Re: [EXT] Best practices for obtaining a new GPG certificate

2021-03-18 Thread Andreas K. Huettel
Hi David, 

when Gentoo switched to requiring gpg-signed git commits and pushes, we put 
some thought into requirements and best practices. Minus the Gentoo-specific 
parts, this is probably good reading:

https://www.gentoo.org/glep/glep-0063.html
https://wiki.gentoo.org/wiki/Project:Infrastructure/
Generating_GLEP_63_based_OpenPGP_keys

Best,
Andreas

On Thursday, 18 March 2021 at 05:06:24 CET, David Mehler via Gnupg-users wrote:
> Hello,
> 
> My existing GPG certificate is going to expire in less than a month.
> I'd like to know current best practices for obtaining a new one? In
> particular I'm looking for the best protocol and strength for a
> security not a performance stance. The certificate will mainly be used
> for verifying and signing sent messages, and tagging git commits on
> personal servers. Devices used will be Windows 10 pcs and tablets and
> Android (version 10 and 11) phones and tablets.
> Suggestions welcome.
> Thanks.
> Dave.


-- 
PD Dr. Andreas K. Huettel
Institute for Experimental and Applied Physics
University of Regensburg
93040 Regensburg
Germany

tel. +49 151 241 67748 (mobile)
tel. +49 941 943 1618 (office)
fax +49 941 943 3196
e-mail andreas.huet...@ur.de
http://www.akhuettel.de/


signature.asc
Description: This is a digitally signed message part.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: [EXT] Re: gnupg and ssh interaction somehow broken (card reader with pinpad)

2021-03-18 Thread Andreas K. Huettel
> 
> Can you swap the readers between the two computers and see if the
> problem follows the suspected-bad reader?
> 

Possible as last resort, I'd rather figure this out some other way though.




Re: [EXT] Best practices for obtaining a new GPG certificate

2021-03-18 Thread john doe via Gnupg-users

On 3/18/2021 10:21 AM, Andreas K. Huettel wrote:
> Hi David,
> 
> when Gentoo switched to requiring gpg-signed git commits and pushes, we put
> some thought into requirements and best practices. Minus the Gentoo-specific
> parts, this is probably good reading:
> 
> https://www.gentoo.org/glep/glep-0063.html
> https://wiki.gentoo.org/wiki/Project:Infrastructure/
> Generating_GLEP_63_based_OpenPGP_keys
> 

On the pages, I get 'There is currently no text in this page. You can
search for this page title in other pages, or ...'.
Am I missing something?

--
John Doe



Re: [EXT] Best practices for obtaining a new GPG certificate

2021-03-18 Thread Andreas K. Huettel
https://www.gentoo.org/glep/glep-0063.html
https://wiki.gentoo.org/wiki/Project:Infrastructure/Generating_GLEP_63_based_OpenPGP_keys

> On the pages, I get 'There is currently no text in this page. You can
> search for this page title in other pages, or ...'.
> Am I missing something?

Only that kmail insisted on breaking the link... let's hope it doesn't this 
time.

(Not every mail client implements flowing text correctly, which is why having 
the client insert line breaks is the safer variant for readability. However...)




Re: gnupg and ssh interaction somehow broken (card reader with pinpad)

2021-03-18 Thread Werner Koch via Gnupg-users
On Wed, 17 Mar 2021 16:31, Andreas K. Huettel said:
> 2021-03-17 16:15:37 scdaemon[4932] Prüfung des CHV1 fehlgeschlagen: Ungültiger [German: "Verification of CHV1 failed: invalid ..."]
> [Not being familiar with the details, I dont know if I can post the full log 
> here or if it contains sensitive data.]

At that debug level it is okay.  However with a higher debug level
(debug cardio) the log would show your PIN if you have used
disable-pinpad.  With a pinpad it won't show it, of course.

> gpg (GnuPG) 2.2.25

We fixed a reader bug in 2.2.26 which also changed how the SPR532 is
accessed.  See https://dev.gnupg.org/T5167 - Thus you better update to
the latest version first.

If you want to debug things, put

debug cardio
debug-ccid-driver

into scdaemon.conf, kill and retry.  You may send the log to me by PM; I
would then only share it with my colleague Gniibe.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
(Thoughts are free. Exceptions are regulated by a federal law.)


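Werner's warning above deserves a concrete step before a log leaves the machine. The following is an added example (shell; not code from the thread or from GnuPG). It appends the two debug options to scdaemon.conf and redacts the PIN-bearing APDUs from a log. The OpenPGP card command layout the redaction keys on is standard: VERIFY is INS 0x20 with P2 0x81, 0x82 or 0x83 for CHV1, CHV2 and CHV3, and CHANGE REFERENCE DATA is INS 0x24; with disable-pinpad the PIN is sent in that APDU's data field, which is what an APDU dump exposes, whereas a pinpad reader keeps the PIN out of scdaemon entirely. The sample log lines are constructed to resemble `debug cardio` output and their exact shape is an assumption; adjust the regular expression if your log looks different.

```shell
#!/bin/sh
# Added example (not code from the thread or from GnuPG): prepare the
# scdaemon debug configuration Werner asks for, and redact PINs from the
# resulting log before it is sent to anyone.
#
# Why redaction: with "disable-pinpad" the PIN travels to the card inside the
# VERIFY APDU (INS 0x20, P2 0x81/0x82/0x83 for CHV1/CHV2/CHV3) or, on a PIN
# change, CHANGE REFERENCE DATA (INS 0x24), and "debug cardio" dumps every
# APDU. With a pinpad reader the PIN never passes through scdaemon.
#
# ASSUMPTION: the "raw apdu:" line shape below is modelled on debug output,
# not copied from it; adjust the regex if your log differs.

GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"

# Append the two options to scdaemon.conf once (idempotent). scdaemon has to
# be restarted afterwards, e.g. `gpgconf --kill scdaemon`, before retrying.
enable_card_debug() {
    conf="$GNUPGHOME/scdaemon.conf"
    for opt in 'debug cardio' 'debug-ccid-driver'; do
        grep -qx "$opt" "$conf" 2>/dev/null || printf '%s\n' "$opt" >> "$conf"
    done
}

# Replace the data field of VERIFY / CHANGE REFERENCE DATA APDUs in a log read
# from stdin. The header (CLA INS P1 P2 Lc) is kept so the exchange stays readable.
redact_pins() {
    sed -E 's/(raw apdu: (00|0C) (20|24) 00 8[1-3] [0-9A-Fa-f]{2})( [0-9A-Fa-f]{2})+/\1 [PIN REDACTED]/'
}

# CONSTRUCTED sample: a VERIFY of CHV1 with PIN "123456", followed by a
# harmless GET DATA for the card's AID (INS 0xCA, tag 0x004F).
SAMPLE_LOG='2021-03-17 16:15:37 scdaemon[4932] DBG: send apdu: c=00 i=20 p1=00 p2=81 lc=6 le=-1 em=0
2021-03-17 16:15:37 scdaemon[4932] DBG:   raw apdu: 00 20 00 81 06 31 32 33 34 35 36
2021-03-17 16:15:37 scdaemon[4932] DBG: send apdu: c=00 i=CA p1=00 p2=4F lc=-1 le=256 em=0
2021-03-17 16:15:37 scdaemon[4932] DBG:   raw apdu: 00 CA 00 4F 00'

# Runs the redaction over the constructed sample (for the demo below).
redacted_sample() {
    printf '%s\n' "$SAMPLE_LOG" | redact_pins
}

# Real use:  redact_pins < ~/.gnupg/scdaemon.log > scdaemon-redacted.log
redacted_sample
```

The header bytes are deliberately left in place: they tell the reader which CHV was verified and how long the PIN was, which is what a card-debugging session needs, while the digits themselves are gone.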

Re: [EXT] Best practices for obtaining a new GPG certificate

2021-03-18 Thread john doe via Gnupg-users

On 3/18/2021 2:39 PM, Andreas K. Huettel wrote:
> https://www.gentoo.org/glep/glep-0063.html
> https://wiki.gentoo.org/wiki/Project:Infrastructure/Generating_GLEP_63_based_OpenPGP_keys



Reading the URLs given by the OP, I see that the GPG FAQ (1) talks about
a default of '2048' but in the latest (2.2.17) release of GPG it looks
like the default is now '3072':

gpg --expert --full-gen-key
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key
  (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072)


Am I missing something?


1)  https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096

--
John Doe



Re: Best practices for obtaining a new GPG certificate

2021-03-18 Thread Werner Koch via Gnupg-users
On Thu, 18 Mar 2021 00:06, David Mehler said:

> My existing GPG certificate is going to expire in less than a month.
> I'd like to know current best practices for obtaining a new one? In

Do you really want a new one?  Usually it is easier to prolong your key.
By default a new key has an expiry date so that unused keys and those
with forgotten passphrase will eventually expire.  In general you just run

  gpg --quick-set-expire FINGERPRINT EXPIREDATE

The expiry date may be something like 5y for 5 years or an explicit date like
2024-12-31.

Here is an example

  $ gpg -K A94A6DF8CDF934DB2BF98A46254A558A7E6D52D8

  sec   ed25519 2021-03-15 [SC] [expires: 2023-03-15]
        A94A6DF8CDF934DB2BF98A46254A558A7E6D52D8
  uid   [ unknown] f...@example.de
  ssb   cv25519 2021-03-15 [E]
        989ABB95E888956DBD5D7F66C376233B98457556

  $ gpg --quick-set-expire A94A6DF8CDF934DB2BF98A46254A558A7E6D52D8 4y

  $ gpg -K A94A6DF8CDF934DB2BF98A46254A558A7E6D52D8

  sec   ed25519 2021-03-15 [SC] [expires: 2025-03-17]
        A94A6DF8CDF934DB2BF98A46254A558A7E6D52D8
  uid   [ unknown] f...@example.de
  ssb   cv25519 2021-03-15 [E]
        989ABB95E888956DBD5D7F66C376233B98457556


Send the public key then to your peers, keyserver, web key directory, or
wherever. 


Shalom-Salam,

   Werner


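To go with Werner's --quick-set-expire walkthrough, an added example (shell; not code from the thread) that finds which secret keys are about to expire and renews them. It parses the machine-readable `gpg --with-colons -K` output rather than the human-readable listing above; the colon-record layout is documented in doc/DETAILS in the GnuPG source. The embedded sample is constructed: it models the key from Werner's listing plus a second key that has already expired, and the 0123... fingerprint and the user IDs are made up.

```shell
#!/bin/sh
# Added example (not code from the thread): list secret keys that expire
# within N days and renew them with --quick-set-expire.
#
# Input is the machine-readable `gpg --with-colons -K` output. Record layout
# (doc/DETAILS in the GnuPG source): field 1 = record type, 4 = algorithm
# number, 5 = key ID, 6 = creation time, 7 = expiry time, both as seconds
# since the epoch with an empty field 7 meaning "never expires". The "fpr"
# record right after a "sec" record carries that key's fingerprint in field 10.

# keys_expiring_within DAYS NOW_EPOCH  (colon output on stdin)
# Prints "<fingerprint> <days left>" for each primary key that expires within
# DAYS days of NOW_EPOCH; a negative count means it has already expired.
keys_expiring_within() {
    awk -F: -v days="$1" -v now="$2" '
        $1 == "sec" { expiry = $7; pending = 1; next }
        $1 == "fpr" && pending {
            pending = 0
            if (expiry == "") next                  # no expiry: nothing to renew
            left = int((expiry - now) / 86400)
            if (left <= days) print $10, left
            next
        }
        { pending = 0 }                             # any other record: a subkey fpr etc.
    '
}

# renew_primary FPR PERIOD: the command from the thread, e.g. renew_primary <fpr> 2y
renew_primary() {
    gpg --quick-set-expire "$1" "$2"
}

# renew_with_subkeys FPR PERIOD: GnuPG 2.2 and later also take "*" as a third
# argument to move all non-revoked subkeys to the same date. That is usually
# what you want: peers stop encrypting to an expired encryption subkey.
renew_with_subkeys() {
    gpg --quick-set-expire "$1" "$2" '*'
}

# CONSTRUCTED sample: the key from Werner's listing (ed25519, created
# 2021-03-15, expires 2023-03-15) and a second, made-up key that expired on
# 2021-03-01. User IDs and the 0123... fingerprint are invented.
SAMPLE_COLONS='sec:u:255:22:254A558A7E6D52D8:1615766400:1678838400::u:::scESC:::+:::ed25519:::0:
fpr:::::::::A94A6DF8CDF934DB2BF98A46254A558A7E6D52D8:
uid:u::::1615766400::0000000000000000000000000000000000000000::user@example.org::::::::::0:
ssb:u:255:18:C376233B98457556:1615766400:1678838400:::::e:::+:::cv25519::
fpr:::::::::989ABB95E888956DBD5D7F66C376233B98457556:
sec:e:255:22:89ABCDEF01234567:1583020800:1614556800::u:::scESC:::+:::ed25519:::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:e::::1583020800::0000000000000000000000000000000000000000::old@example.org::::::::::0:'

# Demo against the sample as of 2021-03-18 00:00 UTC (epoch 1616025600):
#   within 30 days  -> only the expired key, 17 days past its date
#   within 730 days -> both keys
# Real use: gpg --batch --with-colons -K | keys_expiring_within 30 "$(date +%s)"
printf '%s\n' "$SAMPLE_COLONS" | keys_expiring_within 30 1616025600
```

Run the check from cron or a shell profile with a window of 30 days and you get the warning David was missing before the last month; the renewal itself stays a deliberate, interactive step, since it needs the primary key's passphrase.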

Timeout when signing

2021-03-18 Thread Nick Cripps via Gnupg-users
Hi,

I'm trying to encrypt and sign a large file. It takes a while to do this,
and I then do other things while this is happening. It then completes and
presumably asks me for my key passphrase, but I miss this and it times out,
so all I see is the following error message:

gpg: signing failed: Timeout
gpg: file.gz: sign+encrypt failed: Timeout

I guess that it is actually pinentry that times out, and gpg just passes on
the error from pinentry?

How can I configure this timeout?

My /usr/bin/pinentry on my (Gentoo) system is a symlink to
/usr/bin/pinentry-gtk-2, but since I am doing this over SSH without X
forwarding, and it is working fine (and asking me in a curses based
interface), I don't think pinentry-gtk-2 is actually the pinentry program
being used, but I don't really understand how this works TBH. I do know
that Gentoo uses Gentoo's eselect utility to manage the /usr/bin/pinentry
symlink, but it seems like gpg is smart enough to use the appropriate
version if this isn't appropriate, somehow. Can anyone explain this, or
point me to where it is explained?

Many thanks in advance.

Kind regards,
Nick

Re: Best practices for obtaining a new GPG certificate

2021-03-18 Thread David Mehler via Gnupg-users
Hello,

Thanks all. I am definitely wanting a new key.

With regards the info John posted:

gpg --expert --full-gen-key
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key
  (14) Existing key from card

in the output there's an ECC option; should I go with an ECC-style key or
RSA? As regards RSA keysize I typically use 4096.

Thanks.
Dave.


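The interactive --full-gen-key menu that john and David pasted can be scripted. The following is an added example (shell; not code from the thread or from GnuPG's own tooling) that builds a certificate with a certify-only primary key plus a signing and an encryption subkey using GnuPG's --quick-* commands. The algorithms are parameters (rsa4096, or ed25519 together with cv25519 for menu entry 9, "ECC and ECC"), so the example does not settle the ECC-versus-RSA question. It assumes GnuPG 2.2 or later and GNUPGHOME pointing at the keyring to populate; PASSPHRASE_FILE is this example's own convention for unattended runs, not a GnuPG setting.

```shell
#!/bin/sh
# Added example (not code from the thread): the --full-gen-key menu, scripted
# with GnuPG's --quick-* commands so that every new certificate is built the
# same way. Layout: a certify-only primary key plus one signing and one
# encryption subkey, all with the same expiry. The algorithm names are the
# ones gpg accepts for these commands (rsa4096, rsa3072, ed25519, cv25519);
# which to choose is left to the caller.
#
# Assumptions: GnuPG 2.2 or later; GNUPGHOME points at the keyring to fill
# (use a scratch directory to try it); if PASSPHRASE_FILE is set the
# passphrase is read from that file for unattended runs, otherwise gpg-agent
# asks through pinentry as usual. PASSPHRASE_FILE is this example's own name.

gpg_batch() {
    if [ -n "${PASSPHRASE_FILE:-}" ]; then
        gpg --batch --pinentry-mode loopback --passphrase-file "$PASSPHRASE_FILE" "$@"
    else
        gpg --batch "$@"
    fi
}

# new_certificate "Name <addr>" SIGN_ALGO ENC_ALGO EXPIRE -> prints the fingerprint
# Keeping the primary key certify-only means it can stay offline or on a card;
# the subkeys do the daily work and can be rotated without changing the
# identity that peers have certified.
new_certificate() {
    uid=$1; sign_algo=$2; enc_algo=$3; expire=$4
    fpr=$(gpg_batch --status-fd 1 --quick-generate-key "$uid" "$sign_algo" cert "$expire" 2>/dev/null \
          | awk '$1 == "[GNUPG:]" && $2 == "KEY_CREATED" { print $4 }')
    [ -n "$fpr" ] || return 1
    gpg_batch --quick-add-key "$fpr" "$sign_algo" sign "$expire" 2>/dev/null || return 1
    gpg_batch --quick-add-key "$fpr" "$enc_algo" encr "$expire" 2>/dev/null || return 1
    printf '%s\n' "$fpr"
}

# subkey_usages FPR -> one line per subkey: "<algorithm number> <capabilities>"
# (22 = EdDSA, 18 = ECDH, 1 = RSA; capabilities s = sign, e = encrypt)
subkey_usages() {
    gpg --batch --with-colons -K "$1" | awk -F: '$1 == "ssb" { print $4, $12 }'
}

# Typical run, then publish the public part:
#   fpr=$(new_certificate "Dave <dave@example.org>" ed25519 cv25519 2y)   # or: rsa4096 rsa4096 2y
#   subkey_usages "$fpr"
#   gpg --armor --export "$fpr" > dave.asc
# gpg 2.1+ also stores a revocation certificate under $GNUPGHOME/openpgp-revocs.d/;
# keep it somewhere safe together with the backup of the primary key.
```

Two years is used as the expiry in the usage note only because the thread's example key carries a two-year lifetime; with the --quick-set-expire procedure from Werner's message, a short expiry costs nothing but a renewal.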

Re: Timeout when signing

2021-03-18 Thread Ángel
On 2021-03-18 at 13:57 +, Nick Cripps via Gnupg-users wrote:
What are your caching preferences? I would first sign an empty/dummy
file, so it asks for the passphrase and unlocks the private key, then
perform the real operation (which will hopefully not require your
input).

Kind regards




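Ángel's warm-up suggestion and Nick's two questions, as an added example (shell; not code from the thread). gpg-agent(1) documents the options it uses: pinentry-timeout asks the pinentry to give up after N seconds without input (the default 0 leaves it to the pinentry, which may apply its own default, and a pinentry may or may not honour the request), while default-cache-ttl and max-cache-ttl bound how long a passphrase entered once stays cached. On the pinentry-selection question: gpg-agent runs whatever pinentry-program names (by default /usr/bin/pinentry), and the GTK pinentries are normally built with a curses fallback for sessions without a display, which is why pinentry-gtk-2 still prompts over SSH. The file layout and the values below are the example's own choices.

```shell
#!/bin/sh
# Added example (not code from the thread). Two remedies for the "signing
# failed: Timeout" case: give gpg-agent a longer pinentry timeout and a
# passphrase cache, and unlock the key up front so the long sign+encrypt run
# never has to prompt while nobody is watching.
#
# Option names are from gpg-agent(1):
#   pinentry-timeout N   ask the pinentry to give up after N seconds of no input
#                        (0 = don't ask; the pinentry may then use its own default)
#   default-cache-ttl N  seconds a cached passphrase stays valid after last use
#   max-cache-ttl N      hard upper bound on cache lifetime
# The values are this example's choice; tune them to your threat model.

GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"

# write_agent_conf SECONDS: set the three options, replacing earlier values
# but leaving every other line of gpg-agent.conf (e.g. pinentry-program) alone.
write_agent_conf() {
    conf="$GNUPGHOME/gpg-agent.conf"
    touch "$conf"
    tmp=$(mktemp)
    grep -Ev '^(pinentry-timeout|default-cache-ttl|max-cache-ttl)[[:space:]]' "$conf" > "$tmp" || true
    printf 'pinentry-timeout %s\n' "$1" >> "$tmp"
    printf 'default-cache-ttl 1800\nmax-cache-ttl 7200\n' >> "$tmp"
    mv "$tmp" "$conf"
}

# Make a running agent re-read its configuration.
reload_agent() {
    gpg-connect-agent 'reloadagent' /bye
}

# warm_up KEY: sign a throwaway message so the pinentry is answered now,
# while the operator is at the keyboard; the cache then serves the real job.
warm_up() {
    printf 'warm-up\n' | gpg --local-user "$1" --sign --output /dev/null -
}

# sign_and_encrypt KEY RECIPIENT FILE: the long-running job, run right after warm_up.
sign_and_encrypt() {
    gpg --local-user "$1" --recipient "$2" --sign --encrypt "$3"
}

# Typical session:
#   write_agent_conf 300 && reload_agent
#   warm_up dave@example.org
#   sign_and_encrypt dave@example.org alice@example.org file.gz
```

The warm-up works because the cache is keyed on the secret key, not on the operation: once the signing subkey's passphrase is cached, the sign+encrypt run finds it there as long as it starts within default-cache-ttl of the warm-up. A longer cache is a trade-off against anyone with access to the running session, which is why max-cache-ttl is still capped here.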


Re: [EXT] Best practices for obtaining a new GPG certificate

2021-03-18 Thread Ángel
On 2021-03-18 at 15:15 +0100, john doe via Gnupg-users wrote:
> Reading the URLs given by the OP, I see that the GPG FAQ (1) talks
> about a default of '2048' but in the latest (2.2.17) release of GPG
> it looks like the default is now '3072':
> What keysize do you want? (3072)
> 
> 
> Am I missing something?
> 
> 1)  https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096


The FAQ is outdated. GnuPG was indeed updated some years ago to use 3072
as the default size for RSA:

https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=909fbca19678e6e36968607e8a2348381da39d8c

