Re: Question - GPG - No Secret Keys

[Bernhard Reiter]

Hi Rafael,

Am Freitag 16 Juni 2023 19:50:43 schrieb Alberti, Rafael Ricardo via 
Gnupg-users:
> On May 15 2023, we installed and were looking at using GPG a server.

which operating system and if you are running GNU/Linux, which distribution
are you using?

> We  created  the proper Public and Private key and Pass Phrase.   The
> decryption and encryption was working well for a few weeks until on June
> 13, 2023 the decryption failed.
>
> Upon review, we received a "No Secret Key" error - nothing changed on the
> machine.  We also noticed that the Public and Private key were no longer
> visible in the armor i.e.  Gpg -list-keys{returned blank}
>
> What would cause the keys to be removed?We did notice that an install
> of GPG occurred on the server on June 13.
>
> Can a GPG Auto Update remove the Keys inside the Armor ?  

It MUST not. So if this update did, it would be a defect of the packaging
(or the updating process in general).

> If so, how can  we disable GPG Auto Update feature

Depends on which update service you were using.
GnuPG is available for many platforms and can be installed by many means.

> After much review,  and  "by chance"  we re-imported the Public.key and the
> TrustDb.Key and the Armor was repopulated with the old Key information and
> the decryption started to work again

Good to know that you had a working backup (that is recommended practice). :)

Best Regards
Bernhard


-- 
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter


signature.asc
Description: This is a digitally signed message part.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Question - GPG - No Secret Keys

[Alberti, Rafael Ricardo via Gnupg-users]

Hi Gpg Developers

On May 15 2023, we installed and were looking at using GPG a server.   We 
created  the proper Public and Private key and Pass Phrase.   The decryption 
and encryption was working well for a few weeks until on June 13, 2023 the 
decryption failed.

Upon review, we received a "No Secret Key" error - nothing changed on the 
machine.  We also noticed that the Public and Private key were no longer 
visible in the armor i.e.  Gpg -list-keys{returned blank}

What would cause the keys to be removed?We did notice that an install of 
GPG occurred on the server on June 13.

Can a GPG Auto Update remove the Keys inside the Armor ?If so, how can we 
disable GPG Auto Update feature

After much review,  and  "by chance"  we re-imported the Public.key and the 
TrustDb.Key and the Armor was repopulated with the old Key information and the 
decryption started to work again

Any advise or information is appreciated

Thank you
Rafael

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPGME question about ciphertext and plaintext sizes

[Werner Koch via Gnupg-users]

On Wed, 10 May 2023 14:43, Dim Xr said:

> I'm far from a security expert, that's why I needed a more
> higher level solution for this. But definitely I'll give it a shot.

Use DMCrypt under Linux or Veracrypt etc.   Disk encryption is a
complicated matter and you definitley should have some experience in
this area.

> Do you know if OpenSSL is suitable for this task?

The same as Libgcrypt is.


Shalom-Salam,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein


openpgp-digital-signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPGME question about ciphertext and plaintext sizes

[Dim Xr via Gnupg-users]

Thank you Werner.

You need to use a low level crypto library
> for that (e.g. Libgcrypt) and decide which algorithm, mode and
> additional information you use.
>

OK I'll check it out. Searching on the mailing list responses I
came across with Libgcrypt again, but I've read that it is quite
low-level library so you have  to be some kind of guru to use it. :-)
I'm far from a security expert, that's why I needed a more
higher level solution for this. But definitely I'll give it a shot.

Do you know if OpenSSL is suitable for this task?

Dim.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPGME question about ciphertext and plaintext sizes

[Werner Koch via Gnupg-users]

On Tue,  9 May 2023 17:48, Dim Xr said:

> same size? Is there any way to have FPE (Format Preserving Encryption) via
> GPGME?

No.  GPGME uses the OpenPGP and S/MIME protocols (gpg and gpgsm) and is
not suitable for your task.  You need to use a low level crypto library
for that (e.g. Libgcrypt) and decide which algorithm, mode and
additional information you use.  For example it is possible to create an
IV or nonce from the block number but there are many security pitfalls.
You may want to read some papers about crypto file systems and look at
implementations for Linux and *BSD.

In GnuPG we have a disk encryption tools (g13) but that takes only care
of encrypting the actual symmetric encryption key.  Everything else is
left to dmcrypt.


Shalom-Salam,

   Werner


-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein


openpgp-digital-signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

GPGME question about ciphertext and plaintext sizes

[Dim Xr via Gnupg-users]

Hello all,
I'm currently working on a userspace block device driver. I want to add
encryption on it,
and that's how I came across GPGME.

My question is: is there a way to encrypt a plaintext and get a ciphertext
of **exactly** the
same size? Is there any way to have FPE (Format Preserving Encryption) via
GPGME?


>From my research so far, it doesn't seem to exist one. Even symmetric
algorithms are using
metadata on the ciphertext so the size is always bigger than the
corresponding plaintext.

All suggestions are welcome!

Thanks.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Re: Question about secret service integration and saved passphrases

[Jan Eden via Gnupg-users]

On 2023-01-05 13:51, Ingo Klöcker wrote:

> On Donnerstag, 5. Januar 2023 02:50:25 CET Jackson Chen via Gnupg-users wrote:
> > i had enabled KeePassXC secret service integration (some free desktop
> > standard). when i use my secret GPG/PGP keys, i get prompted by KeePassXC
> > to unlock the database (if locked). after unlocking the database, GPG goes
> > back to asking for the passphrase through pinentry.
> > 
> > the problem i have is that the pinentry program (pinentry-qt) does not have
> > a checkbox to save the passphrase, which is what i need to save the
> > passphrase into KeePassXC. is there a way to either save an entry for the
> > key's passphrase directly in KeePassXC, or indirectly through some pinentry
> > program or other way?
> 
> I think there's a pinentry-gnome3 which supports saving passwords via the 
> secret service integration. It should work fine in KDE Plasma.
> 
> Searching the internet I found this link which might be helpful:
> https://wiki.archlinux.org/title/GNOME/Keyring

I can confirm that pinentry-gnome3 works well with seahorse in Ubuntu
22.04.

- Jan


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Question about secret service integration and saved passphrases

[Ingo Klöcker]

On Donnerstag, 5. Januar 2023 02:50:25 CET Jackson Chen via Gnupg-users wrote:
> i had enabled KeePassXC secret service integration (some free desktop
> standard). when i use my secret GPG/PGP keys, i get prompted by KeePassXC
> to unlock the database (if locked). after unlocking the database, GPG goes
> back to asking for the passphrase through pinentry.
> 
> the problem i have is that the pinentry program (pinentry-qt) does not have
> a checkbox to save the passphrase, which is what i need to save the
> passphrase into KeePassXC. is there a way to either save an entry for the
> key's passphrase directly in KeePassXC, or indirectly through some pinentry
> program or other way?

I think there's a pinentry-gnome3 which supports saving passwords via the 
secret service integration. It should work fine in KDE Plasma.

Searching the internet I found this link which might be helpful:
https://wiki.archlinux.org/title/GNOME/Keyring

Regards,
Ingo


signature.asc
Description: This is a digitally signed message part.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Question about secret service integration and saved passphrases

[Jackson Chen via Gnupg-users]

hi,

i had enabled KeePassXC secret service integration (some free desktop standard).
when i use my secret GPG/PGP keys, i get prompted by KeePassXC to unlock the 
database (if locked). after unlocking the database, GPG goes back to asking for 
the passphrase through pinentry.

the problem i have is that the pinentry program (pinentry-qt) does not have a 
checkbox to save the passphrase, which is what i need to save the passphrase 
into KeePassXC.
is there a way to either save an entry for the key's passphrase directly in 
KeePassXC, or indirectly through some pinentry program or other way?

currently, pinentry-gtk2 is broken because of a missing library (namely 
libgtk-x11). my linux system runs the KDE desktop environment, so i guess it 
makes sense why pinentry-gtk2 wouldn't work, but i'm not sure what package to 
install (arch linux ARM).

thanks!

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Difference between versions--Question

[K S via Gnupg-users]

Thank you!

kcs

On Tue, Jan 3, 2023 at 9:05 PM Todd Zullinger via Gnupg-users <
gnupg-users@gnupg.org> wrote:

> K S via Gnupg-users wrote:
> > It would be helpful to know why I can't get compression in my build. I've
> > tried to build from source three times now.
> >
> > There are so many packages in Ubuntu with zip, zlib, and bzip2 in the
> name
> > I can't begin to try them all. I've looked at config.log and it doesn't
> > give much help.
>
> The config.log should show some information about the
> compression algorithms, likely found searching for "zip" in
> the output.
>
> Building from source does require a bit of familiarity with
> the system on which you are building.  While you shouldn't
> need to randomly try all the packages, knowing where to look
> for ideas will help.
>
> I don't use Ubuntu or Debian, but if I were trying to build
> gnupg from source I'd start by looking at what build
> dependencies are required by the system packages.
>
> In the case of gnupg, you can see that in the debian/control
> file:
>
>
> https://salsa.debian.org/debian/gnupg2/-/blob/7f5e9b1b/debian/control#L9-43
>
> https://git.launchpad.net/ubuntu/+source/gnupg2/tree/debian/control#n10
>
> You can install those build dependencies via something like:
>
> apt-get build-dep gnupg2
>
> The debian/rules file is usually also interesting; seeing
> what configure and make options are used can be helpful.
>
> Some of the dependencies for the current gnupg may be newer
> than what is required by the gnupg2 package in Ubuntu and/or
> provided by the OS.  You may first need to build those newer
> dependencies.
>
> If so, you need to be careful not to interfere with the OS
> libraries which are used by other packages on the system.
> It can get "interesting" trying to update something which is
> quite a core dependency of the operating system.
>
> --
> Todd
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> https://lists.gnupg.org/mailman/listinfo/gnupg-users
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Difference between versions--Question

[Todd Zullinger via Gnupg-users]

K S via Gnupg-users wrote:
> It would be helpful to know why I can't get compression in my build. I've
> tried to build from source three times now.
> 
> There are so many packages in Ubuntu with zip, zlib, and bzip2 in the name
> I can't begin to try them all. I've looked at config.log and it doesn't
> give much help.

The config.log should show some information about the
compression algorithms, likely found searching for "zip" in
the output.

Building from source does require a bit of familiarity with
the system on which you are building.  While you shouldn't
need to randomly try all the packages, knowing where to look
for ideas will help.

I don't use Ubuntu or Debian, but if I were trying to build
gnupg from source I'd start by looking at what build
dependencies are required by the system packages.

