Re: debugging systemd user services for gpg-agent and dirmngr [was: Re: gpg hangs when asking for passphrase]

2017-05-16 Thread Daniel Kahn Gillmor
On Mon 2017-05-15 19:10:35 -0400, Joey Morris wrote:
> Daniel Kahn Gillmor  wrote on Wed, May 10, 2017 at 
> 10:58:21PM -0400:
>> On Wed 2017-05-10 22:17:28 -0400, Joey Morris wrote:
>> > I have systemd version 222-1 installed, which appears to be wildly out of 
>> > date.
>> > The first thing I'll try when I get back to this is to upgrade systemd.
>> 
>> yes, please!
>
> After upgrading systemd, I'm happy to report that my agent connections no 
> longer
> hang and everything seems to be working well. (Because the upgrade fixed my
> problem, I didn't attempt your other suggestion of moving my .xsession startup
> tasks to .config/openbox/autostart.) Thank you for the assistance!

yay, glad to hear it!  I'm still a bit perplexed by what happened there,
but hopefully having this note in the archives will help folks find it
if they have a similar problem with an older version of systemd.

 --dkg


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


SSH RSA comment lost when imported to gpg-agent

2017-05-16 Thread Konstantin Gribov
Hi, folks.

I've found strange `gpg-agent` behavior. When I import `~/.ssh/id_ed25519`
with `ssh-add` it takes the comment from its public counterpart. But when I do
the same with `id_rsa` it just uses `.ssh/id_rsa` instead of the actual comment.

Is there any way to change that comment via `gpg-connect-agent`?

Env: Arch Linux, GnuPG 2.1.20.

-- 

Best regards,
Konstantin Gribov


Re: suspicious key found

2017-05-16 Thread David Shaw
On May 16, 2017, at 9:47 AM, Janne Inkilä  wrote:
> 
> I made a key search with my name and found something suspicious.
> 
> The search:
> 
> https://pgp.mit.edu/pks/lookup?search=janne+inkila=index=on
> 
> I have used my old key since 2007. Fingerprint F4DB 40F8 BF22 8B9D 9B8F  F679 
> A482 4C9A 033E 22A2. I know this is quite an old key and maybe I should revoke 
> it.
> 
> BUT
> 
> I also found another key with fingerprint 87C4 F4C8 16D1 3CC3 03E0 7977 1A9C 
> 6259 033E 22A2. The key ID is the same 033E 22A2 on both keys. There are also 
> signatures on this key. Looks like the same person and the same key IDs, but 
> the fingerprints don't match. For some reason this key has been revoked.
> 
> Did someone really generate a same-looking key? And why? Any ideas? Is someone 
> trying to capture my emails? I would like to see some sort of theory of what is 
> going on, thanks :)

There are many such fake keys on the keyservers.  I have one as well.  It's 
trivial to forge the short (8 hex digit) key ID - just keep generating keys 
over and over until you match the lower 32 bits.  Note that the fingerprints do 
not match, as there is no (current) way to forge an entire fingerprint.

See https://evil32.com - they made the keys as a demonstration, but didn't 
upload them.  It's an excellent demonstration of why people should never trust 
the short key ID for anything.

David




Re: suspicious key found

2017-05-16 Thread Felix Winterhalter
There was a proof of concept attack on the fingerprints a couple of 
years ago. The keys were revoked afterwards.


TL;DR short key fingerprints are not secure at all. Also the web of 
trust is your friend here.


Cheers,

Felix


On 16/05/17 15:47, Janne Inkilä wrote:
> I made a key search with my name and found something suspicious.
> 
> The search:
> 
> https://pgp.mit.edu/pks/lookup?search=janne+inkila=index=on 
> 
> I have used my old key since 2007. Fingerprint F4DB 40F8 BF22 8B9D 
> 9B8F  F679 A482 4C9A 033E 22A2. I know this is quite an old key and maybe 
> I should revoke it.
> 
> BUT
> 
> I also found another key with fingerprint 87C4 F4C8 16D1 3CC3 03E0 
> 7977 1A9C 6259 033E 22A2. The key ID is the same 033E 22A2 on both 
> keys. There are also signatures on this key. Looks like the same person and 
> the same key IDs, but the fingerprints don't match. For some reason this key 
> has been revoked.
> 
> Did someone really generate a same-looking key? And why? Any ideas? 
> Is someone trying to capture my emails? I would like to see some sort of 
> theory of what is going on, thanks :)
> 
> Janne Inkilä



Re: command 'LEARN' failed: No inquire callback in IPC

2017-05-16 Thread Dustin Rogers

Hi Mr. Yutaka:


Thank you for your input and all the dev work you have done.


This is a cloud environment so I don't have the luxury of physical access to a 
USB port. I do not leverage libusb because this is using a network attached 
Safenet Luna SA HSM (gemalto brand) PKCS11 smart card provider.


I just gave the native scdaemon a try. It doesn't seem to recognize this card 
provider at all.

LEARN
ERR 100663404 Card error 

In fact the native support for smart cards does not seem to support network 
attached HSM "virtual token" devices at all. It could be possible that I need 
to specify the local port the installed HSM agent is running on, but I don't 
think I will be that lucky.

Perhaps I could help build the support into the native scdaemon, but you are an 
expert at this, so I don't want to come off rude.  I know the work isn't simple.

I have this other scdaemon (gnupg-pkcs11-scd) working fine with gnupg 2.0, but 
with manual pinentry for each operation. I can't get it working with gnupg 2.1 
(again, I am looking for the unattended pinentry support the later version 
seems to have). Thus, I really don't think this is an issue with the scdaemon I 
am using. Moreover, I can see the INQUIRE PIN callback is there; the pinentry 
is just not appearing. Really, I would like to understand why 
gpg-connect-agent is allowing the PIN callback through, and gpg-agent 
itself is not.

Thank you,
-Dustin Rogers

Here is my config file thus far for native scdaemon:

#Debug Level
debug-level guru
#Smartcard Provider SO object
pcsc-driver /usr/lib/libCryptoki2_64.so
#pcsc-driver /usr/lib/libCryptoki2.so
log-file scdaemon.log
#card-timeout 1




From: Gnupg-users  on behalf of NIIBE Yutaka 

Sent: Tuesday, May 16, 2017 2:24 AM
To: Rogers, Dustin; gnupg-users@gnupg.org
Subject: Re: command 'LEARN' failed: No inquire callback in IPC

"Rogers, Dustin"  wrote:
> I have recently installed gnupg 2.1.20 from source on a centos6.8 box.

What's the configure option?  Did you enable smart card support with
libusb?

> [root@system1 ~]# gpg --card-edit
>
> gpg-agent[5158]: DBG: chan_8 -> OK Pleased to meet you, process 5159
[...]
> gpg-agent[5158]: DBG: chan_9 <- OK PKCS#11 smart-card server for GnuPG ready

This is not the scdaemon from GnuPG.

Please install scdaemon of GnuPG and try again with that.
--






Re: suspicious key found

2017-05-16 Thread Andrew Gallagher
On 2017/05/16 14:47, Janne Inkilä wrote:
> Did someone really generated same looking key? And why? Any ideas?

Yes, they did. Most of the strong set was duplicated by the Evil32
project in order to demonstrate the danger of relying on short key IDs
(because on modern hardware it takes mere seconds to generate a fake key
with the same short ID). Unfortunately the fake keys got uploaded to an
SKS server and polluted the database. The authors then mass-revoked all
the offending keys, but since SKS is append-only they still appear in
search results.

https://evil32.com/

The fact that invalid (even suspicious) keys exist on the SKS servers
(or anywhere on the internet for that matter) is in itself not a problem
- any decent public-key infrastructure must be designed under the
assumption that forgeries are inevitable and use some other method
(signatures, out of band verification) to determine the validity of keys.

The moral of the story is: don't believe everything you see on the
internet. ;-)

Andrew.
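David's and Andrew's replies come down to the same check: compare the full fingerprint, never the short key ID. The following is an added example (not code from the thread or from GnuPG) that parses a keyring listing in `gpg --with-colons --fingerprint` style, groups keys by short ID and flags groups whose fingerprints differ; the two colliding fingerprints are the ones from Janne's post, while the user IDs, dates and the third key are constructed.

```python
"""Flag keys that share a short (32-bit) key ID but have different
fingerprints, the Evil32 situation in this thread.  Added example, not
code from the posts or from GnuPG.  The two colliding fingerprints are
the ones Janne posted; user IDs, dates and the third key are constructed."""
from collections import defaultdict

# Constructed sample in `gpg --with-colons --fingerprint` style.
# pub field 2 is validity ('r' = revoked), field 5 the 64-bit key ID.
SAMPLE_LISTING = """\
pub:-:4096:1:A4824C9A033E22A2:2007-03-01::-:::scESC::::::23::0:
fpr:::::::::F4DB40F8BF228B9D9B8FF679A4824C9A033E22A2:
uid:-::::2007-03-01::0000000000000000000000000000000000000000::Janne Inkila <janne@example.invalid>::::::::::0:
pub:r:2048:1:1A9C6259033E22A2:2014-06-01::-:::scESC::::::23::0:
fpr:::::::::87C4F4C816D13CC303E079771A9C6259033E22A2:
uid:r::::2014-06-01::0000000000000000000000000000000000000000::Janne Inkila <janne@example.invalid>::::::::::0:
pub:-:2048:1:0123456789ABCDEF:2016-02-02::-:::scESC::::::23::0:
fpr:::::::::0000111122223333444455550123456789ABCDEF:
uid:-::::2016-02-02::0000000000000000000000000000000000000000::Unrelated Key <other@example.invalid>::::::::::0:
"""


def normalize_fingerprint(text):
    """Drop the spaces gpg prints inside fingerprints; upper-case the hex."""
    return "".join(text.split()).upper()


def key_ids(fingerprint):
    """For v4 keys the key ID is the low 64 bits of the fingerprint; the
    short ID shown by keyserver searches is the low 32 bits (8 hex digits)."""
    fpr = normalize_fingerprint(fingerprint)
    return fpr[-16:], fpr[-8:]


def parse_colons_listing(text):
    """Collect primary keys: key ID, revocation flag, fingerprint, user IDs.
    Fingerprints belonging to subkeys (sub/ssb records) are skipped."""
    keys, current, in_primary = [], None, False
    for line in text.splitlines():
        fields = line.split(":")
        kind = fields[0]
        if kind == "pub":
            current = {"keyid": fields[4], "revoked": fields[1] == "r",
                       "fpr": None, "uids": []}
            keys.append(current)
            in_primary = True
        elif kind in ("sub", "ssb"):
            in_primary = False
        elif kind == "fpr" and current and in_primary and current["fpr"] is None:
            current["fpr"] = fields[9]
        elif kind == "uid" and current:
            current["uids"].append(fields[9])
    return keys


def find_short_id_collisions(keys):
    """Group by short key ID; keep only groups holding more than one
    distinct fingerprint, i.e. keys that a short ID cannot tell apart."""
    by_short = defaultdict(list)
    for key in keys:
        by_short[key_ids(key["fpr"])[1]].append(key)
    return {sid: group for sid, group in by_short.items()
            if len({k["fpr"] for k in group}) > 1}


def fingerprint_matches(expected, candidate):
    """The check to rely on: compare all 160 bits, not the trailing digits."""
    return normalize_fingerprint(expected) == normalize_fingerprint(candidate)


def collision_report(keys):
    """Human-readable lines, one header per colliding short ID."""
    lines = []
    for sid, group in sorted(find_short_id_collisions(keys).items()):
        lines.append(f"short ID {sid} is shared by {len(group)} keys:")
        for key in group:
            status = "revoked" if key["revoked"] else "not revoked"
            lines.append(f"  {key['fpr']} ({status}) {key['uids'][0]}")
    return lines
```

Run `collision_report(parse_colons_listing(SAMPLE_LISTING))` to see the two Janne keys reported under short ID 033E22A2 while the unrelated key is left alone.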





suspicious key found

2017-05-16 Thread Janne Inkilä

I made a key search with my name and found something suspicious.

The search:

https://pgp.mit.edu/pks/lookup?search=janne+inkila=index=on

I have used my old key since 2007. Fingerprint F4DB 40F8 BF22 8B9D 9B8F  
F679 A482 4C9A 033E 22A2. I know this is quite an old key and maybe I 
should revoke it.


BUT

I also found another key with fingerprint 87C4 F4C8 16D1 3CC3 03E0 7977 
1A9C 6259 033E 22A2. The key ID is the same 033E 22A2 on both keys. 
There are also signatures on this key. Looks like the same person and the same 
key IDs, but the fingerprints don't match. For some reason this key has 
been revoked.


Did someone really generate a same-looking key? And why? Any ideas? 
Is someone trying to capture my emails? I would like to see some sort of 
theory of what is going on, thanks :)


Janne Inkilä



Re: Newbie can't get --passphrase option to work

2017-05-16 Thread Peter Lebbing
On 16/05/17 13:31, Dan Kegel wrote:
> That wasn't my experience.  I used keys with no passphrase,
> and *still* had to use loopback (and jump through other hoops) to get
> gpg to work unattended.

I was talking about the things one usually does on a headless server,
which is decryption and data signatures. I'm unaware of this having any
issues, and I don't see you mention them in your referenced posts either.

I haven't ever heard unattended certifications being discussed, I don't
know if it is straightforward.

With regards to key management, this is often something a logged in
human user does and can hence do without having to wrestle unattended
stuff. I understand this doesn't always apply, but the OP here was
talking about decryption, not key management. That should be
straightforward.

When I say, by the way, that having no passphrase is better than using a
passphrase which is literally contained in a script, I'm saying that it
is usually better, not that it is always appropriate. It might be
appropriate to solve it in a different way, but a passphrase literally
in a script is probably not it.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: Newbie can't get --passphrase option to work

2017-05-16 Thread Dan Kegel
On Tue, May 16, 2017 at 12:31 AM, Peter Lebbing  wrote:
> You should also ask yourself what the purpose of the passphrase is other
> than to make your life difficult
> You should probably just remove the passphrase from the key. That way
> any decryption or signature will just succeed without jumping through
> hoops to pass the passphrase to GnuPG.

That wasn't my experience.  I used keys with no passphrase,
and *still* had to use loopback (and jump through other hoops) to get
gpg to work unattended.
https://lists.gnupg.org/pipermail/gnupg-users/2017-April/058158.html
https://lists.gnupg.org/pipermail/gnupg-users/2017-April/058162.html
describe my travails.  It was several days of learning curve.  In fairness,
I needed a solution that worked with all versions of gpg that shipped
with any LTS version of ubuntu, not just the current release, which
made things a bit harder.
- Dan



Re: Using a GnuPG CCID card in another computer (follow-up)

2017-05-16 Thread Damien Goutte-Gattat

On 05/16/2017 07:55 AM, Matthias Apitz wrote:

> The question remains: Why do I have to move the files below .gnupg/ to
> the other workstation?


The card only contains the private keys. GnuPG also needs some 
information that is only contained in the public parts, such as the 
User IDs associated with the key and the bindings between a primary key 
and its subkeys.


So while you do not have to move *all* the files below .gnupg, you at 
least need to import your *public* key onto your other workstation.


(That's why the card editor of GnuPG has a "fetch" command. The idea is 
that you put your public key in a publicly-accessible location, and make 
the "URL" field of your card point to that location. With that, upon 
arriving at a new computer--with an empty or nonexistent .gnupg--you 
can get a working setup just by inserting your card, firing up the card 
editor, and using the "fetch" command.)




> And, what are the files below .gnupg/private-keys-v1.d exactly?


They normally contain the private keys themselves. When the private keys 
are stored on a smartcard, they are "stubs", whose purpose is to inform 
GnuPG that the keys are on a smartcard (notably, they contain the serial 
number of said smartcard).


GnuPG should normally re-create those stubs automatically if they do not 
exist when you run the --card-status command, so you should not have to 
copy them over manually.


What is troubling in your experience is that you said there was "no key 
in the card" when you first ran "gpg2 --card-status" on the new 
workstation. I have no explanation for that.


Damien





Re: Using a GnuPG CCID card in another computer (follow-up)

2017-05-16 Thread Matthias Apitz
On Tuesday, May 16, 2017 at 11:12:18 AM +0200, Peter Lebbing wrote:

> On 16/05/17 07:55, Matthias Apitz wrote:
> > The question remains: Why do I have to move the files below .gnupg/ to
> > the other workstation?
> 
> The card only holds the basic cryptographic material. But a certificate
> ("public key") holds much more information: your name, the relations
> between the cryptographic keys and how they are used, your preferences
> with regard to algorithms, how long the key is valid, and certifications
> by other users who have signed your key, to name some important ones.
> 
> So before you can use the smartcard, you need to import your
> certificate/public key. You could publish this to the keyserver network,
> or put it on the web. If the latter, you /can/ enter the URL in a data
> field on the smartcard, enabling you to use the "fetch" command of
> --card-edit.

Thanks for the two tips re/ the pub key; I did so and now it works:

I exported the pub key with:

$ gpg2 --export --armor > ccid--export-key-guru.pub

placed it on my webserver and configured its URL with the card's url-command
as

URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub

On the 2nd workstation I moved away the GNUPGHOME:
$ env | grep GNU
GNUPGHOME=/home/guru/.gnupg-ccid
$ mv .gnupg-ccid .gnupg-ccid-saved

gpg2 is unwilling to start due to the missing dir and I had
to create it with mkdir:

$ gpg2 --card-status
gpg: keyblock resource '/home/guru/.gnupg-ccid/pubring.kbx': No such file or 
directory
gpg: failed to create temporary file 
'/home/guru/.gnupg-ccid/.#lk0x000802616210.r314251-amd64.65213': No such 
file or directory
gpg: can't connect to the agent: No such file or directory
gpg: OpenPGP card not available: No agent running

$ mkdir /home/guru/.gnupg-ccid
$ chmod 0700 /home/guru/.gnupg-ccid

As you can see the keys are completely missing in the card's status:

$ gpg2 --card-status
gpg: keybox '/home/guru/.gnupg-ccid/pubring.kbx' created
Reader ...: HID Global OMNIKEY 6121 Smart Card Reader 00 00
Application ID ...: D2760001240102010005532B
Version ..: 2.1
Manufacturer .: ZeitControl
Serial number : 532B
Name of cardholder: Matthias Apitz
Language prefs ...: en
Sex ..: unspecified
URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
Login data ...: [not set]
Signature PIN : forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 4
Signature key : 5E69 FBAC 1618 562C B3CB  FBC1 47CC F7E4 76FE 9D11
  created : 2017-05-14 18:20:07
Encryption key: EB62 00DA 13A1 9E80 679B  1A13 61F1 ECB6 25C9 A6C3
  created : 2017-05-14 18:20:07
Authentication key: E51D D2D6 C727 35D6 651D  EA4B 6AA5 C5C4 51A1 CD1C
  created : 2017-05-14 18:20:07
General key info..: [none]

but after fetching the pub key, all is fine:

[guru@r314251-amd64 ~]$ gpg2 --card-edit  

Reader ...: HID Global OMNIKEY 6121 Smart Card Reader 00 00
Application ID ...: D2760001240102010005532B
Version ..: 2.1
Manufacturer .: ZeitControl
Serial number : 532B
Name of cardholder: Matthias Apitz
Language prefs ...: en
Sex ..: unspecified
URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
Login data ...: [not set]
Signature PIN : forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 4
Signature key : 5E69 FBAC 1618 562C B3CB  FBC1 47CC F7E4 76FE 9D11
  created : 2017-05-14 18:20:07
Encryption key: EB62 00DA 13A1 9E80 679B  1A13 61F1 ECB6 25C9 A6C3
  created : 2017-05-14 18:20:07
Authentication key: E51D D2D6 C727 35D6 651D  EA4B 6AA5 C5C4 51A1 CD1C
  created : 2017-05-14 18:20:07
General key info..: [none]

gpg/card> fetch
gpg: requesting key from 'http://www.unixarea.de/ccid--export-key-guru.pub'
gpg: /home/guru/.gnupg-ccid/trustdb.gpg: trustdb created
gpg: key 47CCF7E476FE9D11: public key "Matthias Apitz (GnuPG CCID) 
" imported
gpg: Total number processed: 1
gpg:   imported: 1


gpg/card> list

Reader ...: HID Global OMNIKEY 6121 Smart Card Reader 00 00
Application ID ...: D2760001240102010005532B
Version ..: 2.1
Manufacturer .: ZeitControl
Serial number : 532B
Name of cardholder: Matthias Apitz
Language prefs ...: en
Sex ..: unspecified
URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
Login data ...: [not set]
Signature PIN : forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 4
Signature key : 5E69 FBAC 1618 562C B3CB  FBC1 47CC F7E4 76FE 9D11
  created : 2017-05-14 18:20:07
Encryption key: EB62 00DA 13A1 9E80 679B  1A13 61F1 ECB6 25C9 A6C3
  created : 2017-05-14 18:20:07
Authentication key: 

Some questions regarding generating RSA keys

2017-05-16 Thread Albin Otterhäll
Hi!

I'm currently doing a high school project studying RSA keys to better
understand them theoretically and practically. A part of the project
consists of an experiment, and I chose to test and see how big the
workload will be for the CPU when generating RSA keys of different
lengths. I would also like to save the time as a data point, if I need it
to come to a conclusion.

The plan is to use GnuPG to generate RSA keys of different lengths (1024,
2048, and 4096) and GNU Time to get the CPU's workload and the time to
execute the process. The process will be automated with a Python script.
The process will be something like this:

1. For length in [1024, 2048, 4096]:
   1.1. For X times:
     1.1.1. Execute GnuPG command and monitor system resources
     1.1.2. Write use of system resources to file

I will thereafter plot some graphs to see if my hypothesis is correct.

But I have some questions regarding the implementation of my GnuPG test.
An explanation of my implementation will come after the questions.
My questions are:

* Do these settings do what I want them to do?
* Can I somehow disable the automatic creation of revocation certificates?
* Why does it take much longer to generate some keys?
* Why does GnuPG give the answer that it took 0 CPU-seconds in
userspace for the creation of the keys? Is it done in another process?
* Why does the CPU workload parameter only show a value (0 < CPU) when
it took less than a second (wall clock > 1) to create the keys?

Reading the manual it seems that the simplest way to generate the keys
is with the `--batch` option turned on. I've set the options in a file
with the following instructions:

== Begin GnuPG Instruction File ==
# Text syntax in this file
#%dry-run

%echo Generating RSA key...

# Don't ask after passphrase
%no-protection

Key-type: RSA
Key-Length: 1024
Name-Real: Real Name
Name-Email: u...@localhost.se
Expire-Date: 0

# Generate RSA key
%commit

%echo Done!
== End GnuPG Instruction File ==

The command that executes this file has two parts, the GNU Time part and
the GnuPG part. The GNU Time command looks as follows:

$ time --format="Wall clock: %e[s], CPU (userspace): %U[s], CPU
(workload): %P%"

And the GnuPG command is the following.

$ gpg2 --gen-key --homedir=./rsa-keys --batch [filename]

The command that I execute in my shell (fish shell if it's important) is
the following (GNU Time + GnuPG):

$ time --format="Wall clock: %e[s], CPU (userspace): %U[s], CPU
(workload): %P%" gpg2 --gen-key --homedir=./rsa-keys --batch [filename]

Output from command:

Wall clock: 36.83[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 0.04[s], CPU (userspace): 0.00[s], CPU (workload): 8%%
Wall clock: 4.76[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 72.39[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 57.52[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 84.71[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 63.32[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 51.10[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 47.58[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 64.72[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 0.05[s], CPU (userspace): 0.00[s], CPU (workload): 6%%
Wall clock: 0.03[s], CPU (userspace): 0.00[s], CPU (workload): 11%%
Wall clock: 29.62[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 55.02[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 36.08[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 42.92[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 40.41[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 204.36[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 246.42[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 51.50[s], CPU (userspace): 0.00[s], CPU (workload): 0%%

Thanks in advance!

Regards,
Albin
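One way to automate the experiment described above, as an added example (not Albin's script and not GnuPG's code): it writes the batch parameter file, runs `gpg2 --batch --gen-key` in a scratch home directory and records wall-clock and child CPU time per run. It assumes `gpg2` (or `gpg`) and `gpg-connect-agent` are on PATH for the measurement part; the parameter builder and the summary are pure Python.

```python
"""Automate the RSA key generation timing experiment: write the batch
parameter file, run gpg2 --batch --gen-key in a scratch home directory,
record wall-clock and child CPU time per run, and summarize per length.
Added example, not code from the post or from GnuPG."""
import os
import resource
import shutil
import subprocess
import tempfile
import time
from statistics import mean

# Same parameters as the post's instruction file (name/email constructed).
PARAMS_TEMPLATE = """\
%echo Generating RSA key...
%no-protection
Key-Type: RSA
Key-Length: {length}
Name-Real: {name}
Name-Email: {email}
Expire-Date: 0
%commit
%echo Done!
"""


def batch_params(length, name="Real Name", email="user@localhost.example"):
    """Build the parameter file that `gpg2 --batch --gen-key FILE` reads."""
    return PARAMS_TEMPLATE.format(length=length, name=name, email=email)


def run_once(length, gpg=None):
    """Generate one RSA key of `length` bits in a fresh GNUPGHOME and
    return the timings.  GnuPG 2.1 does the actual key generation inside
    gpg-agent, a separate daemon and not a child of this script, so the
    child CPU figures cover only the gpg front end; that is also why GNU
    time reports ~0 CPU-seconds.  Wall-clock time spans the whole job."""
    gpg = gpg or shutil.which("gpg2") or shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("no gpg2/gpg binary on PATH")
    with tempfile.TemporaryDirectory() as home:
        params = os.path.join(home, "params.txt")
        with open(params, "w") as fh:
            fh.write(batch_params(length))
        before = resource.getrusage(resource.RUSAGE_CHILDREN)
        start = time.monotonic()
        subprocess.run([gpg, "--homedir", home, "--batch", "--gen-key", params],
                       check=True, capture_output=True)
        wall = time.monotonic() - start
        after = resource.getrusage(resource.RUSAGE_CHILDREN)
        # Stop the agent that gpg auto-started for this home directory.
        subprocess.run(["gpg-connect-agent", "--homedir", home, "KILLAGENT", "/bye"],
                       capture_output=True)
    return {"length": length, "wall": wall,
            "child_user": after.ru_utime - before.ru_utime,
            "child_sys": after.ru_stime - before.ru_stime}


def summarize(results):
    """Per key length: number of runs and mean/min/max wall-clock seconds."""
    summary = {}
    for length in sorted({r["length"] for r in results}):
        walls = [r["wall"] for r in results if r["length"] == length]
        summary[length] = {"runs": len(walls), "mean": mean(walls),
                           "min": min(walls), "max": max(walls)}
    return summary


if __name__ == "__main__":
    runs = [run_once(n) for n in (1024, 2048, 4096) for _ in range(5)]
    for length, stats in summarize(runs).items():
        print(f"rsa{length}: {stats}")
```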



Re: Using a GnuPG CCID card in another computer (follow-up)

2017-05-16 Thread Peter Lebbing
On 16/05/17 07:55, Matthias Apitz wrote:
> The question remains: Why do I have to move the files below .gnupg/ to
> the other workstation?

The card only holds the basic cryptographic material. But a certificate
("public key") holds much more information: your name, the relations
between the cryptographic keys and how they are used, your preferences
with regard to algorithms, how long the key is valid, and certifications
by other users who have signed your key, to name some important ones.

So before you can use the smartcard, you need to import your
certificate/public key. You could publish this to the keyserver network,
or put it on the web. If the latter, you /can/ enter the URL in a data
field on the smartcard, enabling you to use the "fetch" command of
--card-edit.

> And, what are the files below .gnupg/private-keys-v1.d
> exactly?

Either the real cryptographic material for a private key, or simply a
note telling GnuPG "that key is on card X". However, I'm surprised by
the size of these files you show. All my "notes saying card X", stubs,
on this laptop are around a mere 360 bytes. I know these files are
S-Expressions, but I haven't checked the exact construction. I would
expect OpenPGP smartcard stubs to generally come down to very comparable
sizes.

You can ask GnuPG to list all the OpenPGP private keys it knows about
along with the keygrip. The keygrip corresponds to the file name in
private-keys-v1.d. It will also indicate when a key is on a card:

> $ gpg2 --with-keygrip -K
> /home/peter/.gnupg/pubring.kbx
> --
> sec>  rsa2048 2009-11-12 [C] [expires: 2017-10-19]
>   8FA94E79AD6AB56EE38CE5CBAC46EFE6DE500B3E
>   Keygrip = 13790148EEE34BC5140DD31B6F95EABA8A19E419
>   Card serial no. = 0005 0274
> uid   [ultimate] Peter Lebbing 
> ssb>  rsa2048 2009-11-12 [S] [expires: 2017-10-19]
>   Keygrip = 46E61BB13BF429980D89B6B7BDE0F70E55E41A03
> ssb>  rsa2048 2009-11-12 [E] [expires: 2017-10-19]
>   Keygrip = A9C7C73653BEDAF478E4956FCF4C3AFC7CB9A00C
> ssb>  rsa2048 2009-12-05 [A] [expires: 2017-10-19]
>   Keygrip = 2DD5CC89FE601845C8C4F74F9643724A08D878FD
> 
> sec   rsa1024 2012-03-17 [SC] [expired: 2017-03-29]
>   825472F37172B95ADC7349BE98B67DE4DCDFDFA4
>   Keygrip = 2F677680CA15F6F7B963AF35822E8EC01FBF840A
> uid   [ expired] Test Teststra 
> uid   [ expired] Test Teststra (Koning van Wezel) 
> 
> ssb   rsa1024 2012-03-17 [E] [expired: never ]
>   Keygrip = 15CB764B81D542CF921978CA89910C69D53F4E2D
> ssb   rsa2048 2016-01-12 [A] [expired: never ]
>   Keygrip = 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63
> ssb   rsa1024 2017-03-22 [S] [expired: 2017-03-29]
>   Keygrip = B93CA4F1A44FAD92D45DC836DEC653769421E703

A '>' after 'sec' or 'ssb' indicates it is on a card. A '#' indicates
the key is unavailable.

You could do this to check what GnuPG thinks those files represent.

Note it only mentions the card serial number for the primary key, even
though the E and S subkeys are on a different card.

I have to admit I cheated a bit for the above output; I had to specify
"--list-options show-unusable-subkeys" because the test key was expired,
and I removed an awful lot of test keys from the output.

private-keys-v1.d also contains keys for gpgsm, which will not show up
when invoking "gpg2 -K" as above.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 
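As an added example (not Peter's code nor GnuPG's), here is a parser for the `gpg2 --with-keygrip -K` output shown above that maps each keygrip to its `<keygrip>.key` file under private-keys-v1.d and tells card stubs from on-disk private keys. The listing is adapted from Peter's (addresses omitted, trimmed, and one subkey marked '#' to exercise that case); the file names are constructed.

```python
"""Parse `gpg2 --with-keygrip -K` output and map each keygrip to its
<keygrip>.key file under private-keys-v1.d, separating card stubs from
on-disk private keys.  Added example, not code from the posts or from
GnuPG.  Listing adapted from Peter's; file names are constructed."""
import re

SAMPLE_LISTING = """\
/home/peter/.gnupg/pubring.kbx
--
sec>  rsa2048 2009-11-12 [C] [expires: 2017-10-19]
      8FA94E79AD6AB56EE38CE5CBAC46EFE6DE500B3E
      Keygrip = 13790148EEE34BC5140DD31B6F95EABA8A19E419
      Card serial no. = 0005 0274
uid   [ultimate] Peter Lebbing
ssb>  rsa2048 2009-11-12 [S] [expires: 2017-10-19]
      Keygrip = 46E61BB13BF429980D89B6B7BDE0F70E55E41A03
ssb>  rsa2048 2009-11-12 [E] [expires: 2017-10-19]
      Keygrip = A9C7C73653BEDAF478E4956FCF4C3AFC7CB9A00C
ssb>  rsa2048 2009-12-05 [A] [expires: 2017-10-19]
      Keygrip = 2DD5CC89FE601845C8C4F74F9643724A08D878FD

sec   rsa1024 2012-03-17 [SC] [expired: 2017-03-29]
      825472F37172B95ADC7349BE98B67DE4DCDFDFA4
      Keygrip = 2F677680CA15F6F7B963AF35822E8EC01FBF840A
uid   [ expired] Test Teststra
ssb   rsa1024 2012-03-17 [E] [expired: never ]
      Keygrip = 15CB764B81D542CF921978CA89910C69D53F4E2D
ssb#  rsa2048 2016-01-12 [A] [expired: never ]
      Keygrip = 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63
"""

KEY_RE = re.compile(r"^(sec|ssb)([>#]?)\s+(\S+)\s+(\d{4}-\d{2}-\d{2})\s+\[([A-Z]+)\]")
DETAIL_RES = (("fingerprint", re.compile(r"^\s+([0-9A-F]{40})\s*$")),
              ("keygrip", re.compile(r"^\s+Keygrip = ([0-9A-F]{40})\s*$")),
              ("serial", re.compile(r"^\s+Card serial no\. = (.+?)\s*$")))


def parse_keygrip_listing(text):
    """One record per sec/ssb line.  A '>' marker means the secret part is
    on a card (the file is a stub), '#' that it is unavailable entirely."""
    records, current = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            kind, marker, algo, created, usage = m.groups()
            current = {"kind": kind, "on_card": marker == ">",
                       "unavailable": marker == "#", "algo": algo,
                       "created": created, "usage": usage,
                       "fingerprint": None, "keygrip": None, "serial": None}
            records.append(current)
        elif current is not None:
            for field, regex in DETAIL_RES:
                m = regex.match(line)
                if m:
                    current[field] = m.group(1)
                    break
    return records


def classify_private_key_files(records, filenames):
    """Explain each file in private-keys-v1.d using the listing."""
    by_grip = {r["keygrip"]: r for r in records if r["keygrip"]}
    verdict = {}
    for name in filenames:
        if not name.endswith(".key"):
            verdict[name] = "not a private key file"
            continue
        rec = by_grip.get(name[:-4])
        if rec is None:
            verdict[name] = "not an OpenPGP key listed by gpg -K (e.g. a gpgsm key)"
        elif rec["on_card"]:
            where = f", card serial {rec['serial']}" if rec["serial"] else ""
            verdict[name] = f"card stub for [{rec['usage']}] {rec['algo']} key{where}"
        else:
            verdict[name] = f"on-disk private key [{rec['usage']}] {rec['algo']}"
    return verdict


def missing_files(records, filenames):
    """Keygrips gpg lists that have no file at all (worth investigating)."""
    present = {name[:-4] for name in filenames if name.endswith(".key")}
    return [r["keygrip"] for r in records
            if r["keygrip"] and r["keygrip"] not in present]
```

Feed `classify_private_key_files` the output of `os.listdir` on your private-keys-v1.d to get one line of explanation per file; as Peter notes, the card serial only appears on the primary key's record, so subkey stubs are reported without it.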





Re: Newbie can't get --passphrase option to work

2017-05-16 Thread Peter Lebbing
On 12/05/17 16:15, Ryk McDorman wrote:
> In the program I'm passing the output and input filenames as parameters to a 
> one-line batch file consisting of this command:
> echo | "C:\Program Files (x86)\gnuPG\bin\gpg.exe" --batch  
> --output %1  --passphrase-fd 0 --decrypt %2

You should also ask yourself what the purpose of the passphrase is other
than to make your life difficult. Your disk holds a file with an
encrypted private key as well as a file containing the plaintext
password. Why would an attacker that is able to access the encrypted
private key not also be able to access the PowerShell script with the
password? What purpose does the password serve in this scenario?

You should probably just remove the passphrase from the key. That way
any decryption or signature will just succeed without jumping through
hoops to pass the passphrase to GnuPG.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: command 'LEARN' failed: No inquire callback in IPC

2017-05-16 Thread NIIBE Yutaka
"Rogers, Dustin"  wrote:
> I have recently installed gnupg 2.1.20 from source on a centos6.8 box.

What's the configure option?  Did you enable smart card support with
libusb?

> [root@system1 ~]# gpg --card-edit
>
> gpg-agent[5158]: DBG: chan_8 -> OK Pleased to meet you, process 5159
[...]
> gpg-agent[5158]: DBG: chan_9 <- OK PKCS#11 smart-card server for GnuPG ready

This is not the scdaemon from GnuPG.

Please install scdaemon of GnuPG and try again with that.
-- 
