LAST CALL: Invitation to the 8th OpenPGP Email Summit

[Patrick Brunschwig]

On behalf of the Wau Holland Stiftung, I'm happy to invite you to the
8th OpenPGP Email Summit which will take place:

  Friday, June 7 & Saturday, June 8 2024
   in Dietzenbach near Frankfurt, at the Hotel Sonnenhof


If you plan to attend the event, then *please add yourself* to the
cryptpad until *May 30, 2024* latest:
https://cryptpad.fr/sheet/#/2/sheet/edit/eSLKf+dpna9ZSmDLeLiWeMFh/


SCHEDULE OVERVIEW
=

Hacking Day: Thursday, June 6, 2024
Main Event:  Friday June 7 & Saturday June 8, 2024


REGISTRATION & EVENT DETAILS


All details including the agenda are available on the web site:
https://wiki.gnupg.org/OpenPGPEmailSummit202406


ABOUT THE OpenPGP EMAIL SUMMIT
==

This is an event open for anybody involved in the development of email
clients using OpenPGP for encryption, and related software.

We already had 7 OpenPGP Email Summits at various locations in Europe.
These are meetings by technical experts of projects and tools dealing
with OpenPGP with a focus on email encryption. The goals are to better
get to know each other, and to discuss and work on issues that hopefully
improve certain aspects of OpenPGP-based email encryption. For details, see
   https://wiki.gnupg.org/OpenPGPEmailSummit202406


Looking forward to meeting you in Dietzenbach
-Patrick

-- 
Wau-Holland-Stiftung   W
Zeiseweg 9 H O L L A N D
22765 Hamburg/GermanyS T I F T U N G
http://www.wauland.de





signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Invitation to the 8th OpenPGP Email Summit

[Patrick Brunschwig]

On behalf of the Wau Holland Stiftung, I'm happy to invite you to the
8th OpenPGP Email Summit which will take place:

  Friday, June 7 & Saturday, June 8 2024
   in Dietzenbach near Frankfurt, at the Hotel Sonnenhof


SCHEDULE OVERVIEW
=

Hacking Day: Thursday, June 6, 2024
Main Event:  Friday June 7 & Saturday June 8, 2024


REGISTRATION & EVENT DETAILS


All details including the agenda are available on the web site:
https://wiki.gnupg.org/OpenPGPEmailSummit202406


ABOUT THE OpenPGP EMAIL SUMMIT
==

This is an event open for anybody involved in the development of email
clients using OpenPGP for encryption, and related software.

We already had 7 OpenPGP Email Summits at various locations in Europe.
These are meetings by technical experts of projects and tools dealing
with OpenPGP with a focus on email encryption. The goals are to better
get to know each other, and to discuss and work on issues that hopefully
improve certain aspects of OpenPGP-based email encryption. For details, see
   https://wiki.gnupg.org/OpenPGPEmailSummit202406


Looking forward to meeting you in Dietzenbach
-Patrick

-- 
Wau-Holland-Stiftung   W
Zeiseweg 9 H O L L A N D
22765 Hamburg/GermanyS T I F T U N G
http://www.wauland.de



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Request for Comment: keys.openpgp.org Organization

[Patrick Brunschwig]

This is a cross-post to openpgp-em...@enigmail.net,
gnupg-users@gnupg.org, autocr...@lists.mayfirst.org
and open...@ietf.org.
Please reply to openpgp-em...@enigmail.net

During the last OpenPGP Email Summit[1] we agreed that we would like to
transition the keyserver on keys.openpgp.org (KOO) from a one-person
show into an open community project. Vincent, Lars, dkg and I
volunteered to form a Bootstrapping Committee that would propose a new
structure and governing rules for this community by end of July.

I'm very happy to announce today that we completed this task ahead of
time. We have prepared a proposal for a constitution, together with
several supporting documents, and would now like to invite everyone
interested in OpenPGP for feedback to our proposals. Please provide your
feedback until Aug. 21, 2022 on the OpenPGP Summit Email list
(openpgp-em...@enigmail.net).

Below is a summary of the proposed constitution. The complete
constitution and all supporting documents can be found on Gitlab:
https://gitlab.com/hagrid-keyserver/bootstrap-committee/-/tree/main

We are planning to set up the organization according the following
schedule (under the assumption that the feedback is such that the
schedule is feasible):
1. Comment period for the constitution: until Aug. 21, 222
2. Publish first version of constitution: 1w later
3. Invitation for voting body +4w
4. First election of the board +2w
5. Publish election results +3d
6. Install 1st Board

We agreed that Patrick will be responsible for the complete process.


Summary of the keys.openpgp.org Constitution


High Level Summary
--
keys.openpgp.org (KOO) is a service providing a verifying key server to
the OpenPGP ecosystem. The service is operated by the operations team as
guided by the Board. The Board is elected by the Voting Body, which is
formed by individuals that are active in the OpenPGP ecosystem.

The Board
-
The Board offers advice, guidance, and support to the operations
team, and helps ensure the ongoing operation of the KOO service.
If and when the KOO organization gets funds, the Board decides how
to spend them. The Board consists of 3-5 individuals. Board members are
elected for a 1-year term, and may be on the Board for up to 3 years in
a row. Board votes are decided by simple majority, except when replacing
the whole operations team, which must be a unanimous vote by all members.

The Board nominates one of its members as secretary. The secretary takes
meeting minutes and organizes the next election. Board meeting minutes
are published.

The Board takes care of KOO Enhancement Proposals (KEP) that may be
submitted by any voting member. Any KEP requires adoption by at least
one Board member in order to be considered by the Board. The Board may
approve or reject any KEP under consideration, or may ask the KEP author
for revisions before re-consideration.

Board members self-nominate themselves via a public mailing list.
Elected members are asked to ensure that no organization or affiliation
is over-represented in the Board.

The Voting Body
---
The voting body serves to elect the Board Members. It consists of voting
members. Eligible for membership are all those individuals who use
OpenPGP, implement it, provide services to help use it, produce
documentation, provide training, etc. Voting members are nominated by
existing members and approved by the Board. Membership expires after 3
years of inactivity (defined by participating in the votes and elections).

Membership in the initial voting body is open to anyone who has attended
any of the past OpenPGP E-mail Summits[2]. This only applies to the
election of the first Board.

The Operations Team
---
The operations team maintains the Hagrid software, and operates the
servers providing the service of the key server. It has final say in how
the software works, and how the service is provided. The operations team
reports on their activities to the Board and the public. The operations
team is self-organized, except for the right of the Board to replace the
operations team entirely.

Initial Formation of the KOO Organization
-
The KOO Bootstrap Committee will organize the process to establish the
KOO organization as follows:

1. Request for feedback from the OpenPGP community (public
   announcement).
2. Incorporate the community feedback and publish the 1st KOO
   Constitution.
3. Invite attendees of the past OpenPGP E-mail Summits to join the
   Voting Body.
4. Organize the election of the first Board.
5. The constitution is considered ratified once the 1st elected Board
   is installed.

In order to ensure continuity, 2 of the 5 initial Board members will
have a term limit of max. 2 years.

Voting Process
--
Voting and elections are done publicly and are attributable.
Votes for Board elections are done by signed commits via merge
requests on a 

Re: Looking for new Maintainer for gpgOSX

[Patrick Brunschwig]

I'm happy to announce that Ralph Seichter has taken over the lead for
gpgOSX. Ralph already started to work on the code, and I transferred the
 ownership of the project to him.

Many thanks to Ralph for takin over so quickly!

-Patrick

Patrick Brunschwig wrote on 26.06.2022 18:12:
> gpgOSX is a free pre-packaged install-able distribution of standard
> GnuPG 2.x  for macOS. I am maintaining it since the release of GnuPG
> 2.1.0 back in 2014.
> 
> As many of you know, I'm also maintaining Enigmail. Since OpenPGP
> support is part of Thunderbird, my involvement with Enigmail has reduced
> a lot, and so has my involvement with GnuPG. Furthermore, I don't have a
> Mac anymore, and it has become more and more difficult and cumbersome to
> continue maintaining and building gpgOSX. I am therefore looking for
> someone who would want to step in and take over the project.
> 
> If you're interested, then please get in touch with me.
> 
> Thanks,
> Patrick



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Looking for new Maintainer for gpgOSX

[Patrick Brunschwig]

gpgOSX is a free pre-packaged install-able distribution of standard
GnuPG 2.x  for macOS. I am maintaining it since the release of GnuPG
2.1.0 back in 2014.

As many of you know, I'm also maintaining Enigmail. Since OpenPGP
support is part of Thunderbird, my involvement with Enigmail has reduced
a lot, and so has my involvement with GnuPG. Furthermore, I don't have a
Mac anymore, and it has become more and more difficult and cumbersome to
continue maintaining and building gpgOSX. I am therefore looking for
someone who would want to step in and take over the project.

If you're interested, then please get in touch with me.

Thanks,
Patrick



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: [openpgp-email] Invitation to the 6th OpenPGP Email Summit

[Patrick Brunschwig]

The OpenPGP Email Summit will start in 12 Days. If you want to attend,
then please add your name to the following Cryptpad, such that we can
plan for food, drinks etc.

https://cryptpad.fr/pad/#/2/pad/edit/EtMIfWF2q6qP+c3iv8qNH+x0/

See you soon!
-Patrick

Patrick Brunschwig wrote on 18.04.2022 11:43:
> I'm happy to announce the 6th OpenPGP Email Summit which will take place
>
> Friday, May 27 & Saturday, May 28, 2022
>   in Geneva (Switzerland) at the offices of Proton AG
>  (the company behind ProtonMail and OpenPGP.js)
>
> For those who are interested in chatting, hacking or starting
> discussions prior to the "real" summit, there is the option to already
> meet on Thursday, May 26.
>
> REGISTRATION
> 
>
> If you want to attend, please add yourself to the following cryptpad:
> https://cryptpad.fr/pad/#/2/pad/edit/EtMIfWF2q6qP+c3iv8qNH+x0/
>
> If you need funding for your travel/hotel expenses, then please get
> in contact with me.
>
>
> ABOUT THE OpenPGP EMAIL SUMMIT
> ==
>
> This is an event open for anybody involved in the development of email
> clients using OpenPGP for encryption, and related software.
>
> We already had 5 OpenPGP Email Summits at various locations in Europe.
> These are meetings by technical experts of projects and tools dealing
> with OpenPGP with a focus on email encryption. The goals are to better
> get to know each other, and to discuss and work on several technical
> issues that hopefully improve certain aspects of OpenPGP-based email
> encryption. For details, see
>   https://wiki.gnupg.org/OpenPGPEmailSummits
>
>
>
> NOTES
> =
> This is a meeting of those who develop software. Thus, we will have a
> lot of tech talk about key servers, key exchange, subject encryption,
> password recovery, etc.
>
> Thus, feel free to join us if you are working in the area of
> - TECHNICAL DETAILS
> - for SENDING or PROCESSING ENCRYPTED EMAILS
> - with OpenPGP
> - in a project or product.
>
> Note that this is neither a well-organized conference nor a commercial
> meeting. The agenda will be driven by the attendees. Anyone may propose
> any topic for discussion, as long as he/she is ready to lead the discussion.
>
> More details are available on the web site:
> https://wiki.gnupg.org/OpenPGPEmailSummit202205
>
>
> Looking forward to meeting you in Geneva
> -Patrick



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Invitation to the 6th OpenPGP Email Summit

[Patrick Brunschwig]

I'm happy to announce the 6th OpenPGP Email Summit which will take place

Friday, May 27 & Saturday, May 28, 2022
  in Geneva (Switzerland) at the offices of Proton AG
 (the company behind ProtonMail and OpenPGP.js)

For those who are interested in chatting, hacking or starting
discussions prior to the "real" summit, there is the option to already
meet on Thursday, May 26.

REGISTRATION


If you want to attend, please add yourself to the following cryptpad:
https://cryptpad.fr/pad/#/2/pad/edit/EtMIfWF2q6qP+c3iv8qNH+x0/

If you need funding for your travel/hotel expenses, then please get
in contact with me.


ABOUT THE OpenPGP EMAIL SUMMIT
==

This is an event open for anybody involved in the development of email
clients using OpenPGP for encryption, and related software.

We already had 5 OpenPGP Email Summits at various locations in Europe.
These are meetings by technical experts of projects and tools dealing
with OpenPGP with a focus on email encryption. The goals are to better
get to know each other, and to discuss and work on several technical
issues that hopefully improve certain aspects of OpenPGP-based email
encryption. For details, see
  https://wiki.gnupg.org/OpenPGPEmailSummits



NOTES
=
This is a meeting of those who develop software. Thus, we will have a
lot of tech talk about key servers, key exchange, subject encryption,
password recovery, etc.

Thus, feel free to join us if you are working in the area of
- TECHNICAL DETAILS
- for SENDING or PROCESSING ENCRYPTED EMAILS
- with OpenPGP
- in a project or product.

Note that this is neither a well-organized conference nor a commercial
meeting. The agenda will be driven by the attendees. Anyone may propose
any topic for discussion, as long as he/she is ready to lead the discussion.

More details are available on the web site:
https://wiki.gnupg.org/OpenPGPEmailSummit202205


Looking forward to meeting you in Geneva
-Patrick


-- 
Patrick Brunschwig
mailto:patr...@enigmail.net
PGP fingerprint: 4F9F 89F5 505A C1D1 A260 631C DB11 87B9 DD5F 693B



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

GpgOSX for Apple Silicon

[Patrick Brunschwig]

I have created a first version of GpgOSX 2.2.25 for the new Apple
Silicon architecture (ARM processor).

However, I don't have a machine to test my build, thus I can't verify if
it works. Therefore, if someone has access to an ARM-based Mac, then
please get in touch with me.

Thanks,
Patrick



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Thunderbird / Enigmail / Autocrypt

[Patrick Brunschwig]

If you think about using the current stable version of Thunderbird
(version 78), then there is no Enigmail and no Autocrypt. OpenPGP has
been implemented directly in Thunderbird, but there is currently no
Autocrypt support in Thunderbird.

-Patrick

Daniel Bossert via Gnupg-users wrote on 20.11.2020 10:23:
> Hello all
> 
> How secure is it to use Thundebrird with Autocrypt? I use Sylpheed at the 
> moment, but it is not that comfortable to use as Thunderbird.
> Also, when I send an email, the signature will be shown instead like with 
> thunderbid just an info that the mail is signed
> 
> Do you have some inputs?
> 
> Regards
> Daniel
> 
> 
> 
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
> 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

agent_genkey failed: Invalid flag

[Patrick Brunschwig]

A user of Enigmail tried to create a key using the following command:

/usr/bin/gpg2 --charset utf-8 --display-charset utf-8 \
--no-auto-check-trustdb --batch --no-tty --no-verbose --status-fd 2 \
--gen-key
%echo Generating key
Key-Type: EDDSA
Key-Curve: Ed25519
Key-Usage: sign
Subkey-Type: ECDH
Subkey-Curve: Curve25519
Subkey-Usage: encrypt
Name-Real: [name]
Name-Email: [email]
Expire-Date: 1825

gpg reports the following error:

gpg: agent_genkey failed: Invalid flag
gpg: key generation failed: Invalid flag
[GNUPG:] ERROR key_generate 16777288
[GNUPG:] KEY_NOT_CREATED

Any idea what could be wrong here?

-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Exchange between muiltiple OpenPGP implementations

[Patrick Brunschwig]

Peter Lebbing wrote on 31.05.2020 11:07:
> Hi,
> 
> On 31/05/2020 10:01, Patrick Brunschwig wrote:
>> The only "problem" might be that you have different keys on different
>> key rings. But this is not necessarily a problem - you use different
>> keys for different purposes and you can import and export the keys
>> between the tools if needed.
> 
> Does the new TB implementation support TOFU? If so, you lose your TOFU
> historical data and identity assertions when you would export/import to
> a different OpenPGP implementation. That'd be a shame. Maybe there's a
> need for a standardised interchange format for that.

TB chose (unfortunately in my eyes) to currently only support explicit
trust using their own trust handling. I hope that future versions will
support other methods.

-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Certified OpenPGP-encryption after release of Thunderbird 78

[Patrick Brunschwig]

Andreas Boehlk Computer-Service wrote on 31.05.2020 11:09:
> Hello Patrick,
> 
> 
> Am 31.05.2020 um 10:01 schrieb Patrick Brunschwig:
>> Mark wrote on 31.05.2020 01:28:
>>> Doesn't TB also need your secret keys to decrypt messages?  
>>
>> With smartcard support via GnuPG, all secret key operations are handled
>> by GnuPG, and all public key operations are handled by TB (Note: the
>> standard case, without smartcard support, will be that all keys are in
>> Thunderbird).
>>
>> The use-cases are clearly distinct:
>> - encryption: you only need public keys
>> - decryption: you only need secret keys
>> - signing: you only need secret keys
>> - verification: you only need public keys
>>
> The standard user will not be able to work with that "solution".
> Compared to the "enigmail-solution" this is the hell and bound to fail.

Let's first define Standard users. The majority of users who use
smartcards that *I* know are expert or power users. They can handle this.

The "Standard users" I have in mind don't use GnuPG for anything else
than encrypting mails, and they don't use smartcards either. They won't
have this issue in any way.

>>> Also what if you need your public keys outside of TB such as encrypting
>>> a file?
>>
>> That's not supported by Thunderbird. The idea of OpenPGP in Thunderbird
>> is that you use it for email.
>>
> That is correct, but nevertheless it is mandatory to have and use a
> single key-store.

For which use-case precisely? If you only use OpenPGP for emails (and
given the users I know who had support cases in the past, this is true
for the majority of the Enigmail users), then this is irrelevant.

To be quite clear: Thunderbird will not support GnuPG for scenarios
other than handling secret keys. And that's only because the OpenPGP
library they use can't handle smartcards yet. Once the library will
support smartcards, I expect that GnuPG support will be removed entirely.

Note: I'm not a Thunderbird developer and I don't drive Thunderbird
decisions -- this is simply my expectation of what will happen.

-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Certified OpenPGP-encryption after release of Thunderbird 78

[Patrick Brunschwig]

Mark wrote on 31.05.2020 01:28:
> Doesn't TB also need your secret keys to decrypt messages?  

With smartcard support via GnuPG, all secret key operations are handled
by GnuPG, and all public key operations are handled by TB (Note: the
standard case, without smartcard support, will be that all keys are in
Thunderbird).

The use-cases are clearly distinct:
- encryption: you only need public keys
- decryption: you only need secret keys
- signing: you only need secret keys
- verification: you only need public keys

> Also what if you need your public keys outside of TB such as encrypting
> a file?

That's not supported by Thunderbird. The idea of OpenPGP in Thunderbird
is that you use it for email.

> The reason I'm asking is that awhile ago I posted about unknown files in
> my GNUPG directory. PAPubring.gpg and PAsecring.gpg. I eventually found
> out those are key rings used by a program I have called Power Archiver.
> I'm not sure why it has it own set of keys, still awaiting an
> explanation from support. If every app is not using the same pair of key
> rings (and there is no synchronization between them) could that not lead
> to problems?