In the case of gnupg, you can see that in the debian/control
file:

https://salsa.debian.org/debian/gnupg2/-/blob/7f5e9b1b/debian/control#L9-43
https://git.launchpad.net/ubuntu/+source/gnupg2/tree/debian/control#n10

You can install those build dependencies via something like:

apt-get build-dep gnupg2

The debian/rules file is usually also interesting; seeing
what configure and make options are used can be helpful.

Some of the dependencies for the current gnupg may be newer
than what is required by the gnupg2 package in Ubuntu and/or
provided by the OS.  You may first need to build those newer
dependencies.

If so, you need to be careful not to interfere with the OS
libraries which are used by other packages on the system.
It can get "interesting" trying to update something which is
quite a core dependency of the operating system.

-- 
Todd


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Difference between versions--Question

[Robert J. Hansen via Gnupg-users]

It would be helpful to know why I can't get compression in my build. 
I've tried to build from source three times now.


The answer is very simple: because you are building it incorrectly.  We 
can provide you with the answers, but we can't give you the software 
development skills needed to correctly use the answers.


There are so many packages in Ubuntu with zip, zlib, and bzip2 in the 
name I can't begin to try them all. I've looked at config.log and it 
doesn't give much help.


If you're unable to recognize which packages provide development headers 
for common system libraries, that would be a sign your skill level is 
not up to this task.


This isn't to say you shouldn't learn.  Learning is good, even 
essential!  It's only to say the problem isn't with GnuPG.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Difference between versions--Question

[K S via Gnupg-users]

It would be helpful to know why I can't get compression in my build. I've
tried to build from source three times now.

There are so many packages in Ubuntu with zip, zlib, and bzip2 in the name
I can't begin to try them all. I've looked at config.log and it doesn't
give much help.

Cheers

On Fri, Nov 11, 2022 at 8:38 AM Ingo Klöcker  wrote:

> On Freitag, 11. November 2022 14:06:34 CET Bernhard Reiter wrote:
> > Am Freitag 04 November 2022 13:55:58 schrieb K S via Gnupg-users:
> > > How do I run configure to get the compression routines?
> >
> > checkout the "config.log" or the output of your configure command run
> > to see if there are messages concerning compression libraries.
>
> It depends on your distribution what packages you need to install to get
> support for compression. Typically, those packages would be called
> something
> like zlib-devel, zip-devel, bzip2-devel, or similar.
>
> configure will very likely have told you that it didn't find zlib, zip and
> bzip2. Just running configure without looking at its output will allow you
> to
> build an application, but you may miss optional feature like, in the case
> of
> gnupg, support for different types of compression.
>
> Regards,
> Ingo
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> https://lists.gnupg.org/mailman/listinfo/gnupg-users
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Difference between versions--Question

[Ingo Klöcker]

On Freitag, 11. November 2022 14:06:34 CET Bernhard Reiter wrote:
> Am Freitag 04 November 2022 13:55:58 schrieb K S via Gnupg-users:
> > How do I run configure to get the compression routines?
> 
> checkout the "config.log" or the output of your configure command run
> to see if there are messages concerning compression libraries.

It depends on your distribution what packages you need to install to get 
support for compression. Typically, those packages would be called something 
like zlib-devel, zip-devel, bzip2-devel, or similar.

configure will very likely have told you that it didn't find zlib, zip and 
bzip2. Just running configure without looking at its output will allow you to 
build an application, but you may miss optional feature like, in the case of 
gnupg, support for different types of compression.

Regards,
Ingo


signature.asc
Description: This is a digitally signed message part.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Difference between versions--Question

[Bernhard Reiter]

Hi Kevin,

Am Freitag 04 November 2022 13:55:58 schrieb K S via Gnupg-users:
> How do I run configure to get the compression routines?

checkout the "config.log" or the output of your configure command run
to see if there are messages concerning compression libraries.

> FYI, this is the first time I've built from source.

It is cool that you have tried it! :)
Bernhard

-- 
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter


signature.asc
Description: This is a digitally signed message part.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Difference between versions--Question

[K S via Gnupg-users]

How do I run configure to get the compression routines?

I ran the build exactly like the README file indicated I should.

FYI, this is the first time I've built from source.

kcs

On Mon, Oct 31, 2022 at 9:44 AM Ingo Klöcker  wrote:
>
> On Montag, 31. Oktober 2022 10:23:10 CET K S via Gnupg-users wrote:
> > Question:
> > Why aren't those identical? I notice the source build has only
> > Uncompressed as an option.
> [...]
> > Is there something I missed in my build?
>
> configure most likely didn't find the development files of the compression
> libraries. Check the output of configure.
>
> Regards,
> Ingo
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> https://lists.gnupg.org/mailman/listinfo/gnupg-users

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Difference between versions--Question

[Ingo Klöcker]

On Montag, 31. Oktober 2022 10:23:10 CET K S via Gnupg-users wrote:
> Question:
> Why aren't those identical? I notice the source build has only
> Uncompressed as an option.
[...]
> Is there something I missed in my build?

configure most likely didn't find the development files of the compression 
libraries. Check the output of configure.

Regards,
Ingo


signature.asc
Description: This is a digitally signed message part.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Question about redundant smartcard setup

[kho via Gnupg-users]

  
  
Hi,

Recently I have been working with GPG and 2 smartcards (Yubikey).
Despite some information here an there on internet, some things are
still not clear to me.

My setup has 1 master key with 6 subkeys, twice 3 keys for different
purposes(A,E,S). So each smartcard will receive 3 keys. It works fine
with Thunderbird and also with other tools: passwordstore (unix pass).

Here some questions about particular situations:

1. In the passwordstore, I encrypted a few passwords, which are in fact
just GPG files that store the passwords. When I want to decrypt them
with the Yubikey, I receive the message: Please insert card with serial
number. But what if I don't have that smartcard2 at hand? And how do I
know that smartcard1 then really works , if it is never asked to insert
smartcard1? I found a way to encrypt with smartcard1 via the option: -r
! . Smartcard1 seems to work fine. But then
the question remains, suppose GPG asks for smartcard2 and smartcard2 is
stolen. I can only provide smartcard1 and GPG asks for smartcard2. What
to do?

2. Then some people suggest to use a different master key, but the goal
was that both smartcards back each other up, in case one is broke. So
that idea is not going to work, correct?

3. Also with different master keys, if I have sent a bunch of e-mails
with smartcard1 and smartcard2. When one of the smartcards is broke , I
will not be able to open those e-mails with the working smartcard?

4. Another approach is that I could for example have created just 3
subkeys (not 6) and copied all 3 to smartcard1 and again to smartcard2.
I thought that having those subkeys separately is ideal, specially in a
occasion were smartcard2 is stolen. Then I revoke the smartcard2 subkeys
and keep on using the smartcard1 until I have ordered a new backup
smartcard. Because some e-mails are sent encrypted (not so many), am I
sure then when I revoke the subkey of smartcard2 that all e-mail will
open with smartcard1?

5. What is at the end the best way to setup 2 smartcards that can be
used in encryption, signing and decryption? And additionally both
smartscard should work, I have 2 smartcards for redundancy.

On internet there are many blogs etc, but they never deal with the
complete picture.

Thanks in advance for your help.

All the best!
 
  


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Question about redundant smartcard setup

[kho via Gnupg-users]

Yes, will do that. And the full chain from start to finish with a test
key. Deal.

On 8/19/22 16:25, Andrew Gallagher wrote:
> On 19 Aug 2022, at 17:17, kho  wrote:
>>
>> Thanks for this fast, complete and clear answer.
>>
>> I am going to see if I can still pick up somewhere or just remove all I
>> did and start all over by following your steps.
>
> Just a note of caution: since it is quite an involved process I would
> recommend keeping it as simple as possible at first, and trying it out
> with a test key before doing it in production. So long as you have a
> (tested!) offline backup you should be safe.
>
> A
>

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Question about redundant smartcard setup

[Andrew Gallagher via Gnupg-users]

On 19 Aug 2022, at 17:17, kho  wrote:
> 
> Thanks for this fast, complete and clear answer.
> 
> I am going to see if I can still pick up somewhere or just remove all I
> did and start all over by following your steps.

Just a note of caution: since it is quite an involved process I would recommend 
keeping it as simple as possible at first, and trying it out with a test key 
before doing it in production. So long as you have a (tested!) offline backup 
you should be safe.

A



signature.asc
Description: Message signed with OpenPGP
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Question about redundant smartcard setup

[kho via Gnupg-users]

Thanks for this fast, complete and clear answer.

I am going to see if I can still pick up somewhere or just remove all I
did and start all over by following your steps.

This is the confirmation I needed! Thanks!

On 8/19/22 15:25, Andrew Gallagher wrote:
> On 19 Aug 2022, at 13:48, kho via Gnupg-users  wrote:
>> 5. What is at the end the best way to setup 2 smartcards that can be
>> used in encryption, signing and decryption? And additionally both
>> smartscard should work, I have 2 smartcards for redundancy.
> If you want the two smartcards to be redundant copies of each other, then 
> they MUST contain exactly the same key material. It is possible to generate 
> multiple signing/authentication subkeys that will be treated the same for 
> practical purposes, since most software will try each valid sig/auth-capable 
> (sub)key in turn during verification. There is no equivalent ability for 
> encryption subkeys, as clients will encrypt to only the most recent valid 
> encryption subkey. If you lose/break the smartcard with the only copy of an 
> encryption subkey then there is no way to recover.
>
> You can save the same key material to multiple smartcards using the gnupg 
> command line interface:
>
> 1. Run gnupg and follow the usual process for generating (sub)keys, but 
> “save” to save and exit before transferring subkeys to the smartcard. This 
> ensures that you have a copy on disk before continuing.
>
> 2. Run gnupg again and copy the subkey(s) to the card, but afterwards you 
> should say “quit” to exit *without* saving (not “save”). That way the subkeys 
> will not be deleted from disk and you can use them again.
>
> 3. Repeat step 2 for the second (third, fourth,…) smartcard. Only choose 
> “save” to save-and-exit after copying to the last smartcard, however be aware 
> that “last” in this context really means “last”. No take-backs.
>
> If you have to generate a new subkey for whatever reason (say you had to 
> revoke the previous one) you must follow a similar save/quit sequence, 
> remembering the order “run, generate, save, run, copy, quit, run, copy, quit, 
> … run, copy, save"
>
> To keep open the possibility of provisioning extra cards in the future, you 
> could back up your entire .gnupg directory to a secure offline storage medium 
> (such as an encrypted thumb drive) after generating the keys but before 
> transferring to smartcard(s). Or you could perform the whole process of 
> generating and managing your keys using a secure live system such as Tails 
> with an encrypted persistent partition (remembering to “quit” after copying 
> even the last time so that there is always a copy on disk). If you do either 
> of these you only need one smartcard, so long as you don’t mind waiting for a 
> replacement smartcard to arrive in the post if your original breaks.
>
> On any given machine, gnupg will only ask for one smartcard. You should 
> therefore consider one smartcard your working copy and one your emergency 
> backup (if you have multiple machines, you could assign different primary 
> cards to each machine). To force gnupg to ask for the other smartcard, you 
> can delete the stub `.key` files under ~/.gnupg/private-keys-v1.d (on 
> Linux/Mac, I forget the Windows equivalent). To work out which files to 
> delete, incant `gpg -K --with-keygrip` and note the “Keygrip” lines under the 
> three subkeys. Delete the corresponding `.key` files only, then plug in the 
> replacement smartcard and incant `killall gpg-agent; gpg --card-status` 
> (again Linux/Mac only). gnupg should now recognise the replacement card as 
> the primary, and will ask consistently for that one until you repeat the 
> process.
>
> A
>

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Question about redundant smartcard setup

[kho via Gnupg-users]

Of course, you are right. I could store it digitally on a encrypted disk
and even on paper. And like you say they are not really gone. Thanks for
the tip.

