Re: WKS server problems
On 23/03/2020 16:52, john doe wrote:
> I thought that 'only-urandom' could be used as a replacement of haveged
> on this Stretch VM, looks like I misunderstood when to use this option.

Try it anyway, Debian often backports newer features if they have security implications (dkg should be able to tell you definitively).

--
Andrew Gallagher

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WKS server problems
On 3/23/2020 5:21 PM, Andrew Gallagher wrote:
> On 23/03/2020 15:58, john doe wrote:
>> $ gpg --version
>> gpg (GnuPG) 2.1.18
>> libgcrypt 1.7.6-beta
>>
>> Is it not working because of a too old release?
>
> Yes, that's FAR too old. :-) You need to dist-upgrade to buster.
>

I'll go back to using havege then as I need to generate a gpg key for testing purposes on this VM.

I thought that 'only-urandom' could be used as a replacement of haveged on this Stretch VM, looks like I misunderstood when to use this option.

--
John Doe

Re: WKS server problems
On 23/03/2020 15:58, john doe wrote:
> $ gpg --version
> gpg (GnuPG) 2.1.18
> libgcrypt 1.7.6-beta
>
> Is it not working because of a too old release?

Yes, that's FAR too old. :-) You need to dist-upgrade to buster.

--
Andrew Gallagher

Re: WKS server problems
On 3/23/2020 1:01 PM, Werner Koch wrote:
> On Mon, 23 Mar 2020 10:16, john doe said:
>
>> Thank you Werner, I wrapped the above as a one-liner:
>
> This is even easier.
>
> $ mkdir -p /etc/gcrypt && echo only-urandom>/etc/gcrypt/random.conf
>
> The '#' lines are merely comments to show which other options are
> available.
>
>
> Shalom-Salam,
>

Actually, I just reinstalled the Stretch VM in question to test the above option and I'm back to square one.

$ gpg --version
gpg (GnuPG) 2.1.18
libgcrypt 1.7.6-beta

Is it not working because of a too old release?

--
John Doe

Re: WKS server problems
On Mon, 23 Mar 2020 10:16, john doe said:
> Thank you Werner, I wrapped the above as a one-liner:

This is even easier.

$ mkdir -p /etc/gcrypt && echo only-urandom>/etc/gcrypt/random.conf

The '#' lines are merely comments to show which other options are available.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

Re: WKS server problems
On 3/22/2020 8:55 PM, Werner Koch via Gnupg-users wrote:
> On Sun, 22 Mar 2020 12:36, Andrew Gallagher said:
>> On 22/03/2020 05:38, john doe wrote:
>>> Do you have enough entropy on the VM?
>>
>> Argh, thank you. I thought I had enough entropy because monkeysphere
>> created its trust root without issue, but installing haveged did fix the
>> problem.
>
> You might be better off using this:
>
> --8<---cut here---start->8---
> $ cat /etc/gcrypt/random.conf
> # Options for the random generator
>
> # We don't trust the the Jitter based thing - do not use it.
> #disable-jent
>
> only-urandom
>
> --8<---cut here---end--->8---
>
> instead of the very brittle and CPU dependent haveged. On any decent
> Linux urandom is good enough. Right at some early boot stages and on a
> fresh or not properly shutdown system, it might have too little entropy.
> But if you have such concerns you should anyway use the latest Libgcrypt
> which does not only mix in RDRAND but also entropy from its own
> JitterRNG.
>

Thank you Werner, I wrapped the above as a one-liner:

$ mkdir -p /etc/gcrypt && printf "# Options for the random generator\n#\n# https://lists.gnupg.org/pipermail/gnupg-users/2020-March/063372.html\n#\n# We don't trust the Jitter based thing - do not use it.\n#disable-jent\n\nonly-urandom\n" > /etc/gcrypt/random.conf

Note that this e-mail is folded by my mailer.

--
John Doe

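Added example (not part of any message in this thread, and not GnuPG project code): a POSIX sh check that Werner's one-line random.conf and the commented variant above leave the same option active, with a helper that reads the libgcrypt version from `gpg --version` output. The function names, the scratch-directory layout and the caller-supplied minimum version are assumptions; the parsing rule follows Werner's remark that the '#' lines are comments.

```shell
#!/bin/sh
# Added example; function names and sample files are constructed here.

# Print the active options of a random.conf-style file, one per line.
# Blank lines and lines starting with '#' (after leading blanks) are skipped.
gcrypt_active_options() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -v -e '^#' -e '^$' | sort -u
}

# Read `gpg --version` output on stdin, print the libgcrypt version number.
libgcrypt_version() {
    sed -n 's/^libgcrypt[[:space:]]\{1,\}\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeed if dotted version $1 is strictly older than $2. The minimum to
# compare against is the caller's assumption; the thread only establishes
# that 1.7.6-beta is too old for random.conf.
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# Build both variants from the thread in a scratch directory (never /etc)
# and print the shared option set if they are equivalent.
compare_thread_variants() {
    dir=$(mktemp -d) || return 1
    echo only-urandom > "$dir/short.conf"
    printf "# Options for the random generator\n#\n# We don't trust the Jitter based thing - do not use it.\n#disable-jent\n\nonly-urandom\n" > "$dir/long.conf"
    short=$(gcrypt_active_options "$dir/short.conf")
    long=$(gcrypt_active_options "$dir/long.conf")
    rm -rf "$dir"
    [ "$short" = "$long" ] && printf '%s\n' "$short"
}

compare_thread_variants
```

On a real host, `gpg --version | libgcrypt_version` feeds the installed version into `version_lt` before relying on the file being read at all.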
Re: monkeysign removal from bullseye
On 22/03/2020 19:22, Wiktor Kwapisiewicz wrote:
> Actually newer GnuPG already has a lot of interesting options. For key
> signing automation the most interesting one is "--quick-sign-key" that
> can sign a given UID in a key given by fingerprint.

This will be very useful in the future, thanks. The --quick-* options are a great help. Unfortunately I'm trying to maintain a package that's compatible with stable .deb distros so I can't rely upon new features until the distros bump...

--
Andrew Gallagher

Re: WKS server problems
On 22/03/2020 19:55, Werner Koch wrote:
> You might be better off using this:
...
> instead of the very brittle and CPU dependent haveged.

Thanks, Werner! That seems to work.

--
Andrew Gallagher

Re: monkeysign removal from bullseye
On 22/03/2020 22:16, Vincent Breitmoser wrote:
> Have you seen openpgp-ca? It's an effort that sounds similar to what you are
> describing, based on sequoia-pgp.

That sounds very interesting, thank you!

A

--
Andrew Gallagher