to be decrypted.

- In a multi-user environment the key owning recipient has to be granted
access to the private key with some sender being restricted to only use
the public key no matter whether there's any chance s/he guesses the
correct passphrase.

- There's no reason to have keys used for different tasks together on a
single keyring, as key management gets chaotic with such a hodgepodge.
And confusion would increase even more trying to mimic v1.4 by running
multiple GPG Agents dedicated to tasks which have to be separated.

Even if there's no chance to return to completely separated keyrings,
which without doubt have stood the test of time in GnuPG 1.4, I think
there at least has to be a method to group public as well as private
keys in some way to allow the selection of only one or a few of these
subsets to take part in processing. Currently for example apart from the
accidental deletion of private keys I earlier described I don't see any
concept of dealing with orphaned files in the private-keys and
openpgp-revocs directory. An Agent managing all lists of key subsets
would gain the information needed to solve all these problems, for
example delete the private key file when all list entries associated
with that privat key are removed.

Though not very familiar with GnuPG internals I hope I made my concerns
somewhat clearer.

Good night, and good luck

Caro

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: configure warnings and errors upon ./configure for Pinentry v0.9.7

[Stephan Beck]

Hi,

David Adamson:
> On Mon, Nov 21, 2016 at 12:33 PM, Stephan Beck  wrote:
>> Hi,
>>
>> David Adamson:
>>
>> If you only want to use the command line (i.e. text mode) and do not
>> need a GUI, you'll probably need the pinentry-curses package. Install it
>> by typing: sudo apt-get install pinentry-curses
> 
> Thanks for the tip. I just tried your suggestion, installed
> pinentry-curses, which installed without error but I am getting the
> same error when trying generate keys, just as before.

Ah, I forgot one thing: you have to add the following to your ~/.bashrc
file:
GPG_TTY=$(tty)
export GPG_TTY

Does it work now?

HTH

Stephan


0x4218732B.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPGSM detached signature without auth attributes

[Stephan Beck]

Hi Jerney,

Jernej Kos:
> Hello!
> 
> I would like to use GPGSM to sign a Linux kernel module with a private
> key stored on an OpenPGP smartcard.

As to the OpenPGP card 2.1 [1] specification, you can store the private
key of an X.509 certificate on card (Data Object Cardholder Certificate,
TAG 7F21) ONLY for using it for authentication purposes in a
client/server environment, not for signing.
In version 3.0 of the OpenPGP card specification the decipher and sign
capabilities for use with an PKIX/X.509 certificate have been
introduced. Unfortunately I don't know of any existing OpenPGP smart
card that implements version 3.0 [2].
So, I guess, without even discussing the possibility (and further
details) of using a "smartcard-based" X.509 certificate's private key
with gpgsm for digitally signing a file skipping/overriding/ignoring
CMS's auth attributes for signing a kernel module, it is not (yet)
feasible (in practice).

My 2 cent

Stephan


0x4218732B.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: configure warnings and errors upon ./configure for Pinentry v0.9.7

[David Adamson]

On Mon, Nov 21, 2016 at 12:33 PM, Stephan Beck  wrote:
> Hi,
>
> David Adamson:
>
> If you only want to use the command line (i.e. text mode) and do not
> need a GUI, you'll probably need the pinentry-curses package. Install it
> by typing: sudo apt-get install pinentry-curses

Thanks for the tip. I just tried your suggestion, installed
pinentry-curses, which installed without error but I am getting the
same error when trying generate keys, just as before.


> There's one thing I don't really understand:
> In your first mail you talked about your laptop with Debian Jessie, and
> that it has gnupg 1.4.18 pre-installed. I think the whole info should
> be: Debian Jessie (standard install) has gnupg 1.4.18 AND gnupg 2.0.26
> pre-installed. Or how would you be able to issue a command gpg2 at all?
> Or do you have a text-mode only pre-installed Debian Jessie with both
> gnupg versions?

You're right there's some information I accidentally left out. I have
a standard debian 8 jessie install which included gnupg v 1.4.18. I
then downloaded and installed from gnupg.org the source code for
version GnuPG modern 2.1.16 and needed libraries. With that said you
can pick up with the opening line of this thread. I hope I didn't
leave anything out this time.

I'm really starting to feel I missed a step along the way and messed
up the install.  I suppose I could do a fresh install  of the OS and
just use the 1.4.18 version otherwise I'm not aware of what to do
differently on my second attempt. I feel as though I followed the
instructions. It probably some basic linux config that I'm too new to
know about, LOL.

