Re: Several GnuPG instances, with their corresponding agents

2019-03-11 Thread Phil Pennock
On 2019-03-10 at 01:25 -0500, Konstantin Boyandin via Gnupg-users wrote:
> I would like to use, whenever I like, manual builds (such as current
> 2.2.13).
> 
> Question: how do I keep several GnuPG versions installed, every version
> with its own gpg-agent?

After running ./configure [--args], take a look at the generated
`config.h` file.  Some of these can't be easily overridden at configure
time, but you can patch between configure and build.

As to whether you break at the "directory" or "socket location" level
... remember that GnuPG regards the contents of the directory as its
fiefdom and is free to move things around, often with auto-upgrade logic
which might get in the way if you want to try to downgrade.

Specifically, the defines which matter here are:
  GNUPG_DEFAULT_HOMEDIR
  anything ending _SOCK_NAME

I recommend, if doing this, that you just change GNUPG_DEFAULT_HOMEDIR
and do not try to share one config directory between multiple
concurrently-installed versions of GnuPG.

Myself, I install to /opt/gnupg/ and leave the homedir to the default.
If a user account needs to use the newer GnuPG instead of the system
one, it's the responsibility of that account to manage the directory.
If one account is trying to use both system and current GnuPG, that's a
logic error elsewhere which should be cleaned up.

-Phil

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
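Phil's suggestion of patching `config.h` between `./configure` and `make` is easy to get subtly wrong (typo in the define name, value silently left at the stock `~/.gnupg`). Added example, not code from the thread or from GnuPG: a small Python helper that lists the defines Phil names and rewrites only `GNUPG_DEFAULT_HOMEDIR`, refusing to continue if the define is missing. The `SAMPLE_CONFIG_H` text is a constructed excerpt in the shape of a generated `config.h`; the target homedir `~/.gnupg-2.2.13` is an arbitrary choice.

```python
import re
from pathlib import Path

# Constructed excerpt in the shape of a configure-generated config.h; the real
# file has hundreds of defines.  These are the ones Phil names plus one
# bystander to show it is left untouched.
SAMPLE_CONFIG_H = """\
/* config.h.  Generated from config.h.in by configure.  */
#define PACKAGE_VERSION "2.2.13"
#define GNUPG_DEFAULT_HOMEDIR "~/.gnupg"
#define GPG_AGENT_SOCK_NAME "S.gpg-agent"
#define DIRMNGR_SOCK_NAME "S.dirmngr"
"""

# One string-valued define per line:  #define NAME "value"
DEFINE_RE = re.compile(r'^(#define[ \t]+(\w+)[ \t]+)"([^"\n]*)"[ \t]*$', re.M)


def list_defines(text):
    """Map NAME -> value for every string-valued #define in config.h text."""
    return {m.group(2): m.group(3) for m in DEFINE_RE.finditer(text)}


def relevant_defines(text):
    """The defines Phil says matter: GNUPG_DEFAULT_HOMEDIR and anything *_SOCK_NAME."""
    return {name: value for name, value in list_defines(text).items()
            if name == "GNUPG_DEFAULT_HOMEDIR" or name.endswith("_SOCK_NAME")}


def patch_define(text, name, value):
    """Rewrite the value of exactly one define.  A missing or duplicated name
    raises, so a typo cannot leave the build using the stock value."""
    if '"' in value or "\n" in value:
        raise ValueError("value must be a plain C string literal")
    hits = 0

    def repl(m):
        nonlocal hits
        if m.group(2) != name:
            return m.group(0)
        hits += 1
        return '%s"%s"' % (m.group(1), value)

    out = DEFINE_RE.sub(repl, text)
    if hits != 1:
        raise ValueError("expected exactly one #define %s, found %d" % (name, hits))
    return out


def patch_homedir(text, homedir):
    """Change only GNUPG_DEFAULT_HOMEDIR, as Phil recommends; the *_SOCK_NAME
    defines stay as shipped, so per-version agents differ by directory,
    not by socket file name."""
    return patch_define(text, "GNUPG_DEFAULT_HOMEDIR", homedir)


def patch_file(path, homedir):
    """Apply patch_homedir in place, between ./configure and make."""
    p = Path(path)
    p.write_text(patch_homedir(p.read_text(), homedir))


if __name__ == "__main__":
    print(patch_homedir(SAMPLE_CONFIG_H, "~/.gnupg-2.2.13"))
```

Run it as `patch_file("config.h", "~/.gnupg-2.2.13")` from the build tree after `./configure` and before `make`; re-running `./configure` regenerates `config.h` and discards the patch, so keep the step in your build script.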


Issue with install version (gpg (GnuPG) 2.0.30)

2019-03-11 Thread Seshadrigupta Sreeram
Dear Community,

We recently installed gpg (GnuPG) 2.0.30 on AIX 7.1 and we are having
issues with decryption with the below error message.

*Error*:

cli007payd04:/global/site/vendor/psoft/payqa/user/inbound/DASHBOARDANYWHERE/ARCHIVING
$ gpg2 --decrypt DCXSUBKIOSIUHRY.2018-11-09-16.15.05.00
Warning: using insecure memory!

You need a passphrase to unlock the secret key for
user: "PeopleSoft Payroll (File Validation) "
2048-bit ELG key, ID ECC0069D, created 2004-06-25 (main key ID 0CD363B0)

exec(): 0509-036 Cannot load program gpg-agent_64 because of the following errors:
0509-130 Symbol resolution failed for gpg-agent_64 because:
0509-136   Symbol _GLOBAL__AIXI_libpth_so (number 188) is not exported from
           dependent module /usr/lib/libpth.a[libpth.so.20].
0509-136   Symbol _GLOBAL__AIXD_libpth_so (number 189) is not exported from
           dependent module /usr/lib/libpth.a[libpth.so.20].
0509-192 Examine .loader section symbols with the 'dump -Tv' command.
gpg: can't connect to the agent: End of file
gpg: problem with the agent: No agent running


*GPG Version:*

cli007payd04:/global/site/vendor/psoft/payqa/user/scripts/validation $ gpg2 --version
gpg (GnuPG) 2.0.30
libgcrypt 1.5.4
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2


Encryption works fine and we have the issue only while decryption.

Thanks in advance!!

Regards,
Sreeram
PeopleSoft Platform Team
ITM – 3rd Floor, 3S2 E2
(O) 248-838-6328, (M) 248-909-6138, T-line 821-6328
Email:- ss2...@chrysler.com


Re: Several GnuPG instances, with their corresponding agents

2019-03-11 Thread Konstantin Boyandin via Gnupg-users
Hi Damien,

On 10.03.2019 21:50, Damien Goutte-Gattat writes:
> On Sun, Mar 10, 2019 at 01:25:41AM -0500, Konstantin Boyandin wrote:
>> Question: how do I keep several GnuPG versions installed, every
>> version with its own gpg-agent?
> 
> A Gpg-agent is tied to a specific home directory (as specified in the
> GNUPGHOME environment variable or through the --homedir option of gpg),
> so all you have to do is make sure you use a separate home directory for
> each version you want to use.
> 
> For example, assuming you have installed version X of GnuPG under
> $HOME/myprogs/gnupg-X, create a directory to use as the home directory
> for that version (say, $HOME/gnupg-homes/X), then you can start using
> that version by running the following:
> 
>   PATH=$HOME/myprogs/gnupg-X/bin:$PATH
>   export GNUPGHOME=$HOME/gnupg-homes/X
>   $SHELL -i
> 
> You'll start a new shell in which all GnuPG invocations will use the
> binaries from the X version and the keyrings and other associated files
> from the indicated home directory. Simply exit that shell to use again
> your system-provided GnuPG in the normal home directory.

Thanks for the pieces of advice, I'll try that shortly.

I'd also like to share the same keys among all 2.2.* versions - I'll
check how to do that with as little ado as possible.

Sincerely,
Konstantin



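Damien's three-line recipe (quoted above) is the whole mechanism: gpg-agent is keyed to `GNUPGHOME`, so a separate homedir per version gives a separate agent per version. Added example, not code from the thread: a Python helper that builds that environment, creates the homedir with mode 0700 (gpg complains about anything looser), and asks the selected installation where its agent socket actually is via `gpgconf --list-dirs`, since with GnuPG 2.1 and later the socket of a non-default homedir usually lives under `/run/user/<uid>/gnupg/` rather than inside the homedir. The directory layout (`myprogs/gnupg-X/bin`, `gnupg-homes/X`) follows Damien's mail; the `demo()` function, its throwaway temp directory and its `/nonexistent` PATH are constructed so the script runs without any GnuPG installed.

```python
import os
import shutil
import stat
import subprocess
from pathlib import Path


def version_env(version, prefix_root, home_root, base_env=None):
    """Environment Damien describes: that version's bin/ first on PATH and
    GNUPGHOME pointing at a homedir reserved for it.  gpg-agent is keyed to
    GNUPGHOME, so each version also gets its own agent."""
    env = dict(os.environ if base_env is None else base_env)
    bindir = str(Path(prefix_root) / ("gnupg-%s" % version) / "bin")
    old_path = env.get("PATH", "")
    # Never leave an empty PATH element: a trailing ":" means "current directory".
    env["PATH"] = bindir + os.pathsep + old_path if old_path else bindir
    env["GNUPGHOME"] = str(Path(home_root) / version)
    return env


def ensure_homedir(path):
    """Create the homedir with mode 0700 (gpg warns about unsafe permissions
    otherwise) and tighten an existing one rather than trusting the umask."""
    p = Path(path)
    p.mkdir(parents=True, exist_ok=True)
    os.chmod(p, 0o700)
    mode = stat.S_IMODE(p.stat().st_mode)
    if mode != 0o700:
        raise RuntimeError("%s has mode %o, expected 700" % (p, mode))
    return p


def agent_socket(env):
    """Ask the selected installation where its agent socket is (gpgconf
    --list-dirs).  Since 2.1 the socket for a non-default homedir is usually
    not inside that homedir, so ask instead of guessing.  Returns None when
    no gpgconf is on that PATH."""
    gpgconf = shutil.which("gpgconf", path=env["PATH"])
    if gpgconf is None:
        return None
    out = subprocess.run([gpgconf, "--list-dirs"], env=env,
                         capture_output=True, text=True, check=True).stdout
    for line in out.splitlines():
        key, _, value = line.partition(":")
        if key == "agent-socket":
            return value
    return None


def run_gpg(version, prefix_root, home_root, gpg_args):
    """Run the chosen version's gpg against its own homedir and agent."""
    env = version_env(version, prefix_root, home_root)
    ensure_homedir(env["GNUPGHOME"])
    gpg = shutil.which("gpg", path=env["PATH"])
    if gpg is None:
        raise FileNotFoundError("no gpg under %s" % env["PATH"].split(os.pathsep)[0])
    return subprocess.run([gpg] + list(gpg_args), env=env)


def demo():
    """Stand-alone run in a throwaway directory with a PATH that contains no
    real GnuPG, so nothing on the host is touched (constructed for this example)."""
    import tempfile
    root = Path(tempfile.mkdtemp(prefix="gnupg-homes-demo-"))
    env = version_env("2.2.13", root / "myprogs", root / "gnupg-homes",
                      base_env={"PATH": "/nonexistent"})
    home = ensure_homedir(env["GNUPGHOME"])
    return {
        "root": str(root),
        "path": env["PATH"],
        "gnupghome": env["GNUPGHOME"],
        "mode": stat.S_IMODE(home.stat().st_mode),
        "agent_socket": agent_socket(env),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-13s %s" % (key, value))
```

For real use, `run_gpg("2.2.13", Path.home() / "myprogs", Path.home() / "gnupg-homes", ["--list-keys"])` does what Damien's interactive subshell does for a single command. Check `agent_socket(env)` for two versions side by side: if both report the same path, they are sharing a homedir (and an agent), which is exactly the situation Phil warns against.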


Re: Multiple dev one signing key

2019-03-11 Thread Werner Koch
On Mon, 11 Mar 2019 12:43, johndoe65...@mail.com said:

> Just to be clear, you Werner will sign everything that needs to be
> signed for a release with your personal key.

In practice that is the case.  However, anyone of our small group can
sign releases and also update the online list of current version
numbers.

> As an extra layer of security Niibe will also sign the release and send
> you the detached signature.

One signature is actually sufficient but for users of the Web of Trust a
second signature might make a difference to some.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: Multiple dev one signing key

2019-03-11 Thread john doe
On 3/10/2019 8:29 PM, Werner Koch wrote:
> On Fri,  8 Mar 2019 20:05, johndoe65...@mail.com said:
>
>> What is the best way forward?
>> - One signing key accessible on the release system
>
> I'd say depends on the release system.  In most cases this is a
> networked box and I would hesitate to do this.  Using gpg --with a
> remote gpg-agent would be an option, though.
>

Looks like this approach is out of the question, we are scattered around
the world without knowing each other in real life! :)

>> - Each dev having a copy of the key to be able to sign a release
>
> That is what we do in GnuPG.  We have a few core developers which carry
> a key and that set of key is distributed with each gpg release and also
> via other channels.  We also demand that the keys are all smartcard based
> and thus a remote key compromise would need physical access.  Well, a
> developer could be tricked into signing a bad release but at least this
> would not compromise the widely distributed key.
>
> We often add a second signature to a release.  For example, I sign many
> of the releases and when Niibe-san then sends me his signature for the
> same tarball I then append that signature to mine [1].  This is also the
> reason why you often notice a changed signature file (you can simply
> concatenate detached signatures).  For a small group this works really
> well, but for a larger group the system Konstantin describes in his mail
> is better up to the task.
>

Just to be clear, you Werner will sign everything that needs to be
signed for a release with your personal key.
As an extra layer of security Niibe will also sign the release and send
you the detached signature.

Is that correct or what am I missing?


Thank you Werner for your input, along with Werner's input I'd also like
to thank the below two for their input:
Daniel Kahn Gillmor 
Konstantin Ryabitsev 

--
John Doe

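Werner's remark (quoted above) that detached signatures can simply be concatenated works because a detached `.sig` file is nothing more than a sequence of OpenPGP signature packets (RFC 4880 tag 2), and `gpg --verify` checks each packet it finds. Added example, not code from the thread or from GnuPG: a minimal packet walker that builds two structurally valid v4 signature packets, concatenates them the way `cat a.sig b.sig` would, and lists the issuer key ID of each. The key IDs `0123456789ABCDEF` and `FEDCBA9876543210` and the MPI bytes are made up; no cryptographic verification is attempted.

```python
import struct

SIGNATURE_TAG = 2  # RFC 4880 section 5.2


def encode_old(tag, body):
    """Old-format packet header (RFC 4880 4.2.1), as gpg writes for signatures."""
    if len(body) < 256:
        return bytes([0x80 | (tag << 2) | 0, len(body)]) + body
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


def encode_new(tag, body):
    """New-format packet header (RFC 4880 4.2.2)."""
    n = len(body)
    if n < 192:
        return bytes([0xC0 | tag, n]) + body
    if n < 8384:
        n -= 192
        return bytes([0xC0 | tag, (n >> 8) + 192, n & 0xFF]) + body
    return bytes([0xC0 | tag, 255]) + struct.pack(">I", n) + body


def fake_v4_signature(issuer_keyid, sigtype=0x00, pubkey_algo=1, hash_algo=8):
    """Structurally valid v4 signature body (binary document, RSA, SHA-256)
    with an issuer subpacket and a placeholder MPI.  It will not verify;
    it only exercises the packet layer.  Constructed for this example."""
    assert len(issuer_keyid) == 8
    unhashed = bytes([9, 16]) + issuer_keyid        # len 9, type 16 = issuer
    mpi = struct.pack(">H", 16) + b"\xab\xcd"       # 16-bit MPI, made-up value
    return (bytes([4, sigtype, pubkey_algo, hash_algo])
            + struct.pack(">H", 0)                  # no hashed subpackets
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x12\x34"                           # left 16 bits of the hash
            + mpi)


def iter_packets(data):
    """Yield (tag, body) for each packet; reject anything a detached
    signature file should not contain (partial bodies, truncation)."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not a packet header at offset %d" % pos)
        if ctb & 0x40:                              # new-format header
            tag = ctb & 0x3F
            o1 = data[pos + 1]
            if o1 < 192:
                length, hl = o1, 2
            elif o1 < 224:
                length, hl = ((o1 - 192) << 8) + data[pos + 2] + 192, 3
            elif o1 == 255:
                length, hl = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
            else:
                raise ValueError("partial body length in a detached signature")
        else:                                       # old-format header
            tag = (ctb >> 2) & 0x0F
            lt = ctb & 3
            if lt == 0:
                length, hl = data[pos + 1], 2
            elif lt == 1:
                length, hl = struct.unpack(">H", data[pos + 1:pos + 3])[0], 3
            elif lt == 2:
                length, hl = struct.unpack(">I", data[pos + 1:pos + 5])[0], 5
            else:
                raise ValueError("indeterminate length in a detached signature")
        body = data[pos + hl:pos + hl + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        yield tag, body
        pos += hl + length


def parse_signature(body):
    """Pull version, type, algorithms and issuer key ID out of a v4 signature."""
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    hlen = struct.unpack(">H", body[4:6])[0]
    p = 6 + hlen
    ulen = struct.unpack(">H", body[p:p + 2])[0]
    subpackets = body[6:6 + hlen] + body[p + 2:p + 2 + ulen]
    issuer, q = None, 0
    while q < len(subpackets):
        l = subpackets[q]
        if l >= 192:
            raise ValueError("long subpacket lengths not handled")
        if subpackets[q + 1] & 0x7F == 16:          # issuer subpacket
            issuer = subpackets[q + 2:q + 1 + l].hex().upper()
        q += 1 + l
    return {"version": 4, "sigtype": body[1], "pubkey_algo": body[2],
            "hash_algo": body[3], "issuer": issuer}


def list_signatures(blob):
    """Every signature packet in a detached .sig, in file order."""
    return [parse_signature(body) for tag, body in iter_packets(blob) if tag == SIGNATURE_TAG]


# Constructed key IDs; they belong to nobody.
KEYID_A = bytes.fromhex("0123456789abcdef")
KEYID_B = bytes.fromhex("fedcba9876543210")
SIG_A = encode_old(SIGNATURE_TAG, fake_v4_signature(KEYID_A))
SIG_B = encode_new(SIGNATURE_TAG, fake_v4_signature(KEYID_B))
COMBINED_SIG = SIG_A + SIG_B   # what "cat a.sig b.sig > release.sig" produces

if __name__ == "__main__":
    for sig in list_signatures(COMBINED_SIG):
        print(sig)
```

Point it at a real release signature with `list_signatures(open("gnupg-2.2.13.tar.bz2.sig", "rb").read())` to see how many signers a file carries. The caveat for anyone relying on the second signature: gpg prints one verdict per signature, so a verification script has to check every signature's status rather than stop at the first "Good signature".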