Re: Trust signature domain

2017-01-17 Thread David Shaw
On Jan 16, 2017, at 11:52 AM, John Lane  wrote:
> 
> I'm trying to experiment with trust signatures but I can't work out how
> the 'domain' question is used?
> 
> I think I understand what it is for, but I can't enter a value and get
> it to work.
> 
> I have a key A that has signed b...@example.com and c...@example.org
> 
> If I tsign A at level 2 with the domain blank then B and C are fully valid.
> 
> If I tsign A at level 2 with a domain of example.com then neither are
> valid. I expected B to be valid.
> 
> From what I've read, I think this value might be a regular expression
> and need to be entered in a certain way.

The value is a regular expression internally, but you don't need to enter it as 
one.   GnuPG automatically takes what you enter into the domain field and 
converts it to a regexp.  For example:

  example.com

becomes:

  <[^>]+[@.]example\.com>$

Can you post the actual user IDs of the keys you are testing with (or a similar 
example.com set) so I can try them as well?

David


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: gpgme: error in OS X app bundle

2017-01-17 Thread Paul Applegate
Here is what I sent you an hour and a half ago:
You can use the website listed at the bottom of the email to unsubscribe.
https://lists.gnupg.org/mailman/listinfo/gnupg-users 


You signed up for a mailing list, so you get every email until you unsubscribe.


> On Jan 17, 2017, at 8:20 PM, Loy Fortner  wrote:
> 
> Stop the bull shit now
> 
> On Jan 17, 2017 8:12 PM, > wrote:
> Werner Koch wrote:
> 
> > > On Tue, 17 Jan 2017 14:52, r...@sixdemonbag.org said:
> >
> > > Homebrew uses /usr/local, GPGTools uses /usr/local, GPGOSX uses
> > > /usr/local/gnupg-2.1, hand-installed often goes to $HOME, some people
> > > use /opt, and so on.
> >
> > So, this is the standard Unix pattern.  We should add /usr/local/bin to
> > the default PATH, though.
> >
> > Salam-Shalom,
> >
> >Werner
> 
> and macports uses /opt/local/bin.
> 



Re: gpgme: error in OS X app bundle

2017-01-17 Thread Loy Fortner
Stop the bull shit now

On Jan 17, 2017 8:12 PM,  wrote:

> Werner Koch wrote:
>
> > On Tue, 17 Jan 2017 14:52, r...@sixdemonbag.org said:
> >
> > > Homebrew uses /usr/local, GPGTools uses /usr/local, GPGOSX uses
> > > /usr/local/gnupg-2.1, hand-installed often goes to $HOME, some people
> > > use /opt, and so on.
> >
> > So, this is the standard Unix pattern.  We should add /usr/local/bin to
> > the default PATH, though.
> >
> > Salam-Shalom,
> >
> >Werner
>
> and macports uses /opt/local/bin.


Re: gpgme: error in OS X app bundle

2017-01-17 Thread gnupg
Werner Koch wrote:

> On Tue, 17 Jan 2017 14:52, r...@sixdemonbag.org said:
> 
> > Homebrew uses /usr/local, GPGTools uses /usr/local, GPGOSX uses
> > /usr/local/gnupg-2.1, hand-installed often goes to $HOME, some people
> > use /opt, and so on.
> 
> So, this is the standard Unix pattern.  We should add /usr/local/bin to
> the default PATH, though.
> 
> Salam-Shalom,
> 
>Werner

and macports uses /opt/local/bin.




Re: Feature request: treat missing smartcard reader as missing smartcard

2017-01-17 Thread Loy Fortner
Please stop sending me this message. I don't know what you are talking
about, so stop.

On Jan 17, 2017 6:54 PM, "NIIBE Yutaka"  wrote:

> Peter Lebbing  wrote:
> > For instance, if I open an encrypted mail in Thunderbird/Enigmail, I see
> > the following:
> >
> > - Card reader is plugged in but no card or different card present in
> reader:
> >
> > I am prompted to insert the correct OpenPGP card. Once I do this and
> > okay the prompt, decryption is successful.
> >
> > - Card reader not plugged in:
> >
> > Empty message window with Enigmail error on the lines of "Decryption
> > failed. No secret key available."
>
> Good point.
>
> In the development branch, I'm currently working for multiple card/token
> support (currently only with internal CCID driver).  And I also happened
> to notice this difference this month.
>
> Now in the repo (master), signing and decryption work well with multiple
> card/token and a user is prompted when there is no relevant card/token.
>
> This is just a lucky coincidence, but I'm glad to see the development of
> GnuPG goes well.
>
> Thank you for your support of GnuPG.  Your support encourages me
> (hopefully, all of us) to fix bugs and add features.
> --


Re: Feature request: treat missing smartcard reader as missing smartcard

2017-01-17 Thread NIIBE Yutaka
Peter Lebbing  wrote:
> For instance, if I open an encrypted mail in Thunderbird/Enigmail, I see
> the following:
>
> - Card reader is plugged in but no card or different card present in reader:
>
> I am prompted to insert the correct OpenPGP card. Once I do this and
> okay the prompt, decryption is successful.
>
> - Card reader not plugged in:
>
> Empty message window with Enigmail error on the lines of "Decryption
> failed. No secret key available."

Good point.

In the development branch, I'm currently working for multiple card/token
support (currently only with internal CCID driver).  And I also happened
to notice this difference this month.

Now in the repo (master), signing and decryption work well with multiple
card/token and a user is prompted when there is no relevant card/token.

This is just a lucky coincidence, but I'm glad to see the development of
GnuPG goes well.

Thank you for your support of GnuPG.  Your support encourages me
(hopefully, all of us) to fix bugs and add features.
-- 



Re: I'm confused about GPG, and it's confused about me

2017-01-17 Thread Juan Miguel Navarro Martínez
On 2017-01-17 at 21:09, Reid Vail wrote:
> rsv2@rsv2-Serval-Pro ~ $ gpg --clearsign --local-user --default-key encryption\ test
> 
You are telling GnuPG to clear sign a file called "encryption test" with
a local key that has a User ID (UID) containing "--default-key".

Try using:

gpg --clearsign --local-user 0x3A74A1DB2C796657D14BA6B83EDE6A3226F66FEB encryption\ test

or this one, if you use the other key:

gpg --clearsign --local-user 0x1F356DC33182016A8E59E5099A72F153A780EFF6 encryption\ test

Same for encryption:

Key 1: gpg --armor --encrypt --recipient 0x3A74A1DB2C796657D14BA6B83EDE6A3226F66FEB encryption\ test

Key 2: gpg --armor --encrypt --recipient 0x1F356DC33182016A8E59E5099A72F153A780EFF6 encryption\ test

Normally, you use "default-key" as an option in gpg.conf (usually in
~/.gnupg/) like this:

default-key 0xDEADBEEF

where DEADBEEF is your master key's key ID or, more secure yet, its
fingerprint (as I did above).

-- 
Juan Miguel Navarro Martínez

GPG Keyfingerprint:
5A91 90D4 CF27 9D52 D62A
BC58 88E2 947F 9BC6 B3CF
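Juan's recommendation in code form, as an added shell example that is not from the thread and not GnuPG's own tooling: take the fingerprint as "gpg --fingerprint" prints it, normalise it, and refuse anything shorter than 40 hex digits before it reaches --local-user or the default-key line in gpg.conf. The only facts taken from the page are Reid's two fingerprints; the function names are made up here, and the gpg invocation itself is not exercised offline.

```sh
#!/bin/sh
# Added example, not GnuPG's tooling.  Name keys by full fingerprint only.

# fpr_normalize FPR
#   Accepts the spaced form printed by "gpg --fingerprint" or a bare hex
#   string with or without 0x, and prints 0x + upper-case hex.
fpr_normalize() {
    printf '%s\n' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr 'a-f' 'A-F' | sed 's/^/0x/'
}

# is_full_fingerprint ID  -> exit status 0 only for 0x + 40 hex digits
#   8- or 16-digit key IDs are truncated fingerprints.  A 32-bit short ID is
#   cheap to collide, so a key selected by it may not be the one you meant;
#   the long ID is better, but the full fingerprint is the only identifier
#   that actually names one key.
is_full_fingerprint() {
    printf '%s\n' "$1" | grep -Eq '^0x[0-9A-Fa-f]{40}$'
}

# gpg_clearsign_as FPR FILE  -> clearsign FILE with the key FPR
#   Rejects anything shorter than a fingerprint before gpg is ever run.
gpg_clearsign_as() {
    fpr=$(fpr_normalize "$1")
    if ! is_full_fingerprint "$fpr"; then
        echo "refusing: '$1' is not a full 40-hex-digit fingerprint" >&2
        return 2
    fi
    gpg --clearsign --local-user "$fpr" "$2"
}

# set_default_key GNUPGHOME FPR
#   Puts "default-key 0x<fingerprint>" into GNUPGHOME/gpg.conf, replacing
#   any existing default-key line, after the same check.
set_default_key() {
    fpr=$(fpr_normalize "$2")
    if ! is_full_fingerprint "$fpr"; then
        echo "refusing: '$2' is not a full 40-hex-digit fingerprint" >&2
        return 2
    fi
    conf="$1/gpg.conf"
    [ -f "$conf" ] || : > "$conf"
    { grep -v '^default-key ' "$conf" || true; } > "$conf.tmp"
    printf 'default-key %s\n' "$fpr" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Reid's first key, spaced exactly as --fingerprint prints it:
# gpg_clearsign_as '3A74 A1DB 2C79 6657 D14B  A6B8 3EDE 6A32 26F6 6FEB' 'encryption test'
# set_default_key "$HOME/.gnupg" 0x3A74A1DB2C796657D14BA6B83EDE6A3226F66FEB
```

The check is deliberately applied before gpg is called: gpg itself happily accepts a short key ID, and if two keys in the keyring share it the wrong one may be chosen without any warning.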





Re: Trust signature domain

2017-01-17 Thread Loy Fortner
I don't know what you are talking about

On Jan 17, 2017 3:33 PM, "John Lane"  wrote:

> On 17/01/17 19:51, Peter Lebbing wrote:
>
> > Seems like an extended regexp with a mistake. The dot would actually
> match any
> > character, it needs to be quoted:
> >
>
> Quite right, but it would match a dot too!
>
> I did try it with and without an escape without success.
>
> There seems to be very little information available about this feature
> beyond the high-level description in the prompt output from gpg.


I'm confused about GPG, and it's confused about me

2017-01-17 Thread Reid Vail
Hello GPG team -

I have tried to get GPG working but am stuck and need some help isolating the
issue, please.

I'm running GnuPG 1.4.20-1 on Linuxmint KDE 18.  My mail package is
Claws-mail 1.13.2, but I don't think it's a mail issue.

I can run GnuPG at the command line and can create a new key pair, and the
output from the --fingerprint option is shown directly below, but encrypting
through Claws fails with an error that simply says "encryption failed".

Next I tried to get a basic signature to work, and that fails also, shown next.

I'm not sure how to troubleshoot my issue.  Pointers welcome.

Reid

--
rsv2@rsv2-Serval-Pro ~ $ gpg --fingerprint rsv...@runbox.com
pub   2048R/26F66FEB 2016-11-09
  Key fingerprint = 3A74 A1DB 2C79 6657 D14B  A6B8 3EDE 6A32 26F6 6FEB
uid  Reid Vail 
sub   2048R/14C2E935 2016-11-09

pub   2048R/A780EFF6 2017-01-17
  Key fingerprint = 1F35 6DC3 3182 016A 8E59  E509 9A72 F153 A780 EFF6
uid  Reid Vail (runbox) 
sub   2048R/1ED8FE07 2017-01-17

---

rsv2@rsv2-Serval-Pro ~ $ gpg --clearsign --local-user --default-key encryption\ test
gpg: skipped "--default-key": secret key not available
gpg: encryption test: clearsign failed: secret key not available
rsv2@rsv2-Serval-Pro ~ $ 




Re: Trust signature domain

2017-01-17 Thread John Lane
On 17/01/17 19:51, Peter Lebbing wrote:

> Seems like an extended regexp with a mistake. The dot would actually match any
> character, it needs to be quoted:
> 

Quite right, but it would match a dot too!

I did try it with and without an escape without success.

There seems to be very little information available about this feature
beyond the high-level description in the prompt output from gpg.




Re: Trust signature domain

2017-01-17 Thread Peter Lebbing
On 17/01/17 18:17, John Lane wrote:
> <[^>]+@example.net>$

Seems like an extended regexp with a mistake. The dot would actually match any
character, it needs to be quoted:

<[^>]+@example\.net>$

(and quoted even further if provided through a shell).

I hope I didn't miss any other mistakes.

(I haven't actually tried to do anything at all with trust signatures, I just
noticed a mistake while reading your message.)

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 
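David Shaw's domain-to-regexp conversion earlier in the thread, together with the unescaped-dot problem Peter points out here, reproduced as an added shell example. This is not GnuPG's code: the only fact taken from the thread is that "example.com" becomes <[^>]+[@.]example\.com>$; that every other non-alphanumeric character of the domain is escaped the same way is an assumption, and the user IDs are constructed.

```sh
#!/bin/sh
# Added example, not GnuPG's code.  Rebuilds the regexp GnuPG derives from a
# trust-signature domain and checks user IDs against it with grep -E.
# Assumption: every non-alphanumeric character of the domain is escaped;
# the thread only shows the dot becoming "\.".

# tsig_domain_regexp DOMAIN  -> prints e.g. <[^>]+[@.]example\.com>$
#   The "[@.]" in front of the domain means the address part must END in
#   "@DOMAIN" or ".DOMAIN": sub-domains are in scope, "notexample.com" is not.
tsig_domain_regexp() {
    escaped=$(printf '%s' "$1" | sed 's/[^A-Za-z0-9]/\\&/g')
    printf '<[^>]+[@.]%s>$' "$escaped"
}

# uid_matches REGEXP USERID  -> exit status 0 if USERID matches
uid_matches() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# in_scope DOMAIN USERID  -> prints yes/no: would a tsign restricted to this
#   domain let the signed key vouch for USERID?
in_scope() {
    if uid_matches "$(tsig_domain_regexp "$1")" "$2"; then echo yes; else echo no; fi
}

# Constructed user IDs in the shape John Lane describes (keys B and C).
for uid in 'Bob <bob@example.com>' 'Carol <carol@example.org>' \
           'Sub <sub@mail.example.com>' 'Eve <eve@notexample.com>' \
           'bare@example.com'; do
    printf '%-32s %s\n' "$uid" "$(in_scope example.com "$uid")"
done

# Peter's point: an unescaped dot matches any character, so "examplexnet"
# slips through the hand-written pattern and is rejected by the fixed one.
SLOPPY='<[^>]+@example.net>$'
FIXED='<[^>]+@example\.net>$'
for p in "$SLOPPY" "$FIXED"; do
    if uid_matches "$p" 'Mallory <mallory@examplexnet>'; then
        printf '%-28s matches mallory@examplexnet\n' "$p"
    else
        printf '%-28s rejects mallory@examplexnet\n' "$p"
    fi
done
```

Two things the regexp itself shows: the "<" and ">" are literal, so a user ID that is a bare address without angle brackets is never in scope no matter what domain is entered, and the "[@.]" makes every sub-domain of the entered domain match as well.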



Re: Trust signature domain

2017-01-17 Thread John Lane

>> I'm trying to experiment with trust signatures but I can't work out how
>> the 'domain' question is used?
>>
The only thing I've been able to find is this regular expression

  <[^>]+@example.net>$

(http://linuxfr.org/users/gouttegd/journaux/de-la-confiance-dans-le-monde-openpgp#limitation-du-champ-des-trust-signatures)

I still can't make it work though!

FWIW gpg (GnuPG) 2.1.17


Re: gpgme: error in OS X app bundle

2017-01-17 Thread Werner Koch
On Tue, 17 Jan 2017 14:52, r...@sixdemonbag.org said:

> Homebrew uses /usr/local, GPGTools uses /usr/local, GPGOSX uses
> /usr/local/gnupg-2.1, hand-installed often goes to $HOME, some people
> use /opt, and so on.

So, this is the standard Unix pattern.  We should add /usr/local/bin to
the default PATH, though.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: gpgme: error in OS X app bundle

2017-01-17 Thread Robert J. Hansen
> Is there another directory which should be included into the default
> PATH on macOS?  We can't add private directories (that is what PATH
> is for), but adding standard directories would be fine.

Well, the problem we run into is there's so many different places people
install GnuPG on OS X.

Homebrew uses /usr/local, GPGTools uses /usr/local, GPGOSX uses
/usr/local/gnupg-2.1, hand-installed often goes to $HOME, some people
use /opt, and so on.

I have a hack around it, but it's kind of gross, and I'm really hoping
there's a better way.



Re: gpgme: error in OS X app bundle

2017-01-17 Thread Werner Koch
On Mon, 16 Jan 2017 20:28, r...@sixdemonbag.org said:

> GPGME 2017-01-16 14:14:55 <0x0d3f>  gpgme-walk_path: 'gpgconf' not found
> in '/usr/bin:/bin:/usr/sbin:/sbin'

Is there another directory which should be included into the default
PATH on macOS?  We can't add private directories (that is what PATH
is for), but adding standard directories would be fine.

> I can think of a few ways to approach this, but they all seem inelegant.
>  Looking for a .profile in $HOME, parsing it for PATH information, and
> looking for gpgconf in those dirs?  Or should I just raise a, "Please

You could build gpgme with this option

  ./configure --enable-fixed-path=/foo:/foo/bar:/baz

so that PATH is ignored and the given fixed path is used to locate
gpgconf.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
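A launcher-side alternative to parsing ~/.profile, as an added shell example that is neither GPGME's code nor Robert's hack: probe a fixed list of install prefixes for gpgconf and hand GPGME a PATH that contains it, which is the same idea a --enable-fixed-path build bakes in at configure time, decided at launch time instead. Only /usr/local/bin, /usr/local/gnupg-2.1/bin and /opt/local/bin come from the thread; the remaining directories in the list and the function names are assumptions made here.

```sh
#!/bin/sh
# Added example, not GPGME's code.  A launched macOS .app sees only the
# system default PATH (the "gpgme-walk_path: 'gpgconf' not found in
# '/usr/bin:/bin:/usr/sbin:/sbin'" line in the thread), so a wrapper has to
# find gpgconf itself.  Sourcing ~/.profile would mean evaluating arbitrary
# user shell code; probing a fixed list of well-known prefixes does not.
#
# Assumption: only the first three directories come from the thread; the
# rest are illustrative.
GPGCONF_CANDIDATE_DIRS="/usr/local/bin /usr/local/gnupg-2.1/bin /opt/local/bin /opt/gnupg/bin $HOME/bin"

# find_gpgconf [DIR...]
#   Prints the first DIR/gpgconf that is a regular executable file and is
#   not group- or world-writable; exit status 1 if none qualifies.
#   Whatever this returns gets executed with the user's privileges, so a
#   binary another local user could overwrite is skipped, not trusted.
find_gpgconf() {
    [ $# -gt 0 ] || set -- $GPGCONF_CANDIDATE_DIRS   # split on spaces on purpose
    for d in "$@"; do
        f="$d/gpgconf"
        [ -f "$f" ] && [ -x "$f" ] || continue
        # columns 6 and 9 of "ls -l" are the group and other write bits
        if ls -ld "$f" | cut -c6,9 | grep -q w; then
            continue
        fi
        printf '%s\n' "$f"
        return 0
    done
    return 1
}

# gpgme_env_path [DIR...]
#   Prints the PATH to export before initialising GPGME: the directory of
#   the gpgconf found, in front of the default system PATH, so GPGME's own
#   walk finds it.  Exit status 1 if no gpgconf was found.
gpgme_env_path() {
    gc=$(find_gpgconf "$@") || return 1
    printf '%s\n' "${gc%/gpgconf}:/usr/bin:/bin:/usr/sbin:/sbin"
}

if p=$(gpgme_env_path); then
    echo "export PATH=$p"
else
    echo "no gpgconf in a trusted prefix; tell the user to install GnuPG" >&2
fi
```

The writability check is the part worth keeping even if the directory list changes: /usr/local is commonly left writable by the installing user on macOS, and a wrapper that blindly executes the first gpgconf it finds there turns that into a local privilege problem.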




Feature request: treat missing smartcard reader as missing smartcard

2017-01-17 Thread Peter Lebbing
Hi devs,

I think scdaemon would behave more predictably and more *correct* if it
treated a missing or changed card reader as a missing or changed card.

For instance, if I open an encrypted mail in Thunderbird/Enigmail, I see
the following:

- Card reader is plugged in but no card or different card present in reader:

I am prompted to insert the correct OpenPGP card. Once I do this and
okay the prompt, decryption is successful.

- Card reader not plugged in:

Empty message window with Enigmail error on the lines of "Decryption
failed. No secret key available."


These days, it is quite common to see readers with either integrated
smartcards or smartcards that can't be changed or removed easily. I
think these devices should be treated as currently the smartcard is.
I.e., if the reader is not plugged in, prompt the user to insert their
smartcard just like scdaemon would if the reader were present but empty.

I think this is also the reason why in this[1] mail to gnupg-users,
Anton is not able to do the same procedure as I could. I used a desktop
smartcard reader and two regular OpenPGP cards. Anton used one regular
OpenPGP card and one Yubikey. Where I was prompted to change cards, his
attempt likely failed because he had to swap *readers* as well as cards.

Peter.

[1] 

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: Primary and Signing Key on Different Smart Cards

2017-01-17 Thread Peter Lebbing
Hello Anton,

> 1. I have gpg 2.1.11. What is your gpg2 --version ?

I did that with Debian package 2.1.11-7.

> 2. Since YubiKey is a usb token and my primary card is a plastic
> smartcard from ZeithControl they are in fact located in two different
> readers.

Ah, that sounds like a likely culprit to me. I've thought more often
that scdaemon would be improved if it handled missing and changed
readers exactly the same as missing or changed smartcards.

I can't think of a way to solve this right now.

> I found that gpg is not able to locate card if more than one
> reader is present and somehow always default to some first card it
> sees.

Yes, multiple reader support is a work in progress.

> 3. Any other thoughts? Any debug logs I can enable?

Something like:

debug-level expert
log-file /home//scdaemon.log

added to $GNUPGHOME/scdaemon.conf could help. But note that it may
contain the card PIN in the APDU dumps! The easiest way, IMHO, to
prevent leaking private data is to use a PIN like 123456 for your tests,
and only when you've got it working do it all for real with a real PIN
and real OpenPGP keys and *no more logs*. This also prevents leaking
your PIN to your storage or your backups for instance, which could be a
problem depending on your threat model.

I've never had any luck with anything other than a plain absolute path
for the log-file directive, so I'm always just writing them out completely.

(Similar debug log directives are available for other components)

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 
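Peter's logging setup with the PIN caveat handled, as an added shell example that is not from the thread and not GnuPG's tooling. The two config directives are Peter's; the sample log lines are constructed, modelled on the "DBG: ... PCSC_data: <hex bytes>" lines scdaemon writes with the PC/SC driver, and since the exact prefix varies by version and driver the masking keys only on the APDU header bytes CLA INS P1 P2 Lc (ISO 7816: VERIFY is INS 20, CHANGE REFERENCE DATA is INS 24, RESET RETRY COUNTER is INS 2C; all three carry a PIN in the data field).

```sh
#!/bin/sh
# Added example, not GnuPG's tooling.  Sets up the scdaemon debug log the
# way Peter describes and masks PIN-carrying APDUs before the log is kept.

# write_scdaemon_debug_conf GNUPGHOME LOGFILE
#   Writes "debug-level expert" and "log-file LOGFILE" to
#   GNUPGHOME/scdaemon.conf.  LOGFILE must be an absolute path (the
#   directive does not expand ~), and it is created owner-only so the first
#   APDU dump never lands in a world-readable file.  Restart scdaemon
#   afterwards with: gpgconf --kill scdaemon
write_scdaemon_debug_conf() {
    case $2 in
        /*) ;;
        *)  echo "log-file must be an absolute path: $2" >&2; return 1 ;;
    esac
    printf 'debug-level expert\nlog-file %s\n' "$2" > "$1/scdaemon.conf"
    ( umask 077 && : > "$2" ) && chmod 600 "$2"
}

# redact_pins   (filter: stdin -> stdout)
#   A PIN travels in the data field of VERIFY (INS 20), CHANGE REFERENCE
#   DATA (INS 24) and RESET RETRY COUNTER (INS 2C).  Keep the five header
#   bytes "CLA INS P1 P2 Lc" so the command stays recognisable and drop
#   everything after them.  Only command dumps start with the header, so
#   response lines are left alone.
redact_pins() {
    sed -E 's/(: 00 (20|24|2[Cc]) [0-9A-Fa-f]{2} [0-9A-Fa-f]{2} [0-9A-Fa-f]{2}) .*$/\1 <PIN redacted>/'
}

# Constructed sample, not real scdaemon output (PIN 123456 = 31..36 hex).
SAMPLE_LOG='scdaemon[4242] DBG: send apdu: c=00 i=20 p1=00 p2=82 lc=6 le=-1 em=0
scdaemon[4242] DBG:   PCSC_data: 00 20 00 82 06 31 32 33 34 35 36
scdaemon[4242] DBG:  response: sw=9000  datalen=0
scdaemon[4242] DBG: send apdu: c=00 i=CA p1=00 p2=6E lc=-1 le=256 em=0
scdaemon[4242] DBG:   PCSC_data: 00 CA 00 6E 00
scdaemon[4242] DBG: send apdu: c=00 i=24 p1=00 p2=81 lc=12 le=-1 em=0
scdaemon[4242] DBG:   PCSC_data: 00 24 00 81 0C 31 32 33 34 35 36 36 35 34 33 32 31'

# redacted_sample -> the sample after masking
redacted_sample() {
    printf '%s\n' "$SAMPLE_LOG" | redact_pins
}

redacted_sample
```

Run the filter over the log before it is copied anywhere (a bug report, a backup, a shared machine); Peter's advice to do the debugging with a throwaway PIN still stands, because the filter only knows the APDUs listed above and a different driver or a future log format could print the same bytes in a shape it does not recognise.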
