Re: Upgrade woes
Werner Koch writes:
> If you copy ~/.gnupg make sure to copy also subdirectories and hidden
> files (cp -a). You also need to stop any running agent but gpg will
> show you a warning if you forget this.

I used midnight commander to copy. I think it included everything and was set to preserve attributes. I'll try again with cp -a.

>> I chrooted into the old system and tried to export the keys, but it just
>> keeps complaining: error receiving key from agent, permission denied.
>
> That are the private keys which you might have not copied
> (~/.gnupg/private-keys-v1.d)

What copy? I said I chrooted into the original system.

>> Is there a way to get it to stop using this dang agent stuff and just
>> prompt me for the password normally like it used to?
>
> No. We use the agent for more than 20 years and you used it with
> 2.2.27 too.

Then how do you convince the agent to work in a chroot? At first it just kept saying inappropriate ioctl for the device. I tried bind mounting /sys, /proc, /dev, and /dev/pts into the chroot and it changed to the permission denied error without any prompting for my password.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Upgrade woes
So I upgraded to the new release of Debian a while back. I just realized I forgot to migrate my gpg keys to the new system. Old one was running 2.2.27, and now I am running 2.2.40. I tried copying the .gnupg directory to the new system, but gpg -k wouldn't show any keys. I seem to remember the last time I upgraded, I had to export and import the keys to get them to be recognized.

I chrooted into the old system and tried to export the keys, but it just keeps complaining: error receiving key from agent, permission denied.

Is there a way to get it to stop using this dang agent stuff and just prompt me for the password normally like it used to?
Re: pinetry and emacs
Pankaj Jangid writes:
> I faced the same issue when I started Emacs from virtual terminal
> window. But I do not get the issue when launching from directly GUI. I
> am on MacOS.

Even if you run emacs from a terminal emulator, as long as you are in a GUI environment, then the gui pinentry should be used afaik. I'm using a remote server via ssh so I'm restricted to the terminal.
Re: pinetry and emacs
Phillip Susi writes:
> It was pinentry-curses. I tried switching to pinentry-tty and it rapes
> the tty even worse than the curses one. At least some keystrokes
> occasionally had some effect with the curses one. With this one nothing
> I hit would do anything. Couldn't get it to eventually think I entered
> a wrong password and give up, couldn't C-c, C-g, or C-z; I just had to
> use ~. to force ssh to hang up. Why and how is this program so abusive
> of the terminal?

Weird... I ran strace on the program from another terminal and could see that it was reading each keystroke, but continued to read after seeing the \r. I hit C-j ( \n ) and it finally recognized the end of input. I'm thinking that it requires that tty mode that appends a \n to a \r to be enabled, but it doesn't bother enabling it when it takes over the tty.
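An added example, not from this thread or from the pinentry project: a small Python script that reproduces the behaviour described above on a pseudo-terminal. It assumes the tty mode meant is the termios ICRNL input flag (translate carriage return to newline on input) and that the passphrase prompt reads in canonical (line) mode; the keystroke bytes are constructed. It shows that a canonical-mode reader never sees the end of a line when Enter sends \r while ICRNL is off, and only finishes on \n (C-j), which is why a prompt can appear to ignore everything typed.

```python
import os
import pty
import select
import termios
from typing import Optional


def feed_canonical_tty(keystrokes: bytes, icrnl: bool, timeout: float = 0.2) -> Optional[bytes]:
    """Type `keystrokes` into a pseudo-terminal whose reader is in canonical (line)
    mode, like a passphrase prompt, and report what that reader receives.

    Returns the completed line if one is available, or None if the reader would
    still be blocked waiting for a line terminator.  `icrnl` sets or clears the
    termios ICRNL input flag (carriage return translated to newline on input).
    """
    master, slave = pty.openpty()  # master plays the user's keyboard, slave the prompt
    try:
        iflag, oflag, cflag, lflag, ispeed, ospeed, cc = termios.tcgetattr(slave)
        iflag = (iflag | termios.ICRNL) if icrnl else (iflag & ~termios.ICRNL)
        lflag |= termios.ICANON            # line-buffered input: read() returns whole lines
        lflag &= ~termios.ECHO             # a passphrase prompt does not echo
        termios.tcsetattr(slave, termios.TCSANOW,
                          [iflag, oflag, cflag, lflag, ispeed, ospeed, cc])

        os.write(master, keystrokes)       # the "user" types
        # In canonical mode the slave only becomes readable once a full line exists,
        # so a timed select() tells us whether the prompt would wake up or keep waiting.
        ready, _, _ = select.select([slave], [], [], timeout)
        if not ready:
            return None
        return os.read(slave, 256)
    finally:
        os.close(master)
        os.close(slave)


def main() -> None:
    # Constructed keystroke sequences: "secret" followed by Enter (\r) or C-j (\n).
    for label, keys, icrnl in (
        ("Enter, ICRNL on ", b"secret\r", True),
        ("Enter, ICRNL off", b"secret\r", False),
        ("C-j,   ICRNL off", b"secret\n", False),
    ):
        print(label, "->", feed_canonical_tty(keys, icrnl))


if __name__ == "__main__":
    main()
```

With ICRNL on, Enter yields the line `b"secret\n"`; with it off, the same keystrokes leave the reader blocked (None), and only a literal newline completes the line. A program that puts the tty into its own raw or cooked mode without restoring ICRNL reproduces exactly the symptom described in the message.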
Re: pinetry and emacs
Christian Chavez writes:
> Have you tried checking with update-alternatives which pinentry is default
> selected?
> I remember having to switch mine from pinentry-gnome to pinentry-tty on my
> machine (I don't use emacs though).

It was pinentry-curses. I tried switching to pinentry-tty and it rapes the tty even worse than the curses one. At least some keystrokes occasionally had some effect with the curses one. With this one nothing I hit would do anything. Couldn't get it to eventually think I entered a wrong password and give up, couldn't C-c, C-g, or C-z; I just had to use ~. to force ssh to hang up. Why and how is this program so abusive of the terminal?
pinetry and emacs
I have installed the pinentry module and run M-x pinentry-start, as well as added allow-emacs-pinentry to ~/.gnupg/gpg-agent.conf, yet whenever I try signing an email in mu4e, pinentry gets into a fight with emacs over the tty and everything goes all fscked up. Why is this? Why does pinentry still try to take over the terminal instead of contacting emacs?

For that matter, why can both programs fight over it? I thought only one process group was the foreground group, and only that process group could read input from the tty. Instead it seems like both programs are reading some of the input and so I can't get emacs to switch buffers, nor pinentry to enter the correct password, nor cancel.

I'm on Ubuntu 20.04 with pinentry 1.1.0 and emacs 26.3.
Re: gpg encrypt always creates a new encrypted file
Anil Kumar Pippalapalli via Gnupg-users writes:
> Hello,
> I am trying to encrypt a file on my system using gpg --encrypt command but it
> always creates a new encrypted file. I want to overwrite the original file
> instead so that I can only open it using passphrase. Is this possible?

gpg --encrypt foo && mv foo.gpg foo
Re: Future OpenPGP Support in Thunderbird
Werner Koch writes:
> authenticated encryption is different from signed and encrypted mails.
> There are relative easy attacks on the encryption layer if standard
> encryption modes like CBC (as in S/MIME) are used. Whether this really
> affects users is a different question but they can be used to leverage
> implementation flaws in MUAs to full plaintext leaks. This is known for
> 20 years and made it last year again to the media under the term EFAIL.

I'm confused. I thought the whole efail thing was about crafting a plain text message that says "Good signature verified" and fools the user even though it was never run through pgp or had its signature verified with s/mime.

> Granted, encrypted+signed mails can to a large extent also mitigate the
> threat. But there are still reasons why signatures can't be used or
> need to be verified only at a later time in the workflow.
>
> OpenPGP had a mitigation against this since 2000 and was widely deployed
> by 2003. However S/MIME never implemented this despite of 10 years old
> RFCs describing methods for such a mitigation, called authenticated
> encryption (AE or AEAD).

AFAICS, that is for encryption+sign. If you just want to sign, it sounds like you are saying that is broken. I don't see how. You can't modify the message and keep the hash unchanged, and you can't encrypt a new hash because you don't have the sender's private key.
Re: Future OpenPGP Support in Thunderbird
Werner Koch via Gnupg-users writes:
> Still, TB is still subject to those attacks because their primary
> encryption protocol is S/MIME and the last time I checked S/MIME (well,
> CMS for the nitpickers) does not support any kind of authenticated
> encryption. In contrast OpenPGP provides this nearly for 2 decades.

What do you mean? S/MIME authenticates the user's identity via the CA.
Re: How to improve our GUIs (was: We have GOT TO make things simpler)
Andreas Boehlk writes:
> I do not agree with this one. IMHO the verification with a trusted GPG-Key is
> absolutely sufficient and the checksum-proof is not needed at all.

True, since validating the signature means validating the secure hash of the contents. That is, the checksum is resistant to accidental corruption, but the secure hash is *also* resistant to intentional manipulation. The latter is a superset of the former.
Re: Future OpenPGP Support in Thunderbird
Philipp Klaus Krause writes:
> While having OpenPGP support directly in Thunderbird is probably a good
> thing, I found it convenient to just use the gpg keys for Email
> encryption and signing (and conversely, being able to just use keys
> imported via Enigmail to encrypt files using gpg).
> It would be really nice, if Thunderbird could add an option to use the
> gpg key storage instead of its own, but so far the developers want to
> always keep the Thunderbird key storage separately (though they are
> considering functionality to import keys from gpg to Thunderbird):

Why the heck don't they just run gpg the way enigmail did?
Re: We have GOT TO make things simpler
Jeff Allen via Gnupg-users writes:
> So what? If the goal is private communication, ProtonMail and Tutanota
> are nearly effortless ways to achieve it. Sign up for a free account

How do you figure that? If they aren't encrypting mail then how is it private? Or is it using some other form of encryption ( s/mime )? If that's the case then why don't you just use that yourself and skip the centralized web site for holding your key?

> I disagree. No widely used OpenPGP implementation is going to
> automatically encrypt replies to encrypted email out of the box. With

Of course they do. If they don't, then they utterly fail to maintain your privacy.

> ProtonMail you have to import your correspondent's public key and flip
> an encryption switch in settings. You have to do that with GnuPG too,
> whether you are working from the command line or using
> Thunderbird/Enigmail or a GUI front-end.

iirc, it may poke you to import the key, but at least it tells you "hey! I can't encrypt this without the key. Unless you *really* don't want to encrypt this?" Silently sending the reply unencrypted is entirely unacceptable.

> Sure it's a solution. I have accounts at both. Most of my email is not
> encrypted because, as the original poster pointed out, most people I
> communicate with are not particularly interested in privacy. When a
> private discussion _is_ required, I suggest that we have it on one of
> those platforms. All my family members have ProtonMail accounts. They
> don't use them most of the time. They have Gmail accounts for daily
> use. But when we discuss financial matters or anything else we'd rather
> not have Google a party to, ProtonMail is the answer. If someone tells
> me they have a Tutanota account or are willing to get one, I say "fine!"
> and give them my Tutanota address.

So you think it is easier to sign up for some dedicated private webmail service that can only communicate securely with other people using that service than to run proper e2e on a real mail client? I suppose that's a matter of opinion, but it certainly is less secure and convenient. And by convenient I mean it is annoying to have both parties switch to some silly web site instead of just following their normal and preferred email routine.
Re: We have GOT TO make things simpler
Jeff Allen via Gnupg-users writes:
> The original poster, perhaps unintentionally, stated the real reason the
> masses have not adopted PGP, "Please do appreciate that the persons who
> we are convincing and instructing are not particularly interested in
> privacy." That's it in a nutshell. The masses are not particularly
> interested in privacy. If they were, they'd abandon Gmail and Yahoo and
> all the other providers who make no excuse for the fact their economic
> model depends on users being not particularly interested in privacy.

Bingo! And as long as the user is not interested in it, and won't learn how to properly use it, all they will get is the veneer of privacy and learn the hard way that they really aren't secure. You just can't make security idiot proof.

There was also mention of "legally binding digital signatures" in practice. So far, the ones I have seen are nothing more than a web site that you log into with a username/password, click sign, and it adds a nice forged signature to the pdf document with an attestation that the server verified your identity at such and such a time. That's not a cryptographic signature in any way and only an idiot would consider it "legally binding". Yet that is exactly how I signed the contract to purchase my house a little over two years ago.
Re: Enforcing password complexity for private keys
David Milet writes:
> To answer suggestions in other replies, our developers are savvy enough, and
> we do have recurring training in place to stress the importance of good
> passwords. But we know also that some developers will choose the weakest
> password the system allows, making them the weakest link.

And some will just write down the password on a sticky note stuck to their monitor. The more annoying you make password requirements, the more likely this becomes.

Don't smartcards have a built in lockout policy that makes it impossible to brute-force the password anyhow? Given that, password complexity is a moot point.
Re: Multiple dev one signing key
On 3/8/2019 2:05 PM, john doe wrote:
> Hi,
>
> I'm considering working on a project that has only for now a couple of
> developers.
> As part of that project everything that will be released will need to be
> gpg signed.
>
> What is the best way forward?
> - One signing key accessible on the release system
> - Each dev having a copy of the key to be able to sign a release
> - Other suggestions

Each dev just uses their own key to sign a release?
Re: Discrepancies in extracted photo-id images from dumps
Are you on some sort of drugs? I can not find anything that makes any sense or has anything at all to do with the previous messages in this thread you quoted. I see nothing here but the ramblings of a nutter. What the heck is all of this nonsense and what does it have to do with this thread?

On 1/21/2019 12:29 PM, justina colmena via Gnupg-users wrote:
> On January 19, 2019 9:56:00 AM AKST, "Ingo Klöcker" wrote:
>> On Samstag, 19. Januar 2019 17:10:38 CET Stefan Claas wrote:
>>> Method used with GnuPG:
>>>
>>> In gpg.conf i put: photo-viewer "cat > %K.%t"
>>>
>>> and then i used this one liner:
>>>
>>> for filename in ./*.pgp; do gpg --list-keys --list-options show-photo
>>> --keyring "$(unknown)"; done
>>
>> This will result in at most 1 image per key because your fake
>> photo-viewer overwrites photos for keys containing multiple photo-ids
>> (%K.%t is identical for all photo-ids of a key). Using
>> photo-viewer "cat > %K.%U.%t"
>> instead should fix this.
>
> Yes, I agree it's about time somebody clocked the $#!+ out of some of these
> EFF f*ckers and called them out on their bull crap, because you're not one of
> them, as you have so excused yourself.
>
> Other than that, well, all we ever get from Gnu/EFF is, "Don't talk to the
> cops!" And come to find out they have already snitched on us, grossly
> misrepresented us to the aforementioned cops, and cooked up false police
> reports against us that go on permanent record without the due process of
> law, and without any communication to us of our loss of rights and
> representation.
>
> We would like to work with the cops and educate them on due process and civil
> rights, but the truth is, you're either a criminal or a snitch the minute you
> talk to a cop, they punish you just the same either way, all the dishonest
> lawyers, corrupt judges, and stacked juries on their side, and if you haven't
> "lost your gun rights" already, they just take you in for a mental evaluation
> and have a doctor declare you irrevocably incompetent to possess a firearm
> for the rest of your life of cop-calling victimhood.
>
> And it's actually ten times worse than that, because when you try to find
> employment or housing with that on your record, your potential employer sees
> an unfounded and unproven, but indefeasible accusation of murder on your
> permanent record.
>
> Add to that the off-duty *armed* lynch mob from the local PD, the local NSA
> neighborhood crime watch with the moms in tennis shoes screaming ch!ld
> pr0nogr4phy, and we have a full-blown East German DDR Stasi in the USA.
> Somehow I don't believe the situation in Europe is much if at all better,
> because that political garbage is all coming from somewhere in the EU.
>
> You've got email problems at KDE.
>
> X-Authenticated-User? Is KDE high on drugs to pimp out your private email
> address like that to the whole mailing list? Or is KDE (= "K" DEutscheland)
> the German equivalent of KKK in the United States? Right, right, right. It's
> all love and free software and it runs on Ubuntu in Africa, same as
> everywhere else.
>
>> On Samstag, 19. Januar 2019 17:10:38 CET Stefan Claas wrote:
>
> Look. I realize it's automatically generated by your email client "reply"
> function, but is that supposed to be an English-language sentence with a
> German-language locale time-zone date-stamp mashed into the middle of it?
> Some of you Germans drink so much beer you can't tell what time the sun is
> supposed to come up in the morning.
>
> Everything is either proprietary and locked down, or too broken and crippled
> to be usable, and there's no viable free software left anywhere, because of
> all the bull crap and the H1-B labor Mob from the East Indies. Microsoft is
> behind this, I'm telling you. They bought out GitHub. The Halloween
> Documents, the SCO fiasco, the whole Groklaw.net saga, nobody ever got fired
> for buying Apple, IBM, AT&T, and Cisco, either, and it's all coming back,
> closed source, slammed shut right in our faces.
>
> How can people be so insufferably rude?
Re: Won't recognize my secret key
On 6/21/2018 10:41 PM, NIIBE Yutaka wrote:
> Basically, secring.gpg only has the information of expiration when it's
> created. After changing expiration, it is only recorded in pubring.gpg.
> So, it is recommended to do something like:

Makes sense.

> $ gpg --homedir ~/.gnupg.old --export-secret-keys | \
>   gpg --homedir ~/.gnupg --import
>
> (instead of doing --import ~/.gnupg/secring.gpg directly.)
>
> However, in gnupg/g10/migrate.c, GnuPG itself does that (!). This
> should be fixed.

The first thing I did was delete ~/.gnupg.old and re-import just like that ( which of course, did not work ). I re-imported only the public key today with --recv-keys and that got the updated selfsig.
Re: Won't recognize my secret key
I just noticed that I do have a bunch of key files in ~/.gnupg/private-keys-v1.d, even though gpg -K does not show them.

Ahah, gpg -K -v shows them... it seems to think they are all expired. It lists the expiration date on my current key as 2018-1-6. I believe that was the *original* expiration date, but then I extended it. gpg 2.1 seems to be failing to recognize the extension.

On 6/21/2018 11:27 AM, Phillip Susi wrote:
> Ok, so if I checkout and build 2.0.31, remove ~/.gnupg, and import my
> keyring, all of my private keys show up. If I check out and build 2.1.1
> and run /usr/local/bin/gpg -K, it upgrades to the new key format and
> throws out my private keys:
>
> gpg: starting migration from earlier GnuPG versions
> gpg: porting secret keys from '/home/psusi/.gnupg/secring.gpg' to gpg-agent
> gpg: key A70FB705: secret key imported
> gpg: migration succeeded
> /home/psusi/.gnupg/pubring.gpg
> ------------------------------
> sec#  rsa2048/A70FB705 2011-12-13
> uid         [ unknown] Phillip Susi
> uid         [ unknown] Phillip Susi
>
> Any suggestions on how to further debug this?
Re: Won't recognize my secret key
Ok, so if I checkout and build 2.0.31, remove ~/.gnupg, and import my keyring, all of my private keys show up. If I check out and build 2.1.1 and run /usr/local/bin/gpg -K, it upgrades to the new key format and throws out my private keys:

gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/home/psusi/.gnupg/secring.gpg' to gpg-agent
gpg: key A70FB705: secret key imported
gpg: migration succeeded
/home/psusi/.gnupg/pubring.gpg
------------------------------
sec#  rsa2048/A70FB705 2011-12-13
uid         [ unknown] Phillip Susi
uid         [ unknown] Phillip Susi

Any suggestions on how to further debug this?
Re: Won't recognize my secret key
On 6/19/2018 3:05 PM, Phillip Susi wrote:
> gpg keeps telling me that I have no secret key. Even after I deleted
> the .gnupg directory and copied the pubring and secring from another
> computer where it works, this system keeps saying I have no secret keys.
> Why does it keep throwing out my secret keys?

I have built gnupg-2.0.31 from source and found it to work. gnupg-2.2.4 refuses to import my private keys ( but will import a newly created test key ). So something broke somewhere between 2.0 and 2.2, but apparently 2.1 was a development branch, and it likes to yell at you that you shouldn't be using production keys and refuses to import any private keys, so I can't test to see where it lost the ability to import *my* private key. Is there a way to turn off this damn protection so I can continue to bisect?
Re: git repo won't build for lack of source files?
On 6/20/2018 1:52 PM, Phillip Susi wrote:
> I cloned the git repo and checked out gnupg-2.2.4, ran ./autogen.sh,
> ./configure, then when I try to make, it is apparently missing some files:
>
> make[2]: Entering directory '/home/psusi/gnupg/common'
> make[2]: *** No rule to make target 'audit-events.h', needed by 'all'.
> Stop.
>
> What gives?

Apparently you have to configure with --enable-maintainer-mode to avoid this.
git repo won't build for lack of source files?
I cloned the git repo and checked out gnupg-2.2.4, ran ./autogen.sh, ./configure, then when I try to make, it is apparently missing some files:

make[2]: Entering directory '/home/psusi/gnupg/common'
make[2]: *** No rule to make target 'audit-events.h', needed by 'all'.
Stop.

What gives?
Won't recognize my secret key
gpg keeps telling me that I have no secret key. Even after I deleted the .gnupg directory and copied the pubring and secring from another computer where it works, this system keeps saying I have no secret keys. Why does it keep throwing out my secret keys?

Working system:

C:\Users\psusi\AppData\Roaming\gnupg>gpg --version
gpg (GnuPG) 2.0.28 (Gpg4win 2.2.5)

C:\Users\psusi\AppData\Roaming\gnupg>gpg -K
C:/Users/psusi/AppData/Roaming/gnupg/secring.gpg
sec#  2048R/A70FB705 2011-12-13
uid                  Phillip Susi
uid                  Phillip Susi
ssb   2048R/51FEF1C9 2011-12-13
ssb   2048R/FA9EEEF9 2011-12-14
ssb   2048R/3348AAF0 2013-11-26
ssb   2048R/BDCC7F92 2013-11-26
ssb   2048R/9C8E5E51 2014-10-29
ssb   2048R/93A02CCD 2014-10-29
ssb   2048R/5CBBA516 2015-10-05
ssb   2048R/10850B71 2015-10-05
ssb   2048R/6100FE84 2017-01-06
ssb   2048R/0F60068B 2017-01-06

Broken system:

psusi@devserv:~$ gpg --version
gpg: WARNING: unsafe permissions on homedir '/home/psusi/.gnupg'
gpg (GnuPG) 2.2.4

psusi@devserv:~$ gpg -K
gpg: WARNING: unsafe permissions on homedir '/home/psusi/.gnupg'
/home/psusi/.gnupg/pubring.kbx
------------------------------
sec#  rsa2048 2011-12-13 [SCA]
      1B49F933916A37A3F45A1812015F4DD4A70FB705
uid           [ultimate] Phillip Susi
uid           [ultimate] Phillip Susi
Re: Different signing & encryption keys
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 08/12/2014 03:05 PM, Werner Koch wrote:
> On Tue, 12 Aug 2014 19:50, ps...@ubuntu.com said:
>> We used to use different keys for signing and encrypting ( DSA &
>> ElGamal ), but these days just seem to use a single RSA key by
>> default.
>
> That is not the case. GnuPG creates an RSA signing key and an RSA
> encryption subkey by default. These are different keys because
> the common wisdom is to use one key for one purpose.

How do you tell which one is which? It used to be that the 'D' prefix meant DSA, which was signing only, and 'g' or 'G' was for ElGamal signing or encryption, but now they all just show 'R'.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJT6snIAAoJEI5FoCIzSKrwWWAH/1la7+90/TlY+FwRdAHNoZG4
9Kk+ZjLfL8twbL2jOvD7f7AjhCyA5DI+ywCzCCVzIMJMfVsxM5ljn9GrZJPY9bZd
FR72YUvNMQroJwmWWPm0U69hIl10YLkwjBNvaHp8XJLOILnqXv2+kvbGO/dQpsR5
f7NSjAMz2vhtXY+LvNTzKOcNoW24NwUKxebayE9EwKzwNkXyAuR4A6ECYpMZhjeH
LtySj9LxmuOpA3nVGnOAmUK5EUnVuHUi6UGoufyMNnifpeiwlxIIy5TchJkzB9to
CK0tUOxYNFUwm+A3xXBRonaurkE1DKGYQT4w4nsbFbjinV/jfH5KA9U/AF8KnwM=
=hcaf
-----END PGP SIGNATURE-----
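An added example, not from this thread or from GnuPG itself, of answering the "which one is which" question programmatically. It parses the machine-readable `gpg --with-colons -K` listing, where the public-key algorithm is a number in field 4 and the key capabilities are letters in field 12 (as documented in GnuPG's doc/DETAILS: lowercase letters describe the key on that line, uppercase letters on the primary summarise the whole key). The sample listing, its key IDs, dates and user ID are constructed, and only the algorithm numbers named in this thread are mapped.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# OpenPGP public-key algorithm numbers (RFC 4880, section 9.1); only the ones
# mentioned in this thread are listed here, others are shown by number.
ALGORITHM_NAMES = {1: "RSA", 16: "Elgamal (encrypt only)", 17: "DSA"}

# Capability letters used in field 12 of a --with-colons listing.
CAPABILITY_NAMES = {"s": "sign", "e": "encrypt", "c": "certify", "a": "authenticate"}


@dataclass
class ListedKey:
    record: str                        # "sec"/"ssb" (secret listing) or "pub"/"sub" (public)
    keyid: str
    algorithm: str
    capabilities: List[str] = field(default_factory=list)


def parse_colon_listing(listing: str) -> List[ListedKey]:
    """Extract key records (primary and subkeys) from `gpg --with-colons -k/-K` output."""
    keys: List[ListedKey] = []
    for line in listing.splitlines():
        fields = line.split(":")
        if len(fields) < 12 or fields[0] not in ("pub", "sub", "sec", "ssb"):
            continue                   # uid, fpr, grp, tru, ... records are not keys
        algo_number = int(fields[3]) if fields[3].isdigit() else -1
        algorithm = ALGORITHM_NAMES.get(algo_number, f"algorithm {fields[3]}")
        # Keep only the lowercase letters: what this particular key can do.
        caps = [CAPABILITY_NAMES[ch] for ch in fields[11] if ch in CAPABILITY_NAMES]
        keys.append(ListedKey(fields[0], fields[4], algorithm, caps))
    return keys


def keys_by_capability(keys: List[ListedKey]) -> Dict[str, List[str]]:
    """Map each capability name to the key IDs that carry it, in listing order."""
    by_cap: Dict[str, List[str]] = {name: [] for name in CAPABILITY_NAMES.values()}
    for key in keys:
        for cap in key.capabilities:
            by_cap[cap].append(key.keyid)
    return by_cap


# Constructed sample: an RSA primary (certify + sign) with an RSA signing subkey
# and an RSA encryption subkey.  Key IDs, fingerprint, dates and user ID are made up.
SAMPLE_LISTING = """\
sec:u:2048:1:0123456789ABCDEF:1323734400::::::scESC:::+:::23::0:
fpr:::::::::00112233445566778899AABBCCDDEEFF01234567:
uid:u::::1323734400::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
ssb:u:2048:1:FEDCBA9876543210:1323734400::::::s:::+:::23:
ssb:u:2048:1:1122334455667788:1323734400::::::e:::+:::23:
"""


def main() -> None:
    keys = parse_colon_listing(SAMPLE_LISTING)
    for key in keys:
        print(f"{key.record} {key.keyid} {key.algorithm}: {', '.join(key.capabilities)}")
    print(keys_by_capability(keys))


if __name__ == "__main__":
    main()
```

Run against real output with `gpg --with-colons -K | python3 this_script.py`-style plumbing (read `sys.stdin` instead of `SAMPLE_LISTING`); the same RSA algorithm number appears on every line, so the capability letters, not the algorithm, are what distinguish a signing subkey from an encryption subkey.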
Different signing & encryption keys
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

We used to use different keys for signing and encrypting ( DSA & ElGamal ), but these days just seem to use a single RSA key by default. Is it still possible and/or beneficial to use two separate subkeys for signing and encrypting?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJT6lPyAAoJEI5FoCIzSKrwMPQH/RXU3ab1KRPKa3OIrd8wcJDM
zJAAnj0lWj6bCM/CZgOtpG2KCpUhVYigpBu6LqwNrxJUmIAa3+05fex29hlkVUxS
I2jKFhMQbn/DdxlZrIDw4yrjUobz5gmhAjraJMlRA7G+5FolL/Vd9x4DeU5Yk3bF
lS/fq84d9YIQGNHTPHiN8ZeuO11eMdZ9631csAvBRTthx9u7RDRyg/icmWZeQ5LG
4oSPd2RRCTyFC6+xg8RuaHmwY+6KjEUg0CW0IB9EtKv3YzOe/Tl161Y5fddgI8AN
/hhSNpudWH5f4zj6oj09dF+3kYu2JiKO1qqvvdHP6fB9XXVNKv3JJgB81R5kY3k=
=Afh7
-----END PGP SIGNATURE-----
Different passwords for subkeys
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I keep a subkey pair for daily use that I keep a copy of on my work machine, and reissue each year, and the master key only at home. I would like to protect the master key with a password that is different from that used on the daily use subkey, but when I use --edit-key and specify the master key id, and use the passwd command to change the password, it applies it to all subkeys. How can I set a different password only for the master key?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBCgAGBQJTx0/vAAoJEI5FoCIzSKrwQz4H/RwNb9yzewefxaESSHI9pUe1
+0gYlEWPeVF/GtLS7E7TQoXWcNnhX6v1h9CFdIRUJZ/NsbZv+dzxS+gODCVzkNpC
NGSmotlW4fpStiflq3ZybFq9CJOY1lN+fY9ZxX6oGXZhGE2NegB4PX6SODGMu77n
XefMO3YgTQxo4hiA11fa3aU6RuWXc9bxTdjgmEjKc5lGosPSoGnmIcmCiDjRG2Lv
9+oX+rRj1jLPKVxaA03WK/P8CqJXgJlWxnaR5F+bTMbmR7+GKRplhWSP+fpEaEZL
CJU+wepjd/tKfW1cZhgvua90+fm15CdjXBNka/BEjbnbIPTBcdqbA0JLCR9SNMM=
=v9vy
-----END PGP SIGNATURE-----
Re: Encrypting File with passphrase
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 3/12/2014 9:07 AM, Kumar, Vikash X wrote:
> Hi Team,
>
> Could you please help me to understand the following query.
>
> We are using gpg encryption method for encryption and decryption
> in our application. We have generated the keypairs on server A and
> public key is imported on server B also a passphrase say "Strange"
> was provided while generating the key.
>
> Now I am trying to encrypt the file on server B using this public
> key, I am able to do so whether I pass the passphrase or not.
>
> So my ask is, if a key pair is generated with a passphrase, won't it
> restrict the encryption in case an incorrect passphrase or no
> passphrase is passed? Also I was able to encrypt the file on server
> B by providing any random passphrase, but decryption is possible
> with correct passphrase only.

The passphrase is only used to encrypt the private key so that even if someone gets ahold of your private keyring, they still can't use it. You can skip the password if you want, and that makes as much sense as writing the password down in a script that will be automatically using the private key to decrypt. Encryption only uses the public key, hence there is no password.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTIwsfAAoJEI5FoCIzSKrw5tAH/ih7zw3gm5/YL4Lmf3OePDWN
XNpk18RCN2RNdmTSOWV6QZa/b4yt7C8Il95L9F4JwKLhnPrdl2x1mcXBK0+yg/xQ
aNmOmsfKUMpu5zyUKuYaQQ/uFxer+zL3Xa456qFLgQF0UjWgYOuhw4LfVKb1Jy7P
sxYmkmOWrN+DzciPrNQL2j6a/oGLF1Rz6rsPl7jFFSrVgCXugNIOaDGtzCjT9/dx
Ig4L4znz9ZWZ0Z0e6gQEjlVIWjPZVE5FQhp2l9se3sKrXNqtxKIAMBEwtM6XU5In
+o03VrQYCU6Iuf3n4wcM511yLufOhc2xrnY6yltMSPVYauSYE4y5KHrS7aFVIl0=
=f2Al
-----END PGP SIGNATURE-----
Re: Importing new subkeys
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 12/10/2013 06:27 PM, Doug Barton wrote:
> On 12/10/2013 12:42 PM, Phillip Susi wrote:
>> So my old subkeys are about to expire so I created some new ones
>
> Why are you creating new ones instead of simply extending the
> expiry of the existing ones?

Because I already extended them for a second year once, so I figured it's about time for a new one on the off chance that someone might be trying to crack them using the plethora of public email I have signed using them.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBCgAGBQJSp+OPAAoJEI5FoCIzSKrw1F4H/1Va5Vlsge6YMTKNXXkX9Hs7
7VKAfaBePrTs/M7MlmN+dfRpUKYkKiUWxddBREDPPO/5lsSTy2g77uPmH/dIgcPf
agE3tl2OAuNh+wurUl1IniJTNwoV0NM+q0QjfJ41FjpnTgsYiS6GE5FI1u0R8Nx2
2I1f6glIBZCoeWJ62nQz/MBCH9C0Scrh8xzYYpYzXBC855r1ehJXSU8x4TdB2gcj
//lYRNLTncIhla0UNiMKsauQXeGWuW59zZmSnWuYT2jxEJJi9Ii7/HEKddS+/MtB
r2q0If6yo2MTXIDp9fLwXsuTXCXfQgT9dl5CmTVzZK+Axqmvz0VusX/+uyXmcTo=
=3mL/
-----END PGP SIGNATURE-----
Importing new subkeys
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So my old subkeys are about to expire so I created some new ones at home and exported them with --export-secret-subkeys. When I try to import them at work, gpg just says I already have that key and stops. Why isn't it merging the new subkeys? I ended up having to delete the master key from the keyring in order to import the new subkeys.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJSp3zAAAoJEI5FoCIzSKrwa7oH/1ShDWfl3BngAx930jCGExaM
nFCDRswSZ1M1ivSMdi3x8QF1pWmuxkjLAfxcItv+xfsmjPgO3ET5e1UZNCIN9M+5
OqBlv4DrqmtrnFxDhE9MmvupazW7Z/HGoK+hC6xter6Bbjyk110B0dfHgndhqR5L
eT1yXfDTppH+uKdoEdny2hdg0bKe5Sz5r1eusdi/fp94ixFKYBuRCgSOFJHqpcjL
7pHL3QMysjD7JzJRqxo2gtpPMI7pWv4WAPBo4pOKyhlTL4vwhXaZr0ff1mQ0sk4p
xZIhWY9jVcCKbzXiVwQbBV67ViWaY/yJozTNvywuYRe4Wr2KaL/UX5aAHmJnGIY=
=+SEe
-----END PGP SIGNATURE-----
Re: Offline Primary Key
On 3/1/2010 3:37 PM, David Shaw wrote:
>> This does the trick, but I still do not understand why --delete-secret-key
>> removes BOTH the primary and subkey secrets when I specifically gave only
>> the ID of the subkey? Shouldn't it remove exactly what I say and no more?
>
> It has to do with how keys are specified. In GnuPG, you can specify a key
> in a number of ways - by name, by (any) fingerprint, and by (any) key ID.
> So if you have a key named "foobar", and the key ID is and the subkey ID
> is , you could refer to that key with any of "foobar", "", or "". When you
> say "--delete-secret-key BBB", you're actually saying delete the whole key.

Can this be overridden? I thought that is what the ! suffix was for, but it still deletes the whole thing.
Re: Offline Primary Key
On 3/1/2010 1:57 PM, David Shaw wrote:
> What you need to do is an --export-secret-subkeys (there is no such
> command as --delete-primary-keys). So, starting from a state where your
> whole key (primary and all secondaries) are all imported to your GPG
> instance, do:

Yes, I meant --delete-secret-key

> gpg --export-secret-subkeys (thekeyid) > my-secondary-keys-only.gpg
>
> Then import my-secondary-keys-only.gpg into whichever GPG you want to use
> it with. If you want to use it with the same one you just exported from,
> then do:
>
> gpg --export-secret-key (thekeyid) > my-real-secret-key.gpg
> gpg --delete-secret-key (thekeyid)
> gpg --import my-secondary-keys-only.gpg
>
> (i.e. save a copy of the full key, delete it from the keyring, and replace
> it with the secondary-key-only copy).

This does the trick, but I still do not understand why --delete-secret-key removes BOTH the primary and subkey secrets when I specifically gave only the ID of the subkey? Shouldn't it remove exactly what I say and no more?
Offline Primary Key
I would like to keep the private portion of my primary key stored offline and use an expiring secondary key for day to day signing. To accomplish this I have tried backing up the key after creating the secondary signing key, then attempting to delete the private portion of the primary key from the key ring, but even when I explicitly specify the primary key ID to delete with --delete-primary-keys, the secondary private key is also removed. How can I remove ONLY the private part of the primary key, and not the secondary key(s)?