Re: ACS APG8201-B2

[Felix E. Klee]

No idea what to do. Guess I’ll fix my modded SPR332 and continue using
that.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: ACS APG8201-B2

[Felix E. Klee]

Thank you, Werner!

I attached the log. When grepping for “pin”, I find (prefix stripped):

DBG: ccid-driver:   bPINSupport 3  verification modification
PIN-Block-2 : no
DBG: asking for PIN '||Please unlock the card%0A%0A\x1eNumber\x1f:
0005 64D5%0AHolder\x1f: Felix Klee'
PIN callback returned error: IPC call has been cancelled

In the reference manual I find a section titled “SECURE PIN VERIFY”:

https://www.acs.com.hk/download-manual/10212/REF-APG8201-B2-1.00.pdf

It looks like it should support entry of the PIN via the pinpad.


scd.log
Description: Binary data
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: ACS APG8201-B2

[Felix E. Klee]

Is there anything I can try, or is the pinpad on the ACS APG8201-B2
simply not supported?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

ACS APG8201-B2

[Felix E. Klee]

I got a nice little portable card reader with pinpad, the ACS
[APG8201-B2][1].

`gpg --card-status` works fine with my OpenPGP card. The problem is that
when I try to decrypt a file, then GnuPG asks for the PIN using
`/usr/bin/pinentry-gtk-2`.

*How do I make GnuPG ask for the PIN via the pinpad?*

With my [modded SCM SPR332 v2][2] card reader, I don’t have that
problem.

[1]: 
https://www.acs.com.hk/en/products/456/apg8201-b2-smart-card-reader-with-pinpad/
[2]: https://github.com/feklee/0.332

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot export SSH public key

[Felix E. Klee]

On Fri, Jan 5, 2024 at 2:43 PM Werner Koch  wrote:
> That is right.  The ssh-agent protocol has no means to tell the
> ssh-agent or gpg-agent some important environment cariabales, like the
> current tty or DISPLAY.

Interesting, thanks for the look behind the scenes!

> I am so used to run the updatestartuptty that I don't even think about
> this. It is the first thing I do when I ssh into my laptop.

I have to do it twice, though, until it works. In my `~/.bashrc` I have:

gpg-connect-agent updatestartuptty /bye

Right after logging in (auto login on Ubuntu / WSL 2), I get:

gpg-connect-agent: no running gpg-agent - starting
'/usr/bin/gpg-agent'
gpg-connect-agent: waiting for the agent to come up ... (5s)
gpg-connect-agent: connection to agent established

That looks good, but somehow it doesn’t work:

$ ssh some_server
sign_and_send_pubkey: signing failed for RSA "cardno:18 698 015"
from agent: agent refused operation
sign_and_send_pubkey: signing failed for RSA "(none)" from agent:
    agent refused operation
felix@some_server: Permission denied (publickey).

After starting `tmux`, which runs `gpg-connect-agent` again, everything
works fine. I get the PIN entry dialog, and I can connect by SSH.

This is a non-issue, not really worth debugging. I start `tmux` every
time anyhow.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot export SSH public key

[Felix E. Klee]

On Fri, Nov 24, 2023 at 9:09 AM Felix E. Klee  wrote:
> In addition, I need:
>
> gpg-connect-agent updatestartuptty /bye

or otherwise, I get no PIN entry dialog / prompt

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg --card-status

[Felix E. Klee]

On Sat, Dec 30, 2023 at 11:30 PM Felix E. Klee  wrote:
> Example output with line numbers:
>
> 01 Reader ...: Yubico YubiKey CCID 00 00
> 02 Application ID ...: D276000124010304000618698015
> 03 Application type .: OpenPGP
> 04 Version ..: 3.4
> 05 Manufacturer .: Yubico
> 06 Serial number : 18698015
> 07 Name of cardholder: [not set]
> 08 Language prefs ...: [not set]
> 09 Salutation ...:
> 10 URL of public key : [not set]
> 11 Login data ...: [not set]
> 12 Signature PIN : not forced
> 13 Key attributes ...: rsa4096 rsa4096 rsa4096
> 14 Max. PIN lengths .: 127 127 127
> 15 PIN retry counter : 3 0 3
> 16 Signature counter : 0
> 17 KDF setting ..: off
> 18 Signature key : 7A0F E73D DB74 4F0F 9734  1DA7 1BE3 49D1 1B6E
>D589
> 19   created : 2023-06-29 03:50:43
> 20 Encryption key: DBBD 3239 D0F1 4326 808D  FC8F 7CC0 2D68 D2E3
>1736
> 21   created : 2023-06-29 03:50:43
> 22 Authentication key: 7A0F E73D DB74 4F0F 9734  1DA7 1BE3 49D1 1B6E
>D589
> 23   created : 2023-06-29 03:50:43
> 24 General key info..: pub  rsa4096/1BE349D11B6ED589 2023-06-29
>Felix E. Klee (YubiKey) 
> 25 sec>  rsa4096/1BE349D11B6ED589  created: 2023-06-29  expires:
>never
> 26 card-no: 0006 18698015
> 27 ssb>  rsa4096/7CC02D68D2E31736  created: 2023-06-29  expires:
>never
> 28 card-no: 0006 18698015
> 29 ssb#  rsa4096/32B106F6877CC64B  created: 2023-11-22  expires:
>never

Thanks for all the input! My current state of knowledge is:

  * Lines 18, 20, 22: Fingerprints identifying the secret keys stored on
the card.

A fingerprint is an SHA-1 hash of: corresponding public key + some
meta data

The fingerprints displayed on these lines are stored on the card.

  * Lines 25, 27, 29: Information about availability of secret keys on
the card.

The numbers are long key IDs. A long key ID is the last 16
characters of a fingerprint.

The fingerprints displayed on these lines are generated from the
public keys stored on disk.

Here:

  - sec: Secret primary key

  - ssb: Secret sub key

  - >: Secret key is available on the card

  - #: Secret key is missing from the card

For a summary concerning how the fingerprints are calculated, I found:

https://blog.djoproject.net/2020/05/03/main-differences-between-a-gnupg-fingerprint-a-ssh-fingerprint-and-a-keygrip/

Please correct me where I’m wrong!

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot export SSH public key

[Felix E. Klee via Gnupg-users]

Thanks, Ingo!

Looking at my log, I realize that I indeed uploaded the primary key when
I did `keytocard`. I did not do `key 2` to select the authentication sub
key. Instead I was assuming that GnuPG does automatically select the
right sub key. There was a warning about moving the primary key, which I
ignored.

Today I fixed that, and now all works consistently:

$ gpg --card-status
[…]
Signature key : 7A0F E73D DB74 4F0F 9734  1DA7 1BE3 49D1 1B6E
D589
  created : 2023-06-29 03:50:43
Encryption key: DBBD 3239 D0F1 4326 808D  FC8F 7CC0 2D68 D2E3
1736
  created : 2023-06-29 03:50:43
Authentication key: 9DFF AD98 566A 604F 7290  7C24 32B1 06F6 877C
C64B
  created : 2023-11-22 15:14:14
General key info..: pub  rsa4096/1BE349D11B6ED589 2023-06-29 Felix
E. Klee (YubiKey) 
sec>  rsa4096/1BE349D11B6ED589  created: 2023-06-29  expires: never
card-no: 0006 18698015
ssb>  rsa4096/7CC02D68D2E31736  created: 2023-06-29  expires: never
card-no: 0006 18698015
ssb>  rsa4096/32B106F6877CC64B  created: 2023-11-22  expires: never
card-no: 0006 18698015
$ gpg --export-ssh-key yubikey
ssh-rsa B3NzaC1yc2EDAQABAAACAQC1jJSXxnM4iR3F16Yd5FEjrOo6sbGF
rkvVVoqUt9iyL5Z+Lz1ElpyUoKcGRRtU8NNueI8RpJT7ipIxubMiefDHVU7FRhk809jQ
vlTu8YDezdIZ0BWJ3W9+CCCQkD9JNmr5LsUnqD5KKUP4v0rwN6zLsXARGjpv1Jj61vJe
o3+B9CGpe8cIFvbdVw7QEi5t1hW9ghRrHDREXhIYkc51rzK4htBBdlX7E4yFuiuPZC/2
Q2lUelBrHP+bwgC+GzliHUIseuGAGEpSjJadtuSC2gUZbgv7PN6jM7WzaSdJ22spoFlP
XoIimu4hSOpEgK/txOuB+ge3MrpXEQPYW1tN0nD1RZF39uGbGdQrk9s6MARbZ+1APTJh
H6oi9fPfOp7EEkmZsm1ojwGoIN+RoYQ23KMVqI915SNn5CaRySQNenVyAJ7Skl2Q3bdK
ENW7lkGFXZ/DxpA8dQITZGBJEGhVppj2Pfp4uANDcdqUUGCN3i0srmkb7XaNn3U9qyIB
KEgnFupkNfMVB48AQu1PYxoEoO/zIyTVlPn0iSAl64zA27u5RXlikEbx0ePvPSYuMTL4
ZaDk2vNvKNmPvXBi6dZvXIPx2ROrqBrLMNx19EHDVSSVT+R3Qf1f/4TwRdHPb6ZliSFv
FF6eygY40y5whHNy7Q8zxrj5Py56Cp+Alus3jr6UNw== openpgp:0x877CC64B
$ ssh-add -L
ssh-rsa B3NzaC1yc2EDAQABAAACAQC1jJSXxnM4iR3F16Yd5FEjrOo6sbGF
rkvVVoqUt9iyL5Z+Lz1ElpyUoKcGRRtU8NNueI8RpJT7ipIxubMiefDHVU7FRhk809jQ
vlTu8YDezdIZ0BWJ3W9+CCCQkD9JNmr5LsUnqD5KKUP4v0rwN6zLsXARGjpv1Jj61vJe
o3+B9CGpe8cIFvbdVw7QEi5t1hW9ghRrHDREXhIYkc51rzK4htBBdlX7E4yFuiuPZC/2
Q2lUelBrHP+bwgC+GzliHUIseuGAGEpSjJadtuSC2gUZbgv7PN6jM7WzaSdJ22spoFlP
XoIimu4hSOpEgK/txOuB+ge3MrpXEQPYW1tN0nD1RZF39uGbGdQrk9s6MARbZ+1APTJh
H6oi9fPfOp7EEkmZsm1ojwGoIN+RoYQ23KMVqI915SNn5CaRySQNenVyAJ7Skl2Q3bdK
ENW7lkGFXZ/DxpA8dQITZGBJEGhVppj2Pfp4uANDcdqUUGCN3i0srmkb7XaNn3U9qyIB
KEgnFupkNfMVB48AQu1PYxoEoO/zIyTVlPn0iSAl64zA27u5RXlikEbx0ePvPSYuMTL4
ZaDk2vNvKNmPvXBi6dZvXIPx2ROrqBrLMNx19EHDVSSVT+R3Qf1f/4TwRdHPb6ZliSFv
FF6eygY40y5whHNy7Q8zxrj5Py56Cp+Alus3jr6UNw== cardno:18 698 015
ssh-rsa B3NzaC1yc2EDAQABAAACAQC1jJSXxnM4iR3F16Yd5FEjrOo6sbGF
rkvVVoqUt9iyL5Z+Lz1ElpyUoKcGRRtU8NNueI8RpJT7ipIxubMiefDHVU7FRhk809jQ
vlTu8YDezdIZ0BWJ3W9+CCCQkD9JNmr5LsUnqD5KKUP4v0rwN6zLsXARGjpv1Jj61vJe
o3+B9CGpe8cIFvbdVw7QEi5t1hW9ghRrHDREXhIYkc51rzK4htBBdlX7E4yFuiuPZC/2
Q2lUelBrHP+bwgC+GzliHUIseuGAGEpSjJadtuSC2gUZbgv7PN6jM7WzaSdJ22spoFlP
XoIimu4hSOpEgK/txOuB+ge3MrpXEQPYW1tN0nD1RZF39uGbGdQrk9s6MARbZ+1APTJh
H6oi9fPfOp7EEkmZsm1ojwGoIN+RoYQ23KMVqI915SNn5CaRySQNenVyAJ7Skl2Q3bdK
ENW7lkGFXZ/DxpA8dQITZGBJEGhVppj2Pfp4uANDcdqUUGCN3i0srmkb7XaNn3U9qyIB
KEgnFupkNfMVB48AQu1PYxoEoO/zIyTVlPn0iSAl64zA27u5RXlikEbx0ePvPSYuMTL4
ZaDk2vNvKNmPvXBi6dZvXIPx2ROrqBrLMNx19EHDVSSVT+R3Qf1f/4TwRdHPb6ZliSFv
FF6eygY40y5whHNy7Q8zxrj5Py56Cp+Alus3jr6UNw== (none)

Weird only is that `ssh-add -L` outputs the key twice.

Logging in via SSH with the authentication sub key now works as
expected, all smooth.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot export SSH public key

[Felix E. Klee]

Thanks, Ingo!

Looking at my log, I realize that I indeed uploaded the primary key when
I did `keytocard`. I did not do `key 2` to select the authentication sub
key. Instead I was assuming that GnuPG does automatically select the
right sub key. There was a warning about moving the primary key, which I
ignored.

Today I fixed that, and now all works consistently:

$ gpg --card-status
[…]
Signature key : 7A0F E73D DB74 4F0F 9734  1DA7 1BE3 49D1 1B6E
D589
  created : 2023-06-29 03:50:43
Encryption key: DBBD 3239 D0F1 4326 808D  FC8F 7CC0 2D68 D2E3
1736
  created : 2023-06-29 03:50:43
Authentication key: 9DFF AD98 566A 604F 7290  7C24 32B1 06F6 877C
C64B
  created : 2023-11-22 15:14:14
General key info..: pub  rsa4096/1BE349D11B6ED589 2023-06-29 Felix
E. Klee (YubiKey) 
sec>  rsa4096/1BE349D11B6ED589  created: 2023-06-29  expires: never
card-no: 0006 18698015
ssb>  rsa4096/7CC02D68D2E31736  created: 2023-06-29  expires: never
card-no: 0006 18698015
ssb>  rsa4096/32B106F6877CC64B  created: 2023-11-22  expires: never
card-no: 0006 18698015
$ gpg --export-ssh-key yubikey
ssh-rsa B3NzaC1yc2EDAQABAAACAQC1jJSXxnM4iR3F16Yd5FEjrOo6sbGF
rkvVVoqUt9iyL5Z+Lz1ElpyUoKcGRRtU8NNueI8RpJT7ipIxubMiefDHVU7FRhk809jQ
vlTu8YDezdIZ0BWJ3W9+CCCQkD9JNmr5LsUnqD5KKUP4v0rwN6zLsXARGjpv1Jj61vJe
o3+B9CGpe8cIFvbdVw7QEi5t1hW9ghRrHDREXhIYkc51rzK4htBBdlX7E4yFuiuPZC/2
Q2lUelBrHP+bwgC+GzliHUIseuGAGEpSjJadtuSC2gUZbgv7PN6jM7WzaSdJ22spoFlP
XoIimu4hSOpEgK/txOuB+ge3MrpXEQPYW1tN0nD1RZF39uGbGdQrk9s6MARbZ+1APTJh
H6oi9fPfOp7EEkmZsm1ojwGoIN+RoYQ23KMVqI915SNn5CaRySQNenVyAJ7Skl2Q3bdK
ENW7lkGFXZ/DxpA8dQITZGBJEGhVppj2Pfp4uANDcdqUUGCN3i0srmkb7XaNn3U9qyIB
KEgnFupkNfMVB48AQu1PYxoEoO/zIyTVlPn0iSAl64zA27u5RXlikEbx0ePvPSYuMTL4
ZaDk2vNvKNmPvXBi6dZvXIPx2ROrqBrLMNx19EHDVSSVT+R3Qf1f/4TwRdHPb6ZliSFv
FF6eygY40y5whHNy7Q8zxrj5Py56Cp+Alus3jr6UNw== openpgp:0x877CC64B
$ ssh-add -L
ssh-rsa B3NzaC1yc2EDAQABAAACAQC1jJSXxnM4iR3F16Yd5FEjrOo6sbGF
rkvVVoqUt9iyL5Z+Lz1ElpyUoKcGRRtU8NNueI8RpJT7ipIxubMiefDHVU7FRhk809jQ
vlTu8YDezdIZ0BWJ3W9+CCCQkD9JNmr5LsUnqD5KKUP4v0rwN6zLsXARGjpv1Jj61vJe
o3+B9CGpe8cIFvbdVw7QEi5t1hW9ghRrHDREXhIYkc51rzK4htBBdlX7E4yFuiuPZC/2
Q2lUelBrHP+bwgC+GzliHUIseuGAGEpSjJadtuSC2gUZbgv7PN6jM7WzaSdJ22spoFlP
XoIimu4hSOpEgK/txOuB+ge3MrpXEQPYW1tN0nD1RZF39uGbGdQrk9s6MARbZ+1APTJh
H6oi9fPfOp7EEkmZsm1ojwGoIN+RoYQ23KMVqI915SNn5CaRySQNenVyAJ7Skl2Q3bdK
ENW7lkGFXZ/DxpA8dQITZGBJEGhVppj2Pfp4uANDcdqUUGCN3i0srmkb7XaNn3U9qyIB
KEgnFupkNfMVB48AQu1PYxoEoO/zIyTVlPn0iSAl64zA27u5RXlikEbx0ePvPSYuMTL4
ZaDk2vNvKNmPvXBi6dZvXIPx2ROrqBrLMNx19EHDVSSVT+R3Qf1f/4TwRdHPb6ZliSFv
FF6eygY40y5whHNy7Q8zxrj5Py56Cp+Alus3jr6UNw== cardno:18 698 015
ssh-rsa B3NzaC1yc2EDAQABAAACAQC1jJSXxnM4iR3F16Yd5FEjrOo6sbGF
rkvVVoqUt9iyL5Z+Lz1ElpyUoKcGRRtU8NNueI8RpJT7ipIxubMiefDHVU7FRhk809jQ
vlTu8YDezdIZ0BWJ3W9+CCCQkD9JNmr5LsUnqD5KKUP4v0rwN6zLsXARGjpv1Jj61vJe
o3+B9CGpe8cIFvbdVw7QEi5t1hW9ghRrHDREXhIYkc51rzK4htBBdlX7E4yFuiuPZC/2
Q2lUelBrHP+bwgC+GzliHUIseuGAGEpSjJadtuSC2gUZbgv7PN6jM7WzaSdJ22spoFlP
XoIimu4hSOpEgK/txOuB+ge3MrpXEQPYW1tN0nD1RZF39uGbGdQrk9s6MARbZ+1APTJh
H6oi9fPfOp7EEkmZsm1ojwGoIN+RoYQ23KMVqI915SNn5CaRySQNenVyAJ7Skl2Q3bdK
ENW7lkGFXZ/DxpA8dQITZGBJEGhVppj2Pfp4uANDcdqUUGCN3i0srmkb7XaNn3U9qyIB
KEgnFupkNfMVB48AQu1PYxoEoO/zIyTVlPn0iSAl64zA27u5RXlikEbx0ePvPSYuMTL4
ZaDk2vNvKNmPvXBi6dZvXIPx2ROrqBrLMNx19EHDVSSVT+R3Qf1f/4TwRdHPb6ZliSFv
FF6eygY40y5whHNy7Q8zxrj5Py56Cp+Alus3jr6UNw== (none)

