Re: Side-channel attacks

2022-01-18 Thread Johan Wevers via Gnupg-users
On 17-01-2022 0:09, Robert J. Hansen via Gnupg-users wrote:

> I was asked for help with something in the 1.2 series (!!).  Without
> exception, our first response is usually "for the love of God, upgrade!"
> 
> They rarely do.  It's worked fine for them for a decade or more, and
> they're not going to change...

Well, a bit more respect for backwards compatibility would help a lot by
that. Now I'm forced to keep a 1.4 and pgp 2.6 version installed just
to be able to read all my old data. Some people just refuse to update to
versions that routinely break backwards compatibility.

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Side-channel attacks

2022-01-18 Thread Robert J. Hansen via Gnupg-users

> Well, a bit more respect for backwards compatibility would help a lot
> by that. Now I'm forced to keep a 1.4 and pgp 2.6 version installed
> just to be able to read all my old data. Some people just refuse to
> update to versions that routinely break backwards compatibility.


You've had literally 27 years to migrate your data.  I have zero sympathy.




gpg --verify in batch mode / how to require a trust level?

2022-01-18 Thread Bernd Graf via Gnupg-users

Hi,

for a backup integrity protection, I want to add a signature check to
the restore script to reject the backup files that are not properly
signed. So far, so good.

#$ gpg --verify backup.tar.sig

#$ if [ $? -ne 0 ]; then echo "backup is not properly signed!"; exit 1; fi

#$ tar xzvf backup.tar

Now, I find that `gpg --verify` produces a return code rc=0 when there
is a public key in my keyring that I once added, even though I never
declared that I trust this key.

How can I require `gpg --verify` to only accept keys from my keyring
with a certain trust level and fail otherwise (rc!=0)?

Alternatively, how can I check that a signature was done with a specific
key?

Many thanks

Bernd




Re: Side-channel attacks

2022-01-18 Thread Robert J. Hansen via Gnupg-users

> 1.4 should be able to decrypt all 2.6 generated data.

Not from the Disastry builds, which extended 2.6 to support newer
algorithms.





Re: Side-channel attacks

2022-01-18 Thread Werner Koch via Gnupg-users
On Tue, 18 Jan 2022 09:50, Johan Wevers said:

> Well, a bit more respect for backwards compatibility would help a lot by
> that. Now I'm forced to keep a 1.4 and pgp 2.6 version installed just

1.4 should be able to decrypt all 2.6 generated data.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: gpg --verify in batch mode / how to require a trust level?

2022-01-18 Thread Ingo Klöcker
On Dienstag, 18. Januar 2022 15:59:11 CET Bernd Graf via Gnupg-users wrote:
> How can I require `gpg --verify` to only accept keys from my keyring
> with a certain trust level and fail otherwise (rc!=0)
> 
> Alternatively, how can I check that a signature was done with a specific
> key?

Use gpgv instead of gpg. It's much more lightweight and specifically meant for 
signature verification. In particular, you can pass it a keyring that only 
contains the keys you want:

$ gpgv --keyring FILE backup.tar.sig backup.tar

For details
$ man gpgv

Regards,
Ingo




Re: gpg --verify in batch mode / how to require a trust level?

2022-01-18 Thread Werner Koch via Gnupg-users
On Tue, 18 Jan 2022 15:59, Bernd Graf said:

> How can I require `gpg --verify` to only accept keys from my keyring
> with a certain trust level and fail otherwise (rc!=0)

Use gpgv instead of gpg.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


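An added example, not code from this thread or from the GnuPG project: a small POSIX sh restore check that follows Ingo's and Werner's advice (verify with gpgv against a dedicated keyring) and also answers Bernd's second question by pinning the signature to one key. It does that by parsing the `[GNUPG:]` status lines gpgv emits with `--status-fd 1`, so a signature from any other key in the keyring is still rejected. The keyring path, the `ALLOWED_FPR` placeholder, the `check_status` / `verify_backup` function names and the sample status lines are all assumptions or constructed for the example.

```sh
#!/bin/sh
# Added example (hypothetical restore check, not from the mailing list thread).
# Verification runs through gpgv against a keyring that holds only the backup
# signing key(s); the status-line parser then pins the signer's fingerprint.

# Assumed paths/values for this example; replace with your own.
BACKUP_KEYRING="${BACKUP_KEYRING:-/etc/backup/backup-signers.gpg}"
ALLOWED_FPR="${ALLOWED_FPR:-REPLACE_WITH_40_HEX_FINGERPRINT}"   # placeholder

# check_status EXPECTED_FPR
# Reads "[GNUPG:] ..." status lines on stdin. Succeeds only if a VALIDSIG line
# names EXPECTED_FPR, either as the signing key (first field after VALIDSIG)
# or as the primary key (last field), and no failure status line was seen.
check_status() {
    expected="$1"
    valid=0
    failed=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                rest="${line#"[GNUPG:] VALIDSIG "}"   # strip the status prefix
                signing="${rest%% *}"                # first field: signing key fpr
                primary="${rest##* }"                # last field: primary key fpr
                if [ "$signing" = "$expected" ] || [ "$primary" = "$expected" ]; then
                    valid=1
                fi
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*|"[GNUPG:] NO_PUBKEY "*)
                failed=1                              # any of these is a hard reject
                ;;
        esac
    done
    if [ "$failed" -eq 0 ] && [ "$valid" -eq 1 ]; then
        return 0
    fi
    return 1
}

# verify_backup SIGFILE DATAFILE
# Requires both a zero exit status from gpgv and a VALIDSIG line for the
# pinned fingerprint. Status lines go to stdout via --status-fd 1; gpgv's
# human-readable diagnostics go to stderr and are discarded here.
verify_backup() {
    status=$(gpgv --keyring "$BACKUP_KEYRING" --status-fd 1 "$1" "$2" 2>/dev/null) || return 1
    printf '%s\n' "$status" | check_status "$ALLOWED_FPR"
}

# Usage: restore.sh backup.tar.sig backup.tar
if [ "$#" -eq 2 ]; then
    if verify_backup "$1" "$2"; then
        tar xvf "$2"
    else
        echo "backup is not properly signed by the expected key!" >&2
        exit 1
    fi
fi
```

gpgv treats every key in the keyring it is given as fully valid, so the keyring should contain nothing but the backup signing key; the fingerprint pin is a second, independent check that survives an accidental extra key being imported into that file. Keep the keyring file itself read-only for the account running the restore.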


Re: Side-channel attacks

2022-01-18 Thread Стефан Васильев via Gnupg-users

Johan Wevers wrote:

> On 17-01-2022 0:09, Robert J. Hansen via Gnupg-users wrote:
>
>> I was asked for help with something in the 1.2 series (!!).  Without
>> exception, our first response is usually "for the love of God, upgrade!"
>>
>> They rarely do.  It's worked fine for them for a decade or more, and
>> they're not going to change...
>
> Well, a bit more respect for backwards compatibility would help a lot by
> that. Now I'm forced to keep a 1.4 and pgp 2.6 version installed just
> to be able to read all my old data. Some people just refuse to update to
> versions that routinely break backwards compatibility.


I know from people that they use GnuPG 1.4 (Windows) for portability on
a USB stick and therefore it could be run in a native Windows 10 sandbox,
while also running a Tor hidden service in the sandbox, to communicate
encrypted, without relying on third party client/server models via VPS or
major email providers.

Is it possible to do that with the latest gpg4win?

Regards
Stefan



Re: Side-channel attacks

2022-01-18 Thread vedaal via Gnupg-users


On 1/18/2022 at 11:26 AM, "Robert J. Hansen via Gnupg-users" wrote:

>> 1.4 should be able to decrypt all 2.6 generated data.
>
> Not from the Disastry builds, which extended 2.6 to support newer
> algorithms.

=
1.4 still can decrypt and verify anything in Disastry's last build. 
He died before he could implement Camellia. 

I have been using it since it came out, and 1.4 can easily decrypt and
verify, but there is a simple procedural issue:
1.4 decides that when it sees a v3 key, it tries to decrypt Idea and
verify md5. Which works perfectly for 2.6.x.

In order for 1.4 to decrypt and verify messages done with other
encryption algorithms and signing algorithms, the name of the signing
algorithm and the name of the encryption algorithm need to be included
in the command line.
If this is cumbersome, just continue to use Disastry 2.6 to decrypt
and verify.
It's not gnupg's problem.

Vedaal 