Re: Automating and integrating GPG

[Dan Kegel]

On Mon, Sep 18, 2017 at 11:45 AM, Grzegorz Kulewski  wrote:
> I am working on a project (in Python and bash) that requires me to use GPG in 
> "headless mode" to generate keys and edit OpenPGP smartcard (to set some 
> properties and transfer some of the generated keys). This includes 
> transfering any passwords and PINs from my program to GPG, instead of 
> requiring user to enter them using pinentry.
>
> I wonder what method of integration of GPG with such project is best, most 
> future-proof and recommended and are there any other advices you may give me?

Good question.

I wrote a bit about doing that in shell scripts, see
https://lists.gnupg.org/pipermail/gnupg-users/2017-April/058158.html

It's challenging to make it both future- and past- proof, as gpg keeps changing.
What range of Linux distributions / versions of gpg do you need to support?

The new requirement for the agent is very challenging, and should not
be taken lightly.
You may need to expose the agent concept to your program; a transparent
wrapper may not be possible.

I keep running into problems with this.
https://github.com/Oblong/obs/ has my ugly code, and an automated test
that sometimes fails on slow systems like raspberry pi because of my
poor transparent wrapper around the gpg agent.
It is somewhat obscured by site-specific stuff (e.g. it uses gpg via apt).
I could try to do a clean demo without apt sometime if that would be helpful.
- Dan

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Automating and integrating GPG

[Dan Kegel]

On Mon, Sep 18, 2017 at 2:45 PM, Daniel Kahn Gillmor
 wrote:
> GnuPG upstream developers tend to recommend the use of GPGME for system
> integration projects that require a stable interface.

dpkg does that, but it doesn't help people trying to automate dpkg :-)

- Dan

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Automating and integrating GPG

[Daniel Kahn Gillmor]

On Mon 2017-09-18 20:45:52 +0200, Grzegorz Kulewski wrote:

> I am working on a project (in Python and bash) that requires me to use
> GPG in "headless mode" to generate keys and edit OpenPGP smartcard (to
> set some properties and transfer some of the generated keys). This
> includes transfering any passwords and PINs from my program to GPG,
> instead of requiring user to enter them using pinentry.
>
> I wonder what method of integration of GPG with such project is best,
> most future-proof and recommended and are there any other advices you
> may give me?

GnuPG upstream developers tend to recommend the use of GPGME for system
integration projects that require a stable interface.

If you're using python, the GnuPG team maintains gpgme bindings for
python, available in debian and debian-derived systems (e.g. ubuntu) as
"python-gpg".

I don't know how much smartcard interaction gpgme supports, though.

hth,

--dkg

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: using --keyserver but still getting gpg: no keyserver known (use option --keyserver)

[Daniel Kahn Gillmor]

On Mon 2017-09-18 13:50:00 +, Patrick Schleizer wrote:
> gpg --keyserver hkp://pgp.mit.edu:11371 --search-keys m...@e-mail.com
>
> gpg --keyserver=hkp://pgp.mit.edu:11371 --search-keys m...@e-mail.com
>
> gpg: no keyserver known (use option --keyserver)
> gpg: keyserver search failed: No keyserver available
>
> What am I doing wrong?

what version of gpg?  what version of dirmngr?

modern versions of gpg should default to the hkps pool, and shouldn't
need any explicit configuration.

 --dkg

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Automating and integrating GPG

[Grzegorz Kulewski]

Hello,

I am working on a project (in Python and bash) that requires me to use GPG in 
"headless mode" to generate keys and edit OpenPGP smartcard (to set some 
properties and transfer some of the generated keys). This includes transfering 
any passwords and PINs from my program to GPG, instead of requiring user to 
enter them using pinentry.

I wonder what method of integration of GPG with such project is best, most 
future-proof and recommended and are there any other advices you may give me?

Thank you in advance.