The only "problem" might be that you have different keys on different
key rings. But this is not necessarily a problem - you use different
keys for different purposes and you can import and export the keys
between the tools if needed.

-Patrick

> On 5/30/2020 12:57 PM, Patrick Brunschwig wrote:
>> Mark wrote on 30.05.2020 20:54:
>>> So then do you have multiple pairs of key rings? One pair for TB78 and
>>> its built in PGP and another pair as part of GNUPG?
>> No exactly. You have your secret keys with GnuPG, and your public keys
>> with Thunderbird. No synchronization required.
>>
>> -Patrick
>>> If so how do you keep them synchronized?
>>>
>>> On 5/30/2020 9:17 AM, Patrick Brunschwig wrote:
>>>> Robert J. Hansen wrote on 30.05.2020 01:07:
>>>>>> If TB 78 is going to have native support of openGPG encryption, then the
>>>>>> original person in the thread should be able to export all of the keys
>>>>>> in their key rings, and import all of those keys into TB 78, or am I
>>>>>> missing one of the gotchas with
>>>>>> TV 78 and it's openGPG encryption support.
>>>>> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
>>>>> even import a key*."
>>>> I'm sorry, but that is simply not true. There is a known bug in the
>>>> library used by Thunderbird (RNP) that leads to crashes when importing
>>>> _certain_ keys. But I succeeded in importing all of my keys without any
>>>> problems (more than 1.000), except for 5 V3-keys. I can definitely say
>>>> that it's not just broken, and it can import keys.
>>>>
>>>>> I'm not kidding.  It is so far from complete that Kai Englert, who leads
>>>>> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
>>>>> TB until version 78.2, or about a three-month delay.
>>>> Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_
>>>> but users may still enable it manually.
>>>>
>>>>> At present, as of -Beta3, TB78's OpenPGP support is badly broken.
>>>> No, it's incomplete - work in progress. That's not quite the same.
>>>>
>>>> -Patrick




signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Certified OpenPGP-encryption after release of Thunderbird 78

[Patrick Brunschwig]

Mark wrote on 30.05.2020 20:54:
> So then do you have multiple pairs of key rings? One pair for TB78 and
> its built in PGP and another pair as part of GNUPG?

No exactly. You have your secret keys with GnuPG, and your public keys
with Thunderbird. No synchronization required.

-Patrick
> 
> If so how do you keep them synchronized?
> 
> On 5/30/2020 9:17 AM, Patrick Brunschwig wrote:
>> Robert J. Hansen wrote on 30.05.2020 01:07:
>>>> If TB 78 is going to have native support of openGPG encryption, then the
>>>> original person in the thread should be able to export all of the keys
>>>> in their key rings, and import all of those keys into TB 78, or am I
>>>> missing one of the gotchas with
>>>> TV 78 and it's openGPG encryption support.
>>> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
>>> even import a key*."
>> I'm sorry, but that is simply not true. There is a known bug in the
>> library used by Thunderbird (RNP) that leads to crashes when importing
>> _certain_ keys. But I succeeded in importing all of my keys without any
>> problems (more than 1.000), except for 5 V3-keys. I can definitely say
>> that it's not just broken, and it can import keys.
>>
>>> I'm not kidding.  It is so far from complete that Kai Englert, who leads
>>> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
>>> TB until version 78.2, or about a three-month delay.
>> Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_
>> but users may still enable it manually.
>>
>>> At present, as of -Beta3, TB78's OpenPGP support is badly broken.
>> No, it's incomplete - work in progress. That's not quite the same.
>>
>> -Patrick
>>
>> ___
>> Gnupg-users mailing list
>> Gnupg-users@gnupg.org
>> http://lists.gnupg.org/mailman/listinfo/gnupg-users

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Certified OpenPGP-encryption after release of Thunderbird 78

[Patrick Brunschwig]

Robert J. Hansen wrote on 30.05.2020 01:07:
>> If TB 78 is going to have native support of openGPG encryption, then the
>> original person in the thread should be able to export all of the keys
>> in their key rings, and import all of those keys into TB 78, or am I
>> missing one of the gotchas with
>> TV 78 and it's openGPG encryption support.
> 
> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
> even import a key*."

I'm sorry, but that is simply not true. There is a known bug in the
library used by Thunderbird (RNP) that leads to crashes when importing
_certain_ keys. But I succeeded in importing all of my keys without any
problems (more than 1.000), except for 5 V3-keys. I can definitely say
that it's not just broken, and it can import keys.

> I'm not kidding.  It is so far from complete that Kai Englert, who leads
> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
> TB until version 78.2, or about a three-month delay.

Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_
but users may still enable it manually.

> At present, as of -Beta3, TB78's OpenPGP support is badly broken.

No, it's incomplete - work in progress. That's not quite the same.

-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Certified OpenPGP-encryption after release of Thunderbird 78

[Patrick Brunschwig]

Robert J. Hansen wrote on 30.05.2020 01:26:
>> 1. Will key management and crypto happen in the same process as
>> IMAP/POP/SMTP, GUI, JavaScript and everything else? If so - do you
>> believe it's acceptable?
> 
> It should be an easy learning curve for Enigmail users.  That isn't the
> same as finding it acceptable, though.
> 
> Back in the mid-'90s PGP came out with a GUI for PGP 5, and it's
> universally agreed at user interface was horrific.  (See "Why Johnny
> Can't Encrypt" for a detailed teardown.)  The problem was that this
> horrific user interface became the standard user interface, and most
> OpenPGP key managers ever since have adopted it.  Those that haven't
> adopted it, nobody uses, because their UI is so different than
> everything else.
> 
>> 2. Is there any real plan to have working smartcard support in the
>> near future?
> 
> No.  There's some talk about supporting it, but as far as I know there's
> no plan to do it.  It's still at the "you know, it'd be kind of nice
> if..." stage, not the "we really should do this" stage.

The plan is to support smartcards (by using GnuPG for private key
operations). This is already working partially, and is foreseen to be
available in TB 78.

-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Should gpg try to connect to TCP/993?

[Patrick Brunschwig]

Bjarni Runar Einarsson wrote on 23.10.2019 21:35:
[...]
>>> Each active TCP/IP connection has an open file descriptor. So, if
>>> Enigmail's gpg launcher hasn't taken care to close unneeded file
>>> descriptors after fork() and before exec()
> [...]
>> Should the `Enigmail's gpg launcher` take care of that? Maybe
>> is a bug or something?
> 
> IMO, yes, if this is what is going on it is almost certainly a
> bug. Whatever code is calling exec() should be closing file
> descriptors first. Not doing so can lead to all sorts of wasted
> resources and even deadlocks if processes depend on file
> descriptors getting properly closed in a timely fashion.

Your guess is perfectly right, that's exactly what happens. Enigmail
uses a standard library provided by Mozilla for add-ons to execute
processes. Earlier versions of the library did close all file
descriptors correctly. But the library is written in JavaScript, and
closing all file descriptors could sometimes lead to Thunderbird/Firefox
crashes. Therefore that part has been disabled.

It's therefore not surprising to see such open connections from gpg
processes, but I don't consider this bad.

-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Future OpenPGP Support in Thunderbird

[Patrick Brunschwig]

Jeff Allen via Gnupg-users wrote on 18.10.2019 16:02:
[...]
> My take on your original explanation of the reason for Enigmail's
> pending demise is that a changed Thunderbird plug-in scheme makes it
> more efficient to build Enigmail functionality into the MUA.

That's only the 2nd half of the explanation. 1st and foremost, the
changed plugin scheme comes along with a completely new API (that does
not even exist completely by now). This would require me to rewrite
almost all of Enigmail from scratch. I don't have enough free time for
doing that, nor would I be interested in it. This, and nothing else, was
initially the reason why we started the discussion with the Thunderbird
team.

> Why not stick with that and focus on what has made Enigmail
> successful?
What is the reason in your eyes that made Enigmail successful?

-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Future OpenPGP Support in Thunderbird

[Patrick Brunschwig]

Binarus wrote on 16.10.2019 17:37:
> 
> 
> On 16.10.2019 13:07, Patrick Brunschwig wrote:
>> worry for me. The main problem is the additional complexity that it
>> brings if you require an external component that you cannot *fully*
>> control. This covers topics like different behavior of different
>> versions, but also configuration issues, users rights to install
>> something on their PC and more. Gpgme may handle some of these issues,
>> but the fact remains: an external component makes things a lot more
>> complex, especially for support.
> 
> I think this is the usual trade-off. One has to put time
> 
> - either in understanding the APIs and command line parameters of a
> library / utility, and to keep up with changes, or
> 
> - in re-inventing the wheel, which in this case for sure will cost much
> more time and eventually produce catastrophic security breaches and
> software which is drastically inferior compared to what we have now.
> 
> After all, everybody uses libraries and utilities. It is just reasonable
> to have an expert work on a library or utility which uses techniques and
> mathematical stuff which non-specialists never will understand in
> detail, and have the non-specialists use that library or utility,
> instead of letting them re-develop the same stuff, probably introducing
> all sorts of security flaws and producing inferior software.
> 
> When I have a bash script under Linux which invokes a compiler using a
> complicated command line, I wouldn't come to the idea to re-develop that
> compiler and integrate it directly into bash because that compiler's
> command line switches could change in the next version ...
> 
> I am still convinced that re-writing GnuPG (including all functions like
> hardware tokens, subject encryption etc.) in a secure manner is a
> hundred times more complex and a million times more error-prone than
> tracking a few changes to its command line switches or error codes ever
> could be. Apart from that, there is GpgME, as already has been stated.

In all cases, we certainly won't re-write GnuPG or similar. The question
on the table is: do we continue to use GnuPG (be it directly or via
gpgme), or do we use a different OpenPGP implementation (and if yes
which one). There are certainly good arguments for both.

-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Future OpenPGP Support in Thunderbird

[Patrick Brunschwig]

Werner Koch wrote on 16.10.2019 13:54:
> On Wed, 16 Oct 2019 13:07, Patrick Brunschwig said:
> 
>> something on their PC and more. Gpgme may handle some of these issues,
>> but the fact remains: an external component makes things a lot more
>> complex, especially for support.
> 
> Right GPGME handles this all pretty well and I have suggested often
> enough that you should move to GPGME so that we can better support
> Enigmail.  Your comment about external components is right from a
> company POV; however Enigmail is also an external component to TB and
> thus TB suffers from very similar problem.  GpgOL and GnuPG both are

Which is why the step to implement OpenPGP in Thunderbird is the right
way to go.

> maintained by us and thus I know very well this helps to reduce
> friction.

We're getting slightly off-topic, but still:
You're perfectly right with everything you say. But you seem to
underestimate the difference between zipping an extension that is pure
JavaScript, and preparing an extension that needs to contain compiled
libraries for multiple platforms in order to cater for all variants of
pre-installed GnuPG installations and all variations of Thunderbird
installations (to be precise, at the very least I'd have to ship for 6
platforms: Win/mac/Linux * 32/64 bit).

Frankly speaking, if I would consider to switch to a library instead of
calling GnuPG directly, I would at first evaluate OpenPGP.js in Enigmail
-- that would be a lot more natural.

-Patrick


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Future OpenPGP Support in Thunderbird

[Patrick Brunschwig]

Binarus wrote on 16.10.2019 10:47:
> 
> On 14.10.2019 16:15, Jeff Allen via Gnupg-users wrote:
>>> I don't know either, but perhaps it is in the debug logs the Enigmail
>>> team analyzes?
>>
>> I have used Enigmail since its inception and have never knowingly
>> submitted a log or answered a survey and have always assumed Enigmail
>> does not phone home.
> 
> I am sure that it doesn't phone home. However, to give an example, I had

You can be certain that I'd never implement that.
[...]
> I suppose that the Enigmail team gets quite a lot of such debug logs.
> But I still can't tell (and currently don't have the time to
> investigate) if those logs can tell which keys had been generated by
> Enigmail and which had been generated externally, so the whole thing was
> a guess anyway.

Yes, I did and do get quite a lot of debugging log files, and even more
support requests. And I really speak from experience when I say that the
vast majority of the users of Enigmail don't store their private keys on
external devices.

[...]

> So why not take Enigmail, integrate it into TB, and bundle Gpg4Win setup
> with TB setup? All software they ever could develop themselves will be
> inferior compared to that package, at least in the first time.

I have almost 17 years of experience with supporting Enigmail. About 90%
of all support requests that I get turn out to be setup issues with
GnuPG. Interestingly, most of them are on Linux, even though all Linux
distributions I know ship GnuPG. The bundling/shipping would not be a
worry for me. The main problem is the additional complexity that it
brings if you require an external component that you cannot *fully*
control. This covers topics like different behavior of different
versions, but also configuration issues, users rights to install
something on their PC and more. Gpgme may handle some of these issues,
but the fact remains: an external component makes things a lot more
complex, especially for support.

-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Future OpenPGP Support in Thunderbird

[Patrick Brunschwig]

Binarus wrote on 13.10.2019 18:27:
[...]
> 1) The schedule
> 
> We have all been educated to update our applications (notably, "internet
> applications" like browser and email clients) as soon as updates are
> available; at least, this is true for security updates.
> 
> Despite release plans, I think nobody knows for sure how much time
> actually will pass between TB 72's predecessor and TB 78, and how many
> security updates will be released between these versions.
> 
> During that time, I either can't use Enigmail (if I decide to install
> the security updates), or I have to ignore the security updates
> (possibly putting me to risk).
> 
> Did I understand this correctly?

The current stable version of Thunderbird is 68 (and 60 for a few more
weeks); the next stable version will be 78. Users of Enigmail staying on
the stable version of Thunderbird will receive all security updates
until TB 78 will be available. Thunderbird 69 ... 77 are only released
as beta versions that are not intended for end users.

-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Future OpenPGP Support in Thunderbird

[Patrick Brunschwig]

Werner Koch via Gnupg-users wrote on 13.10.2019 11:56:
> On Sat, 12 Oct 2019 12:43, Chris Narkiewicz said:
> 
>> Do you know why they resited OpenPGP adoption it so much?
> 
> iirc, they said that they want to support only one protocol and settled
> for S/MIME.  This still did not explain why they rejected our proposal
> to clean up their S/MIME code and implement missing stuff so that TB
> could be used for tasks of the German administrative and to be
> compatible with a wider range of S/MIME implementations.  The plan was
> to do that all within TB and without external dependencies.

I think there are two reasons why TB changed their minds:
1. there are different people working on Thunderbird than years ago.
2. in the past, TB was a direct part of Mozilla. Now, Thunderbird is an
independent organization under the umbrella of the Mozilla Foundation,
with an independent council and their own independent financial income
stream.

These two factors lead to a completely different mindset towards what is
good for TB.

-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Future OpenPGP Support in Thunderbird

[Patrick Brunschwig]

BruderB wrote on 12.10.2019 10:43:
> Hej all,
> 
> Am 12.10.19 um 08:23 schrieb Robert J. Hansen:
>> they're going to insist on running their own keyring internal to
>> Thunderbird which isn't shared with anything else.  (I imagine
>> *importing* from a GnuPG keyring will be supported, but *sharing* a
>> keyring is right out.)
> 
> _They_ can insist on whatever they want. If they close their shop
> towards external built keys (for example with xca), they hopefully won't
> find much acceptance.

The vast majority of users of Enigmail (somewhere around 98%) don't use
external built keys. The vast majority of users also don't use GnuPG for
anything else than email. These users don't care where their key is
stored, nor which software under the hood is used for the crypto. All
they care is that encryption works smoothly.

I'm sorry, but everything written here is pure speculation. We are still
in the phase of considering our options. Depending on the chosen
approach, we may just as well end up with something completely different
than what you'd imagine.

The most important aspects from our side are the following: The chosen
solution must run smoothly for the ~20M users of Thunderbird without
causing a large amount of support/setup issues. We want to have
something that satisfies as many users of Enigmail as possible. We
certainly don't want to have people run away from Thunderbird because of
OpenPGP.

-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Future OpenPGP Support in Thunderbird

[Patrick Brunschwig]

The Thunderbird developers have announced that they will implement
OpenPGP support in Thunderbird 78 [1]. Support for Thunderbird in
Enigmail will therefore be discontinued.

I'd like to explain in the following paragraphs what this will mean for
Enigmail, and why this is an inevitable step.

The Future of Enigmail
--
I will continue to support and maintain Enigmail for Thunderbird 68
until 6 months after Thunderbird 78 will have been released (i.e. a few
months beyond Thunderbird 68 EOL). Enigmail will not run anymore on
Thunderbird 72 beta and newer.

Will this be the end of Enigmail?

No! I will continue to maintain and support Enigmail for Postbox, which
is running on a different release schedule than Thunderbird for the
foreseeable future.

Why Is This Happening?
--
The Mozilla developers have been and still are actively working on
removing old code from their code base. This affects not only
Thunderbird itself, but also add-ons. While it was possible for
Thunderbird to keep old "legacy" add-ons alive for a certain time, the
time has come for Thunderbird to stop supporting them [2]. Thunderbird
78 will no longer to support the APIs that Enigmail requires and only
allow new "WebExtensions".

WebExtensions have a completely different API than classical add-ons,
and a much reduced set of capabilities to hook into the user interface.
For Enigmail to continue to work, it would therefore be required to
rewrite it from scratch. However, that's beyond my available time
limitations.

The Thunderbird developers and I have therefore agreed that it's much
better to implement OpenPGP support directly in Thunderbird. The set of
functionalities will be different than what Enigmail offers, and at
least initially likely be less feature-rich. But in my eyes, this is by
far outweighed by the fact that OpenPGP will be part of Thunderbird and
no add-on and no third-party tool will be required.

-Patrick


[1]
https://blog.mozilla.org/thunderbird/2019/10/thunderbird-enigmail-and-openpgp/
[2] https://groups.google.com/forum/#!topic/tb-planning/-E8Yw6POxEE





signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Invitation to the 5th OpenPGP Email Summit

[Patrick Brunschwig]

Up to now, I only got 12 replies.

