detached signature, "can't hash datafile: No data"
Hello, I wanted to verify an install file so I downloaded file.dmg and the accompanying detached signature.asc. The public key was imported and verified. Using GnuPG, I used the command: gpg --verify signature.asc file.dmg and.. "Good signature from..." However, when I try to verify signature.asc independently using the command: gpg --verify signature.asc it states: gpg: no signed data gpg: can't hash datafile: No data Shouldn't I be able to verify the signature independently? S.B. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: fingerprint associated public key does not match displayed public key
> Don't do that. Seriously. This is like saying "I want to learn how to > farm like my grandparents did!" Farming is hard enough: voluntarily > doing without, you know, *electricity* is just crazy. (In the United > States, many farms were without electricity until the 1940s!) > These easy-to-use tools exist for a reason: to make GnuPG easy to use. > If you insist on doing things the hard way you have only yourself to > blame. First learn how to use GnuPG, and then figure out how to use > GnuPG like you would if it was 1992 after you've got your basic skills down. Haha. You're good with these. I don't want to be farming without electricity. You may want to check out a mailing list like PGPNET, which exists specifically to give people experience in sending/receiving encrypted mail. :) > I immediately did it. I saw you there. Using Thunderbird. Figuring it out. > Thank you all for all the good advice. S.B. On Mon, Dec 20, 2021 at 4:50 PM Robert J. Hansen wrote: > > > seems as though my entry into this realm was clearly... bad. I wanted > > to learn the system without using separate encryption software like > > kleopatra. I wanted to know how to do it with just gpg and any email > > provider. It's difficult, and I have a lot to learn. > > Don't do that. Seriously. This is like saying "I want to learn how to > farm like my grandparents did!" Farming is hard enough: voluntarily > doing without, you know, *electricity* is just crazy. (In the United > States, many farms were without electricity until the 1940s!) > > These easy-to-use tools exist for a reason: to make GnuPG easy to use. > If you insist on doing things the hard way you have only yourself to > blame. First learn how to use GnuPG, and then figure out how to use > GnuPG like you would if it was 1992 after you've got your basic skills down. > > > and... I was hoping that, since I have your email, key ID, and fingerprint > > ;) > > I could write an encrypted message to your sixdemonbag email. I'd > > completely understand if you'd rather not. I just have now found > > myself luring friends and relatives into learning this with me and > > exchanging encrypted emails and... it's not going well. > > You may want to check out a mailing list like PGPNET, which exists > specifically to give people experience in sending/receiving encrypted > mail. :) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: fingerprint associated public key does not match displayed public key
> Well, it depends. We have no idea what the .asc file in Disk/users/SamiBadri contains. It could be your public key. Or it could be somebody else's public key. Or it could be something other than a public key. That was my mistake. When I generated my first key pair I used the command: gpg --armor --export sami.ba...@gmail.com> ~/Desktop/SamiB.asc I moved it into my user folder. That's the file I uploaded to openpgp.org. It is the public key block. > You shouldn't assume anything if you are dealing with encryption software. You should be sure what you are doing. Otherwise, in the extreme, you could jeopardize the lives of other people. I absolutely understand. > You can use the command gpg --show-key But, as with using a proper email client you should probably also use a > proper graphical tool for working with GnuPG. On Linux, I suggest using Kleopatra. On Windows, I recommend gpg4win. I'm researching other email clients and will definitely get a GnuPG graphical tool. PGP Tool for Mac looks ok. > Alternatively, you could have a look at Mailvelope (https://mailvelope.com). It's a browser add-on that will extend GMail (and many other webmail providers) with OpenPGP support. I'm looking at Mailvelope and FlowCrypt for Gmail extensions. On Sat, Dec 18, 2021 at 3:23 PM Ingo Klöcker wrote: > > On Freitag, 17. Dezember 2021 18:04:04 CET S.B. via Gnupg-users wrote: > > > Otherwise, you can simply send your exported key to the person you want to > > > give your public key to. > > > > Yeah so, I can attach the .asc file that's in my Disk/users/SamiBadri > > folder (it's the only .asc file I've seen), but I'm assuming that is > > my public key. Is that correct? > > Well, it depends. We have no idea what the .asc file in Disk/users/SamiBadri > contains. It could be your public key. Or it could be somebody else's public > key. Or it could be something other than a public key. > > Quite frankly, I suggest that you follow Robert's advice and start your > learning experience with OpenPGP by using an email client that supports > OpenPGP out-of-the-box. All decent email clients should have a functionality > to attach your public key to an email without you having to attach some file > manually. > > > Is there anyway to send your private key? > > Sure. You can send any file to anyone, so, of course, you can do the same with > your private key (unless it's stored