Re: GNU Privacy Handbook typo
Hi Patrick,

On Friday 07 June 2024 12:25:58, Patrick F. Marques via Gnupg-users wrote:
> I believe there is a “tiny” typo in this page
> https://www.gnupg.org/gph/en/manual/x334.html
> I believe it should be “their key” instead of “they key”

thanks for reporting!

> Also, according to https://www.gnupg.org/gph/en/manual/book1.html bug
> reports concerning the GNU Privacy Handbook should be sent to Mike
> Ashley (), however e-mails sent to that given address
> bounce, which is why I'm reporting here.

Yes, this is an outdated hint and I guess there will be much more outdated as well regarding the GPH.

I've checked https://www.gnupg.org/documentation/guides.html to find the source code repository, but I cannot easily find it on https://git.gnupg.org/cgi-bin/gitweb.cgi so I do not even know where the source code for it is today.

We probably should label it outdated or old or so, to warn more users that some information could be outdated.

Regards,
Bernhard

--
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter

signature.asc
Description: This is a digitally signed message part.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: S/MIME which certificate format
On Thursday 20 June 2024 11:20:14, Marco Moock wrote:
> My cert itself creates the problem, the separate CA intermediate
> cert can be imported properly.

I've figured and included the lines for additional context only. :)
Re: S/MIME which certificate format
Hi Marco, hi Werner,

On Tuesday 18 June 2024 08:44:00, Bernhard Reiter via Gnupg-users wrote:
> > I can send you mine if you would like to test.
>
> At least I can try to import it and see what my version says.

did a test with Gpg4win, which prints a different error message:

  gpg (GnuPG) 2.4.5
  libgcrypt 1.10.3

  gpgsm --debug-all --import zert.crt
  gpgsm: can't get authorityInfoAccess: No value
  gpgsm: issuer certificate (#/CN=Sectigo RSA Client Authentication and Secure Email CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB) not found
  gpgsm: DBG: [no clock] keydb_insert_cert: enter (hd=0x006c3e38)
  Oops, ksba_cert_get_image failed: imagelen=238 hdr=4 len=1523 off=0
  gpgsm: DBG: [no clock] keydb_insert_cert: leave (err=General error)
  gpgsm: error storing certificate: General error
  gpgsm: DBG: [no clock] keydb_release: enter (hd=0x006c3e38)
  gpgsm: DBG: [no clock] keydb_release: leave
  gpgsm: error storing certificate
  gpgsm: no issuer found in certificate
  gpgsm: basic certificate checks failed - not imported
  gpgsm: total number processed: 2

Marco, it makes sense to mail that certificate to Werner as well, he is fastest to see where the error message comes from.

Thanks
Bernhard
Re: S/MIME which certificate format
On Monday 17 June 2024 19:27:35, Marco Moock wrote:
> On 17.06.2024 at 17:14:07, Bernhard Reiter via Gnupg-users wrote:
> > does Sectigo offer a public certificate somewhere which could
> > possibly be imported for a test?
>
> I can send you mine if you would like to test.

At least I can try to import it and see what my version says.

BTW: at least once in the last years Debian had some patches that GnuPG upstream did not recommend. So yes, the behaviour can be different in the GnuPG packages from distributions. If the precise package can be given it sometimes helps to reproduce an issue.

Regards
Bernhard
Re: S/MIME which certificate format
Hello,

On Wednesday 12 June 2024 21:37:11, Marco Moock wrote:
> I got an S/MIME certificate from Sectigo, which I would like to use
> with gpgsm/Kleopatra.

does Sectigo offer a public certificate somewhere which could possibly be imported for a test?

The message

  gpgsm: unknown digest algorithm '?' used certificate

from 2.2.43 let me assume that the algorithm is unknown to GnuPG. However this could be wrong.

Regards
Bernhard
Re: Hints on how to check for a WKD key (was: Trying to get PKA working)
On Wednesday 21 February 2024 17:16:57, Werner Koch via Gnupg-users wrote:
> On Wed, 21 Feb 2024 15:52, Philip Colmer said:
> > that works. The wiki (https://wiki.gnupg.org/WKDHosting) says to use
> > gpg --homedir "$(mktemp -d)" --verbose --locate-keys
> > your.em...@example.org ... and this doesn't work.
>
> It's a wiki and ppl change it at will and worse nobody checks and updates
> it.

*cough* I do check and update it on a few places, but not everywhere. (And help is always appreciated.)

The above example as it is in the wiki still works as a test with 2.2.40. And it is indicated as test. Note that for the test somebody is not really importing the pubkey. What did not work?

> $ gpg-wks-client --check -v w...@gnupg.org
>
> If you add --debug=ipc you can actually see what has been requested from
> the server. Without any option you just get a return status for
> scripting.

I've added the second test method as well.
Re: How to get a pubkey with WKD
On Thursday 15 February 2024 15:35:11, Werner Koch via Gnupg-users wrote:
> On Thu, 15 Feb 2024 11:48, Bernhard Reiter said:
> > But it does not get the current version of the pubkey in some
> > circumstances.
>
> Example? I am not aware of it.

Testing with 2.4.4 and 2.2.34

  gpg --locate-external-keys bernh...@intevation.de

got me my pubkey in all cases. So you are correct, it works for those versions.

For Debian GNU/Linux oldstable, it still is 2.2.27, though, and 2.2.19 for Ubuntu GNU/Linux 20.04LTS.
How to get a pubkey with WKD (Re: Incompatible secret key format between 2.4.4 and 2.2.27?)
On Thursday 15 February 2024 10:45:53, Werner Koch wrote:
> The following will get his pubkey by WKD on the command line:
>
> gpg --locate-keys --auto-key-locate clear,nodefault,wkd w...@gnupg.org
>
> FWIW,
>
> gpg --locate-external-key w...@gnupg.org
>
> is much easier than the above long list of options.

FWIW
But it does not get the current version of the pubkey in some circumstances. And the long version works in a few more elder GnuPG versions. ;)

Bernhard
Re: Incompatible secret key format between 2.4.4 and 2.2.27?
On Tuesday 13 February 2024 15:50:55, mlist_e9e869bc--- via Gnupg-users wrote:
> Is wk at gnupg.org the private email I can send the public key to you?

Yes, that is one of Werner's pubkeys. The following will get his pubkey by WKD on the command line:

  gpg --locate-keys --auto-key-locate clear,nodefault,wkd w...@gnupg.org

> I'm willing to send you a copy to examine but not publicly as that's
> (now I remember) a result of a dumb experiment.
Re: Regarding the expiration of the signed data in npth-1.6.tar.bz2
Hi Witchy,

On Saturday 03 February 2024 15:35:20, witchy via Gnupg-users wrote:
> I am trying to install npth which is needed to build gpg.
> I noticed that the npth signature data has expired.

that is okay, if you downloaded stuff from https://www.gnupg.org/download/index.html

  nPth  1.6  2018-07-16  293k  download  download

  LANG=C gpg --verify npth-1.6.tar.bz2.sig
  gpg: assuming signed data in 'npth-1.6.tar.bz2'
  gpg: Signature made Mon Jul 16 09:37:23 2018 CEST
  gpg:                using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
  gpg: Good signature from "Werner Koch (dist sig)" [expired]
  gpg: Note: This key has expired!

That message shows that the signature is fine at the time it was made in principle. You can additionally check the pubkey:

  LANG=C gpg -kv "D8692123C4065DEA5E0F3AB5249B39D24F25E3B6"
  gpg: Note: signature key 249B39D24F25E3B6 expired Fri Dec 31 12:00:07 2021 CET
  pub   rsa2048/249B39D24F25E3B6 2011-01-12 [SC] [expired: 2021-12-31]
        D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
  uid           [ expired] Werner Koch (dist sig)
  sub   rsa2048/F58A5868AC87C71A 2011-01-12 [A] [expired: 2019-12-31]

That should be good enough.

> Is it possible to have it signed again?

At least if a new release is done, that release would be freshly signed. So far I haven't seen renewed signatures from GnuPG devs, which makes it unlikely they sign the nPth release from 2018 again.

Regards,
Bernhard
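The reasoning in the message above (good signature, made before the key expired, from the expected key) can be automated for a download script by reading gpg's machine-readable `--status-fd` lines instead of the human-readable text. This is an added example, not part of the original post or of GnuPG; the status lines are constructed from the dates and fingerprint quoted in the mail, and `assess` and the sample names are hypothetical.

```python
"""Judge a `gpg --status-fd 1 --verify` result when the signing key has expired."""
from datetime import datetime, timezone

# Fingerprint and key expiry as printed by gpg in the mail above.
EXPECTED_FPR = "D8692123C4065DEA5E0F3AB5249B39D24F25E3B6"
KEY_EXPIRY = datetime(2021, 12, 31, 11, 0, 7, tzinfo=timezone.utc)  # 12:00:07 CET

# Constructed status lines modelled on that case (signature made
# 2018-07-16 09:37:23 CEST = epoch 1531726643); not captured from a real run.
SAMPLE_EXPIRED_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 249B39D24F25E3B6 Werner Koch (dist sig)
[GNUPG:] VALIDSIG D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 2018-07-16 1531726643 0 4 0 1 8 00 D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
"""
# Constructed counter-example: the data does not match the signature.
SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 249B39D24F25E3B6 Werner Koch (dist sig)
"""

VERDICTS = {"GOODSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "BADSIG", "ERRSIG"}
PREFIX = "[GNUPG:] "


def parse_time(value):
    """Status timestamps are epoch seconds, or ISO 8601 when they contain 'T'."""
    if "T" in value:
        return datetime.strptime(value, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(value), tz=timezone.utc)


def assess(status_text, expected_fpr, key_expiry):
    """Return status, fingerprint, signing time and an accept flag.

    Assumes the file carries a single signature. The signing time is taken
    from the signature itself, so the "made before expiry" test mirrors the
    reasoning in the mail; it cannot detect back-dating by a key holder.
    """
    result = {"status": None, "fingerprint": None, "signed_at": None, "accept": False}
    for line in status_text.splitlines():
        if not line.startswith(PREFIX):
            continue
        keyword, *args = line[len(PREFIX):].split()
        if keyword in VERDICTS:
            result["status"] = keyword
        elif keyword == "VALIDSIG" and len(args) >= 3:
            # The 10th argument is the primary key fingerprint when present.
            result["fingerprint"] = args[9] if len(args) > 9 else args[0]
            result["signed_at"] = parse_time(args[2])

    pinned = result["fingerprint"] == expected_fpr
    if result["status"] == "GOODSIG":
        result["accept"] = pinned
    elif result["status"] == "EXPKEYSIG":
        signed_at = result["signed_at"]
        result["accept"] = bool(pinned and signed_at is not None and signed_at < key_expiry)
    # EXPSIG, REVKEYSIG, BADSIG, ERRSIG or no verdict at all: never accepted.
    return result


if __name__ == "__main__":
    for name, text in (("expired key", SAMPLE_EXPIRED_KEY), ("bad", SAMPLE_BAD)):
        print(name, assess(text, EXPECTED_FPR, KEY_EXPIRY))
```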
Re: NO_SECKEY difference between 2.2 and 2.3
On Tuesday 21 November 2023 15:28:46, Aleksander Machniak wrote:
> >> - v2.3 outputs two NO_SECKEY lines referring both recipient's and
> >> sender's keys.

Potentially the sender has encrypted the message for themselves, this would explain why there are two potential decryption keys that you both do not have.

Try an additional -v to see more about the message structure. Maybe v2.3 is just more informative here.
webmail and OpenPGP/MIME -> Mailvelope (Re: Signature)
On Wednesday 30 August 2023 16:32:26, Gilberto F da Silva via Gnupg-users wrote:
> It is getting harder and harder to use GnuPG with email as webmail
> is used more and more.

https://mailvelope.com
https://github.com/mailvelope/mailvelope

enables OpenPGP in webmail and if the webmail service is offering the necessary support, you can do OpenPGP/MIME as well.

Mailvelope supports using GnuPG as crypto backend, though it could be easier to set up.

Bernhard
Re: Failed to export secret key
On Friday 08 September 2023 15:40:43, Alexander Leidinger via Gnupg-users wrote:
> > You clicked on CANCEL or closed the window.
>
> No prompt at all in the console / ssh connection (and no graphics, so
> nothing to click on). So no manual cancelling from me.

There used to be pinentries issues with terminal size in the past

  https://dev.gnupg.org/T5322
  https://dev.gnupg.org/T4924

Maybe that helps with debugging. You could try a large terminal window.

Bernhard
very large RSA key (Re: Sirs:)
On Friday 25 August 2023 18:37:15, xyz938 via Gnupg-users wrote:
> Where do I change in the code to create a 32764 bit key?

Look where the --enable-large-rsa is implemented in the code, see https://wiki.gnupg.org/LargeKeys for some discussion why using a large RSA keypair is a bad idea.

Bernhard
Re: Strange message seen on FreeBSD 14.0 amd64
On Wednesday 12 July 2023 10:39:29, Dennis Clarke via Gnupg-users wrote:
> Thank you for the detailed reply as well as the comfort that
> this should "just work"(tm) or not.

On gnupg-devel, Niibe wrote that Clang 16 works for him asking for the version of clang that may have given you issues:
https://lists.gnupg.org/pipermail/gnupg-devel/2023-July/035390.html

Bernhard
Re: "gpg --card-edit" with multiple card readers (Yubikey)
Michael,

On Friday 07 July 2023 20:32:15, Michael Richardson wrote:
> > I should eventually describe the environment.
>
> Yes please.
> Could it go into a wiki page or something that people can comment on and/or
> amend?

feel free to open a page with the info that Werner has already given on https://wiki.gnupg.org

Regards,
Bernhard
Re: Question - GPG - No Secret Keys
Hi Rafael,

On Friday 16 June 2023 19:50:43, Alberti, Rafael Ricardo via Gnupg-users wrote:
> On May 15 2023, we installed and were looking at using GPG a server.

which operating system and if you are running GNU/Linux, which distribution are you using?

> We created the proper Public and Private key and Pass Phrase. The
> decryption and encryption was working well for a few weeks until on June
> 13, 2023 the decryption failed.
>
> Upon review, we received a "No Secret Key" error - nothing changed on the
> machine. We also noticed that the Public and Private key were no longer
> visible in the armor i.e. Gpg -list-keys{returned blank}
>
> What would cause the keys to be removed? We did notice that an install
> of GPG occurred on the server on June 13.
>
> Can a GPG Auto Update remove the Keys inside the Armor ?

It MUST not. So if this update did, it would be a defect of the packaging (or the updating process in general).

> If so, how can we disable GPG Auto Update feature

Depends on which update service you were using. GnuPG is available for many platforms and can be installed by many means.

> After much review, and "by chance" we re-imported the Public.key and the
> TrustDb.Key and the Armor was repopulated with the old Key information and
> the decryption started to work again

Good to know that you had a working backup (that is recommended practice). :)

Best Regards
Bernhard
Re: expiration date for the keys pgp (automatism)
On Friday 09 June 2023 14:25:01, Werner Koch via Gnupg-users wrote:
> A really proper solution would use a function to decode field 7

And potentially filter for otherwise valid pubkeys.
>;)

Best,
Bernhard
Re: expiration date for the keys pgp (automatism)
Hello Marc,

On Monday 05 June 2023 16:49:55, broussard marc via Gnupg-users wrote:
> It is the first time that I am writing to the mailing list...

welcome!

> I would like to launch a script each week end, to have a warning when for
> instance, when the key is expired 4 week later. In this case, early january
> 2025 I would like this warning.
>
> I think I can manage to do it with shell script (LINUX) ...

Another option would be to use GPGME which somehow is the official API to access GnuPG functionality and usually more stable than parsing the output yourself in a shell. E.g. you can use python, see https://wiki.gnupg.org/APIs .

> but before, I would like to know if there is a function in pgp which allow that
> or anything similar ? => does pgp can tell when the key is becoming soon
> expired?

At least I do not remember such a function. But I have two more hints:

* See in the documentation for option --with-colons if you really do want to parse the output yourself.
* Faking the time may help you, e.g. put it four weeks in the future. See for the "esoteric" option --faked-system-time

Again, personally a python script would be my first choice.

Regards
Bernhard
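The two messages above suggest parsing `--with-colons` output, decoding field 7 (the expiration date) and keeping only otherwise valid keys. A sketch of that check follows as an added example, not code from the thread or from GnuPG; the listing is constructed (no real keys), and `expiring_keys`, `decode_timestamp` and the fixed `NOW` are hypothetical names chosen so the result is reproducible without touching the system clock.

```python
"""Report keys that expire within a warning window, from --with-colons output."""
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample of `gpg --with-colons --list-keys` output (no real keys).
# Field 1 = record type, 2 = validity, 5 = key ID, 6 = creation, 7 = expiration.
SAMPLE_LISTING = """\
tru::1:1733000000:0:3:1:5
pub:u:4096:1:AAAAAAAAAAAAAAA1:1672531200:1736035200::u:::scESC:
uid:u::::1672531200::::Alice Example <alice@example.org>:
sub:u:4096:1:BBBBBBBBBBBBBBB1:1672531200:20250101T000000:::::e:
pub:f:255:22:AAAAAAAAAAAAAAA2:1672531200:::-:::scESC:
pub:e:2048:1:AAAAAAAAAAAAAAA3:1294790400:1640948407::-:::sc:
pub:r:4096:1:AAAAAAAAAAAAAAA4:1672531200:1736035200::-:::sc:
pub:f:4096:1:AAAAAAAAAAAAAAA5:1672531200:1767225600::-:::scESC:
"""

# Constructed "current time" for the example run.
NOW = datetime(2024, 12, 9, tzinfo=timezone.utc)

# Validity letters (field 2) for keys that are already unusable:
# i = invalid, d = disabled, r = revoked, e = expired.
UNUSABLE = {"i", "d", "r", "e"}


def decode_timestamp(field):
    """Decode field 6 or 7: epoch seconds, or ISO 8601 basic format with a 'T'."""
    if not field:
        return None  # empty expiration field: the key does not expire
    if "T" in field:
        return datetime.strptime(field, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def expiring_keys(listing, now, window=timedelta(weeks=4)):
    """Return (record, key ID, expiry date, days left) for keys expiring in window."""
    warnings = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub") or len(fields) < 7:
            continue
        record, validity, keyid = fields[0], fields[1], fields[4]
        if validity in UNUSABLE:
            continue  # only warn about otherwise valid keys
        expires = decode_timestamp(fields[6])
        if expires is None:
            continue
        remaining = expires - now
        if timedelta(0) <= remaining <= window:
            warnings.append((record, keyid, expires.date().isoformat(), remaining.days))
    return warnings


def list_keys_with_gpg():
    """Fetch the real listing; needs gpg on PATH (not used by the sample run)."""
    done = subprocess.run(["gpg", "--batch", "--with-colons", "--list-keys"],
                          capture_output=True, text=True, check=True)
    return done.stdout


if __name__ == "__main__":
    for record, keyid, date, days in expiring_keys(SAMPLE_LISTING, NOW):
        print(f"WARNING: {record} {keyid} expires {date} ({days} days left)")
```

For a weekly cron job, pass `list_keys_with_gpg()` and `datetime.now(timezone.utc)` instead of the sample values.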
get OpenPGP pubkeys authenticated using German personal ID
https://pgp.governikus.de/?lang=EN

"""
Governikus provides the online service for authenticating your OpenPGP key on behalf of the German Federal Office for Information Security (BSI). This online service compares the name read from your ID card, your electronic residence permit or eID card for citizens of the European Union with the name specified in your OpenPGP key. If the names match, your public key is electronically signed by Governikus, confirming the match.
"""

interesting, kind of cool. Obviously they cannot authenticate the email address so once I have a common name, we get collisions?

Bernhard
Re: Mastodon account: running a server?
Hi Henning,

On Thursday 25 May 2023 19:15:19, Henning Follmann wrote:
> Well there was also the initial thought of spinning "our own" instance.

yes, I did not mention it, because I've answered it back then: The limitation are administration and moderation time. For this to work out, at least one more person would need to step up. My idea is that most GnuPG developers will rather improve something specific for GnuPG (or the Free Soft ecosystem around it) than running a fediverse server.

> I still hold the gnupg.social dns registration and I am still willing
> to pay for it and keeping it current.
> I also would chip in time as a assistant administrator. Though I have to
> say I do not have any experience in running a mastodon instance.

Thanks for both offers! If someone else comes up and wants to run the server, it may become a viable option. (Though I don't know how GnuPG devs think about using the official name.)

If this is considered, why not run a Pleroma backend or one of this line.

Best Regards
Bernhard
Mastodon account(s), server search
Hello,

On Thursday 01 December 2022 17:42:47, Bernhard Reiter wrote:
> seems to be a good time to start an official Mastodon account
> for GnuPG and related topics like Gpg4win and OpenPGP.

this plan was frozen
first by the future OpenPGP standards (see gnupg-devel@ from the 26th on).
secondly by me being unable to work for several weeks

> At least for announcements and some interaction as the interest
> is growing for this decentral platform.

I'm picking it up again and assume ongoing interest.

== Server selection details

> initial rough requirements:
> * located in Europe (preferred, because many GnuPG / Gpg4win people know the legal environment in the EU better)
> * can be volunteeringly paid for
> * some volume / track record to expect a good administration
> * a moderation and contents policy that allows for respectful
>   exchange, but is liberal in that commercial Free Software
>   topics (and broad other topics) are allowed as well.
> * (optional) Free Software and privacy friendly organisation

Found more:
* can take the potential load (https://twitter.com/gnupg has 20k followers)
* (optional) Tor network access
* German any English?

The latter is a question if we should make two accounts, one for English and one for German. There are quite a lot of German speaking Gpg4win and GnuPG users, it probably is the second largest group after English.

Thanks again for the server suggestions, my current ranking is:

1. https://mstdn.social 35k account
   Has everything, strong point: Tor access.
   Weak point: no advertising
   I've asked, and it is okay to write about professional Free Software products as long as it does not flood the public timeline.

2. infosec.exchange 18k
   Servers rented in Germany, Responsible Person in the US.
   No Tor. No FS preference.
   Strong point: Infosec community (and moderators from that topic)

3. fosstodon.org 16k
   No Tor.
   weak point: English post only.

All are suitable servers and we could migrate of course.
Maybe I'm looking for a server which is a little bit smaller as a fourth alternative. (I've given https://pleroma.social servers a brief look, but I haven't found a good match. ;) )

Best Regards
Bernhard
files are there now (Re: [Announce] GnuPG 2.4.1 released)
On Friday 28 April 2023 17:21:54, Todd Zullinger via Gnupg-users wrote:
> > https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.1.tar.bz2 (7169k)
> > https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.1.tar.bz2.sig
>
> It seems neither of these files have not made it to the
> server yet:

They are now.
(Though not visible on https://gnupg.org/ftp/gcrypt/gnupg/ yet

  curl --silent https://gnupg.org/ftp/gcrypt/gnupg/ | grep '2\.4\.1' | wc -l
  0
)

Best Regards
Bernhard
Re: [Announce] GnuPG 2.4.1 released
On Friday 28 April 2023 15:47:52, Werner Koch via Gnupg-devel wrote:
> We are pleased to announce the availability of a new stable GnuPG
> release: version 2.4.1.

Congrats!

> - Version 2.4 is the current stable version with a lot of new features
>   compared to 2.2. This announcement is about the latest release of
>   this series; the previous release was 2.3.8.

This reads like "2.3.8" was a typo, maybe something to check for the next announcement.

Best Regards
Bernhard
Re: using gpg-agent from web server mod_wsgi script
On Friday 07 April 2023 01:20:07, Christian, Mark via Gnupg-users wrote:
> I was hoping to gpg-preset-passphrase a gpg-agent running under the apache
> WSGI service account, so that a python gpgme web wsgi/cgi application could
> access the gpg-agent's private key in order to run various gpg operations.
> It seems the python mod_wsgi script is not finding the gpg-agent. I'm
> wondering if this is possible?

apache and mod_wsgi are most likely controlling the environment variables for the python process closely and running on a different user and thus directory than your gpg-agent. So the mod_wsgi process may not be able to access the agent's socket

> I'm using gpg2 2.2.27 and python gpgme_version 1.16.0

Other solution approach: Use a private key without passphrase.

Best,
Bernhard

[Answering an elder question where I haven't seen an answer to.]
Debian Packages for 2.4 (was: Application deadlock when using GnuPG, gpgsm, and Scute)
Hi Simon,

On Tuesday 11 April 2023 15:13:12, Simon Josefsson via Gnupg-users wrote:
> >> Are there well-maintained debian packages for GnuPG 2.4 anywhere?
>
> >> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022702#10
>
> only took an hour or so to build bullseye packages for 2.2.40 and 2.4.0
> via gitlab. See how to test the packages below.

[found the instructions in the link as well]

> Of course, this is work in progress... See
> https://gitlab.com/debdistutils/packages/cicd-config for background.
>
> I'm sure we could finalize this into stable URLs and sign the apt
> repository using a GnuPG key if people find this interesting.

Cool, thanks! Yes I am interested and I think others will be as well.

> I would find packages for Trisquel aramo useful myself,
> I'm not sure the bullseye packages work directly.

If there is helpful input someone in this list has and is a Debian user, you can and should send it to the issue tracker.

Regards
Bernhard
WKD: another company supports it: univention
Hi,

the German company Univention has announced its support of WKD:
https://www.univention.de/wkd/ (in German so far)

And yes, it can be seen:

  gpg-wks-client --verbose --supported univention.de
  gpg-wks-client: provider for 'f...@univention.de' does NOT support WKS

(which means it supports WKD, but not the mail managing service WKS).

  gpg -v --locate-keys --auto-key-locate clear,nodefault,wkd i...@univention.de
  gpg: key 2D3B68C377EE285B: public key "Univention Security Updates " imported

(used gpg-wks-client (GnuPG) 2.2.34 to do the testing)

Also noticeable at https://www.univention.com/security-policy/ where Univention lists a gpg command.

Noticed it as someone entered it into the wiki, scroll down from https://wiki.gnupg.org/WKD?#Implementations
Thanks :)

This is cool, because Univention's product have an identity managing service at the core. It may mean that we get more WKD services in the future.

Regards,
Bernhard
Re: Technical Terms/Website TheBat!: OpenPGP, GnuPG
On Friday 03 February 2023 09:27:04, Bernhard Reiter wrote:
> Just noticed that some of your technical terms on the web-site can be
> improved:

Got a friendly response:

-- Forwarded message --
[..]
Thank you very much for the detailed explanation. We have updated the respective web-pages and it will take a couple of days for the cache to update too. If you would like to, you can access these links avoiding the old caches pages:

https://www.ritlabs.com/de/products/thebat/?a
https://www.ritlabs.com/en/products/thebat/?a

Alexander Petrari
Ritlabs, SRL
--
Technical Terms/Website TheBat!: OpenPGP, GnuPG
Dear TheBat!-Team,

it is good that you are offering support for email cryptography in your email client products. And it is fine and cool that you are using GnuPG (on Windows via Gpg4win).

Just noticed that some of your technical terms on the web-site can be improved:

https://www.ritlabs.com/de/products/thebat/
  "Unterstützung für PGP, GnuPGP, und S/MIME"

There is the typo "GnuPGP" where you mean "GnuPG". Also note that "PGP" is a proprietary product (owned by Broadcom these days, last time I've looked). You are probably not really supporting it, I guess. :) And the crypto format is called "OpenPGP". So using "OpenPGP" or "OpenPGP/MIME" would give your users a better understanding of what TheBat! is supporting.

https://www.ritlabs.com/en/products/thebat/
  "PGP"

If you have any questions about GnuPG or Gpg4win, you can either mail the mailinglist (gnupg-users@) or the Gpg4win forum.

Best Regards
Bernhard
switching off compression (was: En-/Decryption speed for large files (GnuPG and Gpg4win))
On Tuesday, 17 January 2023 13:08:18, Andre Heinecke via Gnupg-users wrote:
> Another big difference what you will see in the performance of GnuPG is if
> you use -z 0 which disables compression.

According to the GnuPG documentation (2.4.0) https://gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html#index-compress_002dlevel '-z 0' is equivalent to the following long options '--compress-level 0 --bzip2-compress-level 0'; yes, both have to be given.

> You can put "compress-level 0" into
> your gpg.conf to cause Kleopatra to also use that.

Would not be enough to disable bzip2 encryption (according to the documentation). Looking at https://gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html#index-compress_002dalgo what shall work with just one option is `compress-algo uncompressed`

Best,
Bernhard
Re: [Announce] GnuPG for OS X 2.4.0 released
On Tuesday, 10 January 2023 00:47:08, Ralph Seichter via Gnupg-users wrote:
> GnuPG for OS X / macOS release 2.4.0 is now available for download via
> https://sourceforge.net/p/gpgosx/docu/Download/ .

Cool, Ralph!

> It took me longer than
> usual to provide this release, because I ran into build problems. I also
> spent several weeks in hospitals over the last couple of months, and I
> am still not well today, so I hope you can forgive the delay. ;-)

All the best wishes for your health in the new year!
Bernhard
Reminder: use plaintext mails only on ML
Friends of GnuPG, a happy new year to all of you! Now I am taking Andrew (hi) as an example to send a reminder why using text/plain format only mails is a good idea on this (and other mailing lists).

On Saturday, 17 December 2022 19:54:39, Andrew Gallagher via Gnupg-users wrote:
> I’ve been

Because HTML can have a lot of active contents, a number of people I know sanitize emails that have text/html parts. Some ignore such emails completely. In the past I know that Werner ignored (most) emails with text/html.

There are more advantages to text/plain mails:
* people can better choose how their email client is displaying the contents, for instance the font size and color.
* it saves energy because of less bytes transmitted and backed up (and indexed, archived and searched).

Best Regards,
Bernhard

ps. On a general remark, I believe there is a productivity gap between people that use full fledged and customised emails clients to those with only web and mobile clients. As email is one of the working decentralised communication solutions, I think we should value it more and thus help people to learn about the productivity of an email client that they can fully control (on their hardware) and customize to have one unified interface to several communities.
Re: Only GnuPG 2.2.x in Debian Bookworm?
Werner,

On Tuesday, 13 December 2022 16:36:24, Werner Koch via Gnupg-users wrote:
> On Sat, 10 Dec 2022 22:21, Karel van Gruiten said:
> > I am only a user, but I wonder why they stick to the 2.2-series and do
>
> Probably because there is an interest conflict between the GnuPG
> maintainers in Debian and those who want to turn OpenPGP into something
> very different (i.e. new IETF OpenPGP WG participants / Sequoia venture
> capitalists).
> SCNR

can you be more specific? Speculations and rumors do not help much, even if they are meant to be funny (were they?) Which IETF OpenPGP working group members are you referring to? What of their actions will be a problem for OpenPGP from our point of view? Who are the "Sequoia venture capitalists" and what are their interests?

Regards
Bernhard
Re: Only GnuPG 2.2.x in Debian Bookworm?
On Sunday, 11 December 2022 13:19:11, Ingo Klöcker wrote:
> The Debians may be waiting for the 2.4 release (which was announced as the
> next stable release after 2.2).

Unlikely, it seems more like the maintainers were less active. 2.3 is on the wishlist (since October), you may want to follow https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022702

And Daniel Kahn Gillmor (DKG, the maintainer) got more active since April this year, and added 2.2.40 (and previously .35, .39). See https://tracker.debian.org/pkg/gnupg2 (Thanks Daniel!)

(DKG does not appear in the changelog for about 14 months, maybe this break of him is responsible for a slight delay in current versions for bookworm, you possibly can see more if you look at the archives of the maintainer's mailing list or other public information of Debian.)

Regards
Bernhard
Re: Unable to make GPG4Win 4.x portable
Hello Karel,

On Saturday, 3 December 2022 17:34:44, Karel van Gruiten via Gnupg-users wrote:
> Unfortunately my mail to gpg4win-users...@wald.intevation.org was bounced,

(I'd be interested in this offlist, can you send me the bounce message to see if this is a problem with our infrastructure?)

> so I am trying to ask for help here: I recently finally switched from the
> old 3.x series of GPG4Win to 4.0.4 doing a clean install which is working
> properly. But I am unable to create a portable installation from this,
> mkportable gives this output:
>
> C:\Program Files (x86)\Gpg4win\bin>mkportable.exe --full f:\gpg4win\
> mkportable: file 'share/locale/mai/kf5_entry.desktop' not found in the source directory
> mkportable: file 'share/locale/mai/LC_MESSAGES/ki18n5.mo' not found in the source directory
> mkportable: file
>
> What am I making wrong?

Possibly not having installed "everything" (see instructions at): https://www.gpg4win.org/download.html

Regards
Bernhard
Mastodon account: hosting a server
On Saturday, 3 December 2022 14:55:03, Henning Follmann wrote:
> Well, in general I might volunteer some resources.

Thanks to you and to the others for offering help with running a server. (Also for suggesting server for an account, this will still take me a few days until I get to it.)

About running a server just for GnuPG, I agree with what Michael wrote:
| It's the promises about moderation and other softer human resources
| that seem to really be the limit for running Mastodon instances.

(back to Henning)
> However I work mostly on the AWS cloud here in the US.
> I heard some resentments against the instance being located in the US.

I'd stated a preferred location in Europe mostly because this is a legal space that I (and many members of the Verein) are most familiar with. To me GnuPG and OpenPGP is about friendly global collaboration for those that care about privacy.

Regards
Bernhard
Mastodon account: offer to operate it for the GnuPG Verein
Hello,

On Saturday, 3 December 2022 21:01:17, Juergen M. Bruckner via Gnupg-users wrote:
> In my view, someone from the GnuPG core team should be in control of the
> account.

as it should be an official account I also believe someone should operate it on behalf of the GnuPG core team. I volunteer to operate the account on behalf of the GnuPG e.V. https://gnupg.org/verein/ (which is where I am currently the vice-chair)

My suggestion to them is that the verein also volunteeringly pays for the account (that is a yearly donation of 50-100€ in my view).

Regards
Bernhard
Thunderbird is missing WKS (Re: Questions regarding WKD/WKS)
On Friday, 2 December 2022 18:06:59, Andreas Heinlein via Gnupg-users wrote:
> > I would also strongly suggest to use gpg-wks-client.
>
> Thanks, I overlooked that. I find it a little difficult to instruct normal
> users to configure their client to sign mails, but make an exception when
> submitting their mail to the wks.

The idea is that a mail user agent supports this special workflow.

> I cannot use gpg-wks-client here - our folks are using thunderbird.
> https://bugzilla.mozilla.org/show_bug.cgi?id=1695048

Yes, it would be cool to have good manual instructions. Especially for windows. I ponder writing a tool in go to supplement to gpg-wks-client for the sending part on windows only (as it is quite easy to do a static cross build in go). But it can be done in C as well I guess.

The usability problem stays the same: You would want to use the credentials and the TLS implementation of the email client, which you cannot get. And even accessing the TLS properties on windows makes this less portable. And I do not think GnuPG wants to grow a real smtp-client library.

Regards,
Bernhard
Mastodon account, good server?
Hi friends of GnuPG,

seems to be a good time to start an official Mastodon account for GnuPG and related topics like Gpg4win and OpenPGP. At least for announcements and some interaction as the interest is growing for this decentral platform.

Is there an interest here? Should we do this?

If we do this, a server needs to be selected. I'd probably go and suggest one my initial rough requirements:
* located in Europe
* can be volunteeringly paid for
* some volume / track record to expect a good administration
* a moderation and contents policy that allows for respectful exchange, but is liberal in that commercial Free Software topics (and broad other topics) are allowed as well.
* (optional) Free Software and privacy friendly organisation

Any suggestions matching these?

Best Regards
Bernhard
Re: GPA conversion to GTK3
Hi Andreas,

On Saturday, 12 November 2022 22:53:07, Andreas Rönnquist via Gnupg-users wrote:
> And yes, I have noted that gpg4win has abandoned gpa, which I guess is
> part of the reason of the lower priority for it, but that doesn't mean
> that us Linux people cannot use it, right?

"abandoned" is not the right word for it, to be fair. ;) It is that GPA has not seen much active development within the whole GnuPG development team for all platforms. In my observation this is because
a) there is a good expert user interface with Kleopatra already
b) and maintaining two would bind efforts that are well invested elsewhere.
c) for a better user experience the expert UIs like GPA and Kleopatra should appear less.

So GPA is looking for new maintainers and it is great that you are hacking on it. Hope more people join this and other related OpenPGP end-to-end efforts.

Best Regards,
Bernhard
Re: Problems with Gnus (Emacs) + GnuPG for signing a mail with S/MIME
On Friday, 11 November 2022 14:40:13, Angel de Vicente wrote:
> I actually have no problems signing with S/MIME also inside Emacs (as
> far as the passphrase has been cached). And I have no problems signing
> with PGP (pinentry loopback works fine then).
>
> So it looks like something that affects exclusively pinentry loopback
> while signing with S/MIME

As always, there must be a difference in how OpenPGP and S/MIME signing with GnuPG is called from Emacs/Gnus. (There is a small chance that it is with the specific keypair you are using.) Comparing detailed logs of OpenPGP and S/MIME might reveal the difference.

I darkly remember Gnus using GPGME, if this is the case, maybe a GPGME_DEBUG log can help you. Otherwise you need to look into how Emacs can produce more details about what it is doing (I am not an Emacs user, so I cannot really help you there.)

Regards
Bernhard
Re: Difference between versions--Question
Hi Kevin,

On Friday, 4 November 2022 13:55:58, K S via Gnupg-users wrote:
> How do I run configure to get the compression routines?

check out the "config.log" or the output of your configure command run to see if there are messages concerning compression libraries.

> FYI, this is the first time I've built from source.

It is cool that you have tried it! :)

Bernhard
Re: Problems with Gnus (Emacs) + GnuPG for signing a mail with S/MIME
On Friday, 4 November 2022 20:03:35, Angel de Vicente wrote:
> Any ideas as to what might cause this?

Not really, I would start the analysis by asserting that gpgsm --sign still works outside of Emacs and then somehow try to emulate the loopback mode. Maybe there is a different problem somewhere.

Bernhard
Re: Troubleshooting help
On Friday, 11 November 2022 11:58:42, Andrea Lenarduzzi via Gnupg-users wrote:
> gpg: selecting card failed: with #reader-port 32768 and disable-ccid-driver

You probably know that -v (several times) and --debug-all on many GnuPG binaries can greatly increase the verbosity and thus help to see more.

Bernhard
Re: mutt locking
On Friday, 23 September 2022 18:19:42, Louis Holbrook via Gnupg-users wrote:
> - I would like to use pinentry-tty during my normal gpg cli operations.
> - I am fine with using pinentry-curses in the mutt context
>
> Is there a way to do this?

FWIW: Probably not, as the pinentry is a configuration of gpg-agent. In theory you could start a new gpg-agent with a different configuration option, but is pinentry-curses really so bad? :)

Bernhard
Understanding KDF for symmetric encryption (was: Seeking Assurance on Security and Memory Leaks in SuSE GnuPG)
Hi Tony,

one way to make progress (here on the mailinglist) is to split up unrelated topics into single issues, so everyone can dig deeper, if needed. From your posts I focus on the KDF for symmetric encryption. (I believe other concerns have been answered, at least I've seen answers, if not please open a separate topic for each question.)

On Monday, 3 October 2022 18:45:48, Tony Lee via Gnupg-users wrote:
> Werner noted [for Count 1024] For backward compatibility reasons with
> 1.4 the default count value is used in this case [and] You can't compare
> some AES-KDF to the SHA1 based KDF of OpenPGP. The --s2k options mention
> "mangling passphrases" which sounds exactly like a KDF, but a default
> SHA-1 was used in one case, at least.

As far as I've understood, using SHA1 hash in a KDF may be okay (depending on other properties of the KDF). As mentioned by Werner, the KDF is calibrated dynamically by gpg-agent, did you check the bottom of https://gnupg.org/documentation/manuals/gnupg/Agent-Options.html (with --s2k-calibration and --s2k-count)? Those have to be given to gpg-agent (e.g. in the gpg-agent.conf). If you want to increase the difficulty of the KDF used, my understanding is that a good option to use would be --s2k-calibration to gpg-agent.

> The Spectra Secure YouTube was:
> https://www.youtube.com/watch?v=j-qBChKG15Y "Password Managers: The Case
> Against GNU pass (feat gpg)". Around minute 4:31 it explains very
> clearly that the --s2k settings do not work (when exporting a key),

In the video description, there is a link to https://dev.gnupg.org/T1800 which explains that being able to set a few parameters for the export of secret key material directly from gpg is a wish and not a defect. It may be that the documentation could be improved on this point as however this would only be a minor thing in my view as gpg-agent does a dynamic calibration that sounds reasonable.

However T1800 still says that --s2k-count works for symmetric encryption, see https://gnupg.org/documentation/manuals/gnupg/OpenPGP-Options.html#index-s2k_002dcount-1 if it does not, it would be a defect. It would be a minor one, if the default is gotten from gpg-agent (as stated) and gpg-agent gets it right.

So you can start seeking evidence for it or the contrary, either by measurements or by following the code. (Have you compared runs of gpg -c with different --s2k-count values?) Following the code usually works by building gnupg (its libraries and tools) and then start at main() with the handling of the arguments and possibly add some debugging printing or other method to see if you get to the point where the value is used or not. It should be possible for a software-engineer without deep knowledge of C.

Regards
Bernhard
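The comparison of `gpg -c` runs suggested in the message above can be made by reading the S2K parameters out of the first packet of each output file. The following is an added example, not part of the original post and not GnuPG code: it parses a version 4 Symmetric-Key Encrypted Session Key packet as laid out in RFC 4880 and decodes the one-octet count (coded value 0 is the "Count 1024" quoted in the thread). The two byte strings are constructed samples, and all function names are hypothetical.

```python
# Added example (not GnuPG code): decode the S2K parameters stored in the
# first packet of a binary (non-armored) `gpg -c` output.
# Layout follows RFC 4880 sections 4.2, 5.3 and 3.7.1. Only version 4
# Symmetric-Key Encrypted Session Key (SKESK, tag 3) packets are handled.

S2K_TYPES = {0: "simple", 1: "salted", 3: "iterated+salted"}
S2K_MIN_BODY = {0: 4, 1: 12, 3: 13}  # octets needed per S2K type
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
          9: "SHA384", 10: "SHA512", 11: "SHA224"}


def decode_count(coded):
    """Expand the one-octet coded count into the number of hashed octets."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def encode_count(wanted):
    """Smallest coded octet whose decoded count is >= wanted."""
    for coded in range(256):
        if decode_count(coded) >= wanted:
            return coded
    raise ValueError("count exceeds the largest encodable value")


def read_header(data, pos=0):
    """Return (tag, body_offset, body_length) of the packet at pos."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet (is the input armored?)")
    if first & 0x40:  # new-format header
        tag = first & 0x3F
        l1 = data[pos + 1]
        if l1 < 192:
            return tag, pos + 2, l1
        if l1 < 224:
            return tag, pos + 3, ((l1 - 192) << 8) + data[pos + 2] + 192
        if l1 == 255:
            return tag, pos + 6, int.from_bytes(data[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths are not handled")
    tag = (first >> 2) & 0x0F  # old-format header
    ltype = first & 0x03
    if ltype == 3:
        raise ValueError("indeterminate length is not handled")
    nbytes = 1 << ltype  # 1, 2 or 4 length octets
    length = int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big")
    return tag, pos + 1 + nbytes, length


def parse_skesk(data):
    """Return cipher, S2K type, hash, salt and count of a leading SKESK."""
    tag, off, length = read_header(data)
    if tag != 3:
        raise ValueError(f"first packet has tag {tag}, expected 3 (SKESK)")
    body = data[off:off + length]
    if len(body) < 4 or body[0] != 4:
        raise ValueError("only version 4 SKESK packets are handled")
    s2k = body[2]
    if s2k not in S2K_MIN_BODY:
        raise ValueError(f"unknown S2K type {s2k}")
    if len(body) < S2K_MIN_BODY[s2k]:
        raise ValueError("packet is truncated")
    info = {"cipher_algo": body[1], "s2k_type": S2K_TYPES[s2k],
            "hash": HASHES.get(body[3], body[3]),
            "salt": None, "coded_count": None, "count": None}
    if s2k in (1, 3):
        info["salt"] = body[4:12].hex()
    if s2k == 3:
        info["coded_count"] = body[12]
        info["count"] = decode_count(body[12])
    return info


# Constructed samples: old-format tag 3 header, length 13, version 4,
# cipher 9, S2K type 3, hash 2, eight salt octets, one coded count octet.
SAMPLE_LOW = bytes.fromhex("8c0d04090302" "0011223344556677" "60")
SAMPLE_HIGH = bytes.fromhex("8c0d04090302" "8899aabbccddeeff" "ff")

if __name__ == "__main__":
    for name, blob in (("low", SAMPLE_LOW), ("high", SAMPLE_HIGH)):
        print(name, parse_skesk(blob))
```

To check real output, pass the bytes of each file written by `gpg -c` (read with `open(path, "rb").read()`) to `parse_skesk` and compare the `count` fields between runs.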
How to clarify a deep technical issue (Re: Seeking Assurance on Security and Memory Leaks in SuSE GnuPG)
Hi Steffen,

On Saturday, 1 October 2022 18:23:19, Steffen Nurpmeso wrote:
> Highly disturbing to me are such poisoning emails like you write
> continuously.

please be respectful and try to assume best intentions.

> The software you talk about is classified to be
> used by governments to some extent, and i rather have Werner and
> his team work on improving this big software suite than answering
> mails

The people doing certifications, just like all developers, including me, you and Werner do make mistakes sometimes. And it is a good property of Free Software that everyone can inspect it. So I do not mind questions, even if they point out to unlikely defects.

Yes, maybe not Werner should answer them, but someone else can help to outline what the next steps are to understand what the software is doing for someone who really wants to know.

Best Regards
Bernhard
email culture (Re: WKD: conveying intent of encrypt-by-default?)
On Thursday, 13 October 2022 23:50:33, Phil Pennock via Gnupg-users wrote:
> We need encryption _available_, but culturally
> "encrypt-by-default" is not going to fly.

In some cultures I hope (and guess) that it will fly.

> Almost all email usage locally is Gmail, with the browser app or the
> official Gmail mobile apps. That is not going to change.

I wonder what could be done (in your local culture but also in other environments) to make reading encrypted emails better. E.g. have your users tried Mailvelope? https://mailvelope.com/en/

> This is about using encrypted content being a PITA for most
> people.

Somehow this shows how local and good native email clients could be better. As a long term email user a good email client makes me more productive and those clients can usually deal with encrypted email nicely (so it is not a hump at all, just a bit of setup once every few years). How could we get there for more people?

Regards
Bernhard
Re: gpg-agent refuse to start
Hi Christian,

On Thursday, 6 October 2022 21:01:15, Roy Christian (DAIT-SITL) via Gnupg-users wrote:
> Our applications called the GNUPG 1.4.2 executable and it worked without
> issue. We upgraded to GNUPG version 2.2.27 and now we have problems with
> the gpg-agent. This sometimes refuses to start.

have you had a look at the questions I've asked you in response to your question in https://wald.intevation.org/forum/forum.php?thread_id=2474&forum_id=21&group_id=11 ? (It is fine to have this discussion here on the mailinglist.)

Regards
Bernhard
Re: Subkeys renewing/expiring strategy
On Thursday, 13 October 2022 15:42:04, Teemu Likonen wrote:
> * 2022-10-11 17:23:49+0200, nect via Gnupg-users wrote:
> > Since I was struggling to choose a strategy for expiring/renewing my
> > subkeys [...]
>
> We should ask why do you want to expire (and rotate) your subkeys?

For encryption subkeys, rotating them adds a layer of protection. If this is worth the effort, you have to answer from your own perspective.

To give a scenario or two: If an attacker gets access to a lot of old communication from you, they might be able to brute force an encryption key in the future. Or I may be forced to give out an encryption key.

Personally I have used a primary key with 10 years expiration and encryption subkeys with 2 years. It would only be a fifth of the communication that would be revealed. Also I could use stronger algorithms over the ten years, so it is not just a factor of five to crack, but much more.

The effort was doable, but then again, I'm a regular crypto user and can use the exercise. ;)

Regards
Bernhard
Debian Packages for [CVE-2022-3515] GnuPG / Libksba Security Advisory
On Tuesday, 18 October 2022 09:55:12, Werner Koch via Gnupg-users wrote:
> On Tue, 18 Oct 2022 08:59, Alessandro Vesely said:
> > > If you see a version number of 1.6.2 or newer, you got the fix.
> > Debian fix kept the old version number 1.5.0-3, though:

The libksba8 debian packages for Buster and Bullseye are
1.3.5-2+deb10u1
1.5.0-3+deb11u1
and yes, the proposed check with gpgconf --show-versions is not a test for Debian, check the package version instead.

> FWIW: Debian thus misses

For the upcoming version Debian of course has 1.6.2-3 and thus gets the new features.

Thanks to the maintainers (Andres Metzler and Markus Koschany did the uploads). *wave* See https://security-tracker.debian.org/tracker/CVE-2022-3515

It seems Debian was quite fast to react. :)

Regards,
Bernhard
Re: GPG problem
Hello Shaoping Xie,

> gpg: public key decryption failed: Permission denied

if your keypair has a passphrase set, did an interactive pinentry come up? (If you want to run unattended, one method is to not set a passphrase and secure the system accordingly.)

> I was puzzled at the output from “gpg --export-secret-key”.

Probably the same problem.

Regards,
Bernhard
Re: Seeking Assurance on Security and Memory Leaks in SuSE GnuPG
On Tuesday, 30 August 2022 18:41:19, Tony Lee via Gnupg-users wrote:
> By "full entropy" I assume you mean an assessed entropy of 80--120
> bits. Although in principle I agree, in practice it is very difficult
> to produce such randomness

Generating passphrases from a large dictionary makes this feasible. E.g. https://wald.intevation.org/scm/browser.php?group_id=71&scm_plugin=scmhg is a small tool I wrote a few years ago to understand this better, calling it with the English dictionary from `trans`, I get

./ppgen.py -2
Reading entries from /usr/share/trans/de-en
Found 129207 dictionary entries.
|= Number of words |= possibilities |
|4 |2^67.9 |
|5 |2^84.9 |
|6 |2^101.9 |

So with 5 or six words, you easily have a passphrase in the desired range. (There are other generators as well.) In my experience, it is possible to memorize such passwords, by constructing a story around it. Of course it is some effort, but then again 3 or 4 words may be enough for your use-case and see next point:

> I agree public-key encryption is
> much better for communication, but I have difficulty persuading others
> to install gpg properly!

Given the overall advantages, what are the difficulties to convince your peers to install GnuPG? (Or any other OpenPGP implementation.)

> My own perception is that a similar
> oversight on gpg would provide much-needed reassurance to someone like
> myself who is in no position to evaluate such information from the
> open-source code

More documentation naturally is helpful, but it is a lot of effort to write and it must be kept in sync. Who tells you that the overview documentation still represents the technical implementation well? A lot of things are changing by the months, not just the implementation, but also the understanding of security properties (like attack capabilities). But those have to be re-considered if the necessary summary judgement of the overview shall be useful I think.

So I think this overview documentation you are asking for, would be less useful than expected.

> what steps are
> taken to secure these critical items against malevolent software, or
> unwanted storage on disk which may be vulnerable to subsequent attack?

The first and most important step is to secure your operating system, environment and storage according to your security needs. The challenge here is that this is beyond GnuPG (or any other single application) to control. Nor is it useful to try in many cases. Take virtualisation as example, there is no way for GnuPG to know if it is running in a virtual computing environment where the memory can be frozen into storage at any time. Same with safe deleting of files. Putting the effort into following general secure computing practice will help your GnuPG security more, usually.

Regards,
Bernhard
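The entropy figures quoted in the message above follow from drawing each word uniformly and independently from the dictionary. The following is an added example, not part of the original post and not the ppgen.py tool it mentions: it reproduces the table for 129207 entries, works out how many words a target strength needs, and draws a passphrase with a CSPRNG. The word list is a constructed sample and all function names are hypothetical.

```python
# Added example (not the ppgen.py tool from the post): dictionary
# passphrases drawn with a CSPRNG, plus the entropy arithmetic behind
# the table in the message.
import math
import secrets


def load_words(lines):
    """Strip entries and drop blanks and duplicates, keeping first-seen order.

    Duplicates have to go: they skew the draw and inflate the entry
    count, which makes the entropy estimate too high.
    """
    unique = dict.fromkeys(line.strip() for line in lines)
    unique.pop("", None)
    return list(unique)


def entropy_bits(n_entries, n_words):
    """Entropy in bits when each word is drawn uniformly and independently."""
    return n_words * math.log2(n_entries)


def words_needed(n_entries, target_bits):
    """Smallest number of words that reaches at least target_bits."""
    return math.ceil(target_bits / math.log2(n_entries))


def entropy_table(n_entries, counts=(4, 5, 6)):
    """Rows of (number of words, exponent of 2 rounded to one decimal)."""
    return [(k, round(entropy_bits(n_entries, k), 1)) for k in counts]


def generate(words, n_words, sep=" "):
    """Draw n_words entries with the OS CSPRNG and join them with sep."""
    if len(words) < 2:
        raise ValueError("word list too small to carry any entropy")
    return sep.join(secrets.choice(words) for _ in range(n_words))


# Constructed sample input with a duplicate, a blank line and padding.
SAMPLE_LINES = ["harbor\n", "violet\n", "harbor\n", "\n",
                " lantern \n", "quartz\n", "meadow\n", "violet\n"]

if __name__ == "__main__":
    for k, bits in entropy_table(129207):  # entry count from the post
        print(f"{k} words: 2^{bits}")
    print("words for 80 bits:", words_needed(129207, 80))
    words = load_words(SAMPLE_LINES)
    # A five-entry list is for demonstration only; it carries ~2.3 bits/word.
    print(generate(words, 5))
```

The estimate holds for the generator, not for a passphrase a person picks or re-rolls until it looks memorable; each rejected draw removes possibilities from the count.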
Redhat/Fedora still disabling brainpool curves (was: GnuPG 2.2.36 released
On Wednesday, 13 July 2022 15:22:36, Todd Zullinger via Gnupg-users wrote:
> > Maybe it helps to report the problem of missing crypto algorithms to your
> > GNU/Linux distribution.
>
> They aren't really missing but rather intentionally removed
> due to legal issues on Fedora/Red Hat. This came up not so
> long ago:
>
> https://lists.gnupg.org/pipermail/gnupg-users/2022-May/066054.html

Thanks for the pointer, reading the fedora discussion: https://lists.fedoraproject.org/archives/list/le...@lists.fedoraproject.org/thread/WUQNAB4EPWSJMMVECL2TZGKB5KIDESII/#ZWQUWUYR7VVG6EXSXZYES5MWCWWKBNKG

> Hopefully the legal issues will be cleared sometime soon and
> Fedora will stop stripping brainpool.

The last ping there was in April. As there is no open issue where users can track the progress on the Fedora legal team, maybe asking for an update after a quarter of a year is okay. (If you are a Fedora user and want brainpool algorithms included. ;) )

Regards
Bernhard
Re: GnuPG 2.2.36 released
Hi Ralf,

On Thursday 07 July 2022 05:35:57, Ralph Seichter via Gnupg-users wrote:
> GnuPG for OS X / macOS version 2.2.36 is now available via the URL
> https://sourceforge.net/projects/gpgosx/files/ .
>
> This is the first release since Patrick Brunschwig passed stewardship of
> the project to me,

thanks for maintaining the package!
(And many thanks to Patrick for having done so before!)

Best Regards,
Bernhard
Re: GnuPG 2.2.36 released
On Monday 11 July 2022 14:50:24, Konstantin Ryabitsev via Gnupg-users wrote:
> > See https://dev.gnupg.org/T5949#159890 for why it doesn't work for you.
>
> Ah, okay, that's unfortunate. I guess I'll skip this release, since I can't
> verify it without building gnupg from scratch (without verifying it first).

Maybe it helps to report the problem of missing crypto algorithms to your GNU/Linux distribution.
Re: TB weirdness
Hi Vincent,

On Thursday 24 February 2022 13:27:08, Vincent Breitmoser via Gnupg-users wrote:
> > Overall I believe that attaching pubkeys (like autocrypt proposes) is not
> > a good idea (the arguments put forward elsewhere).
>
> For the record, Autocrypt does not attach public keys, it includes them in
> headers.

Thanks for the correction.

> I concur that attaching public keys is a bad idea.

I've meant that conveying the pubkey with each email is suboptimal, may it be in the header, as attachment or elsewhere. This is what autocrypt does if I remember correctly.

> I haven't tested this myself but from a quick check with someone who uses
> Thunderbird they couldn't verify this claim. Maybe this just happens on
> some versions? Either way I wouldn't assume it's intended behavior.

This is helpful information, I agree that we should have more specific information because we can "warn" about the behaviour. Do you know which version was tested by chance?

Best Regards,
Bernhard
Re: Who protects the private key (was: Changing the encryption algorithm used for PGP/GPG private key)
On Sunday 20 February 2022 09:30:36, Daniel Colquitt via Gnupg-users wrote:
> I agree with you, and Robert Hansen above, insofar as there is no practical
> weakness in using SHA-1 as part of a key derivation algorithm.

(for protecting exported private keys)

> Nevertheless it does seem imprudent to use a formally broken hash function
> by default, whilst silently ignoring options that users would reasonably
> expect to change the algorithms used.

The point, as I understand it, is compatibility. Exporting and importing a private OpenPGP key is expected to work for many implementations and over several software revisions and years. So adhering to a standard (OpenPGP in this case) seems a good choice.

You can use additional protection layers, as Werner suggested. This seems also reasonable from a usability point of view as exporting, transferring and importing of private OpenPGP keys is a rare process.

Best Regards,
Bernhard
PGP is a proprietary Broadcom product (Was: Can't synchronize keys using Seahorse)
On Thursday 17 February 2022 17:18:58, Robert J. Hansen via Gnupg-users wrote:
> or whichever corporate entity owned the PGP intellectual property at the
> time. Network Associates gave way to PGP Security gave way to Symantec
> gave way to...

As far as I know, it is Broadcom since a few years
https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/pgp-solutions/1-0.html

A reminder again to use "OpenPGP" when referring to the open crypto standard.

Regards,
Bernhard
Re: TB weirdness
On Thursday 17 February 2022 17:35:53, Robert J. Hansen via Gnupg-users wrote:
> Thunderbird doesn't use GnuPG.

For some operations it still can (be configured to do so). Anyway, we do have a wiki page for hints
https://wiki.gnupg.org/EMailClients/Thunderbird

> However, for those who do:
> apparently, Thunderbird is a big fan of attaching public certificates
> (and/or revocation certificates, for revoked keys) to outgoing emails
> for *every private certificate on your keyring*, regardless of whether
> that private key is actually associated with the account in question.
>
> This has the potential to leak personal information, especially if
> you're in a use case where you have two or more keys presenting
> different pseudonymous identities. Without knowing it, you might
> accidentally reveal you're the common actor behind both.

Sounds like a defect to me, do you have a problem report ticket with Thunderbird or a forum entry which described the problem in more detail (like which version is affected)?

Overall I believe that attaching pubkeys (like autocrypt proposes) is not a good idea (the arguments put forward elsewhere).

Thanks for your warning, what about if we put it on our wiki page?

Regards,
Bernhard
Re: one ecc key-pair for both encryption and signature?
On Friday 07 January 2022 20:23:33, Robert J. Hansen via Gnupg-users wrote:
> > There is an equivalence given (two functions) in the Ed25519 wikipedia
> > page, but I don't know if this allows the same curve used in both
> > algorithms.

> Likewise, Edwards DSA can be tortured into becoming a Curve25519 key.
> But once you do that, *you're no longer using Edwards DSA*.

Can you be more specific why this is a problem?

Is it because the two transformation functions
a) create numerical problems
b) or runtime problems letting out information about the private key (thus being a side channel)
c) or just the additional time needed for them
?

(Andrew and Robert, thanks for your answers, you have already helped me to understand that detail better.)

Regards,
Bernhard
Re: Gpg4win LetsEncrypt issue
On Wednesday 05 January 2022 09:16:52, Alex Nadtoka via Gnupg-users wrote:
> Is there a way to enable more detailed debug mode so I can see the path for
> the certificate that dirmngr is using?

Use dirmngr.conf to add more diagnostic output, e.g.

  log-file c:\XYZ
  debug-level advanced

and restart dirmngr and do a request.
(reload could be done by
  gpgconf --reload dirmngr
)

Regards
Bernhard
Re: one ecc key-pair for both encryption and signature?
On Friday 07 January 2022 15:21:45, Andrew Gallagher via Gnupg-users wrote:
> On 07/01/2022 14:06, Bernhard Reiter wrote:
> > With 2.2.33 it is not possible to create a single ecc key-pair
> > that can do "sign" and "encrypt".
>
> it is best practice to keep the encryption-capable subkey distinct.

Is this the only reason? Then RSA should be limited in the same way. (Because there it is possible, so I guess that there is another reason.)

On Friday 07 January 2022 15:26:50, Robert J. Hansen via Gnupg-users wrote:
> Ed25519 is (effectively) a Schnorr signature done over an Edwards curve.
> Schnorr signatures have really no capability of being used for
> encryption, unless you want to do it just a few bytes at a time.

Reading https://en.wikipedia.org/wiki/Curve25519
| Curve25519 is an elliptic curve [..] designed for use with the elliptic
| curve Diffie–Hellman (ECDH) key agreement scheme
-> encrypt
| The curve is birationally equivalent to a twisted Edwards curve
| used in the Ed25519 signature scheme.

There is an equivalence given (two functions) in the Ed25519 wikipedia page, but I don't know if this allows the same curve used in both algorithms.

Regards
Bernhard
one ecc key-pair for both encryption and signature?
With 2.2.33 it is not possible to create a single ecc key-pair that can do "sign" and "encrypt".

I know that "ed25519" and "cv25519" are different algorithms, but from my limited understanding the same key-pair should be usable for both encrypting and signing in theory?

Can someone point me to an explanation why it isn't done so here?

Thanks
Bernhard

== Details

GNUPGHOME=~/dot-gnupg-test3/ gpg --expert --full-generate-key
gpg: WARNING:
gpg (GnuPG) 2.2.33; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key
  (14) Existing key from card
Your selection? 11

Possible actions for a ECDSA/EdDSA key: Sign Certify Authenticate
Current allowed actions: Sign Certify

   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? e
Invalid selection.
Re: GnuPG / Mailvelope on Windows 11
Hello,

On Wednesday 15 December 2021 13:07:21, Rhetoric Bohling via Gnupg-users wrote:
> I recently was in a loop trying to figure out GnuPG on Windows 10/11. Can
> you natively use GnuPG?

yes, you can use GnuPG natively built on Windows, either with a graphical or a command line interface. The official distribution of GnuPG is included in www.gpg4win.org

For some use cases, there is also a crypto-engine only "simple" installer available from https://gnupg.org/download/index.html see section of binary releases on this page.

> Or is it limited to the few implementations of it
> through Kleopatra/etc.?pgp.

Kleopatra is one of several applications that use the native GnuPG installation on Windows. The Outlook add-in, the explorer plugin also use it. (Because GnuPG implements open standards like OpenPGP or the Cryptographic Message Syntax, it is interoperable with other implementations of those standards.)

> I was using Mailvelope, and I could not get the Mailvelope app to recognize
> I was using GnuPG. It kept saying OpenPGP. I am confused.

Mailvelope uses an OpenPGP implementation called OpenPGP.js by default, because it is fully implemented in Javascript. There is the possibility to use GnuPG as backend to Mailvelope, but you need to activate it, see
https://github.com/mailvelope/mailvelope/wiki/Mailvelope-GnuPG-integration

(Both backend "OpenPGP.js" and "GnuPG" implement "OpenPGP". :) )

Best Regards,
Bernhard
Re: Why are 64-bit libraries not included in GnuPG but Gpg4win?
Hello Sven,

On Saturday 04 December 2021 05:13:28, Sven Richter via Gnupg-users wrote:
> Thunderbird
> expects to be able to manage all public keys regardless. Even with this
> setup of mine, it only pulls the private keys from GnuPG.

> I far rather
> have GnuPG manage my keys as much as possible than the email client.

yes, it would be cool to give that as a wish to Thunderbird to develop a full GnuPG based backend for that purposes for the people that have that use case and install Gpg4win anyway. (I think adding another experimental layer in between will not be the best solution, it can introduce other sources of differences in behaviour.)

[back to the 64bit libraries question]

> I believe I'm only using 64-bit variants of
> files are are already present in their 32-bit form in the regular bin
> folder of GnuPG anyway. Hence it would make sense in my opinion to directly
> include the 64-bit variants of them in the basic GnuPG installation.

Maybe. The current aim is to get Gpg4win 4 out of the door, so right now the question to change the roles of the small engine installer and the full installer for Windows (Gpg4win) is taking the backseat to this.

Best,
Bernhard
Re: Thunderbird's hints and history for OpenPGP/MIME (new wiki page)
On Friday 03 December 2021 13:52:19, Rainer Fiebig via Gnupg-users wrote:
> On 03.12.21 at 12:04, Bernhard Reiter wrote:
> > of incompatible header encryption:
> > | Transport information in a decentral network - just like the writing on
> > | the outside of a postal mail envelope - cannot be protected in
> > | principle. When reflecting on this, choose a subject that is plausible
> > | in context, but without sensitive contents, to best veil potential
> > | unwanted observers. (Your thinking is right: The more sensitive this
> > | is, the more you have to build up a plausible context for your
> > | unavoidable traces first.)
>
> This caters more to spies or people who have to be paranoid for an other
> reason. And they will know already.

> The average user, I guess, just wants to keep private communication
> private. And what the subject reveals should in most cases be
> negligible. So to me this paragraph seems a bit out of place.

Okay, thanks for letting me know.

I've included it because many people feel that encrypting this part of the meta data is a good idea and should be done for average users.

(As Christoph wrote Thursday 09 December 2021 17:10:29:
| For me the encryption of the subject seemed to be an advantage because
| the subject is some kind of meta information and meta information can
| say very much about a person.
)

This clashes a bit with the confidentiality improvement somebody may get using a transport network that is not controlled by one entity and by multiple independently implemented clients. For this I believe that all users need to be aware of what is meta information and what is not. My hypothesis is that people can deal with this in daily non-digital life already, like considering what to talk about or display in a public or semi-public place.

Anyway, next time I'll check that paragraph, I think how I can make the connection in a better way.

Best Regards,
Bernhard
Re: Why are 64-bit libraries not included in GnuPG but Gpg4win?
Hi Sven,

On Thursday 02 December 2021 10:06:11, Bernhard Reiter wrote:
> > It's not like they don't
> > exist at all but they are part of Gpg4win only.

was in contact with Werner (for other reasons) yesterday, he may still write something about this, but what I think now is that you are talking about libraries like gpgme which Thunderbird uses.

> > Shouldn't they be included directly in the core part?

Gpgme is an access library (the official API) and of course it is mainly needed when other application access it. Some people do not need it and it seems reasonable to me, to not consider it part of the core of the GnuPG crypto engine.

> Gpg4win is an official GnuPG distribution for Windows
> and it is possible to customise the installation to mainly install GnuPG.

If it really is the libraries (like I assume now), it seems fine to have them in the full distribution for Windows.

Another aspect is interesting: After the setup change you did to Thunderbird, did all operations work fine using public and private keys from GnuPG?

Best Regards,
Bernhard
Re: Thunderbird's hints and history for OpenPGP/MIME (new wiki page)
Hi Peter,

On Thursday 02 December 2021 17:35:17, Dr. Peter Voigt wrote:
> thanks for that page. I'm not using Thunderbird but I know many people
> who do. In particular the option to turn off the annoying dots is very
> useful.

good to know that you think it is useful. :)

> Did you toot the link through Mastodon as well
> - I just failed to find and re-toot a corresponding content.

I didn't toot it so far. First I wanted to gather some feedback, especially about the following section, where I've added a recommendation what to use instead of incompatible header encryption:

| Transport information in a decentral network - just like the writing on the
| outside of a postal mail envelope - cannot be protected in principle.
| When reflecting on this, choose a subject that is plausible in context,
| but without sensitive contents, to best veil potential unwanted observers.
| (Your thinking is right: The more sensitive this is, the more you have
| to build up a plausible context for your unavoidable traces first.)

(Also I've just improved the phrasing and spelling.)

Best Regards,
Bernhard
Re: Why are 64-bit libraries not included in GnuPG but Gpg4win?
On Wednesday 01 December 2021 01:19:45, Sven Richter via Gnupg-users wrote:
> As the title states, why are there no 64-bit libraries in GnuPG for
> Windows?

(The installer from the binary releases)

I don't know (but I respond with hints and repeat the question as HTML emails are filtered out by some participants.)

> It's not like they don't
> exist at all but they are part of Gpg4win only. Shouldn't they be included
> directly in the core part? Why are they "moved out" to Gpg4win? It seems
> weird to me that I would have to install gpg4win just to get hold of some
> 64-bit libraries for GnuPG.

Gpg4win is an official GnuPG distribution for Windows and it is possible to customise the installation to mainly install GnuPG.

Overall I believe this may be an oversight, maybe you should file an issue with dev.gnupg.org.

> The fact that I'm already using Thunderbird 64-bit. As many will know,
> Enigmail isn't much of a thing anymore. But I don't really trust that new
> OpenPGP.js implementation they have now,

As far as I know Thunderbird 78+ uses RNP/Botan, and not OpenPGP.js.

> I rather use my existing setup. No
> problem, there is a setting just for this in Thunderbird after all, simply
> set mail.openpgp.allow_external_gnupg = true. Except that this got me vague
> error messages. I'll spare everybody any long explanations but as hinted the
> issue seemingly was my 64-bit client. After hours of work I ended up having
> to install Gpg4win, copy the 64-bit libraries over and deinstall it again.

Thanks for reporting that this worked fine for you after the right setup!

> Luckily the libraries work despite Gpg4win 3.1.16 containing only GnuPG
> 2.2.28, while I'm already using GnuPG 2.3.3, still seems questionable
> though. This brought me to the question above: Why are the 64-bit libraries
> only in Gpg4win? Why does GnuPG not come with 64-bit libraries in the first
> place? I can't imagine that I'm the only or first one using GnuPG and
> wanting it to work with 64-bit software.

Most people use Gpg4win, only recently we had to recommend to install the crypto engine installers over it. So thanks for reporting the issue!

Best Regards,
Bernhard
Thunderbird's hints and history for OpenPGP/MIME (new wiki page)
Hi,

just compiled a new wiki page with history and hints about using Thunderbird with OpenPGP/MIME.

https://wiki.gnupg.org/EMailClients/Thunderbird

Mainly I've used information from the email list, but it also adds a conclusion how to deal with subject lines of email.

Let me know how you like it.

Regards,
Bernhard
Translations Popups and Cookiekalypse
On Thursday 18 November 2021 22:26:39, Stuart Longland via Gnupg-users wrote:
> I might've gotten past their cookie pop-up (I hate those:
> EU's privacy laws are not my problem)

But your privacy may be your concern. The requirements of the laws have not changed that much with the introduction of the GDPR, they are just more unified over all Europe and more enforced.

Because service providers can only process the minimum personal data for providing the service to you, they need to ask you before they can use your data for marketing purposes. So agreeing explicitly to a technical session cookie only is not strictly speaking necessary, it is the web site provider that wants you to agree to more, so they can use your personal data to sell your attention to advertisement services.

Best,
Bernhard
Re: User id's without person's name, only email
On Tuesday 16 November 2021 18:06:02, Andrew Gallagher via Gnupg-users wrote:
> On Tue, 2021-11-16 at 18:20 +0200, Teemu Likonen wrote:
> > Am I seeing a starting trend here? Do some people think that it is
> > better practice to have only have email address as user id?

Some email providers offering pubkeys via WKD only accept email-only uids, see the policy flag "mailbox-only" in
https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/13/

> It is reasonable therefore to take the view that the non-email portion
> of a userID is cruft at best (and an unnecessary leakage of personal
> information at worst).

There are two potential problems here:
a) usability in case of deliberately misleading information
     madam president
b) abuse prevention and responsibility in case of illegal information
     Mr X is an XXX he lives at Drowning Street YY

However an email provider can exclude those ab-use-cases in their terms of service with their users and hold them responsible in case of violation.

So it is still okay to use uids which are no email addresses or some uids with more or other information. Just do not expect other services to carry this information, do not fully trust them (just like you do not trust pubkeys by default) and be prepared to take responsibility for the contents you are transmitting.

Best Regards,
Bernhard
Re: Key Management - BSI had send private key instead of public key
On Wednesday 17 November 2021 00:17:58, Стефан Васильев via Gnupg-users wrote:
> According to an article on the German site golem.de[1]
> Germany's BSI[2] had sent its private key instead of
> its public key to a user via email, who requested its
> public key.

> https://www.golem.de/news/verschluesselung-bsi-verschickt-privaten-pgp-schluessel-2111-161073.html

The article says that it was one private key, password encrypted for one email address (probably a functional address for a team).

I have no further information on the incident, and know of no MUA or GUI that makes attaching private key material to an email easy. The most likely scenario would be, that there was a private key in a file somewhere on the system that could be attached to an email manually. As GnuPG itself uses a directory clearly named like .gnupg/private-keys-v1.d/, there is a good chance that it was an exported private key named differently.

The BSI says to have 1400 employees, so not all of them will be technical security experts, they were growing a lot. The BSI increasingly seems to use OpenPGP/MIME instead of S/MIME and is getting more accessible this way for encrypted email exchange.

Overall a good case for using more WKD in the client and the server, where the pubkey would have been transferred automatically with some basic trust and no need for a manual email attachment.

Best Regards,
Bernhard
WKD, wildcard DNS resolution (Re: Error when trying to locate key via WKD)
On Thursday 28 October 2021 12:07:52, Andrew Gallagher via Gnupg-users wrote:
> On 28/10/2021 10:44, Bernhard Reiter wrote:
> > can you provide me a pointer to the gnupg-devel thread?
> > (Did a few minutes of searching, I probably missed something.)
>
> The megathread from hell starts here :-)
> https://lists.gnupg.org/pipermail/gnupg-users/2021-January/064567.html

That is not gnupg-_devel_ (where I was searching). :)

I actually read most of the January thread on "WKD for GitHub pages". Interesting to me is:
https://lists.gnupg.org/pipermail/gnupg-users/2021-January/064584.html
Ingo explaining that it is considered a security drawback if a domain for the advanced method is there but does not allow a connection with a valid TLS certificate.

The understanding of the current draft therefore is

  If the subdomain for the advanced method resolves via DNS, the direct method MUST NOT be used.

Rationale: if the webspace of my email domain is not under my direct control, I'll use the advanced method to indicate a different WKD server I'll trust (and control sufficiently to do so) by creating the necessary DNS entry. If a WKD client would ask this email domain webspace in the direct method, there is an additional attack vector because I do not control the webserver.

On the other hand, if I trust my email domain webserver, the DNS provider can create the advanced method DNS entry and attack me. However this DNS provider could also just change the entry to my email domain webserver.

If so, maybe the phrasing can be improved for the next draft.

Regards,
Bernhard
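The lookup rule discussed in the message above, as an added example that is not part of the original post and is not GnuPG's own code. It builds both WKD URLs for an address and applies "if the advanced subdomain resolves, never use the direct method"; the function names and the injectable `resolves` callback are assumptions of this sketch, and the sample address is the one used in the WKD draft.

```python
import hashlib
import socket
from urllib.parse import quote

# z-base-32 alphabet used by WKD for the hashed local part
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32 (5 bits per character, MSB first)."""
    bits = int.from_bytes(data, "big")
    nbits = len(data) * 8
    pad = (-nbits) % 5          # pad with zero bits to a multiple of 5
    bits <<= pad
    nbits += pad
    return "".join(ZBASE32[(bits >> s) & 31] for s in range(nbits - 5, -1, -5))


def ascii_lower(text: str) -> str:
    """Lowercase ASCII letters only; non-ASCII characters stay unchanged."""
    return "".join(c.lower() if c.isascii() else c for c in text)


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lowercased local part, z-base-32 encoded (32 chars)."""
    digest = hashlib.sha1(ascii_lower(local_part).encode("utf-8")).digest()
    return zbase32(digest)


def wkd_urls(email: str) -> dict:
    """Return the advanced-method and direct-method URLs for an address."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an addr-spec: %r" % email)
    domain = ascii_lower(domain)
    tail = "hu/%s?l=%s" % (wkd_hash(local), quote(local, safe=""))
    return {
        "advanced": "https://openpgpkey.%s/.well-known/openpgpkey/%s/%s"
                    % (domain, domain, tail),
        "direct": "https://%s/.well-known/openpgpkey/%s" % (domain, tail),
    }


def dns_resolves(host: str) -> bool:
    """Default resolver check: True if the name resolves at all."""
    try:
        socket.getaddrinfo(host, 443)
        return True
    except socket.gaierror:
        return False


def select_wkd_url(email: str, resolves=dns_resolves) -> tuple:
    """Pick the one URL a client may query.

    If openpgpkey.<domain> resolves, the advanced method is the only
    choice: a TLS or HTTP failure there must not trigger a fallback to
    the direct method. A wildcard DNS record makes the name resolve too,
    which is why such domains never reach the direct method.
    """
    urls = wkd_urls(email)
    domain = ascii_lower(email.rpartition("@")[2])
    if resolves("openpgpkey." + domain):
        return ("advanced", urls["advanced"])
    return ("direct", urls["direct"])


if __name__ == "__main__":
    # Constructed resolver simulating a wildcard record *.example.org
    wildcard = lambda host: host.endswith(".example.org")
    print(select_wkd_url("Joe.Doe@Example.ORG", resolves=wildcard))
```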
Re: Error when trying to locate key via WKD
On Thursday 28 October 2021 09:32:55, Christoph Klassen via Gnupg-users wrote:
> that GPG doesn't fall back to the direct method.

AFAIU it cannot fall back, because openpgpkey.mail.de seems to exist.

On Wednesday 27 October 2021 22:54:48, Ingo Klöcker wrote:
> The problem with wildcard sub-domains and WKD has been discussed here or on
> gnupg-devel recently.

Ingo, can you provide me a pointer to the gnupg-devel thread? (Did a few minutes of searching, I probably missed something.)

Best Regards,
Bernhard
Re: GnuPG 2.2.32 with libgcrypt 1.8.8
On Monday 25 October 2021 17:01:15, Martin wrote:
> But after "make" and "make install" I see the GnuPG 2.2.32 doesn't use
> libgcrypt 1.8.8 but 1.8.5 (which was installed by Ubuntu repository).

Maybe you need to modify the LD_LIBRARY_PATH accordingly.

(When self compiling I often create a small file like "setgnupg" and source it in my shell to set all the path. Here is my file for the packages of Phil. For those LD_LIBRARY_PATH is not needed but this may be different in your situation.)

more setgnupg /dev/null
::
setgnupg
::
base=/opt/gnupg

# from Phil Pennock and gnupg-devel:
# LD_LIBRARY_PATH is unneeded,
# because the executables have the RPATH stamped into them.
#export LD_LIBRARY_PATH=$base/lib:$LD_LIBRARY_PATH

# You _shouldn't_ need to set MANPATH explicitly on any modern man(1)
# system, because they have facilities to translate $PATH to $MANPATH
# accordingly.
#export MANPATH=$base/share/man:$MANPATH

export PATH=$base/bin:$PATH
export INFOPATH=$base/share/info:$INFOPATH
::

. setgnupg
gets me the new version as preferred binary.

Bernhard
Re: Why does one machine allow me to use two yubikeys simultaneously connected, while another only allows one?
Hi Christian,

On Friday, 22 October 2021 15:24:27, Christian Chavez via Gnupg-users wrote:
> Anyone got any suggestions on how to debug this?

if you swap in the elder version of GnuPG, you could conclude that it is indeed the change of behaviour between the versions. If so you could find out which version in particular introduced this change and look at the detailed changelogs.

Otherwise, what often helps is to step up the verbosity and logs of the different components to see more about what is going on. E.g. add --verbose, then a second one and then go further with the --debug* options.

HTH
Regards
Bernhard
Re: trust-model and federated lookups
Hi Phil,

On Friday, 22 October 2021 17:00:11, Phil Pennock via Gnupg-users wrote:
> I think what I _want_ is `trust-model pgp+federated+tofu`, which means,
> in order: (1) any sigs from the WoT; (2) origin information from the
> key, if the origin shows the key was safely retrieved from a federated
> origin in a provable way (WKD, various DNSSEC storage options, etc); (3)
> TOFU as a fallback if there's nothing better.
>
> I might even just want `trust-model pgp+federated` if I'm feeling more
> cautious. But in reality tofu helps a little.
>
> Does this make sense to people? Is there a security problem with this?
> Does this seem like a reasonable feature request?

Yes, not really, yes. ;)

To me it is important that the behaviour of the application using this information is ideally not black and white, you probably know https://wiki.gnupg.org/AutomatedEncryption which is a vision how email clients can deal with pubkeys that they have different levels of confidence in.

Best Regards,
Bernhard
Re: WKD Research: Measuring use. Any mailinglist maintainers that would help?
Hi Erich,

On Friday, 22 October 2021, 19:17:07 CEST, Erich Eckner via Gnupg-users wrote:
> There are two parts of the usage: The publishing part and the
> search-for-and-use-if-available part. Both need separate measurements, I
> think.

Yes, though we want to focus on the latter part.

> > One idea is: If we have a public email address where a lot of emails are
> > sent to, e.g. the submission address of a mailinglist
> > we could set up an OpenPGP key for it via WKD
> > and use a small tool to pipe each incoming mail through on the server
> > to decrypt and count the mail.
>
> Wouldn't this break DKIM signatures on the mail?

Good question. Mailman, as a popular mailinglist software, already modifies mails, thus may break these DKIM signatures. I need to do more research on this concern. (Here is an old Mailman discussion: https://wiki.list.org/DEV/DKIM)

> Just to be clear: You intend to send the encrypted mail through the mailing
> list as usual, right?

Yes, unencrypted, of course.

> Also: This would only cover mailing lists and thus skew the results. What
> about organizations, that use WKD in-house, but whose members rarely write
> to mailing lists?

If you have any ideas how to do a direct or indirect measurement, I'd like to hear about them.

> If you want to fiddle around with mailservers, I would prefer your second
> approach: You measure the requests to the webserver, but actually don't
> offer a key via WKD - thus, the email flow is undisturbed, but you still
> get your metrics.

True, using the weblogs may give some indications. However, it does not measure if the clients later actually would understand the pubkey and send encrypted emails, and an advanced client may cache the results of a WKD request for a limited time.

> For measuring the publishing part, one could actively query for WKD on
> known MX domains.

(As written above, the work is more focused on the client, but following up your suggestion: That they offer a WKD in principle does not say much about how many email addresses actually offer a key, as we cannot walk them and need an email address before we could actually do a real query. Otherwise, it would be interesting to see if there are more prominent WKD offers out there.)

> For measuring the usage part, I think, it's more valuable to have a look
> at available software and their features: How many people use mail client
> X, and does X have WKD enabled by default or can it use WKD at all / as a
> fallback / ...

This is a good suggestion, Christoph is already doing this since a while.

Thanks for your feedback!

Best Regards,
Bernhard

ps.: I've chosen to have this discussion in gnupg-users, where me and Christoph are subscribed.
WKD Research: Measuring use. Any mailinglist maintainers that would help?
Hello friends of OpenPGP,

as part of his Bachelor thesis [1], Christoph wants to find out which actions could increase the overall usage of WKD.

Ideally we should be able to observe some changes in the usage of WKD over time and hopefully can credit something to some changes like measures tried during the research.

So how do we observe WKD usage over time?

Obviously this is hard to do, as we are in a decentral system, which is designed to keep things private. Thus our measurement can only be indirect.

One idea is: If we have a public email address where a lot of emails are sent to, e.g. the submission address of a mailinglist, we could set up an OpenPGP key for it via WKD and use a small tool to pipe each incoming mail through on the server to decrypt and count the mail. We can also count the number of requests for the WKD address on the webserver serving the WKD.

In both counts, no personal data is saved. So it is just about the safety of the decryption tool, which can be provided.

Do you know email addresses, e.g. of mailinglists, where you know the server administrators would be potentially willing to help this academic research?

Any other ideas?

Best Regards,
Bernhard

[1] https://wiki.gnupg.org/WKD/Misc
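The web-server side of the measurement discussed in this thread (counting requests for the WKD address while saving no personal data), as an added example that is not part of the original mails and not a GnuPG tool. It assumes an Apache/nginx combined-format access log; the log lines are constructed and the function names are hypothetical. The path layout of the direct and advanced methods follows the WKD draft.

```python
"""Count WKD lookups in an access log, keeping only aggregate counters."""
import re
from collections import Counter
from urllib.parse import urlsplit

# z-base-32 alphabet; a WKD key path ends in a 32-character hash of the local part.
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
HU = rf"hu/(?P<hash>[{ZBASE32}]{{32}})"

# direct method:   https://example.org/.well-known/openpgpkey/hu/<hash>
# advanced method: https://openpgpkey.example.org/.well-known/openpgpkey/example.org/hu/<hash>
DIRECT = re.compile(rf"^/\.well-known/openpgpkey/(?:{HU}|policy)$")
ADVANCED = re.compile(
    rf"^/\.well-known/openpgpkey/(?P<domain>[a-z0-9.-]+)/(?:{HU}|policy)$"
)

# Combined log format (assumption): client, ident, user, [time], "request", status, ...
LOG_LINE = re.compile(
    r'^\S+ \S+ \S+ \[(?P<day>[^:\]]+):[^\]]+\] '
    r'"(?P<verb>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def classify(line):
    """Return (day, wkd_method, resource, outcome), or None for non-WKD lines.

    The client address, the ?l=<local-part> query and the hash are dropped:
    the hash is derived from the local part, so it identifies an address too.
    """
    m = LOG_LINE.match(line)
    if not m or m["verb"] not in ("GET", "HEAD"):
        return None
    path = urlsplit(m["target"]).path  # strips the ?l=... query string
    for kind, pattern in (("direct", DIRECT), ("advanced", ADVANCED)):
        hit = pattern.match(path)
        if hit:
            resource = "key" if hit["hash"] else "policy"
            # A 404 still shows that a client tried WKD, which is what the
            # "measure requests but offer no key" variant relies on.
            outcome = "served" if m["status"].startswith("2") else "not-served"
            return (m["day"], kind, resource, outcome)
    return None


def count_wkd(lines):
    """Aggregate WKD requests per day, method, resource and outcome."""
    totals = Counter()
    for line in lines:
        key = classify(line)
        if key:
            totals[key] += 1
    return totals


def key_lookups_by_method(totals):
    """Collapse the counters to key lookups per WKD method."""
    result = Counter()
    for (_day, kind, resource, _outcome), n in totals.items():
        if resource == "key":
            result[kind] += n
    return result


# Constructed sample lines (documentation addresses, made-up sizes).
SAMPLE_LOG = """\
192.0.2.10 - - [22/Oct/2021:19:17:07 +0200] "GET /.well-known/openpgpkey/example.org/policy HTTP/1.1" 200 0 "-" "-"
192.0.2.10 - - [22/Oct/2021:19:17:07 +0200] "GET /.well-known/openpgpkey/example.org/hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe HTTP/1.1" 200 2210 "-" "-"
198.51.100.7 - - [22/Oct/2021:20:01:44 +0200] "GET /.well-known/openpgpkey/hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe HTTP/1.1" 404 153 "-" "-"
198.51.100.7 - - [23/Oct/2021:08:30:00 +0200] "GET /.well-known/openpgpkey/example.org/hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q HTTP/1.1" 200 2210 "-" "-"
203.0.113.5 - - [23/Oct/2021:08:31:12 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "-"
203.0.113.5 - - [23/Oct/2021:08:31:13 +0200] "POST /.well-known/openpgpkey/hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q HTTP/1.1" 405 0 "-" "-"
"""

if __name__ == "__main__":
    totals = count_wkd(SAMPLE_LOG.splitlines())
    for key, n in sorted(totals.items()):
        print(n, *key)
    print(dict(key_lookups_by_method(totals)))
```

As noted in the replies, these counters are a lower bound on client interest: a client that caches a WKD result will not show up again, and a request does not prove that an encrypted mail was sent afterwards.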
Re: Importing a signed key
Hi Holger,

On Friday, 15 October 2021 17:55:28, Holger Sebert wrote:
> The new version, however, does nothing:
>
> $ gpg --import somekey.pub.key.gpg
> gpg: Total number processed: 0

you could add more verbosity to find out what is going on, e.g. like
    gpg --verbose --import somekey.pub.key.gpg
or
    gpg --verbose --verbose --import somekey.pub.key.gpg
or
    gpg --debug-level advanced --import somekey.pub.key.gpg

> On the other hand, importing the plain key-file ("somekey.pub.key")
> works:

If you want to check the signature, try
    gpg --verbose --verify somekey.pub.key.gpg
see if the result helps you.

Usually it is considered safe to import public keys, because they are not automatically trusted by GnuPG. (Usually means, unless you or some GnuPG using application is making other assumptions.)

Regards,
Bernhard
Re: GNU Privacy Assistant - false negatives on detached signature verification (GPA)
On Wednesday, 06 October 2021 21:19:18, anonymous via Gnupg-users wrote:
> It seems that GPA can only verify detached signatures when it has a suffix
> of .sig .sign or .asc. When a detached signature has a different suffix
> (for example .gpg like all of the sha256sum.txt.gpg files for verifying
> Linux Mint downloads) GPA will always display a signature status of "Bad"
> even though the signature is in fact good.

If this is reproducible for you, please file a problem report on dev.gnupg.org with keyword GPA.

Note that GPA maintenance is currently very slow. Werner has some GTK3 patches but no time to get this in shape. And unless someone steps up to maintain the windows port, it will probably be dropped from Gpg4win for example. (See gpg4win-devel@ discussion).

Best Regards,
Bernhard
Re: WKD docs on the wiki, restructuring. Feedback on forUsers page
On Wednesday, 29 September 2021 20:26:02, Alessandro Vesely via Gnupg-users wrote:
> On Tue 28/Sep/2021 17:39:29 +0200 Bernhard Reiter wrote:
> > Feedback (and help) is always appreciated.:)
>
> I'm not sure if WKD/forHosts would be a better location than WKDHosting.

Not sure either yet. I just know that https://wiki.gnupg.org/WKD got too long and needs to be restructured for the different perspectives. I haven't gotten to the WKDHosting page so far.

> Anyway, I'd publish the test suggested by Alissa on this list on 8 July
> 2019:
>
> gpg --homedir "$(mktemp -d)" --locate-keys h...@alyssa.is

done

> The address https://www.ietf.org/id/draft-koch-openpgp-webkey-service.txt,
> near the bottom of the page yields 404. Please use:
> https://datatracker.ietf.org/doc/html/draft-koch-openpgp-webkey-service

done, thanks for your good suggestions!

Best Regards,
Bernhard
WKD docs on the wiki, restructuring. Feedback on forUsers page
Hi All,

the https://wiki.gnupg.org/WKD page got longer over time and thus should better be split up to help people find what they are interested in.

Thus I've started with restructuring and found it cannot be done in one step.

New is https://wiki.gnupg.org/WKD/forUsers which should address WKD from the user's perspective. It has a principle list of what to look for with email clients and email providers now. It will later link an annotated list of clients and providers (once they get properly put in a good place).

Feedback (and help) is always appreciated. :)

Best Regards,
Bernhard

ps.: Christoph will probably help me with updating the wiki as he will write his bachelor thesis about how to improve the usage of WKD.
Re: Error messages reconfiguring an OpenPGP smartcard
Hi Borden,

On Saturday, 04 September 2021 12:11:34, Borden via Gnupg-users wrote:
> Can I get some troubleshooting guidance to understand this output and why
> I cannot generate a new encryption key?

in general, increasing verbosity helps to understand better what is going on.

For most GnuPG command line tools, this means to add "--verbose" or the short form "-v" to the command line. A second "-v" will give you more data.

Then there is the group of "--debug" options which will give you even more insights. Check the documentation to see what they actually do.

(And be careful when posting that verbose information, it may contain sensible parts if higher debug levels are used.)

Regards,
Bernhard
Re: Unable to load dll
Hi Eric,

On Wednesday, 04 August 2021 19:58:49, Eric Y. Lin wrote:
> I've built up a win32 application to remotely import a public key to verify
> a digital signature. Everything works fine in a Windows 10 machine. Yet, as
> I was trying this win32 app when the gpg4win-3.1.16 was uninstalled, it
> didn't work.
>
> The error message is "Unable to load DLL '.'" The
> specified module could not be found. I got the same error message even if I
> copied the libgpgme.imp and libgpgme-11.dll to be in the same folder as the
> win32 app.

It seems that your application was using GPGME, which is the official API for the GnuPG crypto engine. For it to work, you'd need Gpg4win or another build of GnuPG and GPGME for windows installed.

There is a GnuPG-only build for Windows, but as I remember it may not include GPGME.

> Another small issue is that the remotely listing and importing public key
> is a very slow process. It usually takes about one minute or so to
> complete. Is this a normal thing ?

I am not sure what you mean by remotely. If you are accessing a keyserver or using WKD, it first depends on the speed of the server response and the network. Both should be fast. GnuPG then may need to compute the trust relations and this can take a bit, if there are many.

Before you can make this faster, I'd try to find out where the time is spent.

Best Regards,
Bernhard
Re: --search-keys: "gpg: error searching keyserver: No inquire callback in IPC"
Hi Rainer,

On Wednesday, 28 July 2021 11:22:18, Rainer Fiebig via Gnupg-users wrote:
> Hi! I'm having a problem when searching for keys on keyservers when
> using "gpg --search-keys".
>
> The only line in dirmngr.conf (except for comments) is:
> keyserver hkps://keys.openpgp.org

note that this particular keyserver has decided to be incompatible with the current OpenPGP standard, by omitting a valid user id, unless it was "validated". (It says so in its FAQ and there is part of a discussion here https://dev.gnupg.org/T4393#133695)

This could potentially cause problems.

> However, this (and only this) works:
>
> ~> gpg --keyserver keyserver.ubuntu.com --search-keys
> E3FF2839C048B25C084DEBE9B26995E310250568

Have you tried some other keyservers like http://keys2.andreas-puls.de/ ?

Or you can set some dirmngr options to get more diagnostic output in its logfile. (See dirmngr's documentation.)

Regards,
Bernhard
Re: contact list issues
Hello Marcio,

On Monday, 12 July 2021 18:15:26, Marcio Barbado, Jr. via Gnupg-users wrote:
> My goal is to move away from the Google Contacts service but keep my
> contacts reasonably available.
>
> So, I would like to know if someone in this list is able to share positive
> results in that sense.

using a privacy sensitive email provider can help you here.

E.g. with https://posteo.de/en the addressbook can be shared by CardDAV and is available to many email clients. I've shared it successfully with Android and SailfishOS devices via https://f-droid.org/de/packages/at.bitfire.davdroid/ I saw it on Kmail, too, and vdirsyncer would also allow a sync.

I guess mailbox.org will offer a similar service and there are probably more email providers out there that offer CalDAV with the account. (Posteo and Mailbox.org just came out top on a 2015 test for privacy aware providers in a test.de survey and they are ad-free and with a reasonable fee.) Note that both also offer WKD services.

Regards,
Bernhard
Re: Run Kleopatra on MS Windows 10
Hello,

On Sunday, 04 July 2021 18:36:43, Виктор Джелепов via Gnupg-users wrote:
> Hello, I'm using Gpg4win on Windows 10 Home (64-bit). Gpg4Win version:
> 3.1.16
>
> When I try to run Kleopatra from the desktop (not as an administrator),
> it doesn't run.

try to find out why it does not run. If you have been using Kleopatra as an administrator before (which is not recommended), you may have a permission problem somewhere. So one way could be to move away (backup) your GnuPG data and then see if Kleopatra runs again.

> When I run it as an administrator, I get a dialog with the
> following warning message: "Kleopatra cannot be run as administrator
> without breaking file permissions in the GnuPG data folder. To manage keys
> for other users please manage them as a normal user and copy the
> 'AppData\Roaming\gnupg' directory with proper permissions. Are you sure you
> want to continue?"

You can just continue there, if you know what you are doing and can live with the permission and security consequences (as outlined in https://wiki.gnupg.org/Gpg4win/RunAsUser)

> As I understand, this is a known issue. Looked for working solutions, but
> so far found some workarounds:
> 1. Install an older version of Gpg4win (e.g. 3.1.14)
> 2. Run Kleopatra through the cmd
> 3. Run as a normal user (Found more info in an article on the GnuPG Wiki:
> https://wiki.gnupg.org/Gpg4win/RunAsUser)
>
> Are there other recommended solutions or workarounds for this type of
> issue? Thanks!

Best Regards,
Bernhard

ps.: Let us move this discussion to https://lists.wald.intevation.org/mailman/listinfo/gpg4win-users-en/ which is more focussed on Gpg4win topics. :)
Re: GPG4Win 3.1.16: mkportable.exe missing?
Hello Karel,

On Saturday, 3 July 2021, 22:29:15 CEST, karel-v_g--- via Gnupg-users wrote:
> After Updating from GPG4Win 3.1.15 to .16 I noticed that the newest build
> does not install mkportable.exe?! Is it missing by intent or by accident?

as far as I know mkportable works in principle on Gpg4win 3.1.16, see success reports on https://dev.gnupg.org/T5287

So the question is why does it not install for you. Can you try a reinstall and select all components?

> PS: I hope it is okay to ask this GPG4Win-related question here on the
> GnuPG-list!?

To me it is okay, though gpg4win-users...@wald.intevation.org is even more appropriate. If possible, followup there. (You need to subscribe to the list.)

Best Regards,
Bernhard
Re: BSI - Why PQC for Thunderbird and not gpg4win in the first place?
On Tuesday, 29 June 2021 20:01:03, Стефан Васильев via Gnupg-users wrote:
> Werner Koch wrote:
> > On Tue, 29 Jun 2021 15:31, Стефан Васильев said:
> >> I don't understand why the BSI is looking for Post Quantum
> >> Cryptography support with OpenPGP for Thunderbird and not for the
> >> promoted gpg4win,

The tender includes implementing the algorithms in libgcrypt as well, so Gpg4win will also get it.

When trying to understand how public administration and governments work, it is helpful to think of them as several groups and people. So it is not something that _the_ BSI wants or _the_ German Government. It is about sections, people, parties, ministries that all act within their view on their tasks, duties and also group and personal interests.

This is okay, but it means one person, group or ministry may look at a technical aspect differently than others and act accordingly.

> >> As understood, Germany recently passed a law to strengthen authorities
> >> to allow the usage of their Government trojan, which tells me that
> >> using
> >
> > It is quite a problem for the BSI that the gov is trying to shift them
> > into the same trouble the NSA has. Protecting the citizen while at the
> > same time helping to attack them.

To be more specific, the conservative party block (CDU/CSU) in Germany has been pushing many years for more surveillance, more rights for secret services and attack capabilities. And the resistance from other parties like SPD, FDP, attorneys, journalists has been becoming weaker. (Note that the biggest block of German voters prefer this conservative block, so this is a problem of convincing more people and changing their vote about those topics). Similar in Europe and the pandemic has shifted public attention away from the downsides.

Rumors go that there is a good part that the German BSI may be split up in the future in what I'd call a "good" and "bad" part. This makes sense, as if "security" public administrations have legal rights and obligations, they need technical support and this is typical within the ministry of the interior. On the other hand the protecting part should be more independent, maybe in the consumer and economy protection with the ministry of justice or the ministry of economy.

Regards,
Bernhard
Debian using ed25519 APT repo meta data (Re: Ditching OpenPGP, a new approach to signing APT repositories)
On Tuesday, 29 June 2021 19:00:00, Konstantin Ryabitsev via Gnupg-users wrote:
> Yes, but speaking from personal experience, integrating libsodium into your
> automation is significantly easier than almost any other option. Let Debian
> folks do what makes most sense for their needs -- what they are doing is
> certainly not wrong or heading in the wrong direction.

Sure, there are enough reasons to not use a standardized "packaging" protocol. It comes with risks of course, but if it is well understood, it is much simpler.

The problem with the draft wiki page is that others use it to push their agenda of antagonising OpenPGP and Debian without understanding the technical matter. So giving more context and a better fitting headline would clarify this.

Bernhard
Re: Ditching OpenPGP, a new approach to signing APT repositories
On Tuesday, 29 June 2021 14:44:39, Konstantin Ryabitsev via Gnupg-users wrote:
> With this change, they are replacing PGP with ed25519, but everything else
> remains pretty much the same

But OpenPGP is so much more than one algorithm, you can even use ed25519 with OpenPGP today. (Again, probably because of the draft or work in progress status, maybe someone with write access to the wiki could clarify the headline.)

Thanks for the infos,
Bernhard
Re: Ditching OpenPGP, a new approach to signing APT repositories
On Sunday, 27 June 2021 18:56:15, Стефан Васильев via Gnupg-users wrote:
> maybe interesting for some of you.
> https://wiki.debian.org/Teams/Apt/Spec/AptSign

This does not have references on the problems it is claiming to address. No description of the context where it is supposed to be used and what part it will play in the security. Also there is no mention of how the trust relation of the public keys will be established.

So not yet possible to evaluate the page, it looks like a 0.2 draft in a wiki and probably gets to the point of being an interesting proposal later.

Bernhard
Re: Translate Thai Language
On Thursday, 27 May 2021 03:40:47, นายสุชัย วรรณกิจวรกุล via Gnupg-users wrote:
> https://www.google.com/collections/s/list/GonnECDElSgvvZAspdWokUS97euzFg/-nn6B0iFiAA

If this is a serious mail, please note that many of us cannot see the contents of the above link, because it seems to need a google account to allow access.

Best,
Bernhard
Re: GPG NEVER asks for a passphrase
Hi Steven,

On Thursday, 27 May 2021 17:44:23, Steven Dudley via Gnupg-users wrote:
> Windows 7 home premium
> service pack 1
> 8 gb of ram
> 64-bit
>
> GnuPG 1.4.23
> GPG Config 1.33
> GPG Shell 3.78

(Note that I cannot find current info on GPG Shell; are you sure this is still security supported?)

> When I right click on a file and send to GPG Tools, pick my OLD DEFAULT
> (being phased out) email, GPG runs and a *.gpg file is created. I double
> click on it, I'm asked for a passphrase, I enter it, and my file is
> decrypted.
>
> When I encrypt to my NEW key, my *.gpg file is created, I double click on
> it, GPG NEVER asks for a passphrase, it just decrypts the file.

Try to operate "gpg" on the command line to see more messages which may help you to find out if this is a frontend issue or something else.

Example:
    gpg -vv --decrypt x.gpg

Newer GnuPG versions on windows would cache a passphrase for a while, I cannot say what GPG Shell does (as far as I remember it isn't Free Software).

Best Regards,
Bernhard
Gpg4win/RunAsUser: (Is:After upgrading to gpg4win 3.3.15 Kleopatra fails to come up)
On Monday, 19 April 2021 23:49:56, Shridhar Mysore via Gnupg-users wrote:
> <<<<
> Kleopatra cannot be run as adminstrator without breaking file permissions
> in the GnuPG data folder.

(For completeness here in the ML)
https://wiki.gnupg.org/Gpg4win/RunAsUser

Best,
Bernhard
Re: Public relations: GnuPG 2.3.0 status?
Am Montag 12 April 2021 12:40:11 schrieb Bernhard Reiter: > My suggestion: > a) give it no label (thus implicitly assuming a regular release) > b) change the download webpage to remove the "(devel)" substring. Patch to remove missleading "(devel)" from downloads webpage for 2.3.0 release. diff --git a/web/download/index.org b/web/download/index.org index 1af5af7..21cb96a 100644 --- a/web/download/index.org +++ b/web/download/index.org @@ -48 +48 @@ - | [[../software/index.org][GnuPG]] (devel) | {{{gnupg24_ver}}} | {{{gnupg24_date}}} | {{{gnupg24_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/gnupg/gnupg-{{{gnupg24_ver}}}.tar.bz2{{{ftpclose}}}| {{{ftpopen}}}{{{ftp_loc_base}}}/gnupg/gnupg-{{{gnupg24_ver}}}.tar.bz2.sig{{{ftpclose}}}| + | [[../software/index.org][GnuPG]] | {{{gnupg24_ver}}} | {{{gnupg24_date}}} | {{{gnupg24_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/gnupg/gnupg-{{{gnupg24_ver}}}.tar.bz2{{{ftpclose}}}| {{{ftpopen}}}{{{ftp_loc_base}}}/gnupg/gnupg-{{{gnupg24_ver}}}.tar.bz2.sig{{{ftpclose}}}| signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
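Review bot: The hunk header "@@ -48 +48 @@" for web/download/index.org shows the patch was generated without context lines, so it applies only while line 48 is still exactly this table row; regenerating it with the default three lines of context would make it apply robustly and let a reviewer see the neighbouring rows. The changed row keeps the gnupg24_ver, gnupg24_date and gnupg24_size macros while the description speaks of the 2.3.0 release, so the commit message should state that these macros are the ones carrying the 2.3 series, and "missleading" there should read "misleading".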
Public relations: GnuPG 2.3.0 status?
On Thursday, 08 April 2021 11:05:48, Werner Koch via Gnupg-devel wrote:
> We are pleased to announce the availability of a new GnuPG release:
> version 2.3.0.

Congratulations!

As I am trying to spread the word, I am considering how to write about the status of the release.

https://gnupg.org/download/index.html calls it **devel**
    GnuPG (devel) 2.3.0
(and the 2.2.27 "LTS").

In contrast, the text here assumes at least "beta":

> This release marks the start of public testing releases
> eventually leading to a new stable version 2.4.
>
> Although some bugs might linger in the 2.3 versions, they are intended
> to replace the 2.2 series. 2.3 may even be used for production purposes
> if either the risk of minor regressions is acceptable or the new
> features are important.

On the other hand it is "released", and it is okay to use in production, so it could just be labeled the "current release" (and 2.2 "LTS" in contrast). However, the quote above talks about "public testing releases", which again hints more towards "release candidate".

My suggestion:
a) give it no label (thus implicitly assuming a regular release)
b) change the download webpage to remove the "(devel)" substring.

Rationale: It is okay for production (under some circumstances) and this is the main association people have with a release. It being a point release will make people cautious that have reason to be conservative.

Fine by you?

Best Regards,
Bernhard