*Reminder: Please send me a mail if you plan to come*

Thanks,
Patrick


On 18.06.2019 13:05, Patrick Brunschwig wrote:
> I'm happy to announce the 5th OpenPGP Email Summit which will take place
> 
>   Saturday, October 12 until Sunday, October 13, 2019
>   in Berlin (Germany) at the Onion Space.
> 
> Last year, the idea came up that it would be nice if some of the topics
> discussed could directly be prototyped. I have therefore booked the
> Onion Space for Monday and Tuesday (October 14/15), such that those who
> are interested can directly start working on their product.
> 
> ABOUT THE OpenPGP EMAIL SUMMIT
> ==
> 
> This is an event open for anybody involved in the development of email
> clients using OpenPGP for encryption, and related software.
> 
> We already had four OpenPGP Email Summits at various locations in
> Europe. These are meetings by technical experts of projects and tools
> dealing with OpenPGP with a focus on email encryption. The goals are to
> better get to know each other, and to discuss and work on several
> technical issues that hopefully improve certain aspects of OpenPGP-based
> email encryption. For details, see
>   https://wiki.gnupg.org/OpenPGPEmailSummits
> 
> 
> REGISTRATION
> 
> If you want to attend, please *send an informal email* to:
>  patr...@enigmail.net
> 
> Please let me know if you plan to stay on Monday and/or Tuesday.
> 
> If you need funding for your travel/hotel expenses, then please get
> in contact with me.
> 
> 
> NOTES
> =
> This is a meeting of those who develop software. Thus, we will have a
> lot of tech talk about key servers, key exchange, subject encryption,
> password recovery, etc. If you just are interested in these topics as a
> user, you probably will be bored to death .
> 
> Thus, feel free to join us if you are working in the area of
> - TECHNICAL DETAILS
> - for SENDING or PROCESSING ENCRYPTED EMAILS
> - with OpenPGP
> - in a project or product.
> 
> Note however, that due to capacity reasons we cannot have more
> than 1-2 people from each project. We can host about 30 attendees.
> 
> Note that this is still neither a well-organized conference nor a
> commercial meeting. The agenda will be driven by the attendees. Anyone
> may propose any topic for discussion, as long as he/she is ready to lead
> the discussion.
> 
> More details are/will be available on the web site:
> https://wiki.gnupg.org/OpenPGPEmailSummit201910
> 
> 
> Looking forward to meeting you in Berlin
> -Patrick



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Enigmail

[Patrick Brunschwig]

On 31.07.2019 14:26, David wrote:
> Consider the fact that for 30 times Enigmail refused to accept the
> passphrase for da...@gbenet.com
> 
> I decided to send an encrypted email to Erich. When selecting his
> private key there was no automatic tick in postmaster. But a tick in
> Erich's public key
> 
> On sending I thought I was going to be asked for david's passphrase yet
> again - but no - the email passed very quickly.
> 
> This begs the following questions:
> 
> (1) Why is postmaster always selcected as the default public key?
> (2) Why is it on failing 30 times to accept david's passphrase why does
> enigmail mysteriously remember it when it rejected 30 times?
> 
> Answers on a postcard please

I start to believe that your expectation of what should happen differs
from what actually happens.

The way things work in Enigmail are as follows: you select a *sender
account* in the Thunderbird message composition window. Based on that
sender account configuration (and nothing else), Enigmail decides which
key to use for *signing* your message. Remember, the passphrase is
needed for signing, not for encryption -  it does not matter if
Postmaster or Erich are in the recipients list.

If you get a dialog to choose the key(s) _after_ you hit the send
button, then those are the keys to which the message is *encrypted* to.
But again, you don't need a passphrase for any of these keys. Thus, if
you tell me that you expected to have to tick Postmaster in the dialog,
then that won't let you choose the key for signing.

HTH
-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Enigmail

[Patrick Brunschwig]

On 31.07.2019 13:46, David wrote:
> Hello Erich,
> 
> I did what you said - associated each email address with  it's own key.
> I then shut down Thunderbird re-started and carried out the following test:
> 
> Test One:
> 
> I sent an encrypted and signed email to site-admin from postmaster. I
> received the email - it took 6 attempts to decrypt it.
> 
> I then decided to reply - so I sent an encrypted and signed email to
> postmaster - I was unable to  sign as site-admin - after 9 attempts of
> entering the passphrase - each time rejected by Enigmail. I was unable
> to send a signed and encrypted email to postmaster.

I'm sorry, but there's a misunderstanding. Enigmail does /not/ query
your passphrase. Enigmail calls GnuPG, and GnuPG asks for your
passphrase if needed. If the passphrase is rejected that's not related
to Enigmail.

-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Enigmail

[Patrick Brunschwig]

On 31.07.2019 08:56, David wrote:
> Patrick Brunschwig:
>> On 31.07.2019 00:36, David wrote:
>>> Andrew Gallagher:
>>>>
>>>>> On 30 Jul 2019, at 18:47, David  wrote:
>>>>>
>>>>> Hello Stefan,
>>>>>
>>>>> I have three email accounts with their own keys - Enigmail does not
>>>>> support this - you have to have one key and that's it.
>>>>
>>>> That is simply not true. I used enigmail with multiple keys for years 
>>>> without any issues. If you’re having issues configuring it, perhaps ask on 
>>>> the enigmail list.
>>>>
>>>> A
>>>>
>>>
>>> I have done so - but have got no advice on the correct settings in
>>> Thunderbird or Enigmail.
>>
>> That's not true. I have asked you for more details on the Enigmail
>> mailing list. But instead of responding, you came here to ask the same
>> questions.
>>
>> As Enigmail uses GnuPG for any crypto-operations, I don't think that the
>> problem is in Enigmail, but in your setup. Feel free to answer my
>> questions on the Enigmail mailing list, and I'll continue to try to find
>> out what goes wrong.
>>
>> -Patrick
>>
> 
> Hello Patrick,
> 
> I did not approach this list for answers - I just asked if anyone knew
> of an alternative. I then got drawn in to what was the problem.
> 
> People say "Oh your settings are wrong" But the FAIL to give the RIGHT
> SETTINGS!! And then go waffling on
> 
> I have turned back the clock some 20 years - so have no settings to
> support further keys.
> 
> Having said that - I would appreciate exactly what settings will work to
> enable me to sign with other emails and the public key associated with
> it and to be able to encrypt and sign with differing emails and keys.
> 
> I want specific instructions - not moaning and groaning my settings are
> wrong and I don't know what I'm doing - that approach does not lead to a
> solution.

Here are the instructions:

1. Open the Thunderbird Account Settings (menu Tools > Account Settings)
2. switch to the tab "OpenPGP Security"
3. make sure that "Enable OpenPGP support" is checked
4. click on the button "Select key"
5. select the key that matches the email address of the account

Repeat Steps 2-5 for each and every of your accounts/email addresses.

If you follow(ed) these instructions, then everything else /should/ go
automatically and you /should/ not have any issues. If you do have
issues, then there are no simple instructions - we have to dig to find
out what's wrong.

The questions I asked on the Enigmail mailing list are the 1st step into
trying to find out why things don't work as expected, as I assumed that
-- as a long-term user -- you already did configure Enigmail correctly.

-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Enigmail

[Patrick Brunschwig]

On 31.07.2019 00:36, David wrote:
> Andrew Gallagher:
>>
>>> On 30 Jul 2019, at 18:47, David  wrote:
>>>
>>> Hello Stefan,
>>>
>>> I have three email accounts with their own keys - Enigmail does not
>>> support this - you have to have one key and that's it.
>>
>> That is simply not true. I used enigmail with multiple keys for years 
>> without any issues. If you’re having issues configuring it, perhaps ask on 
>> the enigmail list.
>>
>> A
>>
> 
> I have done so - but have got no advice on the correct settings in
> Thunderbird or Enigmail.

That's not true. I have asked you for more details on the Enigmail
mailing list. But instead of responding, you came here to ask the same
questions.

As Enigmail uses GnuPG for any crypto-operations, I don't think that the
problem is in Enigmail, but in your setup. Feel free to answer my
questions on the Enigmail mailing list, and I'll continue to try to find
out what goes wrong.

-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Avoiding hardcoded paths when static-compiling

[Patrick Brunschwig]

On 12.07.2019 21:21, Konstantin Ryabitsev wrote:
> Hi, all:
> 
> I provide an RPM package called gnupg22-static for those who need to run
> newer versions of GnuPG on CentOS-7 environments (it's stuck on
> gnupg-2.0 there). For compilation, I use the convenient STATIC=1
> mechanism, but there's still the problem that all paths end up being
> hardcoded to the RPM buildroot environment.
> 
> The full build command is:
> make -f build-aux/speedo.mk STATIC=1 CUSTOM_SWDB=1 INSTALL_PREFIX=. 
> this-native
> In the RPM context, the INSTALL_PREFIX ends up being inside a buildroot
> location, like so:
> 
> /builddir/build/BUILD/gnupg-2.2.17/
> 
> However, the final installation of this will be in /opt/gnupg22, which
> means that if a binary needs to call another binary, it will try to
> execute /builddir/build/BUILD/gnupg-2.2.17/bin/foo (and fail).
> 
> I can't set INSTALL_PREFIX=/opt/gnupg22, because that will make the RPM
> build fail (it cannot write outside of /builddir), so I need a way to
> tell the binaries during build time that their final install path will
> be different than the path used during build.
> I am able to use gpg and gpgv this way by setting agent-program and
> dirmngr-program config values, but trying to make this work with
> gpg-wks-server fails.
> 
> Any pointers on how I can make this work without hardcoding bogus
> build-time paths?

I have the same situation for building gpgOSX. The solution is this:

./configure \
--with-pinentry-pgm=${TARGET_DIR}/bin/pinentry \
--with-agent-pgm=${TARGET_DIR}/bin/gpg-agent \
--with-scdaemon-pgm=${TARGET_DIR}/libexec/scdaemon \
--with-dirmngr-pgm=${TARGET_DIR}/bin/dirmngr \
--with-dirmngr-ldap-pgm=${TARGET_DIR}/libexec/dirmngr_ldap \
--with-protect-tool-pgm=${TARGET_DIR}/libexec/gpg-protect-tool \
etc.


-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

How to delete flooded key

[Patrick Brunschwig]

First users ask for support on getting rid of the keys flooded with
signatures.

Is it sufficient to run "gpg --delete-keys 0x...", and wait for quite a
while, or does it require other measures?

Thanks,
Patrick



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Invitation to the 5th OpenPGP Email Summit

[Patrick Brunschwig]

I'm happy to announce the 5th OpenPGP Email Summit which will take place

  Saturday, October 12 until Sunday, October 13, 2019
  in Berlin (Germany) at the Onion Space.

Last year, the idea came up that it would be nice if some of the topics
discussed could directly be prototyped. I have therefore booked the
Onion Space for Monday and Tuesday (October 14/15), such that those who
are interested can directly start working on their product.

ABOUT THE OpenPGP EMAIL SUMMIT
==

This is an event open for anybody involved in the development of email
clients using OpenPGP for encryption, and related software.

We already had four OpenPGP Email Summits at various locations in
Europe. These are meetings by technical experts of projects and tools
dealing with OpenPGP with a focus on email encryption. The goals are to
better get to know each other, and to discuss and work on several
technical issues that hopefully improve certain aspects of OpenPGP-based
email encryption. For details, see
  https://wiki.gnupg.org/OpenPGPEmailSummits


REGISTRATION

If you want to attend, please *send an informal email* to:
 patr...@enigmail.net

Please let me know if you plan to stay on Monday and/or Tuesday.

If you need funding for your travel/hotel expenses, then please get
in contact with me.


NOTES
=
This is a meeting of those who develop software. Thus, we will have a
lot of tech talk about key servers, key exchange, subject encryption,
password recovery, etc. If you just are interested in these topics as a
user, you probably will be bored to death .

Thus, feel free to join us if you are working in the area of
- TECHNICAL DETAILS
- for SENDING or PROCESSING ENCRYPTED EMAILS
- with OpenPGP
- in a project or product.

Note however, that due to capacity reasons we cannot have more
than 1-2 people from each project. We can host about 30 attendees.

Note that this is still neither a well-organized conference nor a
commercial meeting. The agenda will be driven by the attendees. Anyone
may propose any topic for discussion, as long as he/she is ready to lead
the discussion.

More details are/will be available on the web site:
https://wiki.gnupg.org/OpenPGPEmailSummit201910


Looking forward to meeting you in Berlin
-Patrick


-- 
Patrick Brunschwig
mailto:patr...@enigmail.net
PGP fingerprint: 4F9F 89F5 505A C1D1 A260 631C DB11 87B9 DD5F 693B



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Johnny-You-Are-Fired

[Patrick Brunschwig]

On 16.05.2019 21:27, Stefan Claas wrote:
> Am Thu, 16 May 2019 18:11:27 +0200
> schrieb Patrick Brunschwig :
> 
>> On 15.05.2019 17:17, Stefan Claas wrote:
>>> Hi all,
>>>
>>> I have read this in German News and wonder why
>>> MUAs in 2019 are still vulnerable?
>>>
>>> https://github.com/RUB-NDS/Johnny-You-Are-Fired/  
>>
>> This is mostly a summary of the various failures that were discovered
>> with EFAIL and shortly thereafter. Most MUAs have been fixed against
>> these attacks by now.
> 
> Are you sure? I remember Efail. Why would the BSI and press publish
> then such things recently? I would assume that no one is interested
> in old news or summaries regarding Efail.

I can only speak for Enigmail (and to some degree for Thunderbird).
The errors described where Enigmail is mentioned/affected were all
discovered last spring/summer (i.e. shortly after EFAIL), and were
addressed last year.

-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Johnny-You-Are-Fired

[Patrick Brunschwig]

On 15.05.2019 17:17, Stefan Claas wrote:
> Hi all,
> 
> I have read this in German News and wonder why
> MUAs in 2019 are still vulnerable?
> 
> https://github.com/RUB-NDS/Johnny-You-Are-Fired/

This is mostly a summary of the various failures that were discovered
with EFAIL and shortly thereafter. Most MUAs have been fixed against
these attacks by now.

For example, the tests with Enigmail were performed using version 1.9.8,
which was released almost 2 years ago, that is long before EFAIL was
published. The same is true for most other products.

-Patrick


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

4th OpenPGP Email Summit - Update

[Patrick Brunschwig]

It's 2 weeks until the Summit. Here are some updates:

- Friday evening: we will meet at the Winery (Trois Tilleuls Street 1, 1170 – 
Brussels, www.winery.be ). People from Mailfence will be there from 19:30, I 
will arrive a little later.

- if you plan to come, but didn't tell me yet, please send me an email.

- we will start on Saturday at 09:30. If you have any issues such as finding 
the location or with local logistics, here is my phone number: +41 78 631 6622

- we will have a plenary session on Saturday. If you have something you think 
is worth sharing with everyone, then that would be the perfect occasion for a 
short presentation.

See https://wiki.gnupg.org/OpenPGPEmailSummit201810 for details.

I'm looking forward to meeting you all.

-Patrick

-- 
Patrick Brunschwig
mailto:patr...@enigmail.net
PGP fingerprint: 4F9F 89F5 505A C1D1 A260 631C DB11 87B9 DD5F 693B
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Invitation to the 4th OpenPGP Email Summit

[Patrick Brunschwig]

I'm happy to announce the 4th OpenPGP Email Summit which will take place

  Saturday, October 20 until Sunday, October 21, 2018
  in Brussles (Belgium).


This is an event open for anybody involved in the development of email
clients using OpenPGP for encryption, and related software.

In 2015 and 2016 we already had tree OpenPGP Email Summits. These are
meetings by technical experts of projects and tools dealing with OpenPGP
with a focus on email encryption. The goals are to better get to know
each other, and to discuss and work on several technical issues that
hopefully improve certain aspects of OpenPGP-based email encryption.
For details, see
  https://wiki.gnupg.org/OpenPGPEmailSummits


REGISTRATION

If you want to attend, please *send an informal email* to:
 patr...@enigmail.net

I will then let you know more details about the location, hotel, etc.

If you need funding for your travel/hotel expenses, then please also get
in contact with me.


NOTES
=
This is a meeting of those who develop software. Thus, we will have a
lot of tech talk about key servers, key exchange, subject encryption,
password recovery, etc. If you just are interested in these topics as a
user, you probably will be bored to death ;-).

Thus, feel free to join us if you are working in the area of
- TECHNICAL DETAILS
- for SENDING or PROCESSING ENCRYPTED EMAILS
- with OpenPGP
- in a project or product.

Note however, that due to capacity reasons we cannot have more
than 1-2 people from each project. We can host about 30 attendees.

Note that this is still neither a well-organized conference nor a
commercial meeting. The agenda will be driven by the attendees. Anyone
may propose any topic for discussion, as long as he/she is ready to lead
the discussion.

More details are/will be available on the web site:
https://wiki.gnupg.org/OpenPGPEmailSummit201810


Looking forward to meet you in Brussels
-Patrick


-- 
Patrick Brunschwig
mailto:patr...@enigmail.net
PGP fingerprint: 4F9F 89F5 505A C1D1 A260 631C DB11 87B9 DD5F 693B



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: efail is imho only a html rendering bug

[Patrick Brunschwig]

On 21.05.18 16:56, Klaus Römer wrote:
> Internet works because we have standards.
> Rfc 3986 states that URLs have to be ecoded.
> Redering-Engies which send unencodes content including whitespaces and 
> newlines to an external Server are seriously broken.
> 
> (Only to point the finger at the real bug)

You only refer to one type of possible vulnerabilities that Efail
discovered. Even if there are no remote calls involved, it is still
possible to trick the user into sending a reply that contains decrypted
content.

-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Efail - Possible Measures?

[Patrick Brunschwig]

In the light of the Efail vulnerability I am asking myself if it's
really needed to decrypt non-regular types of emails at all. In other
words, should we decrypt a multipart/encrypted MIME part at all if we
detect an irregular MIME structure?

If we would not decrypt irregular MIME structures, there cannot be an
issue with HTML displaying. This would be a good thing, if you're an
addon and you can't change the application you live in. I know that some
mail clients do this already, but all those clients that are affected by
Efail apparently don't.

I would consider the following "regular" MIME structures:

1. top-level MIME part is multipart/encrypted.
2. an attached email (Content-Type = message/rfc822) containing a
multipart/encrypted MIME part as direct child.

Does anyone know of other relevant types of message structures?
Does anyone see a reason why NOT to do that?

-Patrick



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Efail or OpenPGP is safer than S/MIME

[Patrick Brunschwig]

On 19.05.18 14:15, Werner Koch wrote:
> On Fri, 18 May 2018 12:18, patr...@enigmail.net said:
> 
>> How far back will that solution work? I.e. is this supported by all
>> 2.0.x and 2.2.x versions of gpg?
> 
> 2.0.19 (2012) was the first to introduce DECRYPTION_INFO  In any case
> 2.0 is end-of-life.  In theory we could backport that to 1.4 but I don't
> think that makes sense.

Enigmail runs on many long-term Linux distributions that still ship
older, presumably patched, versions of GnuPG. For example, Red Hat EL
6.9/Centos 6.9 contains GnuPG 2.0.14, but current versions of Thunderbird.

GnuPG 2.0.x will therefore still be relevant for me for many years to come.

-Patrick



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Efail or OpenPGP is safer than S/MIME

[Patrick Brunschwig]

On 17.05.18 13:03, Werner Koch wrote:
> If you parse DECRYTPION_INFO beplease consider that its current
> defineion (in master) is:
> 
> *** DECRYPTION_INFO   []
> Print information about the symmetric encryption algorithm and the
> MDC method.  This will be emitted even if the decryption fails.
> For an AEAD algorithm AEAD_ALGO is not 0.  GPGSM currently does
> not print such a status.
> 
> The important print is that MDC_METHOD will be 0 with the forthcoming
> AEAD algorithm.  Thus you need to check whether 3rd argument is there.
> 
>  mdc_method = atoi(arg_1)
>  aead_algo = have_3_args? atoi(arg_3) : 0
>  if (!mdc_method && !aeadalgo)
> return DECRYPTION_FAILED
> 
> That is what I implement in GPGME this morning.