Weird only is that `ssh-add -L` outputs the key twice.

Logging in via SSH with the authentication sub key now works as
expected, all smooth.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

gpg --card-status

[Felix E. Klee]

Example output with line numbers:

01 Reader ...: Yubico YubiKey CCID 00 00
02 Application ID ...: D276000124010304000618698015
03 Application type .: OpenPGP
04 Version ..: 3.4
05 Manufacturer .: Yubico
06 Serial number : 18698015
07 Name of cardholder: [not set]
08 Language prefs ...: [not set]
09 Salutation ...:
10 URL of public key : [not set]
11 Login data ...: [not set]
12 Signature PIN : not forced
13 Key attributes ...: rsa4096 rsa4096 rsa4096
14 Max. PIN lengths .: 127 127 127
15 PIN retry counter : 3 0 3
16 Signature counter : 0
17 KDF setting ..: off
18 Signature key : 7A0F E73D DB74 4F0F 9734  1DA7 1BE3 49D1 1B6E
   D589
19   created : 2023-06-29 03:50:43
20 Encryption key: DBBD 3239 D0F1 4326 808D  FC8F 7CC0 2D68 D2E3
   1736
21   created : 2023-06-29 03:50:43
22 Authentication key: 7A0F E73D DB74 4F0F 9734  1DA7 1BE3 49D1 1B6E
   D589
23   created : 2023-06-29 03:50:43
24 General key info..: pub  rsa4096/1BE349D11B6ED589 2023-06-29
   Felix E. Klee (YubiKey) 
25 sec>  rsa4096/1BE349D11B6ED589  created: 2023-06-29  expires:
   never
26 card-no: 0006 18698015
27 ssb>  rsa4096/7CC02D68D2E31736  created: 2023-06-29  expires:
   never
28 card-no: 0006 18698015
29 ssb#  rsa4096/32B106F6877CC64B  created: 2023-11-22  expires:
   never

Lines 18, 20, 22: Fingerprint. I read somewhere that this a hash of the
key. But of which one? The public key? The private key? What hash
function?

Line 25: “sec>” means secret primary key. Where does the key ID come
from? Is it read from the card? Or it read from the public key ring on
disk?

Line 27: “ssb>” means secret sub key.

Line 29: “ssb#” means secret sub key, but without the matching secret
key on the card. This I just learned from Ingo Klöcker in another
thread.

If there is any authoritative documentation, please let me know! So far,
I’ve puzzled the info together, piece by piece from various resources on
the web.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot export SSH public key

[Felix E. Klee via Gnupg-users]

Thanks for pointing out that the signature key and the authentication
keys are identical:

$ gpg --card-status
[…]
Signature key : 7A0F E73D DB74 4F0F 9734  1DA7 1BE3 49D1 1B6E
D589
  created : 2023-06-29 03:50:43
Encryption key: DBBD 3239 D0F1 4326 808D  FC8F 7CC0 2D68 D2E3
1736
  created : 2023-06-29 03:50:43
Authentication key: 7A0F E73D DB74 4F0F 9734  1DA7 1BE3 49D1 1B6E
D589
  created : 2023-06-29 03:50:43
[…]
sec>  rsa4096/1BE349D11B6ED589  created: 2023-06-29  expires: never
card-no: 0006 18698015
ssb>  rsa4096/7CC02D68D2E31736  created: 2023-06-29  expires: never
card-no: 0006 18698015
ssb#  rsa4096/32B106F6877CC64B  created: 2023-11-22  expires: never

At the same time, the key IDs are different:

$ gpg --list-keys --keyid-format LONG yubi...@f76.eu
pub   rsa4096/1BE349D11B6ED589 2023-06-29 [SC]
  7A0FE73DDB744F0F97341DA71BE349D11B6ED589
uid [ultimate] Felix E. Klee (YubiKey) 
sub   rsa4096/7CC02D68D2E31736 2023-06-29 [E]
sub   rsa4096/32B106F6877CC64B 2023-11-22 [A]

How does that go together?

I thought the long key ID is the last 16 characters of the fingerprint.
And the fingerprint is a 40 character hash of the public (or private?)
key.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot export SSH public key

[Felix E. Klee]

Thanks for pointing out that the signature key and the authentication
keys are identical:

$ gpg --card-status
[…]
Signature key : 7A0F E73D DB74 4F0F 9734  1DA7 1BE3 49D1 1B6E
D589
  created : 2023-06-29 03:50:43
Encryption key: DBBD 3239 D0F1 4326 808D  FC8F 7CC0 2D68 D2E3
1736
  created : 2023-06-29 03:50:43
Authentication key: 7A0F E73D DB74 4F0F 9734  1DA7 1BE3 49D1 1B6E
D589
  created : 2023-06-29 03:50:43
[…]
sec>  rsa4096/1BE349D11B6ED589  created: 2023-06-29  expires: never
card-no: 0006 18698015
ssb>  rsa4096/7CC02D68D2E31736  created: 2023-06-29  expires: never
card-no: 0006 18698015
ssb#  rsa4096/32B106F6877CC64B  created: 2023-11-22  expires: never

At the same time, here the key IDs are different:

$ gpg --list-keys --keyid-format LONG yubi...@f76.eu
pub   rsa4096/1BE349D11B6ED589 2023-06-29 [SC]
  7A0FE73DDB744F0F97341DA71BE349D11B6ED589
uid [ultimate] Felix E. Klee (YubiKey) 
sub   rsa4096/7CC02D68D2E31736 2023-06-29 [E]
sub   rsa4096/32B106F6877CC64B 2023-11-22 [A]

How does that go together?

I thought the long key ID is the last 16 characters of the fingerprint.
And the fingerprint is a 40 character hash of the public (or private?)
key.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot export SSH public key

[Felix E. Klee]

So `gpg --card-status` imports [SC] and [E], but not [A]:

$ rm ~/.gnupg/private-keys-v1.d/*
$ ls -a1 ~/.gnupg/private-keys-v1.d/
.
..
$ gpg --card-status
[…]
Signature key : 7A0F E73D DB74 4F0F 9734  1DA7 1BE3 49D1 1B6E
D589
  created : 2023-06-29 03:50:43
Encryption key: DBBD 3239 D0F1 4326 808D  FC8F 7CC0 2D68 D2E3
1736
  created : 2023-06-29 03:50:43
Authentication key: 7A0F E73D DB74 4F0F 9734  1DA7 1BE3 49D1 1B6E
D589
  created : 2023-06-29 03:50:43
[…]
sec>  rsa4096/1BE349D11B6ED589  created: 2023-06-29  expires: never
card-no: 0006 18698016
ssb>  rsa4096/7CC02D68D2E31736  created: 2023-06-29  expires: never
card-no: 0006 18698016
ssb#  rsa4096/32B106F6877CC64B  created: 2023-11-22  expires: never
$ gpg --list-keys --keyid-format LONG --with-keygrip yubi...@f76.eu
pub   rsa4096/1BE349D11B6ED589 2023-06-29 [SC]
  7A0FE73DDB744F0F97341DA71BE349D11B6ED589
  Keygrip = 0E67508AC6866D82ABB95E0B53CF5D18DC48A786
uid [ultimate] Felix E. Klee (YubiKey) 
sub   rsa4096/7CC02D68D2E31736 2023-06-29 [E]
  Keygrip = 07D6164F019D2EDF59C650992CF93776B2DD17F2
sub   rsa4096/32B106F6877CC64B 2023-11-22 [A]
  Keygrip = 9C67E5BBB72EF0BF2625792F8F134CE4FD961FF5
$ ls -a1 ~/.gnupg/private-keys-v1.d/
.
..
07D6164F019D2EDF59C650992CF93776B2DD17F2.key
0E67508AC6866D82ABB95E0B53CF5D18DC48A786.key

To me it looks like [A] is on the Yubikey, as it should.

*But how do I get the private key stub for [A] imported?*

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot export SSH public key

[Felix E. Klee]

On Thu, Nov 23, 2023 at 10:17 AM Felix E. Klee 
wrote:
> Can you explain why the output of `ssh-add -L` did not change? Also
> why is it not the same as the output from `gpg --export-ssh-key
> yubi...@f76.eu`?

OK, I may have found the issue:

$ grep -rl Use-for-ssh ~/.gnupg/private-keys-v1.d/*
.gnupg/private-keys-v1.d/0E67508AC6866D82ABB95E0B53CF5D18DC48A786.key

That’s the key grip of the master key:

$ gpg -k --with-keygrip yubi...@f76.eu
pub   rsa4096 2023-06-29 [SC]
  7A0FE73DDB744F0F97341DA71BE349D11B6ED589
  Keygrip = 0E67508AC6866D82ABB95E0B53CF5D18DC48A786
uid   [ultimate] Felix E. Klee (YubiKey) 
sub   rsa4096 2023-06-29 [E]
  Keygrip = 07D6164F019D2EDF59C650992CF93776B2DD17F2
sub   rsa4096 2023-11-22 [A]
  Keygrip = 9C67E5BBB72EF0BF2625792F8F134CE4FD961FF5

I don’t remember adding this, but I guess I did, maybe some months ago.
Anyhow, now I removed `Use-for-ssh` from that key.

I then added the keygrip of the authentication key to
`~/.gnupg/sshcontrol`. However, that doesn’t work:

$ ssh-add -l
The agent has no identities.

Only if I add the key grip of the master key to `~/.gnupg/sshcontrol`,
then `ssh-add -l` is happy. But this seems wrong.

I notice that the private key stub of the authentication sub key isn’t
present in `~/.gnupg/private-keys-v1.d`:

$ ls -1 ~/.gnupg/private-keys-v1.d/
07D6164F019D2EDF59C650992CF93776B2DD17F2.key
0E67508AC6866D82ABB95E0B53CF5D18DC48A786.key
250CD54A263D092C462509D83D034E4BAAF73311.key
BB1D7402E4603D0C12512AB235B12FE1F4BD9667.key

*How do I generate the private key stub for the authentication sub key?*

`gpg --card-status` doesn’t do it.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot export SSH public key

[Felix E. Klee]

On Thu, Nov 23, 2023 at 2:19 PM Stephan Verbücheln via Gnupg-users
 wrote:
> Host gitlab.com
> HostName gitlab.com
> User git
> IdentityAgent ${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh

Thanks, that works. Even the variable is expanded.

In addition, I need:

gpg-connect-agent updatestartuptty /bye

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot export SSH public key

[Felix E. Klee]

On Wed, Nov 22, 2023 at 8:57 PM Werner Koch  wrote:
> Here is the snippet from by ~/.bashrc

I have a similar config. Thank you for the detailed explanation!

Only the following line does not work right after autologin (default
with Ubuntu / WSL2), seems like something is not ready yet.

gpg-connect-agent updatestartuptty /bye

> What is in your ~/.gnupg/sshcontrol file?

It’s empty, with only comments at the top. I left it that way, and
proceeded as follows:

> Instead of putting this into sshcontrol you may also put them into the
> private-keys-v1.d/.key file with a line:
>
>   Use-for-ssh: yes

I added that to 0E67508AC6866D82ABB95E0B53CF5D18DC48A786.key, which is
my master key.  But it still doesn’t work, see below.

Should I add a file with the authentication key instead?

>   gpg --export-ssh-key
>
> Adds a comment with the keyid - is that one correct?  Does it match what
> you see with
>
>   ssh-add -L

Output:

$ gpg -k --with-keygrip yubi...@f76.eu
pub   rsa4096 2023-06-29 [SC]
  7A0FE73DDB744F0F97341DA71BE349D11B6ED589
  Keygrip = 0E67508AC6866D82ABB95E0B53CF5D18DC48A786
uid   [ultimate] Felix E. Klee (YubiKey) 
sub   rsa4096 2023-06-29 [E]
  Keygrip = 07D6164F019D2EDF59C650992CF93776B2DD17F2
sub   rsa4096 2023-11-22 [A]
  Keygrip = 9C67E5BBB72EF0BF2625792F8F134CE4FD961FF5
$ gpg --export-ssh-key yubi...@f76.eu
ssh-rsa B3NzaC1yc2EDAQABAAACAQC1jJSXxnM4iR3F16Yd5FEjrOo6sbGF
rkvVVoqUt9iyL5Z+Lz1ElpyUoKcGRRtU8NNueI8RpJT7ipIxubMiefDHVU7FRhk809jQ
vlTu8YDezdIZ0BWJ3W9+CCCQkD9JNmr5LsUnqD5KKUP4v0rwN6zLsXARGjpv1Jj61vJe
o3+B9CGpe8cIFvbdVw7QEi5t1hW9ghRrHDREXhIYkc51rzK4htBBdlX7E4yFuiuPZC/2
Q2lUelBrHP+bwgC+GzliHUIseuGAGEpSjJadtuSC2gUZbgv7PN6jM7WzaSdJ22spoFlP
XoIimu4hSOpEgK/txOuB+ge3MrpXEQPYW1tN0nD1RZF39uGbGdQrk9s6MARbZ+1APTJh
H6oi9fPfOp7EEkmZsm1ojwGoIN+RoYQ23KMVqI915SNn5CaRySQNenVyAJ7Skl2Q3bdK
ENW7lkGFXZ/DxpA8dQITZGBJEGhVppj2Pfp4uANDcdqUUGCN3i0srmkb7XaNn3U9qyIB
KEgnFupkNfMVB48AQu1PYxoEoO/zIyTVlPn0iSAl64zA27u5RXlikEbx0ePvPSYuMTL4
ZaDk2vNvKNmPvXBi6dZvXIPx2ROrqBrLMNx19EHDVSSVT+R3Qf1f/4TwRdHPb6ZliSFv
FF6eygY40y5whHNy7Q8zxrj5Py56Cp+Alus3jr6UNw== openpgp:0x877CC64B
$ ssh-add -L
ssh-rsa B3NzaC1yc2EDAQABAAACAQCpsX4nQnLh3SJDdIDkdX0DFY4c2uFu
6QJRPrXyub32Ae5SX+3rQnhj/7U8PGFG5LbRT8NVHMyxmoXAHda3wZ1Za3mTC8oWUPSz
dIlSgB7HrVNvmP0fvk0b1V9BOkBJrV6RMMNLEssiD9PCiI95z1+uEbxr9tZAJO/lDYnU
jhEK6PykBhQiJISHpWnWmE0qj+84wQ+/cEPJYnt4tgqLuFH+COFGBVuN6DDi6ubbDlCy
693UqQjWSNi1A34JmUKFOw5Kt0It3Qj3nNVdm8/hRiVZ84qPVbF1Vvp0gZ9k1sFg+3O9
LZYo0vZ73gLMx6AjO1A+Cqcef/e6O+aT+CVgINQ6oaDMyKtHkD7caflg8nPrmiVASxTe
nn51W3Uiu1wksrtEH2HCUcLXpMWKNTjjwpUUTSmMy4m069K5SENsjzsMsHiN2cTxdNu5
CufP1Q3XtGI4VCdW5ql0vgZMCPHIuXHLyFpz9scc2I68B8YnoMzzH0CDyLpjudBRlup+
BZD1g2xlCWB9f+43Oy+Ibf5wAW8/gjk5ly6fhQwB712GTHXNKpPl2ymXgtP2v0K48TE7
OsIfR0sBk2LbwuXr2tLB1WYgrNYs8YY83u/HC6RWHskrcIRq75ahcdeTu8Ukdz1VhAdL
sk25F529lMjW0CgshB9xvFxCwFzcGMmHniuMjoFN6Q== cardno:18 698 015
$ ssh-add -l
4096 SHA256:Pun8mwtl04HFOK8Z1LbCRZ/oQLgZDpkgNHU5/E1MM8I cardno:18 69
8 015 (RSA)

As you see, the public keys are different. `ssh-add -L` does not add the
key ID. So I’ve no idea what is going on.