On 8/19/22 15:21, Werner Koch wrote:
> On Fri, 19 Aug 2022 14:48, kho said:
>
>> 4. Another approach is that I could for example have created just 3
>> subkeys (not 6) and copied all 3 to smartcard1 and again to smartcard2.
>> I thought that having those subkeys separately is ideal, specially in a
>> occasion were smartcard2 is stolen. Then I revoke the smartcard2 subkeys
> No need to.  Save a paper copy of the keys before you remove them from
> the disk.  If both cards are broken you can still type the keys in and
> create a new smartcard.  Exact procedures depend on your threat model.
>
>
> Salam-Shalom,
>
>Werner
>

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Question about redundant smartcard setup

[Werner Koch via Gnupg-users]

On Fri, 19 Aug 2022 14:48, kho said:

> 4. Another approach is that I could for example have created just 3
> subkeys (not 6) and copied all 3 to smartcard1 and again to smartcard2.
> I thought that having those subkeys separately is ideal, specially in a
> occasion were smartcard2 is stolen. Then I revoke the smartcard2 subkeys

No need to.  Save a paper copy of the keys before you remove them from
the disk.  If both cards are broken you can still type the keys in and
create a new smartcard.  Exact procedures depend on your threat model.


Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Question about redundant smartcard setup

[Andrew Gallagher via Gnupg-users]

On 19 Aug 2022, at 13:48, kho via Gnupg-users  wrote:
> 
> 5. What is at the end the best way to setup 2 smartcards that can be
> used in encryption, signing and decryption? And additionally both
> smartscard should work, I have 2 smartcards for redundancy.

If you want the two smartcards to be redundant copies of each other, then they 
MUST contain exactly the same key material. It is possible to generate multiple 
signing/authentication subkeys that will be treated the same for practical 
purposes, since most software will try each valid sig/auth-capable (sub)key in 
turn during verification. There is no equivalent ability for encryption 
subkeys, as clients will encrypt to only the most recent valid encryption 
subkey. If you lose/break the smartcard with the only copy of an encryption 
subkey then there is no way to recover.

You can save the same key material to multiple smartcards using the gnupg 
command line interface:

1. Run gnupg and follow the usual process for generating (sub)keys, but “save” 
to save and exit before transferring subkeys to the smartcard. This ensures 
that you have a copy on disk before continuing.

2. Run gnupg again and copy the subkey(s) to the card, but afterwards you 
should say “quit” to exit *without* saving (not “save”). That way the subkeys 
will not be deleted from disk and you can use them again.

3. Repeat step 2 for the second (third, fourth,…) smartcard. Only choose “save” 
to save-and-exit after copying to the last smartcard, however be aware that 
“last” in this context really means “last”. No take-backs.

If you have to generate a new subkey for whatever reason (say you had to revoke 
the previous one) you must follow a similar save/quit sequence, remembering the 
order “run, generate, save, run, copy, quit, run, copy, quit, … run, copy, save"

To keep open the possibility of provisioning extra cards in the future, you 
could back up your entire .gnupg directory to a secure offline storage medium 
(such as an encrypted thumb drive) after generating the keys but before 
transferring to smartcard(s). Or you could perform the whole process of 
generating and managing your keys using a secure live system such as Tails with 
an encrypted persistent partition (remembering to “quit” after copying even the 
last time so that there is always a copy on disk). If you do either of these 
you only need one smartcard, so long as you don’t mind waiting for a 
replacement smartcard to arrive in the post if your original breaks.

On any given machine, gnupg will only ask for one smartcard. You should 
therefore consider one smartcard your working copy and one your emergency 
backup (if you have multiple machines, you could assign different primary cards 
to each machine). To force gnupg to ask for the other smartcard, you can delete 
the stub `.key` files under ~/.gnupg/private-keys-v1.d (on Linux/Mac, I forget 
the Windows equivalent). To work out which files to delete, incant `gpg -K 
--with-keygrip` and note the “Keygrip” lines under the three subkeys. Delete 
the corresponding `.key` files only, then plug in the replacement smartcard and 
incant `killall gpg-agent; gpg --card-status` (again Linux/Mac only). gnupg 
should now recognise the replacement card as the primary, and will ask 
consistently for that one until you repeat the process.

A



signature.asc
Description: Message signed with OpenPGP
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Question about redundant smartcard setup

[kho via Gnupg-users]

Hi,

Recently I have been working with GPG and 2 smartcards (Yubikey).
Despite some information here an there on internet, some things are
still not clear to me.

My setup has 1 master key with 6 subkeys, twice 3 keys for different
purposes(A,E,S). So each smartcard will receive 3 keys. It works fine
with Thunderbird and also with other tools: passwordstore (unix pass).

Here some questions about particular situations:

1. In the passwordstore, I encrypted a few passwords, which are in fact
just GPG files that store the passwords. When I want to decrypt them
with the Yubikey, I receive the message: Please insert card with serial
number. But what if I don't have that smartcard2 at hand? And how do I
know that smartcard1 then really works , if it is never asked to insert
smartcard1? I found a way to encrypt with smartcard1 via the option: -r
! . Smartcard1 seems to work fine. But then
the question remains, suppose GPG asks for smartcard2 and smartcard2 is
stolen. I can only provide smartcard1 and GPG asks for smartcard2. What
to do?

2. Then some people suggest to use a different master key, but the goal
was that both smartcards back each other up, in case one is broke. So
that idea is not going to work, correct?

3. Also with different master keys, if I have sent a bunch of e-mails
with smartcard1 and smartcard2. When one of the smartcards is broke , I
will not be able to open those e-mails with the working smartcard?

4. Another approach is that I could for example have created just 3
subkeys (not 6) and copied all 3 to smartcard1 and again to smartcard2.
I thought that having those subkeys separately is ideal, specially in a
occasion were smartcard2 is stolen. Then I revoke the smartcard2 subkeys
and keep on using the smartcard1 until I have ordered a new backup
smartcard. Because some e-mails are sent encrypted (not so many), am I
sure then when I revoke the subkey of smartcard2 that all e-mail will
open with smartcard1?

5. What is at the end the best way to setup 2 smartcards that can be
used in encryption, signing and decryption? And additionally both
smartscard should work, I have 2 smartcards for redundancy.

On internet there are many blogs etc, but they rarely deal with the
complete picture.

Thanks in advance for your help.

All the best!


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: question of verifying signatures

[john doe via Gnupg-users]

On 6/11/2022 4:24 PM, Linus Virtanen via Gnupg-users wrote:

hii try to verify GPG signature of mutiple applications on windows but i
failed.a friend of mine tried and failed. He said that you do not need
verify GPG signature.He says it is waste of time. is it really necessary
to verify GPG signature?if it is necessary, would you tell me why?thank
you.


It is up to you to decide if you want to verify a GPG signature.

To verify a signature it is required to import a public key, look for
instructions on the site from which you downloaded what is to be verified.

--
John Doe

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

question of verifying signatures

[Linus Virtanen via Gnupg-users]

hii try to verify GPG signature of mutiple applications on windows but i 
failed.a friend of mine tried and failed. He said that you do not need verify 
GPG signature.He says it is waste of time. is it really necessary to verify GPG 
signature?if it is necessary, would you tell me why?thank you.___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: question Gnupg

[Gilberto F da Silva via Gnupg-users]

I've never been able to do this through graphical interfaces. I put all public 
keys in a directory and use the command line:
gpg --import *asc

-- 

Stela dato:2.459.716,266  Loka tempo:2022-05-16 15:22:42 Lundo Mageia 8
-==-
Sendu mesaĝojn nur al homoj aŭ retlistoj kiuj vere povas interesiĝi 
pri ili.  Se vi nepre volas sendi al multaj adresoj, metu ilin en la 
kampon bcc por ke  ne komenciĝu amasa respondado al ĉiuj.
   --Retiketo
On Fri, May 13, 2022 at 02:04:51PM +0200, r...@oemail.nl wrote:
>dear GnuPG users,
>
>apologies if I'm asking something that is described in the documentation, but i
>could not find it there.
>Is there a way to sync your public search keys library in Kleopatra across
>multiple PCs? For example by syncing the folder in which the keys are stored?
>If so, which folder do you recommend to sync for this?
>
>Please CC (r...@oemail.nl) me as I am not subscribed to this mailing list.
>thanks,
>Rik
>

>___
>Gnupg-users mailing list
>Gnupg-users@gnupg.org
>https://lists.gnupg.org/mailman/listinfo/gnupg-users



signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Question with Subkeys and Yubikeys

[Brandon Anderson via Gnupg-users]

Hello,
I have a gpg key that was generated on a yubikey with the gpg card 
generate command. I now have a second yubikey, and I would like to 
generate and store a signature and authentication subkey on this second 
yubikey, but I am running into some issues. Ideally, I would like to be 
able to type in `gpg --expert --edit-key KeyID` and then go `addcardkey` 
with the secondary yubikey attached. This starts to work and generates a 
key on the secondary yubikey, but then it will ask me to insert the 
primary yubikey presumably to sign the change; however, even after I 
insert the primary yubikey, GPG does not recognize it, and if I remove 
the secondary yubikey the process is aborted. The other thing I tried 
was to run `generate` on the secondary yubikey so that it would generate 
its key slots and then once again run `gpg --expert --edit-key KeyID`, 
but this time called `addkey` and select option 13 to add an existing 
key hoping that it would just need the primary yubikey to sign off on 
the changes. Still, even after it asks for the pin of the primary 
yubikey, it then asks for the secondary yubikey and runs into the same 
issue. What is the best way to do this where the subkeys are generated 
on the yubikey and then signed by the primary yubikey?
Also, unrelated question, but I could not find much information on this; 
on the Yubico website, it says if you call generate on the smartcard
>When prompted, specify if you want to make an off-card backup of your 
encryption key.
 >Note: This is a shim backup of the private key, not a full backup, 
and cannot be used to restore to a new YubiKey.
What exactly is a shim backup? Is this just the private encryption key 
but nothing else, or does it not actually include any private encryption 
key? Is there a way to generate this key where the encryption key is 
never exposed outside the yubikey?


