Re: Non printable ASCII characters in pass phrase.

2020-07-27 Thread Robert J. Hansen
> Is it safe to have non printable ASCII characters in the pass phrase?

GnuPG doesn't care, but your password manager might have problems or
your third-party pinentry or...

Best advice is to use printable UTF-8.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Non printable ASCII characters in pass phrase.

2020-07-27 Thread Ayoub Misherghi via Gnupg-users

Is it safe to have non printable ASCII characters in the pass phrase?



Re: "skipped: Unusable public key"

2020-07-27 Thread Ayoub Misherghi via Gnupg-users
If it is not in my machine I do not know where it is. I did not export
it. I did not share it or put it on any server.



On 7/27/2020 4:51 PM, Philihp Busby wrote:

It appears that 3C5B212A55B966881E2D2718A45398B520BEE91E does not have the [E] 
usage for encryption, nor does it have any subkeys with that usage. This subkey 
would have been created by default when the master key was created. See if you 
can recover it?

From your prior message on 2020-07-13, it has the ID
F2A76096E857E2AF607DD144D17AA44F49BB5A08.






Re: WKD question

2020-07-27 Thread Damien Goutte-Gattat via Gnupg-users

On Mon, Jul 27, 2020 at 10:00:07PM +0200, Stefan Claas wrote:

> For testing my new Nitrokey I have just installed Enigmail for
> Thunderbird on a fresh Ubuntu system, and when clicking on
> a signed message from a friend who has properly set up
> WKD, Thunderbird/Enigmail cannot fetch the pub key. :-(


Unless I missed something, I believe Enigmail will only attempt to 
automatically fetch a key from a Web Key Directory when *composing* a 
message (if there’s no key for the recipient in the local keyring), and 
*not* when checking a signature on a received message.


See this excerpt from the Enigmail 2.0 changelog [1]:

> Support for Web Key Directory (WKD) is implemented. Enigmail will try
> to download unavailable keys during message composition from WKD.



You can force GnuPG to try to fetch a missing key when verifying a 
signature by enabling the --auto-key-retrieve option (please read the 
note about the “web bug” in gpg’s man page before doing so—that option 
is disabled by default for a reason.)



Regards,

- Damien


[1] https://enigmail.net/index.php/en/download/changelog



Re: "skipped: Unusable public key"

2020-07-27 Thread Philihp Busby via Gnupg-users
It appears that 3C5B212A55B966881E2D2718A45398B520BEE91E does not have the [E] 
usage for encryption, nor does it have any subkeys with that usage. This subkey 
would have been created by default when the master key was created. See if you 
can recover it?

From your prior message on 2020-07-13, it has the ID
F2A76096E857E2AF607DD144D17AA44F49BB5A08.

On 2020-07-27T15:52:04-0700 Ayoub Misherghi via Gnupg-users wrote 1.8K bytes:

> 
> Not obvious to me why that is happening:
> 
> 
> ayoub@vboxpwfl:~/testdir$ ls
> 
> textfile
> 
> 
> ayoub@vboxpwfl:~/testdir$ gpg -r sentry -e textfile
> 
> gpg: sentry: skipped: Unusable public key
> gpg: textfile: encryption failed: Unusable public key
> 
> 
> 
> ayoub@vboxpwfl:~/testdir$ gpg --list-keys
> 
> /home/ayoub/.gnupg/pubring.kbx
> --
> pub   ed25519 2020-07-09 [SC] [expires: 2020-09-25]
>   3C5B212A55B966881E2D2718A45398B520BEE91E
> uid   [ultimate] sentry
> 
> pub   ed25519 2020-07-09 [SC] [expires: 2021-07-09]
>   7A675D7F52BC905C22F8249091556BC29D4C595E
> uid   [ultimate] develop1
> sub   cv25519 2020-07-09 [E] [expires: 2021-07-09]
> 
> 
> 
> ayoub@vboxpwfl:~/testdir$ gpg --list-secret-keys
> /home/ayoub/.gnupg/pubring.kbx
> --
> sec   ed25519 2020-07-09 [SC] [expires: 2020-09-25]
>   3C5B212A55B966881E2D2718A45398B520BEE91E
> uid   [ultimate] sentry
> 
> sec   ed25519 2020-07-09 [SC] [expires: 2021-07-09]
>   7A675D7F52BC905C22F8249091556BC29D4C595E
> uid   [ultimate] develop1
> ssb   cv25519 2020-07-09 [E] [expires: 2021-07-09]
> 
> ayoub@vboxpwfl:~/testdir$
> 
> 

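Philihp's diagnosis above (a certificate with only [SC] capability and no [E] subkey cannot be encrypted to) can be checked mechanically before the "Unusable public key" error appears. The following is an added example, not code from the thread or from GnuPG: it parses the human-readable `gpg --list-keys` output in the layout shown in this thread (assumed here for illustration; `--with-colons` is GnuPG's stable machine-readable interface and is the better choice for production tooling) and reports whether a user ID has a non-expired key carrying the E capability. The sample listing is constructed from the one posted in the thread.

```python
import re
from typing import Dict, List

# Sample constructed from the `gpg --list-keys` listing posted in this thread.
SAMPLE_LISTING = """\
/home/ayoub/.gnupg/pubring.kbx
------------------------------
pub   ed25519 2020-07-09 [SC] [expires: 2020-09-25]
      3C5B212A55B966881E2D2718A45398B520BEE91E
uid           [ultimate] sentry

pub   ed25519 2020-07-09 [SC] [expires: 2021-07-09]
      7A675D7F52BC905C22F8249091556BC29D4C595E
uid           [ultimate] develop1
sub   cv25519 2020-07-09 [E] [expires: 2021-07-09]
"""

# pub/sub/sec/ssb line: algorithm, creation date, capability letters in the
# first bracket ([SC], [E], [SCA] ...), then an optional expiry bracket.
KEY_LINE = re.compile(
    r"^(pub|sub|sec|ssb)\s+\S+\s+\d{4}-\d{2}-\d{2}\s+\[([SCEA]+)\]"
    r"(?:\s+\[(expires|expired):\s+(\d{4}-\d{2}-\d{2})\])?"
)
UID_LINE = re.compile(r"^uid\s+\[[^\]]*\]\s+(.+?)\s*$")
FPR_LINE = re.compile(r"^\s+([0-9A-F]{40})\s*$")

def parse_listing(text: str) -> List[Dict]:
    """Group the listing into certificates: fingerprint, user IDs, and keys."""
    certs: List[Dict] = []
    cur = None
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            kind, caps, label, day = m.groups()
            key = {"caps": set(caps), "expires": day, "expired": label == "expired"}
            if kind in ("pub", "sec"):          # a new certificate starts here
                cur = {"fpr": None, "uids": [], "keys": [key]}
                certs.append(cur)
            elif cur is not None:               # subkey of the current certificate
                cur["keys"].append(key)
            continue
        if cur is None:
            continue
        m = FPR_LINE.match(line)
        if m and cur["fpr"] is None:
            cur["fpr"] = m.group(1)
            continue
        m = UID_LINE.match(line)
        if m:
            cur["uids"].append(m.group(1))
    return certs

def can_encrypt_to(text: str, name: str, today: str) -> bool:
    """True if the certificate whose user ID contains `name` has a usable
    encryption key: capability E and not expired on `today` (YYYY-MM-DD)."""
    for cert in parse_listing(text):
        if any(name in uid for uid in cert["uids"]):
            return any(
                "E" in k["caps"] and not k["expired"]
                and (k["expires"] is None or k["expires"] > today)
                for k in cert["keys"]
            )
    raise KeyError(f"no certificate with a user ID matching {name!r}")
```

ISO dates compare correctly as strings, which is why no date parsing is needed for the expiry check.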


"skipped: Unusable public key"

2020-07-27 Thread Ayoub Misherghi via Gnupg-users


Not obvious to me why that is happening:


ayoub@vboxpwfl:~/testdir$ ls

textfile


ayoub@vboxpwfl:~/testdir$ gpg -r sentry -e textfile

gpg: sentry: skipped: Unusable public key
gpg: textfile: encryption failed: Unusable public key



ayoub@vboxpwfl:~/testdir$ gpg --list-keys

/home/ayoub/.gnupg/pubring.kbx
--
pub   ed25519 2020-07-09 [SC] [expires: 2020-09-25]
  3C5B212A55B966881E2D2718A45398B520BEE91E
uid   [ultimate] sentry

pub   ed25519 2020-07-09 [SC] [expires: 2021-07-09]
  7A675D7F52BC905C22F8249091556BC29D4C595E
uid   [ultimate] develop1
sub   cv25519 2020-07-09 [E] [expires: 2021-07-09]



ayoub@vboxpwfl:~/testdir$ gpg --list-secret-keys
/home/ayoub/.gnupg/pubring.kbx
--
sec   ed25519 2020-07-09 [SC] [expires: 2020-09-25]
  3C5B212A55B966881E2D2718A45398B520BEE91E
uid   [ultimate] sentry

sec   ed25519 2020-07-09 [SC] [expires: 2021-07-09]
  7A675D7F52BC905C22F8249091556BC29D4C595E
uid   [ultimate] develop1
ssb   cv25519 2020-07-09 [E] [expires: 2021-07-09]

ayoub@vboxpwfl:~/testdir$



Re: WKD question

2020-07-27 Thread Stefan Claas
Damien Goutte-Gattat wrote:
 
> On Mon, Jul 27, 2020 at 10:00:07PM +0200, Stefan Claas wrote:
> >For testing my new Nitrokey I have just installed Enigmail for
> >Thunderbird on a fresh Ubuntu system, and when clicking on
> >a signed message from a friend who has properly set up
> >WKD, Thunderbird/Enigmail cannot fetch the pub key. :-(
> 
> Unless I missed something, I believe Enigmail will only attempt to 
> automatically fetch a key from a Web Key Directory when *composing* a 
> message (if there’s no key for the recipient in the local keyring), and 
> *not* when checking a signature on a received message.
> 
> See that excerpt from Enigmail 2.0 changelog [1]:
> 
> > Support for Web Key Directory (WKD) is implemented. Enigmail will try 
> > to download unavailable keys during message composition from WKD.

Ah, ok, thanks. I thought it would also fetch automatically when checking
signatures.

> You can force GnuPG to try to fetch a missing key when verifying a 
> signature by enabling the --auto-key-retrieve option (please read the 
> note about the “web bug” in gpg’s man page before doing so—that option 
> is disabled by default for a reason.)

I enabled it now and it works. :-)

Regards
Stefan

-- 
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion


Re: WKD question

2020-07-27 Thread Stefan Claas
Dmitry Alexandrov wrote:
 
> Stefan Claas  wrote:
> > Enigmail for Thunderbird on a fresh Ubuntu system
> > when clicking on a signed message from a friend who has properly set up
> > WKD, Thunderbird/Enigmail cannot fetch the pub
> > key. :-(
> 
> Unfortunately, ‘can not’ is not a very informative description.  Does it return
> any error?  How do you know that it even tries?

Sorry for the bad description. When you have a signed message in Enigmail
and you do not have the pub key in your keyring, it shows a yellow bar and
asks if you would like to decrypt the message. When clicking on the decrypt
button it searches key servers and not WKD.

> > What do I have to do so that this works? I thought that GnuPG and Enigmail
> > nowadays default to WKD too.
> 
> You mean that you expect that GPG should silently fetch absent keys when
> checking signatures out of the box?  No, it does not
> do that:

[...]

Thanks, with auto-key-retrieve and auto-key-locate WKD etc. it works when
clicking on the decrypt button in Enigmail or the lock button in Claws-Mail.

Regards
Stefan

-- 
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion


Re: WKD question

2020-07-27 Thread Dmitry Alexandrov
Stefan Claas  wrote:
> Enigmail for Thunderbird on a fresh Ubuntu system
> when clicking on a signed message from a friend who has properly set up
> WKD, Thunderbird/Enigmail cannot fetch the pub key. :-(

Unfortunately, ‘can not’ is not a very informative description.  Does it return
any error?  How do you know that it even tries?

> What do I have to do so that this works? I thought that GnuPG and Enigmail nowadays
> default to WKD too.

You mean that you expect that GPG should silently fetch absent keys when
checking signatures out of the box?  No, it does not do that:

| '--auto-key-retrieve'
| '--no-auto-key-retrieve'
|  These options enable or disable the automatic retrieving of keys
|  from a keyserver when verifying signatures made by keys that are
|  not on the local keyring.  The default is '--no-auto-key-retrieve'.
|
|  If the method "wkd" is included in the list of methods given to
|  'auto-key-locate', the signer's user ID is part of the signature,
|  and the option '--disable-signer-uid' is not used, the "wkd" method
|  may also be used to retrieve a key.
|
|  Note that this option makes a "web bug" like behavior possible.
|  Keyserver or Web Key Directory operators can see which keys you
|  request, so by sending you a message signed by a brand new key
|  (which you naturally will not have on your local keyring), the
|  operator can tell both your IP address and the time when you
|  verified the signature.
— (info "(gnupg) GPG Configuration Options")



Re: Why is there no secret key?

2020-07-27 Thread Ayoub Misherghi via Gnupg-users

With API I mean something like GPGME.

This is what came across to me:

1) It is preferable to have "--batch" on the command line even in unattended
operation, and not in the gpg.conf file?

2) --pinentry-mode, when needed, goes in gpg.conf

3) --allow-loopback-pinentry, when needed, goes in gpg-agent.conf

New related question:

Is it true that command line parameters only go to gpg and gpg-agent?

Ayoub




WKD - .onion redirects mapping

2020-07-27 Thread Phil Pennock via Gnupg-users
Folks,

Is there any facility in GnuPG, or any neat hacks which can be applied
to current releases, to be able to remap WKD queries to go to specified
.onion hosts?

Eg,  lists:

openpgpkey.debian.org: http://habaivdfcyamjhkk.onion/

and indeed if I use `gpg --list-keys --with-wkd-hash debian.org` and
pick someone vaguely at random, I can run:

curl -fSs http://habaivdfcyamjhkk.onion/.well-known/openpgpkey/debian.org/hu/ycp4ih1jtsdky6d6ufee9h3txmmaqgag | gpg --import

and it works.

My understanding is that for .onion hostname services they already have
security equivalent to TLS providing privacy in their direct links onto
Tor, so if I trust my access to my Tor gateway, this gives enough
privacy.

So I'd be looking for something morally equivalent to having
`~/.gnupg/onion-wkd-mappings.txt` containing lines like, well, the
snippet I pasted above from the onion.debian.org page (with comments etc
allowed too, so I can record the provenance of mappings), or some moral
equivalent (directory with entries to be remapped, etc).

Or am I looking at just a thin shell wrapper to do the mappings needed
to invoke `curl | gpg` as above?  I'm thinking that with dirmngr already
having some Tor support, it's a better place to automatically do so.

-Phil

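As an added example (not code from the thread, nor from GnuPG or dirmngr), here is the client side of what Phil describes, in Python: deriving the WKD hash and URL for an address (SHA-1 of the lower-cased local part, z-base-32 encoded, which is what `--with-wkd-hash` prints), reading a mappings file in the shape he sketches (clearnet host, colon, .onion base URL, with `#` comments and blank lines), and rewriting a clearnet WKD URL onto the mapped .onion host. The mappings file format and function names are assumptions; the one mapping in the constructed sample is the debian.org entry quoted above.

```python
import hashlib
from typing import Dict, Optional

# z-base-32 alphabet, as used by the WKD draft for the hashed local part.
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"

def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32, most significant bits first, no padding."""
    nbits = len(data) * 8
    pad = (-nbits) % 5
    value = int.from_bytes(data, "big") << pad
    return "".join(ZB32[(value >> s) & 31] for s in range(nbits + pad - 5, -1, -5))

def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lower-cased local part, z-base-32 encoded (32 chars);
    this is the value `gpg --list-keys --with-wkd-hash` shows per user ID."""
    return zbase32(hashlib.sha1(local_part.lower().encode("utf-8")).digest())

def wkd_url(addr: str, advanced: bool = True) -> str:
    """Advanced-method (openpgpkey.<domain>) or direct-method WKD URL."""
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    if advanced:
        return f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={local}"
    return f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={local}"

# Mapping file in the shape sketched in the post: "host: http://x.onion/" lines,
# with '#' comments and blank lines allowed.  Constructed sample; the single
# mapping is the debian.org entry quoted in the thread.
SAMPLE_MAPPINGS = """\
# provenance: onion.debian.org list, as quoted in the thread
openpgpkey.debian.org: http://habaivdfcyamjhkk.onion/
"""

def parse_mappings(text: str) -> Dict[str, str]:
    """Parse 'clearnet-host: onion-base-url' lines into a lookup table."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        host, target = (part.strip() for part in line.split(":", 1))
        table[host.lower()] = target.rstrip("/")
    return table

def remap_to_onion(url: str, table: Dict[str, str]) -> Optional[str]:
    """Same WKD path on the mapped .onion host, or None if the host is unmapped."""
    _scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    target = table.get(host.lower())
    return None if target is None else f"{target}/{path}"
```

An unmapped host returns None so a wrapper can fall back to the normal clearnet fetch rather than silently leaking the query outside Tor.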


WKD question

2020-07-27 Thread Stefan Claas
Hi all,

I must admit I am a bit out of the loop when it comes to GnuPG
configuration.

For testing my new Nitrokey I have just installed Enigmail for
Thunderbird on a fresh Ubuntu system, and when clicking on
a signed message from a friend who has properly set up
WKD, Thunderbird/Enigmail cannot fetch the pub key. :-(

I tried also under Windows, with gpg4win and also no luck.

What do I have to do so that this works? I thought that GnuPG
and Enigmail nowadays default to WKD too.

Regards
Stefan

-- 
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion



Re: Why is there no secret key?

2020-07-27 Thread Ayoub Misherghi via Gnupg-users



The same thing happens when I give the option --no-batch on the command
line.

The problem seems to have gone away when I moved the config option
pinentry-mode loopback
to $HOME/.gnupg/gpg.conf from $HOME/.gnupg/gpg-agent.conf

In the final version when development ends, I am going to have
"no-batch" in the config because the final version works
non-interactively (and through the API.) That is why I have it in the
config now.

Thanks guys,

Ayoub






Re: Why is there no secret key?

2020-07-27 Thread Peter Lebbing
On 27/07/2020 20:56, Ayoub Misherghi wrote:
> The same thing happens when I give the option --no-batch on the
> command line.

But that only passes --no-batch to gpg, not to gpg-agent. Werner said
you shouldn't put these options in your .conf-files. Please just include
--batch on the command line with the actual batch commands.

> The problem seems to have gone away when I moved the config option
> pinentry-mode loopback
> 
> to $HOME/.gnupg/gpg.conf from $HOME/.gnupg/gpg-agent.conf

--pinentry-mode is a gpg option, not a gpg-agent option. The
loopback-related option to gpg-agent is --allow-loopback-pinentry.

> In the final version when development ends, I am going to have
> "no-batch" in the config because the final version works
> 
> non-interactively (and through the API.) That is why I have it in the
> config now.

Please just include --batch (I assume you mistyped when you wrote
--no-batch) on the command line with the actual batch commands.

Not sure what you mean by through the API.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 




Re: Newbie question.

2020-07-27 Thread Ayoub Misherghi via Gnupg-users



Sorry for seeming to be "spreading unjustified accusations". What I said
was meant to encourage that sort of "benign tyranny"; I was not
complaining, or at least that was not my intention.



Thank you for explaining how the list works.


Ayoub


On 7/27/2020 2:08 AM, Werner Koch wrote:

On Sun, 26 Jul 2020 12:59, Ayoub Misherghi said:


The moderators on this list (I do not know who they are) have been
tyrannical excluding some of my posts; I am not bitter or resentful. I

This mailing list is not moderated and thus your posts are not excluded
by any moderator.  The only automatic rejection we have is for too long
posts.  In some very rare cases we set the moderation flag for a
specific user but that is announced on the list.  I just checked that
it is not the case for you.

What our helpful moderators are mainly doing is to allow posts from
non-subscribers.

Please calm down and don't spread unjustified accusations.


Salam-Shalom,

Werner





Re: Why is there no secret key?

2020-07-27 Thread Peter Lebbing
On 27/07/2020 11:17, Werner Koch wrote:
> of the "batch" option.  This option should in general not be used for
> gpg-agent.

Which, by the way, is documented well in the man page gpg-agent(1):

    --batch
        Don't invoke a pinentry or do any other thing requiring human
        interaction

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 




Re: question regarding using gpg to verify a file from a .sign file

2020-07-27 Thread Werner Koch via Gnupg-users
On Fri, 24 Jul 2020 19:30, Semih Ozlem said:

> when I run the command
>
> gpg --verify SHAxSUM.sign SHAxSUM
>
> I get the following message
>
> gpgv: unknown type of key resource 'trustedkeys.kbx'

As you can see by the error message ("gpgv:...") you invoked the gpgv
tool and not the gpg tool as you showed above. 


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



Re: Why is there no secret key?

2020-07-27 Thread Werner Koch via Gnupg-users
On Sun, 26 Jul 2020 13:25, Ayoub Misherghi said:
> I am not asked for pass phrase.

Right; that is because:

> # Lines uncommented in $HOME/.gnupg/gpg-agent.conf
> log-file $HOME/gpg-log.txt
> # The same thing happens when I comment this line out
> allow-loopback-pinentry
>
> batch

of the "batch" option.  This option should in general not be used for
gpg-agent.

> # Lines uncommented in $HOME/.gnupg/gpg.conf
>
> batch

Do not put this option into the conf file.  All kinds of stuff won't
work; --batch is used case-by-case on the command line.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



Re: Passphrase Pop up

2020-07-27 Thread Werner Koch via Gnupg-users
On Mon, 27 Jul 2020 02:41, Dmitry Alexandrov said:

> GnuPG version 3 does not exist yet.  The stable release is 2.2.21.

The OP probably meant Gpg4win 3.1.12 which is our Windows installer
featuring GnuPG 2.2.21, Kleopatra, and our Outlook plugin.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



Re: Newbie question.

2020-07-27 Thread Werner Koch via Gnupg-users
On Sun, 26 Jul 2020 12:59, Ayoub Misherghi said:

> The moderators on this list (I do not know who they are) have been
> tyrannical excluding some of my posts; I am not bitter or resentful. I

This mailing list is not moderated and thus your posts are not excluded
by any moderator.  The only automatic rejection we have is for too long
posts.  In some very rare cases we set the moderation flag for a
specific user but that is announced on the list.  I just checked that
it is not the case for you.

What our helpful moderators are mainly doing is to allow posts from
non-subscribers.

Please calm down and don't spread unjustified accusations.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



Re: Key-Server Issues

2020-07-27 Thread MFPA via Gnupg-users
Hi


On Monday 27 July 2020 at 1:55:11 AM, in
,
JACOB EDWARDS WIESE via Gnupg-users wrote:-


> If I use the web version

> 

> then it says "Error 502 bad gateway".  



Try https://keys.openpgp.org/search?q=0x94CBAFDD30345109561835AA0B7F8B60E3EDFAE3


-- 
Best regards

MFPA  

Penguins are not to be trusted, especially those who listen to organ music.


Re: Deleting or renaming $HOME/.gnugpg

2020-07-27 Thread Peter Lebbing
Hi,

On 27/07/2020 07:03, Ayoub Misherghi via Gnupg-users wrote:
> Will this scenario work?

Yes, as long as you also kill the daemons so they restart with the new
situation:

$ gpgconf --kill all

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 


