LAST CALL: Invitation to the 8th OpenPGP Email Summit

2024-05-23 Thread Patrick Brunschwig
On behalf of the Wau Holland Stiftung, I'm happy to invite you to the
8th OpenPGP Email Summit which will take place:

  Friday, June 7 & Saturday, June 8 2024
   in Dietzenbach near Frankfurt, at the Hotel Sonnenhof


If you plan to attend the event, then *please add yourself* to the
cryptpad until *May 30, 2024* latest:
https://cryptpad.fr/sheet/#/2/sheet/edit/eSLKf+dpna9ZSmDLeLiWeMFh/


SCHEDULE OVERVIEW
=================

Hacking Day: Thursday, June 6, 2024
Main Event:  Friday June 7 & Saturday June 8, 2024


REGISTRATION & EVENT DETAILS
============================

All details including the agenda are available on the web site:
https://wiki.gnupg.org/OpenPGPEmailSummit202406


ABOUT THE OpenPGP EMAIL SUMMIT
==============================

This is an event open for anybody involved in the development of email
clients using OpenPGP for encryption, and related software.

We already had 7 OpenPGP Email Summits at various locations in Europe.
These are meetings by technical experts of projects and tools dealing
with OpenPGP with a focus on email encryption. The goals are to better
get to know each other, and to discuss and work on issues that hopefully
improve certain aspects of OpenPGP-based email encryption. For details, see
   https://wiki.gnupg.org/OpenPGPEmailSummit202406


Looking forward to meeting you in Dietzenbach
-Patrick

-- 
Wau-Holland-Stiftung
Zeiseweg 9
22765 Hamburg/Germany
http://www.wauland.de





___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users


Invitation to the 8th OpenPGP Email Summit

2024-05-14 Thread Patrick Brunschwig
On behalf of the Wau Holland Stiftung, I'm happy to invite you to the
8th OpenPGP Email Summit which will take place:

  Friday, June 7 & Saturday, June 8 2024
   in Dietzenbach near Frankfurt, at the Hotel Sonnenhof


SCHEDULE OVERVIEW
=================

Hacking Day: Thursday, June 6, 2024
Main Event:  Friday June 7 & Saturday June 8, 2024


REGISTRATION & EVENT DETAILS
============================

All details including the agenda are available on the web site:
https://wiki.gnupg.org/OpenPGPEmailSummit202406


ABOUT THE OpenPGP EMAIL SUMMIT
==============================

This is an event open for anybody involved in the development of email
clients using OpenPGP for encryption, and related software.

We already had 7 OpenPGP Email Summits at various locations in Europe.
These are meetings by technical experts of projects and tools dealing
with OpenPGP with a focus on email encryption. The goals are to better
get to know each other, and to discuss and work on issues that hopefully
improve certain aspects of OpenPGP-based email encryption. For details, see
   https://wiki.gnupg.org/OpenPGPEmailSummit202406


Looking forward to meeting you in Dietzenbach
-Patrick

-- 
Wau-Holland-Stiftung
Zeiseweg 9
22765 Hamburg/Germany
http://www.wauland.de





Request for Comment: keys.openpgp.org Organization

2022-07-22 Thread Patrick Brunschwig
This is a cross-post to openpgp-em...@enigmail.net,
gnupg-users@gnupg.org, autocr...@lists.mayfirst.org
and open...@ietf.org.
Please reply to openpgp-em...@enigmail.net

During the last OpenPGP Email Summit[1] we agreed that we would like to
transition the keyserver on keys.openpgp.org (KOO) from a one-person
show into an open community project. Vincent, Lars, dkg and I
volunteered to form a Bootstrapping Committee that would propose a new
structure and governing rules for this community by end of July.

I'm very happy to announce today that we completed this task ahead of
time. We have prepared a proposal for a constitution, together with
several supporting documents, and would now like to invite everyone
interested in OpenPGP for feedback to our proposals. Please provide your
feedback until Aug. 21, 2022 on the OpenPGP Summit Email list
(openpgp-em...@enigmail.net).

Below is a summary of the proposed constitution. The complete
constitution and all supporting documents can be found on Gitlab:
https://gitlab.com/hagrid-keyserver/bootstrap-committee/-/tree/main

We are planning to set up the organization according to the following
schedule (under the assumption that the feedback is such that the
schedule is feasible):
1. Comment period for the constitution: until Aug. 21, 2022
2. Publish first version of constitution: 1w later
3. Invitation for voting body +4w
4. First election of the board +2w
5. Publish election results +3d
6. Install 1st Board

We agreed that Patrick will be responsible for the complete process.


Summary of the keys.openpgp.org Constitution
============================================

High Level Summary
------------------
keys.openpgp.org (KOO) is a service providing a verifying key server to
the OpenPGP ecosystem. The service is operated by the operations team as
guided by the Board. The Board is elected by the Voting Body, which is
formed by individuals that are active in the OpenPGP ecosystem.

The Board
---------
The Board offers advice, guidance, and support to the operations
team, and helps ensure the ongoing operation of the KOO service.
If and when the KOO organization gets funds, the Board decides how
to spend them. The Board consists of 3-5 individuals. Board members are
elected for a 1-year term, and may be on the Board for up to 3 years in
a row. Board votes are decided by simple majority, except when replacing
the whole operations team, which must be a unanimous vote by all members.

The Board nominates one of its members as secretary. The secretary takes
meeting minutes and organizes the next election. Board meeting minutes
are published.

The Board takes care of KOO Enhancement Proposals (KEP) that may be
submitted by any voting member. Any KEP requires adoption by at least
one Board member in order to be considered by the Board. The Board may
approve or reject any KEP under consideration, or may ask the KEP author
for revisions before re-consideration.

Board members self-nominate themselves via a public mailing list.
Elected members are asked to ensure that no organization or affiliation
is over-represented in the Board.

The Voting Body
---------------
The voting body serves to elect the Board Members. It consists of voting
members. Eligible for membership are all those individuals who use
OpenPGP, implement it, provide services to help use it, produce
documentation, provide training, etc. Voting members are nominated by
existing members and approved by the Board. Membership expires after 3
years of inactivity (defined by participating in the votes and elections).

Membership in the initial voting body is open to anyone who has attended
any of the past OpenPGP E-mail Summits[2]. This only applies to the
election of the first Board.

The Operations Team
-------------------
The operations team maintains the Hagrid software, and operates the
servers providing the service of the key server. It has final say in how
the software works, and how the service is provided. The operations team
reports on their activities to the Board and the public. The operations
team is self-organized, except for the right of the Board to replace the
operations team entirely.

Initial Formation of the KOO Organization
-----------------------------------------
The KOO Bootstrap Committee will organize the process to establish the
KOO organization as follows:

1. Request for feedback from the OpenPGP community (public
   announcement).
2. Incorporate the community feedback and publish the 1st KOO
   Constitution.
3. Invite attendees of the past OpenPGP E-mail Summits to join the
   Voting Body.
4. Organize the election of the first Board.
5. The constitution is considered ratified once the 1st elected Board
   is installed.

In order to ensure continuity, 2 of the 5 initial Board members will
have a term limit of max. 2 years.

Voting Process
--------------
Voting and elections are done publicly and are attributable.
Votes for Board elections are done by signed commits via merge
requests on a dedica

Re: Looking for new Maintainer for gpgOSX

2022-07-03 Thread Patrick Brunschwig
I'm happy to announce that Ralph Seichter has taken over the lead for
gpgOSX. Ralph already started to work on the code, and I transferred the
ownership of the project to him.

Many thanks to Ralph for taking over so quickly!

-Patrick

Patrick Brunschwig wrote on 26.06.2022 18:12:
> gpgOSX is a free pre-packaged installable distribution of standard
> GnuPG 2.x for macOS. I have been maintaining it since the release of GnuPG
> 2.1.0 back in 2014.
> 
> As many of you know, I'm also maintaining Enigmail. Since OpenPGP
> support is part of Thunderbird, my involvement with Enigmail has reduced
> a lot, and so has my involvement with GnuPG. Furthermore, I don't have a
> Mac anymore, and it has become more and more difficult and cumbersome to
> continue maintaining and building gpgOSX. I am therefore looking for
> someone who would want to step in and take over the project.
> 
> If you're interested, then please get in touch with me.
> 
> Thanks,
> Patrick





Looking for new Maintainer for gpgOSX

2022-06-26 Thread Patrick Brunschwig
gpgOSX is a free pre-packaged installable distribution of standard
GnuPG 2.x for macOS. I have been maintaining it since the release of GnuPG
2.1.0 back in 2014.

As many of you know, I'm also maintaining Enigmail. Since OpenPGP
support is part of Thunderbird, my involvement with Enigmail has reduced
a lot, and so has my involvement with GnuPG. Furthermore, I don't have a
Mac anymore, and it has become more and more difficult and cumbersome to
continue maintaining and building gpgOSX. I am therefore looking for
someone who would want to step in and take over the project.

If you're interested, then please get in touch with me.

Thanks,
Patrick





Re: [openpgp-email] Invitation to the 6th OpenPGP Email Summit

2022-05-15 Thread Patrick Brunschwig
The OpenPGP Email Summit will start in 12 Days. If you want to attend,
then please add your name to the following Cryptpad, such that we can
plan for food, drinks etc.

https://cryptpad.fr/pad/#/2/pad/edit/EtMIfWF2q6qP+c3iv8qNH+x0/

See you soon!
-Patrick

Patrick Brunschwig wrote on 18.04.2022 11:43:
> I'm happy to announce the 6th OpenPGP Email Summit which will take place
>
> Friday, May 27 & Saturday, May 28, 2022
>   in Geneva (Switzerland) at the offices of Proton AG
>  (the company behind ProtonMail and OpenPGP.js)
>
> For those who are interested in chatting, hacking or starting
> discussions prior to the "real" summit, there is the option to already
> meet on Thursday, May 26.
>
> REGISTRATION
> ============
>
> If you want to attend, please add yourself to the following cryptpad:
> https://cryptpad.fr/pad/#/2/pad/edit/EtMIfWF2q6qP+c3iv8qNH+x0/
>
> If you need funding for your travel/hotel expenses, then please get
> in contact with me.
>
>
> ABOUT THE OpenPGP EMAIL SUMMIT
> ==============================
>
> This is an event open for anybody involved in the development of email
> clients using OpenPGP for encryption, and related software.
>
> We already had 5 OpenPGP Email Summits at various locations in Europe.
> These are meetings by technical experts of projects and tools dealing
> with OpenPGP with a focus on email encryption. The goals are to better
> get to know each other, and to discuss and work on several technical
> issues that hopefully improve certain aspects of OpenPGP-based email
> encryption. For details, see
>   https://wiki.gnupg.org/OpenPGPEmailSummits
>
>
>
> NOTES
> =====
> This is a meeting of those who develop software. Thus, we will have a
> lot of tech talk about key servers, key exchange, subject encryption,
> password recovery, etc.
>
> Thus, feel free to join us if you are working in the area of
> - TECHNICAL DETAILS
> - for SENDING or PROCESSING ENCRYPTED EMAILS
> - with OpenPGP
> - in a project or product.
>
> Note that this is neither a well-organized conference nor a commercial
> meeting. The agenda will be driven by the attendees. Anyone may propose
> any topic for discussion, as long as he/she is ready to lead the discussion.
>
> More details are available on the web site:
> https://wiki.gnupg.org/OpenPGPEmailSummit202205
>
>
> Looking forward to meeting you in Geneva
> -Patrick





Invitation to the 6th OpenPGP Email Summit

2022-04-18 Thread Patrick Brunschwig
I'm happy to announce the 6th OpenPGP Email Summit which will take place

Friday, May 27 & Saturday, May 28, 2022
  in Geneva (Switzerland) at the offices of Proton AG
 (the company behind ProtonMail and OpenPGP.js)

For those who are interested in chatting, hacking or starting
discussions prior to the "real" summit, there is the option to already
meet on Thursday, May 26.

REGISTRATION
============

If you want to attend, please add yourself to the following cryptpad:
https://cryptpad.fr/pad/#/2/pad/edit/EtMIfWF2q6qP+c3iv8qNH+x0/

If you need funding for your travel/hotel expenses, then please get
in contact with me.


ABOUT THE OpenPGP EMAIL SUMMIT
==============================

This is an event open for anybody involved in the development of email
clients using OpenPGP for encryption, and related software.

We already had 5 OpenPGP Email Summits at various locations in Europe.
These are meetings by technical experts of projects and tools dealing
with OpenPGP with a focus on email encryption. The goals are to better
get to know each other, and to discuss and work on several technical
issues that hopefully improve certain aspects of OpenPGP-based email
encryption. For details, see
  https://wiki.gnupg.org/OpenPGPEmailSummits



NOTES
=====
This is a meeting of those who develop software. Thus, we will have a
lot of tech talk about key servers, key exchange, subject encryption,
password recovery, etc.

Thus, feel free to join us if you are working in the area of
- TECHNICAL DETAILS
- for SENDING or PROCESSING ENCRYPTED EMAILS
- with OpenPGP
- in a project or product.

Note that this is neither a well-organized conference nor a commercial
meeting. The agenda will be driven by the attendees. Anyone may propose
any topic for discussion, as long as he/she is ready to lead the discussion.

More details are available on the web site:
https://wiki.gnupg.org/OpenPGPEmailSummit202205


Looking forward to meeting you in Geneva
-Patrick


-- 
Patrick Brunschwig
mailto:patr...@enigmail.net
PGP fingerprint: 4F9F 89F5 505A C1D1 A260 631C DB11 87B9 DD5F 693B





GpgOSX for Apple Silicon

2020-11-24 Thread Patrick Brunschwig
I have created a first version of GpgOSX 2.2.25 for the new Apple
Silicon architecture (ARM processor).

However, I don't have a machine to test my build, thus I can't verify if
it works. Therefore, if someone has access to an ARM-based Mac, then
please get in touch with me.

Thanks,
Patrick




Re: Thunderbird / Enigmail / Autocrypt

2020-11-21 Thread Patrick Brunschwig
If you think about using the current stable version of Thunderbird
(version 78), then there is no Enigmail and no Autocrypt. OpenPGP has
been implemented directly in Thunderbird, but there is currently no
Autocrypt support in Thunderbird.

-Patrick

Daniel Bossert via Gnupg-users wrote on 20.11.2020 10:23:
> Hello all
> 
> How secure is it to use Thunderbird with Autocrypt? I use Sylpheed at the
> moment, but it is not as comfortable to use as Thunderbird.
> Also, when I send an email, the signature will be shown instead like with
> Thunderbird just an info that the mail is signed
> 
> Do you have some inputs?
> 
> Regards
> Daniel
> 



agent_genkey failed: Invalid flag

2020-06-11 Thread Patrick Brunschwig
A user of Enigmail tried to create a key using the following command:

/usr/bin/gpg2 --charset utf-8 --display-charset utf-8 \
--no-auto-check-trustdb --batch --no-tty --no-verbose --status-fd 2 \
--gen-key
%echo Generating key
Key-Type: EDDSA
Key-Curve: Ed25519
Key-Usage: sign
Subkey-Type: ECDH
Subkey-Curve: Curve25519
Subkey-Usage: encrypt
Name-Real: [name]
Name-Email: [email]
Expire-Date: 1825

gpg reports the following error:

gpg: agent_genkey failed: Invalid flag
gpg: key generation failed: Invalid flag
[GNUPG:] ERROR key_generate 16777288
[GNUPG:] KEY_NOT_CREATED

Any idea what could be wrong here?

-Patrick



Re: Exchange between multiple OpenPGP implementations

2020-05-31 Thread Patrick Brunschwig
Peter Lebbing wrote on 31.05.2020 11:07:
> Hi,
> 
> On 31/05/2020 10:01, Patrick Brunschwig wrote:
>> The only "problem" might be that you have different keys on different
>> key rings. But this is not necessarily a problem - you use different
>> keys for different purposes and you can import and export the keys
>> between the tools if needed.
> 
> Does the new TB implementation support TOFU? If so, you lose your TOFU
> historical data and identity assertions when you would export/import to
> a different OpenPGP implementation. That'd be a shame. Maybe there's a
> need for a standardised interchange format for that.

TB chose (unfortunately in my eyes) to currently only support explicit
trust using their own trust handling. I hope that future versions will
support other methods.

-Patrick



Re: Certified OpenPGP-encryption after release of Thunderbird 78

2020-05-31 Thread Patrick Brunschwig
Andreas Boehlk Computer-Service wrote on 31.05.2020 11:09:
> Hello Patrick,
> 
> 
> Am 31.05.2020 um 10:01 schrieb Patrick Brunschwig:
>> Mark wrote on 31.05.2020 01:28:
>>> Doesn't TB also need your secret keys to decrypt messages?  
>>
>> With smartcard support via GnuPG, all secret key operations are handled
>> by GnuPG, and all public key operations are handled by TB (Note: the
>> standard case, without smartcard support, will be that all keys are in
>> Thunderbird).
>>
>> The use-cases are clearly distinct:
>> - encryption: you only need public keys
>> - decryption: you only need secret keys
>> - signing: you only need secret keys
>> - verification: you only need public keys
>>
> The standard user will not be able to work with that "solution".
> Compared to the "enigmail-solution" this is the hell and bound to fail.

Let's first define Standard users. The majority of users who use
smartcards that *I* know are expert or power users. They can handle this.

The "Standard users" I have in mind don't use GnuPG for anything else
than encrypting mails, and they don't use smartcards either. They won't
have this issue in any way.

>>> Also what if you need your public keys outside of TB such as encrypting
>>> a file?
>>
>> That's not supported by Thunderbird. The idea of OpenPGP in Thunderbird
>> is that you use it for email.
>>
> That is correct, but nevertheless it is mandatory to have and use a
> single key-store.

For which use-case precisely? If you only use OpenPGP for emails (and
given the users I know who had support cases in the past, this is true
for the majority of the Enigmail users), then this is irrelevant.

To be quite clear: Thunderbird will not support GnuPG for scenarios
other than handling secret keys. And that's only because the OpenPGP
library they use can't handle smartcards yet. Once the library will
support smartcards, I expect that GnuPG support will be removed entirely.

Note: I'm not a Thunderbird developer and I don't drive Thunderbird
decisions -- this is simply my expectation of what will happen.

-Patrick


Re: Certified OpenPGP-encryption after release of Thunderbird 78

2020-05-31 Thread Patrick Brunschwig
Mark wrote on 31.05.2020 01:28:
> Doesn't TB also need your secret keys to decrypt messages?  

With smartcard support via GnuPG, all secret key operations are handled
by GnuPG, and all public key operations are handled by TB (Note: the
standard case, without smartcard support, will be that all keys are in
Thunderbird).

The use-cases are clearly distinct:
- encryption: you only need public keys
- decryption: you only need secret keys
- signing: you only need secret keys
- verification: you only need public keys

> Also what if you need your public keys outside of TB such as encrypting
> a file?

That's not supported by Thunderbird. The idea of OpenPGP in Thunderbird
is that you use it for email.

> The reason I'm asking is that awhile ago I posted about unknown files in
> my GNUPG directory. PAPubring.gpg and PAsecring.gpg. I eventually found
> out those are key rings used by a program I have called Power Archiver.
> I'm not sure why it has it own set of keys, still awaiting an
> explanation from support. If every app is not using the same pair of key
> rings (and there is no synchronization between them) could that not lead
> to problems?

The only "problem" might be that you have different keys on different
key rings. But this is not necessarily a problem - you use different
keys for different purposes and you can import and export the keys
between the tools if needed.

-Patrick

> On 5/30/2020 12:57 PM, Patrick Brunschwig wrote:
>> Mark wrote on 30.05.2020 20:54:
>>> So then do you have multiple pairs of key rings? One pair for TB78 and
>>> its built in PGP and another pair as part of GNUPG?
>> Not exactly. You have your secret keys with GnuPG, and your public keys
>> with Thunderbird. No synchronization required.
>>
>> -Patrick
>>> If so how do you keep them synchronized?
>>>
>>> On 5/30/2020 9:17 AM, Patrick Brunschwig wrote:
>>>> Robert J. Hansen wrote on 30.05.2020 01:07:
>>>>>> If TB 78 is going to have native support of openGPG encryption, then the
>>>>>> original person in the thread should be able to export all of the keys
>>>>>> in their key rings, and import all of those keys into TB 78, or am I
>>>>>> missing one of the gotchas with
>>>>>> TV 78 and it's openGPG encryption support.
>>>>> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
>>>>> even import a key*."
>>>> I'm sorry, but that is simply not true. There is a known bug in the
>>>> library used by Thunderbird (RNP) that leads to crashes when importing
>>>> _certain_ keys. But I succeeded in importing all of my keys without any
>>>> problems (more than 1.000), except for 5 V3-keys. I can definitely say
>>>> that it's not just broken, and it can import keys.
>>>>
>>>>> I'm not kidding.  It is so far from complete that Kai Englert, who leads
>>>>> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
>>>>> TB until version 78.2, or about a three-month delay.
>>>> Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_
>>>> but users may still enable it manually.
>>>>
>>>>> At present, as of -Beta3, TB78's OpenPGP support is badly broken.
>>>> No, it's incomplete - work in progress. That's not quite the same.
>>>>
>>>> -Patrick





Re: Certified OpenPGP-encryption after release of Thunderbird 78

2020-05-30 Thread Patrick Brunschwig
Mark wrote on 30.05.2020 20:54:
> So then do you have multiple pairs of key rings? One pair for TB78 and
> its built in PGP and another pair as part of GNUPG?

Not exactly. You have your secret keys with GnuPG, and your public keys
with Thunderbird. No synchronization required.

-Patrick
> 
> If so how do you keep them synchronized?
> 
> On 5/30/2020 9:17 AM, Patrick Brunschwig wrote:
>> Robert J. Hansen wrote on 30.05.2020 01:07:
>>>> If TB 78 is going to have native support of openGPG encryption, then the
>>>> original person in the thread should be able to export all of the keys
>>>> in their key rings, and import all of those keys into TB 78, or am I
>>>> missing one of the gotchas with
>>>> TV 78 and it's openGPG encryption support.
>>> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
>>> even import a key*."
>> I'm sorry, but that is simply not true. There is a known bug in the
>> library used by Thunderbird (RNP) that leads to crashes when importing
>> _certain_ keys. But I succeeded in importing all of my keys without any
>> problems (more than 1.000), except for 5 V3-keys. I can definitely say
>> that it's not just broken, and it can import keys.
>>
>>> I'm not kidding.  It is so far from complete that Kai Englert, who leads
>>> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
>>> TB until version 78.2, or about a three-month delay.
>> Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_
>> but users may still enable it manually.
>>
>>> At present, as of -Beta3, TB78's OpenPGP support is badly broken.
>> No, it's incomplete - work in progress. That's not quite the same.
>>
>> -Patrick



Re: Certified OpenPGP-encryption after release of Thunderbird 78

2020-05-30 Thread Patrick Brunschwig
Robert J. Hansen wrote on 30.05.2020 01:07:
>> If TB 78 is going to have native support of openGPG encryption, then the
>> original person in the thread should be able to export all of the keys
>> in their key rings, and import all of those keys into TB 78, or am I
>> missing one of the gotchas with
>> TV 78 and it's openGPG encryption support.
> 
> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
> even import a key*."

I'm sorry, but that is simply not true. There is a known bug in the
library used by Thunderbird (RNP) that leads to crashes when importing
_certain_ keys. But I succeeded in importing all of my keys without any
problems (more than 1.000), except for 5 V3-keys. I can definitely say
that it's not just broken, and it can import keys.

> I'm not kidding.  It is so far from complete that Kai Englert, who leads
> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
> TB until version 78.2, or about a three-month delay.

Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_
but users may still enable it manually.

> At present, as of -Beta3, TB78's OpenPGP support is badly broken.

No, it's incomplete - work in progress. That's not quite the same.

-Patrick



Re: Certified OpenPGP-encryption after release of Thunderbird 78

2020-05-30 Thread Patrick Brunschwig
Robert J. Hansen wrote on 30.05.2020 01:26:
>> 1. Will key management and crypto happen in the same process as
>> IMAP/POP/SMTP, GUI, JavaScript and everything else? If so - do you
>> believe it's acceptable?
> 
> It should be an easy learning curve for Enigmail users.  That isn't the
> same as finding it acceptable, though.
> 
> Back in the mid-'90s PGP came out with a GUI for PGP 5, and it's
> universally agreed at user interface was horrific.  (See "Why Johnny
> Can't Encrypt" for a detailed teardown.)  The problem was that this
> horrific user interface became the standard user interface, and most
> OpenPGP key managers ever since have adopted it.  Those that haven't
> adopted it, nobody uses, because their UI is so different than
> everything else.
> 
>> 2. Is there any real plan to have working smartcard support in the
>> near future?
> 
> No.  There's some talk about supporting it, but as far as I know there's
> no plan to do it.  It's still at the "you know, it'd be kind of nice
> if..." stage, not the "we really should do this" stage.

The plan is to support smartcards (by using GnuPG for private key
operations). This is already working partially, and is foreseen to be
available in TB 78.

-Patrick



Re: Should gpg try to connect to TCP/993?

2019-10-23 Thread Patrick Brunschwig
Bjarni Runar Einarsson wrote on 23.10.2019 21:35:
[...]
>>> Each active TCP/IP connection has an open file descriptor. So, if
>>> Enigmail's gpg launcher hasn't taken care to close unneeded file
>>> descriptors after fork() and before exec()
> [...]
>> Should the `Enigmail's gpg launcher` take care of that? Maybe
>> is a bug or something?
> 
> IMO, yes, if this is what is going on it is almost certainly a
> bug. Whatever code is calling exec() should be closing file
> descriptors first. Not doing so can lead to all sorts of wasted
> resources and even deadlocks if processes depend on file
> descriptors getting properly closed in a timely fashion.

Your guess is perfectly right, that's exactly what happens. Enigmail
uses a standard library provided by Mozilla for add-ons to execute
processes. Earlier versions of the library did close all file
descriptors correctly. But the library is written in JavaScript, and
closing all file descriptors could sometimes lead to Thunderbird/Firefox
crashes. Therefore that part has been disabled.

It's therefore not surprising to see such open connections from gpg
processes, but I don't consider this bad.

-Patrick
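The exchange above is about descriptors that survive fork() and exec() when a launcher does not close them. The following C program is an added example, not code from Enigmail, Mozilla or the thread: it builds a small stand-in "connection" (a pipe, constructed for the demo, in place of the IMAP socket), spawns /bin/sh the way a naive launcher would, and reports whether the child can still reach the descriptor. It then shows the two usual fixes, marking the descriptor FD_CLOEXEC and closing everything above stderr between fork() and exec(). The function and variable names are the example's own.

```c
/* Added example (not from the thread): descriptor inheritance across
 * fork()/exec(), and two ways to prevent it. The pipe stands in for the
 * IMAP connection discussed above; it is a constructed stand-in, not a
 * real socket. Build: cc -Wall -o fdleak fdleak.c */
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run `sh -c ": 2>/dev/null >&N"` in a child. The redirection `>&N` only
 * succeeds if descriptor N is still open after exec(), so the child's exit
 * status reveals whether N leaked. Returns 1 if the child can see N,
 * 0 if it cannot, -1 if the child could not be spawned. */
static int child_sees_fd(int fd, int close_others_first)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, ": 2>/dev/null >&%d", fd);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (close_others_first) {
            /* Hardening B: close everything above stderr between fork()
             * and exec(). closefrom()/close_range() do this natively where
             * available; the loop is the portable fallback. */
            long maxfd = sysconf(_SC_OPEN_MAX);
            if (maxfd < 0 || maxfd > 65536)
                maxfd = 65536;
            for (int i = 3; i < maxfd; i++)
                close(i);
        }
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127); /* exec failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Common driver: create the stand-in connection, optionally flag it
 * close-on-exec, spawn the child, clean up, and report what the child saw. */
static int launch(int set_cloexec, int close_others_first)
{
    int fds[2];
    if (pipe(fds) < 0)
        return -1;
    if (set_cloexec) {
        /* Hardening A: FD_CLOEXEC makes exec() close this descriptor
         * automatically, leaving no window between fork() and exec(). */
        int flags = fcntl(fds[1], F_GETFD);
        if (flags < 0 || fcntl(fds[1], F_SETFD, flags | FD_CLOEXEC) < 0) {
            close(fds[0]);
            close(fds[1]);
            return -1;
        }
    }
    int seen = child_sees_fd(fds[1], close_others_first);
    close(fds[0]);
    close(fds[1]);
    return seen;
}

/* The leaky launcher the thread describes: nothing closed, child inherits. */
int leaky_launch(void)     { return launch(0, 0); }
/* Hardening A: the descriptor is flagged FD_CLOEXEC before spawning. */
int cloexec_launch(void)   { return launch(1, 0); }
/* Hardening B: the child closes descriptors >= 3 before exec(). */
int closefrom_launch(void) { return launch(0, 1); }

int main(void)
{
    printf("leaky launcher      -> child sees fd: %d\n", leaky_launch());
    printf("FD_CLOEXEC launcher -> child sees fd: %d\n", cloexec_launch());
    printf("close-before-exec   -> child sees fd: %d\n", closefrom_launch());
    return 0;
}
```

The first line prints 1 (the child inherited the descriptor) and the other two print 0. For a real launcher, setting FD_CLOEXEC when the socket is created is the safer of the two, because a close loop after fork() can miss descriptors that another thread opens concurrently.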



Re: Future OpenPGP Support in Thunderbird

2019-10-19 Thread Patrick Brunschwig
Jeff Allen via Gnupg-users wrote on 18.10.2019 16:02:
[...]
> My take on your original explanation of the reason for Enigmail's
> pending demise is that a changed Thunderbird plug-in scheme makes it
> more efficient to build Enigmail functionality into the MUA.

That's only the 2nd half of the explanation. 1st and foremost, the
changed plugin scheme comes along with a completely new API (that does
not even exist completely by now). This would require me to rewrite
almost all of Enigmail from scratch. I don't have enough free time for
doing that, nor would I be interested in it. This, and nothing else, was
initially the reason why we started the discussion with the Thunderbird
team.

> Why not stick with that and focus on what has made Enigmail
> successful?
What is the reason in your eyes that made Enigmail successful?

-Patrick



Re: Future OpenPGP Support in Thunderbird

2019-10-17 Thread Patrick Brunschwig
Binarus wrote on 16.10.2019 17:37:
> 
> 
> On 16.10.2019 13:07, Patrick Brunschwig wrote:
>> worry for me. The main problem is the additional complexity that it
>> brings if you require an external component that you cannot *fully*
>> control. This covers topics like different behavior of different
>> versions, but also configuration issues, users rights to install
>> something on their PC and more. Gpgme may handle some of these issues,
>> but the fact remains: an external component makes things a lot more
>> complex, especially for support.
> 
> I think this is the usual trade-off. One has to put time
> 
> - either in understanding the APIs and command line parameters of a
> library / utility, and to keep up with changes, or
> 
> - in re-inventing the wheel, which in this case for sure will cost much
> more time and eventually produce catastrophic security breaches and
> software which is drastically inferior compared to what we have now.
> 
> After all, everybody uses libraries and utilities. It is just reasonable
> to have an expert work on a library or utility which uses techniques and
> mathematical stuff which non-specialists never will understand in
> detail, and have the non-specialists use that library or utility,
> instead of letting them re-develop the same stuff, probably introducing
> all sorts of security flaws and producing inferior software.
> 
> When I have a bash script under Linux which invokes a compiler using a
> complicated command line, I wouldn't come to the idea to re-develop that
> compiler and integrate it directly into bash because that compiler's
> command line switches could change in the next version ...
> 
> I am still convinced that re-writing GnuPG (including all functions like
> hardware tokens, subject encryption etc.) in a secure manner is a
> hundred times more complex and a million times more error-prone than
> tracking a few changes to its command line switches or error codes ever
> could be. Apart from that, there is GpgME, as already has been stated.

In all cases, we certainly won't re-write GnuPG or similar. The question
on the table is: do we continue to use GnuPG (be it directly or via
gpgme), or do we use a different OpenPGP implementation (and if yes
which one). There are certainly good arguments for both.

-Patrick



Re: Future OpenPGP Support in Thunderbird

2019-10-16 Thread Patrick Brunschwig
Werner Koch wrote on 16.10.2019 13:54:
> On Wed, 16 Oct 2019 13:07, Patrick Brunschwig said:
> 
>> something on their PC and more. Gpgme may handle some of these issues,
>> but the fact remains: an external component makes things a lot more
>> complex, especially for support.
> 
> Right GPGME handles this all pretty well and I have suggested often
> enough that you should move to GPGME so that we can better support
> Enigmail.  Your comment about external components is right from a
> company POV; however Enigmail is also an external component to TB and
> thus TB suffers from very similar problem.  GpgOL and GnuPG both are

Which is why the step to implement OpenPGP in Thunderbird is the right
way to go.

> maintained by us and thus I know very well this helps to reduce
> friction.

We're getting slightly off-topic, but still:
You're perfectly right with everything you say. But you seem to
underestimate the difference between zipping an extension that is pure
JavaScript, and preparing an extension that needs to contain compiled
libraries for multiple platforms in order to cater for all variants of
pre-installed GnuPG installations and all variations of Thunderbird
installations (to be precise, at the very least I'd have to ship for 6
platforms: Win/mac/Linux * 32/64 bit).

Frankly speaking, if I were to consider switching to a library instead of
calling GnuPG directly, I would first evaluate OpenPGP.js in Enigmail
-- that would be a lot more natural.

-Patrick




Re: Future OpenPGP Support in Thunderbird

2019-10-16 Thread Patrick Brunschwig
Binarus wrote on 16.10.2019 10:47:
> 
> On 14.10.2019 16:15, Jeff Allen via Gnupg-users wrote:
>>> I don't know either, but perhaps it is in the debug logs the Enigmail
>>> team analyzes?
>>
>> I have used Enigmail since its inception and have never knowingly
>> submitted a log or answered a survey and have always assumed Enigmail
>> does not phone home.
> 
> I am sure that it doesn't phone home. However, to give an example, I had

You can be certain that I'd never implement that.
[...]
> I suppose that the Enigmail team gets quite a lot of such debug logs.
> But I still can't tell (and currently don't have the time to
> investigate) if those logs can tell which keys had been generated by
> Enigmail and which had been generated externally, so the whole thing was
> a guess anyway.

Yes, I did and do get quite a lot of debugging log files, and even more
support requests. And I really speak from experience when I say that the
vast majority of the users of Enigmail don't store their private keys on
external devices.

[...]

> So why not take Enigmail, integrate it into TB, and bundle Gpg4Win setup
> with TB setup? All software they ever could develop themselves will be
> inferior compared to that package, at least in the first time.

I have almost 17 years of experience with supporting Enigmail. About 90%
of all support requests that I get turn out to be setup issues with
GnuPG. Interestingly, most of them are on Linux, even though all Linux
distributions I know ship GnuPG. The bundling/shipping would not be a
worry for me. The main problem is the additional complexity that it
brings if you require an external component that you cannot *fully*
control. This covers topics like different behavior of different
versions, but also configuration issues, users rights to install
something on their PC and more. Gpgme may handle some of these issues,
but the fact remains: an external component makes things a lot more
complex, especially for support.

-Patrick



Re: Future OpenPGP Support in Thunderbird

2019-10-14 Thread Patrick Brunschwig
Binarus wrote on 13.10.2019 18:27:
[...]
> 1) The schedule
> 
> We have all been educated to update our applications (notably, "internet
> applications" like browser and email clients) as soon as updates are
> available; at least, this is true for security updates.
> 
> Despite release plans, I think nobody knows for sure how much time
> actually will pass between TB 72's predecessor and TB 78, and how many
> security updates will be released between these versions.
> 
> During that time, I either can't use Enigmail (if I decide to install
> the security updates), or I have to ignore the security updates
> (possibly putting me to risk).
> 
> Did I understand this correctly?

The current stable version of Thunderbird is 68 (and 60 for a few more
weeks); the next stable version will be 78. Users of Enigmail staying on
the stable version of Thunderbird will receive all security updates
until TB 78 will be available. Thunderbird 69 ... 77 are only released
as beta versions that are not intended for end users.

-Patrick



Re: Future OpenPGP Support in Thunderbird

2019-10-13 Thread Patrick Brunschwig
Werner Koch via Gnupg-users wrote on 13.10.2019 11:56:
> On Sat, 12 Oct 2019 12:43, Chris Narkiewicz said:
> 
> >> Do you know why they resisted OpenPGP adoption so much?
> 
> iirc, they said that they want to support only one protocol and settled
> for S/MIME.  This still did not explain why they rejected our proposal
> to clean up their S/MIME code and implement missing stuff so that TB
> could be used for tasks of the German administration and to be
> compatible with a wider range of S/MIME implementations.  The plan was
> to do that all within TB and without external dependencies.

I think there are two reasons why TB changed their minds:
1. there are different people working on Thunderbird than years ago.
2. in the past, TB was a direct part of Mozilla. Now, Thunderbird is an
independent organization under the umbrella of the Mozilla Foundation,
with an independent council and their own independent financial income
stream.

These two factors lead to a completely different mindset towards what is
good for TB.

-Patrick



Re: Future OpenPGP Support in Thunderbird

2019-10-12 Thread Patrick Brunschwig



BruderB wrote on 12.10.2019 10:43:
> Hej all,
> 
> On 12.10.19 at 08:23, Robert J. Hansen wrote:
>> they're going to insist on running their own keyring internal to
>> Thunderbird which isn't shared with anything else.  (I imagine
>> *importing* from a GnuPG keyring will be supported, but *sharing* a
>> keyring is right out.)
> 
> _They_ can insist on whatever they want. If they close their shop
> towards external built keys (for example with xca), they hopefully won't
> find much acceptance.

The vast majority of users of Enigmail (somewhere around 98%) don't use
external built keys. The vast majority of users also don't use GnuPG for
anything else than email. These users don't care where their key is
stored, nor which software under the hood is used for the crypto. All
they care about is that encryption works smoothly.

I'm sorry, but everything written here is pure speculation. We are still
in the phase of considering our options. Depending on the chosen
approach, we may just as well end up with something completely different
than what you'd imagine.

The most important aspects from our side are the following: The chosen
solution must run smoothly for the ~20M users of Thunderbird without
causing a large amount of support/setup issues. We want to have
something that satisfies as many users of Enigmail as possible. We
certainly don't want to have people run away from Thunderbird because of
OpenPGP.

-Patrick



Future OpenPGP Support in Thunderbird

2019-10-08 Thread Patrick Brunschwig
The Thunderbird developers have announced that they will implement
OpenPGP support in Thunderbird 78 [1]. Support for Thunderbird in
Enigmail will therefore be discontinued.

I'd like to explain in the following paragraphs what this will mean for
Enigmail, and why this is an inevitable step.

The Future of Enigmail
--
I will continue to support and maintain Enigmail for Thunderbird 68
until 6 months after Thunderbird 78 will have been released (i.e. a few
months beyond Thunderbird 68 EOL). Enigmail will not run anymore on
Thunderbird 72 beta and newer.

Will this be the end of Enigmail?

No! I will continue to maintain and support Enigmail for Postbox, which
is running on a different release schedule than Thunderbird for the
foreseeable future.

Why Is This Happening?
--
The Mozilla developers have been and still are actively working on
removing old code from their code base. This affects not only
Thunderbird itself, but also add-ons. While it was possible for
Thunderbird to keep old "legacy" add-ons alive for a certain time, the
time has come for Thunderbird to stop supporting them [2]. Thunderbird
78 will no longer support the APIs that Enigmail requires and will only
allow new "WebExtensions".

WebExtensions have a completely different API than classical add-ons,
and a much reduced set of capabilities to hook into the user interface.
For Enigmail to continue to work, it would therefore be required to
rewrite it from scratch. However, that's beyond my available time
limitations.

The Thunderbird developers and I have therefore agreed that it's much
better to implement OpenPGP support directly in Thunderbird. The set of
functionalities will be different than what Enigmail offers, and at
least initially likely be less feature-rich. But in my eyes, this is by
far outweighed by the fact that OpenPGP will be part of Thunderbird and
no add-on and no third-party tool will be required.

-Patrick


[1]
https://blog.mozilla.org/thunderbird/2019/10/thunderbird-enigmail-and-openpgp/
[2] https://groups.google.com/forum/#!topic/tb-planning/-E8Yw6POxEE







Re: Invitation to the 5th OpenPGP Email Summit

2019-09-08 Thread Patrick Brunschwig
Up to now, I only got 12 replies.

*Reminder: Please send me a mail if you plan to come*

Thanks,
Patrick


On 18.06.2019 13:05, Patrick Brunschwig wrote:
> I'm happy to announce the 5th OpenPGP Email Summit which will take place
> 
>   Saturday, October 12 until Sunday, October 13, 2019
>   in Berlin (Germany) at the Onion Space.
> 
> Last year, the idea came up that it would be nice if some of the topics
> discussed could directly be prototyped. I have therefore booked the
> Onion Space for Monday and Tuesday (October 14/15), such that those who
> are interested can directly start working on their product.
> 
> ABOUT THE OpenPGP EMAIL SUMMIT
> ==
> 
> This is an event open for anybody involved in the development of email
> clients using OpenPGP for encryption, and related software.
> 
> We already had four OpenPGP Email Summits at various locations in
> Europe. These are meetings by technical experts of projects and tools
> dealing with OpenPGP with a focus on email encryption. The goals are to
> better get to know each other, and to discuss and work on several
> technical issues that hopefully improve certain aspects of OpenPGP-based
> email encryption. For details, see
>   https://wiki.gnupg.org/OpenPGPEmailSummits
> 
> 
> REGISTRATION
> 
> If you want to attend, please *send an informal email* to:
>  patr...@enigmail.net
> 
> Please let me know if you plan to stay on Monday and/or Tuesday.
> 
> If you need funding for your travel/hotel expenses, then please get
> in contact with me.
> 
> 
> NOTES
> =
> This is a meeting of those who develop software. Thus, we will have a
> lot of tech talk about key servers, key exchange, subject encryption,
> password recovery, etc. If you just are interested in these topics as a
> user, you probably will be bored to death.
> 
> Thus, feel free to join us if you are working in the area of
> - TECHNICAL DETAILS
> - for SENDING or PROCESSING ENCRYPTED EMAILS
> - with OpenPGP
> - in a project or product.
> 
> Note however, that due to capacity reasons we cannot have more
> than 1-2 people from each project. We can host about 30 attendees.
> 
> Note that this is still neither a well-organized conference nor a
> commercial meeting. The agenda will be driven by the attendees. Anyone
> may propose any topic for discussion, as long as he/she is ready to lead
> the discussion.
> 
> More details are/will be available on the web site:
> https://wiki.gnupg.org/OpenPGPEmailSummit201910
> 
> 
> Looking forward to meeting you in Berlin
> -Patrick





Re: Enigmail

2019-07-31 Thread Patrick Brunschwig
On 31.07.2019 14:26, David wrote:
> Consider the fact that for 30 times Enigmail refused to accept the
> passphrase for da...@gbenet.com
> 
> I decided to send an encrypted email to Erich. When selecting his
> private key there was no automatic tick in postmaster. But a tick in
> Erich's public key
> 
> On sending I thought I was going to be asked for david's passphrase yet
> again - but no - the email passed very quickly.
> 
> This begs the following questions:
> 
> (1) Why is postmaster always selected as the default public key?
> (2) Why is it on failing 30 times to accept david's passphrase why does
> enigmail mysteriously remember it when it rejected 30 times?
> 
> Answers on a postcard please

I start to believe that your expectation of what should happen differs
from what actually happens.

The way things work in Enigmail are as follows: you select a *sender
account* in the Thunderbird message composition window. Based on that
sender account configuration (and nothing else), Enigmail decides which
key to use for *signing* your message. Remember, the passphrase is
needed for signing, not for encryption - it does not matter if
Postmaster or Erich are in the recipients list.

If you get a dialog to choose the key(s) _after_ you hit the send
button, then those are the keys to which the message is *encrypted*.
But again, you don't need a passphrase for any of these keys. Thus, if
you tell me that you expected to have to tick Postmaster in the dialog,
then that won't let you choose the key for signing.

HTH
-Patrick



Re: Enigmail

2019-07-31 Thread Patrick Brunschwig
On 31.07.2019 13:46, David wrote:
> Hello Erich,
> 
> I did what you said - associated each email address with its own key.
> I then shut down Thunderbird re-started and carried out the following test:
> 
> Test One:
> 
> I sent an encrypted and signed email to site-admin from postmaster. I
> received the email - it took 6 attempts to decrypt it.
> 
> I then decided to reply - so I sent an encrypted and signed email to
> postmaster - I was unable to  sign as site-admin - after 9 attempts of
> entering the passphrase - each time rejected by Enigmail. I was unable
> to send a signed and encrypted email to postmaster.

I'm sorry, but there's a misunderstanding. Enigmail does /not/ query
your passphrase. Enigmail calls GnuPG, and GnuPG asks for your
passphrase if needed. If the passphrase is rejected that's not related
to Enigmail.

-Patrick



Re: Enigmail

2019-07-31 Thread Patrick Brunschwig
On 31.07.2019 08:56, David wrote:
> Patrick Brunschwig:
>> On 31.07.2019 00:36, David wrote:
>>> Andrew Gallagher:
>>>>
>>>>> On 30 Jul 2019, at 18:47, David  wrote:
>>>>>
>>>>> Hello Stefan,
>>>>>
>>>>> I have three email accounts with their own keys - Enigmail does not
>>>>> support this - you have to have one key and that's it.
>>>>
>>>> That is simply not true. I used enigmail with multiple keys for years 
>>>> without any issues. If you’re having issues configuring it, perhaps ask on 
>>>> the enigmail list.
>>>>
>>>> A
>>>>
>>>
>>> I have done so - but have got no advice on the correct settings in
>>> Thunderbird or Enigmail.
>>
>> That's not true. I have asked you for more details on the Enigmail
>> mailing list. But instead of responding, you came here to ask the same
>> questions.
>>
>> As Enigmail uses GnuPG for any crypto-operations, I don't think that the
>> problem is in Enigmail, but in your setup. Feel free to answer my
>> questions on the Enigmail mailing list, and I'll continue to try to find
>> out what goes wrong.
>>
>> -Patrick
>>
> 
> Hello Patrick,
> 
> I did not approach this list for answers - I just asked if anyone knew
> of an alternative. I then got drawn in to what was the problem.
> 
> People say "Oh your settings are wrong" But the FAIL to give the RIGHT
> SETTINGS!! And then go waffling on
> 
> I have turned back the clock some 20 years - so have no settings to
> support further keys.
> 
> Having said that - I would appreciate exactly what settings will work to
> enable me to sign with other emails and the public key associated with
> it and to be able to encrypt and sign with differing emails and keys.
> 
> I want specific instructions - not moaning and groaning my settings are
> wrong and I don't know what I'm doing - that approach does not lead to a
> solution.

Here are the instructions:

1. Open the Thunderbird Account Settings (menu Tools > Account Settings)
2. switch to the tab "OpenPGP Security"
3. make sure that "Enable OpenPGP support" is checked
4. click on the button "Select key"
5. select the key that matches the email address of the account

Repeat steps 2-5 for each and every one of your accounts/email addresses.

If you follow(ed) these instructions, then everything else /should/ go
automatically and you /should/ not have any issues. If you do have
issues, then there are no simple instructions - we have to dig to find
out what's wrong.

The questions I asked on the Enigmail mailing list are the 1st step into
trying to find out why things don't work as expected, as I assumed that
-- as a long-term user -- you already did configure Enigmail correctly.

-Patrick



Re: Enigmail

2019-07-30 Thread Patrick Brunschwig
On 31.07.2019 00:36, David wrote:
> Andrew Gallagher:
>>
>>> On 30 Jul 2019, at 18:47, David  wrote:
>>>
>>> Hello Stefan,
>>>
>>> I have three email accounts with their own keys - Enigmail does not
>>> support this - you have to have one key and that's it.
>>
>> That is simply not true. I used enigmail with multiple keys for years 
>> without any issues. If you’re having issues configuring it, perhaps ask on 
>> the enigmail list.
>>
>> A
>>
> 
> I have done so - but have got no advice on the correct settings in
> Thunderbird or Enigmail.

That's not true. I have asked you for more details on the Enigmail
mailing list. But instead of responding, you came here to ask the same
questions.

As Enigmail uses GnuPG for any crypto-operations, I don't think that the
problem is in Enigmail, but in your setup. Feel free to answer my
questions on the Enigmail mailing list, and I'll continue to try to find
out what goes wrong.

-Patrick



Re: Avoiding hardcoded paths when static-compiling

2019-07-13 Thread Patrick Brunschwig
On 12.07.2019 21:21, Konstantin Ryabitsev wrote:
> Hi, all:
> 
> I provide an RPM package called gnupg22-static for those who need to run
> newer versions of GnuPG on CentOS-7 environments (it's stuck on
> gnupg-2.0 there). For compilation, I use the convenient STATIC=1
> mechanism, but there's still the problem that all paths end up being
> hardcoded to the RPM buildroot environment.
> 
> The full build command is:
> make -f build-aux/speedo.mk STATIC=1 CUSTOM_SWDB=1 INSTALL_PREFIX=. this-native
> In the RPM context, the INSTALL_PREFIX ends up being inside a buildroot
> location, like so:
> 
> /builddir/build/BUILD/gnupg-2.2.17/
> 
> However, the final installation of this will be in /opt/gnupg22, which
> means that if a binary needs to call another binary, it will try to
> execute /builddir/build/BUILD/gnupg-2.2.17/bin/foo (and fail).
> 
> I can't set INSTALL_PREFIX=/opt/gnupg22, because that will make the RPM
> build fail (it cannot write outside of /builddir), so I need a way to
> tell the binaries during build time that their final install path will
> be different than the path used during build.
> I am able to use gpg and gpgv this way by setting agent-program and
> dirmngr-program config values, but trying to make this work with
> gpg-wks-server fails.
> 
> Any pointers on how I can make this work without hardcoding bogus
> build-time paths?

I have the same situation for building gpgOSX. The solution is this:

./configure \
--with-pinentry-pgm=${TARGET_DIR}/bin/pinentry \
--with-agent-pgm=${TARGET_DIR}/bin/gpg-agent \
--with-scdaemon-pgm=${TARGET_DIR}/libexec/scdaemon \
--with-dirmngr-pgm=${TARGET_DIR}/bin/dirmngr \
--with-dirmngr-ldap-pgm=${TARGET_DIR}/libexec/dirmngr_ldap \
--with-protect-tool-pgm=${TARGET_DIR}/libexec/gpg-protect-tool \
etc.


-Patrick

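A post-install check to go with the configure options above, as an added example (not code from the thread, from gpgOSX or from GnuPG). The gpgconf manual documents `gpgconf --list-components` as printing one `name:description:pgmname` line per component, where pgmname is the compiled-in path of the program gpgconf will start; these are exactly the paths the `--with-*-pgm` options set. Running the installed gpgconf and comparing every pgmname with the intended prefix catches a build that still points at the build root. The function names are my own, and the two sample outputs are constructed by hand from the paths quoted in the thread (component descriptions included).

```python
"""Check that a relocated GnuPG build starts its helper programs from the
final install prefix rather than from the build root.

Added example (hypothetical helper names); not GnuPG code.
"""
import subprocess
from urllib.parse import unquote


def parse_components(text):
    """Map component name -> program path from `gpgconf --list-components`.

    gpgconf percent-escapes ':' and other special characters inside fields,
    so every field is passed through unquote().
    """
    programs = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3:
            programs[unquote(fields[0])] = unquote(fields[2])
    return programs


def misplaced_programs(text, expected_prefix):
    """Return {component: path} for every program not under expected_prefix."""
    prefix = expected_prefix.rstrip("/") + "/"
    return {name: path for name, path in parse_components(text).items()
            if not path.startswith(prefix)}


def check_installed(gpgconf, expected_prefix):
    """Run the *installed* gpgconf (e.g. /opt/gnupg22/bin/gpgconf) and report.

    Needs a real GnuPG installation; the samples below let the logic run
    without one.
    """
    out = subprocess.run([gpgconf, "--list-components"], check=True,
                         capture_output=True, text=True).stdout
    return misplaced_programs(out, expected_prefix)


# Constructed sample: helper paths still pointing at the RPM buildroot,
# the failure described in the thread.
BUILDROOT_SAMPLE = """\
gpg:OpenPGP:/builddir/build/BUILD/gnupg-2.2.17/bin/gpg
gpg-agent:Private Keys:/builddir/build/BUILD/gnupg-2.2.17/bin/gpg-agent
scdaemon:Smartcards:/builddir/build/BUILD/gnupg-2.2.17/libexec/scdaemon
dirmngr:Network:/builddir/build/BUILD/gnupg-2.2.17/bin/dirmngr
"""

# Constructed sample: the same build configured with --with-*-pgm options
# pointing at the final prefix /opt/gnupg22.
RELOCATED_SAMPLE = """\
gpg:OpenPGP:/opt/gnupg22/bin/gpg
gpg-agent:Private Keys:/opt/gnupg22/bin/gpg-agent
scdaemon:Smartcards:/opt/gnupg22/libexec/scdaemon
dirmngr:Network:/opt/gnupg22/bin/dirmngr
"""

if __name__ == "__main__":
    import sys
    # usage: script.py /opt/gnupg22/bin/gpgconf /opt/gnupg22
    if len(sys.argv) == 3:
        bad = check_installed(sys.argv[1], sys.argv[2])
    else:
        bad = misplaced_programs(BUILDROOT_SAMPLE, "/opt/gnupg22")
    for name, path in bad.items():
        print(f"{name}: {path}")
    sys.exit(1 if bad else 0)
```

Run it against the installed copy of gpgconf, not the one in the build tree, since only the installed binary shows the paths that end users will get.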


How to delete flooded key

2019-07-10 Thread Patrick Brunschwig
The first users are asking for support on getting rid of keys flooded
with signatures.

Is it sufficient to run "gpg --delete-keys 0x...", and wait for quite a
while, or does it require other measures?

Thanks,
Patrick





Invitation to the 5th OpenPGP Email Summit

2019-06-18 Thread Patrick Brunschwig
I'm happy to announce the 5th OpenPGP Email Summit which will take place

  Saturday, October 12 until Sunday, October 13, 2019
  in Berlin (Germany) at the Onion Space.

Last year, the idea came up that it would be nice if some of the topics
discussed could directly be prototyped. I have therefore booked the
Onion Space for Monday and Tuesday (October 14/15), such that those who
are interested can directly start working on their product.

ABOUT THE OpenPGP EMAIL SUMMIT
==

This is an event open for anybody involved in the development of email
clients using OpenPGP for encryption, and related software.

We already had four OpenPGP Email Summits at various locations in
Europe. These are meetings by technical experts of projects and tools
dealing with OpenPGP with a focus on email encryption. The goals are to
better get to know each other, and to discuss and work on several
technical issues that hopefully improve certain aspects of OpenPGP-based
email encryption. For details, see
  https://wiki.gnupg.org/OpenPGPEmailSummits


REGISTRATION

If you want to attend, please *send an informal email* to:
 patr...@enigmail.net

Please let me know if you plan to stay on Monday and/or Tuesday.

If you need funding for your travel/hotel expenses, then please get
in contact with me.


NOTES
=
This is a meeting of those who develop software. Thus, we will have a
lot of tech talk about key servers, key exchange, subject encryption,
password recovery, etc. If you just are interested in these topics as a
user, you probably will be bored to death.

Thus, feel free to join us if you are working in the area of
- TECHNICAL DETAILS
- for SENDING or PROCESSING ENCRYPTED EMAILS
- with OpenPGP
- in a project or product.

Note however, that due to capacity reasons we cannot have more
than 1-2 people from each project. We can host about 30 attendees.

Note that this is still neither a well-organized conference nor a
commercial meeting. The agenda will be driven by the attendees. Anyone
may propose any topic for discussion, as long as he/she is ready to lead
the discussion.

More details are/will be available on the web site:
https://wiki.gnupg.org/OpenPGPEmailSummit201910


Looking forward to meeting you in Berlin
-Patrick


-- 
Patrick Brunschwig
mailto:patr...@enigmail.net
PGP fingerprint: 4F9F 89F5 505A C1D1 A260 631C DB11 87B9 DD5F 693B





Re: Johnny-You-Are-Fired

2019-05-17 Thread Patrick Brunschwig
On 16.05.2019 21:27, Stefan Claas wrote:
> On Thu, 16 May 2019 18:11:27 +0200, Patrick Brunschwig wrote:
> 
>> On 15.05.2019 17:17, Stefan Claas wrote:
>>> Hi all,
>>>
>>> I have read this in German News and wonder why
>>> MUAs in 2019 are still vulnerable?
>>>
>>> https://github.com/RUB-NDS/Johnny-You-Are-Fired/  
>>
>> This is mostly a summary of the various failures that were discovered
>> with EFAIL and shortly thereafter. Most MUAs have been fixed against
>> these attacks by now.
> 
> Are you sure? I remember Efail. Why would the BSI and press publish
> then such things recently? I would assume that no one is interested
> in old news or summaries regarding Efail.

I can only speak for Enigmail (and to some degree for Thunderbird).
The errors described where Enigmail is mentioned/affected were all
discovered last spring/summer (i.e. shortly after EFAIL), and were
addressed last year.

-Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Johnny-You-Are-Fired

2019-05-16 Thread Patrick Brunschwig
On 15.05.2019 17:17, Stefan Claas wrote:
> Hi all,
> 
> I have read this in German News and wonder why
> MUAs in 2019 are still vulnerable?
> 
> https://github.com/RUB-NDS/Johnny-You-Are-Fired/

This is mostly a summary of the various failures that were discovered
with EFAIL and shortly thereafter. Most MUAs have been fixed against
these attacks by now.

For example, the tests with Enigmail were performed using version 1.9.8,
which was released almost 2 years ago, that is long before EFAIL was
published. The same is true for most other products.

-Patrick


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


4th OpenPGP Email Summit - Update

2018-10-07 Thread Patrick Brunschwig
It's 2 weeks until the Summit. Here are some updates:

- Friday evening: we will meet at the Winery (Trois Tilleuls Street 1, 1170 – 
Brussels, www.winery.be ). People from Mailfence will be there from 19:30, I 
will arrive a little later.

- if you plan to come, but didn't tell me yet, please send me an email.

- we will start on Saturday at 09:30. If you have any issues such as finding 
the location or with local logistics, here is my phone number: +41 78 631 6622

- we will have a plenary session on Saturday. If you have something you think 
is worth sharing with everyone, then that would be the perfect occasion for a 
short presentation.

See https://wiki.gnupg.org/OpenPGPEmailSummit201810 for details.

I'm looking forward to meeting you all.

-Patrick

-- 
Patrick Brunschwig
mailto:patr...@enigmail.net
PGP fingerprint: 4F9F 89F5 505A C1D1 A260 631C DB11 87B9 DD5F 693B


Invitation to the 4th OpenPGP Email Summit

2018-06-06 Thread Patrick Brunschwig
I'm happy to announce the 4th OpenPGP Email Summit which will take place

  Saturday, October 20 until Sunday, October 21, 2018
  in Brussels (Belgium).


This is an event open for anybody involved in the development of email
clients using OpenPGP for encryption, and related software.

In 2015 and 2016 we already had three OpenPGP Email Summits. These are
meetings by technical experts of projects and tools dealing with OpenPGP
with a focus on email encryption. The goals are to better get to know
each other, and to discuss and work on several technical issues that
hopefully improve certain aspects of OpenPGP-based email encryption.
For details, see
  https://wiki.gnupg.org/OpenPGPEmailSummits


REGISTRATION

If you want to attend, please *send an informal email* to:
 patr...@enigmail.net

I will then let you know more details about the location, hotel, etc.

If you need funding for your travel/hotel expenses, then please also get
in contact with me.


NOTES
=
This is a meeting of those who develop software. Thus, we will have a
lot of tech talk about key servers, key exchange, subject encryption,
password recovery, etc. If you just are interested in these topics as a
user, you probably will be bored to death ;-).

Thus, feel free to join us if you are working in the area of
- TECHNICAL DETAILS
- for SENDING or PROCESSING ENCRYPTED EMAILS
- with OpenPGP
- in a project or product.

Note however, that due to capacity reasons we cannot have more
than 1-2 people from each project. We can host about 30 attendees.

Note that this is still neither a well-organized conference nor a
commercial meeting. The agenda will be driven by the attendees. Anyone
may propose any topic for discussion, as long as he/she is ready to lead
the discussion.

More details are/will be available on the web site:
https://wiki.gnupg.org/OpenPGPEmailSummit201810


Looking forward to meeting you in Brussels
-Patrick


-- 
Patrick Brunschwig
mailto:patr...@enigmail.net
PGP fingerprint: 4F9F 89F5 505A C1D1 A260 631C DB11 87B9 DD5F 693B





Re: efail is imho only a html rendering bug

2018-05-21 Thread Patrick Brunschwig
On 21.05.18 16:56, Klaus Römer wrote:
> The Internet works because we have standards.
> RFC 3986 states that URLs have to be encoded.
> Rendering engines which send unencoded content including whitespaces and
> newlines to an external server are seriously broken.
> 
> (Only to point the finger at the real bug)

You only refer to one type of possible vulnerabilities that Efail
discovered. Even if there are no remote calls involved, it is still
possible to trick the user into sending a reply that contains decrypted
content.

-Patrick



Efail - Possible Measures?

2018-05-19 Thread Patrick Brunschwig
In the light of the Efail vulnerability I am asking myself if it's
really needed to decrypt non-regular types of emails at all. In other
words, should we decrypt a multipart/encrypted MIME part at all if we
detect an irregular MIME structure?

If we did not decrypt irregular MIME structures, there could not be an
issue with HTML display. This would be a good thing, if you're an
addon and you can't change the application you live in. I know that some
mail clients do this already, but all those clients that are affected by
Efail apparently don't.

I would consider the following "regular" MIME structures:

1. top-level MIME part is multipart/encrypted.
2. an attached email (Content-Type = message/rfc822) containing a
multipart/encrypted MIME part as direct child.

Does anyone know of other relevant types of message structures?
Does anyone see a reason why NOT to do that?

-Patrick



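The two "regular" structures from the post above, turned into a decryption gate as an added example (not Enigmail code) using Python's standard email library; the sample messages are constructed and the ciphertext is only a placeholder:

```python
"""Structural gate for PGP/MIME decryption (added example, not Enigmail code).

A multipart/encrypted part is handed to gpg only when it is (1) the top-level
MIME part or (2) the direct child of an attached message (message/rfc822), the
two "regular" structures proposed above. Any other placement, e.g. next to a
sender-controlled text/html part inside multipart/mixed, is refused, so the
plaintext can never be rendered inside an HTML document the sender controls.
"""
from email import policy
from email.parser import BytesParser

ENCRYPTED = "multipart/encrypted"

# Constructed sample messages; the ciphertext is a placeholder, not a real
# OpenPGP message. Only the MIME structure matters for this check.
HEADERS = b"""\
From: alice@example.org
To: bob@example.org
Subject: sample
MIME-Version: 1.0
"""

PGP_MIME_BLOCK = b"""\
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="enc"

--enc
Content-Type: application/pgp-encrypted

Version: 1

--enc
Content-Type: application/octet-stream

(constructed placeholder for the ASCII-armored ciphertext)

--enc--
"""

# Rule 1: multipart/encrypted is the top-level part.
REGULAR = HEADERS + PGP_MIME_BLOCK

# Rule 2: a forwarded mail (message/rfc822) whose direct child is encrypted.
FORWARDED = HEADERS + b"""\
Content-Type: multipart/mixed; boundary="fwd"

--fwd
Content-Type: text/plain

See the attached mail.

--fwd
Content-Type: message/rfc822

""" + HEADERS + PGP_MIME_BLOCK + b"""
--fwd--
"""

# Irregular: the encrypted part is a sibling of a sender-controlled text/html
# part inside multipart/mixed, the shape Efail's direct exfiltration relies on.
IRREGULAR = HEADERS + b"""\
Content-Type: multipart/mixed; boundary="mix"

--mix
Content-Type: text/html

<p>sender-controlled HTML part</p>

--mix
""" + PGP_MIME_BLOCK + b"""
--mix--
"""

PLAIN = HEADERS + b"Content-Type: text/plain\n\nhello\n"


def regular_encrypted_parts(msg):
    """Return the multipart/encrypted parts that sit in a regular position."""
    regular = []
    if msg.get_content_type() == ENCRYPTED:
        regular.append(msg)                        # rule 1
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload(0)            # the attached message itself
            if inner.get_content_type() == ENCRYPTED:
                regular.append(inner)              # rule 2
    return regular


def classify(raw: bytes) -> str:
    """'plain' if nothing is encrypted, 'decrypt' if every multipart/encrypted
    part is in a regular position, otherwise 'refuse' (show undecrypted)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    encrypted = [p for p in msg.walk() if p.get_content_type() == ENCRYPTED]
    if not encrypted:
        return "plain"
    regular = regular_encrypted_parts(msg)
    if all(any(p is r for r in regular) for p in encrypted):
        return "decrypt"
    return "refuse"
```

`classify(IRREGULAR)` returns "refuse" because the encrypted part is nested beside the HTML part, while the forwarded case is still decryptable.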


Re: Efail or OpenPGP is safer than S/MIME

2018-05-19 Thread Patrick Brunschwig
On 19.05.18 14:15, Werner Koch wrote:
> On Fri, 18 May 2018 12:18, patr...@enigmail.net said:
> 
>> How far back will that solution work? I.e. is this supported by all
>> 2.0.x and 2.2.x versions of gpg?
> 
> 2.0.19 (2012) was the first to introduce DECRYPTION_INFO  In any case
> 2.0 is end-of-life.  In theory we could backport that to 1.4 but I don't
> think that makes sense.

Enigmail runs on many long-term Linux distributions that still ship
older, presumably patched, versions of GnuPG. For example, Red Hat EL
6.9/Centos 6.9 contains GnuPG 2.0.14, but current versions of Thunderbird.

GnuPG 2.0.x will therefore still be relevant for me for many years to come.

-Patrick





Re: Efail or OpenPGP is safer than S/MIME

2018-05-18 Thread Patrick Brunschwig
On 17.05.18 13:03, Werner Koch wrote:
> If you parse DECRYPTION_INFO please consider that its current
> definition (in master) is:
> 
> *** DECRYPTION_INFO   []
> Print information about the symmetric encryption algorithm and the
> MDC method.  This will be emitted even if the decryption fails.
> For an AEAD algorithm AEAD_ALGO is not 0.  GPGSM currently does
> not print such a status.
> 
> The important point is that MDC_METHOD will be 0 with the forthcoming
> AEAD algorithm.  Thus you need to check whether the 3rd argument is there.
> 
>  mdc_method = atoi(arg_1)
>  aead_algo = have_3_args ? atoi(arg_3) : 0
>  if (!mdc_method && !aead_algo)
> return DECRYPTION_FAILED
> 
> That is what I implemented in GPGME this morning.

How far back will that solution work? I.e. is this supported by all
2.0.x and 2.2.x versions of gpg?

Thanks,
Patrick




Re: Efail or OpenPGP is safer than S/MIME

2018-05-17 Thread Patrick Brunschwig
On 17.05.18 10:07, Werner Koch wrote:
> On Thu, 17 May 2018 08:59, patr...@enigmail.net said:
> 
>> Within 12 hours after the release I got 5 bug reports/support requests
> 
> Kudos to Enigmail for acting as our guinea pig.  I implemented the same
> thing in GPGME this morning (see my mail to enigmail users).
> 
> What shall we do now?  Provide a separate tool to decrypt and clean HTML
> messages or add a tool to Enigmail to do just this?

Good question... Thunderbird is working on fixing the HTML display
issue. But I think we should really start forcing users to enable MDC.
I therefore would prefer keeping the barrier high. In any case, this is
nothing that I could implement within a week or two.

-Patrick







Re: Breaking MIME concatenation

2018-05-17 Thread Patrick Brunschwig
On 16.05.18 21:50, Lukas Pitschl | GPGTools wrote:
> 
>> Am 16.05.2018 um 06:21 schrieb Patrick Brunschwig :
>>
>> Content-Type: multipart/mixed; boundary="WRAPPER"
>> Content-Description: Efail protection wrapper
>>
>> --WRAPPER
>> Content-Type: text/html
>>
>> 
>> 
>> 
>>
>> --WRAPPER
>> (result of PGP/MIME decryption)
>> --WRAPPER--
> 
> Looks alright so far, does the same work for inline PGP? Is there
> a particular for the specific inline-styles?

At least in Enigmail, inline-PGP is not affected by remote URL calls.
The reason is that Enigmail reads the encrypted message data from the
displayed message, and then replaces the displayed message content with
the decrypted message. In other words, if the secretly to-be-decrypted
message part is not displayed, then Enigmail won't come into action.

> In macOS Mail we will disable remote content loading completely
> and prevent the user from re-enabling it for encrypted messages.

The same is currently being developed in Thunderbird (using the "Simple
HTML" mode), together with a clean fix for the DOM tree issues.

-Patrick



Re: Efail or OpenPGP is safer than S/MIME

2018-05-17 Thread Patrick Brunschwig
On 15.05.18 11:14, Andrew Gallagher wrote:
> On 14/05/18 14:44, Andrew Gallagher wrote:
>> I would humbly suggest that we stop worrying about which side of the
>> GPG/MUA fence the ball is on, and fix it on *both* sides.
> 
> I have just opened tickets in both GnuPG and Enigmail for the respective
> integrity check mitigations.
> 
> https://dev.gnupg.org/T3981
> https://sourceforge.net/p/enigmail/bugs/838/
> 
> Please let's avoid a finger-pointing contest. Belt and braces. :-)

So, just so that you are aware of the consequences of this change. I
implemented the check for "gpg: WARNING: message was not integrity
protected" in Enigmail 2.0.4.

Within 12 hours after the release I got 5 bug reports/support requests
from users who can't read their (old?) mails anymore. And the day in
Europe has only just begun -- many users did not yet upgrade ...

-Patrick

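As an added example (not Enigmail or GPGME code), the following applies both the DECRYPTION_INFO rule Werner gives in his 2018-05-17 reply quoted above on this page (MDC_METHOD 0 plus the optional third AEAD argument) and the stderr warning check Patrick describes in this post; the status lines and stderr text are constructed sample output, and the argument order follows GnuPG's documented status-line layout:

```python
"""Integrity gate for gpg decryption output (added example; not Enigmail or
GPGME code).

Combines the two checks discussed in this thread:
  * Werner's DECRYPTION_INFO rule: the status line carries
    <mdc_method> <sym_algo> [<aead_algo>]. MDC_METHOD is 0 for the
    forthcoming AEAD mode, so the optional third argument must be consulted
    before declaring the message unprotected.
  * Patrick's Enigmail 2.0.4 rule: the stderr warning
    "message was not integrity protected" marks the result as unusable.
If neither check can prove integrity protection (e.g. a gpg too old to emit
DECRYPTION_INFO at all), the result is refused: fail closed.
"""

STATUS_PREFIX = "[GNUPG:] "
NOT_INTEGRITY_PROTECTED = "WARNING: message was not integrity protected"


def parse_decryption_info(status_line: str):
    """Parse '[GNUPG:] DECRYPTION_INFO <mdc_method> <sym_algo> [<aead_algo>]'.

    Returns (mdc_method, sym_algo, aead_algo); aead_algo is 0 when the third
    argument is absent, as with gpg versions that only print two arguments.
    """
    if not status_line.startswith(STATUS_PREFIX):
        raise ValueError("not a gpg status line")
    args = status_line[len(STATUS_PREFIX):].split()
    if len(args) < 3 or args[0] != "DECRYPTION_INFO":
        raise ValueError("not a DECRYPTION_INFO line")
    mdc_method, sym_algo = int(args[1]), int(args[2])
    aead_algo = int(args[3]) if len(args) > 3 else 0
    return mdc_method, sym_algo, aead_algo


def integrity_ok(status_fd: str, stderr: str) -> bool:
    """True only if gpg positively reports MDC or AEAD protection and did
    not warn about a missing integrity check."""
    if NOT_INTEGRITY_PROTECTED in stderr:
        return False                  # Patrick's Enigmail 2.0.4 check
    protected = False
    for line in status_fd.splitlines():
        if line.startswith(STATUS_PREFIX + "DECRYPTION_INFO"):
            mdc_method, _sym_algo, aead_algo = parse_decryption_info(line)
            if not mdc_method and not aead_algo:
                return False          # Werner's rule: neither MDC nor AEAD
            protected = True
    return protected                  # no DECRYPTION_INFO seen: fail closed


# Constructed sample output. Algorithm ids follow the OpenPGP registry
# (hash 2 = SHA-1, the MDC hash; cipher 9 = AES-256); a non-zero third
# argument stands for an AEAD mode.
STATUS_MDC = (
    "[GNUPG:] BEGIN_DECRYPTION\n"
    "[GNUPG:] DECRYPTION_INFO 2 9\n"
    "[GNUPG:] DECRYPTION_OKAY\n"
    "[GNUPG:] END_DECRYPTION\n"
)
STATUS_NO_MDC = STATUS_MDC.replace("DECRYPTION_INFO 2 9", "DECRYPTION_INFO 0 9")
STATUS_AEAD = STATUS_MDC.replace("DECRYPTION_INFO 2 9", "DECRYPTION_INFO 0 9 2")
STATUS_OLD_GPG = (
    "[GNUPG:] BEGIN_DECRYPTION\n"
    "[GNUPG:] DECRYPTION_OKAY\n"
    "[GNUPG:] END_DECRYPTION\n"
)
STDERR_NO_MDC = "gpg: WARNING: message was not integrity protected\n"


if __name__ == "__main__":
    cases = [("MDC", STATUS_MDC, ""), ("no MDC", STATUS_NO_MDC, STDERR_NO_MDC),
             ("AEAD", STATUS_AEAD, ""), ("old gpg", STATUS_OLD_GPG, "")]
    for name, status, err in cases:
        print(f"{name:8s} integrity_ok={integrity_ok(status, err)}")
```

The "old gpg" case is the situation Patrick raises for GnuPG 2.0.14: without a DECRYPTION_INFO line the client cannot tell MDC from no MDC, so the gate refuses rather than guessing.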


Re: Breaking MIME concatenation

2018-05-15 Thread Patrick Brunschwig
On 15.05.18 17:53, Lukas Pitschl | GPGTools wrote:
> 
>> Am 15.05.2018 um 17:44 schrieb Patrick Brunschwig :
>>
>> I already tried a while ago to trick the Thunderbird HTML rendering
>> engine with tricks like this... They don't work. The rendering engine
>> ignores the  tag (and also tags like ).
>>
>> I think the correct solution must be to treat each MIME part
>> independently, i.e. it needs to be parsed independently by the HTML
>> engine and produce its own DOM tree. At the end, you can concatenate
>> these DOM trees and create a single correct HTML document.
> 
> I have also already tried to implement a similar fix for Apple Mail a few
> days ago, using  which did work, but is probably a too naive attempt
> to mitigate against these XSS-kind of attacks.
> 
> So I absolutely concur with Patrick's statement, that the MIME parsers have
> to be adjusted to treat every text/html part as a single DOM tree or even use
> different web document instances to represent the message.

I have actually thought through this during a sleepless night, and I
believe that it could work as a quick and easy to implement *short term*
measure until the mail clients have fixed the HTML rendering.

If we embed the complete result that we get from gpg into the following
wrapper, then we should be able to mitigate at least any known form of
the attack when it comes to calling a remote URL during message reading:


Content-Type: multipart/mixed; boundary="WRAPPER"
Content-Description: Efail protection wrapper

--WRAPPER
Content-Type: text/html





--WRAPPER
(result of PGP/MIME decryption)
--WRAPPER--


Does anyone see a major hole in this that I may have overlooked? If not,
then I think I'll implement this in Enigmail until Thunderbird has fixed
this properly.

-Patrick








Re: Breaking MIME concatenation

2018-05-15 Thread Patrick Brunschwig
On 15.05.18 16:59, Andrew Gallagher wrote:
> It struck me at lunch that it might be possible for gnupg itself to
> scupper the MIME concatenation (direct exfiltration) technique mentioned
> in efail, and thereby plug the leaks in multiple vulnerable clients at
> once. This would however require it to be naughty with its output.
> 
> MIME concatenation works because in many clients the individual MIME
> parts of a message are not kept isolated from each other after they are
> passed to the rendering engine. Instead, they are concatenated together
> into a single document, perhaps with some separator such as an hline.
> This is dangerous because an HTML parser will interpret that document as
> a single unit, breaking all sorts of same-origin hygiene.
> 
> The primary technique for exfiltration is to wrap the target document in
> an active HTML tag such as . But HTML requires the
> quoted string to be safe, and there is no way for the efail attack to
> perform input sanitation on the target document before the HTML parser
> gets its hands on it.
> 
> Bear with me, because this is *not* a fully thought-out plan, merely an
> idea. ;-)
> 
> So gnupg could (under circumstances likely to prevail inside a mail
> client) prefix and/or suffix its output with an HTML content-injection
> string specially designed to break out of whatever active element the
> efail attack might be using. It could be as simple as prefacing the
> output document with the perfectly valid HTML tag:
> 
> 

I already tried a while ago to trick the Thunderbird HTML rendering
engine with tricks like this... They don't work. The rendering engine
ignores the  tag (and also tags like ).

I think the correct solution must be to treat each MIME part
independently, i.e. it needs to be parsed independently by the HTML
engine and produce its own DOM tree. At the end, you can concatenate
these DOM trees and create a single correct HTML document.

-Patrick



Re: Efail or OpenPGP is safer than S/MIME

2018-05-15 Thread Patrick Brunschwig
On 14.05.18 19:32, Werner Koch wrote:
[...]
>> 1. change the default behaviour of GPG so that any integrity failure is
>> fatal by default, even for old ciphersuites (we could have a flag to
> 
> I am all in favor of this and even considered to that some time ago.
> However, not too long ago we removed support for PGP-2 keys which
> unfortunately resulted in lots of angry mails from people who now think
> they need to use gnupg 1.4 every day because they seem to read mails
> from the last century on a regular base.  Well, they think and they were
> quite vocal.  Now telling them they need to enable an option to read
> certain not that old mail (e.g. creating by other OpenPGP
> implementations) will a) lead to even more angry mails and b) they will
> keep on using that option for all mails.  Thus my tentative plan was to
> make the next major version hard fail on messages without MDC and slowly
> start using our forthcoming AEAD encryption mode.
> 
> Well okay, with the new support of the Efail paper we could now
> point to that paper and always hard error out if no MDC is used even for
> old algorithms.  Shall we consider this?

Yes, I think that's a good idea.

-Patrick



Re: OS X - can't open GnuPG-2.2.5.dmg

2018-03-11 Thread Patrick Brunschwig
On 11.03.18 16:14, Stefan Claas wrote:
> 
> 
> Am 10.03.18 um 18:49 schrieb Patrick Brunschwig:
>> On 06.03.18 20:06, Stefan Claas wrote:
>>> Hi,
>>>
>>> just tried to update my GnuPG install on my iMac,
>>> from the SourceForge repository, but the image
>>> won't open. The shasum matches and with DiskUtility
>>> it shows also that the .dmg is o.k.
>>>
>>> Downloaded several times, with the same result. :-(
>> The file opens fine on my Mac. I suspect that either there is a problem
>> with your OS (a reboot may help), or your iMac doesn't fulfill the
>> minimum installation requirements (macOS 10.9 or newer, running in
>> 64-bit mode).
>>
> Well, i am running 10.11.6 and tried also again with 2.2.4 which works.
> 
> Tried also to open the 2.2.5 .dmg with Pacifist but it can't open it either.

I fear I know what's wrong. For some reason that I still need to
discover, the image is created with the new APFS file system instead of
the HFS+. I'll see how to fix this.

-Patrick




Re: OS X - can't open GnuPG-2.2.5.dmg

2018-03-10 Thread Patrick Brunschwig
On 06.03.18 20:06, Stefan Claas wrote:
> Hi,
> 
> just tried to update my GnuPG install on my iMac,
> from the SourceForge repository, but the image
> won't open. The shasum matches and with DiskUtility
> it shows also that the .dmg is o.k.
> 
> Downloaded several times, with the same result. :-(

The file opens fine on my Mac. I suspect that either there is a problem
with your OS (a reboot may help), or your iMac doesn't fulfill the
minimum installation requirements (macOS 10.9 or newer, running in
64-bit mode).

-Patrick



Re: How Can I Uninstall GnuPG-2.1.20 from my MacOS

2017-04-10 Thread Patrick Brunschwig
On 10.04.17 11:47, Gaston wrote:
> Hi All,
> 
> Cloud you tell me how to uninstall it? I can not find any instructions
> in the FAQ.
> 
> OS: MacOS 12.2.4
> GnuPG: 2.1.20 (downloaded from
> https://sourceforge.net/p/gpgosx/docu/Download/)

Open a Terminal and execute the following line:

sudo rm -rf /usr/local/gnupg-2.1

-Patrick




Re: I figured out how to change the algorithms,

2017-03-20 Thread Patrick Brunschwig
On 20.03.17 10:56, zap wrote:
> Okay, I was doing this to encrypt my files, not emails for the most part...
> 
> I did however wonder, what you actually said, because I had pgp
> encryption on and for some reason I couldn't read it through enigmail.

I assume that's due to a configuration issue. But it's impossible to
tell without further information, like what is the error message you are
getting.

-Patrick





Re: Which GPG version?

2016-08-01 Thread Patrick Brunschwig
On 01.08.16 19:28, Peter Lebbing wrote:
> On 01/08/16 17:54, whi...@mixnym.net wrote:
>> I see that there are three versions of GnuPG available. Assuming no hardware
>> constraints, is there any reason to choose Classic 1.4 or Stable 2.0 instead
>> of Modern 2.1?  It appears to do everything the others can and more.
> 
> I think usually the constraints are software constraints. But 1.4 might be more
> appropriate in for instance a headless server. I suppose that counts as a
> hardware constraint indeed :-).
> 
> I'd say, go for 2.1. I think 2.0 is more for people who wish to stick to 2.0 for
> whatever reason. If you don't have any particular motivation to use 2.0 or 1.4,
> you should go for 2.1.

I see the world a little differently :-)

2.1 is the current development branch, where we sometimes see heavy
changes that can cause bugs, crashes and incompatibilities with other
software.

2.0 is stable and only receives a limited number of well-tested changes
and security fixes.

If you want to try new features like curve-based encryption, or if you
are a developer, then go for 2.1. Otherwise, if you are a regular
end-user, then go for 2.0 and wait with upgrading until 2.1 has become
mature. This will result in 2.2 being released.

Patrick



Re: Email Self-Defense

2016-02-23 Thread Patrick Brunschwig
On 23.02.16 02:08, NIIBE Yutaka wrote:
> Hello,
> 
> While we translate the "Email Self-Defense" guide into Japanese, I
> have a thing (or will have more) to clarify.
> 
> In this section 5b, it says:
> 
> https://emailselfdefense.fsf.org/en/#step-5b
> 
> When using GnuPG, make a habit of glancing at that bar.  The
> program will warn you there if you get an email encrypted with a key
> that can't be trusted.
> 
> "The program" here means Enigmail with GnuPG, I suppose.

Yes.

> I think that it's quite rare to encounter this particular case; a user
> would need to have a revoked or expired key (of themselves).
>
> If it means an email with signature (encrypted or not), it makes more
> sense to me.  I think that it would be better to explain more likely
> cases.
> 
> How do you think?

Enigmail displays various information in the status bar, such as:
(1) Good signature (hopefully mostly)
(2) "Bad signature" (Enigmail v1.8) / "Unverified signature" (v1.9) in
case the signature is bad
(3) "Unverified signature" together with an "Import" button in case the
signature is from an unknown key
(4) Good signature, but key is not trusted
(5) Good signature, but key is expired or revoked

The last one happens quite frequently if you look at old mails, but
hardly on current mails. I think the guide refers to (2) and/or (4), but
I'm not the author of the document ...


-Patrick



Re: Keyserver lookup failure, redux

2015-09-23 Thread Patrick Brunschwig
On 23.09.15 10:25, Robert J. Hansen wrote:
>>   $ gpg -v --keyserver hkp://pool.sks-keyservers.net --recv-key 0xD6B98E10
> 
> quorra:~ rjh$ gpg -v --keyserver hkp://pool.sks-keyservers.net
> --recv-key 0xD6B98E10
> gpg: keyserver receive failed: No route to host
> 

I can confirm that the exact above command works for me (on OS X), with
gpg 2.1.8:

gpg: no running Dirmngr - starting '/usr/local/gnupg-2.1/bin/dirmngr'
gpg: waiting for the dirmngr to come up ... (5s)
gpg: connection to the dirmngr established
gpg: data source: http://openpgp.andrew.kvalhe.im:11371
gpg: armor header: Version: SKS 1.1.5
gpg: armor header: Comment: Hostname: openpgp.andrew.kvalhe.im
gpg: pub  dsa2048/D6B98E10 2008-07-30  Robert J. Hansen 
(etc.)


HTH
-Patrick





Enigmail and p≡p are together for developing Enigmail/p≡p

2015-09-08 Thread Patrick Brunschwig

The following press release was published yesterday (unfortunately I
had no time to re-post it earlier):


Encryption add-on Enigmail and pretty Easy privacy (p≡p)[1] are
joining in development of a solution for the well-known mail client
Thunderbird. The goal is to make encryption as easy as possible, said
Enigmail's project lead Patrick Brunschwig and p≡p's head of
development Volker Birk in a common press release. Enigmail and p≡p
will offer p≡p technology for any Thunderbird user. Thunderbird is
still most popular among free email programs on desktop PCs and Laptops.

"Enigmail offers the most-used solution for mail encryption as Free
Software for many years now. But we don't want to rest on our
laurels.", Brunschwig explains. "Still way too few people are able to
encrypt. But this is inevitable to protect privacy." That is to be
changed with the partnership. "p≡p is offering the possibility to
encrypt fully automatically. This way our users are gaining the
highest amount of security, while not even being touched by the process
at all. At the same time p≡p is offering compatibility to OpenPGP and
S/MIME, which is necessary to integrate into mail infrastructures."

"Being the trailblazer, Enigmail managed to provide one of the
greatest user interfaces for mail encryption.", Birk says. "To date
Enigmail is still the front-runner here. Together with Enigmail we're
thinking beyond this: the default for email has to be encrypted and
not unencrypted! For this purpose p≡p is offering the possibility to
encrypt without any user interaction needed like managing keys.
Thunderbird is for p≡p a strategic platform in Free Software: no other
free mail program has reached this spread. Therefore, it was the
logical choice to ask our colleagues at Enigmail for a cooperation.
Who else could deliver more know-how of integrating encryption into
Thunderbird?"

The development partnership is meant to lead into common project
Enigmail/p≡p. As release date for a very first version Enigmail and
p≡p are aiming for December 2015.


[1] http://pep-project.org/


Re: OSX: How to install gpg without Admin password

2015-08-30 Thread Patrick Brunschwig
You'll need to set the path to pinentry in gpg-agent.conf. Something like:
pinentry-program /home/xyz/pinentry-mac.app/Contents/MacOS/pinentry-mac

-Patrick

On 29.08.15 19:13, Dan Bryant wrote:
> OK, this worked in getting the binaries extracted and by setting PATH
> and DYLD_LIBRARY_PATH I can get the bins to load and dump version
> information... SUCCESS...
> 
> Now my biggest problem is getting the agent and pinentry (I assume) to
> talk to gpg.
> 
> I was hoping I could set bindir, libdir, libexecdir with gpgconf
> (gpgconf.conf) but I can't seem to figure out how to convince gpg to
> look in nonstandard paths for binaries and libraries.  Seems to be
> ignoring PATH environment.
> 
> Suggestions?
> 
> On Thu, Aug 27, 2015 at 1:31 AM, Patrick Brunschwig
>  wrote:
>> On 26.08.15 17:16, Dan Bryant wrote:
>>> I have a monitored OS X laptop that I would like to put GNU Privacy
>>> Guard (gpg) on. Of course I can't because I don't have Admin rights,
>>> but I was hoping there is a way to install it in user space through a
>>> virtual environment or chroot, or some other wizardry, or by extracting
>>> the package files.
>>>
>>> Obviously I only need console access to the app.
>>
>>
>> Just download a DMG file, open (=mount) it, and copy the PKG file to
>> some temporary location. Then use pkgutil in a terminal to unpack the
>> PKG file to some temp directory. Then copy whatever you need to your
>> home directory.
>>
>> man pkgutil will tell you how to use it.
>>
>> -Patrick




Re: OSX: How to install gpg without Admin password

2015-08-26 Thread Patrick Brunschwig
On 26.08.15 17:16, Dan Bryant wrote:
> I have a monitored OS X laptop that I would like to put GNU Privacy
> Guard (gpg) on. Of course I can't because I don't have Admin rights,
> but I was hoping there is a way to install it in user space through a
> virtual environment or chroot, or some other wizardry, or by extracting
> the package files.
> 
> Obviously I only need console access to the app.


Just download a DMG file, open (=mount) it, and copy the PKG file to
some temporary location. Then use pkgutil in a terminal to unpack the
PKG file to some temp directory. Then copy whatever you need to your
home directory.

man pkgutil will tell you how to use it.

-Patrick



Re: Proposal of OpenPGP Email Validation

2015-07-29 Thread Patrick Brunschwig
On 29.07.15 14:07, Neal H. Walfield wrote:
> At Wed, 29 Jul 2015 01:03:53 +0100,
> MFPA wrote:
>> On Tuesday 28 July 2015 at 11:46:10 PM, in
>> , Neal H. Walfield wrote:
>>> At Tue, 28 Jul 2015 19:22:29 +0100, MFPA wrote:
 It also eliminates any attempt to to establish a link
 between the key and the email address in the UID.
>>
>>> I'm not so sure.  Recall that we are not attempting to
>>> protect against attacks by nation states.  As such,
>>> performing a week of computation each year is going to
>>> be too much to maintain for those who upload fake keys.
>>
>> And too much for people with multiple email addresses.
> 
> It doesn't have to be per-email address.  It is sufficient to attach
> it to the primary key.

This allows me to have patr...@enigmail.net verified OK. Then I add a
new UID mall...@evil.com and delete patr...@enigmail.net from the key.
And then I upload my key to the keyservers network, and I'll end up
where we are now.

>> This still seems less rigorous to me than having to receive an email
>> sent to that address and decrypt it with that key. I guess it's a case
>> of swings and roundabouts.
> 
> Well, I don't like the CA model and that's what Nico is basically
> proposing (with less rigorous checks).  Another huge disadvantage is
> that user's have to actively participate by replying to emails /
> visiting a link.
> 
> Using PoW, no human intervention is required and there is no central
> authority.  PoW relies on the assumption that conducting an attack is
> too expensive to do / maintain.

The whole point of this exercise is to verify that the key and the email
address(es) belong _together_. I don't see how PoW could do this, or I
didn't understand it well enough.

-Patrick



Re: Proposal of OpenPGP Email Validation

2015-07-28 Thread Patrick Brunschwig
On 28.07.15 16:46, Ingo Klöcker wrote:
> On Monday 27 July 2015 21:05:26 Ludwig Hügelschäfer wrote:
>> Hi Ingo,
>>
>> On 27.07.15 16:31, Ingo Klöcker wrote:
>>> This whole concept of a whitelist of "trusted validation servers"
>>> included in the email clients sounds a lot like the CA certificate
>>> bundles included in browsers and/or OSes. Who is going to maintain
>>> this whitelist?
>>
>> Whitelists: The OpenPGP-aware clients. There aren't so many of them,
>> so that's manageable.
> 
> Speaking for KMail how can I be sure that somebody who claims that his 
> validation server can be trusted can actually be trusted and should therefore 
> be added to the whitelist? KDE avoids this problem for the CA certificate 
> bundle by relying on the certificate bundles provided by the Linux 
> distributors or by Mozilla.

Let's face it: KDE doesn't /avoid/ this problem. It just shifts the
problem to someone else -- the Linux distributors or Mozilla ;)

-Patrick




Re: Proposal of OpenPGP Email Validation

2015-07-27 Thread Patrick Brunschwig
On 27.07.15 14:15, Neal H. Walfield wrote:
> Hi,
> 
> I guess you mean this:
> 
>   The idea I have in mind is roughly as follows: if you upload a key to
>   a keyserver, the keyserver would send an encrypted email to every UID
>   in the key. Each encrypted mail contains a unique link to confirm the
>   email address. Once all email addresses are confirmed, the key is
>   validated and the keyserver will allow access to it just like with any
>   regular keyserver.
> 
> This approach is not going to stop a nation state.  A nation state can
> intercept the mail, decrypt it and follow the link.

If the email can be decrypted, then any email can be decrypted, which
would render OpenPGP useless.

> For the same reason, it is not going to stop a user's ISP.  Given
> Microsoft's et al.'s willingness to cooperate with the NSA, these are
> not very good starting conditions.

If (and only if) the user stores his private key on his computer, and
the connection to the validating key server is HTTPS with PFS, I don't
really agree.

In any case, the target users are not the Edward Snowdens of this world,
but the 99% of people who just want to communicate easily with each
other and don't want to be bothered too much with complicated key
lookup/verification scenarios.

> The approach also has another problem: which key servers are going to
> do this?  There are 100s of key servers.  I'm not going to reply to
> mails from each one, sorry.

The idea is that these servers are separate from the keyserver network.
That is, a relatively small set of servers that would only do validation
of email addresses. Validated keys would then be uploaded to normal key
servers.

> This also seems like a nice way to spam someone.  Generate a key,
> upload it to a key server and they have a bunch of mails from the key
> server.  Based on this, I suspect that it won't take long for the key
> servers to be blacklisted?

True, but this only serves the purpose of spamming someone without any
further action. You cannot send specific text to those who get spammed,
that's thus not very interesting. But in general, that's certainly
something to consider (such as only accepting one key at a time and only
accepting N keys per hour from some IP address).

> Have you considered these issues?  Do you have any thoughts about how
> to avoid these problems or do you think they are not real problems?
> 
> 
> Regarding the design: personally, I wouldn't have the user follow a
> link that includes a swiss number, but have the user reply to the
> mail, include the swiss number and sign it.

That's a good idea indeed.

> I'd also consider having the key servers publish the validations.  If
> you chain the validations (include the hash of the previous validation
> in the current validation) you can detect if the key servers serve a
> fake key to a specific user.

Sounds like a good idea.

-Patrick





Re: GnuPG 2.1.3 Fails to Compile OS X

2015-04-12 Thread Patrick Brunschwig
It's a clang build error (clang-602.0.49).

-Patrick

On 13.04.15 00:00, Ethan Sherriff wrote:
> Sorry didn't see what you said about the error occurring with GNU GCC,
> what version are you using? On OS X Yosemite 10.10.3 (Latest Public Beta
> 14D131, XCode 6.3 6D570), with GNU GCC 4.9.2 installed from source,
> gnupg-2.1.3 builds fine.
> 
> From: Dominyk Tiller 
> Sent: ‎12/‎04/‎2015 21:01
> To: gnupg-users@gnupg.org 
> Subject: GnuPG 2.1.3 Fails to Compile OS X
> 
> Hey Werner,
> 
> Thanks for the new release!
> 
> I'm having some issues making it compile on OS X, right across
> 10.8-10.10.3. Tried both Apple's Clang and GNU's GCC so I'm presuming
> the error isn't compiler-specific.
> 
> It's throwing slightly different errors on OS X 10.8 than it is on 10.9
> and 10.10. The 10.8 error is:
> 
> =
> t-stringhelp.c:488:3: error: function definition is not allowed here
>   {
>   ^
> t-stringhelp.c:536:4: error: expected ';' at end of declaration
>   }
>^
>;
> 2 errors generated.
> make[3]: *** [t-stringhelp.o] Error 1
> =
> 
> 
> 
> And the 10.9 - 10.10.3 error is just:
> 
> =
> t-stringhelp.c:488:3: error: function definition is not allowed here
>   {
>   ^
> 1 error generated.
> make[3]: *** [t-stringhelp.o] Error 1
> =
> 
> Have attached various compile logs.
> 
> Cheers,
> 
> Dom
> 
> -- 
> Sent from OS X. If you wish to communicate more securely my PGP Public
> Key is 0x872524db9d74326c.
> 
> 




Re: German ct magazine postulates death of pgp encryption

2015-03-01 Thread Patrick Brunschwig
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 01.03.15 18:11, MFPA wrote:
> 
> 
> On Sunday 1 March 2015 at 2:41:33 PM, in 
> , Patrick Brunschwig wrote:
> 
> 
> 
>> The idea I have in mind is roughly as follows: if you upload a
>> key to a keyserver, the keyserver would send an encrypted email
>> to every UID in the key. Each encrypted mail contains a unique
>> link to confirm the email address. Once all email addresses are
>> confirmed, the key is validated and the keyserver will allow 
>> access to it just like with any regular keyserver.
> 
> What about keys with UIDs containing no email address?

The purpose of such a keyserver would be primarily targeted to email.
Thus I think such keys should be refused.

-Patrick





Re: German ct magazine postulates death of pgp encryption

2015-03-01 Thread Patrick Brunschwig
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 01.03.15 16:38, Kristian Fiskerstrand wrote:
>>> In general I believe this to be an insufficient form of 
>>> identification that really doesn't provide much of anything 
>>> useful, but at least the PGP keyserver does it reasonably sane
>>> in its methodology by creating a signature from their CA on
>>> the key. Whether you put any merit to having such a CA
>>> signature or not is left up to the user (excluding for now the
>>> "fun" related to the spammy number of signatures from it)
> 
>> Yes, I know. The re-confirmation every few months together with 
>> re-signing the keys is among the things I dislike about 
>> keyserver.pgp.com. But in general, I think that keyservers need
>> to go in that direction if we want to enable easy use of OpenPGP
>> in email (which requires in some way or another to download
>> missing keys automatically).
> 
> You wouldn't need the keyservers to be involved in this at all.
> Anyone could set up such a mail verification CA outside of the
> keyserver network.

Perfectly correct, yes. This is exactly what I'm proposing. I believe
that the current keyserver network cannot do this. I just don't have
the time to (also) work on this...

-Patrick



Re: German ct magazine postulates death of pgp encryption

2015-03-01 Thread Patrick Brunschwig
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 01.03.15 15:58, Kristian Fiskerstrand wrote:
> On 03/01/2015 03:41 PM, Patrick Brunschwig wrote:
>> On 27.02.15 20:56, Werner Koch wrote:
>>> On Fri, 27 Feb 2015 17:26, patr...@enigmail.net said:
> 
>>>> that anyone can upload _every_ key to a keyserver is an
>>>> issue. If keyservers would do some sort of verification
>>>> (e.g. confirmation of the email addresses) then this would
>>>> lead to much more reliable data.
> 
>>> We have such a system. It is called S/MIME.
> 
>>> Ever tried to find an S/MIME (X.509) key (aka certificate) for
>>> an arbitrary mail address?  The only working solution to get
>>> such a key is by sending a mail and asking for the key.  You
>>> can do the very same with PGP of course.  Keyservers along with
>>> visiting cards are much nicer.
> 
>>> So, why is there no public service to distribute X.509 keys? 
>>> Because nobody wants to be legally responsible for such a key 
>>> unless you push a stack of money over the table for a qualified
>>>  signature certificate.
> 
>> I would not go that far as trying to guarantee the identity of 
>> key. But I think if a keyserver could do some basic verification
>> of keys, it would make OpenPGP a lot easier to use for email.
> 
>> The idea I have in mind is roughly as follows: if you upload a
>> key to a keyserver, the keyserver would send an encrypted email
>> to every UID in the key. Each encrypted mail contains a unique
>> link to confirm the email address. Once all email addresses are
>> confirmed, the key is validated and the keyserver will allow
>> access to it just like with any regular keyserver.
> 
> 
> You already have a variant of this at https://keyserver.pgp.com 
> (although I don't recall if they send the requests encrypted, I 
> haven't looked into the service in years)
> 
> In general I believe this to be an insufficient form of
> identification that really doesn't provide much of anything useful,
> but at least the PGP keyserver does it reasonably sane in its
> methodology by creating a signature from their CA on the key.
> Whether you put any merit to having such a CA signature or not is
> left up to the user (excluding for now the "fun" related to the
> spammy number of signatures from it)

Yes, I know. The re-confirmation every few months together with
re-signing the keys is among the things I dislike about
keyserver.pgp.com. But in general, I think that keyservers need to go
in that direction if we want to enable easy use of OpenPGP in email
(which requires in some way or another to download missing keys
automatically).

-Patrick




Re: German ct magazine postulates death of pgp encryption

2015-03-01 Thread Patrick Brunschwig
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 27.02.15 20:56, Werner Koch wrote:
> On Fri, 27 Feb 2015 17:26, patr...@enigmail.net said:
> 
>> that anyone can upload _every_ key to a keyserver is an issue. If
>> keyservers would do some sort of verification (e.g. confirmation
>> of the email addresses) then this would lead to much more
>> reliable data.
> 
> We have such a system. It is called S/MIME.
> 
> Ever tried to find an S/MIME (X.509) key (aka certificate) for an 
> arbitrary mail address?  The only working solution to get such a 
> key is by sending a mail and asking for the key.  You can do the 
> very same with PGP of course.  Keyservers along with visiting cards 
> are much nicer.
> 
> So, why is there no public service to distribute X.509 keys? 
> Because nobody wants to be legally responsible for such a key
> unless you push a stack of money over the table for a qualified
> signature certificate.

I would not go that far as trying to guarantee the identity of a key.
But I think if a keyserver could do some basic verification of keys,
it would make OpenPGP a lot easier to use for email.

The idea I have in mind is roughly as follows: if you upload a key to
a keyserver, the keyserver would send an encrypted email to every UID
in the key. Each encrypted mail contains a unique link to confirm the
email address. Once all email addresses are confirmed, the key is
validated and the keyserver will allow access to it just like with any
regular keyserver.

This way, we have a simple verification of the access to the private
key, as well as access to the email addresses contained in the UID
by quite a simple means. I would say this is about as reliable as
sending an email to someone requesting their key.

-Patrick

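The verification flow sketched in the post above, as an added example that is not part of the original thread and not the code of any real keyserver: a small Python model in which a key is served only after every UID address has confirmed a mailed token, keys whose UIDs carry no email address are refused (as Patrick says in a later reply), and the owner of an address can have the key removed. The class and function names, the token scheme, the `outbox` stand-in for encrypted mail and the sample fingerprints are all assumptions made for illustration.

```python
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass, field

# Address part of an OpenPGP user ID such as "Alice <alice@example.org>".
_ADDR_RE = re.compile(r"<([^<>@\s]+@[^<>@\s]+)>\s*$")


def uid_email(uid: str) -> str | None:
    """Lower-cased address of a user ID, or None if the UID carries none."""
    m = _ADDR_RE.search(uid)
    return m.group(1).lower() if m else None


@dataclass
class _Pending:
    uids: list[str]
    tokens: dict[str, str]                    # address -> unconfirmed token
    confirmed: set[str] = field(default_factory=set)


class VerifyingKeyserver:
    """Hypothetical keyserver: a key is served only once every UID address has
    confirmed its mailed token, and is dropped when the address owner asks."""

    def __init__(self) -> None:
        self._pending: dict[str, _Pending] = {}
        self._published: dict[str, list[str]] = {}        # fingerprint -> UIDs
        self._removal: dict[str, tuple[str, str]] = {}    # fingerprint -> (address, token)
        # Stand-in for the encrypted mails the server would send: (to, fingerprint, token).
        self.outbox: list[tuple[str, str, str]] = []

    def upload(self, fingerprint: str, uids: list[str]) -> int:
        """Queue a key for verification; returns the number of confirmation mails."""
        addrs = [uid_email(u) for u in uids]
        if not uids or None in addrs:
            # A server built for email refuses keys whose UIDs carry no address.
            raise ValueError("refused: every UID must contain an email address")
        tokens = {a: secrets.token_urlsafe(16) for a in addrs}
        self._pending[fingerprint] = _Pending(list(uids), tokens)
        for addr, tok in tokens.items():
            self.outbox.append((addr, fingerprint, tok))   # encrypted to the uploaded key
        return len(tokens)

    def confirm(self, fingerprint: str, token: str) -> bool:
        """Follow one confirmation link; publishes the key when all addresses agree."""
        pend = self._pending.get(fingerprint)
        if pend is None:
            return False
        for addr, expected in pend.tokens.items():
            # constant-time comparison, so a wrong token leaks nothing about the right one
            if addr not in pend.confirmed and secrets.compare_digest(expected.encode(), token.encode()):
                pend.confirmed.add(addr)
                break
        else:
            return False                       # unknown, or already used, token
        if pend.confirmed == set(pend.tokens):
            self._published[fingerprint] = pend.uids
            del self._pending[fingerprint]
        return True

    def lookup(self, address: str) -> list[str]:
        """Fingerprints for an address, served only from fully confirmed keys."""
        wanted = address.lower()
        return [fp for fp, uids in self._published.items()
                if wanted in {uid_email(u) for u in uids}]

    def request_removal(self, fingerprint: str, address: str) -> bool:
        """The owner of an address asks for removal; proof is again a mailed token."""
        uids = self._published.get(fingerprint)
        if uids is None or address.lower() not in {uid_email(u) for u in uids}:
            return False
        tok = secrets.token_urlsafe(16)
        self._removal[fingerprint] = (address.lower(), tok)
        self.outbox.append((address.lower(), fingerprint, tok))
        return True

    def confirm_removal(self, fingerprint: str, token: str) -> bool:
        entry = self._removal.pop(fingerprint, None)
        if entry is None or not secrets.compare_digest(entry[1].encode(), token.encode()):
            return False
        self._published.pop(fingerprint, None)
        return True


def demo() -> dict:
    """Walk one constructed key through upload, confirmation and removal."""
    ks, fp = VerifyingKeyserver(), "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed
    ks.upload(fp, ["Alice <alice@example.org>", "Alice (work) <alice@example.com>"])
    tok = {to: t for to, f, t in ks.outbox if f == fp}      # what the mails would carry
    ks.confirm(fp, tok["alice@example.org"])
    out = {"partial": ks.lookup("alice@example.org")}     # one of two confirmed: unpublished
    ks.confirm(fp, tok["alice@example.com"])
    out["after"] = ks.lookup("alice@example.org")          # both confirmed: served
    try:
        ks.upload("F" * 40, ["Mallory (no address)"])      # constructed key, UID without address
        out["refused"] = False
    except ValueError:
        out["refused"] = True
    ks.request_removal(fp, "alice@example.com")
    out["removed"] = ks.confirm_removal(fp, ks.outbox[-1][2])
    out["final"] = ks.lookup("alice@example.org")
    return out
```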


Re: German ct magazine postulates death of pgp encryption

2015-02-27 Thread Patrick Brunschwig
On 27.02.15 13:11, Kristian Fiskerstrand wrote:
> On 02/27/2015 12:43 PM, Hauke Laging wrote:
>> Am Fr 27.02.2015, 12:27:40 schrieb gnupgpacker:
> 
>>> Maybe implementation with an opt-in could preserve publishing
>>> of faked keys on public keyservers?
> 
>> We need keyservers which are a lot better that today's. IMHO
>> that also means that a keyserver should tell a client for each
>> offered certificate whether it (or a trusted keyserver) has made
>> such an email verification.
> 
> The keyservers have no role in this, they are pure data store and
> can never act as a CA. That would bring up a can of worm of issues,
> both politically and legally, I wouldn't want to see the first case
> where a keyserver operator was sued for permitting a "fake key"
> (the term itself is very misleading, the key itself isn't fake at
> all, but a fully valid key where the UID has not been mated to its
> holder through proper validation).

But that's the main primary reason of the article at all. The fact
that anyone can upload _every_ key to a keyserver is an issue. If
keyservers would do some sort of verification (e.g. confirmation of
the email addresses) then this would lead to much more reliable data.
Furthermore, we need a feature to allow keys to be removed in case the
true owner of an email address requests it.

I know that this collides with today's keyservers and it also collides
with keyservers exchanging keys between each other, but I strongly
believe that this would make keyservers more trustworthy than today.

-Patrick



Re: Question about group line use in GnuPG

2015-02-22 Thread Patrick Brunschwig
On 22.02.15 09:29, Ludwig Hügelschäfer wrote:
> Hi Anthony,
> 
> On 22.02.15 01:32, Anthony Papillion wrote:
> 
>> Thanks for your quick response. It looks like I may have fixed
>> the problem. Basically, when I use Enigmail for the group line,
>> it needs it in the form of
> 
>> group =key1,key2,key3
> 
>> But when I do it from the terminal, it needs to be in the form
>> of
> 
>> group pgp...@yahoogroups.com=key1,key2,key3
> 
>> Copying the group line in my gpg.conf file and removing the 
>> brackets made if work as expected.
> 
> Which Enigmail version are you using?

As far as I know, group entries should be space-separated, not by comma.
I.e. group =key1 key2 key3

Furthermore, the current release version of Enigmail cannot handle <>
as part of the group name.

-Patrick



Re: [Announce] GnuPG 2.1.2 released

2015-02-12 Thread Patrick Brunschwig
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 11.02.15 20:40, Werner Koch wrote:
> Hello!
> 
> The GnuPG Project is pleased to announce the availability of the 
> third release of GnuPG modern: Version 2.1.2.

The "usual" installer for Mac OS X is now available from
https://sourceforge.net/p/gpgosx/docu/Download/


-Patrick




Re: Specifying passphrase for batch key generation

2015-01-15 Thread Patrick Brunschwig
On 15.01.15 09:56, Werner Koch wrote:
> On Wed, 14 Jan 2015 21:59, jose.casti...@gmail.com said:
> 
>> Now that we cannot specify a passphrase in the batch parameters, what
>> is the preferred method for batch key generation with a specified
>> passphrase?
> 
> Thanks for this question.  The Enigmail folks also asked on how to do
> this and my answer was to switch to pinentry-mode=loopback.  Revisiting
> the code, it seems that there could be an easier solution.  I see no
> reason why we should not allow passing a passphrase along with the
> parameters for the key generation.  After all if the user wants to work
> around the Pinentry, they should be allowed to do that - at least for
> the key generation.
> 
> It requires a bit of code but I think it is worth to have it in 2.1.2.

Even easier!

Thanks a lot
-Patrick



Re: gpg-connect-agent querying max-cache-ttl

2015-01-10 Thread Patrick Brunschwig
On 09.01.15 21:24, Rob Fries wrote:
> Hi,
> 
> I have done a lot of searching and have not found much to cover my use
> case. Please direct me to any previous discussions if there are any!
> 
> Basically, I have stand alone system where files are automatically
> encrypted and decrypted for processing. This is currently setup using
> quintuple-agent, but we want to use something which is maintained.
> 
> I am looking to use gpg-agent to store the passphrase, which is entered
> using gpg-preset-passphrase. This all works perfectly other than
> max-cache-ttl removing the passphrase.
> 
> I am looking for a way to query the max-cache-ttl  time for gpg-agent so
> I can have an alert as this time approaches.
> 
> This will give me a heads up before I need to enter a passphrase with
> gpg-preset-passphrase so it can be planned for an optimal time.
> 
> I know there are ways to query some information from gpg-agent with
> gpg-connect-agent, but I have not found any central documentation on how
> to query this.

You should use gpgconf for this.

https://www.gnupg.org/documentation/manuals/gnupg/gpgconf.html

-Patrick




Re: Import pubkey to Thunderbird/Enigmail/Gpg4Win

2015-01-08 Thread Patrick Brunschwig
On 08.01.15 16:59, gnupgpacker wrote:
> Hello,
> if importing a public gpg rsa key to current Thunderbird/Enigmail/Gpg4Win on
> Win7-64, there is an issue with German Umlaute, pls refer to attached
> screenshot.
> 
> Exported key has been created by GPG-1.4.18/Win7-64, importing Enigmail
> works with GPG4Win (GPG-2.0.26)/Win7-64.
> 
> Everything (signing, encryption...) works as expected, so maybe it is a
> display error only!?
> Bugfix possible?

That's a problem with Enigmail, not GnuPG.

It's only a display problem; if you go to the key manager, you should
see the Umlauts correctly. And no, this can't be properly fixed.

-Patrick




Re: [Announce] GnuPG 2.1.1 released

2014-12-19 Thread Patrick Brunschwig
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 18.12.14 09:58, Werner Koch wrote:
> On Wed, 17 Dec 2014 18:02, patr...@enigmail.net said:
> 
>> I created an installer for GnuPG 2.1.1 on Mac OS X, available
>> from here:
> 
> Is that one already useful for general public and shall I add it to
> the download page?

Yes, it is - I'd love to see it on the download page :-)

-Patrick




Re: [Announce] GnuPG 2.1.1 released

2014-12-17 Thread Patrick Brunschwig
On 16.12.14 17:36, Werner Koch wrote:
> Hello!
> 
> The GnuPG Project is pleased to announce the availability of the
> second release of GnuPG modern: Version 2.1.1.
> 
> The GNU Privacy Guard (GnuPG) is a complete and free implementation of
> the OpenPGP standard as defined by RFC-4880 and better known as PGP.
> 
> GnuPG, also known as GPG, allows to encrypt and sign data and
> communication, features a versatile key management system as well as
> access modules for public key directories.  GnuPG itself is a command
> line tool with features for easy integration with other applications.
> A wealth of frontend applications and libraries making use of GnuPG
> are available.  Since version 2 GnuPG provides support for S/MIME and
> Secure Shell in addition to OpenPGP.
> 
> GnuPG is Free Software (meaning that it respects your freedom). It can
> be freely used, modified and distributed under the terms of the GNU
> General Public License.
> 
> Three different versions of GnuPG are actively maintained:
> 
> - GnuPG "modern" (2.1) is the latest development with a lot of new
>   features.  This announcement is about the first release of this
>   version.
> 
> - GnuPG "stable" (2.0) is the current stable version for general use.
>   This is what most users are currently using.
> 
> - GnuPG "classic" (1.4) is the old standalone version which is most
>   suitable for older or embedded platforms.
> 
> You may not install "modern" (2.1) and "stable" (2.0) at the same
> time.  However, it is possible to install "classic" (1.4) along with
> any of the other versions.

I created an installer for GnuPG 2.1.1 on Mac OS X, available from here:

http://sourceforge.net/projects/gpgosx/files/GnuPG-2.1.1.dmg/download

-Patrick




Re: Beta for 2.1.1 available

2014-11-24 Thread Patrick Brunschwig
On 24.11.14 09:24, Werner Koch wrote:
[...]
> 
> GnuPG changes in 2.1.1-beta35
> -
> 
[...]
>  * Fixed build problems on Mac OS X

All fixed indeed! I created the first GnuPG build that did not require a
single patch on OS X :-)

-Patrick



Re: The Facts:

2014-11-15 Thread Patrick Brunschwig
On 15.11.14 12:52, da...@gbenet.com wrote:
> The steps I have taken to move my /.gnupg folder
> 
> Background:
> 
> I have two laptops (1) a 32 bit LXD laptop-1 (2) a 64 bit LXD
> laptop-2 one mouse and one WD 1.0 TB (1,000,202,043,392 bytes)
> external drive that plugs into the USB port of either laptop-1 or
> laptop-2 = david@laptop-1:/media/store$.
> 
> Laptop-1 and laptop-2 are a mirror image of each. They contain the
> same software. I copied programmes like Thunderbird Firefox from
> laptop-1 to laptop-2 without any problems.

Why don't you simply do this:

1. on your old laptop:

tar zcf gnupg-backup.tgz $HOME/.gnupg


2. Copy the resulting file "gnupg-backup.tgz" to your new laptop


3. on your new laptop:

tar zxf gnupg-backup.tgz


-Patrick



Re: GnuPG 2.1.0 for Mac OS X Available

2014-11-09 Thread Patrick Brunschwig
On 09.11.14 21:51, Nicholas Cole wrote:
> Hi Patrick,
> 
> Thanks for this! It's a really useful resource.
> 
> Are you able to explain how you managed to get GnuPG-2.1 to compile?

See the scripts in the git source tree:
https://sourceforge.net/p/gpgosx/source/ci/master/tree/create_gpg

I have XCode 6.1 plus a very small set of tools from MacPorts (wget,
pkg-config).

-Patrick



Re: Error building GnuPG modern 2.1.0 on Yosemite

2014-11-09 Thread Patrick Brunschwig
Apply this patch before doing ./configure and it will build OK:

<https://sourceforge.net/p/gpgosx/source/ci/master/tree/patches/makefile.patch>

-Patrick

On 09.11.14 22:56, Mel Brands wrote:
> Werner, 
> 
> Thank you! Patching with -p1 fixed the compilation issue but now I've
> run into a linking issue (I'm using the latest libgpg-error 1.17). 
> 
> This is the error that occurs near the very end:
> 
> 
> gcc -I/usr/local/include -I/usr/local/include -I/usr/local/include -g
> -O2 -Wall -Wno-pointer-sign -Wpointer-arith   -o t-sexputil t-sexputil.o
> libcommon.a ../gl/libgnu.a -L/usr/local/lib -lgcrypt -lgpg-error
> -lassuan -L/usr/local/lib -lgpg-error -L/usr/local/lib -lgpg-error  -liconv 
> Undefined symbols for architecture x86_64:
>   "_default_errsource", referenced from:
>   _parse_ber_header in libcommon.a(libcommon_a-tlv.o)
>   _parse_sexp in libcommon.a(libcommon_a-tlv.o)
> ld: symbol(s) not found for architecture x86_64
> collect2: ld returned 1 exit status
> make[3]: *** [t-sexputil] Error 1
> make[2]: *** [all] Error 2
> make[1]: *** [all-recursive] Error 1
> make: *** [all] Error 2
> --
> 
> According to this post, using a "stable" libgpg-error used to fix this
> issue back in the
> May: http://lists.gnupg.org/pipermail/gnupg-users/2014-May/049786.html
> 
> I've tried Libgpg-error 1.16/1.17 and they have all failed to link
> properly with Gnupg 2.1.0. Libgpg-error 1.16/1.17 gives identical errors
> as the one above and 1.15 itself fails to compile with the following:
> 
> ---
> libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I..
> -DLOCALEDIR=\"/usr/local/share/locale\" -g -O2 -Wall -Wpointer-arith -MT
> libgpg_error_la-estream.lo -MD -MP -MF .deps/libgpg_error_la-estream.Tpo
> -c estream.c  -fno-common -DPIC -o .libs/libgpg_error_la-estream.o
> estream.c:3502: error: conflicting types for '_gpgrt_fseeko'
> gpgrt-int.h:108: error: previous declaration of '_gpgrt_fseeko' was here
> estream.c:3528: error: conflicting types for '_gpgrt_ftello'
> gpgrt-int.h:110: error: previous declaration of '_gpgrt_ftello' was here
> make[3]: *** [libgpg_error_la-estream.lo] Error 1
> make[2]: *** [all] Error 2
> make[1]: *** [all-recursive] Error 1
> make: *** [all] Error 2
> -
> 
> Thanks for any insight!
> 
> Mel
> 
> PS: To answer Patrick Brunschwig, I'm using Xcode 6.1 on OS X 10.10
>  (everything's updated to the latest versions available).
> 
> On Fri, Nov 7, 2014 at 1:44 AM, Werner Koch  <mailto:w...@gnupg.org>> wrote:
> 
> On Thu,  6 Nov 2014 19:37, bigh...@gmail.com
> <mailto:bigh...@gmail.com> said:
> 
> > I tried to compile 2.1.0 today and ran into an issue. I have the
> > latest autoconf/m4/gnu toolchain and all of the latest libraries that
> > GnuPG needs.
> 
> It is kind of funny that GnuPG, as most autoconf enabled programs, builds
> fine on so many Unix platforms but not on OS X, which should be a modern
> Unix.
> 
> One of the reasons might be that GnuPG uses a small part of gnulib (gl/)
> but does not follow all the gnulib updates to avoid regressions.
> 
> > ../gl/stdint.h:62:31: error: _types/_intmax_t.h: No such file or 
> directory
> > ../gl/stdint.h:63:32: error: _types/_uintmax_t.h: No such file or 
> directory
> 
> This problem seems to be caused by the hack below.  We hoped that this would
> fix the problems but obviously it didn't on all machines.  You may try
> to revert that patch.
> 
> For 2.0.1 I'd really like to get access to a decent OS X box to test the
> build before releasing it.
> 
> 
> Salam-Shalom,
> 
>Werner
> 
> 
> commit f5592fcff308007322a201c970a6d5e8763c9fe3
> Author: Werner Koch mailto:w...@gnupg.org>>
> Date:   Wed Oct 29 15:41:28 2014 +0100
> 
> Fix stdint.h problem for Apple.
> 
> * gl/stdint_.h [__APPLE__]: Include hack.
> --
> 
> Patch suggested by Patrick Brunschwig.
> 
> Modified   gl/stdint_.h
> diff --git a/gl/stdint_.h b/gl/stdint_.h
> index 19577e7..1118e8d 100644
> --- a/gl/stdint_.h
> +++ b/gl/stdint_.h
> @@ -55,6 +55,13 @@
>  # include @ABSOLUTE_STDINT_H@
>  #endif
> 
> +#ifdef __APPLE__
> +  /* Apple's implementation of  is bugy; we therefore use
> + the source definitions.  */
> +# include <_types/_intmax_t.h>
> +# include <_types/_uintmax_t.h>
> +#endif
> +
>  /*  defines some of the stdint.h types as well, on glibc,
> IRIX 6.5, and OpenBSD 3.8 (via ).
> MacOS X 10.4.6  includes  (which is us), but
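Review bot: the `__APPLE__` guard around the two new includes in gl/stdint_.h is too broad. The errors quoted earlier in this thread (`../gl/stdint.h:62:31: error: _types/_intmax_t.h: No such file or directory`) show that `<_types/_intmax_t.h>` and `<_types/_uintmax_t.h>` do not exist on every OS X toolchain, so the hack should be gated on a configure-time header check (or `__has_include` where the compiler supports it) rather than on `__APPLE__` alone, otherwise it trades one build failure for another. Minor: the new comment misspells "buggy" as "bugy", and the header it refers to has been lost after "implementation of" (an angle-bracketed name swallowed by mail formatting, it seems), so the comment should spell out which header it means.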
> 
> 
> 
> --
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
> 
> 
> 
> 
> 




GnuPG 2.1.0 for Mac OS X Available

2014-11-09 Thread Patrick Brunschwig
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

I'm happy to announce the first release of the "GnuPG for OSX" project
- - a new distribution of GnuPG 2.1 for Mac OS X ready to download and
install.

I started "GnuPG for OSX" to provide up to date distributions of GnuPG
on Mac. Unlike GPG Tools, this project "only" provides the complete
standard gpg tool suite, and no additional software.

The distribution requires Mac OS X 10.7 or newer and a 64-bit processor.

The software is available from:
http://sourceforge.net/projects/gpgosx/files/GnuPG-2.1.0.dmg/download

-Patrick



Re: Error building GnuPG modern 2.1.0 on Yosemite

2014-11-08 Thread Patrick Brunschwig
On 07.11.14 07:44, Werner Koch wrote:
> On Thu,  6 Nov 2014 19:37, bigh...@gmail.com said:
> 
>> I tried to compile 2.1.0 today and ran into an issue. I have the
>> latest autoconf/m4/gnu toolchain and all of the latest libraries that
>> GnuPG needs.
> 
> It is kind of funny that GnuPG, as most autoconf enabled programs, builds
> fine on so many Unix platforms but not on OS X, which should be a modern
> Unix.
> 
> One of the reasons might be that GnuPG uses a small part of gnulib (gl/)
> but does not follow all the gnulib updates to avoid regressions.
> 
>> ../gl/stdint.h:62:31: error: _types/_intmax_t.h: No such file or directory
>> ../gl/stdint.h:63:32: error: _types/_uintmax_t.h: No such file or directory
> 
> This problem seems to be caused by the hack below.  We hoped that this would
> fix the problems but obviously it didn't on all machines.  You may try
> to revert that patch.
> 
> For 2.0.1 I'd really like to get access to a decent OS X box to test the
> build before releasing it.

I'm currently using Mavericks (10.9) with Xcode 6.1. I can imagine that
this is different on Yosemite (10.10) and/or a different version of
XCode. :-(

Which version of XCode do you (Mel) use?

-Patrick




Re: Problem compiling GnuPG 2.1.0 on OS X 10.10

2014-11-08 Thread Patrick Brunschwig
On 07.11.14 06:41, Ramsey Dow wrote:
> Hello, I am having a build failure with GnuPG 2.1.0 on OS X 10.10 using Xcode 
> 6.1's compiler tools.
> 
> I have successfully compiled and installed all of the prerequisite libraries 
> (npth 1.1, libgpg-error 1.17, libksba 1.3.1, and libassuan 2.1.2). My build 
> sequence is as follows:
> 
> gpg --verify $MRT/cache/gnupg-2.1.0.tar.bz2.sig
> tar xjf $MRT/cache/gnupg-2.1.0.tar.bz2
> pushd gnupg-2.1.0
> ./configure --prefix=$MRTRT
> make
> 
> The compilation fails while linking t-sexputil in common. Here are the last 
> few lines of the build process:
> 
> gcc -DHAVE_CONFIG_H -I. -I..  -I../gl -I../intl 
> -DLOCALEDIR=\"/Users/ramsey/Developer/MRT/runtime/share/locale\" 
> -DGNUPG_BINDIR="\"/Users/ramsey/Developer/MRT/runtime/bin\"" 
> -DGNUPG_LIBEXECDIR="\"/Users/ramsey/Developer/MRT/runtime/libexec\"" 
> -DGNUPG_LIBDIR="\"/Users/ramsey/Developer/MRT/runtime/lib/gnupg\"" 
> -DGNUPG_DATADIR="\"/Users/ramsey/Developer/MRT/runtime/share/gnupg\"" 
> -DGNUPG_SYSCONFDIR="\"/Users/ramsey/Developer/MRT/runtime/etc/gnupg\"" 
> -DGNUPG_LOCALSTATEDIR="\"/Users/ramsey/Developer/MRT/runtime/var\""
> -I/Users/ramsey/Developer/MRT/runtime/include 
> -I/Users/ramsey/Developer/MRT/runtime/include 
> -I/Users/ramsey/Developer/MRT/runtime/include -g -O2 -Wall -Wno-pointer-sign 
> -Wpointer-arith -MT t-sexputil.o -MD -MP -MF .deps/t-sexputil.Tpo -c -o 
> t-sexputil.o t-sexputil.c
> mv -f .deps/t-sexputil.Tpo .deps/t-sexputil.Po
> gcc -I/Users/ramsey/Developer/MRT/runtime/include 
> -I/Users/ramsey/Developer/MRT/runtime/include 
> -I/Users/ramsey/Developer/MRT/runtime/include -g -O2 -Wall -Wno-pointer-sign 
> -Wpointer-arith   -o t-sexputil t-sexputil.o libcommon.a ../gl/libgnu.a 
> -L/Users/ramsey/Developer/MRT/runtime/lib -lgcrypt -lgpg-error -lassuan 
> -L/Users/ramsey/Developer/MRT/runtime/lib -lgpg-error 
> -L/Users/ramsey/Developer/MRT/runtime/lib -lgpg-error  -liconv 
> Undefined symbols for architecture x86_64:
>   "_default_errsource", referenced from:
>   _parse_ber_header in libcommon.a(libcommon_a-tlv.o)
>   _parse_sexp in libcommon.a(libcommon_a-tlv.o)
> ld: symbol(s) not found for architecture x86_64
> clang: error: linker command failed with exit code 1 (use -v to see 
> invocation)
> make[3]: *** [t-sexputil] Error 1
> make[2]: *** [all] Error 2
> make[1]: *** [all-recursive] Error 1
> make: *** [all] Error 2
> 
> I'm not sure why this error is occurring, which is why I am reporting it 
> here, per instructions in the README. Am I forgetting to specify an option to 
> configure? Is the configuration subsystem missing something about my system's 
> setup? Please advise. I'm happy to provide any other details if necessary.

You'll need to apply the following patch for compiling GnuPG (the patch
is made to be applied before ./configure is executed):



And most likely, you'll run into another build error in dirmgr. This can
be fixed by editing dirmgr/Makefile and deleting "-R/path/to/somewhere"
from LDFLAGS

-Patrick






Re: PGP/MIME considered harmful for mobile

2011-02-25 Thread Patrick Brunschwig
On 25.02.11 07:43, Robert J. Hansen wrote:
> On 2/24/11 10:15 PM, Daniel Kahn Gillmor wrote:
>> my colleague is using the application named "email", version 2.2.2 on a
>> stock 2.2.1 motorola droid.
> 
> My problem is reproducible on a stock Droid X running 2.2.something --
> just got off a very long flight, funeral in the morning: I'll dig the
> precise version number tomorrow.

The only mail client on Android I know of to handle OpenPGP messages is
K9 (together with APG). But K9 only supports inline-PGP, PGP/MIME
messages are not displayed.

-Patrick




Re: recursive gpg

2008-08-08 Thread Patrick Brunschwig
David SMITH wrote:
> On Thu, Aug 07, 2008 at 09:54:13AM -0600, Eliot, Christopher wrote:
>> gpg  `find . -type f`
>> will get you pretty close.
> 
> Close, but if you've got lots of files, you'll hit the maximum command
> line length limit.

You have these two options:

a) find . -type f -exec gpg  {} \;
"{}" stands for the found filename

b) find . -type f | xargs gpg 

HTH
-Patrick



Re: filtering signed email with thunderbird

2008-05-02 Thread Patrick Brunschwig
Ramon Loureiro wrote:
> Hi!
> 
> Is it possible to make a thunderbird filter that save my signed msgs in
> some folder?
> What in the email header must the filter check to see it has a (valid)
> signature?
> Or must it look for "BEGIN PGP..." strings into the body of the msg?

Not really. Unfortunately Thunderbird doesn't make it easy to extend
message filters for such purposes, which is why there is no such feature
in Enigmail.

-Patrick




Re: GnuPG v2.x?

2008-04-07 Thread Patrick Brunschwig
Werner Koch wrote:
[...]
> necessary enhancements to their S/MIME implementation.  The way Mozilla
> works is basically: Show a positive result but don't annoy the user if
> the signature is suspicious.  The fact that Mozilla may fall back to 40
> bit RC4 encryption may indicate that the developers do not consider
> privacy a major goal.

I think that last statement is no longer true. As of Thunderbird 2.0,
SeaMonkey 1.1 and Firefox 2.0 all 40 bit algorithms are disabled by
default (but the user may still enable them if he knows how to change
hidden prefs).

-Patrick




Re: GnuPG agent and non-shell application

2007-11-14 Thread Patrick Brunschwig
Noiano wrote:
> Hi everybody
> I have GnuPg 1.4.6 installed and I have my .gnupg directory as a
> symbolic link pointing to an encrypted partition. As soon as I need
> my keys I mount the encrypted partition and the symbolic link is
> resolved with no problem. The problem is the use of gnupg agent: I
> type gpg-agent --daemon > gpg-agent-info so that the variable
> information are stored to that file. Under my .bashrc I have added
> the following line "source gpg-agent-info" so that the variable is
> correctly set up.
> The problem is the use of gnupg agent with program such as
> thunderbird, kpgp. They cannot see the variable GPG_AGENT_INFO as
> all shells do. I cannot set anything in .xsession because the
> encrypted partition isn't mounted on boot but on demand. Could you
> please tell me a reasonable solution for this matter?

Start Thunderbird (or kgpg) with a wrapper program that checks if
gpg-agent is running and, if so, exports GPG_AGENT_INFO from your
gpg-agent-info file. I found that gpg-connect-agent is quite nice for
doing this.

Something like this should do the job:

#!/bin/bash
source /path/to/gpg-agent-info
export GPG_AGENT_INFO

gpg-connect-agent 
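
A wrapper in the spirit of the one above, written here as an added example (it is not Patrick's script, which the archive cuts off, and not GnuPG code). It assumes the gpg-agent-info file holds the single line that the old `gpg-agent --daemon` printed, `GPG_AGENT_INFO=<socket>:<pid>:<protocol>; export GPG_AGENT_INFO;`, and it exports the variable to the launched program only when that socket still exists and that pid is alive, so a stale file from an earlier session is dropped instead of being handed to Thunderbird.

```python
"""Launch a GUI program with GPG_AGENT_INFO taken from a gpg-agent-info file.

Added example, not GnuPG's or Enigmail's code. Assumed file format (what the
pre-2.1 `gpg-agent --daemon` wrote to stdout):
    GPG_AGENT_INFO=<socket path>:<pid>:<protocol>; export GPG_AGENT_INFO;
"""
import os
import re
import sys

AGENT_INFO_RE = re.compile(r"GPG_AGENT_INFO=([^:;\s]+):(\d+):(\d+)")


def parse_agent_info(text):
    """Return (socket_path, pid, protocol_version) or None if no such line."""
    m = AGENT_INFO_RE.search(text)
    if not m:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3))


def pid_alive(pid):
    """True if a process with this pid exists; signal 0 delivers nothing."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but belongs to another user
    return True


def agent_env(info_path, base_env=None):
    """Build the environment for the wrapped program.

    GPG_AGENT_INFO is set only when the info file parses, the socket path
    exists and the recorded pid is still running. Otherwise the variable is
    removed, so gpg in the launched program asks for the passphrase itself
    rather than failing against an agent that is gone.
    """
    env = dict(os.environ if base_env is None else base_env)
    env.pop("GPG_AGENT_INFO", None)
    try:
        with open(info_path) as fh:
            parsed = parse_agent_info(fh.read())
    except OSError:
        return env  # encrypted partition not mounted yet: no agent
    if parsed is None:
        return env
    sock, pid, proto = parsed
    if os.path.exists(sock) and pid_alive(pid):
        env["GPG_AGENT_INFO"] = "%s:%d:%d" % (sock, pid, proto)
    return env


def main(argv):
    if len(argv) < 3:
        sys.stderr.write("usage: agent-wrap.py /path/to/gpg-agent-info PROGRAM [ARGS]\n")
        return 2
    # Replace this wrapper with the real program, e.g. thunderbird.
    os.execvpe(argv[2], argv[2:], agent_env(argv[1]))


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```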

Re: Decrpytion not automatically possbible

2007-08-21 Thread Patrick Brunschwig
Burkhard Schroeder wrote:
> Hi,
> 
> a got the same problem with Thunderbird and Evolution: encryption is
> working perfect, but decryption not. I have to store the textfile
> manually, and then to decrypt it as a file :-(
> 
> But I did not change nothing.
> 
> I got the message only in german:
> 
> Fehler - Entschlüsselung fehlgeschlagen
> 
> gpg Kommandozeile und Ausgabe:
> /usr/bin/gpg --charset utf8 --batch --no-tty --status-fd 2 -d --use-agent
> gpg: Schwierigkeiten mit dem Agenten - Agent-Ansteuerung wird abgeschaltet
> gpg: Passwortsatz kann im Batchmodus nicht abgefragt werden
> gpg: Ungültige Passphrase; versuchen Sie es bitte noch einmal ...
> gpg: Passwortsatz kann im Batchmodus nicht abgefragt werden
> gpg: Ungültige Passphrase; versuchen Sie es bitte noch einmal ...
> gpg: Passwortsatz kann im Batchmodus nicht abgefragt werden
> gpg: verschlüsselt mit 4096-Bit ELG-E Schlüssel, ID 488E0745, erzeugt
> 2005-07-23
> "Burkhard Schroeder <[EMAIL PROTECTED]>"
> gpg: Entschlüsselung mit Public-Key-Verfahren fehlgeschlagen: Falsche
> Passphrase
> gpg: Entschlüsselung fehlgeschlagen: Geheimer Schlüssel ist nicht vorhanden

I don't know why Evolution would try to use gpg-agent, but at least in
Thunderbird/Enigmail make sure that the option "Use gpg-agent for
passphrases" is turned OFF. Furthermore, make sure that there is no
GPG_AGENT_INFO environment variable set.

-Patrick




Re: [Announce] GnuPG 2.0.6 released

2007-08-16 Thread Patrick Brunschwig
Werner Koch wrote:
> 
>  * Improved Windows support.

Werner, do you also plan to create binary releases (i.e. installers) for
Windows?

-Patrick



Re: OpenPGP and usability

2007-08-13 Thread Patrick Brunschwig
Werner Koch wrote:
> On Fri, 10 Aug 2007 13:43, [EMAIL PROTECTED] said:
> 
>> At least Thunderbird openly invites plugins and Enigmail is a good one.
> 
> Let Patrick explain you why there are still problems.

The user interface may be nice indeed, and the whole extension seems to
be quite well-integrated into Thunderbird, but in the background I can
tell you there are many hacks and workarounds needed to get things
running. Still, after more than 6 years of development, there are parts
of the code in Enigmail that I would call fragile.

> Have you ever tried to work with the Mozilla Foundation on allowing
> better integration of certain plugins?  For example supporting non-NSS
> based crypto?

The main problem is that Thunderbird is very open for add-ons related to
the user interface, but once you dig into the core of the application,
it's no longer so well extensible. This is especially true for some of
the existing core parts. Some bits date back to Netscape 4.0 (or even
earlier) and have not been redesigned ever since then -- you can imagine
what follows now.

-Patrick




Re: OpenPGP and usability

2007-08-09 Thread Patrick Brunschwig
Werner Koch wrote:
> On Wed,  8 Aug 2007 20:20, [EMAIL PROTECTED] said:
> 
>> What precisely would you need (or send)? I would be open to implement
>> such a "solution" in Enigmail, if it helps!
> 
> I am considering to have a new header like
> 
>   Gpgol-content-type: application/pgp-encrypted
> 
> to supplement the Outlook generated Content-type.  The problem is that
> there is no way in Outlook/MAPI to override all content-types - Outlook
> has its own idea on how to set them.  Though it is possible to set the
> content-type of the top body, there is no way to set any content type
> below that and thus we would end up with text/plain instead of
> application/pgp-encrypted for the first part.
> 
> I have not yet implemented that in gpgol.  I did some tests last year
> and they showed that it will be possible.
> 
> It would also be possible to fixup the content type later using an SMTP
> proxy but that won't be easy to install.  A new MAPI transport provider
> could also fixup such things but I fear that this will raise all kinds
> of compatibility problems.

I would actually call the content type

X-Gpgol-content-type: application/pgp-encrypted

I think at least concerning Enigmail, I could handle this properly.

-Patrick



Re: OpenPGP and usability

2007-08-08 Thread Patrick Brunschwig
Werner Koch wrote:
>> Problem 2: PGP/MIME.  Correspondents who were using PGP/MIME for
>> attachments found massive interoperability problems.  Apparently,
>> Enigmail has an idiosyncratic way of doing PGP/MIME which causes
>> heartache and woe for non-Enigmail users.  (I haven't confirmed this;
>> this is just according to him.)
> 
> It is really a shame that the one Free Software project which is known
> by more than the computer geeks - namely Mozilla - is refusing to
> support an established standard like PGP/MIME.  We have had several
> implementations of it over the years for the new mail component (now
> known as Thunderbird) but all of them have been refused without giving
> good reasons.
> 
> In this regard Thunderbird is no better than Outlook!

But there is Enigmail, and I'm doing my best to integrate it as neatly
as possible into Thunderbird ;-)

> BTW: We would be able to solve the Outlook PGP/MIME sending problem if
> we could informally agree on a variant of the Content-Type header which
> gets checked by PGP/MIME aware MUAs before they use the real
> Content-Type.  Yes, it would be an ugly hack but very helpful.

What precisely would you need (or send)? I would be open to implement
such a "solution" in Enigmail, if it helps!

-Patrick




Re: Ownership of usb device with udev.

2007-07-03 Thread Patrick Brunschwig
Guillaume Yziquel wrote:
> Werner Koch a écrit :
>> On Fri, 29 Jun 2007 11:38, [EMAIL PROTECTED] said:
>>
>>> Visibly, purging pcscd does not solve the problem. Concerning
>>> permissions, I guess I have some work to do:
>> Indeed.  That is your problem.  Use lsusb to figure out where the SCR335
>> is attached and then manually update the ownership for testing.  The
>> HOWTO has hints on how to install the hotplug stuff.
> 
> I read the hotplug stuff was deprecated, and that udev should be used
> instead. The output of lsusb -v concerning the smart card reader follows.
> 
> My main problem is that I do not really understand how udev works. I
> understood there was lots of renaming involved. And with all these
> renamings, I do not really know how to make ownership changes.
> 
> I'd really love to find a good document on how udev works. In particular
> with debian.

The basic idea with udev is that you define rules for defining the group
and permission of devices (and other actions such as launching
applications). Here is a how-to that explains how these things work:
http://reactivated.net/writing_udev_rules.html

In your case you should create a file containing something like the
example below (everything on one line) and place it into
/etc/udev/rules.d. Check the README in /etc/udev/rules.d for the file
naming conventions.

SYSFS{idProduct}=="5115", SYSFS{idVendor}=="04e6", MODE="660", GROUP="myspecialgroup"

HTH
-Patrick



Re: Can't run GPG --recv-keys under Windows Vista.

2007-05-30 Thread Patrick Brunschwig
Alessandro Vesely wrote:
> Henry Hertz Hobbit wrote:
>> 1. Vista considers the %ProgramFiles% area as semi-protected.  Since
>>GnuPG is installing into this area, it is a reason for concern.
> 
> Next question is "Why is GnuPG installing into this area?"

According to Microsoft's recommendations (for those who care ;-) )
%ProgramFiles% is the place where executable programs should be
installed to. That's the place where *any* software should be installed,
such that programs and user data are separate.

-Patrick




Re: Can't run GPG --recv-keys under Windows Vista.

2007-05-27 Thread Patrick Brunschwig
Moses wrote:
> Hi,
> 
> I've installed gpg on Windows Vista recently, but seems not all the
> functions work well when I try to receive keys from keyserver. Here is
> the command I typed:
> 
>gpg --keyserver subkeys.pgp.net --recv-keys 
> 
> After hit RETURN, I got errors immediately like this:
> 
>gpgkeys: hkp fetch error 1: unsupported protocol
> 
> The same command works well on Windows XP.
> 
> I've checked the environment variables %PATH%, and gpg's directory is in it.
> 
> Any ideas?

This is a well-known issue on Vista. See e.g. here for the solution:
http://lists.gnupg.org/pipermail/gnupg-users/2007-March/030595.html

-Patrick



Re: Decrypting multiple files gives errors

2007-04-17 Thread Patrick Brunschwig
This is a new security feature. Use the new option
"--allow-multiple-messages" to avoid the error.

-Patrick

fourthirtysix wrote:
> is there another forum where i can ask this?  i've used gnupg for a long time
> and now i'm losing some faith in it's stability due to this problem... 
> thanks
> 
> 
> 
> fourthirtysix wrote:
>> I'm getting errors when i try to decrypt multiple files at the same time
>> with --decrypt-files. When I do files individually, they seem to decrypt
>> fine. When I do multiple files, the first file decrypts fine, but all the
>> others give errors like this:
>>
>> gpg: encrypted with 2048-bit ELG-E key, ID 12345678, created 2007-01-01
>>   "John Smith <[EMAIL PROTECTED]>"
>> gpg: WARNING: multiple plaintexts seen
>> gpg: handle plaintext failed: unexpected data
>>
>> I'm using gpg (GnuPG) 1.4.6 on Ubuntu 7.10 and this error is occuring on
>> two different computers using the same keys.
>>
>> Please help! I don't want to have to decrypt one at a time!
>>
>> Thanks
>>
>>
>>
> 





Re: Problem interoperating with PGP Univeral?

2007-04-02 Thread Patrick Brunschwig
David Shaw wrote:
> On Sat, Mar 31, 2007 at 11:29:54PM +0200, Patrick Brunschwig wrote:
>> Blumenthal, Uri wrote:
>>> I am trying to get cleartext-signed PGP/MIME messages produced by PGP
>>> Universal 2.5.3, verified by email clients (Thunderbird-1.5.0.10 +
>>> Enigmail-0.94.2 + GPG-1.4.7).
>>>
>>> So far my experience is:
>>>
>>> - Pure plaintext (neither PGP/MIME nor PGP/Partitioned) messages are
>>> verified OK.
>>>
>>> - PGP/MIME encrypted and signed messages are decrypted and verified OK.
>>>
>>> - PGP/MIME or PGP/Partitioned messages (HTML body and/or attachments)
>>> fail signature verification, with error message from GPG:
>>>
>>>   Cleartext signature without data
>>>
>>> I've submitted help request to Enigmail list, but perhaps somebody here
>>> can advise me regarding this issue? Maybe there are settings at PGP
>>> Universal that should be changed to make its output "friendlier"? Or
>>> maybe there are GPG setting that would allow verification of those
>>> emails? 
>>>
>>> I'll be grateful for any help!
>>>
>>> Thank you!
>> I can provide some more details on this. GnuPG 1.4.7 returns with this
>> error message "gpg: can't handle this ambiguous signature data".
>>
>> This is the detached signature that comes with such a message:
>>
>> -BEGIN PGP SIGNATURE-
>> Version: PGP Universal 2.5.3
>>
>> qANQR1DEDQMBAhH9zteyosL+MwHCPwMFAUYL2iX9zteyosL+MxECC8QAnRhWP2Sx
>> Ex7VcRL+wBVB2C7lksYAAKCYHvRP7E8vA5jKNgigU0o4kbFn4w==
>> =lOCI
>> -END PGP SIGNATURE-
> 
> That's just a regular signature.  How does Enigmail call GPG to do the
> verification?
> 
> David


To be 100% clear: Uri has sent me the attached message msg-dump-bad.txt,
which I extracted to file.txt and file.txt.asc.

If I call gpg (1.4.7) with: "gpg --verify file.txt.asc file.txt"

I get: "gpg: can't handle this ambiguous signature data"

That's all the information I have. As far as I can tell, the message
itself looks perfectly fine.

-Patrick
X-Account-Key: account3
X-UIDL: UID26-1174947114
X-Mozilla-Status: 0001
X-Mozilla-Status2: 
Return-path: <[EMAIL PROTECTED]>
Envelope-to: [EMAIL PROTECTED]
Delivery-date: Thu, 29 Mar 2007 10:24:19 -0500
Received: from wmout1.bear.com ([207.162.228.85]:31504)
by serv01.siteground172.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.63)
(envelope-from <[EMAIL PROTECTED]>)
id 1HWwU7-0001uq-5a
for [EMAIL PROTECTED]; Thu, 29 Mar 2007 10:24:19 -0500
Received: from pwepgp1.bear.com ([207.162.228.88])
  by wmout1.bear.com with ESMTP; 29 Mar 2007 11:24:21 -0400
Received: from wmout2.bear.com ([207.162.228.86])
  by pwepgp1.bear.com (PGP Universal service);
  Thu, 29 Mar 2007 11:24:21 -0400
X-PGP-Universal: processed;
by pwepgp1.bear.com on Thu, 29 Mar 2007 11:24:21 -0400
Received: from bearh2.bear.com ([207.162.228.214])
  by wmout2.bear.com with ESMTP; 29 Mar 2007 11:24:21 -0400
X-Bear-PGP: Process
Received: from bear.com (localhost [127.0.0.1])
by bearh2.bear.com (8.9.3/8.9.2) with SMTP id LAA13237;
Thu, 29 Mar 2007 11:23:43 -0400 (EDT)
Received: from whexchmb05.bsna.bsroot.bear.com ([147.107.87.130]) by 
pwhdtwexcbho01.bsna.bsroot.bear.com with Microsoft SMTPSVC(5.0.2195.6713);
 Thu, 29 Mar 2007 11:23:41 -0400
X-MimeOLE: Produced By Microsoft Exchange V6.0.6603.0
MIME-Version: 1.0
Subject: [PGP-signed] Attempt to send plaintext only
Date: Thu, 29 Mar 2007 11:23:38 -0400
Message-ID: <[EMAIL PROTECTED]>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: [PGP-signed] Attempt to send plaintext only
Thread-Index: AcdyFjcYbqJ8AwSPSBuZ4iF9Kcxs3Q==
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
X-OriginalArrivalTime: 29 Mar 2007 15:23:41.0688 (UTC) 
FILETIME=[3B86B780:01C77216]
X-PGP-Encoding-Version: 2.0.2
Content-Type: multipart/signed;
boundary="PGP_Universal_46D9C7F5_87BE5EA9_8D4C448C_636331FE";
protocol="application/pgp-signature";
micalg="pgp-sha1"


--PGP_Universal_46D9C7F5_87BE5EA9_8D4C448C_636331FE
content-class: urn:content-classes:message
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Yes,

Thank you!
--
Regards,
Uri Blumenthal



--PGP_Universal_46D9C7F5_87BE5EA9_8D4C448C_636331FE
Content-Type: application/pgp-signature;
x-mac-type=70674453;
name=PGP.sig
Content-Disposition: attachment; filename=PGP.sig

-BEGIN PGP SIGNATURE-
Version: PGP Universal 2.5.3

qANQR1DEDQMBAhH9zteyosL+MwHCPwMFAUYL2iX9zteyosL+MxECC8QAnRhWP2Sx
Ex7VcRL+wBVB2C7lksYAAKCYHvRP7E8vA5jKNgig

Re: Problem interoperating with PGP Univeral?

2007-03-31 Thread Patrick Brunschwig
Blumenthal, Uri wrote:
> I am trying to get cleartext-signed PGP/MIME messages produced by PGP
> Universal 2.5.3, verified by email clients (Thunderbird-1.5.0.10 +
> Enigmail-0.94.2 + GPG-1.4.7).
> 
> So far my experience is:
> 
> - Pure plaintext (neither PGP/MIME nor PGP/Partitioned) messages are
> verified OK.
> 
> - PGP/MIME encrypted and signed messages are decrypted and verified OK.
> 
> - PGP/MIME or PGP/Partitioned messages (HTML body and/or attachments)
> fail signature verification, with error message from GPG:
> 
>   Cleartext signature without data
> 
> I've submitted help request to Enigmail list, but perhaps somebody here
> can advise me regarding this issue? Maybe there are settings at PGP
> Universal that should be changed to make its output "friendlier"? Or
> maybe there are GPG setting that would allow verification of those
> emails? 
> 
> I'll be grateful for any help!
> 
> Thank you!

I can provide some more details on this. GnuPG 1.4.7 returns with this
error message "gpg: can't handle this ambiguous signature data".

This is the detached signature that comes with such a message:

-BEGIN PGP SIGNATURE-
Version: PGP Universal 2.5.3

qANQR1DEDQMBAhH9zteyosL+MwHCPwMFAUYL2iX9zteyosL+MxECC8QAnRhWP2Sx
Ex7VcRL+wBVB2C7lksYAAKCYHvRP7E8vA5jKNgigU0o4kbFn4w==
=lOCI
-END PGP SIGNATURE-

-Patrick




Re: GnuPG incompatible with windows-vista ?

2007-03-14 Thread Patrick Brunschwig
Werner Koch wrote:
> On Wed, 14 Mar 2007 03:41, [EMAIL PROTECTED] said:
> 
>> If anyone is building on Vista (or building elsewhere but using it on
>> Vista), try this patch.
> 
> I have build a version with that patch.  The upx packed gpg.exe binary
> is available at:
> 
>  ftp://ftp.g10code.com/g10code/scratch/gpg.exe
> 
> $ sha1sum gpg.exe
> 9dbde44dc9275e2b4918839c7a789040dda0a64b  gpg.exe

I happen to have a Vista installation. I tried to download and upload
keys from hkp servers -- the patched version of gpg is working fine here :-)


-Patrick



Re: installed pinentry not found by gpg-agent/gpg2

2007-01-22 Thread Patrick Brunschwig
snowcrash+gnupg-users wrote:
> hi,
> 
> does it really need to be in /usr/bin?
> 
> as above, i've installed it purposefully in
> 
> % ls -al `which pinentry-qt`
>  -rwxr-xr-x 1 root admin 2245584 2007-01-21 11:29 /usr/local/bin/pinentry-qt
> 
> and, the symlink to it already exists,
> 
> % ls -al `which pinentry`
>  lrwxr-xr-x 1 root admin 11 2007-01-21 11:29 /usr/local/bin/pinentry
> -> pinentry-qt
> 
> and, i already have,
> 
> % grep pinentry gpg-agent.conf
>  pinentry-program /usr/local/bin/pinentry-qt

Does pinentry-qt work at all? Try to start pinentry-qt from the command
line, and if it starts type the following lines on the prompt:

SETDESC This is a test
GETPIN

-Patrick




Re: GnuPG ?Bineries? to USE PnuPG with Windows?

2006-12-21 Thread Patrick Brunschwig
Tom - Hwy101 wrote:
> Where are the 'Binaries' for Using PnuPG with Windows; AND, what do I do
> with to Use PnuPG
> with Thunderbird, Engimail Extension?  Thanks

You can get GnuPG from: ftp://ftp.no.gpg4win.org

After you have installed GnuPG, start Thunderbird with Enigmail
installed. It will usually find GnuPG automatically. Then, the easiest
way to get started is to use the Wizard which opens if you compose a new
message and click on the "PGP" icon.

-Patrick




Re: GnuPG: remotely controllable function pointer [CVE-2006-6235]

2006-12-09 Thread Patrick Brunschwig
Patrick Brunschwig wrote:
> Ludwig Hügelschäfer wrote:
>> Hi,
> 
>> Malte Gell wrote on 08.12.2006 14:19 Uhr:
> 
>>> Hm, GnuPG 1.4.5 (unpatched)/KMail 1.8.2 reports invalid signed
>>> message... Maybe my gpg.conf is messed or is this due to changes in
>>> gpg
>>>> 1.4.5? Thanx.
>> Enigmail didn't even indicate a signed message :-((
> 
> True yes. I have to find out why ...

Interesting ... I found that Werner's mails are PGP/MIME signed, with
micalg=sha1

However, according to RFC 3156, this is not valid; the parameter would
have to be as follows, and thus it's not recognized as valid by Enigmail:
micalg=pgp-sha1

Is there a new version of the RFC that I'm not aware of, or is it just a
bug of Werner's mail client? In general, is it a good idea to interpret
the RFC so strictly for this, or is it "better" to be a bit more relaxed?

-Patrick
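
The check Enigmail is making here, as an added example that is neither Enigmail's nor GnuPG's code: it validates a multipart/signed message's structure and its micalg parameter against RFC 3156, with a `strict` switch so the two interpretations asked about above (reject `micalg=sha1`, or accept it and normalise to `pgp-sha1`) can be compared on constructed messages. The sample messages carry placeholder signature bodies, so only the MIME layer is checked, not the signature itself.

```python
"""RFC 3156 check for a PGP/MIME (multipart/signed) message.

Added example; not Enigmail's or GnuPG's code. The messages are constructed
below with placeholder signature bodies, so this checks MIME structure and
the micalg parameter only, never the OpenPGP signature.
"""
import email
from email import policy

# Hash names RFC 3156 section 5 allows after the mandatory "pgp-" prefix.
RFC3156_MICALG = {
    "pgp-md5", "pgp-sha1", "pgp-ripemd160", "pgp-md2",
    "pgp-tiger192", "pgp-haval-5-160",
}


def check_pgp_mime_signed(raw, strict=True):
    """Return (ok, reason, micalg) for a raw RFC 822 message string.

    strict=True  rejects anything RFC 3156 does not allow, which is the
                 behaviour in the thread (micalg=sha1 is not recognised).
    strict=False accepts a bare hash name and reports the normalised value;
                 this widens what the verifier is willing to treat as signed.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/signed":
        return False, "not multipart/signed", None
    if msg.get_param("protocol") != "application/pgp-signature":
        return False, "protocol is not application/pgp-signature", None
    parts = msg.get_payload()
    if not isinstance(parts, list) or len(parts) != 2:
        return False, "multipart/signed needs exactly two body parts", None
    if parts[1].get_content_type() != "application/pgp-signature":
        return False, "second part is not application/pgp-signature", None
    micalg = msg.get_param("micalg")
    if micalg is None:
        return False, "micalg parameter missing", None
    if micalg in RFC3156_MICALG:
        return True, "conforms to RFC 3156", micalg
    relaxed = "pgp-" + micalg.lower()
    if not strict and relaxed in RFC3156_MICALG:
        return True, "non-conforming micalg accepted and normalised", relaxed
    return False, "micalg %r is not allowed by RFC 3156" % micalg, micalg


def make_signed(micalg):
    """Constructed PGP/MIME signed message; the signature part is a placeholder."""
    return (
        "From: alice@example.org\n"
        "To: bob@example.org\n"
        "MIME-Version: 1.0\n"
        "Content-Type: multipart/signed; boundary=\"b1\";\n"
        "\tprotocol=\"application/pgp-signature\";\n"
        "\tmicalg=\"%s\"\n"
        "\n"
        "--b1\n"
        "Content-Type: text/plain; charset=us-ascii\n"
        "\n"
        "Hello Bob\n"
        "--b1\n"
        "Content-Type: application/pgp-signature; name=signature.asc\n"
        "\n"
        "-----BEGIN PGP SIGNATURE-----\n"
        "PLACEHOLDER-NOT-A-REAL-SIGNATURE\n"
        "-----END PGP SIGNATURE-----\n"
        "--b1--\n"
    ) % micalg


if __name__ == "__main__":
    for alg in ("pgp-sha1", "sha1"):
        for strict in (True, False):
            print(alg, "strict" if strict else "relaxed",
                  check_pgp_mime_signed(make_signed(alg), strict))
```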