How far back will that solution work? I.e. is this supported by all
2.0.x and 2.2.x versions of gpg?

Thanks,
Patrick


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Efail or OpenPGP is safer than S/MIME

[Patrick Brunschwig]

On 17.05.18 10:07, Werner Koch wrote:
> On Thu, 17 May 2018 08:59, patr...@enigmail.net said:
> 
>> Within 12 hours after the release I got 5 bug reports/support requests
> 
> Kudos to Enigmail for acting as our guinea pig.  I implemented the same
> thing in GPGME this morning (see my mail to enigmail users).
> 
> What shall we do now?  Provide a separate tool to decrypt and clean HTML
> messages or add a tool to Enigmail to do just this?

Good question... Thunderbird is working on fixing the HTML display
issue. But I think we should really start enforcing users to enable MDC.
I therefore would prefer keeping the barrier high. In any case, this is
nothing that I could implement with a week or two.

-Patrick





signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Breaking MIME concatenation

[Patrick Brunschwig]

On 16.05.18 21:50, Lukas Pitschl | GPGTools wrote:
> 
>> Am 16.05.2018 um 06:21 schrieb Patrick Brunschwig <patr...@enigmail.net>:
>>
>> Content-Type: mutlipart/mixed; boundary="WRAPPER"
>> Content-Description: Efail protection wrapper
>>
>> --WRAPPER
>> Content-Type: text/html
>>
>> 
>> 
>> 
>>
>> --WRAPPER
>> (result of PGP/MIME decryption)
>> —WRAPPER—
> 
> Looks alright so far, does the same work for inline PGP? Is there
> a particular for the specific inline-styles?

At least in Enigmail, inline-PGP is not affected by remote URL calls.
The reason is that Enigmail reads the encrypted message data from the
displayed message, and then replaces the displayed message content with
the decrypted message. In other words, if the secretly to-be-decrypted
message part is not displayed, then Enigmail won't come into action.

> In macOS Mail we will disable remote content loading completely
> and prevent the user from re-enabling it for encrypted messages.

The same is currently being developed in Thunderbird (using the "Simple
HTML" mode), together with a clean fix for the DOM tree issues.

-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Efail or OpenPGP is safer than S/MIME

[Patrick Brunschwig]

On 15.05.18 11:14, Andrew Gallagher wrote:
> On 14/05/18 14:44, Andrew Gallagher wrote:
>> I would humbly suggest that we stop worrying about which side of the
>> GPG/MUA fence the ball is on, and fix it on *both* sides.
> 
> I have just opened tickets in both GnuPG and Enigmail for the respective
> integrity check mitigations.
> 
> https://dev.gnupg.org/T3981
> https://sourceforge.net/p/enigmail/bugs/838/
> 
> Please let's avoid a finger-pointing contest. Belt and braces. :-)

So, just that you are aware of the consequences of this change. I
implemented the check for "gpg: WARNING: message was not integrity
protected" in Enigmail 2.0.4.

Within 12 hours after the release I got 5 bug reports/support requests
from users who can't read their (old?) mails anymore. And the day in
Europe has only just begun -- many users did not yet upgrade ...

-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Breaking MIME concatenation

[Patrick Brunschwig]

On 15.05.18 17:53, Lukas Pitschl | GPGTools wrote:
> 
>> Am 15.05.2018 um 17:44 schrieb Patrick Brunschwig <patr...@enigmail.net>:
>>
>> I already tried a while ago to trick the Thunderbird HTML rendering
>> engine with tricks like this... They don't work. The rendering engine
>> ignores the  tag (and also tags like ).
>>
>> I think the correct solution must be to treat each MIME part
>> independently, i.e. it needs to be parsed independently by the HTML
>> engine and produce its own DOM tree. At the end, you can concatenate
>> these DOM trees and create a single correct HTML document.
> 
> I have also already tried to implement a similar fix for Apple Mail a few 
> days ago,
> using  which did work, but is probably a too naive attempt
> to mitigate against these XSS-kind of attacks. 
> 
> So I absolutely concur with Patricks statement, that the Mime Parsers have
> to be adjusted to treat every text/html part as single DOM tree or even use 
> different
> web document instances to represent the message.   

I have actually thought through this during a sleepless night, and I
believe that it could work as a quick and easy to implement *short term*
measure until the mail clients have fixed the HTML rendering.

If we embed the complete result that we get from gpg into the following
wrapper, then we should be able to mitigate at least any known form of
the attack when it comes to calling a remote URL during message reading:


Content-Type: mutlipart/mixed; boundary="WRAPPER"
Content-Description: Efail protection wrapper

--WRAPPER
Content-Type: text/html





--WRAPPER
(result of PGP/MIME decryption)
--WRAPPER--


Does anyone see a major hole in this that I may have overseen? If not,
then I think I'll implement this in Enigmail until Thunderbird has fixed
this properly.

-Patrick






signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Efail or OpenPGP is safer than S/MIME

[Patrick Brunschwig]

On 14.05.18 19:32, Werner Koch wrote:
[...]
>> 1. change the default behaviour of GPG so that any integrity failure is
>> fatal by default, even for old ciphersuites (we could have a flag to
> 
> I am all in favor of this and even considered to that some time ago.
> However, not too long ago we removed support for PGP-2 keys which
> unfortunately resulted in lots of angry mails from people who now think
> they need to use gnupg 1.4 every day because they seem to read mails
> From the last century on a regular base.  Well, they think and they were
> quite vocal.  Now telling them they need to enable an option to read
> certain not that old mail (e.g. creating by other OpenPGP
> implementations) will a) lead to even more angry mails and b) they will
> keep on using that option for all mails.  Thus my tentative plan was to
> make the next major version hard fail on messages without MDC and slowly
> start using our forthcoming AEAD encryption mode.
> 
> Well okay, with the new support of the Ehtmlfail paper we could now
> point to that paper and always hard error out if no MDC is used even for
> old algorithms.  Shall we consider this?

Yes, I think that's a good idea.

-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: OS X - can't open GnuPG-2.2.5.dmg

[Patrick Brunschwig]

On 11.03.18 16:14, Stefan Claas wrote:
> 
> 
> Am 10.03.18 um 18:49 schrieb Patrick Brunschwig:
>> On 06.03.18 20:06, Stefan Claas wrote:
>>> Hi,
>>>
>>> just tried to update my GnuPG install on my iMac,
>>> from the SourceForge repository, but the image
>>> won't open. The shasum matches and with DiskUtility
>>> it shows also that the .dmg is o.k.
>>>
>>> Downloaded several times, with the same result. :-(
>> The file opens fine on my Mac. I suspect that either there is a problem
>> with your OS (a reboot may help), or your iMac doesn't fulfill the
>> minimum installation requirements (macOS 10.9 or newer, running in
>> 64-bit mode).
>>
> Well, i am running 10.11.6 and tried also again with 2.2.4 which works.
> 
> Tried also to open the 2.2.5 .dmg with Pacifist but it can't open it either.

I fear I know what's wrong. For some reason that I still need to
discover, the image is created with the new APFS file system instead of
the HFS+. I'll see how to fix this.

-Patrick


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: OS X - can't open GnuPG-2.2.5.dmg

[Patrick Brunschwig]

On 06.03.18 20:06, Stefan Claas wrote:
> Hi,
> 
> just tried to update my GnuPG install on my iMac,
> from the SourceForge repository, but the image
> won't open. The shasum matches and with DiskUtility
> it shows also that the .dmg is o.k.
> 
> Downloaded several times, with the same result. :-(

The file opens fine on my Mac. I suspect that either there is a problem
with your OS (a reboot may help), or your iMac doesn't fulfill the
minimum installation requirements (macOS 10.9 or newer, running in
64-bit mode).

-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How Can I Uninstall GnuPG-2.1.20 from my MacOS

[Patrick Brunschwig]

On 10.04.17 11:47, Gaston wrote:
> Hi All,
> 
> Cloud you tell me how to uninstall it? I can not find any instructions
> in the FAQ.
> 
> OS: MacOS 12.2.4
> GnuPG: 2.1.20 (downloaded from
> https://sourceforge.net/p/gpgosx/docu/Download/)

Open a Termina an execute the following line:

sudo rm -rf /usr/local/gnupg-2.1

-Patrick


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: I figured out how to change the algorithms,

[Patrick Brunschwig]

On 20.03.17 10:56, zap wrote:
> Okay, I was doing this to ecnrypt my files, not emails for the most part...
> 
> I did however wonder, what you actually said, because I had pgp
> encryption on and for some reason I couldn't read it through enigmail.

I assume that's due to a configuration issue. But it's impossible to
tell without further information, like what is the error message you are
getting.

-Patrick



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Which GPG version?

[Patrick Brunschwig]

On 01.08.16 19:28, Peter Lebbing wrote:
> On 01/08/16 17:54, whi...@mixnym.net wrote:
>> I see that there are three versions of GnuPG available. Assuming no hardware
>> constraints, is there any reason to choose Classic 1.4 or Stable 2.0 instead
>> of Modern 2.1?  It appears to do everything the others can and more.
> 
> I think usually the constraints are software constraints. But 1.4 might be 
> more
> appropriate in for instance a headless server. I suppose that counts as a
> hardware constraint indeed :-).
> 
> I'd say, go for 2.1. I think 2.0 is more for people who wish to stick to 2.0 
> for
> whatever reason. If you don't have any particular motivation to use 2.0 or 
> 1.4,
> you should go for 2.1.

I see the world a little different :-)

2.1 is the current development branch, where we sometimes see heavy
changes that can cause bugs, crashes and incompatibilities with other
software.

2.0 is stable and only receives a limited number of well-tested changes
and security fixes.

If you want to try new features like curve-based encryption, or if you
are a developer, then go for 2.1. Otherwise, if you are a regular
end-user, then go for 2.0 and wait with upgrading until 2.1 has become
mature. This will result in 2.2 being released.

Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Email Self-Defense

[Patrick Brunschwig]

On 23.02.16 02:08, NIIBE Yutaka wrote:
> Hello,
> 
> While we translate the "Email Self-Defense" guide into Japanese, I
> have a thing (or will have more) to clarify.
> 
> In this section 5b, it says:
> 
> https://emailselfdefense.fsf.org/en/#step-5b
> 
> When using GnuPG, make a habit of glancing at that bar.  The
> program will warn you there if you get an email encrypted with a key
> that can't be trusted.
> 
> "The program" here means Enigmail with GnuPG, I suppose.

Yes.

> I think that it's quite rare to encounter this particular case; a user
> would need to have a revoked or expired key (of themselves).
>
> If it means an email with signature (encrypted or not), it makes more
> sense to me.  I think that it would be better to explain more likely
> cases.
> 
> How do you think?

Enigmail displays various information in the status bar, such as:
(1) Good signature (hopefully mostly)
(2) "Bad signature" (Enigmail v1.8) / "Unverified signature" (v1.9) in
case the signature is bad
(3) "Unverified signature" together with an "Import" button in case the
signature is from an unknown key
(4) Good signature, but key is not trusted
(5) Good signature, but key is expired or revoked

The last one happens quite frequently if you look at old mails, but
hardly on current mails. I think the guide refers to (2) and/or (4), but
I'm not the author of the document ...


-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Keyserver lookup failure, redux

[Patrick Brunschwig]

On 23.09.15 10:25, Robert J. Hansen wrote:
>>   $ gpg -v --keyserver hkp://pool.sks-keyservers.net --recv-key 0xD6B98E10
> 
> quorra:~ rjh$ gpg -v --keyserver hkp://pool.sks-keyservers.net
> --recv-key 0xD6B98E10
> gpg: keyserver receive failed: No route to host
> 

I can confirm that the exact above command works for me (on OS X), with
gpg 2.1.8:

gpg: no running Dirmngr - starting '/usr/local/gnupg-2.1/bin/dirmngr'
gpg: waiting for the dirmngr to come up ... (5s)
gpg: connection to the dirmngr established
gpg: data source: http://openpgp.andrew.kvalhe.im:11371
gpg: armor header: Version: SKS 1.1.5
gpg: armor header: Comment: Hostname: openpgp.andrew.kvalhe.im
gpg: pub  dsa2048/D6B98E10 2008-07-30  Robert J. Hansen 
(etc.)


HTH
-Patrick



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Enigmail and p≡p are together for developing Enigmail/p≡p

[Patrick Brunschwig]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

The following press release was published yesterday (unfortunately I
had no time to re-post it earlier):


Encryption add-on Enigmail and pretty Easy privacy (p≡p)[1] are
joining in development of a solution for the well-known mail client
Thunderbird. The goal is to make encryption as easy as possible, said
Enigmail's project lead Patrick Brunschwig and p≡p's head of
development Volker Birk in a common press release. Enigmail and p≡p
will offer p≡p technology for any Thunderbird user. Thunderbird is
still most popular among free email programs on desktop PCs and Laptops.

"Enigmail offers the most-used solution for mail encryption as Free
Software for many years now. But we don't want to rest on our
laurels.", Brunschwig explains. "Still way too few people are able to
encrypt. But this is inevitable to protect privacy." That is to be
changed with the partnership. "p≡p is offering the possibility to
encrypt fully automatically. This way our users are gaining the
highest amount of security, while even not be touched by the process
at all. At the same time p≡p is offering compatibility to OpenPGP and
S/MIME, which is necessary to integrate into mail infrastructures."

"Being the trailblazer, Enigmail managed to provide one of the
greatest user interfaces for mail encryption.", Birk says. "To date
Enigmail is still the front-runner here. Together with Enigmail we're
thinking beyond this: the default for email has to be encrypted and
not unencrypted! For this purpose p≡p is offering the possibility to
encrypt without any user interaction needed like managing keys.
Thunderbird is for p≡p a strategic platform in Free Software: no other
free mail program has reached this spread. Therefore, it was the
logical choice to ask our colleagues at Enigmail for a cooperation.
Who else could deliver more know-how of integrating encryption into
Thunderbird?"

The development partnership is meant to lead into common project
Enigmail/p≡p. As release date for a very first version Enigmail and
p≡p are aiming for December 2015.


[1] http://pep-project.org/
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQIcBAEBCAAGBQJV7wiEAAoJENsRh7ndX2k7FswP/2qajDgWQF8Xsbl2/+ugrZr1
CaxQu3V7O7b9XXIA0kbAsy8qsVFlXAJoshEM75f6QWQ6P4nYBvB0C4zR2PU6Cl4/
eiPqkgMt831yF2gQ4tTbtu95NA6UvRZcDdVhdlZ/+KKT4e4RtUEKMkcncCA5A4tT
HePpDDBPUsLCiMuFnkoMwVb4K6sRRD6nNddRwfegZN2E/ch5dglP2c3Gs8sF8Ewd
jR9S/PlroVzZEsA7lrXbG/Q9xHj4XyGgndklpq06HoGgDyKjfUsgu/scewlKl3FR
SmDwOTp9OQObhJKh7u2B5+IcGy+fRcsu5tHGNZ4cJaM5NaeWQuX/ynUWUqpuVzkR
vzcO2FMrnnR0z2lF4MPhwASrRTXUiFD31i90AOVaAxBRMA3+iRdW+ZThe/wZ5ev/
H8IXoninN5zAcdp0wnXZGScqJOHNE63Ard/Vy3vSN0TukBK0A7NpvuWRQ3R2n6Ek
oAqr+8XGIBeNMfkj5Owsh1dKYPsBj9luzcJ65Nvtcb4l6OggCwGnRFelKgigxuEk
RNiAmZk8mKNWcG95wxwTq63t27eVMkXSbt12rkt1WeSFl4FPfKRAhI3+nt3CkhvV
ZCmjVuKuWL9eWZ5qlt2gWDs9O9wWubKKEKwcP090VzVVY5iqa+jjmF81944fLFqX
RQwQ1HO9vO7uiT/lNI5y
=83XF
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: OSX: How to install gpg without Admin password

[Patrick Brunschwig]

You'll need to set the path to pinentry in gpg-agent.conf Something like:
pinentry-program /home/xyz/pinentry-mac.app/Contents/MacOS/pinentry-mac

-Patrick

On 29.08.15 19:13, Dan Bryant wrote:
 OK, this worked in getting the binaries extracted and by setting PATH
 and DYNLD_LIBRARY_PATH I can get the bins to load and dump version
 information... SUCCESS...
 
 Now my biggest problem is getting the agent and pinentry (I assume) to
 talk to gpg.
 
 I was hoping I could set bindir, libdir, libexecdir with gpgconf
 (gpgconf.conf) but I can't seem to figure out how to convice gpg to
 look in nonstandard paths for binaries and libraries.  Seems to be
 ignoring PATH environment.
 
 Suggestions?
 
 On Thu, Aug 27, 2015 at 1:31 AM, Patrick Brunschwig
 patr...@enigmail.net wrote:
 On 26.08.15 17:16, Dan Bryant wrote:
 I have a monitored OS X laptop that I would like to put GNU Privacy
 Guard (gpg) on. Of course I can't because I don't have Admin rights,
 but I was hoping there is a way to install it in user space through a
 virtual environment or chroot, or some other wizardry, or by exacting
 the package files.

 Obviously I only need console access to the app.


 Just download a DMG file, open (=mount) it, and copy the PKG file to
 some temporary location. Then use pkgutil in a terminal to unpack the
 PKG file to some temp directory. Then copy whatever you need to your
 home directory.

 man pkgutil will tell you how to use it.

 -Patrick


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: OSX: How to install gpg without Admin password

[Patrick Brunschwig]

On 26.08.15 17:16, Dan Bryant wrote:
 I have a monitored OS X laptop that I would like to put GNU Privacy
 Guard (gpg) on. Of course I can't because I don't have Admin rights,
 but I was hoping there is a way to install it in user space through a
 virtual environment or chroot, or some other wizardry, or by exacting
 the package files.
 
 Obviously I only need console access to the app.


Just download a DMG file, open (=mount) it, and copy the PKG file to
some temporary location. Then use pkgutil in a terminal to unpack the
PKG file to some temp directory. Then copy whatever you need to your
home directory.

man pkgutil will tell you how to use it.

-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Proposal of OpenPGP Email Validation

[Patrick Brunschwig]

On 29.07.15 14:07, Neal H. Walfield wrote:
 At Wed, 29 Jul 2015 01:03:53 +0100,
 MFPA wrote:
 On Tuesday 28 July 2015 at 11:46:10 PM, in
 mid:87vbd3nbnx.wl-n...@walfield.org, Neal H. Walfield wrote:
 At Tue, 28 Jul 2015 19:22:29 +0100, MFPA wrote:
 It also eliminates any attempt to to establish a link
 between the key and the email address in the UID.

 I'm not so sure.  Recall that we are not attempting to
 protect against attacks by nation states.  As such,
 performing a week of computation each year is going to
 be too much to maintain for those who upload fake keys.

 And too much for people with multiple email addresses.
 
 It doesn't have to be per-email address.  It is sufficient to attach
 it to the primary key.

This allows me to have patr...@enigmail.net verified OK. Then I add a
new UID mall...@evil.com and delete patr...@enigmail.net from the key.
And then I upload my key to the keyservers network, and I'll end up
where we are now.

