WKD: how to remove expired key verification
Hello and thanks for these hints.

If using:

    $ gpg -v --auto-key-locate clear,wkd,nodefault --locate-key xy at xyxy.de
    gpg: verwende Vertrauensmodell pgp
    gpg: pub rsa4096/F507E7850xxC 2015-01-05 Vorname Name
    gpg: Schlüssel F507E785xxC: "Vorname Name " nicht geändert
    gpg: pub rsa2048/435F423FxxD4 2013-10-21 Vorname Name
    gpg: Hinweis: Signaturschlüssel 435F423FxxD4 ist am 26.03.2019 12:00:00 Mitteleuropäische Zeit verfallen
    gpg: Schlüssel 435F423FxxD4: "Vorname Name " nicht geändert
    gpg: Anzahl insgesamt bearbeiteter Schlüssel: 2
    gpg: unverändert: 2
    gpg: auto-key-locate found fingerprint DDC9F7A53DAAD53F507E785xxC
    gpg: `xy at xyxy.de' automatisch via WKD geholt
    pub rsa4096 2015-01-05 [C] [verfällt: 2021-12-31]
    DDC9F7A53DAAD53F507E785xxC
    uid[ ultimativ ] Vorname Name
    sub rsa4096 2015-01-05 [A] [verfällt: 2021-12-31]
    sub rsa4096 2015-01-05 [S] [verfällt: 2021-12-31]
    sub rsa4096 2015-01-05 [E] [verfällt: 2021-12-31]

Signature key 435F423FxxD4 expired on 26.03.2019, but is still attached to the published and still valid public WKD key.

It's my own key, the current one and the old expired signature key ;) It was used while changing my own PGP key to a stronger one, for signing it with my old valid key. Now it is no longer needed, the new key has been spread.

How to remove this old and expired signature from my key construct?

Thanks and best regards.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
WKD: how to remove expired key verification
Hello,

a key contains an old, expired verification. If searching this key by WKD, it shows:

    $ gpg --locate-key x...@xyxy.de
    pub rsa2048 2013-10-21 [SCEA] [verfallen: 2019-03-26]
    6EB139DA63B4D15xyxyB970F435Fxy3FB0Dxyxy
    uid[ verfallen ] Pre Name

Valid keys included are not shown.

How to fix this, how to deactivate/remove the expired verification?

Kleopatra screenshot attached too => Key 7217... must be removed.

Thanks for help, best regards!
RE: Question about key verification with GnuPG 2.2.25
Hello,

the --verbose option gave me some more unusual information:

    gpg: Schlüssel 22EEE0488086...F: Ungültige Eigenbeglaubigung für User-ID "[jpeg image of size 7915]"
    gpg: Schlüssel 22EEE0488086...F/CE7911B7FC04...F: Ungültige Unterschlüssel-Anbindung
    gpg: key 41E7044E1DBA...9: number of dropped non-self-signatures: 60
    gpg: Schlüssel 4E2C6E879329...0/7017ADCEF65C...6: Mehrfache Unterschlüssel-Anbindung entfernt
    gpg: Im Unterpaket des Typs 28 ist das "critical bit" gesetzt
    gpg: compacting user ID "" on key 2BAE3CF6DAFF...0: ungültig

Which error causes the following warnings:

    gpg: signature packet: hashed data too long
    gpg: read_block: read error: Ungültiges Paket

Thanks once more, best regards,
Chris

> As usual add --verbose to the gpg invocation. This might give some more
> information.
Question about key verification with GnuPG 2.2.25
Hello,

my attempt to verify all keys with GnuPG-2.2.25 shows this response:

    $ gpg --refresh-keys
    gpg: 59 Schlüssel werden per hkps://hkps.pool.sks-keyservers.net aktualisiert
    gpg: ...
    gpg: signature packet: hashed data too long
    gpg: read_block: read error: Ungültiges Paket
    gpg: Anzahl insgesamt bearbeiteter Schlüssel: 27
    gpg: unverändert: 27

In gpg.conf option charset utf-8 is set only. GnuPG-2.2.25 has been installed as part of Gpg4win-3.1.14.

How to further explore the shown errors:

    gpg: signature packet: hashed data too long
    gpg: read_block: read error: Ungültiges Paket

How to identify / correct affected keys?

Thanks and best regards,
Chris
RE: Thunderbird / Enigmail / Autocrypt
Thanks Werner.

After further investigation about html mailing with Claws Mail:

'Dillo HTML viewer' project has been updated Jun-2015, not available for Windows.
'litehtml' is available for Windows, but latest update is Oct-2015.

In our environment ~ 70% of contacts are using M$ Outlook and its standard html mail functions, so discussions about sense of purpose are mindless, even if a change of security awareness takes place around there...

But you are right, html mail is definitely an annoyance and security risk, but widespread compatibility with several communication partners and their needs is necessary!

Best regards,
Chris

> -Original Message-
> From: Werner Koch
> Sent: Monday, November 23, 2020 1:30 PM
> ...
> Just load one of the HTML viewer plugins. Note that most plugins are
> an integral part of Claws and thus don't run into problems like
> Enigmail with Thunderbird.
Thunderbird / Enigmail / Autocrypt
Claws Mail is a useful alternative, but please be aware it does not support html mail, text only!
https://www.claws-mail.org/manual/de/claws-mail-manual.html#AEN955

Best regards,
Chris

> Date: Sat, 21 Nov 2020 19:02:33 +0100
> From: Werner Koch
> To: Daniel Bossert via Gnupg-users
> Subject: Re: Thunderbird / Enigmail / Autocrypt
> Message-ID: <87sg92lhae@wheatstone.g10code.de>
> Content-Type: text/plain; charset="us-ascii"
> ...
> Checkout Claws-mail which was forked from Sylpheed many years ago. The
> OpenPGP and S/MIME integration of both was initially done by me but many
> others improved it a lot. Claws is like Thunderbird cross-platform.
> The current TB OpenPGP support is pretty basic after they removed
> Enigmail.
> Salam-Shalom,
>    Werner
a new free smime service, but...
So a trustful CA issuing free S/Mime certificates > 3 months and acceptance in major browsers / mail tools is wanted.

Why doesn't Let's Encrypt offer this service?
https://letsencrypt.org/

Why isn't CAcert after years of participation listed as trusted CA in root stores?
http://www.cacert.org/

kind regards
Chris
gpg.conf for use with gpg-1.4x and -2.2x...
Hello,

are there recommendations or samples for common gpg.conf file out there for secure and convenient use with v2.x *and* v1.4?

On my system GPG-2.x (Gpg4win) and GPG-1.4x (GpgRelay) are both used, so compatibility is eligible.

Thx + regards,
Chris
Manipulating primary key and subkeys at once with key *...
Hello,

possibly there is a bug present if manipulating a GnuPG key with subkeys attached!?

Example: We want to expire validity of primary key and all subkeys.

    C:>gpg --edit-key 7BF4
    gpg> expire

This command modifies the date for primary key only, subkeys are NOT affected.

BUT:

    C:>gpg --edit-key 7BF4
    gpg> key *
    gpg> expire

This command only modifies the date for all subkeys, primary key is NOT affected.

In my opinion gpg> key * should select all included key parts, primary key + all subkeys, but it doesn't!?

So is it 'by design' (not logical, why?) or is it a bug in GnuPG-2.2x?
How to select all key parts (sec + ssb + ssb + ssb...)?

Thx + regards,
Chris
WKD auto-key-retrieve method
> -Original Message-
> I think you should add "--sender email at address" option so that your
> signatures have information for WKD auto-key-retrieve method (and also
> for TOFU statistics).
>
> It is probably mail user agent's job to add "--sender" but maybe it is
> also fine to have that in gpg.conf file.

Hello,

how to put "--sender email at address" to gpg.conf file if using several different email addresses from sender?

Is it possible to put "--sender" option to public key itself?

Thanks + regards,
Chris
Exporting/ importing changes expiration date of subkeys...
Hello,

> MFPA
> I see https://www.gpg4win.org/links.htm has a link to gpgrelay.
> Some of the links on that page are marked "outdated", but
> not this one.

Indeed, but better link: https://www.gpg4win.org/links.html ;)

Regards!
Exporting/ importing changes expiration date of subkeys...
Hello,

> well, you said that they imported correctly into other programs, right?
> so maybe the issue is at the intersection of r2mail2 and classic GnuPG.

Yes, same opinion...

> This sounds like a bug in gnupgpack, but i don't see a good way
> to report bugs at the URL above.

In "Impressum" an email address is provided, I did contact Sebastian by myself...
www.rose-indorf.de/gnupgpack/home.html#8

> GPGrelay should really upgrade to the modern GnuPG suite. Maybe as a
> user you can ask the author what's blocking them from upgrading?

Did try it several times, but no response. Development seems to be stopped since 2005...
https://sourceforge.net/projects/gpgrelay/files/

Thx + regards!
Exporting/ importing changes expiration date of subkeys...
Hello,

importing to R2mail2 is working *without* changing expiration dates, if key is exported from GnuPG-2.1.11...

"Converting-way": Export GnuPG-1.4.23(GPGkeys/Win7) > Import GnuPG-2.1.11(Win7) > Export GnuPG-2.1.11(Win7) > Import R2mail2(Android-8.1) > works faultless

>> Exporting (older) RSA keys should be independent from GnuPG version 1.4x
>> or 2.2x, isn't it?

> For each import/export operation you're asking about (both successes and
> failures), could you give the following information clearly:
> * Are you exporting secret keys?
>   or exporting public keys?

RSA-4096 keypair secret + public (1 main key C, 3 subkeys for S/A/E)

> * where were the secret keys originally created? (on what program does
>   the original export happen?)

GPGkeys with GnuPG-1.4.23(Win7)

> * which program is doing the import?

R2mail2(Android-8.1)

> * does the program doing the import modify the OpenPGP certificate in
>   any way?

It seems to modify expiration date...

> it is not normal for the primary key to be marked as
> authentication-capable ("A"). If you have a tool that is doing that,
> please report back what tool that is, on what platform and what version!

Keys with this structure are created with GPGkeys (part of GPGshell for Windows v3.78) and GnuPG-1.4.23, all included in Sebastian's GnuPG-Pack.
http://www.rose-indorf.de/gnupgpack/

Example:

    Geheimer Schlüssel ist vorhanden.
    pub 4096R/C02860E1 erzeugt: 2018-11-13 verfällt: niemals Aufruf: SCA
    Vertrauen: uneingeschränkt Gültigkeit: uneingeschränkt
    sub 4096R/37488B7B erzeugt: 2018-11-13 verfällt: niemals Aufruf: E
    [ uneing.] (1). test
    gpg>

In my lightweight opinion there must be issues while creating (SCA) and exporting (date) those keys with GPGkeys/GnuPG-1.4.23(Win7)!?

Maybe time to change GnuPG setup to newer versions 2.1x or 2.2x... But GPGrelay is needed...

Thanks for help and the constructive hint for exporting with GnuPG-2.x. Pictures will be included in posts in the future :)

Best regards,
Chris
Exporting/ importing changes expiration date of subkeys...
Hello, and thanks for reply!

> the "classic" version of GnuPG (the 1.4.x series) not only does not
> ...
> If you upgrade to the modern version of GnuPG on your windows machine,
> and then try to re-import, i think you'll find the merge issue resolved.

GnuPG 1.4.23 is part of GnuPG-Pack with old but convincing GPGrelay included, which needs older version 1.4x.
http://www.rose-indorf.de/gnupgpack/

Exporting (older) RSA keys should be independent from GnuPG version 1.4x or 2.2x, isn't it?

Importing those keys works faultlessly with:
Flipdog CryptoPlugin/ Android-8.1: https://i.imgur.com/TmR3oiz.png
and OpenKeychain/ Android-8.1 too: https://i.imgur.com/vYa1pUl.png
Expiration dates of key and 3 subkeys are correctly set to 31.12.2019!

Only importing with R2mail2/ Android-8.1 causes the described expiration error.

In my opinion it depends on key structure (1 main key, 3 subkeys for S/A/E)!? If using a 'normal' key with 1 main key S/C/A and 1 subkey for E, importing to R2mail2 works, even if expiration date has been enhanced.

Any hint how to bypass this issue?

Thx + regards.
Exporting/ importing changes expiration date of subkeys...
Hello,

there occurs an issue while exporting/ importing keypair from Windows-7/GPG-1.423 to Android-8.1/R2mail2.

Private/public key contains one main key and three subkeys, all valid til 31.12.2019:

    pub xDDDC C
    sub x5B9E A
    sub x493D S
    sub x2BE6 E

But if exporting and importing whole key, subkey x493D and subkey x2BE6 show a (wrong) validity til 31.12.2017 only... Key xDDDC and subkey x5B9E show correct expiration date 31.12.2019.

Additional hint: Expiration date of all (sub)keys has been extended end of year 2017, two additional years have been added til 31.12.2019. Former expiration date had been 31.12.2017.

*Confused* How to solve this issue?

Please refer to red marked dates!
Export GPG (Windows): https://i.imgur.com/rgw1ZZ9.png
Import R2mail2 (Android): https://i.imgur.com/lAR0vgq.png

Thx + best regards,
Chris
GPG on Android
Hello Juergen,

thanks for kind explanation about MailDroid :)

Does MailDroid support several different mail accounts using GPG and/or S/Mime?

I am using K9-Mail in conjunction with CipherMail for S/Mime, but CipherMail only supports *one* S/Mime account...

Thx and regards!

> --
>
> Message: 5
> Date: Sat, 3 Nov 2018 19:13:52 +0100
> From: Juergen BRUCKNER
> To: gnupg-users@gnupg.org
> Subject: Re: GPG on Android
> Message-ID:
> Content-Type: text/plain; charset="utf-8"
>
> Hello Masha,
>
> as you are new to this whole topic, I guess the easiest way to use
> encrypted mail (either GPG and/or S/MIME) on a Android device would be
> the app "MailDroid".
> It comes in a free version[1] (with advertisings) and in a "pro"
> version[2] (without advertisings) and supports both GPG and S/MIME.
> MailDroid also supports POP and IMAP, and works fine with Googlemail.
>
> You need to install the additional Flipdog CryptoPlugin[3] on your
> device, where you import and manage the keys.
> You have to create the keys for example on a desktop computer and import
> it to your android device and into the CryptoPlugin.
>
> I use MailDroid since several years without any problems, and can fully
> recommend it for beginners.
>
> There is also a app named "K-9 Mail"[4], which supports GPG (but not
> S/MIME). As far I know you also need several additional software for K-9
> Mail.
> In my eyes its not really recommendable for beginners. I tried it years
> ago and found it a bit complicated to use for myself. But thats a
> personal opinion.
>
> The best would be to try both, MailDroid and K-9 Mail and then make your
> personal choice.
> If you need help with MailDroid you can contact me. For K-9 Mail I am
> sure that here are also some people who can help you with it.
>
> best regards
> Juergen
>
> [1] https://play.google.com/store/apps/details?id=com.maildroid
> [2] https://play.google.com/store/apps/details?id=com.maildroid.pro
> [3] https://play.google.com/store/apps/details?id=com.flipdog.crypto.plugin
> [4] https://play.google.com/store/apps/details?id=com.fsck.k9
RE: Extending validity of main- and subkeys in one step possible?
Sorry, it doesn't work for GPG v1.4.22...

Key set is called, then

    gpg> key *

=> Changing date with 'expire' is not working for all (sub)keys.

    gpg> key 1

=> working

Any additional hint?

Thx + regards,
Chris

>> is there any possibility to extend key's validity of *all* keys in a
>> keyset in *one* step?
>
> key *
>
> selects all keys.
Extending validity of main- and subkeys in one step possible?
Hello,

is there any possibility to extend key's validity of *all* keys in a keyset in *one* step? So 2017-12-31 should be changed to 2019-12-31 for all subkeys...

Otherwise it would be necessary to choose every subkey with key 1, key 2 and so on, then 'expire', then passphrase...

--example--

    Geheimer Schlüssel ist vorhanden.
    pub 4096R/7BF4 erzeugt: 2015-01-08 verfällt: 2017-12-31 Aufruf: C
    Vertrauen: uneingeschränkt Gültigkeit: uneingeschränkt
    sub 4096R/13ED erzeugt: 2015-01-08 verfällt: 2017-12-31 Aufruf: A
    sub 4096R/CCFC erzeugt: 2015-01-08 verfällt: 2017-12-31 Aufruf: S
    sub 4096R/EBB9 erzeugt: 2015-01-08 verfällt: 2017-12-31 Aufruf: E
    [ uneing.] (1). xy xz
    Ändern des Verfallsdatums des Hauptschlüssels.
    Bitte wählen Sie, wie lange der Schlüssel gültig bleiben soll.
    0 = Schlüssel verfällt nie
    <n> = Schlüssel verfällt nach n Tagen
    <n>w = Schlüssel verfällt nach n Wochen
    <n>m = Schlüssel verfällt nach n Monaten
    <n>y = Schlüssel verfällt nach n Jahren
    Wie lange bleibt der Schlüssel gültig? (0) 24m

--example-end--

Thx + regards,
Chris
RE: GPGrelay does not recognize Gpg-2.1 keys; Gpg4win-3beta...
Hello,

> Matthias:
> Maybe it will become a bit more complicated if it is necessary to
> keep the keyrings synchronized in both directions. This will happen at
> least if you let GPGRelay "Learn aliases from POP3"

Switch off! ;)

Serious answer:
Latest known version of GPGrelay is 0.962, extracted from Sebastian's GnuPG-Pack:
http://home.arcor.de/rose-indorf/
Sourceforge provides the source code til version 0.959:
https://sourceforge.net/projects/gpgrelay/
There seems to be no further development since 2005/2006, isn't it?

In my opinion it would be very desirable if someone would adapt GPGrelay for interaction with new GPG-2.x key versions. And if touching source code, some minor issues with UTF-8 implementation could be fixed too. Current OpenSSL libraries (e.g. 1.0.2f) are running without any issue with GPGrelay too.

GPGrelay is the only known free proxy/relay program which allows different mail clients connecting with secured gpg encryption (Inline + PGP/Mime). Because of missing a fully functional solution for M$ Outlook it is needed furthermore...

Who knows initial developer andreas john?

Regards,
Chris
RE: GPGrelay does not recognize Gpg-2.1 keys; Gpg4win-3beta...
Wowh, what a comprehensive answer... :) THANKS!

> Furthermore, pipes do generally work on Windows.
> Wouldn't this work?
> gpg2\gpg2.exe --export | gpg14\gpg.exe --import

Similar pipes are working in Windows.

> gpg2\gpg2.exe --export-ownertrust >C:\temp\exported.trust
> gpg2\gpg2.exe --output C:\temp\exported.keys --export
> del %APPDATA%\GNU\GnuPG\pubring.gpg
> gpg14\gpg.exe --import C:\temp\exported.keys
> gpg14\gpg.exe --import-ownertrust C:\temp\exported.trust
> gpg14\gpg.exe --check-trustdb

If respecting own paths and user rights with care, it seems to be a practicable way. Regular backup recommended.

Thanks once more and regards,
Chris
RE: GPGrelay does not recognize Gpg-2.1 keys; Gpg4win-3beta...
Thanks for hint!

> From: Peter Lebbing [mailto:pe...@digitalbrains.com]
> Install GnuPG 1.4 alongside 2.1 and manually sync all keys from GnuPG
> 2.1 to 1.4, with for instance:
> $ gpg2 --export | gpg --import

I did get it running even on Windows:

    gpg2\gpg2.exe --export --output C:\temp\exported.keys
    gpg14\gpg.exe --import C:\temp\exported.keys

BUT: If a key is deleted in Gpg2 version of keyring, with the above method it is NOT deleted in Gpg's keyring while importing.

So is there an option for 'synchronisation' while importing (e.g. deleted keys in source export will be deleted while importing)?

Thx + regards,
Chris
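The gap described in the post above (an import only adds keys, so keys deleted on the GnuPG 2.x side remain in the 1.4 keyring) can be made visible by comparing the colon listings of both keyrings. The following is an added example, not part of the original thread or of GnuPG; it also reports per-(sub)key expiration differences of the kind described in the "Exporting/ importing changes expiration date of subkeys..." thread. It assumes both listings were produced with `--list-keys --with-colons --fixed-list-mode`; the function names and the sample listings are constructed for illustration.

```python
"""Compare two GnuPG keyrings from their colon listings (added example)."""
from datetime import datetime, timezone

# Constructed sample listings (not taken from the thread), shaped like the
# output of: gpg --list-keys --with-colons --fixed-list-mode
# Field 1 = record type, field 5 = long key ID, field 7 = expiration (epoch).
GPG2_LISTING = """\
pub:u:4096:1:1111111111111111:1420416000:1577750400::u:::cC:
uid:u::::1420416000::0000::Test User <test@example.org>:
sub:u:4096:1:2222222222222222:1420416000:1577750400:::::s:
sub:u:4096:1:3333333333333333:1420416000:1577750400:::::e:
"""
GPG14_LISTING = """\
pub:u:4096:1:1111111111111111:1420416000:1577750400::u:::cC:
uid:u::::1420416000::0000::Test User <test@example.org>:
sub:u:4096:1:2222222222222222:1420416000:1514678400:::::s:
sub:u:4096:1:3333333333333333:1420416000:1577750400:::::e:
pub:e:2048:1:4444444444444444:1382313600:1553598000::u:::scESC:
uid:e::::1382313600::0000::Old Key <old@example.org>:
"""


def parse_listing(text):
    """Return {primary_keyid: {keyid: expiry_field}} for pub and sub records."""
    keyring, current = {}, None
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # not a record we can read
        if fields[0] == "pub":
            current = fields[4].upper()
            keyring[current] = {current: fields[6]}
        elif fields[0] == "sub" and current is not None:
            keyring[current][fields[4].upper()] = fields[6]
    return keyring


def show(expiry):
    """Render an expiration field for humans; an empty field means no expiry."""
    if not expiry:
        return "never"
    if expiry.isdigit():
        when = datetime.fromtimestamp(int(expiry), timezone.utc)
        return when.strftime("%Y-%m-%d")
    return expiry  # unknown format: show it unchanged


def diff_keyrings(source, target):
    """Compare `target` against `source`, the keyring treated as authoritative."""
    stale = sorted(k for k in target if k not in source)
    missing = sorted(k for k in source if k not in target)
    mismatched = []
    for primary in sorted(set(source) & set(target)):
        for keyid, expiry in sorted(source[primary].items()):
            other = target[primary].get(keyid)
            if other is not None and other != expiry:
                mismatched.append((keyid, show(expiry), show(other)))
    return {"stale": stale, "missing": missing, "expiry_mismatch": mismatched}


if __name__ == "__main__":
    report = diff_keyrings(parse_listing(GPG2_LISTING),
                           parse_listing(GPG14_LISTING))
    # Stale keys exist only in the 1.4 keyring; review them before removing
    # anything, since an import never deletes keys on its own.
    for keyid in report["stale"]:
        print("only in 1.4 keyring:", keyid)
    for keyid in report["missing"]:
        print("not yet imported into 1.4:", keyid)
    for keyid, src, dst in report["expiry_mismatch"]:
        print(f"{keyid}: expires {src} in 2.x but {dst} in 1.4")
```
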
Re: GPGrelay does not recognize Gpg-2.1 keys; Gpg4win-3beta...
Thanks for hint, that would be a distress way.

But it seems to be limited to v1.4x supported keys only. What will happen, if v1.4x tries to import gpg-2.x keys with elevated features?

Regards,
Chris
Re: GPGrelay does not recognize Gpg-2.1 keys; Gpg4win-3beta...
Thanks for answer.

It seems GPGrelay is no longer maintained by its developers but is still working like a charm if gpg.exe 1.4x is used.

So, how to work around and supply keys to GPGrelay even if using gpg version 2 and up?

Regards,
Chris

http://sites.inka.de/tesla/gpgrelay.html
http://is.gd/c4duwS (Sourceforge)
GPGrelay does not recognize Gpg-2.1 keys; Gpg4win-3beta...
Hello,

I did install Gpg4win-3.0 beta (with gpg 2.1.10 included). All older pub/sec keys are imported with Kleopatra, gpg encryption / decryption is working.

But if using GPGrelay 0.9.6, while starting it displays attached error message.

There seems to be a different key storing location or key format between 1.4x and 2.1x versions, isn't it?

How to supply keys for GPGrelay in 1.4x format? Is there any way to export it from Kleopatra? Correct location?

Thx + regards,
Chris

[ http://sourceforge.net/projects/gpgrelay/ ]
[ https://wiki.gnupg.org/Gpg4win/Testversions ]
Re: What causes this bad signature
Hi,

there is a German government service that signs PGP keys?? What's the way to get it signed? Which institution?

Thanks,
Chris

> -Original Message-
> From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On Behalf Of
> gnupg-users-requ...@gnupg.org
> Sent: Sunday, November 15, 2015 2:54 AM
> To: gnupg-users@gnupg.org
> Subject: Gnupg-users Digest, Vol 146, Issue 7
>
> Today's Topics:
>
>    1. What causes this bad signature (Sebastian Wiesinger)
>    2. Re: What causes this bad signature (da...@gbenet.com)
> --
>
> Message: 1
> Date: Sat, 14 Nov 2015 21:28:09 +0100
> From: Sebastian Wiesinger
> To: GnuPG Help and Discussion
> Subject: What causes this bad signature
> Message-ID: <20151114202809.ga7...@danton.fire-world.de>
> Content-Type: text/plain; charset="us-ascii"
>
> Hello,
>
> for fun I tried a German government (or public-private partnership)
> service that signs your PGP key if your name on a uid matches the
> electronic data on your ID card (Neuer Personalausweis, nPA). I tried
> this and got my signed key back. I tried to import it into my keyring
> and imagine my surprise when it didn't show up. Reason being: I have
> "import-options import-clean" set and the signature is somehow bad.
>
> Is there a way to see why the signature is bad? If I decide to let
> them know that their service fails I would like to be able to tell
> them what they did wrong.
>
> My key is 0x58A2D94A93A0B9CE and their signature comes from
> 0x5E5CCCB4A4BF43D7:
>
> pub 2048R/0x58A2D94A93A0B9CE 2009-08-11
> uid [ultimate] Sebastian Wiesinger
> sig!3 P0x58A2D94A93A0B9CE 2015-03-27 never Sebastian Wiesinger
> sig-3 1 0x5E5CCCB4A4BF43D7 2015-11-14 never Governikus OpenPGP
> Signaturservice (Neuer Personalausweis)
>
> I attached the signed key for your interest.
>
> Regards Sebastian
>
> --
> GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
> 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE
> SCYTHE.
> -- Terry Pratchett, The Fifth Elephant
> --
>
> Message: 2
> Date: Sun, 15 Nov 2015 02:03:06 +
> From: "da...@gbenet.com"
> To: gnupg-users@gnupg.org
> Subject: Re: What causes this bad signature
> Message-ID: <5647e7da.6020...@gbenet.com>
> Content-Type: text/plain; charset="utf-8"
>
> On 14/11/15 20:28, Sebastian Wiesinger wrote:
> > Hello,
> >
> > for fun I tried a German government (or public-private partnership)
> > service that signs your PGP key if your name on a uid matches the
> > electronic data on your ID card (Neuer Personalausweis, nPA). I tried
> > this and got my signed key back. I tried to import it into my keyring
> > and imagine my surprise when it didn't show up. Reason being: I have
> > "import-options import-clean" set and the signature is somehow bad.
> >
> > Is there a way to see why the signature is bad? If I decide to let
> > them know that their service fails I would like to be able to tell
> > them what they did wrong.
> >
> > My key is 0x58A2D94A93A0B9CE and their signature comes from
> > 0x5E5CCCB4A4BF43D7:
> >
> > pub 2048R/0x58A2D94A93A0B9CE 2009-08-11
> > uid [ultimate] Sebastian Wiesinger
> > sig!3 P0x58A2D94A93A0B9CE 2015-03-27 never Sebastian Wiesinger
> > sig-3 1 0x5E5CCCB4A4BF43D7 2015-11-14 never Governikus
> > OpenPGP Signaturservice (Neuer Personalausweis)
> >
> > I attached the signed key for your interest.
> >
> > Regards Sebastian
Multithreaded gpg encryption of files
Hello,

if encrypting big files (500 Mb...) with gpg-1.x, only one core of Intel's multicore processors is used.

Is there an enhancement for using more than one core while de-/encrypting files?

Thanks + regards,
Chris
Global changing of expiration date of mainkey and subkeys possible?
Hello,

is there any way to change the expiration date of mainkey AND ALL attached subkeys by one action only (and not key-by-key)?

Source:

    pub 4096R/ erzeugt: 2014-12-09 verfällt: 2015-10-04 Aufruf: C
    Vertrauen: unbekannt Gültigkeit: unbekannt
    sub 4096R/F0E6644F erzeugt: 2014-12-09 verfällt: 2015-07-06 Aufruf: A
    sub 2048D/4A692C49 erzeugt: 2014-12-09 verfällt: 2015-06-07 Aufruf: S
    sub 4096R/CFC3C286 erzeugt: 2014-12-09 verfällt: 2015-06-07 Aufruf: E
    sub 4096R/D64D3126 erzeugt: 2014-12-09 verfällt: 2015-06-07 Aufruf: S
    [ unbek.] (1). gnupgpacker (testkey)

Target:

    pub 4096R/ erzeugt: 2014-12-09 verfällt: 2016-11-11 Aufruf: C
    Vertrauen: unbekannt Gültigkeit: unbekannt
    sub 4096R/F0E6644F erzeugt: 2014-12-09 verfällt: 2016-11-11 Aufruf: A
    sub 2048D/4A692C49 erzeugt: 2014-12-09 verfällt: 2016-11-11 Aufruf: S
    sub 4096R/CFC3C286 erzeugt: 2014-12-09 verfällt: 2016-11-11 Aufruf: E
    sub 4096R/D64D3126 erzeugt: 2014-12-09 verfällt: 2016-11-11 Aufruf: S
    [ unbek.] (1). gnupgpacker (testkey)

Thanks + regards,
Chris
RE: German ct magazine postulates death of pgp encryption
Hello,

> On Behalf Of Patrick Brunschwig
> Sent: Sunday, March 01, 2015 3:42 PM
> The idea I have in mind is roughly as follows: if you upload a key to
> a keyserver, the keyserver would send an encrypted email to every UID
> in the key. Each encrypted mail contains a unique link to confirm the
> email address. Once all email addresses are confirmed, the key is
> validated and the keyserver will allow access to it just like with any
> regular keyserver.
> This way, we have a simple verification of the access to the private
> the key, as well as access to the email addresses contained in the UID
> by quite a simple means. I would say this is about as reliable as
> sending an email to someone requesting their key.

+1

This procedure should be implemented in keyservers. No CA needed, no centralisation necessary => just verifying of existing AND properly working email addresses.

Additional: There are a lot of old keys on keyservers not being verified in the described manner. Those keys (or the newer, verified ones) could be marked with a short hint on keyservers to differ between verified and not verified email addresses.

Facility of deleting own (!) keys on keyserver wanted for old (revoked, expired, test, failed...) keys.

Regards,
Chris
RE: German ct magazine postulates death of pgp encryption
Thx.

Maybe implementation with an opt-in could prevent publishing of faked keys on public keyservers?

So if new key is uploaded an email with verification link is sent from keyserver to issuer.

If embedded link is verified by issuer in 10 minutes => uploaded public key is published
If embedded link is NOT verified by issuer in 10 minutes => uploaded public key is deleted

Forums have been working with this technique for years.

Regards,
Chris

> -Original Message-
> From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On Behalf Of
> Hauke Laging
> Sent: Friday, February 27, 2015 11:59 AM
> Werner has replied to that (on gnupg...@gnupg.org and here):
> http://rem.eifzilla.de/archives/2015/02/24/re-die-schlssel-falle
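The opt-in flow proposed in the two posts above (a confirmation link per e-mail address, publication only when every address has confirmed, deletion after 10 minutes otherwise) is sketched below as an added example; it is not code from the thread or from any keyserver. The class and function names, the server secret and the fingerprint are hypothetical or constructed, and mail delivery (including encrypting the mail to the uploaded key, as in the quoted proposal) is out of scope.

```python
"""Keyserver-side confirmation tokens with a 10-minute window (added example)."""
import hashlib
import hmac

TTL_SECONDS = 10 * 60  # the 10-minute confirmation window proposed in the post


class PendingUpload:
    """An uploaded key that stays unpublished until every UID address confirms."""

    def __init__(self, server_secret, fingerprint, emails, now):
        if not emails:
            raise ValueError("a key without any address cannot be confirmed")
        self._secret = server_secret
        self.fingerprint = fingerprint.upper()
        self.issued_at = int(now)
        self.confirmed = {e.lower(): False for e in emails}

    def _mac(self, email):
        # Bind the token to this key, this address and this upload time, so a
        # link cannot be replayed for another address or another upload.
        msg = f"{self.fingerprint}|{email}|{self.issued_at}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def token_for(self, email):
        """Token to embed in the link mailed to one address of the key."""
        email = email.lower()
        if email not in self.confirmed:
            raise KeyError(email)
        return self._mac(email)

    def confirm(self, email, token, now):
        """Handle a click on a link; True only for a valid token inside the window."""
        email = email.lower()
        if email not in self.confirmed:
            return False
        if now - self.issued_at > TTL_SECONDS:
            return False
        # Constant-time comparison, on bytes so any input string is accepted.
        if not hmac.compare_digest(self._mac(email).encode(), token.encode()):
            return False
        self.confirmed[email] = True
        return True

    def state(self, now):
        """'published' once all addresses confirmed, 'deleted' after the window."""
        if all(self.confirmed.values()):
            return "published"
        if now - self.issued_at > TTL_SECONDS:
            return "deleted"
        return "pending"


def run_scenarios():
    """Exercise the flow with constructed values and return the outcomes."""
    secret = b"constructed-demo-secret"                  # constructed
    fpr = "0123456789ABCDEF0123456789ABCDEF01234567"     # constructed
    addrs = ["alice@example.org", "alice@example.net"]   # constructed
    t0 = 1_700_000_000
    out = {}

    ok = PendingUpload(secret, fpr, addrs, t0)
    ok.confirm(addrs[0], ok.token_for(addrs[0]), t0 + 60)
    out["one_of_two"] = ok.state(t0 + 120)
    ok.confirm(addrs[1], ok.token_for(addrs[1]), t0 + 300)
    out["both_in_time"] = ok.state(t0 + 301)

    late = PendingUpload(secret, fpr, addrs, t0)
    late.confirm(addrs[0], late.token_for(addrs[0]), t0 + 60)
    out["late_click_accepted"] = late.confirm(
        addrs[1], late.token_for(addrs[1]), t0 + TTL_SECONDS + 1)
    out["after_window"] = late.state(t0 + TTL_SECONDS + 1)

    swap = PendingUpload(secret, fpr, addrs, t0)
    out["swapped_token_accepted"] = swap.confirm(
        addrs[1], swap.token_for(addrs[0]), t0 + 5)
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```
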
German ct magazine postulates death of pgp encryption
Hello,

there is a discussion ongoing regarding future of pgp/gpg encryption.

German ct magazine has postulated in their last edition that our pgp handling seems to be too difficult for mass usage, keyserver infrastructure seems to be vulnerable for faked keys, published mail addresses are collected from keyservers and so on...

Pls refer to:
Massentaugliche E-Mail-Verschlüsselung gesucht http://heise.de/-2557237
Editorial: Lasst PGP sterben! http://heise.de/-2551008
M.Marlinspike Blog: GPG And Me http://www.thoughtcrime.org/blog/gpg-and-me/

I am a little bit unhappy about this discussion because pgp still offers secure end-to-end encryption without the need of a superior CA, no compromising had been detected so far.

Your positions to this ct approach?

Regards,
Chris
Import pubkey to Thunderbird/Enigmail/Gpg4Win
Hello,

if importing a public gpg rsa key to current Thunderbird/Enigmail/Gpg4Win on Win7-64, there is an issue with German Umlaute, pls refer to attached screenshot.

Exported key has been created by GPG-1.4.18/Win7-64, importing Enigmail works with GPG4Win (GPG-2.0.26)/Win7-64.

Everything (signing, encryption...) works as expected, so maybe it is a display error only!? Bugfix possible?

Thanks and best regards,
Chris
Updating public key problem
Hello,

did anyone get a response from encrypt.to?

Btw and sorry for this question: Does https://encrypt.to seem to be a reliable service regarding data security? Newly created messages are transferred from browser window to encrypt.to-server by ssl, but is its content (content of browser window) encrypted too?

Regards, Chris

> -Original-Message-
> and that's why, in my opinion, why
> the sending an encrypted message doesn't work by the free service like -
> https://encrypt.to/linuxdeb...@zoho.com Before the expiration date of
> those 2 keys, the encrypt.to service worked.
> [...]
> Does encrypt.to cope with
> 4096-bit keys and SHA256 binding signatures? What size was your old
> encryption subkey?
Unable to encrypt file with private/public key
@Dhiraj:

Encrypting: You encrypt a message with recipient's public key, no password is required. (Password is only known by recipient.)

Signing: You sign a message with your own private key, you must admit your private key's password.

Regards, Chris (RSA-Testkey 0x3E2E0598)

> What I have
> learned so far from these threads is Signing always require a passphrase
> whereas encryption can be done without Passphrase & it requires a Key.
> Correct me if my understanding is not correct.
> I was doing a mistake. I
> was trying to encrypt the file with Partner Key hence it was showing the
> warning. While sending the file to partner I have to use my own key
> which I have share with them to decrypt it.
Refreshing private key
Hello,

if there is a need to keep the old key id, you can generate new subkeys for A/S/E, keeping the old 2048bit certification key C only for offline signing.

Keystructure:
Mainkey with old ID 2048bit
- Subkey A 8096bit
- Subkey S 8096bit (beware of this, long signature...)
- Subkey E 8096bit

Old subkeys can be deactivated/revoked or not, GPG will use latest keys generated.

Generating keys > 4096bit can be done with GnuPG-Pack up to 50176bit (RSA) with some additional features: http://home.arcor.de/rose-indorf/

Beware of compatibility with standard gpg installations! Security advantage isn't as great as it seems to be...

Regards, Chris (RSA-Testkey 0x3E2E0598)

> -Original Message-
> Sent: Thursday, December 18, 2014 11:52 AM
> My current key is 2048 bits in length and I
> would like to have something that is closer to 8192 bits in length. Is
> there a way that I can accomplish this without revoking my key so that I
> can keep the same public key id? Any preferred RTFMing you can point me
> to?
"key algorithm" in GnuPG's signature verification output
Hi Hugo,

yes, I am sorry: it seems to be like this assumption, but only if you are using other quotation marks than standard "something".

Regards, Chris

> -Original Message-
> From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On Behalf Of Hugo
> Hinterberger
> Hi Chris,
> So, are you saying that my messages break your signatures of replies to my
> messages?
RE: "key algorithm" in GnuPG's signature verification output
Hi Hugo,

I did make some tests with your last post:

Outlook-incoming as
Content-Transfer-Encoding: base64
Content-Type: text/plain; charset="utf-8"; Format="flowed"

If signing “something” (your choice) and resending, signature is broken.

If signing „something“ and resending, signature is broken.
(Word-2010; incoming Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable)

If signing "something" and resending, signature works as expected.
(Standard for Outlook-2010, Thunderbird-31.3; incoming Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit)

Most used common keyboards are using SHIFT+2 for quotation marks. This results in above shown results, depending on charset and program used.

Your (German) keyboard seems to be a scientific one with some additional chars enabled: http://is.gd/nkQQzK

My Outlook-2010 (and Thunderbird too) generates "something" by default, not “something” (your choice), or „something“. Settings are set to "iso-8859-1", if new message is generated. If replying, incoming charset is used.

I didn't notice such a behavior before!?

Regards, Chris

> -Original Message-
> From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On Behalf Of Hugo
> Hinterberger
> Sent: Wednesday, December 10, 2014 9:15 AM
> > Why break quotation marks "1AF778E4" and "good" or "bad" in OP signature
> > verification while answering?
>
> I use “"” when it is required. In regular text I try to follow
> typographical conventions for text.
> Nothing seems to be broken on my end.
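Why the typographic quotes in the tests above are fragile while ASCII quotes are not, as an added example that is not part of the original post: a signature covers bytes, so any charset conversion between signing and verifying that changes the bytes changes the digest. The function names, the set of charsets and the sample sentences are assumptions chosen for illustration.

```python
import hashlib

# Charsets a mail client may switch between when sending or replying
# (assumed set for illustration).
CHARSETS = ("us-ascii", "iso-8859-1", "windows-1252", "utf-8")


def digest_per_charset(text):
    """Return {charset: SHA-512 hex digest, or None if not encodable}."""
    out = {}
    for cs in CHARSETS:
        try:
            out[cs] = hashlib.sha512(text.encode(cs)).hexdigest()
        except UnicodeEncodeError:
            out[cs] = None  # client must substitute characters or change charset
    return out


def fragile_characters(text):
    """List (offset, char, code point) for characters outside 7-bit ASCII."""
    return [(i, ch, "U+%04X" % ord(ch))
            for i, ch in enumerate(text) if ord(ch) > 0x7F]


def survives_recoding(text):
    """True if every charset yields identical bytes, so the digest is stable."""
    digests = set(digest_per_charset(text).values())
    return len(digests) == 1 and None not in digests


# Constructed sample lines using the three quotation styles from the tests.
SAMPLES = {
    "ascii": 'key "1AF778E4" is "good"',
    "english": "key \u201c1AF778E4\u201d is \u201cgood\u201d",
    "german": "key \u201e1AF778E4\u201c is \u201egood\u201c",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        state = "stable" if survives_recoding(text) else "fragile"
        print(name, state, fragile_characters(text)[:2])
```

Running `fragile_characters` over a draft before clearsigning shows which characters depend on the charset surviving transport unchanged.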
"key algorithm" in GnuPG's signature verification output
Hello,

by the way: Pls refer to OP: http://lists.gnupg.org/pipermail/gnupg-users/2014-December/051872.html

Why break quotation marks "1AF778E4" and "good" or "bad" in OP signature verification while answering? Some charset settings needed?

Thx + regards, Chris
"key algorithm" in GnuPG's signature verification output
Hello,

signing with two keys in one block can be done. But also, if unequal technology used (e.g. RSA+edDSA)?

Verifying of MFPA's signature with Gpg-1.4.18 gave me:

gpg: Unterschrift vom 06.12.2014 16:56:22 mittels RSA-Schlüssel ID B31F25F0
gpg: FALSCHE Unterschrift von "0x251BCCEB547B7194" [unbekannt]
gpg: Unterschrift vom 06.12.2014 16:56:33 mittels ?-Schlüssel ID 1AF778E4
gpg: Unterschrift kann nicht geprüft werden: Unbekanntes Public-Key-Verfahren
Time: 09.12.2014 11:45:53 (09.12.2014 10:45:53 UTC)

Gpg-1.4.8 isn't capable of using edDSA. In my opinion output would be ok if a new edDSA key has been used!? If RSA signing key has been used, there might be some fault...

Regards, Chris (Testkey 0x3e2e0598, DSA-2048-sig)

> It seems that you (MFPA) changed your signing practice after I noted that
> I can't verify signatures created with your key “1AF778E4”. I did not know
> that one could sign a message with two keys in one signing block.
> I am wondering if there is a way to collapse the verification result for a
> multi-key signature down to a single “good” or “bad” value/result, because
> Enigmail gave me some ambiguous message about your signatures.
RE: Mainkey with many subkeys??
Kristian,

I am a little bit confused about your key design ;)

Main key has options SC. There is an active newer signing key S, so this will be always used for signing? And there are two active encryption keys E: GPG uses in my opinion only the key generated latest, isn't it? So how to desire which key is used? And what's about backward compatibility?

Thanks for any hint, regards, Chris

> -Original Message-
> From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On Behalf Of
> Kristian Fiskerstrand
> Sent: Sunday, December 07, 2014 10:16 PM
> Tomo: you'll find that my key have a few subkeys at least due to these
> practises. It doesn't provide any issue for either keyservers or to
> use more generally, but you are correct in that the information is
> retained.
Changing key's passphrase in an automated way
Hello,

did try it too: Thomas' attempt gave me with Gpg-1.4.18:

gpg: verwende Vertrauensmodell PGP
[GNUPG:] GET_LINE keyedit.prompt
[GNUPG:] GOT_IT
[GNUPG:] USERID_HINT 5D4F1C79E62651B3 testpassw tester (44)
[GNUPG:] NEED_PASSPHRASE 5D4F1C79E62651B3 5D4F1C79E62651B3 1 0
[GNUPG:] BAD_PASSPHRASE 5D4F1C79E62651B3
[GNUPG:] GET_LINE keyedit.prompt
[GNUPG:] GOT_IT

John's hint with

ECHO -e PASSWD\nMyOldPassword\nMyNewPassword\nSAVE|GPG --command-fd 0 --no-tty --passphrase-repeat 0 --status-fd 2 --verbose --edit-key E62651B3

gave me just:

gpg: verwende Vertrauensmodell PGP
[GNUPG:] GET_LINE keyedit.prompt
[GNUPG:] GOT_IT
[GNUPG:] GET_LINE keyedit.prompt
[GNUPG:] GOT_IT

It seems that old password isn't accepted by batch cmd. Why? MyOldPassword is definitely correct and works if editing same test key for example with addkey !?

Thanks, Chris

> -Original Message-
> From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On Behalf Of
> Thomas Pelletier
> Sent: Saturday, December 06, 2014 12:54 PM
> To: John Kennerson; gnupg-users@gnupg.org
> Subject: Re: Changing key's passphrase in an automated way
>
> On Sat Dec 06 2014 at 12:15:53 AM John Kennerson wrote:
> > ECHO -e PASSWD\nOLDPASS\nNEWPASS\nSAVE|GPG --command-fd 0 --no-tty --passphrase-repeat 0 --status-fd 2 --verbose --edit-key 9C6BD0AC
>
> Awesome! It did the trick with GPG 1.4.
>
> Thank you,
> Thomas
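One way to read the two `--status-fd` transcripts above mechanically, as an added example (not code from the post or from GnuPG): it reports whether a passphrase was requested at all and whether it was accepted. The function name and verdict strings are assumptions; the sample status lines are copied from the post.

```python
def classify_passwd_run(status_output):
    """Classify a gpg --edit-key run from its [GNUPG:] status lines."""
    events = []
    for line in status_output.splitlines():
        line = line.strip()
        if not line.startswith("[GNUPG:] "):
            continue  # "gpg: ..." lines are for humans, not machine status
        parts = line[len("[GNUPG:] "):].split()
        if parts:
            events.append((parts[0], parts[1:]))
    keywords = [k for k, _ in events]
    # How many times gpg asked for an edit-menu command on the command fd.
    prompts = sum(1 for k, a in events
                  if k == "GET_LINE" and a[:1] == ["keyedit.prompt"])
    if "BAD_PASSPHRASE" in keywords:
        verdict = "passphrase-rejected"
    elif "GOOD_PASSPHRASE" in keywords:
        verdict = "passphrase-accepted"
    elif "NEED_PASSPHRASE" in keywords:
        verdict = "passphrase-requested-no-result"
    else:
        verdict = "passphrase-never-requested"
    return {"verdict": verdict, "keyedit_prompts": prompts}


# Status output of the first run quoted in the post.
RUN_FIRST = """\
gpg: verwende Vertrauensmodell PGP
[GNUPG:] GET_LINE keyedit.prompt
[GNUPG:] GOT_IT
[GNUPG:] USERID_HINT 5D4F1C79E62651B3 testpassw tester (44)
[GNUPG:] NEED_PASSPHRASE 5D4F1C79E62651B3 5D4F1C79E62651B3 1 0
[GNUPG:] BAD_PASSPHRASE 5D4F1C79E62651B3
[GNUPG:] GET_LINE keyedit.prompt
[GNUPG:] GOT_IT
"""

# Status output of the second run (the ECHO -e pipeline) quoted in the post.
RUN_SECOND = """\
gpg: verwende Vertrauensmodell PGP
[GNUPG:] GET_LINE keyedit.prompt
[GNUPG:] GOT_IT
[GNUPG:] GET_LINE keyedit.prompt
[GNUPG:] GOT_IT
"""

if __name__ == "__main__":
    print(classify_passwd_run(RUN_FIRST))
    print(classify_passwd_run(RUN_SECOND))
```

The second transcript contains no NEED_PASSPHRASE line, so the status channel never reports a passphrase being requested or checked in that run.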