Re: How to do pinentry in same screen as gpg
On Fri, 3 Jan 2014, Hauke Laging wrote:

On Fri 03.01.2014, 01:14:22, Dan Mahoney, System Admin wrote:

It basically works perfectly with gpg1, where I can get an inline prompt for a password, but gpg2 falls short where it tries to set up some kind of a unix-socket connection to a pinentry dialog, and this all falls apart within the simple exec() alpine is doing to launch the filter. GPG hangs up and I wind up needing to kill the whole window.

Do you start gpg-agent before gpg2? I would expect the behaviour to be the same like gpg if gpg-agent is not running.

It might also be nice if I could basically start a pinentry program in a dedicated window,

You can write a wrapper around pinentry. This wrapper could start pinentry in a different console. See:
http://lists.gnupg.org/pipermail/gnupg-users/2013-July/047168.html
http://lists.gnupg.org/pipermail/gnupg-users/2013-December/048362.html

I assume this is much more a screen problem. Some time ago I tried to create a pipeline between two processes running in different screen windows. I didn't manage to do that. But maybe there are tricks unknown to me. Maybe that can be done with redirecting stdin and stdout to a socket with socat or something like that.

Actually -- it *looks like* loopback-pinentry is pretty much exactly what I'm looking for here, if I understand the feature. Hopefully recent fundraising activity can get 2.1 out the door soon. (I'm going to donate!)

-Dan

--
Dan Mahoney
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How to do pinentry in same screen as gpg
On Fri, 3 Jan 2014, Hauke Laging wrote:

On Fri 03.01.2014, 01:14:22, Dan Mahoney, System Admin wrote:

It basically works perfectly with gpg1, where I can get an inline prompt for a password, but gpg2 falls short where it tries to set up some kind of a unix-socket connection to a pinentry dialog, and this all falls apart within the simple exec() alpine is doing to launch the filter. GPG hangs up and I wind up needing to kill the whole window.

Do you start gpg-agent before gpg2? I would expect the behaviour to be the same like gpg if gpg-agent is not running.

No, the agent "is required", per the manpage. If GPG doesn't find an agent, it starts one: I just fired up a gpg --gen-key on my system where 2.x is installed.

danm 74860 0.0 0.1 13728 2120 ?? Ss 1:18PM 0:00.02 gpg-agent --daemon --use-standard-socket
danm 74853 0.0 0.1 17408 3136 3 I+ 1:18PM 0:00.02 gpg --gen-key (gpg2)
danm 74861 0.0 0.0 9264 1972 ?? I 1:18PM 0:00.01 pinentry (pinentry-curses)

It leaves this agent running after you exit GPG, which feels sloppy -- ssh doesn't leave ssh-agent running after I connect, if I use it at all.

It might also be nice if I could basically start a pinentry program in a dedicated window,

You can write a wrapper around pinentry. This wrapper could start pinentry in a different console. See:
http://lists.gnupg.org/pipermail/gnupg-users/2013-July/047168.html
http://lists.gnupg.org/pipermail/gnupg-users/2013-December/048362.html

I assume this is much more a screen problem. Some time ago I tried to create a pipeline between two processes running in different screen windows. I didn't manage to do that. But maybe there are tricks unknown to me. Maybe that can be done with redirecting stdin and stdout to a socket with socat or something like that.

I seem to recall that I was able to do it by messing heavily with environment variables. As I want to get back into playing with smartcards, the agent becomes more necessary.
(Or keeping v1 and v2 installed in parallel, which seems nonoptimal). Hauke, in your posts, you mention that the pinentry protocol isn't on the GPG website. Could that please be fixed by the people who maintain the project? I notice it also missing from http://www.gnupg.org/documentation/manuals/ If I come up with a good method for doing so, I'll post a howto/blog here. I do wonder how difficult it would be to write a pinentry-getline which doesn't try to do any fancy display tricks -- I just want enough magic to turn echoing off. (I think the ncurses are part of what mess alpine up). I may try this as well. Thanks all, -Dan -- Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
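A sketch of the echo-off, no-curses pinentry wondered about in the message above, as an added example that is not part of the original post or of GnuPG's code. It assumes the Assuan dialogue pinentry speaks (greeting, SET* commands, GETPIN answered with a `D` line) and that gpg-agent passes `OPTION ttyname=`; the function names are hypothetical.

```python
#!/usr/bin/env python3
"""Line-mode pinentry sketch: Assuan on stdin/stdout, passphrase read from a
tty with echo switched off and no screen handling at all."""
import os
import sys
import termios
from urllib.parse import unquote

# Value pinentry reports on cancel (GPG_ERR_CANCELED, pinentry error source).
ERR_CANCELED = "ERR 83886179 Operation cancelled <Pinentry>"


def assuan_escape(value):
    """Percent-escape the characters reserved in an Assuan 'D' data line."""
    return value.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


def read_from_tty(prompt, ttyname):
    """Prompt on ttyname with ECHO cleared; return None on EOF (cancel)."""
    fd = os.open(ttyname, os.O_RDWR | os.O_NOCTTY)
    try:
        old = termios.tcgetattr(fd)
        new = old[:]
        new[3] &= ~termios.ECHO            # index 3 holds the local flags
        termios.tcsetattr(fd, termios.TCSAFLUSH, new)
        try:
            os.write(fd, (prompt + " ").encode())
            buf = b""
            while not buf.endswith(b"\n"):
                chunk = os.read(fd, 1)
                if not chunk:              # Ctrl-D or hangup
                    return None
                buf += chunk
        finally:
            # Always restore echo, even if the read is interrupted.
            termios.tcsetattr(fd, termios.TCSAFLUSH, old)
            os.write(fd, b"\n")
    finally:
        os.close(fd)
    return buf.rstrip(b"\r\n").decode("utf-8")


def serve(inp, out, get_pin=read_from_tty):
    """Answer pinentry commands read from inp, writing replies to out."""
    state = {"prompt": "Passphrase:", "desc": "", "tty": "/dev/tty"}

    def reply(line):
        out.write(line + "\n")
        out.flush()

    reply("OK Pleased to meet you")
    for raw in inp:
        cmd, _, arg = raw.rstrip("\r\n").partition(" ")
        cmd = cmd.upper()
        if cmd == "OPTION" and arg.startswith("ttyname="):
            state["tty"] = arg.split("=", 1)[1]
        elif cmd == "SETPROMPT":
            state["prompt"] = unquote(arg)
        elif cmd == "SETDESC":
            state["desc"] = unquote(arg)
        elif cmd == "GETPIN":
            text = (state["desc"] + "\n" if state["desc"] else "") + state["prompt"]
            pin = get_pin(text, state["tty"])
            if pin is None:
                reply(ERR_CANCELED)        # an error reply replaces the OK
                continue
            reply("D " + assuan_escape(pin))
        elif cmd == "BYE":
            reply("OK closing connection")
            return
        # Simplification: every other command is only acknowledged.
        reply("OK")


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

Because the prompt is written straight to the tty named by the agent, it shares that terminal with whatever else is running there, which is the interference concern raised in the original question.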
How to do pinentry in same screen as gpg
All, I have a script that I use to send mail (as part of pine/alpine) that needs to prompt for my key passphrase. I run alpine on a private unix server, within a screen session. It basically works perfectly with gpg1, where I can get an inline prompt for a password, but gpg2 falls short where it tries to set up some kind of a unix-socket connection to a pinentry dialog, and this all falls apart within the simple exec() alpine is doing to launch the filter. GPG hangs up and I wind up needing to kill the whole window. Here's where I've gotten on a possible solution: I could possibly have every window within my screen session have my .cshrc check for a running gpg-agent, and start one if it's not (this seems wasteful considering how infrequently I sign). Along these lines, I'd probably have to have every single screen process update the running TTY, so that my most recently-opened screen would contain the dialog. It seems that the pinentry command is invoked behind the scenes by the agent, and then directly writes to and reads/from the tty specified (so it could in theory interfere with whatever else I'm running on that screen), for example, if I were doing something while su'd to root. -or- It would also be nice if pinentry could cause the spawning of a new screen window via "screen -X", but as I have a password-protected screen, this isn't possible either. -or- It might also be nice if I could basically start a pinentry program in a dedicated window, and simply choose to use it when needed (similar in analog to how I might use a hardware pinpad, or a fingerprint reader). I don't know if this is possible. I could also start up some "dummy" program in a screen where the agent will spawn. I think that last one is the plan of attack I'll likely pursue. However, it would be really, really nice if, instead of gpg--agent--assuan--pinentry, GPG could just fall back to prompting for a password on the same tty where GPG is running. 
It would also be nice if GPG had some method of simply saying "hey, I can't find a place to spawn this pinentry, and could exit cleanly." Thoughts are welcome. -Dan -- Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [gnupg-users] Re: Future of GnuPG 1.x.x?
On Sat, 4 Aug 2012, Robert J. Hansen wrote: On 08/04/2012 03:26 PM, Sin Trenton wrote: Is the plan to retire 1.x sometime in a not too distant future (I'm not saying that I assume an actual time plan being set)? I am not a GnuPG developer. My information is not definitive. Take it with a grain of salt. That said, my understanding is the GnuPG developers wish to end 1.4 support as soon as possible. This is reasonable, given that 2.0 has been out for a decade. When 2.0 first came out I was not a big fan, but it's become much more stable and useful over the past few years. However, ending GnuPG 1.4 support 'as soon as possible' is not the same as 'ending it now.' They want to minimize impact on end-users as much as possible. The 1.4 model still works better for certain things. I've never successfully managed to make pinentry work in a shell/screen session using my mailer, and I've never heard back from the GPG developers about allowing the main gnupg process to prompt for a pin directly, without needing the socket/window of pinentry. Both myself and Doug Barton have commented on this list to this effect. I consider this a blocking factor for moving to 2.0. When 1.4 support ends, expect an EOL date to be announced far in advance and a lot of help given to people who need to migrate to 2.0. See above. -Dan -- Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: "No-Keyserver" (and other) flags on keys
On Mon, 28 Jun 2010, David Shaw wrote: I presently consider synchronization broken. If there were only one network of keyservers out there, and I didn't have to search multiple places when trying to sign or request a key, I might think otherwise, but this is not the case. See my alternate request about being able to use multiple urls in auto-key-locate, which I don't believe currently works. It does. auto-key-locate hkp://pgp.mit.edu hkp://subkeys.pgp.net hkp://some.other.server.etc ldap://even.a.ldap.server.works Aah, perhaps here is a problem. auto-key-locate may in fact do this, but --search does not. Is there a way to make that work? -- "Ca. Tas. Tro. Phy." -John Smedley, March 28th 1998, 3AM Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: "No-Keyserver" (and other) flags on keys
On Sun, 27 Jun 2010, David Shaw wrote: However, you raise another question: How does a keyserver know who is uploading the key? At the moment, it doesn't. That would need to be addressed if you want keyservers to be able to reject a no-ks-modify key. One way to do it is to only accept key updates that are signed by the key itself. But, of course, to do that, the keyserver needs to be able to verify a signature... That's one way. Another is to do it the keyserver.pgp.com way, and email the primary uid a cookie. No crypto required. RFC2440 doesn't at all require that the authenticity be verified cryptographically. Correct? Correct, but then, RFC-2440 or 4880 doesn't say much about keyservers at all. It's mainly a message format document. Semantics of keyservers are not specified beyond one or two minor things like the no-modify flag and the "preferred keyserver" field. The difficulty with mailing the primary user ID a cookie is that it pretty much means your server can't synchronize with any other server. Keyserver A updating keyserver B for key "foo" would in essence be someone other than the owner, even if they're in the same "pool", as keyservers can have multiple names. Assumably if I have enough sense to set my preferred keyserver url (either to a keyserver or to a private url), I know which keyservers are islands and which are pools. I presently consider synchronization broken. If there were only one network of keyservers out there, and I didn't have to search multiple places when trying to sign or request a key, I might think otherwise, but this is not the case. See my alternate request about being able to use multiple urls in auto-key-locate, which I don't believe currently works. I'm also not aware of how servers synchronize, but if it's a different protocol than the standard single-key-request protocol, then there's an easy metric to say "don't hand out keys with this flag via this protocol". 
Perhaps if I get deeply into this, I could define keyservers which were aware of which other ones did verification. Since your server would have an entrance restriction, and the other servers won't, that means that your server would have to either reject keys from other servers (i.e. not syncing) or apply the same restriction (email user IDs from keys that weren't uploaded directly to your server). keyserver.pgp.com solves this by simply not syncing to anyone else. That makes it a completely opt-in server. I wasn't against this plan. This was (as mentioned) for work on a private keyserver whose changes would be merged upstream. Consider it an initial step toward the whole. However, I think you're still missing my question: is it necessary for the keyserver to be crypto-aware if I just want a keyserver to reject those keys outright? Is there crypto involved in reading that flag, or is it just a simple parse? From reading RFC2440 it seems the latter, but I certainly respect you've been doing this longer than I :) There is crypto involved in showing that the flag is real - that the keyholder set the flag, and not someone just setting the flag for malicious reasons. For example, take the case of a key with the no-modify flag set (i.e. the keyholder doesn't want the key on a keyserver). The attacker takes this key, and removes the flag. He then sends the key to a keyserver without crypto. The keyserver sees the key has no flag, so accepts it. This allows an attacker to violate the keyholder's requirements. If the keyserver had crypto, it would know that the key had been tampered with and the flag removed. At present, no keyservers respect this flag, with or without crypto. So that's not much of a leap, anyway. This "attack vector" exists now. I'm sure more than a few people have been annoyed that their keys wound up on a server, as I had read in a previous (and very long) thread. 
Without at all getting into the "flag" argument, do you feel keyservers should be verifying selfsigs before publication, or do you think they should remain "dumb"? Both imply some problems, but your statement as to keyservers not doing crypto didn't seem to imply whether you're for or against it, and I'm curious. -Dan -- Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
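Reading the flag is a simple parse, while knowing that the value is the keyholder's takes a signature check; the added example below (not part of the thread and not taken from any keyserver's code) walks the hashed subpacket area of a self-signature as laid out in RFC 4880 and reads the Key Server Preferences subpacket. The sample bytes are constructed, and `flag_status` with its `selfsig_verified` input is a hypothetical hook standing in for a real self-signature verification.

```python
import struct

KEY_SERVER_PREFS = 23   # subpacket type, RFC 4880 section 5.2.3.17
NO_MODIFY = 0x80        # bit in the first octet of the preferences body


def iter_subpackets(area):
    """Yield (type, critical, body) for each subpacket in a subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                      # one-octet length
            length, i = first, i + 1
        elif first < 255:                    # two-octet length
            if i + 2 > len(area):
                raise ValueError("truncated subpacket length")
            length = ((first - 192) << 8) + area[i + 1] + 192
            i += 2
        else:                                # five-octet length
            if i + 5 > len(area):
                raise ValueError("truncated subpacket length")
            length = struct.unpack(">I", area[i + 1:i + 5])[0]
            i += 5
        # The length counts the type octet, so it is at least 1.
        if length < 1 or i + length > len(area):
            raise ValueError("subpacket runs past end of area")
        type_octet = area[i]
        # The high bit of the type octet is the "critical" marker.
        yield type_octet & 0x7F, bool(type_octet & 0x80), area[i + 1:i + length]
        i += length


def no_modify_requested(hashed_area):
    """Parse-only answer: is the no-modify bit present in these bytes?"""
    for sp_type, _critical, body in iter_subpackets(hashed_area):
        if sp_type == KEY_SERVER_PREFS:
            return bool(body) and bool(body[0] & NO_MODIFY)
    return False


def flag_status(hashed_area, selfsig_verified):
    """Hypothetical policy hook: the parsed value only counts once the
    self-signature covering the hashed area has been verified elsewhere."""
    flag = no_modify_requested(hashed_area)
    if not selfsig_verified:
        return "unverified (parsed value: %s)" % ("set" if flag else "clear")
    return "no-modify set" if flag else "no-modify clear"


def encode_subpacket(sp_type, body):
    """Encode one subpacket for the constructed samples below."""
    n = len(body) + 1
    if n < 192:
        header = bytes([n])
    else:
        rest = n - 192
        header = bytes([192 + (rest >> 8), rest & 0xFF])
    return header + bytes([sp_type]) + body


def build_area(prefs_octet):
    """Constructed hashed area: creation time, key flags, keyserver
    preferences, and a long preferred-keyserver URL (two-octet length)."""
    url = b"https://keys.example.org/" + b"k" * 200
    return (encode_subpacket(2, struct.pack(">I", 1277000000))
            + encode_subpacket(27, b"\x03")
            + encode_subpacket(KEY_SERVER_PREFS, bytes([prefs_octet]))
            + encode_subpacket(24, url))


SAMPLE_AREA = build_area(NO_MODIFY)   # flag as the keyholder set it
STRIPPED_AREA = build_area(0x00)      # same area with the bit cleared

if __name__ == "__main__":
    for name, area in (("sample", SAMPLE_AREA), ("stripped", STRIPPED_AREA)):
        print(name, flag_status(area, selfsig_verified=False))
```

Both areas parse cleanly and have the same length, so a server that only parses cannot tell them apart; the hashed area is covered by the self-signature, which is why verification is what distinguishes them.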
Re: "No-Keyserver" (and other) flags on keys
On Sun, 27 Jun 2010, David Shaw wrote: On Jun 27, 2010, at 7:50 PM, Dan Mahoney, System Admin wrote: It's effectively a no-op though, as no server supports it. I'm looking into making mods to at least one server type (we run one locally at work), and commit them upstream. If I'm going to wade into that muck, I might as well have multiple things to try to make work. The change in the key file format is the "hard" part :) Having keyservers support no-modify requires that they first support crypto at all. That's a really big step. The ones I've seen have enough awareness of what's in a key to pull a key apart and determine who's signed it, when, and when it's expired. Is there more than that to read these bits? Again:step zero may be to determine what the internal format is. Vastly more. Keyservers are basically databases with a front-end that understands the OpenPGP key format. They don't actually do any crypto math - just storing the key packets in the database and allowing people to search for them. However, you raise another question: How does a keyserver know who is uploading the key? At the moment, it doesn't. That would need to be addressed if you want keyservers to be able to reject a no-ks-modify key. One way to do it is to only accept key updates that are signed by the key itself. But, of course, to do that, the keyserver needs to be able to verify a signature... That's one way. Another is to do it the keyserver.pgp.com way, and email the primary uid a cookie. No crypto required. RFC2440 doesn't at all require that the authenticity be verified cryptographically. Correct? While we're at this, do the various keyserver client-implementations provide any option for passing a human-readable message back to gpg? I don't see anything in draft-shaw-openpgp-hkp-00, but that's long expired (but good reading). From what you're telling me, it also sounds like keyservers don't actually verify the signatures that are on a key, and that's left up to the client. 
However, I think you're still missing my question: is it necessary for the keyserver to be crypto-aware if I just want a keyserver to reject those keys outright? Is there crypto involved in reading that flag, or is it just a simple parse? From reading RFC2440 it seems the latter, but I certainly respect you've been doing this longer than I :) -Dan -- Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: "No-Keyserver" (and other) flags on keys
On Sun, 27 Jun 2010, David Shaw wrote: It's a flag that can be set on a key user ID, similar to cipher or compression preferences. Run "--edit-key" on a key, and enter "showpref" or "pref". You will probably see a mention of "Keyserver no-modify" (or "no-ks-modify"). You can turn it on and off with setpref, like any other preference: "ks-modify" allows keyserver modifications, and "no-ks-modify" disallows them. Note that the definition of no-modify is that only the keyholder (or the administrator of the keyserver) can override it. So the flag only applies to other people - the keyholder can choose to upload his key if he so desires. Also, is it possible for either the manpage or the interactive help to include the meaning of the various preferences that are not cipher types? Sure enough, it's not in the man page. I'll fix that. I'd love to see an "editpref" which more interactively presented you with options (and descriptions) you could toggle (but would still maintain backwards compatibility with apps that used showpref or setpref) It's effectively a no-op though, as no server supports it. I'm looking into making mods to at least one server type (we run one locally at work), and commit them upstream. If I'm going to wade into that muck, I might as well have multiple things to try to make work. The change in the key file format is the "hard" part :) Having keyservers support no-modify requires that they first support crypto at all. That's a really big step. The ones I've seen have enough awareness of what's in a key to pull a key apart and determine who's signed it, when, and when it's expired. Is there more than that to read these bits? Again:step zero may be to determine what the internal format is. However, you raise another question: How does a keyserver know who is uploading the key? 
(Note that this doesn't apply to my original question, since that was simply a "keyservers should throw this away" flag, where a user might choose to publish on his website, his .plan file, on his business cards, in DNS, or via LDAP or S/Mime autodiscovery.) -Dan -- "Hitler, Satan, those Hanson kids, anything. Just not the curious anteater." -Peter Scolari, as Wayne Szalinki in "Honey, I Shrunk The Kids--The Series" Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: "No-Keyserver" (and other) flags on keys
On Sun, 27 Jun 2010, David Shaw wrote: On Jun 27, 2010, at 3:58 PM, Dan Mahoney, System Admin wrote: All, How difficult would it be to propose some kind of extension flag to the PGP key format that in essence says "don't publish me to a keyserver". Note that I'm asking from a technical point of view, not a social (i.e. making servers support it) or IETF one (insert bikesheds here). My question is: Is it possible to do in such a way that keys would be backward-compatible? Not only is it possible, it already exists. GnuPG can even set it and unset it, as you like. Really? Where is it? Also, is it possible for either the manpage or the interactive help to include the meaning of the various preferences that are not cipher types? It's effectively a no-op though, as no server supports it. I'm looking into making mods to at least one server type (we run one locally at work), and commit them upstream. If I'm going to wade into that muck, I might as well have multiple things to try to make work. The change in the key file format is the "hard" part :) -Dan -- "She's been getting attacked by these leeches, they're leaving these marks all over her neck. You gotta keep her out of those woods. If one more leech gets her, she's gonna get a smack." -Someone's Mother, December 18th, 1998 Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
"No-Keyserver" (and other) flags on keys
All, How difficult would it be to propose some kind of extension flag to the PGP key format that in essence says "don't publish me to a keyserver". Note that I'm asking from a technical point of view, not a social (i.e. making servers support it) or IETF one (insert bikesheds here). My question is: Is it possible to do in such a way that keys would be backward-compatible? (I have no idea about the internal format of a PGP key, to me it's just bricktext...at least right now). -Dan -- "If you aren't going to try something, then we might as well just be friends." "We can't have that now, can we?" -SK & Dan Mahoney, December 9, 1998 Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Using gpg2 without pinentry?
Hey there,

I currently use gnupg 1 from within Alpine (running under screen), and it works okay, but I had a bear of a time using gpg2 because of the pinentry stuff. Specifically, gpg was launched within a mail filter, and had no idea how to spawn a third program (the pinentry window) in a correct way.

I've tried kludging it so it launches in a different screen by tweaking various environment variables, but this seems the wrong way to go about it. As does running with X-forwarding just to launch a tiny pinentry app (I can't guarantee I'll have an xserv everywhere I sit.)

Is there some reasonable way that gpg can detect that it has a controlling terminal (or even, a config file option) and just ask me for my passphrase on stdin? I am my sysadmin. I trust me :)

-Dan

--
"Let me tell you something about regrowing your dead wife Lucy, Harry. It's probably illegal, potentially dangerous, and definitely crazy." -Harry nods-
Vincent Spano, as Boris in "Creator".

Dan Mahoney
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
Re: Searching multiple keyservers
On Wed, 23 Jun 2010, MFPA wrote:

PGP Command Output
Warning: using insecure memory!
gpg: Signature made Wed Jun 23 12:59:05 2010 EDT using RSA key ID AD0C6E69
gpg: Good signature from "MFPA "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: BA 23 9B 46 81 F1 EF 95 18 E6 BD 46 44 7E CA 03
--- Begin PGP Signed Message Verified 2010-06-23 13:25:55 --

Hi

On Wednesday 23 June 2010 at 9:27:01 AM, in , Laurent Jumet wrote:

Using GPGShell allows "Update from all keyservers".

"all" being simply all the ones you have listed in your gpgshell config file. IIRC, you have a list for fetching/updating keys and another list for submitting keys - the latter may be useful to specify servers you know don't synchronise reliably, when posting revocations.

Considering I'm running on a FreeBSD system, however...

-Dan

--
"It would be bad." -Egon Spengler, "Ghostbusters"

Dan Mahoney
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
Searching multiple keyservers
Hey all, Is there an easy syntax to chain multiple keyservers for searching? In theory it shouldn't be necessary, but there are distinct keyserver networks out there that don't share, as well as "private" hkp keyservers which might need to be searched first. -Dan -- "SOY BOMB!" -The Chest of the nameless streaker of the 1998 Grammy Awards' Bob Dylan Performance. Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Using the "clean" function (and the "PGP Global Directory")
On Tue, 22 Jun 2010, Dan Mahoney, System Admin wrote: On Tue, 22 Jun 2010, David Shaw wrote: On Jun 22, 2010, at 11:02 PM, Dan Mahoney, System Admin wrote: It seems there's two interesting problems which inter-relate. The first is PGP corporation's "global directory", which seems to operate orthogonally from every other keyserver I've seen. It's HTTP-only, not queryable by any of the open-source clients (in fact, it doesn't support wildcard searches at all, and returns a captcha before delivering results), and not SUBMITTABLE to from any of the open source clients. Not exactly. The GD speaks LDAP, so you can set your keyserver to ldap://keyserver.pgp.com and you can query and submit, etc. Interesting, I didn't see mention of that. I must try this (assuming I've built with LDAP support, that is, which under BSD is a bit obtuse). It's also the ONLY keyserver I've seen that supports photo IDs, and actually uses the web interface to show you the person. The SKS servers (i.e. pretty much everything that isn't the GD) do support photo IDs, but they do not use the web interface to show you the photo. That was what I meant to imply, perhaps I was unclear. Are you sure about that? "clean" strips off useless signatures (useless being defined as an invalid signature, a superseded signature, a revoked signature, and a signature from a key that isn't present on the keyring). Signatures from keys that are present, but have no trust value are not stripped off. Let me double check. I saw it earlier today when transferring my work sig to my personal one. But it might just have been that my coworkers did not have sigs present. It's entirely possible I mangled the windows. Yup, that's what happened. I had imported my work key to my personal machine, but didn't have the keys of all my coworkers on my personal box, so "clean" decided to be helpful. I pulled it off the keyserver again, and then pulled down the keys of all my coworkers, and was good. 
On a related subject, is there a way to say "pull down the keys of all keyids who have signed key X"? -Dan -- "Long live little fat girls!" -Recent Taco Bell Ad Slogan, Literally Translated. (Viva Gorditas) Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Using the "clean" function (and the "PGP Global Directory")
On Tue, 22 Jun 2010, David Shaw wrote: On Jun 22, 2010, at 11:02 PM, Dan Mahoney, System Admin wrote: It seems there's two interesting problems which inter-relate. The first is PGP corporation's "global directory", which seems to operate orthogonally from every other keyserver I've seen. It's HTTP-only, not queryable by any of the open-source clients (in fact, it doesn't support wildcard searches at all, and returns a captcha before delivering results), and not SUBMITTABLE to from any of the open source clients. Not exactly. The GD speaks LDAP, so you can set your keyserver to ldap://keyserver.pgp.com and you can query and submit, etc. Interesting, I didn't see mention of that. I must try this (assuming I've built with LDAP support, that is, which under BSD is a bit obtuse). It's also the ONLY keyserver I've seen that supports photo IDs, and actually uses the web interface to show you the person. The SKS servers (i.e. pretty much everything that isn't the GD) do support photo IDs, but they do not use the web interface to show you the photo. That was what I meant to imply, perhaps I was unclear. Are you sure about that? "clean" strips off useless signatures (useless being defined as an invalid signature, a superseded signature, a revoked signature, and a signature from a key that isn't present on the keyring). Signatures from keys that are present, but have no trust value are not stripped off. Let me double check. I saw it earlier today when transferring my work sig to my personal one. But it might just have been that my coworkers did not have sigs present. It's entirely possible I mangled the windows. -Dan -- "GO HOME AND COOK!!!" Donielle Cocossa, Taco Bell, 2:30 AM Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Using the "clean" function (and the "PGP Global Directory")
It seems there's two interesting problems which inter-relate.

The first is PGP corporation's "global directory", which seems to operate orthogonally from every other keyserver I've seen. It's HTTP-only, not queryable by any of the open-source clients (in fact, it doesn't support wildcard searches at all, and returns a captcha before delivering results), and not SUBMITTABLE to from any of the open source clients.

It's also the ONLY keyserver I've seen that supports photo IDs, and actually uses the web interface to show you the person.

Finally, it will sign your non-photo-uids. With a very short signature time, and pollute them so they look like this:

uid Dan Mahoney
sig 3E919EC51 2008-11-22 Dan Mahoney
sig 3E8048D08 2009-10-15 Peter Losher
sig 68D482E2 2009-08-31 Guy Sisalli
sig CF9890F8 2009-07-01 Mark Andrews
sig 08F13AD2 2009-10-14 Evan Hunt
sig 3294EC062 2009-06-30 Paul Vlaar
sig 2DC6FF82 2009-10-14 Rob Austein
sig 8FA50232 2010-06-13 Emma Smith
sig X CA57AD7C 2009-12-16 PGP Global Directory Verification Key
sig X CA57AD7C 2009-12-29 PGP Global Directory Verification Key
sig X CA57AD7C 2010-01-12 PGP Global Directory Verification Key
sig X CA57AD7C 2010-01-25 PGP Global Directory Verification Key
sig X CA57AD7C 2010-02-07 PGP Global Directory Verification Key
sig X CA57AD7C 2010-02-20 PGP Global Directory Verification Key
sig B38DB1BE 2010-06-13 Francisco Obispo (ISC)
uid Dan Mahoney

Yes, I'm sure I need a signature added to my key EVERY TWO WEEKS. From the same ENTITY.

So, to correct this, gpg has the "clean" function, except that it seems to be broken. I can then re-upload my key.

"clean" kills off any local signature and uid that is expired, but it also removes keys I have no trust value for. This might make sense on someone ELSE'S key in my homedir. But I want EVERY nonexpired signature to stay on my public key, even if I don't have an explicit trust value for the person.
A workaround is to assign some trust value to every other person who's signed my key, then run --clean, but this seems broken. So, all that said, two questions. 1) Is there some option I'm missing that will just remove expired signatures, and not other things? Assume I'm still interested in the social networking aspect of who-knows-who and who-trusts-who, but not interested in this automated "I figured out a web url three years ago" noise. 2) If I find the magic way to do #1, and upload it to a keyserver, will they accept it, or will they just re-merge the expired sigs in? (For most common keyservers). -Dan -- "Ca. Tas. Tro. Phy." -John Smedley, March 28th 1998, 3AM Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: IDEA Status?
On Tue, 22 Jun 2010, Robert J. Hansen wrote: On 6/22/10 10:09 PM, Dan Mahoney, System Admin wrote: Is this very old and it's now supported? Or is it still not in for some other reason (either oversight, legal, or other). By modern standards, IDEA is not considered a promising cipher. There are some very good theoretical attacks against it. Between the varying patent expiration dates (2011 or so in some countries, IIRC) and the thin safety margin, the GnuPG community has generally decided IDEA is not a priority for inclusion. Could the FAQ be updated then, assuming you speak with some authority? -Dan -- "Ca. Tas. Tro. Phy." -John Smedley, March 28th 1998, 3AM Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
IDEA Status?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hey there, The FAQ for IDEA states that "The official GnuPG distribution does not contain IDEA due to a patent restriction. The patent does not expire before 2007 so don't expect official support before then." (http://gnupg.org/documentation/faqs.en.html#q3.3) Is this very old and it's now supported? Or is it still not in for some other reason (either oversight, legal, or other). - -Dan - -- - Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org - --- -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (FreeBSD) iEYEARECAAYFAkwhbOIACgkQ+75aMGJLskl+HwCgxUxctq090JveZu+QZmRi+Ziy GeUAoMiqGgZZp+Rs+5eQfXomssnaqf0k =GTdI -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ...key belongs to ...
On Sun, 30 May 2010, Michael D. Berger wrote:

On a Linux box, in encrypting a file with gpg, I get this query:

    It is NOT certain that the key belongs to the person named in the user ID. If you *really* know what you are doing, you may answer the next question with yes.
    Use this key anyway? (y/N) n

Now in the context in which this is being used, there is no uncertainty regarding key ownership, and the encryption is part of a bash script. The query stops the script. Therefore, how can I prevent this query?

Edit the trust of the key, and/or sign it with a trust signature.

-Dan

-- "Don't be so depressed dear." "I have no endorphins, what am I supposed to do?" -DM and SK, February 10th, 1999 Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: new Installation... configure issues
On Mon, 24 May 2010, raviraj kondraguntla wrote:

Hi, I am trying to install the gnupg 1.4.10 on solaris 10 server, I have received the below error

    configure:3550: /opt/SUNWspro/bin/cc --version >&5
    ./configure: line 3551: /opt/SUNWspro/bin/cc: No such file or directory
    configure:3553: $? = 127
    configure:3560: /opt/SUNWspro/bin/cc -v >&5
    ./configure: line 3561: /opt/SUNWspro/bin/cc: No such file or directory
    configure:3563: $? = 127
    configure:3570: /opt/SUNWspro/bin/cc -V >&5
    ./configure: line 3571: /opt/SUNWspro/bin/cc: No such file or directory
    configure:3573: $? = 127
    configure:3596: checking for C compiler default output file name

It seems, I need to install C compiler by installing SPROcc 9(unbundled SPARCworks Professional C compiler) Please advise on this. Thanks, Raj

You could just install gcc.

-Dan

-- "Blargy Frap!" -mtreal, efnet #macintosh channel, 8.10.98, Approx 3AM Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Implications Of The Recent RSA Vulnerability
On Thu, 11 Mar 2010, erythrocyte wrote: With the recent news of researchers being able to crack 1024-bit RSA keys using power fluctuations, I was wondering if it would be a good idea to switch the RSA keys I have to some other algorithm. Both my signing and encryption keys are 4096-bit keys. Am I vulnerable to this security hole? Is it possible to generate a new keypair and retain/transfer the old signatures from my email buddies? Ref: http://www.engadget.com/2010/03/09/1024-bit-rsa-encryption-cracked-by-carefully-starving-cpu-of-ele/ Okay, let me sum up this article for you: Researchers who had physical enough access to be able to rewire the private-key-holder's system's power supply were able to compromise that system. If you're at that point, I don't think key length is your problem. -Dan Mahoney -- Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Continued PKA problems on Windows
On Wed, 3 Mar 2010, Grant Olson wrote:

On 3/3/2010 5:26 PM, Sean Rima wrote:

Folks I downloaded and installed gpg4win-2.0.2rc1. I then tested my pka setup using:

    echo "foo" | gpg2 --no-default-keyring --keyring c:\temp\gpg --encrypt --armor --auto-key-locate pka -r s...@srima.eu -v 2> test.txt

... The only thing I can think is that the site is on Google apps or am I missing something else. I can post my gpg.conf if that helps Sean

I noticed two things that may or may not matter... If I open "http://prime.gushi.org/danm.pubkey.txt" in firefox, it opens right in the browser. If I open yours, it opens a "Save As..." window. So they have different content types. Also, the url listed in the firefox "Save as" window is some crazy computer generated url, not www.srima.eu. Just doing a quick test with curl, it takes like 4 302 redirects before you actually get to the file. It wouldn't be totally unsurprising to me if a series of redirects caused problems.

So, if you're interested in comparing apples to apples, for curiosity I just uploaded your pubkey (sean.pubkey.txt) to the same url as danm.pubkey.txt. See if that fixes it, at least for testing.

-Dan

-- Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Shamir's Secret Sharing Scheme integration?
On Sun, 21 Feb 2010, Richard Geddes wrote:

Hello, Is there a utility that integrates gnupg with (Shamir's Secret Sharing Scheme)? And maybe using smartcards? If not has anyone seen a HowTo that shows how to integrate them?

I kinda do. I encoded my will with it before some surgery a few years ago, and documented it in the process, along with some other notes on short circuiting the whole thing. Have a look at www.gushi.org/willworks.txt

-Dan

-- Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPG4Win: running gpg-agent with SSH agent support?
On Mon, 1 Feb 2010, Werner Koch wrote:

Yes, we do this on Windows because we have a well known socket name there. It may actually happen that two agents are started which does not harm because the unused agent detects this case and terminates itself after some time.

What's the socket location under win32, if you don't mind me asking?

-Dan

-- "You recreate the stars in the sky with cows?" -Furrball, March 7 2005, on Katamari Damacy Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Howto For DNS Key publishing.
On Thu, 29 Oct 2009, Dan Mahoney, System Admin wrote: All, I've written a pretty conclusive howto on how to publish keys in DNS, including detailing the advantages and disadvantages of each method, with full examples, details on testing, and real-world output. I've also re-implemented make-dns-cert as a shell script, so that it's more easily available to people who don't have the source, but who installed via a binary package (that's most people), including comments, cleaner record handling, auto-fingerprinting, etc. One command, three arguments, and you get all three record types. David, Would it be possible to include my make-dns-cert.sh shell script with GPG? It solves both the problems of the existing tool being a not-built-by-default binary, as well as modernizes the DNS record formats used, heavily, and is easily used by people who have installed GPG via a package. -Dan Mahoney -- Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Encrypting with an message expiration date
On Sat, 2 Jan 2010, David Shaw wrote:

On Jan 2, 2010, at 11:10 PM, Faramir wrote:

Allen Schultz wrote:

GnuPG-Users: Is there a way to force an expiration date when encrypting a message for additional security. I have a friend who is inquiring. I've already informed him of the "for his/her eyes only" option.

What is that option?

--for-your-eyes-only

But don't think it adds real security. In OpenPGP, the FYEO option just sets a flag in the message that means (in effect), "Pretty please, with sugar on top, treat this as for your eyes only". The recipient is free to ignore the flag and do whatever they like.

Is that analogous to the flag in older versions of PGP that would cause a message to be displayed in a non-printable/non-copyable format?

-Dan

-- I want to see how you see. -SK, 6/2/99, 4:30 AM Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Newbie where to find script for FTP
On Mon, 30 Nov 2009, cleard...@earthlink.net wrote:

Hi gang --- I subscribed awhile back so I could try and absorb some of the tech stuff on the forum. Q: I have a BlueOnyx box and want to take the next step in finding a script that will use GnuPG (still need to get) to FTP some of my files on this box to an end user. Any suggestions?

GPG is not the tool you want. GPG is not an ftp tool. Perhaps if you describe what you're trying to do, and what role you want encryption to play in that, someone can provide you with an answer.

-Dan Mahoney

-- "If you need web space, give him a hard drive. If you need to do something really heavy, build him a computer." -Ilzarion, late friday night Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Howto For DNS Key publishing.
On Thu, 29 Oct 2009, Ciprian Dorin, Craciun wrote: On Thu, Oct 29, 2009 at 7:52 AM, Dan Mahoney, System Admin wrote: All, I've written a pretty conclusive howto on how to publish keys in DNS, including detailing the advantages and disadvantages of each method, with full examples, details on testing, and real-world output. I've also re-implemented make-dns-cert as a shell script, so that it's more easily available to people who don't have the source, but who installed via a binary package (that's most people), including comments, cleaner record handling, auto-fingerprinting, etc. One command, three arguments, and you get all three record types. I cited credit where possible, but if I missed your name, let me know. Suggestions, feedback, requests, corrections, are all welcome. Initial publishing is to my livejournal, but I'm planning to wrap the whole thing to my webpage during a revamp. http://gushi.livejournal.com/524199.html Regards, -Dan Mahoney Hello! Nice tutorial! I've tried to apply your methods (for now I'm just at the PKA method). But it seems that there is a problem with auto-key-locate option. For example for the following command: mkdir /tmp/gpg-test gpg2 --homedir /tmp/gpg-test --auto-key-locate pka --recipient cipr...@volution.ro --encrypt /dev/null it gives me the following error: gpg: requesting key A6FD8839 from http server stores.volution.ro gpg: /tmp/gpg-test/trustdb.gpg: trustdb created gpg: key A6FD8839: public key "Ciprian Dorin Craciun " imported gpg: no ultimately trusted keys found gpg: Total number processed: 1 gpg: imported: 1 gpg: error retrieving `cipr...@volution.ro' via PKA: Unusable public key gpg: cipr...@volution.ro: skipped: No public key gpg: /dev/null: encryption failed: No public key Now, searching on the net for a solution, I've stumbled upon the following thread: http://lists.gnupg.org/pipermail/gnupg-users/2006-May/028637.html It seems that there was a bug in GnuPG. So the question is: * am I doing something wrong? 
* or is the bug still present in GnuPG? Thanks, Ciprian. Okay, so here's what I've learned. I've manually retrieved your key, and imported it manually to my machine with gpg --import < file And I then get this: dmaho...@dmahoney-laptop:~/Desktop$ echo "foo" | gpg --encrypt -r cipr...@volution.ro gpg: cipr...@volution.ro: skipped: unusable public key gpg: [stdin]: encryption failed: unusable public key So it's not the PKA record. Upon examining it a little further, I see this: dmaho...@dmahoney-laptop:~/Desktop$ gpg --list-keys cipr...@volution.ro pub 3072D/A6FD8839 2008-10-19 [expires: 2009-11-21] uid Ciprian Dorin Craciun uid Ciprian Dorin Craciun uid Ciprian Dorin Craciun uid Ciprian Dorin Craciun dmaho...@dmahoney-laptop:~/Desktop$ gpg uidCiprian Dorin Craciun uidCiprian Dorin Craciun uidCiprian Dorin Craciun sub 4096g/15F68B01 2008-10-19 [expires: 2009-10-19] Looks like your subkey that I'd use to encrypt to you has expired, and thus my GPG didn't import it. -- "Man, this is such a trip" -Dan Mahoney, October 25, 1997 Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Howto For DNS Key publishing.
All, I've written a pretty conclusive howto on how to publish keys in DNS, including detailing the advantages and disadvantages of each method, with full examples, details on testing, and real-world output. I've also re-implemented make-dns-cert as a shell script, so that it's more easily available to people who don't have the source, but who installed via a binary package (that's most people), including comments, cleaner record handling, auto-fingerprinting, etc. One command, three arguments, and you get all three record types. I cited credit where possible, but if I missed your name, let me know. Suggestions, feedback, requests, corrections, are all welcome. Initial publishing is to my livejournal, but I'm planning to wrap the whole thing to my webpage during a revamp. http://gushi.livejournal.com/524199.html Regards, -Dan Mahoney -- Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: A lot of questions about CERT, PKA and make-dns-cert
On Wed, 21 Oct 2009, David Shaw wrote:

You didn't give an actual version number (run gpg2 --version), so I can only make an educated guess, but I do think I see your problem. You don't have one key in your CERT - you have two (309C17C5 and 624BB249) combined into one DNS record. That doesn't work - it's a one-name-one-key mapping. We should give a better error message in this case.

Aah, yes, there we go. Now it seems to work on all my systems. For some reason I assumed --export would just pick one key to match on, just as --delete-keys does. Note there's still a secondary key, hence my confusion.

So far, the commands for a PGP CERT are:

    gpg --list-keys gu...@gushi.org
    (read, get key id)
    gpg2 --export --export-options export-clean > keyid.pub.bin
    -or-
    gpg2 --export --export-options export-minimal > keyid.pub.bin
    make-dns-cert -k keyid.pub.bin -n gushi.gushi.org. > keyid.dnscert

The commands for an IPGP cert are:

    gpg --list-keys y...@you.com

Choose your keyid from the above.

    gpg2 --export --armor keyid > keyid.pub.asc

Copy the ascii file somewhere where it's url accessible. Manually copy/paste your fingerprint into the next command:

    make-dns-cert -n gushi.gushi.org. -u url format (which?) -f fingerprint >keyid.dnscert

Then, publish one (and only one) CERT record in dns per-label. In my case this also means signing the zone and all that.

Finally, for an _PKA record, it involves manually:

u...@domain.com becomes user._pka.domain.com.

Get your keyid as above.

1) Export to a uri as for IPGP cert, above (presumably, it can be the same uri).

Strip your fingerprint like so:

2) gpg --fingerprint keyid | grep "Key fingerprint" | cut -d "=" -f 2 | sed 's/ *//g'

The format of the text record is simple:

    you._pka.domain.com. IN TXT "v=pka1;fpr=[#1];uri=[#2]"

Where the values are substituted from the steps above. Publish this in DNS.

Test using: dig you._pka.domain.com TXT, see if you get a result.

Test with a GPG client that doesn't otherwise have the key:

    echo "foo" | gpg --auto-key-locate pka --armor --encrypt -r y...@domain.com

and see if you get an output.

So here's the laundry list:

0) Do the above look mostly-right?
1) What are the best options for exporting certs for a CERT record? For a uri-styled record? (i.e. which signatures do you want to include?)
2) Do either the pka or the IPGP standards require the key to be in binary/ascii format?
3) What's the "sanctioned" list of uri formats? Where is it defined for CERT? For PKA?
4) As I'm not a c-coder, how difficult would it be to have the make-dns-cert output in base64 instead of binary?
5) How solid is the output of --fingerprint? Is it likely to change between versions, or are the grep and sed listed likely to work most places?
6) How difficult would it be to get the cert-export functions right into gpg?
7) How difficult would it be to get make-dns-cert built-by-default?
8) (asked previously) Is it worth filing a bug on not being able to specify multiple keyservers for auto-key-locate?
9) (also previously) Is it worth filing a bug to not have auto-key-locate vomit on unsupported methods?

With the answers to the above, I'll write up a nice howto doc including the prereqs for all the above, the DNS requirements, and the like.

-Dan

-- "It's three o'clock in the morning. It's too late for 'oops'. After Locate Updates, don't even go there." -Paul Baecker January 3, 2k Indeed, sometime after 3AM Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
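Added example (not part of the message above and not GnuPG code): a shell sketch of the _pka procedure the message lays out, building the `v=pka1;fpr=...;uri=...` TXT line and checking a fetched record against a fingerprint obtained out of band. Function names and all sample values are hypothetical and constructed; reading the fingerprint from `gpg --with-colons` output rather than the grep/cut/sed pipeline is a substitution made here, and treating `v=pka1` as the required first field is an assumption.

```shell
#!/bin/sh
# Added example, not from the original thread. Function names are hypothetical
# and every sample value below is constructed.

# Strip whitespace, upper-case, and require exactly 40 hex digits.
normalize_fpr() {
    nf=$(printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F')
    case "$nf" in
        '' | *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#nf}" -eq 40 ] || return 1
    printf '%s\n' "$nf"
}

# Read `gpg --with-colons --fingerprint KEYID` output on stdin and print
# field 10 of the first "fpr" record (the primary key's fingerprint).
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# user@domain -> user._pka.domain.  Rejects anything that is not a single
# "@" between two non-empty parts drawn from a conservative character set.
pka_owner_name() {
    case "$1" in
        *[!A-Za-z0-9@._+-]* | *@*@* | @* | *@) return 1 ;;
        *@*) ;;
        *) return 1 ;;
    esac
    printf '%s._pka.%s.\n' "${1%@*}" "${1#*@}"
}

# Emit the zone-file line in the format given in the message. A URI containing
# '"', ';' or a space would break the quoted, semicolon-delimited payload.
pka_txt_record() {
    owner=$(pka_owner_name "$1") || return 1
    rec_fpr=$(normalize_fpr "$2") || return 1
    case "$3" in
        '' | *\"* | *\;* | *' '*) return 1 ;;
    esac
    printf '%s IN TXT "v=pka1;fpr=%s;uri=%s"\n' "$owner" "$rec_fpr" "$3"
}

# Extract one field (fpr or uri) from a TXT payload as `dig +short` prints it.
pka_field() {
    printf '%s\n' "$1" | tr -d '"' | tr ';' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Succeed only if the payload starts with v=pka1 (assumed to come first) and
# its fpr equals the fingerprint obtained out of band.
pka_check_record() {
    case "$(printf '%s' "$1" | tr -d '"')" in
        'v=pka1;'*) ;;
        *) return 1 ;;
    esac
    got=$(normalize_fpr "$(pka_field "$1" fpr)") || return 1
    want=$(normalize_fpr "$2") || return 1
    [ "$got" = "$want" ]
}

# Constructed sample: colon-format listing for a made-up key.
SAMPLE_COLONS='pub:u:2048:1:89ABCDEF01234567:1256083200:::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1256083200::::Alice Example <alice@example.org>:'

sample_fpr=$(printf '%s\n' "$SAMPLE_COLONS" | fpr_from_colons)
pka_txt_record 'alice@example.org' "$sample_fpr" 'http://example.org/alice.pubkey.txt'
```

After publishing, the quoted string printed by `dig +short` for the `_pka` name can be passed to `pka_check_record` together with the fingerprint read from the local keyring; a non-zero exit means the record names a different key or is malformed.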
Re: A lot of questions about CERT, PKA and make-dns-cert
On Wed, 21 Oct 2009, David Shaw wrote: On Oct 20, 2009, at 10:55 PM, Dan Mahoney, System Admin wrote: On Thu, 15 Oct 2009, David Shaw wrote: On Oct 15, 2009, at 9:37 PM, Dan Mahoney, System Admin wrote: I'm running: echo foo | gpg -v -v --auto-key-locate cert --recipient gu...@gushi.org --encrypt -a And get gpg: error retrieving `gu...@gushi.org' via DNS CERT: No fingerprint I exported my key with: gpg --export --export-options minimal > file; and make-dns-cert -n gushi.gushi.org -f file It works fine for me. What version of GPG are you using? I tried this again, after I nuked the "fingerprint" cert record. Oddly, running on gpg2 on an older debian system, I get: # echo "foo" | gpg2 -v -v --auto-key-locate cert --encrypt -r gu...@gushi.org gpg: no keyserver known (use option --keyserver) gpg: error retrieving `gu...@gushi.org' via DNS CERT: General error gpg: gu...@gushi.org: skipped: General error gpg: [stdin]: encryption failed: General error That first line specifically makes me scratch my head a bit. You didn't give an actual version number (run gpg2 --version), so I can only make an educated guess, but I do think I see your problem. You don't have one key in your CERT - you have two (309C17C5 and 624BB249) combined into one DNS record. That doesn't work - it's a one-name-one-key mapping. We should give a better error message in this case. Can you try again with a single key in your CERT? Alternately, if you want both of your keys, you could use 2 different CERT records for the gushi.gushi.org. name, each with one of your keys (rather than 1 CERT record with a payload containing two keys). Note that this will usually result in round-robining for those people who don't have your key, which may or may not be what you want. For the benefit of people who may search this later, what's the best set of args to extract the key with? Neither export-clean nor export-minimal seems to be what I want. 
In effect what I want is only the most recent signature from each other key, so some hybrid of export-clean and export-minimal? At least using gpg 2.0.13, and a single key in the CERT, this works properly for me. I can't speak for an earlier version. All of that said, I think it's worth pointing out that IPGP (the fingerprint+URL variation of CERT) is far more useful than PGP (the full key). Not all systems are going to be able to pass a 1718-byte DNS message, as yours is. As DNSSEC becomes more widely adopted, as EDNS0 and TCPDNS become more the norm, this is less of an issue. IPGP is also little more than a standards-based version of HKP, which I'm also publishing. If I've uncommented the line in options.skel (present in some distros, not others), the order will be: #auto-key-locate cert pka ldap hkp://subkeys.pgp.net (one of my other pet peeves is that gpg hangs up on unknown options, instead of falling to the next, so if I haven't compiled with LDAP support that whole line will break things. Is this worth filing a bug?) Anyway, if we assume most people just say "yeah sounds good" and uncomment the option, pka is a chance to get info out if CERT fails. Why would I duplicate the same info? If I've published an IPGP cert, and it fails to validate, the same info in PKA won't fare any better. Since there's no way to reliably publish both forms of CERT and have the client able to request one or the other (or parse all records until we find one that works, instead of the first it gets), the PGP variant actually gets the key out there in a case where the URL is unretrievable (for example, behind a firewall where outbound finger is blocked, or in a case where we're compiled without curl support, but hitting a host that requires HTTP 1.1). Put another way, with PGP, all the info you need is in the DNS packets. With IPGP, you have another step to chase down. 
Only parsing one CERT response also prevents one from putting in multiple keys with the same key retrievable via multiple URIs, i.e. one finger, one http, etc. (On a related note, I can't specify multiple keyservers to search on the command line or in my config file, which is also annoying, is this worth filing a bug?). Is the way a CERT record is parsed (i.e. only parsing the first one) governed by an RFC? Or considering the likely little use this is getting, do you feel it's too late in the game to change the way multiple records would be handled? This is also why I asked for a list of what uri formats are supported, and it would help me to know which of those are retrievable by default with no external libs. Given an HTTPS-capable webserver where I also control vhost order, if I only have one URI-format to publish, what's my best chance to have this support the most clients? Hell, can one put an hkp:// uri in that URL f
Re: A lot of questions about CERT, PKA and make-dns-cert
On Thu, 15 Oct 2009, David Shaw wrote: On Oct 15, 2009, at 9:37 PM, Dan Mahoney, System Admin wrote: I'm running: echo foo | gpg -v -v --auto-key-locate cert --recipient gu...@gushi.org --encrypt -a And get gpg: error retrieving `gu...@gushi.org' via DNS CERT: No fingerprint I exported my key with: gpg --export --export-options minimal > file; and make-dns-cert -n gushi.gushi.org -f file It works fine for me. What version of GPG are you using? I tried this again, after I nuked the "fingerprint" cert record. Oddly, running on gpg2 on an older debian system, I get: # echo "foo" | gpg2 -v -v --auto-key-locate cert --encrypt -r gu...@gushi.org gpg: no keyserver known (use option --keyserver) gpg: error retrieving `gu...@gushi.org' via DNS CERT: General error gpg: gu...@gushi.org: skipped: General error gpg: [stdin]: encryption failed: General error That first line specifically makes me scratch my head a bit. (The gpg manpage also appears to be a bit corrupted on this system). On my bsd system, I get what you see at http://www.gushi.org/gpg.txt. It retrieves the key, but complains of "no fingerprint", however it actually DOES import the key, so it works a second time. If you require a shell to play with this, let me know and I'll provide one. With the demise of thawte's free cert offering, I'd really like to do what I can to increase awareness of this stuff. On my ubuntu desktop, it works fine. I suspect strongly that this feature doesn't get the most broad platform testing. Let me know if you'd like to help. -Dan -- Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: A lot of questions about CERT, PKA and make-dns-cert
On Thu, 15 Oct 2009, David Shaw wrote: David, For starters let me thank you on both the fullness and the expedience of your answer. Far too many open source projects just go "crickets" when I send out a laundry list, and I need to recognize your time. Let me also apologize in advance for my wordiness. We have quite a bit of ground to cover. On Oct 15, 2009, at 9:37 PM, Dan Mahoney, System Admin wrote: 1) Currently the only tool that can generate a CERT record, make-dns-cert, is not built or packaged by default under any os I've found (I've tried FreeBSD and ubuntu). It has no documentation, no examples, and only a terse 4-line usage summary. I've also seen a few bugs reported with it, that I don't know if they're fixed, such as not handling whitespace in the key fingerprint properly. I was referencing this thread: http://lists.gnupg.org/pipermail/gnupg-users/2006-April/028314.html If that's no longer the case, then no worry. I suppose if doc were more abundant I wouldn't have had to pore over old mailing list entries looking for examples :) The few examples I've seen online as to how to use this have the FP whitespace-stripped, so I assumed it was done so deliberately to work around that, and I did the same. Whether TXT or CERT, though, it's a fairly high barrier for many users. True, and sadly, applying for a separate typecode would be an additional barrier to entry there. (SPF made TXT what it is today!) Is there a formal spec document? The most I could find was a PDF slideshow. I do encourage you to document it better, and I'm willing to help explain wherever necessary, or make code changes if there is something that could be done better. Docs, I'm totally on. I'm trying as much as I can to link to the standards docs as well, which is why I was asking for a supported-uri-format doc. 
Ideally there should be something in the gpg faq, something in the manpage, and at least a small README in tools that covers all the things in there (maybe we can talk about what the rest of those do as well). If you really feel up to making code changes: gpg --export --format cert-PGP d...@prime.gushi.org gpg --export --format cert-IPGP gu...@gushi.org [--url=http://foo] gpg --export --format pka f...@bar.com --url=http://foo Some variation on the above would all be wonderful, but I don't think I'm likely to get that wish granted. One of the tutorials I saw made reference of using pgp-clean -- what is the gnupg equivalent of this? If you build GnuPG with curl (which is the default, assuming you have curl), then you have HTTP 1.1 support. That said, is there a particular HTTP 1.1 feature that you need here? After the PKA parsing happens, GPG is just doing a regular HTTP GET. No, I'm just looking for a full list of what you can put in the uri= portion of a _pka record. I never found it enumerated. Is https supported? If so, does the system do cert validation? I've seen finger and http, but wouldn't know where in the code to try to read to figure out the full list. I also didn't find a clear listing of what format the key should be in, although the finger "hinted" at the usual armored format. From a code end, I'd like to know for sure if either/both work. 4) Try though I might, I can't seem to get my full-key in CERT format to recognize. It works fine for me. What version of GPG are you using? gpg (GnuPG) 2.0.12 libgcrypt 1.4.4 When you say it works for you, do you mean you're able to parse my key, or that you've been able to publish and retrieve your own CERT-PGP record? If I nuke things down to my single cert-ipgp record, could you try again? Incidentally, you have two different CERT records for gushi.gushi.org at the same time. You have both a fingerprint-style answer and a full-key answer. 
This is not a major problem (GPG won't care - it'll just take the first one that parses), but if your nameserver does some sort of round-robining, it can be confusing as to which record is the one that gets used. I did that because it complained about having "no fingerprint", so I thought for a moment it needed both kinds, one with the key, and a separate one with the FP. Most versions of bind9 understand the CERT record, with base64 representation, and numeric typecodes. bind9.6 understands the PGP type value mnemonic but not IPGP. BIND 9.7 understands IPGP. The cert is a single, long, unbroken hex string. BIND will understand it if you chuck it into an include file or paste it in with a non-wrapping editor. But it's fragile and unwieldy. If you feel like carefully counting characters, you can wrap it, as long as you hit a hex boundary. Adding a few spaces and parens would make it just work if wrapped. And the presentation format should be base64, not binary
A lot of questions about CERT, PKA and make-dns-cert
All, I'm in the process of writing a blog entry about the PKA and CERT methods. A couple people have written them a long time ago, and I'd like to bring some of the info up to date. (If this is better asked on gnupg-dev, let me know). For starters: 1) Currently the only tool that can generate a CERT record, make-dns-cert, is not built or packaged by default under any os I've found (I've tried FreeBSD and ubuntu). It has no documentation, no examples, and only a terse 4-line usage summary. I've also seen a few bugs reported with it, that I don't know if they're fixed, such as not handling whitespace in the key fingerprint properly. 2) I realize this is a fringe feature, but other than a few scattered blog posts that reference each other, some of which are written by gnupg developers, info on these methods is HARD TO FIND. There's nothing in the docs/faq about this, at all. I think adoption would be much more widespread if this were a faq-able item. It's mentioned once in the manpage, once in the default gnupg.conf, and that's really it. If you document it, people will use it (and with thawte dropping personal freemail certs lately, this is something you want). 3) As far as I know, PKA isn't standardized in any RFC. Has this been changed? I saw mention of applying to IANA for its own typecode. Is there a list somewhere of what uri types are supported? I saw talk of it not supporting http 1.1, but that may be fixed with curl. Of the two methods, I tend to actually prefer PKA because it lets me delegate _pka.example.com to its own sub-zone, whereas CERT records must be inserted into the main zone. 4) Try though I might, I can't seem to get my full-key in CERT format to recognize. I am not sure if this is because my key is "complicated" (i.e. it has subkeys), because the cert is not under my primary uid, or because I just plain exported it wrong. 
I'm running: echo foo | gpg -v -v --auto-key-locate cert --recipient gu...@gushi.org --encrypt -a And get gpg: error retrieving `gu...@gushi.org' via DNS CERT: No fingerprint I exported my key with: gpg --export --export-options minimal > file; and make-dns-cert -n gushi.gushi.org -f file It's still live if anyone wants to try. 5) Finally, the quality of records being generated, while consistent with rfc3597, leaves them as a real bear to manage, and import. If you're going to export them in hex, could we please also get whitespace so we can get this into an editor easily? Ideally, the things would just be base64 encoded, in accordance with rfc4398. Most versions of bind9 understand the CERT record, with base64 representation, and numeric typecodes. bind9.6 understands the PGP type value mnemonic but not IPGP. BIND 9.7 understands IPGP. What would be really, really cool, is step by step instructions for exporting, or hell, let gpg generate these records, the way ssh-keygen generates SSHFP records. Those are my thoughts. -Dan -- Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users