 This still seems less rigorous to me than having to receive an email
 sent to that address and decrypt it with that key. I guess it's a case
 of swings and roundabouts.
 
 Well, I don't like the CA model and that's what Nico is basically
 proposing (with less rigorous checks).  Another huge disadvantage is
 that user's have to actively participate by replying to emails /
 visiting a link.
 
 Using PoW, no human intervention is required and there is no central
 authority.  PoW relies on the assumption that conducting an attack is
 too expensive to do / maintain.

The whole point of this exercise is to verify that the key and the email
address(es) belong _together_. I don't see how PoW could do this, or I
didn't understand it well enough.

-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Proposal of OpenPGP Email Validation

[Patrick Brunschwig]

On 28.07.15 16:46, Ingo Klöcker wrote:
 On Monday 27 July 2015 21:05:26 Ludwig Hügelschäfer wrote:
 Hi Ingo,

 On 27.07.15 16:31, Ingo Klöcker wrote:
 This whole concept of a whitelist of trusted validation servers
 included in the email clients sounds a lot like the CA certificate
 bundles included in browsers and/or OSes. Who is going to maintain
 this whitelist?

 Whilelists: The OpenPGP-aware clients. There aren't so many of them,
 so that's manageable.
 
 Speaking for KMail how can I be sure that somebody who claims that his 
 validation server can be trusted can actually be trusted and should therefore 
 be added to the whitelist? KDE avoids this problem for the CA certificate 
 bundle by relying on the certificate bundles provided by the Linux 
 distributors or by Mozilla.

Let's face it: KDE doesn't /avoid/ this problem. It just shifts the
problem to someone else -- the Linux distributors or Mozilla ;)

-Patrick


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Proposal of OpenPGP Email Validation

[Patrick Brunschwig]

On 27.07.15 14:15, Neal H. Walfield wrote:
 Hi,
 
 I guess you mean this:
 
   The idea I have in mind is roughly as follows: if you upload a key to
   a keyserver, the keyserver would send an encrypted email to every UID
   in the key. Each encrypted mail contains a unique link to confirm the
   email address. Once all email addresses are confirmed, the key is
   validated and the keyserver will allow access to it just like with any
   regular keyserver.
 
 This approach is not going to stop a nation state.  A nation state can
 intercept the mail, decrypt it and follow the link.

If the email can be decrypted, then any email can be decrypted, which
would turn OpenPGP useless.

 For the same reason, it is not going to stop a user's ISP.  Given
 Microsoft's et al.'s willingness to cooperate with the NSA, these are
 not very good starting conditions.

If (and only if) the user stores his private key on his computer, and
the connection to the validating key server is HTTPS with PFS, I don't
really agree.

In any case, the target users are not the Edward Snowdens of this world,
but the 99% of people who just want to communicate easily with each
other and don't want to be bothered too much with key complicated key
lookup/verification scenarios.

 The approach also has another problem: which key servers are going to
 do this?  There are 100s of key servers.  I'm not going to reply to
 mails from each one, sorry.

The idea is that these servers are separate from the keyserver network.
That is, a relatively small set of servers that would only do validation
of email addresses. Validated keys would then be uploaded to normal key
servers.

 This also seems like a nice way to spam someone.  Generate a key,
 upload it to a key server and they have a bunch of mails from the key
 server.  Based on this, I suspect that it won't take long for the key
 servers to be blacklisted?

True, but this only serves the purpose of spamming someone without any
further action. You cannot send specific text to those who get spammed,
that's thus not very interesting. But in general, that's certainly
something to consider (such as only accepting one key at a time and only
accepting N keys per hour from some IP address).

 Have you considered these issues?  Do you have any thoughts about how
 to avoid these problems or do you think they are not real problems?
 
 
 Regarding the design: personally, I wouldn't have the user follow a
 link that includes a swiss number, but have the user reply to the
 mail, include the swiss number and sign it.

That's a good idea indeed.

 I'd also consider having the key servers publish the validations.  If
 you chain the validations (include the hash of the previous validation
 in the current validation) you can detect if the key servers serve a
 fake key to a specific user.

Sounds like a good idea.

-Patrick



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GnuPG 2.1.3 Fails to Compile OS X

[Patrick Brunschwig]

It's a clang build error (clang-602.0.49).

-Patrick

On 13.04.15 00:00, Ethan Sherriff wrote:
 Sorry didn't see what you said about the error occuring with GNU GCC,
 what version are you using? On OS X Yosemite 10.10.3 (Latest Public Beta
 14D131, XCode 6.3 6D570), with GNU GCC 4.9.2 installed from source,
 gnupg-2.1.3 builds fine.
 
 From: Dominyk Tiller mailto:dominyktil...@gmail.com
 Sent: ‎12/‎04/‎2015 21:01
 To: gnupg-users@gnupg.org mailto:gnupg-users@gnupg.org
 Subject: GnuPG 2.1.3 Fails to Compile OS X
 
 Hey Werner,
 
 Thanks for the new release!
 
 I'm having some issues making it compile on OS X, right across
 10.8-10.10.3. Tried both Apple's Clang and GNU's GCC so I'm presuming
 the error isn't compiler-specific.
 
 It's throwing slightly different errors on OS X 10.8 than it is on 10.9
 and 10.10. The 10.8 error is:
 
 =
 t-stringhelp.c:488:3: error: function definition is not allowed here
   {
   ^
 t-stringhelp.c:536:4: error: expected ';' at end of declaration
   }
^
;
 2 errors generated.
 make[3]: *** [t-stringhelp.o] Error 1
 =
 
 
 
 And the 10.9 - 10.10.3 error is just:
 
 =
 t-stringhelp.c:488:3: error: function definition is not allowed here
   {
   ^
 1 error generated.
 make[3]: *** [t-stringhelp.o] Error 1
 =
 
 Have attached various compile logs.
 
 Cheers,
 
 Dom
 
 -- 
 Sent from OS X. If you wish to communicate more securely my PGP Public
 Key is 0x872524db9d74326c.
 
 
 ___
 Gnupg-users mailing list
 Gnupg-users@gnupg.org
 http://lists.gnupg.org/mailman/listinfo/gnupg-users
 


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: German ct magazine postulates death of pgp encryption

[Patrick Brunschwig]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 27.02.15 20:56, Werner Koch wrote:
 On Fri, 27 Feb 2015 17:26, patr...@enigmail.net said:
 
 that anyone can upload _every_ key to a keyserver is an issue. If
 keyservers would do some sort of verification (e.g. confirmation
 of the email addresses) then this would lead to much more
 reliable data.
 
 We have such a system. It is called S/MIME.
 
 Ever tried to find an S/MIME (X.509) key (aka certificate) for an 
 arbitrary mail address?  The only working solution to get such a 
 key is by sending a mail and asking for the key.  You can do the 
 very same with PGP of course.  Keyservers along with visting cards 
 are much nicer.
 
 So, why is there no public service to distribute X.509 keys? 
 Because nobody want to be legally responsible for such a key
 unless you push a stack of money over the table for a qualified
 signature certificate.

I would not go that far as trying to guarantee the identity of key.
But I think if a keyserver could do some basic verification of keys,
it would make OpenPGP a lot easier to use for email.

The idea I have in mind is roughly as follows: if you upload a key to
a keyserver, the keyserver would send an encrypted email to every UID
in the key. Each encrypted mail contains a unique link to confirm the
email address. Once all email addresses are confirmed, the key is
validated and the keyserver will allow access to it just like with any
regular keyserver.

This way, we have a simple verification of the access to the private
the key, as well as access to the email addresses contained in the UID
by quite a simple means. I would say this is about as reliable as
sending an email to someone requesting their key.

- -Patrick
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQIcBAEBCAAGBQJU8yUaAAoJENsRh7ndX2k7Iz4P/j+rS8ZzqI62rQfc8RbNfPuT
1tinBE7Bf73PaZ+hpHCdEAcRUGhM64yRtNUAwovQt00sfdalF4WNKzdlItavMMLG
YtsgaEgZNf8JQlhC2u++Pxo7x7YlHXIuU5Wdu7rbSJXTSfacII7QPSIK39iMUDB5
Je4xUiQSBUeFgm0HLIlnuZMn4KLEPIdthss8golOYBZisSJM8lsucneKSH/4z7sf
d2zvfqRUVtyC9wtnzXDX0VmTP0m+LfVaug5fWyNB87yDKrWG6jqmttIm6vMFH534
RgHjjOCE5dzw0QIXfgv9d0xOFAGoMqt18UPAn/H7bxTJ2OAXHLvugBvfQxLrCO5N
Lb4PjICyC/PB6L+thQS8uG6a7CKDV+nU7MIxRzkFtFVmG4L0Ew8JWViQP6tFwUd6
UUxc3DS+kAPprGmG9sOpzf29c3nDkS1Fe697dOtKAexJ3MTT2Ygc1ZbkDGRhtiM8
5ahjYSxtw/cCRKwXOi40DzDlNG3h1L71q87hJk5m+Ithcz4qkCgLdjzisJZBQd2U
2ObU1Nzjg18bJlXeyoNYve/CdjRp8EHlckdFJr/rBWy10u2vn9kL8Eq3HXDtOZGR
V6va5bxt1jxOYiieAPpZ28Wr+TbxWR8Ih9dNkxCn19a5Hy0QtYYAVnJSrXEtv84y
4vjnCrxlE6QAkouU6XjB
=m2JV
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: German ct magazine postulates death of pgp encryption

[Patrick Brunschwig]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 01.03.15 16:38, Kristian Fiskerstrand wrote:
 In general I believe this to be an insufficient form of 
 identification that really doesn't provide much of anything 
 useful, but at least the PGP keyserver does it reasonably sane
 in its methodology by creating a signature from their CA on
 the key. Whether you put any merit to having such a CA
 signature or not is left up to the user (excluding for now the
 fun related to the spammy number of signatures from it)
 
 Yes, I know. The re-confirmation every few months together with 
 re-signing the keys is among the things I dislike about 
 keyserver.pgp.com. But in general, I think that keyservers need
 to go in that direction if we want to enable easy use of OpenPGP
 in email (which requires in some way or another to download
 missing keys automatically).
 
 You wouldn't need the keyservers to be involved in this at all.
 Anyone could set up such a mail verification CA outside of the
 keyserver network.

Perfectly correct, yes. This is exactly what I'm proposing. I believe
that the current keyserver network cannot do this. I just don't have
the time to (also) work on this...

- -Patrick
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQIcBAEBCAAGBQJU8zyAAAoJENsRh7ndX2k7cNAQAJXErgNTCbTqEwhtUcW0l7KR
hfchokWcOfgdMmNIKz9A2AD8mQ7Ckdxmn/ANGzNLSzZHjCT4+npjdEe/Q0XxcUf6
ajtntcQsdUBvpC/K4gPDg+V1g3EEZkUPHDeKvgCWvZIQ+57zjsg6T/0c4EEfdNWP
jwZDceP17wsLcTy3OdHhVrMJkgF/HFR4GaGzWNUzBFxtfeoK7kNhkvxKDbhajmcY
wiCgzz++cZmi7T4tf/hrdi65zB9zxzIOgvfeJvDpuuCUAGGYNtofJrIL4H3RNlSc
LfEmbpIwEfJltgeaEpfHBRzTtbxzAr7STvYSQNBwcCb+ksa2EWLzpPjbTfBUWaMt
91oW/qrW2TcEPxPHxnR1dlrAVmm3gE253plO8rljllr5csrUgLiT7tGalAwxv5Es
ITycw3lWUoxDRA1enqHnRgeig3MQNLGqZ5hbFYTs5sHYbKcpHG5Gl4TVnRKIWyCj
KMuXqy1ibV5kIlbP70D/g5Ss2M3iUyYl/tHf1pA5WKMU2EguLL42A9LCIPkqMFO7
5a1+xRAo1ZzkHpNUgACI73F/IuNTPXA7bPSa298sLB55teNFjWK5N8oPPs03e4OQ
W3oEoENnhgdUmDNd5soiM3yVgabGw8vBQC+/PD9Uz9Ee8AnxspxhQMdYacE467fJ
0ALTnk9tVO6Qt3vCjR3J
=Mejp
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: German ct magazine postulates death of pgp encryption

[Patrick Brunschwig]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 01.03.15 18:11, MFPA wrote:
 
 
 On Sunday 1 March 2015 at 2:41:33 PM, in 
 mid:54f3251d.20...@enigmail.net, Patrick Brunschwig wrote:
 
 
 
 The idea I have in mind is roughly as follows: if you upload a
 key to a keyserver, the keyserver would send an encrypted email
 to every UID in the key. Each encrypted mail contains a unique
 link to confirm the email address. Once all email addresses are
 confirmed, the key is validated and the keyserver will allow 
 access to it just like with any regular keyserver.
 
 What about keys with UIDs containing no email address?

The purpose of such a keyserver would be primarily targeted to email.
Thus I think such keys should be refused.

- -Patrick


-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQIcBAEBCAAGBQJU80j+AAoJENsRh7ndX2k7fN4P/jxwiXiQuQ/fcor8yKkC1SqA
TYnpQ2Z6ko1vY93repX5E1h9UrMvUOuMYHq7NECDftY2LSU/UFn0V7WpiAtdn+IO
eweI6cCMZmkdv8VVt9+dy7eZbjQ2jBGWpKzJmYAw4pxO0QJBHrEL9TLhxWBz4wDi
yAEOVQDrM3hl0O5NY8fX7Q249HwUWf/db0TC5lAA+he0mC9rjjNaAaq7yLGwTy/O
+vb/BxNRkvppYLKU8/naSSVGEwVfj2tw6y0fQbyfRiNSfh351Q9sVcwC3vTkHnUz
ldb6up4w5tRP6VY6yQ7m+mpAh1V1NX9J+h8Fi/kMGFfd3sfjYLduwPudJ17HmQr1
CAtOx/DnOXvIHMup1ZwENI1shaewNpxQoMHr/xCIEUaM2It8dwcVxdZ3f2KGGZ5F
LdEBEvjRyHPhCT8G8XB3WHoEWWXWrHEC1loy5Fpv6QeCobrkzQetPW6rNCvX8Cyp
nlST6TZoG0wBPonoKPQo+zPYBReBN+eUVuTb4Pe2WyhR4EY/7bsIdEa921lMekh5
fcnaI68McYpK2um6Mq686zArTu/KsJPRp868dVPNIEzW7gIZOjoKIdg0PGPpMQh/
NcpTi1vHeLZg4bYasXxpKG29dsAMfKGw/ImNkTyHhNZAw+1ykIeC4G4F/LFqlMaQ
v+FzDXhpGilTKyqMxmzH
=pm11
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: German ct magazine postulates death of pgp encryption

[Patrick Brunschwig]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 01.03.15 15:58, Kristian Fiskerstrand wrote:
 On 03/01/2015 03:41 PM, Patrick Brunschwig wrote:
 On 27.02.15 20:56, Werner Koch wrote:
 On Fri, 27 Feb 2015 17:26, patr...@enigmail.net said:
 
 that anyone can upload _every_ key to a keyserver is an
 issue. If keyservers would do some sort of verification
 (e.g. confirmation of the email addresses) then this would
 lead to much more reliable data.
 
 We have such a system. It is called S/MIME.
 
 Ever tried to find an S/MIME (X.509) key (aka certificate) for
 an arbitrary mail address?  The only working solution to get
 such a key is by sending a mail and asking for the key.  You
 can do the very same with PGP of course.  Keyservers along with
 visting cards are much nicer.
 
 So, why is there no public service to distribute X.509 keys? 
 Because nobody want to be legally responsible for such a key 
 unless you push a stack of money over the table for a qualified
  signature certificate.
 
 I would not go that far as trying to guarantee the identity of 
 key. But I think if a keyserver could do some basic verification
 of keys, it would make OpenPGP a lot easier to use for email.
 
 The idea I have in mind is roughly as follows: if you upload a
 key to a keyserver, the keyserver would send an encrypted email
 to every UID in the key. Each encrypted mail contains a unique
 link to confirm the email address. Once all email addresses are
 confirmed, the key is validated and the keyserver will allow
 access to it just like with any regular keyserver.
 
 
 You already have a variant of this at https://keyserver.pgp.com 
 (although I don't recall if they send the requests encrypted, I 
 haven't looked into the service in years)
 
 In general I believe this to be an insufficient form of
 identification that really doesn't provide much of anything useful,
 but at least the PGP keyserver does it reasonably sane in its
 methodology by creating a signature from their CA on the key.
 Whether you put any merit to having such a CA signature or not is
 left up to the user (excluding for now the fun related to the
 spammy number of signatures from it)

Yes, I know. The re-confirmation every few months together with
re-signing the keys is among the things I dislike about
keyserver.pgp.com. But in general, I think that keyservers need to go
in that direction if we want to enable easy use of OpenPGP in email
(which requires in some way or another to download missing keys
automatically).

- -Patrick

-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQIcBAEBCAAGBQJU8zHGAAoJENsRh7ndX2k7dNMQAKpRyStQFPRszQ4V52VS9Cuk
NTwUeRJ/ZIpM4OU0g1/3pXCMRI3xlSz0ts0Dh2ddMo2xcso5kS1X64DzrR6Sj6XT
AF2hBr9rkU+vZN7KAjdlvOPbZruXZEqCQlLm0aAxVPDRY+AKC4YSTKHR4OvAnlyY
mSFXDG7T/m6n8stwWrkY1M3PzD7UJCXH9Qsfb98oYOcP62MJlZW7H2byIgwVHvCK
ijnCJ7YZNRYTpOwfn2WtN+hP5AksrF1uQwQn/ApbgOVuvPwIl2+MhdbY9wjzv3WB
QFD4472Xho1vLsvT+qTHAskI4l5InnIhuxDVVRsr7OAGjbNPmSiph18+3A1vQOuy
mkkBUYJblifM2hmhKTBTNhJyD/TYvhVrC35Tb3J+eq2RhaStivjlKFH9tH9FgBBR
tz1R8OIdq4A3ZyHPYXBvvuYe+geZmUEOOAtTA7JDPvXrwrtLeGKvNJ31UaFd7kGd
odk5PNRscWJIeQfSEwNCUyzzKexWjj14OFLCd4D9ylNVEHWhHOCEgMmgZaAVIduH
oE5ChgCWLx44WQPA5O+bMEY4+WYJaJEk/tkwLHuY9CB98kGd3DmdK5BCh4WI6NLX
O0Z3b7gDQfTxdi5fHJtHA16rtigA4zpkKz3Z4kgJUzVfnf2ikcU4+ppJX/Pd+4jZ
Wt5Mq+MmViexsE/J/BFA
=c5nb
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: German ct magazine postulates death of pgp encryption

[Patrick Brunschwig]

On 27.02.15 13:11, Kristian Fiskerstrand wrote:
 On 02/27/2015 12:43 PM, Hauke Laging wrote:
 Am Fr 27.02.2015, 12:27:40 schrieb gnupgpacker:
 
 Maybe implementation with an opt-in could preserve publishing
 of faked keys on public keyservers?
 
 We need keyservers which are a lot better that today's. IMHO
 that also means that a keyserver should tell a client for each
 offered certificate whether it (or a trusted keyserver) has made
 such an email verification.
 
