Re: gpg 2.2.x devuan jessie no TOFU TLS

2017-10-27 Thread Fulano Diego Perez


Werner Koch:
> On Thu, 26 Oct 2017 16:00, fulanope...@cryptolab.net said:
> 
>> checking for LIBGNUTLS... no
> 
> The minimal requirement is GNUTLS 3.0 - please check that you have the
> 3.x -dev package installed.  You should also consult config.log to check
> why GNUTLS was not found.
> 
> 
> Salam-Shalom,
> 
>Werner

installing pkg-config found them !

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Verify that the file is from who I expect it to be from

2017-10-27 Thread Werner Koch
On Fri, 27 Oct 2017 05:55, dan.ho...@redbone.co.nz said:
> Thanks - I get the line saying "good signature" in my message, but are you
> saying that I have to grep the output for the message and the email address
> of the encryptor?

Never ever do this.  You need to use --status-fd to get well defined
strings.  For example

  $ gpg --verify --status-fd 1 x.msg 2>/dev/null \
      | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $3}'

prints the fingerprint of the signing key iff the signature is valid.  Take
care that you know what is actually verified.  The best way to
accomplish this is to use detached signatures.

Anyway, using gpgv is in most cases much more robust (see my other
mail).


Salam-Shalom,

   Werner


-- 
Thoughts are free.  Exceptions are regulated by a federal law.
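
Added example (not part of the mail above and not GnuPG project code): the --status-fd advice turned into a reusable check that also compares the signer against one expected key, which goes a step beyond the one-liner in the mail. The function name signer_ok, the fingerprints and the sample status lines are constructed for illustration; in a VALIDSIG line field 3 is the fingerprint of the key that made the signature and field 12, when present, is the fingerprint of its primary key.

```sh
#!/bin/sh
# Added example, not from the thread. Reads gpg --status-fd lines on stdin and
# succeeds only if exactly one valid signature was made by the expected key.
# $1 = expected primary-key fingerprint (40 hex digits, no spaces).
signer_ok() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }      # skip anything that is not a status line
        $2 == "VALIDSIG" {
            valid++
            # Field 3: fingerprint of the key that made the signature.
            # Field 12 (when present): fingerprint of its primary key.
            fpr = (NF >= 12) ? $12 : $3
        }
        # Conservative policy: any of these status lines rejects the input.
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad++ }
        END { exit !(valid == 1 && bad == 0 && toupper(fpr) == toupper(want)) }
    '
}

# Constructed sample data: placeholder fingerprints and status output.
FPR_A=0123456789ABCDEF0123456789ABCDEF01234567   # the key we expect
FPR_B=FEDCBA9876543210FEDCBA9876543210FEDCBA98   # some other key in the keyring
SUBKEY=1111111111111111111111111111111111111111  # signing subkey

status_valid() {   # $1 = primary fingerprint of the signer
    printf '%s\n' \
        "gpg: Good signature from \"Example Signer\"" \
        "[GNUPG:] NEWSIG" \
        "[GNUPG:] GOODSIG 1111111111111111 Example Signer" \
        "[GNUPG:] VALIDSIG $SUBKEY 2017-10-27 1509062400 0 4 0 1 8 00 $1"
}
status_bad() {
    printf '%s\n' "[GNUPG:] NEWSIG" "[GNUPG:] BADSIG 1111111111111111 Example Signer"
}

# Real use, with a detached signature as recommended in the mail:
#   gpg --verify --status-fd 1 file.sig file 2>/dev/null | signer_ok "$FPR_A"
status_valid "$FPR_A" | signer_ok "$FPR_A" && echo "accepted: signed by expected key"
status_valid "$FPR_B" | signer_ok "$FPR_A" || echo "rejected: valid signature, wrong key"
status_bad | signer_ok "$FPR_A" || echo "rejected: bad signature"
```

The second sample is the case that grepping for "Good signature" misses: the signature is valid, but it was made by a different key in the keyring.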




Re: Verify that the file is from who I expect it to be from

2017-10-27 Thread Werner Koch
On Fri, 27 Oct 2017 06:01, dan.ho...@redbone.co.nz said:

> gpg2 --verify-sign  

Verification against a set of known keys is done using gpgv

  gpgv FILE

which uses ~/.gnupg/trustedkeys.gpg.  To specify another file with keys
you use

  gpgv --keyring KEYRING FILE

Here is how we do this when building GnuPG using the Speedo scripts:

  if ! $GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst; then
    echo "list of software versions is not valid!" >&2
    exit 1
  fi

This is from gnupg/build-aux/getswdb.sh.  To create the file with the
keys you can do this:

  gpg --export --export-options export-minimal FPR1 FPR2 FPR2 >trustedkeys.gpg

Do _not_ use --armor.  --export-options is not really required but
strips down the size of the key.


@Rob: Shouldn't we mention gpgv in the FAQ?


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: gpg 2.2.x devuan jessie no TOFU TLS

2017-10-27 Thread Werner Koch
On Thu, 26 Oct 2017 16:00, fulanope...@cryptolab.net said:

> checking for LIBGNUTLS... no

The minimal requirement is GNUTLS 3.0 - please check that you have the
3.x -dev package installed.  You should also consult config.log to check
why GNUTLS was not found.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: gpg 2.2.x devuan jessie no TOFU TLS

2017-10-27 Thread Fulano Diego Perez



 Forwarded Message 
Subject: Re: gpg 2.2.x devuan jessie no TOFU TLS
Date: Fri, 27 Oct 2017 17:36:09 +1100
From: Fulano Diego Perez 
To: GnuPG Users , d...@lists.dyne.org



Daniel Kahn Gillmor:
> On Fri 2017-10-27 01:00:36 +1100, Fulano Diego Perez wrote:
>> cannot work this out
>>
>> installed sqlite3 and gnutls available packages and -dev packages
> 
> what versions of these packages did you install?  can you provide more
> explicit details?

aside from below i installed latest gnu package dependencies

Package: libgnutls28-dev
New: yes
State: installed
Automatically installed: no
Multi-Arch: same
Version: 3.3.8-6+deb8u7
Priority: optional
Section: libdevel
Maintainer: Debian GnuTLS Maintainers

Architecture: amd64
Uncompressed Size: 2,957 k
Depends: libgnutls-deb0-28 (= 3.3.8-6+deb8u7), libgnutlsxx28 (=
3.3.8-6+deb8u7), nettle-dev (>= 2.5), libc6-dev | libc-dev,
 zlib1g-dev, libtasn1-6-dev (>= 3.9), libp11-kit-dev,
libgnutls-openssl27 (= 3.3.8-6+deb8u7)
Suggests: gnutls-doc, gnutls-bin, guile-gnutls
Conflicts: gnutls-dev
Replaces: gnutls-dev
Provides: gnutls-dev, libgnutls-openssl-dev
Description: GNU TLS library - development files

Package: libsqlite3-dev
New: yes
State: installed
Automatically installed: no
Multi-Arch: same
Version: 3.8.7.1-1+deb8u2
Priority: optional
Section: libdevel
Maintainer: Laszlo Boszormenyi (GCS) 
Architecture: amd64
Uncompressed Size: 1,542 k
Depends: libsqlite3-0 (= 3.8.7.1-1+deb8u2), libc6-dev
Suggests: sqlite3-doc
Description: SQLite 3 development files

> 
> the debian packages build fine on stretch and later, but i'm reluctant
> to try to backport them to jessie myself these days.  Such a port would
> introduce too many platform-level incompatibilities.
> 
>  --dkg
> 
