Re: fingerprint associated public key does not match displayed public key
> What other keys would it hold?

Behold:

pub   ed25519/1E7A94D4E87F91D5 2021-02-22 [SC]
      7D8EC4B85B6FEDD6C10D3C791E7A94D4E87F91D5
uid           [ultimate] Robert J. Hansen
uid           [ultimate] Robert J. Hansen
sub   cv25519/7D6CCDB66CA1202F 2021-02-22 [E]

My public certificate has two keys: an Edwards-25519 signing key and a Curve-25519 encryption key.

Back in the '90s, certificates almost always held a single key that was used for both encryption and signing. Then we realized, "if the courts force us to give our decryption key to the cops so they can read our traffic, we're also giving them the ability to impersonate us." Since then, virtually every OpenPGP certificate has had at least two keys: one for signing and one for encryption. There are cases where three or more keys are appropriate, but they're kind of outside the scope of the current discussion.

>> Sure it does. I did that no more than twenty minutes ago myself.
>
> So I typed the gpg --import > certificate.txt command and it says "no such file or directory: certificate.txt" (certificate has a different name of course).

Did you notice the command is "gpg --import < certificate.txt"?

> I placed the file in my .gnupg hidden folder.

Then you'd need to do "gpg --import < ~/.gnupg/certificate.txt". If certificate.txt isn't in your current directory, you need to tell Linux where to look for it.

> Here is really the root of my problem. As you probably know, I'm not using a Web Key Service/Directory enabled email provider, so if I were to get an encrypted message intended for me, I'd have to copy the encryption text, paste it into a txt file, then import/decrypt it like that with:
>
> gpg --decrypt ~/Desktop/encryptedfile.txt | perl -MMIME::QuotedPrint -0777 -nle 'print decode_qp($_)'

That's shockingly bad. Try using an email client with OpenPGP support built-in. On Linux the two major choices are Evolution and Thunderbird.

> That's a command I found online from a source that I've been using for learning pgp.

Please stop using that resource. As mentioned above, it's shockingly bad. As the FAQ says, "The good news is the internet is a treasure trove of information. The bad news is that the internet is a festering sewer of misinformation, conspiracy theories, and half-informed speculations all masquerading as informed commentary."

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: fingerprint associated public key does not match displayed public key
> Key(s): a certificate holds at least one, but usually more than one.

I see. So, a certificate (aka pgp public key block) holds at least one key (+ pertinent metadata that changes/updates depending on use, etc.), but usually more. What other keys would it hold? The paired secret key? No. Other public keys in my key ring? Unlikely. If the certificate is made for encryption of a message that only one specific secret key can decrypt, why would it hold more than one key?

>> But the import command doesn't work with txt.
>
> Sure it does. I did that no more than twenty minutes ago myself.

So I typed the gpg --import > certificate.txt command and it says "no such file or directory: certificate.txt" (certificate has a different name of course). I placed the file in my .gnupg hidden folder.

Here is really the root of my problem. As you probably know, I'm not using a Web Key Service/Directory enabled email provider, so if I were to get an encrypted message intended for me, I'd have to copy the encryption text, paste it into a txt file, then import/decrypt it like that with:

gpg --decrypt ~/Desktop/encryptedfile.txt | perl -MMIME::QuotedPrint -0777 -nle 'print decode_qp($_)'

That's a command I found online from a source that I've been using for learning pgp. What am I missing? Does this only work well with WKS/D enabled message services?

On Fri, Dec 17, 2021 at 12:42 PM Robert J. Hansen wrote:
Re: fingerprint associated public key does not match displayed public key
> The document snapshot analogy really helps.

I'm glad it's helped!

>> No, and I'm going to strongly encourage you to stop asking implementation questions.
>
> I think I'll take that advice.

When you think you're ready, we'll be here to answer your implementation questions. It would break my heart if you thought you should never ask them -- I just, only, think that diving into implementation details is almost always a bad idea for new users.

If you want to teach someone poetry you start by showing them the witty banter and playful puns in Shakespeare, and encourage them to laugh and enjoy the show. Learning about iambic pentameter can wait. :)

> I'm getting the picture now. The pgp key block is really the certificate. The certificate holds the key and metadata.

Key(s): a certificate holds at least one, but usually more than one. Beyond that minor detail you've got it perfect.

>> gpg --import < certificate.asc
>
> So, when dealing with a displayed certificate (what I was calling a pgp public key block), the only method I thought of was copying and pasting it onto a txt file. But the import command doesn't work with txt.

Sure it does. I did that no more than twenty minutes ago myself.

How were you trying to do this?
Re: fingerprint associated public key does not match displayed public key
> Please reply inline unless your email client makes this difficult.

I will be doing that from now on. I'm not sure of any other way besides manually copying and pasting, but that's not a problem.

> There is a Frequently Asked Questions document that you may want to read if you haven't done so already:

I read the whole thing. It helped a little, but there was a lot that I just don't get (yet). I'll be reading through it again, along with the users archives, and the manual itself. I've started on a journey here, I see that. There's a lot to learn. But I am thrilled to learn it all. I do appreciate all the help.

> The easiest way is to use WKD/WKS (Web Key Directory/Service) if your email provider supports this because then some OpenPGP-aware automatically download your key when someone enters your email address into their email client. I don't think gmail supports WKD.

I'll look into a WKS/D supporting email provider.

> Otherwise, you can simply send your exported key to the person you want to give your public key to.

Yeah so, I can attach the .asc file that's in my Disk/users/SamiBadri folder (it's the only .asc file I've seen), but I'm assuming that is my public key. Is that correct? Is there any way to send your private key? I want to know so that I don't do it accidentally.

Also, if I use the cat SamiB.asc command, the terminal reveals a certificate (and I assume that's my public key certificate). Can I copy/paste and send that as a txt attachment? Will they be able to do anything with it? For instance, let's say they don't have my email, key ID, or fingerprint, only the pgp public key block (aka certificate), can you do anything with a txt-type file that only shows the certificate in armor?

Lastly, I see that you have attached a signature .asc file with your email. I can import that file, and compare to?

S.B.

On Fri, Dec 17, 2021 at 7:02 AM Ingo Klöcker wrote:
Re: fingerprint associated public key does not match displayed public key
> Think of them as two different snapshots of the same document at different points in time, as various minor edits are made to it. But the important bits, the stuff you care about, will be consistent through revisions so long as the fingerprint remains unchanged.

The document snapshot analogy really helps.

> No, and I'm going to strongly encourage you to stop asking implementation questions.

I think I'll take that advice.

> What you're calling a "key block" is a certificate, not a key. A certificate includes cryptographic keys and metadata about those keys.

I'm getting the picture now. The pgp key block is really the certificate. The certificate holds the key and metadata.

> gpg --import < certificate.asc

So, when dealing with a displayed certificate (what I was calling a pgp public key block), the only method I thought of was copying and pasting it onto a txt file. But the import command doesn't work with txt. I was thinking of converting the txt to asc using a conversion app, but then I knew that it can't be that difficult.

If the only thing you have is the person's certificate, and it's not in an .asc format, is there any other way of importing it into your key ring? Or are all public key imports obtained via asc files?

S.B.

On Fri, Dec 17, 2021 at 4:43 AM Robert J. Hansen wrote:
Re: fingerprint associated public key does not match displayed public key
Please reply inline unless your email client makes this difficult. As you can see from the replies to your messages that's what we prefer on this mailing list. It helps to make the context of the replies more clear.

There is a Frequently Asked Questions document that you may want to read if you haven't done so already:
https://gnupg.org/faq/gnupg-faq.html

On Friday, 17 December 2021 02:43:25 CET S.B. via Gnupg-users wrote:
> When you want to give someone your public key, do you normally just
> give your email, fingerprint, key ID, or the armor form key block?

The easiest way is to use WKD/WKS (Web Key Directory/Service) if your email provider supports this because then some OpenPGP-aware automatically download your key when someone enters your email address into their email client. I don't think gmail supports WKD.

Otherwise, you can simply send your exported key to the person you want to give your public key to. You may want to use the option "--export-options export-minimal" when exporting your key to keep the armor form key block small.

It may also make sense to upload your key to some keyservers, so that people can get your key without first having to contact you.

Regards,
Ingo
Re: fingerprint associated public key does not match displayed public key
> That key block did not match the one on his profile. That's what confused me. But I'm learning (from you guys) that the key blocks don't necessarily have to match. So I can assume that:

More accurately, they're very unlikely to match. The version on his site may lack some signatures or user IDs present on the keyserver copy, or vice-versa. Think of them as two different snapshots of the same document at different points in time, as various minor edits are made to it. But the important bits, the stuff you care about, will be consistent through revisions so long as the fingerprint remains unchanged.

> - the fingerprint is specific for the secret key component of the generated key pair and does not change.

No, and I'm going to strongly encourage you to stop asking implementation questions. You're not ready for them. For now, learn how to use the system, and only then start paying attention to the fine detail of how the system is implemented.

But if you insist, see section 12.2 of RFC4880. "A V4 fingerprint is the 160-bit SHA-1 hash of the octet 0x99, followed by the two-octet packet length, followed by the entire Public-Key packet starting with the version field. The Key ID is the low-order 64 bits of the fingerprint."

> - the pgp public key is, in a way, fluid. It can take many different forms but encrypts specifically for the matching secret key only. The same public key can have different key blocks.

No. This will probably become easier to understand if we use the correct language. *Keys* are not fluid. *Certificates* can be. What you're calling a "key block" is a certificate, not a key. A certificate includes cryptographic keys and metadata about those keys. The keys generally don't change (although I can think of pathological cases where they do). The metadata about those keys can change a lot.

Most of the data in a certificate is metadata.

> - I could've used the keyserver-obtained public key (retrieved via the fingerprint), or I could've used the displayed public key that was given in armor text form. They are one and the same, even though their revealed text is different.

You could have used it and the odds are quite good it wouldn't have mattered in the slightest.

> When you want to give someone your public key, do you normally just give your email, fingerprint, key ID, or the armor form key block?

I use WKS.

> is there a command i could've used to directly import the key using the displayed key block? I've tried some different ones I found in various places but nothing worked.

gpg --import < certificate.asc
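The two points this thread keeps circling back to, the RFC 4880 section 12.2 fingerprint definition quoted above and the earlier observation that a certificate pasted into a .txt file imports exactly like a .asc file, worked through in Python as an added example. This is not code from the thread or from GnuPG; Python is used so it runs without gpg installed. It builds a constructed minimal certificate (placeholder key bytes and creation time, not a real key), ASCII-armors it, de-armors it again with the RFC 4880 CRC-24 check, and computes the V4 fingerprint and Key ID from the public-key packet alone, so two certificate "snapshots" that differ only in their user-ID metadata yield the same fingerprint. The function names (build_sample_certificate, certificate_fingerprint, dearmor and so on) are this example's own.

```python
"""Added example (not from the thread): RFC 4880 V4 fingerprint and Key ID of a minimal
OpenPGP certificate, plus the ASCII-armor round trip a pasted .txt file goes through.
Every key byte below is a constructed placeholder, not a real key."""
import base64
import hashlib
import struct

TAG_PUBLIC_KEY, TAG_USER_ID = 6, 13

def packet(tag: int, body: bytes) -> bytes:
    """Serialize one packet with a new-format header (RFC 4880 section 4.2.2), one- or two-octet length."""
    n = len(body)
    assert n < 8384, "five-octet lengths are not needed for this example"
    length = bytes([n]) if n < 192 else bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return bytes([0xC0 | tag]) + length + body

def parse_packets(data: bytes) -> list:
    """Split binary OpenPGP data into (tag, body) pairs; handles old- and new-format headers."""
    out, i = [], 0
    while i < len(data):
        ctb = data[i]
        i += 1
        if ctb & 0x40:  # new-format header
            tag, first = ctb & 0x3F, data[i]
            i += 1
            if first < 192:
                n = first
            elif first < 224:
                n, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                n, i = struct.unpack(">I", data[i:i + 4])[0], i + 4
            else:
                raise ValueError("partial body lengths are not handled in this example")
        else:  # old-format header: tag in bits 2-5, length type in bits 0-1
            tag, lentype = (ctb >> 2) & 0x0F, ctb & 0x03
            if lentype == 3:
                raise ValueError("indeterminate length is not handled in this example")
            n, i = int.from_bytes(data[i:i + (1 << lentype)], "big"), i + (1 << lentype)
        out.append((tag, data[i:i + n]))
        i += n
    return out

def fingerprint_v4(key_body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the two-octet body length, then the key body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()

def key_id(fingerprint: str) -> str:
    """The Key ID is the low-order 64 bits of the fingerprint: its last 16 hex digits."""
    return fingerprint[-16:]

def certificate_fingerprint(cert: bytes) -> str:
    """Only the primary public-key packet is hashed; user IDs and signatures never contribute."""
    for tag, body in parse_packets(cert):
        if tag == TAG_PUBLIC_KEY:
            return fingerprint_v4(body)
    raise ValueError("no public-key packet found")

def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1: catches paste damage, gives no integrity guarantee."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes, kind: str = "PUBLIC KEY BLOCK") -> str:
    """Produce the text block the thread calls a 'pgp public key block'."""
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {kind}-----", ""] + lines + [crc, f"-----END PGP {kind}-----", ""])

def dearmor(text: str) -> bytes:
    """Recover the packets from armor text; the file name (.asc, .txt, anything) plays no part."""
    lines = text.splitlines()
    begin = next(i for i, line in enumerate(lines) if line.startswith("-----BEGIN PGP "))
    end = next(i for i, line in enumerate(lines) if line.startswith("-----END PGP "))
    body = lines[begin + 1:end]
    while body and (":" in body[0] or not body[0].strip()):  # skip "Version:"-style armor headers
        body.pop(0)
    checksum = None
    if body and body[-1].startswith("="):
        checksum = int.from_bytes(base64.b64decode(body.pop()[1:]), "big")
    data = base64.b64decode("".join(body))
    if checksum is not None and checksum != crc24(data):
        raise ValueError("armor CRC-24 mismatch: the pasted text was altered or truncated")
    return data

def build_sample_certificate(user_id: str) -> bytes:
    """Constructed v4 EdDSA (algorithm 22) public-key packet plus one User ID packet."""
    created = struct.pack(">I", 1613952000)              # placeholder creation time
    ed25519_oid = bytes.fromhex("2B06010401DA470F01")   # OID 1.3.6.1.4.1.11591.15.1 (Ed25519)
    point = b"\x40" + bytes(range(1, 33))                # placeholder public point, NOT a real key
    mpi = struct.pack(">H", int.from_bytes(point, "big").bit_length()) + point
    key_body = b"\x04" + created + b"\x16" + bytes([len(ed25519_oid)]) + ed25519_oid + mpi
    return packet(TAG_PUBLIC_KEY, key_body) + packet(TAG_USER_ID, user_id.encode())
```

To check the idea against a real v4 certificate, pass the text of an exported or pasted block to dearmor() and the result to certificate_fingerprint(); the value matches what gpg --fingerprint prints, whatever the file was named (v5/v6 keys use a different fingerprint construction and are outside this example). In practice gpg detects armor itself, so the thread's "gpg --import < certificate.txt" is all that is needed; the CRC-24 only tells you that a paste was mangled, never that the certificate belongs to the person you think, which is what comparing the fingerprint out of band is for.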