on a smartcard in a read-protected slot). > > A decent email client should not offer a functionality to attach your secret > key to an email. So, if you stick to what your email client offers you, then > you should be safe. > > > I want to know so that I don't do it accidentally. > > Then don't attach random files you find on your disk to your emails without > knowing what those files contain. > > > Also, if I > > use the cat SamiB.asc command, the terminal reveals a certificate (and > > I assume that's my public key certificate). > > You shouldn't assume anything if you are dealing with encryption software. You > should be sure what you are doing. Otherwise, in the extreme, you could > jeopardize the lives of other people. > > > Can I copy/paste and send > > that as a txt attachment? Will they be able to do anything with it? > > For instance, let's say they don't have my email, key ID, or > > fingerprint, only the pgp public key block (aka certificate), can you > > do anything with a txt-type file that only shows the certificate in > > armor? > > If you send someone the public key block of your public key, e.g. some file > that contains something like > > -BEGIN PGP PUBLIC KEY BLOCK- > > [...] > -END PGP PUBLIC KEY BLOCK- > > then this person can import your public key in their keyring and use it to > verify signatures made by you and to encrypt text or files for you. > > You can use the command > gpg --show-key to have a look at the key (or keys) contained in SamiB.asc. But, as with using > a proper email client you should probably also use a proper graphical tool for > working with GnuPG. On Linux, I suggest using Kleopatra. On Windows, I > recommend gpg4win. > > > Lastly, I see that you have attached a signature .asc file with your > > email. I can import that file, and compare to? > > No, you cannot import that file. You need an email client that supports > OpenPGP to do anything useful with it. > > Alternatively, you could have a look at Mailvelope (https://mailvelope.com). > It's a browser add-on that will extend GMail (and many other webmail > providers) with OpenPGP support. > > Regards, > Ingo > ___ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: fingerprint associated public key does not match displayed public key
> Did you notice the command is "gpg --import < certificate.txt"? Yes, sorry. I did type the command correctly. >> I placed the file in my .gnupg hidden folder. > > Then you'd need to do "gpg --import < ~/.gnupg/certificate.txt". If certificate.txt isn't in your current directory, you need to tell Linux where to look for it. It worked. I placed the txt file (copied and pasted) certificate in my .gnugp folder and it went through. > Please stop using that resource. As mentioned above, it's shockingly bad. To be fair. The resource didn't actually tell me to do it that way. It only supplied me with the command. The method was my roundabout way of making it work (based on my underivative understanding). It seems as though my entry into this realm was clearly... bad. I wanted to learn the system without using separate encryption software like kleopatra. I wanted to know how to do it with just gpg and any email provider. It's difficult, and I have a lot to learn. and... I was hoping that, since I have your email, key ID, and fingerprint ;) I could write an encrypted message to your sixdemonbag email. I'd completely understand if you'd rather not. I just have now found myself luring friends and relatives into learning this with me and exchanging encrypted emails and... it's not going well. > On Fri, Dec 17, 2021 at 9:24 PM Robert J. Hansen wrote: > > > What other keys would it hold? > > Behold: > > pub ed25519/1E7A94D4E87F91D5 2021-02-22 [SC] >7D8EC4B85B6FEDD6C10D3C791E7A94D4E87F91D5 > uid [ultimate] Robert J. Hansen > uid [ultimate] Robert J. Hansen > sub cv25519/7D6CCDB66CA1202F 2021-02-22 [E] > > > My public certificate has two keys: an Edwards-25519 signing key and a > Curve-25519 encryption key. > > Back in the '90s, certificates almost always held a single key that was > used for both encryption and signing. Then we realized, "if the courts > force us to give our decryption key to the cops so they can read our > traffic, we're also giving them the ability to impersonate us." Since > then, virtually every OpenPGP certificate has had at least two keys: one > for signing and one for encryption. > > There are cases where three or more keys are appropriate, but they're > kind of outside the scope of the current discussion. > > >> Sure it does. I did that no more than twenty minutes ago myself. > > > > So I typed the gpg --import > certificate.txt command and it says "no > > such file or directory: certificate.txt" (certificate has a different > > name of course). > > Did you notice the command is "gpg --import < certificate.txt"? > > > I placed the file in my .gnupg hidden folder. > > Then you'd need to do "gpg --import < ~/.gnupg/certificate.txt". If > certificate.txt isn't in your current directory, you need to tell Linux > where to look for it. > > > Here is really the root of my problem. As you probably know, I'm not > > using a Web Key Service/Directory enabled email provider, so if I were > > to get an encrypted message intended for me, I'd have to copy the > > encryption text, paste it into txt file, then import/decrypt it like > > that with: gpg --decrypt ~/Desktop/encryptedfile.txt | perl > > -MMIME::QuotedPrint -0777 -nle 'print decode_qp($_)' > > That's shockingly bad. > > Try using an email client with OpenPGP support built-in. On Linux the > two major choices are Evolution and Thunderbird. > > > That's a command I found online from a source that I've been using for > > learning pgp. > > Please stop using that resource. As mentioned above, it's shockingly bad. > > As the FAQ says, "The good news is the internet is a treasure trove of > information. The bad news is that the internet is a festering sewer of > misinformation, conspiracy theories, and half-informed speculations all > masquerading as informed commentary." ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: fingerprint associated public key does not match displayed public key
