Efficient batch fetching with verification?

2017-11-02 Thread Robin H. Johnson
What's a reasonably efficient way to fetch a lot of keys, by
fingerprint, from keyserver pools with HKPS?

Presently, the code is effectively this:
...cat-list-of-fingerprints... | xargs gpg --recv

This has the downside of causing many execs.

As an alternative, it was suggested that I could do manual HTTP fetches
for each of the fingerprints, then verify the keyserver returned only
the correct keys. This, however, still runs into the problem of calling
gpg many times.

gpgme does an exec behind the scenes, for each call, so I'm wondering
what other solutions are out there.

Most useful would be feeding a list of fingerprints to
--recv via a file descriptor, or feeding entire commands to a 
long-running GPG instance (but Assuan doesn't support RECV).

The Assuan part echoes a much older request of mine, that more operations
should be available via Assuan, to efficiently sign or verify many
files.

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Asst. Treasurer
E-Mail   : robb...@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
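
The verification step described above, as an added example that is not part of the original post or of GnuPG: each fingerprint is requested through the standard HKP lookup URL (`/pks/lookup?op=get&options=mr&search=0x<fpr>`) via an injectable `fetch()` (so one persistent HTTPS session can serve the whole batch), the returned armor is stripped, and the blob is accepted only if it holds exactly one primary key whose v4 fingerprint (SHA-1 over `0x99`, two-octet length and the key packet body, RFC 4880 section 12.2) is the one asked for. The keyserver name, the toy key packet and `fake_server()` are constructed for the example; partial-length packets are not handled.

```python
"""Added example (not part of the original post): fetch keys by fingerprint
over HKPS through one injectable fetch() and accept only the blobs whose
primary-key fingerprint, recomputed locally, equals the one requested."""
import base64
import hashlib
import re
import struct

HKP_GET = "/pks/lookup?op=get&options=mr&search=0x{fpr}"   # standard HKP lookup

def norm_fpr(fpr):
    return re.sub(r"\s+", "", fpr).upper()

def lookup_url(keyserver, fpr):
    return "https://" + keyserver + HKP_GET.format(fpr=norm_fpr(fpr))

def dearmor(text):
    """Return the binary packets inside an ASCII-armored block (RFC 4880 6.2).
    The armor CRC line is skipped; the fingerprint check below is what matters."""
    lines = text.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP"))
    blank = lines.index("", start)              # armor headers end at a blank line
    b64 = []
    for l in lines[blank + 1:]:
        if l.startswith("=") or l.startswith("-----END"):
            break
        b64.append(l.strip())
    return base64.b64decode("".join(b64))

def packets(data):
    """Yield (tag, body) per OpenPGP packet (RFC 4880 4.2); partial lengths unsupported."""
    i = 0
    while i < len(data):
        ctb = data[i]; i += 1
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                          # new-format header
            tag, n = ctb & 0x3F, data[i]; i += 1
            if n < 192:
                length = n
            elif n < 224:
                length = ((n - 192) << 8) + data[i] + 192; i += 1
            elif n == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]; i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                   # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 3
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + size], "big"); i += size
        yield tag, data[i:i + length]
        i += length

def v4_fingerprint(key_body):
    """SHA-1 over 0x99, two-octet length, key packet body (RFC 4880 12.2)."""
    if key_body[0] != 4:
        raise ValueError("only v4 keys supported")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()

def verify_blob(blob, wanted_fpr):
    """Accept exactly one primary key (tag 6) whose fingerprint is wanted_fpr."""
    primaries = [v4_fingerprint(body) for tag, body in packets(blob) if tag == 6]
    if len(primaries) != 1:
        raise ValueError(f"expected one key, server returned {len(primaries)}")
    if primaries[0] != norm_fpr(wanted_fpr):
        raise ValueError(f"fingerprint mismatch: got {primaries[0]}")
    return primaries[0]

def fetch_verified(keyserver, fprs, fetch):
    """fetch(url) -> armored text. Returns ({fpr: blob} accepted, {fpr: reason} rejected)."""
    good, bad = {}, {}
    for fpr in fprs:
        try:
            blob = dearmor(fetch(lookup_url(keyserver, fpr)))
            good[verify_blob(blob, fpr)] = blob
        except (ValueError, StopIteration) as err:
            bad[fpr] = str(err)
    return good, bad

# Constructed sample: a syntactically valid v4 RSA public-key packet (old-format
# header 0x98 = tag 6, one-octet length) with toy MPIs; it is not a real key.
SAMPLE_BODY = (b"\x04" + b"\x59\xfb\x00\x00" + b"\x01"      # v4, creation time, RSA
               + b"\x00\x18" + b"\xc0\xff\xee"              # n  (24-bit MPI)
               + b"\x00\x11" + b"\x01\x00\x01")             # e  (17-bit MPI, 65537)
SAMPLE_PACKET = b"\x98" + bytes([len(SAMPLE_BODY)]) + SAMPLE_BODY
SAMPLE_FPR = v4_fingerprint(SAMPLE_BODY)

def armor(data):
    b64 = base64.b64encode(data).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
            + b64 + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

def fake_server(url):
    """Stand-in for a keyserver that always hands back the sample key, so a
    request for any other fingerprint is caught by verify_blob()."""
    return armor(SAMPLE_PACKET)

if __name__ == "__main__":
    good, bad = fetch_verified("keys.example.org", [SAMPLE_FPR, "0" * 40], fake_server)
    print("accepted:", list(good), "rejected:", bad)
```

With a real `fetch` (for instance `http.client.HTTPSConnection` reused across requests), the accepted blobs can be concatenated into one file and handed to a single `gpg --import`, so gpg is executed once for the whole batch instead of once per fingerprint; the fingerprint check is what makes it safe to trust whatever the pool member answered.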


Re: GPG Subkey decryption

2017-11-02 Thread MFPA

On Thursday 2 November 2017 at 2:55:07 AM, in , John Ramsden wrote:-


> I think I may be misunderstanding how I'm supposed to be decrypting with
> a subkey. From what I thought, the public key should be the same on a
> subkey as it is on a primary key. I see the same public key when I list
> them on my machine which stores the primary key and the machine that
> stores the subkey.

You possibly mean you see the same user-id?

The primary key is a public key with a corresponding private key. Each
subkey is a public key with a corresponding private key. Each subkey
is bound to the primary key by a key binding signature.



> I want to send a message to the public key and be able to decrypt it on
> any machine where I have any subkey of the primary key. I'm encrypting
> from my primary key and using my public key from the same key as the
> recipient. Do I have to define multiple recipients based on all the
> subkeys? If so where do I find the public key for these subkeys that are
> supposed to be the recipient?

GnuPG usually encrypts to the newest available encryption-capable
subkey. Or to the primary key if it is encryption-capable and there
are no encryption-capable subkeys. If you wish to specify the primary
key or a specific subkey you can list as a recipient the (sub)key-id
followed by an exclamation mark.

Something like gpg -ear 0x1CAC08E8DEFAFDFE! -r 0xEAC88A2823F99DEC!



--
Best regards

MFPA

Hard work never killed anyone, but why take a risk?


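
The selection rule MFPA describes, as an added example that is not part of this thread or of GnuPG: from `gpg --with-colons --list-keys` output it picks the component gpg encrypts to by default (newest encryption-capable subkey that is not revoked, expired or invalid; the primary only as a fallback), builds the `0x<fingerprint>!` recipient that pins a particular (sub)key, and then reads `gpg --with-colons --list-secret-keys` to tell whether the machine in front of you holds real secret material for that component or only a stub (`#` in field 15). One way to end up with "decryption failed: No secret key" is exactly that mismatch: the message was encrypted to an encryption subkey whose secret part was never transferred to the machine doing the decrypting. The two listings are constructed and every key ID and fingerprint in them is invented; the field positions assume the GnuPG 2.x colon format with epoch-second timestamps.

```python
"""Added example (not part of the thread): work out which subkey GnuPG will
encrypt to from `gpg --with-colons --list-keys` output, build the `0x<fpr>!`
recipient that pins a specific (sub)key, and check from
`gpg --with-colons --list-secret-keys` whether this machine can decrypt it."""

def component(f):
    """Fields per doc/DETAILS (1-based there): 2 validity, 5 key ID, 6 creation
    (epoch seconds in 2.x), 12 own capabilities, 15 '#' when only a stub is held."""
    return {"keyid": f[4], "validity": f[1], "created": int(f[5] or 0),
            "caps": f[11], "stub": f[14] == "#", "fpr": None, "subkeys": []}

def parse_listing(text):
    """Group colon records into primaries with their subkeys; an fpr record
    (fingerprint in field 10) describes the pub/sub/sec/ssb record before it."""
    keys, cur, last = [], None, None
    for line in text.splitlines():
        f = line.split(":") + [""] * 16          # tolerate short records
        if f[0] in ("pub", "sec"):
            cur = last = component(f)
            keys.append(cur)
        elif f[0] in ("sub", "ssb") and cur is not None:
            last = component(f)
            cur["subkeys"].append(last)
        elif f[0] == "fpr" and last is not None:
            last["fpr"] = f[9]
    return keys

def usable(c):
    """Revoked (r), expired (e) and invalid (i) components are never chosen."""
    return not set(c["validity"]) & set("rei")

def encryption_target(key):
    """GnuPG's default choice: newest usable encryption-capable subkey, else the
    primary if it can encrypt, else nothing (the key cannot receive mail)."""
    subs = [s for s in key["subkeys"] if "e" in s["caps"] and usable(s)]
    if subs:
        return max(subs, key=lambda s: s["created"])
    return key if "e" in key["caps"] and usable(key) else None

def recipient_spec(c):
    """Trailing '!' tells gpg to use exactly this component, not its own choice."""
    return "0x" + c["fpr"] + "!"

def decryptable_here(secret_listing, fpr):
    """True only if the secret listing has real (non-stub) material for fpr."""
    for key in parse_listing(secret_listing):
        for c in [key] + key["subkeys"]:
            if c["fpr"] == fpr:
                return not c["stub"]
    return False

def diagnose(public_listing, secret_listing):
    """Per primary fingerprint: (pinned recipient spec, decryptable on this host)."""
    out = {}
    for key in parse_listing(public_listing):
        t = encryption_target(key)
        out[key["fpr"]] = None if t is None else (
            recipient_spec(t), decryptable_here(secret_listing, t["fpr"]))
    return out

# Constructed listings; all key IDs and fingerprints are invented. The newest
# encryption subkey (1111...) is revoked, so the older 2222... must be chosen;
# 3333... is newer still but can only sign.
PUBLIC_LISTING = """\
tru::1:1500000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF:
uid:u::::1500000000::0123456789ABCDEF0123456789ABCDEF01234567::Sample User <sample@example.org>::::::::::0:
sub:r:4096:1:1111111111111111:1550000000::::::e::::::23:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB1111111111111111:
sub:u:4096:1:2222222222222222:1500000000::::::e::::::23:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC2222222222222222:
sub:u:4096:1:3333333333333333:1560000000::::::s::::::23:
fpr:::::::::DDDDDDDDDDDDDDDDDDDDDDDD3333333333333333:
"""

# Secret listing as seen on a "less secure" machine: primary and encryption
# subkey are stubs ('#'), only the signing subkey's secret part is present.
SECRET_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESC:::#::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF:
ssb:u:4096:1:2222222222222222:1500000000::::::e:::#::23:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC2222222222222222:
ssb:u:4096:1:3333333333333333:1560000000::::::s:::+::23:
fpr:::::::::DDDDDDDDDDDDDDDDDDDDDDDD3333333333333333:
"""

if __name__ == "__main__":
    for primary, result in diagnose(PUBLIC_LISTING, SECRET_LISTING).items():
        print(primary, "->", result)
```

Run against real output (`gpg --with-colons --list-keys <id>` and `gpg --with-colons --list-secret-keys <id>` on the decrypting machine) it answers both halves of the question: which component a plain `-r <id>` resolves to, and whether that component's secret half actually lives on the host reporting "No secret key".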


Re: Why does import refuse to merge a new subkey?

2017-11-02 Thread Peter Lebbing
On 02/11/17 20:37, Phil Susi wrote:
> [..] but 2.0.28 on another also did it I'm pretty sure.

Yes, I'm pretty sure of that as well. 2.0 can't update secret keys; it
was introduced with 2.1 or somewhere during 2.1.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: Why does import refuse to merge a new subkey?

2017-11-02 Thread Phil Susi
On 11/2/2017 3:04 PM, Peter Lebbing wrote:
> On 02/11/17 16:58, Phil Susi wrote:
>> Why is this?
> 
> What version of GnuPG is this? It's a well-known limitation of GnuPG 1.4
> and 2.0, but my 2.1.18 allows me to add secret subkeys through --import.

Looks like I've still got 1.4.20 on one machine (when I usually forget
to run gpg2 instead of just gpg) but 2.0.28 on another also did it I'm
pretty sure.  I guess I'll try again and make sure to use a recent gpg2.





Re: Why does import refuse to merge a new subkey?

2017-11-02 Thread Peter Lebbing
On 02/11/17 16:58, Phil Susi wrote:
> Why is this?

What version of GnuPG is this? It's a well-known limitation of GnuPG 1.4
and 2.0, but my 2.1.18 allows me to add secret subkeys through --import.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: GnuPG public key vulnerability?

2017-11-02 Thread Shannon C
> so at Facebook, we checked
> the public keys that have been uploaded to people's profiles, and notified
> people whose keys are affected

Jon,

FYI your detection logic seems a bit overzealous, because (last time I
checked) it detects revoked ROCA-vulnerable subkeys as making the whole
public key unacceptable, even if the private key is not affected by ROCA.
According to the responses on this thread
https://lists.gnupg.org/pipermail/gnupg-users/2017-October/059417.html
ROCA-affected subkeys have no effect on the validity of the private key or
other subkeys, so if they're revoked everything should be ok.

Rejecting public keys in this way is problematic for two reasons I can
think of:
1. It confuses people because it implies that there's something wrong with
your whole key even though the problem is only with a subkey. And it
implies that revoking the subkey doesn't solve the problem.
2. It will force people to do extra work to remove their subkeys before
exporting their public key for upload to Facebook. This is annoying to do
and might lead to people deleting their subkeys from their local keyring
permanently, which is probably a bad idea.

I'm not certain, but I think keybase might be getting this wrong too.

-Shannon
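
The policy argued for above, as an added example that is not Facebook's, keybase's or GnuPG's code: a modulus test modelled on the public ROCA (CVE-2017-15361) detector, which flags a modulus when its residue modulo every small odd prime up to 167 lies in the subgroup generated by 65537, combined with a per-key verdict that rejects a key only when an affected component is still live, while revoked affected subkeys are reported but do not make the key unacceptable. The moduli are constructed with a CRT helper so the example runs offline; they are far too small to be real RSA keys, and the real detector additionally extracts the modulus from the key packet and gates on key size, both of which are left out here.

```python
"""Added example (not part of the thread): a ROCA (CVE-2017-15361) modulus
fingerprint test modelled on the public detector, and the policy argued for
above: a key is rejected only when an affected component is still live."""

GENERATOR = 65537                   # the public exponent the ROCA test is built around

def odd_primes_up_to(limit):
    return [p for p in range(3, limit + 1)
            if all(p % q for q in range(2, int(p ** 0.5) + 1))]

PRIMES = odd_primes_up_to(167)     # 3 .. 167, the detector's prime list

def subgroup(p):
    """{65537^k mod p}: the residues a ROCA-generated modulus shows for prime p."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * GENERATOR % p
    return seen

SUBGROUPS = {p: subgroup(p) for p in PRIMES}

def looks_roca(n):
    """True when n mod p lies in the 65537-subgroup for every small prime p.
    A random modulus fails this for at least one p with overwhelming probability."""
    return all(n % p in SUBGROUPS[p] for p in PRIMES)

def crt_modulus(residues):
    """Build n with prescribed residues (incremental CRT); unspecified primes get
    65537^7, which is inside the subgroup. Test-input construction only: the
    result is small and not a real RSA modulus."""
    n, m = 0, 1
    for p in PRIMES:
        r = residues.get(p, pow(GENERATOR, 7, p))
        n += m * ((r - n) * pow(m, -1, p) % p)
        m *= p
    return n

def key_verdict(components):
    """components: (fingerprint, modulus, revoked). Reject only when a live
    component is affected; revoked affected subkeys are reported, not fatal."""
    live = [f for f, n, rev in components if not rev and looks_roca(n)]
    revoked = [f for f, n, rev in components if rev and looks_roca(n)]
    return ("reject" if live else "accept"), live, revoked

# Constructed inputs. 65537 = 10 (mod 11), so the subgroup mod 11 is {1, 10}
# and residue 2 places CLEAN outside it; AFFECTED is inside for every prime.
AFFECTED = crt_modulus({})
CLEAN = crt_modulus({11: 2})
SAMPLE_KEY = [("PRIMARY", CLEAN, False),
              ("OLD-SUBKEY-FROM-AFFECTED-TOKEN", AFFECTED, True),   # revoked
              ("REPLACEMENT-SUBKEY", CLEAN, False)]

if __name__ == "__main__":
    verdict, live, revoked = key_verdict(SAMPLE_KEY)
    print(verdict, "live affected:", live, "revoked affected:", revoked)
```

The overzealous behaviour described in the post corresponds to ignoring the `revoked` flag and rejecting on `live + revoked`; keeping the two lists separate lets a checker warn the user that an old subkey was affected without telling them their whole key is unusable.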


Why does import refuse to merge a new subkey?

2017-11-02 Thread Phil Susi
Whenever my subkeys expire and I have to generate a new one, I try to
import the keys on my less secure machines and gpg stupidly refuses to
update the already existing key with the new subkey.  I have to delete
the key, then import to get the new subkey into the keyring.  Why is this?




Decrypt RSA encrypted secret by using gpg authentication key stored on yubikey

2017-11-02 Thread Thomas Glanzmann
Hello,
I have a yubikey that I use as gpg smartcard. On that yubikey I have an
authentication subkey. I uploaded the pubkey to AWS cloud. When I create
a Windows instance they use that pubkey to encrypt a password using RSA
to my privkey. Since my privkey is stored on the smartcard, I can't use
openssl to decrypt it.

So I'm looking for the equivalent of:

base64 -d /tmp/file | openssl rsautl -decrypt -inkey /path/to/aws/private/key.pem

Only that my key is not on the file system but the authentication key
stored on my gpg card.

Cheers,
Thomas

References:
https://docs.aws.amazon.com/cli/latest/reference/ec2/get-password-data.html#examples
https://serverfault.com/questions/603984/windows-password-wont-decrypt-on-aws-ec2-even-with-the-correct-private-key



GPG Subkey decryption

2017-11-02 Thread John Ramsden
I think I may be misunderstanding how I'm supposed to be decrypting with
a subkey. From what I thought, the public key should be the same on a
subkey as it is on a primary key. I see the same public key when I list
them on my machine which stores the primary key and the machine that
stores the subkey.

I want to send a message to the public key and be able to decrypt it on
any machine where I have any subkey of the primary key. I'm encrypting
from my primary key and using my public key from the same key as the
recipient. Do I have to define multiple recipients based on all the
subkeys? If so where do I find the public key for these subkeys that are
supposed to be the recipient?

When I'm on the machine that holds the sub key and I attempt to decrypt
I get the message:

> gpg: decryption failed: No secret key

-- 
  John
