Re: A postmortem on Efail
On Sun, 20 May 2018 02:26:47 -0400 "Robert J. Hansen" wrote:
> Writing just for myself -- not for GnuPG and not for Enigmail and
> definitely not for my employer -- I put together a postmortem on
> Efail. You may find it worth reading. You may also not. Your
> mileage will probably vary. :)
>
> https://medium.com/@cipherpunk/efail-a-postmortem-4bef2cea4c08
>

Thank you for the postmortem. I don't know any users of GnuPG who still have to work with non-MDC OpenPGP messages (frankly, I don't know any GnuPG users IRL, but I'm working on it). But it seems to me that GnuPG is so widespread because it was so stable and there were no breaking upgrades, so users didn't expect any breaking change at all.

I, as a user, don't need support for non-MDC messages and surely not PGP 2.6, but I can imagine how challenging it can be to upgrade a system which was state-of-the-art years ago but is obsolete right now. Really it's not an upgrade but a rebuild from scratch. And some parts of the system are probably proprietary, so cooperation from vendors is required. And the fact that obsolete features weren't dropped due to user feedback means that GnuPG upstream understands this too.

But something has to change; it can't go on like this forever. We do need breaking changes to remove outdated parts. I trust upstream's judgement.

___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: use gpg-agent for ssh login
> On 04/05/18 08:58, Dmitrii Tcvetkov wrote:
> > gpg-agent will list the identity only if the key has the Authenticate capability
> > and its keygrip is listed in ${HOME}/.gnupg/sshcontrol
>
> That's incorrect. If you insert an OpenPGP smartcard with a key in the
> Authenticate slot, it will make that key available to the SSH agent
> system. That is regardless of listing in sshcontrol.
>
> The difference is that if you list it in sshcontrol, and a server
> indicates acceptance of that key, the pinentry will prompt you to
> insert that smartcard for authentication even when the smartcard is
> not inserted. Whereas if it is not in sshcontrol and not currently
> inserted either, the key will never be offered to the server in the
> first place.

Interesting, thank you.
Re: use gpg-agent for ssh login
> Hi,
>
> I'm trying to configure gpg-agent and SSH with a GnuPG Key Card
> Version 3.3, but ssh only drops the message: "the agent has no
> identities." in response to "ssh-add -L".
>
> My system:
> Linux (K)ubuntu 16.04
>
> My software versions:
> gpg 1.4.20
> gpg-agent 2.1.11
> libgcrypt 1.6.5
>
> My configuration:
> Starting the agent:
> killall scdaemon
> killall gpg-agent
> eval $( gpg-agent --daemon --enable-ssh-support )
> Setting the environment variables:
> SSH_AGENT_PID=2588
> GPG_AGENT_INFO=$HOME/.gnupg/S.gpg-agent:2588:1
> SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh
> GPG_TTY=/dev/pts/1 (corresponding to used terminal)
>
> note that 2588 is the PID of the gpg-agent here.
> scdaemon is running (started by gpg-agent)
> pcscd is NOT running.
>
> .gnupg/gpg.conf:
> use-agent
>
> .gnupg/gpg-agent.conf:
> enable-ssh-support
> default-cache-ttl 21600
> default-cache-ttl-ssh 21600
> pinentry-program /usr/bin/pinentry-gtk-2
>
> After carefully reviewing my configuration and restarting my agent I
> still get a message "The agent has no identities." in response to
> "ssh-add -L". However, the status of the smart-card looks fine and
> all the keys are present on the card. Why does ssh not see the keys?
> Does anyone have a suggestion for changes? Are there specific issues
> with the card version 3.3?

gpg-agent will list the identity only if the key has the Authenticate capability and its keygrip is listed in ${HOME}/.gnupg/sshcontrol.

To get a key's keygrip you can use "gpg -K --with-keygrip". You want to list the keygrip of the specific subkey with the Authenticate capability, not its primary key.
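The reply above says to put the keygrip of the authentication subkey, not the primary key, into sshcontrol. The following script is an added example (not code from the thread or from GnuPG) that does the selection from the machine-readable listing `gpg -K --with-keygrip --with-colons`: it picks the key records whose own capability field contains a lowercase `a` and pairs each with the `grp` record that follows it. The sample listing embedded in the script is constructed, not taken from a real keyring; the `load_from_gpg` helper runs the real command and is the only part that needs gpg installed.

```python
"""Pick the keygrip(s) of OpenPGP authentication subkeys from
`gpg -K --with-keygrip --with-colons` output and render sshcontrol lines.

Colon-format fields used here (1-based, per GnuPG's DETAILS document):
  field 1  record type (sec = primary secret key, ssb = secret subkey,
           grp = keygrip of the preceding key record)
  field 5  key ID
  field 12 capabilities of this key; lowercase letters (e s c a) describe
           the key itself, uppercase letters on the sec record summarize
           the whole certificate and must be ignored for this purpose.
"""
import subprocess
from typing import List, Tuple

# Constructed sample (not a real keyring): primary key that certifies and
# signs, an encryption subkey, and one authentication subkey.
SAMPLE_COLON_OUTPUT = """\
sec:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESCA::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1500000000::DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF::Example User <user@example.invalid>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1500000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
grp:::::::::2222222222222222222222222222222222222222:
ssb:u:4096:1:0011223344556677:1500000000::::::a::::::23:
fpr:::::::::0011223344556677001122334455667700112233:
grp:::::::::3333333333333333333333333333333333333333:
"""


def authentication_keygrips(colon_output: str) -> List[Tuple[str, str]]:
    """Return (key ID, keygrip) for every sec/ssb record whose own
    capabilities include 'a'. The sec record's uppercase summary letters
    (e.g. the 'A' in 'scESCA') do not count: that key is not itself an
    authentication key, which is exactly the mistake the thread warns about."""
    results: List[Tuple[str, str]] = []
    pending = None  # key ID of the last sec/ssb record that qualified
    for line in colon_output.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype in ("sec", "ssb"):
            caps = fields[11] if len(fields) > 11 else ""
            pending = fields[4] if "a" in caps else None
        elif rtype == "grp" and pending is not None:
            # grp:::::::::<40 hex chars>:  -> keygrip is field 10 (index 9)
            results.append((pending, fields[9]))
            pending = None
    return results


def sshcontrol_lines(colon_output: str, ttl_seconds: int = 0) -> List[str]:
    """Render entries for ~/.gnupg/sshcontrol: a comment line, then the
    keygrip followed by the passphrase cache TTL in seconds (0 = agent
    default, as in GnuPG's own sample file)."""
    return [
        f"# authentication subkey {keyid}\n{grip} {ttl_seconds}"
        for keyid, grip in authentication_keygrips(colon_output)
    ]


def load_from_gpg() -> str:
    """Run the command from the thread against the local keyring."""
    return subprocess.run(
        ["gpg", "-K", "--with-keygrip", "--with-colons"],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # load_from_gpg() to produce lines for your own sshcontrol.
    for entry in sshcontrol_lines(SAMPLE_COLON_OUTPUT):
        print(entry)
```

Running it on the sample prints only the third key's grip (the one whose `ssb` record carries `a`); the encryption subkey and the primary key are skipped even though the primary's summary field shows an uppercase `A`.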
Re: Why gpg 2.1.9 cannot export secret key without passphrase?
On Fri, 27 Nov 2015 12:05:36 +0100 Guilhem Moulin wrote:
> I think this is incorrect. gpg --export's output is always in the
> OpenPGP format (possibly armored), while as of 2.1 private material is
> stored in another format (in ~/.gnupg/private-keys-v1.d/$KEYGRIP.key).
> Thus the agent asks for the passphrase to decrypt the private key, and
> gpg reencrypts it on the fly (using the same passphrase).

Yes, I confused it with OpenSSH key output, sorry.

On Fri, 27 Nov 2015 14:58:01 +0200 Andrey Utkin wrote:
> P. S. I haven't received 2 of 3 replies to my gmail mailbox, had to go
> to maillist archive to review the thread. Has this happened to
> anybody else, is this a known issue?
>

I'm sorry, the reason is that I replied only to the mailing list without sending the message directly to your address.
Re: Why gpg 2.1.9 cannot export secret key without passphrase?
On Tue, 24 Nov 2015 03:16:31 +0200 Andrey Utkin wrote:
> $ gpg --export-secret-keys
> (pops a Xorg dialog window from my console, driving me nuts)
> (i give empty passphrase)
> (it asks me whether i am sure I want no passphrase)
> (I say yes)
> gpg: key : error receiving key from agent: No passphrase
> given - skipped
>
> Why is there such a _policy_?
> Maybe I am lost and I am using Windows which re-asks everything and
> still refuses to do what I want?
>

Hello. In this case the passphrase is needed to decrypt the private key from the keyring. Because the passphrase is not provided, gpg-agent can't give gpg the private key. The private key is exported in cleartext.