Re: Several GnuPG instances, with their corresponding agents

2019-03-12 Thread Konstantin Boyandin (lists) via Gnupg-users 

On 2019-03-11 19:56, Phil Pennock wrote:
On 2019-03-10 at 01:25 -0500, Konstantin Boyandin via Gnupg-users 
wrote:

I would like to use, whenever I like, manually builds (such as current
2.2.13).

Question: how do I keep several GnuPG versions installed, every 
version

with its own gpg-agent?


After running ./configure [--args], take a look at the generated
`config.h` file.  Some of these can't be easily overridden at configure
time, but you can patch between configure and build.

As to whether you break at the "directory" or "socket location" level
... remember that GnuPG regards the contents of the directory as its
fiefdom and is free to move things around, often with auto-upgrade 
logic

which might get in the way if you want to try to downgrade.

Specifically, the defines which matter here are:
  GNUPG_DEFAULT_HOMEDIR
  anything ending _SOCK_NAME

I recommend, if doing this, that you just change GNUPG_DEFAULT_HOMEDIR
and do not try to share one config directory between multiple
concurrently-installed versions of GnuPG.

Myself, I install to /opt/gnupg/ and leave the homedir to the default.
If a user account needs to use the newer GnuPG instead of the system
one, it's the responsibility of that account to manage the directory.
If one account is trying to use both system and current GnuPG, that's a
logic error elsewhere which should be cleaned up.


Thanks for the pieces of advice. I conclude that the only safe way to 
share same keys is to re-import all the keys manually into every 
corresponding GnuPG version's key ring.


To me, there's nothing wrong in using different versions of GnuPG under 
the same account: system-wide applications using the OS-provided 
version, and in separated environment I can run newer version, if I need 
its specific features. As soon as they have everything separated, agents 
sockets included, I see no possible problems.


Sincerely,
Konstantin

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

gpg is destroying my messages ...

2016-11-07 Thread Wols Lists 
(Note I'm not subscribed, please cc me on replies)

Basically, I'm very frustrated that gpg is losing random emails of mine.
The problem is I am NOT using it by default, but every now and then it
will "grab" a message I send. I then can only access it by typing in my
pass-phrase. (And, iirc, the menu bar displays and says DON'T sign,
DON'T encrypt!!!)

Why on earth - HOW on earth - is it encrypting messages without needing
my key? And why is it doing it? I need gpg for the odd message, but it's
a right royal pain when it does this as messages refuse to save in sent,
and I can't access emails I've sent without a load of grief.

I can't even find out how to strip this blasted encryption from my own
messages so I can see them without problem!

I'm using the gpg plug-in for thunderbird ...

Cheers,
Wol

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: smartcard reader

2016-10-20 Thread lists 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

>Are there any new options that weren't listed already?

yubikey4

Although I had very good experience with the SPR 532 (and a lot of trouble with 
another Cyberjack reader, the Comfort IIRC), the yubikey token has a better 
trade-off between usability and security for me.

Mainly because its usable on mobile devices through openkeychain, but good 
support of 4k RSA keys is also welcome. Lack of a pin-pad is the main drawback. 
Tamper resistance and firmware source may be other discussion topics.


Regards,
Michel
- --
This mail scanned by NSA Internet Security
-BEGIN PGP SIGNATURE-

iQJRBAEBCgA7NBxNaWNoZWwgTWVzc2Vyc2NobWlkdCA8bWFpbEBtaWNoZWwtbWVz
c2Vyc2NobWlkdC5kZT4FAlgJAu8ACgkQvTGBzyTSHbXPgw/+MQF13bXPrfVB6PS/
QkmVWiXJV2T18hm7jeg3V3eusGX2pgiRxZ6quK0xuB1zYpSOqmBHJYwE7CE+AZcK
x0Z95JQSGGQ5cnZl1npsk41vMibdvr5LVYLRGT4h5VNPubOzp6BAV+Az9yMk1q8d
wE8AU2mONWyoyWhZibZ/K5wFWG8neoIJKB1c9xh7FskncdCd3F/Hf0w0MdfAuf5H
q8lDXaMfhTBBqNk913V04cp/tn5rTTiTQ2MqyNglqhmNBUDD6DaCD3KF8ycgqXmC
WGNgWNnmxfDdEI7sGo+p9IF0lQNYdRWcTtUyNs3QZZr0+xw0qLQI3cDMm+VKoes6
3RTZc3/m6kltjVOoq8vcPl7HAoiBojHzt1oC4ggXsQ3NQCJaiLKns15TlQ4QzI3Y
0Z5admjxEKq9rZ84knwwXWVucHLBUZ2+lQm7vZISyHkFXHZhCb9BwOlRKv//Jxsd
DAhlKjOoryWae23P5NtOyRLaY9OSQQi8iNGKevgAqLMiboTr6L4gj6fIhRBp3BG+
72nKUsWyTxs89mvx3rDtbRJ+6LzWt1njOoozbxm3fc844ml3Nh1P1SIe709sy0iH
yzoMFv3iiLC3WB/vYEkSjGQaDRk3FYu8c0wcushInSBHG+gDTjQgTxxbtOoL1sx+
TPTWrPpI1yWWlUx2mS7ffXkDfy4=
=hCnc
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: every keyserver submit/retrieve returns " ERR 167772346 No keyserver available " ?

2016-10-10 Thread lists 
hi

On Mon, Oct 10, 2016, at 02:17 AM, Werner Koch wrote:
> To which ADNS version is dirmngr linked?

libadnd1 v1.5.0

ldd `which dirmngr`
linux-vdso.so.1 (0x7fffb67ed000)
>>  libadns.so.1 => /usr/lib64/libadns.so.1 (0x7f8ebb2d6000)
libassuan.so.0 => /usr/lib64/libassuan.so.0 (0x7f8ebb0c3000)
libgpg-error.so.0 => /usr/lib64/libgpg-error.so.0 
(0x7f8ebaeaf000)
libgcrypt.so.20 => /usr/lib64/libgcrypt.so.20 
(0x7f8ebaba2000)
libksba.so.8 => /usr/lib64/libksba.so.8 (0x7f8eba96b000)
libnpth.so.0 => /usr/lib64/libnpth.so.0 (0x7f8eba765000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x7f8eba548000)
libgnutls.so.28 => /usr/lib64/libgnutls.so.28 
(0x7f8eba232000)
libldap-2.4.so.2 => /usr/lib64/libldap-2.4.so.2 
(0x7f8eb9fe4000)
libc.so.6 => /lib64/libc.so.6 (0x7f8eb9c3c000)
libdl.so.2 => /lib64/libdl.so.2 (0x7f8eb9a38000)
/lib64/ld-linux-x86-64.so.2 (0x556c975e7000)
libz.so.1 => /lib64/libz.so.1 (0x7f8eb9821000)
libp11-kit.so.0 => /usr/lib64/libp11-kit.so.0 
(0x7f8eb95df000)
libtasn1.so.6 => /usr/lib64/libtasn1.so.6 (0x7f8eb93cb000)
libnettle.so.4 => /usr/lib64/libnettle.so.4 (0x7f8eb9199000)
libhogweed.so.2 => /usr/lib64/libhogweed.so.2 
(0x7f8eb8f6a000)
libgmp.so.10 => /usr/lib64/libgmp.so.10 (0x7f8eb8ce3000)
liblber-2.4.so.2 => /usr/lib64/liblber-2.4.so.2 
(0x7f8eb8ad3000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x7f8eb88bc000)
libsasl2.so.3 => /usr/lib64/libsasl2.so.3 (0x7f8eb869f000)
libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x7f8eb8436000)
libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0 
(0x7f8eb8042000)
libffi.so.4 => /usr/lib64/libffi.so.4 (0x7f8eb7e39000)

rpm -q --whatprovides /usr/lib64/libadns.so.1
libadns1-1.5.0-196.1.x86_64

> Did you build it yourself?

