LAST CALL: Invitation to the 8th OpenPGP Email Summit
On behalf of the Wau Holland Stiftung, I'm happy to invite you to the 8th OpenPGP Email Summit which will take place:

Friday, June 7 & Saturday, June 8 2024
in Dietzenbach near Frankfurt, at the Hotel Sonnenhof

If you plan to attend the event, then *please add yourself* to the cryptpad until *May 30, 2024* latest:
https://cryptpad.fr/sheet/#/2/sheet/edit/eSLKf+dpna9ZSmDLeLiWeMFh/

SCHEDULE OVERVIEW
=================

Hacking Day: Thursday, June 6, 2024
Main Event: Friday June 7 & Saturday June 8, 2024

REGISTRATION & EVENT DETAILS

All details including the agenda are available on the web site:
https://wiki.gnupg.org/OpenPGPEmailSummit202406

ABOUT THE OpenPGP EMAIL SUMMIT
==============================

This is an event open for anybody involved in the development of email clients using OpenPGP for encryption, and related software.

We already had 7 OpenPGP Email Summits at various locations in Europe. These are meetings by technical experts of projects and tools dealing with OpenPGP with a focus on email encryption. The goals are to better get to know each other, and to discuss and work on issues that hopefully improve certain aspects of OpenPGP-based email encryption. For details, see
https://wiki.gnupg.org/OpenPGPEmailSummit202406

Looking forward to meeting you in Dietzenbach
-Patrick

--
Wau-Holland-Stiftung
Zeiseweg 9
22765 Hamburg/Germany
http://www.wauland.de

signature.asc
Description: OpenPGP digital signature

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Invitation to the 8th OpenPGP Email Summit
On behalf of the Wau Holland Stiftung, I'm happy to invite you to the 8th OpenPGP Email Summit which will take place:

Friday, June 7 & Saturday, June 8 2024
in Dietzenbach near Frankfurt, at the Hotel Sonnenhof

SCHEDULE OVERVIEW
=================

Hacking Day: Thursday, June 6, 2024
Main Event: Friday June 7 & Saturday June 8, 2024

REGISTRATION & EVENT DETAILS

All details including the agenda are available on the web site:
https://wiki.gnupg.org/OpenPGPEmailSummit202406

ABOUT THE OpenPGP EMAIL SUMMIT
==============================

This is an event open for anybody involved in the development of email clients using OpenPGP for encryption, and related software.

We already had 7 OpenPGP Email Summits at various locations in Europe. These are meetings by technical experts of projects and tools dealing with OpenPGP with a focus on email encryption. The goals are to better get to know each other, and to discuss and work on issues that hopefully improve certain aspects of OpenPGP-based email encryption. For details, see
https://wiki.gnupg.org/OpenPGPEmailSummit202406

Looking forward to meeting you in Dietzenbach
-Patrick

--
Wau-Holland-Stiftung
Zeiseweg 9
22765 Hamburg/Germany
http://www.wauland.de

Request for Comment: keys.openpgp.org Organization
This is a cross-post to openpgp-em...@enigmail.net, gnupg-users@gnupg.org, autocr...@lists.mayfirst.org and open...@ietf.org. Please reply to openpgp-em...@enigmail.net

During the last OpenPGP Email Summit[1] we agreed that we would like to transition the keyserver on keys.openpgp.org (KOO) from a one-person show into an open community project. Vincent, Lars, dkg and I volunteered to form a Bootstrapping Committee that would propose a new structure and governing rules for this community by end of July.

I'm very happy to announce today that we completed this task ahead of time. We have prepared a proposal for a constitution, together with several supporting documents, and would now like to invite everyone interested in OpenPGP for feedback to our proposals.

Please provide your feedback until Aug. 21, 2022 on the OpenPGP Summit Email list (openpgp-em...@enigmail.net).

Below is a summary of the proposed constitution. The complete constitution and all supporting documents can be found on Gitlab:
https://gitlab.com/hagrid-keyserver/bootstrap-committee/-/tree/main

We are planning to set up the organization according to the following schedule (under the assumption that the feedback is such that the schedule is feasible):

1. Comment period for the constitution: until Aug. 21, 2022
2. Publish first version of constitution: 1w later
3. Invitation for voting body +4w
4. First election of the board +2w
5. Publish election results +3d
6. Install 1st Board

We agreed that Patrick will be responsible for the complete process.

Summary of the keys.openpgp.org Constitution

High Level Summary
------------------

keys.openpgp.org (KOO) is a service providing a verifying key server to the OpenPGP ecosystem. The service is operated by the operations team as guided by the Board. The Board is elected by the Voting Body, which is formed by individuals that are active in the OpenPGP ecosystem.

The Board
---------

The Board offers advice, guidance, and support to the operations team, and helps ensure the ongoing operation of the KOO service. If and when the KOO organization gets funds, the Board decides how to spend them.

The Board consists of 3-5 individuals. Board members are elected for a 1-year term, and may be on the Board for up to 3 years in a row. Board votes are decided by simple majority, except when replacing the whole operations team, which must be a unanimous vote by all members.

The Board nominates one of its members as secretary. The secretary takes meeting minutes and organizes the next election. Board meeting minutes are published.

The Board takes care of KOO Enhancement Proposals (KEP) that may be submitted by any voting member. Any KEP requires adoption by at least one Board member in order to be considered by the Board. The Board may approve or reject any KEP under consideration, or may ask the KEP author for revisions before re-consideration.

Board members self-nominate themselves via a public mailing list. Elected members are asked to ensure that no organization or affiliation is over-represented in the Board.

The Voting Body
---------------

The voting body serves to elect the Board Members. It consists of voting members. Eligible for membership are all those individuals who use OpenPGP, implement it, provide services to help use it, produce documentation, provide training, etc.

Voting members are nominated by existing members and approved by the Board. Membership expires after 3 years of inactivity (defined by participating in the votes and elections).

Membership in the initial voting body is open to anyone who has attended any of the past OpenPGP E-mail Summits[2]. This only applies to the election of the first Board.

The Operations Team
-------------------

The operations team maintains the Hagrid software, and operates the servers providing the service of the key server. It has final say in how the software works, and how the service is provided.

The operations team reports on their activities to the Board and the public. The operations team is self-organized, except for the right of the Board to replace the operations team entirely.

Initial Formation of the KOO Organization
-----------------------------------------

The KOO Bootstrap Committee will organize the process to establish the KOO organization as follows:

1. Request for feedback from the OpenPGP community (public announcement).
2. Incorporate the community feedback and publish the 1st KOO Constitution.
3. Invite attendees of the past OpenPGP E-mail Summits to join the Voting Body.
4. Organize the election of the first Board.
5. The constitution is considered ratified once the 1st elected Board is installed.

In order to ensure continuity, 2 of the 5 initial Board members will have a term limit of max. 2 years.

Voting Process
--------------

Voting and elections are done publicly and are attributable. Votes for Board elections are done by signed commits via merge requests on a

Re: Looking for new Maintainer for gpgOSX
I'm happy to announce that Ralph Seichter has taken over the lead for gpgOSX. Ralph already started to work on the code, and I transferred the ownership of the project to him.

Many thanks to Ralph for taking over so quickly!

-Patrick

Patrick Brunschwig wrote on 26.06.2022 18:12:
> gpgOSX is a free pre-packaged install-able distribution of standard
> GnuPG 2.x for macOS. I am maintaining it since the release of GnuPG
> 2.1.0 back in 2014.
>
> As many of you know, I'm also maintaining Enigmail. Since OpenPGP
> support is part of Thunderbird, my involvement with Enigmail has reduced
> a lot, and so has my involvement with GnuPG. Furthermore, I don't have a
> Mac anymore, and it has become more and more difficult and cumbersome to
> continue maintaining and building gpgOSX. I am therefore looking for
> someone who would want to step in and take over the project.
>
> If you're interested, then please get in touch with me.
>
> Thanks,
> Patrick

Looking for new Maintainer for gpgOSX
gpgOSX is a free pre-packaged install-able distribution of standard GnuPG 2.x for macOS. I am maintaining it since the release of GnuPG 2.1.0 back in 2014.

As many of you know, I'm also maintaining Enigmail. Since OpenPGP support is part of Thunderbird, my involvement with Enigmail has reduced a lot, and so has my involvement with GnuPG. Furthermore, I don't have a Mac anymore, and it has become more and more difficult and cumbersome to continue maintaining and building gpgOSX. I am therefore looking for someone who would want to step in and take over the project.

If you're interested, then please get in touch with me.

Thanks,
Patrick

Re: [openpgp-email] Invitation to the 6th OpenPGP Email Summit
The OpenPGP Email Summit will start in 12 days. If you want to attend, then please add your name to the following Cryptpad, such that we can plan for food, drinks etc.

https://cryptpad.fr/pad/#/2/pad/edit/EtMIfWF2q6qP+c3iv8qNH+x0/

See you soon!
-Patrick

Patrick Brunschwig wrote on 18.04.2022 11:43:
> I'm happy to announce the 6th OpenPGP Email Summit which will take place
>
> Friday, May 27 & Saturday, May 28, 2022
> in Geneva (Switzerland) at the offices of Proton AG
> (the company behind ProtonMail and OpenPGP.js)
>
> For those who are interested in chatting, hacking or starting
> discussions prior to the "real" summit, there is the option to already
> meet on Thursday, May 26.
>
> REGISTRATION
>
> If you want to attend, please add yourself to the following cryptpad:
> https://cryptpad.fr/pad/#/2/pad/edit/EtMIfWF2q6qP+c3iv8qNH+x0/
>
> If you need funding for your travel/hotel expenses, then please get
> in contact with me.
>
>
> ABOUT THE OpenPGP EMAIL SUMMIT
> ==============================
>
> This is an event open for anybody involved in the development of email
> clients using OpenPGP for encryption, and related software.
>
> We already had 5 OpenPGP Email Summits at various locations in Europe.
> These are meetings by technical experts of projects and tools dealing
> with OpenPGP with a focus on email encryption. The goals are to better
> get to know each other, and to discuss and work on several technical
> issues that hopefully improve certain aspects of OpenPGP-based email
> encryption. For details, see
> https://wiki.gnupg.org/OpenPGPEmailSummits
>
>
> NOTES
> =====
> This is a meeting of those who develop software. Thus, we will have a
> lot of tech talk about key servers, key exchange, subject encryption,
> password recovery, etc.
>
> Thus, feel free to join us if you are working in the area of
> - TECHNICAL DETAILS
> - for SENDING or PROCESSING ENCRYPTED EMAILS
> - with OpenPGP
> - in a project or product.
>
> Note that this is neither a well-organized conference nor a commercial
> meeting. The agenda will be driven by the attendees. Anyone may propose
> any topic for discussion, as long as he/she is ready to lead the discussion.
>
> More details are available on the web site:
> https://wiki.gnupg.org/OpenPGPEmailSummit202205
>
>
> Looking forward to meeting you in Geneva
> -Patrick

Invitation to the 6th OpenPGP Email Summit
I'm happy to announce the 6th OpenPGP Email Summit which will take place

Friday, May 27 & Saturday, May 28, 2022
in Geneva (Switzerland) at the offices of Proton AG
(the company behind ProtonMail and OpenPGP.js)

For those who are interested in chatting, hacking or starting discussions prior to the "real" summit, there is the option to already meet on Thursday, May 26.

REGISTRATION

If you want to attend, please add yourself to the following cryptpad:
https://cryptpad.fr/pad/#/2/pad/edit/EtMIfWF2q6qP+c3iv8qNH+x0/

If you need funding for your travel/hotel expenses, then please get in contact with me.

ABOUT THE OpenPGP EMAIL SUMMIT
==============================

This is an event open for anybody involved in the development of email clients using OpenPGP for encryption, and related software.

We already had 5 OpenPGP Email Summits at various locations in Europe. These are meetings by technical experts of projects and tools dealing with OpenPGP with a focus on email encryption. The goals are to better get to know each other, and to discuss and work on several technical issues that hopefully improve certain aspects of OpenPGP-based email encryption. For details, see
https://wiki.gnupg.org/OpenPGPEmailSummits

NOTES
=====

This is a meeting of those who develop software. Thus, we will have a lot of tech talk about key servers, key exchange, subject encryption, password recovery, etc.

Thus, feel free to join us if you are working in the area of
- TECHNICAL DETAILS
- for SENDING or PROCESSING ENCRYPTED EMAILS
- with OpenPGP
- in a project or product.

Note that this is neither a well-organized conference nor a commercial meeting. The agenda will be driven by the attendees. Anyone may propose any topic for discussion, as long as he/she is ready to lead the discussion.

More details are available on the web site:
https://wiki.gnupg.org/OpenPGPEmailSummit202205

Looking forward to meeting you in Geneva
-Patrick

--
Patrick Brunschwig
mailto:patr...@enigmail.net
PGP fingerprint: 4F9F 89F5 505A C1D1 A260 631C DB11 87B9 DD5F 693B

GpgOSX for Apple Silicon
I have created a first version of GpgOSX 2.2.25 for the new Apple Silicon architecture (ARM processor). However, I don't have a machine to test my build, thus I can't verify if it works.

Therefore, if someone has access to an ARM-based Mac, then please get in touch with me.

Thanks,
Patrick

Re: Thunderbird / Enigmail / Autocrypt
If you think about using the current stable version of Thunderbird (version 78), then there is no Enigmail and no Autocrypt. OpenPGP has been implemented directly in Thunderbird, but there is currently no Autocrypt support in Thunderbird.

-Patrick

Daniel Bossert via Gnupg-users wrote on 20.11.2020 10:23:
> Hello all
>
> How secure is it to use Thunderbird with Autocrypt? I use Sylpheed at the
> moment, but it is not that comfortable to use as Thunderbird.
> Also, when I send an email, the signature will be shown instead like with
> Thunderbird just an info that the mail is signed
>
> Do you have some inputs?
>
> Regards
> Daniel

agent_genkey failed: Invalid flag
A user of Enigmail tried to create a key using the following command:

/usr/bin/gpg2 --charset utf-8 --display-charset utf-8 \
  --no-auto-check-trustdb --batch --no-tty --no-verbose --status-fd 2 \
  --gen-key

%echo Generating key
Key-Type: EDDSA
Key-Curve: Ed25519
Key-Usage: sign
Subkey-Type: ECDH
Subkey-Curve: Curve25519
Subkey-Usage: encrypt
Name-Real: [name]
Name-Email: [email]
Expire-Date: 1825

gpg reports the following error:

gpg: agent_genkey failed: Invalid flag
gpg: key generation failed: Invalid flag
[GNUPG:] ERROR key_generate 16777288
[GNUPG:] KEY_NOT_CREATED

Any idea what could be wrong here?

-Patrick

Re: Exchange between multiple OpenPGP implementations
Peter Lebbing wrote on 31.05.2020 11:07:
> Hi,
>
> On 31/05/2020 10:01, Patrick Brunschwig wrote:
>> The only "problem" might be that you have different keys on different
>> key rings. But this is not necessarily a problem - you use different
>> keys for different purposes and you can import and export the keys
>> between the tools if needed.
>
> Does the new TB implementation support TOFU? If so, you lose your TOFU
> historical data and identity assertions when you would export/import to
> a different OpenPGP implementation. That'd be a shame. Maybe there's a
> need for a standardised interchange format for that.

TB chose (unfortunately in my eyes) to currently only support explicit trust using their own trust handling. I hope that future versions will support other methods.

-Patrick

Re: Certified OpenPGP-encryption after release of Thunderbird 78
Andreas Boehlk Computer-Service wrote on 31.05.2020 11:09:
> Hello Patrick,
>
>
> On 31.05.2020 at 10:01, Patrick Brunschwig wrote:
>> Mark wrote on 31.05.2020 01:28:
>>> Doesn't TB also need your secret keys to decrypt messages?
>>
>> With smartcard support via GnuPG, all secret key operations are handled
>> by GnuPG, and all public key operations are handled by TB (Note: the
>> standard case, without smartcard support, will be that all keys are in
>> Thunderbird).
>>
>> The use-cases are clearly distinct:
>> - encryption: you only need public keys
>> - decryption: you only need secret keys
>> - signing: you only need secret keys
>> - verification: you only need public keys
>>
> The standard user will not be able to work with that "solution".
> Compared to the "enigmail-solution" this is the hell and bound to fail.

Let's first define Standard users. The majority of users who use smartcards that *I* know are expert or power users. They can handle this.

The "Standard users" I have in mind don't use GnuPG for anything else than encrypting mails, and they don't use smartcards either. They won't have this issue in any way.

>>> Also what if you need your public keys outside of TB such as encrypting
>>> a file?
>>
>> That's not supported by Thunderbird. The idea of OpenPGP in Thunderbird
>> is that you use it for email.
>>
> That is correct, but nevertheless it is mandatory to have and use a
> single key-store.

For which use-case precisely? If you only use OpenPGP for emails (and given the users I know who had support cases in the past, this is true for the majority of the Enigmail users), then this is irrelevant.

To be quite clear: Thunderbird will not support GnuPG for scenarios other than handling secret keys. And that's only because the OpenPGP library they use can't handle smartcards yet. Once the library will support smartcards, I expect that GnuPG support will be removed entirely.

Note: I'm not a Thunderbird developer and I don't drive Thunderbird decisions -- this is simply my expectation of what will happen.

-Patrick

Re: Certified OpenPGP-encryption after release of Thunderbird 78
Mark wrote on 31.05.2020 01:28:
> Doesn't TB also need your secret keys to decrypt messages?

With smartcard support via GnuPG, all secret key operations are handled by GnuPG, and all public key operations are handled by TB (Note: the standard case, without smartcard support, will be that all keys are in Thunderbird).

The use-cases are clearly distinct:
- encryption: you only need public keys
- decryption: you only need secret keys
- signing: you only need secret keys
- verification: you only need public keys

> Also what if you need your public keys outside of TB such as encrypting
> a file?

That's not supported by Thunderbird. The idea of OpenPGP in Thunderbird is that you use it for email.

> The reason I'm asking is that awhile ago I posted about unknown files in
> my GNUPG directory. PAPubring.gpg and PAsecring.gpg. I eventually found
> out those are key rings used by a program I have called Power Archiver.
> I'm not sure why it has it own set of keys, still awaiting an
> explanation from support. If every app is not using the same pair of key
> rings (and there is no synchronization between them) could that not lead
> to problems?

The only "problem" might be that you have different keys on different key rings. But this is not necessarily a problem - you use different keys for different purposes and you can import and export the keys between the tools if needed.

-Patrick

> On 5/30/2020 12:57 PM, Patrick Brunschwig wrote:
>> Mark wrote on 30.05.2020 20:54:
>>> So then do you have multiple pairs of key rings? One pair for TB78 and
>>> its built in PGP and another pair as part of GNUPG?
>> Not exactly. You have your secret keys with GnuPG, and your public keys
>> with Thunderbird. No synchronization required.
>>
>> -Patrick
>>> If so how do you keep them synchronized?
>>>
>>> On 5/30/2020 9:17 AM, Patrick Brunschwig wrote:
>>>> Robert J. Hansen wrote on 30.05.2020 01:07:
>>>>>> If TB 78 is going to have native support of openGPG encryption, then the
>>>>>> original person in the thread should be able to export all of the keys
>>>>>> in their key rings, and import all of those keys into TB 78, or am I
>>>>>> missing one of the gotchas with
>>>>>> TB 78 and its openGPG encryption support.
>>>>> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
>>>>> even import a key*."
>>>> I'm sorry, but that is simply not true. There is a known bug in the
>>>> library used by Thunderbird (RNP) that leads to crashes when importing
>>>> _certain_ keys. But I succeeded in importing all of my keys without any
>>>> problems (more than 1.000), except for 5 V3-keys. I can definitely say
>>>> that it's not just broken, and it can import keys.
>>>>
>>>>> I'm not kidding. It is so far from complete that Kai Englert, who leads
>>>>> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
>>>>> TB until version 78.2, or about a three-month delay.
>>>> Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_
>>>> but users may still enable it manually.
>>>>
>>>>> At present, as of -Beta3, TB78's OpenPGP support is badly broken.
>>>> No, it's incomplete - work in progress. That's not quite the same.
>>>>
>>>> -Patrick

Re: Certified OpenPGP-encryption after release of Thunderbird 78
Mark wrote on 30.05.2020 20:54:
> So then do you have multiple pairs of key rings? One pair for TB78 and
> its built in PGP and another pair as part of GNUPG?

Not exactly. You have your secret keys with GnuPG, and your public keys with Thunderbird. No synchronization required.

-Patrick

>
> If so how do you keep them synchronized?
>
> On 5/30/2020 9:17 AM, Patrick Brunschwig wrote:
>> Robert J. Hansen wrote on 30.05.2020 01:07:
>>>> If TB 78 is going to have native support of openGPG encryption, then the
>>>> original person in the thread should be able to export all of the keys
>>>> in their key rings, and import all of those keys into TB 78, or am I
>>>> missing one of the gotchas with
>>>> TB 78 and its openGPG encryption support.
>>> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
>>> even import a key*."
>> I'm sorry, but that is simply not true. There is a known bug in the
>> library used by Thunderbird (RNP) that leads to crashes when importing
>> _certain_ keys. But I succeeded in importing all of my keys without any
>> problems (more than 1.000), except for 5 V3-keys. I can definitely say
>> that it's not just broken, and it can import keys.
>>
>>> I'm not kidding. It is so far from complete that Kai Englert, who leads
>>> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
>>> TB until version 78.2, or about a three-month delay.
>> Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_
>> but users may still enable it manually.
>>
>>> At present, as of -Beta3, TB78's OpenPGP support is badly broken.
>> No, it's incomplete - work in progress. That's not quite the same.
>>
>> -Patrick

Re: Certified OpenPGP-encryption after release of Thunderbird 78
Robert J. Hansen wrote on 30.05.2020 01:07:
>> If TB 78 is going to have native support of openGPG encryption, then the
>> original person in the thread should be able to export all of the keys
>> in their key rings, and import all of those keys into TB 78, or am I
>> missing one of the gotchas with
>> TB 78 and its openGPG encryption support.
>
> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
> even import a key*."

I'm sorry, but that is simply not true. There is a known bug in the library used by Thunderbird (RNP) that leads to crashes when importing _certain_ keys. But I succeeded in importing all of my keys without any problems (more than 1.000), except for 5 V3-keys. I can definitely say that it's not just broken, and it can import keys.

> I'm not kidding. It is so far from complete that Kai Englert, who leads
> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
> TB until version 78.2, or about a three-month delay.

Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_ but users may still enable it manually.

> At present, as of -Beta3, TB78's OpenPGP support is badly broken.

No, it's incomplete - work in progress. That's not quite the same.

-Patrick

Re: Certified OpenPGP-encryption after release of Thunderbird 78
Robert J. Hansen wrote on 30.05.2020 01:26:
>> 1. Will key management and crypto happen in the same process as
>> IMAP/POP/SMTP, GUI, JavaScript and everything else? If so - do you
>> believe it's acceptable?
>
> It should be an easy learning curve for Enigmail users. That isn't the
> same as finding it acceptable, though.
>
> Back in the mid-'90s PGP came out with a GUI for PGP 5, and it's
> universally agreed that user interface was horrific. (See "Why Johnny
> Can't Encrypt" for a detailed teardown.) The problem was that this
> horrific user interface became the standard user interface, and most
> OpenPGP key managers ever since have adopted it. Those that haven't
> adopted it, nobody uses, because their UI is so different than
> everything else.
>
>> 2. Is there any real plan to have working smartcard support in the
>> near future?
>
> No. There's some talk about supporting it, but as far as I know there's
> no plan to do it. It's still at the "you know, it'd be kind of nice
> if..." stage, not the "we really should do this" stage.

The plan is to support smartcards (by using GnuPG for private key operations). This is already working partially, and is foreseen to be available in TB 78.

-Patrick

Re: Should gpg try to connect to TCP/993?
Bjarni Runar Einarsson wrote on 23.10.2019 21:35:
[...]
>>> Each active TCP/IP connection has an open file descriptor. So, if
>>> Enigmail's gpg launcher hasn't taken care to close unneeded file
>>> descriptors after fork() and before exec()
> [...]
>> Should the `Enigmail's gpg launcher` take care of that? Maybe
>> is a bug or something?
>
> IMO, yes, if this is what is going on it is almost certainly a
> bug. Whatever code is calling exec() should be closing file
> descriptors first. Not doing so can lead to all sorts of wasted
> resources and even deadlocks if processes depend on file
> descriptors getting properly closed in a timely fashion.

Your guess is perfectly right, that's exactly what happens. Enigmail uses a standard library provided by Mozilla for add-ons to execute processes. Earlier versions of the library did close all file descriptors correctly. But the library is written in JavaScript, and closing all file descriptors could sometimes lead to Thunderbird/Firefox crashes. Therefore that part has been disabled.

It's therefore not surprising to see such open connections from gpg processes, but I don't consider this bad.

-Patrick

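The descriptor inheritance discussed in this thread, as an added example that is not part of the original messages and is not Enigmail's or Mozilla's code: a launcher that forks and execs a helper while holding an open socket, compared with closing descriptors in the child and with marking the socket close-on-exec. The function names, the local socketpair standing in for the mail client's IMAP connection and the /bin/sh helper are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical launcher variants (names are illustrative only). */
enum launch_mode {
    LAUNCH_NAIVE,     /* fork + exec, nothing closed: the behaviour discussed */
    LAUNCH_CLOSE_FDS, /* child closes everything above stderr before exec */
    LAUNCH_CLOEXEC    /* parent marks the socket close-on-exec */
};

/* Close every descriptor above stderr. Runs in the child, after fork(). */
static void close_inherited_fds(void)
{
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || max > 65536)
        max = 65536; /* bound the loop when the limit is huge or unknown */
    for (int fd = 3; fd < max; fd++)
        close(fd);
}

/* Opens a stand-in "connection" (constructed: a local socketpair, no
 * network), launches a helper the given way and reports whether the helper
 * could still use the connection's descriptor.
 * Returns 1 if the descriptor leaked into the helper, 0 if it did not,
 * -1 on a setup error. */
int fd_leaks_to_child(enum launch_mode mode)
{
    int sv[2];
    char script[32];
    int status;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    /* Portable sh only accepts a single digit in ">&N". */
    if (sv[0] > 9) {
        close(sv[0]); close(sv[1]);
        return -1;
    }
    if (mode == LAUNCH_CLOEXEC && fcntl(sv[0], F_SETFD, FD_CLOEXEC) == -1) {
        close(sv[0]); close(sv[1]);
        return -1;
    }
    /* The helper exits 0 only if descriptor N is open in its process;
     * otherwise the shell reports "Bad file descriptor" and exits non-zero. */
    snprintf(script, sizeof script, "true >&%d", sv[0]);

    pid_t pid = fork();
    if (pid < 0) {
        close(sv[0]); close(sv[1]);
        return -1;
    }
    if (pid == 0) {
        if (mode == LAUNCH_CLOSE_FDS)
            close_inherited_fds();
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127); /* exec itself failed */
    }
    close(sv[0]);
    close(sv[1]);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void)
{
    printf("naive launcher leaks fd:   %d\n", fd_leaks_to_child(LAUNCH_NAIVE));
    printf("close-all launcher leaks:  %d\n", fd_leaks_to_child(LAUNCH_CLOSE_FDS));
    printf("FD_CLOEXEC launcher leaks: %d\n", fd_leaks_to_child(LAUNCH_CLOEXEC));
    return 0;
}
```
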
Re: Future OpenPGP Support in Thunderbird
Jeff Allen via Gnupg-users wrote on 18.10.2019 16:02:
[...]
> My take on your original explanation of the reason for Enigmail's
> pending demise is that a changed Thunderbird plug-in scheme makes it
> more efficient to build Enigmail functionality into the MUA.

That's only the 2nd half of the explanation. 1st and foremost, the changed plugin scheme comes along with a completely new API (that does not even exist completely by now). This would require me to rewrite almost all of Enigmail from scratch. I don't have enough free time for doing that, nor would I be interested in it. This, and nothing else, was initially the reason why we started the discussion with the Thunderbird team.

> Why not stick with that and focus on what has made Enigmail
> successful?

What is the reason in your eyes that made Enigmail successful?

-Patrick

Re: Future OpenPGP Support in Thunderbird
Binarus wrote on 16.10.2019 17:37:
>
>
> On 16.10.2019 13:07, Patrick Brunschwig wrote:
>> worry for me. The main problem is the additional complexity that it
>> brings if you require an external component that you cannot *fully*
>> control. This covers topics like different behavior of different
>> versions, but also configuration issues, users rights to install
>> something on their PC and more. Gpgme may handle some of these issues,
>> but the fact remains: an external component makes things a lot more
>> complex, especially for support.
>
> I think this is the usual trade-off. One has to put time
>
> - either in understanding the APIs and command line parameters of a
> library / utility, and to keep up with changes, or
>
> - in re-inventing the wheel, which in this case for sure will cost much
> more time and eventually produce catastrophic security breaches and
> software which is drastically inferior compared to what we have now.
>
> After all, everybody uses libraries and utilities. It is just reasonable
> to have an expert work on a library or utility which uses techniques and
> mathematical stuff which non-specialists never will understand in
> detail, and have the non-specialists use that library or utility,
> instead of letting them re-develop the same stuff, probably introducing
> all sorts of security flaws and producing inferior software.
>
> When I have a bash script under Linux which invokes a compiler using a
> complicated command line, I wouldn't come to the idea to re-develop that
> compiler and integrate it directly into bash because that compiler's
> command line switches could change in the next version ...
>
> I am still convinced that re-writing GnuPG (including all functions like
> hardware tokens, subject encryption etc.) in a secure manner is a
> hundred times more complex and a million times more error-prone than
> tracking a few changes to its command line switches or error codes ever
> could be. Apart from that, there is GpgME, as already has been stated.

In all cases, we certainly won't re-write GnuPG or similar. The question on the table is: do we continue to use GnuPG (be it directly or via gpgme), or do we use a different OpenPGP implementation (and if yes which one). There are certainly good arguments for both.

-Patrick

Re: Future OpenPGP Support in Thunderbird
Werner Koch wrote on 16.10.2019 13:54:
> On Wed, 16 Oct 2019 13:07, Patrick Brunschwig said:
>
>> something on their PC and more. Gpgme may handle some of these issues,
>> but the fact remains: an external component makes things a lot more
>> complex, especially for support.
>
> Right GPGME handles this all pretty well and I have suggested often
> enough that you should move to GPGME so that we can better support
> Enigmail. Your comment about external components is right from a
> company POV; however Enigmail is also an external component to TB and
> thus TB suffers from very similar problem. GpgOL and GnuPG both are

Which is why the step to implement OpenPGP in Thunderbird is the right way to go.

> maintained by us and thus I know very well this helps to reduce
> friction.

We're getting slightly off-topic, but still: You're perfectly right with everything you say. But you seem to underestimate the difference between zipping an extension that is pure JavaScript, and preparing an extension that needs to contain compiled libraries for multiple platforms in order to cater for all variants of pre-installed GnuPG installations and all variations of Thunderbird installations (to be precise, at the very least I'd have to ship for 6 platforms: Win/mac/Linux * 32/64 bit).

Frankly speaking, if I would consider to switch to a library instead of calling GnuPG directly, I would at first evaluate OpenPGP.js in Enigmail -- that would be a lot more natural.

-Patrick
Re: Future OpenPGP Support in Thunderbird
Binarus wrote on 16.10.2019 10:47:
>
> On 14.10.2019 16:15, Jeff Allen via Gnupg-users wrote:
>>> I don't know either, but perhaps it is in the debug logs the Enigmail
>>> team analyzes?
>>
>> I have used Enigmail since its inception and have never knowingly
>> submitted a log or answered a survey and have always assumed Enigmail
>> does not phone home.
>
> I am sure that it doesn't phone home. However, to give an example, I had

You can be certain that I'd never implement that.

[...]
> I suppose that the Enigmail team gets quite a lot of such debug logs.
> But I still can't tell (and currently don't have the time to
> investigate) if those logs can tell which keys had been generated by
> Enigmail and which had been generated externally, so the whole thing was
> a guess anyway.

Yes, I did and do get quite a lot of debugging log files, and even more support requests. And I really speak from experience when I say that the vast majority of the users of Enigmail don't store their private keys on external devices.

[...]
> So why not take Enigmail, integrate it into TB, and bundle Gpg4Win setup
> with TB setup? All software they ever could develop themselves will be
> inferior compared to that package, at least in the first time.

I have almost 17 years of experience with supporting Enigmail. About 90% of all support requests that I get turn out to be setup issues with GnuPG. Interestingly, most of them are on Linux, even though all Linux distributions I know ship GnuPG.

The bundling/shipping would not be a worry for me. The main problem is the additional complexity that it brings if you require an external component that you cannot *fully* control. This covers topics like different behavior of different versions, but also configuration issues, users rights to install something on their PC and more. Gpgme may handle some of these issues, but the fact remains: an external component makes things a lot more complex, especially for support.

-Patrick
Re: Future OpenPGP Support in Thunderbird
Binarus wrote on 13.10.2019 18:27:
[...]
> 1) The schedule
>
> We have all been educated to update our applications (notably, "internet
> applications" like browser and email clients) as soon as updates are
> available; at least, this is true for security updates.
>
> Despite release plans, I think nobody knows for sure how much time
> actually will pass between TB 72's predecessor and TB 78, and how many
> security updates will be released between these versions.
>
> During that time, I either can't use Enigmail (if I decide to install
> the security updates), or I have to ignore the security updates
> (possibly putting me to risk).
>
> Did I understand this correctly?

The current stable version of Thunderbird is 68 (and 60 for a few more weeks); the next stable version will be 78. Users of Enigmail staying on the stable version of Thunderbird will receive all security updates until TB 78 will be available.

Thunderbird 69 ... 77 are only released as beta versions that are not intended for end users.

-Patrick
Re: Future OpenPGP Support in Thunderbird
Werner Koch via Gnupg-users wrote on 13.10.2019 11:56:
> On Sat, 12 Oct 2019 12:43, Chris Narkiewicz said:
>
>> Do you know why they resisted OpenPGP adoption so much?
>
> iirc, they said that they want to support only one protocol and settled
> for S/MIME. This still did not explain why they rejected our proposal
> to clean up their S/MIME code and implement missing stuff so that TB
> could be used for tasks of the German administrative and to be
> compatible with a wider range of S/MIME implementations. The plan was
> to do that all within TB and without external dependencies.

I think there are two reasons why TB changed their minds:

1. there are different people working on Thunderbird than years ago.

2. in the past, TB was a direct part of Mozilla. Now, Thunderbird is an independent organization under the umbrella of the Mozilla Foundation, with an independent council and their own independent financial income stream.

These two factors lead to a completely different mindset towards what is good for TB.

-Patrick
Re: Future OpenPGP Support in Thunderbird
BruderB wrote on 12.10.2019 10:43:
> Hej all,
>
> On 12.10.19 at 08:23, Robert J. Hansen wrote:
>> they're going to insist on running their own keyring internal to
>> Thunderbird which isn't shared with anything else. (I imagine
>> *importing* from a GnuPG keyring will be supported, but *sharing* a
>> keyring is right out.)
>
> _They_ can insist on whatever they want. If they close their shop
> towards external built keys (for example with xca), they hopefully won't
> find much acceptance.

The vast majority of users of Enigmail (somewhere around 98%) don't use external built keys. The vast majority of users also don't use GnuPG for anything else than email. These users don't care where their key is stored, nor which software under the hood is used for the crypto. All they care is that encryption works smoothly.

I'm sorry, but everything written here is pure speculation. We are still in the phase of considering our options. Depending on the chosen approach, we may just as well end up with something completely different than what you'd imagine.

The most important aspects from our side are the following: The chosen solution must run smoothly for the ~20M users of Thunderbird without causing a large amount of support/setup issues. We want to have something that satisfies as many users of Enigmail as possible. We certainly don't want to have people run away from Thunderbird because of OpenPGP.

-Patrick
Future OpenPGP Support in Thunderbird
The Thunderbird developers have announced that they will implement OpenPGP support in Thunderbird 78 [1]. Support for Thunderbird in Enigmail will therefore be discontinued.

I'd like to explain in the following paragraphs what this will mean for Enigmail, and why this is an inevitable step.

The Future of Enigmail
----------------------

I will continue to support and maintain Enigmail for Thunderbird 68 until 6 months after Thunderbird 78 will have been released (i.e. a few months beyond Thunderbird 68 EOL). Enigmail will not run anymore on Thunderbird 72 beta and newer.

Will this be the end of Enigmail? No! I will continue to maintain and support Enigmail for Postbox, which is running on a different release schedule than Thunderbird for the foreseeable future.

Why Is This Happening?
----------------------

The Mozilla developers have been and still are actively working on removing old code from their code base. This affects not only Thunderbird itself, but also add-ons. While it was possible for Thunderbird to keep old "legacy" add-ons alive for a certain time, the time has come for Thunderbird to stop supporting them [2].

Thunderbird 78 will no longer support the APIs that Enigmail requires and only allow new "WebExtensions". WebExtensions have a completely different API than classical add-ons, and a much reduced set of capabilities to hook into the user interface. For Enigmail to continue to work, it would therefore be required to rewrite it from scratch. However, that's beyond my available time limitations.

The Thunderbird developers and I have therefore agreed that it's much better to implement OpenPGP support directly in Thunderbird. The set of functionalities will be different than what Enigmail offers, and at least initially likely be less feature-rich. But in my eyes, this is by far outweighed by the fact that OpenPGP will be part of Thunderbird and no add-on and no third-party tool will be required.

-Patrick

[1] https://blog.mozilla.org/thunderbird/2019/10/thunderbird-enigmail-and-openpgp/
[2] https://groups.google.com/forum/#!topic/tb-planning/-E8Yw6POxEE
Re: Invitation to the 5th OpenPGP Email Summit
Up to now, I only got 12 replies. *Reminder: Please send me a mail if you plan to come* Thanks, Patrick On 18.06.2019 13:05, Patrick Brunschwig wrote: > I'm happy to announce the 5th OpenPGP Email Summit which will take place > > Saturday, October 12 until Sunday, October 13, 2019 > in Berlin (Germany) at the Onion Space. > > Last year, the idea came up that it would be nice if some of the topics > discussed could directly be prototyped. I have therefore booked the > Onion Space for Monday and Tuesday (October 14/15), such that those who > are interested can directly start working on their product. > > ABOUT THE OpenPGP EMAIL SUMMIT > == > > This is an event open for anybody involved in the development of email > clients using OpenPGP for encryption, and related software. > > We already had four OpenPGP Email Summits at various locations in > Europe. These are meetings by technical experts of projects and tools > dealing with OpenPGP with a focus on email encryption. The goals are to > better get to know each other, and to discuss and work on several > technical issues that hopefully improve certain aspects of OpenPGP-based > email encryption. For details, see > https://wiki.gnupg.org/OpenPGPEmailSummits > > > REGISTRATION > > If you want to attend, please *send an informal email* to: > patr...@enigmail.net > > Please let me know if you plan to stay on Monday and/or Tuesday. > > If you need funding for your travel/hotel expenses, then please get > in contact with me. > > > NOTES > = > This is a meeting of those who develop software. Thus, we will have a > lot of tech talk about key servers, key exchange, subject encryption, > password recovery, etc. If you just are interested in these topics as a > user, you probably will be bored to death . > > Thus, feel free to join us if you are working in the area of > - TECHNICAL DETAILS > - for SENDING or PROCESSING ENCRYPTED EMAILS > - with OpenPGP > - in a project or product. 
> > Note however, that due to capacity reasons we cannot have more > than 1-2 people from each project. We can host about 30 attendees. > > Note that this is still neither a well-organized conference nor a > commercial meeting. The agenda will be driven by the attendees. Anyone > may propose any topic for discussion, as long as he/she is ready to lead > the discussion. > > More details are/will be available on the web site: > https://wiki.gnupg.org/OpenPGPEmailSummit201910 > > > Looking forward to meeting you in Berlin > -Patrick signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Enigmail
On 31.07.2019 14:26, David wrote:
> Consider the fact that for 30 times Enigmail refused to accept the
> passphrase for da...@gbenet.com
>
> I decided to send an encrypted email to Erich. When selecting his
> private key there was no automatic tick in postmaster. But a tick in
> Erich's public key
>
> On sending I thought I was going to be asked for david's passphrase yet
> again - but no - the email passed very quickly.
>
> This begs the following questions:
>
> (1) Why is postmaster always selected as the default public key?
> (2) Why is it on failing 30 times to accept david's passphrase why does
> enigmail mysteriously remember it when it rejected 30 times?
>
> Answers on a postcard please

I start to believe that your expectation of what should happen differs from what actually happens.

The way things work in Enigmail are as follows: you select a *sender account* in the Thunderbird message composition window. Based on that sender account configuration (and nothing else), Enigmail decides which key to use for *signing* your message. Remember, the passphrase is needed for signing, not for encryption - it does not matter if Postmaster or Erich are in the recipients list.

If you get a dialog to choose the key(s) _after_ you hit the send button, then those are the keys to which the message is *encrypted* to. But again, you don't need a passphrase for any of these keys.

Thus, if you tell me that you expected to have to tick Postmaster in the dialog, then that won't let you choose the key for signing.

HTH
-Patrick
Re: Enigmail
On 31.07.2019 13:46, David wrote:
> Hello Erich,
>
> I did what you said - associated each email address with its own key.
> I then shut down Thunderbird re-started and carried out the following test:
>
> Test One:
>
> I sent an encrypted and signed email to site-admin from postmaster. I
> received the email - it took 6 attempts to decrypt it.
>
> I then decided to reply - so I sent an encrypted and signed email to
> postmaster - I was unable to sign as site-admin - after 9 attempts of
> entering the passphrase - each time rejected by Enigmail. I was unable
> to send a signed and encrypted email to postmaster.

I'm sorry, but there's a misunderstanding. Enigmail does /not/ query your passphrase. Enigmail calls GnuPG, and GnuPG asks for your passphrase if needed. If the passphrase is rejected that's not related to Enigmail.

-Patrick
Re: Enigmail
On 31.07.2019 08:56, David wrote:
> Patrick Brunschwig:
>> On 31.07.2019 00:36, David wrote:
>>> Andrew Gallagher:
>>>>
>>>>> On 30 Jul 2019, at 18:47, David wrote:
>>>>>
>>>>> Hello Stefan,
>>>>>
>>>>> I have three email accounts with their own keys - Enigmail does not
>>>>> support this - you have to have one key and that's it.
>>>>
>>>> That is simply not true. I used enigmail with multiple keys for years
>>>> without any issues. If you’re having issues configuring it, perhaps ask on
>>>> the enigmail list.
>>>>
>>>> A
>>>>
>>>
>>> I have done so - but have got no advice on the correct settings in
>>> Thunderbird or Enigmail.
>>
>> That's not true. I have asked you for more details on the Enigmail
>> mailing list. But instead of responding, you came here to ask the same
>> questions.
>>
>> As Enigmail uses GnuPG for any crypto-operations, I don't think that the
>> problem is in Enigmail, but in your setup. Feel free to answer my
>> questions on the Enigmail mailing list, and I'll continue to try to find
>> out what goes wrong.
>>
>> -Patrick
>>
>
> Hello Patrick,
>
> I did not approach this list for answers - I just asked if anyone knew
> of an alternative. I then got drawn in to what was the problem.
>
> People say "Oh your settings are wrong" But they FAIL to give the RIGHT
> SETTINGS!! And then go waffling on
>
> I have turned back the clock some 20 years - so have no settings to
> support further keys.
>
> Having said that - I would appreciate exactly what settings will work to
> enable me to sign with other emails and the public key associated with
> it and to be able to encrypt and sign with differing emails and keys.
>
> I want specific instructions - not moaning and groaning my settings are
> wrong and I don't know what I'm doing - that approach does not lead to a
> solution.

Here are the instructions:

1. Open the Thunderbird Account Settings (menu Tools > Account Settings)
2. switch to the tab "OpenPGP Security"
3. make sure that "Enable OpenPGP support" is checked
4. click on the button "Select key"
5. select the key that matches the email address of the account

Repeat Steps 2-5 for each and every of your accounts/email addresses.

If you follow(ed) these instructions, then everything else /should/ go automatically and you /should/ not have any issues. If you do have issues, then there are no simple instructions - we have to dig to find out what's wrong.

The questions I asked on the Enigmail mailing list are the 1st step into trying to find out why things don't work as expected, as I assumed that -- as a long-term user -- you already did configure Enigmail correctly.

-Patrick
Re: Enigmail
On 31.07.2019 00:36, David wrote:
> Andrew Gallagher:
>>
>>> On 30 Jul 2019, at 18:47, David wrote:
>>>
>>> Hello Stefan,
>>>
>>> I have three email accounts with their own keys - Enigmail does not
>>> support this - you have to have one key and that's it.
>>
>> That is simply not true. I used enigmail with multiple keys for years
>> without any issues. If you’re having issues configuring it, perhaps ask on
>> the enigmail list.
>>
>> A
>>
>
> I have done so - but have got no advice on the correct settings in
> Thunderbird or Enigmail.

That's not true. I have asked you for more details on the Enigmail mailing list. But instead of responding, you came here to ask the same questions.

As Enigmail uses GnuPG for any crypto-operations, I don't think that the problem is in Enigmail, but in your setup. Feel free to answer my questions on the Enigmail mailing list, and I'll continue to try to find out what goes wrong.

-Patrick
Re: Avoiding hardcoded paths when static-compiling
On 12.07.2019 21:21, Konstantin Ryabitsev wrote:
> Hi, all:
>
> I provide an RPM package called gnupg22-static for those who need to run
> newer versions of GnuPG on CentOS-7 environments (it's stuck on
> gnupg-2.0 there). For compilation, I use the convenient STATIC=1
> mechanism, but there's still the problem that all paths end up being
> hardcoded to the RPM buildroot environment.
>
> The full build command is:
> make -f build-aux/speedo.mk STATIC=1 CUSTOM_SWDB=1 INSTALL_PREFIX=.
> this-native
> In the RPM context, the INSTALL_PREFIX ends up being inside a buildroot
> location, like so:
>
> /builddir/build/BUILD/gnupg-2.2.17/
>
> However, the final installation of this will be in /opt/gnupg22, which
> means that if a binary needs to call another binary, it will try to
> execute /builddir/build/BUILD/gnupg-2.2.17/bin/foo (and fail).
>
> I can't set INSTALL_PREFIX=/opt/gnupg22, because that will make the RPM
> build fail (it cannot write outside of /builddir), so I need a way to
> tell the binaries during build time that their final install path will
> be different than the path used during build.
> I am able to use gpg and gpgv this way by setting agent-program and
> dirmngr-program config values, but trying to make this work with
> gpg-wks-server fails.
>
> Any pointers on how I can make this work without hardcoding bogus
> build-time paths?

I have the same situation for building gpgOSX. The solution is this:

  ./configure \
    --with-pinentry-pgm=${TARGET_DIR}/bin/pinentry \
    --with-agent-pgm=${TARGET_DIR}/bin/gpg-agent \
    --with-scdaemon-pgm=${TARGET_DIR}/libexec/scdaemon \
    --with-dirmngr-pgm=${TARGET_DIR}/bin/dirmngr \
    --with-dirmngr-ldap-pgm=${TARGET_DIR}/libexec/dirmngr_ldap \
    --with-protect-tool-pgm=${TARGET_DIR}/libexec/gpg-protect-tool \
    etc.

-Patrick
How to delete flooded key
First users ask for support on getting rid of the keys flooded with signatures. Is it sufficient to run "gpg --delete-keys 0x...", and wait for quite a while, or does it require other measures?

Thanks,
Patrick
Invitation to the 5th OpenPGP Email Summit
I'm happy to announce the 5th OpenPGP Email Summit which will take place Saturday, October 12 until Sunday, October 13, 2019 in Berlin (Germany) at the Onion Space. Last year, the idea came up that it would be nice if some of the topics discussed could directly be prototyped. I have therefore booked the Onion Space for Monday and Tuesday (October 14/15), such that those who are interested can directly start working on their product. ABOUT THE OpenPGP EMAIL SUMMIT == This is an event open for anybody involved in the development of email clients using OpenPGP for encryption, and related software. We already had four OpenPGP Email Summits at various locations in Europe. These are meetings by technical experts of projects and tools dealing with OpenPGP with a focus on email encryption. The goals are to better get to know each other, and to discuss and work on several technical issues that hopefully improve certain aspects of OpenPGP-based email encryption. For details, see https://wiki.gnupg.org/OpenPGPEmailSummits REGISTRATION If you want to attend, please *send an informal email* to: patr...@enigmail.net Please let me know if you plan to stay on Monday and/or Tuesday. If you need funding for your travel/hotel expenses, then please get in contact with me. NOTES = This is a meeting of those who develop software. Thus, we will have a lot of tech talk about key servers, key exchange, subject encryption, password recovery, etc. If you just are interested in these topics as a user, you probably will be bored to death . Thus, feel free to join us if you are working in the area of - TECHNICAL DETAILS - for SENDING or PROCESSING ENCRYPTED EMAILS - with OpenPGP - in a project or product. Note however, that due to capacity reasons we cannot have more than 1-2 people from each project. We can host about 30 attendees. Note that this is still neither a well-organized conference nor a commercial meeting. The agenda will be driven by the attendees. 
Anyone may propose any topic for discussion, as long as he/she is ready to lead the discussion. More details are/will be available on the web site: https://wiki.gnupg.org/OpenPGPEmailSummit201910 Looking forward to meeting you in Berlin -Patrick -- Patrick Brunschwig mailto:patr...@enigmail.net PGP fingerprint: 4F9F 89F5 505A C1D1 A260 631C DB11 87B9 DD5F 693B signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Johnny-You-Are-Fired
On 16.05.2019 21:27, Stefan Claas wrote:
> On Thu, 16 May 2019 18:11:27 +0200,
> Patrick Brunschwig wrote:
>
>> On 15.05.2019 17:17, Stefan Claas wrote:
>>> Hi all,
>>>
>>> I have read this in German News and wonder why
>>> MUAs in 2019 are still vulnerable?
>>>
>>> https://github.com/RUB-NDS/Johnny-You-Are-Fired/
>>
>> This is mostly a summary of the various failures that were discovered
>> with EFAIL and shortly thereafter. Most MUAs have been fixed against
>> these attacks by now.
>
> Are you sure? I remember Efail. Why would the BSI and press publish
> then such things recently? I would assume that no one is interested
> in old news or summaries regarding Efail.

I can only speak for Enigmail (and to some degree for Thunderbird). The errors described where Enigmail is mentioned/affected were all discovered last spring/summer (i.e. shortly after EFAIL), and were addressed last year.

-Patrick
Re: Johnny-You-Are-Fired
On 15.05.2019 17:17, Stefan Claas wrote:
> Hi all,
>
> I have read this in German News and wonder why
> MUAs in 2019 are still vulnerable?
>
> https://github.com/RUB-NDS/Johnny-You-Are-Fired/

This is mostly a summary of the various failures that were discovered with EFAIL and shortly thereafter. Most MUAs have been fixed against these attacks by now.

For example, the tests with Enigmail were performed using version 1.9.8, which was released almost 2 years ago, that is long before EFAIL was published. The same is true for most other products.

-Patrick
4th OpenPGP Email Summit - Update
It's 2 weeks until the Summit. Here are some updates: - Friday evening: we will meet at the Winery (Trois Tilleuls Street 1, 1170 – Brussels, www.winery.be ). People from Mailfence will be there from 19:30, I will arrive a little later. - if you plan to come, but didn't tell me yet, please send me an email. - we will start on Saturday at 09:30. If you have any issues such as finding the location or with local logistics, here is my phone number: +41 78 631 6622 - we will have a plenary session on Saturday. If you have something you think is worth sharing with everyone, then that would be the perfect occasion for a short presentation. See https://wiki.gnupg.org/OpenPGPEmailSummit201810 for details. I'm looking forward to meeting you all. -Patrick -- Patrick Brunschwig mailto:patr...@enigmail.net PGP fingerprint: 4F9F 89F5 505A C1D1 A260 631C DB11 87B9 DD5F 693B ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Invitation to the 4th OpenPGP Email Summit
I'm happy to announce the 4th OpenPGP Email Summit which will take place

  Saturday, October 20 until Sunday, October 21, 2018
  in Brussels (Belgium).

This is an event open for anybody involved in the development of email clients using OpenPGP for encryption, and related software.

In 2015 and 2016 we already had three OpenPGP Email Summits. These are meetings by technical experts of projects and tools dealing with OpenPGP with a focus on email encryption. The goals are to better get to know each other, and to discuss and work on several technical issues that hopefully improve certain aspects of OpenPGP-based email encryption. For details, see https://wiki.gnupg.org/OpenPGPEmailSummits

REGISTRATION
============

If you want to attend, please *send an informal email* to: patr...@enigmail.net

I will then let you know more details about the location, hotel, etc. If you need funding for your travel/hotel expenses, then please also get in contact with me.

NOTES
=====

This is a meeting of those who develop software. Thus, we will have a lot of tech talk about key servers, key exchange, subject encryption, password recovery, etc. If you just are interested in these topics as a user, you probably will be bored to death ;-).

Thus, feel free to join us if you are working in the area of
- TECHNICAL DETAILS
- for SENDING or PROCESSING ENCRYPTED EMAILS
- with OpenPGP
- in a project or product.

Note however, that due to capacity reasons we cannot have more than 1-2 people from each project. We can host about 30 attendees.

Note that this is still neither a well-organized conference nor a commercial meeting. The agenda will be driven by the attendees. Anyone may propose any topic for discussion, as long as he/she is ready to lead the discussion.

More details are/will be available on the web site: https://wiki.gnupg.org/OpenPGPEmailSummit201810

Looking forward to meeting you in Brussels
-Patrick

--
Patrick Brunschwig
mailto:patr...@enigmail.net
PGP fingerprint: 4F9F 89F5 505A C1D1 A260 631C DB11 87B9 DD5F 693B
Re: efail is imho only a html rendering bug
On 21.05.18 16:56, Klaus Römer wrote:
> Internet works because we have standards.
> RFC 3986 states that URLs have to be encoded.
> Rendering engines which send unencoded content including whitespaces and
> newlines to an external Server are seriously broken.
>
> (Only to point the finger at the real bug)

You only refer to one type of possible vulnerabilities that Efail discovered. Even if there are no remote calls involved, it is still possible to trick the user into sending a reply that contains decrypted content.

-Patrick
Efail - Possible Measures?
In the light of the Efail vulnerability I am asking myself if it's really needed to decrypt non-regular types of emails at all. In other words, should we decrypt a multipart/encrypted MIME part at all if we detect an irregular MIME structure?

If we would not decrypt irregular MIME structures, there cannot be an issue with HTML displaying. This would be a good thing, if you're an addon and you can't change the application you live in. I know that some mail clients do this already, but all those clients that are affected by Efail apparently don't.

I would consider the following "regular" MIME structures:

1. top-level MIME part is multipart/encrypted.
2. an attached email (Content-Type = message/rfc822) containing a multipart/encrypted MIME part as direct child.

Does anyone know of other relevant types of message structures? Does anyone see a reason why NOT to do that?

-Patrick
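The two "regular" structures proposed in the message above, written as a structural check a client could run before handing a part to the decryption engine. This is an added example in Python, not Enigmail code: the sample messages are constructed, and `classify_encrypted_parts` and the `mixed` helper are hypothetical names.

```python
from email import message_from_string

# Constructed PGP/MIME body; the payload is a placeholder, not real ciphertext.
PGP_MIME = """\
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="ENC"

--ENC
Content-Type: application/pgp-encrypted

Version: 1

--ENC
Content-Type: application/octet-stream

(constructed placeholder, no real ciphertext)
--ENC--
"""

HTML = "Content-Type: text/html\n\n<p>constructed placeholder</p>\n"
TEXT = "Content-Type: text/plain\n\nforwarded message attached\n"


def mixed(*parts):
    """Wrap already-serialised MIME parts in a multipart/mixed container."""
    body = "".join("--OUT\n" + part + "\n" for part in parts)
    return 'Content-Type: multipart/mixed; boundary="OUT"\n\n' + body + "--OUT--\n"


SAMPLES = {
    # Rule 1: the top-level part is multipart/encrypted.
    "top-level": PGP_MIME,
    # Rule 2: multipart/encrypted is the direct child of an attached email.
    "attached": mixed(TEXT, "Content-Type: message/rfc822\n\n" + PGP_MIME),
    # Irregular: the encrypted part sits between other parts of a container.
    "wrapped": mixed(HTML, PGP_MIME, HTML),
}


def classify_encrypted_parts(raw_message):
    """Return [(path, is_regular)] for every multipart/encrypted part.

    path is a tuple of 1-based child indexes from the root, () being the
    root itself. A part is regular if it is the root or if its parent is a
    message/rfc822 part; everything else is irregular and should be left
    undecrypted under the proposal.
    """
    found = []

    def visit(part, parent, path):
        if part.get_content_type() == "multipart/encrypted":
            regular = parent is None or parent.get_content_type() == "message/rfc822"
            found.append((path, regular))
            return  # children are the PGP/MIME control and data parts
        if part.is_multipart():  # true for multipart/* and message/rfc822
            for index, child in enumerate(part.get_payload(), start=1):
                visit(child, part, path + (index,))

    visit(message_from_string(raw_message), None, ())
    return found


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        for path, regular in classify_encrypted_parts(raw):
            print(name, path, "decrypt" if regular else "do not decrypt")
```
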
Re: Efail or OpenPGP is safer than S/MIME
On 19.05.18 14:15, Werner Koch wrote:
> On Fri, 18 May 2018 12:18, patr...@enigmail.net said:
>
>> How far back will that solution work? I.e. is this supported by all
>> 2.0.x and 2.2.x versions of gpg?
>
> 2.0.19 (2012) was the first to introduce DECRYPTION_INFO. In any case
> 2.0 is end-of-life. In theory we could backport that to 1.4 but I don't
> think that makes sense.

Enigmail runs on many long-term Linux distributions that still ship older, presumably patched, versions of GnuPG. For example, Red Hat EL 6.9/Centos 6.9 contains GnuPG 2.0.14, but current versions of Thunderbird. GnuPG 2.0.x will therefore still be relevant for me for many years to come.

-Patrick
Re: Efail or OpenPGP is safer than S/MIME
On 17.05.18 13:03, Werner Koch wrote:
> If you parse DECRYPTION_INFO please consider that its current
> definition (in master) is:
>
>   *** DECRYPTION_INFO []
>     Print information about the symmetric encryption algorithm and the
>     MDC method. This will be emitted even if the decryption fails.
>     For an AEAD algorithm AEAD_ALGO is not 0. GPGSM currently does
>     not print such a status.
>
> The important print is that MDC_METHOD will be 0 with the forthcoming
> AEAD algorithm. Thus you need to check whether 3rd argument is there.
>
>   mdc_method = atoi(arg_1)
>   aead_algo = have_3_args? atoi(arg_3) : 0
>   if (!mdc_method && !aead_algo)
>     return DECRYPTION_FAILED
>
> That is what I implemented in GPGME this morning.

How far back will that solution work? I.e. is this supported by all 2.0.x and 2.2.x versions of gpg?

Thanks,
Patrick
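The check quoted above, applied to gpg `--status-fd` output, as an added Python example that is neither GPGME nor Enigmail code. The argument order (MDC method, symmetric algorithm, optional AEAD algorithm) follows GnuPG's status documentation; the separate "no DECRYPTION_INFO line" result for gpg versions that predate the status line is an assumption of this example, and the status lines are constructed samples.

```python
STATUS_PREFIX = "[GNUPG:] "

PROTECTED = "integrity-protected"
UNPROTECTED = "unprotected"
NO_INFO = "no-decryption-info"

# Constructed samples of --status-fd output (not captured from a real run).
WITH_MDC = "[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] DECRYPTION_INFO 2 9\n[GNUPG:] END_DECRYPTION\n"
WITHOUT_MDC = "[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] DECRYPTION_INFO 0 3\n[GNUPG:] END_DECRYPTION\n"
WITH_AEAD = "[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] DECRYPTION_INFO 0 9 2\n[GNUPG:] END_DECRYPTION\n"
OLD_GPG = "[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] END_DECRYPTION\n"
MALFORMED = "[GNUPG:] DECRYPTION_INFO\n"


def atoi(text):
    """Behave like C atoi() for this purpose: non-numeric input counts as 0."""
    try:
        return int(text)
    except ValueError:
        return 0


def decryption_info_records(status_output):
    """Yield the argument list of every DECRYPTION_INFO status line."""
    for line in status_output.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue  # human-readable output mixed into the stream is ignored
        fields = line[len(STATUS_PREFIX):].split()
        if fields and fields[0] == "DECRYPTION_INFO":
            yield fields[1:]


def integrity_verdict(status_output):
    """Classify a decryption by whether an MDC or AEAD method was in use.

    This only reports that a protection method was used; whether the
    integrity check itself passed is reported by gpg separately.
    """
    records = list(decryption_info_records(status_output))
    if not records:
        # Assumption of this example: callers decide how to treat gpg
        # versions that never emit DECRYPTION_INFO.
        return NO_INFO
    for args in records:
        mdc_method = atoi(args[0]) if len(args) >= 1 else 0
        # MDC_METHOD is 0 for AEAD messages, so the third argument must be
        # consulted before declaring the message unprotected.
        aead_algo = atoi(args[2]) if len(args) >= 3 else 0
        if not mdc_method and not aead_algo:
            return UNPROTECTED  # the quoted check returns DECRYPTION_FAILED here
    return PROTECTED


if __name__ == "__main__":
    for name in ("WITH_MDC", "WITHOUT_MDC", "WITH_AEAD", "OLD_GPG", "MALFORMED"):
        print(name, integrity_verdict(globals()[name]))
```
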
Re: Efail or OpenPGP is safer than S/MIME
On 17.05.18 10:07, Werner Koch wrote:
> On Thu, 17 May 2018 08:59, patr...@enigmail.net said:
>
>> Within 12 hours after the release I got 5 bug reports/support requests
>
> Kudos to Enigmail for acting as our guinea pig. I implemented the same
> thing in GPGME this morning (see my mail to enigmail users).
>
> What shall we do now? Provide a separate tool to decrypt and clean HTML
> messages or add a tool to Enigmail to do just this?

Good question... Thunderbird is working on fixing the HTML display issue. But I think we should really start enforcing users to enable MDC. I therefore would prefer keeping the barrier high.

In any case, this is nothing that I could implement within a week or two.

-Patrick
Re: Breaking MIME concatenation
On 16.05.18 21:50, Lukas Pitschl | GPGTools wrote:
>
>> On 16.05.2018 at 06:21, Patrick Brunschwig <patr...@enigmail.net> wrote:
>>
>> Content-Type: multipart/mixed; boundary="WRAPPER"
>> Content-Description: Efail protection wrapper
>>
>> --WRAPPER
>> Content-Type: text/html
>>
>>
>>
>>
>>
>> --WRAPPER
>> (result of PGP/MIME decryption)
>> --WRAPPER--
>
> Looks alright so far, does the same work for inline PGP? Is there
> a particular for the specific inline-styles?

At least in Enigmail, inline-PGP is not affected by remote URL calls. The reason is that Enigmail reads the encrypted message data from the displayed message, and then replaces the displayed message content with the decrypted message. In other words, if the secretly to-be-decrypted message part is not displayed, then Enigmail won't come into action.

> In macOS Mail we will disable remote content loading completely
> and prevent the user from re-enabling it for encrypted messages.

The same is currently being developed in Thunderbird (using the "Simple HTML" mode), together with a clean fix for the DOM tree issues.

-Patrick
Re: Efail or OpenPGP is safer than S/MIME
On 15.05.18 11:14, Andrew Gallagher wrote:
> On 14/05/18 14:44, Andrew Gallagher wrote:
>> I would humbly suggest that we stop worrying about which side of the
>> GPG/MUA fence the ball is on, and fix it on *both* sides.
>
> I have just opened tickets in both GnuPG and Enigmail for the respective
> integrity check mitigations.
>
> https://dev.gnupg.org/T3981
> https://sourceforge.net/p/enigmail/bugs/838/
>
> Please let's avoid a finger-pointing contest. Belt and braces. :-)

So, just that you are aware of the consequences of this change. I implemented the check for "gpg: WARNING: message was not integrity protected" in Enigmail 2.0.4. Within 12 hours after the release I got 5 bug reports/support requests from users who can't read their (old?) mails anymore.

And the day in Europe has only just begun -- many users did not yet upgrade ...

-Patrick
Re: Breaking MIME concatenation
On 15.05.18 17:53, Lukas Pitschl | GPGTools wrote:
>
>> On 15.05.2018 at 17:44, Patrick Brunschwig <patr...@enigmail.net> wrote:
>>
>> I already tried a while ago to trick the Thunderbird HTML rendering
>> engine with tricks like this... They don't work. The rendering engine
>> ignores the tag (and also tags like ).
>>
>> I think the correct solution must be to treat each MIME part
>> independently, i.e. it needs to be parsed independently by the HTML
>> engine and produce its own DOM tree. At the end, you can concatenate
>> these DOM trees and create a single correct HTML document.
>
> I have also already tried to implement a similar fix for Apple Mail a few
> days ago, using which did work, but is probably a too naive attempt
> to mitigate against these XSS-kind of attacks.
>
> So I absolutely concur with Patrick's statement, that the Mime Parsers have
> to be adjusted to treat every text/html part as single DOM tree or even use
> different web document instances to represent the message.

I have actually thought through this during a sleepless night, and I believe that it could work as a quick and easy to implement *short term* measure until the mail clients have fixed the HTML rendering.

If we embed the complete result that we get from gpg into the following wrapper, then we should be able to mitigate at least any known form of the attack when it comes to calling a remote URL during message reading:

  Content-Type: multipart/mixed; boundary="WRAPPER"
  Content-Description: Efail protection wrapper

  --WRAPPER
  Content-Type: text/html

  --WRAPPER
  (result of PGP/MIME decryption)
  --WRAPPER--

Does anyone see a major hole in this that I may have overseen? If not, then I think I'll implement this in Enigmail until Thunderbird has fixed this properly.

-Patrick
Re: Efail or OpenPGP is safer than S/MIME
On 14.05.18 19:32, Werner Koch wrote:
[...]
>> 1. change the default behaviour of GPG so that any integrity failure is
>> fatal by default, even for old ciphersuites (we could have a flag to
>
> I am all in favor of this and even considered to that some time ago.
> However, not too long ago we removed support for PGP-2 keys which
> unfortunately resulted in lots of angry mails from people who now think
> they need to use gnupg 1.4 every day because they seem to read mails
> from the last century on a regular base. Well, they think and they were
> quite vocal. Now telling them they need to enable an option to read
> certain not that old mail (e.g. creating by other OpenPGP
> implementations) will a) lead to even more angry mails and b) they will
> keep on using that option for all mails. Thus my tentative plan was to
> make the next major version hard fail on messages without MDC and slowly
> start using our forthcoming AEAD encryption mode.
>
> Well okay, with the new support of the Ehtmlfail paper we could now
> point to that paper and always hard error out if no MDC is used even for
> old algorithms. Shall we consider this?

Yes, I think that's a good idea.

-Patrick
Re: OS X - can't open GnuPG-2.2.5.dmg
On 11.03.18 16:14, Stefan Claas wrote:
>
>
> On 10.03.18 at 18:49, Patrick Brunschwig wrote:
>> On 06.03.18 20:06, Stefan Claas wrote:
>>> Hi,
>>>
>>> just tried to update my GnuPG install on my iMac,
>>> from the SourceForge repository, but the image
>>> won't open. The shasum matches and with DiskUtility
>>> it shows also that the .dmg is o.k.
>>>
>>> Downloaded several times, with the same result. :-(
>> The file opens fine on my Mac. I suspect that either there is a problem
>> with your OS (a reboot may help), or your iMac doesn't fulfill the
>> minimum installation requirements (macOS 10.9 or newer, running in
>> 64-bit mode).
>>
> Well, i am running 10.11.6 and tried also again with 2.2.4 which works.
>
> Tried also to open the 2.2.5 .dmg with Pacifist but it can't open it either.

I fear I know what's wrong. For some reason that I still need to discover, the image is created with the new APFS file system instead of the HFS+. I'll see how to fix this.

-Patrick
Re: OS X - can't open GnuPG-2.2.5.dmg
On 06.03.18 20:06, Stefan Claas wrote:
> Hi,
>
> just tried to update my GnuPG install on my iMac,
> from the SourceForge repository, but the image
> won't open. The shasum matches and with DiskUtility
> it shows also that the .dmg is o.k.
>
> Downloaded several times, with the same result. :-(

The file opens fine on my Mac. I suspect that either there is a problem with your OS (a reboot may help), or your iMac doesn't fulfill the minimum installation requirements (macOS 10.9 or newer, running in 64-bit mode).

-Patrick
Re: How Can I Uninstall GnuPG-2.1.20 from my MacOS
On 10.04.17 11:47, Gaston wrote:
> Hi All,
>
> Could you tell me how to uninstall it? I can not find any instructions
> in the FAQ.
>
> OS: MacOS 12.2.4
> GnuPG: 2.1.20 (downloaded from
> https://sourceforge.net/p/gpgosx/docu/Download/)

Open a Terminal and execute the following line:

sudo rm -rf /usr/local/gnupg-2.1

-Patrick
Re: I figured out how to change the algorithms,
On 20.03.17 10:56, zap wrote:
> Okay, I was doing this to encrypt my files, not emails for the most part...
>
> I did however wonder, what you actually said, because I had pgp
> encryption on and for some reason I couldn't read it through enigmail.

I assume that's due to a configuration issue. But it's impossible to tell without further information, like what is the error message you are getting.

-Patrick
Re: Which GPG version?
On 01.08.16 19:28, Peter Lebbing wrote:
> On 01/08/16 17:54, whi...@mixnym.net wrote:
>> I see that there are three versions of GnuPG available. Assuming no hardware
>> constraints, is there any reason to choose Classic 1.4 or Stable 2.0 instead
>> of Modern 2.1? It appears to do everything the others can and more.
>
> I think usually the constraints are software constraints. But 1.4 might be more
> appropriate in for instance a headless server. I suppose that counts as a
> hardware constraint indeed :-).
>
> I'd say, go for 2.1. I think 2.0 is more for people who wish to stick to 2.0 for
> whatever reason. If you don't have any particular motivation to use 2.0 or 1.4,
> you should go for 2.1.

I see the world a little different :-)

2.1 is the current development branch, where we sometimes see heavy changes that can cause bugs, crashes and incompatibilities with other software. 2.0 is stable and only receives a limited number of well-tested changes and security fixes.

If you want to try new features like curve-based encryption, or if you are a developer, then go for 2.1. Otherwise, if you are a regular end-user, then go for 2.0 and wait with upgrading until 2.1 has become mature. This will result in 2.2 being released.

Patrick
Re: Email Self-Defense
On 23.02.16 02:08, NIIBE Yutaka wrote:
> Hello,
>
> While we translate the "Email Self-Defense" guide into Japanese, I
> have a thing (or will have more) to clarify.
>
> In this section 5b, it says:
>
> https://emailselfdefense.fsf.org/en/#step-5b
>
>   When using GnuPG, make a habit of glancing at that bar. The
>   program will warn you there if you get an email encrypted with a key
>   that can't be trusted.
>
> "The program" here means Enigmail with GnuPG, I suppose.

Yes.

> I think that it's quite rare to encounter this particular case; a user
> would need to have a revoked or expired key (of themselves).
>
> If it means an email with signature (encrypted or not), it makes more
> sense to me. I think that it would be better to explain more likely
> cases.
>
> How do you think?

Enigmail displays various information in the status bar, such as:

(1) Good signature (hopefully mostly)
(2) "Bad signature" (Enigmail v1.8) / "Unverified signature" (v1.9) in case the signature is bad
(3) "Unverified signature" together with an "Import" button in case the signature is from an unknown key
(4) Good signature, but key is not trusted
(5) Good signature, but key is expired or revoked

The last one happens quite frequently if you look at old mails, but hardly on current mails.

I think the guide refers to (2) and/or (4), but I'm not the author of the document ...

-Patrick
Re: Keyserver lookup failure, redux
On 23.09.15 10:25, Robert J. Hansen wrote:
>> $ gpg -v --keyserver hkp://pool.sks-keyservers.net --recv-key 0xD6B98E10
>
> quorra:~ rjh$ gpg -v --keyserver hkp://pool.sks-keyservers.net
> --recv-key 0xD6B98E10
> gpg: keyserver receive failed: No route to host
>

I can confirm that the exact above command works for me (on OS X), with gpg 2.1.8:

gpg: no running Dirmngr - starting '/usr/local/gnupg-2.1/bin/dirmngr'
gpg: waiting for the dirmngr to come up ... (5s)
gpg: connection to the dirmngr established
gpg: data source: http://openpgp.andrew.kvalhe.im:11371
gpg: armor header: Version: SKS 1.1.5
gpg: armor header: Comment: Hostname: openpgp.andrew.kvalhe.im
gpg: pub dsa2048/D6B98E10 2008-07-30 Robert J. Hansen(etc.)

HTH
-Patrick
Enigmail and p≡p are together for developing Enigmail/p≡p
The following press release was published yesterday (unfortunately I had no time to re-post it earlier):

Encryption add-on Enigmail and pretty Easy privacy (p≡p)[1] are joining in development of a solution for the well-known mail client Thunderbird. The goal is to make encryption as easy as possible, said Enigmail's project lead Patrick Brunschwig and p≡p's head of development Volker Birk in a common press release.

Enigmail and p≡p will offer p≡p technology for any Thunderbird user. Thunderbird is still most popular among free email programs on desktop PCs and Laptops.

"Enigmail offers the most-used solution for mail encryption as Free Software for many years now. But we don't want to rest on our laurels.", Brunschwig explains. "Still way too few people are able to encrypt. But this is inevitable to protect privacy." That is to be changed with the partnership. "p≡p is offering the possibility to encrypt fully automatically. This way our users are gaining the highest amount of security, while even not be touched by the process at all. At the same time p≡p is offering compatibility to OpenPGP and S/MIME, which is necessary to integrate into mail infrastructures."

"Being the trailblazer, Enigmail managed to provide one of the greatest user interfaces for mail encryption.", Birk says. "To date Enigmail is still the front-runner here. Together with Enigmail we're thinking beyond this: the default for email has to be encrypted and not unencrypted! For this purpose p≡p is offering the possibility to encrypt without any user interaction needed like managing keys. Thunderbird is for p≡p a strategic platform in Free Software: no other free mail program has reached this spread. Therefore, it was the logical choice to ask our colleagues at Enigmail for a cooperation. Who else could deliver more know-how of integrating encryption into Thunderbird?"

The development partnership is meant to lead into common project Enigmail/p≡p. As release date for a very first version Enigmail and p≡p are aiming for December 2015.

[1] http://pep-project.org/
Re: OSX: How to install gpg without Admin password
You'll need to set the path to pinentry in gpg-agent.conf. Something like:

pinentry-program /home/xyz/pinentry-mac.app/Contents/MacOS/pinentry-mac

-Patrick

On 29.08.15 19:13, Dan Bryant wrote:
> OK, this worked in getting the binaries extracted and by setting PATH and DYNLD_LIBRARY_PATH I can get the bins to load and dump version information... SUCCESS...
>
> Now my biggest problem is getting the agent and pinentry (I assume) to talk to gpg. I was hoping I could set bindir, libdir, libexecdir with gpgconf (gpgconf.conf) but I can't seem to figure out how to convince gpg to look in nonstandard paths for binaries and libraries. Seems to be ignoring PATH environment. Suggestions?
>
> On Thu, Aug 27, 2015 at 1:31 AM, Patrick Brunschwig patr...@enigmail.net wrote:
>> On 26.08.15 17:16, Dan Bryant wrote:
>>> I have a monitored OS X laptop that I would like to put GNU Privacy Guard (gpg) on. Of course I can't because I don't have Admin rights, but I was hoping there is a way to install it in user space through a virtual environment or chroot, or some other wizardry, or by extracting the package files. Obviously I only need console access to the app.
>>
>> Just download a DMG file, open (=mount) it, and copy the PKG file to some temporary location. Then use pkgutil in a terminal to unpack the PKG file to some temp directory. Then copy whatever you need to your home directory.
>>
>> man pkgutil will tell you how to use it.
>>
>> -Patrick
Re: OSX: How to install gpg without Admin password
On 26.08.15 17:16, Dan Bryant wrote:
> I have a monitored OS X laptop that I would like to put GNU Privacy Guard (gpg) on. Of course I can't because I don't have Admin rights, but I was hoping there is a way to install it in user space through a virtual environment or chroot, or some other wizardry, or by extracting the package files. Obviously I only need console access to the app.

Just download a DMG file, open (=mount) it, and copy the PKG file to some temporary location. Then use pkgutil in a terminal to unpack the PKG file to some temp directory. Then copy whatever you need to your home directory.

man pkgutil will tell you how to use it.

-Patrick
Re: Proposal of OpenPGP Email Validation
On 29.07.15 14:07, Neal H. Walfield wrote:
> At Wed, 29 Jul 2015 01:03:53 +0100, MFPA wrote:
>> On Tuesday 28 July 2015 at 11:46:10 PM, in mid:87vbd3nbnx.wl-n...@walfield.org, Neal H. Walfield wrote:
>>> At Tue, 28 Jul 2015 19:22:29 +0100, MFPA wrote:
>>>> It also eliminates any attempt to establish a link between the key and the email address in the UID.
>>>
>>> I'm not so sure. Recall that we are not attempting to protect against attacks by nation states. As such, performing a week of computation each year is going to be too much to maintain for those who upload fake keys.
>>
>> And too much for people with multiple email addresses.
>
> It doesn't have to be per-email address. It is sufficient to attach it to the primary key.

This allows me to have patr...@enigmail.net verified OK. Then I add a new UID mall...@evil.com and delete patr...@enigmail.net from the key. And then I upload my key to the keyservers network, and I'll end up where we are now.

>> This still seems less rigorous to me than having to receive an email sent to that address and decrypt it with that key. I guess it's a case of swings and roundabouts.
>
> Well, I don't like the CA model and that's what Nico is basically proposing (with less rigorous checks). Another huge disadvantage is that users have to actively participate by replying to emails / visiting a link. Using PoW, no human intervention is required and there is no central authority. PoW relies on the assumption that conducting an attack is too expensive to do / maintain.

The whole point of this exercise is to verify that the key and the email address(es) belong _together_. I don't see how PoW could do this, or I didn't understand it well enough.

-Patrick
Re: Proposal of OpenPGP Email Validation
On 28.07.15 16:46, Ingo Klöcker wrote:
> On Monday 27 July 2015 21:05:26 Ludwig Hügelschäfer wrote:
>> Hi Ingo,
>>
>> On 27.07.15 16:31, Ingo Klöcker wrote:
>>> This whole concept of a whitelist of trusted validation servers included in the email clients sounds a lot like the CA certificate bundles included in browsers and/or OSes. Who is going to maintain this whitelist?
>>
>> Whitelists: The OpenPGP-aware clients. There aren't so many of them, so that's manageable.
>
> Speaking for KMail how can I be sure that somebody who claims that his validation server can be trusted can actually be trusted and should therefore be added to the whitelist? KDE avoids this problem for the CA certificate bundle by relying on the certificate bundles provided by the Linux distributors or by Mozilla.

Let's face it: KDE doesn't /avoid/ this problem. It just shifts the problem to someone else -- the Linux distributors or Mozilla ;)

-Patrick
Re: Proposal of OpenPGP Email Validation
On 27.07.15 14:15, Neal H. Walfield wrote:
> Hi,
>
> I guess you mean this:
>
>> The idea I have in mind is roughly as follows: if you upload a key to a keyserver, the keyserver would send an encrypted email to every UID in the key. Each encrypted mail contains a unique link to confirm the email address. Once all email addresses are confirmed, the key is validated and the keyserver will allow access to it just like with any regular keyserver.
>
> This approach is not going to stop a nation state. A nation state can intercept the mail, decrypt it and follow the link.

If the email can be decrypted, then any email can be decrypted, which would turn OpenPGP useless.

> For the same reason, it is not going to stop a user's ISP. Given Microsoft's et al.'s willingness to cooperate with the NSA, these are not very good starting conditions.

If (and only if) the user stores his private key on his computer, and the connection to the validating key server is HTTPS with PFS, I don't really agree.

In any case, the target users are not the Edward Snowdens of this world, but the 99% of people who just want to communicate easily with each other and don't want to be bothered too much with complicated key lookup/verification scenarios.

> The approach also has another problem: which key servers are going to do this? There are 100s of key servers. I'm not going to reply to mails from each one, sorry.

The idea is that these servers are separate from the keyserver network. That is, a relatively small set of servers that would only do validation of email addresses. Validated keys would then be uploaded to normal key servers.

> This also seems like a nice way to spam someone. Generate a key, upload it to a key server and they have a bunch of mails from the key server. Based on this, I suspect that it won't take long for the key servers to be blacklisted?

True, but this only serves the purpose of spamming someone without any further action. You cannot send specific text to those who get spammed, that's thus not very interesting. But in general, that's certainly something to consider (such as only accepting one key at a time and only accepting N keys per hour from some IP address).

> Have you considered these issues? Do you have any thoughts about how to avoid these problems or do you think they are not real problems?
>
> Regarding the design: personally, I wouldn't have the user follow a link that includes a swiss number, but have the user reply to the mail, include the swiss number and sign it.

That's a good idea indeed.

> I'd also consider having the key servers publish the validations. If you chain the validations (include the hash of the previous validation in the current validation) you can detect if the key servers serve a fake key to a specific user.

Sounds like a good idea.

-Patrick
Re: GnuPG 2.1.3 Fails to Compile OS X
It's a clang build error (clang-602.0.49).

-Patrick

On 13.04.15 00:00, Ethan Sherriff wrote:
> Sorry didn't see what you said about the error occurring with GNU GCC, what version are you using?
>
> On OS X Yosemite 10.10.3 (Latest Public Beta 14D131, XCode 6.3 6D570), with GNU GCC 4.9.2 installed from source, gnupg-2.1.3 builds fine.
>
> From: Dominyk Tiller dominyktil...@gmail.com
> Sent: 12/04/2015 21:01
> To: gnupg-users@gnupg.org
> Subject: GnuPG 2.1.3 Fails to Compile OS X
>
> Hey Werner,
>
> Thanks for the new release! I'm having some issues making it compile on OS X, right across 10.8-10.10.3. Tried both Apple's Clang and GNU's GCC so I'm presuming the error isn't compiler-specific.
>
> It's throwing slightly different errors on OS X 10.8 than it is on 10.9 and 10.10. The 10.8 error is:
>
>   t-stringhelp.c:488:3: error: function definition is not allowed here
>   {
>   ^
>   t-stringhelp.c:536:4: error: expected ';' at end of declaration
>   }
>   ^
>   ;
>   2 errors generated.
>   make[3]: *** [t-stringhelp.o] Error 1
>
> And the 10.9 - 10.10.3 error is just:
>
>   t-stringhelp.c:488:3: error: function definition is not allowed here
>   {
>   ^
>   1 error generated.
>   make[3]: *** [t-stringhelp.o] Error 1
>
> Have attached various compile logs.
>
> Cheers,
> Dom
>
> --
> Sent from OS X. If you wish to communicate more securely my PGP Public Key is 0x872524db9d74326c.
Re: German ct magazine postulates death of pgp encryption
On 27.02.15 20:56, Werner Koch wrote:
> On Fri, 27 Feb 2015 17:26, patr...@enigmail.net said:
>
>> that anyone can upload _every_ key to a keyserver is an issue. If keyservers would do some sort of verification (e.g. confirmation of the email addresses) then this would lead to much more reliable data.
>
> We have such a system. It is called S/MIME.
>
> Ever tried to find an S/MIME (X.509) key (aka certificate) for an arbitrary mail address? The only working solution to get such a key is by sending a mail and asking for the key. You can do the very same with PGP of course. Keyservers along with visiting cards are much nicer.
>
> So, why is there no public service to distribute X.509 keys? Because nobody want to be legally responsible for such a key unless you push a stack of money over the table for a qualified signature certificate.

I would not go that far as trying to guarantee the identity of key. But I think if a keyserver could do some basic verification of keys, it would make OpenPGP a lot easier to use for email.

The idea I have in mind is roughly as follows: if you upload a key to a keyserver, the keyserver would send an encrypted email to every UID in the key. Each encrypted mail contains a unique link to confirm the email address. Once all email addresses are confirmed, the key is validated and the keyserver will allow access to it just like with any regular keyserver.

This way, we have a simple verification of the access to the private key, as well as access to the email addresses contained in the UID by quite a simple means. I would say this is about as reliable as sending an email to someone requesting their key.

-Patrick
Re: German ct magazine postulates death of pgp encryption
On 01.03.15 16:38, Kristian Fiskerstrand wrote:
>>> In general I believe this to be an insufficient form of identification that really doesn't provide much of anything useful, but at least the PGP keyserver does it reasonably sane in its methodology by creating a signature from their CA on the key. Whether you put any merit to having such a CA signature or not is left up to the user (excluding for now the fun related to the spammy number of signatures from it)
>>
>> Yes, I know. The re-confirmation every few months together with re-signing the keys is among the things I dislike about keyserver.pgp.com. But in general, I think that keyservers need to go in that direction if we want to enable easy use of OpenPGP in email (which requires in some way or another to download missing keys automatically).
>
> You wouldn't need the keyservers to be involved in this at all. Anyone could set up such a mail verification CA outside of the keyserver network.

Perfectly correct, yes. This is exactly what I'm proposing. I believe that the current keyserver network cannot do this. I just don't have the time to (also) work on this...

-Patrick
Re: German ct magazine postulates death of pgp encryption
On 01.03.15 18:11, MFPA wrote:
> On Sunday 1 March 2015 at 2:41:33 PM, in mid:54f3251d.20...@enigmail.net, Patrick Brunschwig wrote:
>
>> The idea I have in mind is roughly as follows: if you upload a key to a keyserver, the keyserver would send an encrypted email to every UID in the key. Each encrypted mail contains a unique link to confirm the email address. Once all email addresses are confirmed, the key is validated and the keyserver will allow access to it just like with any regular keyserver.
>
> What about keys with UIDs containing no email address?

The purpose of such a keyserver would be primarily targeted to email. Thus I think such keys should be refused.

-Patrick
Re: German ct magazine postulates death of pgp encryption
On 01.03.15 15:58, Kristian Fiskerstrand wrote:
> On 03/01/2015 03:41 PM, Patrick Brunschwig wrote:
>> On 27.02.15 20:56, Werner Koch wrote:
>>> On Fri, 27 Feb 2015 17:26, patr...@enigmail.net said:
>>>> that anyone can upload _every_ key to a keyserver is an issue. If keyservers would do some sort of verification (e.g. confirmation of the email addresses) then this would lead to much more reliable data.
>>>
>>> We have such a system. It is called S/MIME. Ever tried to find an S/MIME (X.509) key (aka certificate) for an arbitrary mail address? The only working solution to get such a key is by sending a mail and asking for the key. You can do the very same with PGP of course. Keyservers along with visiting cards are much nicer. So, why is there no public service to distribute X.509 keys? Because nobody want to be legally responsible for such a key unless you push a stack of money over the table for a qualified signature certificate.
>>
>> I would not go that far as trying to guarantee the identity of key. But I think if a keyserver could do some basic verification of keys, it would make OpenPGP a lot easier to use for email. The idea I have in mind is roughly as follows: if you upload a key to a keyserver, the keyserver would send an encrypted email to every UID in the key. Each encrypted mail contains a unique link to confirm the email address. Once all email addresses are confirmed, the key is validated and the keyserver will allow access to it just like with any regular keyserver.
>
> You already have a variant of this at https://keyserver.pgp.com (although I don't recall if they send the requests encrypted, I haven't looked into the service in years) In general I believe this to be an insufficient form of identification that really doesn't provide much of anything useful, but at least the PGP keyserver does it reasonably sane in its methodology by creating a signature from their CA on the key. Whether you put any merit to having such a CA signature or not is left up to the user (excluding for now the fun related to the spammy number of signatures from it)

Yes, I know. The re-confirmation every few months together with re-signing the keys is among the things I dislike about keyserver.pgp.com. But in general, I think that keyservers need to go in that direction if we want to enable easy use of OpenPGP in email (which requires in some way or another to download missing keys automatically).

-Patrick
Re: German ct magazine postulates death of pgp encryption
On 27.02.15 13:11, Kristian Fiskerstrand wrote:
> On 02/27/2015 12:43 PM, Hauke Laging wrote:
>> On Fri 27.02.2015, 12:27:40, gnupgpacker wrote:
>>> Maybe implementation with an opt-in could preserve publishing of faked keys on public keyservers?
>>
>> We need keyservers which are a lot better than today's. IMHO that also means that a keyserver should tell a client for each offered certificate whether it (or a trusted keyserver) has made such an email verification.
>
> The keyservers have no role in this, they are pure data store and can never act as a CA. That would bring up a can of worm of issues, both politically and legally, I wouldn't want to see the first case where a keyserver operator was sued for permitting a fake key (the term itself is very misleading, the key itself isn't fake at all, but a fully valid key where the UID has not been mated to its holder through proper validation).

But that's the main primary reason of the article at all. The fact that anyone can upload _every_ key to a keyserver is an issue. If keyservers would do some sort of verification (e.g. confirmation of the email addresses) then this would lead to much more reliable data.

Furthermore, we need a feature to allow keys to be removed in case the true owner of an email address requests it. I know that this collides with today's keyservers and it also collides with keyservers exchanging keys between each other, but I strongly believe that this would make keyservers more trustworthy than today.

-Patrick
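The confirmation flow proposed in the messages above, sketched as an added example (not code from the thread or from any keyserver project): a key stays unlisted until every UID address has confirmed, UIDs without an email address are refused, and the holder of an address can have keys removed. The class and method names are hypothetical, the fingerprint and addresses are constructed, and the outbox list stands in for mail that a real server would encrypt to the uploaded key.

```python
import hashlib
import hmac
import re
import secrets

BRACKETED = re.compile(r"<([^<>@\s]+@[^<>@\s]+)>\s*$")
BARE = re.compile(r"^[^<>@\s]+@[^<>@\s]+$")


def uid_address(uid):
    """Return the lower-cased email address of an OpenPGP user ID, or None."""
    uid = uid.strip()
    m = BRACKETED.search(uid)
    if m:
        return m.group(1).lower()
    return uid.lower() if BARE.match(uid) else None


def digest(token):
    # Only hashes are stored, so a database leak does not expose live links.
    return hashlib.sha256(token.encode()).hexdigest()


class VerifyingKeyserver:
    """Hypothetical keyserver that lists a key only after all UIDs confirm."""

    def __init__(self):
        self.pending = {}    # fingerprint -> {"todo": {address: digest}, "done": set}
        self.published = {}  # fingerprint -> set of confirmed addresses
        self.removals = {}   # token digest -> address
        self.outbox = []     # constructed stand-in for outgoing mail

    def _mail(self, to, kind, token):
        self.outbox.append({"to": to, "kind": kind, "token": token})

    def upload(self, fingerprint, uids):
        addresses = {uid_address(u) for u in uids}
        if not uids or None in addresses:
            raise ValueError("refused: every UID must carry an email address")
        todo = {}
        for addr in sorted(addresses):
            token = secrets.token_urlsafe(32)
            todo[addr] = digest(token)
            # Assumption: this mail is encrypted to the uploaded key, so only
            # someone holding both the mailbox and the private key can confirm.
            self._mail(addr, "confirm", token)
        self.pending[fingerprint] = {"todo": todo, "done": set()}

    def confirm(self, fingerprint, address, token):
        address = address.lower()
        entry = self.pending.get(fingerprint)
        expected = entry["todo"].get(address) if entry else None
        if expected is None or not hmac.compare_digest(expected, digest(token)):
            return False
        del entry["todo"][address]
        entry["done"].add(address)
        if not entry["todo"]:  # last address confirmed: key becomes visible
            self.published[fingerprint] = entry["done"]
            del self.pending[fingerprint]
        return True

    def lookup(self, address):
        address = address.lower()
        return sorted(fp for fp, addrs in self.published.items() if address in addrs)

    def request_removal(self, address):
        # Sent in plaintext: the true owner of the address may not hold the key.
        token = secrets.token_urlsafe(32)
        self.removals[digest(token)] = address.lower()
        self._mail(address.lower(), "remove", token)

    def confirm_removal(self, token):
        address = self.removals.pop(digest(token), None)
        removed = self.lookup(address) if address else []
        for fp in removed:
            del self.published[fp]
        return removed


def demo():
    ks = VerifyingKeyserver()
    fp = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed fingerprint
    ks.upload(fp, ["Alice Example <alice@example.org>", "alice@corp.example"])
    tokens = {m["to"]: m["token"] for m in ks.outbox}
    ks.confirm(fp, "alice@example.org", tokens["alice@example.org"])
    before = ks.lookup("alice@example.org")  # one UID is still unconfirmed
    ks.confirm(fp, "alice@corp.example", tokens["alice@corp.example"])
    after = ks.lookup("alice@example.org")
    return before, after


if __name__ == "__main__":
    print(demo())
```

The sketch leaves out the periodic re-confirmation and the CA signature discussed for keyserver.pgp.com, and it does not address synchronisation between keyservers, which the thread names as the open conflict.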
Re: Question about group line use in GnuPG
On 22.02.15 09:29, Ludwig Hügelschäfer wrote:
> Hi Anthony,
>
> On 22.02.15 01:32, Anthony Papillion wrote:
>> Thanks for your quick response. It looks like I may have fixed the problem. Basically, when I use Enigmail for the group line, it needs it in the form of
>> group pgp...@yahoogroups.com=key1,key2,key3
>> But when I do it from the terminal, it needs to be in the form of
>> group pgp...@yahoogroups.com=key1,key2,key3
>> Copying the group line in my gpg.conf file and removing the brackets made it work as expected.
>
> Which Enigmail version are you using?

As far as I know, group entries should be space-separated, not by comma. I.e.

group pgp...@yahoogroups.com=key1 key2 key3

Furthermore, the current release version of Enigmail cannot handle as part of the group name.

-Patrick
Re: [Announce] GnuPG 2.1.2 released
On 11.02.15 20:40, Werner Koch wrote:
> Hello! The GnuPG Project is pleased to announce the availability of the third release of GnuPG modern: Version 2.1.2.

The usual installer for Mac OS X is now available from https://sourceforge.net/p/gpgosx/docu/Download/

-Patrick
Re: Specifying passphrase for batch key generation
On 15.01.15 09:56, Werner Koch wrote:
> On Wed, 14 Jan 2015 21:59, jose.casti...@gmail.com said:
>> Now that we cannot specify a passphrase in the batch parameters, what is the preferred method for batch key generation with a specified passphrase?
>
> Thanks for this question. The Enigmail folks also asked on how to do this and my answer was to switch to pinentry-mode=loopback. Revisiting the code, it seems that there could be an easier solution. I see no reason why we should not allow passing a passphrase along with the parameters for the key generation. After all if the user wants to work around the Pinentry, they should be allowed to do that - at least for the key generation. It requires a bit of code but I think it is worth to have it in 2.1.2.

Even easier! Thanks a lot

-Patrick
Re: [Announce] GnuPG 2.1.1 released
On 16.12.14 17:36, Werner Koch wrote:
> Hello! The GnuPG Project is pleased to announce the availability of the second release of GnuPG modern: Version 2.1.1.
>
> The GNU Privacy Guard (GnuPG) is a complete and free implementation of the OpenPGP standard as defined by RFC-4880 and better known as PGP. GnuPG, also known as GPG, allows to encrypt and sign data and communication, features a versatile key management system as well as access modules for public key directories. GnuPG itself is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries making use of GnuPG are available. Since version 2 GnuPG provides support for S/MIME and Secure Shell in addition to OpenPGP.
>
> GnuPG is Free Software (meaning that it respects your freedom). It can be freely used, modified and distributed under the terms of the GNU General Public License.
>
> Three different versions of GnuPG are actively maintained:
>
> - GnuPG modern (2.1) is the latest development with a lot of new features. This announcement is about the first release of this version.
> - GnuPG stable (2.0) is the current stable version for general use. This is what most users are currently using.
> - GnuPG classic (1.4) is the old standalone version which is most suitable for older or embedded platforms.
>
> You may not install modern (2.1) and stable (2.0) at the same time. However, it is possible to install classic (1.4) along with any of the other versions.

I created an installer for GnuPG 2.1.1 on Mac OS X, available from here: http://sourceforge.net/projects/gpgosx/files/GnuPG-2.1.1.dmg/download

-Patrick
Re: Beta for 2.1.1 available
On 24.11.14 09:24, Werner Koch wrote:
> [...] GnuPG changes in 2.1.1-beta35 - [...]
> * Fixed build problems on Mac OS X

All fixed indeed! I created the first GnuPG build that did not require a single patch on OS X :-)

-Patrick
Re: The Facts:
On 15.11.14 12:52, da...@gbenet.com wrote:
> The steps I have taken to move my /.gnupg folder Background: I have two laptops (1) a 32 bit LXD laptop-1 (2) a 64 bit LXD laptop-2 one mouse and one WD 1.0 TB (1,000,202,043,392 bytes) external drive that plugs into the USB port of either laptop-1 or laptop-2 = david@laptop-1:/media/store$. Laptop-1 and laptop-2 are a mirror image of each. They contain the same software. I copied programmes like Thunderbird Firefox from laptop-1 to laptop-2 without any problems.

Why don't you simply do this:

1. on your old laptop: tar zcf gnupg-backup.tgz $HOME/.gnupg
2. Copy the resulting file gnupg-backup.tgz to your new laptop
3. on your new laptop: tar zxf gnupg-backup.tgz

-Patrick
GnuPG 2.1.0 for Mac OS X Available
I'm happy to announce the first release of the GnuPG for OSX project - a new distribution of GnuPG 2.1 for Mac OS X ready to download and install.

I started GnuPG for OSX to provide up to date distributions of GnuPG on Mac. Unlike GPG Tools, this project only provides the complete standard gpg tool suite, and no additional software.

The distribution requires Mac OS X 10.7 or newer and a 64-bit processor. The software is available from: http://sourceforge.net/projects/gpgosx/files/GnuPG-2.1.0.dmg/download

-Patrick
Re: Error building GnuPG modern 2.1.0 on Yosemite
Apply this patch before doing ./configure and it will build OK: https://sourceforge.net/p/gpgosx/source/ci/master/tree/patches/makefile.patch -Patrick On 09.11.14 22:56, Mel Brands wrote: Werner, Thank you! Patching with -p1 fixed the compilation issue but now I've run into a linking issue (I'm using the latest libgpg-error 1.17). This is the error that occurs near the very end: gcc -I/usr/local/include -I/usr/local/include -I/usr/local/include -g -O2 -Wall -Wno-pointer-sign -Wpointer-arith -o t-sexputil t-sexputil.o libcommon.a ../gl/libgnu.a -L/usr/local/lib -lgcrypt -lgpg-error -lassuan -L/usr/local/lib -lgpg-error -L/usr/local/lib -lgpg-error -liconv Undefined symbols for architecture x86_64: _default_errsource, referenced from: _parse_ber_header in libcommon.a(libcommon_a-tlv.o) _parse_sexp in libcommon.a(libcommon_a-tlv.o) ld: symbol(s) not found for architecture x86_64 collect2: ld returned 1 exit status make[3]: *** [t-sexputil] Error 1 make[2]: *** [all] Error 2 make[1]: *** [all-recursive] Error 1 make: *** [all] Error 2 -- According to this post, using a stable libgpg-error used to fix this issue back in the May: http://lists.gnupg.org/pipermail/gnupg-users/2014-May/049786.html I've tried Libgpg-error 1.16/1.17 and they have all failed to link properly with Gnupg 2.1.0. Libgpg-error 1.16/1.17 gives identical errors as the one above and 1.15 itself fails to compile with the following: --- libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. 
-DLOCALEDIR=\/usr/local/share/locale\ -g -O2 -Wall -Wpointer-arith -MT libgpg_error_la-estream.lo -MD -MP -MF .deps/libgpg_error_la-estream.Tpo -c estream.c -fno-common -DPIC -o .libs/libgpg_error_la-estream.o estream.c:3502: error: conflicting types for '_gpgrt_fseeko' gpgrt-int.h:108: error: previous declaration of '_gpgrt_fseeko' was here estream.c:3528: error: conflicting types for '_gpgrt_ftello' gpgrt-int.h:110: error: previous declaration of '_gpgrt_ftello' was here make[3]: *** [libgpg_error_la-estream.lo] Error 1 make[2]: *** [all] Error 2 make[1]: *** [all-recursive] Error 1 make: *** [all] Error 2 - Thanks for any insight! Mel PS: To answer Patrick Brunschwig, I'm using Xcode 6.1 on OS X 10.10 (everything's updated to the latest versions available). On Fri, Nov 7, 2014 at 1:44 AM, Werner Koch w...@gnupg.org mailto:w...@gnupg.org wrote: On Thu, 6 Nov 2014 19:37, bigh...@gmail.com mailto:bigh...@gmail.com said: I tried to compile 2.1.0 today and ran into an issue. I have the latest autoconf/m4/gnu toolchain and all of the latest libraries that GnuPG needs. It is kind of funny that GnuPG as most autoconf enabled programs build fine on so many Unix platform but not on OS X we should be a modern Unix. One of the reasons might be that GnuPG uses a small part of gnulib (gl/) but does not follow all the gnulib updates to avoid regressions. ../gl/stdint.h:62:31: error: _types/_intmax_t.h: No such file or directory ../gl/stdint.h:63:32: error: _types/_uintmax_t.h: No such file or directory This problem seems to cause by the hack below. We hoped that this would fix the problems but obviously it didn't on all machines. You may try to revert that patch. For 2.0.1 I'd really like to get access to a decent OS X box to test the build before releasing it. Salam-Shalom, Werner commit f5592fcff308007322a201c970a6d5e8763c9fe3 Author: Werner Koch w...@gnupg.org mailto:w...@gnupg.org Date: Wed Oct 29 15:41:28 2014 +0100 Fix stdint.h problem for Apple. 
* gl/stdint_.h [__APPLE__]: Include hack. -- Patch suggested by Patrick Brunschwig. Modified gl/stdint_.h diff --git a/gl/stdint_.h b/gl/stdint_.h index 19577e7..1118e8d 100644 --- a/gl/stdint_.h +++ b/gl/stdint_.h @@ -55,6 +55,13 @@ # include @ABSOLUTE_STDINT_H@ #endif +#ifdef __APPLE__ + /* Apple's implementation of stdint.h is bugy; we therefore use + the source definitions. */ +# include _types/_intmax_t.h +# include _types/_uintmax_t.h +#endif + /* sys/types.h defines some of the stdint.h types as well, on glibc, IRIX 6.5, and OpenBSD 3.8 (via machine/types.h). MacOS X 10.4.6 sys/types.h includes stdint.h (which is us), but -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
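Review bot: the new "#ifdef __APPLE__" block in gl/stdint_.h includes _types/_intmax_t.h and _types/_uintmax_t.h on every Apple toolchain, and the build report quoted in this thread fails at exactly these two includes with "No such file or directory". Guard the includes with a configure-time check for the two headers (or a test on the SDK version) rather than on __APPLE__ alone, so the block is skipped where the headers do not exist. The comment should also say which symptom of the system stdint.h the hack works around and on which OS X releases it was seen, so the block can be retired later; "bugy" in that comment should read "buggy".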
Re: GnuPG 2.1.0 for Mac OS X Available
On 09.11.14 21:51, Nicholas Cole wrote:
> Hi Patrick, Thanks for this! It's a really useful resource. Are you able to explain how you managed to get GnuPG-2.1 to compile?

See the scripts in the git source tree: https://sourceforge.net/p/gpgosx/source/ci/master/tree/create_gpg

I have XCode 6.1 plus a very small set of tools from MacPorts (wget, pkg-config).

-Patrick
Re: Problem compiling GnuPG 2.1.0 on OS X 10.10
On 07.11.14 06:41, Ramsey Dow wrote: Hello, I am having a build failure with GnuPG 2.1.0 on OS X 10.10 using Xcode 6.1's compiler tools. I have successfully compiled and installed all of the prerequisite libraries (npth 1.1, libgpg-error 1.17, libksba 1.3.1, and libassuan 2.1.2). My build sequence is as follows: gpg --verify $MRT/cache/gnupg-2.1.0.tar.bz2.sig tar xjf $MRT/cache/gnupg-2.1.0.tar.bz2 pushd gnupg-2.1.0 ./configure --prefix=$MRTRT make The compilation fails while linking t-sexputil in common. Here are the last few lines of the build process: gcc -DHAVE_CONFIG_H -I. -I.. -I../gl -I../intl -DLOCALEDIR=\/Users/ramsey/Developer/MRT/runtime/share/locale\ -DGNUPG_BINDIR=\/Users/ramsey/Developer/MRT/runtime/bin\ -DGNUPG_LIBEXECDIR=\/Users/ramsey/Developer/MRT/runtime/libexec\ -DGNUPG_LIBDIR=\/Users/ramsey/Developer/MRT/runtime/lib/gnupg\ -DGNUPG_DATADIR=\/Users/ramsey/Developer/MRT/runtime/share/gnupg\ -DGNUPG_SYSCONFDIR=\/Users/ramsey/Developer/MRT/runtime/etc/gnupg\ -DGNUPG_LOCALSTATEDIR=\/Users/ramsey/Developer/MRT/runtime/var\ -I/Users/ramsey/Developer/MRT/runtime/include -I/Users/ramsey/Developer/MRT/runtime/include -I/Users/ramsey/Developer/MRT/runtime/include -g -O2 -Wall -Wno-pointer-sign -Wpointer-arith -MT t-sexputil.o -MD -MP -MF .deps/t-sexputil.Tpo -c -o t-sexputil.o t-sexputil.c mv -f .deps/t-sexputil.Tpo .deps/t-sexputil.Po gcc -I/Users/ramsey/Developer/MRT/runtime/include -I/Users/ramsey/Developer/MRT/runtime/include -I/Users/ramsey/Developer/MRT/runtime/include -g -O2 -Wall -Wno-pointer-sign -Wpointer-arith -o t-sexputil t-sexputil.o libcommon.a ../gl/libgnu.a -L/Users/ramsey/Developer/MRT/runtime/lib -lgcrypt -lgpg-error -lassuan -L/Users/ramsey/Developer/MRT/runtime/lib -lgpg-error -L/Users/ramsey/Developer/MRT/runtime/lib -lgpg-error -liconv Undefined symbols for architecture x86_64: _default_errsource, referenced from: _parse_ber_header in libcommon.a(libcommon_a-tlv.o) _parse_sexp in libcommon.a(libcommon_a-tlv.o) ld: symbol(s) not found 
for architecture x86_64 clang: error: linker command failed with exit code 1 (use -v to see invocation) make[3]: *** [t-sexputil] Error 1 make[2]: *** [all] Error 2 make[1]: *** [all-recursive] Error 1 make: *** [all] Error 2 I'm not sure why this error is occurring, which is why I am reporting it here, per instructions in the README. Am I forgetting to specify an option to configure? Is the configuration subsystem missing something about my system's setup? Please advise. I'm happy to provide any other details if necessary. You'll need to apply the following patch for compiling GnuPG (the patch is made to be applied before ./configure is executed): https://sourceforge.net/p/gpgosx/source/ci/master/tree/patches/makefile.patch And most likely, you'll run into another build error in dirmgr. This can be fixed by editing dirmgr/Makefile and deleting -R/path/to/somewhere from LDFLAGS -Patrick ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Error building GnuPG modern 2.1.0 on Yosemite
On 07.11.14 07:44, Werner Koch wrote:
> On Thu, 6 Nov 2014 19:37, bigh...@gmail.com said:
>> I tried to compile 2.1.0 today and ran into an issue. I have the latest autoconf/m4/gnu toolchain and all of the latest libraries that GnuPG needs.
>
> It is kind of funny that GnuPG as most autoconf enabled programs build fine on so many Unix platform but not on OS X we should be a modern Unix. One of the reasons might be that GnuPG uses a small part of gnulib (gl/) but does not follow all the gnulib updates to avoid regressions.
>
>> ../gl/stdint.h:62:31: error: _types/_intmax_t.h: No such file or directory
>> ../gl/stdint.h:63:32: error: _types/_uintmax_t.h: No such file or directory
>
> This problem seems to cause by the hack below. We hoped that this would fix the problems but obviously it didn't on all machines. You may try to revert that patch. For 2.0.1 I'd really like to get access to a decent OS X box to test the build before releasing it.

I'm currently using Mavericks (10.9) with Xcode 6.1. I can imagine that this is different on Yosemite (10.10) and/or a different version of XCode. :-(

Which version of XCode do you (Mel) use?

-Patrick
Re: PGP/MIME considered harmful for mobile
On 25.02.11 07:43, Robert J. Hansen wrote:
> On 2/24/11 10:15 PM, Daniel Kahn Gillmor wrote:
>> my colleague is using the application named email, version 2.2.2 on a stock 2.2.1 motorola droid.
>
> My problem is reproducible on a stock Droid X running 2.2.something -- just got off a very long flight, funeral in the morning: I'll dig the precise version number tomorrow.

The only mail client on Android I know of to handle OpenPGP messages is K9 (together with APG). But K9 only supports inline-PGP, PGP/MIME messages are not displayed.

-Patrick
Re: recursive gpg
David SMITH wrote:
> On Thu, Aug 07, 2008 at 09:54:13AM -0600, Eliot, Christopher wrote:
>> gpg arguments `find . -type f` will get you pretty close.
>
> Close, but if you've got lots of files, you'll hit the maximum command line length limit.

You have these two options:

a) find . -type f -exec gpg arguments {} \;
   {} stands for the found filename
b) find . -type f | xargs gpg arguments

HTH

-Patrick
Re: filtering signed email with thunderbird
Ramon Loureiro wrote:
> Hi! Is it possible to make a thunderbird filter that save my signed msgs in some folder? What in the email header must the filter check to see it has a (valid) signature? Or must it look for BEGIN PGP... strings into the body of the msg?

Not really. Unfortunately Thunderbird doesn't allow to easily extend message filter for such purposes, that's why there is no such feature in Enigmail.

-Patrick
Re: GnuPG v2.x?
Werner Koch wrote:
> [...] necessary enhancements to their S/MIME implementation. The way Mozilla works is basically: Show a positive result but don't annoy the user if the signature is suspicious. The fact that Mozilla may fall back to 40 bit RC4 encryption may indicate that the developers do not consider privacy a major goal.

I think that last statement is no longer true. As of Thunderbird 2.0, SeaMonkey 1.1 and Firefox 2.0 all 40 bit algorithms are disabled by default (but the user may still enable them if he knows how to change hidden prefs).

-Patrick
Re: GnuPG agent and non-shell application
Noiano wrote:
> Hi everybody I have GnuPg 1.4.6 installed and I have my .gnupg directory as a symbolic link pointing to an encrypted partition. As soon as I need my keys I mount the encrypted partition and the symbolic link is resolved with no problem. The problem is the use of gnupg agent: I type gpg-agent --daemon gpg-agent-info so that the variable information are stored to that file. Under my .bashrc I have added the following line source gpg-agent-info so that the variable is correctly set up. The problem is the use of gnupg agent with program such as thunderbird, kpgp. They cannot see the variable GPG_AGENT_INFO as all shells do. I cannot set anything in .xsession because the encrypted partition isn't mounted on boot but on demand. Could you please tell me a reasonable solution for this matter?

Start Thunderbird (or kgpg) with a wrapper program that checks if gpg-agent is running and if yes export GPG_AGENT_INFO from your gpg-agent-info file. I found that gpg-connect-agent is quite nice to do this. Something like this should do the job:

    #!/bin/bash
    # Load the agent socket information written by "gpg-agent --daemon"
    source /path/to/gpg-agent-info
    export GPG_AGENT_INFO
    # Ask the agent to echo "OK"; a non-zero exit status means it is not reachable
    gpg-connect-agent <<EOT
    /echo OK
    EOT
    if [ $? -ne 0 ]; then
      ## gpg-agent is not running
      unset GPG_AGENT_INFO
    fi
    # Pass all arguments through unchanged
    exec /path/to/thunderbird "$@"

-Patrick
Re: Decrpytion not automatically possbible
Burkhard Schroeder wrote:
> Hi, I got the same problem with Thunderbird and Evolution: encryption is working perfect, but decryption not. I have to store the textfile manually, and then to decrypt it as a file :-( But I did not change nothing. I got the message only in german:
>
> Fehler - Entschlüsselung fehlgeschlagen gpg Kommandozeile und Ausgabe: /usr/bin/gpg --charset utf8 --batch --no-tty --status-fd 2 -d --use-agent
> gpg: Schwierigkeiten mit dem Agenten - Agent-Ansteuerung wird abgeschaltet
> gpg: Passwortsatz kann im Batchmodus nicht abgefragt werden
> gpg: Ungültige Passphrase; versuchen Sie es bitte noch einmal ...
> gpg: Passwortsatz kann im Batchmodus nicht abgefragt werden
> gpg: Ungültige Passphrase; versuchen Sie es bitte noch einmal ...
> gpg: Passwortsatz kann im Batchmodus nicht abgefragt werden
> gpg: verschlüsselt mit 4096-Bit ELG-E Schlüssel, ID 488E0745, erzeugt 2005-07-23 Burkhard Schroeder [EMAIL PROTECTED]
> gpg: Entschlüsselung mit Public-Key-Verfahren fehlgeschlagen: Falsche Passphrase
> gpg: Entschlüsselung fehlgeschlagen: Geheimer Schlüssel ist nicht vorhanden

I don't know why Evolution would try to use gpg-agent, but at least in Thunderbird/Enigmail make sure that the option Use gpg-agent for passphrases is turned OFF. Furthermore, make sure that there is no GPG_AGENT_INFO environment variable set.

-Patrick
Re: [Announce] GnuPG 2.0.6 released
Werner Koch wrote:
> * Improved Windows support.

Werner, do you also plan to create binary releases (i.e. installers) for Windows?

-Patrick
Re: OpenPGP and usability
Werner Koch wrote:
> On Fri, 10 Aug 2007 13:43, [EMAIL PROTECTED] said:
>> At least Thunderbird openly invites plugins and Enigmail is a good one.
>
> Let Patrick explain you why there are still problems.

The user interface may be nice indeed, and the whole extension seems to be quite well-integrated into Thunderbird, but in the background I can tell you there are many hacks and workarounds needed to get things running. Still, after more than 6 years of development, there are parts of the code in Enigmail that I would call fragile

> Have you ever tried to work with the Mozilla Foundation on allowing better integration of certain plugins? For example supporting non-NSS based crypto?

The main problem is that Thunderbird is very open for add-ons related to the user interface, but once you dig into the core of the application, it's no longer so well extensible. This is especially true for some of the existing core parts. Some bits date back to Netscape 4.0 (or even earlier) and have not been redesigned ever since then -- you can imagine what follows now.

-Patrick
Re: OpenPGP and usability
Werner Koch wrote:
>> Problem 2: PGP/MIME. Correspondents who were using PGP/MIME for attachments found massive interoperability problems. Apparently, Enigmail has an idiosyncratic way of doing PGP/MIME which causes heartache and woe for non-Enigmail users. (I haven't confirmed this; this is just according to him.)
>
> It is really a shame that the one Free Software project which is known by more than the computer geeks - namely Mozilla - is refusing to support an established standard like PGP/MIME. We have had several implementations of it over the years for the new mail component (now known as Thunderbird) but all of them have been refused without giving good reasons. In this regard Thunderbird is no better than Outlook!

But there is Enigmail, and I'm doing my best to integrate it as neatly as possible into Thunderbird ;-)

> BTW: We would be able to solve the Outlook PGP/MIME sending problem if we could informally agree on a variant of the Content-Type header which gets checked by PGP/MIME aware MUAs before they use the real Content-Type. Yes, it would be an ugly hack but very helpful.

What precisely would you need (or send)? I would be open to implement such a solution in Enigmail, if it helps!

-Patrick
Re: Ownership of usb device with udev.
Guillaume Yziquel wrote:
> Werner Koch wrote:
>> On Fri, 29 Jun 2007 11:38, [EMAIL PROTECTED] said:
>>> Visibly, purging pcscd does not solve the problem. Concerning permissions, I guess I have some work to do:
>>
>> Indeed. That is your problem. Use lsusb to figure out where the SCR335 is attached and the manually update the ownership for testing. The HOWTO has hints on how to install the hotplug stuff.
>
> I read the hotplug stuff was deprecated, and that udev should be used instead. The output of lsusb -v concerning the smart card reader follows. My main problem is that I do not really understand how udev works. I understood there was lots of renaming involved. And with all these renamings, I do not really know how to make ownership changes. I'd really love to find a good document on how udev works. In particular with debian.

The basic idea with udev is that you define rules for defining the group and permission of devices (and other actions such as launching applications). Here is a how-to that explains how these things work: http://reactivated.net/writing_udev_rules.html

In your case you should create a file containing something like the example below (everything on one line) and place it into /etc/udev/rules.d. Check the README in /etc/udev/rules.d for the file naming conventions.

    SYSFS{idProduct}=="5115", SYSFS{idVendor}=="04e6", MODE="660", GROUP="myspecialgroup"

HTH

-Patrick
Re: Can't run GPG --recv-keys under Windows Vista.
Alessandro Vesely wrote:

Henry Hertz Hobbit wrote:

1. Vista considers the %ProgramFiles% area as semi-protected. Since GnuPG is installing into this area, it is a reason for concern.

Next question is Why is GnuPG installing into this area?

According to Microsoft's recommendations (for those who care ;-) ) %ProgramFiles% is the place where executable programs should be installed to. That's the place where *any* software should be installed, such that programs and user data are separate.

-Patrick
Re: Can't run GPG --recv-keys under Windows Vista.
Moses wrote:

Hi, I've installed gpg on Windows Vista recently, but it seems not all the functions work well when I try to receive keys from a keyserver. Here is the command I typed:

gpg --keyserver subkeys.pgp.net --recv-keys

After hitting RETURN, I got errors immediately like this:

gpgkeys: hkp fetch error 1: unsupported protocol

The same command works well on Windows XP. I've checked the environment variable %PATH%, and gpg's directory is in it. Any ideas?

This is a well-known issue on Vista. See e.g. here for the solution: http://lists.gnupg.org/pipermail/gnupg-users/2007-March/030595.html

-Patrick
Re: Decrypting multiple files gives errors
This is a new security feature. Use the new option --allow-multiple-messages to avoid the error.

-Patrick

fourthirtysix wrote:

is there another forum where i can ask this? i've used gnupg for a long time and now i'm losing some faith in its stability due to this problem... thanks

fourthirtysix wrote:

I'm getting errors when i try to decrypt multiple files at the same time with --decrypt-files. When I do files individually, they seem to decrypt fine. When I do multiple files, the first file decrypts fine, but all the others give errors like this:

gpg: encrypted with 2048-bit ELG-E key, ID 12345678, created 2007-01-01 John Smith [EMAIL PROTECTED]
gpg: WARNING: multiple plaintexts seen
gpg: handle plaintext failed: unexpected data

I'm using gpg (GnuPG) 1.4.6 on Ubuntu 7.10 and this error is occurring on two different computers using the same keys. Please help! I don't want to have to decrypt one at a time! Thanks
Re: Problem interoperating with PGP Universal?
David Shaw wrote:

On Sat, Mar 31, 2007 at 11:29:54PM +0200, Patrick Brunschwig wrote:

Blumenthal, Uri wrote:

I am trying to get cleartext-signed PGP/MIME messages produced by PGP Universal 2.5.3, verified by email clients (Thunderbird-1.5.0.10 + Enigmail-0.94.2 + GPG-1.4.7). So far my experience is:

- Pure plaintext (neither PGP/MIME nor PGP/Partitioned) messages are verified OK.
- PGP/MIME encrypted and signed messages are decrypted and verified OK.
- PGP/MIME or PGP/Partitioned messages (HTML body and/or attachments) fail signature verification, with error message from GPG: Cleartext signature without data

I've submitted help request to Enigmail list, but perhaps somebody here can advise me regarding this issue? Maybe there are settings at PGP Universal that should be changed to make its output friendlier? Or maybe there are GPG setting that would allow verification of those emails? I'll be grateful for any help! Thank you!

I can provide some more details on this. GnuPG 1.4.7 returns with this error message

gpg: can't handle this ambiguous signature data.

This is the detached signature that comes with such a message:

-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 2.5.3

qANQR1DEDQMBAhH9zteyosL+MwHCPwMFAUYL2iX9zteyosL+MxECC8QAnRhWP2Sx
Ex7VcRL+wBVB2C7lksYAAKCYHvRP7E8vA5jKNgigU0o4kbFn4w==
=lOCI
-----END PGP SIGNATURE-----

That's just a regular signature. How does Enigmail call GPG to do the verification?

David

To be 100% clear: Uri has sent me the attached message msg-dump-bad.txt, which I extracted to file.txt and file.txt.asc. If I call gpg (1.4.7) with:

gpg --verify file.txt.asc file.txt

I get:

gpg: can't handle this ambiguous signature data

That's all the information I have. As far as I can tell, the message itself looks perfectly fine.
-Patrick

X-Account-Key: account3
X-UIDL: UID26-1174947114
X-Mozilla-Status: 0001
X-Mozilla-Status2:
Return-path: [EMAIL PROTECTED]
Envelope-to: [EMAIL PROTECTED]
Delivery-date: Thu, 29 Mar 2007 10:24:19 -0500
Received: from wmout1.bear.com ([207.162.228.85]:31504) by serv01.siteground172.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.63) (envelope-from [EMAIL PROTECTED]) id 1HWwU7-0001uq-5a for [EMAIL PROTECTED]; Thu, 29 Mar 2007 10:24:19 -0500
Received: from pwepgp1.bear.com ([207.162.228.88]) by wmout1.bear.com with ESMTP; 29 Mar 2007 11:24:21 -0400
Received: from wmout2.bear.com ([207.162.228.86]) by pwepgp1.bear.com (PGP Universal service); Thu, 29 Mar 2007 11:24:21 -0400
X-PGP-Universal: processed; by pwepgp1.bear.com on Thu, 29 Mar 2007 11:24:21 -0400
Received: from bearh2.bear.com ([207.162.228.214]) by wmout2.bear.com with ESMTP; 29 Mar 2007 11:24:21 -0400
X-Bear-PGP: Process
Received: from bear.com (localhost [127.0.0.1]) by bearh2.bear.com (8.9.3/8.9.2) with SMTP id LAA13237; Thu, 29 Mar 2007 11:23:43 -0400 (EDT)
Received: from whexchmb05.bsna.bsroot.bear.com ([147.107.87.130]) by pwhdtwexcbho01.bsna.bsroot.bear.com with Microsoft SMTPSVC(5.0.2195.6713); Thu, 29 Mar 2007 11:23:41 -0400
X-MimeOLE: Produced By Microsoft Exchange V6.0.6603.0
MIME-Version: 1.0
Subject: [PGP-signed] Attempt to send plaintext only
Date: Thu, 29 Mar 2007 11:23:38 -0400
Message-ID: [EMAIL PROTECTED]
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [PGP-signed] Attempt to send plaintext only
Thread-Index: AcdyFjcYbqJ8AwSPSBuZ4iF9Kcxs3Q==
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
X-OriginalArrivalTime: 29 Mar 2007 15:23:41.0688 (UTC) FILETIME=[3B86B780:01C77216]
X-PGP-Encoding-Version: 2.0.2
Content-Type: multipart/signed; boundary=PGP_Universal_46D9C7F5_87BE5EA9_8D4C448C_636331FE; protocol=application/pgp-signature; micalg=pgp-sha1

--PGP_Universal_46D9C7F5_87BE5EA9_8D4C448C_636331FE
content-class: urn:content-classes:message
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

Yes, Thank you! -- Regards, Uri Blumenthal Disclaimer

--PGP_Universal_46D9C7F5_87BE5EA9_8D4C448C_636331FE
Content-Type: application/pgp-signature; x-mac-type=70674453; name=PGP.sig
Content-Disposition: attachment; filename=PGP.sig

-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 2.5.3

qANQR1DEDQMBAhH9zteyosL+MwHCPwMFAUYL2iX9zteyosL+MxECC8QAnRhWP2Sx
Ex7VcRL+wBVB2C7lksYAAKCYHvRP7E8vA5jKNgigU0o4kbFn4w==
=lOCI
-----END PGP SIGNATURE-----

--PGP_Universal_46D9C7F5_87BE5EA9_8D4C448C_636331FE--
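Added example (not part of the original posts, and not GnuPG or Enigmail code): a small Python lister for the OpenPGP packets inside the PGP.sig block quoted in the message above, following the packet header and version 3 signature layouts of RFC 4880. The function names are illustrative assumptions, and the armor lines are written with their full five dashes.

```python
import base64

# Armored detached signature (PGP.sig) as quoted in the message above.
ARMORED_SIG = """\
-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 2.5.3

qANQR1DEDQMBAhH9zteyosL+MwHCPwMFAUYL2iX9zteyosL+MxECC8QAnRhWP2Sx
Ex7VcRL+wBVB2C7lksYAAKCYHvRP7E8vA5jKNgigU0o4kbFn4w==
=lOCI
-----END PGP SIGNATURE-----
"""
TAG_NAMES = {2: "Signature", 4: "One-Pass Signature", 10: "Marker"}
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256"}


def dearmor(text):
    """Return the binary payload of an armored block (CRC-24 line not checked)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    body = []
    for ln in lines[lines.index("") + 1:]:   # armor headers end at the blank line
        if ln.startswith("=") or ln.startswith("-----"):
            break                            # checksum line or armor tail
        body.append(ln)
    return base64.b64decode("".join(body))


def split_packets(data):
    """Split bytes into (tag, body) OpenPGP packets (RFC 4880, section 4.2)."""
    packets, i = [], 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("bit 7 clear: not a packet header")
        if hdr & 0x40:                       # new-format header
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths not handled here")
        else:                                # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled here")
            n = 1 << ltype                   # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        packets.append((tag, data[i:i + length]))
        i += length
    return packets


def v3_signature_fields(body):
    """Decode the fixed fields of a version 3 Signature packet (section 5.2.2)."""
    if body[0] != 3 or body[1] != 5:
        raise ValueError("not a version 3 signature packet")
    return {
        "sig_type": body[2], "created": int.from_bytes(body[3:7], "big"),
        "key_id": body[7:15].hex().upper(), "pubkey_algo": body[15],
        "hash": HASH_NAMES.get(body[16], "unknown (%d)" % body[16]),
    }


def summarize(armored):
    packets = split_packets(dearmor(armored))
    names = [TAG_NAMES.get(tag, "tag %d" % tag) for tag, _ in packets]
    sig = next(body for tag, body in packets if tag == 2)
    return names, v3_signature_fields(sig)
```

For this block, `summarize(ARMORED_SIG)` lists a Marker packet, a One-Pass Signature packet and a Signature packet, and the signature packet declares SHA1, which agrees with `micalg=pgp-sha1` in the dumped Content-Type header.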
Re: GnuPG incompatible with windows-vista ?
Werner Koch wrote:

On Wed, 14 Mar 2007 03:41, [EMAIL PROTECTED] said:

If anyone is building on Vista (or building elsewhere but using it on Vista), try this patch.

I have built a version with that patch. The upx packed gpg.exe binary is available at: ftp://ftp.g10code.com/g10code/scratch/gpg.exe

$ sha1sum gpg.exe
9dbde44dc9275e2b4918839c7a789040dda0a64b gpg.exe

I happen to have a Vista installation. I tried to download and upload keys from hkp servers -- the patched version of gpg is working fine here :-)

-Patrick
Re: installed pinentry not found by gpg-agent/gpg2
snowcrash+gnupg-users wrote:

hi,

does it really need to be in /usr/bin? as above, i've installed it purposefully in

% ls -al `which pinentry-qt`
-rwxr-xr-x 1 root admin 2245584 2007-01-21 11:29 /usr/local/bin/pinentry-qt

and, the symlink to it already exists,

% ls -al `which pinentry`
lrwxr-xr-x 1 root admin 11 2007-01-21 11:29 /usr/local/bin/pinentry -> pinentry-qt

and, i already have,

% grep pinentry gpg-agent.conf
pinentry-program /usr/local/bin/pinentry-qt

Does pinentry-qt work at all? Try to start pinentry-qt from the command line, and if it starts type the following lines on the prompt:

SETDESC This is a test
GETPIN

-Patrick
Re: GnuPG "Binaries" to USE GnuPG with Windows?
Tom - Hwy101 wrote:

Where are the 'Binaries' for Using GnuPG with Windows; AND, what do I do with to Use GnuPG with Thunderbird, Enigmail Extension? Thanks

You can get GnuPG from: ftp://ftp.no.gpg4win.org

After you have installed GnuPG, start Thunderbird with Enigmail installed. It will usually find GnuPG automatically. Then, the easiest way to get started is to use the Wizard which opens if you compose a new message and click on the PGP icon.

-Patrick
Re: [Announce] GnuPG: remotely controllable function pointer [CVE-2006-6235]
Ludwig Hügelschäfer wrote:

Hi,

Malte Gell wrote on 08.12.2006 14:19 Uhr:

Hm, GnuPG 1.4.5 (unpatched)/KMail 1.8.2 reports invalid signed message... Maybe my gpg.conf is messed or is this due to changes in gpg 1.4.5? Thanx.

Enigmail didn't even indicate a signed message :-((

True yes. I have to find out why ...

-Patrick
Re: GnuPG: remotely controllable function pointer [CVE-2006-6235]
Patrick Brunschwig wrote:

Ludwig Hügelschäfer wrote:

Hi,

Malte Gell wrote on 08.12.2006 14:19 Uhr:

Hm, GnuPG 1.4.5 (unpatched)/KMail 1.8.2 reports invalid signed message... Maybe my gpg.conf is messed or is this due to changes in gpg 1.4.5? Thanx.

Enigmail didn't even indicate a signed message :-((

True yes. I have to find out why ...

Interesting ... I found that Werner's mails are PGP/MIME signed, with

micalg=sha1

However, according to RFC 3156, this is not valid, the parameter would have to be as follows, and thus it's not recognized as valid by Enigmail:

micalg=pgp-sha1

Is there a new version of the RFC that I'm not aware of, or is it just a bug of Werner's mail client? In general, is it a good idea to interpret the RFC so strictly for this, or is it better to be a bit more relaxed?

-Patrick
Re: gpg error messag
Jim Dever wrote:

David Shaw wrote:

You might be able to manipulate things into verifying the signature by editing the file to change the SHA1 string to SHA256, but the real problem is probably in whatever program generated the message.

Thanks! I thought that might be the problem although I didn't know how to determine what hash the message was actually using. What's ridiculous is that the message was produced by the PGP Global Directory keyserver. The message is PGP/MIME in HTML format and I don't even see a HASH string in the message source at all.

The hash string should be in the message header, something like

Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature";

I'm pretty sure that something is defined -- Enigmail will not try to verify the message if no hash algorithm is provided.

-Patrick
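Added example (not from the original posts and not Enigmail's code): a Python check of the micalg parameter discussed in the two messages above, with a strict RFC 3156 mode and a lenient mode that accepts a bare hash name but reports it as nonconforming. The function name, the verdict strings and the two constructed headers are illustrative assumptions.

```python
from email.message import Message

# Hash text names from RFC 4880 section 9.4, lower-cased as RFC 3156 section 5
# prescribes. Policy choice of this example: the obsolete names RFC 3156 also
# lists (md2, tiger192, haval-5-160) are left out.
KNOWN_HASHES = {"md5", "sha1", "ripemd160", "sha256", "sha384", "sha512", "sha224"}

# Content-Type value of the PGP Universal message dumped earlier on this page.
PGP_UNIVERSAL = ("multipart/signed; "
                 "boundary=PGP_Universal_46D9C7F5_87BE5EA9_8D4C448C_636331FE; "
                 "protocol=application/pgp-signature; micalg=pgp-sha1")
# Constructed header carrying the bare hash name described in the post.
BARE_SHA1 = ('multipart/signed; micalg=sha1; '
             'protocol="application/pgp-signature"; boundary="b1"')
# Constructed header for a signed multipart that announces no hash at all.
NO_MICALG = 'multipart/signed; protocol="application/pgp-signature"; boundary="b2"'


def check_micalg(content_type, strict=True):
    """Classify a Content-Type value for PGP/MIME signature handling.

    Returns (verdict, hash_name) where verdict is one of:
      "not-pgp-mime"   not multipart/signed with the OpenPGP protocol
      "ok"             micalg has the RFC 3156 form pgp-<hash>
      "nonconforming"  known hash without the "pgp-" prefix (lenient mode only)
      "reject"         micalg missing, unknown, or malformed for the chosen mode
    """
    msg = Message()
    msg["Content-Type"] = content_type
    if msg.get_content_type() != "multipart/signed":
        return ("not-pgp-mime", None)
    protocol = msg.get_param("protocol")
    if not isinstance(protocol, str) or protocol.lower() != "application/pgp-signature":
        return ("not-pgp-mime", None)
    micalg = msg.get_param("micalg")
    if not isinstance(micalg, str):
        return ("reject", None)              # no hash algorithm announced
    micalg = micalg.strip().lower()
    if micalg.startswith("pgp-") and micalg[4:] in KNOWN_HASHES:
        return ("ok", micalg[4:])
    if not strict and micalg in KNOWN_HASHES:
        return ("nonconforming", micalg)     # usable, but worth logging
    return ("reject", None)


if __name__ == "__main__":
    for value in (PGP_UNIVERSAL, BARE_SHA1, NO_MICALG):
        print(check_micalg(value, strict=True), check_micalg(value, strict=False))
```

The micalg parameter only announces the hash; the OpenPGP signature packet names the algorithm that was actually used, so the lenient verdict decides whether verification is attempted, not what the verifier accepts.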
Re: GPG and PGP Compatibility
Alphax wrote:

Conan Purves wrote:

Hello everybody,

<snip>

When I encode attachments, it gives them a .gpg suffix. My colleagues who are using PGP Desktop cannot decode those files. Though I can decode their files, either using the gpgee contextual menu or automatically through enigmail. Practically speaking, is there a solution for this? My colleagues are most likely going to want to continue using PGP Desktop.

Although it's only freeware and not open source, GPGShell http://www.jumaros.de/rsoft/index.html will give you explorer and system tray integration, and let you use a .pgp extension. I've filed an RFE at http://bugzilla.mozdev.org/show_bug.cgi?id=15442.

There's no need for an RFE against Enigmail. There are preferences available that allow to modify the default .pgp to something else (the prefs are not available via GUI).

-Patrick
Re: German umlauts in passphrase
Werner Koch wrote:

On Mon, 17 Jul 2006 12:27, Karl Kashofer said:

So, how would I examine the charset tables? The UserID and other information printed by GnuPG is correctly displayed with all the umlauts. How do I find out what character I have to type to get the umlaut in my passphrase?

You need to try. There is no conversion inside gpg and gpg uses whatever you type/feed. I see that this is a problem between different platforms. However there is no real solution for this problem because it would break all non-ASCII passphrases currently in use.

How about some new command line parameters that specify the charset of the passphrase provided and/or the charset in which the passphrase is stored on the keyring?

-Patrick
Re: Enigmail Problem???
I don't think it's related to Enigmail since it does not add/modify/remove any code of the addressing widgets.

-Patrick

I posted this on the Thunderbird Forums. I thought that it might have something to do with Enigmail/GnuPG... I thought I might get an opinion from another perspective. What do you guys think?

Sometimes (maybe 2/5 times) Thunderbird will crash when I start typing an address into the To:/cc:/bcc/etc. entry box to get the autocomplete list of contacts. This happens if I:

-write a new message
-reply/reply-to-all to a message
-forward a message

But again, this only happens sometimes; it seems to be random also. When the dialog comes up (in Windows XP) that says Thunderbird is experiencing an error and needs to close... I look in the details, and it says the module name (after thunderbird.exe) is xpcom_core.dll. I've checked the TB directory and xpcom_core.dll *is* there. I thought it might be corrupted, so I searched the internet and downloaded another copy. I replaced it (backing up the old one) and it seemed to help. But about 10 minutes ago, it happened again. I really don't know why this is happening. The only thing I can think of is the Enigmail extension (which has caused problems before) but it is essential to my emails, so I can't afford to uninstall it.

Versions and extensions:
TB: 1.5.0.4 (build 20060516)
-Enigmail 0.94.0
-MinimizeToTray 0.0.1 (build 2006030906+)
-SwitchProxy Tool 1.4
Installed after crashes (so they logically shouldn't have anything to do with it)
-Lightning 0.1 (build) 2006031011
-AboutConfig 0.6
Re: GPGOL breaks Enigmail
Bob Henson wrote:

I decided to try GPGOL for the few occasions that I use Outlook. Unfortunately, since installing it, Enigmail's Key Management shows an empty screen and I cannot use GnuPG via Enigmail at all. How do I get out of this, please? In desperation I removed all the programs and registry entries that I could find relating to GPGOL, but it hasn't helped.

Does GPGOL install gpg, or does it modify the path to the GnuPG home directory?

-Patrick