Re: Problems using 10kbit keys in GnuPG instead of 4kbit keys
----- Original Message -----
From: Werner Koch w...@gnupg.org
To: Pete Stephenson p...@heypete.com
Cc: GnuPG Users Mailing List gnupg-users@gnupg.org
Sent: Tuesday, September 10, 2013 12:07 PM
Subject: Re: Problems using 10kbit keys in GnuPG instead of 4kbit keys

> Some MUAs decrypt messages on the fly while you are browsing through all the new mails - if that takes too long due to the many 8k keys, it makes the MUA unusable.

This is only a problem for users who choose to use 8k keys, not for anyone else.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GpgEX for 64 bit Windows test version
On 2013.06.24. 21:18, Bob Henson wrote:
> it just caused an error, saying "The module c:\program failed to load. Make sure the binary is stored at the specified path or debug it to check for problems with the binary or dependent .dll files. The specified module could not be found." It looks to me as though the regsvr command is looking for a program to run called c:\program? As I can't run the 32 bit version of GPGex anyway on this system, can I not just overwrite the existing copy of gpgex.dll with the 64 bit one and reboot? What should I try if not, please?

Paths with spaces need to be escaped. Put that C:\program files... in quotes.
Re: Is it safe to rename file.gpg to `md5sum file`?
> There isn't enough entropy in a filename for an MD5 checksum to give much in the way of secrecy.

It seems that the MD5 checksum is computed from the file contents, not the name.
Re: Web-based pinentry
----- Original Message -----
From: Michael Gauthier m...@silverorange.com
To: gnupg-users@gnupg.org
Cc: Michael Gauthier m...@silverorange.com
Sent: Wednesday, August 29, 2012 7:32 PM
Subject: Web-based pinentry

> As of GnuPG v2, the --command-fd method of passing passphrases no longer seems to work. Is there an alternative I can use so that the pin entry interface is still a webpage? Please let me know what I can use to handle pin-entry in a web-based system.

If I have understood correctly, in gpg2, in such cases you are supposed to use no passphrase at all.
Re: gpg simplified?
On 2012.07.31. 12:35, Werner Koch wrote:
> On Tue, 31 Jul 2012 07:11, y...@yyy.id.lv said:
> Why do you think gpg2 won't work or does any network access without user consent?

gpg2 requires gpg-agent... I was referring to the possibility of making it a portable application (not requiring installation, not leaving traces on the host computer when run). There have been some threads (on this list) about how to get rid of gpg-agent in gpg2, so that it would behave more like gpg 1.4, but the answer has been that it is not possible.

None of the applications considered requires any network access (gpg 1.4, gpg2, openssl).
Re: gpg simplified?
On 2012.07.30. 15:51, peter.segm...@wronghead.com wrote:
> I have been asked to help a small group of individuals (perhaps hundreds, not thousands) with secure data exchange (including, but not restricted to e-mail). Use of full gpg is way beyond their capabilities. I am wondering if anybody has heard of a simplified version of gpg; or failing that, I would like to hear any comments on the feasibility of a collaborative project to create such a variant, as I am convinced there would have to be a wider applicability of it. The following describes the requirements:
>
> 1) The program is CLI and operates on (i.e., it encrypts and decrypts) binary files. It has no connection with any mail client program or server or mail service and provides no key management functionality whatsoever.

gpg is a CLI program which encrypts and decrypts binary files; by default it has no connection with any mail server or service. The openssl smime tool does the same and, unlike gpg, has no key management functionality (for encryption and decryption only). (It does have size limits: it needs as much memory as the size of the file to be encrypted or decrypted.)

> 2) Once encrypted with a (single!) recipient's public key, the file consists of bytes indistinguishable from a random stream.

This probably will not be possible with standard OpenPGP (or S/MIME).

> 3) The program can be run from removable media, i.e., it requires no installation and assumes no network access for either key exchange or in operation. There are binaries for all three major platforms (Win32, Linux and Mac OSX).

I have heard that gpg 1.4 supports such operation, but have not tested it myself. gpg2 certainly will not work. openssl sometimes works, sometimes not. (I have tested only on Windows; there have been some dependencies on system DLLs.)

> 4) Single key, public or private, resides in a single file. This file is encrypted with operator's public key and consists of bytes indistinguishable from a random byte stream.

This probably will not be possible with standard OpenPGP (or S/MIME). If the private key is encrypted with its public key, it becomes inaccessible, because the unencrypted private key is needed to decrypt it.

> 5) Public key includes a textual description, but no unique identification other than the hash of the key.

gpg keys can be generated this way; X.509 certs can also be generated this way.
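The answer to requirement 2, that a standard OpenPGP message cannot pass for a random byte stream, can be made concrete by reading the packet framing at the start of the message. The following is an added example, not code from the thread or from GnuPG: it parses RFC 4880 packet headers (old and new format) and the plaintext fields of a Public-Key Encrypted Session Key packet. The sample byte strings are constructed by hand for illustration and are not real gpg output; the key ID in them is fictitious.

```python
"""Inspect OpenPGP packet framing to show why a message is not a random byte stream.

Added example, not code from the thread or from GnuPG. Packet layout follows
RFC 4880 section 4.2 (packet headers) and 5.1 (Public-Key Encrypted Session Key).
The sample messages below are constructed for illustration; the key ID is fictitious.
"""
from typing import Optional, Tuple

PACKET_TAGS = {
    1: "Public-Key Encrypted Session Key",
    3: "Symmetric-Key Encrypted Session Key",
    9: "Symmetrically Encrypted Data",
    18: "Sym. Encrypted and Integrity Protected Data",
}
PK_ALGOS = {1: "RSA", 2: "RSA encrypt-only", 16: "Elgamal", 17: "DSA", 18: "ECDH"}


def parse_packet_header(data: bytes) -> Tuple[int, int, int]:
    """Return (tag, body_length, header_length) for the packet starting at data[0].

    Raises ValueError if the first byte cannot be an OpenPGP packet header.
    """
    first = data[0]
    if not first & 0x80:
        # Bit 7 is always set in a packet header: a random first byte fails this
        # half the time, and the tag and length fields must then be consistent.
        raise ValueError("bit 7 clear: not an OpenPGP packet header")
    if first & 0x40:  # new-format header (RFC 4880 4.2.2)
        tag = first & 0x3F
        l1 = data[1]
        if l1 < 192:
            return tag, l1, 2
        if l1 < 224:
            return tag, ((l1 - 192) << 8) + data[2] + 192, 3
        if l1 == 255:
            return tag, int.from_bytes(data[2:6], "big"), 6
        raise ValueError("partial body lengths are not handled here")
    tag = (first >> 2) & 0x0F  # old-format header (RFC 4880 4.2.1)
    length_type = first & 0x03
    if length_type == 0:
        return tag, data[1], 2
    if length_type == 1:
        return tag, int.from_bytes(data[1:3], "big"), 3
    if length_type == 2:
        return tag, int.from_bytes(data[1:5], "big"), 5
    raise ValueError("indeterminate length is not handled here")


def describe_pkesk(body: bytes) -> dict:
    """Decode the unencrypted fields of a PKESK packet body (RFC 4880 5.1)."""
    version, key_id, algo = body[0], body[1:9], body[9]
    return {
        "version": version,
        "key_id": key_id.hex().upper(),  # all zeros when gpg used --hidden-recipient
        "pk_algo": PK_ALGOS.get(algo, f"unknown({algo})"),
    }


def classify(data: bytes) -> Optional[dict]:
    """Return what the leading packet reveals, or None if data is not OpenPGP-framed."""
    try:
        tag, body_len, hdr_len = parse_packet_header(data)
    except (ValueError, IndexError):
        return None
    if tag not in PACKET_TAGS or hdr_len + body_len > len(data):
        return None
    info = {"tag": tag, "packet": PACKET_TAGS[tag], "body_length": body_len}
    if tag == 1:
        info.update(describe_pkesk(data[hdr_len:hdr_len + body_len]))
    return info


# Constructed sample 1: old-format PKESK (0x85 = 10 0001 01 -> tag 1, two-octet length),
# version 3, fictitious key ID, RSA, then a 16-bit MPI standing in for the encrypted
# session key. 14 body bytes.
SAMPLE_PKESK = bytes.fromhex("85 000E 03 0123456789ABCDEF 01 0010 ABCD")

# Constructed sample 2: new-format SEIPD packet (0xD2 = 11 010010 -> tag 18),
# one-octet length 5, version 1 plus four bytes of pretend ciphertext.
SAMPLE_SEIPD = bytes.fromhex("D2 05 01 DEADBEEF")

# Constructed sample 3: same bytes, but bit 7 of the first byte is clear.
SAMPLE_NOT_PGP = bytes.fromhex("7F 000E 03 0123456789ABCDEF 01 0010 ABCD")

if __name__ == "__main__":
    for name, blob in [("pkesk", SAMPLE_PKESK), ("seipd", SAMPLE_SEIPD), ("junk", SAMPLE_NOT_PGP)]:
        print(name, classify(blob))
```

Even with gpg's --hidden-recipient option, which zeroes the key ID field, the header byte, the version number and the algorithm identifier remain in the clear, so the output is still recognisable as OpenPGP; that structure is why the reply above does not expect standard OpenPGP to meet requirement 2.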
Re: GnuPG 2.1 Windows 7, pinentry does not allow paste, no way to bypass?
On 2012.06.03. 23:07, Robert J. Hansen wrote:
> On 6/3/2012 10:46 AM, L G wrote:
>> During command line decryption, pinentry opens a popup window for the passphrase. In the pinentry window, paste (Ctl+V) is not supported. Deal breaker.
> Storing your passphrase in the clipboard is generally considered unwise and harmful. Your passphrase is a high-value secret: putting it on the clipboard makes it visible to every other process on your system (including malware!).

So, if one is incapable of remembering strong passwords (passphrases), this forces them to use either a useless passphrase (breakable in less than 5 min using a dictionary) or no passphrase at all.
Re: Website link broken
----- Original Message -----
From: MFPA expires2...@rocketmail.com
To: da...@gbenet.com on GnuPG-Users gnupg-users@gnupg.org
Sent: Wednesday, May 16, 2012 12:43 AM
Subject: Re: Website link broken

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi
>
> On Tuesday 15 May 2012 at 9:21:13 PM, in mid:4fb2bab9.4020...@gbenet.com, da...@gbenet.com wrote:
>> It works now :)

Does not work from here either.
Re: Win7: Kleopatra does not open
Hello Roland,

Friday, October 21, 2011, 12:21:59 PM, you wrote:
> Therefore I need to be able to execute Kleopatra or GPA. Unfortunately Kleopatra does not work. I tried both from a desktop shortcut, and the command prompt (terminal). Just no reaction at all. I tried several re-installs. On 2 occasions it got working, but gave up a day later. Reinstall some success, and then failure again ...

Kleopatra seems to be part of gpg4win, which has its own mailing list (gpg4win-users...@wald.intevation.org).

What are your language settings? I had a similar problem (it was reproducible in WinXP and Windows Vista). See:
http://lists.wald.intevation.org/pipermail/gpg4win-users-en/2011-April/000598.html
and the rest of the thread. (Kleopatra works only in English Windows (maybe German too).)

--
Best regards,
yyy mailto:y...@yyy.id.lv
Re: STEED - Usable end-to-end encryption
----- Original Message -----
From: Werner Koch w...@gnupg.org
To: Jerome Baum jer...@jeromebaum.com
Cc: gnupg-users@gnupg.org
Sent: Tuesday, October 18, 2011 7:00 PM
Subject: Re: STEED - Usable end-to-end encryption

> On Tue, 18 Oct 2011 16:35, jer...@jeromebaum.com said:
>> operations will be the most important part to making that work, and the ISPs don't have to help out there (modulo webmail which isn't even end-point).
> Even webmail. It is easy to write a browser extension to do the crypto stuff. Installing browser extensions is even easier than installing most other software.

There is the FireGPG plugin for Firefox, and it does not work well with the latest versions (installing it in Firefox 5 was not straightforward). I am not aware of any other public-key encryption plugin for Firefox or for any other browser.

Some webmails have POP3/IMAP/SMTP, but some do not. (For example, inbox.lv for quite a long time had only POP3, but not SMTP.)
Re: gpgsm certificate validity
On 2011.08.23. 10:07, Werner Koch wrote:
> On Mon, 22 Aug 2011 18:05, y...@yyy.id.lv said:
>> So, is the order of certificate hashes, relative to certificate order in the keyring, critically important?
> No. You need to make sure to not use lines of more than ~255 characters. Check that your editor didn't reflow a comment block or similar.

Re-tested today and it worked in more than one order. Probably the issues yesterday were some sort of temporary glitch.

So, currently, importing a root certificate into gpgsm's keyring is a 2-stage process:
1. gpgsm --import _certificate_
2. edit the trustlist.txt file to add the imported certificate's hash (to make it trusted (usable)).

For some certificates gpgsm asks during import whether to trust them (and if confirmed, adds an entry to trustlist.txt automatically). Is it possible to make gpgsm ask whether to trust it, for any certificate?
gpgsm certificate validity
Hello!

How to verify if a certificate (in the keyring) is valid? I tried to encrypt a file using gpgsm and none of the key-specifying methods worked (http://lists.gnupg.org/pipermail/gnupg-users/2011-August/042580.html). Could that be caused by an invalid certificate?
Re: gpgsm certificate validity
On 2011.08.22. 15:03, Werner Koch wrote:
> On Mon, 22 Aug 2011 11:07, y...@yyy.id.lv said:
>> How to verify if a certificate (in keyring) is valid?
> gpgsm -k --with-validation USERID
> without USERID all certificates are validated. In case you want to skip CRL checks, add the option --disable-crl-checks.

This produced the error: [certificate is bad: No value]
The rest of the data about the certificate (ID, S/N, Issuer, Subject, validity, key type, chain length, fingerprint) was fine. What does it mean? Attempts to encrypt to this USERID also produced the error "No value".
Re: gpgsm certificate validity
On 2011.08.22. 15:18, yyy wrote:
> On 2011.08.22. 15:03, Werner Koch wrote:
>> On Mon, 22 Aug 2011 11:07, y...@yyy.id.lv said:
>>> How to verify if a certificate (in keyring) is valid?
>> gpgsm -k --with-validation USERID
>> without USERID all certificates are validated. In case you want to skip CRL checks, add the option --disable-crl-checks.
> This produced the error: [certificate is bad: No value]
> The rest of the data about the certificate (ID, S/N, Issuer, Subject, validity, key type, chain length, fingerprint) was fine. What does it mean? Attempts to encrypt to this USERID also produced the error "No value".

A few more updates.

If using gpgsm -k --with-validation (without providing a USERID), it also prints the fingerprint as:

81:4A:73:CC:AB:BC:41:Dgpgsm: dirmngr cache-only key lookup failed : Not found
3:D7:99:0F:A3:C0:75:AB:E0:D5:6C:AE:DD

That certificate is a self-signed certificate, and it seems that gpgsm is trying to find it in some external file (not in the keyring).

In addition to --with-validation, I used --disable-crl-checks and --disable-policy-checks, but these did not change anything.

Also, searching Google for [certificate is bad: No value] produced one result from this list, from 2006:
http://lists.gnupg.org/pipermail/gnupg-devel/2006-September/023160.html (google result)
Further in that thread, there was a message:
http://lists.gnupg.org/pipermail/gnupg-devel/2006-September/023175.html

This certificate does not have BasicConstraints; maybe this is the cause of the error?

I imported another root certificate; this one had BasicConstraints set, and its import went differently: there was a popup asking if I want to trust it (when importing the first certificate, it did not ask anything). For that certificate, gpgsm -k --with-validation --disable-crl-checks went without errors. Encryption using such IDs worked.

So, the main problem seems to be the (lack of) presence of BasicConstraints in the certificate. Is it possible to override the check for BasicConstraints? Is it a bug?

--ignore-cert-extensions cannot be used, because the problem is the absence of an extension, not the presence of one.
Re: gpgsm certificate validity
On 2011.08.22. 17:31, Werner Koch wrote:
> On Mon, 22 Aug 2011 15:27, y...@yyy.id.lv said:
>> This certificate does not have BasicConstraints; maybe this is the cause of the error?
> Quite likely. That is required for CA certificates.
>> Is it possible to override the check for BasicConstraints? Is it a bug?
> Try adding the relax keyword to the entry in ~/.gnupg/trustlist.txt .

That eventually fixed it. Thanks.

There were some errors along the way, though: trustlist.txt initially contained only the hash of the second certificate (with BasicConstraints). I added the hash of the other certificate (the one without BasicConstraints), and now on ALL certificates gpgsm -k --with-validation --disable-crl-checks produces the error [certificate is bad: Line too long]. In this case, the first line in trustlist.txt was for the second certificate in the keyring and the second line was for the first certificate in the keyring. Swapping these lines in trustlist.txt fixed it. So, is the order of certificate hashes, relative to certificate order in the keyring, critically important?
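Werner's point above, that gpgsm requires BasicConstraints on a CA certificate, is something one can check on a certificate before importing it rather than after chain validation fails with "No value". The following is an added example, not code from the thread or from GnuPG: a small DER walker that finds the BasicConstraints extension (OID 2.5.29.19) inside an X.509 Extensions SEQUENCE and decodes its cA flag and path-length constraint. The two Extensions blobs are constructed by hand for illustration; on a real certificate the equivalent check is `openssl x509 -in cert.pem -noout -text`, which prints an "X509v3 Basic Constraints" line only when the extension is present.

```python
"""Find and decode the BasicConstraints extension in a DER-encoded X.509 Extensions block.

Added example, not code from the thread or from GnuPG. Walks DER type-length-value
encoding directly (no third-party library). The Extensions blobs at the bottom are
constructed by hand for illustration, not taken from a real certificate.
"""
from typing import Iterator, Optional, Tuple

OID_BASIC_CONSTRAINTS = bytes.fromhex("551D13")  # 2.5.29.19
TAG_BOOLEAN, TAG_INTEGER, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x01, 0x02, 0x04, 0x06, 0x30


def der_read(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one TLV element at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low seven bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def der_children(seq_body: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, value) for each element inside the body of a SEQUENCE."""
    pos = 0
    while pos < len(seq_body):
        tag, value, pos = der_read(seq_body, pos)
        yield tag, value


def parse_basic_constraints(value: bytes) -> dict:
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }"""
    tag, body, _ = der_read(value)
    if tag != TAG_SEQUENCE:
        raise ValueError("BasicConstraints is not a SEQUENCE")
    result = {"ca": False, "path_len": None}
    for tag, v in der_children(body):
        if tag == TAG_BOOLEAN:
            result["ca"] = v != b"\x00"
        elif tag == TAG_INTEGER:
            result["path_len"] = int.from_bytes(v, "big")
    return result


def find_basic_constraints(extensions: bytes) -> Optional[dict]:
    """Return {'ca', 'path_len', 'critical'} if the Extensions SEQUENCE carries
    BasicConstraints, or None when the extension is absent (the thread's failure case)."""
    tag, body, _ = der_read(extensions)
    if tag != TAG_SEQUENCE:
        raise ValueError("Extensions is not a SEQUENCE")
    for tag, ext in der_children(body):
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
        fields = list(der_children(ext))
        oid = fields[0][1]
        critical = len(fields) == 3 and fields[1][1] != b"\x00"
        extn_value = fields[-1][1]
        if oid == OID_BASIC_CONSTRAINTS:
            info = parse_basic_constraints(extn_value)
            info["critical"] = critical
            return info
    return None


# Constructed: one extension, BasicConstraints marked critical, cA=TRUE, pathLen=0.
CA_EXTENSIONS = bytes.fromhex(
    "30 14"                              # Extensions SEQUENCE, 20 bytes
    "   30 12"                           #   Extension SEQUENCE, 18 bytes
    "      06 03 55 1D 13"               #     extnID = 2.5.29.19 (basicConstraints)
    "      01 01 FF"                     #     critical = TRUE
    "      04 08 30 06 01 01 FF 02 01 00"  #   extnValue = SEQUENCE { cA TRUE, pathLen 0 }
)

# Constructed: only keyUsage (2.5.29.15) present, so BasicConstraints is missing.
NO_BC_EXTENSIONS = bytes.fromhex(
    "30 0D"
    "   30 0B"
    "      06 03 55 1D 0F"               #     extnID = 2.5.29.15 (keyUsage)
    "      04 04 03 02 05 A0"            #     extnValue = BIT STRING
)

if __name__ == "__main__":
    print("with BasicConstraints:", find_basic_constraints(CA_EXTENSIONS))
    print("without BasicConstraints:", find_basic_constraints(NO_BC_EXTENSIONS))
```

The relax keyword in trustlist.txt is the per-entry workaround the thread settled on; the cleaner fix is to reissue the self-signed root with basicConstraints = critical, CA:TRUE in the OpenSSL config, so that it passes chain validation in gpgsm and in every other X.509 implementation without a trust-list exception.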
gpgsm recipient format
Hello!

When using gpgsm to encrypt a file, what is the primarily intended recipient format?

gpgsm -e -r <recipient> file_to_be_encrypted.ext

What to put in place of <recipient>?

The certificate was imported using gpgsm --import cert.pem; it shows in gpgsm --list-keys. The certificate is self-signed, and the only field containing useful information is CN; there are some other fields containing junk. There is no e-mail address specified.

I tried to specify user IDs as told here:
http://www.gnupg.org/documentation/manuals/gnupg-devel/Specify-a-User-ID.html#how-to-specify-a-user-id

None of these methods worked; the errors were as follows:

By key ID (#1 in list). Assumed that the first entry in --list-keys, named ID, is that; it was 0xD56CAEDD. Executing:
gpgsm -e -r 0xD56CAEDD file.ext
produced this error:
gpgsm: can't encrypt to `0xD56CAEDD': No value

By fingerprint (#2 in list). The fingerprint was the last entry in --list-keys, and it was 81:4A:73:CC:AB:BC:41:D3:D7:99:0F:A3:C0:75:AB:E0:D5:6C:AE:DD. Executing:
gpgsm -e -r 81:4A:73:CC:AB:BC:41:D3:D7:99:0F:A3:C0:75:AB:E0:D5:6C:AE:DD file.ext
produced the error:
gpgsm: can't encrypt to `0x81:4A:73:CC:AB:BC:41:D3:D7:99:0F:A3:C0:75:AB:E0:D5:6C:AE:DD': Invalid name
Removing 0x at the beginning of the fingerprint changed nothing.

By exact match on OpenPGP user ID (#3 in list). Does not apply here, because it does not apply to X.509 certificates.

By exact match on an email address (#4 in list). Does not apply here, because the certificate does not contain an email address.

By word match (#5 in list). The only memorable word there was the CN (cert). Executing:
gpgsm -e -r +cert file.ext
produced the error:
../../gnupg2-2.0.17/kbx/keybox-search.c:858: oops; should never get here
../../gnupg2-2.0.17/kbx/keybox-search.c:858: oops; should never get here
gpgsm: can't encrypt to `+cert': No public key

By exact match on the subject's DN (#6 in list). As specified in the list, the subject's DN string was extracted from the output of:
gpgsm --list-keys --with-colons
It was: CN=cert,OU=key_usage,O=no_specified,L=bez_ca,ST=undefined_type,C=lv
Executing:
gpgsm -e -r /CN=cert,OU=key_usage,O=no_specified,L=bez_ca,ST=undefined_type,C=lv file.ext
produced the error:
gpgsm: can't encrypt to `/CN=cert,OU=key_usage,O=no_specified,L=bez_ca,ST=undefined_type,C=lv': No value

By exact match on the issuer's DN (#7 in list). Since this is a self-signed certificate, the DN string is the same (except for # in front of the string). The error was exactly the same as in the previous case.

By exact match on serial number and issuer's DN (#8 in list). Executing:
gpgsm -e -r #01/CN=cert,OU=key_usage,O=no_specified,L=bez_ca,ST=undefined_type,C=lv file.ext
produced the error:
gpgsm: can't encrypt to `#01/CN=cert,OU=key_usage,O=no_specified,L=bez_ca,ST=undefined_type,C=lv': No value

By keygrip (#9 in list). The keygrip obtained by --dump-cert was 3992799455D8CCCFECA75FE1BD7708D8A7E2EFD6. Executing:
gpgsm -e -r 3992799455D8CCCFECA75FE1BD7708D8A7E2EFD6 file.ext
produced the error:
gpgsm: missing argument for option -r
'3992799455D8CCCFECA75FE1BD7708D8A7E2EFD6' is not recognized as an internal or external command, operable program or batch file.

By substring match (#10 in list). Tried on CN. Executing:
gpgsm -e -r cert file.ext
produced the error:
gpgsm: can't encrypt to `cert': No value
If using a partial substring (with * at the beginning), the error was the same:
gpgsm -e -r *cert file.ext
gpgsm: can't encrypt to `*cert': No value

These were all 10 specified methods.

Output of --list-keys:
ID: 0xD56CAEDD
S/N: 01
Issuer: /CN=cert/OU=key_usage/O=no_specified/L=bez_ca/ST=undefined_type/C=lv
Subject: /CN=cert/OU=key_usage/O=no_specified/L=bez_ca/ST=undefined_type/C=lv
validity: 2010-12-04 18:14:32 through 2011-12-04 06:33:15
key type: 1024 bit RSA
chain length: none
fingerprint: 81:4A:73:CC:AB:BC:41:D3:D7:99:0F:A3:C0:75:AB:E0:D5:6C:AE:DD

Output of --dump-cert:
ID: 0xD56CAEDD
S/N: 01
Issuer: CN=cert,OU=key_usage,O=no_specified,L=bez_ca,ST=undefined_type,C=lv
Subject: CN=cert,OU=key_usage,O=no_specified,L=bez_ca,ST=undefined_type,C=lv
sha1_fpr: 81:4A:73:CC:AB:BC:41:D3:D7:99:0F:A3:C0:75:AB:E0:D5:6C:AE:DD
md5_fpr: FB:F8:0D:AA:1F:2F:F9:F8:28:40:7E:B7:49:DB:7F:F3
certid: 3A409A4E9141A06D70B234CC5716FAEF282A3477.01
keygrip: 3992799455D8CCCFECA75FE1BD7708D8A7E2EFD6
notBefore: 2010-12-04 18:14:32
notAfter: 2011-12-04 06:33:15
hashAlgo: 1.2.840.113549.1.1.5 (sha1WithRSAEncryption)
keyType: 1024 bit RSA
subjKeyId: [none]
authKeyId: [none]
keyUsage: [none]
extKeyUsage: [none]
policies: [none]
chainLength: [none]
crlDP: [none]
authInfo: [none]
subjInfo: [none]

Is there a way for the recipient to just specify a certificate file in PEM format? (Without using the keyring.) Is it possible to import PEM-format private keys?