gnupg website

2017-01-24 Thread sivmu 
Hi,

not sure this is the perfect place, but I wanted to point out that the
gnupg.org website still uses sha1 as a mac.
If I am not mistaken, several common browsers have announced to display
warnings fur this kind of tls connection, so it might be a good idea to
update the server at the next opportunity.

Also, activating OCSP to increase privacy might be a good idea too.

Thanks for your work on open source encryption.

- Regards

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Counterarguments Supporting GnuPG over Off The Record (OTR)

2017-01-24 Thread Stephan Beck 


MFPA:
> 
> 
> On Friday 20 January 2017 at 6:10:37 AM, in
> , Miroslav Rovis wrote:-
> 
> 
> 
>> And we all are controled, exception, to varying
>> extent,
> 
> We are all completely controlled in modern society: we are enslaved to
> money and those who control it.

And sometimes even organizations that in theory should help you against
surveillance don't do it. When I discovered that my phone has been
wiretapped by measuring with a dedicated bug detector (German make and
model, and recording that measurement on video) I officially informed
the police who didn't do anything except telling me I should hand in a
proof/evidence. I did - the video of the measurement where you can
clearly see and hear the sharp reaction of the bug detector. They didn't
want to anything, not an on-site control measurement either, as another
lawyer had told me they are obliged to.

When, shortly after that,  I told a lawyer to have insight into the
records of the investigations, he did that, showed me the records, and
didn't do anything, he told me for instance, that the police would only
perform a control measurement if their own undercover agents are in
danger! And that I'd need the expertise of a dedicated engineer doing an
analysis for I don't know how many bucks! No, the bug detector doesn't
lie and he does not measure cheese or ham but the signals of , for
instance, radio emitting devices. He even silenced the fact (as I now
was informed by the State Prosecutor, if I believe this information)
that by the time I had the meeting with him for the insight into the
records, the case had already been rejected for further investigation
and dropped. Or that information is not true, because this lawyer
actually told me in person he would inform me when he received any
information. Strange.
When I sent an encrypted email to Digitalcourage.de about nine months
ago, telling them that I had evidence and asking for help in finding a
good lawyer who would act (I have a specialized legal insurance), I got
a "sorry, we can't help you but we wish you success". Thanks a lot.

From that time on, I know that organizations like Digitalcourage are
just interested in THEIR protagonism for THEIR topics like the mass
storage of data. They couldn't or didn't want to help me as an
individual who had found out (by measurement) that someone was/is
wiretapping me, but they positively could have given me the contact data
of a specialized lawyer they knew (with more than 30 years of
existence). I also signed their petition against mass storage of
communications data in Germany and saw that they must have contacts to
lawyers, as I already had thought. I have held my deception about them
deep in my heart, but now could not withstand to stand up and speak out.

It was not my imagination, it was a MEASURING DEVICE that states that
there has been wiretapping of my phone line. And there is this video
file that leaves you with no doubt...

Whenever I feel like repeating it, I'll do that and I'll inform once
again the police (or the media) and so on... THAT is fighting against
surveillance, not (only) signing petitions.

Cheers

Stephan

Feel free to contact me if you'd like to have that video file ...



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: tofu: Missing entry in the bindings table for new key

2017-01-24 Thread Justus Winter 
Hi!

Luis Ressel  writes:

> [ Unknown signature status ]
> On Tue, 24 Jan 2017 11:53:55 +0100
> Justus Winter  wrote:
>
>> Can you please describe in detail what you were doing so that we can
>> recreate the problem?  You can create a throwaway environment for
>> experimentation by setting the environment variable GNUPGHOME to a
>> temporary directory, like so (assuming a Bourne-like shell):
>
> This was easier to reproduce than I expected. I've attached the
> transcript of a shell session demonstrating the problem. Manually
> calling "gpg --tofu-policy good $KEYID" fixes the issue.

Thanks for the nice report.  I have been able to reproduce it and have
created https://bugs.gnupg.org/gnupg/issue2929 for it.

> I'm using gpg 2.1.17; I haven't checked yesterday's release yet.

It is affecting master as well.


(: Justus


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: pyme3 for Windows

2017-01-24 Thread Justus Winter 
ankostis  writes:
> On 24 January 2017 at 11:46, Justus Winter  wrote:
>> We cross-compile all our software for Windows using MinGW.  We don't
>> build the Python bindings though.  If anyone manages to do that, please
>> share your findings.
>>
>>
> Ideally python bindings should be compiled and packaged as wheels
> for  3 different "platforms":
> - MinGW
> - Cygwin (when GnuPG there upgrades from the old 1.x)
> - Gpg4Win (32bit & 64bit, don't know what are they using.

Gpg4Win uses MinGW, Cygwin is out of scope for us imho.

However, I believe the question is whether or not we can load a shared
library compiled with MinGW into the Python process (however that is
built, I don't know).

