Re: OpenLDAP schema to store OpenPGP keys?
On Thu, 03 Feb 2011, Sascha Silbe wrote:

> Excerpts from 's message of Mon Feb 20 10:56:32 +0100 2006:
> > Walter Haidinger schrieb am Samstag, dem 18. Feber 2006:
> > > Now, I'd like to setup an OpenLDAP server to store the OpenPGP keys
> > > (for use with GnuPG). [...] However, I was unable to find any schema
> > > definition...
> >
> > http://asteria.noreply.org/~weasel/PGPKeyserverSchema.zip
>
> Like Walter, I'd like to add OpenPGP keys to an LDAP server, but can't
> locate the schema used / understood by GnuPG. The file mentioned above
> has since gone. Where did the schema come from originally? If the
> license is GPL compatible, would it be possible to include it as part of
> the GnuPG documentation?

It came from PGP Corporation in 2003, licensed BSD style.

I've dug through my old mail and restored the file at
http://www.palfrader.org/pgp/PGPKeyserverSchema.zip

Cheers,
-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Printing Keys and using OCR (was: Proofreadable base64)
On Fri, 21 Sep 2007, Brian Smith wrote:

> Peter Palfrader wrote:
> > Nice idea. When trying to find decent backup methods for my new Tor
> > identity key I came across this thread. I played all day with ocr and
> > friends. In the course I wrote a small script that does what you
> > suggest. I tried to keep it small enough to print it along with
> > whatever data you have - I clearly failed there. But other than that
> > it works nicely.
> > That didn't work out so well at first - gocr had real trouble
> > distinguishing zeroes and the letter D like Delta.
>
> Why not use a 2D barcode like a QR code? A QR code will hold most
> typical keys, is easy for machines to read, is small, and has
> redundancy features that allow it to work even if you hole-punch or
> black out part of the code.

Because I like to have a fallback to entering the data manually. Who
knows how easy it will be to get barcode software for a specific version
of barcodes 10 years in the future. And will it even compile?

-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
Printing Keys and using OCR (was: Proofreadable base64)
On Mon, 28 May 2007, Peter S. May wrote:

> Not meaning to kick a dead thread

This must be a zombie by now :)

> I've come up with something which I haven't yet tried to implement but
> which I think would be interesting to try. Let's call it proofreadable
> base64. It's not terribly efficient, but we're going for recoverability
> more than efficiency. It goes something like this:
>
> We can assume that each line of our medium is capable of relaying 76
> relatively legible characters. The first 32 are data in normal base64.
> Then, there is a space and a CRC-24 as specified in OpenPGP. Then,
> there are two spaces. After this, the first part of the line is
> repeated, except it is as if it were filtered through the command:
>
> tr 'A-Za-z0-9+/=' '0-9A-Z+/=a-z'

Nice idea. When trying to find decent backup methods for my new Tor
identity key I came across this thread. I played all day with ocr and
friends. In the course I wrote a small script that does what you
suggest. I tried to keep it small enough to print it along with whatever
data you have - I clearly failed there. But other than that it works
nicely.

I used the OCR-A font available from a CTAN[0] mirror near you to print
the output of my script. Then I used gocr[1][2] (0.41-1 as shipped in
debian etch) to turn a scan back into data.

That didn't work out so well at first - gocr had real trouble
distinguishing zeroes and the letter D like Delta. Fortunately gocr has
an option to disable its internal recognition engine and instead use a
mode whereby it asks you about characters it doesn't recognize -
initially that's all of them - and writes that to a database. In the
end it asked me for about 300 chars out of 8000 - most of them at the
beginning of the text - but produced the original text with only a few
mishaps, which were caught easily using the encoding described above.

[maybe I should also try a more recent version of gocr]

If anybody wants to play with this, I uploaded my two scans to
http://asteria.noreply.org/~weasel/ocr/

To use gocr with the database learning and its internal recognition
engine turned off simply

  mkdir db; gocr -m 256 -m 130 -i 1.ppm -o 1.txt

I guess playing with encodings other than base64 might be the next step.
There was a strong point made for simply using base16, maybe with
different characters that play nicely with gocr using OCR-A.

Optar[2] is another nice tool which I tried today. While it does not
provide the "fallback to typing it all in" option it shows promise.
Using the default values I still had several bitflips after scanning in
the printout though. Future tests will probably include changing optar's
parameters to larger dots (I don't need 200kb per page), and maybe
preprocessing the data with par2.

Cheers,
Peter

0. http://www.ctan.org/
   http://www.ctan.org/cgi-bin/search.py?metadataSearch=ocr-a&metadataSearchSubmit=Search
1. http://packages.debian.org/gocr
   http://packages.debian.org/etch/gocr
   http://jocr.sourceforge.net/
2. http://ronja.twibright.com/optar/
3. http://www.par2.net/

-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/

#!/usr/bin/perl
# Encode (-e) arbitrary bytes into printable, proofreadable lines, or
# decode (-d) such lines back.  Each output line carries the same 18 raw
# bytes twice: once as plain base64, once passed through the tr mapping
# from the thread, with 12 hex chars of the chunk's SHA-1 in between so
# the decoder can tell which copy survived the scan.
use strict;
use warnings;
# Digest::SHA ships with core Perl and provides the same sha1_hex() the
# original Digest::SHA1 did.
use Digest::SHA qw(sha1_hex);
use MIME::Base64;

if (@ARGV != 1 || $ARGV[0] !~ /^-[de]$/) {
    die "Usage: $0 -d|-e\n";
};

if ($ARGV[0] eq '-e') {
    # encoding.  not needed for decoding
    undef $/;
    my ($bytes, $totallength, $totalhash, $line);
    $bytes = <STDIN>;
    $totallength = length($bytes);
    $totalhash = sha1_hex($bytes);
    $line = 1;
    printf("line   data in base64           first 12 chars base64 with tr\n");
    printf("                                of sha1 in hex 'A-Za-z0-9+/=' '0-9A-Z+/=a-z'\n");
    printf("-A-B-C-\n");
    while (length($bytes) > 0) {
        my ($this, $encoded, $tred, $hash);
        $this = substr($bytes, 0, 18, '');
        $encoded = encode_base64($this, '');
        ($tred = $encoded) =~ tr#A-Za-z0-9+/=#0-9A-Z+/=a-z#;
        $hash = substr( sha1_hex($this), 0, 12);
        printf("%06d %-24s %s %-24s\n", $line++, $encoded, $hash, $tred);
    };
    printf("-A-B-C-\n");
    print("XX total length: $totallength\n");
    print("XX SHA1: $totalhash\n");
} else {
    # decoding
    my (@bytes, $line, $found_marker, $exit);
    $exit = 0;
    $line = 0;
    $found_marker = 0;
    # skip everything up to the start marker
    while (<STDIN>) {
        chomp;
        if ($_ eq '-A-B-C-') {
            $found_marker = 1;
            last;
        };
    };
    unless ($found_marker) {
        die ("Did not find start marker '-A-B-C-' in input\n");
    };
    $found_marker = 0;
    while (<STDIN>) {
        $line++;
        chomp;
        if ($_ eq '-A-B-C-') {
            $found_marker = 1;
            last;
        };
        my ($l, $d, $h, $t, $t2, $decoded_d, $decoded_t, $hashd, $hasht, $bytes) = split;
        $bytes = '';
        ($t2 = $t) =~ tr#0-9A-Z+/=a-z#A-Za-z0-9+/=#;
        $decoded_d = decode_base64($d);
        $decoded_t = decode_base64($t2);
        $hashd = substr( sha1_hex($decoded_d), 0, 12);
        # The archived copy of the script ends at the line above; the
        # remainder is reconstructed from the encoder: take whichever copy
        # of the data matches the printed hash, complain if neither does.
        $hasht = substr( sha1_hex($decoded_t), 0, 12);
        if ($hashd eq $h) {
            $bytes = $decoded_d;
        } elsif ($hasht eq $h) {
            $bytes = $decoded_t;
        } else {
            warn "line $line (no. $l): neither copy matches hash $h\n";
            $exit = 1;
        };
        push @bytes, $bytes;
    };
    unless ($found_marker) {
        die ("Did not find end marker '-A-B-C-' in input\n");
    };
    print join('', @bytes);
    exit $exit;
};
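The scheme Peter S. May describes above (32 base64 characters, a space, an OpenPGP CRC-24, two spaces, then the same 32 characters through the tr mapping) as an added Python example. This is not Peter's Perl script and not part of the original thread; it assumes the CRC-24 is computed over the raw bytes of each 24-byte chunk (as OpenPGP armor does) and is printed as four base64 characters, and it shows the decoder picking whichever copy of a line the CRC still matches, which is what makes the format survive an OCR misread.

```python
import base64
import binascii

# CRC-24 as used by OpenPGP ASCII armor (RFC 4880, section 6.1).
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

# The tr(1) mapping from the proposal, and its inverse.  '=' maps to itself,
# so base64 padding survives the transformation.
TR_FROM = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
TR_TO = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ+/=abcdefghijklmnopqrstuvwxyz"
TR_FWD = str.maketrans(TR_FROM, TR_TO)
TR_REV = str.maketrans(TR_TO, TR_FROM)

BYTES_PER_LINE = 24  # 24 raw bytes -> 32 base64 characters


def crc24(data: bytes) -> int:
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def encode(data: bytes) -> str:
    """One line per 24-byte chunk: base64, space, CRC-24 of the raw chunk as
    four base64 chars, two spaces, the base64 again through the tr mapping."""
    lines = []
    for off in range(0, len(data), BYTES_PER_LINE):
        chunk = data[off:off + BYTES_PER_LINE]
        b64 = base64.b64encode(chunk).decode("ascii")
        crc = base64.b64encode(crc24(chunk).to_bytes(3, "big")).decode("ascii")
        lines.append(f"{b64} {crc}  {b64.translate(TR_FWD)}")
    return "\n".join(lines) + "\n"


def _b64(field: str):
    """Strict base64 decode; None if OCR produced something non-decodable."""
    try:
        return base64.b64decode(field, validate=True)
    except (binascii.Error, ValueError):
        return None


def decode(text: str) -> bytes:
    """Reassemble the bytes, using whichever copy of each line the CRC matches."""
    out = bytearray()
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        primary, crc_field, mirror = fields
        raw_a = _b64(primary)
        raw_b = _b64(mirror.translate(TR_REV))
        crc_bytes = _b64(crc_field)
        expected = int.from_bytes(crc_bytes, "big") if crc_bytes and len(crc_bytes) == 3 else None
        chosen = None
        for candidate in (raw_a, raw_b):
            if candidate is not None and expected is not None and crc24(candidate) == expected:
                chosen = candidate
                break
        if chosen is None and expected is None and raw_a is not None and raw_a == raw_b:
            # The CRC field itself was misread, but both copies agree: accept.
            chosen = raw_a
        if chosen is None:
            raise ValueError(f"line {lineno}: no copy matches the CRC-24")
        out += chosen
    return bytes(out)
```

A misread that turns one base64 character into another still decodes, so the CRC is what catches it; a misread that produces a character outside the alphabet fails strict decoding and the other copy is used directly. Either way the operator only has to retype the lines the decoder rejects.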
minimize not cleaning up broken binding sigs
I notice that gpg (1.4.6-svn4217) does only clean signatures from UIDs,
not from subkeys:

| Command> minimize
| User ID "Peter Palfrader": 605 signatures removed
| [..]
|
| [EMAIL PROTECTED]:~/tmp/g$ gpg --list-sigs
| ./pubring.gpg
| -------------
| pub   1024D/94C09C7F 1999-11-10
| uid                  Peter Palfrader
| sig 3N       94C09C7F 2006-08-03  Peter Palfrader
| [..]
| uid                  [jpeg image of size 7974]
| sig 3N       94C09C7F 2006-08-03  Peter Palfrader
| sub   1024D/AFA44BDD 2003-07-09 [expires: 2008-08-02]
| sig          94C00910 2005-06-05  [User ID not found]
| sig          94C09C7F 2006-08-03  Peter Palfrader
| sub   2048g/E8F4A328 2003-07-09 [expires: 2008-08-02]
| sig          94C00910 2005-06-05  [User ID not found]
| sig          94C00910 2005-06-05  [User ID not found]
| sig          94C09C7F 2006-08-03  Peter Palfrader

Should it clean those broken binding sigs by '94C00910' too?

Cheers,
Peter

-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
Re: Keyserver Software Recommendations
On Sat, 12 Aug 2006, David Shaw wrote:

> On Sat, Aug 12, 2006 at 10:42:45AM -0700, John Schofield wrote:
> > A year later, is SKS still the most-recommended keyserver software?
>
> In short, yes. Given your requirements, SKS is the best (and really
> only) choice. Make the effort, and if you have problems, ask on the SKS
> mailing list: http://lists.nongnu.org/mailman/listinfo/sks-devel

If you run sarge on the servers my package might be of use. You'll have
to build it yourself from source. Checkout the tree using

  svn co https://svn.clearairturbulence.org/debian-sks/trunk/sks

and then

  dpkg-buildpackage -rfakeroot -uc -us

it after installing the build dependencies. The package is not really
of the quality I'd like it to be, but it's not all that bad either.

Peter

-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
Re: [Sks-devel] key too large?
On Thu, 13 Jul 2006, David Shaw wrote:

> > gpg (GnuPG) 1.4.4-cvs, looks like a snapshot built around April 5th,
> > probably r4114. I don't see the problem on a different host with
> > what is quite likely r4189.
>
> There are no meaningful changes in gpgkeys_hkp between those two
> revisions. Can you reproduce this with --keyserver-options
> use-temp-files keep-temp-files and send me the temp file?

http://asteria.noreply.org/~weasel/gpg-20061714/tempin.txt
http://asteria.noreply.org/~weasel/gpg-20061714/tempout.txt

| [EMAIL PROTECTED]:~/public_html/gpg-20061714$ cat tempin.txt
| VERSION 1
| PROGRAM 1.4.4-cvs
| SCHEME hkp
| HOST keyserver.noreply.org
| PORT 80
| PATH /
| COMMAND SEND
|
|
| INFO DE7AAF6E94C09C7F BEGIN
| pub:DE7AAF6E94C09C7F:17:1024:942264711:0:
| uid:Peter Palfrader:951840856:0:
| sig:DBD245FCB3B2A12C:10:976528694:0
| sig:21AB0663B1AE9060:10:1042281434:0
[...]
| sub:7284C301B86DCE5F:16:2048:942264776:0:r
| sub:5AF2C377E8F4A328:16:2048:1057717115:1154458341:
| INFO DE7AAF6E94C09C7F END
| KEY 94c09c7f BEGIN
| -----BEGIN PGP PUBLIC KEY BLOCK-----
| Version: GnuPG v1.4.4-cvs (GNU/Linux)
|
| mQGiBDgp0YcRBACN9s8EycXRsu9ym3Sjou1NlPc+xz4ExlWtDOBoSlTzEJs0P/px
| xyPaZ+ampr//fT+6EZXsgl4EmbQzW+boPsJ9tXkD9owm36djlsgfMcSUBf7PS7Eu
[...]
| xCdqABIHZUdQRwABAQkQ3nqvbpTAnH9CPQCg2MeKjGOkR1974Y2FKcn2mk9bguMA
| oNI5EZKAzGXwZ+Hzpty0cfNDLk+I
| =Tbd+
| -----END PGP PUBLIC KEY BLOCK-----
| KEY 94c09c7f END
| [EMAIL PROTECTED]:~/public_html/gpg-20061714$ cat tempout.txt
| VERSION 1
| PROGRAM 1.4.4-cvs
|
| KEY 94c09c7f FAILED 8

HTH

-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
Re: [Sks-devel] key too large?
On Fri, 14 Jul 2006, David Shaw wrote:

> On Fri, Jul 14, 2006 at 04:14:43PM +0200, Peter Palfrader wrote:
> > On Thu, 13 Jul 2006, David Shaw wrote:
> > > > gpg (GnuPG) 1.4.4-cvs, looks like a snapshot built around April
> > > > 5th, probably r4114. I don't see the problem on a different host
> > > > with what is quite likely r4189.
> > >
> > > There are no meaningful changes in gpgkeys_hkp between those two
> > > revisions. Can you reproduce this with --keyserver-options
> > > use-temp-files keep-temp-files and send me the temp file?
> >
> > http://asteria.noreply.org/~weasel/gpg-20061714/tempin.txt
> > http://asteria.noreply.org/~weasel/gpg-20061714/tempout.txt
>
> Aha, fixed, thanks. Your armored key just happened to have text in it
> that looked like the KEY ... delimiter.

Thanks

-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
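The failure David describes above, an armored key containing a line that a loose match takes for the in-band KEY ... END delimiter, as an added Python example. This is not GnuPG's gpgkeys_hkp code, and the exact comparison the real bug used is not stated in the thread; the loose matcher here (any line starting with "KEY" that mentions "END") only models the class of mistake. The request below is constructed in the temp-file layout shown in the thread, with a fake armored body whose line "KEYjENDq..." is a perfectly legal base64 line.

```python
import re

# Constructed sample request in the gpgkeys_hkp temp-file layout shown in the
# thread.  The armored body is fake; the line starting "KEYjENDq" is chosen
# so that a loose delimiter match mistakes it for the end-of-key marker.
SAMPLE_REQUEST = """\
VERSION 1
PROGRAM 1.4.4-cvs
SCHEME hkp
HOST keyserver.example.org
PORT 80
PATH /
COMMAND SEND

KEY 94c09c7f BEGIN
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQGiBDgp0YcRBACN9s8EycXRsu9ym3Sjou1NlPc+xz4ExlWtDOBoSlTzEJs0P/px
KEYjENDqampr//fT+6EZXsgl4EmbQzW+boPsJ9tXkD9owm36djlsgfMcSUBf7PS7
oNI5EZKAzGXwZ+Hzpty0cfNDLk+I
=Tbd+
-----END PGP PUBLIC KEY BLOCK-----
KEY 94c09c7f END
"""

BEGIN_RE = re.compile(r"^KEY (\S+) BEGIN$")


def parse_send(text: str, strict: bool = True) -> dict:
    """Return {keyid: armored text} for every KEY block in a SEND request.

    strict=True accepts only the exact line 'KEY <keyid> END' for the key
    currently being read.  strict=False models a loose match (any line that
    starts with 'KEY' and contains 'END'), which base64 can satisfy by chance.
    """
    keys, keyid, body = {}, None, None
    for line in text.splitlines():
        if keyid is None:
            m = BEGIN_RE.match(line)
            if m:
                keyid, body = m.group(1), []
            continue
        if strict:
            is_end = line == f"KEY {keyid} END"
        else:
            is_end = line.startswith("KEY") and "END" in line
        if is_end:
            keys[keyid] = "\n".join(body)
            keyid, body = None, None
        else:
            body.append(line)
    if keyid is not None:
        # The message gpgkeys printed in the thread for an unterminated block.
        raise ValueError(f"no KEY {keyid} END found")
    return keys


def armored_lines(text: str, strict: bool = True) -> int:
    """Number of lines the parser kept for key 94c09c7f in SAMPLE_REQUEST-style input."""
    return len(parse_send(text, strict)["94c09c7f"].splitlines())
```

With the loose matcher the key is silently truncated after its first base64 line and the real terminator is then skipped as stray text; with the strict matcher the whole armored block survives. The general rule is that an in-band delimiter must be matched as a complete line including the identifier, not by prefix or substring.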
Re: [Sks-devel] key too large?
On Fri, 14 Jul 2006, Peter Palfrader wrote:

> I wonder if my key is too large for SKS to like:
>
> [EMAIL PROTECTED]:~$ gpg --send 94c09c7f
> gpg: sending key 94C09C7F to hkp server keyserver.noreply.org
> gpgkeys: HTTP post error 22: url returned error 500
> gpgkeys: no KEY 94c09c7f END found
> gpg: keyserver internal error
> gpg: keyserver send failed: keyserver error
>
> If so, maybe we could patch SKS to allow larger keys?

*sigh* Actually this appears to be a GnuPG problem?

./keyserver/gpgkeys_hkp.c:  fprintf(console,"gpgkeys: no KEY %s END found\n",keyid);

-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
Re: [Sks-devel] key too large?
On Thu, 13 Jul 2006, David Shaw wrote:

> On Fri, Jul 14, 2006 at 12:32:39AM +0200, Peter Palfrader wrote:
> > On Fri, 14 Jul 2006, Peter Palfrader wrote:
> > > I wonder if my key is too large for SKS to like:
> > >
> > > [EMAIL PROTECTED]:~$ gpg --send 94c09c7f
> > > gpg: sending key 94C09C7F to hkp server keyserver.noreply.org
> > > gpgkeys: HTTP post error 22: url returned error 500
> > > gpgkeys: no KEY 94c09c7f END found
> > > gpg: keyserver internal error
> > > gpg: keyserver send failed: keyserver error
> > >
> > > If so, maybe we could patch SKS to allow larger keys?
> >
> > *sigh* Actually this appears to be a GnuPG problem?
>
> Version? At least for the recent code, It's very hard to see how you
> got that error. The code just doesn't flow that way.

gpg (GnuPG) 1.4.4-cvs, looks like a snapshot built around April 5th,
probably r4114. I don't see the problem on a different host with what is
quite likely r4189.

-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
Re: Cipher Question
On Fri, 19 May 2006, Dan Smythe wrote:

> If I use Twofish or Blowfish as my cipher of choice, what key length
> does the gpg use?

See section 9.2 of
http://www.ietf.org/internet-drafts/draft-ietf-openpgp-rfc2440bis-18.txt

Peter

-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
Re: Delete uid from keyserver
On Sun, 21 May 2006, Svein Halvor Halvorsen wrote:

> Hi!
>
> If an uid is no longer in use, but the key itself is. Eg. I've updated
> the key by removing an uid, and later added a new one. What is the best
> practice when it comes to reflect the changes on the keyservers? Should
> I just upload my new key, merging the new uids with the old, and leave
> it at that? Or should I revoke the entire key, then upload the new one
> (which is practically the same, only with an updated uid list)?

You can revoke uids (gpg --edit, then select the uid with its number,
then revuid). This won't make them disappear from the keyservers, but it
will mark the UID as no longer being a valid UID for that key in GnuPG
and other OpenPGP implementations.

As you might have noticed, you cannot remove uids, or anything for that
matter, from keyservers.

Peter

-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
fetching DE415B0E from sks ([don't know]: invalid packet (ctb=2d))
Hi,

running 1.4.4-cvs, when I try to download DE415B0E I get the following
error:

| [EMAIL PROTECTED]:~$ gpg --keyserver random.sks.penguin.de --recv 94c09c7f DE415B0E
| gpg: requesting key DE415B0E from hkp server random.sks.penguin.de
| gpg: requesting key 94C09C7F from hkp server random.sks.penguin.de
| gpg: key DE415B0E: public key "Susumu OSAWA [EMAIL PROTECTED]" imported
| gpg: [don't know]: invalid packet (ctb=2d)
| gpg: read_block: read error: invalid packet
| gpg: Total number processed: 1
| gpg:               imported: 1

While it imports the key in question, it breaks the current download
action, not fetching additional keys given on the command line. It also
aborts any --refresh-keys in mid-action.

Peter

-- 
 PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
    messages preferred.    | : :' :      The  universal
                           | `. `'      Operating System
 http://www.palfrader.org/ |   `-    http://www.debian.org/
Re: fetching DE415B0E from sks ([don't know]: invalid packet (ctb=2d))
On Fri, 07 Apr 2006, David Shaw wrote:

> On Fri, Apr 07, 2006 at 03:40:43PM +0200, Peter Palfrader wrote:
> > Hi,
> >
> > running 1.4.4-cvs, when I try to download DE415B0E I get the
> > following error:
> >
> > | [EMAIL PROTECTED]:~$ gpg --keyserver random.sks.penguin.de --recv 94c09c7f DE415B0E
> > | gpg: requesting key DE415B0E from hkp server random.sks.penguin.de
> > | gpg: requesting key 94C09C7F from hkp server random.sks.penguin.de
> > | gpg: key DE415B0E: public key "Susumu OSAWA [EMAIL PROTECTED]" imported
> > | gpg: [don't know]: invalid packet (ctb=2d)
> > | gpg: read_block: read error: invalid packet
> > | gpg: Total number processed: 1
> > | gpg:               imported: 1
> >
> > While it imports the key in question, it breaks the current download
> > action, not fetching additional keys given on the command line.
>
> This is a feature, believe it or not. During an import (and a keyserver
> --recv-keys or --refresh-keys is really just an import), GPG reads
> packets off the input stream. Once any of those packets prove invalid
> (a packet starting with 2D is invalid), there is no way to know where
> it is in the stream - how many bytes should it jump ahead to get back
> on the track.

I don't believe it's a feature - yet :)

I think a --refresh should always try to refresh all keys. As it is in
this case - with a key with evil packets on the keyserver - I'm stuck in
a situation where gpg --refresh-keys only updates half of my keyring.

I can see a point in aborting in the case of gpg --recv, but it's
confusing that it starts fetching keys starting with the last. Maybe
that could be turned around.

Cheers,
Peter

-- 
 PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
    messages preferred.    | : :' :      The  universal
                           | `. `'      Operating System
 http://www.palfrader.org/ |   `-    http://www.debian.org/
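Why a packet starting with 0x2d is invalid and why, as David says, an importer cannot resync after it, as an added Python example (not GnuPG code, not part of the thread). It parses OpenPGP packet headers per RFC 4880 section 4.2: the cipher type byte (CTB) must have bit 7 set, so 0x2d, which is ASCII '-' and typically the start of a stray armor line in a stream that should be binary, can only be rejected. The walker mimics an import: every tag-6 packet starts a new key, and the first bad CTB ends processing because there is no way to know where the next packet begins. The key stream below is constructed from minimal fake packet bodies.

```python
# OpenPGP packet headers (RFC 4880, section 4.2).
# Old format CTB: 1 0 tttt ll     new format CTB: 1 1 tttttt


def parse_header(buf: bytes, off: int = 0):
    """Return (tag, body_offset, body_length) for the packet starting at buf[off]."""
    ctb = buf[off]
    if not ctb & 0x80:
        # Bit 7 clear is never a valid header; 0x2d is what gpg reported above.
        raise ValueError(f"invalid packet (ctb={ctb:02x})")
    if ctb & 0x40:
        tag = ctb & 0x3F
        first = buf[off + 1]
        if first < 192:
            return tag, off + 2, first
        if first < 224:
            return tag, off + 3, ((first - 192) << 8) + buf[off + 2] + 192
        if first == 255:
            return tag, off + 6, int.from_bytes(buf[off + 2:off + 6], "big")
        raise ValueError("partial body lengths not handled in this example")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
    if ltype == 3:
        raise ValueError("indeterminate length not handled in this example")
    nbytes = (1, 2, 4)[ltype]
    return tag, off + 1 + nbytes, int.from_bytes(buf[off + 1:off + 1 + nbytes], "big")


def old_packet(tag: int, body: bytes) -> bytes:
    """Old-format packet with a one-octet length (body shorter than 256 bytes)."""
    return bytes([0x80 | (tag << 2), len(body)]) + body


def new_packet(tag: int, body: bytes) -> bytes:
    """New-format packet with the shortest length encoding that fits."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + length + body


def import_keys(stream: bytes):
    """Walk packets the way an import does.  Each public-key packet (tag 6)
    starts a new key.  Returns (list of per-key tag lists, error or None);
    on a bad CTB the keys read so far are kept and the rest is abandoned."""
    keys, error, off = [], None, 0
    try:
        while off < len(stream):
            tag, body_off, length = parse_header(stream, off)
            if tag == 6:
                keys.append([])
            if keys:
                keys[-1].append(tag)
            off = body_off + length
    except ValueError as exc:
        error = str(exc)
    return keys, error


# Constructed stream: a good key, a stray armor line, then a second good key.
KEY_A = old_packet(6, b"\x04" + bytes(9)) + old_packet(13, b"Susumu OSAWA") + old_packet(2, b"sig")
KEY_B = new_packet(6, bytes(300)) + new_packet(13, b"uid") + new_packet(2, b"sig")
GOOD_STREAM = KEY_A + KEY_B
BAD_STREAM = KEY_A + b"-----END PGP PUBLIC KEY BLOCK-----" + KEY_B
```

On GOOD_STREAM both keys are seen; on BAD_STREAM the first key is imported (as gpg reported "imported: 1"), the walker stops with "invalid packet (ctb=2d)", and the second key, which is perfectly fine, is never reached. That is the behaviour Peter objects to for --refresh-keys: one poisoned key in the batch starves every key after it.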
Re: dns cert support
On Tue, 04 Apr 2006, David Shaw wrote: Also, is there a tool that produces a snippet which is ready for inclusion into a zone file anywhere? Something similar to ssh-keygen for SSHFP RRs: [EMAIL PROTECTED]:~$ ssh-keygen -r galaxy -f /etc/ssh/ssh_host_rsa_key -g galaxy IN TYPE44 \# 22 01 01 40cc5559546421d15fe9c1064713636a02373ad2 [EMAIL PROTECTED]:~$ ssh-keygen -r galaxy -f /etc/ssh/ssh_host_rsa_key galaxy IN SSHFP 1 1 40cc5559546421d15fe9c1064713636a02373ad2 Good idea. I just checked one in to the GnuPG SVN. It seems it considers whitespace part of the fpr when creating IPGP data. For instance: | [EMAIL PROTECTED]:~/local/src/gnupg/gnupg14/tools$ ./make-dns-cert -f '5B00 C96D 5D54 AEE1 206B AF84 DE7A AF6E 94C0 9C7F' -n foo | foo TYPE37 \# 31 0006 00 19 5B00 C96D 5D54 AEE1 206B AF84 DE7A AF6E 94C0 9C7F ^^ | [EMAIL PROTECTED]:~/local/src/gnupg/gnupg14/tools$ ./make-dns-cert -f '5B00 C96D 5D54 AEE1 206B AF84 DE7A AF6E94C09C7F' -n foo | foo TYPE37 \# 30 0006 00 18 5B00 C96D 5D54 AEE1 206B AF84 DE7A AF6E94C09C7F ^^ It should just ignore whitespace when counting fingerprint length. | ./make-dns-cert -f '5B00 C96D 5D54 AEE1 206B AF84 DE7A AF6E94C09C7F' -n foo | foo TYPE37 \# 26 0006 00 14 5B00 C96D 5D54 AEE1 206B AF84 DE7A AF6E94C09C7F This should fix it: Index: make-dns-cert.c === --- make-dns-cert.c (revision 4091) +++ make-dns-cert.c (working copy) @@ -24,6 +24,7 @@ #ifdef HAVE_GETOPT_H #include getopt.h #endif +#include ctype.h #include stdio.h #include stdlib.h #include string.h 
@@ -97,7 +98,20 @@ if(fpr) { - fprlen=strlen(fpr); + const char *tmp = fpr; + while (*tmp) + { + if (isxdigit(*tmp)) + { + fprlen++; + } + else if (!isspace(*tmp)) + { + printf(Fingerprint must consist of only hex digits (and whitespace)\n); + return 1; + } + tmp++; + } if(fprlen%2) { printf(Fingerprint must be an even number of characters\n); And a second patch that uses stderr for errors on top of this one: --- make-dns-cert.c.orig2006-04-05 09:57:48.725050937 +0200 +++ make-dns-cert.c 2006-04-05 10:00:23.675749478 +0200 @@ -45,20 +45,20 @@ fd=open(keyfile,O_RDONLY); if(fd==-1) { - printf(Cannot open key file %s: %s\n,keyfile,strerror(errno)); + fprintf(stderr, Cannot open key file %s: %s\n,keyfile,strerror(errno)); return 1; } err=fstat(fd,statbuf); if(err==-1) { - printf(Unable to stat key file %s: %s\n,keyfile,strerror(errno)); + fprintf(stderr, Unable to stat key file %s: %s\n,keyfile,strerror(errno)); goto fail; } if(statbuf.st_size32768) { - printf(Key %s too large for CERT encoding\n,keyfile); + fprintf(stderr, Key %s too large for CERT encoding\n,keyfile); goto fail; } @@ -73,7 +73,7 @@ err=read(fd,buffer,1024); if(err==-1) { - printf(Unable to read key file %s: %s\n,keyfile,strerror(errno)); + fprintf(stderr, Unable to read key file %s: %s\n,keyfile,strerror(errno)); goto fail; } @@ -107,14 +107,14 @@ } else if (!isspace(*tmp)) { - printf(Fingerprint must consist of only hex digits (and whitespace)\n); + fprintf(stderr, Fingerprint must consist of only hex digits (and whitespace)\n); return 1; } tmp++; } if(fprlen%2) { - printf(Fingerprint must be an even number of characters\n); + fprintf(stderr, Fingerprint must be an even number of characters\n); return 1; } @@ -127,7 +127,7 @@ if(!fpr !url) { - printf(Cannot generate a CERT without either a fingerprint or URL\n); + fprintf(stderr, Cannot generate a CERT without either a fingerprint or URL\n); return 1; } 
@@ -150,13 +150,13 @@ } static void -usage(void) +usage(FILE *f) { - printf(make-dns-cert\n); - printf(\t-f\tfingerprint\n); - printf(\t-u\tURL\n); - printf(\t-k\tkey file\n); - printf(\t-n\tDNS name\n); + fprintf(f, make-dns-cert\n); + fprintf(f, \t-f\tfingerprint\n); + fprintf(f, \t-u\tURL\n); + fprintf(f, \t-k\tkey file\n); + fprintf(f, \t-n\tDNS name\n); } int @@ -167,7 +167,7 @@ if(argc==1) { - usage(); + usage(stderr); return 0; } else if(argc1 strcmp(argv[1],--version)==0) @@ -177,7 +177,7 @@ } else if(argc1 strcmp(argv[1],--help)==0) { - usage(); + usage(stdout); return 0; } @@ -186,7 +186,7 @@ { default: case 'h': - usage(); + usage(stdout); exit(0); case 'f': @@ -208,14
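Review bot: in the `if(fpr)` hunk of the first patch, `isxdigit(*tmp)` is handed a plain `char`; for bytes above 0x7f that value is negative, and the ctype functions are only defined for `unsigned char` values and EOF, so either cast (`isxdigit((unsigned char)*tmp)`) or compare against explicit character ranges. The same loop only ever increments `fprlen`, and the line it replaces (`fprlen=strlen(fpr);`) was the only assignment in view, so confirm `fprlen` is initialised to 0 at its declaration or zeroed before the loop; otherwise the `fprlen%2` test and the length octet written later are computed from garbage.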
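Review bot: in the `if(argc==1)` hunk of the second patch, usage is now printed to stderr, which treats a missing argument as an error, but the function still does `return 0;`, so a caller or script cannot tell that failure from success. Return 1 there and keep `exit(0)`/`return 0` only for the explicit `-h` and `--help` paths, which correctly print to stdout.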
Re: dns cert support
On Wed, 05 Apr 2006, Werner Koch wrote: On Wed, 5 Apr 2006 10:02:28 +0200, Peter Palfrader said: + const char *tmp = fpr; + while (*tmp) + { + if (isxdigit(*tmp)) Will segv on many non-glibc systems if you pass non-ascii characters to it. Never ever use isfoo functions without additional checks. ick. Index: make-dns-cert.c === --- make-dns-cert.c (revision 4091) +++ make-dns-cert.c (working copy) @@ -97,7 +97,22 @@ if(fpr) { - fprlen=strlen(fpr); + const char *tmp = fpr; + while (*tmp) + { + if ((*tmp = 'A' *tmp = 'F') || + (*tmp = 'a' *tmp = 'f') || + (*tmp = '0' *tmp = '9')) + { + fprlen++; + } + else if (*tmp != ' ' *tmp != '\t') + { + printf(Fingerprint must consist of only hex digits (and whitespace)\n); + return 1; + } + tmp++; + } if(fprlen%2) { printf(Fingerprint must be an even number of characters\n); -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred.| : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `-http://www.debian.org/ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
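Review bot: in the revised `if(fpr)` hunk the conditions read `*tmp = 'A' *tmp = 'F'` and `*tmp != ' ' *tmp != '\t'`, i.e. the relational and logical operators (`>=`, `<=`, `&&`) are missing in the archived copy and the hunk would not compile as shown; verify the committed version carries them. Functionally the explicit range checks do address Werner's ctype portability point, but only space and tab are now accepted as separators (narrower than the earlier isspace), and the error message still goes to stdout via printf while the follow-up patch moved the other diagnostics to stderr.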
Re: dns cert support
On Tue, 04 Apr 2006, Peter Palfrader wrote:

> On Mon, 03 Apr 2006, Werner Koch wrote:
> > * New auto-key-locate option that takes an ordered list of methods
> >   to locate a key if it is not available at encryption time (-r or
> >   --recipient). Possible methods include "cert" (use DNS CERT as per
> >   RFC2538bis, "pka" (use DNS PKA), "ldap" (consult the LDAP server
> >   for the domain in question), "keyserver" (use the currently
> >   defined keyserver), as well as arbitrary keyserver URIs that will
> >   be contacted for the key.
> >
> > * Able to retrieve keys using DNS CERT records as per RFC-2538bis
> >   (currently in draft): http://www.josefsson.org/rfc2538bis
>
> How would I try to retrieve the key for [EMAIL PROTECTED] from DNS[1]
> using GnuPG's command line, other than simulating an encryption (like
> in gpg --auto-key-locate cert --recipient [EMAIL PROTECTED] --encrypt)
> to the user in question?

I notice that if I have both, an IPGP and a PGP CERT RR, that GnuPG
fails to import the key some of the time:

| [EMAIL PROTECTED]:~/tmp/g$ echo fo | gpg --auto-key-locate cert --recipient [EMAIL PROTECTED] --encrypt
| gpg: [EMAIL PROTECTED]: skipped: public key not found
| gpg: [stdin]: encryption failed: public key not found
| [EMAIL PROTECTED]:~/tmp/g$ echo fo | gpg --auto-key-locate cert --recipient [EMAIL PROTECTED] --encrypt
| gpg: [EMAIL PROTECTED]: skipped: public key not found
| gpg: [stdin]: encryption failed: public key not found
| [EMAIL PROTECTED]:~/tmp/g$ echo fo | gpg --auto-key-locate cert --recipient [EMAIL PROTECTED] --encrypt
| gpg: ./trustdb.gpg: trustdb created
| gpg: key 94C09C7F: public key "Peter Palfrader" imported

} ;; ANSWER SECTION:
} peter.palfrader.org.    43200   IN      CERT    6 0 0 FFsAyW1dVK7hIGuvhN56r26UwJx/
} peter.palfrader.org.    43200   IN      CERT    PGP 0 0 mQGiBDgp0YcRBACN9s8EycXRsu9ym3Sjou1N.

Is having them both not supported or is there a bug somewhere?

Cheers,
Peter

-- 
 PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
    messages preferred.    | : :' :      The  universal
                           | `. `'      Operating System
 http://www.palfrader.org/ |   `-    http://www.debian.org/
dns cert support (was: GnuPG 1.4.3 released)
On Mon, 03 Apr 2006, Werner Koch wrote:

> * New auto-key-locate option that takes an ordered list of methods to
>   locate a key if it is not available at encryption time (-r or
>   --recipient). Possible methods include "cert" (use DNS CERT as per
>   RFC2538bis, "pka" (use DNS PKA), "ldap" (consult the LDAP server for
>   the domain in question), "keyserver" (use the currently defined
>   keyserver), as well as arbitrary keyserver URIs that will be
>   contacted for the key.
>
> * Able to retrieve keys using DNS CERT records as per RFC-2538bis
>   (currently in draft): http://www.josefsson.org/rfc2538bis

How would I try to retrieve the key for [EMAIL PROTECTED] from DNS[1]
using GnuPG's command line, other than simulating an encryption (like in
gpg --auto-key-locate cert --recipient [EMAIL PROTECTED] --encrypt) to
the user in question?

Also, is there a tool that produces a snippet which is ready for
inclusion into a zone file anywhere? Something similar to ssh-keygen for
SSHFP RRs:

[EMAIL PROTECTED]:~$ ssh-keygen -r galaxy -f /etc/ssh/ssh_host_rsa_key -g
galaxy IN TYPE44 \# 22 01 01 40cc5559546421d15fe9c1064713636a02373ad2
[EMAIL PROTECTED]:~$ ssh-keygen -r galaxy -f /etc/ssh/ssh_host_rsa_key
galaxy IN SSHFP 1 1 40cc5559546421d15fe9c1064713636a02373ad2

Cheers,
Peter

1. no, peter.palfrader.org. does not yet have a RR of type 37
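The zone-file snippet Peter asks for here, and the fingerprint-length handling that the make-dns-cert patches in this thread fix, as an added Python example (not GnuPG's make-dns-cert, not part of the thread). It builds the CERT RDATA for an IPGP record per RFC 4398 (type 6, key tag 0, algorithm 0, one fingerprint-length octet, fingerprint, optional URL), prints it both in the RFC 3597 unknown-type form ssh-keygen -g uses and in the mnemonic form dig shows, and parses it back. The whitespace-tolerant fingerprint check is the point of the patches: blanks are dropped before counting, only ASCII hex is accepted, so no ctype call ever sees a non-ASCII byte. The URL below is a made-up placeholder; the fingerprint is the one quoted in the thread, and the base64 it yields matches the CERT 6 record in the dig output above.

```python
import base64
import struct

CERT_PGP = 3      # full OpenPGP key as the certificate
CERT_IPGP = 6     # fingerprint and/or URL of the key
CERT_RRTYPE = 37
HEX = set("0123456789abcdefABCDEF")


def normalize_fingerprint(fpr: str) -> bytes:
    """Strip blanks (gpg prints fingerprints in groups of four), then require
    hex digits only, an even count, and at most 255 octets (one length octet).
    Membership in HEX is an ASCII comparison, so non-ASCII input is rejected
    without ever being passed to a ctype-style classifier."""
    digits = "".join(ch for ch in fpr if ch not in " \t")
    if any(ch not in HEX for ch in digits):
        raise ValueError("fingerprint must consist of only hex digits (and whitespace)")
    if len(digits) % 2:
        raise ValueError("fingerprint must be an even number of characters")
    if len(digits) // 2 > 255:
        raise ValueError("fingerprint too long for a one-octet length")
    return bytes.fromhex(digits)


def ipgp_rdata(fpr: str = "", url: str = "") -> bytes:
    """CERT RDATA: type, key tag, algorithm, then the IPGP certificate body:
    fingerprint length octet, fingerprint, URL (RFC 4398 sections 2 and 2.1)."""
    fp = normalize_fingerprint(fpr) if fpr else b""
    if not fp and not url:
        raise ValueError("cannot generate a CERT without either a fingerprint or URL")
    return struct.pack(">HHB", CERT_IPGP, 0, 0) + bytes([len(fp)]) + fp + url.encode("ascii")


def parse_ipgp_rdata(rdata: bytes):
    """Inverse of ipgp_rdata: returns (upper-case hex fingerprint, url)."""
    ctype, keytag, alg = struct.unpack(">HHB", rdata[:5])
    if ctype != CERT_IPGP:
        raise ValueError(f"not an IPGP CERT (type {ctype})")
    n = rdata[5]
    fp, url = rdata[6:6 + n], rdata[6 + n:]
    return fp.hex().upper(), url.decode("ascii")


def zone_lines(name: str, rdata: bytes):
    """Both presentation forms of the record: the RFC 3597 unknown-type form
    (as ssh-keygen -g prints SSHFP) and the CERT mnemonic form (as dig shows it).
    In the mnemonic form the base64 covers everything after type/tag/algorithm."""
    ctype, keytag, alg = struct.unpack(">HHB", rdata[:5])
    hexdata = " ".join(rdata[i:i + 2].hex() for i in range(0, len(rdata), 2))
    generic = f"{name} IN TYPE{CERT_RRTYPE} \\# {len(rdata)} {hexdata}"
    cert = base64.b64encode(rdata[5:]).decode("ascii")
    mnemonic = f"{name} IN CERT {ctype} {keytag} {alg} {cert}"
    return generic, mnemonic


if __name__ == "__main__":
    fpr = "5B00 C96D 5D54 AEE1 206B AF84 DE7A AF6E 94C0 9C7F"
    for line in zone_lines("peter.palfrader.org.", ipgp_rdata(fpr)):
        print(line)
```

Running it prints the same 26-octet RDATA twice: once as `TYPE37 \# 26 ...` and once as `CERT 6 0 0 FFsAyW1dVK7hIGuvhN56r26UwJx/`. Whether the fingerprint is given with or without the spaces makes no difference to the output, which is exactly the behaviour the `fprlen` fix in the thread restores.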
segfault in gnupg14 (was: How to sign with non-subkey?)
On Tue, 21 Mar 2006, Simon Josefsson wrote:

> [EMAIL PROTECTED]:~$ echo foo |gpg -a -s -v -u b565716f
> gpg: using subkey AABB1F7B instead of primary key B565716F
> gpg: writing to stdout
> gpg: using subkey AABB1F7B instead of primary key B565716F
> gpg: RSA/SHA1 signature from: "AABB1F7B Simon Josefsson [EMAIL PROTECTED]"
> -----BEGIN PGP MESSAGE-----
> Version: GnuPG v1.4.2.2 (GNU/Linux)
>
> owGbwMvMwMS4XF34xKrd8tWMp7mSGFwURP6l5edzdZxiYWBkYjBhZQKJ6Io0MACB
> KAN/QXaibmJKSlFqcbFDel5pQbpeflF6VmKxQ2pFSWleSr5ecn4uAxenAMzQy+bM
> /4v/zBGfa+XAOvOGXqTUwQde0rPmL9P6KDS/8HLSjbKjN5fM+bfO0StszgfhZK0N
> R3X5lKuSzsUa1B5fWvKed/HOTZ9rbrUw8ZdwuT9d33bV/8xzcbFLe+y//76ttcg8
> v3G1sbjG1kSh62GcnIEmgay1uU4C06ezaT7wbJ1222IN60yGD7w3DwAA
> =HgpN
> -----END PGP MESSAGE-----
> [EMAIL PROTECTED]:~$

While handling this block my gpg segfaulted.

| [EMAIL PROTECTED]:~$ gpg blurb
| foo
| gpg: Signature made Tue Mar 21 16:00:14 2006 CET using RSA key ID AABB1F7B
|
| gpg: Segmentation fault caught ... exiting
| zsh: segmentation fault  gpg blurb

After enabling coredumps:

#0  0x08066b35 in is_valid_mailbox (name=0x20 <Address 0x20 out of bounds>) at misc.c:1112
1112        return !( !name
(gdb) bt
#0  0x08066b35 in is_valid_mailbox (name=0x20 <Address 0x20 out of bounds>) at misc.c:1112
#1  0x0806111c in get_pka_address (sig=0x8188cf0) at mainproc.c:1350
#2  0x08061198 in pka_uri_from_sig (sig=0x812f9c0) at mainproc.c:1377
#3  0x08062181 in check_sig_and_print (c=0x8133820, node=0x812faf8) at mainproc.c:1576
#4  0x080628cb in proc_tree (c=0x8133820, node=0x8131698) at mainproc.c:1965
#5  0x0805e84c in release_list (c=0x8133820) at mainproc.c:97
#6  0x08060ed1 in do_proc_packets (c=0x8133820, a=0x812d538) at mainproc.c:1323
#7  0x08060c8e in proc_packets (anchor=0x8188cf0, a=0x8188cf0) at mainproc.c:1135
#8  0x08054c22 in handle_compressed (procctx=0x8188cf0, cd=0x812d490, callback=0, passthru=0x8188cf0) at compress.c:326
#9  0x0805fcf8 in proc_compressed (c=0x8131638, pkt=0x812d480) at mainproc.c:756
#10 0x08060f28 in do_proc_packets (c=0x8131638, a=0x812d538) at mainproc.c:1281
#11 0x08060c8e in proc_packets (anchor=0x8188cf0, a=0x8188cf0) at mainproc.c:1135
#12 0x0804fc75 in main (argc=0, argv=0xbf9db188) at gpg.c:3736

full:

#0  0x08066b35 in is_valid_mailbox (name=0x20 <Address 0x20 out of bounds>) at misc.c:1112
No locals.
#1  0x0806111c in get_pka_address (sig=0x8188cf0) at mainproc.c:1350
        pka = (pka_info_t *) 0x0
        nd = (struct notation *) 0x8188cf0
        notation = (struct notation *) 0x8188cf0
#2  0x08061198 in pka_uri_from_sig (sig=0x812f9c0) at mainproc.c:1377
No locals.
#3  0x08062181 in check_sig_and_print (c=0x8133820, node=0x812faf8) at mainproc.c:1576
        uri = 0x8188cf0 "[EMAIL PROTECTED]"
        sig = (PKT_signature *) 0x812f9c0
        astr = 0x810c42a "RSA"
        rc = 9
        is_expkey = 0
        is_revkey = 0
#4  0x080628cb in proc_tree (c=0x8133820, node=0x8131698) at mainproc.c:1965
        n1 = 0x812faf8
        rc = 135826672
#5  0x0805e84c in release_list (c=0x8133820) at mainproc.c:97
No locals.
#6  0x08060ed1 in do_proc_packets (c=0x8133820, a=0x812d538) at mainproc.c:1323
        pkt = (PACKET *) 0x8131790
        rc = 0
        any_data = 1
        newpkt = 0
[...]

Latest svn on ia32, debian sarge.

-- 
 PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
    messages preferred.    | : :' :      The  universal
                           | `. `'      Operating System
 http://www.palfrader.org/ |   `-    http://www.debian.org/
Re: add notation to self sig
Malte Gell schrieb am Donnerstag, dem 16. März 2006:

> On Tuesday 07 March 2006 23:12, Peter Palfrader wrote:
> > I wanted to add a notation to my self sig on my key by giving
> > --cert-notation on the command line and then updating the cipher
> >
> > gpg --cert-notation [EMAIL PROTECTED]
>
> This notation looks interesting, does any MUA or even GnuPG directly
> honor it and automagically use PGP/MIME or is it more a comment for
> correspondents?

The notation name came up on the IETF openpgp workinggroup's list a bit
over a year ago[0]. I am not aware of anything in the Free Software
world that uses it yet, but the PGP products by pgp.com do. As far as I
know (and that's all second hand, so don't blame me if it isn't
correct), all versions PGP Universal, Satellite and Desktop 9.x should
do it as long as they're not using MAPI. Oh, and PGP on the Blackberry
doesn't either.

Peter

0 http://www.mhonarc.org/archive/html/ietf-openpgp/2005-01/msg3.html

-- 
 PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
    messages preferred.    | : :' :      The  universal
                           | `. `'      Operating System
 http://www.palfrader.org/ |   `-    http://www.debian.org/
Re: add notation to self sig
On Wed, 08 Mar 2006, David Shaw wrote:

> > Thanks, that seems to work (as does --expert and sign).
>
> If you're tracking SVN, try the latest. I've added a notation command
> under --edit-key.

Great, thanks. Adding notations and removing all of them works just fine.

According to the manual page, setting an empty value should remove a notation:

| notation      Set a name=value notation for the specified user
|               ID(s). See --cert-notation for more on how this
|               works. Setting a value of "none" removes all nota-
|               tions, and setting a name with no value removes
|               that notation alone.

However,

| [EMAIL PROTECTED]:~/tmp/gpg$ gpg --list-options show-notations --list-sigs
| pub   1024D/A12B80B9 2006-03-09 [expires: 2006-03-16]
| uid                  test1
| sig 3        A12B80B9 2006-03-09  test1
| sub   2048g/7FAFEDE3 2006-03-09 [expires: 2006-03-16]
| sig          A12B80B9 2006-03-09  test1
| [EMAIL PROTECTED]:~/tmp/gpg$ gpg --edit test1
[..]
| Command> notation [EMAIL PROTECTED]
| No notations on user ID "test1"
| Adding notation: [EMAIL PROTECTED]
[..]
[just doing 'notation [EMAIL PROTECTED]' is not allowed.]
| [EMAIL PROTECTED]:~/tmp/gpg$ gpg --list-options show-notations --list-sigs
| pub   1024D/A12B80B9 2006-03-09 [expires: 2006-03-16]
| uid                  test1
| sig 3N       A12B80B9 2006-03-09  test1
|    Signature notation: [EMAIL PROTECTED]
| sub   2048g/7FAFEDE3 2006-03-09 [expires: 2006-03-16]
| sig          A12B80B9 2006-03-09  test1

it seems that this part doesn't work.

Also, is issuing a notation again with the same key supposed to replace an existing notation, or should it - as it does now - add a second notation with the same key?

Cheers,
Peter
add notation to self sig
Hey,

I wanted to add a notation to my self sig on my key by giving --cert-notation on the command line and then updating the cipher preferences (as a nice way to generate a new self sig):

| gpg --cert-notation [EMAIL PROTECTED] --edit 94c09c7f
| Command> setpref S9 S8 S7 S3 S2 H2 H8 Z2 Z3 Z1 mdc no-ks-modify
[...]

However, the resulting new self sig does not have the cert notation set. Can anybody tell me what the procedure is to issue a new self sig with cert notations?

[Running svn head of gnupg14 as of now.]

Cheers,
Peter
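The two messages above (the original question and the follow-up about the --edit-key notation command) turn on what a notation actually is on the wire: a Notation Data subpacket (type 20) in the hashed area of the self-signature. The following is an added example, not GnuPG code and not from this thread: it encodes and parses subpacket areas per RFC 4880 sections 5.2.3.1 and 5.2.3.16, and then lists notation names that occur more than once, which is exactly the "second notation with the same key" situation the follow-up asks about. The notation names, the values and the subpacket area itself are constructed for the example; the name "hint@example.com" is hypothetical and is not the notation discussed on the list.

```python
"""Encode and parse OpenPGP Notation Data subpackets (RFC 4880 5.2.3.16).

Added example for the notation discussion; not GnuPG code. The sample
subpacket area below is constructed, not taken from a real signature.
"""
import struct

NOTATION_DATA = 20            # subpacket type: Notation Data
HUMAN_READABLE = 0x80000000   # notation flag: value is UTF-8 text


def encode_subpacket(sp_type: int, body: bytes, critical: bool = False) -> bytes:
    """One subpacket: length (covering the type octet and body), type, body."""
    n = len(body) + 1
    if n < 192:
        hdr = bytes([n])
    elif n < 16320:
        n2 = n - 192
        hdr = bytes([(n2 >> 8) + 192, n2 & 0xFF])
    else:
        hdr = b"\xff" + struct.pack(">I", n)
    return hdr + bytes([sp_type | (0x80 if critical else 0)]) + body


def encode_notation(name: str, value: str, human_readable: bool = True,
                    critical: bool = False) -> bytes:
    """Notation body: 4 flag octets, name length, value length, name, value."""
    n, v = name.encode(), value.encode()
    flags = HUMAN_READABLE if human_readable else 0
    body = struct.pack(">IHH", flags, len(n), len(v)) + n + v
    return encode_subpacket(NOTATION_DATA, body, critical)


def parse_subpackets(area: bytes):
    """Yield (type, critical, body) for every subpacket in a subpacket area."""
    i = 0
    while i < len(area):
        b0 = area[i]
        if b0 < 192:
            n, i = b0, i + 1
        elif b0 < 255:
            n, i = ((b0 - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            n, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if n < 1 or i + n > len(area):
            raise ValueError("truncated or malformed subpacket at offset %d" % i)
        t = area[i]
        yield t & 0x7F, bool(t & 0x80), area[i + 1:i + n]
        i += n


def parse_notations(area: bytes):
    """Return [{name, value, human_readable, critical}, ...] in area order."""
    out = []
    for t, crit, body in parse_subpackets(area):
        if t != NOTATION_DATA:
            continue
        if len(body) < 8:
            raise ValueError("notation subpacket too short")
        flags, nlen, vlen = struct.unpack(">IHH", body[:8])
        if 8 + nlen + vlen != len(body):
            raise ValueError("notation length fields disagree with body")
        name = body[8:8 + nlen].decode("utf-8")
        raw = body[8 + nlen:8 + nlen + vlen]
        hr = bool(flags & HUMAN_READABLE)
        out.append({"name": name, "value": raw.decode("utf-8") if hr else raw,
                    "human_readable": hr, "critical": crit})
    return out


def duplicate_notation_names(notations):
    """Names carried by more than one notation subpacket in the same area."""
    seen, dups = set(), []
    for n in notations:
        if n["name"] in seen and n["name"] not in dups:
            dups.append(n["name"])
        seen.add(n["name"])
    return dups


# Constructed hashed-subpacket area: a creation-time subpacket (type 2), the
# hypothetical notation "hint@example.com" twice, then an unrelated critical one.
SAMPLE_AREA = (
    encode_subpacket(2, struct.pack(">I", 0x44000000))
    + encode_notation("hint@example.com", "pgpmime")
    + encode_notation("hint@example.com", "partitioned")
    + encode_notation("policy@example.com", "https://example.com/policy", critical=True)
)

if __name__ == "__main__":
    found = parse_notations(SAMPLE_AREA)
    for n in found:
        print(n)
    print("duplicated names:", duplicate_notation_names(found))
```

`parse_notations` only understands the subpacket area itself; to run it on a real key you would first split the signature packet and take its hashed area (the unhashed area is not covered by the signature and should not be trusted for notations). Non-human-readable values are returned as raw bytes so a binary value is never mis-decoded.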
Re: --openpgp, MDC and similar flags
On Tue, 29 Nov 2005, Christoph Anton Mitterer wrote:

> ... as you can see, MDC is set. Referring to
> http://lists.gnupg.org/pipermail/gnupg-users/2003-May/018442.html and
> RFC2440 I assume that MDC is still not part of the standard. Why is it
> activated in my key? (Of course this is a good thing, but I just wonder
> that if openpgp did not work for MDC, other things might be
> incompatible, too)
>
> 2) What other things does GPG that are beyond RFC2440?
>
> 3) Are there any other flags like MDC? I know about keyserver-no-modify
> but that is documented in RFC2440.

GnuPG is staying up to date with the changes that have been proposed after RFC2440 was released. The IETF OpenPGP working group is now in its last steps to release a new internet draft, the current snapshot of their work is 2440bis-15.

http://www.ietf.org/internet-drafts/draft-ietf-openpgp-rfc2440bis-15.txt

MDC and back signatures (0x19) are specified there.

HTH,
Peter
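The MDC flag in a key's preferences tells senders they may use the integrity-protected container; whether a given message actually has one is visible from its packet tags. The following is an added example, not GnuPG code and not from the thread: it walks OpenPGP packet headers (old and new format, including new-format partial body lengths, per RFC 4880 section 4.2) and reports whether the encrypted payload is a Symmetrically Encrypted Integrity Protected Data packet (tag 18, the MDC container that 2440bis added) or the older Symmetrically Encrypted Data packet (tag 9, no integrity protection). The three messages it is run on are constructed; their "ciphertext" is filler, not real encryption.

```python
"""Report whether an OpenPGP message uses the MDC container (tag 18) or the
pre-MDC one (tag 9). Added example; not GnuPG code. Sample messages are
constructed with filler in place of ciphertext.
"""
import struct

TAG_PKESK = 1    # Public-Key Encrypted Session Key
TAG_SED = 9      # Symmetrically Encrypted Data (no MDC)
TAG_SEIPD = 18   # Sym. Encrypted Integrity Protected Data (MDC)

OLD_LEN_SIZES = {0: 1, 1: 2, 2: 4}   # old-format length-type -> octets


def parse_packets(data: bytes):
    """Yield (tag, body) for each packet in data, old- or new-format header."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % i)
        i += 1
        if ctb & 0x40:                                   # new-format header
            tag = ctb & 0x3F
            body = b""
            while True:                                  # partial lengths chain
                b0 = data[i]
                if b0 < 192:
                    n, i, partial = b0, i + 1, False
                elif b0 < 224:
                    n, i, partial = ((b0 - 192) << 8) + data[i + 1] + 192, i + 2, False
                elif b0 == 255:
                    n, i, partial = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5, False
                else:
                    n, i, partial = 1 << (b0 & 0x1F), i + 1, True
                if i + n > len(data):
                    raise ValueError("truncated packet body")
                body += data[i:i + n]
                i += n
                if not partial:
                    break
        else:                                            # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:                               # indeterminate length
                n = len(data) - i
            else:
                size = OLD_LEN_SIZES[ltype]
                n = int.from_bytes(data[i:i + size], "big")
                i += size
            if i + n > len(data):
                raise ValueError("truncated packet body")
            body = data[i:i + n]
            i += n
        yield tag, body


def mdc_status(message: bytes) -> str:
    """'mdc', 'no-mdc', or 'none' for the first encrypted-data packet found."""
    for tag, body in parse_packets(message):
        if tag == TAG_SEIPD:
            if not body or body[0] != 1:
                raise ValueError("unknown SEIPD version %r" % body[:1])
            return "mdc"
        if tag == TAG_SED:
            return "no-mdc"
    return "none"


def new_packet(tag: int, body: bytes) -> bytes:
    """Encode a new-format packet with a definite (non-partial) length."""
    n = len(body)
    if n < 192:
        return bytes([0xC0 | tag, n]) + body
    if n < 8384:
        n2 = n - 192
        return bytes([0xC0 | tag, (n2 >> 8) + 192, n2 & 0xFF]) + body
    return bytes([0xC0 | tag, 0xFF]) + struct.pack(">I", n) + body


# Constructed messages (filler stands in for ciphertext).
FILLER = bytes(range(40))
# PKESK with a dummy body, then a version-1 SEIPD packet: has an MDC.
MSG_WITH_MDC = new_packet(TAG_PKESK, b"\x03" + b"\x00" * 8 + b"\x01") + \
    new_packet(TAG_SEIPD, b"\x01" + FILLER)
# Old-format tag 9 packet with a one-octet length: the pre-MDC container.
MSG_WITHOUT_MDC = bytes([0x80 | (TAG_SED << 2) | 0, len(FILLER)]) + FILLER
# SEIPD split into a 32-octet partial chunk (0xE5 -> 1<<5) plus a final 9.
MSG_PARTIAL = bytes([0xC0 | TAG_SEIPD, 0xE5]) + b"\x01" + FILLER[:31] + \
    bytes([9]) + FILLER[31:]

if __name__ == "__main__":
    for label, m in [("with-mdc", MSG_WITH_MDC), ("without", MSG_WITHOUT_MDC),
                     ("partial", MSG_PARTIAL)]:
        print(label, mdc_status(m))
```

A "no-mdc" result means the recipient has no way to detect ciphertext tampering; newer GnuPG releases refuse to decrypt such messages by default rather than only warning. The partial-length case matters in practice because gpg emits large encrypted bodies in exactly that form.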
Re: UbuntuLinux GPG Still Doesn't Work With Remailers
On Mon, 19 Sep 2005, Guitar Bench wrote:

> I've been trying now for almost three months and I still can't get the
> Cypherpunks remailers to accept messages encrypted with Ubuntu Linux/GPG
> v1.2.5.

I know that gpg 1.4 (and probably also 1.2 as well, tho I don't have any systems with that anymore) work with

  gpg --textmode --cipher-algo 3DES file --recipient $foo --encrypt

because those are the options used by Echolot, a remailer pinger.

Also note that for forward anonymous traffic you probably shouldn't use type I anyway.
no-ask-cert-expire during sign-key
Hi,

gpg (1.4.1) always asks whether UID certifications should expire on the same day as the primary key:

| [EMAIL PROTECTED]:~$ gpg --no-ask-cert-expire --sign-key 52C8180E
| [..]
| pub  1024D/52C8180E  created: 2004-12-11  expires: 2012-12-10  usage: CS
|                      trust: marginal      validity: full
|  Primary key fingerprint: 77FA 0CBE A7BB 268A 312B DB25 3D45 FF99 52C8 180E
|
|      Matthias Bauer [EMAIL PROTECTED]
|      Matthias Bauer [EMAIL PROTECTED]
|
| This key is due to expire on 2012-12-10.
| Do you want your signature to expire at the same time? (Y/n)

I always answer no to this question. Is it possible to change the behaviour of --no-ask-cert-expire to also apply to this case? At least the manpage suggests that it already should do just that:

| --no-ask-cert-expire
|        When making a key signature, prompt for an expiration time.
|        If this option is not specified, the expiration time is
|        never. --no-ask-cert-expire disables this option.