 The keyservers have no role in this, they are pure data store and
 can never act as a CA. That would bring up a can of worm of issues,
 both politically and legally, I wouldn't want to see the first case
 where a keyserver operator was sued for permitting a fake key
 (the term itself is very misleading, the key itself isn't fake at
 all, but a fully valid key where the UID has not been mated to its
 holder through proper validation).

But that's the main primary reason of the article at all. The fact
that anyone can upload _every_ key to a keyserver is an issue. If
keyservers would do some sort of verification (e.g. confirmation of
the email addresses) then this would lead to much more reliable data.
Furthermore, we need a feature to allow keys to be removed in case the
true owner of an email address requests it.

I know that this collides with today's keyservers and it also collides
with keyservers exchanging keys between each other, but I strongly
believe that this would make keyservers more trustworthy than today.

-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Question about group line use in GnuPG

[Patrick Brunschwig]

On 22.02.15 09:29, Ludwig Hügelschäfer wrote:
 Hi Anthony,
 
 On 22.02.15 01:32, Anthony Papillion wrote:
 
 Thanks for your quick response. It looks like I may have fixed
 the problem. Basically, when I use Enigmail for the group line,
 it needs it in the form of
 
 group pgp...@yahoogroups.com=key1,key2,key3
 
 But when I do it from the terminal, it needs to be in the form
 of
 
 group pgp...@yahoogroups.com=key1,key2,key3
 
 Copying the group line in my gpg.conf file and removing the 
 brackets made if work as expected.
 
 Which Enigmail version are you using?

As far as I know, group entries should be space-separated, not by comma.
I.e. group pgp...@yahoogroups.com=key1 key2 key3

Furthermore, the current release version of Enigmail cannot handle 
as part of the group name.

-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: [Announce] GnuPG 2.1.2 released

[Patrick Brunschwig]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 11.02.15 20:40, Werner Koch wrote:
 Hello!
 
 The GnuPG Project is pleased to announce the availability of the 
 third release of GnuPG modern: Version 2.1.2.

The usual installer for Mac OS X is now available from
https://sourceforge.net/p/gpgosx/docu/Download/


- -Patrick

-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQIcBAEBCAAGBQJU3ONdAAoJENsRh7ndX2k7o6EP+weTsb+ziwUfWYa6RCwwchn6
yRaAVGqGtsAOPZFHoodZq0P2ijOtuZn6vgFlWeHUqSV08eg3pIfX/zdm5yEkp/Gu
Xe1x8yARXXacLmLaRKmw9+7bBnzFaYOVLjUo92VBH6eLWypuMl1pUY4PwpuWUxoa
pX/wnX0mnd3sh9skwpGlMfQCWBjlwe8KIJEtE7odGhTwXHpCW0wGOLxb8eDXB5od
kVYakaqscdRwVHnQ0aPeA0cBKN8nqK158L/Wia1S9m+ZhDjskK9lclXLEhnT3TMr
4T2cijlhojAC9IgiplP/pwwcl7grEQvfF4CaEalfUFRZclY9AHI3wtw50MU35RFs
a/v4OGlY6edD1wZ8kuSDSPcAoC1B/qFSw5MrSi3aGPzN1ERXNjc6g/liOl5bn/Eh
PqEUDox+g3SGGutqmmkp7Du5flwT5Cqxtys5cyOsk7ZYzQg6ApPNS/uFhTauYNw8
8T090SHEgpBqqAxU/kQEIwnh4AfiHfC/9EpmXTv2PpXeYItGlUuDgEQJ3ds2UsIt
jLxn1r86kew+W9pI+aBbuQ+Gf0lQCgiXHzWYaVWvixWQe+hzcsAxnjhBLwu7TBmo
uWSWeHnd8aqZ+1qqueY5WCIXeihCSjm27RIc549qR/bohN1r0isZv2+MZjMZ0IIg
3Km6HP92CucB2tKhdjL/
=X6xw
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Specifying passphrase for batch key generation

[Patrick Brunschwig]

On 15.01.15 09:56, Werner Koch wrote:
 On Wed, 14 Jan 2015 21:59, jose.casti...@gmail.com said:
 
 Now that we cannot specify a passphrase in the batch parameters, what
 is the preferred method for batch key generation with a specified
 passphrase?
 
 Thanks for this question.  The Enigmail folks also asked on how to do
 this and my answer was to switch to pinentry-mode=loopback.  Revisiting
 the code, it seems that there could be an easier solution.  I see no
 reason why we should not allow passing a passphrase along with the
 parameters for the key generation.  After all if the user wants to work
 around the Pinentry, they should be allowed to do that - at least for
 the key generation.
 
 It requires a bit of code but I think it is worth to have it in 2.1.2.

Even easier!

Thanks a lot
-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: [Announce] GnuPG 2.1.1 released

[Patrick Brunschwig]

On 16.12.14 17:36, Werner Koch wrote:
 Hello!
 
 The GnuPG Project is pleased to announce the availability of the
 second release of GnuPG modern: Version 2.1.1.
 
 The GNU Privacy Guard (GnuPG) is a complete and free implementation of
 the OpenPGP standard as defined by RFC-4880 and better known as PGP.
 
 GnuPG, also known as GPG, allows to encrypt and sign data and
 communication, features a versatile key management system as well as
 access modules for public key directories.  GnuPG itself is a command
 line tool with features for easy integration with other applications.
 A wealth of frontend applications and libraries making use of GnuPG
 are available.  Since version 2 GnuPG provides support for S/MIME and
 Secure Shell in addition to OpenPGP.
 
 GnuPG is Free Software (meaning that it respects your freedom). It can
 be freely used, modified and distributed under the terms of the GNU
 General Public License.
 
 Three different versions of GnuPG are actively maintained:
 
 - GnuPG modern (2.1) is the latest development with a lot of new
   features.  This announcement is about the first release of this
   version.
 
 - GnuPG stable (2.0) is the current stable version for general use.
   This is what most users are currently using.
 
 - GnuPG classic (1.4) is the old standalone version which is most
   suitable for older or embedded platforms.
 
 You may not install modern (2.1) and stable (2.0) at the same
 time.  However, it is possible to install classic (1.4) along with
 any of the other versions.

I created an installer for GnuPG 2.1.1 on Mac OS X, available from here:

http://sourceforge.net/projects/gpgosx/files/GnuPG-2.1.1.dmg/download

-Patrick


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Beta for 2.1.1 available

[Patrick Brunschwig]

On 24.11.14 09:24, Werner Koch wrote:
[...]
 
 GnuPG changes in 2.1.1-beta35
 -
 
[...]
  * Fixed build problems on Mac OS X

All fixed indeed! I created the first GnuPG build that did not require a
single patch on OS X :-)

-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: The Facts:

[Patrick Brunschwig]

On 15.11.14 12:52, da...@gbenet.com wrote:
 The steps I have taken to move my /.gnupg folder
 
 Background:
 
 I have two laptops (1) a 32 bit LXD laptop-1 (2) a 64 bit LXD
 laptop-2 one mouse and one WD 1.0 TB (1,000,202,043,392 bytes)
 external drive that plugs into the USB port of either laptop-1 or
 laptop-2 = david@laptop-1:/media/store$.
 
 Laptop-1 and laptop-2 are a mirror image of each. They contain the
 same software. I copied programmes like Thunderbird Firefox from
 laptop-1 to laptop-2 without any problems.

Why don't you simply do this:

1. on your old laptop:

tar zcf gnupg-backup.tgz $HOME/.gnupg


2. Copy the resulting file gnupg-backup.tgz to your new laptop


3. on your new laptop:

tar zxf gnupg-backup.tgz


-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

GnuPG 2.1.0 for Mac OS X Available

[Patrick Brunschwig]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

I'm happy to announce the first release of the GnuPG for OSX project
- - a new distribution of GnuPG 2.1 for Mac OS X ready to download and
install.

I started GnuPG for OSX to provide up to date distributions of GnuPG
on Mac. Unlike GPG Tools, this project only provides the complete
standard gpg tool suite, and no additional software.

The distribution requires Mac OS X 10.7 or newer and a 64-bit processor.

The software is available from:
http://sourceforge.net/projects/gpgosx/files/GnuPG-2.1.0.dmg/download

- -Patrick
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJUX7T6AAoJEMk25cDiHiw+Kq8IAL2u1dYTniPOpFHvPg5JFM5D
EN2ebaLhOfpic6/xZ0BEtaeYWDYa09QaIKsQzRH9q0n03dLEdzrjpLJFSQLuNH4o
xjSoJCM3PYtWg7d6ySHPyfePhAKal5u+jQ3z6zsoWccyaNKiHVYvXebU0Nanjr+R
RKEi6qdTSD4KcVOVbb0T/wvRjRaJz8lRwFaCXm9nxViaudXko/hQuO3Dl4UY2m/C
vGbDMSN4qyICMi7B3uLD/uC1gXnn3zYgXRaZVS3MSkKmAgsHUgsDAEGvzXXhcGmn
i7s+JjOrkhStufpahPpDjAsnOXG8Jk12+3GFhRsxTv9RPU5qXdcpfGzv7ZGdt4w=
=/cuU
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Error building GnuPG modern 2.1.0 on Yosemite

[Patrick Brunschwig]

Apply this patch before doing ./configure and it will build OK:

https://sourceforge.net/p/gpgosx/source/ci/master/tree/patches/makefile.patch

-Patrick

On 09.11.14 22:56, Mel Brands wrote:
 Werner, 
 
 Thank you! Patching with -p1 fixed the compilation issue but now I've
 run into a linking issue (I'm using the latest libgpg-error 1.17). 
 
 This is the error that occurs near the very end:
 
 
 gcc -I/usr/local/include -I/usr/local/include -I/usr/local/include -g
 -O2 -Wall -Wno-pointer-sign -Wpointer-arith   -o t-sexputil t-sexputil.o
 libcommon.a ../gl/libgnu.a -L/usr/local/lib -lgcrypt -lgpg-error
 -lassuan -L/usr/local/lib -lgpg-error -L/usr/local/lib -lgpg-error  -liconv 
 Undefined symbols for architecture x86_64:
   _default_errsource, referenced from:
   _parse_ber_header in libcommon.a(libcommon_a-tlv.o)
   _parse_sexp in libcommon.a(libcommon_a-tlv.o)
 ld: symbol(s) not found for architecture x86_64
 collect2: ld returned 1 exit status
 make[3]: *** [t-sexputil] Error 1
 make[2]: *** [all] Error 2
 make[1]: *** [all-recursive] Error 1
 make: *** [all] Error 2
 --
 
 According to this post, using a stable libgpg-error used to fix this
 issue back in the
 May: http://lists.gnupg.org/pipermail/gnupg-users/2014-May/049786.html
 
 I've tried Libgpg-error 1.16/1.17 and they have all failed to link
 properly with Gnupg 2.1.0. Libgpg-error 1.16/1.17 gives identical errors
 as the one above and 1.15 itself fails to compile with the following:
 
 ---
 libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I..
 -DLOCALEDIR=\/usr/local/share/locale\ -g -O2 -Wall -Wpointer-arith -MT
 libgpg_error_la-estream.lo -MD -MP -MF .deps/libgpg_error_la-estream.Tpo
 -c estream.c  -fno-common -DPIC -o .libs/libgpg_error_la-estream.o
 estream.c:3502: error: conflicting types for '_gpgrt_fseeko'
 gpgrt-int.h:108: error: previous declaration of '_gpgrt_fseeko' was here
 estream.c:3528: error: conflicting types for '_gpgrt_ftello'
 gpgrt-int.h:110: error: previous declaration of '_gpgrt_ftello' was here
 make[3]: *** [libgpg_error_la-estream.lo] Error 1
 make[2]: *** [all] Error 2
 make[1]: *** [all-recursive] Error 1
 make: *** [all] Error 2
 -
 
 Thanks for any insight!
 
 Mel
 
 PS: To answer Patrick Brunschwig, I'm using Xcode 6.1 on OS X 10.10
  (everything's updated to the latest versions available).
 
 On Fri, Nov 7, 2014 at 1:44 AM, Werner Koch w...@gnupg.org
 mailto:w...@gnupg.org wrote:
 
 On Thu,  6 Nov 2014 19:37, bigh...@gmail.com
 mailto:bigh...@gmail.com said:
 
  I tried to compile 2.1.0 today and ran into an issue. I have the
  latest autoconf/m4/gnu toolchain and all of the latest libraries that
  GnuPG needs.
 
 It is kind of funny that GnuPG as most autoconf enabled programs build
 fine on so many Unix platform but not on OS X we should be a modern
 Unix.
 
 One of the reasons might be that GnuPG uses a small part of gnulib (gl/)
 but does not follow all the gnulib updates to avoid regressions.
 
  ../gl/stdint.h:62:31: error: _types/_intmax_t.h: No such file or 
 directory
  ../gl/stdint.h:63:32: error: _types/_uintmax_t.h: No such file or 
 directory
 
 This problem seems to cause by the hack below.  We hoped that this would
 fix the problems but obviously it didn't on all machines.  You may try
 to revert that patch.
 
 For 2.0.1 I'd really like to get access to a decent OS X box to test the
 build before releasing it.
 
 
 Salam-Shalom,
 
Werner
 
 
 commit f5592fcff308007322a201c970a6d5e8763c9fe3
 Author: Werner Koch w...@gnupg.org mailto:w...@gnupg.org
 Date:   Wed Oct 29 15:41:28 2014 +0100
 
 Fix stdint.h problem for Apple.
 
 * gl/stdint_.h [__APPLE__]: Include hack.
 --
 
 Patch suggested by Patrick Brunschwig.
 
 Modified   gl/stdint_.h
 diff --git a/gl/stdint_.h b/gl/stdint_.h
 index 19577e7..1118e8d 100644
 --- a/gl/stdint_.h
 +++ b/gl/stdint_.h
 @@ -55,6 +55,13 @@
  # include @ABSOLUTE_STDINT_H@
  #endif
 
 +#ifdef __APPLE__
 +  /* Apple's implementation of stdint.h is bugy; we therefore use
 + the source definitions.  */
 +# include _types/_intmax_t.h
 +# include _types/_uintmax_t.h
 +#endif
 +
  /* sys/types.h defines some of the stdint.h types as well, on glibc,
 IRIX 6.5, and OpenBSD 3.8 (via machine/types.h).
 MacOS X 10.4.6 sys/types.h includes stdint.h (which is us), but
 
 
 
 --
 Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
 
 
 
 
 ___
 Gnupg-users mailing list
 Gnupg-users@gnupg.org
 http://lists.gnupg.org/mailman/listinfo/gnupg-users
 


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GnuPG 2.1.0 for Mac OS X Available

[Patrick Brunschwig]

On 09.11.14 21:51, Nicholas Cole wrote:
 Hi Patrick,
 
 Thanks for this! It's a really useful resource.
 
 Are you able to explain how you managed to get GnuPG-2.1 to compile?

See the scripts in the git source tree:
https://sourceforge.net/p/gpgosx/source/ci/master/tree/create_gpg

I have XCode 6.1 plus a very small set of tools from MacPorts (wget,
pkg-config).

-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Problem compiling GnuPG 2.1.0 on OS X 10.10

[Patrick Brunschwig]

On 07.11.14 06:41, Ramsey Dow wrote:
 Hello, I am having a build failure with GnuPG 2.1.0 on OS X 10.10 using Xcode 
 6.1's compiler tools.
 
 I have successfully compiled and installed all of the prerequisite libraries 
 (npth 1.1, libgpg-error 1.17, libksba 1.3.1, and libassuan 2.1.2). My build 
 sequence is as follows:
 
 gpg --verify $MRT/cache/gnupg-2.1.0.tar.bz2.sig
 tar xjf $MRT/cache/gnupg-2.1.0.tar.bz2
 pushd gnupg-2.1.0
 ./configure --prefix=$MRTRT
 make
 
 The compilation fails while linking t-sexputil in common. Here are the last 
 few lines of the build process:
 
 gcc -DHAVE_CONFIG_H -I. -I..  -I../gl -I../intl 
 -DLOCALEDIR=\/Users/ramsey/Developer/MRT/runtime/share/locale\ 
 -DGNUPG_BINDIR=\/Users/ramsey/Developer/MRT/runtime/bin\ 
 -DGNUPG_LIBEXECDIR=\/Users/ramsey/Developer/MRT/runtime/libexec\ 
 -DGNUPG_LIBDIR=\/Users/ramsey/Developer/MRT/runtime/lib/gnupg\ 
 -DGNUPG_DATADIR=\/Users/ramsey/Developer/MRT/runtime/share/gnupg\ 
 -DGNUPG_SYSCONFDIR=\/Users/ramsey/Developer/MRT/runtime/etc/gnupg\ 
 -DGNUPG_LOCALSTATEDIR=\/Users/ramsey/Developer/MRT/runtime/var\
 -I/Users/ramsey/Developer/MRT/runtime/include 
 -I/Users/ramsey/Developer/MRT/runtime/include 
 -I/Users/ramsey/Developer/MRT/runtime/include -g -O2 -Wall -Wno-pointer-sign 
 -Wpointer-arith -MT t-sexputil.o -MD -MP -MF .deps/t-sexputil.Tpo -c -o 
 t-sexputil.o t-sexputil.c
 mv -f .deps/t-sexputil.Tpo .deps/t-sexputil.Po
 gcc -I/Users/ramsey/Developer/MRT/runtime/include 
 -I/Users/ramsey/Developer/MRT/runtime/include 
 -I/Users/ramsey/Developer/MRT/runtime/include -g -O2 -Wall -Wno-pointer-sign 
 -Wpointer-arith   -o t-sexputil t-sexputil.o libcommon.a ../gl/libgnu.a 
 -L/Users/ramsey/Developer/MRT/runtime/lib -lgcrypt -lgpg-error -lassuan 
 -L/Users/ramsey/Developer/MRT/runtime/lib -lgpg-error 
 -L/Users/ramsey/Developer/MRT/runtime/lib -lgpg-error  -liconv 
 Undefined symbols for architecture x86_64:
   _default_errsource, referenced from:
   _parse_ber_header in libcommon.a(libcommon_a-tlv.o)
   _parse_sexp in libcommon.a(libcommon_a-tlv.o)
 ld: symbol(s) not found for architecture x86_64
 clang: error: linker command failed with exit code 1 (use -v to see 
 invocation)
 make[3]: *** [t-sexputil] Error 1
 make[2]: *** [all] Error 2
 make[1]: *** [all-recursive] Error 1
 make: *** [all] Error 2
 
 I'm not sure why this error is occurring, which is why I am reporting it 
 here, per instructions in the README. Am I forgetting to specify an option to 
 configure? Is the configuration subsystem missing something about my system's 
 setup? Please advise. I'm happy to provide any other details if necessary.