-- Brandon Anderson


OpenPGP_0x255837AEF812E87E.asc
Description: OpenPGP public key


OpenPGP_signature
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

question Gnupg

[rik]

dear GnuPG users,

apologies if I'm asking something that is described in the documentation,
but i could not find it there.
Is there a way to sync your public search keys library in Kleopatra across
multiple PCs? For example by syncing the folder in which the keys are
stored? If so, which folder do you recommend to sync for this?

Please CC (r...@oemail.nl  ) me as I am not subscribed
to this mailing list.
thanks,
Rik

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Short question regarding config

[Robert J. Hansen via Gnupg-users]

What's the difference between `|--personal-cipher-preferences' and 
`default-preference-list'?|


The former is your preferences for the traffic you generate.  The latter 
is your advertised list of preferences that are affixed to new 
certificates you generate.


E.g.: if you have p-c-p of CAMELLIA256, TWOFISH, AES256, you will use 
Camellia if your recipient supports it, Twofish if your recipient 
supports it but not Camellia, AES256 if your recipient supports it but 
neither Camellia nor Twofish, and if your recipient supports none of 
them you'll use 3DES (which all recipients support).


If your d-p-l reads AES256, CAMELLIA256, TWOFISH, then any new 
certificate you generate will have a note on it telling people "I can 
read traffic encrypted with any of those algorithms."


99% of users will never have any need to use these options.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Short question regarding config

[Horia Mihai David via Gnupg-users]

Hi all,

What's the difference between `|--personal-cipher-preferences' and 
`default-preference-list'?|


|What ends up in the exported keys?
|

|
|

|Thanks!|

|- Mihai
|


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Short question regarding config

[Horia Mihai David via Gnupg-users]

Sorry for the formatting errors.

Regards,
- Mihai



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: question - Gnupg compatibility with Symantec

[Ángel]

On 2021-03-08 at 15:57 +, Call, Margaret wrote:
> Good morning,
>  
> We would like to migrate our Symantec PGP to GNU PGP..  We tested the
> system last week with new PGP users and a user that migrated to GNU
> from Symantec.  We have fixed all bugs except one:
>  
> Our legacy Symantec users (who have not yet transferred over to GNU)
> are unable to decrypt/read GNU PGP emails. 
>  
> We work on a Windows System with Microsoft Office 16..  The version
> of Outlook is: 16.0.11929.20776
>  
> We downloaded Gpg4win from this webpage: gpg4win.org
>  
> Kleopatra version 3.1.15.0
>  
> Thanks for any insight as to why Symantec users are unable to
> decrypt/read the GNU PGP emails.
>  
> Margaret

Welcome Margaret

Which Symantec PGP version are you using? What kind of keys are they
using? Note that what once was Symantec PGP is now part of Broadcom.

I find the problem a bit peculiar, since you shouldn't be having a
problem at this point. Were the keys of the legacy users originally
generated by Symantec PGP? OpenPGP keys describe their capabilities.
Thus, an older version shouldn't be unable to decrypt the content that
was sent by a newer software. It might be unable to verify the
signature, or to reply back, but it should be able to decrypt what was
written to its key.
Or, if the new version had deprecated some algorithm needed by the old
key, I would expect the problem to surface on encryption, not for
decryption.

Similarly, the old version could have issues encrypting to a key using
newer algorithms (or just to import such key, Symantec PGP will
misleadingly claim there is no key when the error is actually that it
unable to import it for being too new for them).

Another possibility would be some error not at actually decrypting the
emails, but at *detecting* that the emails contain PGP data. I actually
find that more likely. Integration with some mail clients is somewhat
fragile, and moreover, certain servers are prone to helpfully "fix"
PGP/MIME messages by corrupting them.

My recommendation is to begin by testing encryption first, and then
moving to encrypted emails. Encrypt on the GnuPG client with the key of
a legacy user, copy that to their machine and have them attempt to
decrypt it. Similarly, try to encrypt a file and send it back. That
shouldn't be an issue either, assuming the GnuPG user had some
conservative options.
If it works by manually exchanging encrypted files, then the problem
lies at the mail layer, although it's a bit hard to guess if it's a
problem with the client sending the encrypted email, with the client
receiving the email and not decryting it, with a mail server changing
the message... or a mix of those.

Kind regards



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: question - Gnupg compatibility with Symantec

[Robert J. Hansen via Gnupg-users]

Our legacy Symantec users (who have not yet transferred over to GNU) are 
unable to decrypt/read GNU PGP emails.


Symantec is unfortunately not keeping current with the latest iterations 
of the OpenPGP specification.  Further, some features of current GnuPG 
keys are not supported by Symantec PGP.


A good way to begin would be to find your gpg.conf file, and add "pgp8" 
as the first line.  This will force GnuPG to use PGP 8 compatibility 
mode, which should be a good lowest common denominator for both platforms.


Hope this helps!

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: question - Gnupg compatibility with Symantec

[vedaal via Gnupg-users]

On 3/9/2021 at 4:46 AM, "Margaret via Gnupg-users Call"  wrote:  

We would like to migrate our Symantec PGP to GNU PGP.  We tested the
system last week with new PGP users and a user that migrated to GNU
from Symantec.  We have fixed all bugs except one: 
Our legacy Symantec users (who have not yet transferred over to GNU)
are unable to decrypt/read GNU PGP emails.   

 =

What type of key, and what encryption algorithm do your Symantec
users have?

What error messages do you get?   ___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

question - Gnupg compatibility with Symantec

[Call, Margaret via Gnupg-users]

Good morning,

We would like to migrate our Symantec PGP to GNU PGP.  We tested the system 
last week with new PGP users and a user that migrated to GNU from Symantec.  We 
have fixed all bugs except one:

Our legacy Symantec users (who have not yet transferred over to GNU) are unable 
to decrypt/read GNU PGP emails.

We work on a Windows System with Microsoft Office 16.  The version of Outlook 
is: 16.0.11929.20776

We downloaded Gpg4win from this webpage: gpg4win.org

Kleopatra version 3.1.15.0

Thanks for any insight as to why Symantec users are unable to decrypt/read the 
GNU PGP emails.

Margaret

[cid:image001.png@01D713FD.BFF224D0]

Margaret M. Call
Program Manager, Government Solutions
Mobile 571.992.5764

dnb.com

[cid:image002.png@01D713FD.BFF224D0][cid:image003.png@01D713FD.BFF224D0][cid:image004.png@01D713FD.BFF224D0][cid:image005.png@01D713FD.BFF224D0]

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: export-filter question or bug

[Werner Koch via Gnupg-users]

On Tue, 23 Feb 2021 13:37, Erich Eckner said:

> What am I doing wrong? Or is there something special about this key?

Nothing.  It is an interesting case.  Let's have a look at key exported
without any options (listing slightly edited):

  $ gpg --show-keys --with-sig-check c.pub 
  pub   rsa4096 2017-06-23 [SC] [expires: 2021-12-31]
2E29129B8C684FE7A959C422714A1770ECE2DF62
  uid  [...] 
  sig 3714A1770ECE2DF62 2021-01-25  [...] 
  uid  [...] 
  sig 3714A1770ECE2DF62 2017-06-23  [...] 
  sub   rsa4096 2017-06-23 [S] [expires: 2021-12-31]
FD45993ACA052203886D618205CDEE5C356A46AD
  sig  714A1770ECE2DF62 2021-01-25  [...] 

What we see is a key with two user ids.  The self-signatures binding the
user ids to the key carry important information, for example the
expiration date. 

If we look close at the self-signatures using --list-packets we see:

  :user ID packet: "[...] "
  :signature packet: algo 1, keyid 714A1770ECE2DF62
  version 4, created 1498203061, md5len 0, sigclass 0x13
  [...]
  hashed subpkt 9 len 4 (key expires after 2y0d0h0m)
  [...]

Adding this expiration value to the key creation time yields 2019-06-17
and thus the key would be expired.

  :user ID packet: "[...] "
  :signature packet: algo 1, keyid 714A1770ECE2DF62
  version 4, created 1611599717, md5len 0, sigclass 0x13
  [...]
  hashed subpkt 9 len 4 (key expires after 4y192d3h29m)
  [...]

Adding this expiration value to the key creation time yields 2021-12-31
and thus the key would be valid.

The actual used key expiration date is the latest one seen in user id
self-signaturres, thus in out case 2021-12-31.

Now if we export just one user id as done by gpg-wks-client

  gpg --no-options -v --batch --status-fd=2 --always-trust --armor \
   --export-options=export-minimal \
   --export-filter 'keep-uid=mbox= buildmas...@archlinux32.org'
   --export -- 2E29129B8C684FE7A959C422714A1770ECE2DF62 

We get a key with the buildmaster@ user id and thus the latest
expiration date is 2019-06-17.  This is because the other user id and
its self-signature has been stripped.

Sure, this could be considered a bug in export-minimal but fixing this
would require to create a new self-signature for the exported user id
which then requires the private key and would even more confuse.
I am not sure how to solve it but it needs to be solved at least for
gpg-wks-client.  See https://dev.gnupg.org/T5323

You may simply want to change the expiration date of the key which, in
contrast to "adduid" updates all self-signatures.


Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: export-filter question or bug

[Erich Eckner via Gnupg-users]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

I wanted to ask for help regarding this wkd-key-installation issue I had, 
once more.