> Key(s): a certificate holds at least one, but usually more than one. I see. So, a certificate (aka pgp public key block) holds at least one key (+ pertinent metadata that changes/updates depending on use, etc.), but usually more. What other keys would it hold? The paired secret key? No. Other public keys in my key ring? Unlikely. If the certificate is made for encryption of a message that only one specific secret key can decrypt. Why would it hold more than one key? >> But the import command doesn't work with txt. > Sure it does. I did that no more than twenty minutes ago myself. So I typed the gpg --import > certificate.txt command and it says "no such file or directory: certificate.txt" (certificate has a different name of course). I placed the file in my .gnupg hidden folder. Here is really the root of my problem. As you probably know, I'm not using a Web Key Service/Directory enabled email provider, so if I were to get an encrypted message intended for me, I'd have to copy the encryption text, paste it into txt file, then import/decrypt it like that with: gpg --decrypt ~/Desktop/encryptedfile.txt | perl -MMIME::QuotedPrint -0777 -nle 'print decode_qp($_)' That's a command I found online from a source that I've been using for learning pgp. What am I missing? Does this only work well with WKS/D enabled message services? On Fri, Dec 17, 2021 at 12:42 PM Robert J. Hansen wrote: > > > The document snapshot analogy really helps. > > I'm glad it's helped! > > >> No, and I'm going to strongly encourage you to stop asking > > implementation questions. > > > > I think I'll take that advice. > > When you think you're ready, we'll be here to answer your implementation > questions. It would break my heart if you thought you should never ask > them -- I just, only, think that diving into implementation details is > almost always a bad idea for new users. > > If you want to teach someone poetry you start by showing them the witty > banter and playful puns in Shakespeare, and encourage them to laugh and > enjoy the show. Learning about iambic pentameter can wait. :) > > > I'm getting the picture now. The pgp key block is really the > > certificate. The certificate holds the key and metadata. > > Key(s): a certificate holds at least one, but usually more than one. > Beyond that minor detail you've got it perfect. > > >> gpg --import < certificate.asc > > > > So, when dealing with a displayed certificate (what I was calling a > > pgp public key block), the only method I thought of was copying and > > pasting it onto a txt file. But the import command doesn't work with > > txt. > > Sure it does. I did that no more than twenty minutes ago myself. > > How were you trying to do this? ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: fingerprint associated public key does not match displayed public key
> Please reply inline unless your email client makes this difficult. I will be doing that from now on. I'm not sure of any other way besides manually copying and pasting, but that's not a problem. > There is a Frequently Asked Questions document that you may want to read if you haven't done so already: I read the whole thing. It helped a little, but there was a lot that I just don't get (yet). I'll be reading through it again, along with the users archives, and the manual itself. I've started on a journey here, I see that. There's a lot to learn. But I am thrilled to learn it all. I do appreciate all the help. > The easiest way is to use WKD/WKS (Web Key Directory/Service) if your email provider supports this because then some OpenPGP-aware automatically download your key when someone enters your email address into their email client. I don't think gmail supports WKD. I'll look into a WKS/D supporting email provider. > Otherwise, you can simply send your exported key to the person you want to give your public key to. Yeah so, I can attach the .asc file that's in my Disk/users/SamiBadri folder (it's the only .asc file I've seen), but I'm assuming that is my public key. Is that correct? Is there anyway to send your private key? I want to know so that I don't do it accidentally. Also, if I use the cat SamiB.asc command, the terminal reveals a certificate (and I assume that's my public key certificate). Can I copy/paste and send that as a txt attachment? Will they be able to do anything with it? For instance, let's say they don't have my email, key ID, or fingerprint, only the pgp public key block (aka certificate), can you do anything with a txt-type file that only shows the certificate in armor? Lastly, I see that you have attached a signature .asc file with your email. I can import that file, and compare to? S.B. On Fri, Dec 17, 2021 at 7:02 AM Ingo Klöcker wrote: > > Please reply inline unless your email client makes this difficult. As you can > see