-- 
Grzegorz Kulewski

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: OT: Which smartphone would you use

[Mauricio Tavares]

On Mon, Sep 18, 2017 at 2:04 PM, Matthias Apitz  wrote:
> On Monday, 18 September 2017 17:32:51 CEST, Thomas Hejze 
> wrote:
>>
>> Hello everyone,
>> I know this is off-topic, but since it is related to IT security and
>> therefore more or less to GNUPG, I hope that I get some helping answers,
>> though.
>>
>> Having been objecting to smartphones for a long time I fear that the time
>> has come that I get one for myself. The question is which one.
>>
>> IPhone is not an option, Android probably not, due to security
>> considerations.
>> ...
>
>
> I'm using for more than two years an Ubuntu phone BQ E4.5. The project was
> driven by Canonical and BQ as the hardware OEM. The project died in March of
> this year, but is now moved to a community of OpenSource entusiast. The
> software novadays is mostly Ubuntu 15.04, with some Android blobs in the
> kernel for the hardware access.
>
  Wasn't there also at least one company in Europe selling the
Ubuntu phones?

> Check https://forums.ubports.com/
>
> matthias
>
>
>
> --
> Sent from my Ubuntu phone
> http://www.unixarea.de/
>
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: using --keyserver but still getting gpg: no keyserver known (use option --keyserver)

[Dr. Peter Voigt]

On Mon, 18 Sep 2017 12:13:20 -0400
Lee  wrote:

> Try it without the port number
> $ gpg --keyserver hkp://pgp.mit.edu --search-keys
> torbrow...@torproject.org gpg: searching for
> "torbrow...@torproject.org" from hkp server pgp.mit.edu (1) Tor
> Browser Developers (unknown)  4096 bit RSA
> key 0x669ECC703A7C585A, created: 2017-08-18, expires: 2020-08-24
> (2) Tor Browser Developers 
>   4096 bit RSA key 0xB9294788BE63AEFC, created: 2017-08-18,
> expires: 2017-08-25 (expired)
> (3) Tor Browser Developers (signing key)
>  4096 bit RSA key 0x4E2C6E8793298290,
> created: 2014-12-15, expires: 2020-08-24
> Keys 1-3 of 3 for "torbrow...@torproject.org".  Enter number(s),
> N)ext, or Q)uit > q
 

Hhm, it's working on my machine both with "hkp://" and with port number:

# gpg --keyserver hkp://pgp.mit.edu:11371 --search-keys 
torbrow...@torproject.org
gpg: data source: http://pgp.mit.edu:11371
(1) Tor Browser Developers (unknown) 
  4096 bit RSA key 669ECC703A7C585A, created: 2017-08-18, expires: 
2020-08-24
(2) Tor Browser Developers 
  4096 bit RSA key B9294788BE63AEFC, created: 2017-08-18, expires: 
2017-08-25 (expired)
(3) Tor Browser Developers (signing key) 
  4096 bit RSA key 4E2C6E8793298290, created: 2014-12-15, expires: 
2020-08-24
Keys 1-3 of 3 for "torbrow...@torproject.org".  Enter number(s), N)ext, or 
Q)uit > 

My GnuPG version is 2.1.18.

Under Debian Stretch I have solved similar keyserver related issues
with the option "standard-resolver" in ~/.gnupg/dirmngr.conf. I hope it
helps.

Peter




pgpfALMQPei5O.pgp
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to encrypt using public certificate\key

[Peter Lebbing]

On 07/09/17 12:58, shaarang tyagi wrote:
> I am trying to understand the encryption process and the all the input
> that is required to perform encryption.
> 
> So according to this RFC, section 2.1:

If you want to learn about what makes an OpenPGP message, gpg
--list-packets is very useful:

$ echo Talking to myself | gpg -r pe...@digitalbrains.com -e | gpg
--list-packets

And now you see which packets make up a message encrypted to me.

> https://tools.ietf.org/html/rfc4880#section-2.1
> 
> There can be 2 sources for encryption key, either a session
> key(generated randomly) or a shared pass phrase (key is derived from
> this phrase) ?

Well, in a sense that's correct, but it's missing an important point.

What GnuPG does is:

- Create a random session key, unique for each encrypted message. This
is what the data is encrypted with.
- For each public key the data is encrypted to, include a Public-Key
Encrypted Session Key Packet[1] (PKESK), which is the session key
encrypted to a specific public key.
- If decryption by passphrase is requested (--symmetric), also create a
Symmetric-Key Encrypted Session Key Packet[2] (SKESK), which allows to
decrypt the session key with the passphrase.

