Re: Unattended/batch key signing

2016-03-14 Thread Tobias Mueller
Hi!

On Mo, 2016-03-14 at 11:55 +0100, Werner Koch wrote:
>    --quick-sign-key fpr [names]
>    --quick-lsign-key fpr [names]
> 
>   Directly sign a key from the passphrase without any
>   further user interaction. 
That's already quite helpful.

Can I make GnuPG not save the signature for a name in the local keyring
but export it to, say, stdout?

The reason is that I don't necessarily want my regular keyring to carry
the signature just yet. From what I understand of the currently
believed best practices, I would want to send the signature to the
email address first to verify that the person does indeed have access
to the mailbox.

Currently, this seems to require a rather artistic dance of exporting a
key, deleting all but one UID from a key, signing, and minimally
exporting. For each UID on a key.  Not even gpgme seems to be of help
here. Mainly, because I don't see how to make gpgme work with the
default secret keys, but a temporary public keyring.

Cheers,
  Tobi

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: A problem in the web of trust model or a gnupg bug?

2016-02-26 Thread Tobias Mueller
Hi.

On Do, 2016-02-25 at 08:24 +0100, Werner Koch wrote:
> Thus I am not convinced that the revocation reasons are useful for
> any automated evaluation.
Can I tell GnuPG that I, as a user, am convinced that the superseded
revocation reason is correct?

I've grepped through the gpg man page and only found "superseded" once,
not related to evaluating trust in a key.

Cheers,
  Tobi



Re: Python GPG libraries

2015-07-25 Thread Tobias Mueller
Hi.

On Thu, Jul 23, 2015 at 03:35:09PM -0400, F Rafi wrote:
> Does anyone use a GPG library to embed file encryption processes within
> python code? Which libraries do you use? Any recommendations?
As far as I understand, the GPGME-based pygpgme is the
embraced library: https://launchpad.net/pygpgme

The others don't use gpgme but call gpg themselves.

There have been many discussions on this list and elsewhere
discussing the ability to use gnupg as a library from Python.
From what I understand, they all have their issues.
The python-gnupg ones are easier to use, but lack features like signing keys.
pygpgme does not seem to be actively maintained and lacks support for,
e.g. exporting secret keys (or public keys in a --export-minimal fashion).

Cheers,
  Tobi



Re: Defaults

2015-03-20 Thread Tobias Mueller
On Wed, Mar 18, 2015 at 09:09:30AM +0100, Werner Koch wrote:
> Create a new key:
> 
>   $ gpg --no-options --quick-gen-key 'test key '
>   About to create a key for:
>   "test key "
>   
>   Continue? (Y/n) y
>   public and secret key created and signed.
>   
>   pub   rsa2048/50C4476F 2015-03-18
> Key fingerprint = 11E9 91C2 36E0 21A6 1E35  A682 68CC E4C2 50C4 476F
>   uid   [ultimate] test key 
>   sub   rsa2048/807D0FF4 2015-03-18
Is there anything in this listing that would allow me to quickly copy and paste
(e.g. double click and middle click) in order to further work with the key,
e.g. edit or encrypt to?
The short key id would probably do, but the "rsa2048/" prefix prevents me from 
simply double clicking it.
The fingerprint would probably be better to identify the key, but, similarly,
the spaces prevent me from selecting it easily.

>   
> What are the preferences:  
>   
>   $ gpg --no-options --edit-key 50C4476F
  
>   gpg (GnuPG) 2.1.3-beta26; Copyright (C) 2015 Free Software Foundation, Inc.
>   Secret key is available.
>   
>   pub  rsa2048/50C4476F
 

I thought short keyids are dangerous and should not be used,
cf. .  If that's the case then it might be a good
idea to fade them out as much as possible.

Cheers,
  Tobi



Re: Sign key and export for each UID

2015-01-20 Thread Tobias Mueller
Hi.

On Tue, Dec 02, 2014 at 05:04:58PM +0530, Robin Mathew Rajan wrote:
> This shell script might help you.
> [...]
> http://mirror.roe.ch/rel/scripts/gpg/gpg-sign-keys.sh-25
hm.  I understood that best practises include signing each UID
separately rather than signing all UIDs on the key.  I don't see your
script signing every UID separately.

I was also hoping for less shell script and more of something I could
dictate to my mom over the phone.

Cheers,
  Tobi

> On 02-12-2014 PM 02:05, Tobias Mueller wrote:
> > Hi.
> > 
> > I'm digging up this thread because it asked the same question I have,
> > but it hasn't really been answered:
> > 
> > On Tue, Sep 17, 2013 at 06:23:35AM +, atair wrote:
> >> Is there a way to achieve the same signatures from gpg command line?
> >> For example
> >> $ gpg -a --export 
> >> exports the complete key and not just the signature. However, I
> >> understand the gpg-man pages in a way that it's possible to do a
> >> $ gpg -u  --edit-key 
> >>> sign 
> >>> sign 
> >>> ...
> >>> q
> > 
> > What are the best practises for signing another person's key (i.e. all the 
> > UIDs 
> > on a key)?
> > 
> > And how do you follow those using gnupg?  And is there a batch mode to 
> > automate that process?
> > 
> > Cheers,
> >   Tobi
> > 



Re: gpg / Enigmail behavior after disabling Gnome Keyring

2014-12-12 Thread Tobias Mueller

On Thu, Dec 11, 2014 at 02:11:22AM +0100, outa wrote:
> Has anyone experienced the same problem and could point me to a solution?
Not necessarily a solution, but a pointer to a discussion which took place:
http://lists.gnupg.org/pipermail/gnupg-devel/2014-August/thread.html#28689

Cheers,
  Tobi



Re: 31C3, keysigning party

2014-12-12 Thread Tobias Mueller
Hi.

On Thu, Dec 11, 2014 at 01:49:36PM +0100, Peter Lebbing wrote:
> Probably monkeyscan from monkeysign...
FWIW: A tool with a similar goal is GNOME Keysign:
https://github.com/muelli/geysigning (Note that the repository will move, so 
this link will become defunct)
Contrasting caff or monkeysign, it does not rely on keyservers.

Cheers,
  Tobi



Re: Sign key and export for each UID

2014-12-02 Thread Tobias Mueller
Hi.

I'm digging up this thread because it asked the same question I have,
but it hasn't really been answered:

On Tue, Sep 17, 2013 at 06:23:35AM +, atair wrote:
> Is there a way to achieve the same signatures from gpg command line?
> For example
> $ gpg -a --export 
> exports the complete key and not just the signature. However, I
> understand the gpg-man pages in a way that it's possible to do a
> $ gpg -u  --edit-key 
> > sign 
> > sign 
> > ...
> > q

What are the best practises for signing another person's key (i.e. all the UIDs 
on a key)?

And how do you follow those using gnupg?  And is there a batch mode to automate 
that process?

Cheers,
  Tobi



Non-interactively signing UIDs on a key

2014-11-05 Thread Tobias Mueller
Hello.

While investigating the state of the art of Python bindings
I came across the problem of signing other people's keys.
For example, in https://github.com/isislovecruft/python-gnupg/issues/29
is a complaint about the behaviour of --sign-key:

By default, --sign-key drops you into an interactive prompt asking 
Really sign all user IDs? (y/N) and afterwards, regardless of your 
answer, drops you off in the gpg> interactive prompt (where you have 
to type save and quit and so forth). By default (because it's meant 
to be automateable) python-gnupg uses --no-tty to disable all 
interactivity, and trying to use --sign-key with --no-tty will 
produce an error message saying gpg: Sorry, no terminal at all 
requested - can't get input. Further, gpg won't listen to you if you 
try to use anything like --no-tty --passphrase-fd 0 --sign-key or 
any of the other passphrase input options. Not to deter anyone, 
because I'll take all the help I can get, but this is not going to 
be a fun set of patches, I'm afraid. :/

In https://bitbucket.org/vinay.sajip/python-gnupg/issue/15/how-to-sign-a-key
the author of that library states:

Signing a key is not supported, as it involves back-and-forth 
interacting with the gpg executable (signing a key is part of the 
options for editing a key). If there were a way of doing it using a 
one-off command (e.g. providing the id of the public key to sign, 
the trust level, and the private key to sign with) then this could 
be implemented.

With pygpgme, it seems at least possible to sign a key, but it doesn't look 
very convenient:
http://bazaar.launchpad.net/~jamesh/pygpgme/trunk/view/head:/gpgme/editutil.py#L110


My question is: Is there indeed no (simple) way to sign a UID on a
key non-interactively with GnuPG?

If there is a way, how could it be used by the libraries mentioned above?



Cheers,
  Tobi



Re: Errormessage KGPG in Mint KDE 13

2012-09-10 Thread Tobias Mueller
Heya :)

On Mon, Sep 10, 2012 at 04:32:19PM +0200, Albrecht Will wrote:
> if I start KGPG I get an error-message (translated from German to English): 
FWIW: If you start your applications with "LC_ALL=C" in the environment 
variables, you should get genuine messages, i.e. type "export LC_ALL=C" 
before then typing "kgpg".

> "The start of GNUPG failed..., 
> Details: gpg: Optionendatei ' ~/.gnupg/options': file or folder not found.
> 
> Can anyone help?
> 
Seems as if gpg can't find ~/.gnupg/options...

Cheers,
  Tobi



Parsing SKS key dumps

2012-09-09 Thread Tobias Mueller
Hey folks :)

For the fun of it, I tried to parse a few weekly dumps (i.e. from here:
http://keys.niif.hu/keydump/) and very often,
not even GnuPG can successfully parse the packets, i.e. gpg
--list-packets fails. Usually with "gpg: mpi too large for this
implementation (56104 bits)" but there is a myriad of errors, i.e.
gpg: subpacket of type 16 too short
gpg: mpi larger than indicated length (517 bytes)
gpg: mpi larger than indicated length (0 bytes)
gpg: signature packet: unhashed data too long
gpg: signature packet: hashed data too long
gpg: mpi larger than indicated length (514 bytes)
gpg: packet(14) too short

I usually can parse 30 to 40 out of the 206 or 207 dumps (probably
containing 15k keys each).

I wonder why that is.

Is that just malicious data which landed in the pool?

Or is SKS better on parsing OpenPGP packets than GnuPG?
Because one offending key seems to be 0x5df5c3733a6ced98 which,
according to


is successfully parsed by SKS. Same thing for 0xb51b4b095356aac8 or
0x857625223295AAB2.

These appear to be keys that carry signature from 0x9710B89BCA57AD7C,
the "PGP Global Directory Verification Key".

Cheers,
  Tobi
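
The gpg errors listed in the post above concern MPI length fields and short packets. As an added illustration (not part of the original post, and not GnuPG's or SKS's code), this Python example walks OpenPGP packet headers as laid out in RFC 4880 and checks the MPI length fields of v4 RSA public key and subkey packets. The 16384-bit limit, the function names and the sample bytes are assumptions constructed for the example.

```python
MAX_MPI_BITS = 16384  # assumed parser limit for this example, not taken from the post
def read_packets(data):
    """Yield (tag, body) per OpenPGP packet (RFC 4880, section 4.2)."""
    pos = 0
    while pos < len(data):
        hdr, pos = data[pos], pos + 1
        if not hdr & 0x80:
            raise ValueError(f"offset {pos - 1}: not a packet header")
        if hdr & 0x40:                        # new-format header
            tag, first = hdr & 0x3F, data[pos]
            if first < 192:                   # one-octet length
                length, pos = first, pos + 1
            elif first < 224:                 # two-octet length
                length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:                # five-octet length
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:
                raise ValueError("partial body length: not handled in this example")
        else:                                 # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length: not handled in this example")
            size = 1 << ltype                 # 1, 2 or 4 length octets
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        if pos + length > len(data):
            raise ValueError(f"packet({tag}) too short")
        yield tag, data[pos:pos + length]
        pos += length

def check_mpis(body, count, max_bits=MAX_MPI_BITS):
    """Walk `count` MPIs (2-byte bit count, then the integer); list problems."""
    pos = 0
    for _ in range(count):
        bits = int.from_bytes(body[pos:pos + 2], "big")
        if bits > max_bits:                   # declared size exceeds the limit
            return [f"mpi too large ({bits} bits)"]
        pos += 2 + (bits + 7) // 8
        if pos > len(body):                   # declared size exceeds the packet
            return ["mpi runs past end of packet"]
    return []

def audit(data):
    """Map packet index -> problems for v4 RSA public key and subkey packets."""
    return {i: check_mpis(b[6:], 2) for i, (t, b) in enumerate(read_packets(data))
            if t in (6, 14) and b[:1] == b"\x04" and b[5:6] == b"\x01"}

# Constructed sample bytes: one valid tiny key, then two malformed subkeys.
SAMPLE = bytes.fromhex("c60f0400000000010010c3510011010001"
                       "b80c040000000001db28ffffffff" "b80a0400000000011000ffff")
```

Calling audit(SAMPLE) reports no problems for the first packet, an over-limit MPI for the second and an MPI that overruns its packet for the third.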