The key exported by `ssh-add -L` works. I get asked for the PIN, the
Yubikey blinks, and then I’m in:

$ ssh u...@example.com
[user@example ~]$

The key exported by `gpg --export-ssh-key yubi...@f76.eu` does not work:

$ ssh u...@example.com
u...@example.com: Permission denied (publickey).

As it works with the key exported with `ssh-add -L`, maybe I should not
complain. However what confuses me is that the output of `ssh-add -L`
does not change after I replaced the authentication subkey.

Can you explain why the output of `ssh-add -L` did not change? Also why
is it not the same as the output from `gpg --export-ssh-key
yubi...@f76.eu`?

(Background: I replaced the authentication subkey because the first time
I added it, I forgot to make a backup of the updated secret key.)

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot export SSH public key

[Felix E. Klee via Gnupg-users]

On Tue, Nov 21, 2023 at 12:38 AM Ingo Klöcker  wrote:
> $ gpg --export-ssh-key 1B6ED589

Thanks, this worked! I then added the key on the remote system to:

~/.ssh/authorized_keys

However, I could not log in.  SSH reports:

Permission denied (publickey).

I then tried exporting the key using `ssh-add`:

ssh-add -L >~/.ssh/id_rsa.pub

If I add this key to `authorized_keys`, I can log in, after unlocking my
Yubikey with a PIN. Great! Or not, read on.

Now it gets a bit weird: Apparently the key exported by `ssh-add` is not
tied to my authentication key! I noticed this because I replaced the
authentication key. They key exported by `ssh-add` did not change. I can
still log in using that key. So I assume that key is based on the my
signature key `1B6ED589`:

$ gpg --list-keys --keyid-format SHORT yubi...@f76.eu
pub   rsa4096/1B6ED589 2023-06-29 [SC]
  7A0FE73DDB744F0F97341DA71BE349D11B6ED589
uid [ultimate] Felix E. Klee (YubiKey) 
sub   rsa4096/D2E31736 2023-06-29 [E]
sub   rsa4096/877CC64B 2023-11-22 [A]

Should I better use the authentication key exported by GPG for SSH? But
how to make that work?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot export SSH public key

[Felix E. Klee]

On Tue, Nov 21, 2023 at 12:38 AM Ingo Klöcker  wrote:
> $ gpg --export-ssh-key 1B6ED589

Thanks, this worked! I then added the key on the remote system to:

~/.ssh/authorized_keys

However, I could not log in.  SSH reports:

Permission denied (publickey).

I then tried exporting the key using `ssh-add`:

ssh-add -L >~/.ssh/id_rsa.pub

If I add this key to `authorized_keys`, I can log in, after unlocking my
Yubikey with a PIN. Great! Or not, read on.

Now it gets a bit weird: Apparently the key exported by `ssh-add` is not
tied to my authentication key! I noticed this because I replaced the
authentication key. They key exported by `ssh-add` did not change. I can
still log in using that key. So I assume that key is based on the my
signature key `1B6ED589`:

$ gpg --list-keys --keyid-format SHORT yubi...@f76.eu
pub   rsa4096/1B6ED589 2023-06-29 [SC]
  7A0FE73DDB744F0F97341DA71BE349D11B6ED589
uid [ultimate] Felix E. Klee (YubiKey) 
sub   rsa4096/D2E31736 2023-06-29 [E]
sub   rsa4096/877CC64B 2023-11-22 [A]

Should I better use the authentication key exported by GPG for SSH? But
how to make that work?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Cannot export SSH public key

[Felix E. Klee]

I added an authentication key to my existing key .

$ gpg --edit-key --expert yubi...@f76.eu
> addkey

I selected:

8: RSA (set your own capabilities)
S: disable sign capability
E: disable encrypt capability
A: enable authenticate capability
4096: key size
0: expiry (never)

However, I cannot export it for SSH:

$ gpg --list-keys --keyid-format SHORT yubi...@f76.eu
pub   rsa4096/1B6ED589 2023-06-29 [SC]
  7A0FE73DDB744F0F97341DA71BE349D11B6ED589
uid [ultimate] Felix E. Klee (YubiKey) 
sub   rsa4096/D2E31736 2023-06-29 [E]
sub   rsa4096/FBA5B1E5 2023-11-20 [A]

$ gpg --export-ssh-key FBA5B1E5
gpg: key "FBA5B1E5" not found: Unusable public key
gpg: export as ssh key failed: Unusable public key

GnuPG version:

$ gpg --version
gpg (GnuPG) 2.2.27
libgcrypt 1.9.4
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

    Home: /home/felix/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

What’s wrong here?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Finding all files encrypted with a certain key

[Felix E. Klee]

On Wed, Oct 25, 2023 at 9:23 PM Werner Koch  wrote:
> > gpg: decryption failed: No secret key
> >
> > I wonder how to get rid of that.
>
> grep -v on stderr ;-).

Thanks, I was thinking about that. But I think simply using find, as
suggested by Andrew and raf, is sufficient and simple.

> I think it is time to make things like this easier. Actually
> re-encrypt support has been on our feature list for many years.

That would be fancy. Personally, I’m happy with a bit of shell
scripting. My use case is rather simple, and I don’t need to do
re-encryption very often.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Finding all files encrypted with a certain key

[Felix E. Klee]

On Tue, Oct 24, 2023 at 5:12 PM Andrew Gallagher 
wrote:
> GNU `file` will print the encryption key ID:

Interesting. I wonder if there is any disadvantage of using `file` over
Werner’s proposal.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Finding all files encrypted with a certain key

[Felix E. Klee]

On Wed, Oct 25, 2023 at 10:08 AM raf via Gnupg-users
 wrote:
> > How do I do that for a massive directory tree?
>
> With my rawhide (rh) program (github.com/raforg/rawhide) you can do it
> with something like this:
>
>  rh /path '"*.gpg" && "*PGP*encrypted*BEF6EFD3 8FE8DCA0*".what'

Very interesting, may look into that. But first working with Werner’s
solution.

> Also, in case you need to re-encrypt regularly, I recommend assigning
> some label to the key and putting it in the filename (e.g.
> blah.gpg.key23).

I may do that.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Finding all files encrypted with a certain key

[Felix E. Klee]

On Tue, Oct 24, 2023 at 5:21 PM Werner Koch  wrote:
> encrypted-to-me-p.sh
> --8<---cut here---start->8---
> #/bin/sh
> gpg -d  --status-fd 1 -o /dev/null 2>/dev/null "$1" | awk '
> $1=="[GNUPG:]" && $2=="ENC_TO" && $3=="BEF6EFD38FE8DCA0" {print $1; exit 0}'
> --8<---cut here---end--->8---

Thank you! I modified that a bit, to make it more readable to me and fix
a little bug: The second `$1` doesn’t expand to the file name. Also, I
had to pass `--pinentry-mode cancel`. Otherwise it would ask me for the
PIN of my smartcard. See below for my version.

What I don’t like is the `2>/dev/null` because that may mask actual
error messages. I specified `--quiet`. That works to some extend, but I
still get:

gpg: decryption failed: No secret key

I wonder how to get rid of that.

My version:

#/bin/sh

filename=$1
enc_sub_key=04FDF78D1679DD94

gpg --decrypt \
--pinentry-mode cancel \
--status-fd 1 \
--quiet \
--output /dev/null "$1" |
awk -v filename="$filename" \
-v enc_sub_key="$enc_sub_key" \
'
$1=="[GNUPG:]" &&
$2=="ENC_TO" &&
$3==enc_sub_key {
print filename
exit 0
}'

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Finding all files encrypted with a certain key

[Felix E. Klee]

For the purpose of re-encryption with a new key, I’d like to find all
files that are encrypted with my key BEF6EFD38FE8DCA0. All encrypted
files, independent of key, have the extension `.gpg`.

How do I do that for a massive directory tree?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: YubiKey/OpenPGP card connection issues for non-root user

[Felix E. Klee]

The issue persists. Sometimes the readers (just now the YubiKey) are not
visible to the user. But they are always to root k. I then disabled the
PC/SC daemon:

[felix@felix-arch ~]$ sudo systemctl disable pcscd
Removed "/etc/systemd/system/sockets.target.wants/pcscd.socket".
    [felix@felix-arch ~]$ sudo systemctl stop pcscd
Warning: Stopping pcscd.service, but it can still be activated by:
  pcscd.socket

Afterwards, `gpg --card-status` immediately showed the card status to
the ordinary user.

However, this solution is not good. As I mentioned before, I may want to
use PC/SC in the future, and I may also just accidentally re-enable it.
So it would be better to have a solution where the PC/SC daemon does not
cause some race condition.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: YubiKey/OpenPGP card connection issues for non-root user

[Felix E. Klee]

On Mon, Aug 7, 2023 at 3:30 PM Werner Koch  wrote:
> > I also tried killing root’s gpg-agent, to avoid conflicts with that
> > of the user, but that didn’t help either.
>
> Right a second scdaemon might have grabbed the device. If you don't
> need it as root put into root's gpg-agent.conf "disable-scdaemon".
>
> Another option is to put
>
> pcsc-shared

Thanks, good to know about this option. However, I hope that fixing
PC/SC access has solved the issue. See my other message.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: YubiKey/OpenPGP card connection issues for non-root user

[Felix E. Klee]

On Mon, Aug 7, 2023 at 9:00 AM NIIBE Yutaka  wrote:
> Please note that there may be two methods to access the device in
> scdaemon:
>
>   * in-stock CCID driver of scdaemon
>   * the PC/SC service
>
> Your output shows that you are connecting the smartcard reader through
> the PC/SC service.

Interesting. I assume the problem is down to a race-condition with the
two competing for access. That would explain its apparent randomness.

> If it's not your intention and your scdaemon has support of in-stock
> CCID driver, I'd recommend not to use the PC/SC service. Perhaps,
> simply uninstall pcscd.

I prefer not to, because: I may install the PC/SC service again in the
future and then I likely will have forgotten about our conversation
here.

> If you have a reason using PC/SC service (say, for example, you need
> the service for other applications and other cards, as well as your
> use of OpenPGP smartcard for GnuPG), please make sure that you
> configure the PC/SC service correctly.

Indeed it was not properly set up:

[felix@felix-arch ~]$ opensc-tool -l
No smart card readers found.

I added a Polkit rule following the [instructions][1] for PC/SC:

[root@felix-arch ~]# cat /etc/polkit-1/rules.d/01-pcscd.rules
polkit.addRule(function(action, subject) {
if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
subject.user == "felix") {
    return polkit.Result.YES;
}
});

Now it works:

[felix@felix-arch ~]$ opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0Yes Yubico YubiKey CCID 00 00

I should see in the upcoming days whether that solves the issue.

Thank you!

[1]: https://github.com/LudovicRousseau/PCSC/blob/master/doc/README.polkit

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: YubiKey/OpenPGP card connection issues for non-root user

[Felix E. Klee]

On Thu, Aug 3, 2023 at 9:28 PM Michael Richardson
 wrote:
> I think you need to make sure that it's not VMware that's failing to
> plug the device through in a timely manner.

I have configured the VMware guest to automatically take over these
devices from the Windows 10 host:

usb.autoConnect.device0 = "0x04e6:0xe003"
[…]
usb.autoConnect.device7 = "0x1050:0x0404"

> dmesg -w

I just played around. After unplugging the YubiKey, I connected the
SPR332:

[felix@felix-arch ~]$ sudo dmesg -w
[…]
[ 5135.728320] usb 2-1: new full-speed USB device number 6 using
uhci_hcd
[ 5136.137546] usb 2-1: New USB device found, idVendor=04e6,
idProduct=e003, bcdDevice= 7.01
[ 5136.137551] usb 2-1: New USB device strings: Mfr=1, Product=2,
SerialNumber=5
[ 5136.137553] usb 2-1: Product: SPRx32 USB Smart Card Reader
[ 5136.137554] usb 2-1: Manufacturer: SCM Microsystems Inc.
[ 5136.137555] usb 2-1: SerialNumber: 51271741200012
^C
[felix@felix-arch ~]$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
[felix@felix-arch ~]$ sudo gpg --card-status
Reader ...: SCM Microsystems Inc. SPR 532 [CCID Interface]
(51271741200012) 00 00
Application ID ...: D276000124010303000564D5
Application type .: OpenPGP
Version ..: 3.3
Manufacturer .: ZeitControl
Serial number : 64D5
Name of cardholder: Felix Klee
Language prefs ...: en
Salutation ...: Mr.
URL of public key :

https://sks-keyservers.net/pks/lookup?op=get=0x5EF8B6017F668171259945D6BEF6EFD38FE8DCA0
Login data ...: [not set]
Signature PIN : forced
Key attributes ...: rsa4096 rsa4096 rsa2048
Max. PIN lengths .: 64 64 64
PIN retry counter : 3 3 3
Signature counter : 10
KDF setting ..: off
Signature key : 5EF8 B601 7F66 8171 2599 45D6 BEF6 EFD3 8FE8
DCA0
  created : 2016-12-17 10:49:18
Encryption key: 27BF BB40 70FC 6351 189E 79FE 04FD F78D 1679
DD94
  created : 2016-12-17 10:49:18
Authentication key: [none]
General key info..: pub rsa4096/BEF6EFD38FE8DCA0 2016-12-17 Felix E.
Klee 
sec> rsa4096/BEF6EFD38FE8DCA0 created: 2016-12-17 expires:
2020-11-10 card-no: 0005 64D5
ssb> rsa4096/04FDF78D1679DD94 created: 2016-12-17 expires:
2020-11-10 card-no: 0005 64D5
[felix@felix-arch ~]$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

As you can see, I can connect to it as root but not as regular user.
Sometimes connection as regular user works, sometimes not. Sometimes I
just have to wait for a while, can be minutes, and then it works.

I also tried killing root’s gpg-agent, to avoid conflicts with that of
the user, but that didn’t help either.

Furthermore, even if udev doesn’t trigger, I should have rw access to
the device file (it’s an SPR332, not sure why it says SPR532):

[felix@felix-arch ~]$ lsusb | grep SPR532
Bus 002 Device 006: ID 04e6:e003 SCM Microsystems, Inc. SPR532
    PinPad SmartCard Reader
[felix@felix-arch ~]$ ls -l /dev/bus/usb/002/006
crw-rw 1 root scard 189, 133 Aug  5 12:02 /dev/bus/usb/002/006
[felix@felix-arch ~]$ groups
scanner saned uucp optical lp audio wheel felix scard plugdev
[felix@felix-arch ~]$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

Why does it work as root but not as regular user?