No, sourced from distro repo here,


https://build.opensuse.org/package/show?project=security%3Aprivacy=gpg2


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: every keyserver submit/retrieve returns " ERR 167772346 No keyserver available " ?

2016-10-09 Thread lists 
hi

On Sun, Oct 9, 2016, at 10:26 AM, Kristian Fiskerstrand wrote:
>> What am I missing?

> For one thing a

just fyi, more here @

https://bugs.gnupg.org/gnupg/issue2745

> $ dig +trace hkps.pool.sks-keyservers.net to see resolver results,

>From the machine on which I'm running gpg

dig +trace hkps.pool.sks-keyservers.net

; <<>> DiG 9.10.3-P4 <<>> +trace hkps.pool.sks-keyservers.net
;; global options: +cmd
.   173 IN  NS  
b.root-servers.net.
.   173 IN  NS  
g.root-servers.net.
.   173 IN  NS  
e.root-servers.net.
.   173 IN  NS  
a.root-servers.net.
.   173 IN  NS  
d.root-servers.net.
.   173 IN  NS  
c.root-servers.net.
.   173 IN  NS  
i.root-servers.net.
.   173 IN  NS  
l.root-servers.net.
.   173 IN  NS  
h.root-servers.net.
.   173 IN  NS  
f.root-servers.net.
.   173 IN  NS  
j.root-servers.net.
.   173 IN  NS  
k.root-servers.net.
.   173 IN  NS  
m.root-servers.net.
.   3573IN  RRSIG   NS 8 0 518400 
2016102205 2016100904 39291 . 
SeIwCb0CKHIaVgEXAVNJ3UJdAmnNyOWmU0TpXSSM58RibXDGmtrJKPkj 
+EkxIRItWeRvECSa+oqsnc513uhilK94+t4P7395m4AokdlkXjaH3bjh 
Dxqt8CmA+k9+7/T54x/ZeAsYD2we3FAD7x/lyu8+zRDkFHO0wQ5MekhV 
WXebhc4OkXNbr5/b65xkjStFrWC7uvOxfVOHtxzObTi5OR8AFisYPsfQ 
6Pwu0HtTaJim9wFQgjF60nhzqfFH82Z1qmxWpkTWsaUXKYdETwKmc5l/ 
ilDni8/Y0f6sQXUsv/J8oTLSDPw6A9n9lJrlKLa7vM3ZDSgw9NVLHtju tWECvA==
;; Received 525 bytes from 10.19.2.100#53(10.19.2.100) in 0 ms

net.172800  IN  NS  
d.gtld-servers.net.
net.172800  IN  NS  
m.gtld-servers.net.
net.172800  IN  NS  
j.gtld-servers.net.
net.172800  IN  NS  
k.gtld-servers.net.
net.172800  IN  NS  
i.gtld-servers.net.
net.172800  IN  NS  
f.gtld-servers.net.
net.172800  IN  NS  
l.gtld-servers.net.
net.172800  IN  NS  
b.gtld-servers.net.
net.172800  IN  NS  
h.gtld-servers.net.
net.172800  IN  NS  
c.gtld-servers.net.
net.172800  IN  NS  
a.gtld-servers.net.
net.172800  IN  NS  
g.gtld-servers.net.
net.172800  IN  NS  
e.gtld-servers.net.
net.86400   IN  DS  35886 8 2 
7862B27F5F516EBE19680444D4CE5E762981931842C465F00236401D 8BD973EE
net.86400   IN  RRSIG   DS 8 1 86400 
2016102205 2016100904 39291 . 
FKrdz/REDbJ/00oUK5owedOwz7rtKZlzdPH8Tv4XbcSgdzZRjoBSVy4N 
CSxgzJIn7TxhQSJtaVYNpGRNc2vN0uq9SUwntkFs5DOUUv7fGvuRGzgT 
QOl2u+XKjmDHbTem8RoFJvMMr0UeqS/v7cKnFSvZyxgM43y0IEaA42wt 
1q3vOAk93+SD6C0GkYQCb6IQT+UfYACKlkPt/v7UC3S6CjovpLeJKvTv 
7P7ON+AbDUaa9SVp+JBvOhAkgstAHQzbNY9uSeTo+gSEpIncqmnQnfO3 
sFUt1iXyfDm7ySkq1u71OpMOxWR5e7DkvBR1trBNcfhqLekxEQztZFPx 4msUpQ==
;; Received 877 bytes from 199.7.91.13#53(d.root-servers.net) 
in 102 ms

sks-keyservers.net. 172800  IN  NS  ns2.kfwebs.net.
sks-keyservers.net. 172800  IN  NS  
ns2.sks-keyservers.net.
sks-keyservers.net. 172800  IN  NS  
ns6.sks-keyservers.net.
sks-keyservers.net. 172800  IN  NS  
ns9.sks-keyservers.net.
sks-keyservers.net. 172800  IN  NS  
ns13.sks-keyservers.net.
sks-keyservers.net. 86400   IN  DS  30729 8 1 
625547BEB5EEF7FDB7683462BD9453BD0A886542
sks-keyservers.net. 86400   IN  RRSIG   DS 8 2 86400 
20161015045546 20161008034546 2480 net. 
EiPMbb2zOb9Lt9rK/iYKN0d1FIWWpzyEEREngvVlbqK2WZASGvPpJbou 
ZQfS0YIUNVUaSd6mDYCJ21hibUwi7EJ++o4ChfUfrqxXFwF3Dy/j90pp 
72G18kYgFtAEt9uA8xEpUrOR4yvKRmnh4FRemk8jYKVDw6bmhksJ1yh/ +sc=
;; Received 574 bytes from 192.43.172.30#53(i.gtld-servers.net) 
in 42 ms

hkps.pool.SKS-KEYSERVERS.NET. 60 IN A   140.211.169.202
hkps.pool.SKS-KEYSERVERS.NET. 60

every keyserver submit/retrieve returns " ERR 167772346 No keyserver available " ?

2016-10-09 Thread lists 
I'm trying to get gpg2 up & running on linux.

I've installed

gpg2 --version
gpg (GnuPG) 2.1.15
libgcrypt 1.7.3
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 

This is free software: you are free to change and redistribute 
it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/test/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, 
TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

I can generate key pairs and rev certs OK.

But when I try to upload/retrieve from any keyserver, I get "ERR 167772346 No 
keyserver available ".

Here's an attempt with keyserver == pool @ hkps://hkps.pool.sks-keyservers.net

gpg -v --debug-all --recv-keys 0x673A03E4C1DB921F
gpg: reading options from '/home/test/.gnupg/gpg.conf'
gpg: enabled debug flags: packet mpi crypto filter iobuf memory 
cache memstat trust hashing cardio ipc clock lookup extprog
gpg: DBG: [not enabled in the source] start
gpg: DBG: chan_3 <- # Home: /home/test/.gnupg
gpg: DBG: chan_3 <- # Config: /home/test/.gnupg/dirmngr.conf
gpg: DBG: chan_3 <- OK Dirmngr 2.1.15 at your service
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_3 -> GETINFO version
gpg: DBG: chan_3 <- D 2.1.15
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KEYSERVER --clear 
hkps://hkps.pool.sks-keyservers.net
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KS_GET -- 0x673A03E4C1DB921F
gpg: DBG: chan_3 <- ERR 167772346 No keyserver available 

gpg: keyserver receive failed: No keyserver available
gpg: DBG: chan_3 -> BYE
gpg: DBG: [not enabled in the source] stop
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
  outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: secmem usage: 0/65536 bytes in 0 blocks


I've tried a bunch of different keyservers with always the same result.

