Re: Using a GnuPG crypted RSA key for SSH
On Thu May 2, 2024 at 3:55 PM CEST, Ming Kuang via Gnupg-users wrote:
> https://lists.gnupg.org/pipermail/gnupg-users/2024-March/066957.html
> https://lists.gnupg.org/pipermail/gnupg-users/2024-March/066960.html

Just for the record, I find the explanation in the later email rather dubious: systemd can certainly manage a dependence on a shared resource, and the concurrent running of two processes at once. My deep suspicion is that we have here just a little case of the NIH syndrome (plus a lack of understanding of containerized systems like my MicroOS).

I still haven’t investigated this piece of Werner’s advice:

> Using no-autostart in the common.conf might be useful. We use it always
> when running a remote gpg.

Best,

Matěj
-- 
http://matej.ceplovi.cz/blog/, @mcepl@floss.social
GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8

In political activity men sail a boundless and bottomless sea; there is neither harbor for shelter nor floor for anchorage, neither starting point nor appointed destination.
    -- Michael Oakeshott: Rationalism in Politics

Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How to download commit packages from gnupg phabricator?
On Wed Mar 6, 2024 at 1:20 PM CET, Vladimir Nikishkin via Gnupg-users wrote:
> Dear All,
>
> I would like to try the GnuPG Password Manager
> (https://dev.gnupg.org/source/gpgpass/)

https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgpass.git;a=summary

And it has the ability to download a snapshot of each commit.

Matěj
-- 
http://matej.ceplovi.cz/blog/, @mcepl@floss.social
GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8

To err is human, to purr feline.
Re: [gpg-agent] Empty OPTION xauthority=
On Mon Mar 4, 2024 at 9:13 AM CET, Werner Koch wrote:
> Because all components of gnupg will start gpg-agent and the other
> daemons on the fly and make sure that only one is started.

Do I understand it correctly that gnupg contains a smaller version of systemd (dependency activation) inside of itself and that this clashes with systemd? Is there some way to switch it off and to make the individual parts of gnupg behave just The Unix Way™: do one thing (cryptographic operations, gpg-agenting or whatever) and do it well?

> I have no idea what this is about. In case you need to play interesting
> games with the sockets, the gpgconf.ctl mechanism might be helpful.

MicroOS by openSUSE (and Fedora Atomic and many others; every Linux distro has its own variant of this, I guess) are container-oriented systems, where only a minimal host system is used to run multiple isolated containers (Docker/Podman, distrobox, or Flatpak). SELinux and other methods are used to keep these containers isolated from the host system and from one another; sockets are, under proper circumstances, accessible.

> Using no-autostart in the common.conf might be useful. We use it always
> when running a remote gpg.

That looks interesting, I will look into that.

Best,

Matěj
-- 
http://matej.ceplovi.cz/blog/, @mcepl@floss.social
GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8

Ludwig Boltzmann, who spent much of his life studying statistical mechanics, died in 1906, by his own hand. Paul Ehrenfest, carrying on the work, died similarly in 1933. Now it is our turn to study statistical mechanics.
    -- David L. Goodstein, “States of Matter”
Re: Your message to Gnupg-users awaits moderator approval
On Mon Mar 4, 2024 at 2:19 PM CET, gnupg-users-owner wrote:
> Your mail to 'Gnupg-users' with the subject
>
>     Re: [gpg-agent] Empty OPTION xauthority=
>
> Is being held until the list moderator can review it for approval.
>
> The reason it is being held:
>
>     Message body is too big: 63276 bytes with a limit of 40 KB
>
> Either the message will get posted to the list, or you will receive
> notification of the moderator's decision. If you would like to cancel
> this posting, please visit the following URL:
>
>     https://lists.gnupg.org/mailman/confirm/gnupg-users/c419b7597f95abe2ff1d83ed3340aeb711643a59

Hi,

I have enabled in my email client the feature of attaching my signing key, and I thought that the attachment is just a few (in single units) kB long, but suddenly I am getting warning messages like this one. My key has been signed by 60+ signatures, but still, 45K just for that seems excessive. Is there some way to generate something meaningful which would be smaller?

Best,

Matěj
-- 
http://matej.ceplovi.cz/blog/, @mcepl@floss.social
GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8

A philosopher like Plato, according to Luther’s colorful imagery, remains like a cow who looks at a new door, refusing to enter?
Re: [gpg-agent] Empty OPTION xauthority=
On Sun Mar 3, 2024 at 10:05 AM CET, Werner Koch wrote:
> > am running it on host with systemd --user services (configuration
>
> Take care, the use of systemd is racy and support will be removed in
> 2.6.

1. Could you please explain why it is racy? Why, of all services, is only gpg unsuitable for systemd treatment? It is just one socket like any other, isn’t it? Could you point to some issue ticket, email thread, or blog post explaining the problem?

2. When running on a MicroOS system (or Fedora Atomic), how could you guarantee that there is only one gpg-agent and that gpg doesn't try to run it inside of a container, thus making it inaccessible to other containers on the system (Flatpak or podman) and to the host system? I don't see any other solution than running one gpg-agent permanently on the host system, open to everybody, which a systemd --user service seems to provide nicely.

> gpg takes the value for xauthority from the envvar XAUTHORITY. In your
> case it seems that this envvar is set to the empty string which results
> in the above syntax error. Using xauthority without a value and thus
> without the '=' removes the value from gpg-agent's environment.

Yes, thank you for kicking me in the right direction, I found a bug in distrobox (https://github.com/89luca89/distrobox/pull/1252).

> In theory it would be possible to ignore the empty string but given that
> we have had the code this way for 20 years the risk of a regression is too
> high.

What? You know there is a vulnerability in gpg (actually, couldn't the particularly modified environment be abused for some DoD style attack?) and you don't want to fix it, because you have had that bug there long enough? I probably do not understand what you were trying to say.

> Please figure out why XAUTHORITY is set to the empty string.
> XAUTHORITY is only needed if you don't use ~/.Xauthority to store the
> X11 magic cookies; see xauth(1).

I have a Wayland-only system (based on sway), so the whole XAUTH* set of variables is nonsensical here.

Best,

Matěj
-- 
http://matej.ceplovi.cz/blog/, @mcepl@floss.social
GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8

Monday, December 9th. We skip the bus tour of Stockholm to attend the economics lecture. Our guest status is again good for front row seats. We hear about the theory of auctions. There are integrals and derivatives. It’s like physics except physics works.
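The exchange above describes two facts about the agent protocol: gpg copies the XAUTHORITY environment variable into an `OPTION xauthority=<value>` line for gpg-agent, and sending the option without `=` removes the value instead. The following POSIX shell snippet is an added illustration, not GnuPG's own code; `xauthority_status`, `assuan_option_line` and `sanitize_xauthority` are hypothetical helpers that show the three environment states (unset, set-but-empty, set) and the defensive fix for a launcher that exports an empty XAUTHORITY, the class of bug the distrobox pull request addressed.

```shell
#!/bin/sh
# Added illustration of the OPTION xauthority= behaviour discussed in the thread.
# Not GnuPG code: the helpers below are hypothetical and model the described behaviour.

# Classify XAUTHORITY: "unset", "empty" (exported as "") or "set".
# The "empty" state is the one that produced "OPTION xauthority=" with no value.
xauthority_status() {
    if [ -z "${XAUTHORITY+x}" ]; then
        echo unset
    elif [ -z "$XAUTHORITY" ]; then
        echo empty
    else
        echo set
    fi
}

# Build the Assuan OPTION line as the thread describes it: a non-empty value
# is sent as "OPTION name=value"; with no value the "=" is dropped, which tells
# the agent to remove the value rather than set it to the empty string.
assuan_option_line() {
    name=$1
    value=$2
    if [ -n "$value" ]; then
        printf 'OPTION %s=%s\n' "$name" "$value"
    else
        printf 'OPTION %s\n' "$name"
    fi
}

# Defensive fix for a container launcher that exported XAUTHORITY="":
# drop the variable so gpg never forwards an empty value. Returns 1 when a
# fix was needed (useful as a detection signal in a login script), 0 otherwise.
sanitize_xauthority() {
    if [ "$(xauthority_status)" = empty ]; then
        unset XAUTHORITY
        echo "XAUTHORITY was set but empty; unset it" >&2
        return 1
    fi
    return 0
}

# Stand-alone demonstration with a constructed (empty) XAUTHORITY value.
XAUTHORITY=""; export XAUTHORITY
echo "status before sanitize: $(xauthority_status)"
sanitize_xauthority || :
echo "status after sanitize:  $(xauthority_status)"
assuan_option_line xauthority "$HOME/.Xauthority"   # normal X11 case
assuan_option_line xauthority ""                    # value removal, no "="
```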