Re: gpg: keyserver receive failed: No name - for gpg --keyserver hkp://pool.sks-keyservers.net
On 25.06.21 at 00:14, Brandon Anderson via Gnupg-users wrote:

>
>> The keyserver situation seems a bit difficult currently, maybe
>> https://keys.openpgp.org/ is the best (easiest) workaround for now.
>>
>> But WKD is really worth looking at!
>
> My understanding is the Ubuntu Key-server is staying up, I could be
> wrong, but https://keyserver.ubuntu.com/ seems to be functioning. It is
> worth noting that the keys.openpgp.org keyserver is not web of trust but
> explicitly trusting that keyserver to validate a person's identity.

I think it's good to distribute a key thru several channels, keys.openpgp.org is a good way to establish some trust in a key when fetching it for the first time. Afterwards you can still get the same key from a different source with WoT signatures added. If you have no fountain at all for a key to establish a chain(web) of trust, keys.openpgp.org is the only way to have some trust in a key. The WoT works only if you have some fountain for the trust.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'
Quoting Peter Lebbing (2015-12-26 09:53:38)
> On 26/12/15 01:39, ma...@wk3.org wrote:
> > do you have an estimate on the number of unique sentences published on
> > the Internet?
>
> What is your purpose by the way? Look for an estimated amount of entropy
> contained in picking one of those sentences?

Yes. To know if picking a random, but previously published sentence (no matter the length) may ever be good enough. And then maybe going on to see if two random, but previously published sentences might be good enough (-:

Sincerely,
Malte
Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'
It's about the randomness/unpredictability/entropy of the passphrase. There are fewer grammatically correct sentences with 4 words than there are combinations of 4 words in total. So, yes, you can take a sentence that makes sense, but then the whole passphrase has to be longer.

There is an estimate of 1.5 bit of entropy per character in natural language. So if you want a passphrase with 60 bits of entropy, it would need to be 40 characters long. You could reach the same strength with 10 random characters (alphanumeric with upper and lower case).

In the end it depends what you can remember better and what you can type faster.

Sincerely,
Malte
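The arithmetic behind the estimates in the post above, as an added example that is not part of the mailing-list thread: it applies the post's rule of thumb of about 1.5 bits per character of natural language and compares it with uniformly random characters and uniformly random words, rounding lengths up to whole symbols. The word-list size of 7776 and the target bit counts are assumptions chosen for the demo.

```python
"""Passphrase entropy estimates: natural language vs. random characters vs. random words."""
import math
import secrets
import string

NATURAL_LANGUAGE_BITS_PER_CHAR = 1.5          # rule of thumb quoted in the post
ALNUM = string.ascii_letters + string.digits  # 62 symbols: upper, lower, digits
DEFAULT_WORDLIST_SIZE = 7776                  # assumption: a diceware-sized list


def natural_language_bits(num_chars: int) -> float:
    """Entropy estimate for a meaningful sentence of num_chars characters."""
    return NATURAL_LANGUAGE_BITS_PER_CHAR * num_chars


def uniform_choice_bits(count: int, alphabet_size: int) -> float:
    """Entropy of count symbols (characters or words) drawn uniformly from alphabet_size."""
    return count * math.log2(alphabet_size)


def symbols_needed(target_bits: float, bits_per_symbol: float) -> int:
    """Smallest number of symbols whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_symbol)


def lengths_for_target(target_bits: float, wordlist_size: int = DEFAULT_WORDLIST_SIZE) -> dict:
    """For each scheme: (symbols required, entropy actually obtained at that length)."""
    schemes = {
        "natural language (chars)": NATURAL_LANGUAGE_BITS_PER_CHAR,
        "random alphanumeric (chars)": math.log2(len(ALNUM)),
        "random words (words)": math.log2(wordlist_size),
    }
    result = {}
    for name, per_symbol in schemes.items():
        n = symbols_needed(target_bits, per_symbol)
        result[name] = (n, round(n * per_symbol, 1))
    return result


def random_words(wordlist, count: int) -> list:
    """Pick count words with a CSPRNG, the way a diceware-style passphrase is built.

    The entropy claim only holds if every word is chosen uniformly, which is
    exactly what a remembered sentence does not do.
    """
    return [secrets.choice(wordlist) for _ in range(count)]


if __name__ == "__main__":
    for target in (44, 60, 80):
        print(f"{target} bits:")
        for name, (n, bits) in lengths_for_target(target).items():
            print(f"  {name:30s} {n:3d} -> {bits} bits")
    # constructed toy word list just to show the selection step
    print(random_words(["correct", "horse", "battery", "staple", "cloud", "tree"], 4))
```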
Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'
Hi,

do you have an estimate on the number of unique sentences published on the Internet?

Sincerely,
Malte
Re: Tor Support for SKSkeyservers in 2.1
On Monday 14 December 2015 05:20 bober wrote:
> I am having trouble setting up TOR support for sks-keyservers in 2.1.

Hi,

the --use-tor option got introduced in 2.1.10:
https://lists.gnupg.org/pipermail/gnupg-devel/2015-October/030385.html

If you are using GnuPG in a version before 2.1.10 the following might help you:
https://lists.gnupg.org/pipermail/gnupg-users/2015-September/054299.html

Sincerely,
Malte
Re: Crowdfunding USB Security Key for Email- and Data-Encryption - Nitrokey Storage
Hi,

very nice! Two questions/remarks, though:

On Thursday 19 November 2015 22:37 Jan Suhr wrote:
> The firmware and hardware of Nitrokey Storage have already been verified
> by Cure59, a professional third-party security auditor.

How do you deal with the findings of the audit? (https://cure53.de/pentest-report_nitrokey.pdf and https://cure53.de/pentest-report_nitrokey-hardware.pdf, for the inclined reader. And yes, it is cure53.)

> Nitrokey is made entirely in Germany […]

Can we _please_, for the love of all that is dear to us, stop advertising with nation-states as quality property? It might sell more sticks, but it fosters a sense of trust where there must be none.

Sincerely,
Malte
Re: Just published a browser-based PGP tool
Quoting Joshua Terrill (2015-10-07 21:38:52)
> https://www.pgp4web.com/

Hi,

why don't you contribute to projects that already do that?

https://whiteout.io
https://www.mailvelope.com/
https://encrypt.to/
http://www.openkeychain.org/
https://github.com/siacs/Conversations
https://modernpgp.org/

just to name a few.

Sincerely,
Malte
Re: Just published a browser-based PGP tool
Quoting Daniel Roesler (2015-10-08 17:48:59)
> It looks like this is just a barebones unhosted OpenPGP interface. All
> the others you listed try to do more (email, mobile apps, etc.). If I
> just want to quickly encrypt/decrypt/sign/verify a file, this lets me
> do it in seconds without any sort of signup or trouble.

Yeah, no. Nothing related to OpenPGP can be done within seconds. Because key management. Because of key generation. Because the key material for this app is stored exactly where? How is this a "cross-compatible OpenPGP user interface" in a way that Enigmail is not, except that Enigmail uses the native key management facilities and is thus at least more cross-compatible than the suggested solution?

Also OpenPGP en- and decryption does not happen in a vacuum. You don't go like "Oh, let's just quickly encrypt that GIF to a random public key.". There is a reason why most of the projects I suggested do email. But I also suggested OpenKeyChain and I forgot http://gpg4usb.org/.

> Ideally, you could just download the source and open it locally for a
> quick, cross-compatible OpenPGP user interface without having to
> install anything or get admin privileges. It should work anywhere you
> can open it in a browser (which is what I love about unhosted apps).
>
> Really sad to see it isn't open source yet...

I mean https://www.pgp4web.com/js/bundle.js is not obfuscated (except the first line, I don't know what that is about). It's just 45000 lines of code.

Sincerely,
Malte
Re: How can it be made even easier!?
Quoting Don Saklad (2015-10-04 16:30:50)
> How can it be made even easier!?

CryptoParties are a good start from an educational standpoint. Whiteout.io and Pixelated are a good start from a technological standpoint.

https://www.cryptoparty.in/location
https://www.cryptoparty.in/parties/upcoming
https://whiteout.io/
https://pixelated-project.org/

I think running Pixelated in a GAMP-certified environment would be a giant leap (very intentional) towards more confidential doctor-patient communication – and also a quite solid business model.
https://en.wikipedia.org/wiki/Good_Automated_Manufacturing_Practice

Sincerely,
Malte
Re: Should I be using gpg or gpg2?
> I can't offer any conclusive evidence for this, but it is my
> honest estimate that more real-world sensitive traffic volume
> is generated by 1.4.x than 2.x. Consequently, if 1.4.x is in any
> way insecure, this would be of significantly greater benefit to
> a whole class of large institutional web-traffic attackers than
> if 2.x was insecure. So, if 1.4.x is indeed in any way insecure,
> that should merit more serious and immediate attention than if
> 2.x was insecure.

The other, and in my opinion much more sensible, course of action would be to migrate all these systems that still use 1.4 to 2.1.

Version numbers are like entropy: They only increase, never decrease.

Sincerely,
Malte
[HowTo] use gpg2.1 with an onion service
Hi,

With the upgrade to GnuPG 2.1 my GPG+Tor setup broke. This was due to the fact that GnuPG now relies on dirmngr to handle all its networking. Which is good, because it separates different parts of functionality, but it also cost me some time to figure out. In the end, it's very easy:

1. You create a 2 line script, which calls dirmngr with torify:

    user@computer:~$ cat /home/user/bin/tordirmngr.sh
    #! /bin/sh
    torify dirmngr --daemon --homedir /home/user/.gnupg

2. You write the keyserver, which preferably is an Onion Service, because as such you can be sure that you connect to it via Tor, with the just created script into your ~/.gnupg/gpg.conf:

    dirmngr-program /home/user/bin/tordirmngr.sh
    keyserver hkp://euggdcsexz2dqbwb.onion
    keyserver-options no-honor-keyserver-url

2.b. For good measure I would also add:

    use-agent
    keyid-format 0xlong
    with-fingerprint

After you're done, run "killall dirmngr" once, so that already existing, not torified, dirmngr processes are not used accidentally.

Please be aware that, while this adds a lot of anonymity and confidentiality to your GPG usage, if you were to refresh your whole keyring at once, the operator of the keyserver might very well figure out who you are.

And please be further aware that most Linux distributions still ship GnuPG 1 and 2 in parallel, so make sure you invoke it with gpg2 (e.g. gpg2 --search glutenf...@vemail.nerd).

Feedback welcome (here or under the original post on Diaspora: https://pod.geraspora.de/posts/4027114)

Sincerely,
Malte
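The setup from the HowTo above, written as a small Python script that creates the wrapper and gpg.conf entries and then checks that the configuration really sends keyserver traffic through a torified dirmngr to an onion service. This is an added example, not code from the post or from GnuPG; the GNUPGHOME, wrapper path and the .onion address used in run_demo() are assumptions (the onion address is a constructed placeholder, not a real service).

```python
"""Write and verify the torified-dirmngr configuration described in the HowTo."""
import stat
import tempfile
from pathlib import Path

WRAPPER_BODY = "#! /bin/sh\ntorify dirmngr --daemon --homedir {home}\n"


def write_tor_setup(gnupghome: str, wrapper: str, onion_keyserver: str) -> None:
    """Create the torify wrapper and append the keyserver options to gpg.conf."""
    home = Path(gnupghome)
    home.mkdir(parents=True, exist_ok=True)
    wrapper_path = Path(wrapper)
    wrapper_path.parent.mkdir(parents=True, exist_ok=True)
    wrapper_path.write_text(WRAPPER_BODY.format(home=home))
    wrapper_path.chmod(0o700)  # owner-only, executable
    with (home / "gpg.conf").open("a") as conf:
        conf.write(f"dirmngr-program {wrapper_path}\n")
        conf.write(f"keyserver hkp://{onion_keyserver}\n")
        # Without this a key's embedded preferred-keyserver URL could send a
        # refresh to a clearnet server, bypassing the onion service.
        conf.write("keyserver-options no-honor-keyserver-url\n")


def parse_gpg_conf(path: Path) -> dict:
    """Minimal gpg.conf reader: option name -> value (last occurrence wins)."""
    options = {}
    for raw in path.read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        options[name] = value.strip()
    return options


def check_tor_setup(gnupghome: str) -> list:
    """Return problems found; an empty list means the setup matches the HowTo."""
    conf = Path(gnupghome) / "gpg.conf"
    if not conf.is_file():
        return ["gpg.conf missing"]
    opts = parse_gpg_conf(conf)
    problems = []
    keyserver = opts.get("keyserver", "")
    host = keyserver.split("://", 1)[-1].split(":")[0]
    if not host.endswith(".onion"):
        problems.append(f"keyserver {keyserver!r} is not an onion service")
    wrapper = opts.get("dirmngr-program")
    if not wrapper:
        problems.append("dirmngr-program unset: gpg would start a plain dirmngr")
    else:
        path = Path(wrapper)
        if not path.is_file() or not (path.stat().st_mode & stat.S_IXUSR):
            problems.append(f"wrapper {wrapper} missing or not executable")
        elif "torify" not in path.read_text():
            problems.append(f"wrapper {wrapper} does not start dirmngr via torify")
    if "no-honor-keyserver-url" not in opts.get("keyserver-options", ""):
        problems.append("keyserver-options lacks no-honor-keyserver-url")
    return problems


def run_demo() -> tuple:
    """Build a correct setup and a clearnet one in a temp dir; return both check results."""
    base = Path(tempfile.mkdtemp())
    good_home = base / "gnupg"
    # constructed placeholder address, not a real onion service
    write_tor_setup(str(good_home), str(base / "bin" / "tordirmngr.sh"),
                    "exampleonionaddressplaceholder.onion")
    bad_home = base / "gnupg-clearnet"
    bad_home.mkdir()
    (bad_home / "gpg.conf").write_text("keyserver hkp://pool.sks-keyservers.net\n")
    return check_tor_setup(str(good_home)), check_tor_setup(str(bad_home))


if __name__ == "__main__":
    good, bad = run_demo()
    print("torified setup:", good or "ok")
    print("clearnet setup:", bad)
```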
Current key servers
Hi there,

haven't used key servers in recent time and wonder what key servers are recommended currently. I have used pool.sks-keyservers.net, they were said to be okay especially due to the subkeys issues. Any new key servers recommended to use?

Thanx
Malte
No changing of expiry of openPGP card?
Hi there,

I just wanted to change the expiry of the key on my openPGP card. But GnuPG did not let me do this, it still shows the old expiry date. Can the expiry of the openPGP card not be changed!?

Regards
Malte
Re: No changing of expiry of openPGP card?
On Mon, 21 Mar 2011 21:42:30 +0100, Malte Gell malte.g...@gmx.de wrote:

> Can the expiry of the openPGP card not be changed!?

My fault... I have forgotten to change the subkey's expiry too..
Re: Running GnuPG smartcard with CTAPI?
On Thu, 17 Mar 2011 10:02:43 +0100, Werner Koch w...@gnupg.org wrote:

> On Wed, 16 Mar 2011 19:31, malte.g...@gmx.de said:
>> currently I have some trouble to get my Cyberjack running with PCSC. So
>> I wonder, can GnuPG (2.0.16) also work with CTAPI drivers?
>
> I doubt that. CTAPI has not been used for years. There is some code
> still but it will eventually be removed. Swap your Cyberjack against a
> real reader. Reiner stuff does not comply to any modern standards. Or
> well, only to their own interpretation of the standards.

They supported Linux at least... what other brand would you recommend? (Security class III with pinpad and display with Linux support).

Regards
Malte
Running GnuPG smartcard with CTAPI?
Hello,

currently I have some trouble to get my Cyberjack running with PCSC. So I wonder, can GnuPG (2.0.16) also work with CTAPI drivers?

Thanx
Malte
OpenPGP for Android
Hi there,

In the Android Market there is APG. Has anyone tested it? Does it import keys with subkeys? By the way, is there an app that encrypts SMS with APG?

Regards
Malte
Re: Using pinentry-curses interactively in Linux boot process fails (SOLVED)
Hi there,

> Besides, holding a GPG encrypted keyfile on unencrypted space to open a
> LUKS/dmcrypt encrypted device, opening/decrypting the keyfile in the boot
> process by entering the correct passphrase, to finally open the
> LUKS/dmcrypt secured device seems broken to me.

Can you explain, why this setup is broken? The keyfile consists of 4 kBytes of random data and is encrypted with my PGP key, which itself is a 1024 bit RSA key, thus the security of my encrypted partition basically is as secure as my PGP key.

> Why not just use the same secure passphrase for the LUKS keyslot
> directly, instead of using a keyfile?

The idea behind the whole thing is, that the openPGP pin is much easier to enter than a long password/phrase and if you use the openPGP card you simply need a keyfile to have a token that you use openPGP upon.

> Seems a little bit like security by obscurity to me..

I'm sorry, but this is pure nonsense. This setup is secure. The keyfile is openPGP encrypted and when decrypted, it is piped to the cryptsetup command. There is no security hole. An attacker who gains access to the hard drive would have to break the openPGP encrypted keyfile.

> (Malte: I hacked a lot on the opensuse bootscripts related to
> LUKS/dmcrypt in the last 2 years, if you need to customize your system
> in such a way that is not possible to achieve with the opensuse
> installer, feel free to drop me a note)

Well, I now achieved what I wanted to achieve. The number of people who own an openPGP card is very small so I think a small howto would be enough for these folks.

Malte
Re: Using pinentry-curses interactively in Linux boot process fails (SOLVED)
Grant Olson k...@grant-olson.net wrote

> On 7/22/10 6:13 PM, Malte Gell wrote:
>> Hi there!
>>
>> I have the following setup: a Linux luks encrypted partition. It is
>> encrypted with a keyfile, the keyfile itself is GnuPG encrypted and
>> stored in /root
>> ...
>> When I use these commands after booting, they do what I want them to
>> do. pinentry-curses asks my PIN, I enter it and everything is fine. But
>> when I use exactly these commands in my script, I simply get no
>> pinentry-curses appearing on the screen...
>
> Are all the files for gpg2 on your boot partition?

Yes and the boot partition is not encrypted, only /home

But I solved it. It was an init script issue. On openSUSE there is an init script earlyxdm and it has overridden so to say the pinentry-ncurses program. I have now edited earlyxdm and have added my own script to Required-Start, thus earlyxdm now waits until pinentry-curses does its job. It works now. Pretty cool, I can now unlock my LUKS volume with the openPGP card, that's nerd ;-)

Regards
Malte
Re: Using pinentry-curses interactively in Linux boot process fails (SOLVED)
tux.tsn...@free.fr wrote

>> Yes and the boot partition is not encrypted, only /home
>>
>> But I solved it. It was an init script issue. On openSUSE there is an
>> init script earlyxdm and it has overridden so to say the pinentry-ncurses
>> program. I have now edited earlyxdm and have added my own script to
>> Required-Start, thus earlyxdm now waits until pinentry-curses does its
>> job. It works now. Pretty cool, I can now unlock my LUKS volume with the
>> openPGP card, that's nerd ;-)
>
> Hello Mate,
>
> I use Debian and not OpenSuse, but I'm interested in your script. Could
> you give it?

Yes, of course. I have attached it, I named it open-luks-key. The only interesting stuff is the start and stop section. I have directly put the name of my luks partition there. It is a dumb script, does not detect anything automatically, but it works if the card reader is running fine. I even have not removed the FOO template stuff from it :-) Ugly, but works.

The Required-Start: section needs to contain the PCSC daemon, that needs to run, so gpg-agent can call the pinentry program.

Regards
Malte

Attachment: open-luks-key (application/shellscript)
Using pinentry-curses interactively in Linux boot process fails
Hi there!

I have the following setup: a Linux luks encrypted partition. It is encrypted with a keyfile, the keyfile itself is GnuPG encrypted and stored in /root

Now I have a smartcard reader and an OpenPGP card, so I want to decrypt the keyfile, enter the card's PIN and that's it. I wrote a little init script. Actually, this works *after* booting. But, when using it in real world booting, it does not work. gpg-agent is started correctly, but I see no pinentry-curses mask. What could be wrong?

These are the commands I use in my init script:

    export GNUPGHOME=/root/.gnupg
    gpg-agent --daemon --sh --use-standard-socket --pinentry-program /usr/bin/pinentry-curses
    gpg -d /root/Administrativa/BOOT-SCHLUESSEL-LUKS/luks-key-home-malte.bin.gpg | cryptsetup luksOpen /dev/disk/by-id/ata-WDC_WD3200BEVT-22ZCT0_WD-WXJ0A99M9523-part6 --key-file=- cr_sda6
    (this is one long line of course)
    mount -o acl,user_xattr /dev/mapper/cr_sda6 /home

When I use these commands after booting, they do what I want them to do. pinentry-curses asks my PIN, I enter it and everything is fine. But when I use exactly these commands in my script, I simply get no pinentry-curses appearing on the screen...

I use GnuPG 2.0.12.

Thanx
Malte
Re: defining port number for keyserver searches
Faramir faramir...@gmail.com wrote

> Malte Gell wrote:
>> Oh no... can it be, subkeys.pgp.net is down currently? I think I don't
>> have a port filtering issue, the keyserver seems to be down!
>
> Try pool.sks-keyservers.net , it is a pool of servers, and it is checked
> daily (I think, 2 or 3 times a day), so it is unlikely it will assign you
> a keyserver down... or at least, not twice in a row.

Indeed, seems to be very reliable.

Malte
Re: GPG4WIN and GnuPG smartcard, Claws
Werner Koch wrote:

> On Tue, 9 Jun 2009 06:50, cl...@thewildbeast.co.uk said:
>> Try the newer version of claws-mail/gpg4win (light) found here:
>> http://www.claws-mail.org/win32/ This has SSL support using gnutls.
>
> That should be in Gpg4win 1.9.x as well. Quite some time ago we
> integrated the whole GNUTLS stuff just for it.

Thanx for that hint, so I will give it a try. GNUTLS is integrated in the package I guess?

Thunderbird is just crap, Enigmail is great, but filter capabilities are so poor...

Malte
Re: GPG4WIN and GnuPG smartcard, Claws
Werner Koch wrote:

> On Sat, 6 Jun 2009 22:52, malte.g...@gmx.de said:
>> Does the GPG4Win package support the GnuPG smartcard? Of course, given
>> there is a reader and its driver installed first...
>
> Yes.

Indeed, GPG4Win works very smoothly.

>> And, how powerful is the Claws client? Does it support multiple pop,
>> smtp accounts and IMAP?
>
> The German c't magazine, issue 3/2009, ran a test of several mail clients
> (Claws, Evo, Kmail, Thunderbird) with Claws being the only one with a '+'
> in all categories. Closely followed by Kmail.
>
> Yes, multiple accounts are possible with all protocols.

I see, Claws seems to have very capable filter capabilities. Ugly UI under Windows, but powerful ;-)

I noticed, it does not support SSL encrypted transmission of pop/smtp passwords? Is this due to lack of SSL on Windows or is this a general limitation on Claws 3.0.x that comes with GPG4Win? This makes Claws unusable for mail providers like gmx.net which only allow SSL secured transmission of passwords (maybe I am wrong here and they still allow plain text, have not tested).

Regards
Malte
GPG4WIN and GnuPG smartcard, Claws
Hi there!

Does the GPG4Win package support the GnuPG smartcard? Of course, given there is a reader and its driver installed first...

And, how powerful is the Claws client? Does it support multiple pop, smtp accounts and IMAP?

Thanx a lot in advance
Malte
openPGP card: using a readers keypad instead of pinentry-qt
Hello,

being a class 3 reader, my cardreader has a keypad and a display, but gpg-agent still invokes pinentry-qt to enter the pin. How can I change this to use the cardreader's keypad? I have not set --disable-keypad in scdaemon.conf

thanx
Malte
Re: openPGP card: using a readers keypad instead of pinentry-qt
On Thursday, 12 February 2009 12:41:45, Werner Koch wrote:

> On Thu, 12 Feb 2009 09:46, malte.g...@gmx.de said:
>> being a class 3 reader, my cardreader has a keypad and a display, but
>> gpg-agent still invokes pinentry-qt to enter the pin. How can I change
>> this to use the cardreader's keypad?
>
> Your card reader's keypad is not supported. See this comment:
>
>     /* We have only tested a few readers so better don't risk anything and
>        do not allow the use with other readers. */
>     switch (handle->id_vendor)

I see. Are there such specific requirements by different card readers that you are forced to individually test them for keypad support? Could someone who owns such a not yet supported reader help you?

> You also need to use the internal ccid driver.

...in order to get keypad support? PCSC has proven to be most reliable to me... I have not been able to get the CCID running. Does GnuPGs internal CCID driver run with *any* CCID cardreader?

Thanx
Malte
More than one key on openPGP card?
Hello,

can the openPGP card store more than one key? If yes, how many can be stored? Will the forthcoming cards version 2.0 differ from 1.1 in that aspect?

Malte
Re: (SOLVED) Re: OpenPGP card not accessible
On Tuesday, 10 February 2009 11:34:03, Werner Koch wrote:

> On Tue, 10 Feb 2009 08:34, malte.g...@gmx.de said:
>> 1. killing running gpg-agent
>
> That is not necessary. You can simply give it a HUP (pkill -HUP
> gpg-agent). This will reload most of the config options including
> --scdaemon-program. Now you kill scdaemon (may need up to 3 SIGINT) and
> gpg-agent will restart it on demand.
>
>> 2. starting gpg-agent again
>
> Not required because you only raised a SIGHUP and gpg-agent keeps on
> running.

Ok. I put that in a script, may need from time to time...

> Your problem is probably another version of gpg-agent or scdaemon
> somewhere in your PATH.

Well, I have only one version installed, not parallel installation or other strange things...

tia
Malte
Re: Re: OpenPGP card not accessible
Hello,

On Tuesday, 10 February 2009 11:34:03, Werner Koch wrote:

(...)

> Your problem is probably another version of gpg-agent or scdaemon
> somewhere in your PATH.

Hm, I don't buy it.. I continued to try things, the strange behaviour continues, now my openPGP card is shown as empty:

    2[malte_g...@linux-61r3]5438 17:34~ gpg --card-status
    Application ID ...: D276000124010101000115CB
    Version ..: 1.1
    Manufacturer .: PPC Card Systems
    Serial number : 15CB
    Name of cardholder: [nicht gesetzt]
    Language prefs ...: [nicht gesetzt]
    Sex ..: unbestimmt
    URL of public key : [nicht gesetzt]
    Login data ...: [nicht gesetzt]
    Signature PIN : zwingend
    Max. PIN lengths .: 0 0 0
    PIN retry counter : 0 0 0
    Signature counter : 0
    Signature key : [none]
    Encryption key: [none]
    Authentication key: [none]
    General key info..: [none]

I DO have keys on this card, minutes ago everything worked fine, now the card is shown like it was empty...

Doesn't this strange behaviour look like a bug? It does not see my key on the card sometimes.

Malte
Re: OpenPGP card not accessible
On Tuesday, 10 February 2009 18:09:58, Werner Koch wrote:

> On Tue, 10 Feb 2009 17:38, malte.g...@gmx.de said:
>> Hm, I don't buy it.. I continued to try things, the strange behaviour
>> continues, now my openPGP card is shown as empty:
>
> I have noticed such a behaviour sporadically but I was not able to
> reliably replicate it. Which reader are you using and is pcscd running?
> Which OS and libusb version?

Yes, I use pcscd, but it also occurs with only ctapi drivers. I use a Reiner SCT cyberjack ecom (class 3 with display and pinpad). OS is openSUSE 11.1 32bit.

One way to try to trigger this odd behaviour was to e.g. sign something, remove the card, stop and start again pcscd daemon, or remove the card, or stop pcscd daemon and play with onlinebanking (=ctapi), start pcscd again and trying to use the openPGPcard again, it always was triggered after the card was used and some change happened, be it to remove the card use a totally different card, change driver etc.

libusb:

    [malte_g...@linux-61r3]5520 20:08~ rpm -qa | grep libusb
    libusb-0_1-4-0.1.12-136.10
    libusb-devel-0.1.12-136.10
    libusbpp-0_1-4-0.1.12-136.10
    libusb-1_0-0-0.9.3-4.20

Interesting: I added card-timeout 0 to scdaemon.conf and the last couple hours everything was fine... now I can remove the card, sign something, move the card back into the reader and it is readable, maybe found the cure... Is card-timeout 0 harmful as the manpage suggests?

Thanx
Malte
Re: openPGP card, cant change admin pin, can't change name
On Sunday, 8 February 2009 00:12:16, Malte Gell wrote:

>     gpg --card-edit
>     passwd
>
> then asked for the PIN, default pin 123456 entered asked for the new pin,
> new pin entered twice and then this
>
>     Error changing the PIN: Conditions of use not satisfied

Too stupid, the pin needs to be 6 digits of course..

> When I try to change the admin pin something similar, permission denied.
> What is wrong, why can't I change the pins?

does still not work, what is wrong there, why don't I have the permission to change the admin pin?

    2[malte_g...@linux-61r3]4867 09:25~ gpg --change-pin
    gpg: OpenPGP card no. X detected

    1 - change PIN
    2 - unblock PIN
    3 - change Admin PIN
    4 - set the Reset Code
    Q - quit

    Your selection? 3
    Error changing the PIN: Permission denied

The same happens when trying to change the name:

    Command> name
    Cardholder's surname: Gell
    Cardholder's given name: Malte
    gpg: error setting Name: Permission denied
Re: openPGP card, cant change admin pin, can't change name
Hello,

On Sunday, 8 February 2009 10:26:24, Benjamin Donnachie wrote:

> 2009/2/8 Malte Gell malte.g...@gmx.de:
>> does still not work, what is wrong there, why don't I have the
>> permission to change the admin pin?
>
> So, edit ~/.gnupg/scdaemon.conf and add the line allow-admin.

Thanx for that hint, actually, I do read manpages and I knew that option before and played with it, I don't know why it has not worked before, I put it in scdaemon.conf and it works now. Fine :-)

Malte
(SOLVED) Re: OpenPGP card not accessible
For whom it may concern and Google cache:

I found the source of trouble. I had to give one additional parameter to gpg-agent:

    --scdaemon-program /usr/bin/scdaemon

After specifying this parameter I was able to successfully access the openPGP card with pcsc drivers and a Reiner SCT e-com.

On e.g. openSUSE open /etc/X11/xdm/sys.xsession and look for the line that starts with

    set -- $gpgagent --sh --daemon..

add to this line:

    --scdaemon-program /usr/bin/scdaemon

and the error described below is gone.

On Thursday, 5 February 2009 22:33:23, Malte Gell wrote:

>     gpg --card-edit
>
> but i cannot do anything, because GnuPG immediately exits and says there
> was no card
>
>     gpg --card-edit
>
> first detected the card and then suddenly says OpenPGP card is not
> available, though it is still in the card reader
>
> I use gpg 2.0.9 and the Reiner SCT ctapi-driver, scdaemon.conf looks like
> this:
>
>     ctapi-driver libctapi-cyberjack.so
>     reader-port 1
>
> The ctapi driver seems to be the only way to access the card a little
> bit, but it still does not work correctly... If someone has some
> experience about these issues, let me know
>
> Malte
>
>     Application ID ...: D276000124010101000115CB
>     Version ..: 1.1
>     Manufacturer .: PPC Card Systems
>     Serial number : 15CB
>     Name of cardholder: [not set]
>     Language prefs ...: de
>     Sex ..: unspecified
>     URL of public key : [not set]
>     Login data ...: [not set]
>     Signature PIN : forced
>     Max. PIN lengths .: 254 254 254
>     PIN retry counter : 3 3 3
>     Signature counter : 0
>     Signature key : [none]
>     Encryption key: [none]
>     Authentication key: [none]
>     General key info..: [none]
>     Command> scdaemon[19663]: updating status of slot 0 to 0x0007
>     scdaemon[19663]: client pid is 19662, sending signal 12
>     scdaemon[19663.0] DBG: <- [EOF]
>     scdaemon[19663]: handler for fd -1 terminated
>     scdaemon[19663]: scdaemon (GnuPG) 2.0.9 stopped
>     gpg: OpenPGP card not available: IPC write error
openPGP card, cant change admin pin
Hi there,

i wanted to change the pins of my new card and invoked

    gpg --change-pin

I was able to select point one, was asked for the old pin and entered the new one and affirmed. Then I chose point three change Admin PIN, but gpg said no permission!? How can I now change the admin pin and why did gpg not allow to change it? By the way, does gpg explicitly say when it needs the normal pin and the admin pin? Does the card become useless after three times wrong pin?

Malte
Re: openPGP card, cant change admin pin
On Saturday, 7 February 2009 21:50:20, Malte Gell wrote:

> Hi there,
>
> i wanted to change the pins of my new card and invoked
>
>     gpg --change-pin
>
> I was able to select point one, was asked for the old pin and entered the
> new one and affirmed. Then I chose point three change Admin PIN, but gpg
> said no permission!? How can I now change the admin pin and why did gpg
> not allow to change it?

    gpg --card-edit
    passwd

then asked for the PIN, default pin 123456 entered asked for the new pin, new pin entered twice and then this

    Error changing the PIN: Conditions of use not satisfied

When I try to change the admin pin something similar, permission denied. What is wrong, why can't I change the pins?
OpenPGP card not accessible
Hello,

I made some progress with my new OpenPGP card. I can access it with

    gpg --card-edit

but I cannot do anything, because GnuPG immediately exits and says there was no card. gpg --card-edit first detected the card and then suddenly says the OpenPGP card is not available, though it is still in the card reader.

I use gpg 2.0.9 and the Reiner SCT ctapi driver; scdaemon.conf looks like this:

    ctapi-driver libctapi-cyberjack.so
    reader-port 1

The ctapi driver seems to be the only way to access the card a little bit, but it still does not work correctly... If someone has some experience with these issues, let me know.

Malte

    Application ID ...: D276000124010101000115CB
    Version ..........: 1.1
    Manufacturer .....: PPC Card Systems
    Serial number ....: 15CB
    Name of cardholder: [not set]
    Language prefs ...: de
    Sex ..............: unspecified
    URL of public key : [not set]
    Login data .......: [not set]
    Signature PIN ....: forced
    Max. PIN lengths .: 254 254 254
    PIN retry counter : 3 3 3
    Signature counter : 0
    Signature key ....: [none]
    Encryption key....: [none]
    Authentication key: [none]
    General key info..: [none]

    Command>
    scdaemon[19663]: updating status of slot 0 to 0x0007
    scdaemon[19663]: client pid is 19662, sending signal 12
    scdaemon[19663.0] DBG: - [EOF]
    scdaemon[19663]: handler for fd -1 terminated
    scdaemon[19663]: scdaemon (GnuPG) 2.0.9 stopped
    gpg: OpenPGP card not available: IPC write error
Re: OpenPGP card not accessible
On Thursday 05 February 2009 23:13:08 Wolfgang Rosenauer wolfg...@rosenauer.org wrote the following:
> Malte Gell wrote:
> > gpg --card-edit first detected the card and then suddenly says the OpenPGP card is not available, though it is still in the card reader
>
> I've just changed my config from using pcsc-lite to the cyberjack ctapi driver and it works for me. I'm using gpg 2.0.10 though since I had other issues when accessing the card a few days ago. I have gpg 2.0.10 in my OBS repository built for openSUSE 11.1:
> http://download.opensuse.org/repositories/home:/wrosenauer/openSUSE_11.1/

Thanx, I tried the updated GnuPG, but it still does not work, see below. You use the same driver, just a different Cyberjack reader, so my guess is it is the reader that makes trouble. It is a Cyberjack Secoder, released in 2008; maybe it is too new to work correctly with the delivered ctapi driver. Since your Cyberjack and the ctapi driver work, it may be more likely that it is the Secoder that is not properly supported by the current ctapi driver...

Malte

    1[r...@linux-61r3]4877-00:34~ gpg --card-edit
    can't connect to `/root/.gnupg/S.gpg-agent': Connection refused
    scdaemon[7910]: listening on socket `/tmp/gpg-PdOdAU/S.scdaemon'
    scdaemon[7910]: handler for fd -1 started
    scdaemon[7910]: reader slot 0: Processor ICC present
    scdaemon[7910]: slot 0: ATR=3B FA 13 00 FF 81 31 80 45 00 31 C1 73 C0 01 00 00 90 00 B1
    scdaemon[7910.0] DBG: - OK GNU Privacy Guard's Smartcard server ready
    scdaemon[7910.0] DBG: - GETINFO socket_name
    scdaemon[7910.0] DBG: - D /tmp/gpg-PdOdAU/S.scdaemon
    scdaemon[7910.0] DBG: - OK
    scdaemon[7910.0] DBG: - OPTION event-signal=12
    scdaemon[7910.0] DBG: - OK
    scdaemon[7910.0] DBG: - SERIALNO
    scdaemon[7910]: AID: D2 76 00 01 24 01 01 01 00 01 00 00 15 CB 00 00
    scdaemon[7910]: Version-2 ......: no
    scdaemon[7910]: Get-Challenge ..: yes (0 bytes max)
    scdaemon[7910]: Key-Import .....: yes
    scdaemon[7910]: Change-Force-PW1: yes
    scdaemon[7910]: Private-DOs ....: yes
    scdaemon[7910]: Algo-Attr-Change: no
    scdaemon[7910]: SM-Support .....: no
    scdaemon[7910]: Max-Cert3-Len ..: 0
    scdaemon[7910]: Max-Cmd-Data ...: 0
    scdaemon[7910]: Max-Rsp-Data ...: 0
    scdaemon[7910]: Cmd-Chaining ...: no
    scdaemon[7910]: Ext-Lc-Le ......: no
    scdaemon[7910]: Status Indicator: 00
    scdaemon[7910]: GnuPG-No-Sync ..: no
    scdaemon[7910]: GnuPG-Def-PW2 ..: no
    scdaemon[7910]: Key-Attr-sign ..: RSA, n=1024, e=32, fmt=std
    scdaemon[7910]: Key-Attr-encr ..: RSA, n=1024, e=32, fmt=std
    scdaemon[7910]: Key-Attr-auth ..: RSA, n=1024, e=32, fmt=std
    scdaemon[7910]: DBG: USING application context (refcount=1) (new)
    scdaemon[7910.0] DBG: - S SERIALNO
    scdaemon[7910.0] DBG: - OK
    scdaemon[7910]: updating slot 0 status: 0x-0x0007 (0-1)
    scdaemon[7910]: sending signal 12 to client 7909
    scdaemon[7910.0] DBG: - [EOF]
    scdaemon[7910]: handler for fd -1 terminated
    gpg: OpenPGP card not available: End of file

    Command>
    scdaemon[7910]: scdaemon (GnuPG) 2.0.10 stopped
    gpg: OpenPGP card not available: IPC write error

    Command> quit
Re: OpenPGP card not accessible
On Thursday, 5 February 2009 23:13:08, Wolfgang Rosenauer wrote:
> Malte Gell wrote:
> > gpg --card-edit first detected the card and then suddenly says the OpenPGP card is not available, though it is still in the card reader
>
> I have gpg 2.0.10 in my OBS repository built for openSUSE 11.1:
> http://download.opensuse.org/repositories/home:/wrosenauer/openSUSE_11.1/

As written previously, it has not helped. I have now tried to use the PC/SC driver and the pcsc daemon, to no avail; output below.

    1[r...@linux-61r3]4937-01:39~ gpg --card-edit
    can't connect to `/root/.gnupg/S.gpg-agent': Connection refused
    scdaemon[20981]: listening on socket `/tmp/gpg-lPsvco/S.scdaemon'
    scdaemon[20981]: handler for fd -1 started
    scdaemon[20981]: reader slot 0: not connected
    scdaemon[20981]: slot 0: ATR=3B FA 13 00 FF 81 31 80 45 00 31 C1 73 C0 01 00 00 90 00 B1
    scdaemon[20981.0] DBG: - OK GNU Privacy Guard's Smartcard server ready
    scdaemon[20981.0] DBG: - GETINFO socket_name
    scdaemon[20981.0] DBG: - D /tmp/gpg-lPsvco/S.scdaemon
    scdaemon[20981.0] DBG: - OK
    scdaemon[20981.0] DBG: - OPTION event-signal=12
    scdaemon[20981.0] DBG: - OK
    scdaemon[20981.0] DBG: - SERIALNO
    scdaemon[20981]: AID: D2 76 00 01 24 01 01 01 00 01 00 00 15 CB 00 00
    scdaemon[20981]: Version-2 ......: no
    scdaemon[20981]: Get-Challenge ..: yes (0 bytes max)
    scdaemon[20981]: Key-Import .....: yes
    scdaemon[20981]: Change-Force-PW1: yes
    scdaemon[20981]: Private-DOs ....: yes
    scdaemon[20981]: Algo-Attr-Change: no
    scdaemon[20981]: SM-Support .....: no
    scdaemon[20981]: Max-Cert3-Len ..: 0
    scdaemon[20981]: Max-Cmd-Data ...: 0
    scdaemon[20981]: Max-Rsp-Data ...: 0
    scdaemon[20981]: Cmd-Chaining ...: no
    scdaemon[20981]: Ext-Lc-Le ......: no
    scdaemon[20981]: Status Indicator: 00
    scdaemon[20981]: GnuPG-No-Sync ..: no
    scdaemon[20981]: GnuPG-Def-PW2 ..: no
    scdaemon[20981]: Key-Attr-sign ..: RSA, n=1024, e=32, fmt=std
    scdaemon[20981]: Key-Attr-encr ..: RSA, n=1024, e=32, fmt=std
    scdaemon[20981]: Key-Attr-auth ..: RSA, n=1024, e=32, fmt=std
    scdaemon[20981]: DBG: USING application context (refcount=1) (new)
    scdaemon[20981.0] DBG: - S SERIALNO
    scdaemon[20981.0] DBG: - OK
    scdaemon[20981.0] DBG: - LEARN --force
    scdaemon[20981.0] DBG: - S SERIALNO
    scdaemon[20981.0] DBG: - S APPTYPE OPENPGP
    scdaemon[20981.0] DBG: - S EXTCAP gc=1+ki=1+fc=1+pd=1+mcl3=0
    scdaemon[20981.0] DBG: - S DISP-NAME
    scdaemon[20981.0] DBG: - S DISP-LANG de
    scdaemon[20981.0] DBG: - S DISP-SEX 9
    scdaemon[20981.0] DBG: - S PUBKEY-URL
    scdaemon[20981.0] DBG: - S CHV-STATUS +0+254+254+254+3+3+3
    scdaemon[20981.0] DBG: - S SIG-COUNTER 0
    scdaemon[20981.0] DBG: - S PRIVATE-DO-1
    scdaemon[20981.0] DBG: - S PRIVATE-DO-2
    scdaemon[20981]: reading public key failed: Missing item in object
    scdaemon[20981]: reading public key failed: Missing item in object
    scdaemon[20981]: reading public key failed: Missing item in object
    scdaemon[20981.0] DBG: - OK
    gpg-agent[20980]: card has S/N: (XXed by me)

    Application ID ...: XX
    Version ..........: 1.1
    Manufacturer .....: PPC Card Systems
    Serial number ....: 15CB
    Name of cardholder: [not set]
    Language prefs ...: de
    Sex
trouble getting GnuPG 2.0.9 working with smartcard
Hi there,

with hope of finding more response I place my question now here. I have a Reiner SCT Cyberjack Secoder card reader, and with the driver from Reiner SCT's web site it works now; the diagnosis tool cyberjack says the reader is available and accessible. In ~/.gnupg/scdaemon.conf I specified the PCSC driver; it contains the following:

    debug-level advanced
    pcsc-driver /usr/lib/readers/ifd-cyberjack.bundle/Contents/Linux/ifd-cyberjack.so.2.3.0

But, when inserting a blank smartcard, I only get the following:

    1[r...@linux-61r3]4339-06:06~ gpg --card-status
    can't connect to `/root/.gnupg/S.gpg-agent': Connection refused
    scdaemon[28645]: listening on socket `/tmp/gpg-Gxylwx/S.scdaemon'
    scdaemon[28645]: handler for fd -1 started
    scdaemon[28645]: error sending PC/SC OPEN request: Broken pipe
    scdaemon[28645.0] DBG: - OK GNU Privacy Guard's Smartcard server ready
    scdaemon[28645.0] DBG: - GETINFO socket_name
    scdaemon[28645.0] DBG: - D /tmp/gpg-Gxylwx/S.scdaemon
    scdaemon[28645.0] DBG: - OK
    scdaemon[28645.0] DBG: - OPTION event-signal=12
    scdaemon[28645.0] DBG: - OK
    scdaemon[28645.0] DBG: - SERIALNO
    scdaemon[28645]: no supported card application found: General error
    scdaemon[28645.0] DBG: - ERR 100663297 General error SCD
    gpg-agent[28644]: command learn failed: General error
    gpg: OpenPGP card not available: General error
    [2]1[r...@linux-61r3]4340-06:07~ scdaemon[28645.0] DBG: - RESTART
    scdaemon[28645.0] DBG: - OK
    scdaemon[28645.0] DBG: - [EOF]
    scdaemon[28645]: handler for fd -1 terminated
    scdaemon[28645]: scdaemon (GnuPG) 2.0.9 stopped

In my naive thoughts I hoped to be able to format a blank card to put my key on it. Is this now a driver / GnuPG vs card reader issue, or is it not possible to just use any blank smart card (it is an 8 kB smartcard from Atmel, it seems)?

Malte
Compiling libgcrypt
Hello,

I am currently trying to build GnuPG 2.08 from the source. I have compiled and installed the latest versions of the necessary libraries (libksba-1.0.2, libgpg-error-1.6, libassuan-1.0.4 and pth-2.0.7) except libgcrypt 1.4.0, which unfortunately aborts during the compile process. I have tried to install an older version (1.2.2), but it also aborted with an error in rijndael.lo. I am using GNU Make 3.80 and gcc (GCC) 3.3.3 (SuSE Linux). Below are the outputs of make and the configure script while trying to build libgcrypt 1.4.0. How can I get this working?

Yours sincerely
Stefan Malte Schumacher

This is the make output:

    /bin/sh ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -I../src -I../src -I/usr/local/include -g -O2 -Wall -Wpointer-arith -MT rijndael.lo -MD -MP -MF .deps/rijndael.Tpo -c -o rijndael.lo rijndael.c
    gcc -DHAVE_CONFIG_H -I. -I.. -I../src -I../src -I/usr/local/include -g -O2 -Wall -Wpointer-arith -MT rijndael.lo -MD -MP -MF .deps/rijndael.Tpo -c rijndael.c -fPIC -DPIC -o .libs/rijndael.o
    gcc -DHAVE_CONFIG_H -I. -I.. -I../src -I../src -I/usr/local/include -g -O2 -Wall -Wpointer-arith -MT rijndael.lo -MD -MP -MF .deps/rijndael.Tpo -c rijndael.c -o rijndael.o >/dev/null 2>&1
    make[2]: *** [rijndael.lo] Fehler 1
    make[2]: Leaving directory `/home/stefan/Software/Packed/libgcrypt-1.4.0/cipher'
    make[1]: *** [all-recursive] Fehler 1
    make[1]: Leaving directory `/home/stefan/Software/Packed/libgcrypt-1.4.0'
    make: *** [all] Fehler 2

And this is the output of configure:

    checking for mmap... yes
    checking for getpagesize... yes
    checking for sysconf... yes
    checking for waitpid... yes
    checking for wait4... yes
    checking for gettimeofday... yes
    checking for getrusage... yes
    checking for gethrtime... no
    checking for clock_gettime... no
    checking for fcntl... yes
    checking for ftruncate... yes
    checking for mlock... yes
    checking for sysconf... (cached) yes
    checking for getpagesize... (cached) yes
    checking whether mlock is broken... no
    checking for random device... yes
    checking for _ prefix in compiled symbols... no
    checking for mpi assembler functions... done
    checking if gcc supports -Wpointer-arith... yes
    checking whether non excutable stack support is requested... yes
    checking whether assembler supports --noexecstack option... yes
    configure: creating ./config.status
    config.status: creating Makefile
    config.status: creating m4/Makefile
    config.status: creating mpi/Makefile
    config.status: creating cipher/Makefile
    config.status: creating doc/Makefile
    config.status: creating src/Makefile
    config.status: creating src/gcrypt.h
    config.status: creating src/libgcrypt-config
    config.status: creating src/versioninfo.rc
    config.status: creating tests/Makefile
    config.status: creating config.h
    config.status: config.h is unchanged
    config.status: linking ./mpi/i386/mpih-add1.S to mpi/mpih-add1-asm.S
    config.status: linking ./mpi/i386/mpih-sub1.S to mpi/mpih-sub1-asm.S
    config.status: linking ./mpi/i386/mpih-mul1.S to mpi/mpih-mul1-asm.S
    config.status: linking ./mpi/i386/mpih-mul2.S to mpi/mpih-mul2-asm.S
    config.status: linking ./mpi/i386/mpih-mul3.S to mpi/mpih-mul3-asm.S
    config.status: linking ./mpi/i386/mpih-lshift.S to mpi/mpih-lshift-asm.S
    config.status: linking ./mpi/i386/mpih-rshift.S to mpi/mpih-rshift-asm.S
    config.status: linking ./mpi/generic/mpi-asm-defs.h to mpi/mpi-asm-defs.h
    config.status: executing depfiles commands
    config.status: executing gcrypt-conf commands
    Configured for: GNU/Linux (i686-pc-linux-gnu)
Re: [Announce] GnuPG: remotely controllable function pointer [CVE-2006-6235]
On Wednesday 06 December 2006 16:55, Werner Koch wrote:
> GnuPG: remotely controllable function pointer [CVE-2006-6235]
> ===
> 2006-12-04

Hm, GnuPG 1.4.5 (unpatched)/KMail 1.8.2 reports an invalid signed message... Maybe my gpg.conf is messed up, or is this due to changes in gpg 1.4.5?

Thanx.
Re: Why are my signatures being labelled as bad?
On Wednesday 19 April 2006 21:47, Robert Smits wrote:
> I'm trying to figure out why I can send encrypted messages to myself at home from my work computer, and they come through just fine, but signed messages to myself from my work computer come labelled as having a bad signature.
> Work computer - Suse Linux 9.3 running Kmail and KGpg.
> (...)

This is probably a Kgpg issue. The same here with umlauts (ä ü ö): Kgpg considers clearsigned text as bad. Example:

    ftp://ftp.gwdg.de/linux/suse/ftp.suse.com/suse/i386/update/10.0/patches/MozillaFirefox-52838

Cut and paste the content of this patch description into Kgpg's internal editor and it'll say broken signature. Download the patch description and verify it manually using

    gpg --verify MozillaFirefox-52838

and you'll see the sig is fine. There must be a nasty bug somewhere in Kgpg. Trying every possible configuration, either in Kgpg or gpg.conf, hasn't helped.

Malte
Re: Trouble with gpgsm
On Friday 24 March 2006 15:43, [EMAIL PROTECTED] wrote:
> Hi, I cannot seem to import the server certificate that it signed. I continually get the following message:
>
>     5 - 2006-03-23 16:58:30 gpgsm[27069]: self-signed certificate has a BAD signature: Bad signature
>     5 - 2006-03-23 16:58:30 gpgsm[27069]: basic certificate checks failed - not imported
>
> OpenSSL will verify the certificate:
>
>     [EMAIL PROTECTED] ~ $ openssl verify -CAfile /etc/ssl/certs/My_CA.pem ./server.crt
>     server.crt: OK

It is My_CA.pem that you can't import into the GnuPG system, right? What happens if you try the following:

    openssl pkcs12 -in My_CA.pem -export -out My_CA.p12 -nocerts -nodes

This should result in My_CA.p12, and next

    gpgsm --call-protect-tool --p12-import --store My_CA.p12

Does this work? Does gpgsm --list-secret-keys list it now? _If_ this worked, you can grab the public part from My_CA.pem with an editor, since it is a text file. I took this from a mini-howto that describes how to use GnuPG with X.509 certificates that some email providers offer.

hth
Malte