RFC 4880 section 2.1 indeed also mentions a different method where the
passphrase is used to derive the key to encrypt the data, rather than
using a random session key. This is possible if the data is preceded by
a single SKESK that specifies how to derive the key from the passphrase,
as in section 5.3 [2]. But this type of data is never produced by GnuPG,
to my knowledge.

So /the/ method, the single method, to create an encrypted message is to
generate a random session key which is used to encrypt the data. Then
get that session key to your recipient, be that by public key or by
shared passphrase.

Finally, multiple passphrases that all decrypt the data (multiple SKESK
packets) are permitted, but I don't think GnuPG can create such messages
(I'm not sure).

> gpg -e -u "Sender User Name" -r "Receiver User Name" somefile

What you /should/ do is put all options before the command; that way the
command line is unambiguous and gpg will always catch your meaning. "-e"
is the command, and "somefile" is the command argument. So:

$ gpg -u "Sender User Name" -r "Receiver User Name" -e somefile

When you include options after the command, it might work, but it
requires guesswork on the part of gpg, so you should avoid it.

> Which method does this command uses exactly? 

It encrypts the data with a random session key, and encrypts the session
key to the public key belonging to "Receiver User Name". To be exact,
the first public key it finds in its keyring that matches "Receiver User
Name". Which one is the first, you don't know, so it's best to make sure
only one key matches what you give.

And the command line contains useless cruft, as it specifies a signing
key, but doesn't request signing of the data. So the "-u" argument is
silently ignored as not relevant but not harmful either. If there is
only one private key, it's never necessary to specify it by "-u".

> It does message encryption with a given username's certificate's pub
> key?(Is this a third method which is not mentioned in that RFC ) ?

No, there's no third method to decrypt data, it's either encrypted to a
public key, or a passphrase unlocks it, or both. Okay, I guess that does
make three ;-).

> Also, Where can i find all the commands for all the possibilities using
> different key sources?

Either the man page if you're on a UNIXy OS:

$ man gpg

Or the Texinfo documentation which is on the web[3] and can also be read
on UNIXy OSes by:

$ info gnupg

(or a different info reader, I usually use "pinfo").

The Texinfo manual has more than the man page, and is also a lot easier
to navigate. But they are mostly reference manuals, you'll still need
other documentation to get you started.

Let me point out, as you're perusing the OpenPGP RFC, that there is even
another method[4] to encrypt data[5] to a passphrase defined there, but
it's deprecated. As it should be, no salting!, obsolete cipher:

> [...] If no packets of these types precede the encrypted data,
> the IDEA algorithm is used with the session key calculated as the MD5
> hash of the passphrase, though this use is deprecated.

Just ignore this, it's ancient. If somebody sends you such messages,
please page them or send them a fax, requesting them to come over to the
21st century. It's not that scary on most days.

And there is more such stuff in the RFC. If it says something like
"deprecated" or SHOULD NOT or something, you can probably skip it.

HTH,

Peter.

[1] 
[2] 
[3] 
[4] 

[5] Okay, that puts "is there a third method to encrypt" into a
different light again :-)

-- 
I use the GNU Privacy Guard (GnuPG) in c

Re: OT: Which smartphone would you use

[Matthias Apitz]

On Monday, 18 September 2017 20:07:38 CEST, Mauricio Tavares 
 wrote:




I'm using for more than two years an Ubuntu phone BQ E4.5. The 
project was
driven by Canonical and BQ as the hardware OEM. The project 
died in March of

this year, but is now moved to a community of OpenSource entusiast. The
software novadays is mostly Ubuntu 15.04, with some Android blobs in the
kernel for the hardware access.


  Wasn't there also at least one company in Europe selling the
Ubuntu phones?


Yes, as I said BQ.com




--
Sent from my Ubuntu phone
http://www.unixarea.de/

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: OT: Which smartphone would you use

[Dotan Cohen]

The answer pretty much depends on what smartphone features you are
looking for. Do you need to run a web browser? Email integration?
AnkiDroid? A decent camera?

Let us know what features you are looking for.