Justus


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: tofu: Missing entry in the bindings table for new key

2017-01-24 Thread Justus Winter 
Hi,

Luis Ressel  writes:

> Hello,
>
> I created a new key today. When I tried to verify a signature made by
> this key, I got the error message
>
> gpg: Signature made Sat Jan 21 01:07:59 2017 CET
> gpg:using RSA key DEADBEEF
> gpg: Good signature from "foo " [ultimate]
> gpg: aka "foo " [ultimate]
> gpg: error updating TOFU database: NOT NULL constraint failed: 
> signatures.binding
> gpg: TOFU: error registering signature: General error
>
> Apparently no entry for my key/userid had been recorded in the bindings
> table. I was of course able to fix this by calling
> "gpg --tofu-policy good DEADBEEF", but it still looks like a bug to me.
> Any ideas how this could happen?
>
> Potentially relevant facts:
> * The new key's userid collides with that of my old key.
> * I'm using the setting "tofu-default-policy unknown".

Can you please describe in detail what you were doing so that we can
recreate the problem?  You can create a throwaway environment for
experimentation by setting the environment variable GNUPGHOME to a
temporary directory, like so (assuming a Bourne-like shell):

  $ export GNUPGHOME=$(mktemp -d)
  $ gpg -k
  [nothing]

Note that you need to copy your gnupg configuration over, or at least
configure the trust model.

Thanks,
Justus


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: pyme3 for Windows

2017-01-24 Thread Justus Winter 
ankostis  writes:

> On 23 January 2017 at 16:28, Jerry  wrote:
>
>> On Mon, 23 Jan 2017 01:06:38 +0100, ankostis stated:
>>
>> >Has anybody managed to compile pyme3 on Windows?
>> >
>> >Thanks for all the Hard Work,
>> >  Kostis
>> >
>>
>> I don't know if this is what yo are looking for.
>>
>> https://sourceforge.net/projects/pyme/files/latest/download?source=files
>>
>>
> Almost!
> These are `pyme-0.8.1` win32-bindings for python-2.
>
> The latest bindings have been ported to python-3 and renamed to `pyme3`,
> currently in version `1.7.1`,[1]  and are now part of `libgpgme`
> project.[2]

Actually, we renamed them to 'gpg', and the current version is 1.8.0.

We cross-compile all our software for Windows using MinGW.  We don't
build the Python bindings though.  If anyone manages to do that, please
share your findings.

Justus


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: tofu: Missing entry in the bindings table for new key

2017-01-24 Thread Luis Ressel 
On Tue, 24 Jan 2017 11:53:55 +0100
Justus Winter  wrote:

> Can you please describe in detail what you were doing so that we can
> recreate the problem?  You can create a throwaway environment for
> experimentation by setting the environment variable GNUPGHOME to a
> temporary directory, like so (assuming a Bourne-like shell):

This was easier to reproduce than I expected. I've attached the
transcript of a shell session demonstrating the problem. Manually
calling "gpg --tofu-policy good $KEYID" fixes the issue.

I'm using gpg 2.1.17; I haven't checked yesterday's release yet.

HTH,
Luis
$ ls $GNUPGHOME
gpg.conf

$ cat $GNUPGHOME/gpg.conf
trust-model tofu+pgp

$ cat key
%no-protection
%transient-key
Key-Type: RSA
Key-Length: 1024
Name-Real: foo bar
Name-Email: foo...@example.org

$ gpg --batch --gen-key < key
gpg: key 6FA38940B689B96C marked as ultimately trusted
gpg: directory '/home/aranea/.tmp-gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as 
'/home/aranea/.tmp-gnupg/openpgp-revocs.d/CFAE0B4B50808667BABDBF966FA38940B689B96C.rev'

$ touch foo

$ gpg --sign foo

$ gpg --verify foo.gpg
gpg: Signature made Tue Jan 24 12:22:04 2017 CET
gpg:using RSA key CFAE0B4B50808667BABDBF966FA38940B689B96C
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: tofu+pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Good signature from "foo bar " [ultimate]
gpg: error updating TOFU database: NOT NULL constraint failed: 
signatures.binding
gpg: TOFU: error registering signature: General error


pgpnJanCqEW_z.pgp
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: pyme3 for Windows

2017-01-24 Thread ankostis 
On 24 January 2017 at 11:46, Justus Winter  wrote:

> ankostis  writes:
>
> > On 23 January 2017 at 16:28, Jerry  wrote:
> >
> >> On Mon, 23 Jan 2017 01:06:38 +0100, ankostis stated:
> >>
> >> >Has anybody managed to compile pyme3 on Windows?
> >> >
> >> >Thanks for all the Hard Work,
> >> >  Kostis
> >> >
> >>
> >> I don't know if this is what yo are looking for.
> >>
> >> https://sourceforge.net/projects/pyme/files/latest/
> download?source=files
> >>
> >>
> > Almost!
> > These are `pyme-0.8.1` win32-bindings for python-2.
> >
> > The latest bindings have been ported to python-3 and renamed to `pyme3`,
> > currently in version `1.7.1`,[1]  and are now part of `libgpgme`
> > project.[2]
>
> Actually, we renamed them to 'gpg', and the current version is 1.8.0.
>
> We cross-compile all our software for Windows using MinGW.  We don't
> build the Python bindings though.  If anyone manages to do that, please
> share your findings.
>
>
Ideally python bindings should be compiled and packaged as wheels
for  3 different "platforms":
- MinGW
- Cygwin (when GnuPG there upgrades from the old 1.x)
- Gpg4Win (32bit & 64bit, don't know what are they using.

Do these 3 make sense?
Are there more combinations?

Kostis

Justus
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users