Any suggestion for a fix, even if crude, is welcome!

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

YubiKey/OpenPGP card connection issues for non-root user

[Felix E. Klee]

Recently I set up a YubiKey 5C NFC, and when I connect it to my Linux
system (running in VMware under Windows), it sometimes takes minutes to
be able to use. I.e. it can take forever until I get a successful
response from:

gpg --card-status

OTOH I can immediately get a response when I run the above command as
root. Now I notice that the occasional connection issues I have with the
OpenPGP card in my SCM SPR332 are similar. Furthermore, it happens that
the YubiKey or the card reader suddenly disappear for the ordinary user,
although that is rare.

I have set up udev rules for both. But it seems that sometimes they
don't trigger, or only with a long delay.

[felix@felix-arch ~]$ cd /etc/udev/rules.d/
[felix@felix-arch rules.d]$ cat 70-yubikey.rules
# YubiKey Support
#

ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050",
ENV{ID_MODEL_ID}=="0404", MODE="660", GROUP="scard"
[felix@felix-arch rules.d]$ cat 71-gnupg-ccid.rules # GPG SmartCard
Reader Support
#

ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="04e6",
ENV{ID_MODEL_ID}=="e003", MODE="660", GROUP="scard"

Even without udev rules, I think I should have access to the devices,
because I'm in group `scard`:

[felix@felix-arch ~]$ ls /dev/bus/usb/002/011
/dev/bus/usb/002/011
[felix@felix-arch ~]$ ls -l /dev/bus/usb/002/011
crw-rw 1 root scard 189, 138 Aug  3 14:56 /dev/bus/usb/002/011
[felix@felix-arch ~]$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
[felix@felix-arch ~]$ groups
scanner saned uucp optical lp audio wheel felix scard plugdev
[felix@felix-arch ~]$ lsusb
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 004: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
Bus 003 Device 003: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
Bus 003 Device 002: ID 0e0f:0003 VMware, Inc. Virtual Mouse
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 002: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
Bus 002 Device 011: ID 1050:0404 Yubico.com Yubikey 4/5 CCID
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

How do I fix that?

I am happy to substitute the udev rules with a timer, or to call some
command to give permissions every time I want to use the YubiKey or the
OpenPGP card. I just would like the whole process to be more reliable.
Currently, it’s extremely frustrating.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Use multi-usage key in authentication slot on HW-key for encryption

[Felix Mayr via Gnupg-users]

If your Yubikey supports PIV then you can store more keys with PIV. 
You need

GnuPG 2.3 for full multi-card and multi-card-app (e.g. OpenPGP _and_ PIV)
support.
That sounds great! Is there any documentation on how to use both the PGP 
and PIV-card simultaneously?


So, it looks like it picks up both automatically and it works seamlessly 
- only thing missing now is how to push EEC-P 384 keys onto the device 
(so that I can keep a backup, sadly only 2048bit RSA and ECC-P 384 is 
supported in the PIV-slots). Still looks very nice for now. I hope the 
next email will be signed ;)!


Regards

Felix

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Use multi-usage key in authentication slot on HW-key for encryption

[Felix Mayr via Gnupg-users]

The OpenPGP card standard offers three slots. Each slot is single usage. The
key in the first slot is used for signing (data and keys) exclusively, the key
in the second slot is used for encryption exclusively, and the key in the
third slot is used for authentication (i.e. with ssh) exclusively.

Well, and I reckon this is relatively hardcoded into GnuPG?


If your Yubikey supports PIV then you can store more keys with PIV. You need
GnuPG 2.3 for full multi-card and multi-card-app (e.g. OpenPGP _and_ PIV)
support.
That sounds great! Is there any documentation on how to use both the PGP 
and PIV-card simultaneously?


Regards,

Felix

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: --export-filter not working

[Felix Mayr via Gnupg-users]

Thanks Ingo,

I'll do that (or setup the GPG-code myself to hunt for the bug if 
holidays permit).


Regards,

Felix

Am 15.04.22 um 16:29 schrieb Ingo Klöcker:

On Donnerstag, 14. April 2022 23:27:21 CEST Felix Mayr via Gnupg-users wrote:

Hello all,

so I try to create a file with my public keys and want to exclude some
authorization keys. `--export-filter` should do the job if I understand
correctly, but it doesn't work. (platform: Fedora 35/gpg 2.3.4)

Just using the command here to try filter out encryption-keys doesn't
produce anything usable:
https://dev.gnupg.org/rG86b64876bef0d8c4be8e309fcf3e2ce21e65a947

Notably, importing the resulting file on another machine, there are no
subkeys at all (gpg --list-keys)!

Am I doing/understanding something wrong?


I have added some debug output. It seems that the result for the usage
property is always an empty string. I guess either the above commit never
worked (but the committer surely tested this) or it was broken by a later
commit. In any case, it's a bug. Please submit a bug report.

Regards,
Ingo


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users


--
Felix Mayr, M.Sc.
research assistant

Technical University of Munich
Department of Electrical and Computer Engineering
Simulation of Nanosystems for Energy Conversion

Arcisstraße 21
80333 Munich, Germany

email: felix.m...@tum.de
phone: +49-89-289-26933

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Use multi-usage key in authentication slot on HW-key for encryption

[Felix Mayr via Gnupg-users]

So, I decided to use a Yubikey to store my GPG-subkeys. Using the 
smartcard functionality I can store 3 different subkeys and so thought 
that I could actually store some multi-usage key 
(authentication/encryption) there so I can have per-key-encryption for 
private-data (notably passwords with pass). However, while I can use the 
main encrpytion key in "slot 2" just fine, I can't decrypt with the 
"multi"-purpose key stored in the yubikey anymore (yes, I'm using 
--try-all-secrets).


Is this a limitation of the smartcard standard or just an opioniated 
choice in GPG or am I doing something wrong? If it's not possible with 
the smartcard: can I use the PIV-mode of the yubikey for that purpose?



Regards,

Felix

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

--export-filter not working

[Felix Mayr via Gnupg-users]

Hello all,

so I try to create a file with my public keys and want to exclude some 
authorization keys. `--export-filter` should do the job if I understand 
correctly, but it doesn't work. (platform: Fedora 35/gpg 2.3.4)


Just using the command here to try filter out encryption-keys doesn't 
produce anything usable: 
https://dev.gnupg.org/rG86b64876bef0d8c4be8e309fcf3e2ce21e65a947


Notably, importing the resulting file on another machine, there are no 
subkeys at all (gpg --list-keys)!


Am I doing/understanding something wrong?


Best wishes

Felix

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: YubiKey 5C NFC not detected

[Felix E. Klee]

Werner Koch via Gnupg-users  writes:
> scdaemon does not see any reader.  That might simply due to another
> process which uses the reader (the yubikey tools).

None the wiser:

$ cat ~/.gnupg/scdaemon.conf
debug cardio
verbose
log-file /tmp/scd.log
pcsc-shared
$ gpgconf --kill gpg-agent
$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
$ cat /tmp/*.log
2022-01-30 20:50:40 scdaemon[416012] listening on socket 
'/run/user/1000/gnupg/S.scdaemon'
2022-01-30 20:50:40 scdaemon[416012] handler for fd -1 started
2022-01-30 20:50:40 scdaemon[416012] ccid open error: skip
2022-01-30 20:50:40 scdaemon[416012] pcsc_list_readers failed: no readers 
available (0x8010002e)

>> gpg (GnuPG) 2.2.32
>
> Note that there is a bug in the reader-port implementation of 2.2.33;
> you better wait for 2.2.34 instead of updating to 2.2.33.

Good to know.  Will keep an eye on it.  Even if 2.2 doesn’t work with
that YubiKey, it does work just fine with the OpenPGP smart card in my
[SPR232 mod][1].  So I don’t want to loose access there.

[1]: https://github.com/feklee/0.332


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: YubiKey 5C NFC not detected

[Felix E. Klee]

Ingo Klöcker  writes:
> $ echo scd getinfo reader_list | gpg-connect-agent --decode

$ ykman config usb -l
OTP
FIDO U2F
FIDO2
OATH
PIV
OpenPGP
YubiHSM Auth
$ gpgconf --kill gpg-agent
$ echo scd getinfo reader_list | gpg-connect-agent --decode
OK

:(


> If scdaemon doesn't see your reader then it's probably not (yet)
> supported by GnuPG's CCID driver. Then you could try to use pcsc by
> adding the option disable-ccid to your scdaemon.conf.

$ echo disable-ccid >~/.gnupg/scdaemon.conf
$ gpgconf --kill gpg-agent
$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

:(

> You could also try GnuPG 2.3.4.

Think I’ll wait until it’s in Arch.  At the moment:

$ gpg --version
gpg (GnuPG) 2.2.32


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: YubiKey 5C NFC not detected

[Felix E. Klee]

Ingo Klöcker  writes:
> Are you sure "Yubico Yubi" is the correct value for the reader-port
> option?

It’s what is suggested in the official [Troubleshooting Issues with
GPG][1].  They also suggest:

Yubico Yubikey

That doesn’t work either.  As I realized before, their guides are not up
to date.  [Elsewhere][2] I found that one can scan for devices:

$ gpgconf --kill gpg-agent
$ ykman config usb -l
OTP
FIDO U2F
FIDO2
OATH
PIV
OpenPGP
YubiHSM Auth
$ pcsc_scan -n
Using reader plug'n play mechanism
Scanning present readers...
Waiting for the first reader... |

That just hangs, same when prefixed with `sudo`.

> Did you try without specifying this option?

Yes. 

$ rm .gnupg/scdaemon.conf
$ gpgconf --kill gpg-agent
$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

By the way, to make `ykman` see the key, I had to add a udev rule:

$ cat /etc/udev/rules.d/10-security-key.rules
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0666", GROUP="users", 
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407"

Any idea what else I can try?

[1]:
https://support.yubico.com/hc/en-us/articles/360013714479-Troubleshooting-Issues-with-GPG
[2]: https://blog.programster.org/yubikey-link-with-gpg


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

YubiKey 5C NFC not detected

[Felix E. Klee]

I would like to set up a YubiKey 5C NFC for SSH, but it doesn’t get
detected by GnuPG:

$ ykman config usb -l
OTP
FIDO U2F
FIDO2
OATH
PIV
OpenPGP
YubiHSM Auth
$ cat .gnupg/scdaemon.conf
reader-port Yubico Yubi
$ gpgconf --kill gpg-agent
$ ps x | grep scdaemon
  33408 ?SLl0:00 scdaemon --multi-server
  49465 pts/2S+ 0:00 grep scdaemon
$ /usr/lib/gnupg/scdaemon --version
scdaemon (GnuPG) 2.2.32
libgcrypt 1.9.4-unknown
libksba 1.6.0
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
$ gpg --verbose --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

What can I do?


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Limit access to unlocked OpenPGP SmartCard?

[Felix E. Klee]

Well, I think I could extend my SPR332 [mod][1]:

  * Add a push-button that one has to press to close the C7 circuit for
I/O.  Without that button pressed, the smart card cannot communicate
with the reader.  That means, for every operation, one would need to
hold that button, kind of – but not as elegantly – as with a
YubiKey.

  * Using some electronics detect when the green PIN pad ✓-button is
pressed to confirm PIN entry on the reader.  Let it trigger a timer
that cuts I/O for good after a few minutes.

Very likely there are some issues that I don’t see at the moment.

[1]: https://github.com/feklee/0.332


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Limit access to unlocked OpenPGP SmartCard?

[Felix E. Klee]

Jacob Bachmeyer via Gnupg-users  writes:
>> After I unlock an OpenPGP SmartCard V2.1 in my SPR332 [mod][1], […]
>
> Does your smartcard reader have its own keypad for entering the PIN?

yes


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Limit access to unlocked OpenPGP SmartCard?

[Felix E. Klee]

On Thu, 27 Jan 2022 at 14:54, Matthias Apitz  wrote:
> gpgconf --reload scdaemon

Gotta try that, maybe execute it with a timer, better than nothing.

Best would be if the card itself could be configured to only do a
certain number of operations after being unlocked. I think everything
else is pretty much unsafe as well.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Limit access to unlocked OpenPGP SmartCard?

[Felix E. Klee]

After I unlock an OpenPGP SmartCard V2.1 in my SPR332 [mod][1], I can
use it to decrypt as many files as I want.  While this is convenient, it
is not great if the system is compromised and I forget to unplug the
card reader.

Is there any way to limit how long the OpenPGP SmartCard remains
unlocked?

[1]: https://github.com/feklee/0.332


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Decrypting fails unless card status

[Felix E. Klee]

On Tue, 15 Dec 2020 at 19:45, MFPA
<2017-r3sgs86x8e-lists-gro...@riseup.net> wrote:
> Is that a consequence of using a card?

No. I do have an accessible private key, but it’s more than 9,000 km
away, and traveling is not so easy these days.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Decrypting fails unless card status

[Felix E. Klee]

Since some time, maybe since a minor system update, before decrypting
from my OpenPGP smart card, I always have to run:

gpg --card-status

Otherwise, I get an error message:

$ gpg --faked-system-time 20200101T00 -d world.gpg
gpg: WARNING: running with faked system time: 2020-01-01 00:00:00
gpg: encrypted with 4096-bit RSA key, ID 04FDF78D1679DD94, created
2016-12-17
  "Felix E. Klee "
gpg: public key decryption failed: Invalid ID
gpg: decryption failed: No secret key

Note that I have to run with faked system time since I cannot extend the
validity of my key. Anyhow, even without faking the time, I get the
error message.

*Any idea how to get `gpg` back to normal?*

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: In case you use OpenPGP on a smartphone ...

[Felix Winterhalter]

That's a good article and I think it makes a lot of sense in the
context. I still think PGP is valid for sending encrypted emails if you
exchange public keys beforehand (as he also states he still uses it in
that manner). The web of trust also never did anything for me sadly.

On 12/08/2020 20:29, Ryan McGinnis via Gnupg-users wrote:
> The reasons to abandon PGP for secure communications have been
> accepted in the security community for years.  Here’s one security
> researcher explaining why (there are many others out there with
> similar sentiments): 
>
> https://arstechnica.com/information-technology/2016/12/op-ed-im-giving-up-on-pgp/
>
> -Ryan McGinnis
> http://www.bigstormpicture.com
> PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
>
>
> Sent from ProtonMail Mobile
>
>
> On Wed, Aug 12, 2020 at 13:07, Felix  <mailto:fe...@audiofair.de>> wrote:
>>
>> I'm not sure that there are solutions orders of magnitude more secure
>> that are available readily.
>>
>> Also people tend to get emails on the go as well that might be
>> encrypted. It's convenient to decrypt emails on a smartphone and not
>> really that insecure if you're using an external device for actual
>> keystorage (such as a Yubikey).
>>
>> I don't actually see what's so silly about the whole thing.
>>
>> On 2020-08-12 18:57, Ryan McGinnis via Gnupg-users wrote:
>>> Well yes I realize that it exists, what I'm saying is why would anyone
>>> use it for secure communications on a smartphone when there are
>>> solutions orders of magnitude more secure and simple to use.  It'd be
>>> like buying a helicopter but deciding you'd still fly only 2 feet off
>>> the ground and stick to paved roads. 
>>>
>>>
>>>
>>> On 8/12/20 11:46 AM, Stefan Claas wrote:
>>>> Ryan McGinnis via Gnupg-users wrote:
>>>>
>>>>> I guess the real question is: what are people using PGP for on mobile
>>>>> devices?  If it's for communication, that's silly.  There are at least a
>>>>> half dozen far, far, far better ways to securely communicate on a
>>>>> smartphone. 
>>>> Well, it is listed by the OpenPGP experts:
>>>>
>>>> https://www.openpgp.org/software/openkeychain/
>>>>
>>>> Regards
>>>> Stefan
>>>>
>>>> --
>>>> my 'hidden' service gopherhole:
>>>> gopher://iria2xobffovwr6h.onion
>>>
>>> ___
>>> Gnupg-users mailing list
>>> Gnupg-users@gnupg.org
>>> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: In case you use OpenPGP on a smartphone ...

[Felix]

I'm not sure that there are solutions orders of magnitude more secure
that are available readily.

Also people tend to get emails on the go as well that might be
encrypted. It's convenient to decrypt emails on a smartphone and not
really that insecure if you're using an external device for actual
keystorage (such as a Yubikey).