What am I missing?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

gpg: signing failed: Invalid IPC response

2016-01-24 Thread lists 
Hello!

After upgrading my packages (now on gnupg 2.1.9), I am getting an error
when trying to sign:

$ echo "test"|gpg2 -sa
gpg: signing failed: Invalid IPC response
-BEGIN PGP MESSAGE-

gpg: signing failed: Invalid IPC response

gpg-agent.conf contains:
pinentry-program /usr/local/bin/pinentry-gtk-2

and pinentry-gtk2 is asking for the passphrase properly.

This is all on OpenBSD, and everything has been working fine prior to updating 
to 2.1.9.

Here is some debug info from gpg-agent:

2016-01-24 09:26:33 gpg-agent[9415] listening on socket 
'/home/XX/.gnupg/S.gpg-agent'
2016-01-24 09:26:33 gpg-agent[13435] gpg-agent (GnuPG) 2.1.9 started
2016-01-24 09:26:34 gpg-agent[13435] handler 0x1817b661300 for fd 5 started
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_5 -> OK Pleased to meet you, 
process 12746
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_5 <- RESET
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_5 -> OK
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_5 <- OPTION ttytype=xterm
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_5 -> OK
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_5 <- OPTION display=:0
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_5 -> OK
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_5 <- OPTION 
xauthority=/home/XX/.Xauthority
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_5 -> OK
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_5 <- OPTION allow-pinentry-notify
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_5 -> OK
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_5 <- OPTION agent-awareness=2.1.0
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_5 -> OK
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_5 <- AGENT_ID
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_5 -> ERR 67109139 Unknown IPC 
command 
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_5 <- HAVEKEY X
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_5 -> OK
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_5 <- RESET
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_5 -> OK
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_5 <- SIGKEY X
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_5 -> OK
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_5 <- SETKEYDESC 
Please+enter+the+passphrase+to+unlock+the+OpenPGP+secret+key:%0A%22%22%0A256-bit+EDDSA+key,+ID+,%0Acreated+XXX+(main+key+ID+).%0A
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_5 -> OK
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_5 <- SETHASH 10 
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_5 -> OK
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_5 <- PKSIGN
2016-01-24 09:26:34 gpg-agent[13435] starting a new PIN Entry
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_6 <- OK Pleased to meet you, 
process 13435
2016-01-24 09:26:34 gpg-agent[13435] DBG: connection to PIN entry established
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_6 -> OPTION grab
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_6 <- OK
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_6 -> OPTION ttytype=xterm
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_6 <- OK
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_6 -> OPTION 
allow-external-password-cache
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_6 <- OK
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_6 -> OPTION default-ok=_OK
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_6 <- OK
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_6 -> OPTION 
default-cancel=_Cancel
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_6 <- OK
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_6 -> OPTION default-yes=_Yes
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_6 <- ERR 83886254 Unknown option 

2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_6 -> OPTION default-no=_No
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_6 <- ERR 83886254 Unknown option 

2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_6 -> OPTION default-prompt=PIN:
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_6 <- OK
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_6 -> OPTION default-pwmngr=_Save 
in password manager
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_6 <- OK
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_6 -> OPTION default-cf-visi=Do 
you really want to make your passphrase visible on the screen?
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_6 <- ERR 83886254 Unknown option 

2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_6 -> OPTION default-tt-visi=Make 
passphrase visible
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_6 <- ERR 83886254 Unknown option 

2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_6 -> OPTION default-tt-hide=Hide 
passphrase
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_6 <- ERR 83886254 Unknown option 

2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_6 -> OPTION 
touch-file=/home/XX/.gnupg/S.gpg-agent
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_6 <- OK
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_6 -> GETINFO pid
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_6 <- D 14005
2016-01-24 09:26:34 gpg-agent[13435] DBG: chan_6 <- OK
2016-01-24 09:26:34 gpg-agent[13435]

smart card OpenId

2012-12-19 Thread Richi Lists 
Has anybody here used an OpenPGP card for authenticating OpenId?

There are lots of options on 
http://www.crypto-stick.com/en/certificate-authentication
And browsing them branches into even more options, and at some point I
lose track of the link to OpenPGP cards.

So, If anybody uses such a setup, I would be glad to know which route
you took.

Rgds
Richard


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Same key on different smart cards

2012-12-19 Thread Richi Lists 
Ok, let me try to explain my problem/wish a bit more elaborate.

I have a smart card (crypto-stick) where my private sub-keys are stored
for signing emails and debian packages, decrypting emails and
authenticating ssh.
I have multiple computers that are set up to use this smart card for all
these tasks.
My notebook also has full disk encryption set up to use the decryption
key on that smart card to decrypt the luks key in the init ramdrive.
So far so good. 
But now I'm afraid of what happens if my smart card breaks or I loose
it. 
So, I prepared another smart card with the exact same sub keys in the
hope to use both smart cards seamlessly interchangeable. 
As you just told me, I have to delete the stubs and prepare for the
other card. That sounds good enough for the signing, email decryption
and ssh tasks. It's a bit more work intensive for the full disk
encryption part. And it's not really what I had in mind with seamlessly
interchangeable.
Now, another solution would be to have different keys on the cards, so I
didn't have to delete the stubs each time I switch the smart card.
This would work well for the full disk encryption and ssh part. But for
the signing and email decryption part, that would now be two different
identities.
I hope my intents are a bit clearer now.

Rgds
Richard


On Do, 2012-12-13 at 10:43 +0100, Hauke Laging wrote:
 Am Do 13.12.2012, 08:43:53 schrieb Richi Lists:
 
  But as far as I understand, for eMail signing and decryption, it needs
  to be the same key on all cards.
 
 I have not checked that but I don't think so. Wouldn't make sense. When using 
 key A, why should gpg-agent care, where key B is stored?
 
 
  I set up two crypto sticks to contain the same sub keys. But the unique
  id of the card seems to be stored in the private key stub
  (~/.gnupg/secring.gpg). Thus if I try to use the second card, I get an
  error telling me to insert the correct card.
 
 What do you want? The signing key on one smartcard, the decryption key on the 
 other? If so, why have you stored both keys on the same card?
 
 
  Is it possible to manage the same identity with multiple smart cards?
 
 That is a different problem. This is not directly supported by GnuPG but 
 possible by a workaround: After changing the smartcard you can delete the 
 secret keys and register the smartcard afterwards. Then the card reference is 
 updated.
 
 
 Hauke



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Same key on different smart cards

2012-12-13 Thread Richi Lists 
Hi,

I want to have a second and third smart card as fallback.
For full disk encryption and ssh it would be ok to have different keys.
But as far as I understand, for eMail signing and decryption, it needs
to be the same key on all cards.
I set up two crypto sticks to contain the same sub keys. But the unique
id of the card seems to be stored in the private key stub
(~/.gnupg/secring.gpg). Thus if I try to use the second card, I get an
error telling me to insert the correct card.
Is it possible to manage the same identity with multiple smart cards? 
Of course I could use a separate smart card with every computer and have
the stub match the card, but I want to be able to use whatever smart
card I have closest. And in case one breaks, just use the next one.
An what is the best approach for this?

Rgds
Richard


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

SmartCard reader

2012-10-24 Thread Richi Lists 
Hi,

how are the chances that I can use an agrolis (http://argolis.com/) usb
smart card reader with GPG?
It shows up as /dev/ttyACM0 

Rgds
Richard


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Signing eMails doesn't work anymore

2012-09-13 Thread Richi Lists 
Now I had a similar problem with debian packages.