On Mon, Sep 18, 2017 at 6:32 PM, Thomas Hejze  wrote:
> Hello everyone,
> I know this is off-topic, but since it is related to IT security and therefore
> more or less to GNUPG, I hope that I get some helping answers, though.
>
> Having been objecting to smartphones for a long time I fear that the time has
> come that I get one for myself. The question is which one.
>
> IPhone is not an option, Android probably not, due to security considerations.
> I want a hardware/software combination which provides a decent amount of
> security for my personal data. Jolla or Tizen comes to my mind, but as far as
> I have come with my research, hardware for those is difficult to get at least
> in Europe. So I am looking for some advice from the experts which are regulars
> on this mailing list and recommendations which hardware/software combination
> they would use resp. are using.
>
> Thanks in advance and best regards
> Thomas Hejze
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users



-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: OT: Which smartphone would you use

[Matthias Apitz]

On Monday, 18 September 2017 17:32:51 CEST, Thomas Hejze  
wrote:

Hello everyone,
I know this is off-topic, but since it is related to IT 
security and therefore 
more or less to GNUPG, I hope that I get some helping answers, though.


Having been objecting to smartphones for a long time I fear 
that the time has 
come that I get one for myself. The question is which one.


IPhone is not an option, Android probably not, due to security 
considerations.

...


I'm using for more than two years an Ubuntu phone BQ E4.5. The project was 
driven by Canonical and BQ as the hardware OEM. The project died in March 
of this year, but is now moved to a community of OpenSource entusiast. The 
software novadays is mostly Ubuntu 15.04, with some Android blobs in the 
kernel for the hardware access.


Check https://forums.ubports.com/

matthias



--
Sent from my Ubuntu phone
http://www.unixarea.de/

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: using --keyserver but still getting gpg: no keyserver known (use option --keyserver)

[Lee]

On 9/18/17, Patrick Schleizer  wrote:
> gpg --keyserver hkp://pgp.mit.edu:11371 --search-keys m...@e-mail.com
>
> gpg --keyserver=hkp://pgp.mit.edu:11371 --search-keys m...@e-mail.com
>
> gpg: no keyserver known (use option --keyserver)
> gpg: keyserver search failed: No keyserver available
>
> What am I doing wrong?

Try it without the port number
$ gpg --keyserver hkp://pgp.mit.edu --search-keys torbrow...@torproject.org
gpg: searching for "torbrow...@torproject.org" from hkp server pgp.mit.edu
(1) Tor Browser Developers (unknown) 
  4096 bit RSA key 0x669ECC703A7C585A, created: 2017-08-18,
expires: 2020-08-24
(2) Tor Browser Developers 
  4096 bit RSA key 0xB9294788BE63AEFC, created: 2017-08-18,
expires: 2017-08-25 (expired)
(3) Tor Browser Developers (signing key) 
  4096 bit RSA key 0x4E2C6E8793298290, created: 2014-12-15,
expires: 2020-08-24
Keys 1-3 of 3 for "torbrow...@torproject.org".  Enter number(s),
N)ext, or Q)uit > q

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: using --keyserver but still getting gpg: no keyserver known (use option --keyserver)

[Fabian A. Santiago]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

September 18, 2017 11:43 AM, "Patrick Schleizer" 
 wrote:

> gpg --keyserver hkp://pgp.mit.edu:11371 --search-keys m...@e-mail.com
>
> gpg --keyserver=hkp://pgp.mit.edu:11371 --search-keys m...@e-mail.com
>
> gpg: no keyserver known (use option --keyserver)
> gpg: keyserver search failed: No keyserver available
>
> What am I doing wrong?
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

remove the hkp prefix from your server address:

someserver.com instead of hkp://...:...

and no equal sign either after keyserver.

- --

Thanks,

Fabian S.