Whichever way I try, I always end up with an expired key being installed 
into wkd, although the key file looks all-right to me:


$ gpg --show-keys --with-wkd-hash $tmp_dir/key
pub   rsa4096 2017-06-23 [SC] [expires: 2021-12-31]
  2E29129B8C684FE7A959C422714A1770ECE2DF62
uid  archlinux32 repository signing key 

 5s69opjiwx4q8z87mmkdaiiyizf5j...@archlinux32.org
uid  buildmaster 
 z4eyw18p7a9p7c9owm78fj93mqkks...@archlinux32.org
sub   rsa4096 2017-06-23 [S] [expires: 2021-12-31]

$ /usr/lib/gnupg/gpg-wks-client -C . --install-key "$tmp_dir/key" 
buildmas...@archlinux32.org
gpg-wks-client: key 2E29129B8C684FE7A959C422714A1770ECE2DF62 published for 
'buildmas...@archlinux32.org'

$ gpg --show-keys archlinux32.org/hu/z4eyw18p7a9p7c9owm78fj93mqkks6q3
pub   rsa4096 2017-06-23 [SC] [expired: 2019-06-23]
  2E29129B8C684FE7A959C422714A1770ECE2DF62
uid  buildmaster 
sub   rsa4096 2017-06-23 [S] [expired: 2021-12-31]


Instead of `gpg-wks-client --install-key`, I also tried `gpg-wks-server 
- --install-key` and `gpg --export --exportfilter keep-uid="uid=buildmaster 
"`.


What am I doing wrong? Or is there something special about this key?

The key can be found here: 
https://archlinux32.org/keys.php?k=2E29129B8C684FE7A959C422714A1770ECE2DF62


regards,
Erich

-BEGIN PGP SIGNATURE-

iQIzBAEBCAAdFiEE3p92iMrPBP64GmxZCu7JB1Xae1oFAmA09xMACgkQCu7JB1Xa
e1oNbQ//aBqnPH6yw+Fp6z1+0q73Xkg0cNgxIXgvxZKV+9imYadIKWyc1CRpVsG9
EuvSff3d5R9oxol6AIRzo3/ny0khm/CYuHr5TAmQlu8byQn4n7YK6J34m5ul9m6J
P3E7ShbmnLTdfGW7nY2jc5V1DdGNo+Rgyb6rughxULW/IeqFFQyyvKUv/XCenlKB
I2J6i/N7GYzdKmjFtei4qggvmAlMfktWeHZ12BysOxyroMnyjLlTCVReBk5mcUqJ
BZkGhiprHlx8bZRQ/ZPYZZ4RJI+KoxkKTrpeasu6fkjdSONFf0I4KiyMA9GzJArq
QX40PYPR7Jb6FrKTm6JqlNvhZqpPkCoNoyP0TVUUPN53TL/we/9rky/KGPcYXcjy
YYXOG26HQlGWIbQIUoqHaztT2Kp17WM90ENRRk3ZYYM06t4bwWPxjxdzBsi8FK/w
b9dvbMACnI3kYmB+hiFCsFUgJPCrGJ1RSpGIU7/PpMKQQFC7agxj5cJz+mEtHaAJ
3qzHtd4xVjaWYURqvAhfgkwBEZlOgzOEn8c5S7gLGfSHo+L5EwpDxkmSWsbOvTwR
/jM2FnZyIfNFnKGUSVKp7iU8nYUswMqOvFLQ1DCSmd8EFpcohdARPY8BTwC3r+T4
tFaPvPTj3fJ1BF1zXchVF/XAFlw0q5S5M5/kT4+zyYp2niyQDpc=
=ud5u
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Generic question: replication/sync between key servers, how long until published?

[michaelof--- via Gnupg-users]

Am 19.02.21 um 13:10 schrieb Andrew Gallagher via Gnupg-users:
> On 19/02/2021 11:06, michaelof--- via Gnupg-users wrote:
>> Hi all,
>>
>> published a revocation cert for a very long used old 1024 bit key plus a 
>> newly created 4096 bit key to http://keys.gnupg.net/. Visible after some 
>> minutes.
>> Now, four days later, both keys are still not visible on e.g. 
>> https://pgp.ocf.berkeley.edu
>>
>> Is this usually taking that long, or is something broken?
> 
> keys.gnupg.net doesn't exist (tested from several locations):
> 
> ```
> Host keys.gnupg.net not found: 3(NXDOMAIN)
> ```
> 
> These days, it's probably safest to publish your key to as many keyservers as 
> you can. If they sync eventually, great. But the sync process is nowhere near 
> as reliable as it used to be, and probably shouldn't be depended upon.
> 
> 

Thanks, Andrew, will follow your suggestion and upload to as many key servers 
as I'll find :)

No idea why you've got the NXDOMAIN answer for keys.gnupg.net, but it seems 
that it been offline today, maybe that's why. Now it's online, again, and you 
are getting DNS feedback:

$ host keys.gnupg.net
keys.gnupg.net is an alias for hkps.pool.sks-keyservers.net.
hkps.pool.sks-keyservers.net has address 209.244.105.201

I've used usually pgp.mit.edu, but it's very slow, currently but for a while 
now. 





___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Generic question: replication/sync between key servers, how long until published?

[Andrew Gallagher via Gnupg-users]

On 19/02/2021 11:06, michaelof--- via Gnupg-users wrote:

Hi all,

published a revocation cert for a very long used old 1024 bit key plus a newly 
created 4096 bit key to http://keys.gnupg.net/. Visible after some minutes.
Now, four days later, both keys are still not visible on e.g. 
https://pgp.ocf.berkeley.edu

Is this usually taking that long, or is something broken?


keys.gnupg.net doesn't exist (tested from several locations):

```
Host keys.gnupg.net not found: 3(NXDOMAIN)
```

These days, it's probably safest to publish your key to as many 
keyservers as you can. If they sync eventually, great. But the sync 
process is nowhere near as reliable as it used to be, and probably 
shouldn't be depended upon.


--
Andrew Gallagher



OpenPGP_signature
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Generic question: replication/sync between key servers, how long until published?

[michaelof--- via Gnupg-users]

Hi all,

published a revocation cert for a very long used old 1024 bit key plus a newly 
created 4096 bit key to http://keys.gnupg.net/. Visible after some minutes. 
Now, four days later, both keys are still not visible on e.g. 
https://pgp.ocf.berkeley.edu

Is this usually taking that long, or is something broken? 

Best Regards,
Michael

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: export-filter question or bug

[Erich Eckner via Gnupg-users]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Fri, 12 Feb 2021, Werner Koch wrote:


On Fri, 12 Feb 2021 11:44, Erich Eckner said:


$GPG --export --export-filter keep-uid="mbox = $mbox" $fpr


gpg-wks-client does something similar but using "uid =" with a
pre-checked UID in an import filter.  It also uses
import-options=import-export to process the keyblock without actually
importing it.


Changing to "uid = ..." filter yields the same result. Same for adding 
"--import-options=import-export". But I'm also confused, why 
- --import-options should be relevant when exporting a key :-/





$GPG --export --export-filter keep-uid="mbox =
buildmas...@archlinux32.org" 2E29129B8C684FE7A959C422714A1770ECE2DF62
| gpg


You should use

 | gpg --show-keys


ok, noted.





pub   rsa4096 2017-06-23 [SC] [expired: 2019-06-23]
   2E29129B8C684FE7A959C422714A1770ECE2DF62
uid   buildmaster 
sub   rsa4096 2017-06-23 [S] [expired: 2021-12-31]

(note the expired pub, thus the whole key is considered expired)


Please try with --show-keys instead of using the default action.


Makes no difference.




This is not usable for wkd for me, because it contains all uids (of
course).


I am curious why you don't use gpg-wks-client for example with
the --install-key command.


Well, for multiple reasons:

First, it's not in $PATH, so I didn't see it, when 'ing ;-)

Now, that I played around with gpg-wks-client, I cannot find a --homedir 
option to set the homedir of the keyring (I do not want to fill the wks's 
user keyring with all the installed keys). Assuming, I have the key in the 
gpg directory in $tmp_dir, what's the best way to get gpg-wks-client to 
read it from there? Only way I found, is exporting into a temporary file:


$GPG --export 2E29129B8C684FE7A959C422714A1770ECE2DF62 > "$tmp_dir/key"
gpg-wks-server --install-key "$tmp_dir/key" buildmas...@archlinux32.org

Interesting thing: This also installes an expired key, while 
"$tmp_dir/key" looks ok:


$ gpg --show-keys < "$tmp_dir/key"
pub   rsa4096 2017-06-23 [SC] [expires: 2021-12-31]
  2E29129B8C684FE7A959C422714A1770ECE2DF62
uid  archlinux32 repository signing key 

uid  buildmaster 
sub   rsa4096 2017-06-23 [S] [expires: 2021-12-31]

$ gpg --show-keys < archlinux32.org/hu/z4eyw18p7a9p7c9owm78fj93mqkks6q3
pub   rsa4096 2017-06-23 [SC] [expired: 2019-06-23]
  2E29129B8C684FE7A959C422714A1770ECE2DF62
uid  buildmaster 
sub   rsa4096 2017-06-23 [S] [expired: 2021-12-31]


Ah, yet another question: The difference between `gpg-wks-client 
- --install-key ...` and `gpg-wks-server --install-key ...` is quite opaque 
to me: With gpg-wks-client, I need to add "-C .", else it tries in 
openpgp/, but besides that, the options and result look rather identical 
to me.





Salam-Shalom,

  Werner


regards,
Erich

-BEGIN PGP SIGNATURE-
Comment: Topal (https://zircon.org.uk/topal/)

iQIzBAEBCAAdFiEE3p92iMrPBP64GmxZCu7JB1Xae1oFAmAnrBoACgkQCu7JB1Xa
e1pPHw/+N6zqijbSYsMZb/e5AHVdq4czvYy9+hoo087XIcr5214rB7BYfoM4lZMy
NivAbrekYm1wHu4JZv420Yybn0wcSDGoQZZOv5LTJ2G8xz/1xBAWObQ5Hk6KJyTa
cY4vzEYKTbhFMha48zLA1zKFzEM3Iqhq2xmziTcHRj8AgyOt8VlpZzdA1YgsOgdo
eGnxY857CNUAJIXxTg6oVdUjr2ISTrkDinf8ZqpI5DncIatMS5dKKko0DBEkdR0m
/kufwkntOR3PmhxkYw2Z+ThTlTEmhnxHHHxyLrVm30gJPDN9b/+ZyD4B5ShswGTm
AtwjVi3nOL6oDfsHjQNq/EcbH/kdd44TLQLRXEzJ48SIAPnOvo3Y8K2diV00CdhC
qdKFpT4Vh1HIdI7hivtqvj46kgN1jn+lUzYldXixldCMaYkFz7ibeoP/KSMscFs7
VtHF0U/Ipbj8fcwxRrSRkOpfgKALpZDO4+NO9j3V29pSPZk7UCvBeduxs4TG3Koa
veC8m1v1QJleh2FdCz8ExSSrQi+py+uOFYt2XAflCG9fQzfLLF/02dQ9MrNxpbHU
zhgp07BzqxNdH/rOV74OqbJ9S5a4aiMmzHwRWuEZafBDitWcsSw69J7K6kCrmpiV
+zVTCDozeKstpb411cQhpiwSjyTOOKOtFjB/ThhpmLiQ+ljuhP4=
=pSy7
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: export-filter question or bug

[Werner Koch via Gnupg-users]

On Fri, 12 Feb 2021 11:44, Erich Eckner said:

> $GPG --export --export-filter keep-uid="mbox = $mbox" $fpr

gpg-wks-client does something similar but using "uid =" with a
pre-checked UID in an import filter.  It also uses
import-options=import-export to process the keyblock without actually
importing it.

