Re: gpg on read-only filesystem

2019-10-22 Thread Friedhelm Waitzmann
Hello!

Fourhundred Thecat:

>Also, I consider it good practice to have / mounted read-only, and I
>don't understand why gpg would need to open trustdb.gpg in rw mode, when
>using simple operations such as gpg --verify.

>gpg: Fatal: can't open '/root/.gnupg/trustdb.gpg': Operation not permitted

A solution for the verify use case: Just read the manual
()
and use “--no-auto-check-trustdb”.

HTH
Friedhelm


signature.asc
Description: Digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: --lsign --add-me or the invisible WoT

2019-08-01 Thread Friedhelm Waitzmann
Stefan Claas:

>I lsign Bob's key so third parties do not know (normally) that I did
>this. But how could my friend Alice trust Bob's key she has without
>my non-exportable lsign sig?

>What I tried to propose is an additional parameter, like --add-me
>which would write a 'blob' to a second file.db where I can export
>then Bob's blob (non-compatible to SKS etc.) with my --lsign sig,
>and give it to my friend Alice.

I think, this can be done with GnuPG as it is:

In the following GnuPG invocations $TEMP_KEYRING stands for a
temporary key ring:

(1) export Bob's key from your default key ring, minimize it, and
import it into the temporary one.

    $ gpg --export-options=export-minimal \
          --export =user_id_of_Bob | \
      gpg --no-default-keyring --keyring=$TEMP_KEYRING --import

Now you have Bob's public key minimized in the temporary key
ring.

(2) lsign a user id of Bob:

    $ gpg --no-default-keyring --keyring=$TEMP_KEYRING \
          --lsign-key =user_id_of_Bob

(3) export this version of Bob's public key into a public key
block Bob.pubkey, that you can give to Alice:

    $ gpg --no-default-keyring --keyring=$TEMP_KEYRING \
          --export-options=export-local-sigs \
          --output Bob.pubkey \
          --export

(4) import your local signature into your default key ring:

    $ gpg --import-options=import-local-sigs --import Bob.pubkey

>Later If Alice knows Bob better
>or personally knows him she can --lsign --add-me Bob's key ('blob')
>too and give it to her friend Mary.

Alice would do the same:  Import Bob's keyblock Bob.pubkey
into a temporary key ring using
--import-options=import-local-sigs, lsign it there, export it
using --export-options=export-local-sigs into
Bob.pubkey, give Bob.pubkey to Mary and import
Bob.pubkey using --import-options=import-local-sigs in
her default key ring.


Regards
Friedhelm

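What makes the export-local-sigs / import-local-sigs dance in steps (2) to (4) necessary is visible in the signature packet itself: a certification made with lsign carries the Exportable Certification subpacket (RFC 4880 section 5.2.3.11, subpacket type 4) with value 0, and gpg refuses to export such signatures unless told to. The following Python parser, added here as an illustration and not part of the post or of GnuPG, reads the hashed subpackets of a v4 user-ID certification and reports whether it is exportable; the sample packet it is run on is hand-built with a constructed issuer key ID and a dummy MPI, not a real GnuPG signature.

```python
# Added example: detect a local (non-exportable) OpenPGP certification.
import struct
CERT_TYPES = {0x10, 0x11, 0x12, 0x13}   # user-ID certification signature types

def _length(buf, pos, two_octet_max):
    """Decode a packet (max 223) or subpacket (max 254) length; partial lengths unsupported."""
    o1 = buf[pos]
    if o1 < 192:
        return o1, pos + 1
    if o1 <= two_octet_max:
        return ((o1 - 192) << 8) + buf[pos + 1] + 192, pos + 2
    if o1 == 255:
        return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5
    raise ValueError("partial body lengths are not supported")

def certification_exportable(packet):
    """True if the certification may be exported; False for an lsign (local) signature."""
    hdr = packet[0]
    if hdr & 0x40:                                  # new-format header
        tag, (_, pos) = hdr & 0x3F, _length(packet, 1, 223)
    else:                                           # old-format header (gpg writes this for tag 2)
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        pos = 1 + (1, 2, 4)[ltype]
    if not hdr & 0x80 or tag != 2 or packet[pos] != 4:
        raise ValueError("not a v4 signature packet")
    if packet[pos + 1] not in CERT_TYPES:
        raise ValueError("not a user-ID certification")
    pos += 4                                        # version, sig type, pk algo, hash algo
    count = struct.unpack(">H", packet[pos:pos + 2])[0]
    area = packet[pos + 2:pos + 2 + count]          # hashed area only; the unhashed area is unauthenticated
    exportable, pos = True, 0                       # RFC 4880 default when subpacket 4 is absent
    while pos < len(area):
        sublen, pos = _length(area, pos, 254)
        if area[pos] & 0x7F == 4:                   # Exportable Certification (critical bit masked)
            exportable = area[pos + 1] != 0
        pos += sublen
    return exportable

def build_cert_packet(exportable):
    """Hand-built positive certification (0x13) with a constructed key ID and a dummy MPI."""
    sub = b"\x05\x02\x5d\x42\x6a\x00"                      # signature creation time
    if not exportable:
        sub += b"\x02\x04\x00"                             # exportable certification = 0, as --lsign-key sets
    sub += b"\x09\x10" + b"\x11" * 8                       # issuer key ID (constructed value)
    body = bytes([4, 0x13, 1, 8]) + struct.pack(">H", len(sub)) + sub
    body += b"\x00\x00\xab\xcd\x00\x08\xff"                # empty unhashed area, hash prefix, dummy 8-bit MPI
    return bytes([0x88, len(body)]) + body                 # old-format header: tag 2, one-octet length
```

Fed a packet from a real key block, the same function tells you whether a given certification would survive a plain --export or needs export-local-sigs.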



Re: gpg troubles

2018-10-28 Thread Friedhelm Waitzmann
Roland Siemons (P) at Fri., 2018-10-12:

>3/ Assisted remotely by some of you, I was able to sort out a very
>strange problem with decryption. The solution was found by manipulating
>my key from inside the gpg shell using the command line. I am not very
>experienced with the command line. A major difficulty for those for whom
>this is not daily bread and butter is that mistakes are easily made.
>Hence the great value of GUIs.

>4/ I observed some unclarities in the GnuPG manual
>(www.gnupg.org/gph/en/manual.html), here below under A.

This is the GnuPG privacy handbook rather than the GnuPG manual.
I suggest that you read the GnuPG manual
() also, as
it is the definitive instruction on how to use GnuPG.

>And perhaps also
>some bugs in gpg, here below under B (please consider). Here is my
>experience:

>A/ I tried to revoke some subkeys, following the said manual (heading
>"Revoking key components"). gpg pretended to do the job. Everything
>looked fine. But it did'nt! After several hours of analysis (up to
>checking if GnuPG was installed consistently on my system), I found the
>issue: After the revkey procedure it is necessary to command "quit".

A better way of committing the changes is typing in «save».

Please see the GnuPG manual
().

For the «--edit-key» main command (given at the command line) it
lists the sub commands (to be typed into the edit key command
shell):

   save

      Save all changes to the keyrings and quit.

   quit

      Quit the program without updating the keyrings.

>Instead of quitting, gpg then asks "do you want to save yr changes" (or
>something like that).

This is to remind you that you are about to discard your changes.

>And only then the subkeys were revoked. The said
>manual does mention the command "quit" only once, and not even in a
>general place explaining the operations of gpg, and in fact without any
>explanation as to the impact of that command.

The GnuPG manual (not the privacy handbook) mentions both of
«save» and «quit» and explains the difference.

>Of course I am happy to
>have found out, but let's hope that I remember when after perhaps 2
>years time I have to use gpg shell again

Just remember to read the GnuPG manual also.

>B/ It is not at all clear to me how to start the gpg shell.

This isn't a general («the») GnuPG shell for all GnuPG commands,
it is a shell for the limited set of «--edit-key» sub commands.
That is, the «--edit-key» specified at the GnuPG invocation
command line lets GnuPG run an interactive interpreter for the
«--edit-key» subcommands that have to be typed in.

>For example:
>1/ if (under the CMD terminal) I command "gpg -K", the lists of private
>keys is returned,

Generating this list doesn't need to ask the user to type any sub
commands, so there is no «--list-secret-keys» shell.

>but I am also returned to CMD, that is, kicked out of
>the gpg shell.

If GnuPG has written this list into its standard output channel,
the job is done, thus GnuPG terminates, nobody is «kicked out».

>2/ if (CMD) I command "gpg --edit-key X" (where X is key identifier), I
>do indeed enter the gpg shell, the screen showing "gpg>".

You enter the shell that recognizes the limited set of the
«--edit-key» sub commands.

>That all may be allright, HOWEVER:

>3/ if (CMD) I command "gpg", the return is: "gpg: WARNING: no command
>supplied.  Trying to guess what you mean ...  gpg: Go ahead and
>type your message . 

Please read the GnuPG manual
():

   «gpg may be run with no commands. In this case it will perform
   a reasonable action depending on the type of file it is given
   as input (an encrypted message is decrypted, a signature is
   verified, a file containing keys is listed, etc.).»

So GnuPG expects that you type in an encrypted message, a
detached signature, a clear‐signed message, a public key block, etc.

>Then if I type a gpg command, everything stalls.

Here you cannot type a GnuPG command, because GnuPG wants input,
i.e. data.  As you haven't specified any input file on the
command line, GnuPG wants this data through its standard input
channel, that is, typed in from the keyboard.

>No results whatsoever.

Unless the end of data is signalled (by typing the end‐of‐file
character, with UNIX usually control d, with MS Windows perhaps
control z), GnuPG repeats reading input lines.

>Even the command "quit" gives no results.

This «quit» is counted as an input line of data, too.

>So I force quit by Ctrl-C.
>So, in general, how to start the gpg shell?

You don't in general start the GnuPG shell.  You put a command on
the invocation command line.  This command may or may not be an
interactive command.

If it is (as with «--edit-key»), GnuPG starts a sub command shell
(as with «--edit-key») to read and execute further sub 

Re: Hi ,request help on a problem with gnupg that gpg decryption does not return after creating the decrypted file

2018-05-12 Thread Friedhelm Waitzmann
arinit:

>gpg --debug-all -vvv --batch --pinentry-mode loopback --passphrase-file -o 
>“ouputfile” --yes –decrypt “file to decrypt”

»--passphrase-file« needs an argument, doesn't it?  If so,
gpg looks for a passphrase file named »-o«.


Friedhelm