OpenPGP: 3C3FA072ACCB7AC5DB0F723455502B0EEB9070FC
-BEGIN PGP SIGNATURE-
Version: OpenPGP.js v2.5.4
Comment: http://openpgpjs.org

wsFcBAEBCAAQBQJZv+sECRBVUCsO65Bw/AAAJ+AP/1P16+FHSJtOeH/SSLAY
9MsYw2SdJJlR7KM0dijb6MjthzFeSuX3sRZ/vcfHbgro1V12VNFCZqAPKOxi
aWt06MF+hig0Lz6VablrnszwnTffftCMPOALMUipOI9l3jdwKKosdObX8JAS
ckTzrU6Fg3XKMzI/h7LDkocPCujSHUh9G/vcvVeTpcHX5NUqVGDyY1rBe+z8
GIvtVZbaX/f0fT/Th5/zurTiExkBkTsXBwOBv5EF/ICK9E3txF2x4LIPywEn
XV4rqwHfGmxPKpb08IIFG/jw82mPk5AYr5+AkTMRLxeALoawaZrYoFq/slG+
VRIw/Y4ynPkiJykpx37IBF/+8RnI9OKtlFGSiO1HmjYxO6l8bCLzkuRNnUOF
Nn+iHvvLVh0Vg20SNy4ffUnms+of4Dj8eYwDx7HU1vAtMy5s0k/ou+Jd0rzw
q51quIGG8yG07I/CT0adZV1tqYXBZRJgnk3t0x2uBuLKINHAFPM1jT0+185K
Ikr2jyXKNLm080sU4zNOUH99UINq/DgLfq+hPadJVDpNBty5qNcp50oSGvV2
pg1EYZbh2bK5ExSyn01C+GRDFGoyUM4DY0caLsKiuMgT8M6DQ5LmABwvUQ56
DGsszdJ0m1QhvSBPMm09AzljTtrefadn5mA1stvMxcb01sVA7zyn/e7dVEi7
dAPa
=0Omz
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

OT: Which smartphone would you use

[Thomas Hejze]

Hello everyone,
I know this is off-topic, but since it is related to IT security and therefore 
more or less to GNUPG, I hope that I get some helping answers, though.

Having been objecting to smartphones for a long time I fear that the time has 
come that I get one for myself. The question is which one.

IPhone is not an option, Android probably not, due to security considerations.
I want a hardware/software combination which provides a decent amount of 
security for my personal data. Jolla or Tizen comes to my mind, but as far as 
I have come with my research, hardware for those is difficult to get at least 
in Europe. So I am looking for some advice from the experts which are regulars 
on this mailing list and recommendations which hardware/software combination 
they would use resp. are using.

Thanks in advance and best regards
Thomas Hejze

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Extending expiration date and SSH

[Damien Goutte-Gattat]

Hi,

On 09/18/2017 12:38 PM, Marko Božiković wrote:

Will that change the SSH public key (as it is exported using ssh-add -L for
adding to .ssh/authorized_keys)?


No. The expiration date of the subkey is not part of the key material 
itself, it is stored in the subkey binding signature. A modification of 
the expiration date has no effect on the public key as seen by SSH.



Damien



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

using --keyserver but still getting gpg: no keyserver known (use option --keyserver)

[Patrick Schleizer]

gpg --keyserver hkp://pgp.mit.edu:11371 --search-keys m...@e-mail.com

gpg --keyserver=hkp://pgp.mit.edu:11371 --search-keys m...@e-mail.com

gpg: no keyserver known (use option --keyserver)
gpg: keyserver search failed: No keyserver available

What am I doing wrong?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Extending expiration date and SSH

[Peter Lebbing]

On 18/09/17 12:38, Marko Božiković wrote:
> Will that change the SSH public key (as it is exported using ssh-add -L for
> adding to .ssh/authorized_keys)?

No, if it is a regular SSH key, it will not change by changing the
expiration date.

> I'm looking for a best practice approach to avoid locking myself out of my
> machines :)

Back up your .gnupg dir, and if something goes wrong, put it back from
backup. Always good advice.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Extending expiration date and SSH

[Marko Božiković]

Hi all,

I use my authentication GPG key for SSHing into different machines. My GPG
keys are stored on a Yubikey and I use gpg-agent to interface with the Yubikey
and use the keys for SSH authentication.

My GPG keys have expired and while that doesn't have any effect on SSH
authentication, I'd still like to extend their expiration date.

Will that change the SSH public key (as it is exported using ssh-add -L for
adding to .ssh/authorized_keys)?

I'm looking for a best practice approach to avoid locking myself out of my
machines :)

Thank you!
-- 
Marko

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users