> $GPG --export --export-filter keep-uid="mbox =
> buildmas...@archlinux32.org" 2E29129B8C684FE7A959C422714A1770ECE2DF62
> | gpg

You should use

  | gpg --show-keys


> pub   rsa4096 2017-06-23 [SC] [expired: 2019-06-23]
>2E29129B8C684FE7A959C422714A1770ECE2DF62
> uid   buildmaster 
> sub   rsa4096 2017-06-23 [S] [expired: 2021-12-31]
>
> (note the expired pub, thus the whole key is considered expired)

Please try with --show-keys instead of using the default action.

> This is not usable for wkd for me, because it contains all uids (of
> course).

I am curious why you don't use gpg-wks-client for example with
the --install-key command.


Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

export-filter question or bug

[Erich Eckner via Gnupg-users]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

I'm using the following command to export keys for wkd:

$GPG --export --export-filter keep-uid="mbox = $mbox" $fpr

However, this creates funny results for the key for 
buildmas...@archlinux32.org which is downloadable here: 
https://archlinux32.org/keys.php?k=2E29129B8C684FE7A959C422714A1770ECE2DF62


Is my filtering wrong or is this some bug in gpg?

To reproduce the issue, run:

tmp_dir=$(mktemp -d)
GPG='gpg --homedir '"$tmp_dir"
curl 
'https://archlinux32.org/keys.php?k=2E29129B8C684FE7A959C422714A1770ECE2DF62' | 
$GPG --import
$GPG --export --export-filter keep-uid="mbox = buildmas...@archlinux32.org" 
2E29129B8C684FE7A959C422714A1770ECE2DF62 | gpg

this gives:

pub   rsa4096 2017-06-23 [SC] [expired: 2019-06-23]
  2E29129B8C684FE7A959C422714A1770ECE2DF62
uid   buildmaster 
sub   rsa4096 2017-06-23 [S] [expired: 2021-12-31]

(note the expired pub, thus the whole key is considered expired)

However, skipping the --export-filter:

$GPG --export 2E29129B8C684FE7A959C422714A1770ECE2DF62 | gpg

gives the correct expiration:

pub   rsa4096 2017-06-23 [SC] [expires: 2021-12-31]
  2E29129B8C684FE7A959C422714A1770ECE2DF62
uid   buildmaster 
uid   archlinux32 repository signing key 
sub   rsa4096 2017-06-23 [S] [expires: 2021-12-31]

This is not usable for wkd for me, because it contains all uids (of 
course).


Thanks in advance,
Erich

-BEGIN PGP SIGNATURE-

iQIzBAEBCAAdFiEE3p92iMrPBP64GmxZCu7JB1Xae1oFAmAmXBMACgkQCu7JB1Xa
e1rL3Q/8Doo2VqaXgZgJAPw3xK0CvF8VQc8GLW4krEDTQH6Wu70e7nYGxFeJyLgt
pqmloRZHDbGBfAh35qIfO1eQZgoe9eyVQyriJcqG/BrW5H9Qk20KGUHhHD1yjupZ
+8WAQXzbmapiZz5COBkp1AQlOXgjKWMMTWMPt1DyaOaUKvw6LfpU78nML7wY6rF5
r7VX5jwrEDQmdyuPrumCotuZZpNOPgdAtURO9YHGh9sbOSsuIh4jvxWPyLOiFLRO
M9wmyVhDt7sDQzoyzKew5LJGqsXaJ+SaAbQszNnS5NYMWeoeZk9nJGKgUosWFhwi
RWe9ADVo9JTJcivGT/u/DGIlUtYhIdCO3z87sNvON6o4Uh9twAJk+okR/X7EYcRu
ZcVWp/HFqwqBGDKtnxw8TCvLFEHPmnnklaXBwZW0k1TQw1HbmdQoe5vHsJJoIx0s
CGMD2/5NxDWZtRPs/hJMnERgX7n15VJgMVDPSMSeGGQUIibrmEO3Pggyy2xNmVeo
x0Bhobi+zsUKluC78Jv/GHkSc1jJa0ioXQIU2Kf2/zfm9148NFtE3bWOiz/sqC19
n+SItHRN/qs4J8obNNX2T9pXbnOXQ9wAmA5rYxG/3lKyq0rCKfXAXlOFSXksabDG
PI10H2boPeMLu+HlnRtuAOq5an70flwuvXlDWg3Ux8NY3vJ4eu0=
=dzM2
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

RE: Question about key verification with GnuPG 2.2.25

[gnupgpacker]

Hello,
the --verbose options gave me some more unusual information:

gpg: Schlüssel 22EEE0488086...F: Ungültige Eigenbeglaubigung für User-ID "[jpeg 
image of size 7915]"
gpg: Schlüssel 22EEE0488086...F/CE7911B7FC04...F: Ungültige 
Unterschlüssel-Anbindung
gpg: key 41E7044E1DBA...9: number of dropped non-self-signatures: 60
gpg: Schlüssel 4E2C6E879329...0/7017ADCEF65C...6: Mehrfache 
Unterschlüssel-Anbindung entfernt
gpg: Im Unterpaket des Typs 28 ist das "critical bit" gesetzt
gpg: compacting user ID "" on key 2BAE3CF6DAFF...0: ungültig

Which error causes following warnings:
gpg: signature packet: hashed data too long
gpg: read_block: read error: Ungültiges Paket

Thanks once more, best regards, Chris


> As usual add --verose to the gpg invocation.  This might give some more
> information.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Question about key verification with GnuPG 2.2.25

[Werner Koch via Gnupg-users]

On Sun,  6 Dec 2020 12:12, gnupgpacker said:

> How to identify / correct affected keys?

As usual add --verose to the gpg invocation.  This might give some more
information.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Question about key verification with GnuPG 2.2.25

[gnupgpacker]

Hello,
my attempt to verify all keys with GnuPG-2.2.25 shows this response:

$ gpg --refresh-keys
gpg: 59 Schlüssel werden per hkps://hkps.pool.sks-keyservers.net aktualisiert
gpg: ...
gpg: signature packet: hashed data too long
gpg: read_block: read error: Ungültiges Paket
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 27
gpg: unverändert: 27

In gpg.conf option
charset utf-8
is set only.
GnuPG-2.2.25 has been installed as part of Gpg4win-3.1.14.

How to further explore the shown errors:
gpg: signature packet: hashed data too long
gpg: read_block: read error: Ungültiges Paket

How to identify / correct affected keys?

Thanks and best regards,
Chris


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: A question about the status of the keyserver structure

[Stefan Claas via Gnupg-users]

Hi,

attached is the (hopefully proper) key.

Regards
Stefan

On Tue, Nov 3, 2020 at 10:44 PM Stakanov via Gnupg-users
 wrote:
>
> I hope this is the correct list for this question:
>
>
>
> I tried to follow the instructions of
>
> https://www.mageia.org/it/downloads/get/?q=Mageia-7.1-x86_64.iso
>
> were it says you can import the key to verify the iso.
>
> But kleopatra stays without reaction (no matter how many pools I join) and
>
> entropia@roadrunner:~> gpg --keyserver pool.sks-keyservers.net --recv-keys 
> EDCA7A90
> gpg: using character set 'utf-8'
> gpg: ricezione dal keyserver fallita: Connessione rifiutata
>
> which is: reception of keyserver failed: connection refused.
>
>
>
> Now I remember time ago there was an issue of keyservers abused and the 
> structure was halted.
>
>
>
> What is the current status and how can one download a signature as of today? 
> Manually or with a "keyserverpage" on https or how does it work now?
>
> Thank you in advance.
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users


mageia.asc
Description: Binary data
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

A question about the status of the keyserver structure

[Stakanov via Gnupg-users]

I hope this is the correct list for this question:

I tried to follow the instructions of 
https://www.mageia.org/it/downloads/get/?q=Mageia-7.1-x86_64.iso[1] 
were it says you can import the key to verify the iso.
But kleopatra stays without reaction (no matter how many pools I join) and 
entropia@roadrunner:~> gpg --keyserver pool.sks-keyservers.net --recv-keys 
EDCA7A90 


Now I remember time ago there was an issue of keyservers abused and the 
structure 
was halted. 

What is the current status and how can one download a signature as of today? 
Manually or with a "keyserverpage" on https or how does it work now?
Thank you in advance. 


[1] https://www.mageia.org/it/downloads/get/?q=Mageia-7.1-x86_64.iso
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WKD question

[Bernhard Reiter]

Am Dienstag 04 August 2020 18:17:56 schrieb Dmitry Alexandrov:
> it would be nice, if GPG were not interpreting locating an
> expired key as success, but continued with the next method instead:

This is related to 
  https://dev.gnupg.org/T5028
  (gpg --locate-key should refetch via wkd, if configured and no good pubkey 
found)

Bernhard

-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner


signature.asc
Description: This is a digitally signed message part.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WKD question

[Dmitry Alexandrov]

Werner Koch via Gnupg-users  wrote:
> On Sun,  2 Aug 2020 07:38, Dmitry Alexandrov said:
>> I dunno why @w...@gnupg.org did that
>
> I have a post-it on my CA laptop to add a signing subkey to my new key, I 
> should really do that soon.

Maybe, you would like to update an expired key in DNS as well?

By the way, it would be nice, if GPG were not interpreting locating an expired 
key as success, but continued with the next method instead:

$$ gpg --auto-key-locate dane,wkd --locate-key w...@gnupg.org
gpg: key F2AD85AC1E42B367: public key "Werner Koch " 
imported
gpg: Total number processed: 1
gpg:   imported: 1
pub   dsa2048 2007-12-31 [SC] [expired: 2018-12-31]
  80615870F5BAD690333686D0F2AD85AC1E42B367
uid   [ expired] Werner Koch 


>> BTW, does anyone remember, how to command gpg(1) to print the above in a 
>> human-readable format?  There was some incantation, IIRC, but GPGʼs
>
>   gpg --locate-external-key -v f...@example.rog
>
> looks up f...@example.org even if a key with that user id already exists.

