Re: smartcard reader
Hi All,

On 20.10.16 at 19:46, li...@michel-messerschmidt.de wrote:
>> Are there any new options that weren't listed already?
>
> yubikey4
>
> Although I had very good experience with the SPR 532 (and a lot of trouble
> with another Cyberjack reader, the Comfort IIRC), the yubikey token has a
> better trade-off between usability and security for me.
>
> Mainly because it's usable on mobile devices through openkeychain, but good
> support of 4k RSA keys is also welcome. Lack of a pin-pad is the main
> drawback. Tamper resistance and firmware source may be other discussion
> topics.

Not sure the YubiKey4 is a good choice to start with. I bought one specifically for use with GnuPG (and for its U2F support). I had a lot of trouble getting my YubiKey on it. It finally worked using a recent Ubuntu, but on my MacBook with MacOS "El Capitan" I am unable to access the keys. I only get "card error". Digging deeper with dtruss (kind of "strace") I got as far as that scdaemon gets a "pcsc: sharing violation".

I /think/ it worked exactly once. But then I played a bit with the PIV applet on the YubiKey (using yubico's piv-tool), and since then I can not get to the OpenPGP applet on the YubiKey. Only the PIV works (I see my x509 certificates in there in Keychain and can use them in Safari to authenticate to, for example, StartSSL.com).

(Any hints to get PIV and OpenPGP to work side-by-side are most welcome.)

Tl;dr: If adding the YubiKey, then there should be a warning never to play with the PIV applet on it.

Best regards

Björn

--
| Bjoern Kahl +++ Siegburg +++ Germany |
| "mls@-my-domain-" +++ www.bjoern-kahl.de |
| Languages: German, English, Ancient Latin (a bit :-)) |

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
API documentation for Python GpgMe bindings?
Dear All,

I'd tried to play around with the (new) Python bindings announced just a few days ago, but I am a bit lost.

I am using Python-2.7 on MacOS "El Capitan", with Python-2.7, gpg2, gpgme (1.6.0_2) and the bindings py27-pygpgme and pyme all installed using MacPorts. (Yes, that is not the newest gpgme-1.7.0 announced last week; the announcement last week just made me aware of the fact that there are Python bindings at all.)

I know the C-library documentation of GpgMe found here:
https://www.gnupg.org/documentation/manuals/gpgme/

Is there similar documentation for the Python bindings "pyme" (or "pyme3")? Google didn't return helpful results for "gpgme python api reference" or "pyme api reference" for me.

Looking at the C-library documentation and the help() output in the Python interpreter for pyme and objects accessible from there, I fail to see a clear mapping on how to call various functions.

For example, I can create a GpgMe context with "ctx = pyme.core.Context()" and find a key with "key = ctx.get_key("the-key-id")". But how do I - for example - change context attributes like the pinentry mode? The "pyme.core.Context" object doesn't seem to have a "set_attributes" or a "set_pinentry_mode" or anything related.

I found "pyme.pygpgme.gpgme_set_pinentry_mode()", which takes a context, but apparently a different flavour of a "context" than returned from "pyme.core.Context()". Trying to pass the result from "pyme.core.Context()" to "pyme.pygpgme.gpgme_set_pinentry_mode()" gives a type error. Also, the context from "pyme.core.Context()" doesn't seem to have a function to retrieve the underlying gpgme context.

So, where can I find documentation of the Python bindings or guidelines on how to apply the C-library documentation to the pyme bindings for Python (either 2.7 or 3.x)?
Thanks & best regards

Björn
Configuration hints for using gnupg (2.0.x) interchangeably with graphical frontend and in the terminal
Dear All,

I am looking for hints or best practices to seamlessly mix use of GnuPG in the terminal and with frontends, in my case Enigmail in Thunderbird.

I am on MacOS X (10.9.5 "Mavericks") with GnuPG installed through MacPorts as my main machine, and am also quite often logged into other Macs and other Linux boxes using SSH, coming from that main Mac.

Problem:

I quite often use gpg through Enigmail and also regularly use it in the terminal or when remotely logged into a box using ssh. Currently, whenever Enigmail needs a passphrase, it throws up a popup window (actually, it runs gpg, which runs the agent, which runs pinentry-mac, which throws up the window) _somewhere_: sometimes on the screen I am looking at, sometimes on another physical screen, sometimes hidden behind other windows, sometimes in the front.

When using gpg in the terminal originally the same happened: some random window popping up at some random spot on some random monitor. Even worse, when logging in through SSH, it threw up a pin entry window on the locked graphical session idling on the remote machine instead of in the terminal I am working in.

Partial solution tried:

I created a second gpg-agent.conf named "gpg-agent-term.conf" and configured the first to run pinentry-mac and the latter to run pinentry-curses. _Usually_ Enigmail/Thunderbird picks the first one and pops up its passphrase dialogue on one of my physical screens (I have no idea how it decides which one). If (and only if) I remember to explicitly start an agent with the second configuration, then gpg running in the terminal asks for my passphrase in that terminal. But *only* in that terminal. If I run gpg in another terminal, I either get the pinentry-mac (i.e. I forgot to set GPG_AGENT_INFO to the running "terminal-config" agent), or it asks me in that other terminal. On an average day, I have about 10 shells running in parallel, partly in terminal windows, partly in "screen" sessions in a single terminal window.
Searching through all my shells for where the passphrase dialogue appeared is annoying. However, when I start an agent with the second configuration before starting Thunderbird, then Enigmail asks me for a passphrase in the terminal where I started that agent.

Questions:

How can I configure gpg and the agent such that:

- Whenever I run gpg in a terminal, it will ask me for my passphrase in exactly that terminal where I am interacting with it and expect the prompt? I.e. on the TTY that is the controlling TTY of the gpg process I am interacting with?

- Is there a way to have a single agent (with a single config file, so I can start it at first login and have it available in all terminals/shells and programs (e.g. Thunderbird) started from there) but still get a graphical passphrase dialogue in programs which (no longer) have StdIn connected to a terminal or don't have a controlling TTY, and a plain prompt in the terminal for programs that run in a terminal?

I seriously doubt that there is any way to get back the just perfect behaviour of the old GnuPG 1.x where Enigmail would show a blocking dialogue attached to exactly that Thunderbird window where I was signing or decrypting a message. But I hope there is at least a way to get the terminal version to prompt for the passphrase in the one spot where it makes sense: the TTY it is running in.

Sorry for the long mail, and thanks for reading all this. I tried to be precise on what my problem is and failed to be concise at the same time.

Best regards

Björn
Re: How to convert (ancient) key in "version 2" to more modern "version 4" format?
Dear Ludwig,

On 28.05.16 at 22:24, Ludwig Hügelschäfer wrote:
> On 28.05.16 20:30, Bjoern Kahl wrote:
>
>> Which leaves me with the other option, teach Mailvelope /
>> openpgp.js to read v2 keys.
>>
>> Looking at the RFC-4880, it seems V3 and V2 keys share the same
>> structure (section 5.5.2, page 41). Openpgp.js does handle V3
>> keys, but not V2. Which makes me wonder if it is enough to let V2
>> keys run through the same code path as the supported V3 keys, or if
>> I am missing something important here.
>
> Björn, why would you want to put energy in support of such ancient
> keys? V3 keys aren't supported any more by GnuPG 2.1, and nobody
> mentioned V2 keys here for years. Usually, those keys are at best 1024
> bits long which suggests that they are replaced by an adequate V4 key
> with recommended key length right now.

Very simple: Because I have *tons* of mails (and other archived data files) that have been signed and / or encrypted with such keys and I (I have to use such a strong word here) *insist* on being able to continue to read these mails and files whenever the need arises.

> They are obsolete in every aspect.

They may not be a wise choice for creating new data (mails, files) for their limited key length and other shortcomings mentioned in 4880 and elsewhere. But they are perfectly fine and necessary to access historic data.

Best

Björn
Re: How to convert (ancient) key in "version 2" to more modern "version 4" format?
On 24.05.16 at 08:32, Werner Koch wrote:
> On Mon, 23 May 2016 21:56, m...@bjoern-kahl.de said:
>
>> :public key packet:
>>         version 2, algo 1, created 102227, expires 0
>
> That was created by a very old PGP-2 version. gpg never created a
> version 2 key.
>
>> Is there a way to have gpg2 convert and export the key? Looking
>
> The formats are different and even if you would use the same key
> material, the fingerprint and the keyid will be different. Thus there
> is no practical way of using it [1].
>
> [1] if you use the key material and make a v4 key out of it, gpg should
> be able to decrypt keys with a wild-card keyid (--throw-keyid in
> gpg, can't remember the PGP-2 option).

Thanks a lot for the explanations. So while theoretically possible, it would be a pretty useless exercise, since it would change the keyid and break all collected signatures.

Which leaves me with the other option, teach Mailvelope / openpgp.js to read v2 keys.

Looking at the RFC-4880, it seems V3 and V2 keys share the same structure (section 5.5.2, page 41). Openpgp.js does handle V3 keys, but not V2. Which makes me wonder if it is enough to let V2 keys run through the same code path as the supported V3 keys, or if I am missing something important here.

Thanks

Björn
How to convert (ancient) key in "version 2" to more modern "version 4" format?
Dear All,

I have a long-used key that has been created back in 2002 using - I think - some gpg 1.0.x version. This key, at least when exported with "gpg2 --export" (or "--export-secret-key"), seems to be in some "key packet version 2" format, as "gpg2 --export | gpg2 --list-packets" shows:

---8<8<---
:public key packet:
        version 2, algo 1, created 102227, expires 0
        pkey[0]: [1024 bits]
        pkey[1]: [5 bits]
        keyid: 1234567890123456
...
--->8>8---

(Yes, it's only 1024 bits and that's not really up to modern needs, and while I eventually have to phase out this key, I still need to have it around for the time being. -- Key-rollover isn't a strength of the whole PGP system. :-( )

Modern keys generated with gpg2 show a "version 4" in the second line.

I'd like to convert the existing secret key and the corresponding public key, preferably without destroying the signatures, from "version 2" to "version 4". For one thing, it would allow me to specify key preferences or set the primary ID, which seems to be not possible in the old format. For the other reason, I need to import the key into another software, in this case "Mailvelope", which does not support "version 2" keys.

Is there a way to have gpg2 convert and export the key? Looking through gpg2's online help and trying to "google" an answer with varying queries did not turn up any definite advice.

I am currently using gpg2 version 2.0.29 with libgcrypt 1.7.0, installed using MacPorts on MacOS X 10.9.5.

Thanks

Björn
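The question in this post, and Werner's reply further up that "the fingerprint and the keyid will be different" for the same key material, come down to the packet layouts in RFC 4880 section 5.5.2. The following Python 3 script is an added example, not code from the thread or from GnuPG: it builds and parses public-key packet bodies in the V2/V3 layout (V2 is identical to V3 except for the version octet, per the RFC) and in the V4 layout, and derives the fingerprint and key ID the way each version defines them. The 1024-bit modulus it uses is a constructed sample value, not a real RSA key; only the packet structure and the key-ID derivation matter here.

```python
"""Added example (not from the thread): parse OpenPGP public-key packet
bodies per RFC 4880 section 5.5.2 and derive the key ID both the old
(V2/V3) and the V4 way, to show why re-wrapping the same RSA key material
as a V4 key yields a different key ID and fingerprint.  The modulus below
is a constructed sample value, not a real key."""
import hashlib
import struct

RSA = 1  # RFC 4880 public-key algorithm id 1: RSA (Encrypt or Sign)


def _mpi(value):
    """Encode an integer as an OpenPGP MPI: 2-octet bit length, then octets."""
    nbytes = (value.bit_length() + 7) // 8
    return struct.pack(">H", value.bit_length()) + value.to_bytes(nbytes, "big")


def _read_mpi(buf, pos):
    """Decode an MPI at buf[pos:]; return (integer, position after it)."""
    bits = struct.unpack(">H", buf[pos:pos + 2])[0]
    nbytes = (bits + 7) // 8
    start = pos + 2
    return int.from_bytes(buf[start:start + nbytes], "big"), start + nbytes


def build_v3_body(n, e, created, expires_days=0, version=3):
    """V3 layout: version, 4-octet creation time, 2-octet validity in days,
    algorithm, MPIs n and e.  RFC 4880 says V2 keys are identical except
    for the version octet, so version=2 gives the layout of the dump
    quoted in this thread."""
    return (bytes([version]) + struct.pack(">IH", created, expires_days)
            + bytes([RSA]) + _mpi(n) + _mpi(e))


def build_v4_body(n, e, created):
    """V4 layout: version, 4-octet creation time, algorithm, MPIs."""
    return bytes([4]) + struct.pack(">I", created) + bytes([RSA]) + _mpi(n) + _mpi(e)


def parse_public_key_body(body):
    """Parse a public-key packet body (tag 6) and return the fields that
    'gpg --list-packets' prints, plus the fingerprint and key ID derived
    by the rule that applies to that version."""
    version = body[0]
    if version in (2, 3):
        created, expires_days, algo = struct.unpack(">IHB", body[1:8])
        pos = 8
    elif version == 4:
        created, algo = struct.unpack(">IB", body[1:6])
        expires_days = 0  # V4 expiry lives in a self-signature subpacket
        pos = 6
    else:
        raise ValueError("unsupported public-key packet version %d" % version)
    if algo != RSA:
        raise ValueError("this example only handles RSA (algo 1)")
    n, pos = _read_mpi(body, pos)
    e, pos = _read_mpi(body, pos)

    if version == 4:
        # V4 fingerprint: SHA-1 over 0x99, 2-octet body length, body.
        # Key ID is the low 64 bits of that fingerprint.
        fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()
        keyid = fpr[-8:]
    else:
        # V2/V3 fingerprint: MD5 over the MPI octets of n and e without
        # their length prefixes.  Key ID is the low 64 bits of n itself.
        fpr = hashlib.md5(_mpi(n)[2:] + _mpi(e)[2:]).digest()
        keyid = (n & ((1 << 64) - 1)).to_bytes(8, "big")

    return {
        "version": version,
        "algo": algo,
        "created": created,
        "expires": expires_days,
        "n_bits": n.bit_length(),
        "e_bits": e.bit_length(),
        "fingerprint": fpr.hex().upper(),
        "keyid": keyid.hex().upper(),
    }


def sample_modulus():
    """Constructed 1024-bit odd number standing in for an RSA modulus.
    It is NOT a valid RSA key; only the packet layout and key-ID
    derivation are of interest here."""
    seed = hashlib.sha512(b"constructed sample, not a real key").digest()
    return int.from_bytes(seed * 2, "big") | (1 << 1023) | 1


def keyid_changes_on_conversion(n, e, created):
    """Return (v2_keyid, v4_keyid) for the same material wrapped as a V2
    and as a V4 packet.  They differ, which is why signatures collected on
    the old key ID cannot follow a 'converted' key."""
    old = parse_public_key_body(build_v3_body(n, e, created, version=2))
    new = parse_public_key_body(build_v4_body(n, e, created))
    return old["keyid"], new["keyid"]


if __name__ == "__main__":
    n, e = sample_modulus(), 65537
    for body in (build_v3_body(n, e, 1022270000, version=2),
                 build_v4_body(n, e, 1022270000)):
        info = parse_public_key_body(body)
        print(":public key packet:")
        print("        version %d, algo %d, created %d, expires %d"
              % (info["version"], info["algo"], info["created"], info["expires"]))
        print("        pkey[0]: [%d bits]" % info["n_bits"])
        print("        pkey[1]: [%d bits]" % info["e_bits"])
        print("        keyid: %s" % info["keyid"])
        print("        fingerprint: %s" % info["fingerprint"])
```

Running it prints a listing in the shape of the dump above for the V2 wrapping and then for the V4 wrapping of the same modulus. The V2 key ID is simply the low 64 bits of n, while the V4 key ID is the tail of a SHA-1 over the whole packet, so the two never agree; that is the concrete reason a converted key carries none of the signatures made on the old one, and why a reader of old material needs code that accepts the V2/V3 layout as it is.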