Confused about signing inline vs signing with attached signature.

2009-08-21 Thread Steven W. Orr
I decided to try sending my email with a signature attached instead of using
an inline signature. Now my friend with Outlook Express is telling me that the
message body is blank and that in order for him to see the message, he now has
to open the text attachment. (He is not verifying the signature.) I'm using
gpg2/Thunderbird/Enigmail and I sent a message to an address which then
forwards back to me. Here's the structure I see when it comes back:

From: "Steven W. Orr" 
Organization: SysLang
User-Agent: Thunderbird 2.0.0.21 (X11/20090320)
MIME-Version: 1.0
To: li...@tivoli.mv.com
Subject: 2nd shot at testing the
X-Enigmail-Version: 0.96.0
OpenPGP: id=F0BE3724;
url=http://steveo.syslang.net/steveo-pubkey.asc
X-GPG-PUBLIC_KEY: 
http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0xF0BE3724
X-GPG-FINGRPRINT: 5E2A 0119 8E98 730A 87DF  205C 4485 72E1 F0BE 3724
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature";
 boundary="enig3D16DCFA59224E3B4529154E"
X-Spam-Status: No, score=-3.0 required=5.0 tests=AWL,BAYES_00 autolearn=ham
version=3.2.5 country=US US **
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on saturn.syslang.net

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--enig3D16DCFA59224E3B4529154E
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

EFS Emergency Farding System

--=20
Time flies like the wind. Fruit flies like a banana. Stranger things have=
  .0.
happened but none stranger than this. Does your driver's license say Orga=
n ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all=
- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net


--enig3D16DCFA59224E3B4529154E
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkqOq5AACgkQRIVy4fC+NyQCSgCdGoPfFC8XP1zbLI6E/trYSaXK
DK0AniX4K8dxp3L3FPvMUAEqKknifvMI
=D4Y4
-END PGP SIGNATURE-

--enig3D16DCFA59224E3B4529154E--

Should I not be using the MIME signature or is there something he should
change at his end (besides OE), or is this question something that is not gpg2
related in the first place?

TIA

-- 
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
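As an added example (not code from the post, Enigmail or Thunderbird), the following takes a message with the structure shown above apart the way a PGP/MIME verifier must: the first body part, exactly as transmitted, is what the signature covers (RFC 3156), and a reader that does not understand multipart/signed sees at most the preamble as the body and offers that first part as a text attachment, which is what the Outlook Express user above reported. `RAW_MESSAGE` is constructed from the headers above with the signature data replaced by a placeholder.

```python
"""Split a PGP/MIME (RFC 3156) multipart/signed message into its pieces."""
import email

# Constructed sample: the structure from the post above with the signature
# data replaced by a placeholder. CRLF line endings, as on the wire.
RAW_MESSAGE = b"\r\n".join([
    b"MIME-Version: 1.0",
    b"Content-Type: multipart/signed; micalg=pgp-sha1;",
    b' protocol="application/pgp-signature";',
    b' boundary="enig3D16DCFA59224E3B4529154E"',
    b"",
    b"This is an OpenPGP/MIME signed message (RFC 2440 and 3156)",
    b"--enig3D16DCFA59224E3B4529154E",
    b"Content-Type: text/plain; charset=ISO-8859-1",
    b"Content-Transfer-Encoding: quoted-printable",
    b"",
    b"EFS Emergency Farding System",
    b"",
    b"--=20",
    b"steveo at syslang.net",
    b"--enig3D16DCFA59224E3B4529154E",
    b'Content-Type: application/pgp-signature; name="signature.asc"',
    b"Content-Description: OpenPGP digital signature",
    b'Content-Disposition: attachment; filename="signature.asc"',
    b"",
    b"-----BEGIN PGP SIGNATURE-----",
    b"",
    b"(placeholder: real signature data omitted from this constructed sample)",
    b"-----END PGP SIGNATURE-----",
    b"--enig3D16DCFA59224E3B4529154E--",
    b"",
])


def split_pgp_mime(raw: bytes) -> dict:
    """Return the preamble, the signed MIME part and the detached signature.

    RFC 3156: the signature covers the first body part exactly as sent, i.e.
    its MIME headers plus its still-transfer-encoded body, with CRLF line
    ends and without the CRLF that introduces the next boundary delimiter.
    A reader that does not understand multipart/signed shows only the
    preamble (or nothing) as the body and offers that first part as a file.
    """
    msg = email.message_from_bytes(raw)
    boundary = msg.get_boundary()
    if msg.get_content_type() != "multipart/signed" or not boundary:
        raise ValueError("not a multipart/signed message")
    delim = b"\r\n--" + boundary.encode("ascii")
    chunks = raw.split(delim)
    # [0] headers + preamble, [1] signed part, [2] signature part, [3] closer
    if len(chunks) != 4 or not chunks[3].startswith(b"--"):
        raise ValueError("expected exactly two body parts")
    preamble = chunks[0].split(b"\r\n\r\n", 1)[1]
    # Drop the rest of each delimiter line (empty unless transport padding).
    signed_part = chunks[1].split(b"\r\n", 1)[1]
    signature_part = chunks[2].split(b"\r\n", 1)[1]
    armor = signature_part.split(b"\r\n\r\n", 1)[1]
    return {"preamble": preamble, "signed_part": signed_part, "signature": armor}


def display_text(signed_part: bytes) -> str:
    """Decode the signed part for display: undo quoted-printable, apply charset.

    "--=20" comes back as "-- ": quoted-printable keeps the trailing space of
    the signature separator safe from MTAs that strip trailing whitespace,
    and the signature is computed over this encoded form, not the decoded text.
    """
    part = email.message_from_bytes(signed_part)
    charset = part.get_content_charset() or "us-ascii"
    return part.get_payload(decode=True).decode(charset)


if __name__ == "__main__":
    pieces = split_pgp_mime(RAW_MESSAGE)
    print("preamble :", pieces["preamble"].decode())
    print("signed   :", pieces["signed_part"][:60], b"...")
    print("display  :", display_text(pieces["signed_part"]).splitlines())
```

To verify such a message by hand, write `signed_part` and `signature` to two files and run `gpg --verify signature.asc signed_part`; the bytes must be exactly those returned here, CRLF included.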


Re: Two convicted in U.K. for refusal to decrypt data

2009-08-13 Thread Steven W. Orr

On 08/13/09 09:41, quoth the dragon:
> If you're in control of the computer the files reside on, and were in
> control of it when the files were created and last accessed, the chances
> that you *don't* know the key for the encryption is so slim as to be
> nonexistent.

Scuze me? I thought this was the gnupg list! I'm sorta new at this stuff but
I'm expecting just a bit more expertise from the people contributing to this
conversation.

First of all, I am running Thunderbird + Enigmail and I have gone out of my
way to set "Add my own key to the recipients" to be OFF. I very much want
email that I encrypt to others to not be readable by me at all. I am not a
child pornographer or a terrorist and I do not have anything to hide except my
own personal privacy. My personal choice is that if I send a message to
someone and it is encrypted then I do *not*, by default, want to be able to
see what I sent in my own sent-mail folder. If I want that option then I can
simply Bcc myself when I send it.

Second, I happen to be a Defendant in a case in US Federal Court. (Ever heard
the phrase "Don't make a Federal case out of it?") They did. And they're right
now in the process of losing big time against us. My only regret is that when
we were served and I had nothing to hide, I wish that some of my email that I
was required to turn over as part of the Discovery process had been encrypted.
I would dearly have wanted them to come to me and say "Hey! This is encrypted
so you have to decrypt it." and my response would have been "Sorry Your Honor,
but I have no ability to decrypt that message. It can only be decrypted by the
recipient."

And yes, when I first started learning about this stuff, I did initially add
my key when encrypting and between Enigmail and gnupg.conf and gpg-agent.conf
it actually took a bit to figure out how to shut it off.

So, when we talk about "chances that you *don't* know the key for the
encryption is so slim as to be nonexistent", I think it's time for a few of us
to take a step backwards and remember what the issue is here. As it sits right
now, I do *not* know if the people who were in trouble in the UK are the
encryptors or the decryptors and I also don't know if the encryptors even
added their own keys to the message.



Re: pool.sks-keyservers.net connection error

2009-08-11 Thread Steven W. Orr

On 08/11/09 12:04, quoth Jason Locklin:

>> Timestamp: Tuesday 11 Aug 2009, 11:31  --400 (Eastern Daylight Time)
> 
> I would avoid OpenDNS as they break a lot of stuff. If your ISP DNS
> servers are down, I would suggest emailing them.
> 
> For now, the IP address of pool.sks-keyservers.net is 76.184.75.94
> You can use the ip address directly until your DNS servers are back up.

I'm sorry but I switched from my ISP's DNS as my resolver to OpenDNS and life
has generally been better ever since. I found that a major performance issue
for lots of people is that the resolver provided by the ISP is frequently very
slow. I'd like to know more specifics on "they break lots of stuff".

I'm completely stumped as to what you might have to offer but if there's
something I should know I really want to hear it.



Solved: Helping a friend setting up with gpg and gpgoe

2009-07-01 Thread Steven W. Orr

On 07/01/09 15:01, quoth Steven W. Orr:
> I got my friend to install WinPT which seems to include GnuPG. He created his
> keypair. He received my key and signed my key. He sent me my key back and he
> also sent me his key which I then signed and sent back to him. So far, so 
> good.
> 
> When he tried to send me a test message that was encrypted and signed, I had a
> problem.
> 
> gpg command line and output:,/usr/bin/gpg2 --charset utf8  --batch --no-tty
> --status-fd 2 -d --use-agent ,gpg: CRC error; 75B297 - DC375B,gpg: quoted
> printable character in armor - probably a buggy MTA has been used
> 
> I then took the message and put it in its own file and re-ran the command:
> 
> /usr/bin/gpg2 --charset utf8  --batch --no-tty --status-fd 2 -d \
>   --use-agent < msg
> 
> Here's the output:
> 
> [GNUPG:] ENC_TO 365AF334C8DCF2FD 16 0
> [GNUPG:] USERID_HINT 365AF334C8DCF2FD Steven W. Orr 
> [GNUPG:] NEED_PASSPHRASE 365AF334C8DCF2FD 448572E1F0BE3724 16 0
> [GNUPG:] GOOD_PASSPHRASE
> gpg: encrypted with 2048-bit ELG key, ID C8DCF2FD, created 2009-05-01
>   "Steven W. Orr "
> [GNUPG:] BEGIN_DECRYPTION
> [GNUPG:] PLAINTEXT 62 1246469472
> [GNUPG:] PLAINTEXT_LENGTH 5
> ouyeegpg: Signature made Wed Jul  1 13:31:12 2009 EDT using DSA key ID 
> 2DEAE0D9
> [GNUPG:] SIG_ID 66jyI28aSXZdKfZZHPYxaaB6rxI 2009-07-01 1246469472
> [GNUPG:] GOODSIG $fingerprint_and_address
> gpg: Good signature from $address
> [GNUPG:] VALIDSIG 39D66598BCB7627A7C232C3069F3AAFF2DEAE0D9 2009-07-01
> 1246469472 0 4 0 17 2 00 39D66598BCB7627A7C232C3069F3AAFF2DEAE0D9
> [GNUPG:] TRUST_FULLY
> [GNUPG:] DECRYPTION_OKAY
> [GNUPG:] GOODMDC
> [GNUPG:] END_DECRYPTION
> 
> Is there something obvious that he needs to do? Does he have to send 7-bit
> ASCII? I'm not sure how to proceed.
> 
> TIA
> 

I was able to solve the problem. I'm replying to the list for everyone and for
all future generations.

He was sending text and html as separate attachments.  For reasons that are
not completely clear to me, I was able to verify and decrypt the message from
inside Thunderbird/Enigmail by selecting: View->Message Body As->Plain text.

So, people should always *send* plain text, but in case they don't, this
trick may help the situation.




Helping a friend setting up with gpg and gpgoe

2009-07-01 Thread Steven W. Orr

I got my friend to install WinPT which seems to include GnuPG. He created his
keypair. He received my key and signed my key. He sent me my key back and he
also sent me his key which I then signed and sent back to him. So far, so good.

When he tried to send me a test message that was encrypted and signed, I had a
problem.

gpg command line and output:,/usr/bin/gpg2 --charset utf8  --batch --no-tty
--status-fd 2 -d --use-agent ,gpg: CRC error; 75B297 - DC375B,gpg: quoted
printable character in armor - probably a buggy MTA has been used

I then took the message and put it in its own file and re-ran the command:

/usr/bin/gpg2 --charset utf8  --batch --no-tty --status-fd 2 -d \
--use-agent < msg

Here's the output:

[GNUPG:] ENC_TO 365AF334C8DCF2FD 16 0
[GNUPG:] USERID_HINT 365AF334C8DCF2FD Steven W. Orr 
[GNUPG:] NEED_PASSPHRASE 365AF334C8DCF2FD 448572E1F0BE3724 16 0
[GNUPG:] GOOD_PASSPHRASE
gpg: encrypted with 2048-bit ELG key, ID C8DCF2FD, created 2009-05-01
  "Steven W. Orr "
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 1246469472
[GNUPG:] PLAINTEXT_LENGTH 5
ouyeegpg: Signature made Wed Jul  1 13:31:12 2009 EDT using DSA key ID 2DEAE0D9
[GNUPG:] SIG_ID 66jyI28aSXZdKfZZHPYxaaB6rxI 2009-07-01 1246469472
[GNUPG:] GOODSIG $fingerprint_and_address
gpg: Good signature from $address
[GNUPG:] VALIDSIG 39D66598BCB7627A7C232C3069F3AAFF2DEAE0D9 2009-07-01
1246469472 0 4 0 17 2 00 39D66598BCB7627A7C232C3069F3AAFF2DEAE0D9
[GNUPG:] TRUST_FULLY
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION

Is there something obvious that he needs to do? Does he have to send 7-bit
ASCII? I'm not sure how to proceed.

TIA

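As an added example (not the posts' code or GnuPG's), the following reproduces the two armor checks that failed in the post above and in its "Solved" follow-up earlier on this page: `quoted printable character in armor` (an `=3D` sequence where base64 data or the CRC line should be) and `CRC error` (the 24-bit checksum on the `=XXXX` trailer line), and it shows how to undo the quoted-printable damage before handing the block to gpg. `SAMPLE_PAYLOAD`, `CLEAN`, `QP_DAMAGED` and `CRC_BROKEN` are constructed values, not real OpenPGP packets.

```python
"""Check and repair an ASCII-armored OpenPGP block mangled in transit."""
import base64
import binascii
import quopri

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 (RFC 4880, section 6.1); crc24(b"") is the init value."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, kind: str = "PGP MESSAGE") -> str:
    """Wrap bytes in ASCII armor: 64-column base64 plus the '=XXXX' CRC line."""
    b64 = base64.b64encode(data).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc_line = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return f"-----BEGIN {kind}-----\n\n{body}\n{crc_line}\n-----END {kind}-----\n"


def parse_armor(text: str) -> tuple:
    """Return (payload bytes, CRC stated on the '=XXXX' line or None)."""
    lines = [line.rstrip() for line in text.splitlines()]
    try:
        begin = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP "))
        end = next(i for i, l in enumerate(lines) if l.startswith("-----END PGP "))
    except StopIteration:
        raise ValueError("no armor header or trailer") from None
    inner = lines[begin + 1:end]
    if "" in inner:  # "Version:" / "Comment:" armor headers end at a blank line
        inner = inner[inner.index("") + 1:]
    stated = None
    if inner and inner[-1].startswith("="):
        stated = int.from_bytes(base64.b64decode(inner.pop()[1:], validate=True), "big")
    return base64.b64decode("".join(inner), validate=True), stated


def looks_qp_damaged(text: str) -> bool:
    """'=3D' where base64 data or the CRC line should be means a mail agent
    quoted-printable-encoded the block (RFC 2045 writes '=' as '=3D'); gpg
    reports this as "quoted printable character in armor". A genuine CRC
    line is exactly 5 characters, so "=3Dxx" is fine but "=3Dxxxx" is damage.
    """
    lines = [line.rstrip() for line in text.splitlines()]
    data = lines[lines.index("") + 1:] if "" in lines else lines
    return any("=3D" in l and not (l.startswith("=") and len(l) == 5) for l in data)


def repair_qp(text: str) -> str:
    """Undo quoted-printable: '=XX' escapes and '=' soft line breaks."""
    return quopri.decodestring(text.encode("ascii")).decode("ascii")


def check_armor(text: str) -> dict:
    """Classify a block the way gpg does before it touches any packet."""
    if looks_qp_damaged(text):
        return {"ok": False, "reason": "quoted printable character in armor"}
    try:
        payload, stated = parse_armor(text)
    except (ValueError, binascii.Error) as exc:
        return {"ok": False, "reason": f"malformed armor: {exc}"}
    computed = crc24(payload)
    if stated is not None and stated != computed:
        # computed value first, then the value the armor claimed
        return {"ok": False, "reason": f"CRC error; {computed:06X} - {stated:06X}"}
    return {"ok": True, "reason": "armor intact", "payload": payload}


# Constructed samples (not real OpenPGP packets): a clean block, the same block
# after a transport quoted-printable-encoded it, and one with a single base64
# character of the body altered.
SAMPLE_PAYLOAD = b"constructed sample payload, not a real OpenPGP packet"
CLEAN = armor(SAMPLE_PAYLOAD)
QP_DAMAGED = quopri.encodestring(CLEAN.encode("ascii")).decode("ascii")
_lines = CLEAN.split("\n")
_lines[2] = ("A" if _lines[2][0] != "A" else "B") + _lines[2][1:]
CRC_BROKEN = "\n".join(_lines)

if __name__ == "__main__":
    for name, block in (("clean", CLEAN), ("qp-damaged", QP_DAMAGED),
                        ("repaired", repair_qp(QP_DAMAGED)), ("crc-broken", CRC_BROKEN)):
        print(f"{name:11}: {check_armor(block)['reason']}")
```

A CRC mismatch after a successful quoted-printable repair means the data itself was altered (for instance by a charset conversion), and no repair short of resending will help.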


Re: Separate stdout and stderr -- Any Command or shell script??

2009-06-24 Thread Steven W. Orr

On 06/24/09 02:56, quoth littleBrain:
> Hi All, 
> 
> I am newbie to GPG. 
> I have got an application where it uses the following command to decrypt GPG
> encrypted messages. 
> 
> /usr/local/bin/gpg --no-tty --passphrase-fd 0 -d /tmp/testXX.gpg 
> 
> This often (at least rarely) returns an error. One such example is: 
> 
> Decrypted message body 
> =-=-=-=-=-= 
> cut 
>   } 
> ! sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2); 
> 
>gpg: Signature made Fri May 25 13:11:36 2007 PDT using DSA key ID ***
> gpg: Good signature from "" 
> gpg: WARNING: message was not integrity protected 
>ret.code = KADM5_OK; 
>   if (! CHANGEPW_SERVICE(rqstp)) { 
> --- 573,586  
> cut 
> 
> =-=-=-=-=-=-=-=-=- 
> 
> Key ID and email is deleted for security reasons.
> 
> And I see, error and the decrypted message (stdOut??) are spewed out in the
> body. 
> 
> I would like to separate these error messages to bottom of the message and
> standard decrypted output to the top of the body. 
> 
> Could someone please help me to use some command or a shell script to
> achieve this? 
> 
> Any help would be highly appreciated... 

When a program writes to stdout it goes to channel 1. stderr is channel 2. So
if you do something like

pgp [args] 1> out 2> err

then you can do separate things with the output versus the error channels.

You can try it yourself. Just run your command different ways:

cmd 1> /dev/null   # See only error messages
cmd 2> /dev/null   # See only the output and discard the error channel
cmd 2>&1   # See all of the output and error channel
   # all delivered to the output channel
cmd 1>&2   # Send everything to the error channel
cmd > outpluserror 2>&1 # Put both output and errors into one file.

Wasn't that easy?

Make sense?



> 
> ~ 
> littleBrain


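As an added example (not code from either post), the following keeps the two channels apart in code the way `1> out 2> err` does in the shell, and then takes gpg's verdict from the `[GNUPG:]` status lines that `--status-fd 2` mixes into stderr, as in the decryption transcript further up, where the 5-byte plaintext ran straight into `gpg: Signature made ...` because both channels shared one terminal. The sample output, key IDs, fingerprints and user ID are constructed placeholders, and `fake_gpg_cmd` stands in for the real gpg invocation.

```python
"""Separate gpg's plaintext, human messages and machine status, then decide
from the status keywords. Added example; not code from the posts."""
import subprocess
import sys

# Constructed sample modelled on the --status-fd 2 transcript further up: the
# 5-byte plaintext went to stdout, everything else to stderr. Key IDs,
# fingerprints and the user ID are placeholders.
SAMPLE_STDOUT = b"ouyee"
SAMPLE_STDERR = b"""\
[GNUPG:] ENC_TO 0000000000000000 16 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 1246469472
[GNUPG:] PLAINTEXT_LENGTH 5
gpg: Signature made Wed Jul  1 13:31:12 2009 EDT using DSA key ID 00000000
[GNUPG:] GOODSIG 0000000000000000 Placeholder User <placeholder@example.invalid>
gpg: Good signature from "Placeholder User <placeholder@example.invalid>"
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2009-07-01 1246469472 0 4 0 17 2 00 0000000000000000000000000000000000000000
[GNUPG:] TRUST_FULLY
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION
"""


def run_split(cmd: list, stdin_data: bytes = b"") -> tuple:
    """Run cmd with stdout and stderr on separate pipes (the shell's
    `1> out 2> err`); return (stdout, stderr, exit status)."""
    proc = subprocess.run(cmd, input=stdin_data, capture_output=True, check=False)
    return proc.stdout, proc.stderr, proc.returncode


def parse_stderr(stderr: bytes) -> tuple:
    """Split stderr into ({KEYWORD: [argument lists]}, [human-readable lines]).

    The `[GNUPG:]` status protocol is what programs should read; the
    "gpg: ..." text is for people and changes with locale and version.
    """
    status, messages = {}, []
    for line in stderr.decode("utf-8", "replace").splitlines():
        if line.startswith("[GNUPG:] "):
            fields = line.split()
            status.setdefault(fields[1], []).append(fields[2:])
        else:
            messages.append(line)
    return status, messages


def signer_fingerprint(status: dict) -> str:
    """The full fingerprint from VALIDSIG; pin to this, not to the 8-hex-digit
    key ID printed in the human-readable line."""
    return status["VALIDSIG"][0][0] if "VALIDSIG" in status else ""


def decryption_verified(status: dict, accept=("TRUST_FULLY", "TRUST_ULTIMATE")) -> bool:
    """Accept only if the data decrypted, the MDC integrity check passed, the
    signature is cryptographically valid (VALIDSIG) and the key's validity
    (the TRUST_* line) meets the bar. A bad or missing status means reject."""
    rejects = ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG",
               "NODATA", "DECRYPTION_FAILED", "BADMDC")
    if any(k in status for k in rejects):
        return False
    if not all(k in status for k in ("DECRYPTION_OKAY", "GOODMDC", "VALIDSIG")):
        return False
    return any(k in status for k in accept)


def layout(stdout: bytes, stderr: bytes) -> str:
    """Plaintext first, a separator, then gpg's messages: the arrangement the
    original question asked for, with no interleaving of the two channels."""
    _, messages = parse_stderr(stderr)
    return stdout.decode("utf-8", "replace") + "\n=-=-=-=-=-=\n" + "\n".join(messages)


def fake_gpg_cmd() -> list:
    """Stand-in for the gpg invocation: replays the constructed sample on the
    two channels so the separation can be watched without a keyring."""
    script = "import sys; sys.stdout.buffer.write(%r); sys.stderr.buffer.write(%r)" % (
        SAMPLE_STDOUT, SAMPLE_STDERR)
    return [sys.executable, "-c", script]


if __name__ == "__main__":
    out, err, rc = run_split(fake_gpg_cmd())
    status, _ = parse_stderr(err)
    print(layout(out, err))
    print("signer:", signer_fingerprint(status),
          "verified:", decryption_verified(status), "exit:", rc)
```

With a real gpg, replace `fake_gpg_cmd()` by the command from the post with `--status-fd 2` added; giving the status its own descriptor instead (`--status-fd 3`) avoids even having to sort the lines by prefix.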


Re: cannot pass in input and passphrase at the same time in batch mode?

2009-06-22 Thread Steven W. Orr

On 06/22/09 22:25, quoth Joe Korn:
> Hi Harry,
> 
> We ran into the same problem and the only way we were able to get around it
> was by storing the pass phrase in a file and using the TYPE command instead
> of the echo.  Curious to see if anyone else found a better solution
> 
> Regards,
> 
> Joe K

I'm gonna go out on a limb here and suggest that gpg is not going to look for
a passphrase from stdin. Instead it's going to look for input from /dev/tty.
IF I'm right (and I'm just guessing here) then the only way to get what you're
trying to do is to write your program in expect.

Expect: The program for people who have to be running from a console.

> 
> On Thu, Jun 18, 2009 at 8:41 PM, Harry wrote:
>> Hello guys,
>> 
>> I ran into a problem when using gpg to sign and encrypt. I have a test
>> run below (in bash):
>> 
>> $echo abcd | gpg -u b...@xyz.com --output message.pgp -r al...@123.com -se
>> --passphrase-fd 0 << EOF <123456 > 
>> There is no error but after decrypt message.pgp, the file content is
>> empty. In above run, "abcd" is the input plain text to be encrypted,
>> 123456 is the passphrase for b...@xyz.com's private key that is used for
>> signing the file.
>> 
>> My requirements are "abcd" can not be saved in a file, it has to be sent
>> to gpg as stdin. So is the passphrase, it can not be saved in a file too.
>> 
>> 
>> It looks like when input and passphrase are all passed in as stdin, gpg
>> only takes passphrase and consider input text as empty, which result into
>> an empty encrypt file.
>> 
>> Is there anyway to solve this?
>> 
>> I tried
>> 
>> $echo abcd | gpg -u b...@xyz.com --batch --output message.pgp -r
>> al...@123.com -se --passphrase "123456"
>> 
>> but gpg gave error like: gpg: skipped `...@xyz.com': bad passphrase gpg:
>> [stdin]: sign+encrypt failed: bad passphrase
>> 
>> Thanks!



Why do people send email with an attached public key?

2009-06-19 Thread Steven W. Orr

I see that there are some people who send their messages (especially to this
list) with their messages signed via an attached signature. I can't imagine
that this question hasn't been asked before, but is there an advantage to
doing this vs having an inline signature?

BTW, I run a mailinglist which strips all attachments. If I use a signature
attachment, am I further limiting an already limited audience?

TIA



Need help understanding the difference between assigning owner trust and key validity.

2009-06-12 Thread Steven W. Orr

There's a pgp concept that I'm not comfortable with. It has to do with the
difference between owner trust and key validity. And I say comfortable, not
because I don't like it or that I don't think it doesn't work; I just don't
feel like I understand it well enough to be doing it right.

When I got your key, AND I know it came from you, then I set your key in my
ring with owner trust of "trusted". But I didn't set the key validity. My
understanding is that if I set your key validity then I'm signing my
public key with your public key. (Someone please correct me if I'm way off.)

Then for other people to see that I trust you, I would then have to re-upload
my public key to the keyserver network. Only those people who would refresh my
key from the servers would then see that I trust you.

Can someone please confirm that what I just said is correct?

If this is true, then how do I know how often I need to refresh the public
keys that I have on my keyring?

Thanks.



Re: Avoid pinentry-gtk-2 when using console!

2009-05-30 Thread Steven W. Orr

On Saturday, May 30th 2009 at 16:58 -, quoth Roger:

=>Is there a method to avoid using pinentry-gtk-2 when using a console
=>within X and specify using pinentry or pinentry-curses?
=>
=>I've already tried recompiling gnupg & pinentry (using -gtk -qt3). :-/
=>
=>This bugs me because I'm working on the console and have to move my
=>fingers from the keyboard to my mouse (or whatever) to enter the pin
=>into the X widget instead of console!

Whatever program you're using that is invoking gpg has the DISPLAY 
variable set. What you can do is to create a shell wrapper that shuts 
DISPLAY off. e.g., I'm running alpine, so I *could* create an alpine 
command a la


#! /bin/bash
unset DISPLAY
/usr/bin/alpine "$@"
exit

The only caveat is that whatever program you use will suffer the loss of 
access to your entire DISPLAY, not just pinentry.




Re: how to sign files inside a folder?

2009-05-27 Thread Steven W. Orr
On Tuesday, May 26th 2009 at 23:38 -, quoth John Clizbe:

=>Faramir wrote:
=>> Hello,
=>> I saw a question in the support list in Spanish language, and it is
=>> about how to sign files inside a folder, in Windows OS, without using
=>> additional tools. The goal is to have a tree of folders, with files
=>> inside, and to sign individually each file (with detached signature, if
=>> I am not wrong).
=>> 
=>> Since I have never had to do something like that, I don't have the
=>> faintest idea about how to do it, if it is possible to do it.
=>> 
=>> Compressing the folder and signing the compressed file is what
=>> the person behind the question wants to avoid.
=>
=>I saw that one.
=>
=>I don't know about doing it "without using additional tools". The
=>windows CMD shell doesn't give one a boatload of useful commands.
=>
=>I'd pull the RC1 of MSYS 1.0.11 cause this is a snap with bash and find.
=>Using his .TXT example:
=>
=>cd 
=>for file in $(find . -name \*.[tT][xX][tT] -print);  \
=>  do echo $file;  \
=>  gpg --passphrase deafbeef -u 0xdecafbad -sb $file ; \
=>done

fyi, that's why they invented -iname option. :-)

for file in $(find . -iname \*.txt -print);

the semi is not needed.

But if the list of filenames is large, you could end up overflowing your 
shell buffer. Another way to do it that would prevent that from 
happening...

find . -iname \*.txt -print |
while IFS= read -r file   # -r keeps backslashes, IFS= keeps leading/trailing blanks
do
  echo "$file"
  # "$file" is quoted so names containing spaces stay in one piece; the
  # passphrase and key ID are the placeholders from the quoted post (a
  # passphrase on the command line is visible to other users in the process list)
  gpg --passphrase deafbeef -u 0xdecafbad -sb "$file"
done



Re: Can't enter passphrase in su session.

2009-05-21 Thread Steven W. Orr
On Wednesday, May 20th 2009 at 17:36 -, quoth Chris Babcock:

=>On Wed, 20 May 2009 20:00:42 +0100
=>mike _  wrote:
=>
=>> Can anyone offer any insight in this issue?
=>
=>http://www.joshstaiger.org/archives/2005/07/bash_profile_vs.html
=>
=>In .bash_profile, you will have something *like* this:
=>if test -f $HOME/.gpg-agent-info && kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info` \
=>2>/dev/null; then
=> GPG_AGENT_INFO=`cat $HOME/.gpg-agent-info`
=> export GPG_AGENT_INFO
=>else
=> eval `/usr/bin/gpg-agent --daemon`
=> echo $GPG_AGENT_INFO >$HOME/.gpg-agent-info
=>fi
=>
=>You *may* have something like this:
=>
=>if [ -f /etc/bashrc ]; then
=>. /etc/bashrc
=>fi
=>
=>
=>The code to launch gpg-agent needs to be in .bashrc if you want it to
=>execute for su users. If your .bash_profile executes your .bashrc as
=>above then you can remove the definition from .bash_profile.

This topic is getting far more complicated than you might expect. Setting 
environment variables needs to be done from your .bash_profile . It 
happens once when you log in and all child processes inherit the resulting 
variables. 

If you use su then you do not go through the .bash_profile unless you use 
the - option. i.e., "su - bob" will go through bob's .bash_profile but 
"su bob" will only go through the .bashrc .

The same is true of ssh. If you ssh to a host to create a session then you 
will go through the .bash_profile but if you ssh to a host to just execute 
a command then you will only go through the .bashrc . 

The proper way to deal with this is to:

* Source in your .bashrc from your .bash_profile
* Set all of your environment variables in your .bash_profile
* Check in your .bashrc to see if PS1 is set. If not then you are not in 
an interactive session and you need to set critical environment variables. 
Usually PATH is the only one you need to set.

if [[ -n "${PS1}" ]]
then
: Do interactive stuff. Set aliases and variables, etc.
else
. ~/.bash_pathset
fi



Re: Can't enter passphrase in su session.

2009-05-20 Thread Steven W. Orr
On Wednesday, May 20th 2009 at 15:00 -, quoth mike _:

=>I have an account, bob, on a machine that is used for building rpms
=>and then creating and signing a repository.
=>
=>If I log in to the machine as bob via ssh and run
=>
=>$ gpg -a --detach-sign somedir/repodata/repomd.xml
=>
=>then all is well.
=>
=>As the bob account will be used by multiple people I want to block ssh
=>logins for bob and have people log in via ssh with their own account
=>and use 'su -' to become the user. This then leaves a trail in the log
=>of who became bob when. But, if I log in to the machine as myself,
=>then do
=>
=>$ su - bob
=>
=>Then run
=>
=>$ gpg -a --detach-sign somedir/repodata/repomd.xml
=>
=>I get
=>
=>gpg: using PGP trust model
=>gpg: key B97DE878: accepted as trusted key
=>
=>You need a passphrase to unlock the secret key for
=>user: "Bob"
=>4096-bit RSA key, ID B97DE878, created 2009-05-19
=>
=>can't connect to `/home/bob/.gnupg/S.gpg-agent': No such file or directory
=>gpg: no running gpg-agent - starting one
=>gpg-agent[29808]: command get_passphrase failed: Operation cancelled
=>gpg: cancelled by user
=>gpg: no default secret key: General error
=>gpg: signing failed: General error
=>
=>I'm never given a chance to enter the passphrase, gpg just declares
=>failure and tells me I canceled the operation. Which I didn't.
=>
=>I've compared the output of 'env' for both an ssh login session and
=>'su -' session and apart from a few variables relating to ssh, they're
=>the same.
=>
=>There must be something different about the sessions that explains why
=>I'm never given a chance to enter the passphrase in the 'su -'
=>session, but I'm at a loss as to what.
=>
=>I did try searching the mailing lists and Google, but 'su' results in
=>a huge amount of (at least seemingly) irrelevant hits, so I gave up
=>fairly quickly!
=>
=>Can anyone offer any insight in this issue?

I'm going to take a stab at this one. If I'm wrong then I expect to be 
suitably chastised.

It seems like you need to read the man page on gpg-agent to make sure that 
whether you log in directly, via su or via ssh, that the GPG_AGENT_INFO 
variable be properly set. If you log in via X then you probably have the 
variable set as part of your session. su will prevent that env var from 
being passed through by default. That is configurable by using -m or by 
using sudo instead of su and suitably configuring your sudoers file. Also, 
ssh can be configured to set the variable, but you probably just want to 
do it in your .bash_profile dependent on how DISPLAY is set.



Re: There are actually two public keys?

2009-05-17 Thread Steven W. Orr
On Saturday, May 16th 2009 at 23:40 -, quoth David Shaw:

=>On May 16, 2009, at 9:14 PM, Lucio Capuani wrote:
=>
=>> > Can anyone explain why there is a difference between signing and
=>> > encrypting keypairs, even for the same type (RSA)?
=>> 
=>> As far as I've understood from the documentation, one of the reason
=>> should be that it would be good practice to keep the signing key valid
=>> indefinitely (thus, having one that never expires so old signatures
=>> can be verified too) and renew the cryptographic one pretty often for
=>> security reason. As before, I'd love to get confirmations or denials
=>> of that ;), and if there's else about it.
=>
=>That's one of the reasons.  There were actually a good few reasons for the
=>switch at the time (the "PGP 3" timeframe, which became the PGP 5.0 product).
=>One reason was legal, and not technical.  RSA was still patented at the time,
=>so that couldn't as easily be used.  DSA was chosen, but DSA can't encrypt,
=>which pretty much required a multiple key (primary key + subkeys) solution.
=>In addition, though, the multiple key solution was chosen for its flexibility,
=>as you noted.  It is handy to be able to make multiple subkeys and regenerate
=>them as needed.
=>
=>One thing the multiple subkey design makes possible is to keep the primary key
=>offline altogether, and just use subkeys for all the day to day encryption and
=>signing needs.  In this way of working, the primary key is only used for two
=>purposes: to make new subkeys when that becomes necessary, and to sign other
=>people's keys.  When it is not in use (i.e. most of the time), the primary key
=>is stored on separate media (say, a CD-ROM or USB stick).  See the
=>--export-secret-subkeys description in the GPG manual for more on this.
=>
=>Note, though, that if you want a single key for everything, you can still do
=>that.  Generate yourself an RSA key using the --expert flag, and you can
=>create a key that is capable of both encrypting and signing in a single key.
=>It's unusual, and I don't recommend it, but GPG will happily use it.

This is somewhat of a revelation to me, but I admit I'm a little new to 
this so I can't claim that it's a big revelation.

I have read up on the theory of asymmetric crypto and I'm comfortable with 
that side of it, but I'd like to learn more on the technical side, 
especially as it pertains specifically to gpg. I have read the GPG and PGP 
book by Lucas and I also read the old PGP book by Garfinkel. 

I look at the output of gpg2 -K and I never actually saw anything that 
describes what the sec, uid and ssb rows mean.  I don't see a concise 
description of how and when the different data items are used to ref a key 
in a gpg command, e.g., when do I use a fingerprint? what's the proper 
thing to use when specifying an operation? It's sort of analogous to 
knowing how to create a complex definition in C and also being able to 
deref it. (Most programmers don't usually get it right when they try to 
distinguish between an array of ptrs to ints vs a ptr to an array of 
ints.) How do I make use of multiple subkeys and when and why do I want to 
do this? Things like that. 

Any suggestions?

-- 
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net
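The rows of `gpg -K` that the post asks about (sec, uid, ssb) and the three forms of key reference (short id, long id, fingerprint) can be worked through on the machine-readable listing that `--with-colons` produces. The following Python is an added example, not from this thread and not GnuPG's own code: it parses a constructed `--with-colons` listing, spells out what each row is and which capability letters it carries, and resolves a reference the way a gpg command line would accept it. The first key block reuses the key id and fingerprint that appear in this thread; the subkey ids, dates, user-id hashes and the second key block (a made-up key whose long id ends in the same eight hex digits) are placeholders.

```python
"""Parse a gpg --with-colons listing and resolve key references.

Added example; the listing is constructed (see the lead-in above)."""
import re
from dataclasses import dataclass, field

ALGO = {1: "RSA", 16: "Elgamal", 17: "DSA"}          # OpenPGP public-key algorithm ids
CAPS = {"c": "certify", "s": "sign", "e": "encrypt", "a": "authenticate"}
ROW = {"sec": "primary secret key", "pub": "primary public key",
       "ssb": "secret subkey", "sub": "public subkey"}


def fpr_line(fingerprint: str) -> str:
    """fpr record: the fingerprint sits in field 10 (index 9)."""
    return "fpr" + ":" * 9 + fingerprint + ":"


Z = "0" * 24   # pads 16-hex placeholder ids out to 40-hex placeholder fingerprints
SAMPLE = "\n".join([
    # field 12 (index 11): lowercase = this key's own capabilities,
    # uppercase = what the whole key block can do
    "sec:u:2048:1:448572E1F0BE3724:1241049600::::::scESC:",
    fpr_line("5E2A01198E98730A87DF205C448572E1F0BE3724"),
    "uid:u::::1241049600::UIDHASH1::Steven W. Orr <steveo at syslang.net>:",
    "ssb:u:2048:1:0000000000000001:1241049600::::::e:",      # placeholder subkey
    fpr_line(Z + "0000000000000001"),
    "ssb:u:2048:1:0000000000000002:1241049600::::::s:",      # placeholder subkey
    fpr_line(Z + "0000000000000002"),
    # constructed unrelated key whose long id also ends in F0BE3724
    "pub:-:1024:17:DEADBEEFF0BE3724:1200000000::::::scSC:",
    fpr_line(Z + "DEADBEEFF0BE3724"),
    "uid:-::::1200000000::UIDHASH2::Constructed Collision <nobody@example.invalid>:",
])


@dataclass
class Key:
    row: str                # sec/pub (primary) or ssb/sub (subkey)
    keyid: str              # 16-hex long key id (field 5)
    algo: str
    bits: int
    caps: str               # this key's own capability letters
    fingerprint: str = ""   # filled in from the fpr record that follows


@dataclass
class KeyBlock:
    primary: Key
    uids: list = field(default_factory=list)
    subkeys: list = field(default_factory=list)


def parse_colons(listing: str) -> list:
    """Group the listing into key blocks: one primary, its uids, its subkeys."""
    blocks, last = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ROW:
            own = "".join(c for c in f[11] if c.islower())
            last = Key(f[0], f[4].upper(), ALGO.get(int(f[3]), f[3]), int(f[2]), own)
            if f[0] in ("sec", "pub"):
                blocks.append(KeyBlock(last))
            else:
                blocks[-1].subkeys.append(last)
        elif f[0] == "fpr" and last is not None:   # belongs to the preceding key row
            last.fingerprint = f[9].upper()
        elif f[0] == "uid":
            blocks[-1].uids.append(f[9])
            last = None
    return blocks


def describe(block: KeyBlock) -> list:
    """One readable line per row: what it is, what it may do, how to name it."""
    out = []
    for k in [block.primary] + block.subkeys:
        can = ", ".join(CAPS[c] for c in k.caps)
        out.append(f"{k.row}  {ROW[k.row]}: {k.algo} {k.bits} bit, id 0x{k.keyid}, "
                   f"can {can}; fingerprint {k.fingerprint}")
    for u in block.uids:
        out.append(f"uid  user id bound to the primary key: {u}")
    return out


def resolve(blocks: list, ref: str) -> list:
    """Match a reference as a gpg command line accepts it: 8-hex short id,
    16-hex long id or 40-hex fingerprint, optional 0x prefix and spaces.
    Returns (block, key) pairs; more than one pair means the reference is ambiguous."""
    h = re.sub(r"\s+", "", ref).upper()
    h = h[2:] if h.startswith("0X") else h
    hits = []
    for b in blocks:
        for k in [b.primary] + b.subkeys:
            if ((len(h) == 40 and h == k.fingerprint)
                    or (len(h) == 16 and h == k.keyid)
                    or (len(h) == 8 and k.keyid.endswith(h))):
                hits.append((b, k))
    return hits


if __name__ == "__main__":
    blocks = parse_colons(SAMPLE)
    print("\n".join(describe(blocks[0])))
    for ref in ("F0BE3724", "0x448572E1F0BE3724",
                "5E2A 0119 8E98 730A 87DF  205C 4485 72E1 F0BE 3724"):
        n = len(resolve(blocks, ref))
        print(f"{ref!r}: {n} match(es)" + (" -> ambiguous" if n > 1 else ""))
```

Two things the output makes visible: the short 8-digit id is only a suffix of the long id, so in the constructed sample it matches both key blocks while the 16-digit id and the fingerprint each match exactly one, which is why the fingerprint is the form to use when the choice matters (signing someone's key, setting `default-key`). And a subkey id resolves to that subkey, but the block it sits in is still identified by its primary key's fingerprint. With the offline-primary arrangement Shaw describes, the human-readable `gpg -K` listing marks the primary row as `sec#`, the `#` meaning the secret part of that key is not on this machine, while the `ssb` rows remain usable.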



Re: Decryption streaming

2009-05-12 Thread Steven W. Orr
On Friday, May 8th 2009 at 17:30 -, quoth Coffman, Beth C:

=>What is a good way to write a C++ app to decrypt multiple
=>large PGP-encrypted files simultaneously into memory?  I cannot have
=>the plaintext output in a file on disk at any time.  Preferably, one block
=>of data from the file will be decrypted at a time.  Therefore, the entire
=>file or files will not need to reside in memory.
=> 
=>Thanks,
=>Beth

Hi Beth, I don't have the answer to your question, but I will say that you 
need to tighten up on your specs: If your program is running under a 
virtual memory model and you don't want your data to end up on disk then 
you will have to do something with a large hammer to lock pages of memory, 
or something along that line.


-- 
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net


Re: How to import a key from GPG 1.4.9 to PGP ?

2009-05-07 Thread Steven W. Orr
On Thursday, May 7th 2009 at 02:45 -, quoth Robert J. Hansen:

=>gpg2.20.mani...@dfgh.net wrote:
=>> How to import a key pair (my own secret and public keys) from GPG 1.4.9
=>> to PGP 6.5 ?
=>
=>This is generally not worth doing.  It can be done, but it is not
=>recommended.
=>
=>Is there any possibility of installing PGP 9.x on your XP machine instead?
=>

Great. I'd love to know what's going on here. I tried to read Faramir's 
message and I get a command failure.
To: "gnupg-users@gnupg.org" 
Subject: Re: How to import a key from GPG 1.4.9 to PGP ?


/home/steveo/libexec/ppf/ppf_verify: pgp command failed"

gpg: Signature made Thu May  7 02:19:07 2009 EDT using RSA key ID EF733C40
gpg: BAD signature from "Javier Fern


532 > gpg2 --list-keys -v 0x82121A454319410E
gpg: using PGP trust model
pub   2048R/4319410E 2008-04-14
uid  Javier Fernández Almirall (aka Faramir.cl)
uid  Faramir 
uid   [ revoked] Galdhrim (Javier) 
uid  Javier Fernández Almirall (GSWoT:CL68) 
uid  Faramir.cl (It's a nickname, of course) 

uid  Javier Fernández Almirall (CAcert Assurer) 

sub   2048R/1771E69C 2008-04-14 [revoked: 2008-05-16]
sub   2048R/2E6CD89E 2008-04-15
sub   2048R/EF733C40 2008-05-16

The message looked like this:

X-Enigmail-Version: 0.95.7
OpenPGP: id=4319410E;
url=http://tinyurl.com/0x4319410E
X-BeenThere: gnupg-users@gnupg.org
X-Mailman-Version: 2.1.10b1
Precedence: list
List-Id: Help and discussion among users of GnuPG 
List-Unsubscribe: ,

List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,

Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Sender: gnupg-users-boun...@gnupg.org
Errors-To: gnupg-users-boun...@gnupg.org
Status: RO
X-Status: 
X-Keywords: 
X-UID: 2

LS0tLS1CRUdJTiBQR1AgU0lHTkVEIE1FU1NBR0UtLS0tLQpIYXNoOiBTSEEyNTYKCmdwZzIuMjAu
bWFuaWFtc0BkZmdoLm5ldCBlc2NyaWJpw7M6Cj4gRGVhciBMaXN0Cj4gCj4gCj4gSG93IHRvIGlt
cG9ydCBhIGtleSBwYWlyIChteSBvd24gc2VjcmV0IGFuZCBwdWJsaWMga2V5cykgZnJvbSBHUEcg
MS40LjkKPiB0byBQR1AgNi41ID8KCiAgRm9yIHdoYXQgSSBoYXZlIHJlYWQgaW4gdGhpcyBsaXN0
LCBJIHRoaW5rIHRoYXQgdmVyc2lvbiBvZiBQR1AgaXMgdmVyeQpvbGQsIGFuZCBjYW4gY2F1c2Ug
cHJvYmxlbXMgYWJvdXQgY29tcGF0aWJpbGl0eS4uLiBCdXQgd2FpdCBmb3Igb3RoZXIKcmVwbGll
cywgbWF5YmUgaXQgY2FuIGJlIGRvbmUgc2FmZWx5LgoKICBCZXN0IFJlZ2FyZHMKLS0tLS1CRUdJ
TiBQR1AgU0lHTkFUVVJFLS0tLS0KVmVyc2lvbjogR251UEcgdjEuNC45IChNaW5nVzMyKQpDb21t
ZW50OiBVc2luZyBHbnVQRyB3aXRoIE1vemlsbGEgLSBodHRwOi8vZW5pZ21haWwubW96ZGV2Lm9y
ZwoKaVFFY0JBRUJDQUFHQlFKS0FuMWJBQW9KRU1WNGY2UHZjenhBVzdnSCt3U1JuK21qcEgwY1lO
ODV5aDZ2cG9MWApKSVFmT21vRlFCTDk4aTNweUNPL0NXRGVLcFd0bm4yU0xnYk9qWXZJMEgxOUVB
emtpNU5mVURndnQybXBjUDJICnYxQXQ4UmhEUW50cnFtN0l3VkdqUEo2Z2ZLMk9ibzgrM0czRkt3
L0J4VlJnak0zYkpESXpHN3YrZ1dPaDNYOGsKSzBNZnQvSld0bVUyOHdBUnVRTzk0TzdmOHNmT29u
ZXRTc0tZTDdjcHNRblAwbkp3d2U1c0p2YXI0RW9TaW9kQwpzRjZGN0V4azI0SXp3SVVOMnFZeXlV
dHBnVXZYRzUzOStaY2g2TS9IWUJadXg2cTRDNDZmUWZlOGRUL2U0aDcxCmN1MGVSek1WTFpWWDl0
TTVDWTBnNWx4cXJwNnMrR1N6OWJOelFpdUdMQXFwOXJvejZ3bm0vRHFmYlhqM0VKQT0KPVlQSWIK
LS0tLS1FTkQgUEdQIFNJR05BVFVSRS0tLS0tCgpfX19fX19fX19fX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fX19fX19fXwpHbnVwZy11c2VycyBtYWlsaW5nIGxpc3QKR251cGctdXNlcnNA
Z251cGcub3JnCmh0dHA6Ly9saXN0cy5nbnVwZy5vcmcvbWFpbG1hbi9saXN0aW5mby9nbnVwZy11
c2Vycwo=



Is it me?


-- 
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net
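The pasted headers say `Content-Transfer-Encoding: base64`, so the bytes on the wire are not the clearsigned text itself; a verifier that is handed the raw body sees base64, not an armor header. The following Python is an added example, not part of this thread, that undoes the transfer encoding with the standard library before looking for the `-----BEGIN PGP SIGNED MESSAGE-----` block. The header lines are a constructed subset of the ones shown above (the From address is a placeholder); the body is the first four base64 lines quoted in the message, which decode to the start of the clearsigned text.

```python
"""Decode a MIME transfer encoding before looking for a clearsigned block.

Added example; headers are a constructed subset, body is from the thread."""
import email

ARMOR_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"

RAW = """\
From: nobody@example.invalid
To: gnupg-users@gnupg.org
Subject: Re: How to import a key from GPG 1.4.9 to PGP ?
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

LS0tLS1CRUdJTiBQR1AgU0lHTkVEIE1FU1NBR0UtLS0tLQpIYXNoOiBTSEEyNTYKCmdwZzIuMjAu
bWFuaWFtc0BkZmdoLm5ldCBlc2NyaWJpw7M6Cj4gRGVhciBMaXN0Cj4gCj4gCj4gSG93IHRvIGlt
cG9ydCBhIGtleSBwYWlyIChteSBvd24gc2VjcmV0IGFuZCBwdWJsaWMga2V5cykgZnJvbSBHUEcg
MS40LjkKPiB0byBQR1AgNi41ID8KCiAgRm9yIHdoYXQgSSBoYXZlIHJlYWQgaW4gdGhpcyBsaXN0
"""


def raw_body(msg_text: str) -> str:
    """What a script sees if it hands the message body to gpg as-is."""
    return msg_text.split("\n\n", 1)[1]


def decoded_body(msg_text: str) -> str:
    """Body after the Content-Transfer-Encoding has been undone and the
    declared charset applied."""
    msg = email.message_from_string(msg_text)
    payload = msg.get_payload(decode=True)          # bytes; base64/QP removed
    charset = msg.get_content_charset() or "us-ascii"
    return payload.decode(charset, errors="replace")


def has_clearsign_block(text: str) -> bool:
    return text.lstrip().startswith(ARMOR_HEADER)


def clearsign_hash(text: str):
    """The digest named in the 'Hash:' armor header, or None if absent."""
    if not has_clearsign_block(text):
        return None
    for line in text.lstrip().splitlines()[1:]:
        if not line.strip():            # blank line ends the armor headers
            break
        if line.startswith("Hash:"):
            return line.split(":", 1)[1].strip()
    return None


def check(msg_text: str) -> dict:
    """Compare the two views of the body that a verifier might be given."""
    raw, dec = raw_body(msg_text), decoded_body(msg_text)
    return {
        "raw_has_armor": has_clearsign_block(raw),
        "decoded_has_armor": has_clearsign_block(dec),
        "hash": clearsign_hash(dec),
        "transfer_encoding": email.message_from_string(msg_text).get("Content-Transfer-Encoding"),
    }


if __name__ == "__main__":
    for k, v in check(RAW).items():
        print(f"{k}: {v}")
    print(decoded_body(RAW))
```

The `email` module handles base64 and quoted-printable alike through `get_payload(decode=True)`, so the same function covers the `=20` style encoding seen in the Thunderbird message at the top of the page. Undoing the transfer encoding is a separate step from verifying anything; the example only shows which bytes the signature check should be given.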



Question about gpg-agent

2009-05-06 Thread Steven W. Orr

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


I'm running Fedora 10 (if anyone cares) with gnupg2-2.0.10-1.fc10.i386.

I'm up and rolling, but I'd like to know more about configuring the agent. 
I started the agent via the recommended incantation:


eval "$(gpg-agent --daemon)"

in my ~/.kde/AutoStart

and I set

use-agent

in my ~/.gnupg/gpg.conf

I'm not seeing a place that defines what the default values are for the 
gpg-agent. I wanted to change the default TTL for a passphrase so I said


default-cache-ttl 6000

in my .gnupg/gpg-agent.conf

But I also have a gpa.conf and I don't know which is the right place to 
put the change or how to tell what the current settings are.


Also, in my gpg.conf file I have

default-key  5E2A01198E98730A87DF205C448572E1F0BE3724

but in the gpa.conf, I have the following.

*519 > cat .gnupg/gpa.conf
default-key ADA6F1B17880A139848FCE939FD2865783254088
keyserver hkp://random.sks.keyserver.penguin.de

So basically, I'm confused and I don't see any docs to help. Can someone 
help?


TIA

- -- 
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.10 (GNU/Linux)

iEYEARECAAYFAkoBxnsACgkQRIVy4fC+NyThMACeNEws5YtKedbY9u0HFzHekAjc
necAn2JksniBJ0zLfateluOWNsy3Jt74
=5PZO
-END PGP SIGNATURE-
