Re: Multiple dev one signing key

2019-03-10 Thread Werner Koch
On Fri,  8 Mar 2019 20:05, johndoe65...@mail.com said:

> What is the best way forward?
> - One signing key accessible on the release system

I'd say depends on the release system.  In most cases this is a
networked box and I would hesitate to do this.  Using gpg with a
remote gpg-agent would be an option, though.

> - Each dev having a copy of the key to be able to sign a release

That is what we do in GnuPG.  We have a few core developers who carry
a key and that set of keys is distributed with each gpg release and also
via other channels.  We also demand that the keys are all smartcard based
and thus a remote key compromise would need physical access.  Well, a
developer could be tricked into signing a bad release but at least this
would not compromise the widely distributed key.

We often add a second signature to a release.  For example, I sign many
of the releases and when Niibe-san then sends me his signature for the
same tarball I then append that signature to mine [1].  This is also the
reason why you often notice a changed signature file (you can simply
concatenate detached signatures).  For a small group this works really
well, but for a larger group the system Konstantin describes in his mail
is better up to the task.


Shalom-Salam,

   Werner


[1] Using gnupg/build-aux/append-signature.sh
-- 
Thoughts are free.  Exceptions are governed by a federal law.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
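The two-signer workflow Werner describes (each developer signs the same tarball, the detached signatures are concatenated), shown as an added example that is not GnuPG's own append-signature.sh. It assumes gpg and gpgconf are in PATH and uses throw-away keys in a temporary GNUPGHOME so it runs offline; the tarball is a constructed stand-in.

```sh
#!/bin/sh
# Added example: sign one release with two developer keys, append the second
# detached signature to the first, and confirm gpg verifies both.
set -eu

# Count the GOODSIG status lines gpg emits when verifying SIG over FILE.
# One line per signature that checks out, so a combined .sig yields 2.
count_good_sigs() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null \
        | grep -c '^\[GNUPG:\] GOODSIG' || true
}

two_signer_demo() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME     # throw-away keyring
    chmod 700 "$GNUPGHOME"
    work=$(mktemp -d)
    printf 'fake release contents\n' > "$work/release-1.0.tar.gz"  # constructed
    for dev in alice bob; do
        # Unprotected keys only because this is a demo; real release keys
        # live on smartcards, as the thread says.
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "$dev@example.invalid" ed25519 sign 0
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --local-user "$dev@example.invalid" \
            --output "$work/$dev.sig" --detach-sign "$work/release-1.0.tar.gz"
    done
    # A detached .sig is a sequence of OpenPGP signature packets, so the
    # second signer's file can simply be appended to the first.
    cat "$work/alice.sig" "$work/bob.sig" > "$work/release-1.0.tar.gz.sig"
    single=$(count_good_sigs "$work/alice.sig" "$work/release-1.0.tar.gz")
    combined=$(count_good_sigs "$work/release-1.0.tar.gz.sig" \
        "$work/release-1.0.tar.gz")
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work" "$GNUPGHOME"
    echo "$single $combined"
}
```

A verifier that trusts only one of the two keys still gets a GOODSIG for that key; the extra signature packet is ignored rather than failing the check.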


Re: Default trust-model TOFU

2019-03-10 Thread Werner Koch
On Fri,  8 Mar 2019 20:21, tliko...@iki.fi said:

> have plans for that, to set the default trust model to "tofu" or
> "tofu+pgp"?

I am still not convinced that the UI as implemented on the command line
is better than what we have now.  It looks more complicated than what
one would expect under TOFU.

The tracking of all signature verification and thus decryption
operations in a local database does not feel right.  It has been
implemented to avoid counting signatures several times which would give a
wrong picture of the key usage patterns over time.

I would like to address these two problems first.


Shalom-Salam,

   Werner



Re: PGP Anonymous Board Idea

2019-03-10 Thread Werner Koch
On Fri,  8 Mar 2019 22:00, ab...@monksofcool.net said:

> a) We're moving ever further off topic in terms of GnuPG.

FWIW, given the low traffic on gnupg-users, I would consider this still
to be on topic.


Salam-Shalom,

   Werner



Re: user id question

2019-03-10 Thread Werner Koch
On Sun, 10 Mar 2019 14:51, 2017-r3sgs86x8e-lists-gro...@riseup.net said:

> Is "nerdy" good or bad in this context?

That is really up to you.  Often it is fun to be a nerd.

To the OP: I have done keysigning for about 25 years but meanwhile I
don't think that the Web of Trust is a good idea to make encryption for
the masses really easy.  Also it is often more a game than serious
operational security.  In particular when it comes to the pretty German
scheme of it, which sometimes demands two government-issued identity
documents and so on.  That is in stark contrast to the grassroots origin
of PGP and its tendency not to trust the government.  For a small closed
group the Web of Trust used to work well, though.


Salam-Shalom,

   Werner



Re: Keys in the keystore dir (private-keys-v1.d/) are being modified

2019-03-10 Thread Werner Koch
On Sun, 10 Mar 2019 15:54, claudio.flore...@gmail.com said:

> After signing a file with my sign subkey I noticed that the private key
> file of the sign subkey was modified. Why? What happens?

To speed up the migration and to not annoy you by asking for your
passphrase for each private key, GnuPG defers a part of the migration to
the time when you have to enter the passphrase anyway.  This is what
happened here.

Please be aware that future versions of GnuPG _may_ update the file with
the private key to record certain meta data.


Shalom-Salam,

   Werner



Re: Questions about finding keys used to encrypt files with gpg

2019-03-10 Thread Werner Koch
On Sat,  9 Mar 2019 17:52, mattia.cod...@poste.it said:

> I noticed that the gpg -d [filename] command works out without asking
> me for the passphrase, so after a brief search i became aware of the
> fact that gpg uses public/private keys encrypting, combined with a

Right, public key cryptography is the main use case of gpg.  However, you
used plain symmetric encryption (-c), which requires that sender and
recipient share one key.  The behavior you noticed when decrypting your
own symmetrically encrypted message is that gpg remembers the passphrase
used for symmetric encryption as long as the cache does not expire or
you restart gpg-agent.  If you had sent the message to someone
else, that other party would be asked for the passphrase.

To disable this, sometimes surprising, caching of passphrases for
symmetric encryption, you can use the option --no-symkey-cache with
gpg.

> As far as I know, in order to successfully export and decrypt the files
> in other computers, one must export and restore the original key pairs
> used to encrypt the original files. So what should I do to figure out
> what kind of keys were used?

Please read one of the howtos or the README of gpg to learn about the
basic use.  In short:

1. Create a key pair:

   gpg --gen-key

   Which creates the keyblock (certificate) including a user id.  You
   will be asked to protect the private part of the key with a
   passphrase, so that a stolen computer will not immediately lead to a
   compromise of your private key.  You are not required to use a
   passphrase, though - the message will be strongly encrypted without a
   passphrase; the passphrase is a purely local thing.

2. Export the public part of the key pair

   gpg -a --export YOUR_USERID >pubkey.asc

3. Send the public key to the recipient by plain mail, courier etc.

4. Ask your peer to encrypt a message to you with

   gpg -ear YOUR_USERID FILE

5. After receiving that message you can use

   gpg -d FILE.asc

You may always add -v to get some more info from gpg.  There are many GUI
frontends and mailers which don't require you to remember the above
commands.  You may also want to look into distribution mechanisms for
public keys (which are used to encrypt) like keyservers or the Web Key
Directory.


Salam-Shalom,

   Werner

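The OP's real question is how to tell which kind of key an existing .gpg file needs. The packet in front of the encrypted data answers it: a file made with -c starts with a symmetric-key ESK packet, one made with -e with a public-key ESK packet. This added example (not from the thread or the GnuPG project) shows that check together with the --no-symkey-cache option Werner mentions; it assumes gpg and gpgconf are in PATH, uses a throw-away GNUPGHOME, and the input file and passphrase are constructed.

```sh
#!/bin/sh
# Added example: classify a gpg-encrypted file by its session-key packet,
# then decrypt it without leaving the passphrase in gpg-agent's cache.
set -eu

# Print "symmetric", "public-key" or "unknown" for encrypted file $1.
# --list-only skips the decryption pass, so no passphrase is requested and
# no secret key is needed; --pinentry-mode cancel is a belt-and-braces guard.
encryption_kind() {
    pk=$(gpg --batch --list-only --pinentry-mode cancel \
        --list-packets "$1" 2>&1 || true)
    case "$pk" in
        *":pubkey enc packet:"*) echo "public-key" ;;
        *":symkey enc packet:"*) echo "symmetric" ;;
        *)                       echo "unknown" ;;
    esac
}

symmetric_demo() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME     # throw-away home directory
    chmod 700 "$GNUPGHOME"
    work=$(mktemp -d)
    printf 'secret notes\n' > "$work/notes.txt"   # constructed sample input
    # Same operation the OP ran (gpg -c), passphrase supplied non-interactively.
    gpg --batch --quiet --pinentry-mode loopback --passphrase 'correct horse' \
        -c "$work/notes.txt"                      # writes notes.txt.gpg
    kind=$(encryption_kind "$work/notes.txt.gpg")
    # --no-symkey-cache: gpg-agent does not remember this passphrase, so a
    # later gpg -d on the same machine asks again instead of silently working.
    out=$(gpg --batch --quiet --no-symkey-cache --pinentry-mode loopback \
        --passphrase 'correct horse' -d "$work/notes.txt.gpg" 2>/dev/null)
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work" "$GNUPGHOME"
    echo "$kind:$out"
}
```

For a public-key encrypted file the same packet listing also shows the key ID of the recipient key, which is the key pair that must be exported to the other computer.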


Keys in the keystore dir (private-keys-v1.d/) are being modified

2019-03-10 Thread Claudio Floreani
I recently updated to GnuPG 2.2 and migrated my secret keyring file
(secring.gpg) to the new keystore dir (private-keys-v1.d).

I use a VCS to track what is being modified inside my $GNUPGHOME.

After signing a file with my sign subkey I noticed that the private key
file of the sign subkey was modified. Why? What happens?

I expected that my private key and subkeys were immutable files in the
keystore.


Claudio Floreani


Re: user id question

2019-03-10 Thread MFPA

Hi


On Friday 8 March 2019 at 8:15:43 AM, Werner Koch wrote:

> If you plan to take part in that nerdy key signing
> game

Is "nerdy" good or bad in this context?

-- 
Best regards

MFPA  

The truth is rarely pure and never simple


Re: Several GnuPG instances, with their corresponding agents

2019-03-10 Thread Damien Goutte-Gattat via Gnupg-users
Hi,

On Sun, Mar 10, 2019 at 01:25:41AM -0500, Konstantin Boyandin wrote:
> Question: how do I keep several GnuPG versions installed, every
> version with its own gpg-agent?

A Gpg-agent is tied to a specific home directory (as specified in the
GNUPGHOME environment variable or through the --homedir option of gpg),
so all you have to do is make sure you use a separate home directory for
each version you want to use.

For example, assuming you have installed version X of GnuPG under
$HOME/myprogs/gnupg-X, create a directory to use as the home directory
for that version (say, $HOME/gnupg-homes/X), then you can start using
that version by running the following:

  PATH=$HOME/myprogs/gnupg-X/bin:$PATH
  export GNUPGHOME=$HOME/gnupg-homes/X
  $SHELL -i

You'll start a new shell in which all GnuPG invocations will use the
binaries from the X version and the keyrings and other associated files
from the indicated home directory. Simply exit that shell to use again
your system-provided GnuPG in the normal home directory.

Hope that helps,

- Damien




Questions about finding keys used to encrypt files with gpg

2019-03-10 Thread mattia.codato
Hi, I've encrypted some files from my hd using the gpg -c [filename] command.

As usual gpg prompted me for a passphrase and then created the encrypted files,
so far it worked out perfectly.

I noticed that the gpg -d [filename] command works out without asking me for
the passphrase, so after a brief search I became aware of the fact that gpg
uses public/private keys encrypting, combined with a passphrase.

Having used the gpg -c command straight out of the box (so no explicit key
setup was made before running the command), I suppose the gpg command used some
kind of default keys or something like that.

Unfortunately running the gpg --list-keys or gpg --list-secret-keys command
gives nothing in output, so I guess no keys are really installed.

As far as I know, in order to successfully export and decrypt the files in other
computers, one must export and restore the original key pairs used to encrypt
the original files. So what should I do to figure out what kind of keys were
used?

Regards

Mattia  