Thanks.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: configure warnings and errors upon ./configure for Pinentry v0.9.7

[Stephan Beck]

Hi,

David Adamson:
> On Mon, Nov 21, 2016 at 4:16 AM, Werner Koch  wrote:
> 
>>> configure: error: No pinentry enabled.
>>
>> You need to install the appropriate development package for the GUI
>> platform.
> 
> I looked for a GUI platform but had no idea what it's called where to
> find it and why I need a GUI if I plan on using purely command line
> interface.
> 
> Would It be:
> "GPA is a graphical frontend to GnuPG"
> 
> Thanks for your help!

If you only want to use the command line (i.e. text mode) and do not
need a GUI, you'll probably need the pinentry-curses package. Install it
by typing: sudo apt-get install pinentry-curses

There's one thing I don't really understand:
In your first mail you talked about your laptop with Debian Jessie, and
that it has gnupg 1.4.18 pre-installed. I think the whole info should
be: Debian Jessie (standard install) has gnupg 1.4.18 AND gnupg 2.0.26
pre-installed. Or how would you be able to issue a command gpg2 at all?
Or do you have a text-mode only pre-installed Debian Jessie with both
gnupg versions?

HTH

Stephan


0x4218732B.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg-agent crashes on Windows 10

[Juan Miguel Navarro Martínez]

On 2016-11-18 at 09:45, Matthias Wachs wrote:
> Hi Werner, hi all,
> 
> 2.1.12 may be outdated but is the latest version for Windows (available on
> Heise):
> https://www.heise.de/download/product/gnu-privacy-guard-gnupg-1677/download
> 
> The version included in gpg4win is even older:
> https://www.gpg4win.org/download.html
> -> GnuPG 2.0.30

I can't tell about heise.de version but as Peter Lebbing has said, GnuPG
2.0.30 is the latest stable branch version.

For GnuPG 2.1.16 download it from www.gnupg.org[1] or if you like
Gpg4Win you can install the Gpg4Win 3.0.0 Beta[2] which contains 2.1.15
(it could have been 2.1.16 but the last beta version was released a few
days earlier to the 2.1.16 release)

[1]: https://www.gnupg.org/download/index.html#binary (Second download
link on Windows row)
[2]: https://files.gpg4win.org/Beta/

-- 
Juan Miguel Navarro Martínez

GPG Keyfingerprint:
5A91 90D4 CF27 9D52 D62A
BC58 88E2 947F 9BC6 B3CF



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to prevent passphrase caching in 2.1

[Carola Grunwald]

Hello Werner,

thanks for your fast reply.

On Mon, 21 Nov 2016 10:30:51 +0100, you wrote:

>On Sun, 20 Nov 2016 22:18, c...@nymph.paranoici.org said:
>
>> to gpg-agent.conf the official way to deactivate passphrase caching
>> completely and make GnuPG only use the term transferred with the
>
>Please describe what you want to achieve.

It's about a multi-user mail/news server, where multithreaded message
processing for all user accounts is done by a single gpg agent. As for
each single decryption task only a defined passphrase is allowed to be
used it's essential to have caching, which implicates the risk of
unauthorized passphrase usage, strictly deactivated.

Kind regards

Caro

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: configure warnings and errors upon ./configure for Pinentry v0.9.7

[David Adamson]

On Mon, Nov 21, 2016 at 4:16 AM, Werner Koch  wrote:

>> configure: error: No pinentry enabled.
>
> You need to install the appropriate development package for the GUI
> platform.

I looked for a GUI platform but had no idea what it's called where to
find it and why I need a GUI if I plan on using purely command line
interface.

Would It be:
"GPA is a graphical frontend to GnuPG"

Thanks for your help!

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Primary and Signing Key on Different Smart Cards

[Andrew Gallagher]

On 21/11/16 11:04, Peter Lebbing wrote:
>>> >> rather trust GnuPG's random number generator than the one on a cheap 
>>> >> smartcard
>>> >> (or any smartcard for that matter). So I would recommend to not use the 
>>> >> on-card
>>> >> key generation feature anyway.
>> > 
>> > That's quite an interesting point that I have not thought about. Do
>> > you have any references to the papers that I can read on this subject?
> No, but I remember Werner Koch saying he'd rather not use the on-card
> RNG. I tried to find this, but the best I could find was his statement
> that you don't want regular DSA on smartcard[1]. As I understand it,
> that is because of the risk of a failing RNG.

Have a look at the graphs on page 7 of this PDF:

https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_svenda.pdf

tl;dr: Some smart cards have *shockingly* poor RNG implementations.

A



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Primary and Signing Key on Different Smart Cards

[Peter Lebbing]

On 20/11/16 22:50, Anton Marchukov wrote:
> I think you will have to keep it as backup too in case you will want
> to add another smartcard with a new subkey to an existing key or not?

Oh, good point! Maybe it's possible without on-disk keys, I'll try it
out later. Otherwise: yes, it would be impossible to add new subkeys.

> Although if air gaped machine is secure then encrypting backup using
> the smartcard itself and removing the unencrypted copy will do the
> trick as well.