No, thanks, thatʼs not what I forgot, I was nonplussed by the fact, that 
--with-subkey-fingerprint has no any effect when --show-key is implied, while 
--with-colons has [].

@kloec...@kde.org had resolved [<1803396.a0EWGg1j7a@breq>] my confusion already.


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WKD question

[Werner Koch via Gnupg-users]

On Sun,  2 Aug 2020 07:38, Dmitry Alexandrov said:

> I dunno why @w...@gnupg.org did that, but whatever his reasons were, the
> fact that he was _able_ to do that, is exactly the key reason why

I have a post-it on my CA laptop to add a signing subkey to my new key,
I should really do that soon.

Because ed25519 was not in widespread use when I created the key in 2018
I decided to use it only for encryption for some time and add a signing
key later.

> BTW, does anyone remember, how to command gpg(1) to print the above in
> a human-readable format?  There was some incantation, IIRC, but GPGʼs

  gpg --locate-external-key -v f...@example.rog

looks up f...@example.org even if a key with that user id already exists.
It then imports the key and lists it with all existing user ids.  The
-v is there to get information on how f...@example.org was retrieved. 


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WKD question

[Dmitry Alexandrov]

Ingo Klöcker  wrote:
> On Sonntag, 2. August 2020 06:38:21 CEST Dmitry Alexandrov wrote:
>>
>>  $ wget -qO - "$(/usr/lib/gnupg/gpg-wks-client --print-wkd-url 
>> w...@gnupg.org)" | gpg --with-colons
>>  gpg: WARNING: no command supplied.  Trying to guess what you mean ...
>>  pub:-:256:22:63113AE866587D0A:1538149415:1801393200::-:
>>  uid:w...@gnupg.org:
>>  sub:-:256:18:3CD7B3A055039224:1538149415:1643626805:::
>
>> BTW, does anyone remember, how to command gpg(1) to print the above in a 
>> human-readable format?  There was some incantation, IIRC, but GPGʼs options 
>> are so tangled, that I have failed to find it.
>
> Do you mean "gpg --show-key" resp. "gpg --show-key --with-subkey-fingerprint"?

Yes, exactly.  Indeed, in contrast with --with-colons, 
--with-subkey-fingerprint alone does nothing:

$ wget -qO - ‹…› | gpg
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   ed25519 2018-09-28 [SC] [expires: 2027-01-31]
  AEA84EDCF01AD86C4701C85C63113AE866587D0A
uid   w...@gnupg.org
sub   cv25519 2018-09-28 [E] [expires: 2022-01-31]

$ wget -qO - ‹…› | gpg --with-subkey-fingerprint
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   ed25519 2018-09-28 [SC] [expires: 2027-01-31]
  AEA84EDCF01AD86C4701C85C63113AE866587D0A
uid   w...@gnupg.org
sub   cv25519 2018-09-28 [E] [expires: 2022-01-31]

$ wget -qO - ‹…› | gpg --show-key --with-subkey-fingerprint
pub   ed25519 2018-09-28 [SC] [expires: 2027-01-31]
  AEA84EDCF01AD86C4701C85C63113AE866587D0A
uid  w...@gnupg.org
sub   cv25519 2018-09-28 [E] [expires: 2022-01-31]
  E05BA20ED4F17768613B03C53CD7B3A055039224

Thank you.


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WKD question

[Stefan Claas]

Dmitry Alexandrov wrote:
 
> Stefan Claas  wrote:
> > One more question, I tried to verify Werner's signature, from postings here 
> > on the ML, but his signature could not be
> > verified, due to a missing pub key (0xFF80AE9D1DEC358D). But when looking 
> > at Wiktor's WKD checker a key is present, but
> > with a different Fingerprint.
> >
> > https://metacode.biz/openpgp/web-key-directory
> 
> Well, thatʼs seems to be true:
> 
>   $ wget -qO - "$(/usr/lib/gnupg/gpg-wks-client --print-wkd-url 
> w...@gnupg.org)" | gpg --with-colons
>   gpg: WARNING: no command supplied.  Trying to guess what you mean ...
>   pub:-:256:22:63113AE866587D0A:1538149415:1801393200::-:
>   uid:w...@gnupg.org:
>   sub:-:256:18:3CD7B3A055039224:1538149415:1643626805:::
> 
> I dunno why @w...@gnupg.org did that, but whatever his reasons were, the fact 
> that he was _able_ to do that, is exactly the key
> reason why proper (write-only) keyserver networks (SKS- or Hockeypuck-based) 
> are indispensable.

Hopefully he can tell us.

> Use them, not WKD or proprietary keyserver services, when you want to get a 
> key by a given fingerprint.  In other words, when
> enabling --auto-key-retrieve, make sure that --keyserver is set to something 
> like hkps://keyserver.ubuntu.com.  IIUC, there
> is, unfortunately, still no way to configure multiple keyservers for 
> retrieval (contrary to locating).

I have as key server keys.openpgp.org in my config, besides WKD and when I 
switched it to the Ubuntu key server Claws-Mail said
key for verification of this signature not available.

Regards
Stefan

-- 
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WKD question

[Ingo Klöcker]

On Sonntag, 2. August 2020 06:38:21 CEST Dmitry Alexandrov wrote:
>   $ wget -qO - "$(/usr/lib/gnupg/gpg-wks-client --print-wkd-url
> w...@gnupg.org)" | gpg --with-colons gpg: WARNING: no command supplied. 
> Trying to guess what you mean ...
> pub:-:256:22:63113AE866587D0A:1538149415:1801393200::-:
>   uid:w...@gnupg.org:
>   sub:-:256:18:3CD7B3A055039224:1538149415:1643626805:::
> 
[snip]
> 
> BTW, does anyone remember, how to command gpg(1) to print the above in a
> human-readable format?  There was some incantation, IIRC, but GPGʼs options
> are so tangled, that I have failed to find it.

Do you mean "gpg --show-key" resp. "gpg --show-key --with-subkey-fingerprint"?

Regards,
Ingo


signature.asc
Description: This is a digitally signed message part.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WKD question

[Dmitry Alexandrov]

Stefan Claas  wrote:
> One more question, I tried to verify Werner's signature, from postings here 
> on the ML, but his signature could not be verified, due to a missing pub key 
> (0xFF80AE9D1DEC358D). But when looking at Wiktor's WKD checker a key is 
> present, but with a different Fingerprint.
>
> https://metacode.biz/openpgp/web-key-directory

Well, thatʼs seems to be true:

$ wget -qO - "$(/usr/lib/gnupg/gpg-wks-client --print-wkd-url 
w...@gnupg.org)" | gpg --with-colons
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub:-:256:22:63113AE866587D0A:1538149415:1801393200::-:
uid:w...@gnupg.org:
sub:-:256:18:3CD7B3A055039224:1538149415:1643626805:::

I dunno why @w...@gnupg.org did that, but whatever his reasons were, the fact 
that he was _able_ to do that, is exactly the key reason why proper 
(write-only) keyserver networks (SKS- or Hockeypuck-based) are indispensable.

Use them, not WKD or proprietary keyserver services, when you want to get a key 
by a given fingerprint.  In other words, when enabling --auto-key-retrieve, 
make sure that --keyserver is set to something like 
hkps://keyserver.ubuntu.com.  IIUC, there is, unfortunately, still no way to 
configure multiple keyservers for retrieval (contrary to locating).


BTW, does anyone remember, how to command gpg(1) to print the above in a 
human-readable format?  There was some incantation, IIRC, but GPGʼs options are 
so tangled, that I have failed to find it.


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WKD question

[Stefan Claas]

Stefan Claas wrote:
 
> Damien Goutte-Gattat wrote:
>  
> > On Mon, Jul 27, 2020 at 10:00:07PM +0200, Stefan Claas wrote:
> > >For testing my new Nitrokey I have just install Enigmail for
> > >Thunderbird on a fresh Ubuntu system and when clicking on
> > >a signed message from a friend, which has properly set-up
> > >WKD Thunderbird/Enigmail can not fetch the pub key. :-(
> > 
> > Unless I missed something, I believe Enigmail will only attempt to 
> > automatically fetch a key from a Web Key Directory when *composing* a 
> > message (if there’s no key for the recipient in the local keyring), and 
> > *not* when checking a signature on a received message.
> > 
> > See that excerpt from Enigmail 2.0 changelog [1]:
> > 
> > > Support for Web Key Directory (WKD) is implemented. Enigmail will try 
> > > to download unavailable keys during message composition from WKD.
> 
> Ah, ok, thanks. I thought it will fetch also automatically when checking
> signatures.
> 
> > You can force GnuPG to try to fetch a missing key when verifying a 
> > signature by enabling the --auto-key-retrieve option (please read the 
> > note about the “web bug” in gpg’s man page before doing so—that option 
> > is disabled by default for a reason.)
> 
> I enabled it now and it works. :-)

One more question, I tried to verify Werner's signature, from postings here
on the ML, but his signature could not be verified, due to a missing pub key
(0xFF80AE9D1DEC358D). But when looking at Wiktor's WKD checker a key is present,
but with a different Fingerprint.

https://metacode.biz/openpgp/web-key-directory

Regards
Stefan

-- 
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion


pgpN3s02APPsM.pgp
Description: Digitale Signatur von OpenPGP
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Newbie question.

[Ralph Seichter via Gnupg-users]

* Johan Wevers:

> Do you have examples of this for security related subjects?

I try not to rely on Wikipedia, in particular when searching for
sensitive subjects. Besides, if that was unclear, I mentioned Wikipedia
as a general example of the good concept of a Wiki colliding with
humanity, not for any particular subject matter. Too many cooks, and
some without training or taste buds.

Used to be that compiling an encyclopedia took a huge number of
competent researchers and authors. No wonder the things were so damn
expensive.

-Ralph

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Newbie question.

[Johan Wevers]

On 28-07-2020 14:42, Ralph Seichter via Gnupg-users wrote:

> confused with facts. The amount of BS that can be found on Wikipedia is
> case in point.

Do you have examples of this for security related subjects? I know there
are issues with politically sensitive subjects but that has usually
other reasons.

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Newbie question.

[Ralph Seichter via Gnupg-users]

* Ayoub Misherghi via Gnupg-users:

> How about collective and cooperative effort in a wiki, or cloud
> funding pledges or donations? Those who contribute (money or effort)
> get privilege of some kind.