That's what I got from dpkg-buildpackage : 

dpkg-buildpackage: warning: Failed to sign .dsc and .changes file
Checking signature on .changes
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.
No signature on ./flightpred_0.0.35~precise_source.changes.

I tried both of the following in .bashrc : 
export GPGKEY=E8401492
export GPGKEY=E8401492!

If I try the following manually, then it works: 
gpg --clearsign -u 'E8401492!' flightpred_0.0.35~precise.dsc

The next thing I tried was :
dpkg-buildpackage -kE8401492!
dpkg-buildpackage -k${GPGKEY}

They both work, but that makes me wonder what I set the GPGKEY env var for?

Rgds
Richard


On Di, 2012-08-28 at 10:47 +0200, Werner Koch wrote:
   gpg --sign -u 'E8401492!' -v setup_my_system.sh
 
 to force using the first key on your card.
 
 
 Salam-Shalom,
 
Werner
 



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Changing the email address of a key

2012-09-07 Thread Richi Lists 
That worked.
Thanks a lot!

Rgds
Richard

On Do, 2012-08-30 at 10:48 +0200, Peter Lebbing wrote:
 On 30/08/12 10:25, Richi Lists wrote:
  Using the primary key was what I tried first. But when I saw the error
  message signing failed, I thought I'd have to force the proper signing
  subkey, like I have to do for signing emails.
  
  My setup is more or less the following:
  http://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups
  with the addition of a sub key for ssh authentication:
  http://www.programmierecke.net/howto/gpg-ssh.html - section with
  smartcard (openpgp)
 
 The thing is that for a new UID, you need the, what they call, master key. 
 That
 would be the primary key. So when you followed the instructions under the
 heading Remove the master key from the keyring, you where after that unable 
 to
 use your master/primary key to create a new UID.
 
 So you go back a little in the document to the part where you had your USB 
 stick
 with the primary key and all subkeys guarded by Orcs or some other fearsome
 creature. Plead with the creature to have your USB stick back, once again 
 follow
 the section Go offline, import your primary key from the USB stick (wipe 
 away
 the Orc spittle before inserting; ignore the chew marks on the protective 
 cap).
 
 After you have created the new UID with the primary key and exported the whole
 to the USB stick, re-remove the primary key from the system.
 
 Oh, by the way, the reason you need the exclamation mark to specify which key 
 to
 use to sign is because you have two signing keys. Apparently GnuPG tries it 
 with
 the one you don't have the secret part for if you don't give the exclamation
 mark. But bear in mind the difference between a signature on a key(/UID) and 
 on
 data. The signing subkey is for signatures on data.
 
 Good luck,
 
 Peter.
 



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Changing the email address of a key

2012-08-30 Thread Richi Lists 
Using the primary key was what I tried first. But when I saw the error
message signing failed, I thought I'd have to force the proper signing
subkey, like I have to do for signing emails.

My setup is more or less the following:
http://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups
with the addition of a sub key for ssh authentication:
http://www.programmierecke.net/howto/gpg-ssh.html - section with
smartcard (openpgp)

Rgds
Richard

$ gpg --edit-key 0AE275A9
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  2048R/0AE275A9  created: 2012-08-07  expires: 2022-08-05  usage:
SC  
 trust: ultimate  validity: ultimate
sub  2048R/8760DB3E  created: 2012-08-07  expires: never   usage:
E   
sub  2048R/E8401492  created: 2012-08-07  expires: never   usage:
S   
sub  2048R/5A097EF6  created: 2012-08-07  expires: never   usage:
S   
sub  2048R/EC980139  created: 2012-08-07  expires: 2022-08-05  usage:
E   
[ultimate] (1). Richard Ulrich (ulrichard) richi...@gmail.com

gpg adduid
Real name: Richard Ulrich
Email address: ri...@paraeasy.ch
Comment: ulrichard
You selected this USER-ID:
Richard Ulrich (ulrichard) ri...@paraeasy.ch

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg: secret key parts are not available
gpg: signing failed: general error


$ gpg --list-keys
/home/richi/.gnupg/pubring.gpg
--
pub   2048R/0AE275A9 2012-08-07 [expires: 2022-08-05]
uid  Richard Ulrich (ulrichard) richi...@gmail.com
sub   2048R/8760DB3E 2012-08-07
sub   2048R/E8401492 2012-08-07
sub   2048R/5A097EF6 2012-08-07
sub   2048R/EC980139 2012-08-07 [expires: 2022-08-05]


$ gpg --card-status
Application ID ...: D276000124010205115F
Version ..: 2.0
Manufacturer .: ZeitControl
Serial number : 115F
Name of cardholder: Richard Ulrich
Language prefs ...: de
Sex ..: male
URL of public key : [not set]
Login data ...: [not set]
Private DO 1 .: [not set]
Private DO 2 .: [not set]
Private DO 3 .: [not set]
Signature PIN : not forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 6
Signature key : 6555 FA9F AEEF 386C 50E2  7AE1 02EC 6014 E840 1492
  created : 2012-08-07 19:01:59
Encryption key: 3A6C CF0A C29F 3DFC 60AF  DCCE 31AA D811 8760 DB3E
  created : 2012-08-07 19:00:54
Authentication key: 2C12 F55B 69D3 088E BFD9  C010 BABF AE12 5A09 7EF6
  created : 2012-08-07 19:04:12
General key info..: pub  2048R/E8401492 2012-08-07 Richard Ulrich
(ulrichard) richi...@gmail.com
sec#  2048R/0AE275A9  created: 2012-08-07  expires: 2022-08-05
ssb  2048R/8760DB3E  created: 2012-08-07  expires: never 
  card-no: 0005 115F
ssb  2048R/E8401492  created: 2012-08-07  expires: never 
  card-no: 0005 115F
ssb  2048R/5A097EF6  created: 2012-08-07  expires: never 
  card-no: 0005 115F



On Mi, 2012-08-29 at 14:11 +0200, Peter Lebbing wrote:
 On 29/08/12 13:53, Richi Lists wrote:
  I can't get it to work wether I try it on the primary or the sub key and
  whether I use gpg or gpg2.
  [...]
  
  $ gpg2 -v --edit-key E8401492!
  [...]
  
  gpg: using subkey E8401492 instead of primary key 0AE275A9
  Secret key is available.
 
 Why are you forcing using the subkey? An UID is /always/ on the primary key, 
 it
 makes no sense to make an UID on the subkey. I think.
 
 Simply losing the exclamation mark should fix it, or just specify
 
 $ gpg2 --edit-key 0AE275A9
 
 Also, apart from UIDs on subkeys making no sense, it would seem to me that an
 UID needs to be bound with a Certification-capable signing key, whereas your
 signing subkey E8401492 can only make signatures on data. That's probably why
 GnuPG says:
 
  gpg: signing failed: Unusable secret key
 
 Although it could also be that the secret part for that subkey is simply not
 available? I'm not sure whether the secret key is available message I quoted
 above pertains to the primary key or the secret subkey you forced on the 
 command
 line.
 
 If you still have problems after this explanation, please provide more data
 about your setup. You have two encryption subkeys, two data signature subkeys,
 and GnuPG complains that there are secret parts missing. It will be a lot 
 easier
 to help you if you can explain what pieces of data are where :).
 
 Peter.
 



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Changing the email address of a key

2012-08-29 Thread Richi Lists 
I can't get it to work wether I try it on the primary or the sub key and
whether I use gpg or gpg2.