I don't actually see what's so silly about the whole thing.

On 2020-08-12 18:57, Ryan McGinnis via Gnupg-users wrote:
> Well yes I realize that it exists, what I'm saying is why would anyone
> use it for secure communications on a smartphone when there are
> solutions orders of magnitude more secure and simple to use.  It'd be
> like buying a helicopter but deciding you'd still fly only 2 feet off
> the ground and stick to paved roads. 
>
>
>
> On 8/12/20 11:46 AM, Stefan Claas wrote:
>> Ryan McGinnis via Gnupg-users wrote:
>>
>>> I guess the real question is: what are people using PGP for on mobile
>>> devices?  If it's for communication, that's silly.  There are at least a
>>> half dozen far, far, far better ways to securely communicate on a
>>> smartphone. 
>> Well, it is listed by the OpenPGP experts:
>>
>> https://www.openpgp.org/software/openkeychain/
>>
>> Regards
>> Stefan
>>
>> --
>> my 'hidden' service gopherhole:
>> gopher://iria2xobffovwr6h.onion
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: In case you use OpenPGP on a smartphone ...

[Felix]

Just adding my 2 cents to this discussion.

I think it doesn't matter what sort of spyware potentially exists
somewhere out there for some phone, what matters is whether it is on
your phone.

This isn't really about the security of OpenPGP either but about a
fundamental trust in the things we use both hardware and software.

I can recommend this video from 36C3 that talks about hardware security
(spoilers: its absolutely non trivial and nigh impossible to verify):

https://www.youtube.com/watch?v=Hzb37RyagCQ

It's also about threat models that you as the user of software (that you
trust does its job correctly) are trying to protect against.

If an attacker having root access to your device is part of a threat you
want to defend against your only choice is to use a (hopefully) known
good device that performs the encryption/decryption for you.

If you are only interested in end to end encryption where the message
might be intercepted in transit or verification of signatures then
OpenPGP does its job pretty damn well still.

There is not a single encryption algorithm that can't be defeated by
simply having full access to the device it is running on.

Now we can talk about mitigations that exist for the threat model where
the device you are using to read/send messages is compromised and I
think the recommendations in this thread are pretty sound.

I personally have been using OpenKeychain and a Yubikey via NFC. That
means that while any message that I have decrypted might be compromised
the keys used to decrypt are still secure (under the assumption that
Yubikeys are as secure as advertised, see the video above).

For me this is secure enough. For you it might not be.

I think that in general users of software should be aware that the
environment their software is running in is a threat vector, if you do
not trust it or you only trust it so far then only keep information you
can afford to get compromised in it.

If you are a person under close government watch, live in an
authoritarian regime or are a dissident I would of course recommend to
use an airgapped device.

If you are working for a company with important trade secrets you
hopefully don't have access to those on your phone anyway.

If you are a normal person not defending against any sort of advanced
persistent threat I think a smartphone still offers decent (enough)
security in day to day use for non-sensitive information.

And then there is of course still:

https://xkcd.com/538/

In the end it all comes down to: How much effort is the attacker going
to spend on you?

That determines how much effort you need to spend to protect yourself
against them.






___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Backup of Keys

[Felix Finch]

On 20200524, Mark wrote:

I think that could be addressed if all those files and directories are
stored within an encrypted archive (whatever your favorite is)


Yes, but then that needs a passphrase, and so on.  I'm trying to cut back on 
how many I have to remember.

--
   ... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
Felix Finch: scarecrow repairman & wood chipper / fe...@crowfix.com
 GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Backup of Keys

[Felix Finch]

On 20200524, Peter Lebbing wrote:

Hi,

On 24/05/2020 16:05, Felix Finch wrote:

Out of curiosity ... how safe are these files as is, assuming the
private key file has a good strong passphrase?


The safety of the private key purely depends on the strength of the
passphrase. Note that backups will have the passphrase that was set when
the backup was _made_. Changing the passphrase on your computer will not
change the passphrase in any older backups.

But there is more data in your GnuPG homedir that is not encrypted but
is privacy-sensitive. If you ever assign someone ownertrust, that will
be reflected there. It indicates how much you trust people to correctly
verify other people's identities and how well you trust them to keep
their private key private. Your brother-in-law might be offended by you
assigning him "NEVER TRUST", and your partner might not appreciate you
apparently having somewhat recently assigned positive trust to that ex
you swore you never saw anymore.

And then there is the history data for TOFU, which exposes some data
about when you verified signatures by other people or when you encrypted
something to someone. This data is there to help you analyse
trustworthiness about the third party in question when so prompted, but
it is also communication metadata about you.

These pieces of data might not exist for your particular configuration,
but they can exist.


How hard is it to crack a good passphrase?


I think the definition of a good passphrase is that it is infeasible to
crack it. That makes it circular reasoning.

A well-executed "Correct Horse Battery Staple" passphrase or a long
enough diceware passphrase cannot be cracked. The problem is determining
whether you did it right or are misunderstanding some vital detail of
creating a good passphrase.

For instance, actually choosing "Correct Horse Battery Staple" is about
the worst thing you can do... :-)


Yes, it does.  My passphrase is about ten words which only make sense to me, 
not even to people who know me, are not grammatically correct, etc.

--
   ... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
Felix Finch: scarecrow repairman & wood chipper / fe...@crowfix.com
 GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Backup of Keys

[Felix Finch]

On 20200524, Damien Goutte-Gattat via Gnupg-users wrote:

On Sat, May 23, 2020 at 09:35:54PM -0700, Mark wrote:
I'm trying to figure out which files I need to backup to safeguard 
my keys.


Everything that needs to be saved is in GnuPG’s home directory, which 
on Windows should be `C:\Documents and Settings\\Application 
Data\gnupg`. In that folder you should save:


* the private keys (in the `private-keys-v1.d` subfolder;
* the public keys (the `pubring.kbx` file);
* the trust data (the `trustdb.gpg` file, plus the `tofu.db` file of 
you are using the TOFU trust model);

* any configuration file (`*.conf`);
* if you are using GpgSM, the `policies.txt` and `trustlist.txt` files.


Out of curiosity ... how safe are these files as is, assuming the private key file has a 
good strong passphrase?  If they are backed up on a USB stick which gets lost and found 
by someone else, or stolen, how much damage can be done?  How hard is it to crack a good 
passphrase?  I realize that's kind of a loose question, and "strong passphrase" 
doesn't help.

--
   ... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
Felix Finch: scarecrow repairman & wood chipper / fe...@crowfix.com
 GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Passphrase window freezes my DE's panel - is this a bug?

[Felix Finch]

On 20200426, Scott C Jacobs via Gnupg-users wrote:

The problem is, that even if I have a terminal window open into which I wanted 
to type xwininfo and xprop,
once the passphrase window appears, I cannot use the terminal or anything else 
- the passphrase window allows
nothing to happen until I enter the passphrase and click OK or click on cancel. 
 Then I could use the terminal and
type those commands, but the passphrase window I wished to query is gone after 
OK or cancel...


FWIW, when I plug in a USB encrypted backup drive, it has a popup passphrase 
window which also locks out all other windows.  I show my passphrase and use 
CTRL-SHIFT-C to copy it before plugging in the drive, then use CTRL-SHIFT-V to 
paste it into the popup window.  I suppose this is not as secure as it should 
be, but it's good enough for me.

--
   ... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
Felix Finch: scarecrow repairman & wood chipper / fe...@crowfix.com
 GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: 0.332

[Felix E. Klee]

On Mon, Feb 11, 2019 at 12:17 PM Gerd v. Egidy
 wrote:
> How does it compare size-wise to the cyberJack one from Reiner SCT?

  * cyberJack RFID standard:

62 x 95 x 13 mm

  * 0.332 enclosure:

69 × 111 × 13 mm

It could be fun to replace the pin pad by a smaller one and create a
custom board. IOW it could be fun to create an open source card reader!

> That is the one I use for size-constrained use cases.

Did that in the past too. However, the “cyberJack RFID standard” needs
dedicated drivers while the Reiner SCT directly interfaces with
GnuPG. In particular with Termux on my rooted Android phone, I did not
get the cyberJack to work.

> I think having a slot for a regular card is an advantage as you can
> easily take the card out, carry it with you in your wallet and use it
> on other systems too.

I understand, but that’s not my use-case. If someone wants to give it a
go, it should not be too hard to modify the current design. You can
start from the STL files if you don’t have Rhino3D (proprietary).

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

0.332

[Felix E. Klee]

FYI:

https://github.com/feklee/0.332

This is a mod of the SCM SPR332 v2 smart card reader, making it
smaller and lighter. For quite a while I have regularly been using it
with my phone:

https://gist.github.com/feklee/92f76d2c8a7cabc477360d82b5305c19

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Chance to get --with-agent-s2k-calibration=MSEC into stable branch?

[Felix A. Kater]

Hi,

in the master branch there is the commit

https://dev.gnupg.org/rG926d07c5fa05de05caef3a72b6fe156606ac0549

from September 2017 for configure.ac that allows to circumvent a
huge performance regression with gnupg v2 keys in some contexts.

This commit is not in stable though.

I am not familiar with the process how commits get selected for
inclusion into the stable branch.  Is there a chance that it will
make it into gnupg stable anytime soon?

Thanks
 Felix

To recall: This issue applies to contexts like gnupg being called
internally by postgresql where there is no agent, so the security
calibration / delay of 100 MESC is applied to every single
decryption call.  Refer to my original posting and the explanation
by Werner Koch, proposing to reduce MSEC at compile time:

https://lists.gnupg.org/pipermail/gnupg-users/2018-September/060999.html



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Performance regression for gnupg v2 keys

[Felix A. Kater]

Hi,

I permit myself to sum up the open questions:

> that value can be changed at build time using the configure option
> --with-agent-s2k-calibration=MSEC but not at run time.  

That option doesn't seem to be present in gnupg configure.ac...?


> When you change the passphrase of an old key the first time or
> when you import it to gpg the key is re-encrypted so that it takes
> that long.

With the above build-time setting applied, do all previously
generated (slow) keys have to be recreated or is this delay gone
with a newly compiled agent/gnupg library?

Thanks
Felix

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Performance regression for gnupg v2 keys

[Felix A. Kater]

wk:

> We try to achieve that this decryption process takes about 100ms;

Oh, I see...

> When you change the passphrase of an old key the first time or
> when you import it to gpg the key is re-encrypted so that it takes
> that long.

So, the trigger for this delay is then inherent to the re-encrypted
key itself, not primarily dependent on the agent or gnupg library
configuration, correct?

I am asking this detail because

- I need to move the keys to another machine, into a postgresql
  database where gnupg seems to be part of postgresql itself
  (pgcrypto) and cannot be hand-configured easily, and

- I'd like to know if I have to re-create all existing (slow) keys
  after applying --with-agent-s2k-calibration=MSEC to gnupg (on the
  machine where the keys are generated).

Please confirm.


> It seems that you are doing a lot of operations with that key in a row.
> gpg-agent's cache will cache the unprotected key so that the 100ms to
> unprotect the key is only spend once during the caching time to live (10
> minutes by default).  Make sure tha the cache is enabled by checking the
> options --max-cache-ttl and default-cache-ttl.  Depending on your use
> case you may want to work without a passphrase (key protection) at all.

Indeed: We do many decryptions, let me explain in short:

It is postgresql that receives passphrase protected gpg keys
(pgcrypto). Otherwise it couldn't execute SQL queries on encrypted
data. So, I am forced to move the whole decryption work to
postgresql instead of dealing with decryption after the query using
(a clean version of) gnupg. I don't know about postgresql's
internals but it doesn't seem to even run an agent... And just as an
example: A query using gnupg 1.x keys that completes within 3 sec
takes 40 sec with 2.x keys.


> that value can be changed at build time using the configure option
> --with-agent-s2k-calibration=MSEC but not at run time.  

This sounds like a suitable solution.  I've seen that option here
[1] but it is missing in official gnupg.  What do you recommend?

Felix

[1] https://dev.gnupg.org/source/gnupg/browse/master/configure.ac


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Decryption timing calibration

[Felix Finch]

On Thu, Sep 20, 2018 at 04:24:01PM +0200, Werner Koch wrote:
> We try to achieve that this decryption process takes about 100ms

That is fascinating -- I did not know that decryption was calibrated
to take a certain amount of time.  Very interesting.  I hope I haven't
misunderstood.

How much variation is there for a given calibration -- how do you
create generic canned packages for wide distribution?  Gentoo compiles
everything and could easily calibrate itself; RedHat, Debian, and most
others distribute binaries and can't.  I'd think that could lead to a
pretty wide range of decrypt times.

-- 
... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
     Felix Finch: scarecrow repairman & wood chipper / fe...@crowfix.com
  GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Performance regression for gnupg v2 keys

[Felix A. Kater]

fkater:

> Hi,
> 
> I have older keys and newer keys that behave quite different in the
> decryption performance.
> 
> Old keys: Generated with gnupg-1.4.x, rsa2048, at 2017-01-10.
> New keys: Generated with gnupg-2.2.8, rsa2048, some weeks ago.
> 
> I've always been using the defaults for generating the keys (no
> --full-gen-key, no --expert).
> 
> Test case: Unfortunatelly a bit complicated. It is postgresql's
> pg_pub_decrypt() that performs approx. 10x slower when the keys,
> generated by gnupg and being passed to postgresql as a binary
> string, are generated with gnupg-2.2.8. Postgresql is using gnupg
> internally.
> 
> My questions here:
> 
> (1)
> If the issue is caused by the keys: Do I have the chance to compare
> old/new key internals?  I've diff'ed the output of gpg -ivv ... of
> both keys and AFAIK only the default digest algo has changed from
> SHA1 to SHA256. Not sure here though.
> 
> (2)
> What would be a suitable test case with gpg only, without postgresql.


A little update:

When I change the passphrase of an existing 1.x generated key with
gpg 1.4.x, the key stays ok (fast).

When I change the passphrase of an existing 1.x generated key with
gpg 2.2.8, the key gets somehow updated (slow).

So, besides fast/slow:

What's the difference between default (rsa 2048) keys generated with
1.x and 2.x?

Felix


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Performance regression for gnupg v2 keys

[Felix A. Kater]

Hi,

I have older keys and newer keys that behave quite different in the
decryption performance.

Old keys: Generated with gnupg-1.4.x, rsa2048, at 2017-01-10.
New keys: Generated with gnupg-2.2.8, rsa2048, some weeks ago.

I've always been using the defaults for generating the keys (no
--full-gen-key, no --expert).

Test case: Unfortunatelly a bit complicated. It is postgresql's
pg_pub_decrypt() that performs approx. 10x slower when the keys,
generated by gnupg and being passed to postgresql as a binary
string, are generated with gnupg-2.2.8. Postgresql is using gnupg
internally.

My questions here:

(1)
If the issue is caused by the keys: Do I have the chance to compare
old/new key internals?  I've diff'ed the output of gpg -ivv ... of
both keys and AFAIK only the default digest algo has changed from
SHA1 to SHA256. Not sure here though.

(2)
What would be a suitable test case with gpg only, without postgresql.

Thanks


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Washington State Electronic Notary Public endorsements

[Felix Finch]

On Mon, Sep 17, 2018 at 11:53:02AM -0700, C.J. Collier wrote:
> This all seemed to me to be something that GnuPG is designed to do and does
> quite well.  So I sent an email on Friday night to the sender of the letter
> requesting specific issues that my provider did not comply with.  This
> morning I received a call from the DoL, and was able to successfully argue
> for GnuPG's qualification as an electronic records notary public technology
> provider for the State of Washington.
> 
> In short, GnuPG can now be used to perform notarial acts
> <http://app.leg.wa.gov/RCW/default.aspx?cite=42.45.140> in the State of
> Washington!

Well done!  Any idea how applicable your experience will be in other states?

-- 
... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
 Felix Finch: scarecrow repairman & wood chipper / fe...@crowfix.com
  GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot decrypt file encrypted with enQsig

[Felix E. Klee]

On Wed, Aug 15, 2018 at 12:13 PM, Peter Lebbing
 wrote:
>> So, perhaps enQsig is using 3DES.
>
> Good find! This sounds plausible.

