OT: Best way to send e-mails to a recipient that does know encryption

2024-01-02 Thread john doe via Gnupg-users

Hi,

I need to send personal information to a recipient who has no idea what
encryption is nor is able to decrypt an encrypted e-mail.

I do not want to use Gmail to send that kind of information and I'm
contemplating using posteo.de.

Is this any better?

In other words, how do you use e-mails with a recipient that should be
able to open and reply to e-mails as usual?

Sorry for being OT.

--
John Doe

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users


OT: Re: 32768-bit key

2023-08-27 Thread john doe via Gnupg-users

On 8/27/23 08:42, isp_stream via Gnupg-users wrote:




I do not get the point of this thread, please stop.

--
John Doe




OT: Re: Does the PGP public key at https://www.washingtonpost.com/anonymous-news-tips/

2022-08-07 Thread john doe via Gnupg-users

Sorry for hijacking the thread but without the context I'm not sure that
my question would have been understandable.

On 8/7/2022 7:59 PM, Andrew Gallagher via Gnupg-users wrote:



On 7 Aug 2022, at 17:28, Jay Sulzberger via Gnupg-users  
wrote:

Andrew, do the sks keyservers work today?

I was able to find the key by going to

https://keyserver.ubuntu.com/

and putting

EC6C2905F0F93C0373946CA10642427A5FF780BE

into the search box.


Do you mean SKS the software (i.e. github.com/sks-keyserver) or SKS the 
protocol/network? The answer in both cases is “yes”, but for different values 
of “yes”. 🤓

What doesn’t work any more is the sks-keyservers.net pool, which had become a 
nightmare to manage. This has been taken by many to mean that the SKS network 
itself is down, but this is absolutely not the case.

sks-keyserver still works, but is IMO not suitable for use in production unless 
you are an expert willing to roll your own load balancing pool and recompile 
the code to update blacklists (there are still a few such brave souls left). 
This may change in the future — the software is maintained but hasn’t had a 
significant feature bump in some time.

The SKS network also still works, and depending on your choice of metric is 
probably more stable today than it has ever been. The reasons are twofold: many 
operators have migrated from sks-keyserver to hockeypuck, and most of the rest 
have shut down. This means that although there are fewer keyservers now than 
five years ago, the ones that do exist (including keyserver.ubuntu.com) are 
generally much more reliable.

Information about the SKS network can be found at https://spider.pgpkeys.eu



Why did you publish the key to the sks key servers?

I guess my question is about the reasoning behind using sks key server
instead of WKD or Hagrid.

--
John Doe



Re: question of verifying signatures

2022-06-11 Thread john doe via Gnupg-users

On 6/11/2022 4:24 PM, Linus Virtanen via Gnupg-users wrote:

Hi, I try to verify GPG signature of multiple applications on Windows but I
failed. A friend of mine tried and failed. He said that you do not need
verify GPG signature. He says it is waste of time. Is it really necessary
to verify GPG signature? If it is necessary, would you tell me why? Thank
you.


It is up to you to decide if you want to verify a GPG signature.

To verify a signature it is required to import a public key, look for
instructions on the site from which you downloaded what is to be verified.

--
John Doe



Re: use text pinentry in the console

2022-02-22 Thread john doe via Gnupg-users

On 2/22/2022 5:28 PM, Fourhundred Thecat via Gnupg-users wrote:

Hello,

when I type a gpg command in the terminal, such as:

   gpg -c foo

the GUI pinentry dialog pops up to ask for password (I guess it's
pinentry-gtk-2)

How can I configure so that the ncurses (text based) dialog is used
instead?

I am using gpg 2.2.12 on Debian 10



On Debian you need to use:

$ update-alternatives --config pinentry

--
John Doe



Re: Install gnupg on Linux machine ( For gpg encryption & decryption )

2022-01-04 Thread john doe via Gnupg-users

On 1/4/2022 4:17 AM, Rayapati Rama Rao (NCS) wrote:

Hi Team,

Good Morning!

Could you please let me know which gnupg software to download for Linux machine to 
make use of gpg encryption & decryption.
Also, may I know if any packages required to install on Linux prior to gnupg 
installation.
If possible could you please provide me the steps to install gnupg on Linux 
machine.
Thanks in advance, have a wonderful day.



Can't you simply use the package manager of your distribution?

--
John Doe



Re: Issue when running in command in batch

2021-10-08 Thread john doe via Gnupg-users

On 10/8/2021 9:01 AM, luc.dedroog--- via Gnupg-users wrote:

Hi,

I have an issue with gnupg because I would like to run it in batch (to allow
several users to maintain the keys) but I never succeed to use the parameter
'--command-fd n' or '--command-file file' as explained in the documentation for
the 'edit-key'.
I run gnupg on iSeries IBM machine.
Does the version I run (1.4.10) include this possibility?
Have you some example for it?



Not really without seeing the command that is failing for you and the
expected result.

Adding the URL that is pointing to the documentation you are referring to
would be best.

--
John Doe



Re: A key doesn't get imported from one of the keyservers

2021-08-04 Thread john doe via Gnupg-users

On 8/4/2021 10:35 AM, Werner Koch via Gnupg-users wrote:

On Tue,  3 Aug 2021 11:19, Vincent Breitmoser said:


Unlike the other keyservers, keys.openpgp.org has a [privacy policy] that
doesn't permit distributing email addresses without consent. The key


It is not a privacy policy but a serious misconception much like what
keyserver.com and PGP Universal Server did a long time ago.

The OpenPGP spec requires a User ID for the on-wire format of a public
key.  Any implementation which violates this rule is not OpenPGP
compliant.

The privacy argument on the a user id is layman's idea of the GDPR.  In
fact the key itself is not different than an IP address or mail address
and in fact more stronger personal data or a natural person than the
latter.

Note that out of reasons of data minimization I would suggest to create
new keys only with a mail address and not with any other data.  For
example posteo.de has such a rule for keys used on their platform;


If I understand correctly, the 'real name' and 'comment' should be left out.

1)  https://posteo.de/en/help/policies-for-public-keys#names

--
John Doe



Re: gpg --delete-keys --yes asks for confirmation

2021-08-02 Thread john doe via Gnupg-users

On 8/2/2021 11:02 PM, Yuri Kanivetsky via Gnupg-users wrote:

Hi,

```
$ gpg --delete-keys --yes 7D2BAF1CF37B13E2069D6956105BD0E739499BDB
gpg (GnuPG) 2.2.29; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa4096/105BD0E739499BDB 2016-11-11 Piotr Kuczynski


Delete this key from the keyring? (y/N)
```

Is this a bug or a feature? If the latter, why? How do I delete a key
from a script?



By using the '--batch' option:

$ gpg --dry-run --batch --delete-keys --yes
7D2BAF1CF37B13E2069D6956105BD0E739499BDB


Note that this e-mail is folded by my mailer.

--
John Doe



Re: Call me crazy, but ...

2021-07-15 Thread john doe via Gnupg-users

On 7/15/2021 12:51 AM, Стефан Васильев via Gnupg-users wrote:

Brandon Anderson wrote:

Andrew Gallagher wrote:

On 14 Jul 2021, at 18:34, Стефан Васильев via Gnupg-users
 wrote:

Viktor wrote:


Is 'Стефан Васильев ' the same person that was
banned from this very list a few months back?

It looks like I'm seeing the same stuff as before.

--
John Doe


Re: Multiple Yubikeys/Smartcards and Thunderbird email client

2021-07-15 Thread john doe via Gnupg-users

On 7/15/2021 12:24 PM, Ingo Klöcker wrote:

On Donnerstag, 15. Juli 2021 03:22:47 CEST Brandon Anderson via Gnupg-users
wrote:

I have several Yubikeys and smartcards in my setup, each with its own
signing subkeys, and I use these, among other things, to sign email
messages. Whenever I want to send an email on thunderbird, it demands a
specific smartcard by serial number for email signing and will refuse to
use the smartcard/Yubikey plugged into the system.


Which version of gpg are you using? If you are not using 2.3, then please
retry with gpg 2.3.1. Support for multiple smartcards was significantly
improved in 2.3.



Is this still relevant with the built-in gpg stuff of TB?

--
John Doe



Re: Command line decryption/encryption

2021-06-24 Thread john doe via Gnupg-users

On 6/23/2021 3:31 PM, Terry Pierce wrote:

Hi,

Let me start off with I am totally new to GPG/Kleopatra.  We use different 
encryption tools here and one of our clients uses GPG.  I have already 
automated the processing of files using our tool and now have a need to build 
in a call to handle the decryption of these files.

Looking online, I get the basic usage:  gpg -d myfile.dat.gpg

Two questions:

* I don't see the GPG (GGP4win?) executable anywhere in the GPG4Win 
folders.  How do I generate it?



The executable is in the subdirectory 'bin' as 'gpg.exe'.


* Is there a way to pass any passphrase/key to it on the command line?



I would not do that but if I'm not mistaken you could use a file
descriptor instead of specifying a password on the command line.

A better idea is to use a file that contains the passphrase if you need
to automate d/encryption or to use the agent.

--
John Doe
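
The file-descriptor approach mentioned in the reply above, as an added example that is not part of the original thread. It assumes a POSIX shell and GnuPG 2.1 or later, where `--passphrase-fd` needs `--batch` and `--pinentry-mode loopback`; the function names and the permission check are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): hand the passphrase to gpg on a file
# descriptor so it never shows up in the process list (argv).

# Succeeds only if the passphrase file is a regular file (not a symlink)
# with no group/other permission bits, read from the ls -ld mode string.
passfile_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    mode=$(ls -ld -- "$1" | cut -c5-10)   # group and other bits
    [ "$mode" = "------" ]
}

# decrypt_batch PASSFILE INPUT OUTPUT
# Returns 2 without calling gpg when PASSFILE is readable by others.
decrypt_batch() {
    passfile_is_private "$1" || {
        echo "refusing: $1 must be a regular file with mode 600 or stricter" >&2
        return 2
    }
    # fd 3 is opened on the passphrase file; gpg reads only its first line.
    gpg --batch --yes --pinentry-mode loopback --passphrase-fd 3 \
        --output "$3" --decrypt "$2" 3<"$1"
}
```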



Re: Follow-up on L'Affaire Stallman

2021-04-08 Thread john doe via Gnupg-users

On 4/8/2021 5:19 PM, Robert J. Hansen via Gnupg-users wrote:

If anyone in the community has strong feelings about the FAQ -- what
should go in, what should be left out, etc. -- now's the time.



The only thing that I can say is that I would rather see a FAQ that
reflects the current implementation of GPG than a non-up to date FAQ per
lack of user consensus (1).

EG:

Due to a lack of consensus, the FAQ was never updated to reflect that
'3072' is now the default in GPG.


That is to say, that in my view a FAQ that explains clearly how to use
GPG is somewhat more important than community feedback.
A statement to that effect at the top of the page could be added
describing why this way was chosen.


1)  https://lists.gnupg.org/pipermail/gnupg-users/2021-March/064974.html

--
John Doe



Re: We shall value email usage

2021-03-25 Thread john doe via Gnupg-users

On 3/25/2021 12:34 PM, Klaus Ethgen wrote:

Hi,

Am Do den 25. Mär 2021 um 11:51 schrieb Bernhard Reiter:

To me the protected headers implementation Thunderbird is a step back,
as it leads to unnecessary data leaks (subject and cc) to other clients
which are OpenPGP/MIME compatible.


Well, there is other..

For example, if you start editing a mail with thunderbird and put it to
drafts. Then finishing the edit with mutt. This will leak the following
headers:
- user-agent
- x-mailer
- x-mozilla-draft-info
- x-enigmail-draft-status
- x-account-key
- x-identity-key
- fcc

Even when sending mails just from thunderbird, it leaks at least the
user-agent header.

Currently I configured my MTA to remove those headers for outgoing mails.


You can disable the usage of the user-agent in TB, one can only hope for
the others as well.

--
John Doe



Re: [EXT] Best practices for obtaining a new GPG certificate

2021-03-18 Thread john doe via Gnupg-users

On 3/18/2021 2:39 PM, Andreas K. Huettel wrote:

https://www.gentoo.org/glep/glep-0063.html
https://wiki.gentoo.org/wiki/Project:Infrastructure/Generating_GLEP_63_based_OpenPGP_keys



Reading the URLs given by the OP, I see that the GPG FAQ (1) talks about
a default of '2048' but in the latest (2.2.17) release of GPG it looks
like the default is now '3072':

gpg --expert --full-gen-key
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key
  (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072)


Am I missing something?


1)  https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096

--
John Doe



Re: [EXT] Best practices for obtaining a new GPG certificate

2021-03-18 Thread john doe via Gnupg-users

On 3/18/2021 10:21 AM, Andreas K. Huettel wrote:

Hi David,

when Gentoo switched to requiring gpg-signed git commits and pushes, we put
some thought into requirements and best practices. Minus the Gentoo-specific
parts, this is probably good reading:

https://www.gentoo.org/glep/glep-0063.html
https://wiki.gentoo.org/wiki/Project:Infrastructure/
Generating_GLEP_63_based_OpenPGP_keys


On the pages, I get 'There is currently no text in this page. You can
search for this page title in other pages, or ...'.
Am I missing something?

--
John Doe



Re: Verifying and checksumming new release is somewhat cumbersome

2020-12-02 Thread john doe via Gnupg-users

On 11/29/2020 12:53 PM, Werner Koch wrote:

On Sat, 28 Nov 2020 07:57, john doe said:


If I look at Debian (1) for example, the checksum file is gpg signed.
Assuming that I understand correctly, the Debian approach is not a safe
way to make the checksums available?propagate?


No, that is a safe way.

Having a separate file with checksums is sometimes better for the
signing workflow.  It also allows to sign/verify a bunch of files with
just one operation.  It also avoids the need to download and upload all
files to a dedicated signing box.  Only since GnuPG 2.2 the latter could
be handled using gpg-agent's remote feature.



Interesting, just to be sure you are referring to the below option from (1)?:

"--extra-socket name"


Is the release workflow documented somewhere so a non-dev could look to
implement this ?


In other words, is it worth considering such a move.

1)
https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html#Agent-Options

--
John Doe



Re: Verifying and checksumming new release is somewhat cumbersome

2020-11-27 Thread john doe via Gnupg-users

On 11/26/2020 9:10 PM, Werner Koch wrote:

Hi,

and thanks for asking.



Thanks for this.

To be sure that I understand you correctly, I took the liberty of
rewording your answers.


On Thu, 26 Nov 2020 19:12, john doe said:


Is there a URL to download those sha1sums and those public keys as files?


The problem with sha1sums is that a single publication would be easy to
fake.  The only known countermeasure is to widely distribute them.  We
do have them on the website as you noticed, they are sent out by signed
mail to several thousand subscribers, and our and other mail archives
carry the release announcement with the checksums.



If I look at Debian (1) for example, the checksum file is gpg signed.
Assuming that I understand correctly, the Debian approach is not a safe
way to make the checksums available?propagate?


No, there is no single file with the checksums because that would be a
too easy target for an attacker.



Even if the file would be gpg signed?


and for the public key I could do something like:

$ wget 
$ gpg --import 
$ gpg --verify *.sig


And please check the printed fingerprint against copies of the
fingerprint distributed in the same way as the checksums.  The keys are
also quite well connected in the Web-of-Trust, which can also help to
validate them.



You mean by checking if the  fingerprint of the downloaded keys match
the one listed on the web site?


The advantage of the public keys and the fingerprints is that they do
not change and thus you only need to validate them once and sign
the keys so that you can trust them in the future.



Okay, if the fingerprints match I should sign the keys with mine.


I understand that for this last step I could also do:

$ gpg --keyserver-options auto-key-retrieve --verify *.sig


Don't.  For verification always use

gpg --verify file.sig file



Okay, won't do that anymore.


and check the output well.  If you need to automate this, use gpgv and
put all the trusted signing keys into a dedicated keyring.  For
automating this with gpg, I would suggest to write a gpgme based tool.



If I want to verify a new release:
- Manually: take advantage of gpgv
- Unattended: use a wrapper around gpgme


Your input is much appreciated.

1)  https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/

--
John Doe
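
The gpgv workflow recommended in the quoted reply above (a dedicated keyring, plus checking the fingerprint against one validated out of band), as an added example that is not part of the original thread. The fingerprint, the status lines and the function names are constructed for illustration; `gpgv --keyring` and `--status-fd` are the only GnuPG interfaces it relies on.

```shell
#!/bin/sh
# Added example: accept a release only if gpgv reports a valid signature
# from a key whose primary fingerprint is pinned.

# Constructed placeholder; use the fingerprint you validated out of band.
PINNED_FPRS="0123456789ABCDEF0123456789ABCDEF01234567"

# Reads gpgv --status-fd lines on stdin. Prints the pinned primary key
# fingerprint and returns 0 only if a VALIDSIG from a pinned key is present
# and no signature is bad, expired, revoked or unverifiable.
check_status() {
    awk -v pinned="$1" '
        BEGIN { n = split(pinned, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            fpr = (NF >= 12) ? $12 : $3   # field 12 is the primary key
            if (fpr in ok) good = fpr; else bad = 1
        }
        END { if (bad || good == "") exit 1; print good }
    '
}

# verify_release KEYRING SIGFILE DATAFILE
# KEYRING is a dedicated keyring holding only the release signing keys
# (give a path with a slash so gpgv does not look in its home directory).
verify_release() {
    gpgv --keyring "$1" --status-fd 1 "$2" "$3" 2>/dev/null |
        check_status "$PINNED_FPRS"
}

# Constructed status output, in the format gpgv writes to --status-fd.
sample_good() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Release Key (constructed)
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2020-11-26 1606348800 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
EOF
}
sample_unpinned() {
    cat <<'EOF'
[GNUPG:] GOODSIG 33221100FFEEDDCC Some Other Key (constructed)
[GNUPG:] VALIDSIG FFEEDDCCBBAA99887766554433221100FFEEDDCC 2020-11-26 1606348800 0 4 0 1 8 00 FFEEDDCCBBAA99887766554433221100FFEEDDCC
EOF
}
sample_bad() {
    echo '[GNUPG:] BADSIG 89ABCDEF01234567 Example Release Key (constructed)'
}

sample_good | check_status "$PINNED_FPRS" >/dev/null && echo "pinned key: accepted"
sample_unpinned | check_status "$PINNED_FPRS" || echo "unpinned key: rejected"
```

A signature that is cryptographically valid but made by a key outside the pinned set is rejected, which is the case a bare exit-code check on a shared keyring would miss.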



Verifying and checksumming new release is somewhat cumbersome

2020-11-26 Thread john doe via Gnupg-users

Hello all,

I see that at (1) and (2) the public keys block and the sha1sums
respectively are listed on their corresponding page.

Is there a URL to download those sha1sums and those public keys as files?

That is for checksumming I could simply do:

$ wget 
$ sha1sum -c  --ignore-missing

and for the public key I could do something like:

$ wget 
$ gpg --import 
$ gpg --verify *.sig

I understand that for this last step I could also do:

$ gpg --keyserver-options auto-key-retrieve --verify *.sig


Any feedback is appreciated.

P.S.

If I can I'll be more than happy to help tweaking the release process in
that regard.


1)  https://gnupg.org/download/integrity_check.html
2)  https://gnupg.org/signature_key.html

--
John Doe



Re: cannot verify .sig

2020-11-08 Thread john doe via Gnupg-users

On 11/7/2020 6:55 PM, pavel hora via Gnupg-users wrote:

Hi,
I would like to use GPG to verify installation files (True Crypt this time to be
specific) that come with a signature .sig and PGP public key .asc.


You should use veracrypt instead.


I have installed GPG 4 Win 3.1.13.
I have imported the public key. I have tried to verify the .exe with .sig, but
Kleopatra tells me the public key is not certified, so I try to certify it
myself, but I need my own key pair for that. So I try to build it, only it ends
with error, because "No agent running".
Now I assume that these issues happen because I prevent Kleopatra or GPG from
accessing the net, but then again, why should it do so for the tasks specified
above? I have used PGP in the past, long time ago, and it was always offline.
So my question is - can I still use GPG to check the signature of the file, pls?
And perhaps, why does GPG so desire the net access for my tasks?


Does it work if you do:

$ gpg --verify <*.sig>

--
John Doe