Rgds
Richard

$ gpg2 -v --edit-key E8401492!
gpg (GnuPG) 2.0.17; Copyright (C) 2011 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: using subkey E8401492 instead of primary key 0AE275A9
Secret key is available.

gpg: using PGP trust model
pub  2048R/0AE275A9  created: 2012-08-07  expires: 2022-08-05  usage:
SC  
 trust: ultimate  validity: ultimate
sub  2048R/8760DB3E  created: 2012-08-07  expires: never   usage:
E   
sub  2048R/E8401492  created: 2012-08-07  expires: never   usage:
S   
sub  2048R/5A097EF6  created: 2012-08-07  expires: never   usage:
S   
sub  2048R/EC980139  created: 2012-08-07  expires: 2022-08-05  usage:
E   
[ultimate] (1). Richard Ulrich (ulrichard) richi...@gmail.com

gpg adduid
Real name: Richard Ulrich
Email address: ri...@paraeasy.ch
Comment: ulrichard
You selected this USER-ID:
Richard Ulrich (ulrichard) ri...@paraeasy.ch

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg: secret key parts are not available
gpg: signing failed: Unusable secret key



$ gpg2 -s -v -u E8401492! setup_my_system.sh
gpg: no secret subkey for public subkey EC980139 - ignoring
gpg: using subkey E8401492 instead of primary key 0AE275A9
gpg: writing to `setup_my_system.sh.gpg'
gpg: using subkey E8401492 instead of primary key 0AE275A9
gpg: RSA/SHA1 signature from: E8401492 Richard Ulrich (ulrichard)
richi...@gmail.com


On Mi, 2012-08-29 at 08:49 +0200, Peter Lebbing wrote:
 On 28/08/12 21:54, Richi Lists wrote:
  Will this also write also to the smart-card or are the changes only in
  the local keyring?
 
 UIDs are not stored on the smartcard, so it does not matter.
 
  I'm a bit hesitant because the full disk encryption on my netbook works
  also with the same key, and I don't want to reinstall the whole thing.
 
 Understandable. If I understand correctly, you used GnuPG to encrypt the file
 that unlocks your netbook? In that case, the *uid commands should be safe,
 because they do not influence decryption of files. To be on the safe side, 
 keep
 a copy of your key as it is now, and after you changed the e-mail address, try
 to decrypt some file. If that works, it should also decrypt the file that
 unlocks your netbook.
 
 It is wise to keep a copy of your key as it is now around just in case, 
 anyway.
 If you do something wrong, you can take the backup and start over.
 
 Peter.
 



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Signing eMails doesn't work anymore

2012-08-28 Thread Richi Lists 
Hi Werner,

the ! exclamation mark did the trick! 
I tried specifying the subkey I wanted before, but only the exclamation
mark makes it work. 
With the exclamation mark, also signing in evolution works again.
Is this documented somewhere?

Thanks a lot.
Richard

On Di, 2012-08-28 at 10:47 +0200, Werner Koch wrote:
 On Mon, 27 Aug 2012 22:57, ricu...@gmail.com said:
 
  #gpg --sign setup_my_system.sh
  gpg: sending command `SCD PKSIGN' to agent failed: ec=6.18
 
 The error is:
 
   $ gpg-error 6.18
   100663314 = (6, 18) = [...] = (SCD, Wrong secret key used)
 
 
 The scdaemon would have printed this to its log file:
 
fingerprint on card does not match requested one
 
 please run the sign command again using the option -v to see what key
 is being used.
 
 Also try:
 
   gpg --sign -u 'E8401492!' -v setup_my_system.sh
 
 to force using the first key on your card.
 
 
 Salam-Shalom,
 
Werner
 



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Changing the email address of a key

2012-08-28 Thread Richi Lists 
Will this also write also to the smart-card or are the changes only in
the local keyring?
I'm a bit hesitant because the full disk encryption on my netbook works
also with the same key, and I don't want to reinstall the whole thing.

Rgds
Richard

On Di, 2012-08-28 at 10:49 +0200, Peter Lebbing wrote:
 On 28/08/12 10:37, Werner Koch wrote:
gpg --edit-key YOURKEYID
  
addkey
  
  # Now follow the prompts
 
 Surely, Werner meant adduid which adds a new e-mail address, and not 
 addkey
 which adds a new subkey.
 
 HTH,
 
 Peter.
 



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Problem with GPG

2011-08-09 Thread lists . gnupg-users 
Hello Werner,

Yesterday, Aug 8, Werner Koch wrote to lists.gnupg-us...@duinheks.nl about...:

WK  You should better use
WK   gpg --batch --sign --armour --clearsig --passphrase-fd 0 --yes -o 
$1.asc $1

I will do that in future.

WK  to avoid the mv.  Even better use gpg-agent.

That will take some thinking. Will look into it.

WK gpg: pkglue.c:41: mpi_from_sexp: Assertion `data' failed.
WK Aborted
WK  Please show us the output of 
WK /usr/bin/gpg --version 

Of course:
  $ gpg --version
  gpg (GnuPG) 2.0.18
  libgcrypt 1.5.0
  Copyright (C) 2011 Free Software Foundation, Inc.
  License GPLv3+: GNU GPL version 3 or later
  http://gnu.org/licenses/gpl.html
  This is free software: you are free to change and redistribute it.
  There is NO WARRANTY, to the extent permitted by law.
  Home: ~/.gnupg
  Supported algorithms:
  Pubkey: RSA, ELG, DSA
  Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
  CAMELLIA192, CAMELLIA256
  Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
  Compression: Uncompressed, ZIP, ZLIB, BZIP2

Regards,

Hans.


J.D.H. Beekhuizen
e-mail: jdh.beekhui...@duinheks.nl
tel:+31(0)714015437
fax:+31(0)714017198

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Problem with GPG

2011-08-08 Thread lists . gnupg-users 

Hello,

I call PGP from Pine with a simple script:
  #!/bin/sh
  echo  | /usr/bin/gpg --batch --sign --armour --clearsig 
--passphrase-fd 0 $1
  mv $1.asc $2
  Lately I noticed that it did not work, withour giving me any
  warning.

When I use it 'by hand' I see an error:
  echo xxx | /usr/bin/gpg --batch --sign
--armour --clearsig --passphrase-fd test
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA1
  gpg: pkglue.c:41: mpi_from_sexp: Assertion `data' failed.
  Aborted

What's happening and how can I repair it?

The file test contains nothing spectacular:
  /home/jbeekhui/.gnupg/pubring.gpg
  -
  pub  1024D/4F702D4A 2001-10-27 Johannes D.H. Beekhuizen
   Key fingerprint = C913 300F FEF9 92BE 8320  07B4 2DF2 2641 4F70 2D4A
  uidJohannes Beekhuizen
  sub  1024g/1074CC1A 2001-10-27

I'm running GNUpg 2.0.18 under SlackWare 13.0, built with the
libraries:
  libgpg-error  1.9
  libgrypt  1.5.0
  libksba   1.2.0
  libassuan 2.0.2

Maby yhnals for any helpful help,

Hans Beekhuizen.


J.D.H. Beekhuizen
e-mail: jdh.beekhui...@duinheks.nl
tel:+31(0)714015437
fax:+31(0)714017198

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: [OT] passphrases Was: Re: Allowing paste into pinentry-gtk-2?

2011-04-18 Thread lists 
I think a lot of this password philosophy is nonsense for most people. The only 
things that are likely to be brute-forced are Edge devices with some sort of 
tactical purpose. Average Joe user is more at risk from phishing or another 
social engineering tactic.

I'm a big fan of ridiculously large passwords that are completely 
unintelligible that include all sorts of !)/GJhj32;': characters for static 
non-user based accounts. Now that password has to be stored though, which then 
gets into how should the password itself be secured...