from the replies to your messages that's what we prefer on this mailing > list. It helps to make the context of the replies more clear. > > There is a Frequently Asked Questions document that you may want to read if > you haven't done so already: > https://gnupg.org/faq/gnupg-faq.html > > On Freitag, 17. Dezember 2021 02:43:25 CET S.B. via Gnupg-users wrote: > > When you want to give someone your public key, do you normally just > > give your email, fingerprint, key ID, or the armor form key block? > > The easiest way is to use WKD/WKS (Web Key Directory/Service) if your email > provider supports this because then some OpenPGP-aware automatically download > your key when someone enters your email address into their email client. I > don't think gmail supports WKD. > > Otherwise, you can simply send your exported key to the person you want to > give your public key to. You may want to use the option "--export-options > export-minimal" when exporting your key to keep the armor form key block > small. > > It may also make sense to upload your key to some keyservers, so that people > can get your key without first having to contact you. > > Regards, > Ingo > ___ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: fingerprint associated public key does not match displayed public key
> Think of them as two different snapshots of the same document at different points in time, as various minor edits are made to it. But the important bits, the stuff you care about, will be consistent through revisions so long as the fingerprint remains unchanged. The document snapshot analogy really helps. > No, and I'm going to strongly encourage you to stop asking implementation questions. I think I'll take that advice. > What you're calling a "key block" is a certificate, not a key. A certificate includes cryptographic keys and metadata about those keys. I'm getting the picture now. The pgp key block is really the certificate. The certificate holds the key and metadata. > gpg --import < certificate.asc So, when dealing with a displayed certificate (what I was calling a pgp public key block), the only method I thought of was copying and pasting it onto a txt file. But the import command doesn't work with txt. I was thinking of converting the txt to asc using a conversion app but then I knew that it can't be that difficult. If the only thing you have is the person's certificate, and it's not in an .asc format, is there any other way of importing it into your key ring? Or are all public key imports obtained via asc files? S.B. On Fri, Dec 17, 2021 at 4:43 AM Robert J. Hansen wrote: > > > That key block did not match the one on his profile. That’s what > > confused me. But I’m learning (from you guys) that the key blocks > > don’t necessarily have to match. So I can assume that: > > More accurately, they're very unlikely to match. The version on his > site may lack some signatures or user IDs present on the keyserver copy, > or vice-versa. Think of them as two different snapshots of the same > document at different points in time, as various minor edits are made to > it. But the important bits, the stuff you care about, will be > consistent through revisions so long as the fingerprint remains unchanged. > > > - the fingerprint is specific for the secret key component of the > > generated key pair and does not change. > > No, and I'm going to strongly encourage you to stop asking > implementation questions. You're not ready for them. For now, learn > how to use the system, and only then start paying attention to the fine > detail of how the system is implemented. > > But if you insist, see section 12.2 of RFC4880. "A V4 fingerprint is > the 160-bit SHA-1 hash of the octet 0x99, followed by the two-octet > packet length, followed by the entire Public-Key packet starting with > the version field. The Key ID is the low-order 64 bits of the fingerprint." > > > - the pgp public key is, in a way, fluid. It can take many different > > forms but encrypts specifically for the matching secret key only. The > > same public key can have different key blocks. > > No. This will probably become easier to understand if we use the > correct language. *Keys* are not fluid. *Certificates* can be. What > you're calling a "key block" is a certificate, not a key. A certificate > includes cryptographic keys and metadata about those keys. The keys > generally don't change (although I can think of pathological cases where > they do). The metadata about those keys can change a lot. > > Most of the data in a certificate is metadata. > > > - I could’ve used the keyserver-obtained public key (retrieved via the > > fingerprint), or I could’ve used the displayed public key that was > > given in armor text form. They are one and the same, even though > > their revealed text is different. > > You could have used it and the odds are quite good it wouldn't have > mattered in the slightest. > > > When you want to give someone your public key, do you normally just > > give your email, fingerprint, key ID, or the armor form key block? > > I use WKS. > > > is there a command i could've used to directly import the key using > > the displayed key block? I've tried some different ones I found in > > various places but nothing worked. > > gpg --import < certificate.asc ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: fingerprint associated public key does not match displayed public key
