Re: Did I break my Ubuntu GPG installation?

2017-01-18 Thread Stefan Boehringer

Hello Peter and thank you very much!

> On 18/01/17 13:06, Stefan Boehringer wrote:
>> The error is as follows:
>> 
>>>> gpg: Auf geht's - Botschaft eintippen ...
>>>> test
>>>> gpg: Keine gültigen OpenPGP-Daten gefunden.
>>>> gpg: processing message failed: Unbekannter Systemfehler
>
> What was the command line you used to invoke gpg? It looks like it is
> expecting you to type in an OpenPGP message, i.e., one that begins with
> "-----BEGIN PGP MESSAGE-----" for example. "test" is not valid OpenPGP
> data. I think you made a mistake in the invocation.
>
> A test for encrypting and decrypting stuff from the command line looks
> something like this:
>
> $ echo Hello >test.txt
> $ gpg -r stefan.boehrin...@posteo.de -e test.txt
> $ rm test.txt
> $ gpg test.txt.gpg
>
> And at the end, you'll have your test.txt back. If (like me) you think
> pipes are cool, try this:
>
> $ echo Hello | gpg -r stefan.boehrin...@posteo.de -e | gpg

That worked. I really misunderstood the gpg commandline. :-)

>
> HTH,
>
> Peter.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Trust signature domain

2017-01-18 Thread John Lane
On 18/01/17 15:39, Damien Goutte-Gattat wrote:

> 
> I believe there's a bug in the handling of the regular expression
> associated with a trust signature. I've just submitted a patch to fix it
> [1]. With that patch applied, I get the expected result for step 10
> (Blake's key is fully valid, not the others') and step 14 (Blake's key
> is fully valid, and so are Chloe's and David's keys).

thanks for that. I thought I was going mad!
I will look out for an update that contains your patch...

> 
> For step 16, none of the keys are valid, but I think that's the expected
> behavior: you signed Introducer with a level 2 trust signature
> restricted to example.es, so the signature of Blake's key (which has an
> example.org UID) is rightly ignored. Blake's key is thus of unknown
> validity and his signatures on Chloe's and David's keys are ignored as
> well.

I agree, I added that test because I wondered if I had misunderstood how
it ought to work.

> 
> (Side note: you can use the '%transient-key' directive when
> batch-generating keys for testing purposes. This instructs GnuPG to use
> a less secure but faster random number generator, thus speeding up the
> generation process.)
> 

I don't know how I missed that... right below %no-protection which I did
use :)

much appreciated your fast response to my query.





Re: Trust signature domain

2017-01-18 Thread Damien Goutte-Gattat

Hi,

On 01/18/2017 03:51 PM, John Lane wrote:

> I think things look ok up to step 9 and point (a) and (b) appear to work
> as I expect but (c) doesn't. I'd really appreciate some feedback about
> what is happening in:
> step 10 (trust level 1 restricted to example.org)
> step 14 (trust level 2 restricted to example.org)
> step 16 (trust level 2 restricted to example.es)
>
> It would appear that any domain restriction disables trust completely!


I believe there's a bug in the handling of the regular expression 
associated with a trust signature. I've just submitted a patch to fix it 
[1]. With that patch applied, I get the expected result for step 10 
(Blake's key is fully valid, not the others') and step 14 (Blake's key 
is fully valid, and so are Chloe's and David's keys).


For step 16, none of the keys are valid, but I think that's the expected 
behavior: you signed Introducer with a level 2 trust signature 
restricted to example.es, so the signature of Blake's key (which has an
example.org UID) is rightly ignored. Blake's key is thus of unknown 
validity and his signatures on Chloe's and David's keys are ignored as well.


(Side note: you can use the '%transient-key' directive when 
batch-generating keys for testing purposes. This instructs GnuPG to use 
a less secure but faster random number generator, thus speeding up the 
generation process.)


Damien

[1] https://lists.gnupg.org/pipermail/gnupg-devel/2017-January/032472.html





Re: Feature request: treat missing smartcard reader as missing smartcard

2017-01-18 Thread Peter Lebbing
On 18/01/17 00:21, NIIBE Yutaka wrote:
> This is just a lucky coincidence, but I'm glad to see the development of
> GnuPG goes well.

Ah, two birds with one stone! Thank you for working on multi-card-reader
setups!

> Thank you for your support of GnuPG.  Your support encourages me
> (hopefully, all of us) fixing bugs and adding feature(s).

I'm real happy to hear that! Thank you! I love the improvements GnuPG
2.1 brings!

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: Did I break my Ubuntu GPG installation?

2017-01-18 Thread Peter Lebbing
On 18/01/17 13:06, Stefan Boehringer wrote:
> The error is as follows:
> 
>>> gpg: Auf geht's - Botschaft eintippen ...
>>> test
>>> gpg: Keine gültigen OpenPGP-Daten gefunden.
>>> gpg: processing message failed: Unbekannter Systemfehler

What was the command line you used to invoke gpg? It looks like it is
expecting you to type in an OpenPGP message, i.e., one that begins with
"-----BEGIN PGP MESSAGE-----" for example. "test" is not valid OpenPGP
data. I think you made a mistake in the invocation.

A test for encrypting and decrypting stuff from the command line looks
something like this:

$ echo Hello >test.txt
$ gpg -r stefan.boehrin...@posteo.de -e test.txt
$ rm test.txt
$ gpg test.txt.gpg

And at the end, you'll have your test.txt back. If (like me) you think
pipes are cool, try this:

$ echo Hello | gpg -r stefan.boehrin...@posteo.de -e | gpg

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: Trust signature domain

2017-01-18 Thread John Lane
On 18/01/17 03:03, David Shaw wrote:

> 
> Can you post the actual user IDs of the keys you are testing with (or a 
> similar example.com set) so I can try them as well?

Hi David,

I have written a test shell script to experiment with trust signatures.
The script is at https://git.io/vMXMQ

There are six participants: 'myself', who knows 'introducer' who knows
'alice' and 'blake'. 'blake' knows 'chloe' and 'david'

'introducer' signs 'alice' and trust-signs 'blake', who signs 'chloe'
and 'david'

'myself' trust-signs 'introducer'

I'm working on the belief that:

(a) by trust-signing introducer at level 1, any keys certified by
introducer (i.e. alice and blake) become valid for me.
(b) by trust signing introducer at level 2 I extend (a) so that any keys
certified by a key trust-certified by introducer (blake) also become
valid for me (chloe and david).
(c) by trust signing with a domain restriction I limit the scope of (a)
and (b) but it is not clear to me how this applies.

I think things look ok up to step 9 and point (a) and (b) appear to work
as I expect but (c) doesn't. I'd really appreciate some feedback about
what is happening in:
step 10 (trust level 1 restricted to example.org)
step 14 (trust level 2 restricted to example.org)
step 16 (trust level 2 restricted to example.es)

It would appear that any domain restriction disables trust completely!

My test output is at https://git.io/vMXDa

Much appreciated.



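Added example (not part of John's post, his test script, or GnuPG's code): a simplified Python model of the trust-signature semantics in points (a) to (c) above, reproducing the outcomes Damien Goutte-Gattat reports for steps 10, 14 and 16 with his patch applied. Assumptions: every UID except Blake's example.org address, an unrestricted level 1 trust signature on blake, full trust on every trust signature, and the shape of the domain regex.

```python
import re

# Constructed key set following the thread. The UIDs are assumptions; the page
# only states that Blake has an example.org UID.
UIDS = {
    "alice": "Alice <alice@example.com>",
    "blake": "Blake <blake@example.org>",
    "chloe": "Chloe <chloe@example.org>",
    "david": "David <david@example.org>",
}
# signer -> {signee: trust depth of the certification, 0 = plain signature}
CERTS = {
    "introducer": {"alice": 0, "blake": 1},
    "blake": {"chloe": 0, "david": 0},
}


def domain_regex(domain):
    """Regex limiting a trust signature to UIDs in one domain (assumed shape)."""
    return r"<[^>]+[@.]" + re.escape(domain) + r">$"


def valid_keys(level, domain=None):
    """Keys that become valid for 'myself' beyond introducer itself."""
    valid = set()
    scope = domain_regex(domain) if domain else None
    # Each entry: (signer, depth granted to it, regex scoping its certifications)
    queue = [("introducer", level, scope)]
    while queue:
        signer, depth, scope = queue.pop(0)
        if depth < 1:
            continue  # a valid key, but not a trusted introducer
        for signee, sig_depth in CERTS.get(signer, {}).items():
            if scope and not re.search(scope, UIDS[signee]):
                continue  # UID outside the restriction: certification ignored
            valid.add(signee)
            # A trust signature delegates no further than the chain allows.
            queue.append((signee, min(sig_depth, depth - 1), None))
    return valid


if __name__ == "__main__":
    for step, args in [("10", (1, "example.org")), ("14", (2, "example.org")),
                       ("16", (2, "example.es"))]:
        print("step", step, sorted(valid_keys(*args)))
```

In this model the restriction on the trust signature for introducer filters only introducer's own certifications, which is why an example.es scope leaves Blake unknown and his signatures on Chloe and David unused.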

Re: Renewing expired keys

2017-01-18 Thread Miroslav Rovis
On 170118-22:59+1030, Lachlan Gunn wrote:
> On 2017-01-18 at 22:48, Miroslav Rovis wrote:
> > On 170115-22:17+0100, Juan Miguel Navarro Martínez wrote:
> > ...
> >> Lastly, revoke the old one if you aren't going to use it publicly anymore.
> > Isn't it wrong to revoke a key which you don't consider was compromised?
> > If you don't want to use it, it suffices that it is expired, or?
> 
> No, compromise is only one reason---there are lots of reason-codes that
> can go into the revocation packet, and compromise is only one.
> Specifically, "superseded" is such a reason.
> 
> Otherwise, if you switch to a new key, people won't know that your old
> one is no longer in use.
> 
> Thanks,
> Lachlan

Thank *you*!
-- 
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr




Re: Did I break my Ubuntu GPG installation?

2017-01-18 Thread Stefan Boehringer
Damien Goutte-Gattat  writes:

>> I don't know why so much is stated as "unbekannt = unknown"...
>
> It looks like you didn't save and restore your trust database when you
> deleted your .gnupg folder (it's a file called trustdb.gpg). As a
> result, GnuPG does not know what level of ownertrust should be
> assigned to your key.
>
> Your own key should normally be "ultimately trusted", and is the root
> from which all key validity computations are done. Without an
> ultimately trusted key, no key can be valid.
>
>> What could I do?
>
> Editing your key and manually setting its ownertrust to "ultimate"
> (using the "trust" command in the key editor) should be enough.
>
> Hope that helps,

Thank you Damien for your suggestion. I set trust to ultimate, but still
the "no valid OpenPGP-Data" error occurs.

>
> Damien



Re: Did I break my Ubuntu GPG installation?

2017-01-18 Thread Damien Goutte-Gattat

On 01/18/2017 01:06 PM, Stefan Boehringer wrote:

> I don't know why so much is stated as "unbekannt = unknown"...


It looks like you didn't save and restore your trust database when you 
deleted your .gnupg folder (it's a file called trustdb.gpg). As a 
result, GnuPG does not know what level of ownertrust should be assigned 
to your key.


Your own key should normally be "ultimately trusted", and is the root 
from which all key validity computations are done. Without an ultimately
trusted key, no key can be valid.



> What could I do?


Editing your key and manually setting its ownertrust to "ultimate" 
(using the "trust" command in the key editor) should be enough.


Hope that helps,

Damien





Did I break my Ubuntu GPG installation?

2017-01-18 Thread Stefan Boehringer
Hello there.

I'm quite new to GnuPG. In November I played around with it and
generated my first key.

In the meantime I started to read more about it and decided to start
anew, generating a masterkey under more secure conditions (I used
Tails), keeping it offline afterwards and generating signing and
encryption subkeys for daily use.

The problem now is as follows: on my Ubuntu machine I deleted my old key
and imported the new subkeys. But GPG wouldn't let me en- or decrypt
anything. So I thought, maybe it would be a good idea to uninstall GPG,
delete the .gnupg-folder and install it again. I did that and imported
the subkeys, but it still doesn't work. The error is as follows:

>> gpg: Auf geht's - Botschaft eintippen ...
>> test
>> gpg: Keine gültigen OpenPGP-Daten gefunden.
>> gpg: processing message failed: Unbekannter Systemfehler

Could translate to: "no valid OpenPGP-Data" and "unknown system error"?

But gpg --edit-key stefan.boehrin...@posteo.de shows me:

>> gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc.
>> This is free software: you are free to change and redistribute it.
>> There is NO WARRANTY, to the extent permitted by law.
>> 
>> Geheimer Schlüssel ist vorhanden.
>> 
>> pub  rsa4096/98723X
>>  erzeugt: 2017-01-11  verfällt: niemals   Aufruf: SC  
>>  Vertrauen: unbekannt Gültigkeit: unbekannt
>> ssb  rsa4096/42B4XXX
>>  erzeugt: 2017-01-11  verfällt: niemals   Aufruf: E   
>> ssb  rsa2048/6E101XX
>>  erzeugt: 2017-01-11  verfällt: 2019-01-11  Aufruf: S   
>> ssb  rsa2048/209F5X
>>  erzeugt: 2017-01-11  verfällt: 2019-01-11  Aufruf: E   
>> [ unbekannt ] (1). Stefan Böhringer (born Oct. 29. 1980, Regensburg, 
>> Germany) 

I don't know why so much is stated as "unbekannt = unknown"...

On another Arch-Installation and on my Android-Phone using OpenKeyChain
it works just fine. What could I do?

Best regards
Stefan



Re: Renewing expired keys

2017-01-18 Thread Lachlan Gunn
On 2017-01-18 at 22:48, Miroslav Rovis wrote:
> On 170115-22:17+0100, Juan Miguel Navarro Martínez wrote:
> ...
>> Lastly, revoke the old one if you aren't going to use it publicly anymore.
> Isn't it wrong to revoke a key which you don't consider was compromised?
> If you don't want to use it, it suffices that it is expired, or?

No, compromise is only one reason---there are lots of reason-codes that
can go into the revocation packet, and compromise is only one.
Specifically, "superseded" is such a reason.

Otherwise, if you switch to a new key, people won't know that your old
one is no longer in use.

Thanks,
Lachlan




Re: Renewing expired keys

2017-01-18 Thread Miroslav Rovis
On 170115-22:17+0100, Juan Miguel Navarro Martínez wrote:
...
> Lastly, revoke the old one if you aren't going to use it publicly anymore.
Isn't it wrong to revoke a key which you don't consider was compromised?
If you don't want to use it, it suffices that it is expired, or?

-- 
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr




Re: Renewing expired keys

2017-01-18 Thread Werner Koch
On Sun, 15 Jan 2017 22:09, fa...@ariis.it said:

> gpg --edit-key 

Since 2.1.17 you can also do this without using the menu: 

  gpg --quick-set-expire YOUR_FINGERPRINT EXPIRE_DATE

EXPIRE_DATE can have the usual formats, for example "2018-11-30".


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.