-Devin
Sent on the Sprint® Now Network from my BlackBerry®

-Original Message-
From: David Shaw ds...@jabberwocky.com
Sender: gnupg-users-boun...@gnupg.org
Date: Mon, 18 Apr 2011 22:21:49 
To: Robert J. Hansenr...@sixdemonbag.org
Cc: GnuPG Usersgnupg-users@gnupg.org
Subject: Re: [OT] passphrases Was: Re: Allowing paste into pinentry-gtk-2?

On Apr 18, 2011, at 6:56 PM, Robert J. Hansen wrote:

 Yes, well, that would mean that a 32-character English passphrase will
 average about 64 bits of randomness. Is that really enough to protect
 a key from an offline brute force attack? I think not, but am open to
 being persuaded. :)
 
 As I've said a few times now, no question about is X really sufficient to 
 protect a passphrase from being broken? can be answered without a lot of 
 context.  Who are you worried about breaking it?  How hard will they try?
 
 To give you an example, RC5-64 was a giant distributed network of computers 
 run by hobbyists using spare CPU cycles, trying to brute-force a 64-bit key.  
 Their volunteer network was much larger than anyone outside of 
 megacorporations or First World intelligence agencies or major crime 
 syndicates have.
 
 It took them eighteen months.

Actually around 58 months: just under 5 years.

 64-bit crypto isn't good for long-term storage, but if you want to foil 
 someone who doesn't have megacorporation-level resources for a period of 
 months or years, it'll do just fine.  Against First World intelligence 
 agencies it might take a few seconds.

Are you asserting that there exists a group that can brute-force a 64-bit key 
in a few seconds?

David


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

GnuPG failing to decrypt all files

2011-04-13 Thread lists 
Hi!

I have a curious problem. I just installed GPG4win and I'm having issues with 
my tests. I randomly selected three files from my desktop to encrypt. Two were 
clear text and one was an xlsx. I encrypted them in a folder with no errors. It 
did package them in a gzipped tarball I believe. When I decrypted, Kleopatra 
insisted there were no errors. However when I went to check only two of the 
files were present (one ascii and the xslx). The one that didn't decrypt was a 
bat file, so I thought it may exclude those from the tar so I changed it to a 
.txt extension to no avail.after testing for a bit I thought it was a fluke and 
moved on.

I then tried setting up GPG4win on a user's computer and encrypted 101 files. 
Mostly Excel and Word binaries (before they went XML). The same thing happened. 
101 files selected for Encryption, 100 files decrypted. We saved a copy (only 
modifying the name) of the Excel file and out of 102 files, only 101 decrypted! 
And the copy encrypted/decrypted fine. The original file was still missing.

I went back to check my first error on my computer with verbose logging, and I 
clipped what I thought was relevant below (input/out errors) from the gpgagent 
daemon. Am I doing something wrong? Can I check to see what was encrypted 
file-by-file to ensure all files are archiving properly?

I'm hoping to replace a securitybox install with this. Any help would be 
appreciated.

gpg-agent[5844]: chan_00F0 - GETINFO cmd_has_option GET_PASSPHRASE repeat
gpg-agent[5844]: chan_00F0 - OK
gpg-agent[5844]: chan_00F0 - GET_PASSPHRASE --data --repeat=0 -- 
24ECA7F198F175DFFAC198448D37D03FD154F634 X X 
Please+enter+the+passphrase+to+unlock+the+secret+key+for+the+OpenPGP+certificate:%0A%22user+(test)+u...@domain.com%22%0A2048-bit+RSA+key,+ID+D154F634,%0Acreated+2011-03-31.%0A
2011-04-13 11:51:58 gpg-agent[5844] DBG: agent_get_cache 
`24ECA7F198F175DFFAC198448D37D03FD154F634'...
2011-04-13 11:51:58 gpg-agent[5844] DBG: ... miss
2011-04-13 11:51:58 gpg-agent[5844] starting a new PIN Entry
gpg-agent[5844]: chan_00E8 - OK Your orders please
2011-04-13 11:51:58 gpg-agent[5844] DBG: connection to PIN entry established
gpg-agent[5844]: chan_00E8 - OPTION grab
gpg-agent[5844]: chan_00E8 - OK
gpg-agent[5844]: chan_00E8 - OPTION ttyname=/dev/tty
gpg-agent[5844]: chan_00E8 - OK
gpg-agent[5844]: chan_00E8 - OPTION default-ok=_OK
gpg-agent[5844]: chan_00E8 - OK
gpg-agent[5844]: chan_00E8 - OPTION default-cancel=_Cancel
gpg-agent[5844]: chan_00E8 - OK
gpg-agent[5844]: chan_00E8 - OPTION default-prompt=PIN:
gpg-agent[5844]: chan_00E8 - OK
gpg-agent[5844]: chan_00E8 - OPTION touch-file=C:\Documents and 
Settings\user\Application Data\gnupg\S.gpg-agent
gpg-agent[5844]: chan_00E8 - OK
gpg-agent[5844]: chan_00E8 - GETINFO pid
gpg-agent[5844]: chan_00E8 - D 3856
gpg-agent[5844]: chan_00E8 - OK
gpg-agent[5844]: chan_00F0 - INQUIRE PINENTRY_LAUNCHED 3856
gpg-agent[5844]: chan_00F0 - END
gpg-agent[5844]: chan_00E8 - SETDESC Please enter the passphrase to unlock 
the secret key for the OpenPGP certificate:%0A%22user (test) 
u...@domain.com%22%0A2048-bit RSA key, ID D154F634,%0Acreated 2011-03-31.%0A
gpg-agent[5844]: chan_00E8 - OK
gpg-agent[5844]: chan_00E8 - SETPROMPT Passphrase
gpg-agent[5844]: chan_00E8 - OK
gpg-agent[5844]: chan_00E8 - [[Confidential data not shown]]
2011-04-13 11:51:58 gpg-agent[5844] handler 0x98c for fd 220 started
gpg-agent[5844]: chan_00DC - OK Pleased to meet you
gpg-agent[5844]: chan_00DC - OPTION ttyname=/dev/tty
gpg-agent[5844]: chan_00DC - OK
gpg-agent[5844]: chan_00DC - OPTION allow-pinentry-notify
gpg-agent[5844]: chan_00DC - OK
gpg-agent[5844]: chan_00DC - SCD SERIALNO
2011-04-13 11:51:58 gpg-agent[5844] new connection to SCdaemon established 
(reusing)
gpg-agent[5844]: chan_00EC - SERIALNO
gpg-agent[5844]: chan_00EC - ERR 100663404 Card error SCD
gpg-agent[5844]: chan_00DC - ERR 100663404 Card error SCD
gpg-agent[5844]: chan_00DC - BYE
gpg-agent[5844]: chan_00DC - OK closing connection
gpg-agent[5844]: chan_00EC - RESTART
gpg-agent[5844]: chan_00EC - OK
2011-04-13 11:51:58 gpg-agent[5844] handler 0x98c for fd 220 terminated
2011-04-13 11:52:00 gpg-agent[5844] handler 0xce0 for fd 192 started
gpg-agent[5844]: chan_00C0 - OK Pleased to meet you
gpg-agent[5844]: chan_00C0 - OPTION ttyname=/dev/tty
gpg-agent[5844]: chan_00C0 - OK
gpg-agent[5844]: chan_00C0 - OPTION allow-pinentry-notify
gpg-agent[5844]: chan_00C0 - OK
gpg-agent[5844]: chan_00C0 - SCD SERIALNO
2011-04-13 11:52:00 gpg-agent[5844] new connection to SCdaemon established 
(reusing)
gpg-agent[5844]: chan_00EC - SERIALNO
gpg-agent[5844]: chan_00EC - ERR 100663404 Card error SCD
gpg-agent[5844]: chan_00C0 - ERR 100663404 Card error SCD
gpg-agent[5844]: chan_00C0 - BYE
gpg-agent[5844]: chan_00C0 - OK closing connection

Re: what are the sub keys

2011-03-24 Thread Lists . gnupg 

On Wed, Mar 23, 2011 at 10:58:38PM +0100 Also sprach Ingo Klöcker:


I claim that of all 4096 keys that can be found on the public keyservers
most have been created by people who just went for the highest number.
Because bigger must be better, right?