Thank you guys. This is helping. No, I did not export the key. Using the fingerprint, I downloaded the asc file from openpgp.org and placed it into my disk/users/SamiBadri, and then used the command: cat filename, to reveal the key block. That key block did not match the one on his profile. That’s what confused me. But I’m learning (from you guys) that the key blocks don’t necessarily have to match. So I can assume that: - the fingerprint is specific for the secret key component of the generated key pair and does not change. - the pgp public key is, in a way, fluid. It can take many different forms but encrypts specifically for the matching secret key only. The same public key can have different key blocks. - I could’ve used the keyserver-obtained public key (retrieved via the fingerprint), or I could’ve used the displayed public key that was given in armor text form. They are one and the same, even though their revealed text is different. Is all this correct? When you want to give someone your public key, do you normally just give your email, fingerprint, key ID, or the armor form key block? and... is there a command i could've used to directly import the key using the displayed key block? I've tried some different ones I found in various places but nothing worked. Thank you guys. S.B. On Thu, Dec 16, 2021 at 11:12 AM Robert J. Hansen via Gnupg-users wrote: > > > when i compared the imported pgp public key block (which I obtained > > using the import command and the provided fingerprint) to the > > displated pgp public key block, they didn't match > > > > shouldn't they match? > > No. > > The key block is not a human-readable format. It's a binary format > that's meant to be read by computers. > > Imagine a word processing document. You open up a blank document and > type "Hello, World!". You save that as document-1. Then you think > about it, erase your text, write something else, delete that, too, and > after some more hemming and hawing you go back to "Hello, World!". You > save this as document-2. > > Now open up document-1 and document-2 in a hex editor. Despite the fact > they have exactly the same *human-meaningful* information, the two > documents will look different to a computer. Things like a timestamp > for when it was last edited, things like a revision history, things > like... etc. > > For all human purposes, document-1 and document-2 are the same. But > they're different on disk, and that's okay. > > The exact same thing happens with OpenPGP certificates. When you import > the certificate, GnuPG starts tracking other information -- the same way > the word processor does. But that doesn't mean the certificate is > *different*, really, not in any way you care about. > > Hope this helps! > > ___ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: fingerprint associated public key does not match displayed public key
maybe I'm not explaining it well. I was able to import a public key using: gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys fingerprint* the fingerprint was provided to me by the intended recipient via their profile page. the profile page also displayed the pgp public key block when i compared the imported pgp public key block (which I obtained using the import command and the provided fingerprint) to the displated pgp public key block, they didn't match shouldn't they match? thank you On Thu, Dec 16, 2021 at 8:34 AM Ingo Klöcker wrote: > > On Donnerstag, 16. Dezember 2021 12:52:28 CET S.B. via Gnupg-users wrote: > > Here is my situation: I have imported a public key using > > gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys fingerprint* > > > > *provided by the intended recipient on their profile page > > > > The person also displayed the pgp public key block text (in armor) but > > not as an asc file. I first tried importing the block directly into > > gpg but couldn't figure it out. > > > > when comparing the imported key (again, obtained via the keyserver > > using the fingerprint) to the displayed public key block, they do not > > match. > > How do you do this, i.e. what commands are you using? > > > Reasons for this (I think) are: > > 1. either the fingerprint or the key has been changed but not updated > > on the profile page > > The fingerprint of an OpenPGP key never changes (except if its creation time > changes). > > Regards, > Ingo > ___ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
fingerprint associated public key does not match displayed public key
Hello GnuPG world, I'm a new (and obsessed) pgp user, so please bear with me. Also, I hope I'm in the right place. I read through some archives and the questions seemed a little advanced. I hope I'm not annoying anyone here. I use GnuPG 2.3.3 on a MacBook Pro running Mac OS Monterey (v. 12.0.1) Here is my situation: I have imported a public key using gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys fingerprint* *provided by the intended recipient on their profile page The person also displayed the pgp public key block text (in armor) but not as an asc file. I first tried importing the block directly into gpg but couldn't figure it out. when comparing the imported key (again, obtained via the keyserver using the fingerprint) to the displayed public key block, they do not match. Reasons for this (I think) are: 1. either the fingerprint or the key has been changed but not updated on the profile page 2. it's a scam/hack 3. I don't understand what's going on (most likely reason) Any help would be appreciated. Thank you. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