You'll need to apply the following patch for compiling GnuPG (the patch
is made to be applied before ./configure is executed):

https://sourceforge.net/p/gpgosx/source/ci/master/tree/patches/makefile.patch

And most likely, you'll run into another build error in dirmgr. This can
be fixed by editing dirmgr/Makefile and deleting -R/path/to/somewhere
from LDFLAGS

-Patrick




___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Error building GnuPG modern 2.1.0 on Yosemite

[Patrick Brunschwig]

On 07.11.14 07:44, Werner Koch wrote:
 On Thu,  6 Nov 2014 19:37, bigh...@gmail.com said:
 
 I tried to compile 2.1.0 today and ran into an issue. I have the
 latest autoconf/m4/gnu toolchain and all of the latest libraries that
 GnuPG needs.
 
 It is kind of funny that GnuPG as most autoconf enabled programs build
 fine on so many Unix platform but not on OS X we should be a modern
 Unix. 
 
 One of the reasons might be that GnuPG uses a small part of gnulib (gl/)
 but does not follow all the gnulib updates to avoid regressions.
 
 ../gl/stdint.h:62:31: error: _types/_intmax_t.h: No such file or directory
 ../gl/stdint.h:63:32: error: _types/_uintmax_t.h: No such file or directory
 
 This problem seems to cause by the hack below.  We hoped that this would
 fix the problems but obviously it didn't on all machines.  You may try
 to revert that patch.
 
 For 2.0.1 I'd really like to get access to a decent OS X box to test the
 build before releasing it.

I'm currently using Mavericks (10.9) with Xcode 6.1. I can imagine that
this is different on Yosemite (10.10) and/or a different version of
XCode. :-(

Which version of XCode do you (Mel) use?

-Patrick


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: PGP/MIME considered harmful for mobile

[Patrick Brunschwig]

On 25.02.11 07:43, Robert J. Hansen wrote:
 On 2/24/11 10:15 PM, Daniel Kahn Gillmor wrote:
 my colleague is using the application named email, version 2.2.2 on a
 stock 2.2.1 motorola droid.
 
 My problem is reproducible on a stock Droid X running 2.2.something --
 just got off a very long flight, funeral in the morning: I'll dig the
 precise version number tomorrow.

The only mail client on Android I know of to handle OpenPGP messages is
K9 (together with APG). But K9 only supports inline-PGP, PGP/MIME
messages are not displayed.

-Patrick


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: recursive gpg

[Patrick Brunschwig]

David SMITH wrote:
 On Thu, Aug 07, 2008 at 09:54:13AM -0600, Eliot, Christopher wrote:
 gpg arguments `find . -type f`
 will get you pretty close.
 
 Close, but if you've got lots of files, you'll hit the maximum command
 line length limit.

You have these two options:

a) find . -type f -excec gpg arguments {} \;
{} stands for the found filename

b) find . -type f | xargs gpg arguments

HTH
-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: filtering signed email with thunderbird

[Patrick Brunschwig]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Ramon Loureiro wrote:
 Hi!
 
 Is it possible to make a thunderbird filter that save my signed msgs in
 some folder?
 What in the email header must the filter check to see it has a (valid)
 signature?
 Or must it look for BEGIN PGP... strings into the body of the msg?

Not really. Unfortunately Thunderbird doesn't allow to easily extend
message filter for such purposes, that's why there is no such feature in
Enigmail.

- -Patrick
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEVAwUBSBtWiXcOpHodsOiwAQKX1wf+O+mbdUNhE3qJ08bDr5K2A1hvz3dwM6k2
rn5EUNAuMOt0bQictRi2tB8XojktFnzngzNvDPbwBI2XglyV5WAQOkMqwK+3MTxI
pxHJlsJPnJPNOEcXhwyVNlFWDRVFp/J/LdmGbW0ov2wF56bhsMsDGpeoMldLmiYW
zjHk+TZ+TP0kC/X8z57jYXYp3TrDXI2oriXSxioIjtNHTW2B+UKNrAwaVEBgteHo
1NYu2GF/4FjQDwHdVaI3TA+JyG+Jp4PTEMUYrfTb6ZlbZgMOnpwcgr7fQd1AMjE4
o5aq2tqOa29QXTtR4pHCgESI0fCedBD2e0czuRbXiIUi6j61O6b+dw==
=z9iv
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GnuPG v2.x?

[Patrick Brunschwig]

Werner Koch wrote:
[...]
 necessary enhancements to their S/MIME implementation.  The way Mozilla
 works is basically: Show a positive result but don't annoy the user if
 the signature is suspicious.  The fact that Mozilla may fall back to 40
 bit RC4 encryption may indicate that the developers do not consider
 privacy a major goal.

I think that last statement is no longer true. As of Thunderbird 2.0,
SeaMonkey 1.1 and Firefox 2.0 all 40 bit algorithms are disabled by
default (but the user may still enable them if he knows how to change
hidden prefs).

-Patrick


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GnuPG agent and non-shell application

[Patrick Brunschwig]

Noiano wrote:
 Hi everybody
 I have GnuPg 1.4.6 installed and I have my .gnupg directory as a
 symbolic link pointing to an encrypted partition. As soon as I need
 my keys I mount the encrypted partition and the symbolic link is
 resolved with no problem. The problem is the use of gnupg agent: I
 type gpg-agent --daemon  gpg-agent-info so that the variable
 information are stored to that file. Under my .bashrc I have added
 the following line source gpg-agent-info so that the variable is
 correctly set up.
 The problem is the use of gnupg agent with program such as
 thunderbird, kpgp. They cannot see the variable GPG_AGENT_INFO as
 all shells do. I cannot set anything in .xsession because the
 encrypted partition isn't mounted on boot but on demand. Could you
 please tell me a reasonable solution for this matter?

Start Thunderbird (or kgpg) with a wrapper program that checks if
gpg-agent is running and if yes export GPG_AGENT_INFO from your
gpg-agent-info file. I found that gpg-connect-agent is quite nice to do
this.

Something like this should do the job:

#!/bin/bash
source /path/to/gpg-agent-info
export GPG_AGENT_INFO

gpg-connect-agent EOT
/echo OK
EOT

if [ $? -ne 0 ]; then
  ## gpg-agent is not running
  unset GPG_AGENT_INFO
fi

exec /path/to/thunderbird $@

-Patrick


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Decrpytion not automatically possbible

[Patrick Brunschwig]

Burkhard Schroeder wrote:
 Hi,
 
 a got the same problem with Thunderbird and Evolution: encryption is
 working perfect, but decryption not. I have to store the textfile
 manually, and then to decrypt it as a file :-(
 
 But I did not change nothing.
 
 I got the message only in german:
 
 Fehler - Entschlüsselung fehlgeschlagen
 
 gpg Kommandozeile und Ausgabe:
 /usr/bin/gpg --charset utf8 --batch --no-tty --status-fd 2 -d --use-agent
 gpg: Schwierigkeiten mit dem Agenten - Agent-Ansteuerung wird abgeschaltet
 gpg: Passwortsatz kann im Batchmodus nicht abgefragt werden
 gpg: Ungültige Passphrase; versuchen Sie es bitte noch einmal ...
 gpg: Passwortsatz kann im Batchmodus nicht abgefragt werden
 gpg: Ungültige Passphrase; versuchen Sie es bitte noch einmal ...
 gpg: Passwortsatz kann im Batchmodus nicht abgefragt werden
 gpg: verschlüsselt mit 4096-Bit ELG-E Schlüssel, ID 488E0745, erzeugt
 2005-07-23
 Burkhard Schroeder [EMAIL PROTECTED]
 gpg: Entschlüsselung mit Public-Key-Verfahren fehlgeschlagen: Falsche
 Passphrase
 gpg: Entschlüsselung fehlgeschlagen: Geheimer Schlüssel ist nicht vorhanden

I don't know why Evolution would try to use gpg-agent, but at least in
Thunderbird/Enigmail make sure that the option Use gpg-agent for
passphrases is turned OFF. Furthermore, make sure that there is no
GPG_AGENT_INFO environment variable set.

-Patrick


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: [Announce] GnuPG 2.0.6 released

[Patrick Brunschwig]

Werner Koch wrote:
 
  * Improved Windows support.

Werner, do you also plan to create binary releases (i.e. installers) for
Windows?

-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: OpenPGP and usability

[Patrick Brunschwig]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Werner Koch wrote:
 On Fri, 10 Aug 2007 13:43, [EMAIL PROTECTED] said:
 
 At least Thunderbird openly invites plugins and Enigmail is a good one.
 
 Let Patrick explain you why there are still problems.

The user interface may be nice indeed, and the whole extension seems to
be quite well-integrated into Thunderbird, but in the background I can
tell you there are many hacks and workarounds needed to get things
running. Still, after more than 6 years of development, there are parts
of the code in Enigmail that I would call fragile

 Have you ever tried to work with the Mozilla Foundation on allowing
 better integration of certain plugins?  For example supporting non-NSS
 based crypto?

The main problem is that Thunderbird is very open for add-ons related to
the user interface, but once you dig into the core of the application,
it's no longer so well extensible. This is especially true for some of
the existing core parts. Some bits date back to Netscape 4.0 (or even
earlier) and have not been redesigned ever since then -- you can imagine
 what follows now.

- -Patrick
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEVAwUBRsAI3HcOpHodsOiwAQKEUwf9HdlzC7+03LJ9tO/L9I6dcWGiRB9pVNGa
MScLKFL1PaiR7HEJu58Ch/CHwXWwPQPG5gjc5icDJWm2ruDtJ6/G7iATnY5L5hIL
+5m8PhNAS1lmIFT1yuxsvgsVkTBtL+JVGImTjm95rL2TuTaehpqwYPYM5Ki8hQkK
8OL+d1FLz2ZR/toLD8Xa4bD1gwqC/ml7+1qnmnzc82EJ3V1sAfuMohs3+vnrTN5Y
9+KfP9QyVbVeUMWdDRQG5KxJn5oysnz61r46RmCSIIuE9G/aWUHf6wxSLoR0JPX6
HISmJF2T/COEYzh2QolwBfAUM1ceCvsblfgxsZCKmXEy2x4xXYS57w==
=f+42
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: OpenPGP and usability

[Patrick Brunschwig]

Werner Koch wrote:
 Problem 2: PGP/MIME.  Correspondents who were using PGP/MIME for
 attachments found massive interoperability problems.  Apparently,
 Enigmail has an idiosyncratic way of doing PGP/MIME which causes
 heartache and woe for non-Enigmail users.  (I haven't confirmed this;
 this is just according to him.)
 
 It is really a shame that the one Free Software project which is known
 by more than the computer geeks - namely Mozilla - is refusing to
 support an established standard like PGP/MIME.  We have had several
 implementations of it over the years for the new mail componnent (now
 known as Thunderbird) but all of them have been refused without giving
 good reasons.
 
 In this regard Thunderbird is no better than Outlook!

But there is Enigmail, and I'm doing my best to integrate .it as neatly
as possible into Thunderbird ;-)

 BTW: We would be able to solve the Outlook PGP/MIME sending problem if
 we could informally agree on a variant of the Content-Type header which
 gets checked by PGP/MIME aware MUAs before they use the real
 Content-Type.  Yes, it would be an ugly hack but very helpful.

What precisely would you need (or send)? I would be open to implement
such a solution in Enigmail, if it helps!

-Patrick


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Ownership of usb device with udev.

[Patrick Brunschwig]

Guillaume Yziquel wrote:
 Werner Koch a écrit :
 On Fri, 29 Jun 2007 11:38, [EMAIL PROTECTED] said:

 Visibly, purging pcscd does not solve the problem. Concerning
 permissions, I guess I have some work to do:
 Indeed.  That is your problem.  Use lsusb to figure out where the SCR335
 is attached and the manually update the ownership for testing.  The
 HOWTO has hints on how to install the hotplug stuff.
 
 I read the hotplug stuff was deprecated, and that udev should be used
 instead. The output of lsusb -v concerning the smart card reader follows.
 
 My main problem is that I do not really understand how udev works. I
 understood there was lots of renaming involved. And with all these
 renamings, I do not really know how to make ownership changes.
 
 I'd really love to find a good document on how udev works. In particular
 with debian.

The basic idea with udev is that you define rules for defining the group
and permission of devices (and other actions such as launching
applications). Here is a how-to that explains how these things work:
http://reactivated.net/writing_udev_rules.html

In your case you should create a file containing something like the
example below (everything on one line) and place it into
/etc/udev/rules.d. Check the README in /etc/udev/rules.d for the file
naming conventions.

SYSFS{idProduct}==5115, SYSFS{idVendor}==04e6, MODE=660,
GROUP=myspecialgroup

HTH
-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Can't run GPG --recv-keys under Windows Vista.

[Patrick Brunschwig]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Alessandro Vesely wrote:
 Henry Hertz Hobbit wrote:
 1. Vista considers the %ProgramFiles% area as semi-protected.  Since
GnuPG is installing into this area, it is a reason for concern.
 
 Next question is Why is GnuPG installing into this area?

According to Microsoft's recommendations (for those who care ;-) )
%ProgramFiles% is the place where executable programs should be
installed to. That's the place where *any* software should be installed,
such that programs and user data are separate.

- -Patrick
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEVAwUBRl2QlXcOpHodsOiwAQJrAggAg5VeykM3WuMIKJ1ucNfaJtRA6TJNtYEn
ERg5lH2ZMHSf7EGDaIJHAGqkeMZQcF5Ovcbxd+QVEbDx86aGbRBhCHQnxlCF7jDX
P6uO5fMSp274sSolWerNWsuDs7c9b6hLJt6HF9UwGQhoEbOGv2duietZWQLQlIt0
JIWeVK1Dl3E9Wx+Al6pFJEOU6TDlmNB4yccZuEzc/IYhGrzkIFuR2A/LEazz84jf
FTR7LZMY+C5cGLEszHb8S77wBvjfJxE0q+k8w2dQDmDcsbv5ykrUAYVIfFwcUE1S
B3dH42K4jQvspeDxCiZJaw3xUl/egGjUTE5zKaQDc6eQ9merieWIbQ==
=olgf
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Can't run GPG --recv-keys under Windows Vista.

[Patrick Brunschwig]

Moses wrote:
 Hi,
 
 I've installed gpg on Windows Vista recently, but seems not all the
 functions work well when I try to receive keys from keyserver. Here is
 the command I typed:
 
gpg --keyserver subkeys.pgp.net --recv-keys 
 
 After hit RETURN, I got errors immediately like this:
 
gpgkeys: hkp fetch error 1: unsupported protocol
 
 The same command works well on Windows XP.
 
 I've checked the environment variables %PATH%, and gpg's directory is in it.
 
 Any ideas?

This is a well-known issue on Vista. See e.g. here for the solution:
http://lists.gnupg.org/pipermail/gnupg-users/2007-March/030595.html

-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Decrypting multiple files gives errors

[Patrick Brunschwig]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

This is a new security feature. Use the new option
--allow-multiple-messages to avoid the error.

- -Patrick

fourthirtysix wrote:
 is there another forum where i can ask this?  i've used gnupg for a long time
 and now i'm losing some faith in it's stability due to this problem... 
 thanks
 
 
 
 fourthirtysix wrote:
 I'm getting errors when i try to decrypt multiple files at the same time
 with --decrypt-files. When I do files individually, they seem to decrypt
 fine. When I do multiple files, the first file decrypts fine, but all the
 others give errors like this:

 gpg: encrypted with 2048-bit ELG-E key, ID 12345678, created 2007-01-01
   John Smith [EMAIL PROTECTED]
 gpg: WARNING: multiple plaintexts seen
 gpg: handle plaintext failed: unexpected data

 I'm using gpg (GnuPG) 1.4.6 on Ubuntu 7.10 and this error is occuring on
 two different computers using the same keys.

 Please help! I don't want to have to decrypt one at a time!

 Thanks



 

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEVAwUBRiTBIncOpHodsOiwAQKWrwf/ZvNCU6bA3tmf0/Gw3Do0N2dd9nVW3vQy
LbmE8QZwxdUdQwOta9zVZ3WjBrppKqFdyTXUel9/NI0xjJkO/xUZKiPRflDyvCmx
lmjkA+WkTCvJdRPz5JIKLzRXkxyPoYCONoPg7ktoyHdTgSZqDVzwt6HZciPNrTAg
0JWlfqgk4TMU+FIHzbZ99DL/xQcUR4zODQHAaWMihM+v+QSBvo3DeLlUT9duFFx7
vKgmLE/KoLnUF3kOd4OD/jvbJieNKDnUhWULl4ZDbspgH5VlpGO+JL2t2vhwLZuo
ErAm1z4hNzboH1rV1Qmivsh9Yg77szETUfFEI58ntsrieVz7YhRSWQ==
=+TjR
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Problem interoperating with PGP Univeral?

[Patrick Brunschwig]

David Shaw wrote:
 On Sat, Mar 31, 2007 at 11:29:54PM +0200, Patrick Brunschwig wrote:
 Blumenthal, Uri wrote:
 I am trying to get cleartext-signed PGP/MIME messages produced by PGP
 Universal 2.5.3, verified by email clients (Thunderbird-1.5.0.10 +
 Enigmail-0.94.2 + GPG-1.4.7).

 So far my experience is:

 - Pure plaintext (neither PGP/MIME nor PGP/Partitioned) messages are
 verified OK.

 - PGP/MIME encrypted and signed messages are decrypted and verified OK.

 - PGP/MIME or PGP/Partitioned messages (HTML body and/or attachments)
 fail signature verification, with error message from GPG:

   Cleartext signature without data

 I've submitted help request to Enigmail list, but perhaps somebody here
 can advise me regarding this issue? Maybe there are settings at PGP
 Universal that should be changed to make its output friendlier? Or
 maybe there are GPG setting that would allow verification of those
 emails? 

 I'll be grateful for any help!

 Thank you!
 I can provide some more details on this. GnuPG 1.4.7 returns with this
 error message gpg: can't handle this ambiguous signature data.

 This is the detached signature that comes with such a message:

 -BEGIN PGP SIGNATURE-
 Version: PGP Universal 2.5.3

 qANQR1DEDQMBAhH9zteyosL+MwHCPwMFAUYL2iX9zteyosL+MxECC8QAnRhWP2Sx
 Ex7VcRL+wBVB2C7lksYAAKCYHvRP7E8vA5jKNgigU0o4kbFn4w==
 =lOCI
 -END PGP SIGNATURE-
 
 That's just a regular signature.  How does Enigmail call GPG to do the
 verification?
 
 David


To be 100% clear: Uri has sent me the attached message msg-dump-bad.txt,
which I extracted to file.txt and file.txt.asc.

If I call gpg (1.4.7) with: gpg --verify file.txt.asc file.txt

I get: gpg: can't handle this ambiguous signature data

That's all the information I have. As far as I can tell, the message
itself looks perfectly fine.

