Re: Unable to decrypt file copied from USB thumb drive.

2021-10-29 Thread ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users
On 12021/07/21 01:78.66, Chris Taylor wrote:
> Hello Group,
> 
> I am developing a backup process for personal files, on USB thumb
> drive.  I tar and zip my files (30GB) then encrypt them with:
> 
> gpg --no-symkey-cache --symmetric --cipher-algo AES256 my-backup.tar.gz
> 
> I copy my-backup.tar.gz.gpg to my USB thumb drive.  I am using Ubuntu so
> the USB drive is formatted to Ext4.
> 
> I try to decrypt with:
> 
> gpg --output my-backup.tar.gz --decrypt my-backup.tar.gz.gpg
> 
> and get the following error:
> 
> gpg: AES256 encrypted data
> gpg: encrypted with 1 passphrase
> gpg: block_filter 0x556d112aa1e0: read error (size=13328,a->size=13328)
> gpg: WARNING: encrypted message has been manipulated!
> gpg: block_filter: pending bytes!
> 
> I have gpg version 2.2.19, libgcrypt 1.8.5.  Without encryption this
> process has worked perfectly well many times.
> 
> Any advice greatly appreciated.
> 
> Chris.

Do you get the same error if you try to decrypt it before moving the file? I 
tried with the exact same arguments with gpg 2.3.1, libgcrypt 1.9.4 and 
everything worked well (though I didn't try moving the files to another medium).

I also wonder if you're waiting until the file has been fully written (you can 
ensure this by running `sync` and waiting until it has returned) before trying 
to decrypt?

- Chiraag
-- 
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his


publickey - mailinglist@chiraag.me - b0c8d720.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Using gpg to add digital signature to a linux executable

2021-10-26 Thread ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users
On 12021/07/18 04:64.54, Andrew Marlow via Gnupg-users wrote:
> Hello everyone,
> 
> For some time now where I work there has been a rule saying "thou shalt add a
> digital signature to every executable and shared library when shipping software
> designed to run on Windows". This is quite doable and all is well and good. At
> least, on Windows. But what about linux? The only thing I've seen for linux is
> to create separate digital signatures using tools like gpg (GNU Privacy Guard).
> I can find no mention of how to attach them to an executable or shared library.
> Has anyone here ever done anything like this please? It seems to me there is
> real benefit in doing it. So, much as I detest Windows, this seems to be one
> area in which Windows is slightly ahead.
> 
> --
> Regards,
> 
> Andrew Marlow
> [1]http://www.andrewpetermarlow.co.uk
> 
> 
> References:
> 
> [1] http://www.andrewpetermarlow.co.uk/

Why not do a detached signature using e.g. gpg -sb --output file.sig file? 
Then, someone can run gpg --verify file.sig file to ensure that the signature 
is valid.

HTH,

Chiraag
-- 
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his




Re: WKD docs on the wiki, restructuring. Feedback on forUsers page

2021-09-30 Thread ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users
On 12021/06/32 07:17.95, Phil Pennock wrote:
> On 2021-09-30 at 12:17 +0000, ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users wrote:
> > Hmm, this is odd. I setup WKD as detailed on the 
> > https://wiki.gnupg.org/WKDHosting (using the openpgpkey subdomain), 
> > currently only for one address on my domain (s...@chiraag.me). Opening the 
> > file directly in a web browser does work, so the file is at the correct 
> > path with the correct (I presume) permissions. However, running the test 
> > given here does _not_ work and fails with the debugging output I've 
> > attached.
> >
> > Any ideas?
> 
> Do you have user-agent filtering in your web-server?
> 
> 2021-09-30 17:11:35 dirmngr[733043.6] error accessing 'https://openpgpkey.chiraag.me/.well-known/openpgpkey/chiraag.me/hu/55caf3anhb75xpzx9m6hgw6589ozf1b9?l=spam': http status 403
> 
> Running:
> 
>   curl -fSs 'https://openpgpkey.chiraag.me/.well-known/openpgpkey/chiraag.me/hu/55caf3anhb75xpzx9m6hgw6589ozf1b9?l=spam' | gpg --import
> 
> works.  So you return the data just fine to curl, but when dirmngr asks
> for it, it's getting a "403 Forbidden" response.
> 
> That smells to me of a web-server which is trying to block user-agents
> it dislikes.  This isn't certain, but that's where I'd start looking.
> 
> -Phil

That is very helpful! I'll have to check with my hoster to figure out what's 
going on, thanks :)

- Chiraag
-- 
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his
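
The check described in the quoted reply above, as an added example that is not part of the original thread: it derives the two WKD lookup URLs for an address (SHA-1 of the lowercased local part, z-base-32 encoded, as in the WKD draft) and requests the same URL with several User-Agent strings so that a 200-versus-403 split becomes visible. The User-Agent values are supplied by the caller and are assumptions, and the function names are hypothetical.

```python
"""Derive WKD lookup URLs and compare HTTP status per User-Agent (added example)."""
import hashlib
import sys
import urllib.error
import urllib.parse
import urllib.request

# z-base-32 alphabet used for the "hu" path component of a WKD URL.
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, MSB first, no padding."""
    bits = "".join(f"{byte:08b}" for byte in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(ZBASE32[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """SHA-1 over the local part with ASCII letters lowercased, z-base-32 encoded."""
    lowered = "".join(c.lower() if c.isascii() else c for c in local_part)
    return zbase32(hashlib.sha1(lowered.encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """Return the 'advanced' (openpgpkey subdomain) and 'direct' lookup URLs."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not a mail address: {address!r}")
    domain = domain.lower()
    tail = f"hu/{wkd_hash(local)}?l={urllib.parse.quote(local, safe='')}"
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/{tail}",
        "direct": f"https://{domain}/.well-known/openpgpkey/{tail}",
    }


def probe(url: str, user_agents: list, timeout: float = 10.0) -> dict:
    """Fetch the same URL once per User-Agent and return {user_agent: status}."""
    results = {}
    for agent in user_agents:
        request = urllib.request.Request(url, headers={"User-Agent": agent})
        try:
            with urllib.request.urlopen(request, timeout=timeout) as response:
                results[agent] = response.status
        except urllib.error.HTTPError as err:
            results[agent] = err.code          # e.g. 403 from a filtering rule
        except urllib.error.URLError as err:
            results[agent] = f"error: {err.reason}"
    return results


def filtered_agents(results: dict) -> list:
    """User-Agents refused with 401/403 although another agent received 200."""
    if 200 not in results.values():
        return []  # nobody succeeded: path or permissions, not agent filtering
    return [agent for agent, status in results.items() if status in (401, 403)]


if __name__ == "__main__":
    # Usage: python wkd_probe.py user@example.org "agent one" "agent two" ...
    # The agent strings are whatever clients you want to compare (assumption).
    if len(sys.argv) < 3:
        sys.exit("usage: wkd_probe.py ADDRESS USER_AGENT [USER_AGENT ...]")
    urls = wkd_urls(sys.argv[1])
    statuses = probe(urls["advanced"], sys.argv[2:])
    for agent, status in statuses.items():
        print(f"{status}\t{agent}")
    for agent in filtered_agents(statuses):
        print(f"refused while others succeed: {agent}")
```

Take the agent strings from the web server's access log for the failing and the working request, so the comparison uses what the clients really sent.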



Re: WKD docs on the wiki, restructuring. Feedback on forUsers page

2021-09-30 Thread ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users
On 12021/06/31 06:01.41, Alessandro Vesely via Gnupg-users wrote:
> On Tue 28/Sep/2021 17:39:29 +0200 Bernhard Reiter wrote:
> > Feedback (and help) is always appreciated.:)
> 
> 
> I'm not sure if WKD/forHosts would be a better location than WKDHosting.
> 
> Anyway, I'd publish the test suggested by Alissa on this list on 8 July 2019:
> 
>  gpg --homedir "$(mktemp -d)" --locate-keys h...@alyssa.is
>

Hmm, this is odd. I setup WKD as detailed on the 
https://wiki.gnupg.org/WKDHosting (using the openpgpkey subdomain), currently 
only for one address on my domain (s...@chiraag.me). Opening the file directly 
in a web browser does work, so the file is at the correct path with the correct 
(I presume) permissions. However, running the test given here does _not_ work 
and fails with the debugging output I've attached.

Any ideas?

Thanks,

Chiraag
-- 
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his

gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog
gpg: DBG: [no clock] start
gpg: DBG: fd_cache_invalidate (/tmp/tmp.apCYUlb83x/pubring.kbx)
gpg: DBG: iobuf-1.0: open '/tmp/tmp.apCYUlb83x/pubring.kbx' desc=file_filter(fd) fd=3
gpg: DBG: iobuf-1.0: close 'file_filter(fd)'
gpg: DBG: /tmp/tmp.apCYUlb83x/pubring.kbx: close fd/handle 3
gpg: DBG: fd_cache_close (/tmp/tmp.apCYUlb83x/pubring.kbx) new slot created
gpg: DBG: iobuf-*.*: ioctl '/tmp/tmp.apCYUlb83x/pubring.kbx' invalidate
gpg: DBG: fd_cache_invalidate (/tmp/tmp.apCYUlb83x/pubring.kbx)
gpg: DBG: did (/tmp/tmp.apCYUlb83x/pubring.kbx)
gpg: keybox '/tmp/tmp.apCYUlb83x/pubring.kbx' created
gpg: /tmp/tmp.apCYUlb83x/trustdb.gpg: trustdb created
gpg: DBG: [no clock] keydb_new
gpg: DBG: [no clock] keydb_search enter
gpg: DBG: keydb_search: 1 search descriptions:
gpg: DBG: keydb_search   0: SUBSTR: 's...@chiraag.me'
gpg: DBG: internal_keydb_search: searching keybox (resource 0 of 1)
gpg: DBG: internal_keydb_search: searched keybox (resource 0 of 1) => EOF
gpg: DBG: [no clock] keydb_search leave (not found)
gpg: DBG: chan_5 <- # Home: /tmp/tmp.apCYUlb83x
gpg: DBG: chan_5 <- # Config: /tmp/tmp.apCYUlb83x/dirmngr.conf
gpg: DBG: chan_5 <- OK Dirmngr 2.3.1 at your service
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_5 -> GETINFO version
gpg: DBG: chan_5 <- D 2.3.1
gpg: DBG: chan_5 <- OK
gpg: DBG: chan_5 -> WKD_GET -- s...@chiraag.me
gpg: DBG: chan_5 <- S SOURCE https://openpgpkey.chiraag.me
gpg: DBG: chan_5 <- ERR 167772218 No data 
gpg: error retrieving 's...@chiraag.me' via WKD: No data
gpg: error reading key: No data
gpg: DBG: chan_5 -> BYE
gpg: DBG: [no clock] keydb_release
gpg: DBG: [no clock] stop
gpg: keydb: handles=1 locks=0 parse=0 get=0
gpg:build=0 update=0 insert=0 delete=0
gpg:reset=0 found=0 not=1 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=0 cached=0 good=0 bad=0
gpg: objcache: keys=0/0/0 chains=0,0..0 buckets=0/0 attic=0
gpg: objcache: uids=0/0/0 chains=0,0..0 buckets=0/0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
  outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x calls=0 bytes=0
gpg: secmem usage: 0/65536 bytes in 0 blocks



Re: set the default setting of using "echo RELOADAGENT | gpg-connect-agent"

2021-07-06 Thread ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users
On 12021/04/26 02:64.27, Cheng Fei Phung via Gnupg-users wrote:
> Hi,
> 
> how do I set the default setting of using "echo RELOADAGENT |
> gpg-connect-agent"
> for [1]https://wiki.archlinux.org/title/Pass ?
> 
> References:
> 
> [1] https://wiki.archlinux.org/title/Pass

Why do you need to do that? This feels like an XY problem: 
https://en.wikipedia.org/wiki/XY_problem

Sincerely,

Chiraag
-- 
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his



Re: Detaching signature from signed object

2021-06-20 Thread ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users
On 12021/04/10 05:36.72, Matthew Richardson via Gnupg-users wrote:
> Is there any way in GnuPG to detach (or extract) a signature from a signed
> object?  For example, a signed object is created with:-
> 
> >gpg --armor --output signedfile.asc --sign inputfile.txt
> 
> where what is wanted is a detached signature which would verify against
> inputfile.txt.
> 
> This feature is in PGP 2:-
> 
> >pgp -sa inputfile.txt -o signedfile.asc
> >pgp -b signedfile.asc -o verified.txt
> 
> which also produces verified.pgp as the detached signature.  The feature is
> described (briefly) in the PGP 2 documentation thus:-
> 
> >To detach a signature certificate from a signed message:
> > pgp -b ciphertextfile
> 
> The reason for asking is that I operate a service [1], which currently used
> PGP 2, and which would benefit from more recent crypto, but which also uses
> "pgp -b" extensively.
> 
> Best wishes,
> Matthew
> 
> [1] http://www.itconsult.co.uk/stamper.htm
> 

I believe you're looking for the -sb option, which creates a detached signature.

HTH!

- Chiraag
-- 
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his



Re: keydb_search failed: Invalid argument

2021-06-03 Thread ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users
On 12021/03/32 08:63.22, NIIBE Yutaka wrote:
> Hello,
> 
> ಚಿರಾಗ್ ನಟರಾಜ್ wrote:
> > I'm getting this error/warning even when I just decrypt an encrypted
> > file using plain gpg.
> 
> If you keep using ~/.gnupg/pubring.gpg, I think this is the cause of
> your problem.
> 
> In this case, see this comment in the bug tracker of GnuPG:
> 
>   https://dev.gnupg.org/T5409#145906
> 
> To excerpt the solution from the comment, it's:
> --
> cd ~/.gnupg
> gpg --export-options backup --export >allkeys.gpg
> mv pubring.gpg pubring.gpg-saved
> gpg --import-options restore --import <allkeys.gpg
> rm allkeys.gpg
> --
> --

That worked perfectly, thank you!

Sincerely,

Chiraag
-- 
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his



keydb_search failed: Invalid argument

2021-05-31 Thread ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users
Hello!

I use Debian unstable+experimental. Debian unstable has gpg version 2.2.27, 
while Debian experimental has gpg version 2.3.1. I'm using gpg mainly in the 
context of pass (https://passwordstore.org), but also for encrypting files and 
such. Additionally, I use ProtonMail, and I have the bridge 
(https://protonmail.com/bridge) use pass to retrieve credentials.

With gpg version 2.2.27, everything works just fine - there are no warnings or 
errors and pass and ProtonMail bridge both work well. With gpg version 2.3.1, 
however, I run into a warning of "gpg: keydb_search failed: Invalid argument" 
whenever I attempt to decrypt a password with pass. pass also returns an error 
code of 2, which seems to be propagated from the gpg return value. Because of 
this, the ProtonMail bridge program believes that it was not able to retrieve 
the credentials and fails to load properly.

I saw another email on here with a "keydb_search: Broken pipe" message, but I 
wasn't sure if these are related or if there is something I have misconfigured. 
I don't really have control over how ProtonMail bridge calls pass, and I'm 
getting this error/warning even when I just decrypt an encrypted file using 
plain gpg.

Any help would be deeply appreciated!

Sincerely,

Chiraag
-- 
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his



Re: Email encryption within mailaccount

2021-03-14 Thread ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users
On 12021/01/32 05:75.34, Daniel Bossert wrote:
> Well, the company has a Microsoft online account, what I don't like at all. So
> I was searching for a solution
> 
> "ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users" wrote: (14 March 2021 18:30:12 CET)
> 
> On 12021/01/32 05:23.74, Daniel Bossert via Gnupg-users wrote:
> Hello
> 
> Is there a way that all mails (sent, incoming, draft) get encrypted 
> by default?
> 
> Regards
> Daniel
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
> 
> Sent: depends on whether you have the other person's public key. If you 
> don't, you can't encrypt to them...
> Received: Not generally. See below for what you probably want.
> Draft: Depends on the email client.
> 
> What you *probably* want is something like ProtonMail, where everything 
> is seamlessly encrypted before being stored. This means that all sent emails 
> are stored encrypted on *your* end (even if they were sent as unencrypted 
> emails to the other person or people). The same is true of drafts and 
> incoming email.
> 
> HTH!
> 
> - Chiraag
> 
> 
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.

That's a dangerous game, my friend. So this is for your work email, not for 
your personal email, right? In that case, I wouldn't bother with this. It's 
likely risky in terms of information disclosure and will likely raise flags 
(especially if you're the only one doing this...).

-- 
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his



Re: Email encryption within mailaccount

2021-03-14 Thread ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users
On 12021/01/32 05:23.74, Daniel Bossert via Gnupg-users wrote:
> Hello
> 
> Is there a way that all mails (sent, incoming, draft) get encrypted by 
> default?
> 
> Regards
> Daniel
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.

Sent: depends on whether you have the other person's public key. If you don't, 
you can't encrypt to them...
Received: Not generally. See below for what you probably want.
Draft: Depends on the email client.

What you *probably* want is something like ProtonMail, where everything is 
seamlessly encrypted before being stored. This means that all sent emails are 
stored encrypted on *your* end (even if they were sent as unencrypted emails to 
the other person or people). The same is true of drafts and incoming email.

HTH!

- Chiraag
-- 
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his



Re: gpg cards

2021-01-28 Thread ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users
On 12021/00/27 02:03.62, Philipp Schmidt wrote:
> Hello Everybody!
> 
> I have tried to something in the docs about this, but without success. For
> quite a while now, I am using a yubikey as gpg card and that is working really
> good. Since it is risky to have only one Key, I just purchased another one to
> create a clone of the first. So I went ahead and copied the very same keys from
> the backup to the second. But trying to actually use does not work, I get an
> error like: 'please insert card: […]' So.
> 
> What can I do to make gpg use the card as well (if possible) ?

Sorry, I don't know the answer to this one, since I've never tried it. One 
option is simply creating a separate key and encrypting to two distinct 
(sub)keys, which is what I would do. You don't want to have to get rid of 
_both_ keys if one is compromised in some way, and having two copies of the key 
makes it more likely that it will be compromised or lost or whatever.

> Another thing I would really love to know is: Is it possible to use the gpg
> card as smartcard for the system login as well? Right now I am using the PIV
> functionality of the yubikey, but would really prefer to use one system.
> Does anybody know if that is possible?

What I do is use my Yubikey for U2F so it functions as a secondary form of 
authorization. I do this for both login and screen unlocking using the 
libpam-u2f module. It looks like you can use libpam-poldi 
(http://www.g10code.com/p-poldi.html) if you want to use your Yubikey GPG key 
for primary authentication, but YMMV.

> Last but not least I am still on a quest for a setup to use Full Disk
> Encryption and Security Token to actually decrypt the Disk on boot.
> 
> Does anybody know if that is possible with a gpg card?

Possibly, but I haven't really looked into it.

> Thanks ahead for any kind of help.

Here's a bit of (unsolicited) advice: don't put all your eggs in one basket. I 
wouldn't use my GPG key to unlock my hard drive, log in, and decrypt 
_everything_ without having a foolproof way to get back in. In my case, for 
example, I use my Yubikey for everything as follows:

1. To unlock my LUKS-encrypted hard drives, I enter part of the passphrase from 
memory and use the yubikey for the rest. The data hard drive has a backup 
passphrase I never use since it's primarily unlocked by a keyfile stored in 
/root. The system hard drive has a backup passphrase that I don't ever use, but 
I also don't care since I can easily re-install the system.
2. To login, I use my Yubikey as U2F. Assuming I can get into my system HDD, I 
can always de-activate the U2F module to be able to get back in if my Yubikey 
fails.
3. I use my Yubikey as the primary key for pass, my password manager. I encrypt 
to a backup key that never leaves my laptop so I can still access the passwords 
should my Yubikey fail.

At *minimum*, you should have backup options for each thing you use the Yubikey 
for (assuming you don't want data loss). It's like with OTP codes - *always* 
save the backup codes :)

Sincerely,

Chiraag
-- 
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his



Re: WKD for GitHub pages

2021-01-11 Thread ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users
On 12021/00/10 04:42.21, Stefan Claas via Gnupg-users wrote:
> Not sure if Let's Encrypt issues such certs. If, I could set-up two droplets at
> Digital Ocean, a bob.300baud.de one and an alice.300baud.de one and see
> what happens.

Let's Encrypt does offer such certificates. You can generate using e.g.:

sudo certbot certonly --rsa-key-size 4096 --manual -d '*.domain.tld'

(editing parameters as necessary).

HTH!

- Chiraag
-- 
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his



Re: On future of GnuPG

2021-01-05 Thread ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users
On 12021/00/04 08:01.47, markus.ro...@neverbox.com wrote:
> 
> On 2021-01-05 Stefan Claas via Gnupg-users - gnupg-users@gnupg.org wrote:
> > ... but why are then SKS key servers
> > still in operation, which allows third parties to look up who signed
> > who's key and with what trust level and GnuPG's WoT support, compared
> > to sq and Hagrid?
> 
> The landscape has changed dramatically from the times when the
> original PGP fundamentals were introduced. Today, for any secure
> personal communication system to be of practical use, it must
> be designed from the ground up observing the following simple
> principle: *anonymity is the necessary condition of privacy*.

That depends heavily on your threat model, though. For many people, the goal 
isn't to keep their identity safe from the people they're talking with. Rather, 
the goal is to keep the contents of their messages safe from _everyone else_ 
(including CIA, NSA, shitty governments, etc).

In many ways, security and anonymity are at odds, since if I can't easily 
verify that  is the person they claim to be, I have no way of knowing if I'm 
telling them stuff they shouldn't know. While there are ways to ensure 
confidentiality and integrity of the *communication channel* while preserving 
anonymity, there isn't really a way of ensuring the integrity of the 
*conversation* while preserving anonymity. Pretty much any way of properly 
resolving this dilemma requires de-anonymizing both participants, and then 
we're right back where we started.

If, instead, we acknowledge that most use cases require integrity of the 
communication channel *and* the conversation, then we can use common 
identifiers (like phone numbers) or (mostly) verifiable identities (like GPG 
keys hosted on WKD) to ensure the integrity of the conversation (I say mostly 
verifiable because there's always a chance the domain is compromised and the 
keys are replaced). Once anonymity isn't really as much of a concern, we get 
things like Signal, which is decidedly *not* anonymous (with the exception of 
using VOIP numbers to sign up) but is most assuredly private (they don't know 
what you're saying and neither does anyone else, apart from the people you're 
messaging).

Regards,

Chiraag
-- 
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his



Re: Split private key in order to share among users

2020-12-20 Thread ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users
I believe you're talking about an implementation of Shamir's Secret Sharing 
Scheme. http://point-at-infinity.org// should do what you want.

- Chiraag
-- 
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his



Re: Announcing paperbackup.py to backup keys as QR codes on paper

2020-09-14 Thread ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users
Additionally, you can install paperkey from the Debian repos, which might do 
something similar?

HTH!

- Chiraag
-- 
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his

On 14/09/20 14:07, ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users wrote:
> You'll have to install python3-qrencode, not qrencode. All of the 
> dependencies should be in the form of python3- (or if that's not 
> available, install it through pip3).
> 
> Hope that helps!
> 
> - Chiraag
> --
> ಚಿರಾಗ್ ನಟರಾಜ್
> Pronouns: he/him/his
> 
> On 14/09/20 08:16, bexnews--- via Gnupg-users wrote:
> > Hello Friends,
> >
> > Ok I am no coder so I am trying to bungle my way thru setting up
> > paperbackup.py.
> >
> > My goal was to be able to print out a paper encrypted backup of a strong key
> > that I can use to encrypt data or other keys. I tried the Windows 
> > Paperbackup
> > from OllyDbg but it is older, on Windows (I'm on Linux atm) and was having a
> > hard time getting the roundtrip to work with my printer and scanner.
> > Paperbackup.py looked like a smart idea and I like the redundancy of the QR
> > code and text string outputs. I tried the usage instructions
> >
> > 1. the first issue was I think specifically you need to prefix 
> > "paperbackup.py"
> > with "python" correct?
> > 2. second issue was when I do #1 I get
> >
> > Traceback (most recent call last):
> >   File "paperbackup.py", line 35, in 
> >     import qrencode
> > ImportError: No module named qrencode
> >
> >
> > 3. I may be failing to install all the dependencies properly. I did  "sudo 
> > apt
> > install qrencode" and seems installed (qrencode version 3.4.4 Copyright (C)
> > 2006-2012 Kentaro Fukuchi), but no change in the ImportError in #2. Is there
> > some other way to "hook" qrencode into paperbackup.py? I tried putting it 
> > all
> > into the same folder but it doesn't seem to help.
> >
> > Thank you very much!
> > - bexnews
> >
> > Announcing paperbackup.py to backup keys as QR codes on paper
> >
> > Gerd v. Egidy [1]gerd.von.egidy at intra2net.com
> > Tue Feb 21 15:34:17 CET 2017
> >
> > Hi,
> >
> > I'd like to announce a program I wrote to backup GnuPG and SSH keys as
> > qrcodes on paper:
> >
> > paperbackup.py
> > [8]https://github.com/intra2net/paperbackup
> >
> > This is designed as fallback if all your regular backups failed to 
> > restore or
> > were lost.
> >
> > Usage is like this:
> >
> > gpg2 --armor --export "User Name" >key.asc
> > gpg2 --armor --export-secret-key "User Name" >>key.asc
> > paperbackup.py key.asc
> > paperrestore.sh key.asc.pdf | diff key.asc -
> > lpr key.asc.pdf
> >
> > You'll find all the details, reasoning and examples in the README.
> >
> > Kind regards,
> >
> > Gerd
> >
> >
> >
> >
> > References:
> >
> > [1] 
> > mailto:gnupg-users%40gnupg.org?Subject=Re%3A%20Announcing%20paperbackup.py%20to%20backup%20keys%20as%20QR%20codes%20on%20paper=%3C9664399.F7pj19RVc2%40thunder.m.i2n%3E
> > [2] https://lists.gnupg.org/pipermail/gnupg-users/2017-February/057787.html
> > [3] https://lists.gnupg.org/pipermail/gnupg-users/2017-February/057771.html
> > [4] 
> > https://lists.gnupg.org/pipermail/gnupg-users/2017-February/date.html#57765
> > [5] 
> > https://lists.gnupg.org/pipermail/gnupg-users/2017-February/thread.html#57765
> > [6] 
> > https://lists.gnupg.org/pipermail/gnupg-users/2017-February/subject.html#57765
> > [7] 
> > https://lists.gnupg.org/pipermail/gnupg-users/2017-February/author.html#57765
> > [8] https://github.com/intra2net/paperbackup

Re: Announcing paperbackup.py to backup keys as QR codes on paper

2020-09-14 Thread ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users
You'll have to install python3-qrencode, not qrencode. All of the dependencies 
should be in the form of python3- (or if that's not available, install it 
through pip3).

Hope that helps!

- Chiraag
-- 
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his

On 14/09/20 08:16, bexnews--- via Gnupg-users wrote:
> Hello Friends,
> 
> Ok I am no coder so I am trying to bungle my way thru setting up
> paperbackup.py.
> 
> My goal was to be able to print out a paper encrypted backup of a strong key
> that I can use to encrypt data or other keys. I tried the Windows Paperbackup
> from OllyDbg but it is older, on Windows (I'm on Linux atm) and was having a
> hard time getting the roundtrip to work with my printer and scanner.
> Paperbackup.py looked like a smart idea and I like the redundancy of the QR
> code and text string outputs. I tried the usage instructions
> 
> 1. the first issue was I think specifically you need to prefix 
> "paperbackup.py"
> with "python" correct?
> 2. second issue was when I do #1 I get
> 
> Traceback (most recent call last):
>   File "paperbackup.py", line 35, in 
>     import qrencode
> ImportError: No module named qrencode
> 
> 
> 3. I may be failing to install all the dependencies properly. I did  "sudo apt
> install qrencode" and seems installed (qrencode version 3.4.4 Copyright (C)
> 2006-2012 Kentaro Fukuchi), but no change in the ImportError in #2. Is there
> some other way to "hook" qrencode into paperbackup.py? I tried putting it all
> into the same folder but it doesn't seem to help.
> 
> Thank you very much!
> - bexnews
> 
> Announcing paperbackup.py to backup keys as QR codes on paper
> 
> Gerd v. Egidy [1]gerd.von.egidy at intra2net.com
> Tue Feb 21 15:34:17 CET 2017
>
> Hi,
> 
> I'd like to announce a program I wrote to backup GnuPG and SSH keys as
> qrcodes on paper:
> 
> paperbackup.py
> [8]https://github.com/intra2net/paperbackup
> 
> This is designed as fallback if all your regular backups failed to 
> restore or
> were lost.
> 
> Usage is like this:
> 
> gpg2 --armor --export "User Name" >key.asc
> gpg2 --armor --export-secret-key "User Name" >>key.asc
> paperbackup.py key.asc
> paperrestore.sh key.asc.pdf | diff key.asc -
> lpr key.asc.pdf
> 
> You'll find all the details, reasoning and examples in the README.
> 
> Kind regards,
> 
> Gerd
> 
> 
> 
> 
> References:
> 
> [1] 
> mailto:gnupg-users%40gnupg.org?Subject=Re%3A%20Announcing%20paperbackup.py%20to%20backup%20keys%20as%20QR%20codes%20on%20paper=%3C9664399.F7pj19RVc2%40thunder.m.i2n%3E
> [2] https://lists.gnupg.org/pipermail/gnupg-users/2017-February/057787.html
> [3] https://lists.gnupg.org/pipermail/gnupg-users/2017-February/057771.html
> [4] 
> https://lists.gnupg.org/pipermail/gnupg-users/2017-February/date.html#57765
> [5] 
> https://lists.gnupg.org/pipermail/gnupg-users/2017-February/thread.html#57765
> [6] 
> https://lists.gnupg.org/pipermail/gnupg-users/2017-February/subject.html#57765
> [7] 
> https://lists.gnupg.org/pipermail/gnupg-users/2017-February/author.html#57765
> [8] https://github.com/intra2net/paperbackup



Re: In case you use OpenPGP on a smartphone ...

2020-08-11 Thread ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users
Yubikey dealt with a mass recall only last year due to a bug in their firmware: 
https://www.engadget.com/2019-06-13-yubico-recalls-government-grade-security-keys-due-to-bug.html
-- 
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his

On 11/08/20 at 22:10, Stefan Claas wrote:
> 
> Johan Wevers wrote:
> 
> > On 11-08-2020 17:18, Stefan Claas wrote:
> >
> > >> Why hardware? If a bug is found you can't upgrade it easily.
> > >
> > > Because hardware can't be tampered with like software.
> >
> > If a hardware bug is found you're still lost. Even Apple has found out
> > the hard way.
> 
> Yes, you are right. While I am no programmer I would assume that designers
> of such little hardware devices, same as YubiKey or Nitrokey for example,
> do not have to deal with a boatload of large software components, burned
> into ROMS.
> 
> > >> On mobile, encrypted messengers are the norm. WhatsApp is the biggest,
> > >> and it uses Signal's encryption algorithm which is excellent.
> > >
> > > And you think that continuing with those is a good practice since
> > > Mr Snowden's YouTube Video was released?
> >
> > It is a risk, but not a bigger risk than someone taking over your pc or
> > laptop. Signal and GnuPG are both defenseless against that.
> 
> Yes, a risk, but at what price? I could imagine that many people do not
> care too much if it hurts journalists or activists from foreign countries.
> 
> But how about cybercrimes in general?
> 
> https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/
> 
> Regards
> Stefan
> 
> --
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion
> 



Re: In case you use OpenPGP on a smartphone ...

2020-08-11 Thread ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users
I suppose you're right. I'm wary of blindly believing videos, especially when 
faking them has become relatively easy at this point.

I think one thing both Android and iOS get wrong is that the user isn't really 
in control of the device. So many manufacturer ROMs have built-in bloatware and 
various apps you'll never use, and there's no way to get rid of it. There are 
different classes of apps with differing levels of access to the internals of 
the OS, and there isn't much you can do about it. And on iOS, you're at the 
mercy of Apple as to whether your device remains supported and whether e.g. 
bugs in WebKit (the only renderer available on iOS) get fixed for your device. 
While custom ROMs solve some of these issues, most phones are bought with a 
locked bootloader (since most people aren't rich enough to buy their 
smartphones outright and end up leasing them through the service provider), 
which sort of renders that argument moot for *most* people.

Fundamentally, while a Linux phone may not necessarily have all of the 
hardening or whatever that many Android phones come with today, I'd argue that 
the privacy aspects, and the fact that the user truly _owns_ their device, more 
than make up for those (current) deficiencies. It will be easier, I think, to 
defend against what you're talking about in terms of malware, shady links, and 
so on because you have the opportunity to control literally *everything* 
running on your device.

Once I get my PinePhone, one of the first things I will be doing is playing 
around with things like firejail to see if I can get seamless sandboxing for 
most programs (I already heavily utilize firejail on my laptop). And I suspect 
that level of control (and ability to keep receiving updates, no matter how old 
the phone) will put Linux phones over the top in terms of security.

Sincerely,

Chiraag
-- 
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his

On 11/08/20 at 19:32, Andrew Gallagher wrote:
> 
> It matters little whether these statements were made by Snowden. Whether a 
> particular piece of software exists or not, and whether it is owned by the 
> Russians or the Israelis or the Americans, is beside the point. In principle, 
> it can exist and similar pieces of software have existed in the past, so we 
> can safely assume that something like it will always exist in some form or 
> another.
> 
> If someone roots your phone, or your laptop, it is Game Over. It does not 
> matter if you are using Signal, or WhatsApp, or PGP. If the Bad Guys have 
> rooted your phone you are helpless against them. The solution is not to let 
> them root your phone in the first place (i.e. update regularly and don’t 
> click on anything unsolicited), and don’t use your phone for anything that 
> would endanger your life if you were rooted.
> 
> Andrew Gallagher
> 
> > On 11 Aug 2020, at 17:18, Stefan Claas  wrote:
> >
> > Please ask native U.S. citizens if this is a video with a faked voice from 
> > Mr. Snowden, not me.
> 



Re: In case you use OpenPGP on a smartphone ...

2020-08-11 Thread ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users

On 11/08/20 at 17:18, Stefan Claas wrote:
> 
> And you think that continuing with those is a good practice since
> Mr Snowden's YouTube Video was released?

I mean, don't you think it's odd that you can't find a single other source for 
those statements coming from Snowden? And don't you find it odd that Pegasus is 
claimed to be a Russian group, when in fact they're Israeli (showing a basic 
lack of care regarding factual statements that are easily verified or 
debunked)? I don't think Snowden would make that sort of mistake, and I would 
think we'd see a lot more articles or videos or whatever about this.

Is Pegasus dangerous? Absolutely. Do I take the claims in the video at face 
value? Not really, no. And I doubt that Snowden actually said all of those 
things as one coherent statement (although they might be various statements 
taken from various different interviews or speeches or whatever).

The whole veracity of the video rests on Snowden's authority, and I suspect the 
people who made the video are banking on people trusting it because it seems to 
come from Snowden.

Sincerely,

Chiraag



Re: In case you use OpenPGP on a smartphone ...

2020-08-10 Thread ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users

On 10/08/20 at 18:05, bereska wrote:
> Dear Chiraag,
> 
> I've been thinking of a similar setup with my GPG keys on a smart card
> to encrypt/decrypt data on my android phone.
> Could you be more specific about your setup?
> 
> thank you
> Dmitry

Hi Dmitry,

I created a tutorial a while back on my website for setting this stuff up: 
https://chiraag.me/passwords/index.php

Let me know if you have questions or if anything's unclear!

Best,

Chiraag



Re: In case you use OpenPGP on a smartphone ...

2020-08-10 Thread ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users
On 10/08/20 at 09:07, Stefan Claas wrote:
> 
> Matthias Apitz wrote:
> 
> > On Sunday, August 09, 2020 at 10:06:13 p.m. +0200, Stefan Claas wrote:
> >
> > > > This article showed up today, when I did a Google search again:
> > > >
> > > > 
> > > >
> > > > Trustworthy source.
> > >
> > > Mmmhhh, it is getting 'better and better' for smartphone users.
> > >
> > > https://www.androidauthority.com/government-tracking-apps-1145989/
> > >
> >
> > One can use a Linux mobile phone running UBports.com (as I and all my family do)
> > or the upcoming Puri.sm L5 (as I pre-ordered in October 2017).
> 
> Yes, people gave me already (not from here of course) good advice for other OSs
> which one can use. The question is how long will those OSs be unaffected ...
> 
> > Stop whining, stand up and fight and protect yourself.
> 
> I am not whining ... I only wanted to let the people know. Also very
> interesting that only one person in this thread replied, besides you ...

I was wary of storing my private GPG keys on my phone (if only because of 
theft/loss/etc), so I set up my keys on a Yubikey and use that to decrypt stuff 
on my phone. From what I understand, even if they were to obtain secrets 
decrypted by the Yubikey or exfiltrate private files, they would not be able to 
actually decrypt them given that the key resides on the Yubikey (if the private 
key were on the phone itself, they'd "just" have to crack the passphrase or 
whatever, which would presumably be much easier...).

Just another way to mitigate the risk of stuff like this.

Sincerely,

Chiraag



Re: In case you use OpenPGP on a smartphone ...

2020-08-07 Thread ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users
Isn't the NSO group Israeli, not Russian as claimed in the video? 
https://en.wikipedia.org/wiki/NSO_Group

Sincerely,

Chiraag
-- 
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his

On 07/08/20 at 16:12, Stefan Claas wrote:
> 
> Stefan Claas wrote:
> 
> > ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users wrote:
> >
> > > Is it possible to link the original source material (Snowden's speech or 
> > > interview or whatever) rather than this video which
> > > could, for example, be a montage of several different speeches or 
> > > interviews?
> > >
> > > Sincerely,
> > >
> > > Chiraag
> >
> > Apologies, I currently have no other sources, wish I had.
> 
> P.S. I also sent a message to Mr Snowden via Twitter, but
> I doubt he will see this, because of his over 4 Million
> followers, which might write him too.
> 
> And yesterday I wrote an email to NSO group, asking if
> their latest release of Pegasus is capable of doing
> this. But no reply yet ...
> 
> Regards
> Stefan
> 
> --
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion
> 



Re: In case you use OpenPGP on a smartphone ...

2020-08-07 Thread ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users
Is it possible to link the original source material (Snowden's speech or 
interview or whatever) rather than this video which could, for example, be a 
montage of several different speeches or interviews?

Sincerely,

Chiraag
-- 
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his

On 07/08/20 at 13:35, Stefan Claas wrote:
> 
> ... you may like to check out Mr. Snowden's YouTube video:
> 
> https://www.youtube.com/watch?v=wltrint1JrA
> 
> Regards
> Stefan
> 
> --
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion
> 



Clearing cached PIN for Yubikey

2020-08-05 Thread ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users
Hello!

I was attempting to figure out what the 'canonical' way of clearing a Yubikey's 
cached PIN is. I adjusted the default-cache-ttl and max-cache-ttl values in 
gpg-agent.conf to no effect. I also attempted to use card-timeout (even though 
it was clear from searching around that it was probably useless).

I know there's a setting to force (or not force) entering a PIN for signing in 
gpg --edit-card, but there doesn't seem to be a corresponding option for 
forcing a PIN for decryption.

Obviously I can just yank out my Yubikey or restart the agent (systemctl --user 
restart gpg-agent) and get the desired effect (although echo RELOADAGENT | 
gpg-connect-agent *doesn't* achieve the same thing...), but I'd like to find 
another option if available.

Here is the output of gpg --version:

gpg (GnuPG) 2.2.20
libgcrypt 1.8.6
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/chiraag/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

I'm running Debian sid/experimental and use systemd as my init system and 
service manager, if that impacts anything.

Thank you very much for any tips and/or pointers!

Sincerely,

Chiraag
-- 
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his