I cannot resist offering the following quote from Neil Stephenson's
Cryptonomicon, which makes a similar observation:


So the length of the key that you use is, in and of itself, a code of
sorts. A knowledgeable government eavesdropper, noting Randy's and
Avi's use of a 4096-bit key, will conclude one of the following:
  --Avi doesn't know what he's talking about. This can be ruled out
with a bit of research into his past accomplishments. Or,
  --Avi is clinically paranoid. This can also be ruled out with some
research. Or,
  --Avi is extremely optimistic about the future development of
computer technology, or pessimistic about the political climate, or
both. Or,
  --Avi has a planning horizon that extends over a period of at least
a century.



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: what are the sub keys

2011-03-22 Thread Lists . gnupg 

On Sat, Mar 19, 2011 at 11:36:57PM -0400 Also sprach Robert J. Hansen:

On 3/19/11 10:34 PM, Jonathan Ely wrote:


but be sure to set your preferences and choose a 4096 over 2048.


Why?  This is like saying, I like the bank vault on my front door, but
I wish it was thicker: I want the extra security.  Key length is only a
small part (arguably the smallest part) of communications security.



I agree that 4096 may seem like overkill, but I think the recommendation
to max out one's RSA key size is defensible. Here's why:

1. Modern computers are fast; it costs us almost nothing in terms of
   computation time to use a 4096-bit key.

2. Modern computers are fast, and getting faster all the time; remember
   that your security margin may need to be good not just today, but
   against all the attacks that are possible in the future, for as long
   as your data needs to remain secure (decades, for some people). Once
   upon a time, 1024-bit keys were considered perfectly adequate; most
   experts urge against generating keys today with that strength.

I agree that an awful lot of fuss is made over key length, sometimes to
the exclusion of other, much more likely attack vectors. However, until
someone describes for me a compelling reason NOT to bump key length up
to 4096, my view remains: Why not?

Special case, relating to this thread's original question:

Some software which is designed to interface with GnuPG, or otherwise
implement PGP keys, may not support arbitrary key lengths.
E.G. Evolution used to have a 160-bit hash hard-coded into it's gnupg
integration (it may still--I haven't used Evolution in a while), which
meant that to remain DSS-compliant, you could only sign email with a
1024-bit DSA key. DSA-2 keys could not be supported directly by
Evolution. You could circumvent the key-stregth limit by using an RSA
key as long as you liked. However, in cases when a particular piece of
software may require use of a key which does not meet your general-use
criteria, for whatever reason, generating a sub-key which meets the
requirements can allow you to use the specific feature you need, while
still enabling you to use other sub-keys for less restrictive
applications.

--
Le hasard favorise l'esprit préparé.
  --Louis Pasteur


pgp8BcUjLpUkr.pgp
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: what are the sub keys

2011-03-22 Thread Lists . gnupg 

On Tue, Mar 22, 2011 at 08:28:57AM -0700 Also sprach Robert J. Hansen:


IME, engineering starting from a base maxim of, why not?, ultimately
leads to curious things that leave you scratching your head (like the
aforementioned, why are you using SHA512 with DSA-1K?).  This is why I
would much rather start from a base maxim of, why?  I'd much rather be
accused of favoring minimalism than maximalism.



I agree that Why Not? by itself is not an argument in favor of doing
something, unless it is balanced by a Why? 


So, one can compare the pros and cons of using a longer key, with some
items ending up in the Why do it column, and some ending up in Why not.

My point is that in the Why use 4096-bit RSA? column, we have a few
items, including a much longer lifetime for the key and encrypted data,
as factoring attacks get better in the future (they never get worse),
whereas in the why not column, we have--so far as I can see--nothing
(apart from special usage scenarios, as I exeplified above).

There is a greater margin of security in a 4096-bit key over a 2048-bit
key (all other factors being equal), even if it is only theoretical. 
Sure, there are other, more important security considerations; perhaps

not in spite of them, but because of them, one can say Use the maximum
key length supported, and move on to more important considerations. 


--
Le hasard favorise l'esprit préparé.
  --Louis Pasteur

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Smart Card Physical Best Practices?

2011-03-01 Thread Lists . gnupg 

On Sat, Feb 26, 2011 at 09:40:07PM -0500 Also sprach David Tomaschik:


I've recently received my smart card, but was wondering what the best
practices are, mainly from a physical standpoint.  When I use it in
my laptop reader, it sticks about 2 out of the side, and I have some
concern about this (i.e., getting damaged by being pushed into
something, etc.).  I am using the Authentication key on it for SSH,
and the normal signing  encryption operations, so I suppose I need it
when sending signed email and signing into a system.  Do most people
leave it in the computer most of the time, or just insert it as
needed?  This brings to mind: how many insertion cycles can these
cards handle?  Looking online, various smart cards are rated anywhere
from 10,000 to 250,000 insertions.  (At 10,000, as few as 10
insertions per day would net a 3 year lifetime.)



If you are concerned with the insertion-limited lifetime, and with other
possible kinds of damage to the smart card itself, perhaps you should
consider getting one of the versions with the SIM removal option.

Pop the chip out of the card and put it inside one of those USB tokens
that take them. Then the SIM itself is always (at least partially)
protected inside a casing, and the insertion problem is offloaded onto
the USB mechanism (which is more expendable). If the USB token fails
eventually, take the SIM out and put it in a new one; you may have been
using it for years by then, but your effective insertion count is 2.

As an added bonus, you may use your OpenPGP card on any computer with a
USB port, without needing a separate card reader available.

--
Le hasard favorise l'esprit préparé.
  --Louis Pasteur


pgpOJgEYqnxrY.pgp
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Why do we use a different key to sign than to encrypt

2011-03-01 Thread Lists . gnupg 

On Tue, Mar 01, 2011 at 01:13:16PM + Also sprach Guy Halford-Thompson:

Not GPG specific, but I was wondering if someone could point me in the
direction of some resources that explain why we use different keys to
sign and encrypt (for cases where the same key _could_ do both e.g.
RSA).  


This may not be the whole story, but I did manage to find this:

http://www.di-mgt.com.au/rsa_alg.html#weaknesses

--
Le hasard favorise l'esprit préparé.
  --Louis Pasteur


pgpbqg3nFtKvE.pgp
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Some SHA-2 news

2011-02-20 Thread Lists . gnupg 
On Sun, Feb 20, 2011 at 07:19:15AM -0500 Also sprach Jerry:
 On Sat, 19 Feb 2011 14:55:14 -0500
 Robert J. Hansen r...@sixdemonbag.org articulated:
 
  On 2/19/11 9:53 AM, lists.gn...@mephisto.fastmail.net wrote:
   Think we'll see this included one day in OpenPGP, or will we just
   skip to SHA-3 when it's ready?
  
  Usually, algorithms are added due to existing users with a strong need
  -- e.g., CAMELLIA came about because users in the Pacific Rim needed
  it.
  