-Patrick
X-Account-Key: account3
X-UIDL: UID26-1174947114
X-Mozilla-Status: 0001
X-Mozilla-Status2: 
Return-path: [EMAIL PROTECTED]
Envelope-to: [EMAIL PROTECTED]
Delivery-date: Thu, 29 Mar 2007 10:24:19 -0500
Received: from wmout1.bear.com ([207.162.228.85]:31504)
by serv01.siteground172.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.63)
(envelope-from [EMAIL PROTECTED])
id 1HWwU7-0001uq-5a
for [EMAIL PROTECTED]; Thu, 29 Mar 2007 10:24:19 -0500
Received: from pwepgp1.bear.com ([207.162.228.88])
  by wmout1.bear.com with ESMTP; 29 Mar 2007 11:24:21 -0400
Received: from wmout2.bear.com ([207.162.228.86])
  by pwepgp1.bear.com (PGP Universal service);
  Thu, 29 Mar 2007 11:24:21 -0400
X-PGP-Universal: processed;
by pwepgp1.bear.com on Thu, 29 Mar 2007 11:24:21 -0400
Received: from bearh2.bear.com ([207.162.228.214])
  by wmout2.bear.com with ESMTP; 29 Mar 2007 11:24:21 -0400
X-Bear-PGP: Process
Received: from bear.com (localhost [127.0.0.1])
by bearh2.bear.com (8.9.3/8.9.2) with SMTP id LAA13237;
Thu, 29 Mar 2007 11:23:43 -0400 (EDT)
Received: from whexchmb05.bsna.bsroot.bear.com ([147.107.87.130]) by 
pwhdtwexcbho01.bsna.bsroot.bear.com with Microsoft SMTPSVC(5.0.2195.6713);
 Thu, 29 Mar 2007 11:23:41 -0400
X-MimeOLE: Produced By Microsoft Exchange V6.0.6603.0
MIME-Version: 1.0
Subject: [PGP-signed] Attempt to send plaintext only
Date: Thu, 29 Mar 2007 11:23:38 -0400
Message-ID: [EMAIL PROTECTED]
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: [PGP-signed] Attempt to send plaintext only
Thread-Index: AcdyFjcYbqJ8AwSPSBuZ4iF9Kcxs3Q==
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
X-OriginalArrivalTime: 29 Mar 2007 15:23:41.0688 (UTC) 
FILETIME=[3B86B780:01C77216]
X-PGP-Encoding-Version: 2.0.2
Content-Type: multipart/signed;
boundary=PGP_Universal_46D9C7F5_87BE5EA9_8D4C448C_636331FE;
protocol=application/pgp-signature;
micalg=pgp-sha1


--PGP_Universal_46D9C7F5_87BE5EA9_8D4C448C_636331FE
content-class: urn:content-classes:message
Content-Type: text/plain;
charset=us-ascii
Content-Transfer-Encoding: quoted-printable

Yes,

Thank you!
--
Regards,
Uri Blumenthal
Disclaimer


--PGP_Universal_46D9C7F5_87BE5EA9_8D4C448C_636331FE
Content-Type: application/pgp-signature;
x-mac-type=70674453;
name=PGP.sig
Content-Disposition: attachment; filename=PGP.sig

-BEGIN PGP SIGNATURE-
Version: PGP Universal 2.5.3

qANQR1DEDQMBAhH9zteyosL+MwHCPwMFAUYL2iX9zteyosL+MxECC8QAnRhWP2Sx
Ex7VcRL+wBVB2C7lksYAAKCYHvRP7E8vA5jKNgigU0o4kbFn4w==
=lOCI
-END PGP SIGNATURE-

--PGP_Universal_46D9C7F5_87BE5EA9_8D4C448C_636331FE--

Yes,

Thank you!
--
Regards,
Uri Blumenthal
Disclaimer

-BEGIN PGP SIGNATURE-
Version: PGP Universal 2.5.3

qANQR1DEDQMBAhH9zteyosL+MwHCPwMFAUYL2iX9zteyosL+MxECC8QAnRhWP2Sx
Ex7VcRL+wBVB2C7lksYAAKCYHvRP7E8vA5jKNgigU0o4kbFn4w==
=lOCI
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GnuPG incompatible with windows-vista ?

[Patrick Brunschwig]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Werner Koch wrote:
 On Wed, 14 Mar 2007 03:41, [EMAIL PROTECTED] said:
 
 If anyone is building on Vista (or building elsewhere but using it on
 Vista), try this patch.
 
 I have build a version with that patch.  The upx packed gpg.exe binary
 is available at:
 
  ftp://ftp.g10code.com/g10code/scratch/gpg.exe
 
 $ sha1sum gpg.exe
 9dbde44dc9275e2b4918839c7a789040dda0a64b  gpg.exe

I happen to have a Vista installation. I tried to download and upload
keys from hkp servers -- the patched version of gpg is working fine here :-)


- -Patrick
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEVAwUBRfezZ3cOpHodsOiwAQJXngf/V3QLMugZvIPLNSfhcO8iCnqcsirak5XI
gRkYLhiJ7YLM19Acw3GjkPtVzgXwC0NmD5Txki++0bQ0723bgBKQC+bdEEHxwziC
K32bHQ9SDsnZl6bRvMU+19g/7UPG7wvltoZBwNtphppq9FwVKg4ab2WrqE4HyvuZ
SX6Zb9EN6FCTUnKNPkGJ+pPupYdYUSwnt5WBTo/pMB+NZWcxt34T9X0F9yAUb1Q2
l3sEA88XJD9/G0dJQn3xSi9x4Au9nHQqofdBW4vgtSdmBnOYsivAVpkICtnmrjK5
2xg5l4Do/SrWlwF/4l+vT/jHbGeEU8HEhykFIoCLPmPA0CWnDX6vpA==
=V+C2
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: installed pinentry not found by gpg-agent/gpg2

[Patrick Brunschwig]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

snowcrash+gnupg-users wrote:
 hi,
 
 does it really need to be in /usr/bin?
 
 as above, i've installed it purposefully in
 
 % ls -al `which pinentry-qt`
  -rwxr-xr-x 1 root admin 2245584 2007-01-21 11:29 /usr/local/bin/pinentry-qt
 
 and, the symlink to it already exists,
 
 % ls -al `which pinentry`
  lrwxr-xr-x 1 root admin 11 2007-01-21 11:29 /usr/local/bin/pinentry
 - pinentry-qt
 
 and, i already have,
 
 % grep pinentry gpg-agent.conf
  pinentry-program /usr/local/bin/pinentry-qt

Does pinentry-qt work at all? Try to start pinentry-qt from the command
line, and if it starts type the following lines on the prompt:

SETDESC This is a test
GETPIN

- -Patrick
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEVAwUBRbSH5ncOpHodsOiwAQI8dgf/R9ZVHD0xjpq2KCDpiUirKq1csnKkJIW0
qTFPpyzU1l4z0AQhAQnYyJM1b99LGercAOpoOfN9oR6iR7CH6uZy8tOOmYT02rbI
RQFIfQvtWTQ2fO32l7l/Hy8pPCorkgN0P4CXy/m4JCuCzZWavFmosv7jAWWLF9oO
XJdWoDpGsTRNFD+zmBlRFDW+keopqqvk35Avu8syqeKboVMXult+v4GbFtp/RPbX
tiUqwBC6eYBRrBh+6wTDIsZRwIRYIL4q9G8zoC18mwVMz+xJtLazwkbICMywjqwA
Y/uCMtxQ2LLhf4pUiWNGMRLSbN9axl68xI7khXPIhhg0aC8sjTQV1g==
=USg5
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GnuPG ?Bineries? to USE PnuPG with Windows?

[Patrick Brunschwig]

Tom - Hwy101 wrote:
 Where are the 'Binaries' for Using PnuPG with Windows; AND, what do I do
 with to Use PnuPG
 with Thunderbird, Engimail Extension?  Thanks

You can get GnuPG from: ftp://ftp.no.gpg4win.org

After you have installed GnuPG, start Thunderbird with Enigmail
installed. It will usually find GnuPG automatically. Then, the easiest
way to get started is to use the Wizard which opens if you compose a new
message and click on the PGP icon.

-Patrick


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: [Announce] GnuPG: remotely controllable function pointer [CVE-2006-6235]

[Patrick Brunschwig]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Ludwig Hügelschäfer wrote:
 Hi,
 
 Malte Gell wrote on 08.12.2006 14:19 Uhr:
 
 Hm, GnuPG 1.4.5 (unpatched)/KMail 1.8.2 reports invalid signed
 message... Maybe my gpg.conf is messed or is this due to changes in
 gpg
 1.4.5? Thanx.
 
 Enigmail didn't even indicate a signed message :-((

True yes. I have to find out why ...
- -Patrick
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEVAwUBRXrKpXcOpHodsOiwAQK+YggAwO3L3gFMYb8hXhHxMKNcaCeJjBlrNeEn
FUP3F/JSJW+ZRpcCNm8ySsBZFH7iqFDTpmB6Kk5uwR7jSYoaJDk6GyiEhBrPypnd
m38akeVa3E593AfgTzMMoQL7JHQoqwoNTRLB1TaxEsUJXKf7eOFXbKhUUrZgblih
5tvjzMasV8A4CcnDF9DFKb/L1moGsz7hCDi46V051jSMGvhpxGj7dwA12dotwJ+5
8HsvKyYuj73BRTagJuphAj7HQfonx9KWhnCCe3VNaHFVH2pOb86HPrbKBpQNySiw
7RBWJj6YyTw5wcQY/VSLAk+CKTfaPViMCh24xX/21NdIK5Vu8NO0PA==
=D7yo
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GnuPG: remotely controllable function pointer [CVE-2006-6235]

[Patrick Brunschwig]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Patrick Brunschwig wrote:
 Ludwig Hügelschäfer wrote:
 Hi,
 
 Malte Gell wrote on 08.12.2006 14:19 Uhr:
 
 Hm, GnuPG 1.4.5 (unpatched)/KMail 1.8.2 reports invalid signed
 message... Maybe my gpg.conf is messed or is this due to changes in
 gpg
 1.4.5? Thanx.
 Enigmail didn't even indicate a signed message :-((
 
 True yes. I have to find out why ...

Interesting ... I found that Werner's mails are PGP/MIME signed, with
micalg=sha1

However, according to RFC 3156, this is not valid, the parameter would
have to be as follows, and thus it's not recognized as valid by Enigmail:
micalg=pgp-sha1

Is there a new version of the RFC that I'm not aware of, or is it just a
bug of Werner's mail client? In general, is it a good idea to interpret
the RFC so strictly for this, or is it better to be a bit more relaxed?

- -Patrick
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEVAwUBRXrPJHcOpHodsOiwAQKWdQf6A16HoCGb1kNNAa31RGJK0J6mSxB61Khn
4A5Ko9wPUuAegznBToYT+b/ePlx5Cz7Zz2BKaQ1nKN9sxPRwEKWk8Fzjb1+9xb2A
gApqkCH2NubvDwj6iAxJkQTgahRLd/QGI7Km+2ltfKlgw8d4Kuo1HNTVN5HjuDAO
yzPCT9azZMA2NS0caXG/gkjf4NYLltMpXFFBNM046/MlmJ3IP3r8UHhUxbAU7Zu6
YSyx2n+l87NvvegO6VxSGiLsVDRoZW2i+pqBi9YC5l7WMZPhLPmT8kVfNjUrRDtU
K8dqdhsTwmfICyuyVWx3YT6/urW1/xjhKrrEDqn4PTAZLExRptJOTw==
=WSu2
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg error messag

[Patrick Brunschwig]

Jim Dever wrote:
 David Shaw wrote:
 
 
 You might be able to manipulate things into verifying the signature by
 editing the file to change the SHA1 string to SHA256, but the real
 problem is probably in whatever program generated the message.
 
 Thanks!  I thought that might be the problem although I didn't know how
 to determine what hash the message was actually using.  What's
 ridiculous is that the message was produced by the PGP Global Directory
 keyserver.  The message is PGP/MIME in HTML format and I don't even see
 a HASH string in the message source at all.

The  hash string should be in the message header, something like
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol=application/pgp-signature;

I'm pretty sure that something is defined -- Enigmail will not try to
verify the message if no hash algorithm is provided.

-Patrick


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPG and PGP Compatibility

[Patrick Brunschwig]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Alphax wrote:
 Conan Purves wrote:
 Hello everybody,
 snip
 When I encode attachments, it gives them a .gpg suffix.  My colleagues
 who are using PGP Desktop cannot decode those files.  Though I can
 decode their files, either using the gpgee contextual menu or
 automatically through enigmail.

 Practically speaking, is there a solution for this?  My colleagues are
 most likely going to want to continue using PGP Desktop.

 
 Although it's only freeware and not open source, GPGShell
 http://www.jumaros.de/rsoft/index.html will give you explorer and
 system tray integration, and let you use a .pgp extension. I've filed an
 RFE at http://bugzilla.mozdev.org/show_bug.cgi?id=15442.


There's no need for an RFE against Enigmail. There are preferences
available that allow to modify the default .pgp to something else (the
prefs are not available via GUI).

- -Patrick
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.9.92 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEVAwUBRTYQuXcOpHodsOiwAQJB4Qf/TVOxH8gJ0e8IqfRQA2pdboSm74gHmZvM
W2GEX0jfwn9A10MQN82VFJoNLswRQOZpnNzkfsupEkpSe+GHRKsJXQOBRAQvPE9w
amJ/i7wr7qDv8hoZGMxlriV2WzAACLyUMzfwFXF7ENx8XNPq07n36DJ/P83O3iRd
Y5Oc/iktfFGynQeGHEle0R7QRJRfDEab7+B+9WVbRO6LT2N1g3j4mvCFwdgXdvUU
x2fgw59NX/jof/RJMRQcAEQTsbw2Jc1kiq+6TWKNK3TkySuEG2UARmc0PTK5nlYe
lfCyE4/o2XqTZA+6pltOQ0oX49xGV/jIhIIuyM8Wlzxy1U4uQAwUEQ==
=OEvK
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: German umlauts in passphrase

[Patrick Brunschwig]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Werner Koch wrote:
 On Mon, 17 Jul 2006 12:27, Karl Kashofer said:
 
 So, how would I examine the charset talbles ? The UserID and other 
 information 
 printed by GnuPG is correctly displayed with all the umlauts. How do I find 
 out what character I have to type to get the umlaut in my passphrase?
 
 You need to try.  There is no conversion inside gpg and gpg uses
 whatever you type/feed.  I see that this is a problem between
 different platforms.  However there is no real solution for this
 problem because it would break all non-ASCII pasphrases currently in
 use.

How about some new command line parameters that specify the charset of
the passphrase provided and/or the charset in which the passphrase is
stored on the keyring?

- -Patrick
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEVAwUBRL0Cg3cOpHodsOiwAQKrGQgAl3poBbNFZyRzJB7tzMaOidOOJzND5+u9
lqs4fMX2BJpe5k7HDw5n42WXr1/ue/CfDPfxftOagThx/qVVnp/kwDEIvca0Vvbv
nFJHnJvl+K9y4jLvW/Xo4TELvx6NV2UucPzAgKamhybuD4jydiUPdpjNHJhYwCu4
5f3oSqzhUeL97XGUFJm/lDCfvSqd4AYNvNvJD50Lkf5S1S5AoxcJIA9ZBVKsJQ5e
HMSAFo9n1fhlxIa5HaMTtsXvehfq6B4jUVIeowmGY7HJlS1mS9E7EQyazXYesHNk
9ZoDPPbfxhaj8SlnAeKIydo3nFCEFmOa05Amc/eZ31mwwR6iEzXBNg==
=cei8
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Enigmail Problem???

[Patrick Brunschwig]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I don't think it's related to Enigmail since it does not
add/modify/remove any code of the addressing widgets.

- -Patrick


 I posted this on the Thunderbird Forums. I thought that it might have
 something to do with Enigmail/GnuGP... I thought I might get an
 opinion from another perspective. What do you guys think?
 
 
 
 Sometimes (maybe 2/5 times) Thunderbird will crash when I start
 typing an address into the To:/cc:/bcc/etc. entry box to get the
 autocomplete list of contacts. This happens if I:
 
 -write a new message
 -reply/reply-to-all to a message
 -forward a message
 
 But again, this only happens sometimes; it seems to be random also.
 When the dialog comes up (in Windows XP) that says Thunderbird is
 experiencing an error and needs to close... I look in the details,
 and it says the module name (after thunderbird.exe) is
 xpcom_core.dll. I've checked the TB directory and xpcom_core.dll
 *is* there. I thought it might be corrupted, so I searched the
 internet and downloaded another copy. I replaced it (backing up the
 old one) and it seemed to help. But about 10 minutes ago, it happened
 again.
 
 I really don't know why this is happening. The only thing I can
 think of is the Enigmail extension (which has caused problems before)
 but it is essential to my emails, so I can't afford to unistall it.
 
 Versions and extensions:
 
 TB: 1.5.0.4 (build 20060516)
 
 -Enigmail 0.94.0
 -MinimizeToTray 0.0.1 (build 2006030906+)
 -SwitchProxy Tool 1.4
 
 Installed after crashes (so they logically shouldn't have anything
 to do with it)
 -Lightning 0.1 (build) 2006031011
 -AboutConfig 0.6
 
 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEVAwUBRJ6sbHcOpHodsOiwAQJDuwgAlj5bleyW2hdn5r57Oy1C4b8pZdWD/hRf
CEmgnsoE6YQNAOkSzMyFNYzKgMAYXu5PUZJTDsEetdGPP+AjxTgVhZH8nJ6/It49
Xz6OoyYiW4yvq+EzUYDZuY9B4g82vM5pITj0tYA9fBjuap58pMOV3lYcpmVDh9/N
xqOkXgwsTaFyNow4x3rTt+5PYQ0ShPVb4IwMGfViXGGc422e/WXfEjiufO+Pgda3
tBSNpAVZ3LkF7d9PIxkDfOpV84YT1YK4FIxRcTb6/Ch4HdYcXafMjdbRevpW8A4I
5VxO8jdSpe3vHanpF6BZwOf7XrLh1ezBFWeUm8uPJCZMxiB5sH+t2A==
=FFM4
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPGOL breaks Enigmail

[Patrick Brunschwig]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Bob Henson wrote:
 I decided to try GPGOL for the few occasions that I use Outlook.
 Unfortunately, since installing it, Enigmail's Key Management shows an empty
 screen and I cannot use GnuPG via Enigmail at all. How do I get out of this,
 please? In desperation I removed all the programs and registry entries that
 I could find relating to GPGOL, but it hasn't helped.

Does GPGOL install gpg, or does it modify the path to the GnuPG home
directory?

- -Patrick
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEVAwUBQ9SS6XcOpHodsOiwAQJJ+Qf/Sg5XHEzUcD03+2Rgt2KULA6qlQY4N3M5
XgrhwtFoq7ZMvdpytIUXbtwPGIIjsqJEZlzNIImb0O12UMD51voQSQQxdZ8NCH9n
xygQuohBMRMhlWYkGJ/YT4fhTgk7Y8BzO32Xx4+f14m6YeXHHyXJIBwB1p51fgJX
TkIgmZINU+9GOK5z45Y57qk07SePm36kd0x+Blwa61WonEvNLfwTK29qfQNkFR+n
4AOlS/wjVIOeW3FjoF7FRwp2C80krgSCOvR6PuHanI6d5hG/rg+6X5dFncy2tk+i
CbbFhupfM4S9EIX3YqZBIV1AsXL2NexwFZ7wQyd0miPsPUk4EDiGXA==
=CQon
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users