Behaviour of gpgsm / gpgme with multiple S/MIME certificates/keys per address (old/expired/about to expire and new)
Hi,

I recently got into trouble with S/MIME signing and encryption in claws-mail, which uses gpgme. My old (first) S/MIME certificate is about to expire, so I got a new one. I added the new one to gpgsm's keystore. But after that, claws-mail as well as gpgsm complain about the keys being ambiguous. Clearly, the call

    gpgsm -u u...@example.com

aborts because it cannot decide which of the two certificates to use. It works when I specify a definite key ID (fingerprint) for -u or just fix the default one. But what if I have multiple mail addresses, each with old and new keys lying around? Is there a way to tell gnupg to prefer a certain key for a given mail address?

While I can fix a key ID in claws-mail, too, this currently breaks alternating usage of S/MIME and PGP, as currently there is only one configuration field for the key ID to use for both (hopefully that will change soon).

With the GPG/PGP part, I revoke my old key and all seems fine. I somehow fail to see the equivalent mechanism for S/MIME. I even checked the expiration process, advancing my system clock past the expiration date of the old certificate. Even then, gpgsm complained about ambiguous keys. Wouldn't it be sensible to a) always use the newest S/MIME key with a non-expired certificate and b) discard the ones that are expired by default?

This issue even extended to another installation of gnupg/claws-mail suddenly refusing to use the old key, although I did not yet add the new secret key to it. They just picked up on the new certificate being published and hence also consider the keys ambiguous (even if there is only one secret key).

Any pointers? I wonder if I am doing something basic wrong, as regular expiration of S/MIME certificates is the norm, isn't it? Doesn't anyone else have issues with the accumulating number of old certificates?

(I am using GnuPG 2.1.21, gpgme 1.9.0, btw.)

Alrighty then,

Thomas

--
Dr. Thomas Orgis
Universität Hamburg
RRZ / Basis-Infrastruktur / HPC
Schlüterstr. 70
20146 Hamburg
Tel.: 040/42838 8826
Fax: 040/428 38 6270

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: TOFU
On 07.06.17 14:24, Peter Lebbing wrote:
> On 07/06/17 13:49, Stefan Claas wrote:
>> In Enigmail with the blue and green bar (without showing statistics) it
>> would simply mean that it switches from green to blue, right?
> Not necessarily!

I have one more question if you don't mind.

One of my tests showed me the difference between the classic way Enigmail handles the untrusted blue signatures and how TOFU handles this. Now my question as a Mac dummy and TOFU newbie: if Mallory gained access to my computer tomorrow, but not to my passphrase, and he replaced one pub key in my pubring and modified the TOFU database, how would TOFU handle this? Would TOFU alert me again that there is a second key with the same email address?

Regards
Stefan
Re: Key management for archives
On 09/06/2017 08:24, Werner Koch wrote:
> ( gpg --status-fd 1 --show-session-key --max-output 1 \
>   -o /dev/null 2>/dev/null FILE || true ) \
>   | awk '$1=="[GNUPG:]" && $2=="SESSION_KEY" {print $3}'
>
> The output can then be used with --override-session-key

Tks! That's exactly what I was looking for. I'll probably put that in a script that immediately re-encrypts the session key with the public key of the newly authorized user. Then he'll decode the session key and use it to decrypt the archive.

BYtE,
Diego
Re: setting GnuPG card to 'not forces' does not let sign
On Friday, June 09, 2017 at 08:09:12 a.m. +0200, Werner Koch wrote:
> > The bad PIN counter in the card is not decremented. Switching the card
> > back to 'forced' makes signing with PIN working again.
>
> Interesting. Did you also try to reset the card (i.e. re-insert) with
> non-forced set?

As I wrote in the last mail, it works now like it should, and for signing as for SSH I only have to enter the PIN once.

I have one last remaining issue with this GnuPG card and/or my USB device HID Global OMNIKEY 6121 Smart Card Reader and/or FreeBSD, i.e. it is totally unclear at the moment what is causing it: Sometimes (let's say in 50% of the cases) the USB device is not seen by the FreeBSD kernel on power-on boot, even if the OMNIKEY is already inserted before power-on. When it is not seen on boot, it is not seen on withdraw and re-insert. When it is seen, it is always seen, i.e. one can re-insert as much as you want, it always works. Sometimes not even a re-boot helps; it takes 2-3 re-boots to get the OMNIKEY seen.

I know this is not a GnuPG issue, but I wanted to mention it here to ask if others have similar experiences, even on Linux or other OS, or if it is worth getting a new OMNIKEY device or even another device.

Comments?

Thanks

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May 8, 1945: Who does not celebrate lost the War.
Re: Key management for archives
On Tue, 6 Jun 2017 14:39, ndk.cla...@gmail.com said:
> Is it possible to "extract" the used session key, so that the requester
> just ignores the asymmetric crypto and just uses the symmetric key to
> decode the file? Drawbacks? Other ideas?

Here is how I would do that:

    ( gpg --status-fd 1 --show-session-key --max-output 1 \
      -o /dev/null 2>/dev/null FILE || true ) \
      | awk '$1=="[GNUPG:]" && $2=="SESSION_KEY" {print $3}'

Note that gpg exits with a failure (due to the "exceeded --max-output limit" error message) and for extra cleanness I shortcut that error.

The output can then be used with --override-session-key

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
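Werner's one-liner, wrapped into the workflow Diego describes in his reply (extract the session key, pass it encrypted to the new user, who decrypts with --override-session-key), as an added example that is not from the thread. The function names and the sample [GNUPG:] status lines are my own constructed assumptions; the gpg-calling functions are only exercised when invoked on a real file, the parser runs offline on the sample.

```shell
#!/bin/sh
# Added example (not from the thread): parse the SESSION_KEY status line that
# gpg --status-fd emits and validate the "algo:hex" token before it is passed
# to --override-session-key. All sample status text below is constructed.

# Read status-fd lines on stdin; print the "algo:hex" token or return 1.
parse_session_key() {
    key=$(awk '$1=="[GNUPG:]" && $2=="SESSION_KEY" {print $3; exit}')
    case "$key" in
        "" | *[!0-9A-Fa-f:]* | *:*:*) return 1 ;;   # empty, junk, or 2 colons
        *:*) ;;                                      # looks like algo:hex
        *) return 1 ;;                               # no separator at all
    esac
    algo=${key%%:*}
    hex=${key#*:}
    case "$algo" in "" | *[!0-9]*) return 1 ;; esac  # algo id is decimal
    [ -n "$hex" ] && [ $(( ${#hex} % 2 )) -eq 0 ] || return 1   # whole bytes
    printf '%s\n' "$key"
}

# Archive owner: extract the session key of FILE. gpg exits non-zero because
# of --max-output, so that failure is deliberately ignored (as in the thread).
session_key_of() {
    ( gpg --status-fd 1 --show-session-key --max-output 1 \
          -o /dev/null 2>/dev/null "$1" || true ) | parse_session_key
}

# Archive owner: hand the key to a newly authorised RECIPIENT as a small
# encrypted note, so the large archive itself is never re-encrypted.
share_session_key() {   # usage: share_session_key FILE RECIPIENT > key.asc
    session_key_of "$1" | gpg --encrypt --armor -r "$2"
}

# Recipient: decrypt FILE with the shared key; the original recipient's
# private key is not needed for this step.
decrypt_with_shared_key() {   # usage: decrypt_with_shared_key key.asc FILE
    gpg --override-session-key "$(gpg --decrypt "$1")" -o - "$2"
}

# Constructed status output (key bytes are made up, not a real session key).
SAMPLE_STATUS='[GNUPG:] ENC_TO 0123456789ABCDEF 1 0
[GNUPG:] SESSION_KEY 9:00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF
[GNUPG:] PLAINTEXT 62 1496998800 archive.tar'

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_STATUS" | parse_session_key
```

The shared note contains only the session key, so anyone who can read it can decrypt that one archive and nothing else; protect it like the archive itself.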
Re: Fwd: RE: setting GnuPG card to 'not forces' does not let sign
On Friday, June 09, 2017 at 08:06:50 a.m. +0200, Werner Koch wrote:
> On Thu, 8 Jun 2017 12:48, g...@unixarea.de said:
> > Every time I write to gnupg-users@gnupg.org I get this crap from a robot
> > or from Sarah about dating. Can someone do anything that he/she/it is not
>
> That bot is subscribed. I enabled the moderation flag and disabled
> delivery.
>

Thanks for this.

Re/ the issue itself, it seems that a complete restart of the chain gpg-agent -- scdaemon -- /usr/local/sbin/pcscd fixed the issue. It asks now once for the PIN for signing and then not again until reboot.

Thanks as well for the nice hint about the X-message-flag: header line. The warning looks really nice in the crappy MS OutLook.

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May 8, 1945: Who does not celebrate lost the War.
Re: Fwd: RE: setting GnuPG card to 'not forces' does not let sign
On Thu, 8 Jun 2017 12:48, g...@unixarea.de said:
> Every time I write to gnupg-users@gnupg.org I get this crap from a robot
> or from Sarah about dating. Can someone do anything that he/she/it is not

That bot is subscribed. I enabled the moderation flag and disabled delivery.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: setting GnuPG card to 'not forces' does not let sign
> The bad PIN counter in the card is not decremented. Switching the card
> back to 'forced' makes signing with PIN working again.

Interesting. Did you also try to reset the card (i.e. re-insert) with non-forced set?

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.