Created a custom key pair not on a smart card, just for this single
transaction. Result:

>gpg --verbose --decrypt encrypted.asc | head
gpg: armor header: Version: enQsig
gpg: public key is FDE5C6E97DA42AE8
gpg: public key is 92663E7CA68E4EC6
gpg: public key is 9D8C454A43A6D2DE
gpg: encrypted with RSA key, ID 9D8C454A43A6D2DE
gpg: encrypted with RSA key, ID 92663E7CA68E4EC6
gpg: encrypted with 4096-bit RSA key, ID FDE5C6E97DA42AE8, created
2018-09-06
  "Felix E. Klee "
gpg: 3DES encrypted data
gpg: Note: sender requested "for-your-eyes-only"

So yes, 3DES!

Fortunately, as can be seen above, with the custom key I was able to
decrypt the message.

Issue solved.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Communication with card reader encrypted?

[Felix E. Klee]

Thanks for clarification!

On Mon, Aug 27, 2018 at 11:51 AM, Werner Koch  wrote:
> The connection between the card reader and the host is not encrypted
> because that would require a key setup first and that would also be
> subject to key logging.

The host could provide a public encryption key to the card reader. Of
course:

  * With a tampered USB cable, there still would be attacks possible,
though different ones. That is, unless the reader can know the
identify of the host, which would again require a priori exchange,
so nothing gained.

  * This is very likely not part of the existing API (PC/SC?).

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Communication with card reader encrypted?

[Felix E. Klee]

On Sun, Aug 26, 2018 at 10:41 AM, Peter Lebbing
 wrote:
> The OpenPGP smartcard and generic smartcard protocols do define
> "Secure Messaging", but I don't think this is commonly used for cabled
> OpenPGP smartcards.

Would be interesting to find out.

> I think you'll need to trust the cable anyway,

Well, if the cable is soldered to the reader, then it’s much harder to
tamper with. Swapping a replaceable cable requires much less effort.

Concerning key loggers for comparison: It is possible that the [attack
at TAZ][1] would not have happened had the attacker to tamper with the
victim’s keyboards, their computers, or their software.

I would not be surprised if you can find USB cables on Alibaba that
include sniffers and multiple GBs of flash memory for logging
everything, for debugging of course. ;)

[1]: http://www.taz.de/!5307828/

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Communication with card reader encrypted?

[Felix E. Klee]

On Sun, Aug 26, 2018 at 12:31 AM, Dirk Gottschalk
 wrote:
> This is a really interesting question. But, does this really matter
> got an USB device? If there is a program on your computer, which
> interceps the communication, the security of you system is already
> broken.

I am more thinking about a hardware attack. If the communication is not
encrypted, this opens another attack vector. For comparison, think about
[key loggers][1]. Putting a hardware logger somewhere between the USB
peripheral device and the computer is potentially easier and quicker
than tampering with either the peripheral device or the computer.

Background: I want to put my SCM SPR332 v2 card reader into a different
enclosure, so that it’s more portable for [use with my mobile phone][2].
The very long cable also needs to be replaced. One option is to add a
USB port to the reader so that arbitrary cables can be used. This
thought coincided with me reading about [doctored USB cables][3]. I
don’t want to be required to trust three devices: phone, reader, and now
cable

[1]: http://www.taz.de/!5307828/
[2]: https://gist.github.com/feklee/92f76d2c8a7cabc477360d82b5305c19
[3]: 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Communication with card reader encrypted?

[Felix E. Klee]

When I decrypt a file using an OpenPGP card, is the communication
between a USB card reader and the GnuPG daemon encrypted? Or: Is the
decrypted session key sent unencrypted through the cable?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Android/Termux: How to build gpg-agent without maintainer mode?

[Felix E. Klee]

On 8/22/18, Dirk Gottschalk 
wrote:
> This depends on the source of your source version. If it is from a
> release tarball, this shouldn't bother you.
>
> I only get this warning if I have compiled from the GIT repository.

Uh oh, I didn’t check out a release! Changed the [build
instructions][1] now to also include:

$ git checkout gnupg-2.2.9 # matches GnuPG in Termux

Thanks for pointing me in the right direction!

> I don't know if it is possible to compile only the agent.

Doesn’t really matter anyhow. The compile process on my phone is quite
fast, profiting from the multi core architecture.

[1]: https://gist.github.com/feklee/92f76d2c8a7cabc477360d82b5305c19

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Android/Termux: How to build gpg-agent without maintainer mode?

[Felix E. Klee]

On Wed, Aug 22, 2018 at 1:08 PM, Dirk Gottschalk
 wrote:
> There's nothing what should "bug" you.

Well if I call `g10/gpg` in the build, I get a big fat warning:

gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!

*Shouldn’t that bug me?*

That being said:

  * The `agent/gpg-agent` does not output the warning.

  * As said in my original post, I am only interested in the agent. It
is compatible with the `gpg` provided with Termux.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Android/Termux: How to build gpg-agent without maintainer mode?

[Felix E. Klee]

I managed to get `gpg-agent` run with USB smart card support under
Android/Termux:

https://gist.github.com/feklee/92f76d2c8a7cabc477360d82b5305c19

What bugs me is that I had to compile in maintainer mode: Now I get
warnings that the software should not used be used with production keys.

Maintainer mode is in fact suggested by `autogen.sh`:

$ git clone git://git.gnupg.org/gnupg.git
[…]
$ cd gnupg
$ export C_INCLUDE_PATH=$PREFIX/include/:$PREFIX/include/libusb-1.0/
:$PREFIX/include/libandroid-support
$ ./autogen.sh
[…]
autogen.sh: You may now run:
  ./configure --sysconfdir=/etc --enable-maintainer-mode  && make

If I try without maintainer mode, then I get:

$ ./configure
[output attached]
$ make
make  all-recursive
make[1]: Entering directory '/data/data/com.termux/files/home/src/g/
gnupg'
Making all in m4
make[2]: Entering directory '/data/data/com.termux/files/home/src/g/
gnupg/m4'
make[2]: Nothing to be done for 'all'.
make[2]: Leaving directory '/data/data/com.termux/files/home/src/g/
gnupg/m4'
Making all in common
make[2]: Entering directory '/data/data/com.termux/files/home/src/g/
gnupg/common'
make[2]: *** No rule to make target 'audit-events.h', needed by 'all
'.  Stop.
make[2]: Leaving directory '/data/data/com.termux/files/home/src/g/g
nupg/common'
make[1]: *** [Makefile:613: all-recursive] Error 1
make[1]: Leaving directory '/data/data/com.termux/files/home/src/g/g
nupg'
make: *** [Makefile:533: all] Error 2

*How do I build `gpg-agent` without maintainer mode?*

Note that I only need the agent, so I could probably speed up compile
time by quite a lot if disable the other tools in `./configure`. But
that’s not a priority now.


configure_output
Description: Binary data
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot decrypt file encrypted with enQsig

[Felix E. Klee]

On Wed, Aug 15, 2018 at 12:13 PM, Peter Lebbing
 wrote:
> Here's the catch: unless you have an on-disk copy of your private
> encryption key, you can't. [if enQsig uses 3DES]

I do have a backup of the private key, but it’s 1. out of reach at the
moment and 2. it’s a pain to restore. So far, I’m still optimistic that
the sender will eventually provide me with a message that I can decrypt.

Thanks a lot for your explanations!

PS: I’m toying with the idea of switching from my smart card to a Trezor
hardware token. This would mean generating an entirely new key (only
256 bit ECC supported). OTOH there are several advantages such as the
Trezor being a well documented open source device, and – of course – its
size with integrated key pad solution. It also depends on whether I can
get either a smart card reader or the Trezor to work with
Termux/Android.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot decrypt file encrypted with enQsig

[Felix E. Klee]

*Update:* Yesterday, I was reading the [GnuPG wiki page on
SmartCards][1] due to another issue. At its bottom I found listed as
known bug:

  * Encrypted message with 3DES can't be decrypted with OpenPGP Card
(V2.1, V3.3 without fix)

  - Due to the bug, it results: Missing item in object 

  - See: https://dev.gnupg.org/T3576

Well, indeed if I encrypt a message with 3DES, I cannot decrypt it with
my SmartCard:

$ echo "Hello, world!" >foo
$ gpg -e -r felix.k...@inka.de --personal-cipher-preference 3DES foo
$ gpg -d --debug=crypto foo.gpg
[…]
gpg: encrypted with 4096-bit RSA key, ID 04FDF78D1679DD94, created 2
016-12-17
      "Felix E. Klee "
gpg: public key decryption failed: Missing item in object
gpg: decryption failed: No secret key
gpg: secmem usage: 0/32768 bytes in 0 blocks
$ gpg --version
gpg (GnuPG) 2.2.9
libgcrypt 1.8.3
[…]

“Missing item in object” is the same message that I get when trying to
decrypt the enQsig encrypted message! So, perhaps enQsig is using 3DES.
*How do I find that out?*

Also, I don’t understand: I was assuming that all the card does is
decrypt my session key using my private 4096 bit RSA key. *If the
session key is a 3DES key, why should the card care?*

[1]: https://wiki.gnupg.org/SmartCard

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot decrypt file encrypted with enQsig

[Felix E. Klee]

On Thu, Aug 2, 2018 at 2:14 PM, Peter Lebbing 
wrote:
> So I think it's a safe bet they also screwed up the PKESK packet for
> your subkey, and the error is indeed related to it not representing a
> valid session key.

As I would like to understand things a bit better, do you think it is
possible to get some more details? In particular:

  * Is the encrypted packet in a bad format?

  * Does the 4096 bit RSA decryption fail?

  * Or: Is the decrypted packet in a bad format?

Again, the output by `pgpdump` for the packet associated with my
encryption key 04FDF78D1679DD94:

$ pgpdump 02-001.pk_enc
New: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes)
New version(3)
Key ID - 0x04FDF78D1679DD94
Pub alg - RSA Encrypt or Sign(pub 1)
RSA m^e mod n(4095 bits) - ...
-> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1
block type 02

For comparison, the output for a packet encrypted with GnuPG:

$ gpg --version
gpg (GnuPG) 2.2.9
libgcrypt 1.8.3
[…]
$ gpg --recv BEF6EFD38FE8DCA0
$ echo "Hello world!" >test
$ gpg -e -r BEF6EFD38FE8DCA0 test
$ gpgsplit test.gpg
$ ls -1
01-001.pk_enc
02-018.encrypted_mdc
test
test.gpg
$ pgpdump 01-001.pk_enc
Old: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes)
New version(3)
Key ID - 0x04FDF78D1679DD94
Pub alg - RSA Encrypt or Sign(pub 1)
RSA m^e mod n(4095 bits) - ...
-> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1
block type 02

The only difference: `Old` vs. `New` – Could this be an issue?

PS: Had to think a bit that PKESK = “Public-Key Encrypted Session Key”.
The crypto world seems to love acronyms. ;) (which does not make things
easier for us users)

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot decrypt file encrypted with enQsig

[Felix E. Klee]

Hi Dirk,

thanks for all your suggestions!

If I can, I want to avoid creating another key. I prefer getting the
issue resolved and have bugs reported/fixed along the way. I had it once
before that I could not decrypt a document encrypted by a big German
company with my private key. These enterprise “solutions” seem to have
issues.

On Mon, Jul 30, 2018 at 5:14 PM, Dirk Gottschalk via Gnupg-users
 wrote:
> The last packet mentions your signature key as used for encryption,
> this is an error for sure.

I now removed my signature key BEF6EFD38FE8DCA0 from the encrypted
message:

$ gpg --dearmor encrypted.asc
$ gpgsplit encrypted.asc.gpg
$ ls -1
01-001.pk_enc
02-001.pk_enc
03-001.pk_enc
04-001.pk_enc
05-018.encrypted_mdc
encrypted.asc
encrypted.asc.gpg
$ pgpdump 01-001.pk_enc
New: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes)
New version(3)
Key ID - 0xBEF6EFD38FE8DCA0
Pub alg - RSA Encrypt or Sign(pub 1)
RSA m^e mod n(4096 bits) - ...
-> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1
block type 02
$ pgpdump 02-001.pk_enc
New: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes)
New version(3)
Key ID - 0x04FDF78D1679DD94
Pub alg - RSA Encrypt or Sign(pub 1)
RSA m^e mod n(4095 bits) - ...
-> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1
block type 02
$ pgpdump 03-001.pk_enc
New: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes)
New version(3)
Key ID - 0x92663E7CA68E4EC6
Pub alg - RSA Encrypt or Sign(pub 1)
RSA m^e mod n(4096 bits) - ...
-> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1
block type 02
$ pgpdump 04-001.pk_enc
New: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes)
New version(3)
Key ID - 0x9D8C454A43A6D2DE
Pub alg - RSA Encrypt or Sign(pub 1)
RSA m^e mod n(4094 bits) - ...
-> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1
block type 02
$ pgpdump 05-018.encrypted_mdc
New: Symmetrically Encrypted and MDC Packet(tag 18)(1718 bytes)
Ver 1
(plain text + MDC SHA1(20 bytes))
$ cat 02-001.pk_enc 03-001.pk_enc 04-001.pk_enc \
05-018.encrypted_mdc >new.gpg

Decryption still fails:

$ gpg -d new.gpg
gpg: encrypted with RSA key, ID 9D8C454A43A6D2DE
gpg: encrypted with RSA key, ID 92663E7CA68E4EC6
gpg: encrypted with 4096-bit RSA key, ID 04FDF78D1679DD94, created
2016-12-17
  "Felix E. Klee "
gpg: public key decryption failed: Missing item in object
gpg: decryption failed: No secret key
$ gpg --list-packets new.gpg
gpg: encrypted with RSA key, ID 9D8C454A43A6D2DE
gpg: encrypted with RSA key, ID 92663E7CA68E4EC6
gpg: encrypted with 4096-bit RSA key, ID 04FDF78D1679DD94, created
2016-12-17
  "Felix E. Klee "
gpg: public key decryption failed: Missing item in object
gpg: decryption failed: No secret key
# off=0 ctb=c1 tag=1 hlen=3 plen=524 new-ctb
:pubkey enc packet: version 3, algo 1, keyid 04FDF78D1679DD94
data: [4095 bits]
# off=527 ctb=c1 tag=1 hlen=3 plen=524 new-ctb
:pubkey enc packet: version 3, algo 1, keyid 92663E7CA68E4EC6
data: [4096 bits]
# off=1054 ctb=c1 tag=1 hlen=3 plen=524 new-ctb
:pubkey enc packet: version 3, algo 1, keyid 9D8C454A43A6D2DE
data: [4094 bits]
# off=1581 ctb=d2 tag=18 hlen=3 plen=1718 new-ctb
:encrypted data packet:
length: 1718
mdc_method: 2

As before, the reason given for “public key decryption failed” depends
on the card reader used:

  * SCM SPR332 v2: “Missing item in object”

  * Cherry ST-2000: “Invalid value”

  * REINER SCT cyberJack: “Missing item in object”

It seems like the card reader cannot decrypt the session key. *Is that correct?*

I also tried removing all keys except for my encryption key
04FDF78D1679DD94. This does not make a difference, i.e. encryption fails
as above.

/ Felix

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot decrypt file encrypted with enQsig

[Felix E. Klee]

On Mon, Jul 30, 2018 at 12:40 PM, Felix E. Klee 
wrote:
> “Invalid value”

Same on Linux BTW (with the Cherry ST-2000).

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot decrypt file encrypted with enQsig

[Felix E. Klee]

Now I tried a different card reader (after restarting Windows 7x64).
This time it’s a Cherry ST-2000. Previously it was a ReinerSCT
cyberJack.

With the Cherry I get a different error message! This time it’s “Invalid
value” instead of “Invalid ID”!

