Re: GnuPG 2.2.4 on Windows - problems accessing some HKPS keyservers

2018-01-24 Thread David Gray via Gnupg-users
Thanks, Phil - 

I appreciate your help and your response.

Thanks,

Dave

Sent from my iPhone

> On Jan 23, 2018, at 9:51 PM, Phil Pennock  wrote:
> 
> Looks to me like a GnuPG bug.  In fact, it looks very much like
> https://dev.gnupg.org/T1447 which has been marked resolved.
> 
> The hostname there is a CNAME to Amazon DNS, and my dirmngr logfile
> records:
> 
> 2018-01-23 21:28:10 dirmngr[70787.6] TLS verification of peer failed: 
> hostname does not match
> 2018-01-23 21:28:10 dirmngr[70787.6] DBG: expected hostname: 
> keyserver-prod.v3jierkpjv.eu-west-1.elasticbeanstalk.com
> 
> The untrusted name retrieved from DNS resolution of the CNAME record is
> being used as the name for validation.
> 
> The patches to address the issue seem to focus on SRV records, so
> repaired one way in which the problem manifested, but either didn't fix
> the underlying issue, or there's been a regression.
> 
> I've opened a new ticket for the maintainers to track this.
> https://dev.gnupg.org/T3755
> 
> -Phil


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
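The behaviour Phil describes, reproduced with openssl as an added example (this is not code from the thread or from GnuPG; the host names are hypothetical and local self-signed certificates stand in for the keyserver's): a client that derives its reference identity from the CNAME target rejects a certificate that is correct for the configured name, which is the "Wrong name" David saw, and would accept a certificate issued for whatever name an unauthenticated DNS answer points at. That second outcome is why RFC 6125 has clients take the reference identity from the name they were configured with, never from DNS resolution.

```shell
#!/bin/sh
# Added example (not code from the thread or from GnuPG). Shows what happens
# when a TLS client takes its reference identity from the CNAME target instead
# of from the name it was configured with. All host names are hypothetical.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed scenario: the client is configured to talk to REQUESTED; an
# (unauthenticated) DNS answer says REQUESTED is a CNAME for RESOLVED.
REQUESTED=keys.example.org
RESOLVED=backend.cdn.example

# Minimal openssl config so 'req' does not depend on the system openssl.cnf.
cat >"$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
EOF

# make_cert NAME BASENAME: self-signed certificate whose only subjectAltName is
# NAME. Each cert acts as its own trust anchor below, so only the name check
# can fail.
make_cert() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# cert_valid_for BASENAME NAME: 0 if the chain verifies AND the cert is valid
# for NAME (OpenSSL's own hostname check, SAN dNSName rules).
cert_valid_for() {
  openssl verify -CAfile "$WORK/$1.pem" -verify_hostname "$2" \
    "$WORK/$1.pem" >/dev/null 2>&1
}

make_cert "$REQUESTED" service || { echo "openssl setup failed" >&2; exit 1; }
make_cert "$RESOLVED"  cname   || { echo "openssl setup failed" >&2; exit 1; }

# Case 1 (the thread): the real service presents a cert for REQUESTED.
cert_valid_for service "$REQUESTED" && echo "service cert vs configured name:      OK (correct)"
cert_valid_for service "$RESOLVED"  || echo "service cert vs CNAME target:         Wrong name (spurious failure)"

# Case 2 (the mirror image): whoever controls the DNS answer and the target
# host presents a cert that is valid for the CNAME target only.
cert_valid_for cname "$RESOLVED"    && echo "cname-target cert vs CNAME target:    accepted (dangerous)"
cert_valid_for cname "$REQUESTED"   || echo "cname-target cert vs configured name: rejected (correct)"
```

Two practical notes: hkp-cacert cannot repair this class of failure, because it only changes which roots are trusted for the chain and the check that fails here is the name check, not the chain; and the script needs a POSIX sh with OpenSSL 1.1.1 or later (for -addext).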


GnuPG 2.2.4 on Windows - problems accessing some HKPS keyservers

2018-01-23 Thread David Gray via Gnupg-users
Good Evening -

I'm running GnuPG 2.2.4 on Windows.  I'm able to successfully query the SKS
keyserver pool via HKPS (hkps://hkps.pool.sks-keyservers.net) with no
problems.  I'm trying to query the hkps://keys.mailvelope.com keyserver, and
I'm not having any luck.  I suspect I don't have the appropriate hkp-cacert
referenced in the dirmngr, but I got the certificate by browsing to
https://keys.mailserver.com, exporting the root cert in the certification
path as a Base-64 encoded X.509 file (with .pem extension) and copying it to
my gnupg home directory, and the hkp-cacert line in dirmngr.conf references
that .PEM file.  The cert thumbprint shows:
ad7e1c28b064ef8f6003402014c3d0e3370eb58a in windows certmgr, and the full
contents of that .pem file appear at the bottom of this message for
reference.

I'm hoping someone may be able to point me in the right direction to
troubleshoot this a bit further - I suspect I've done something wrong but
I'm not sure how to identify exactly what it is.

Details below - Thanks!

Dave

This is what I get when I attempt to lookup the key for patr...@enigmail.com
at hkps://keys.mailvelope.com:

C:\Users\dave>gpg --debug-all -vvv --search-keys patr...@enigmail.com
gpg: reading options from 'C:/Users/dave/AppData/Roaming/gnupg/gpg.conf'
gpg: using character set 'CP437'
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog
gpg: DBG: [not enabled in the source] start
gpg: DBG: chan_0x0180 <- # Home: C:/Users/dave/AppData/Roaming/gnupg
gpg: DBG: chan_0x0180 <- # Config: C:/Users/dave/AppData/Roaming/gnupg/dirmngr.conf
gpg: DBG: chan_0x0180 <- OK Dirmngr 2.2.4 at your service
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_0x0180 -> GETINFO version
gpg: DBG: chan_0x0180 <- D 2.2.4
gpg: DBG: chan_0x0180 <- OK
gpg: DBG: chan_0x0180 -> KEYSERVER --clear hkps://keys.mailvelope.com/
gpg: DBG: chan_0x0180 <- OK
gpg: DBG: chan_0x0180 -> KS_SEARCH -- patr...@enigmail.com
gpg: DBG: chan_0x0180 <- ERR 285212985 Wrong name
gpg: error searching keyserver: Wrong name
gpg: keyserver search failed: Wrong name
gpg: DBG: chan_0x0180 -> BYE
gpg: DBG: [not enabled in the source] stop
gpg: keydb: handles=0 locks=0 parse=0 get=0
gpg:        build=0 update=0 insert=0 delete=0
gpg:        reset=0 found=0 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=0 cached=0 good=0 bad=0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x calls=0 bytes=0
gpg: secmem usage: 0/32768 bytes in 0 blocks

 

The corresponding logs from dirmngr show:

2018-01-22 19:40:43 dirmngr[1664] handler for fd 864 started
2018-01-22 19:40:43 dirmngr[1664] DBG: chan_0x0360 -> # Home: C:/Users/dave/AppData/Roaming/gnupg
2018-01-22 19:40:43 dirmngr[1664] DBG: chan_0x0360 -> # Config: C:/Users/dave/AppData/Roaming/gnupg/dirmngr.conf
2018-01-22 19:40:43 dirmngr[1664] DBG: chan_0x0360 -> OK Dirmngr 2.2.4 at your service
2018-01-22 19:40:43 dirmngr[1664] DBG: chan_0x0360 <- GETINFO version
2018-01-22 19:40:43 dirmngr[1664] DBG: chan_0x0360 -> D 2.2.4
2018-01-22 19:40:43 dirmngr[1664] DBG: chan_0x0360 -> OK
2018-01-22 19:40:43 dirmngr[1664] DBG: chan_0x0360 <- KEYSERVER --clear hkps://keys.mailvelope.com/
2018-01-22 19:40:43 dirmngr[1664] DBG: chan_0x0360 -> OK
2018-01-22 19:40:43 dirmngr[1664] DBG: chan_0x0360 <- KS_SEARCH -- patr...@enigmail.com
2018-01-22 19:40:43 dirmngr[1664] TLS handshake failed: Wrong name
2018-01-22 19:40:43 dirmngr[1664] error connecting to 'https://52.50.100.145:443': Wrong name
2018-01-22 19:40:43 dirmngr[1664] command 'KS_SEARCH' failed: Wrong name
2018-01-22 19:40:43 dirmngr[1664] DBG: chan_0x0360 -> ERR 285212985 Wrong name
2018-01-22 19:40:43 dirmngr[1664] DBG: chan_0x0360 <- BYE
2018-01-22 19:40:43 dirmngr[1664] DBG: chan_0x0360 -> OK closing connection
2018-01-22 19:40:43 dirmngr[1664] handler for fd 864 terminated


By contrast, this is what I get when I query the SKS pool for the same key
via HKPS:

C:\Users\dave>gpg --debug-all -vvv --keyserver hkps://hkps.pool.sks-keyservers.net --search-keys patr...@enigmail.com
gpg: reading options from 'C:/Users/dave/AppData/Roaming/gnupg/gpg.conf'
gpg: using character set 'CP437'
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog
gpg: DBG: [not enabled in the source] start
gpg: DBG: chan_0x0190 <- # Home: C:/Users/dave/AppData/Roaming/gnupg
gpg: DBG: chan_0x0190 <- # Config: C:/Users/dave/AppData/Roaming/gnupg/dirmngr.conf
gpg: DBG: chan_0x0190 <- OK Dirmngr 2.2.4 at your service
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_0x0190 -> GETINFO version
gp

Re: Problems with cert validation via CRL

2017-02-23 Thread David Gray
Thanks very much for getting back to me - I really appreciate your help.  I 
have been able to get the validation to work by adding the trusted root 
certificate to the "trusted-certs" folder under the gnupg directory on my 
windows box.  The directory wasn't there but I was able to add it and as long 
as the cert is there dirmngr knows that it can trust the CRL that has been 
issued.  I haven't had a chance to circle back on my Linux installation, but 
I'm sure the same approach will work.  I'm also not sure how/why the Linux 
installation was originally able to validate the cert, but I will dig into 
that.  

Thanks again for your help - it's very much appreciated!

Sent from my Mobile Device

> On Feb 21, 2017, at 9:31 PM, NIIBE Yutaka  wrote:
> 
> Hello, again,
> 
> David Gray  wrote:
>> dave@dave-VirtualBox:~/.gnupg/crls.d$ dirmngr --debug-all --fetch-crl 
>> http://crl.comodoca.com/COMODOSHA256ClientAuthenticationandSecureEmailCA.crl
> 
> Reading the code of dirmngr, I think that --fetch-crl (or dirmngr-client
> --load-crl) doesn't work well for a CRL which is not signed by system CA
> directly.  When dirmngr doesn't know the issuer, it inquires back to the
> client, and it fails as:
> 
>> dirmngr[3184.0]: DBG: find_cert_bysubject: certificate not returned by 
>> caller - doing lookup
>> dirmngr[3184.0]: error fetching certificate by subject: Configuration error
>> dirmngr[3184.0]: CRL issuer certificate 
>> {92616B82E1A2A0AA4FEC67F1C2A3F7B48000C1EC} not found
>> dirmngr[3184.0]: crl_parse_insert failed: Missing certificate
> 
> When it is gpgsm which asks dirmngr to validate a certificate, I think
> it works.
> 
> I think that you once successfully did that on this box:
> 
>> dave@dave-VirtualBox:~/.gnupg/crls.d$ gpgsm --debug-all --list-keys 
>> --with-validation
> 
> And the CRL is cached.  Thus,
> 
>> gpgsm: DBG: chan_6 -> ISVALID 
>> 685A02B9E2BD4B5EE1FA51739B8882AEA38FB3C8.3FAADAD7DD3F946B114321153B76F88C
> 
> This is gpgsm asking if your X.509 client certificate is valid or not.
> 
>> gpgsm: DBG: chan_6 <- INQUIRE ISTRUSTED 
>> 02FAF3E291435468607857694DF5E45B68851868
> 
> Here, I think that the CRL for your X.509 client certificate is cached
> and checked.  dirmngr does not ask about anything about your X.509
> client certificate or its issuer.
> 
> dirmngr inquires back to gpgsm if the root issuer is trusted.
> 
>     CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
>     fingerprint=02FAF3E291435468607857694DF5E45B68851868
> 
> then, gpgsm asks to gpg-agent.
> 
>> gpgsm: DBG: chan_7 -> ISTRUSTED 02FAF3E291435468607857694DF5E45B68851868
>> gpgsm: DBG: chan_7 <- S TRUSTLISTFLAG relax
>> gpgsm: DBG: chan_7 <- OK
> 
> It is trusted.  Then, gpgsm replies back to dirmngr.
> 
>> gpgsm: DBG: chan_6 -> D 1
>> gpgsm: DBG: chan_6 -> END
> 
> It's trusted.
> 
>> gpgsm: DBG: chan_6 <- OK
> 
> Then, dirmngr answers OK for the validation of your X.509 client certificate.
> 
>> gpgsm: DBG: chan_6 -> ISVALID 
>> 14673DA5792E145E9FA1425F9EF3BFC1C4B4957C.00E023CB1512835389AD616E7A54676B21
> 
> This is gpgsm asking if the intermediate certificate of following is
> valid or not:
> 
>     CN=COMODO SHA-256 Client Authentication and Secure Email CA,O=COMODO CA Limited,
>     L=Salford, ST=Greater Manchester, C=GB
>     fingerprint=59B825FC08860B04B392CC25FEC48C760753B689
> 
>> gpgsm: DBG: chan_6 <- INQUIRE ISTRUSTED 
>> 02FAF3E291435468607857694DF5E45B68851868
>> gpgsm: DBG: chan_7 -> ISTRUSTED 02FAF3E291435468607857694DF5E45B68851868
>> gpgsm: DBG: chan_7 <- S TRUSTLISTFLAG relax
>> gpgsm: DBG: chan_7 <- OK
>> gpgsm: DBG: chan_6 -> D 1
>> gpgsm: DBG: chan_6 -> END
>> gpgsm: DBG: chan_6 <- OK
> 
> Similar interactions between gpg-agent<->gpgsm<->dirmngr.
> 
>> gpgsm: DBG: chan_7 -> ISTRUSTED 02FAF3E291435468607857694DF5E45B68851868
>> gpgsm: DBG: chan_7 <- S TRUSTLISTFLAG relax
>> gpgsm: DBG: chan_7 <- OK
> 
> I don't know the exact reason, but gpgsm again asks gpg-agent.
> 
> And gpgsm shows your X.509 client certificate:
> 
>>   ID: 0x2F5900E9
>>  S/N: 3FAADAD7DD3F946B114321153B76F88C
>>   Issuer: /CN=COMODO SHA-256 Client Authentication and Secure Email 
>> CA/O=COMODO CA Limited/L=Salford/ST=Greater Manchester/C=GB
>>  Subject: /EMail=u...@domain.com
>>  aka: u...@domain.com
>> validity: 2017-01-02 00:00:00 through 2018-01-02 23:59:59
>> key type: 2048 bit RSA
>>key usage

RE: Problems with cert validation via CRL

2017-02-22 Thread David Gray
You were correct, Peter.  I haven't had a chance to verify on Ubuntu yet, but 
on Windows the following steps did the trick:

- there was no 'trusted-certs' directory in my existing home directory 
(C:\users\dave\appdata\Roaming\gnupg\), so I created one.  I also went ahead 
and created a 'logs' directory.
- I added the line "log-file 
C:\Users\dave\AppData\Roaming\gnupg\logs\dirmngrlog.txt" to my dirmngr.conf 
file to capture what I wanted
- I saved a copy of the root cert with fingerprint 
02FAF3E291435468607857694DF5E45B68851868 to a DER-encoded file with .crt 
extension to the 'trusted-certs' directory.
- I executed the 'gpgsm --list-keys --with-validation --debug-all' command, 
and all keys were shown to be good.

I've attached the debug output from the command as well as the dirmngrlog.txt 
file that was generated in case it is of interest.  (As an aside, you may 
notice that I've installed version 2.1.18 since the last output was provided). 
I don't fully understand everything that is shown in these files, but it sure 
seems to me like you were exactly right - dirmngr did not know to trust that 
root cert, so it couldn't verify that the CRL was signed by a trustworthy 
party.  Once I told dirmngr that the root cert could be trusted, it could 
verify the CRL.  I've since been able to encrypt data using this key, so 
things are looking good.

I can't thank you enough - this has been extremely helpful.

Thanks!

Dave







-Original Message-
From: Peter Lebbing [mailto:pe...@digitalbrains.com]
Sent: Tuesday, February 21, 2017 10:13 AM
To: David Gray ; NIIBE Yutaka 
Cc: gnupg-users@gnupg.org
Subject: Re: Problems with cert validation via CRL

On 21/02/17 13:20, David Gray wrote:
> I'm no expert, but when I look at the debug info (attached to original
> email), it appears that gpgsm is able to get the crl that my cert
> points to but it may be having trouble parsing it.

Reading that part made me think it couldn't find the issuer of the CRL:

> dirmngr[3184.0]: error fetching certificate by subject: Configuration
> error
> dirmngr[3184.0]: CRL issuer certificate
> {92616B82E1A2A0AA4FEC67F1C2A3F7B48000C1EC} not found

When I fetch the CRL we're talking about, OpenSSL tells me about it:

> Certificate Revocation List (CRL):
>         Version 2 (0x1)
>         Signature Algorithm: sha256WithRSAEncryption
>         Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO SHA-256 Client Authentication and Secure Email CA
>         Last Update: Feb 20 16:07:34 2017 GMT
>         Next Update: Feb 24 16:07:34 2017 GMT
>         CRL extensions:
>             X509v3 Authority Key Identifier:
>                 keyid:92:61:6B:82:E1:A2:A0:AA:4F:EC:67:F1:C2:A3:F7:B4:80:00:C1:EC
>             X509v3 CRL Number:
>                 822

The issuer is the certificate that gpgsm knows about:

> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             e0:23:cb:15:12:83:53:89:ad:61:6e:7a:54:67:6b:21
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
>         Validity
>             Not Before: Dec 22 00:00:00 2014 GMT
>             Not After : May 30 10:48:38 2020 GMT
>         Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO SHA-256 Client Authentication and Secure Email CA
> [...]
>         X509v3 extensions:
>             X509v3 Authority Key Identifier:
>                 keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
>             X509v3 Subject Key Identifier:
>                 92:61:6B:82:E1:A2:A0:AA:4F:EC:67:F1:C2:A3:F7:B4:80:00:C1:EC
> [...]
> SHA1 Fingerprint=59:B8:25:FC:08:86:0B:04:B3:92:CC:25:FE:C4:8C:76:07:53:B6:89

I suspect that even though gpgsm knows about it, dirmngr might not, hence the 
failing CRL verification. I think you need to feed the certificate to dirmngr 
as well.

Whether this is actually the reason you're having problems, I don't know.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

C:\Users\dave>gpgsm --list-keys --with-validation --debug-all
gpgsm: reading options from 'C:\Users\dave\AppData\Roaming\gnupg\gpgsm.conf'
gpgsm: enabled debug flags: x509 mpi crypto memory cache memstat hashing ipc
C:\Users\dave\AppData\Roaming\gnupg\pubring.kbx
---
   ID: 0x0753B689
  S/N: 00E023CB1512835389AD616E7A54676B21
   Issuer: /CN=AddTrust External CA Root/OU=AddTrust External TTP 
Network/O=AddTrust AB/C=SE
  Subject: /CN=COMODO SHA-

Re: Problems with cert validation via CRL

2017-02-21 Thread David Gray
Thanks, Peter!

According to the documentation the trusted certs need to be in a folder 
named "trusted-certs" in the home directory.  I don't believe I've copied them 
there manually, so if it hasn't happened automatically that could very well be 
the issue.  I'm at work but once I get home I'll check it out and report back.

Really appreciate the help,

Dave

Sent from my iPhone

> On Feb 21, 2017, at 10:13 AM, Peter Lebbing  wrote:
> 
>> On 21/02/17 13:20, David Gray wrote:
>> I'm no expert, but when I look at the debug info (attached to
>> original email), it appears that gpgsm is able to get the crl that my
>> cert points to but it may be having trouble parsing it.
> 
> Reading that part made me think it couldn't find the issuer of the CRL:
> 
>> dirmngr[3184.0]: error fetching certificate by subject: Configuration error
>> dirmngr[3184.0]: CRL issuer certificate 
>> {92616B82E1A2A0AA4FEC67F1C2A3F7B48000C1EC} not found
> 
> When I fetch the CRL we're talking about, OpenSSL tells me about it:
> 
>> Certificate Revocation List (CRL):
>>         Version 2 (0x1)
>>         Signature Algorithm: sha256WithRSAEncryption
>>         Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO SHA-256 Client Authentication and Secure Email CA
>>         Last Update: Feb 20 16:07:34 2017 GMT
>>         Next Update: Feb 24 16:07:34 2017 GMT
>>         CRL extensions:
>>             X509v3 Authority Key Identifier:
>>                 keyid:92:61:6B:82:E1:A2:A0:AA:4F:EC:67:F1:C2:A3:F7:B4:80:00:C1:EC
>>             X509v3 CRL Number:
>>                 822
> 
> The issuer is the certificate that gpgsm knows about:
> 
>> Certificate:
>>     Data:
>>         Version: 3 (0x2)
>>         Serial Number:
>>             e0:23:cb:15:12:83:53:89:ad:61:6e:7a:54:67:6b:21
>>     Signature Algorithm: sha256WithRSAEncryption
>>         Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
>>         Validity
>>             Not Before: Dec 22 00:00:00 2014 GMT
>>             Not After : May 30 10:48:38 2020 GMT
>>         Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO SHA-256 Client Authentication and Secure Email CA
>> [...]
>>         X509v3 extensions:
>>             X509v3 Authority Key Identifier:
>>                 keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
>>             X509v3 Subject Key Identifier:
>>                 92:61:6B:82:E1:A2:A0:AA:4F:EC:67:F1:C2:A3:F7:B4:80:00:C1:EC
>> [...]
>> SHA1 Fingerprint=59:B8:25:FC:08:86:0B:04:B3:92:CC:25:FE:C4:8C:76:07:53:B6:89
> 
> I suspect that even though gpgsm knows about it, dirmngr might not,
> hence the failing CRL verification. I think you need to feed the
> certificate to dirmngr as well.
> 
> Whether this is actually the reason you're having problems, I don't know.
> 
> HTH,
> 
> Peter.
> 
> -- 
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
> 

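The lookup Peter describes, and the "Missing certificate" outcome in David's dirmngr log, reproduced as an added example that is not part of the thread or of GnuPG (all names are hypothetical): a throw-away root CA and issuing CA are built with openssl, the issuing CA publishes a CRL, the CRL's authorityKeyIdentifier keyid is compared against the subjectKeyIdentifier of each candidate issuer, and the CRL signature is then verified once with only the root available and once with the issuing CA available. The first verification fails for the same reason dirmngr's did: the certificate whose SKI matches the CRL's AKI is not in the set it has been given.

```shell
#!/bin/sh
# Added example (not code from the thread or from GnuPG). Builds a throw-away
# root -> issuing CA hierarchy with openssl, has the issuing CA publish a CRL,
# and then performs the two steps dirmngr does: find the CRL issuer by key id,
# and verify the CRL signature with that issuer's key. Names are hypothetical.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

# Request settings, extension profiles for the two CAs, and the bookkeeping
# 'openssl ca -gencrl' needs. crl_ext makes the CRL carry an
# authorityKeyIdentifier, the field dirmngr uses to look the issuer up.
cat >"$CNF" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ int_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $WORK/index.txt
crlnumber = $WORK/crlnumber
default_md = sha256
default_crl_days = 7
crl_extensions = crl_ext
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF

q() { "$@" >/dev/null 2>&1; }   # run a command quietly

build_pki() {
  q openssl req -x509 -config "$CNF" -extensions root_ext -newkey rsa:2048 -nodes -days 2 \
      -subj "/O=Example/CN=Example Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" || return 1
  q openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
      -subj "/O=Example/CN=Example Issuing CA" -keyout "$WORK/int.key" -out "$WORK/int.csr" || return 1
  q openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
      -CAcreateserial -days 2 -extfile "$CNF" -extensions int_ext -out "$WORK/int.pem" || return 1
  : >"$WORK/index.txt"                  # empty CA database: nothing revoked yet
  echo 1000 >"$WORK/crlnumber"
  q openssl ca -gencrl -config "$CNF" -cert "$WORK/int.pem" -keyfile "$WORK/int.key" \
      -md sha256 -crldays 7 -out "$WORK/int.crl"
}

# Key identifier the CRL names in its authorityKeyIdentifier extension
# (OpenSSL 1.1.1 prints 'keyid:XX:..', 3.x prints the bare hex; both handled).
crl_authority_keyid() {
  openssl crl -in "$WORK/int.crl" -noout -text \
    | awk '/Authority Key Identifier/ { getline; sub(/^ *(keyid:)?/, ""); print; exit }'
}

# subjectKeyIdentifier of a certificate, in the same hex format.
cert_subject_keyid() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Key Identifier/ { getline; sub(/^ */, ""); print; exit }'
}

# crl_verifies_with CAFILE: 0 only if a certificate whose subject is the CRL
# issuer is found in CAFILE and its public key verifies the CRL signature.
crl_verifies_with() {
  openssl crl -in "$WORK/int.crl" -noout -CAfile "$1" 2>&1 | grep -q '^verify OK'
}

build_pki || { echo "openssl PKI setup failed" >&2; exit 1; }

echo "CRL authorityKeyIdentifier: $(crl_authority_keyid)"
echo "issuing CA SKI:             $(cert_subject_keyid "$WORK/int.pem")"
echo "root CA SKI:                $(cert_subject_keyid "$WORK/root.pem")"
crl_verifies_with "$WORK/root.pem" || echo "root only:   issuer not found (dirmngr's 'Missing certificate')"
crl_verifies_with "$WORK/int.pem"  && echo "issuing CA:  verify OK"
```

The same two openssl calls work on a real downloaded CRL (openssl crl -in file.crl -noout -text, then -CAfile with the suspected issuer) to confirm which certificate a CRL needs before touching the GnuPG side. On that side, the dirmngr manual documents two directories read at startup, both expecting DER files with a .crt or .der suffix: trusted-certs for root CAs trusted for CRL checking, and extra-certs for intermediate certificates that are preloaded into the cache so a chain can be completed; the system-wide location is the GnuPG sysconfdir, and this thread found that a trusted-certs directory in the GnuPG home directory was honoured on Windows.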


Re: Problems with cert validation via CRL

2017-02-21 Thread David Gray
Thank you for your response!  I do have the trustlist.txt file on both 
computers - it was automatically populated with the root cert by pinentry when 
I imported my certificate on both machines, and it includes the "relax" keyword 
on both computers.  There are 3 certs total in my hierarchy - root, 
intermediate, and mine.  I've added the fingerprint of the intermediate and 
even my own cert to trustlist.txt to see if that would make a difference, but 
it didn't change anything.  

The --disable-crl-checks option allows me to use the cert for encryption, so 
I'm pretty sure the problem lies with the crl option...there are two files (in 
addition to DIR.TXT) that have been populated in crls.d, and if I do a 
dirmngr --flush they get cleared out and are added back fine the next time I try 
to validate.  The root cert does NOT include a CRL DP, so I've tried turning on 
the option not to require a crl on trusted certs, but that didn't make a 
difference.

I'm no expert, but when I look at the debug info (attached to original email), 
it appears that gpgsm is able to get the crl that my cert points to but it may 
be having trouble parsing it.  The file itself is large, but I don't think 
that's uncommon, so perhaps there is a problem with the file itself.  It's been 
updated since I started investigating, and the problem persists, so it wasn't a 
transient problem. 

Is there a way to have gpgsm (or dirmngr?) validate that it is able to parse 
and interpret the CRL (or the associated .db file in crls.d) to see if that is 
the issue?

I appreciate your help very much.  Thanks,

Dave

Sent from my Mobile Device

> On Feb 20, 2017, at 9:32 PM, NIIBE Yutaka  wrote:
> 
> Hello,
> 
> David Gray  wrote:
>> At the same time, I'm curious as to why the Ubuntu installation is
>> validating the certificate as 'good' while the Windows installation is not -
>> is this just because the Ubuntu installation was able to successfully
>> validate the certificate in the past (presumably when a previous and
>> non-problematic CRL was published)?  If the CA publishes an updated CRL that
>> doesn't have issues, will my Windows installation be able to validate the
>> certificate at that point?
> 
> Please note that my knowledge of gpgsm and X.509 is pretty much limited.
> 
> Do you have .gnupg/trustlist.txt on Ubuntu machine?  It can be created
> when you answer dialog of gpgsm by pinentry interaction.
> -- 




Problems with cert validation via CRL

2017-02-20 Thread David Gray
Hello - new user here; this may be an obvious question but I haven't been
able to find the answer.  Ultimately, this may just highlight some of the
problems inherent in a hierarchical trust model.

I've got a free x.509 email certificate generated by Comodo.  

I've got Ubuntu 16.04 LTS running a clean install, with gpg and gpgsm 2.1.11
installed.  I imported my certificate into my keychain using gpgsm a day or
two ago, and everything is working as expected - the certificate is
successfully validated, and I'm able to encrypt files using the public key
of this certificate, and decrypt them using the private key.  

I've also got a Windows 10 machine - this computer had GPG4Win installed for
some time, but I've since uninstalled that, and removed all configuration
directories/files I could find.  I've installed GnuPG binary version 2.1.11,
and I've been able to successfully import my certificate into my keychain
this morning, and everything seems to work as expected - but the certificate
is not successfully validated under Windows.  As a result, I'm not able to
encrypt anything using the public key of this certificate.

I'm trying to figure out what is going on - it appears that there is a problem
validating the CRL available at the DP listed in my certificate regardless
of whether I run the fetch-url from Ubuntu or Windows - both output files
are attached.  Does this suggest a problem with the CRL that the CA has
published, or do I have something I need to adjust in my configs somewhere?

At the same time, I'm curious as to why the Ubuntu installation is
validating the certificate as 'good' while the Windows installation is not -
is this just because the Ubuntu installation was able to successfully
validate the certificate in the past (presumably when a previous and
non-problematic CRL was published)?  If the CA publishes an updated CRL that
doesn't have issues, will my Windows installation be able to validate the
certificate at that point?

I've replaced all the email addresses in the attached files with
'u...@domain.com'.

I appreciate any assistance you might be able to provide.  Thank you,

Dave


dave@dave-VirtualBox:~/.gnupg/crls.d$ dirmngr --debug-all --fetch-crl 
http://crl.comodoca.com/COMODOSHA256ClientAuthenticationandSecureEmailCA.crl
dirmngr[3184.0]: Note: no default option file '/home/dave/.gnupg/dirmngr.conf'
dirmngr[3184.0]: enabled debug flags: x509 crypto memory cache memstat hashing 
ipc lookup
dirmngr[3184.0]: permanently loaded certificates: 0
dirmngr[3184.0]: runtime cached certificates: 0
dirmngr[3184.0]: RESP: 'HTTP/1.1 200 OK'
dirmngr[3184.0]: RESP: 'Date: Mon, 20 Feb 2017 13:32:34 GMT'
dirmngr[3184.0]: RESP: 'Content-Type: application/x-pkcs7-crl'
dirmngr[3184.0]: RESP: 'Connection: close'
dirmngr[3184.0]: RESP: 'Set-Cookie: 
__cfduid=dba16ddf7e3474878a3bb0d6b4d273e9f1487597554; expires=Tue, 20-Feb-18 
13:32:34 GMT; path=/; domain=.comodoca.com; HttpOnly'
dirmngr[3184.0]: RESP: 'Last-Modified: Sun, 19 Feb 2017 16:58:28 GMT'
dirmngr[3184.0]: RESP: 'ETag: W/"58a9ceb4-efab2"'
dirmngr[3184.0]: RESP: 'X-CCACDN-Mirror-ID: dwdccacrl10'
dirmngr[3184.0]: RESP: 'Cache-Control: public, max-age=14400'
dirmngr[3184.0]: RESP: 'CF-Cache-Status: HIT'
dirmngr[3184.0]: RESP: 'Expires: Mon, 20 Feb 2017 17:32:34 GMT'
dirmngr[3184.0]: RESP: 'Server: cloudflare-nginx'
dirmngr[3184.0]: RESP: 'CF-RAY: 334253495461246e-IAD'
dirmngr[3184.0]: RESP: ''
dirmngr[3184.0]: update times of this CRL: this=20170219T165828 
next=20170223T165828
dirmngr[3184.0]: locating CRL issuer certificate by authorityKeyIdentifier
dirmngr[3184.0]: DBG: find_cert_bysubject: certificate not in cache
dirmngr[3184.0]: DBG: get_cert_local_ski called w/o context
dirmngr[3184.0]: DBG: find_cert_bysubject: certificate not returned by caller - 
doing lookup
dirmngr[3184.0]: error fetching certificate by subject: Configuration error
dirmngr[3184.0]: CRL issuer certificate 
{92616B82E1A2A0AA4FEC67F1C2A3F7B48000C1EC} not found
dirmngr[3184.0]: crl_parse_insert failed: Missing certificate
dirmngr[3184.0]: processing CRL from 
'http://crl.comodoca.com/COMODOSHA256ClientAuthenticationandSecureEmailCA.crl' 
failed: Missing certificate

dave@dave-VirtualBox:~/.gnupg/crls.d$ gpgsm --debug-all --list-keys 
--with-validation
gpgsm: reading options from '/home/dave/.gnupg/gpgsm.conf'
gpgsm: enabled debug flags: x509 mpi crypto memory cache memstat hashing ipc
gpgsm: failed to open '/home/dave/.gnupg/policies.txt': No such file or 
directory
gpgsm: DBG: looking for parent certificate
gpgsm: DBG:   found via authid and keyid
gpgsm: DBG: got issuer's certificate:
gpgsm: DBG: BEGIN Certificate 'issuer':
gpgsm: DBG:  serial: 01
gpgsm: DBG:   notBefore: 2000-05-30 10:48:38
gpgsm: DBG:notAfter: 2020-05-30 10:48:38
gpgsm: DBG:  issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP 
Network,O=AddTrust AB,C=SE
gpgsm: DBG: subject: CN=AddTrust External CA Root,OU=AddTrust External TTP 
Network,O=AddTrust AB

RE: No secret key under different account

2009-11-09 Thread David Gray
Hi, 
Thanks for the info & detailed response.  I'm going to go with 
option C as you suggest.  Must admit I hadn't realised that .MAN 
pages are the docs. 

Cheers
Dave 


-Original Message-
From: John Clizbe [mailto:j...@mozilla-enigmail.org] 
Sent: 02 November 2009 12:02
To: GnuPG Users
Cc: David Gray
Subject: Re: No secret key under different account

David Gray wrote:
> 
> What are people's thoughts on which is the best option: 
> 
> a) copy the secring.gpg & pubring.gpg files to the second user account? 
> b) export and import the keys to the second user account? 
> c) add a reference to the second account's gpg.conf file? 

it depends on what you are trying to accomplish. Any of the above may be the 
best option for a given set of requirements. If I wish to use my keys on a new 
machine, option a or redirecting gpg.conf to keyrings (& trustdb) on portable 
media is probably the route I'd take.

If I wanted to share a central keyring of, for example, customer keys, I 
probably go with option c.

> Also could anyone please give me an example of the syntax for adding 
> keyring references to gpg.conf?

no-default-keyring
primary-keyring pubring.gpg
keyring O:\GnuPG\pubring.gpg
keyring strong.gpg
keyring trusted.gpg
secret-keyring  secring.gpg
secret-keyring  O:\GnuPG\secring.gpg

These should be explained in gpg2.man which should be in the share\gnupg 
directory under gpg2's installation directory, default on Windows:
C:\Program Files\GNU\GnuPG2\share\gnupg\gpg2.man. It can be read with Notepad.


-- 
John P. Clizbe  Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net  or
 mailto:pgp-public-k...@gingerbear.net?subject=help

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"



RE: gpg.conf

2009-11-04 Thread David Gray
Hi Michel, 
Thanks for the information, most useful. 

Regards
David 



-Original Message-
From: gnupg-users-boun...@gnupg.org [mailto:gnupg-users-boun...@gnupg.org] On 
Behalf Of Michel Messerschmidt
Sent: 02 November 2009 11:10
To: gnupg-users@gnupg.org
Subject: Re: gpg.conf

On Mon, Nov 02, 2009 at 10:51:46AM -, David Gray wrote:
> Could anyone point me in the right direction for a manual/examples 
> on how to edit the gpg.conf file for GnuPG 2.0.12 (GPG 4 Win)? 

http://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG.html#Invoking-GPG

Within this manual you'll find:
###
gpg.conf
This is the standard configuration file read by gpg2 on startup. It may 
contain any valid long option; the leading two dashes may not be entered and 
the option may not be abbreviated. This default name may be changed on the 
command line (see option –options). You should backup this file.
###

Valid options are listed in 
http://www.gnupg.org/documentation/manuals/gnupg/GPG-Options.html#GPG-Options



> I would like to see examples of how to add further keyrings

Use the "keyring" option:
--keyring file
Add file to the current list of keyrings. If file begins with a tilde and a 
slash, these are replaced by the $HOME directory. If the filename does not 
contain a slash, it is assumed to be in the GnuPG home directory ("~/.gnupg" if 
--homedir or $GNUPGHOME is not used).

Note that this adds a keyring to the current list. If the intent is to use 
the specified keyring alone, use --keyring along with --no-default-keyring. 



HTH,
Michel



RE: gpg.conf

2009-11-02 Thread David Gray
Hello John, 

Thanks for the man page and skeleton file for gpg.conf, both very useful.  

The main issue at the moment (thread: "No secret key under different account") 
is how to access the keyring files under a different account.  I'm looking for 
the best (least duplication of data/settings) solution to this and someone 
suggested adding a reference to gpg.conf.  

I've installed GPG under the 'Administrator' account but the C# executable 
which runs GPG, will run from a SQL Server 2005 agent job, the account for this 
is SQLService, therefore this account needs to see the keyrings owned by 
Administrator.

Apart from that it's good to see what else can be changed and the skeleton you 
sent me is a good place to begin. 

Regards
Dave 


-Original Message-
From: John Clizbe [mailto:j...@mozilla-enigmail.org] 
Sent: 02 November 2009 11:41
To: David Gray
Subject: Re: gpg.conf

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

David Gray wrote:
> Hi
> Could anyone point me in the right direction for a manual/examples on 
> how to edit the gpg.conf file for GnuPG 2.0.12 (GPG 4 Win)?

For a server, I'd recommend GnuPG 1.4.10 - at least it comes with the man page.
Werner has said that gpg4win is more of a desktop application.

> The pdf manual which gets installed with this kit contains no references
> and the readme only tells me that gpg.conf gets created during install.   

Attached are the gpg man page as well as an (out-of-date, sorry) options.skel 
that explains a lot of the common options.

> I would like to see examples of how to add further keyrings but also 
> it would be good to know what other options & features could be used 
> if configured properly.

Perhaps if we knew exactly what it is you're trying to accomplish.  There are 
many ways of sharing keyrings, which is best is difficult to say without more 
information.

If you'd like, you may email me directly

- -- 
John P. Clizbe  Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net  or
 mailto:pgp-public-k...@gingerbear.net?subject=help

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


gpg.conf

2009-11-02 Thread David Gray
Hi

Could anyone point me in the right direction for a manual/examples on how to edit the gpg.conf file for GnuPG 2.0.12 (GPG 4 Win)? 

The pdf manual which gets installed with this kit contains no references and the readme only tells me that gpg.conf gets created during install.

I would like to see examples of how to add further keyrings but also it would be good to know what other options & features could be used if configured properly. 

Thanks 

Dave 


Registered Office: Turpin Distribution Services Ltd, Pegasus Drive, Stratton 
Business Park, Biggleswade, Bedfordshire, SG18 8TQ, UK. * Registered in 
England No. 1331778 * This email may contain confidential information 
and/or copyright material. This email is intended for the use of the addressee 
only. Any unauthorised use may be unlawful. If you receive this email by 
mistake, please advise the sender immediately by using the reply facility in 
your email software.


RE: No secret key under different account

2009-11-02 Thread David Gray

What are people's thoughts on which is the best option: 

a) copy the secring.gpg & pubring.gpg files to the second user account? 
b) export and import the keys to the second user account? 
c) add a reference to the second account's gpg.conf file? 


Also could anyone please give me an example of the syntax for adding keyring
references to gpg.conf? 

Thanks 
Dave 

-Original Message-
From: gnupg-users-boun...@gnupg.org [mailto:gnupg-users-boun...@gnupg.org] On 
Behalf Of John Clizbe
Sent: 30 October 2009 21:27
To: GnuPG Users
Subject: Re: No secret key under different account

David Gray wrote:
> 
> Hi,
> Thanks for the info, that makes sense. 
> 
> That does however mean that I will end up with two sets of keyring 
> files, does anyone know a way to share them to certain priv'd users on a 
> server.

Add the extra keyring(s) with 'keyring ' or 'secret-keyring 
' line(s) in those users' gpg.conf file


-- 
John P. Clizbe  Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net  or
 mailto:pgp-public-k...@gingerbear.net?subject=help

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"



RE: No secret key under different account

2009-10-30 Thread David Gray

Hi, 
Thanks for the info, that makes sense. 

That does however mean that I will end up with two sets of keyring files.
Does anyone know a way to share them with certain priv'd users on a server? 

Regards
Dave 


-Original Message-
From: Robert Hill [mailto:rh...@wfubmc.edu] 
Sent: 30 October 2009 14:43
To: David Gray
Subject: RE: No secret key under different account

Log on to the server as the account you wish to use to encrypt the files.
Import the public key as you did prior and sign the key as you did prior.
This worked for me.  I am not in my office, but there are 2 command line
steps that need to be done: one is import and the other I think is sign.
It appears that each user that is to encrypt has to follow this
procedure.

-Original Message-
From: gnupg-users-boun...@gnupg.org
[mailto:gnupg-users-boun...@gnupg.org] On Behalf Of David Gray
Sent: Friday, October 30, 2009 10:25 AM
To: gnupg-users@gnupg.org
Subject: No secret key under different account

Hello all, 

GPG 2.0.12
Windows Server 2003  



I've written a C# application which scans for input files and decrypts
using GPG. 
This application works fine when run under the account (Administrator)
that GPG was installed under, but when run from a different account
(SQLService) I get this error. 

gpg: encrypted with ELG key, ID 891AB7E7
gpg: decryption failed: No secret key
Error Decrypting C:\Program Files\GNU\GnuPG\work\KLIOLB_20091002_11235900.PGP

I've given full permissions to the SQLService account. 

Are there any permissions I need to set within GPG or do I need to
specify anything else on the command line when running under a different
account? 

The GPG command looks like this

gpg --passphrase-fd 0 --batch --output KLIOLB_20091005_10021900.TMP --decrypt KLIOLB_20091005_10021900.PGP

Thanks in advance. 

Dave  








No secret key under different account

2009-10-30 Thread David Gray
Hello all, 

GPG 2.0.12
Windows Server 2003  



I've written a C# application which scans for input files and decrypts using
GPG. 
This application works fine when run under the account (Administrator) that
GPG was installed under, but when run from a different account (SQLService)
I get this error. 

gpg: encrypted with ELG key, ID 891AB7E7
gpg: decryption failed: No secret key
Error Decrypting C:\Program Files\GNU\GnuPG\work\KLIOLB_20091002_11235900.PGP

I've given full permissions to the SQLService account. 

Are there any permissions I need to set within GPG or do I need to specify 
anything else on the command line when running under a different account? 

The GPG command looks like this

gpg --passphrase-fd 0 --batch --output KLIOLB_20091005_10021900.TMP --decrypt KLIOLB_20091005_10021900.PGP

Thanks in advance. 

Dave  









can't connect to `C:/Program Files/GNU/GnuPG//S.gpg-agent'

2009-10-29 Thread David Gray
Hi, 

Has anyone got any idea how to resolve the following error: 

can't connect to `C:/Program Files/GNU/GnuPG//S.gpg-agent'

I get this error when issuing the following command 

gpg --passphrase-fd 0 --batch --output out.dat --decrypt in.pgp

This worked fine until a few days ago but now it won't work at all.  

There's nothing wrong with the file because it decrypts fine without the
passphrase-fd argument. 

Setup is Windows XP Pro and PGP is...

C:\Program Files\GNU\GnuPG\Work>gpg --version
gpg (GnuPG) 2.0.12 (Gpg4win 2.0.0)
libgcrypt 1.4.4
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later

This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: C:/Program Files/GNU/GnuPG/
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Regards
Dave 




RE: Testing the exit status

2009-10-12 Thread David Gray
Hi Werner, 

Thanks for the info.  I'm still not clear on how to use the argument
"status-fd 2" though.  Could you possibly give me an example? 

I originally opened the file doc/DETAILS with notepad but it was quite
unreadable. 

Downloaded Starksoft GnuPG wrapper but it's not compatible with GPG v2.
Contacted the author who is looking at an upgrade. 

Regards
David 




-Original Message-
From: Werner Koch [mailto:w...@gnupg.org] 
Sent: 12 October 2009 11:00
To: David Gray
Cc: gnupg-users@gnupg.org
Subject: Re: Testing the exit status

On Mon, 12 Oct 2009 11:29, david.g...@turpin-distribution.com said:

> Can you tell me what the numeric arguments are for status-fd?  

That is the file descriptor on which output should happen.  Usually you
would use
  --status-fd 2 
to output to stderr; however you can use arbitrary file descriptors.




> I've downloaded the source for GPG and looked at the doc/DETAILS 
> file but on Windows this is unreadable. 

Read it in an editor (e.g. notepad).  As with all code we use Unix line
endings (LF) and not Windows line endings (CR,LF).




> Also it seems as if gpgme is not available for Windows, is this correct?

It is available for Windows.  Simply install gpg4win (the light version
is sufficient) and you find the gpgme dll in the install directory.
libgpgme-11.dll is the native one, libgpgme-glib-11.dll is the one to
use with GLIB based software and libgpgme-qt-11.dll the one to use with
QT based software.  Note that the file gpgme-w32spawn.exe must be in the
same directory as the DLL.  The header file is identical for Unix and
Windows, a manual is online at
http://gnupg.org/documentation/manuals.en.html .

> I'm running GPG from a C# application using the Process class.  If I understand 

There is a C# wrapper for GPGME as well, please use a search machine to
locate it.

> correctly then you are suggesting I use status-fd to redirect to a file
> and then open this to interrogate the results. 

No, you need to use pipes for that.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




gpgme on Windows

2009-10-12 Thread David Gray
Hi all, 

Been doing some searching this morning to see if gpgme is available for 
Windows and can be used commercially.  Is anyone using this product on
Windows under .net 3.5 (C#) that can give advice? 

Also does anyone know where the Windows download site is?

Thanks in advance 
Dave  
 



RE: Testing the exit status

2009-10-12 Thread David Gray
Hi, 
Thanks for the input. 

Can you tell me what the numeric arguments are for status-fd?  
I've downloaded the source for GPG and looked at the doc/DETAILS 
file but on Windows this is unreadable. 

Also it seems as if gpgme is not available for Windows, is this correct?

I'm running GPG from a C# application using the Process class.  If I
understand correctly then you are suggesting I use status-fd to redirect
to a file and then open this to interrogate the results. 

Thanks & regards
Dave 


-Original Message-
From: Werner Koch [mailto:w...@gnupg.org] 
Sent: 10 October 2009 15:14
To: David Gray
Cc: gnupg-users@gnupg.org
Subject: Re: Testing the exit status

On Fri,  9 Oct 2009 13:47, david.g...@turpin-distribution.com said:

> Does GPG return different status codes when it exits? 
> I'm specifically looking for different types of error, such 
> as file not found, key not found, invalid passphrase etc. 
 
This would not be reliable.  There are just too many stati to map them
to exit codes.  What you need to do is to use the status lines
(--status-fd N) - or just go with gpgme.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.


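An added example, not code from the thread or from GnuPG, covering both of Werner's replies: the "--status-fd N" suggestion here and the "--status-fd 2 ... use pipes" detail in his later reply. It is written in Python rather than Dave's C# because the pattern (spawn gpg, read its pipes, parse the "[GNUPG:]" lines rather than the exit code) carries over unchanged to .NET's Process class; the status keywords are those documented in doc/DETAILS, while the outcome labels, the run_gpg_decrypt helper and the sample stderr text are this example's own.

```python
"""Classify a gpg run from its --status-fd lines instead of its exit code.

Added example for this thread, not code from the list or from GnuPG.
Werner's point: exit codes cannot carry all the outcomes, so the calling
program reads the machine-readable status lines ("[GNUPG:] KEYWORD args",
documented in GnuPG's doc/DETAILS) over a pipe.  With "--status-fd 2" the
status lines share stderr with gpg's human-readable diagnostics, so they
must be separated first.  Outcome labels such as "no_secret_key" are this
example's own convention.
"""
import subprocess
from dataclasses import dataclass, field
from typing import List

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class DecryptResult:
    ok: bool
    reason: str                                        # outcome label
    key_ids: List[str] = field(default_factory=list)   # from ENC_TO lines
    statuses: List[str] = field(default_factory=list)  # keywords, in order


def parse_status_lines(text: str) -> List[List[str]]:
    """Return [keyword, arg, ...] per status line; drop everything else.

    splitlines() copes with the CRLF endings a Windows gpg may emit.
    """
    records = []
    for line in text.splitlines():
        if line.startswith(STATUS_PREFIX):
            fields = line[len(STATUS_PREFIX):].split()
            if fields:
                records.append(fields)
    return records


def classify_decrypt(status_text: str) -> DecryptResult:
    """Map the keywords gpg emitted during --decrypt to one outcome."""
    records = parse_status_lines(status_text)
    seen = [r[0] for r in records]
    # ENC_TO <long keyid> <pubkey algo> <keylen>: keys the data was encrypted to
    key_ids = [r[1] for r in records if r[0] == "ENC_TO" and len(r) > 1]
    if "DECRYPTION_OKAY" in seen:
        return DecryptResult(True, "ok", key_ids, seen)
    if "NO_SECKEY" in seen:                        # the thread's failure mode
        return DecryptResult(False, "no_secret_key", key_ids, seen)
    if "BAD_PASSPHRASE" in seen or "MISSING_PASSPHRASE" in seen:
        return DecryptResult(False, "bad_passphrase", key_ids, seen)
    if "NODATA" in seen:                           # input was not OpenPGP data
        return DecryptResult(False, "not_openpgp_data", key_ids, seen)
    return DecryptResult(False, "decryption_failed", key_ids, seen)


def run_gpg_decrypt(in_path: str, out_path: str, passphrase: str,
                    gpg: str = "gpg") -> DecryptResult:
    """Run gpg with status on stderr (fd 2) and the passphrase on stdin (fd 0).

    Needs a gpg binary, so the tests do not call it.  Both pipes are read by
    subprocess rather than redirected to files, as Werner advises.
    """
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "2", "--passphrase-fd", "0",
         "--output", out_path, "--decrypt", in_path],
        input=passphrase.encode(), capture_output=True, check=False)
    return classify_decrypt(proc.stderr.decode("utf-8", "replace"))


# Constructed stderr samples.  The long key ids are placeholders padded
# from the short id in Dave's error message, not real key ids.
SAMPLE_NO_SECKEY = """\
gpg: encrypted with ELG key, ID 891AB7E7
[GNUPG:] ENC_TO 0000000000891AB7E7 16 0
[GNUPG:] NO_SECKEY 0000000000891AB7E7
[GNUPG:] DECRYPTION_FAILED
gpg: decryption failed: No secret key
"""

SAMPLE_BAD_PASSPHRASE = """\
[GNUPG:] ENC_TO 0000000000891AB7E7 16 0
[GNUPG:] BAD_PASSPHRASE 0000000000891AB7E7
[GNUPG:] DECRYPTION_FAILED
"""

SAMPLE_OKAY = """\
[GNUPG:] ENC_TO 0000000000891AB7E7 16 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION
"""

if __name__ == "__main__":
    for name, sample in (("no secret key", SAMPLE_NO_SECKEY),
                         ("bad passphrase", SAMPLE_BAD_PASSPHRASE),
                         ("okay", SAMPLE_OKAY)):
        r = classify_decrypt(sample)
        print(f"{name:15s} -> ok={r.ok} reason={r.reason} keys={r.key_ids}")
```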


Testing the exit status

2009-10-09 Thread David Gray
Hi, 

Does GPG return different status codes when it exits? 
I'm specifically looking for different types of error, such 
as file not found, key not found, invalid passphrase etc. 

I'm using the Windows version if that makes any difference.

Rgds
Dave 



RE: Signing vs. encrypting was: Cipher v public key.

2006-05-31 Thread David Gray

Hi, 

Thanks to all who have responded to these questions.  Getting my head around
it now.  

Will suggest to the customer that we use signed & encrypted transmissions.
The only issue we then have is that they wish to be custodians of the private
key; they are looking into commercial methods for secure key distribution. 

The other issue is the IT manager at the customer site is wary of Gnu
software and is going to look at commercial offerings, PGP I assume.  Apart
from the lack of cost are there any other good reasons I can give for using GPG? 

Thanks 
Dave 
 

-Original Message-
From: Andreas Martin [mailto:[EMAIL PROTECTED] 
Sent: 31 May 2006 10:31
To: gnupg-users@gnupg.org
Subject: Signing vs. encrypting was: Cipher v public key.


Laurent Jumet wrote:
> When sending a message like this one, signed, compressed but not crypted,
> is there anything that goes bad, in security terms?
> This is to avoid problems with line length and charsets through internet
> 

In security terms, lots of things can go bad when sending anything through
the internet ;-)

Encrypting protects against unauthorised reading of the plaintext, but not
from manipulating the encrypted data. Signing protects against manipulation
of the data, but not against unauthorised reading of the plaintext. (In fact
it does not avoid the manipulation itself, but you are able to detect that
the data has been manipulated).

Signing and encrypting are two totally different things (not to mention
compressing). So if you want "safe" transmissions you have to do both,
signing and encrypting!

Problems with line length and charset shouldn't occur during the
transmission of your mails, because Mail Transport Agents don't take care of
the mail body (and the headers are not signed or encrypted). What exactly do
you want?

Regards


Andreas




RE: Cipher v public key.

2006-05-31 Thread David Gray

 
> Sorry I may be missing the point but why does it now show AES or 
> AES256 as a pukey?

> Do you mean "does it _now_ show" or "does it _not_ show"?

I meant why does it not show AES256 and also meant pubkey not 
pukey. More speed less haste I think :-) 

> Home: /SYS$LOGIN/gnupg
> Supported algorithms:
> Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG
> Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
> Hash: MD5, SHA1, RIPEMD160, SHA256
> Compression: Uncompressed, ZIP, ZLIB

> AES is listed as a cipher, because it is an algorithm for symmetric
> encryption. It cannot be used as a public/secret-key algorithm (neither now,
> nor in future).

Ok, thanks for the clarification. 

Dave 




V1.4.3 for VMS

2006-05-30 Thread David Gray
Hi, 

Does anyone know if GnuPG v1.4.3 has been ported to VMS?  
I can't find it anywhere on the net and the version hosted by HP is
v1.2.3 

Dave. 




RE: Cipher v public key.

2006-05-30 Thread David Gray





On Fri, May 26, 2006 at 05:20:04PM +0100, David Gray wrote:

>> AES256 is listed as a cipher but not a public key?  What is the
>> The difference?  I was hoping to use asymmetric keys with me 
>> Giving the public key to the customer.  As mentioned before this all 
>> Works fine but I'm not sure which alogorithm I'm using when encrypting. 

> You're using both an asymmetric key (RSA, DSA, ELG-E), and symmetric key
> (AES, CAST5, TWOFISH, etc) when you encrypt.

Sorry I may be missing the point but why does it now show AES or AES256 as a
pukey? 


Home: /SYS$LOGIN/gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256
Compression: Uncompressed, ZIP, ZLIB


Cheers

Dave 






RE: Cipher v public key.

2006-05-30 Thread David Gray

Hi, 

Yes I've had a few people tell me that the version I'm using needs 
upgrading so I'm going to download the latest version from HP. 

I would like the exchange of encrypted data to be using asymmetric keys and
this is the route I'm trying to steer the customer.  They have said they want
AES256 as the encryption algo but are open to advice on symmetric v asymmetric.  

A concern they have expressed is that if we use pubkey then the secret key
needs to be generated by me.  They don't seem too keen on this as they would
like to have control over this and have the option to change the key twice a year.  

As I understand it this then means we have to look at secure options 
for them distributing the secret key to me.  They are looking into a
commercial method for key delivery right now. 

Whilst typing this message the download link has arrived for GPG from HP.
The version they host is...

GNUPG-1_2_3_AXP.EXE! for Alpha 
GNUPG-1_2_3_VAX.EXE! for VAX 

Anyone know if the later versions are available for VMS? 

Thanks 
Dave 

 




-Original Message-
From: Robert J. Hansen [mailto:[EMAIL PROTECTED] 
Sent: 26 May 2006 17:35
To: David Gray
Cc: 'gnupg-users@gnupg.org'
Subject: Re: Cipher v public key.


David Gray wrote:
> $ gpg --version
> gpg (GnuPG) 1.2.3

This is an old version.  You should probably consider upgrading to 1.4.3.

> AES256 is listed as a cipher but not a public key?  What is the
> The difference?  I was hoping to use asymmetric keys with me 
> Giving the public key to the customer.  As mentioned before this all 
> Works fine but I'm not sure which alogorithm I'm using when encrypting. 

Asymmetric and symmetric algorithms are fundamentally different.  They work
in different ways and are used for different purposes.  For that reason, the
asymmetric algorithms ("pubkey") are listed separately from symmetric
algorithms ("cipher").

The terminology is, admittedly, a bit confusing.

> So after all that my question really is, how do I set the alogorithm 
> to AES256 in windows so I can test decrypts on VMS?

First decide the kind of encryption you want.  AES256 just says "I want
AES256 to be part of the solution"; it doesn't declare what the solution is
going to be.

AES256 can be used as part of RFC2440 messages (OpenPGP).  AES256 can be
used as part of GnuPG symmetrically-encrypted messages, with no public keys
involved.  Or AES256 can be used as a raw algorithm in any of many different
modes.





Cipher v public key.

2006-05-26 Thread David Gray
Hi all, 

Just starting a project where one of our customers will be sending 
encrypted data files from their windows based servers to be 
decrypted on our VMS servers.   

They have not yet decided which product they will use for encryption 
but I'm hoping to steer them down the GnuPG path as I've done a quick 
test and it works perfectly between those two operating systems.  

One question they have asked, which I'm not sure of the answer to, is: can 
GnuPG handle the AES256 algorithm?  The gpg --version on my VMS system 
shows... 

$ gpg --version
gpg (GnuPG) 1.2.3
Copyright (C) 2003 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under certain
conditions. See the file COPYING for details.
 
Home: /SYS$LOGIN/gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256
Compression: Uncompressed, ZIP, ZLIB


AES256 is listed as a cipher but not a public key?  What is the 
difference?  I was hoping to use asymmetric keys with me 
giving the public key to the customer.  As mentioned before this all 
works fine but I'm not sure which algorithm I'm using when encrypting. 

So after all that my question really is, how do I set the algorithm to
AES256 in windows so I can test decrypts on VMS? 

Thanks in advance
Dave 
 




RE: question about compiling gpg with cygwin

2006-05-26 Thread David Gray
Hi all, 

Just starting a project where one of our customers will be sending 
encrypted data files from their windows based servers to be 
decrypted on our VMS servers.   

They have not yet decided which product they will use for encryption 
but I'm hoping to steer them down the GnuPG path as I've done a quick 
test and it works perfectly between those two operating systems.  

One question they have asked, which I'm not sure of the answer to, is: can 
GnuPG handle the AES256 algorithm?  The gpg --version on my VMS system 
shows... 

$ gpg --version
gpg (GnuPG) 1.2.3
Copyright (C) 2003 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under certain
conditions. See the file COPYING for details.
 
Home: /SYS$LOGIN/gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256
Compression: Uncompressed, ZIP, ZLIB


AES256 is listed as a cipher but not a public key?  What is the 
difference?  I was hoping to use asymmetric keys with me 
giving the public key to the customer.  As mentioned before this all 
works fine but I'm not sure which algorithm I'm using when encrypting. 

So after all that my question really is, how do I set the algorithm to
AES256 in windows so I can test decrypts on VMS? 

Thanks in advance
Dave 
 


 



  




RE: Rijndael usage

2006-05-10 Thread David Gray
Hi David, 
Thanks for the info, even if it's not what I wanted to hear.  :-)  

What do you mean by "raw Rijndael"?   

The C# code that the software house are using is shown below.  Even if 
I clone this program, am I likely to be able to decrypt without them sending 
me a key in ASCII format? 

Thanks 
David. 


// Posted as received from the software house; tidied with the namespaces
// it needs.  'key' and 'iv' are byte[] fields of the enclosing class that
// hold the shared Rijndael key and IV (the values were changed for email).
using System.IO;
using System.Security.Cryptography;
using System.Text;

public string DecodeString(byte[] encodedsource)
{
    System.Text.UTF8Encoding encoding = new System.Text.UTF8Encoding();
    byte[] bytes = encodedsource;

    // Wrap the raw ciphertext in a seekable stream for the CryptoStream.
    MemoryStream memstream = new MemoryStream();
    memstream.Write(bytes, 0, bytes.Length);
    memstream.Position = 0;

    // Raw Rijndael with .NET's defaults (CBC mode, PKCS7 padding): there is
    // no OpenPGP packet framing, which is why gpg cannot read these files.
    SymmetricAlgorithm algorithm = SymmetricAlgorithm.Create("RijnDael");
    algorithm.Key = key;
    algorithm.IV = iv;
    ICryptoTransform transform = algorithm.CreateDecryptor();

    CryptoStream cryptstream = new CryptoStream(memstream,
        transform, CryptoStreamMode.Read);

    // Decrypt while reading; StreamReader decodes the plaintext as UTF-8.
    StreamReader reader = new StreamReader(cryptstream);
    string returnstring = reader.ReadToEnd();
    memstream.Dispose();
    reader.Dispose();
    cryptstream.Dispose();

    return returnstring;
}


-Original Message-
From: David Shaw [mailto:[EMAIL PROTECTED] 
Sent: 09 May 2006 22:16
To: gnupg-users@gnupg.org
Subject: Re: Rijndael usage


On Tue, May 09, 2006 at 03:55:15PM +0100, David Gray wrote:
> Hello all,
> 
> Wonder if anyone could give advice on using GnuPG to decrypt
> files encoded with the Rijndael cipher.  
> 
> One of our customers is using a software house to build a website that
> will send encrypted order files to us (the distributor of their stock).
> The files are basically CSV format data files.   
> 
> I've received an email from them containing two symmetric keys for 
> testing purposes.  These do not look like any I've seen before...  
> 
> key: "ABCDE%^$ABCDE-99" and
> iv: "[EMAIL PROTECTED]"
> 
> (Values changed for email)

You can't use GPG or PGP to decrypt this.  It looks like they're encrypting
using raw Rijndael.

David



Rijndael usage

2006-05-09 Thread David Gray
Hello all, 

Wonder if anyone could give advice on using GnuPG to decrypt 
files encoded with the Rijndael cipher.  

One of our customers is using a software house to build a website that 
will send encrypted order files to us (the distributor of their stock).  The
files are basically CSV format data files.   

I've received an email from them containing two symmetric keys for testing 
purposes.  These do not look like any I've seen before...  

key: "ABCDE%^$ABCDE-99" and 
iv: "[EMAIL PROTECTED]"

(Values changed for email) 

I've used GnuPG and PGP in the past and keys have always been distributed as
text files in the format below

-BEGIN PGP PUBLIC KEY BLOCK-
Version: GnuPG v1.2.3 (OpenVMS/Alpha)
.
.
.
-END PGP PUBLIC KEY BLOCK-

Which can be imported into the local keyring and then used from there.  

I've asked for an example of how the software house use these keys
internally but the example they gave is in C# which I don't know. 

I'm going to do the decryption on OpenVMS but could certainly translate a
unix style command line example if anyone could post. 

Thanks in advance 
David. 