I'm not too sure about "removing the unencrypted copy", though. I'd much
rather not have the key hit the disk anyway. By using a Linux Live CD
and physically removing the cable from the hard disk.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Primary and Signing Key on Different Smart Cards

[Peter Lebbing]

On 20/11/16 22:48, Anton Marchukov wrote:
>> Which version, GnuPG 2.0 or 2.1? I think you can use 2.1 to reach the desired
>> outcome without difficulty, even if it might be a bit non-standard.
> 
> I have 2.1.11

Ah! I don't have time right now, but once I do, I'll try to see to write
up some instructions...

> Ok. So I am using 2.1 and I have read the referenced threads and the
> both options assume that you either generate key of the card or
> maintain a copy of that. Anybody was able to do that with generating
> keys on the card always and not extracting them from the card as the
> copy either?

With 2.1, maybe it's possible. I'm curious to try it out. It might work.
It might not.

>> rather trust GnuPG's random number generator than the one on a cheap 
>> smartcard
>> (or any smartcard for that matter). So I would recommend to not use the 
>> on-card
>> key generation feature anyway.
> 
> That's quite an interesting point that I have not thought about. Do
> you have any references to the papers that I can read on this subject?

No, but I remember Werner Koch saying he'd rather not use the on-card
RNG. I tried to find this, but the best I could find was his statement
that you don't want regular DSA on smartcard[1]. As I understand it,
that is because of the risk of a failing RNG. Signature generation in
DSA requires a good quality random number, otherwise it might be
possible to reconstruct the private key through signatures. In the time
since that post, GnuPG gained deterministic DSA, which no longer
requires randomness for signature generation.

> But same time I find it a
> kind of overkill over key generation on the card for my use cases.

That is of course your choice. However, people have done analysis of
large amounts of public keys on keyservers before. If someone discovers
a way to exploit a weakness in the OpenPGP Card on-card RNG, they might
be able to analyse massive amounts of public keys and put the results on
the internet for everyone to see. Just to show they can, and win the
internets. Even if you don't suspect adversaries who target you
specifically, you might be caught in a massive untargeted sweep. I'm
just thinking out loud here, it's just something that came to mind. It's
your decision, I'm just trying to help you make it an informed decision.
Maybe you think I'm being overly paranoid. I'd rather have you consider
it and then dismiss it than not think of it at all.

HTH,

Peter.

[1] https://lists.gnupg.org/pipermail/gnupg-users/2013-October/047841.html

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to prevent passphrase caching in 2.1

[Werner Koch]

On Sun, 20 Nov 2016 22:18, c...@nymph.paranoici.org said:

> to gpg-agent.conf the official way to deactivate passphrase caching
> completely and make GnuPG only use the term transferred with the

Please describe what you want to achieve.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


pgpQr_aAZLoCP.pgp
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Implications of a common private keys directory in 2.1

[Werner Koch]

On Sun, 20 Nov 2016 21:37, c...@nymph.paranoici.org said:

>>Is there any chance to get that disentangled, maybe by defining a
>>separate secret key directory for each public .kbx keyring in use?

No.

> The silence makes me believe that what I described is intended behavior,
> not a 2.1 design flaw. I'd like to know whether that's correct. Any

Correct.  The gpg-agent takes care of private keys and does not know
about gpg or gpgsm.  Deleting a private key is not easy because it may
be used by several protocols.  This is the reason you see an extra
confirmation message when trying to delete a private key.

BTW, the use of the --keyring option is in general not a good idea.  We
would very much like to entirely get rid of them due to the problems
assocciated with that kludge (or well, that upward compatibility with
PGP).


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


pgp0ZZzf8imO8.pgp
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: configure warnings and errors upon ./configure for Pinentry v0.9.7

[Werner Koch]

On Sat, 19 Nov 2016 21:51, davidadamson...@gmail.com said:

> *** The config script /usr/local/bin/gpg-error-config was
> *** built for x86_64-pc-linux-gnu and thus may not match the
> *** used host x86_64-unknown-linux-gnu.

This warning is a bit unfortunate but it is harmless.  Both platform
triplets indicate the same platform.

The names of these triplets are sometimes changed and when you are using
an older version of a library you may see such a warning.  The reason
why we print this warning is to be able to figure out build problems in
case of non properly installed systems where a native library and a
library used for cross-compiling are mixed up.

> checking for Qt5Core >= 5.0.0 Qt5Gui >= 5.0.0 Qt5Widgets >= 5.0.0...
> ./configure: line 9744: no: command not found

The "no" is a minor bug in the configure script - it is mostly harmless.

> configure: error: No pinentry enabled.

You need to install the appropriate development package for the GUI
platform.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


pgpQGQ9beF1El.pgp
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users