Re: WKD question
Werner Koch via Gnupg-users wrote:
> On Sun, 2 Aug 2020 07:38, Dmitry Alexandrov said:
>> I dunno why @w...@gnupg.org did that
>
> I have a post-it on my CA laptop to add a signing subkey to my new key, I
> should really do that soon.

Maybe, you would like to update an expired key in DNS as well?

By the way, it would be nice, if GPG were not interpreting locating an expired key as success, but continued with the next method instead:

$ gpg --auto-key-locate dane,wkd --locate-key w...@gnupg.org
gpg: key F2AD85AC1E42B367: public key "Werner Koch " imported
gpg: Total number processed: 1
gpg:               imported: 1
pub   dsa2048 2007-12-31 [SC] [expired: 2018-12-31]
      80615870F5BAD690333686D0F2AD85AC1E42B367
uid           [ expired] Werner Koch

>> BTW, does anyone remember, how to command gpg(1) to print the above in a
>> human-readable format? There was some incantation, IIRC, but GPGʼs
>
> gpg --locate-external-key -v f...@example.rog
>
> looks up f...@example.org even if a key with that user id already exists.

No, thanks, thatʼs not what I forgot. I was nonplussed by the fact that --with-subkey-fingerprint has no effect when --show-key is implied, while --with-colons has []. @kloec...@kde.org had resolved [<1803396.a0EWGg1j7a@breq>] my confusion already.

signature.asc
Description: PGP signature

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: WKD question
Ingo Klöcker wrote:
> On Sonntag, 2. August 2020 06:38:21 CEST Dmitry Alexandrov wrote:
>>
>> $ wget -qO - "$(/usr/lib/gnupg/gpg-wks-client --print-wkd-url
>> w...@gnupg.org)" | gpg --with-colons
>> gpg: WARNING: no command supplied. Trying to guess what you mean ...
>> pub:-:256:22:63113AE866587D0A:1538149415:1801393200::-:
>> uid:w...@gnupg.org:
>> sub:-:256:18:3CD7B3A055039224:1538149415:1643626805:::
>
>> BTW, does anyone remember, how to command gpg(1) to print the above in a
>> human-readable format? There was some incantation, IIRC, but GPGʼs options
>> are so tangled, that I have failed to find it.
>
> Do you mean "gpg --show-key" resp. "gpg --show-key --with-subkey-fingerprint"?

Yes, exactly. Indeed, in contrast with --with-colons, --with-subkey-fingerprint alone does nothing:

$ wget -qO - ‹…› | gpg
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub   ed25519 2018-09-28 [SC] [expires: 2027-01-31]
      AEA84EDCF01AD86C4701C85C63113AE866587D0A
uid           w...@gnupg.org
sub   cv25519 2018-09-28 [E] [expires: 2022-01-31]

$ wget -qO - ‹…› | gpg --with-subkey-fingerprint
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub   ed25519 2018-09-28 [SC] [expires: 2027-01-31]
      AEA84EDCF01AD86C4701C85C63113AE866587D0A
uid           w...@gnupg.org
sub   cv25519 2018-09-28 [E] [expires: 2022-01-31]

$ wget -qO - ‹…› | gpg --show-key --with-subkey-fingerprint
pub   ed25519 2018-09-28 [SC] [expires: 2027-01-31]
      AEA84EDCF01AD86C4701C85C63113AE866587D0A
uid           w...@gnupg.org
sub   cv25519 2018-09-28 [E] [expires: 2022-01-31]
      E05BA20ED4F17768613B03C53CD7B3A055039224

Thank you.
Re: WKD question
Stefan Claas wrote:
> One more question, I tried to verify Werner's signature, from postings here
> on the ML, but his signature could not be verified, due to a missing pub key
> (0xFF80AE9D1DEC358D). But when looking at Wiktor's WKD checker a key is
> present, but with a different Fingerprint.
>
> https://metacode.biz/openpgp/web-key-directory

Well, that seems to be true:

$ wget -qO - "$(/usr/lib/gnupg/gpg-wks-client --print-wkd-url w...@gnupg.org)" | gpg --with-colons
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub:-:256:22:63113AE866587D0A:1538149415:1801393200::-:
uid:w...@gnupg.org:
sub:-:256:18:3CD7B3A055039224:1538149415:1643626805:::

I dunno why @w...@gnupg.org did that, but whatever his reasons were, the fact that he was _able_ to do that is exactly the key reason why proper (write-only) keyserver networks (SKS- or Hockeypuck-based) are indispensable. Use them, not WKD or proprietary keyserver services, when you want to get a key by a given fingerprint.

In other words, when enabling --auto-key-retrieve, make sure that --keyserver is set to something like hkps://keyserver.ubuntu.com. IIUC, there is, unfortunately, still no way to configure multiple keyservers for retrieval (contrary to locating).

BTW, does anyone remember, how to command gpg(1) to print the above in a human-readable format? There was some incantation, IIRC, but GPGʼs options are so tangled, that I have failed to find it.
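The three WKD messages above show the same key twice: once as raw --with-colons records (which the poster wanted in a readable form) and once located by --locate-key, which reported success on a key that had expired two years earlier. The script below is an added example written for this page, not code from the thread or from GnuPG: a small POSIX sh reader for colon records that prints one line per pub/sub record with its fingerprint and expiry status, so a script can refuse a "successful" lookup that returned an expired key. The function names (gpg_colons_summary, any_expired, sample_records, algo_name, flush_record) are the example's own. The sample records reuse the key IDs, fingerprints and timestamps quoted in the thread; the uid is a placeholder and the DSA key's timestamps are constructed approximations rounded to midnight UTC. The reference time is passed in explicitly so the check is reproducible offline; in live use pass "$(date +%s)".

```shell
#!/bin/sh
# Added example, not from the thread: summarise `gpg --with-colons` key
# records and flag keys whose expiry lies in the past, which --locate-key
# still reports as success.  All names below are the example's own.

# Map the OpenPGP public-key algorithm number (field 4) to a short name.
algo_name() {
  case "$1" in
    1)  echo rsa ;;
    17) echo dsa ;;
    18) echo ecdh ;;
    22) echo eddsa ;;
    *)  echo "algo$1" ;;
  esac
}

# Emit the record collected so far (globals are set by gpg_colons_summary).
flush_record() {
  if [ -n "$ktype" ]; then
    printf '%s %s %s %s %s\n' "$ktype" "$kdesc" "$kid" "${kfpr:-?}" "$kstatus"
  fi
  ktype=''
}

# Read colon records on stdin; $1 is the reference time in epoch seconds.
# Output: "<pub|sub> <algo><bits> <keyid> <fingerprint> <status>"
# Add --with-fingerprint to the gpg listing if it lacks fpr records.
gpg_colons_summary() {
  now=$1
  ktype=''; kdesc=''; kid=''; kfpr=''; kstatus=''
  # With IFS=: every colon delimits a field, so empty fields are preserved.
  while IFS=: read -r f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 rest; do
    case "$f1" in
      pub|sub)
        flush_record
        ktype=$f1; kdesc="$(algo_name "$f4")$f3"; kid=$f5; kfpr=''
        if [ -z "$f7" ]; then                 # field 7: expiration time
          kstatus=never-expires
        elif [ "$f7" -le "$now" ]; then
          kstatus=EXPIRED
        else
          kstatus="expires-in-$(( (f7 - now) / 86400 ))d"
        fi
        ;;
      fpr)
        # An fpr record carries the fingerprint of the preceding pub/sub in field 10.
        kfpr=$f10
        ;;
    esac
  done
  flush_record
}

# Succeed when at least one key in the listing has expired.
any_expired() {
  gpg_colons_summary "$1" | grep -q ' EXPIRED$'
}

# Constructed sample: pub/sub/fpr values are the ones quoted in this thread;
# the uid is a placeholder, and the DSA key's timestamps are rounded to
# midnight UTC (the real record carries exact seconds).
sample_records() {
  cat <<'EOF'
pub:-:256:22:63113AE866587D0A:1538149415:1801393200::-:
fpr:::::::::AEA84EDCF01AD86C4701C85C63113AE866587D0A:
uid:-::::1538149415::::user@example.org::::::::::0:
sub:-:256:18:3CD7B3A055039224:1538149415:1643626805:::
fpr:::::::::E05BA20ED4F17768613B03C53CD7B3A055039224:
pub:e:2048:17:F2AD85AC1E42B367:1199059200:1546214400::-:
fpr:::::::::80615870F5BAD690333686D0F2AD85AC1E42B367:
EOF
}

# Reference time 1596240000 = 2020-08-01 00:00 UTC, around when the thread ran.
# Live use: gpg --with-colons --with-fingerprint --list-keys | gpg_colons_summary "$(date +%s)"
sample_records | gpg_colons_summary 1596240000
```

With the reference time above the two keys from the WKD listing are reported as still valid and the DSA key as EXPIRED; a wrapper around --locate-key can pipe its --with-colons listing into any_expired and treat a hit as a failed lookup rather than a success.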
Re: WKD question
Stefan Claas wrote:
> Enigmail for Thunderbird on a fresh Ubuntu system
> when clicking on a signed message from a friend, which has properly set-up
> WKD Thunderbird/Enigmail can not fetch the pub key. :-(

Unfortunately, ‘can not’ is not a very informative description. Does it return any error? How do you know that it even tries?

> What have I to do that this works? I thought that GnuPG and Enigmail nowadays
> defaults to WKD too.

You mean, that you expect that GPG should silently fetch absent keys when checking signatures out of the box? No, it does not do that:

| '--auto-key-retrieve'
| '--no-auto-key-retrieve'
|     These options enable or disable the automatic retrieving of keys
|     from a keyserver when verifying signatures made by keys that are
|     not on the local keyring. The default is '--no-auto-key-retrieve'.
|
|     If the method "wkd" is included in the list of methods given to
|     'auto-key-locate', the signer's user ID is part of the signature,
|     and the option '--disable-signer-uid' is not used, the "wkd" method
|     may also be used to retrieve a key.
|
|     Note that this option makes a "web bug" like behavior possible.
|     Keyserver or Web Key Directory operators can see which keys you
|     request, so by sending you a message signed by a brand new key
|     (which you naturally will not have on your local keyring), the
|     operator can tell both your IP address and the time when you
|     verified the signature.

— (info "(gnupg) GPG Configuration Options")
No single-page manual on gnupg.org (was: Passphrase Pop up)
Dmitry Alexandrov wrote:
> — (info "(gnupg) GPG Esoteric Options")

Or <https://www.gnupg.org/documentation/manuals/gnupg-devel/GPG-Esoteric-Options.html> on the WWW.

Which reminds me... Dear Werner (or anyone else who can edit the website), it would really help those who do not use Emacs (itʼs odd, but there are such people!) if there were a single-page version of the manual (makeinfo --html --no-split ...) — just like all software on gnu.org has.
Re: Passphrase Pop up
Ian Maclauchlan wrote:
> Hi there we recently upgraded our Windows server from 2008 to 2019 and Gnu to
> 3.1.12 ??

GNU is a vague operating system (just like, e. g., ‘UNIX’) and it has no versions per se. GnuPG version 3 does not exist yet. The stable release is 2.2.21. I guess you mean GnuPG 2.1.12. (Why not the latest, by the way?)

> Since then the command line
>
> type passphrase.txt | gpg --passphrase-fd 0 --no-tty --batch -o exp.txt -d
> extract_ *.txt.pgp
>
> has stopped working as the passphrase window keeps popping up.
> Can someone please help me.

‘The GNU Privacy Guard Manual’ can (emphasis mine):

| '--passphrase-fd N'
|     Read the passphrase from file descriptor N. Only the first line
|     will be read from file descriptor N. If you use 0 for N, the
|     passphrase will be read from STDIN. This can only be used if only
|     one passphrase is supplied.
|
|     Note that since Version 2.0 this passphrase is only used if the
|     option '--batch' has also been given. Since Version 2.1 the
|     *'--pinentry-mode'* also needs to be set to 'loopback'.

— (info "(gnupg) GPG Esoteric Options")

> The information in this email is confidential...

Nope, youʼve just posted it to the public mailing list.
Have gpg-preset-passphrase always required a keygrip? (was: Newbie question.)
Peter Lebbing wrote:
> You can actually unlock keys the way GnuPG intends to do that with:
>
> $ my-unlocker | /usr/lib/gnupg/gpg-preset-passphrase --preset
>
> You can find the keygrip for your keys with:
>
> $ gpg --with-keygrip --list-secret-keys
>
> You do need it for every subkey you want to use like this separately,

Hm... Didnʼt gpg-preset-passphrase(1) work perfectly on any NAMEs (IDs, UIDs) as well some time ago? Or is it me who has some false memories?
Re: gpg: keyserver refresh failed: No keyserver available
Jerry wrote:
> I have not been able to refresh the keys on my system. I have run the
> following command with the error as shown.
>
> gpg2 --refresh-keys
> gpg: enabled debug flags: memstat
> gpg: refreshing 168 keys from hkp://pool.sks-keyservers.net
> gpg: keyserver refresh failed: No keyserver available

> I don't believe it is a firewall problem, since there is no entry in the
> firewall log to even suggest that gpg2 tried to access anything.

That is, you have not tried to check the connection on the same machine but with some other tool first? Why? FWIW, HKP is HTTP on port 11371.

> I have a Windows 10 machine that is using Kleopatra, on the same network, and
> it is working perfectly.

I do not remember for sure, but isnʼt it, at least, preconfigured to use HKPS, i. e. HTTP/TLS on port 443, if not some proprietary keyserver instead of the SKS pool?
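The reply above suggests checking the keyserver connection with another tool before blaming gpg, and notes that HKP is plain HTTP on port 11371 while HKPS is HTTP over TLS on 443. The script below is an added example for this page, not code from the thread or from GnuPG: it turns a keyserver URL as written in gpg.conf into the plain HTTP form of an HKP "get" lookup, so the same host can be probed with curl on the same machine. The function names (hkp_url, hkp_probe) are the example's own; the HKP lookup path /pks/lookup?op=get&search=0xKEYID is the standard one that gpg itself uses. The hkp:// and hkps:// schemes default to 11371 and 443 respectively, and an explicit port in the URL is kept.

```shell
#!/bin/sh
# Added example, not from the thread: build the HTTP form of an HKP/HKPS
# keyserver lookup so the connection can be checked with curl before
# blaming gpg.  hkp:// is plain HTTP on port 11371; hkps:// is HTTP over
# TLS on port 443.  The function names are this example's own.

# hkp_url SERVER KEYID -> URL of the "get" lookup for KEYID (0x-prefixed).
hkp_url() {
  server=$1 keyid=$2
  case "$server" in
    hkps://*) scheme=https; port=443;   host=${server#hkps://} ;;
    hkp://*)  scheme=http;  port=11371; host=${server#hkp://} ;;
    *) echo "hkp_url: unsupported scheme in $server" >&2; return 1 ;;
  esac
  host=${host%/}                       # drop a trailing slash
  case "$host" in
    *:*) ;;                            # explicit port given, keep it
    *)   host="$host:$port" ;;
  esac
  printf '%s://%s/pks/lookup?op=get&search=%s\n' "$scheme" "$host" "$keyid"
}

# hkp_probe SERVER KEYID -> exit 0 if the keyserver answered with a key.
# Run it on the same machine as gpg: a failure here is a DNS, routing or
# firewall problem, not a gpg one.
hkp_probe() {
  curl -fsS --max-time 10 -o /dev/null "$(hkp_url "$1" "$2")"
}

# Example probe against the keyserver named earlier in this thread:
#   hkp_probe hkps://keyserver.ubuntu.com 0xF2AD85AC1E42B367 && echo reachable
hkp_url hkp://pool.sks-keyservers.net 0xF2AD85AC1E42B367
```

If the probe succeeds but gpg still reports "No keyserver available", the problem is on gpg's side (dirmngr, its proxy settings or its DNS resolver) rather than the network; if the probe fails too, the firewall log the poster relied on simply did not capture the blocked flow.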
Re: decrypt aes256 encrypted file without gpg-agent
Fourhundred Thecat <400the...@gmx.ch> wrote:
> In fact, gpg epitomizes a perfect anti-UNIX design. (See Eric S. Raymond for
> details, what UNIX philosophy means)

> I believe this project is going in the wrong direction, and bad design
> decisions are being made.

Wasnʼt it you who have just complained about the introduction of gpg-agent, that is, about switching from a rock-solid tool to a set of independent programs that are communicating via textual streams — in other words, about GPGv2 being much more UNIX-wayish than GPGv1?

> There are more examples of bad design.
> For instance, even for basic operations (encrypt, decrypt) ‹…› gpg still
> requires my ~/.gnupg/ to be writable (cannot be on read-only filesystem)

Heh. Use of files as a temporary storage medium, or just as unique entities for anything from sockets to boolean flags, and therefore a need for a writable FS to store them, is a hallmark of UNIX-way design. You might believe that UNIX-way design is a bad design, of course, and that GPG should have joined the trend of moving _away_ from it before it became mainstream (cf. systemd, Wayland, etc); but saying ‘UNIX’ to mean ‘cool’ looks funny as hell.
Re: decrypt aes256 encrypted file without gpg-agent
Fourhundred Thecat <400the...@gmx.ch> wrote:
> In case of gpg, there is one mode where you generate your key pair, change
> configuration files, or any other read-write operation.
>
> But for general usage, there is no reason for the key pair to need to be
> writable.

Sure. So there is none:

$ chmod a-w $GNUPGHOME/pubring.kbx $GNUPGHOME/private-keys-v1.d/*
$ echo foo | gpg -qe --default-recipient-self | gpg -qd
foo
Re: decrypt aes256 encrypted file without gpg-agent
Fourhundred Thecat <400the...@gmx.ch> wrote:
> I am protesting the fact, that gpg can no longer be used without the agent.

Yet you have not described the reason behind it so far, have you? Why are you sure that the issue that makes gpg-agent fail to start in your case is hard to resolve?
Re: decrypt aes256 encrypted file without gpg-agent
Fourhundred Thecat <400the...@gmx.ch> wrote:
> On 2020-06-29 14:42, Dmitry Alexandrov wrote:
>> Fourhundred Thecat <400the...@gmx.ch> wrote:
>>> I am protesting the fact, that gpg can no longer be used without the agent.
>>
>> Yet you have not described the reason behind it so far, have you? Why are
>> you sure, that the issue, that make gpg-agent fail to start in your case, is
>> hard to resolve?
>
> I don't have gpg-agent installed, on this particular server, where I need to
> decrypt one file.

Ah, so itʼs in fact very easy to resolve — just install gpg-agent. :-)
Re: decrypt aes256 encrypted file without gpg-agent
ved...@nym.hush.com wrote:
> can GPG2 be made to work from only the command-line without a pinentry
> window

| '--pinentry-mode MODE'
|     Set the pinentry mode to MODE. Allowed values for MODE are:
|     ‹…›
|     loopback
|         Redirect Pinentry queries to the caller. Note that in
|         contrast to Pinentry the user is not prompted again if he
|         enters a bad password.

— (info "(gnupg) GPG Esoteric Options")
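Both this reply and the earlier "Passphrase Pop up" one quote the manual's rule for non-interactive use since GnuPG 2.1: --passphrase-fd only works together with --batch and --pinentry-mode loopback. The script below is an added example for this page, not code from the thread or from GnuPG, that puts the three options together in a symmetric AES256 encrypt/decrypt round trip with no pinentry window. It differs from the poster's command in reading the passphrase from file descriptor 3 rather than 0, so stdin stays free for the data, and it runs in a throw-away GNUPGHOME so nothing touches the real keyring. The function names (sym_encrypt, sym_decrypt, loopback_roundtrip), the passphrase file and the plaintext are the example's own constructions; when gpg is not installed the round trip is skipped rather than reported as a failure.

```shell
#!/bin/sh
# Added example, not from the thread: a batch symmetric encrypt/decrypt round
# trip that never opens a pinentry window.  It combines the three options the
# manual requires together since GnuPG 2.1: --batch, --pinentry-mode loopback
# and --passphrase-fd.  A throw-away GNUPGHOME keeps it off the real keyring.
# Function names are this example's own.

# Encrypt stdin to stdout; $1 is a file whose first line is the passphrase,
# handed to gpg on fd 3 so that stdin remains the data stream.
sym_encrypt() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase-fd 3 \
      --cipher-algo AES256 --output - --symmetric 3< "$1"
}

# Decrypt stdin to stdout with the same passphrase handling.
sym_decrypt() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase-fd 3 \
      --output - --decrypt 3< "$1"
}

# Round-trip a constructed message; return 0 only if it survives intact.
# Also returns 0 (after a note) when gpg is absent, so the script runs anywhere.
loopback_roundtrip() {
  if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg not installed; skipping round trip" >&2
    return 0
  fi
  tmp=$(mktemp -d) || return 1
  GNUPGHOME=$tmp; export GNUPGHOME     # isolated home: no real keyring touched
  chmod 700 "$tmp"
  printf 'constructed test passphrase\n' > "$tmp/pass"
  plain='constructed plaintext for the loopback round trip'
  got=$(printf '%s' "$plain" | sym_encrypt "$tmp/pass" | sym_decrypt "$tmp/pass")
  status=$?
  gpgconf --kill gpg-agent 2>/dev/null || true   # stop the agent started for $tmp
  rm -rf "$tmp"
  [ "$status" -eq 0 ] && [ "$got" = "$plain" ]
}

loopback_roundtrip && echo "round trip ok"
```

The same option triple applies to the poster's public-key decryption (`-d` of a `.pgp` file): add `--pinentry-mode loopback` next to `--batch` and the passphrase supplied on the descriptor is used instead of a pinentry prompt. Note the manual's caveat that with loopback a wrong passphrase is not re-prompted; the command simply fails with a non-zero exit status, which is what a script should check.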
Re: Future OpenPGP Support in Thunderbird
Patrick Brunschwig wrote:
> The Thunderbird developers have announced that they will implement OpenPGP
> support in Thunderbird 78 [1].

Long-awaited news indeed!

> Support for Thunderbird in Enigmail will therefore be discontinued.

Pity, but I hope it will be better that way. In particular I hope that Mozilla will not follow your example and won’t entice users to a proprietary isolated keyserver [0] instead of the distributed SKS network, thus splitting the keybase. And won’t promote standards [1] that suspiciously resemble embrace-extend-and-extinguish tactics employed against PGP either.

[0] https://keys.openpgp.org
[1] https://pep.security
Re: [Enigmail] Future OpenPGP Support in Thunderbird
"Hernâni Marques (p≡p foundation)" wrote:
> On 08.10.19 18:37, Dmitry Alexandrov wrote:
>
>> Pity, but I hope it will be better that way. In particular I hope, that
>> Mozilla will not follow your example and won’t entice users to proprietary
>> isolated keyserver [0] instead of distributed SKS network thus splitting the
>> keybase. And won’t promote standards [1] that suspiciously resemble
>> embrace-extend-and-extinguish tactics employed against PGP either.
>>
>> [0] https://keys.openpgp.org
>> [1] https://pep.security
>
> pEp is not against PGP it's just PGP-supporting as much as it makes sense for
> interop reasons

Well, I’m glad to hear that, but it’s really a pity that supporting Autocrypt does not make sense for you.

> and goes beyond email already today; and it's designed from the very
> beginning on to support other crypto[formats] as well (agnosticism on
> messaging & crypto[format])

A double pity in light of your decision to not only support but actually _prefer_ other cryptoformats over PGP whenever possible for the sake of ‘forward secrecy’ [1] — that’s when Autocrypt is exactly the extension to PGP that can provide forward secrecy, if needed.

[1]
| How does p≡p select the most secure way of sending an email or a message?
|
| When a p≡p user is communicating with another p≡p user:
|
| 1. if online communication available: OTR through GNUnet.
|
| 2. if online communication not available:
|
|    a. if anonymizing platform available, OpenPGP through anonymizing platform (i.e. Qabel),
|
|    b. if anonymizing platform not available, fallback to OpenPGP.
|
| When a p≡p user is communicating with a non-p≡p user then depending on the capabilities of the non-p≡p user:
|
| 1. if anonymizing and forward secrecy is possible, use that (i.e. OTR over GNUnet).
|
| 2. if anonymizing but no forward secrecy is possible, use that (i.e. OpenPGP over Qabel).
|
| 3. if forward secrecy is possible, use that (i.e. OTR).
|
| 4. if hard cryptography but no forward secrecy is possible, use that (i.e. OpenPGP)
|
| 5. if only weak cryptography is possible, use that (i.e. S/MIME with commercial CAs)
|
| 6. send unencrypted.

— https://www.pep.security/en/faq/