Re: How can we utilize latest GPG from RPM repository?

2018-02-22 Thread helices
Let's cut through these ill-informed suppositions once and for all: If host
compliance was our problem, I would not have posted here at all.

Also, nowhere in this thread have I stated any inability to compile myself.
Having been doing such for 40+ years, that is not our problem either.

Defending processes and systems to egregiously non-technical auditors is a
challenge that grows year by year. If you have not qualified for PCI DSS
Level 1, then you probably have only a cursory understanding of this
situation. Based on previous questions I've posted here in last several
years, it's clear to me that none of the experts here have such experience.

Sometimes, a question is just a question. Overthinking the environment in
which that question was asked adds nothing to the discussion. Now that my
question has been directly answered - thank you, Ben - and indirectly
answered - thank you, to those who did not answer directly - we can move
forward in my enterprise architecture endeavor.

Thank you, Daniel, for describing the complexity of the gnupg problem.

Our new environment will continue with gnupg v2.0.22, because that is the
security level supported by stable and secure Linux operating systems.
Please, do not debate me on this. Yes, we could do otherwise, but that will
incur PCI DSS v3.2 challenges unnecessary to us.

Thank you.

~ helices




On Thu, Feb 22, 2018 at 12:22 AM, Ben McGinnes <b...@adversary.org> wrote:

> On Wed, Feb 21, 2018 at 07:36:08AM -0800, Dan Kegel wrote:
> > On Tue, Feb 20, 2018 at 10:16 PM, Ben McGinnes <b...@adversary.org>
> wrote:
> >>
> >> Because these two lines explain *precisely* why you need something
> >> like RHEL or CentOS (certified systems to go with the auditing)
> >> *and* updated crypto.
> >
> > And when you're on those certified, curated systems, you have
> > access to tools like
> > https://www.open-scap.org/resources/documentation/make-a-rhel7-server-compliant-with-pci-dss/
> > to help make sure you're in compliance, I think.
> >
> > I suspect that kind of approach would make passing audits a lot
> > easier than building the latest gnupg release yourself...
> > and is less likely to break things.
>
> In all likelihood, yes ... however open-scap.org is a RedHat service
> and most likely only supplied to RHEL customers seeking PCI-DSS
> compliance along with direct support via their service contract.
>
> If, however, this particular case actually deals with CentOS systems
> and not RHEL, then the OP has elected to forego that type of
> professional service contract from the vendor in order to do it
> themselves.
>
> Which brings us either back to this thread, or a business decision at
> their end regarding whether or not bring their systems back to RHEL
> (it requires changing two files, IIRC, assuming they haven't massively
> modified things) and paying RedHat whatever it takes to get the job
> done.  I cannot predict which they will choose, nor am I willing to
> make a recommendation solely on what's been presented here.
>
> Still, the OP wanted options and now they've been provided.  :)
>
>
> Regards,
> Ben
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: How can we utilize latest GPG from RPM repository?

2018-02-17 Thread helices
I will probably never understand why wanting to run the most current
version of gnupg on a plethora of servers is controversial.

Nevertheless, the two (2) greatest reasons are:

   1. PCI DSS v3.2
   2. PCI DSS compliance audits

Being able to demonstrate that we are using the latest, greatest encryption
available on every one of our hosts, simplifies that portion of the audit
equation more than you probably believe.

Furthermore, the following features not available in 2.0.22 are more than
nice-to-haves:

   - The file secring.gpg is not used to store the secret keys anymore.
   - All support for PGP-2 keys has been removed for security reasons.
   - The standard key generation interface is now much leaner.
   - Commands to create and sign keys from the command line without any
   extra prompts are now available.
   - There is no more need to manually start the gpg-agent.
   - A new format for locally storing the public keys is now used.
   - Revocation certificates are now created by default.
   - The format of the key listing has been changed to better identify the
   properties of a key.


Apparently, there is no current solution to our problem similar to that we
found for our rsyslog example. That is too bad. We will get over our
disappointment.

However, let it be said here and now, if the gnupg community wants the use
of gnupg to spread far further than a clique of geeks, making its use
easier for non-geeks is probably the simplest and most direct way.

Yes, that is my opinion, humble or otherwise.

YMMV

Are there any other questions before I get a direct answer to my original
subject question?

Thank you.


On Wed, Feb 14, 2018 at 2:20 PM, helices <g...@mdsresource.net> wrote:

> CentOS 7 uses gnupg2 v2.0.22. EPEL doesn't have anything newer.
>
> We want to move to v2.2.x, and stay current, but we don't want to download
> source and compile for dozens of systems.
>
> We want all users to be using the same version all of the time.
>
> Please, advise. Thank you.
>
>


Re: How can we utilize latest GPG from RPM repository?

2018-02-15 Thread helices
Jeffrey, please, your ad hominem accusations are not helpful.

You said, "What you’re missing is WHY you want a later upstream version."

How do you know that I'm missing that? That "why" is not at all relevant to
my question.

You said, "You can’t have it both ways:  You want to stay on a stable
distro/version which is the raison d’etre for RHEL/CentOS but want to have
the latest package."

As you know, CentOS contains thousands of files, and I have given one
example of a need to deviate from the default distribution for rsyslog.
Suffice it to say, we want to do the same with gnupg.

If there is no gnupg solution similar to our rsyslog solution, then we will
do something else.

Simply because I have not found a gnupg solution similar to our rsyslog
solution, does NOT mean that such a solution does not exist.

Hence, my original post here yesterday.

Actually answering my subject question would be helpful. You have not done
that.

Thank you.


On Thu, Feb 15, 2018 at 9:06 AM, Lightner, Jeffrey <jlight...@dsservices.com> wrote:

> What you’re missing is WHY you want a later upstream version.   Is there a
> specific feature you’re needing that isn’t in the one that comes with your
> distro?
>
>
>
> You can’t have it both ways:  You want to stay on a stable distro/version
> which is the raison d’etre for RHEL/CentOS but want to have the latest
> package.As I noted in my prior post you can get the latest of
> everything by abandoning CentOS in favor of Fedora at the expense of
> stability.Your choice of distro is based on many factors.   Some people
> even build their own packages all from scratch because they don’t like any
> of the distros.
>
>
>
> Not all packages have people that build rpm’s for them.   Many FOSS
> projects seem to prefer building for Debian or something else and MAY
> package it for whatever distro they like but some don’t package it for
> anything and expect you to do the legwork yourself.
>
>
>
> In general if it isn’t in RHEL/CentOS I look for it in the EPEL.  If it
> isn’t there I almost always download the source then configure/compile
> it.   This isn’t really a difficult process for most packages.
>
>
>
> There ARE other locations that MAY provide a package you want.   Have you
> looked at rpmfind?  rpmbone?
>
>
>
> And of course YOU could create the rpm and share it on EPEL yourself so
> others will have it.
>
>
>
>
>
> *From:* Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] *On Behalf Of *
> helices
> *Sent:* Thursday, February 15, 2018 9:10 AM
> *To:* gnupg-users@gnupg.org
>
> *Subject:* Re: How can we utilize latest GPG from RPM repository?
>
>
>
> Yes, I know that.
>
> In general, that scheme works well.
>
> However, in another case, rsyslog, a certain function has been broken for
> many years, and the only fix is to track the developers' most recent
> versions. In that case, the developers maintain their own repository:
> http://rpms.adiscon.com ; which is easy to incorporate into:
> /etc/yum.repos.d/rsyslog.repo
>
> We are hoping something similar is available for gnupg. I have not found
> that; which is the reason for my posts here.
>
> What am I missing?
>
> Please, advise. Thank you.
>


Re: How can we utilize latest GPG from RPM repository?

2018-02-15 Thread helices
Yes, I know that.

In general, that scheme works well.

However, in another case, rsyslog, a certain function has been broken for
many years, and the only fix is to track the developers' most recent
versions. In that case, the developers maintain their own repository:
http://rpms.adiscon.com ; which is easy to incorporate into:
/etc/yum.repos.d/rsyslog.repo

We are hoping something similar is available for gnupg. I have not found
that; which is the reason for my posts here.

What am I missing?

Please, advise. Thank you.



On Thu, Feb 15, 2018 at 7:56 AM, Lightner, Jeffrey <jlight...@dsservices.com> wrote:

> CentOS isn't a vendor.   It is a project that does binary compiles of RHEL
> sources.
>
> RedHat is the vendor that creates RHEL and its source is used to make
> CentOS.   RHEL is supported by RedHat if you have a subscription.  CentOS
> has no direct support though RedHat hosts the project nowadays.
>
> RHEL (and therefore CentOS) major versions such as 7 start with base
> upstream versions of packages.   RedHat modifies that base upstream package
> to backport bug and security fixes from later upstream packages if relevant
> to the original base.   They then add extended versioning to the RPM name.
>
> For example on a test system I just looked at  "yum list gnupg2" shows:
> Installed Packages
> gnupg2.x86_64  2.0.22-3.el7   @anaconda/7.0
> Available Packages
> gnupg2.x86_64  2.0.22-4.el7   rhel-7-server-rpms
>
> Notice the base upstream for both the installed and the available is
> 2.0.22 but the extended versioning is different (3.el7 vs 4.el7).   You'd
> have to examine the errata to see what is different about the latter.
>
> In general unless there is a specific feature in upstream you need that is
> not in the RHEL/CentOS provided version you should use the RHEL/CentOS
> version on your RHEL/CentOS system.
>
> If you really want the latest of everything you should use Fedora instead
> of CentOS.   Just be aware that Fedora is bleeding edge and releases a new
> version twice a year.   Generally that means you HAVE to do a full upgrade
> at least once a year as they won't offer updated packages for more than two
> major versions at a time.   For a Production environment that pace of
> upgrade is usually not desirable which is why people use RHEL/CentOS
> instead.
>
> -Original Message-
> From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On Behalf Of
> Daniel Kahn Gillmor
> Sent: Wednesday, February 14, 2018 5:31 PM
> To: helices; gnupg-users@gnupg.org
> Subject: Re: How can we utilize latest GPG from RPM repository?
>
> On Wed 2018-02-14 14:20:10 -0600, helices wrote:
> > CentOS 7 uses gnupg2 v2.0.22. EPEL doesn't have anything newer.
> >
> > We want to move to v2.2.x, and stay current, but we don't want to
> > download source and compile for dozens of systems.
> >
> > We want all users to be using the same version all of the time.
>
> This sounds like a problem for your operating system and/or package
> manager.  GnuPG has a chain of build dependencies which often makes it
> difficult to just import directly from a single RPM.
>
> If you were running a more recent operating system, you'd likely get
> something from the GnuPG "modern" branch as well anyway.
>
> Perhaps you want to ask your operating system vendor what their
> recommendation is for "backports" of specific packages?
>
>   --dkg
>
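
Worked example (added here; it is not code from the thread, from rpm or from yum): a Python re-implementation of the comparison rule rpm applies to the version and release fields, run over lines laid out like the 'yum list gnupg2' dump Jeffrey quotes above. The sample lines, the contrasting upstream version 2.2.4 and all function names are constructed for the example. It makes the versioning point concrete: 2.0.22-3.el7 and 2.0.22-4.el7 are different builds that yum orders correctly, while the upstream version field that an auditor eyeballs is identical for both, so whatever was backported between them is only visible in the errata and the package changelog.

```python
"""rpmvercmp-style comparison of RPM version strings.

Added example, not code from the thread, from rpm or from yum: a
re-implementation of the rule rpm applies to the version and release
fields, used to compare the 2.0.22-3.el7 / 2.0.22-4.el7 builds quoted in
the thread.  SAMPLE_YUM_LIST is constructed in the layout of a 'yum list'
dump; it was not captured from a real host.
"""
import re
from itertools import zip_longest

# A version string is a sequence of digit runs, letter runs, '~' and '^';
# everything else ('.', '-', '_', '+') is just a separator.
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+|~|\^")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like rpm's rpmvercmp().

    Numeric segments compare as integers (leading zeros ignored); a numeric
    segment beats an alphabetic one; '~' sorts below anything, including the
    end of the string (1.0~rc1 < 1.0); '^' sorts above the end of the string
    but below any other segment (1.0 < 1.0^git1 < 1.0.1); otherwise the
    string with segments left over wins.
    """
    if a == b:
        return 0
    for x, y in zip_longest(_SEGMENT.findall(a), _SEGMENT.findall(b)):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x == "^" or y == "^":
            if x is None:
                return -1
            if y is None:
                return 1
            if x != y:
                return -1 if x == "^" else 1
            continue
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        xi, yi = (int(x), int(y)) if x.isdigit() else (x, y)
        if xi != yi:
            return -1 if xi < yi else 1
    return 0


def parse_evr(evr: str) -> tuple:
    """Split '[epoch:]version[-release]' into (epoch, version, release).

    A missing epoch is '0'.  The release is whatever follows the *last*
    hyphen, because upstream versions may contain hyphens themselves.
    """
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, sep, release = evr.rpartition("-")
    if not sep:
        version, release = evr, ""
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    """Epoch, then version, then release: the order rpm and yum use."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        r = rpmvercmp(x, y)
        if r:
            return r
    return 0


def upstream_version(evr: str) -> str:
    """The field an auditor looks at; it hides every backported fix."""
    return parse_evr(evr)[1]


# Constructed sample in the layout of 'yum list gnupg2' (not a real capture)
SAMPLE_YUM_LIST = """\
Installed Packages
gnupg2.x86_64    2.0.22-3.el7    @anaconda/7.0
Available Packages
gnupg2.x86_64    2.0.22-4.el7    rhel-7-server-rpms
"""


def yum_list_versions(text: str) -> dict:
    """Map the 'Installed' / 'Available' section names to the EVR column."""
    out, section = {}, None
    for line in text.splitlines():
        if line.endswith("Packages"):
            section = line.split()[0]
            continue
        parts = line.split()
        if section and len(parts) >= 2:
            out[section] = parts[1]
    return out


def update_available(text: str) -> bool:
    """True when the repository build is newer than the installed one."""
    v = yum_list_versions(text)
    if "Available" not in v:
        return False
    return compare_evr(v["Available"], v.get("Installed", "0")) > 0
```

On a real host this comparison is what 'yum check-update' performs for you; to see which upstream fixes were carried into the -4.el7 build without the upstream version changing, read 'rpm -q --changelog gnupg2' rather than the version string.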


How can we utilize latest GPG from RPM repository?

2018-02-14 Thread helices
CentOS 7 uses gnupg2 v2.0.22. EPEL doesn't have anything newer.

We want to move to v2.2.x, and stay current, but we don't want to download
source and compile for dozens of systems.

We want all users to be using the same version all of the time.

Please, advise. Thank you.


Re: How to NOT gnutar files during encryption?

2017-07-19 Thread helices
On Wed, Jul 19, 2017 at 9:49 AM, Peter Lebbing <pe...@digitalbrains.com>
wrote:

> On 19/07/17 16:30, helices wrote:
> > Unchecking that box and encrypting, this file decrypted and unzipped
> > without incident: Archive.zip.gpg
>
> And if you keep the box checked, does it produce a file named
> Archive.zip.gpg or Archive.zip.tar.gpg?
>

Archive.zip.gpg - which is why it took me so long to identify why I could
not unzip it ;-)

Gr ... gmail makes it tedious to reply to list mail ...


Re: How to NOT gnutar files during encryption?

2017-07-19 Thread helices
OK, for the record, I think that I've found the solution.

I looked in Kleopatra Settings and found nothing.

Then, I imported a proper key and began signing and encrypting a file:
Archive.zip

In Kleopatra's Sign/Encrypt Files dialog, there is a checkbox: Archive
files with: TAR (PGP-compatible), which is checked by default.

Unchecking that box and encrypting, this file decrypted and unzipped
without incident: Archive.zip.gpg

I'm waiting for our client to upload a file encrypted this way.


HOWEVER, they right click the ZIP file and select "sign and encrypt" to
process files. Will the UNchecked checkbox for "Archive files with: TAR
(PGP-compatible)" be default now?

~ Mike


On Wed, Jul 19, 2017 at 8:17 AM, helices <g...@mdsresource.net> wrote:

> How to NOT gnutar files during encryption?
>
>
> Thank you for your responses; but, you are all missing my point - and not
> answering my question.
>
> First, before encryption by Kleopatra, the file IS one (1) real ZIP file
> (e.g., filename.zip)
>
> After encryption and upload to us, the file is now an encrypted TAR file,
> with the ZIP file inside (e.g., filename.zip.gpg)
>
> Notice that there is NO indication of TAR anywhere in the filename.
>
> Yes, I can rewrite our production processes to look for files of type TAR,
> and automate that. We receive ~1000 encrypted files per day, and we have
> never needed this before.
>
> However, if they can turn OFF that TAR subprocess - which you state ought
> only to happen when requested to encrypt multiple files - then, this
> client's files will automatically process just like the thousands of other
> clients' files we process without incident every single day.
>
> So, to repeat myself:
>
> How to NOT gnutar files during encryption?
>
> Please, advise. Thank you.
>
> ~ Mike
>
>
> On Wed, Jul 19, 2017 at 5:43 AM, Werner Koch <w...@gnupg.org> wrote:
>
>> On Tue, 18 Jul 2017 23:30, g...@mdsresource.net said:
>>
>> > Further investigation reveals that Kleopatra is gnuTARring the ZIP file
>> > prior to encryption.
>>
>> That should only happen when you select multiple files or a directory.
>> This invokes the pgp-zip method of encrypting multiple files.  Despite
>> the name it is not ZIP but USTAR format (which any tar implementation
>> can handle).
>>
>>
>> Shalom-Salam,
>>
>>Werner
>>
>> --
>> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
>>
>
>


Re: How to NOT gnutar files during encryption?

2017-07-19 Thread helices
How to NOT gnutar files during encryption?


Thank you for your responses; but, you are all missing my point - and not
answering my question.

First, before encryption by Kleopatra, the file IS one (1) real ZIP file
(e.g., filename.zip)

After encryption and upload to us, the file is now an encrypted TAR file,
with the ZIP file inside (e.g., filename.zip.gpg)

Notice that there is NO indication of TAR anywhere in the filename.

Yes, I can rewrite our production processes to look for files of type TAR,
and automate that. We receive ~1000 encrypted files per day, and we have
never needed this before.

However, if they can turn OFF that TAR subprocess - which you state ought
only to happen when requested to encrypt multiple files - then, this
client's files will automatically process just like the thousands of other
clients' files we process without incident every single day.

So, to repeat myself:

How to NOT gnutar files during encryption?

Please, advise. Thank you.

~ Mike


On Wed, Jul 19, 2017 at 5:43 AM, Werner Koch  wrote:

> On Tue, 18 Jul 2017 23:30, g...@mdsresource.net said:
>
> > Further investigation reveals that Kleopatra is gnuTARring the ZIP file
> > prior to encryption.
>
> That should only happen when you select multiple files or a directory.
> This invokes the pgp-zip method of encrypting multiple files.  Despite
> the name it is not ZIP but USTAR format (which any tar implementation
> can handle).
>
>
> Shalom-Salam,
>
>Werner
>
> --
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
>


How to NOT gnutar files during encryption?

2017-07-18 Thread helices
We have a simple process that has worked for thousands of files over the
years:
1) Client ZIPs up a bunch of files
2) Client GPG/PGP encrypts that ZIP file
3) Client uploads that encrypted file to us
4) Our production server automatically decrypts the file
5) Our production server automatically unzips that file
6) Our production server automatically distributes those files

Today, we have a new wrinkle.  A new client is using Kleopatra to encrypt
the zip file.

Once we decrypt the file via GPG on Linux, we cannot unzip the file.

After many hours troubleshooting, I discovered that the decrypted "zip"
file is actually inside a TAR file!

Further investigation reveals that Kleopatra is gnuTARring the ZIP file
prior to encryption.

We must have many clients using GPG4WIN, and we have never had this problem
before.

How can this new client NOT gnutar files, and still properly encrypt the
ZIP file?

What are we missing?

~ Mike
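
Worked example for the receiving side (added here; it is not code from the thread, from Kleopatra or from GnuPG): once 'gpg --decrypt' has written the plaintext, classify it by its magic bytes instead of by the '.zip' in the file name, and if it is the USTAR archive that Kleopatra's "Archive files with: TAR (PGP-compatible)" option produces, pull the single ZIP back out. The sample ZIP and the tar that wraps it are built in memory and are not real client files; the function names are my own. The member-name handling is the one hardening step a drop-box pipeline wants: a tar member named with a path must never decide where the server writes.

```python
"""Classify decrypted uploads by content and unwrap the USTAR layer.

Added example, not code from the thread, from Kleopatra or from GnuPG.
The sample ZIP and the tar that wraps it are built in memory below;
real input would be the plaintext that 'gpg --decrypt' wrote out.
"""
from __future__ import annotations

import io
import tarfile
import zipfile

# Local file header, empty archive, spanned archive: the three ways a ZIP starts.
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")
# Every ustar header carries the string "ustar" at byte 257 of its 512-byte block.
TAR_MAGIC_OFFSET = 257


def sniff(data: bytes) -> str:
    """'zip', 'ustar' or 'unknown', decided by magic bytes, never by file name."""
    if data[:4] in ZIP_MAGICS:
        return "zip"
    if data[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + 5] == b"ustar":
        return "ustar"
    return "unknown"


def unwrap_pgp_zip(data: bytes) -> list[tuple[str, bytes]]:
    """(base name, bytes) for each regular file in a USTAR archive.

    Directories, symlinks and device entries are skipped, and member names
    are cut down to their base name, so a crafted archive cannot make the
    caller write outside its drop directory when it saves the members.
    """
    members = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        for info in tf:
            if not info.isfile():
                continue
            base = info.name.replace("\\", "/").rsplit("/", 1)[-1]
            members.append((base, tf.extractfile(info).read()))
    return members


def recover_zip(data: bytes) -> bytes:
    """Return the client's ZIP whether it arrived bare or wrapped in USTAR."""
    kind = sniff(data)
    if kind == "zip":
        return data
    if kind == "ustar":
        zips = [body for _, body in unwrap_pgp_zip(data) if sniff(body) == "zip"]
        if len(zips) != 1:
            raise ValueError(f"expected exactly one ZIP inside the tar, found {len(zips)}")
        return zips[0]
    raise ValueError("plaintext is neither ZIP nor USTAR")


def zip_member_names(zip_bytes: bytes) -> list[str]:
    """Names inside a ZIP, used here to show the recovered archive is intact."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


# --- constructed sample input, not real client data ----------------------
def make_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.csv", "id,amount\n1,9.99\n")
    return buf.getvalue()


def wrap_in_ustar(name: str, payload: bytes) -> bytes:
    """What the thread describes: a single ZIP wrapped in a USTAR archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

Dropping recover_zip() between the decrypt step and the unzip step keeps the rest of the pipeline unchanged: files from clients who do not tick the archive box pass straight through, and the wrapped ones lose their tar layer without anyone having to rename them.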


Re: How can I change the passphrase on our secret keys?

2017-04-17 Thread helices
gpg-agent (GnuPG) 2.0.14
gpg-agent (GnuPG) 2.0.22


On Mon, Apr 17, 2017 at 1:56 PM, William Senn <wse...@twu.edu> wrote:

> Same vein, what version of gpg-agent?
>
> --
> Sent from my iPhone
>
> Will Senn, PhD
> Assistant Professor of Community Informatics
> School of Library and Information Studies
> Texas Woman's University
> Stoddard Hall, Room 408
> P.O. Box 425438
> Denton, TX 76204-5438
>
> Phone: 615-603-5354 <615-604-5354>
> Email: wse...@twu.edu
>
> On Apr 17, 2017, at 1:50 PM, helices <g...@mdsresource.net> wrote:
>
> Version info from previous post:
>
> CentOS release 6.8 (Final)
> gpg (GnuPG) 2.0.14
>
> CentOS Linux release 7.3.1611 (Core)
> gpg (GnuPG) 2.0.22
>
>
> We are NOT using pinentry.
>
>
> On Mon, Apr 17, 2017 at 1:37 PM, Daniel Kahn Gillmor <
> d...@fifthhorseman.net> wrote:
>
>> On Wed 2017-04-12 11:02:04 -0500, helices wrote:
>> > Yes, I saw that. On one host, that works.
>> >
>> > On other, I get following error:
>> > gpg> passwd
>> > Key is protected.
>> >
>> > You need a passphrase to unlock the secret key for
>> > user: "Sempris <public...@sempris.com>"
>> > 4096-bit RSA key, ID 80167A71, created 2016-03-18
>> >
>> > gpg: cancelled by user
>> > Can't edit this key: Operation cancelled
>>
>> We need more info about the host where this failed to help you :)
>>
>>  * What operating system? (and what version of the OS?)
>>
>>  * What version of gpg?
>>
>>  * What version of pinentry are you expecting to use?
>>
>>  * If you do the following command from the shell, do you see a pinentry
>>show up anywhere?
>>
>>   printf "option ttyname $(tty)\ngetpin\n" | pinentry
>>
>> Regards,
>>
>> --dkg
>>
>


Re: How can I change the passphrase on our secret keys?

2017-04-17 Thread helices
Version info from previous post:

CentOS release 6.8 (Final)
gpg (GnuPG) 2.0.14

CentOS Linux release 7.3.1611 (Core)
gpg (GnuPG) 2.0.22


We are NOT using pinentry.


On Mon, Apr 17, 2017 at 1:37 PM, Daniel Kahn Gillmor <d...@fifthhorseman.net>
wrote:

> On Wed 2017-04-12 11:02:04 -0500, helices wrote:
> > Yes, I saw that. On one host, that works.
> >
> > On other, I get following error:
> > gpg> passwd
> > Key is protected.
> >
> > You need a passphrase to unlock the secret key for
> > user: "Sempris <public...@sempris.com>"
> > 4096-bit RSA key, ID 80167A71, created 2016-03-18
> >
> > gpg: cancelled by user
> > Can't edit this key: Operation cancelled
>
> We need more info about the host where this failed to help you :)
>
>  * What operating system? (and what version of the OS?)
>
>  * What version of gpg?
>
>  * What version of pinentry are you expecting to use?
>
>  * If you do the following command from the shell, do you see a pinentry
>show up anywhere?
>
>   printf "option ttyname $(tty)\ngetpin\n" | pinentry
>
> Regards,
>
> --dkg
>


Re: How can I change the passphrase on our secret keys?

2017-04-17 Thread helices
What am I missing?

Why am I getting this error?

Please, advise. Thank you.


On Wed, Apr 12, 2017 at 11:02 AM, helices <g...@mdsresource.net> wrote:

> Yes, I saw that. On one host, that works.
>
> On other, I get following error:
> gpg> passwd
> Key is protected.
>
> You need a passphrase to unlock the secret key for
> user: "Sempris <public...@sempris.com>"
> 4096-bit RSA key, ID 80167A71, created 2016-03-18
>
> gpg: cancelled by user
> Can't edit this key: Operation cancelled
>
>
> What am I missing?
>
>
> On Wed, Apr 12, 2017 at 10:51 AM, Alaric L. Dailey <alar...@pengdows.com>
> wrote:
>
>> http://blog.chapagain.com.np/gpg-how-to-change-edit-private-key-passphrase/
>>
>> --
>> *From: *"helices" <g...@mdsresource.net>
>> *To: *gnupg-users@gnupg.org
>> *Sent: *Wednesday, April 12, 2017 10:35:43 AM
>> *Subject: *How can I change the passphrase on our secret keys?
>>
>> How can I change the passphrase on our secret keys?
>>
>> I've searched Google and gnupg.org to no avail.
>>
>> What am I missing?
>>
>> Versions:
>> gpg (GnuPG) 2.0.14
>> gpg (GnuPG) 2.0.22
>>
>>


Re: How can I change the passphrase on our secret keys?

2017-04-12 Thread helices
Will,

Yes, I do have the passphrase.

My problem here is that gpg NEVER challenges me for the passphrase!



On Wed, Apr 12, 2017 at 11:06 AM, Senn, William <wse...@twu.edu> wrote:

> You have to know the original secret key in order to make changes. If you
> have lost access to your original passphrase, you are completely out of
> luck.
>
> Will
>
>
> On 4/12/2017 11:02 AM, helices wrote:
>
> Yes, I saw that. On one host, that works.
>
> On other, I get following error:
> gpg> passwd
> Key is protected.
>
> You need a passphrase to unlock the secret key for
> user: "Sempris <public...@sempris.com> <public...@sempris.com>"
> 4096-bit RSA key, ID 80167A71, created 2016-03-18
>
> gpg: cancelled by user
> Can't edit this key: Operation cancelled
>
>
> What am I missing?
>
>
> On Wed, Apr 12, 2017 at 10:51 AM, Alaric L. Dailey <alar...@pengdows.com>
> wrote:
>
>> http://blog.chapagain.com.np/gpg-how-to-change-edit-private-key-passphrase/
>>
>> --
>> *From: *"helices" <g...@mdsresource.net>
>> *To: *gnupg-users@gnupg.org
>> *Sent: *Wednesday, April 12, 2017 10:35:43 AM
>> *Subject: *How can I change the passphrase on our secret keys?
>>
>> How can I change the passphrase on our secret keys?
>>
>> I've searched Google and gnupg.org to no avail.
>>
>> What am I missing?
>>
>> Versions:
>> gpg (GnuPG) 2.0.14
>> gpg (GnuPG) 2.0.22
>>
>>


Re: How can I change the passphrase on our secret keys?

2017-04-12 Thread helices
Yes, I saw that. On one host, that works.

On other, I get following error:
gpg> passwd
Key is protected.

You need a passphrase to unlock the secret key for
user: "Sempris <public...@sempris.com>"
4096-bit RSA key, ID 80167A71, created 2016-03-18

gpg: cancelled by user
Can't edit this key: Operation cancelled


What am I missing?


On Wed, Apr 12, 2017 at 10:51 AM, Alaric L. Dailey <alar...@pengdows.com>
wrote:

> http://blog.chapagain.com.np/gpg-how-to-change-edit-private-key-passphrase/
>
> ------
> *From: *"helices" <g...@mdsresource.net>
> *To: *gnupg-users@gnupg.org
> *Sent: *Wednesday, April 12, 2017 10:35:43 AM
> *Subject: *How can I change the passphrase on our secret keys?
>
> How can I change the passphrase on our secret keys?
>
> I've searched Google and gnupg.org to no avail.
>
> What am I missing?
>
> Versions:
> gpg (GnuPG) 2.0.14
> gpg (GnuPG) 2.0.22
>
>


How can I change the passphrase on our secret keys?

2017-04-12 Thread helices
How can I change the passphrase on our secret keys?

I've searched Google and gnupg.org to no avail.

What am I missing?

Versions:
gpg (GnuPG) 2.0.14
gpg (GnuPG) 2.0.22


Re: With which key did I sign my encrypted file?

2017-03-29 Thread helices
Peter,

Thank you. That suffices.

Notice that I did provide --version in my original post.

~ helices


On Wed, Mar 29, 2017 at 10:40 AM, Peter Lebbing <pe...@digitalbrains.com>
wrote:

> Hello,
>
> To solve your problem, could you please also post the commands that you
> used to create the files? The information you gave is really too little
> to go on. And also always include which version of GnuPG you're using
> (gpg --version).
>
> On 28/03/17 15:22, helices wrote:
> > Once in awhile, we get pushback from a recipient that they cannot
> > decrypt our file, and sometimes they claim it is because the encrypted
> > file is signed.
>
> I do not understand why the file being signed would be a problem. I'd
> say it's a good thing it's signed.
>
> > $ /usr/bin/gpg --verify NO-sign.pgp
> > gpg: verify signatures failed: Unexpected error
>
> That's what I see for a file that isn't signed. I'd say it's expected,
> though really terse. You're asking it to verify a signature, but don't
> give it a signature. I'd say the file is unexpected rather than the
> error! ;-)
>
> On 29/03/17 16:46, helices wrote:
> > How can I see if an encrypted file is signed and by whom?
>
> If you don't mind decrypted files being saved to disc, either:
>
> ---8<->8---
> $ gpg enc.txt.gpg
> gpg: encrypted with 2048-bit RSA key, ID 73A33BEE, created 2009-11-12
>   "Peter Lebbing <pe...@digitalbrains.com>"
> File `enc.txt' exists. Overwrite? (y/N) y
> ---8<->8---
>
> to invoke the default action on the file, and since this is an
> encrypted file that is not signed no signature information is shown. Or
> explicitly:
>
> ---8<->8---
> $ gpg -o /dev/null -d enc.txt.gpg
> gpg: encrypted with 2048-bit RSA key, ID 73A33BEE, created 2009-11-12
>   "Peter Lebbing <pe...@digitalbrains.com>"
> ---8<->8---
>
> Which tells GnuPG to decrypt, but send the result to /dev/null, in
> other words, will not create or attempt to overwrite files on disc.
>
> For an encrypted file with a signature it'll look like this instead:
>
> ---8<->8---
> $ gpg enc-signed.txt.gpg
> gpg: encrypted with 2048-bit RSA key, ID 73A33BEE, created 2009-11-12
>   "Peter Lebbing <pe...@digitalbrains.com>"
> File `enc-signed.txt' exists. Overwrite? (y/N) y
> gpg: Signature made Wed 29 Mar 2017 17:28:28 CEST using RSA key ID DE6CDCA1
> gpg: Good signature from "Peter Lebbing <pe...@digitalbrains.com>"
> ---8<->8---
>
> ---8<->8---
> $ gpg -o /dev/null -d enc-signed.txt.gpg
> gpg: encrypted with 2048-bit RSA key, ID 73A33BEE, created 2009-11-12
>   "Peter Lebbing <pe...@digitalbrains.com>"
> gpg: Signature made Wed 29 Mar 2017 17:28:28 CEST using RSA key ID DE6CDCA1
> gpg: Good signature from "Peter Lebbing <pe...@digitalbrains.com>"
> ---8<->8---
>
> There are commands to really dive into the contents of an OpenPGP file,
> but this might overwhelm rather than inform you.
>
> HTH,
>
> Peter.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
>
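
Worked example (added here; it is not code from the thread or from GnuPG): a small Python walker over the packet headers of an OpenPGP message, following the framing rules of RFC 4880 section 4.2. It makes Peter's answer concrete. Before decryption the only packets visible in an encrypted file are the public-key encrypted session key packets (one per recipient, each carrying that recipient's key ID) and the encrypted data packet; a signature made before encryption lives inside the encrypted packet. That is why 'gpg --verify' on such a file has no signature to work with and you have to decrypt (to /dev/null if you prefer) to see who signed it. The two sample messages are constructed byte strings with a dummy key ID and opaque bodies; only the headers are real and nothing here decrypts anything.

```python
"""Walk the packet headers of an OpenPGP message (RFC 4880 section 4.2)
and report what is visible *before* decryption.

Added example, not code from the thread or from GnuPG.  ENCRYPTED and
SIGNED_ONLY are constructed byte strings with a dummy key ID and opaque
MPI / ciphertext / signature bodies; only the framing is real.
"""
from __future__ import annotations

import struct

TAG_NAMES = {
    1: "PKESK (public-key encrypted session key)",
    2: "Signature",
    4: "One-pass signature",
    8: "Compressed data",
    9: "Symmetrically encrypted data (no MDC)",
    11: "Literal data",
    18: "Sym. encrypted integrity protected data",
}


def _old_length(data: bytes, pos: int, ltype: int) -> tuple[int, int]:
    """Old-format header: length types 0/1/2 use 1/2/4 octets; 3 means 'to end'."""
    if ltype == 3:
        return len(data) - pos, pos
    n = (1, 2, 4)[ltype]
    return int.from_bytes(data[pos:pos + n], "big"), pos + n


def _new_length(data: bytes, pos: int) -> tuple[int, int]:
    """New-format header: one-, two- or five-octet lengths (partial bodies not handled)."""
    first = data[pos]
    if first < 192:
        return first, pos + 1
    if first < 224:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
    if first == 255:
        return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5
    raise ValueError("partial body lengths are not handled in this example")


def iter_packets(data: bytes):
    """Yield (tag, body) for each top-level packet in data."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"byte {pos}: not an OpenPGP packet header")
        if ctb & 0x40:                       # new format: tag in the low 6 bits
            tag = ctb & 0x3F
            length, pos = _new_length(data, pos + 1)
        else:                                # old format: tag in bits 2..5
            tag = (ctb >> 2) & 0x0F
            length, pos = _old_length(data, pos + 1, ctb & 0x03)
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        pos += length


def describe(data: bytes) -> list[str]:
    """One line per top-level packet; PKESK lines carry the recipient key ID."""
    lines = []
    for tag, body in iter_packets(data):
        name = TAG_NAMES.get(tag, f"tag {tag}")
        if tag == 1 and len(body) >= 10 and body[0] == 3:
            keyid = body[1:9].hex().upper()
            lines.append(f"{name}: version 3, recipient key ID {keyid}, pk algo {body[9]}")
        else:
            lines.append(name)
    return lines


def signature_visible(data: bytes) -> bool:
    """True only when a signature packet sits at the top level (signed, not
    encrypted).  A sign-then-encrypt message keeps its signature inside the
    encrypted packet, so this returns False for it without decrypting."""
    return any(tag in (2, 4) for tag, _ in iter_packets(data))


def new_packet(tag: int, body: bytes) -> bytes:
    """Frame a body in a new-format header with a one- or two-octet length."""
    if len(body) < 192:
        return bytes([0xC0 | tag, len(body)]) + body
    n = len(body) - 192
    return bytes([0xC0 | tag, 192 + (n >> 8), n & 0xFF]) + body


# --- constructed samples: dummy key ID, opaque bodies, no real crypto ------
DUMMY_KEYID = bytes.fromhex("0123456789ABCDEF")
# v3 PKESK: key ID, pk algo 1 (RSA), then a (fake) 16-bit MPI
PKESK_BODY = b"\x03" + DUMMY_KEYID + b"\x01" + b"\x00\x10" + b"\xAA\xBB"
ENCRYPTED = new_packet(1, PKESK_BODY) + new_packet(18, b"\x01" + b"\x5A" * 40)
SIGNED_ONLY = (new_packet(4, b"\x03\x00\x08\x01" + DUMMY_KEYID + b"\x01")
               + new_packet(11, b"b\x00" + b"\x00" * 4 + b"hello\n")
               + new_packet(2, b"\x04\x00\x01\x08" + b"\x00" * 20))
```

On a real file the same information is what 'gpg --list-packets' prints for the outer layer; the recipient key IDs it shows are the ones that matter when a recipient claims they cannot decrypt, since a file encrypted to the wrong key fails regardless of whether it was also signed.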


Re: With which key did I sign my encrypted file?

2017-03-29 Thread helices
How can I see if an encrypted file is signed and by whom?

Please, advise. Thank you.

~ helices



On Tue, Mar 28, 2017 at 8:22 AM, helices <g...@mdsresource.net> wrote:

> My company uses several keys for signing files encrypted with one of many
> recipient public keys.
>
> Once in awhile, we get pushback from a recipient that they cannot decrypt
> our file, and sometimes they claim it is because the encrypted file is
> signed.
>
> Yesterday, I took the same file, encrypted it and signed it, as well as
> encrypting it without signing it.
>
> $ /usr/bin/gpg --verify signed.pgp
> gpg: verify signatures failed: Unexpected error
>
> $ /usr/bin/gpg --verify NO-sign.pgp
> gpg: verify signatures failed: Unexpected error
>
> $ /usr/bin/gpg --version
> gpg (GnuPG) 2.0.14
>
> What am I missing?
>
> Please, advise. Thank you.
>
> ~ helices
>
>


With which key did I sign my encrypted file?

2017-03-28 Thread helices
My company uses several keys for signing files encrypted with one of many
recipient public keys.

Once in awhile, we get pushback from a recipient that they cannot decrypt
our file, and sometimes they claim it is because the encrypted file is
signed.

Yesterday, I took the same file, encrypted it and signed it, as well as
encrypting it without signing it.

$ /usr/bin/gpg --verify signed.pgp
gpg: verify signatures failed: Unexpected error

$ /usr/bin/gpg --verify NO-sign.pgp
gpg: verify signatures failed: Unexpected error

$ /usr/bin/gpg --version
gpg (GnuPG) 2.0.14

What am I missing?

Please, advise. Thank you.

~ helices


Re: PCI DSS compliance

2016-11-10 Thread helices
O, yes! I forgot about that :-(

I understand  as far as this goes.

Our company must decrypt ~100 files 7x24 in near real time. How can 
work - or any reasonable alternative - in such a production environment?

~ Mike


On Thu, Nov 10, 2016 at 9:07 AM, Kristian Fiskerstrand <
kristian.fiskerstr...@sumptuouscapital.com> wrote:

> On 11/10/2016 03:50 PM, helices wrote:
> > So would I!
> >
> > At this point, our company must achieve PCI DSS compliance before year
> end,
> > and the road to that necessity leads through this auditor, who insists
> that
> > PGP satisfies all requirements.
> >
> > There is no explanation that he shares with us.
>
> I'd expect it being reference to shamir secret sharing scheme that I
> believe formed part of PGP at some point, but haven't really looked into
> PGP for a while. This would allow e.g split key in 5 parts and require 2
> or 3 at the same time to access it. For the automated system, presumably
> would require two administrators to set it up, and expectation that
> nobody willfully modify the application or read the full private key in
> memory for the regular operation, but at that point would hinder any one
> admin to have access to the full key to use outside of the system.
>
> --
> 
> Kristian Fiskerstrand
> Blog: https://blog.sumptuouscapital.com
> Twitter: @krifisk
> 
> Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
> fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
> 
> Aut disce aut discede
> Either learn or leave
>
>
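A worked k-of-n split of the kind Kristian sketches above (five custodians, any three of whom can recover the key), as an added Python example that is not code from the thread, PGP or GnuPG; the 2**521 - 1 prime field, the 3-of-5 parameters and the demo secret are my own choices:

```python
import secrets

# Constructed choice: the Mersenne prime 2**521 - 1, so a 256-bit symmetric
# key (or a short passphrase) fits in one field element.
PRIME = (1 << 521) - 1

def _poly(coeffs, x):
    # Horner evaluation of coeffs[0] + coeffs[1]*x + ... (mod PRIME)
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split_secret(secret, n, k):
    """Return n shares (x, y) of which any k reconstruct `secret`."""
    if not (0 <= secret < PRIME and 1 <= k <= n < PRIME):
        raise ValueError("secret outside the field or bad threshold")
    # Constant term is the secret; the other k-1 coefficients are uniformly
    # random, so any k-1 shares are consistent with every possible secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _poly(coeffs, x)) for x in range(1, n + 1)]

def reconstruct_secret(shares):
    """Lagrange interpolation at x = 0 from any k (or more) distinct shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # pow(den, PRIME - 2, PRIME) is the modular inverse (Fermat)
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total

def custody_demo(secret):
    """Five custodians, any three needed: recovery with 3 shares succeeds,
    with 2 it yields a wrong value (a correct one has probability 1/PRIME)."""
    shares = split_secret(secret, 5, 3)
    three_ok = reconstruct_secret([shares[0], shares[2], shares[4]]) == secret
    two_ok = reconstruct_secret(shares[:2]) == secret
    return three_ok, two_ok
```

The shares, not the key, are what each administrator holds; the automated decryptor still has to assemble the full key in memory, which is the residual exposure Kristian points out.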


Re: PCI DSS compliance

2016-11-10 Thread helices
So would I!

At this point, our company must achieve PCI DSS compliance before year end,
and the road to that necessity leads through this auditor, who insists that
PGP satisfies all requirements.

There is no explanation that he shares with us.

~ Mike



On Thu, Nov 10, 2016 at 8:27 AM, Mark H. Wood  wrote:

> I would be interested to hear this auditor's explanation of how *any*
> completely automated software system can protect private keys from a
> human with access to the system.
>
> --
> Mark H. Wood
> Lead Technology Analyst
>
> University Library
> Indiana University - Purdue University Indianapolis
> 755 W. Michigan Street
> Indianapolis, IN 46202
> 317-274-0749
> www.ulib.iupui.edu
>


Re: GPG cannot import public key

2014-04-24 Thread helices
, my
ultimate goal is to have a public key from this vendor that works
automatically, just like the hundreds of others that we have. That is to
say, a signed public key that we can sign and to which we can assign trust,
and that we can use to automatically encrypt and sign files that will be
sent to them on a regular basis.  Secondly, I understand and respect this
vendor's desire to use one (1) key pair with all of their vendors.

Can their original key be fixed?  Why does legacy GPG accept that public
key?

I welcome all comments, suggestions and review. Thank you

~ helices


On Wed, Apr 23, 2014 at 10:25 PM, David Shaw ds...@jabberwocky.com wrote:

 On Apr 23, 2014, at 11:14 PM, David Shaw ds...@jabberwocky.com wrote:

  On Apr 23, 2014, at 3:24 PM, helices g...@mdsresource.net wrote:
 
  No matter how I try, I cannot encrypt a file using that public key,
 even using --edit-key to assign trust:
 
  gpg: 845F5188: skipped: Unusable public key
 
  gpg: /tmp/test.txt: encryption failed: Unusable public key
 
 
  The owner of the public key insists that it is self-signed; but, our
 GPG cannot find the self-signature
 
  It doesn't look like it's self-signed, but without looking at the key
 itself, I couldn't say for sure.  Is it posted anywhere on the net?
 
  In any event, you can override the check for encryption with the same
 flag you used to override the check on import.  So:
 
   gpg -r 845F5188 --allow-non-selfsigned-uid -e
 the-file-i-am-encrypting-etc.txt

 I should add, though, that overriding these checks is something you should
 do with suitable verification of the key.  Don't override the check unless
 you know what you're doing, and have assured yourself that the key you are
 encrypting to is really owned by the person/group that you believe it is.
  Those checks are there for a reason.

 David




Re: GPG cannot import public key

2014-04-24 Thread helices
 doesn't exist in the maths, it's added at the application level.)

 Interestingly, the key contains a binding between another user (Josh
 Miller) and the public key. This signature again lies about the type of the
 issuing key, although this one is made with SHA1 instead of SHA256. Again,
 the signature seems valid.

 -- Further remarks --

 I should reiterate that I'm not fluent in GPG's code, so I'm only
 speculating as to the behaviour of GPG.

 You asked if it is possible to 'fix' the first key. As far as I can tell,
 you should just be able to use the second key: they both publish the same
 key and the user id - key binding you wanted. If you really wanted to,
 you could delete the second user id and signature after importing the key.

 Hope this helps,
 Daniel


 On 24/04/2014, at 11:15 PM, helices g...@mdsresource.net wrote:

  Thank you, for your response.
 
  [1]
  -----BEGIN PGP PUBLIC KEY BLOCK-----
  Version: Encryption Desktop 10.3.0 (Build 8741)
 
  -----END PGP PUBLIC KEY BLOCK-----
 
  [2] Interestingly enough, importing this key with gpg (GnuPG) 1.4.5 is
 successful:
  # gpg --import /tmp/imps.asc
  gpg: key 845F5188: public key Concerto Support Key 
 concerto.supp...@impact-ps.com imported
  gpg: Total number processed: 1
  gpg:   imported: 1  (RSA: 1)
 
  [3] After several attempts to export a usable public key, they created a
 NEW keypair using their Encryption Desktop 10.3.0, which is successful. Of
 course, since they claim to be using the original without incident with
 many other vendors, they want to fix their original keys.
 
  [4] Worse, they tried to export it again and we got this error:
  # gpg --import /tmp/imps.asc
  O j: ... this is a bug (sexp.c:1259:sexp_sscan)
  Aborted
 
  -----BEGIN PGP PUBLIC KEY BLOCK-----
  Version: Encryption Desktop 10.3.0 (Build 8741)
 

Re: GPG cannot import public key

2014-04-24 Thread helices
Thank you, David

For now, they have agreed to move forward with the new key pair that they
created yesterday, using that same Encryption Desktop 10.3.0 (Build 8741)
PGP is Symantec for several years now ...

It is strange to me that the newly created public key breezed through our
import processes without incident.

I cannot be sure how their original key pair was originally created - they
say that they have been using it for quite awhile. It would be nice - for
them now and for me in the future - if their original key can be fixed.

Mostly, I'm not certain how much of this is GPG and how much is whatever is
on their side.


On Thu, Apr 24, 2014 at 12:55 PM, David Shaw ds...@jabberwocky.com wrote:

 On Apr 24, 2014, at 9:15 AM, helices g...@mdsresource.net wrote:

  Thank you, for your response.
 
  [1]
  -----BEGIN PGP PUBLIC KEY BLOCK-----
  Version: Encryption Desktop 10.3.0 (Build 8741)

 [..]

  -----END PGP PUBLIC KEY BLOCK-----

 Interesting!  This definitely has a selfsig, but the key itself is very
 odd.  It's an RSA sign-only key, which is deprecated in OpenPGP.  The
 subkey is similarly odd - a RSA encrypt-only key, also deprecated.  The
 header says it came from Encryption Desktop, which is a Symantec product
 (well, it is now).  I don't know why that key is using deprecated key
 types, but certainly something is odd there.

 RFC-4880 (published back in 2007) says:

RSA Encrypt-Only (2) and RSA Sign-Only are deprecated and SHOULD NOT be
generated, but may be interpreted.

 Weirder, the selfsig says it's a RSA signature (not RSA_S), so you have
 the odd situation of a key (RSA_S) and its self-sig (RSA) being from
 different algorithms.

 So, it's legal for GPG to not accept this key (using deprecated
 algorithms), though the error message you got seems misleading to me.

  [2] Interestingly enough, importing this key with gpg (GnuPG) 1.4.5 is
 successful:
  # gpg --import /tmp/imps.asc
  gpg: key 845F5188: public key Concerto Support Key 
 concerto.supp...@impact-ps.com imported
  gpg: Total number processed: 1
  gpg:   imported: 1  (RSA: 1)

 GPG 1.4.5 treats RSA_S and RSA_E as identical to RSA for existing keys,
 but does not allow generating them.  This is legal as per the spec (i.e.
 don't generate them, but it's optional to use them).

 I'm afraid I don't have immediate access to the GPG 2.x code base to
 check, but I wonder if your problem is simply that 2.x doesn't accept RSA_S
 and RSA_E keys?

 David


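The two oddities David describes (a primary key using the deprecated RSA_S, algorithm 3, and a self-signature whose public-key algorithm field says plain RSA, algorithm 1) can be checked mechanically by walking the key's packets. This is an added Python example, not code from the thread or from GnuPG; the toy key it builds, with its tiny MPIs, fake timestamp and fake digest, is constructed for the demo:

```python
import struct

PK_ALGO = {1: "RSA", 2: "RSA_E (encrypt-only, deprecated)",
           3: "RSA_S (sign-only, deprecated)", 17: "DSA"}

def iter_packets(data):
    """Yield (tag, body) for each packet; old- and new-format headers (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if ctb & 0x40:                                   # new-format header
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            else:
                raise ValueError("5-octet and partial body lengths not supported")
        elif ctb & 0x80:                                 # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 3
            n = (1, 2, 4)[ltype]        # lentype 3 (indeterminate) -> IndexError
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        else:
            raise ValueError("not an OpenPGP packet")
        yield tag, data[i:i + length]
        i += length

def audit_key(data):
    """Findings for a v4 primary key, its subkeys and their certifications."""
    findings, key_algo = [], None
    for tag, body in iter_packets(data):
        if tag in (6, 14) and body[0] == 4:              # public key / subkey
            algo = body[5]                               # version(1) + time(4) + algo
            key_algo = algo if tag == 6 else key_algo
            if algo in (2, 3):
                findings.append(f"{'subkey' if tag == 14 else 'primary key'} uses {PK_ALGO[algo]}")
        elif tag == 2 and body[0] == 4 and 0x10 <= body[1] <= 0x13:   # certification
            if key_algo is not None and body[2] != key_algo:
                findings.append(f"certification algo {body[2]} != key algo {key_algo}")
    return findings

def build_key(key_algo, sig_algo):
    """Constructed toy key: tiny MPIs, fake timestamp/digest, old-format headers."""
    mpi = lambda v: struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")
    pk = b"\x04" + struct.pack(">I", 1362441600) + bytes([key_algo]) + mpi(0xC7) + mpi(0x11)
    hashed = b"\x05\x02" + struct.pack(">I", 1362441600)        # creation-time subpacket
    sig = (b"\x04\x13" + bytes([sig_algo, 8]) + struct.pack(">H", len(hashed)) + hashed
           + b"\x00\x00\xab\xcd" + mpi(0x2A))
    pkts = ((6, pk), (13, b"Test Key <test@example.invalid>"), (2, sig))
    return b"".join(bytes([0x80 | (t << 2), len(body)]) + body for t, body in pkts)
```

On a real key, feed `audit_key` the binary export (`gpg --export 845F5188`), not the ASCII-armored block.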


GPG cannot import public key

2014-04-23 Thread helices
GPG version trying to import: gpg (GnuPG) 2.0.14

Header from shared armored public key: Version: Encryption Desktop 10.3.0
(Build 8741)

GPG error on import:

# gpg --import /tmp/imps.asc
gpg: key 845F5188: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: Total number processed: 1
gpg:   w/o user IDs: 1

Other GPG import:

# gpg --allow-non-selfsigned-uid --import /tmp/imps.asc
gpg: key 845F5188: accepted non self-signed user ID Concerto Support Key 
concerto.supp...@impact-ps.com
gpg: key 845F5188: public key Concerto Support Key 
concerto.supp...@impact-ps.com imported
gpg: Total number processed: 1
gpg:   imported: 1  (RSA: 1)

Then:

# gpg --list-keys 845F5188
pub  0s/845F5188 2013-03-05
uid  Concerto Support Key concerto.supp...@impact-ps.com

# gpg --edit-key 845F5188
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub 0s/845F5188  created: 2013-03-05  expires: never   usage: SC
 trust: unknown   validity: unknown
[ unknown] (1). Concerto Support Key concerto.supp...@impact-ps.com

Command> sign
User ID Concerto Support Key concerto.supp...@impact-ps.com is not
self-signed.  Unable to sign.
Nothing to sign with key 31A070A8

No matter how I try, I cannot encrypt a file using that public key, even
using --edit-key to assign trust:

gpg: 845F5188: skipped: Unusable public key
gpg: /tmp/test.txt: encryption failed: Unusable public key



The owner of the public key insists that it is self-signed; but, our GPG
cannot find the self-signature

What am I missing?

Please, advise. Thank you