*What does that mean?*

>gpg --list-packets encrypted.asc
# off=0 ctb=c1 tag=1 hlen=3 plen=524 new-ctb
:pubkey enc packet: version 3, algo 1, keyid BEF6EFD38FE8DCA0
data: [4096 bits]
# off=527 ctb=c1 tag=1 hlen=3 plen=524 new-ctb
:pubkey enc packet: version 3, algo 1, keyid 04FDF78D1679DD94
data: [4095 bits]
# off=1054 ctb=c1 tag=1 hlen=3 plen=524 new-ctb
:pubkey enc packet: version 3, algo 1, keyid 92663E7CA68E4EC6
data: [4096 bits]
# off=1581 ctb=c1 tag=1 hlen=3 plen=524 new-ctb
:pubkey enc packet: version 3, algo 1, keyid 9D8C454A43A6D2DE
data: [4094 bits]
gpg: encrypted with RSA key, ID 9D8C454A43A6D2DE
gpg: encrypted with RSA key, ID 92663E7CA68E4EC6
gpg: encrypted with 4096-bit RSA key, ID 04FDF78D1679DD94, created 2
016-12-17
  "Felix E. Klee "
gpg: public key decryption failed: Invalid value
gpg: encrypted with 4096-bit RSA key, ID BEF6EFD38FE8DCA0, created 2
016-12-17
      "Felix E. Klee "
gpg: public key decryption failed: Invalid ID
gpg: decryption failed: No secret key
# off=2108 ctb=d2 tag=18 hlen=3 plen=1718 new-ctb
:encrypted data packet:
length: 1718
mdc_method: 2

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot decrypt file encrypted with enQsig

[Felix E. Klee]

Zum Vergleich eine Datei, die ich selbst für mich verschlüsselt habe,
und die ich erfolgreich entschlüsseln kann:

>gpg --list-packets foo.gpg
gpg: encrypted with 4096-bit RSA key, ID 04FDF78D1679DD94, created 2
016-12-17
  "Felix E. Klee "
# off=0 ctb=85 tag=1 hlen=3 plen=524
:pubkey enc packet: version 3, algo 1, keyid 04FDF78D1679DD94
data: [4094 bits]
# off=527 ctb=d2 tag=18 hlen=2 plen=76 new-ctb
:encrypted data packet:
length: 76
mdc_method: 2
# off=548 ctb=a3 tag=8 hlen=1 plen=0 indeterminate
:compressed packet: algo=2
# off=550 ctb=cb tag=11 hlen=2 plen=23 new-ctb
:literal data packet:
mode b (62), created 1532945681, name="",
raw data: 17 bytes

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot decrypt file encrypted with enQsig

[Felix E. Klee]

On Sun, Jul 29, 2018 at 11:37 PM, Dirk Gottschalk via Gnupg-users
 wrote:
>> My encryption key is the sub key 04FDF78D1679DD94. The private key is
>> on a smart card. […]
>
> Does this key work as expected in other programs, MUAs for example?

I use it daily for encryption/decryption of documents, though only with
GnuPG.

> I didn't test it mysqlf, but exporting a only a sub key should be no
> problem.

*But how?*

Your suggestion doesn’t seem to work:

>gpg --export 04FDF78D1679DD94 | gpg --keyid-format long
gpg: WARNING: no command supplied.  Trying to guess what you mean ..
.
pub   rsa4096/BEF6EFD38FE8DCA0 2016-12-17 [SC] [expires: 2018-12-17]
  5EF8B6017F668171259945D6BEF6EFD38FE8DCA0
uid   Felix E. Klee 
sub   rsa4096/04FDF78D1679DD94 2016-12-17 [E] [expires: 2018-12-17]

> Could you provide an example file with this error, in best case
> generated from the Sender?

I can ask him of course. First I would like to see, though, if GnuPG can
tell us what’s the problem.

> Have you tried to inspect the packets in the file with
> "--list-packets"?

Here you go (again my encryption key is `04FDF78D1679DD94`):

>gpg --list-packets encrypted.asc
# off=0 ctb=c1 tag=1 hlen=3 plen=524 new-ctb
:pubkey enc packet: version 3, algo 1, keyid BEF6EFD38FE8DCA0
data: [4096 bits]
# off=527 ctb=c1 tag=1 hlen=3 plen=524 new-ctb
:pubkey enc packet: version 3, algo 1, keyid 04FDF78D1679DD94
data: [4095 bits]
# off=1054 ctb=c1 tag=1 hlen=3 plen=524 new-ctb
:pubkey enc packet: version 3, algo 1, keyid 92663E7CA68E4EC6
data: [4096 bits]
# off=1581 ctb=c1 tag=1 hlen=3 plen=524 new-ctb
:pubkey enc packet: version 3, algo 1, keyid 9D8C454A43A6D2DE
data: [4094 bits]
gpg: encrypted with RSA key, ID 9D8C454A43A6D2DE
gpg: encrypted with RSA key, ID 92663E7CA68E4EC6
gpg: encrypted with 4096-bit RSA key, ID 04FDF78D1679DD94, created 2
016-12-17
  "Felix E. Klee "
gpg: public key decryption failed: Missing item in object
gpg: encrypted with 4096-bit RSA key, ID BEF6EFD38FE8DCA0, created 2
016-12-17
  "Felix E. Klee "
gpg: public key decryption failed: Invalid ID
gpg: decryption failed: No secret key
# off=2108 ctb=d2 tag=18 hlen=3 plen=1718 new-ctb
:encrypted data packet:
length: 1718
mdc_method: 2

I wonder what “Missing item in object” means.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Cannot decrypt file encrypted with enQsig

[Felix E. Klee]

To receive a document in encrypted form, I provided my public key to the
sender. See attachment. The key contains a sub key for encryption:

sec  rsa4096/BEF6EFD38FE8DCA0
 created: 2016-12-17  expires: 2018-12-17  usage: SC
 card-no: 0005 4980
 trust: ultimate  validity: ultimate
ssb  rsa4096/04FDF78D1679DD94
 created: 2016-12-17  expires: 2018-12-17  usage: E
 card-no: 0005 4980
[ultimate] (1). Felix E. Klee 

The sender then prepared the encrypted file using a software called
enQsig: “wir verwenden eine zentrale Gateway Verschlüsselungslösung
(EnQsig).” (German)

After I received `encrypted.asc` from the sender, I tried to decrypt it,
to no avail:

C:\Users\Felix\Desktop>gpg -v -d encrypted.asc
gpg: armor header: Version: enQsig
gpg: public key is BEF6EFD38FE8DCA0
gpg: no running gpg-agent - starting 'C:\Program Files (x86)\Gpg4win
\..\GnuPG\bin\gpg-agent.exe'
gpg: waiting for the agent to come up ... (5s)
gpg: waiting for the agent to come up ... (4s)
gpg: connection to agent established
gpg: pinentry launched (9620 qt 1.1.1-beta5 - - -)
gpg: public key is 04FDF78D1679DD94
gpg: using subkey 04FDF78D1679DD94 instead of primary key BEF6EFD38F
E8DCA0
gpg: pinentry launched (4608 qt 1.1.1-beta5 - - -)
gpg: public key is 92663E7CA68E4EC6
gpg: public key is 9D8C454A43A6D2DE
gpg: encrypted with RSA key, ID 9D8C454A43A6D2DE
gpg: encrypted with RSA key, ID 92663E7CA68E4EC6
gpg: using subkey 04FDF78D1679DD94 instead of primary key BEF6EFD38F
E8DCA0
gpg: encrypted with 4096-bit RSA key, ID 04FDF78D1679DD94, created 2
016-12-17
  "Felix E. Klee "
gpg: public key decryption failed: Missing item in object
gpg: encrypted with 4096-bit RSA key, ID BEF6EFD38FE8DCA0, created 2
016-12-17
      "Felix E. Klee "
gpg: public key decryption failed: Invalid ID
gpg: decryption failed: No secret key

>From what I can tell, the file has been encrypted with four keys. My
encryption key is the sub key 04FDF78D1679DD94. The private key is on a
smart card. As you can see, decryption fails with an error message:
“gpg: public key decryption failed: Missing item in object”

*What does the error message mean? Why does encryption fail?*

I wonder if perhaps enQsig cannot properly deal with encryption sub keys:

*Would it be possible to extract the public encryption sub key?* (to
only provide that to the sender)

I am using Gpg4win 3.1.2 on Windows 7x64. If more information is needed,
then I am happy to provide it!


5EF8B6017F668171259945D6BEF6EFD38FE8DCA0.asc
Description: Binary data
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Empty keyring after upgrade to Ubuntu 18.04 :/

[felix]

I ran into a similar problem a few months ago, upgrading from a much older 
gentoo system with 1.something.  I don't know what specific action fixed it, 
but after a couple of cycles of restoring the original and trying different 
commands, it suuddenly migrated correctly.  Memory says the first couple of 
attempts, I tried to do something which would have to do the migration first, 
and it worked when I restored the original and did just the migration by 
itself.  But I didn't take enough notes to figure it out after it started 
working.

-- 
... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
 Felix Finch: scarecrow repairman & wood chipper / fe...@crowfix.com
  GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Upgrading 2.0.20 to 2.2.24 -- WORKING NOW

[felix]

Well I'll be that crazy monkey's crazy uncle!

I started from scratch -- copied the 2.0.20 .gnupg dir to the 2.2.24 machine,
and imported the secret key as the very first operation:

$ gpg --import <182E8151.exported
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/home/felix/.gnupg/secring.gpg' to gpg-agent
gpg: key 783876E9182E8151: secret key imported
gpg: key 44752F7C4D3D351A: secret key imported
gpg: migration succeeded
gpg: key 783876E9182E8151: "Felix Finch (Scarecrow Repairman)
" not changed
gpg: key 783876E9182E8151: secret key imported
gpg: Total number processed: 1
gpg:  unchanged: 1
gpg:   secret keys read: 1
gpg:  secret keys unchanged: 1
$ gpg --list-secret-keys
    /home/felix/.gnupg/pubring.gpg
--
sec   dsa1024 1999-12-06 [SCA]
  E9874493C860246C3B1E6477783876E9182E8151
uid   [ultimate] Felix Finch (Scarecrow Repairman) 

ssb   elg2048 1999-12-06 [E]

sec   dsa1024 1999-12-06 [SCA]
  7689998F39D1EA2F37AECF5844752F7C4D3D351A
uid   [ unknown] Felix Finch (Remote Access) 

ssb   elg1024 1999-12-06 [E]

Of course this confused me, why would it matter that I imported and migrated
together?  So I started from scratch again with just --list-secret-keys, no
import, and it worked too.

I can only guess that the original copy of .gnupg was not copied correctly, or
got corrupted somehow.

And thanks to everyone who had the patience to deal with my problem.

-- 
... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
 Felix Finch: scarecrow repairman & wood chipper / fe...@crowfix.com
  GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Upgrading 2.0.20 to 2.2.24

[felix]

On Mon, Jun 18, 2018 at 08:36:38AM +0200, Werner Koch wrote:
> On Mon, 18 Jun 2018 07:44, skqu...@rushpost.com said:
> 
> > The format secret keys are stored in changed between 2.0.x and 2.1.x. It
> > is possible that 2.2.x no longer has the code in it to migrate to the
> 
> 2.2 still has the migration code.  However, once a migration is done it
> will not be done again.  Thus adding a new key with an old version of gpg
> at least the secret key won't show up in a newer gpg version.
> 
> > new format, in which case you might need to import secring.gpg manually
> > and set the trust to ultimate manually as well.
> 
> Right.  The official way to do this is to run 
>   gpg --export-secret-key KEYID >FILE
> using the old version of gpg and then to run
>   gpg --import  using the new version of gpg.  It is also possible to delete the file
> ~/.gnupg/.gpg-v21-migrated so that a migration will be triggered again.

I tried both these steps, and neither changed anything.  Import said it
imported, but I have a saved copy of .gnupg, and there was no difference after
the import.  The re-migration recreated the .gpg-v21-migrated file, but also
made no difference.  Still can't see the secret keys or decrypt anything.

-- 
    ... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
 Felix Finch: scarecrow repairman & wood chipper / fe...@crowfix.com
  GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Upgrading 2.0.20 to 2.2.24

[felix]

On Mon, Jun 18, 2018 at 03:19:53PM +0200, Kristian Fiskerstrand wrote:
> On 06/18/2018 03:06 PM, fe...@crowfix.com wrote:
> > Says it imported the secret keys, but doesn't show them.
> 
> Any chance they are expired? Try playing with --list-options, in
> particular the show-unusable-* variants
> 
> Are they listed with --list-keys ?

>From the 2.0.20 machiine:

  $ gpg --list-secret-keys
  /home/felix/.gnupg/secring.gpg
  --
  sec   1024D/182E8151 1999-12-06
  uid  Felix Finch (Scarecrow Repairman) 
  ssb   2048g/A3362105 1999-12-06

  sec   1024D/4D3D351A 1999-12-06
  uid  Felix Finch (Remote Access) 
  ssb   1024g/C2422DAD 1999-12-06

  $ gpg --list-keys
  /home/felix/.gnupg/pubring.gpg
  --
  pub   1024D/182E8151 1999-12-06
  uid  Felix Finch (Scarecrow Repairman) 
  sub   2048g/A3362105 1999-12-06

  pub   1024D/4D3D351A 1999-12-06
  uid  Felix Finch (Remote Access) 
  sub   1024g/C2422DAD 1999-12-06

  $ ls -al .gnupg
  total 38
  drwx--  4 felix users  360 Jun 18 05:48 .
  drwx-- 68 felix users 5744 Jun 18 00:00 ..
  -r  1 felix users   42 Sep  3  2008 gpg-agent.conf
  -r  1 felix users   51 Sep  3  2008 .gpg-agent-info
  -r  1 felix users 2844 Nov 26  2004 options
  drwx--  2 felix users   48 Jun  7  2007 private-keys-v1.d
  -rw---  1 felix users 2088 Jun  7  2012 pubring.gpg
  -rw---  1 felix users 2072 Dec  5  1999 pubring.gpg~
  -rw---  1 felix users  600 Jun 17 15:08 random_seed
  drwx--  2 felix users  152 Sep  3  2008 RCS
  -rw---  1 felix users 2836 Dec  5  1999 secring.gpg
  -rw---  1 felix users 1280 Jun  7  2012 trustdb.gpg
  $

>From the 2.2.24 machine:

  $ gpg --list-secret-keys
  $ gpg --list-keys
  /home/felix/.gnupg/pubring.kbx
  --
  pub   dsa1024 1999-12-06 [SCA]
E9874493C860246C3B1E6477783876E9182E8151
    uid   [ unknown] Felix Finch (Scarecrow Repairman) 

sub   elg2048 1999-12-06 [E]

  pub   dsa1024 1999-12-06 [SCA]
7689998F39D1EA2F37AECF5844752F7C4D3D351A
    uid   [ unknown] Felix Finch (Remote Access) 

sub   elg1024 1999-12-06 [E]

  $ ls -al .gnupg
  total 192
  drwx--  4 felix felix  4096 Jun 18 05:52 .
  drwx-- 75 felix felix 32768 Jun 17 12:37 ..
  -r  1 felix felix42 Sep  3  2008 gpg-agent.conf
  -r  1 felix felix51 Sep  3  2008 .gpg-agent-info
  -rw---  1 felix felix 0 Jun 18 05:52 .gpg-v21-migrated
  -r  1 felix felix  2844 Nov 26  2004 options
  drwx--  2 felix felix  4096 Oct 22  2017 private-keys-v1.d
  -rw---  1 root  root  12226 Oct 22  2017 pubring.gpg
  -rw---  1 root  root  12226 Oct 22  2017 pubring.gpg~
  -rw---  1 felix felix  2484 Jun 17 13:44 pubring.kbx
  -rw---  1 felix felix  1385 Jun 17 13:44 pubring.kbx~
  -rw---  1 felix felix   600 Jun 17 15:17 random_seed
  drwx--  2 felix felix  4096 Sep  3  2008 RCS
  -rw---  1 felix felix  2836 Dec  5  1999 secring.gpg
  -rw---  1 felix felix  1280 Jun 17 14:54 trustdb.gpg
  $ 

-- 
... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
 Felix Finch: scarecrow repairman & wood chipper / fe...@crowfix.com
  GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Upgrading 2.0.20 to 2.2.24

[felix]

On Mon, Jun 18, 2018 at 08:36:38AM +0200, Werner Koch wrote:
> On Mon, 18 Jun 2018 07:44, skqu...@rushpost.com said:
> 
> > The format secret keys are stored in changed between 2.0.x and 2.1.x. It
> > is possible that 2.2.x no longer has the code in it to migrate to the
> 
> 2.2 still has the migration code.  However, once a migration is done it
> will not be done again.  Thus adding a new key with an old version of gpg
> at least the secret key won't show up in a newer gpg version.
> 
> > new format, in which case you might need to import secring.gpg manually
> > and set the trust to ultimate manually as well.
> 
> Right.  The official way to do this is to run 
>   gpg --export-secret-key KEYID >FILE
> using the old version of gpg and then to run
>   gpg --import  using the new version of gpg.  It is also possible to delete the file
> ~/.gnupg/.gpg-v21-migrated so that a migration will be triggered again.

Thanks -- but that didn't do the trick.

  $ gpg --list-secret-keys
  gpg: starting migration from earlier GnuPG versions
  gpg: porting secret keys from '/home/felix/.gnupg/secring.gpg' to gpg-agent
  gpg: key 783876E9182E8151: secret key imported
  gpg: key 44752F7C4D3D351A: secret key imported
  gpg: migration succeeded
  $ gpg --list-secret-keys
  $ 

Says it imported the secret keys, but doesn't show them.  Don't think it's
permissions; the only read-only files are options, gpg-agent.conf, and
.gpg-agent-info.  Killed gpg-agent; it restarted fine, but gpg still doesn't
show the secret keys.