  I'm unaware of anyone saying, the SHA-2s are great, but they're too
  slow on 64-bit processors.  And until there is, the odds of OpenPGP
  adoption are practically nil, IMO.
 
 Out of simple morbid curiosity, other than the time and effort needed
 to adopt the code, is there any downside to this venture?
 

I can't really see much downside, except, as has been noted, a possible
lack of demand. I don't believe security is affected one way or the
other. It's just a matter of a slight performance improvement on certain
hardware. With SHA-3 so close on the horizon, though, I find it doubtful
that a minor re-working of SHA-2 would gather much adoption.

It somewhat surprises me, even, that NIST bothered with it. I suppose
someone, somewhere, must be saying the SHA-2s are great, but they're
too slow...  or why would anyone have put the work in to extend the
standard, as has been done? I think understanding this was the
motivation for my original post.


pgpY8kpGwg6eU.pgp
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Help with OpenPGP plugin in Mozilla Thunderbird and Claws Mail

2011-02-16 Thread Lists . gnupg-users 
On Tue, Feb 15, 2011 at 05:38:47AM -0800 Also sprach AgoristTeen1994:
 
 Okay thanks for the help though I'm still somewhat confused...I understand
 that they key id is the entire keypair, but then how do  I found out what is
 just my public key, and just my secret key, the reason Im asking is that if
 I want to give my public key to someone, then I apparently give the entire
 keyid since that has my secret key too..or am I wrong on that and I can give
 them the entire keyid? Thanks again and have a nice day.
 -- 

There is a distinction I believe you are missing; please feel free to
admonish me if I am oversimplifying things, however:

The Key ID is not the entire key pair; it merely represents the key
pair. It is a unique name for your key pair, if you would like to think
of it that way.

When you give someone your Key ID, you are not literally giving them any
part of your Secret or Public key--you are merely giving them a
convenient way to reference it. The actual public key can be quite long,
and inconvenient to read out to someone, or jot down on the back of a
cocktail napkin, so we have these Key IDs to use as short-hand.

If you have your public key published somewhere, such as on a key
server, the Key ID is a way for other people to unambiguously look up
the full key. If you have more than one key pair (e.g. one for personal
use, and one for work), the Key ID of each key pair (which will be
unique to each) is a way to tell them apart on such a key server, or
within your own keychain.

Note, however, that only giving someone your Key ID does not help them
to encrypt messages to you, or verify your signature, if they do not
have someplace to access the actual key (like a public key server). It
just helps them look up your individual key if it is in such a place.

Generally speaking, good OpenPGP implementations (like GnuPG) will
require that you explicitly state you want to export your _Secret_ key
before they will ever spit it out (e.g. gpg --export-secret-keys is
pretty obvious). Under all other circumstances, when you issue a command
to export a key, it will release only the public part of the key pair.

Hope this helps,
Kevin

-- 
Le hasard favorise l'esprit préparé.
  --Louis Pasteur


signature.asc
Description: Digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Help with OpenPGP plugin in Mozilla Thunderbird and Claws Mail

2011-02-15 Thread Lists . gnupg 
On Tue, Feb 15, 2011 at 05:38:47AM -0800 Also sprach AgoristTeen1994:
 
 Okay thanks for the help though I'm still somewhat confused...I understand
 that they key id is the entire keypair, but then how do  I found out what is
 just my public key, and just my secret key, the reason Im asking is that if
 I want to give my public key to someone, then I apparently give the entire
 keyid since that has my secret key too..or am I wrong on that and I can give
 them the entire keyid? Thanks again and have a nice day.
 -- 

There is a distinction I believe you are missing; please feel free to
admonish me if I am oversimplifying things, however:

The Key ID is not the entire key pair; it merely represents the key
pair. It is a unique name for your key pair, if you would like to think
of it that way.

When you give someone your Key ID, you are not literally giving them any
part of your Secret or Public key--you are merely giving them a
convenient way to reference it. The actual public key can be quite long,
and inconvenient to read out to someone, or jot down on the back of a
cocktail napkin, so we have these Key IDs to use as short-hand.

If you have your public key published somewhere, such as on a key
server, the Key ID is a way for other people to unambiguously look up
the full key. If you have more than one key pair (e.g. one for personal
use, and one for work), the Key ID of each key pair (which will be
unique to each) is a way to tell them apart on such a key server, or
within your own keychain.

Note, however, that only giving someone your Key ID does not help them
to encrypt messages to you, or verify your signature, if they do not
have someplace to access the actual key (like a public key server). It
just helps them look up your individual key if it is in such a place.

Generally speaking, good OpenPGP implementations (like GnuPG) will
require that you explicitly state you want to export your _Secret_ key
before they will ever spit it out (e.g. gpg --export-secret-keys is
pretty obvious). Under all other circumstances, when you issue a command
to export a key, it will release only the public part of the key pair.

Hope this helps,
Kevin

-- 
Le hasard favorise l'esprit préparé.
  --Louis Pasteur


signature.asc
Description: Digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: MacGPG2 2.0.17

2011-01-26 Thread Lists 
On Tue, Jan 25, 2011 at 02:17:01AM -0500 Also sprach Charly Avital:

 I have not run the GPGTools installer, I have run the MacGPG2 2.0.17
 released a few hours ago by Ben Donnachie...

My understanding is the GPGTools installer is a meta-package, which (as of
the time I downloaded and installed it) includes the same build of GnuPG
2.0.17. I figured it wouldn't hurt to use the pre-packaged Tools installer
to get GPGMail and everything else at the same time, since presumably all
the pieces would be versions which would interoperate correctly.

 And *everything* related to MacGPG2, Thunderbird+Enigmail and GPGMail
 1.3.2.RC1 is running just fine...

I don't doubt that everything works, in your case. I have had different
results on different platforms.

On a machine running 10.6.6, which was freshly installed about two weeks
ago, most components of GPGTools seemed to work, however, when I tried to
generate test keys (either from the CLI, or from the GUI key management
app), the process would always stall at the random number phase.

On a different machine running 10.6.6 Server, gpg-agent fails to launch
(whereas gpg-agent worked fine, from the same GPGTools installer, on the
OS X Desktop machine above).

I tried on a third machine (also a client/desktop), with similar results
to the desktop above.

I have no doubt that on certain computers, it works perfectly, given the
variability of errors on the different platforms I have tried it on so
far. However, since GnuPG from MacPorts seems to work for me consistently,
on all the platforms I have tried it on, I'm going to stick with that for
now. I'll revisit the GPGTools/MacGPG2 installers again later, when I have
more time to chase these bugs.

Cheers,
Kevin

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: very short plaintexts symmetrically encrypted

2010-01-11 Thread lists . gnupg-users 


On Sun, 10 Jan 2010 14:02 +0100, Werner Koch w...@gnupg.org wrote:
 On Sun, 10 Jan 2010 04:44:35 -0500, ved...@hush.com wrote:
 
  symmetrical encryption is a simple way to avoid signing, while 
  still maintaining relative reliability of knowledge as to who sent 
  the message
 
 That is not true.  For example you can't detect a replay or MitM
 attack.

Forgive me, but how is a MitM attack possible against a symmetric cypher
using a shared, secret key?

A MitM attack is really an attack on key exchange, as it requires the
MitM to intercept at least one public key, and substitute another (one
of his own) for it. Using symmetric crpyto, however, the key must be
prearranged, or exchanged by some other trusted means. Assuming only the
sender and receiver of the message know the secret key, I fail to see
what a MitM can accomplish. Of course, if we just broadcast the secret
key on the Internet, or something, then it's not much good--but anyone
using symmetric crypto should know better.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users