Re: Why is there a conflict?
On 1/16/2021 3:18 AM, Stefan Claas wrote:
> On Sat, Jan 16, 2021 at 11:57 AM Stefan Claas wrote:
>> On Sat, Jan 16, 2021 at 11:34 AM Ayoub Misherghi via Gnupg-users wrote:
>>> The intention is to sign and encrypt "data.file" producing a detached signature file.
>>>
>>> a@b:c$ gpg -s -e -b -r Mike data.file
>>> gpg: conflicting commands
>>>
>>> Why is there a conflict? I do not want to produce an attached signature.
>>
>> You use -s and -b, try 'gpg -a -b -e file'
>
> You can shorten this like: 'gpg -aber Mike data.file' (cool German word 'aber' :-)
>
> Regards
> Stefan

gpg -aber data.file produced "data.file.asc" and no "data.file.sig"

Thanks,
Ayoub

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why is there a conflict?
a@b:c$ gpg -e -b -r Mike data.file

produced "data.file.sig" and no "data.file.gpg"

Thanks,
Ayoub

On 1/16/2021 2:53 AM, Dmitry Gudkov wrote:
> Just get rid of -s
>
> On Jan 16, 2021 12:35, Ayoub Misherghi via Gnupg-users wrote:
>> The intention is to sign and encrypt "data.file" producing a detached signature file.
>>
>> a@b:c$ gpg -s -e -b -r Mike data.file
>> gpg: conflicting commands
>>
>> Why is there a conflict? I do not want to produce an attached signature.
>>
>> Ayoub
Why is there a conflict?
The intention is to sign and encrypt "data.file" producing a detached signature file.

a@b:c$ gpg -s -e -b -r Mike data.file
gpg: conflicting commands

Why is there a conflict? I do not want to produce an attached signature.

Ayoub
Re: How can I add encrypted comments.
On 1/14/2021 10:37 AM, ved...@nym.hush.com wrote:
> On 1/14/2021 at 4:47 AM, "Ayoub Misherghi via Gnupg-users" wrote:
>> I am encrypting and signing documents with myself as the receiver. Nobody else will want to look inside them. Is it possible to add encrypted comments or other information to a separated signature file; and later retrieve this additional information? I want to be able to decrypt the signature file alone and retrieve all the information I put inside it.
>
> =
>
> Not exactly, but functionally, yes, it can be done.
>
> [1] Armor the signature file ( gpg --armor filename.sig ) this outputs to filename.sig.asc
>
> [2] Armor your encrypted comments, and copy them to the end of the filename.sig.asc, (leave one blank line between the pgp footer of the signature file, and the pgp header of the encrypted file)
>
> [3] Save the whole thing as filename.sig.asc
>
> [4] gpg filename.sig.asc will automatically verify the sig if the original signed file 'filename' is present, and also decrypt the added comments
>
> vedaal
>
> =

I have the concern that if this is not part of GPG, future versions of GPG may not allow it; leaving me in the lurch.

I have these questions:

[Q1] Does this mean "filename.sig.asc" will still be decrypted if "filename" is not present?

[Q2] Is there a reason why the functionality is missing from GPG?

[Q3] The references I find on the internet are directed at users of GPG and not developers of applications of GPG, can you please direct me to references that show me things like the format of the signature file, armor and not?

Thanks,
Ayoub
Re: How can I add encrypted comments.
On 1/14/2021 11:52 AM, Stefan Claas wrote:
> On Thu, Jan 14, 2021 at 8:16 PM Stefan Claas wrote:
>>
>> On Thu, Jan 14, 2021 at 10:46 AM Ayoub Misherghi via Gnupg-users wrote:
>>>
>>> I am encrypting and signing documents with myself as the receiver. Nobody else will want to look inside them. Is it possible to add encrypted comments or other information to a separated signature file; and later retrieve this additional information? I want to be able to decrypt the signature file alone and retrieve all the information I put inside it.
>>
>> You can add Comments: to a detached signature, yes, but beware that these
>> encrypted content must be separated for each comment line.
>>
>> I have not tested this yet, but you could with a shell script use some format
>> or length preserving encryption software, like Google's Adiantum with a base64
>> encoder and then would have the smallest possible symmetrically encrypted
>> output for a message as Comment: line. You can do this also manually
>> of course as much as you wish because it does not invalidate the signature.
>>
>> Hope this helps a bit.
>
> Here is a quick manually inline sig.
>
> First message with GnuPG symmetric content in Comment lines
> and second same message with Google's Adiantum+base64
>
> You see the difference, what I mean with format preserving.
>
> Hello World! :-) Regards Stefan
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello World! :-)
>
> Regards
> Stefan
> -----BEGIN PGP SIGNATURE-----
> Comment: vHgPAUzXglLiVFelwf0jjUzXCNIqSrinvNhjF+JRkd8K
>
> iHUEARYIAB0WIQR61Pk5PUF7u6Rs+mem3tVibXmEGgUCYACeDgAKCRCm3tVibXmE
> Gpk6AP98iXZb8gd0NDvOllByTHkrcQvQluXd/db1c5u+skm90gEAj5c991XdP5s5
> clB9wwK9G8XoCDJnhfMLWljuvjCM8Ac=
> =XJXL
> -----END PGP SIGNATURE-----
>
> Regards
> Stefan

Yes I see, thanks. You went at length to help me. Can you please point me to a reference that discusses the standard format of the signature file? I might do something silly.

Best regards,
Ayoub
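Both vedaal's stacking of a second armored block behind the signature and Stefan's Comment: lines rely on the ASCII armor layout of RFC 4880 section 6, which is also the reference for the signature file format Ayoub asks about. The following is an added example, not code from the posts or from GnuPG: it splits a stacked .asc file into its blocks, keeps every Comment: header in order and checks each block's CRC-24 trailer; the sample file, its payload bytes and the Comment values are constructed and are not real OpenPGP packets or ciphertext.

```python
# Split a stacked .asc file into its armored blocks and check each block.
# Added example, not GnuPG code and not from the posts; layout per RFC 4880
# section 6: BEGIN line, headers such as Comment:, blank line, radix-64 body,
# '=XXXX' CRC-24 trailer, END line.
import base64
import re
from typing import List, NamedTuple, Optional, Tuple

CRC24_INIT = 0xB704CE   # RFC 4880, section 6.1
CRC24_POLY = 0x1864CFB
BEGIN_RE = re.compile(r"^-----BEGIN PGP ([A-Z ]+)-----$")
END_RE = re.compile(r"^-----END PGP ([A-Z ]+)-----$")


class ArmorBlock(NamedTuple):
    kind: str                       # "SIGNATURE", "MESSAGE", ...
    headers: List[Tuple[str, str]]  # armor headers in order; Comment: may repeat
    payload: bytes                  # decoded radix-64 body (the OpenPGP packets)
    crc_ok: bool                    # True if the '=XXXX' trailer matched the body


def crc24(data: bytes) -> int:
    """CRC-24 exactly as the RFC 4880 reference code computes it."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def crc24_trailer(data: bytes) -> str:
    """The '=XXXX' line gpg writes after the radix-64 body."""
    return "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()


def build_armor(kind: str, headers: List[Tuple[str, str]], payload: bytes) -> str:
    """Wrap payload in armor (sample construction only; gpg --armor does the real thing)."""
    lines = [f"-----BEGIN PGP {kind}-----"] + [f"{k}: {v}" for k, v in headers] + [""]
    body = base64.b64encode(payload).decode()
    lines += [body[i:i + 64] for i in range(0, len(body), 64)]
    lines += [crc24_trailer(payload), f"-----END PGP {kind}-----"]
    return "\n".join(lines) + "\n"


def split_armor(text: str) -> List[ArmorBlock]:
    """Every radix-64 armored block (not clearsigned text) in file order; text
    between blocks is ignored, a missing or mismatched END line raises."""
    blocks: List[ArmorBlock] = []
    lines = [ln.rstrip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        begin = BEGIN_RE.match(lines[i])
        i += 1
        if not begin:
            continue
        kind = begin.group(1)
        headers: List[Tuple[str, str]] = []
        while i < len(lines) and lines[i]:        # headers end at the blank line
            key, sep, value = lines[i].partition(":")
            if not sep:
                raise ValueError(f"malformed armor header: {lines[i]!r}")
            headers.append((key.strip(), value.strip()))
            i += 1
        i += 1                                     # skip the blank separator
        body: List[str] = []
        trailer: Optional[str] = None
        while True:
            if i >= len(lines):
                raise ValueError(f"unterminated PGP {kind} block")
            line = lines[i]
            i += 1
            end = END_RE.match(line)
            if end:
                if end.group(1) != kind:
                    raise ValueError(f"BEGIN {kind} closed by END {end.group(1)}")
                break
            if line.startswith("="):   # body lines hold whole 4-char groups, so
                trailer = line         # only the CRC line can start with '='
            elif line:
                body.append(line)
        payload = base64.b64decode("".join(body), validate=True)
        blocks.append(ArmorBlock(kind, headers, payload,
                                 trailer == crc24_trailer(payload)))
    return blocks


# Constructed sample in the shape the thread describes: a detached signature
# carrying ciphertext in two Comment: headers, a blank line, then an encrypted
# message appended behind it. The payloads are made up, not OpenPGP packets.
STACKED_ASC = (
    build_armor("SIGNATURE", [("Comment", "constructed-ciphertext-line-1"),
                              ("Comment", "constructed-ciphertext-line-2")],
                b"\x88\x75constructed-signature-packet")
    + "\n" + build_armor("MESSAGE", [], b"\x8c\x0dconstructed-encrypted-comment")
)
```

A tampered body still base64-decodes, so the CRC check is what catches the edit; a real verification of the signature or decryption of the message is still gpg's job.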
How can I add encrypted comments.
I am encrypting and signing documents with myself as the receiver. Nobody else will want to look inside them. Is it possible to add encrypted comments or other information to a separated signature file; and later retrieve this additional information? I want to be able to decrypt the signature file alone and retrieve all the information I put inside it.

Thanks,
Ayoub
Re: Protecting encryption server
You are absolutely right. I am naive; but I am learning. A time will come when I will involve experts formally, and what I am learning here will help me talk and plan more intelligently.

You are also right on another account. I have not defined the problem for you sufficiently. Even though I have stated on the list that internal threat is probably greater than external threat, most of the responses seem to me to address external threat. I will find a way of giving you more information, preserving confidentiality where necessary.

Ayoub
"encrypted with 1 passphrase"
gpg says "encrypted with 1 passphrase". Are there situations where a message gets encrypted with multiple passphrases?

ayoub@vboxpwfl:~/testdir$ ls
textfile
ayoub@vboxpwfl:~/testdir$ gpg --passphrase onetwothree --symmetric textfile
ayoub@vboxpwfl:~/testdir$ ls
textfile  textfile.gpg
ayoub@vboxpwfl:~/testdir$ gpg --passphrase onetwothree -o textfile.dcr -d textfile.gpg
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
ayoub@vboxpwfl:~/testdir$ ls
textfile  textfile.dcr  textfile.gpg
ayoub@vboxpwfl:~/testdir$
ayoub@vboxpwfl:~/sentry/trunk$ diff textfile textfile.dcr
ayoub@vboxpwfl:~/sentry/trunk$
Re: Protecting encryption server
It has its merits; the drawback with this is the added network traffic, the additional crunch power and the numerous servers. (I know, nothing comes for free, everything comes at a price.) Adding unpredictable randomness at different levels is a good measure, definitely.

These are strategies to protect or mitigate risk coming from external unfriendliness. There exists probably worse risk coming from inside; the operators and admins; that is probably a bigger risk that is harder to alleviate.

I am learning from all the responses, even though it may seem otherwise. I am listening and you people are doing more than talking. I am grateful. Thanks everybody; keep it coming.

Ayoub

On 7/28/2020 2:45 PM, Denis BEURIVE wrote:
> I think of another way to make things harder for a hacker.
Re: Protecting encryption server
I understand. I do not expect to solve these problems over here, but I am getting useful suggestions and yours is one of them. It may seem a little to you but I find the responses enlightening. You are probably concerned that I may not get adequate returns for the time I spend here: I appreciate that. That is a mark of a good character you have. Although it has not been my intention to advertise, I got a few good responses off list as a side effect.

I will engage people formally as you suggest when the time comes for it. Before that happens, I am coding a prototype right now that is not going to be inadequate; but all this will help me arrive at a better understanding, help demonstrate basic ideas and hopefully prepare me and others for the production of better specifications, better action and better product.

I apologize if I am encroaching.

Thanks,
Ayoub

On 7/28/2020 5:17 PM, raf via Gnupg-users wrote:
> You might be asking in the wrong place. We can suggest helpful things like vetting staff, hardware security
Re: Protecting encryption server
A human environment went insane and uncontrollable. The system is intended to bring sanity back and maintain it.

Client programs access server(s) for real-time encryption or decryption. Network of servers that may be located at different geographic locations. Each server would need keys that need to be protected. The servers are in a hierarchy communicating with each other securely as needed.

Horrible environment to protect. Server design may need to be specialized with immunity to tampering and abuse. Operator and admin may need to be on constant monitoring/surveillance with biometric ID. Equipment may need to be identifiable and be under constant monitoring and surveillance.

Grateful for all suggestions. Keep them coming. I have a lot to learn.

Ayoub
Protecting encryption server
I am going to have a server machine doing encryption. How do you protect against server operator or admin tampering? This is a scenario where internal threat or hostility is high; you cannot trust your own guys. (Real situation; not paranoid.)

Thanks,
Ayoub
Non printable ASCII characters in pass phrase.
Is it safe to have non printable ASCII characters in the pass phrase?
Re: "skipped: Unusable public key"
If it is not in my machine I do not know where it is. I did not export it. I did not share it or put it on any server.

On 7/27/2020 4:51 PM, Philihp Busby wrote:
> It appears that 3C5B212A55B966881E2D2718A45398B520BEE91E does not have the [E] usage for encryption, nor does it have any subkeys with that usage. This subkey would have been created by default when the master key was created. See if you can recover it? From your prior message on 2020-07-13, it has the ID F2A76096E857E2AF607DD144D17AA44F49BB5A08.
"skipped: Unusable public key"
Not obvious to me why that is happening:

ayoub@vboxpwfl:~/testdir$ ls
textfile
ayoub@vboxpwfl:~/testdir$ gpg -r sentry -e textfile
gpg: sentry: skipped: Unusable public key
gpg: textfile: encryption failed: Unusable public key
ayoub@vboxpwfl:~/testdir$ gpg --list-keys
/home/ayoub/.gnupg/pubring.kbx
------------------------------
pub   ed25519 2020-07-09 [SC] [expires: 2020-09-25]
      3C5B212A55B966881E2D2718A45398B520BEE91E
uid           [ultimate] sentry
pub   ed25519 2020-07-09 [SC] [expires: 2021-07-09]
      7A675D7F52BC905C22F8249091556BC29D4C595E
uid           [ultimate] develop1
sub   cv25519 2020-07-09 [E] [expires: 2021-07-09]

ayoub@vboxpwfl:~/testdir$ gpg --list-secret-keys
/home/ayoub/.gnupg/pubring.kbx
------------------------------
sec   ed25519 2020-07-09 [SC] [expires: 2020-09-25]
      3C5B212A55B966881E2D2718A45398B520BEE91E
uid           [ultimate] sentry
sec   ed25519 2020-07-09 [SC] [expires: 2021-07-09]
      7A675D7F52BC905C22F8249091556BC29D4C595E
uid           [ultimate] develop1
ssb   cv25519 2020-07-09 [E] [expires: 2021-07-09]

ayoub@vboxpwfl:~/testdir$
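The listing above shows why "sentry" is skipped: it has a primary key with usage [SC] and no [E] subkey, exactly what Philihp points out in his reply, whereas "develop1" has a cv25519 subkey with [E]. The following is an added check, not GnuPG code and not from the thread, that reads a gpg --list-keys listing and reports each key gpg would skip as a recipient, covering the missing-[E] case as well as an expired [E] subkey or an expired primary key; the listing it uses is the one from this post plus a constructed third key with an all-zero placeholder fingerprint, and gpg's own decision also weighs revocation and validity, which this check does not see.

```python
# Explain "skipped: Unusable public key" from a gpg --list-keys listing by
# checking each key for a live encryption-capable component. Added example,
# not GnuPG code: it reads only the usage flags and expiry dates gpg prints.
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

COMPONENT_RE = re.compile(
    r"^(pub|sub|sec|ssb)\s+(\S+)\s+(\d{4}-\d{2}-\d{2})\s+\[([A-Z]+)\]"
    r"(?:\s+\[(expires|expired): (\d{4}-\d{2}-\d{2})\])?")
UID_RE = re.compile(r"^uid\s+\[\s*\w+\]\s+(.+)$")     # "uid   [ultimate] sentry"
FPR_RE = re.compile(r"^\s*([0-9A-F]{40})\s*$")        # indented fingerprint line


@dataclass
class Component:
    role: str                # pub/sub (or sec/ssb in a secret-key listing)
    algo: str
    usage: str               # letters inside [..]: S sign, C certify, E encrypt, A auth
    expires: Optional[date]  # None when the component does not expire


@dataclass
class Key:
    fingerprint: str = ""
    uids: List[str] = field(default_factory=list)
    components: List[Component] = field(default_factory=list)  # primary first


def parse_listing(text: str) -> List[Key]:
    """Group the pub/sub (or sec/ssb), fingerprint and uid lines into keys."""
    keys: List[Key] = []
    for line in text.splitlines():
        m = COMPONENT_RE.match(line)
        if m:
            role, algo, _created, usage, _, exp = m.groups()
            comp = Component(role, algo, usage, date.fromisoformat(exp) if exp else None)
            if role in ("pub", "sec"):          # a primary key starts a new record
                keys.append(Key(components=[comp]))
            elif keys:
                keys[-1].components.append(comp)
            continue
        m = FPR_RE.match(line)
        if m and keys and not keys[-1].fingerprint:
            keys[-1].fingerprint = m.group(1)
            continue
        m = UID_RE.match(line)
        if m and keys:
            keys[-1].uids.append(m.group(1).strip())
    return keys


def encryption_problem(key: Key, today: date) -> Optional[str]:
    """None if gpg could encrypt to this key; otherwise why it would be skipped."""
    def expired(c: Component) -> bool:
        return c.expires is not None and c.expires < today
    primary = key.components[0]
    if expired(primary):
        return f"primary key expired on {primary.expires}"
    enc = [c for c in key.components if "E" in c.usage]   # primary counts too
    if not enc:
        return "no encryption-capable [E] key or subkey"
    if all(expired(c) for c in enc):
        return "every [E] subkey has expired"
    return None


def unusable_recipients(listing: str, today_iso: str) -> Dict[str, str]:
    """Map each user ID (or the fingerprint, if the key has none) that gpg
    would skip as a recipient to the reason."""
    today = date.fromisoformat(today_iso)
    result: Dict[str, str] = {}
    for key in parse_listing(listing):
        reason = encryption_problem(key, today)
        if reason:
            for name in key.uids or [key.fingerprint]:
                result[name] = reason
    return result


# The listing from the post above, plus a constructed third key (all-zero
# placeholder fingerprint) whose only [E] subkey has already expired.
LISTING = """\
/home/ayoub/.gnupg/pubring.kbx
------------------------------
pub   ed25519 2020-07-09 [SC] [expires: 2020-09-25]
      3C5B212A55B966881E2D2718A45398B520BEE91E
uid           [ultimate] sentry
pub   ed25519 2020-07-09 [SC] [expires: 2021-07-09]
      7A675D7F52BC905C22F8249091556BC29D4C595E
uid           [ultimate] develop1
sub   cv25519 2020-07-09 [E] [expires: 2021-07-09]
pub   ed25519 2020-01-01 [SC] [expires: 2025-01-01]
      0000000000000000000000000000000000000000
uid           [ultimate] stale-subkey (constructed)
sub   cv25519 2020-01-01 [E] [expired: 2020-07-01]
"""
```

For scripting against real keyrings, gpg's --with-colons output is the stable machine-readable form; the human-readable layout parsed here is the one shown in the post.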
Re: Why is there no secret key?
With API I mean something like GPGME.

This is what came across to me:

1) It is preferable to have "--batch" on command line even in unattended operation; and not in the gpg.conf file?
2) --pinentry-mode when needed goes in gpg.conf
3) --allow-loopback-pinentry when needed goes in gpg-agent.conf

New related question: Is it true that command line parameters only go to gpg and gpg-agent?

Ayoub
Re: Why is there no secret key?
The same thing happens when I give the option --no-batch on the command line.

The problem seems to have gone away when I moved the config option pinentry-mode loopback to the $HOME/.gnupg/gpg.conf from the $HOME/.gnupg/gpg-agent.conf

In the final version when development ends, I am going to have "no-batch" in the config because the final version works non-interactively (and through the API.) That is why I have it in the config now.

Thanks guys,
Ayoub
Re: Newbie question.
Sorry for seeming to be "spreading unjustified accusations". What I said was meant to encourage that sort of "benign tyranny", I was not complaining; or at least that was not my intention.

Thank you for explaining how the list works.

Ayoub

On 7/27/2020 2:08 AM, Werner Koch wrote:
> On Sun, 26 Jul 2020 12:59, Ayoub Misherghi said:
>> The moderators on this list (I do not know who they are) have been tyrannical excluding some of my posts; I am not bitter or resentful. I
>
> This mailing list is not moderated and thus your posts are not excluded by any moderator. The only automatic rejection we have are for too long posts. In some very rare cases we set the moderation flag for a specific user but that is announced on the list. I just checked that it is not the case for you. What our helpful moderators are mainly doing is to allow posts from non-subscribers.
>
> Please calm down and don't spread unjustified accusations.
>
> Salam-Shalom,
> Werner
Deleting or renaming $HOME/.gnupg
What will happen to gpg if I rename $HOME/.gnupg and start a new $HOME/.gnupg? I have not shared any of the keys and starting anew will not have any consequences to me or anybody else. What will it do to the gnupg? Will it allow me to get on with my work while at the same time be able to revert back to the old configs by renaming directories, just to answer questions from the list trying to help me? Will this scenario work?

Thanks,
Ayoub
Re: Why is there no secret key?
I am not asked for pass phrase. The following lines show you what I have in the ".conf-file"

###
###
#
# Lines uncommented in $HOME/.gnupg/gpg-agent.conf
log-file $HOME/gpg-log.txt
# The same thing happens when I comment this line out
allow-loopback-pinentry
batch

###
###
# Lines uncommented in $HOME/.gnupg/gpg.conf
batch
require-secmem
no-greeting

Ayoub

On 7/26/2020 2:49 AM, Peter Lebbing wrote:
> On 20/07/2020 20:25, Ayoub Misherghi via Gnupg-users wrote:
>> gpg: decryption failed: No secret key
>
> Are your gpg.conf and gpg-agent.conf (or let's just say any .conf-file in your GnuPG home, ~/.gnupg) empty? Do you get a pinentry popup asking for a passphrase?
>
> Peter.
Re: Newbie question.
I understand it can be frustrating, especially if nobody has a deciding vote or veto power or moderator power. Someone should have veto power and anybody with other ideas can always fork and do his own thing. That way it may probably work. A tyrant can stay on course and others fork and be their own tyrant and are free to produce something better.

The moderators on this list (I do not know who they are) have been tyrannical excluding some of my posts; I am not bitter or resentful. I have to live up to standard and my posts have to be kind and gentle so as not to burden those trying to help me for free; and amenable to support by helping whoever is helping me. If there was no tyrant I could have caused nuisance.

Documentation needs a tyrant too.

On 7/26/2020 12:01 PM, Robert J. Hansen wrote:
>> How about collective and cooperative effort in a wiki, or cloud funding pledges or donations? Those who contribute (money or effort) get privilege of some kind.
>
> I am very pessimistic about the idea of collective effort. What experience has taught me from working on the FAQ is that a small number of people with extreme ideas speak up the loudest, and the vast majority of users who are calm and reasonable speak up barely at all.
Re: Newbie question.
How about collective and cooperative effort in a wiki, or cloud funding pledges or donations? Those who contribute (money or effort) get privilege of some kind.

On 7/26/2020 2:48 AM, Peter Lebbing wrote:
> On 12/07/2020 20:01, Ayoub Misherghi wrote:
>> Can you please suggest some good tutorial and reference material preferably free (probably mutually exclusive requirements) that will bring me up to your level or close to it please.
>
> No, I think the available documentation is lacking in quality. And on the other hand there's a lot of bad advice on websites. It's an unfortunate situation, but few people enjoy writing good documentation. It is a very laborious process.
>
> Sorry I can't be of better assistance.
>
> Peter.
gpg: make_keysig_packet failed: End of file
What am I doing wrong?

ayoub@vboxpwfl:~/sentry/trunk$ gpg --list-keys
/home/ayoub/.gnupg/pubring.kbx
------------------------------
pub   ed25519 2020-07-09 [SC] [expired: 2020-07-19]
      3C5B212A55B966881E2D2718A45398B520BEE91E
uid           [ expired] sentry
pub   ed25519 2020-07-09 [SC] [expires: 2021-07-09]
      7A675D7F52BC905C22F8249091556BC29D4C595E
uid           [ultimate] develop1
sub   cv25519 2020-07-09 [E] [expires: 2021-07-09]

ayoub@vboxpwfl:~/sentry/trunk$ gpg --list-secret-keys
/home/ayoub/.gnupg/pubring.kbx
------------------------------
sec   ed25519 2020-07-09 [SC] [expired: 2020-07-19]
      3C5B212A55B966881E2D2718A45398B520BEE91E
uid           [ expired] sentry
sec   ed25519 2020-07-09 [SC] [expires: 2021-07-09]
      7A675D7F52BC905C22F8249091556BC29D4C595E
uid           [ultimate] develop1
ssb   cv25519 2020-07-09 [E] [expires: 2021-07-09]

ayoub@vboxpwfl:~/sentry/trunk$ gpg --no-batch --edit-key 3C5B212A55B966881E2D2718A45398B520BEE91E
Secret key is available.

sec  ed25519/A45398B520BEE91E
     created: 2020-07-09  expired: 2020-07-19  usage: SC
     trust: ultimate      validity: expired
ssb  cv25519/D17AA44F49BB5A08
     created: 2020-07-09  expired: 2020-07-19  usage: E
[ expired] (1). sentry

gpg> expire
Changing expiration time for the primary key.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2m
Key expires at Wed 23 Sep 2020 07:50:43 PM PDT
Is this correct? (y/N) y
gpg: signing failed: End of file
gpg: make_keysig_packet failed: End of file
gpg> q
ayoub@vboxpwfl:~/sentry/trunk$
Re: Documentation.
I wish I knew. There are gaps in my knowledge of it and I do not know what those gaps include. I have not seen a proper overview to be able to tell what I am missing. I would say I need a comprehensive overview first. With that I would know what my gaps are and be able to educate myself, or it would make it possible for you to steer me.

Thanks,

On 7/23/2020 7:50 AM, john doe wrote:
> On 7/23/2020 1:44 AM, Ayoub Misherghi via Gnupg-users wrote:
>> Hi,
>>
>> I find documentation lacking, both free and commercial. Are there any efforts to remedy this? If I am wrong, can anybody please show me where I can get a good tutorial and good reference material please?
>
> What are you looking for that is not online?
>
> --
> John Doe
Documentation.
Hi,

I find documentation lacking, both free and commercial. Are there any efforts to remedy this? If I am wrong, can anybody please show me where I can get a good tutorial and good reference material please?

Ayoub
Why is there no secret key?
ayoub@vboxpwfl:~/testdir$ ls
textfile
ayoub@vboxpwfl:~/testdir$ gpg -r develop1 -e textfile
ayoub@vboxpwfl:~/testdir$ ls
textfile  textfile.gpg
ayoub@vboxpwfl:~/testdir$ gpg -u develop1 -o textfile.dcr -d textfile.gpg
gpg: encrypted with 256-bit ECDH key, ID 367BD2210D4E904D, created 2020-07-09
      "develop1"
gpg: public key decryption failed: End of file
gpg: decryption failed: No secret key
ayoub@vboxpwfl:~/testdir$ gpg --list-secret-keys
/home/ayoub/.gnupg/pubring.kbx
------------------------------
sec   ed25519 2020-07-09 [SC] [expired: 2020-07-19]
      3C5B212A55B966881E2D2718A45398B520BEE91E
uid           [ expired] sentry
sec   ed25519 2020-07-09 [SC] [expires: 2021-07-09]
      7A675D7F52BC905C22F8249091556BC29D4C595E
uid           [ultimate] develop1
ssb   cv25519 2020-07-09 [E] [expires: 2021-07-09]

ayoub@vboxpwfl:~/testdir$
Is this supposed to happen?
Is this supposed to happen?

ayoub@vboxpwfl:~/testdir$ ls
textfile  textfile.dcr  textfile.gpg
ayoub@vboxpwfl:~/testdir$ gpg -r sentry -e
[unprintable binary output]
gpg: signal Interrupt caught ... exiting
ayoub@vboxpwfl:~/testdir$
Re: Newbie question.
It is working now. The problem was in gpg-agent.conf that I forgot about. I did not do a re-install. I learned from this list.

Thanks.
Detached signature file.
Is it possible to add content to a detached signature file?
Re: gpg: decrypt_message failed: Unknown system error
Thanks. I wish the error message did not say system error when it was human error.

On 7/16/2020 3:07 AM, Ingo Klöcker wrote:
> On Wednesday, 15 July 2020 21:32:29 CEST Ayoub Misherghi via Gnupg-users wrote:
>> ayoub@vboxpwfl:~/testdir$ gpg -r develop1 -e textfile
>> ayoub@vboxpwfl:~/testdir$ ls
>> textfile  textfile.gpg
>> ayoub@vboxpwfl:~/testdir$ gpg -u develop1 -o textfile.dcr -d textfile
>> gpg: no valid OpenPGP data found.
>> gpg: decrypt_message failed: Unknown system error
>
> You are trying to decrypt the original file (textfile) instead of the encrypted file (textfile.gpg).
>
> Regards,
> Ingo
gpg: decrypt_message failed: Unknown system error
How do I go about giving you debug information? I am not operating in batch or unattended mode now. All lines in my user gpg.conf are commented out.

Before knowing the proper procedure for managing IDs graciously explained to me on this list, I deliberately created a temporary ID with a short time of validity so as to discard it when it expired (after about three days. Not intending to share the keys with anybody.) I deleted the ID after expiration and re-created a new ID with the same name. When it expired again I deleted it and created a new ID with the same name again; and that is when my problems started.

ayoub@vboxpwfl:~/testdir$ ls
textfile
ayoub@vboxpwfl:~/testdir$ gpg -r develop1 -e textfile
ayoub@vboxpwfl:~/testdir$ ls
textfile  textfile.gpg
ayoub@vboxpwfl:~/testdir$ gpg -u develop1 -o textfile.dcr -d textfile
gpg: no valid OpenPGP data found.
gpg: decrypt_message failed: Unknown system error
ayoub@vboxpwfl:~/testdir$
ayoub@vboxpwfl:~/testdir$ gpg --list-keys
/home/ayoub/.gnupg/pubring.kbx
------------------------------
pub   ed25519 2020-07-09 [SC] [expires: 2020-07-19]
      3C5B212A55B966881E2D2718A45398B520BEE91E
uid           [ultimate] sentry
sub   cv25519 2020-07-09 [E] [expires: 2020-07-19]
pub   ed25519 2020-07-09 [SC] [expires: 2021-07-09]
      7A675D7F52BC905C22F8249091556BC29D4C595E
uid           [ultimate] develop1
sub   cv25519 2020-07-09 [E] [expires: 2021-07-09]

ayoub@vboxpwfl:~/testdir$ gpg --list-secret-keys
/home/ayoub/.gnupg/pubring.kbx
------------------------------
sec   ed25519 2020-07-09 [SC] [expires: 2020-07-19]
      3C5B212A55B966881E2D2718A45398B520BEE91E
uid           [ultimate] sentry
ssb   cv25519 2020-07-09 [E] [expires: 2020-07-19]
sec   ed25519 2020-07-09 [SC] [expires: 2021-07-09]
      7A675D7F52BC905C22F8249091556BC29D4C595E
uid           [ultimate] develop1
ssb   cv25519 2020-07-09 [E] [expires: 2021-07-09]

ayoub@vboxpwfl:~/testdir$
Re: Newbie question.
I am re-sending this text only. I made the mistake of sending it html previously.

Sorry for splitting Peter and Philihp into two threads.

I have probably put my gpg environment/program in a state it cannot come out of. I want to do what cowards do. I want to uninstall gpg and start all over again, escaping from the mess I put myself into somehow. With the advice you gave me I should do better next time, and hopefully stay out of trouble.

I have not given anybody any of the IDs yet. And besides, the intended application is non interactive and also does not communicate anything. It hides everything and itself from everybody and everything, let alone the keys (or at least that is the intention if I manage to keep me out of trouble. I am an ASIC hardware guy venturing to do what I should not; obviously.)

How do I ensure I uninstall without leaving any history or state that could affect a new install please?

Sorry for the headache I am giving you. If I manage to make money and not go bankrupt I will remember my friends.

On 7/12/2020 11:01 AM, Ayoub Misherghi wrote:
> Thanks. This exposes to me how little I know and it will take me time to absorb it. None of this information is in anything I read. Nothing comes close. I will not come to grips with it with the kind of reading material I have. Can you please suggest some good tutorial and reference material preferably free (probably mutually exclusive requirements) that will bring me up to your level or close to it please. The material I come across is just like silly preschool stuff with 1/4 truth which keeps you ill informed and misinformed and throws you off track. They over simplify and drain education out of you making you a zombie.
>
> Thanks,
> Ayoub
>
> On 7/12/2020 9:15 AM, Peter Lebbing wrote:
>> On 12/07/2020 17:45, Ayoub Misherghi wrote:
>>> Sorry for going off list and messing everybody up. Now I deserve punishment.
>>
>> Heh :-). It's just that if I reply off-list, it only helps you, but if it is on-list, other people can find it in a search engine when they're facing something similar.
>>
>> On 11/07/2020 21:07, Ayoub Misherghi wrote:
>>> My current intended usage is in non-interactive mode, completely. I can remove them from the gpg.conf but I would have to issue them every time. My understanding is that non-interactive mode requires those commands.
>>
>> Well, in that case, you should supply --no-batch when you're using it interactively; I'll show why further down. My personal choice would be to have my scripts and programs supply the --batch on invocation rather than put it in the config file, because you only need to write that command invocation in the script once (as you're writing the script), whereas you'll be writing the --no-batch every time you /do/ use it from an interactive shell.
>>
>>> I selected "expert" mode because I am using ED25519 encryption that is available only in this mode (I know, I am newbie)
>>
>> You only need the --expert on commands creating or adding keys for that. Once you have the key, you no longer need --expert to just use it.
>>
>>> All the config lines I showed are in my user config. A few days ago, my set up, which is still in development phase, worked until my short lived gpg keys expired. I fell in deep * when I created new keys. It all worked, with the passphrase-file option and without, before I fell. Can you pull this dumb newbie out?
>>
>> I think the combination that worked might have been
>>
>> --8<---cut here---start->8---
>> pinentry-mode loopback
>> passphrase-file /home/ayoub/.gnupg/output.png
>> --8<---cut here---end--->8---
>>
>> but once you commented out the passphrase-file entry, GnuPG had no way to get the passphrase. Normally you should use the pinentry (so comment out the pinentry-mode line as well), but you force it to use the loopback pinentry-mode. gpg _could_ ask for your passphrase that way. But, you also specify --batch.
>>
>> --batch tells GnuPG that the human is currently unavailable and it needn't bother trying to interact with it. So it has no way to get the passphrase and gives up.
>>
>> It will ask you for the passphrase when you comment out --batch, but I recommend also commenting out the --pinentry-mode line so it'll just launch a pinentry like it wants to do.
>>
>> Now about this configuration:
>>
>> --8<---cut here---start->8---
>> pinentry-mode loopback
>> passphrase-file /home/ayoub/.gnupg/output.png
>> --8<---cut here---end--->8---
>>
>> If this file is stored with the same access conditions as ~/.gnupg/private-keys-v1.d/, it serves no good purpose. You should then just use a key without a passphrase. With a key without a passphrase, an attacker would just need the file ~/.gnupg/private-keys-v1.d/[...].key and they're good to go. With your passphrase-file, they need two files: ~/.gnupg/private-keys-v1.d/[...].key
Re: Newbie question.
Hi,

On 7/11/2020 3:34 AM, Peter Lebbing wrote:
> Hi!
>
> On 10/07/2020 23:47, Ayoub Misherghi via Gnupg-users wrote:
>> ayoub@vboxpwfl:~/testdir$ gpg --list-secret-keys
>
> Could you do
>
> $ gpg --with-subkey-fingerprint --list-secret-keys

ayoub@vboxpwfl:$ gpg --with-subkey-fingerprint --list-secret-keys
/home/ayoub/.gnupg/pubring.kbx
--
sec   ed25519 2020-07-09 [SC] [expires: 2020-07-19]
      3C5B212A55B966881E2D2718A45398B520BEE91E
uid           [ultimate] sentry
ssb   cv25519 2020-07-09 [E] [expires: 2020-07-19]
      F2A76096E857E2AF607DD144D17AA44F49BB5A08
sec   ed25519 2020-07-09 [SC] [expires: 2021-07-09]
      7A675D7F52BC905C22F8249091556BC29D4C595E
uid           [ultimate] develop1
ssb   cv25519 2020-07-09 [E] [expires: 2021-07-09]
      BFF08DC8259E2E9FBAF92AC1367BD2210D4E904D

> and
>
> $ gpg --version

ayoub@vboxpwfl:~/sentry/trunk$ gpg --version
gpg (GnuPG) 2.2.19
libgcrypt 1.8.5
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/ayoub/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

> please? And do you get a popup asking for your passphrase or is what you post all the interaction that you get? If that is where the problem lies, it's good to know your operating system/distribution, your desktop environment, and stuff like that.
>
> HTH,
>
> Peter.

ayoub@vboxpwfl:~/sentry/trunk$ uname -a
Linux vboxpwfl 5.4.0-40-generic #44-Ubuntu SMP Tue Jun 23 00:01:04 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 19.04 running inside VirtualBox on Windows 10

This lists gpg.conf (I have removed all commented lines except two that I show):

ayoub@vboxpwfl:~/sentry/trunk$ cat ~/.gnupg/gpg.conf
batch
pinentry-mode loopback
require-secmem
no-greeting
expert
#--passphrase-file file
#passphrase-file /home/ayoub/.gnupg/output.png

I am not asked for a passphrase even though I have the "passphrase-file" in the gpg.conf commented out.

Thanks
Fwd: Re: Newbie question.
Sorry for going off list and messing everybody up. Now I deserve punishment. Sorry for the html too.

Forwarded Message
Subject: Re: Newbie question.
Date: Sat, 11 Jul 2020 12:07:17 -0700
From: Ayoub Misherghi
To: Peter Lebbing

On 7/11/2020 11:30 AM, Peter Lebbing wrote:
> Hi,
>
> On 11/07/2020 19:58, Ayoub Misherghi wrote:
>> ayoub@vboxpwfl:~/sentry/trunk$ cat ~/.gnupg/gpg.conf
>> batch
>> pinentry-mode loopback
>
> Ah yes. Those two options have no place in your gpg.conf. They are options that you might want to specify as part of the command line on occasion, but unless you have a very unusual setup they should not be there. You should remove both. The pinentry-mode is probably what is preventing you being asked for the passphrase.

My current intended usage is in non-interactive mode, completely. I can remove them from the gpg.conf but I would have to issue them every time. My understanding is that non-interactive mode requires those commands.

>> expert
>
> I'd recommend dropping this as well.

I selected "expert" mode because I am using ED25519 encryption that is available only in this mode (I know, I am a newbie)

>> #--passphrase-file file
>> #passphrase-file /home/ayoub/.gnupg/output.png
>
> These commented out lines are probably why the pinentry-mode line was there in the first place. Do you know why these lines, both the uncommented and the commented ones, are in your gpg.conf?

All the config lines I showed are in my user config. A few days ago, my setup, which is still in development phase, worked until my short-lived gpg keys expired. I fell in deep * when I created new keys. It all worked, with the passphrase-file option and without, before I fell. Can you pull this dumb newbie out?

> HTH,
>
> Peter.
Re: Newbie question.
Thanks. This exposes to me how little I know and it will take me time to absorb it. None of this information is in anything I read. Nothing comes close. I will not come to grips with it with the kind of reading material I have. Can you please suggest some good tutorial and reference material, preferably free (probably mutually exclusive requirements), that will bring me up to your level or close to it please. The material I come across is just like silly preschool stuff with 1/4 truth which keeps you ill informed and misinformed and throws you off track. They oversimplify and drain education out of you, making you a zombie.

Thanks,

Ayoub

On 7/12/2020 9:15 AM, Peter Lebbing wrote:
> On 12/07/2020 17:45, Ayoub Misherghi wrote:
>> Sorry for going off list and messing everybody up. Now I deserve punishment.
>
> Heh :-). It's just that if I reply off-list, it only helps you, but if it is on-list, other people can find it in a search engine when they're facing something similar.
>
> On 11/07/2020 21:07, Ayoub Misherghi wrote:
>> My current intended usage is in non-interactive mode, completely. I can remove them from the gpg.conf but I would have to issue them every time. My understanding is that non-interactive mode requires those commands.
>
> Well, in that case, you should supply --no-batch when you're using it interactively; I'll show why further down. My personal choice would be to have my scripts and programs supply the --batch on invocation rather than put it in the config file, because you only need to write that command invocation in the script once (as you're writing the script), whereas you'll be writing the --no-batch every time you /do/ use it from an interactive shell.
>
>> I selected "expert" mode because I am using ED25519 encryption that is available only in this mode (I know, I am a newbie)
>
> You only need the --expert on commands creating or adding keys for that. Once you have the key, you no longer need --expert to just use it.
>
>> All the config lines I showed are in my user config. A few days ago, my setup, which is still in development phase, worked until my short-lived gpg keys expired. I fell in deep * when I created new keys. It all worked, with the passphrase-file option and without, before I fell. Can you pull this dumb newbie out?
>
> I think the combination that worked might have been
>
> --8<---cut here---start->8---
> pinentry-mode loopback
> passphrase-file /home/ayoub/.gnupg/output.png
> --8<---cut here---end--->8---
>
> but once you commented out the passphrase-file entry, GnuPG had no way to get the passphrase. Normally you should use the pinentry (so comment out the pinentry-mode line as well), but you force it to use the loopback pinentry-mode. gpg _could_ ask for your passphrase that way. But, you also specify --batch. --batch tells GnuPG that the human is currently unavailable and it needn't bother trying to interact with it. So it has no way to get the passphrase and gives up. It will ask you for the passphrase when you comment out --batch, but I recommend also commenting out the --pinentry-mode line so it'll just launch a pinentry like it wants to do.
>
> Now about this configuration:
>
> --8<---cut here---start->8---
> pinentry-mode loopback
> passphrase-file /home/ayoub/.gnupg/output.png
> --8<---cut here---end--->8---
>
> If this file is stored with the same access conditions as ~/.gnupg/private-keys-v1.d/, it serves no good purpose. You should then just use a key without a passphrase. With a key without a passphrase, an attacker would just need the file
>
> ~/.gnupg/private-keys-v1.d/[...].key
>
> and they're good to go. With your passphrase-file, they need two files:
>
> ~/.gnupg/private-keys-v1.d/[...].key
> ~/.gnupg/output.png
>
> and once again they're good to go, they have your private key. Why would it be more difficult to get a hold of two files rather than one? Just drop the passphrase, and all your problems magically disappear :-).
>
> But given its name, I suppose output.png is generated by some unlocking process. Suppose you did it like this before:
>
> $ my-unlocker >~/.gnupg/output.png
>
> You can actually unlock keys the way GnuPG intends to do that with:
>
> $ my-unlocker | /usr/lib/gnupg/gpg-preset-passphrase --preset
>
> You can find the keygrip for your keys with:
>
> $ gpg --with-keygrip --list-secret-keys
>
> You do need it for every subkey you want to use like this separately, and also, it does not verify whether the passphrase was correct.
>
> Also, put
>
> allow-preset-passphrase
> max-cache-ttl
>
> in ~/.gnupg/gpg-agent.conf and issue
>
> $ gpgconf --kill gpg-agent
>
> to reload. is how long you want the passphrase to stay available after gpg-preset-passphrase, and it defaults to a mere 2 hours. You could set it to 4294967295 to specify a lifetime of 136 years, i.e., infinitely for all practical purposes.
>
> Watch out that my-unlocker doesn't leak the passphrase in any way.
>
> I
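As an added example (not code from this thread or from GnuPG), a Python helper for the gpg-preset-passphrase step Peter describes: it pulls the keygrip of each decryption subkey out of gpg's machine-readable listing and pipes the unlocker's output straight into gpg-preset-passphrase, so the passphrase never sits in a file next to the key. The `--with-colons` listing below is a constructed sample with placeholder keygrips, and `my-unlocker` is the hypothetical program from the post.

```python
import subprocess
from typing import Dict, List

# Constructed sample of `gpg --with-colons --with-keygrip --list-secret-keys`
# shaped like the develop1 listing in this thread (key IDs and fingerprints
# are the posted ones; the keygrips and the uid hash are made-up placeholders).
SAMPLE_LISTING = """\
sec:u:256:22:91556BC29D4C595E:1594252800:1625788800::u:::scESC:::+:::ed25519:::0:
fpr:::::::::7A675D7F52BC905C22F8249091556BC29D4C595E:
grp:::::::::3333333333333333333333333333333333333333:
uid:u::::1594252800::0000000000000000000000000000000000000000::develop1::::::::::0:
ssb:u:256:18:367BD2210D4E904D:1594252800:1625788800:::::e:::+:::cv25519::
fpr:::::::::BFF08DC8259E2E9FBAF92AC1367BD2210D4E904D:
grp:::::::::4444444444444444444444444444444444444444:
"""
PRESET = "/usr/lib/gnupg/gpg-preset-passphrase"  # path given in the thread


def parse_secret_keys(listing: str) -> List[Dict[str, str]]:
    """One dict per sec/ssb record. A grp record belongs to the key record
    before it; a uid record names the primary key and the subkeys after it."""
    keys: List[Dict[str, str]] = []
    uid = ""
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb"):
            uid = "" if f[0] == "sec" else uid  # new certificate: uid not seen yet
            # lowercase letters in field 12 are this key's own capabilities
            own = "".join(c for c in f[11] if c.islower())
            keys.append({"keyid": f[4], "caps": own, "uid": uid, "keygrip": ""})
        elif f[0] == "uid" and keys:
            uid = keys[-1]["uid"] = f[9]
        elif f[0] == "grp" and keys:
            keys[-1]["keygrip"] = f[9]
    return keys


def keygrips_for(listing: str, uid: str, capability: str = "e") -> List[str]:
    """Keygrips of `uid`'s keys able to `capability` ('e' decrypt, 's' sign);
    each one has to be preset separately, as the thread notes."""
    return [k["keygrip"] for k in parse_secret_keys(listing)
            if k["uid"] == uid and capability in k["caps"] and k["keygrip"]]


def preset_from_unlocker(unlocker_argv: List[str], listing: str, uid: str) -> int:
    """Pipe my-unlocker's output into gpg-preset-passphrase for each decryption
    subkey of `uid`; nothing is written to disk. Returns the number preset."""
    secret = subprocess.run(unlocker_argv, check=True, capture_output=True).stdout
    grips = keygrips_for(listing, uid)
    for grip in grips:
        subprocess.run([PRESET, "--preset", grip], input=secret, check=True)
    return len(grips)
```

In real use, feed `parse_secret_keys` the output of `gpg --with-colons --with-keygrip --list-secret-keys` and remember that, as the post says, gpg-preset-passphrase does not check whether the passphrase is right.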
Newbie question.
What am I doing wrong:

ayoub@vboxpwfl:~/testdir$ ls
textfile
ayoub@vboxpwfl:~/testdir$ gpg -r develop1 -o textfile.gpg -e textfile
ayoub@vboxpwfl:~/testdir$ ls
textfile  textfile.gpg
ayoub@vboxpwfl:~/testdir$ gpg -u develop1 -o textfile.dcr -d textfile.gpg
gpg: encrypted with 256-bit ECDH key, ID 367BD2210D4E904D, created 2020-07-09
      "develop1"
gpg: public key decryption failed: End of file
gpg: decryption failed: No secret key
ayoub@vboxpwfl:~/testdir$ gpg --list-keys
/home/ayoub/.gnupg/pubring.kbx
--
pub   ed25519 2020-07-09 [SC] [expires: 2020-07-19]
      3C5B212A55B966881E2D2718A45398B520BEE91E
uid           [ultimate] sentry
sub   cv25519 2020-07-09 [E] [expires: 2020-07-19]
pub   ed25519 2020-07-09 [SC] [expires: 2021-07-09]
      7A675D7F52BC905C22F8249091556BC29D4C595E
uid           [ultimate] develop1
sub   cv25519 2020-07-09 [E] [expires: 2021-07-09]
ayoub@vboxpwfl:~/testdir$ gpg --list-secret-keys
/home/ayoub/.gnupg/pubring.kbx
--
sec   ed25519 2020-07-09 [SC] [expires: 2020-07-19]
      3C5B212A55B966881E2D2718A45398B520BEE91E
uid           [ultimate] sentry
ssb   cv25519 2020-07-09 [E] [expires: 2020-07-19]
sec   ed25519 2020-07-09 [SC] [expires: 2021-07-09]
      7A675D7F52BC905C22F8249091556BC29D4C595E
uid           [ultimate] develop1
ssb   cv25519 2020-07-09 [E] [expires: 2021-07-09]
ayoub@vboxpwfl:~/testdir$