I'll have to try the export-import angle later; the old machine is old enough
that physically copying files requires some legwork.

-- 
    ... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
 Felix Finch: scarecrow repairman & wood chipper / fe...@crowfix.com
  GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Upgrading 2.0.20 to 2.2.24

[felix]

I have a seldom-used need to encrypt a few files, and the last time I did was 
on a gentoo system running 2.0.20.

gpg -e dest -r fe...@crowfix.com

I have migrated the .gnupg dir to an Ubuntu 18.04 system running 2.2.24, and 
the gpg command seems to have mutated.  The gentoo 2.0.20 command can decrypt 
what the Ubuntu 2.2.24 command encrypts.  But the Ubuntu 2.2.24 command will 
not decrypt either what it just encrypted or what the gentoo 2.0.20 command 
encrypted:

gpg: encrypted with 2048-bit ELG key, ID 18DCDD20A3362105, created 
-mm-dd
  "Felix Finch (Scarecrow Repairman) "
gpg: decryption failed: No secret key

The enceyption command also seems pickier:

gpg: 18DCDD20A3362105: There is no assurance this key belongs to the named 
user
sub  elg2048/18DCDD20A3362105 1999-12-06 Felix Finch (Scarecrow Repairman) 

 Primary key fingerprint: E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151
   Subkey fingerprint: 1A59 C8A1 81FB 6780 641C  D17E 18DC DD20 A336 
2105

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N)

Can someone offer an explanation so I don't have to dredge through a zillion 
changelogs to see why 2.2.24 is pickier?  What does it mean to say there is no 
secret key?

-- 
... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
 Felix Finch: scarecrow repairman & wood chipper / fe...@crowfix.com
  GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg: [don't know]: 1st length byte missing

[Felix E. Klee]

Thanks, Werner!

No backup, and I think there is no way to recover the password, which
- in this case - is very unfortunate. :( I wonder how this happened.
The drive is a Samsung EVO SSD with NTFS.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg: [don't know]: 1st length byte missing

[Felix E. Klee]

On Sun, Oct 22, 2017 at 12:06 PM,   wrote:
> please list the encrypted text as part of the inline message.

Thanks for pointing that out. Here you go:

-BEGIN PGP ARMORED FILE-
Comment: Use "gpg --dearmor" for unpacking

hQIMAwT9940Wed2UAQ//X3XcOwKvauUCfRI0tqWBrf4CUs/HnzJgaLgL3snxCd0T
cYr78WQvrwUBAJEwvakjuTsrBC7CdxJHWmaEYQZrw8dIAMdxDoKGaWti9S0cGrZD
CjaUjZypCM7bmJViUUmy7nBgrkThQGzS5fqT9EelJ/loJZViIm8kqtV3BGknkyrX
GF92v6CKhh6VDZE4p4trePV46l2Dw4zdB3CPsEc06HREOdGN1RZssMKpQCxnbk44
AskDJS/AOG0xnvgLny96j38xdCz+F9KQ8dA9UZCRau6qTYaOtjvhLIHW1eWjNNtD
Eay54IkFbdF4bReS3fSPp4pv3w2SZLPyX+WX8w5lmRyv7+CsSPzP2spD2KunSsiA
0+1Tw/Lr2Rvwbb+j1cgcr4+IcpPGddn4un+KS42HpxWfZfM7bqoetNO6lL0n2EHI
2W3brKf/9HWeR0vj9LQlDQJGPhejvm6Jgmv/QVYlAEqkkdQurA8UZ3t6v2aQwdgO
smHUfnCVj/CZd3qU5rlvWq2N/vjxIra1VVbFLpC6FU6ISaxBn8D6wBQ4IJmKXTMn
b/hGQtd8paHeUXIyg48f1abGsaa1/bvQ8ReZjVpAkEFCaQeSovf67krSCYNdeJ/+
YY9QHly/kj0JGqcNtFhBEAJxmh05bGkTmYKauiMF4iLa5fQj639oW6TsiXB5wi3S
=UO5M
-END PGP ARMORED FILE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

gpg: [don't know]: 1st length byte missing

[Felix E. Klee]

See the attached file. When I try to decrypt it using `gpg -d`, I get:

gpg: [don't know]: 1st length byte missing

`gpg --version` (on Windows):

gpg (GnuPG) 2.2.1
libgcrypt 1.8.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: C:/Users/Felix/AppData/Roaming/gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

IIRC I haven’t updated gpg since I encrypted the file. So I assume that
the same gpg 2.2.1 has been used for encryption.

The private key is on an OpenPGP smartcard by ZeitControl.

*Any idea how to fix the issue?*


password.gpg
Description: Binary data
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Selecting SSH Key in gpg-agent ssh-agent mode

[Felix Winterhalter]

Hey there fellow gpg-users,

I've been using gpg-agent for a while with my Yubikey and its working 
fine. Asking me the pin once on each plugin and then silently working in 
the background.


For various reasons I also have on-disk ssh-keys with passphrases that I 
added with ssh-add to the gpg-agents keystore.


However on servers where those keys are present gpg-agent will always 
ask me to unlock these keys first even if the Yubikey is already 
unlocked. On declining pinentry it will then continue to use the 
Yubikey's keys.


Is there any setting to reorder the order in which SSH-Keys are tried 
against a server? Or rather is there also a way to specifiy to first try 
unlocked keys?


Cheers,

Felix


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: suspicious key found

[Felix Winterhalter]

There was a proof of concept attack on the fingerprints a couple of 
years ago. The keys were revoked afterwards.


TL;DR short key fingerprints are not secure at all. Also the web of 
trust is your friend here.


Cheers,

Felix


On 16/05/17 15:47, Janne Inkilä wrote:

I made a key search with my name and found something suspicious.

The search:

https://pgp.mit.edu/pks/lookup?search=janne+inkila=index=on 



I have used my old key since 2007. Fingerprint F4DB 40F8 BF22 8B9D 
9B8F  F679 A482 4C9A 033E 22A2. I know this is quite old key and maybe 
I should revoke it.


BUT

I also found another key with fingerprint 87C4 F4C8 16D1 3CC3 03E0 
7977 1A9C 6259 033E 22A2. The key ID is the same 033E 22A2 on both 
keys. There's also signatures in this key. Looks like same persons and 
same key ID's but fingerprints doesn't match. For some reason this key 
has been revoked.


Did someone really generated same looking key? And why? Any ideas? 
Someone tries to capture my emails? I would like to see some sort of 
theory what is going on, thanks :)


Janne Inkilä

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Mail address to account conversion (keybase.io)

[Felix Van der Jeugt]

Excerpts from Andrew Gallagher's message of 2017-01-25 18:10:56 +:
> True, people might try to email you on that ID, but the worst that
> will happen is they get a bounce (and you have other, usable IDs on
> the same pubkey I assume).

I indeed do have those, but I'm not sure keybase will bounce. I tried
mailing myself there earlier (with a third address) and all I got in
return was silence.

> If the ID still "belongs" to you (in some meaningful sense) then
> there's no need to revoke it just because it is unusable for the
> purposes of email. It is merely a convention that IDs correspond to
> email addresses. If your keybase account still exists, has a 1-to-1
> mapping with that ID, and is still under your control, then IMO it's
> legitimate to keep the ID - particularly if it is used as a reference
> point for other things. The presence of an ID on a public key makes no
> claim as to whether the ID is usable for a particular purpose.

Thanks for the opinion, I find myself agreeing. I should probably stop
collecting signs on that uid on keysigning parties, though, I shouldn't
bother people with sending signed keys an unconventional (and manual)
method.

Sincerely,
Felix



signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Mail address to account conversion (keybase.io)

[Felix Van der Jeugt]

Excerpts from Christian Heinrich's message of 2017-01-26 09:19:42 +1100:
> On Thu, Jan 26, 2017 at 1:51 AM, Felix Van der Jeugt
> <felix.vanderje...@gmail.com> wrote:
> > Recently, keybase.io stopped their email forwarding service. Now, my
> > noc...@keybase.io uid can no longer receive email. I'd normally revoke
> > the uid, but my account, keybase.io/noctua, can still receive messages
> > through the website.
> 
> Is this for their private key that keybase.io generates on your behalf
> when you sign up?

No, this is for my own PGP key of which I uploaded the public key to
them. I just added a uid with the keybase email to my key.

Sincerely,
Felix



signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Mail address to account conversion (keybase.io)

[Felix Van der Jeugt]

Dear all,

Recently, keybase.io stopped their email forwarding service. Now, my
noc...@keybase.io uid can no longer receive email. I'd normally revoke
the uid, but my account, keybase.io/noctua, can still receive messages
through the website.

I'm in a dilemma now: should I revoke the uid because the email address
is invalid? It's nice to have a reference to the account in my key,
though.

Any advice on this would be welcome.

Sincerely,
Felix


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Using GPGAgent as SSHAgent on Windows with cygwin/mingw

[Felix Winterhalter]

So I am currently trying to get gpg-agent to play nice with ssh on
Windows. I'm running gpg version 2.1.15.

Using Linux I was able to get everything to run the way I want by adding

enable-ssh-support to the agent config

and setting the environment variable
SSH_AUTH_SOCK to the gpg agents ssh socket.

However on Windows I now get the error:

 ssh-add -L
Error connecting to agent: Bad file descriptor

Same for simple ssh during the public key lookup stage.

I can read the socket file using cat or less however and I get:

52655
▒<D%uI▒sۛdt▒▒

which seems to me to be a process ID + binary data. So the socket
appears to be there and it is recreated when I restart gpg-agent.

So the question is whether this is actually a gpg related bug or has
something to do with how ssh from cygwin works.

I do get the same error using ssh/ssh-add from MinGW though.

If anyone has any idea how to resolve this I'd be glad for some help.

However please don't suggest to simply use putty, I prefer to have a
shared configuration across my Linux and Windows boxes and I do use the
command line ssh utilities a lot for different things on Windows too.

Best regards,
Felix

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg: KEYTOCARD failed: Unusable secret key

[Felix E. Klee]

On Tue, Jul 26, 2016 at 1:22 PM, Andrew Gallagher 
wrote:
> If you want to keep a backup copy on local disk, you need to quit
> *without saving* immediately after running 'keytocard'.

Hitting  to quit did the trick. Now I could copy the key – a new
one – to two cards. Thanks for the suggestion!

Before that I tried re-importing the private key from the `.asc` file,
but it still was not possible to write it to another card. The error
message was the same as before. I don’t understand this: The key is
around, but somehow I cannot use it.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg: KEYTOCARD failed: Unusable secret key

[Felix E. Klee]

On Tue, Jul 26, 2016 at 1:22 PM, Andrew Gallagher <andr...@andrewg.com>
wrote:
> What does it say when you run "gpg --list-secret-keys" on your local
> machine now?

*Without* the smart card reader connected, it says:

# gpg –list-secret-keys
/ramdisk/pubring.kbx

sec>  rsa4096 2016-07-26 [SC] [expires: …]
  AFADB5A…
  Card serial no. = …
uid   [ultimate] Felix …
ssb>  rsa4096 2016-07-26 [E] [expires: …]

Also I can export the private key:

# gpg --armor --export-secret-keys | wc -l
53

So it seems to be still there, no?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

gpg: KEYTOCARD failed: Unusable secret key

[Felix E. Klee]

Successfully moved a key to an [OpenPGP-Card][1]. Now, as backup, I
want to install the key to a second card, but that failed:

# gpg --edit-key $KEY
[...]
gpg> toggle
[...]
ggp> keytocard
Really move the primary key? (y/N) y
[...]
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1

gpg: WARNING: such a key has already been stored on the card!

Replace existing key? (y/N) y
gpg: KEYTOCARD failed: Unusable secret key

Why did it work for the first card but not for the second one?

I assume, although `keytocard` is documented as *moving* the key to the
card, it actually copies it.

[1]: https://g10code.com/p-card.html

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Creating key stubs from smartcard without public key

[Felix Winterhalter]

So I've recently started experimenting with a Yubikey.

I started off by creating an encryption subkey from my master key and 
moving that to the Yubikey.


This worked fine until I moved to a different computer and tried using 
it there.
It didn't automatically recognize the key on the card until I imported 
my publickey as well.


As far as I understand public key encryption regenerating the public key 
should always be possible

using the private key (which should be stored on the card).

My expected result would have been that gpg --card-status reads the card 
and then imports all keys on the card

generating the public key associated on the fly for local use.

The situation gets even more complicated if I want to have an 
authentication subkey on my Yubikey and not have it bound
to any specific master key (and certainly not publish it on any 
keyservers).
How can I export the ssh key (using gpg --export-ssh-key) when trying to 
do so using the key id yields:


gpg2 --export-ssh-key 0x5FECDB8C8311CB07!
gpg: key "0x5FECDB8C8311CB07!" not found: No public key
gpg: export as ssh key failed: No public key

Is there any way those public keys or key stubs can be created from the 
keys stored on the Yubikey or any smartcard itself?


Best regards,
Felix



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to export ASCII armored secret key without passphrase?

[Felix E. Klee]

On Wed, Jan 20, 2016 at 6:13 PM, Peter Lebbing 
wrote:
> $ gpg2 --export-secret-keys | gpg --import

Thanks! On my system, Arch, that’s:

$ gpg --export-secret-keys | gpg1 --import

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

How to export ASCII armored secret key without passphrase?

[Felix E. Klee]

There’s a known issue: 

Is there any workaround? For example, could I export an ASCII armored
key with a passphrase, then decrypt the exported key?

Command that failed without passphrase (the key doesn't have one):

$ gpg --armor --export-secret-keys >key.txt

Affected version of GnuPG is 2.1.10.

With 2.0.19 I did not run into this issue.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

WG: GnuPG 2.1: --auto-key-locate dane

[Felix Seip]

-Ursprüngliche Nachricht-
Von: Felix Seip 
Gesendet: Freitag, 27. November 2015 15:13
An: 'Werner Koch' <w...@gnupg.org>
Betreff: AW: GnuPG 2.1: --auto-key-locate dane

I tried this once again using the Werner Koch's key:
gpg --auto-key-locate dane -v --locate-key w...@gnupg.org

However, I didn't receive the answer that I was expecting. Here is what I got:
gpg: using PGP trust model
gpg: error retrieving 'w...@gnupg.org' via DANE: Not found
gpg: error reading key: Not found

I should have received a fingerprint with the corresponding key.

 I also tried:
gpg --auto-key-locate pka -v --locate-key w...@gnupg.org

The response I received was:
gpg: using PGP trust model
gpg: auto-key-locate found fingerprint 80615870F5BAD690333686D0F2AD85AC1E42B367
gpg: error retrieving 'w...@gnupg.org' via PKA: No public key
gpg: key "w...@gnupg.org" not found: No public key

Best Regards,
Felix Seip


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

GnuPG 2.1: --auto-key-locate dane

[Felix Seip]

Hi,

The past week I have been trying to figure out how to receive a public key from 
a DNS domain through GnuPG 2.1.9. The way I have been attempting to do this is 
by executing:
gpg --auto-key-locate dane -ea -r felixs...@gmx.de<mailto:felixs...@gmx.de>

However, every time I get the following error message:
gpg: error retrieving 'felixs...@gmx.de' via PKA: Unknown IPC command
gpg: felixs...@gmx.de: skipped: Unknown IPC command
gpg: [stdin]: encryption failed: Unknown IPC command

Clearly I am doing something wrong and was wondering if someone could help me 
with this problem.

Thank you in advance,
Felix Seip

Verschlüsseln Sie Ihre E-Mails mit gpg4o für Outlook | Encrypt your email with 
gpg4o
---
Felix Seip
Auszubildender

[cid:image001.jpg@01D12862.B4B67EE0]Giegerich & Partner GmbH
Robert-Bosch-Straße 18 | D-63303 Dreieich
Tel. +49 6103 5881-54 | Fax +49 6103 5881-39
felix.s...@giepa.de<mailto:felix.s...@giepa.de> | 
http://www.giepa.de<http://www.giepa.de/>

Geschäftsführer: Dipl.-Ing. (TU) Hans-Joachim Giegerich
Amtsgericht Offenbach/Main | HRB 33236
---

[cid:image002.jpg@01D12862.B4B67EE0]
---

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users