>From what I observed over the years, a majority of Wikis only really
work within closely knit groups of people where contributions are
limited to a select few who genuinely know what they are writing about.

I do not want amateurs, be it well-meaning or malicious, write about
security related subjects in a Wiki, because that might (in the eyes of
casual visitors and search-engines) cause their scribblings to be
confused with facts. The amount of BS that can be found on Wikipedia is
case in point.

A Wiki about encryption with write access limited to people who
demonstrably understand the math sounds like a good thing to me, but a
"Community Wiki" does not. Community usually (and sadly) means too many
loud-mouthed, attention-seeking bozos.

-Ralph

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WKD question

[Damien Goutte-Gattat via Gnupg-users]

On Mon, Jul 27, 2020 at 10:00:07PM +0200, Stefan Claas wrote:

For testing my new Nitrokey I have just install Enigmail for
Thunderbird on a fresh Ubuntu system and when clicking on
a signed message from a friend, which has properly set-up
WKD Thunderbird/Enigmail can not fetch the pub key. :-(


Unless I missed something, I believe Enigmail will only attempt to 
automatically fetch a key from a Web Key Directory when *composing* a 
message (if there’s no key for the recipient in the local keyring), and 
*not* when checking a signature on a received message.


See that excerpt from Enigmail 2.0 changelog [1]:

Support for Web Key Directory (WKD) is implemented. Enigmail will try 
to download unavailable keys during message composition from WKD.



You can force GnuPG to try to fetch a missing key when verifying a 
signature by enabling the --auto-key-retrieve option (please read the 
note about the “web bug” in gpg’s man page before doing so—that option 
is disabled by default for a reason.)



Regards,

- Damien


[1] https://enigmail.net/index.php/en/download/changelog


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WKD question

[Stefan Claas]

Damien Goutte-Gattat wrote:
 
> On Mon, Jul 27, 2020 at 10:00:07PM +0200, Stefan Claas wrote:
> >For testing my new Nitrokey I have just install Enigmail for
> >Thunderbird on a fresh Ubuntu system and when clicking on
> >a signed message from a friend, which has properly set-up
> >WKD Thunderbird/Enigmail can not fetch the pub key. :-(
> 
> Unless I missed something, I believe Enigmail will only attempt to 
> automatically fetch a key from a Web Key Directory when *composing* a 
> message (if there’s no key for the recipient in the local keyring), and 
> *not* when checking a signature on a received message.
> 
> See that excerpt from Enigmail 2.0 changelog [1]:
> 
> > Support for Web Key Directory (WKD) is implemented. Enigmail will try 
> > to download unavailable keys during message composition from WKD.

Ah, ok, thanks. I thought it will fetch also automatically when checking
signatures.

> You can force GnuPG to try to fetch a missing key when verifying a 
> signature by enabling the --auto-key-retrieve option (please read the 
> note about the “web bug” in gpg’s man page before doing so—that option 
> is disabled by default for a reason.)

I enabled it now and it works. :-)

Regards
Stefan

-- 
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WKD question

[Stefan Claas]

Dmitry Alexandrov wrote:
 
> Stefan Claas  wrote:
> > Enigmail for Thunderbird on a fresh Ubuntu system
> > when clicking on a signed message from a friend, which has properly set-up 
> > WKD Thunderbird/Enigmail can not fetch the pub
> > key. :-(
> 
> Unfortunately, ‘can not’ is not very informative description.  Does it return 
> any error?  How do you know that even tries?

Sorry, for the bad description. When having a signed message in Enigmail
and you do not have the pub key in your key ring it shows a yellow bar and
ask if you like to decrypt the message. When clicking on the decrypt button
it searches key servers and not WKD.

> > What have I to do that this works? I thought that GnuPG and Enigmail 
> > nowadays defaults to WKD too.
> 
> You mean, that you expect, that GPG should silently fetch absent keys when 
> checking signatures out of a box?  No, it does not
> do that:

[...]

Thanks, with auto-key-retrieve and auto-key-locate WKD etc. it works when
clicking on the decrypt button in Enigmail or the lock button in Claws-Mail

Regards
Stefan

-- 
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WKD question

[Dmitry Alexandrov]

Stefan Claas  wrote:
> Enigmail for Thunderbird on a fresh Ubuntu system
> when clicking on a signed message from a friend, which has properly set-up 
> WKD Thunderbird/Enigmail can not fetch the pub key. :-(

Unfortunately, ‘can not’ is not very informative description.  Does it return 
any error?  How do you know that even tries?

> What have I to do that this works? I thought that GnuPG and Enigmail nowadays 
> defaults to WKD too.

You mean, that you expect, that GPG should silently fetch absent keys when 
checking signatures out of a box?  No, it does not do that:

| '--auto-key-retrieve'
| '--no-auto-key-retrieve'
|  These options enable or disable the automatic retrieving of keys
|  from a keyserver when verifying signatures made by keys that are
|  not on the local keyring.  The default is '--no-auto-key-retrieve'.
|
|  If the method "wkd" is included in the list of methods given to
|  'auto-key-locate', the signer's user ID is part of the signature,
|  and the option '--disable-signer-uid' is not used, the "wkd" method
|  may also be used to retrieve a key.
|
|  Note that this option makes a "web bug" like behavior possible.
|  Keyserver or Web Key Directory operators can see which keys you
|  request, so by sending you a message signed by a brand new key
|  (which you naturally will not have on your local keyring), the
|  operator can tell both your IP address and the time when you
|  verified the signature.
— (info "(gnupg) GPG Configuration Options")


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

WKD question

[Stefan Claas]

Hi all,

I must admit I am a bit out of the loop when it comes to GnuPG
configuration.

For testing my new Nitrokey I have just install Enigmail for
Thunderbird on a fresh Ubuntu system and when clicking on
a signed message from a friend, which has properly set-up
WKD Thunderbird/Enigmail can not fetch the pub key. :-(

I tried also under Windows, with gpg4win and also no luck.

What have I to do that this works? I thought that GnuPG
and Enigmail nowadays defaults to WKD too.

Regards
Stefan

-- 
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Newbie question.

[Ayoub Misherghi via Gnupg-users]

Sorry for seeming to be "spreading unjustified accusations". What I said 
was meant to encourage that sort of "benign tyranny", I was not 
complaining; or at least that was not my intention.



Thank you for explaining how the list works.


Ayoub


On 7/27/2020 2:08 AM, Werner Koch wrote:

On Sun, 26 Jul 2020 12:59, Ayoub Misherghi said:


The moderators on this list (I do not know who they are) have been
tyrannical excluding some of my posts; I am not bitter or resentful. I

This mailing list is not moderated and thus your post are not excluded
by any moderated.  The only automatic rejection we have are for too long
posts.  In some very rare cases we set the moderation flag for a
specific user but that is announced on the list.  I just checked that
it is not the case for you.

What our helpful moderators are mainly doing is to allow posts from
non-subscribers.

Please calm down and don't spread unjustified accusations.


Salam-Shalom,

Werner



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: question regarding using gpg to verify a file from a .sign file

[Werner Koch via Gnupg-users]

On Fri, 24 Jul 2020 19:30, Semih Ozlem said:

> when I run the command
>
> gpg --verify SHAxSUM.sign SHAxSUM
>
> I get the following message
>
> gpgv: unknown type of key resource 'trustedkeys.kbx'

As you can see by the error message ("gpgv:...") you invoked the gpgv
tool and not the gpg tool as you showed above. 


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Newbie question.

[Werner Koch via Gnupg-users]

On Sun, 26 Jul 2020 12:59, Ayoub Misherghi said:

> The moderators on this list (I do not know who they are) have been
> tyrannical excluding some of my posts; I am not bitter or resentful. I

This mailing list is not moderated and thus your post are not excluded
by any moderated.  The only automatic rejection we have are for too long
posts.  In some very rare cases we set the moderation flag for a
specific user but that is announced on the list.  I just checked that
it is not the case for you.

What our helpful moderators are mainly doing is to allow posts from
non-subscribers.

Please calm down and don't spread unjustified accusations.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

question regarding using gpg to verify a file from a .sign file

[Semih Ozlem via Gnupg-users]

Hi

I am trying to follow the directions on the page
https://www.debian.org/CD/verify
for verifying authenticity of CDs (meaning the iso files downloaded from
debian's page). The page has iso files then SHAxSUM files and SHAxSUM.sign
files.

I have already run sha512sum command to verify the iso file. But I am
having difficulty in the next step... which is

" To ensure that the checksums files themselves are correct, use GnuPG to
verify them against the accompanying signature files (e.g. SHA512SUMS.sign).
The keys used for these signatures are all in the Debian GPG keyring
 and the best way to check them is to use that
keyring to validate via the web of trust. To make life easier for users,
here are the fingerprints for the keys that have been used for releases in
recent years:"

quoted from the page https://www.debian.org/CD/verify

when I run the command

gpg --verify SHAxSUM.sign SHAxSUM

I get the following message

gpgv: unknown type of key resource 'trustedkeys.kbx'
gpgv: keyblock resource '/home/user/.gnupg/trustedkeys.kbx': General error
gpgv: Signature made Sun 10 May 2020 03:17:55 AM +03
gpgv:using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpgv: Can't check signature: No public key

How should I proceed to check signature.

Thank you in advance for your help
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Newbie question.

[Ayoub Misherghi via Gnupg-users]

I understand it can be frustrating, especially if nobody has a deciding 
vote or Vito power or moderator power. Someone should have have veto 
power and anybody with other ideas can always fork and do his own thing. 
That way it may probably work. A tyrant can stay on course and others 
fork and be their own tyrant and are free to produce something better.



The moderators on this list (I do not know who they are) have been 
tyrannical excluding some of my posts; I am not bitter or resentful. I 
have to live up to standard and my posts have to be kind and gentle so 
as not to burden those trying to help me for free; and amenable to 
support by helping whoever is helping me. If there was no tyrant I could 
have caused nuisance. Documentation needs a tyrant too.



On 7/26/2020 12:01 PM, Robert J. Hansen wrote:

How about collective and cooperative effort in a wiki, or cloud funding
pledges or donations? Those who contribute (money or effort) get
privilege of some kind.

I am very pessimistic about the idea of collective effort.  What
experience has taught me from working on the FAQ is that a small number
of people with extreme ideas speak up the loudest, and the vast majority
of users who are calm and reasonable speak up barely at all.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Newbie question.

[Robert J. Hansen]

> How about collective and cooperative effort in a wiki, or cloud funding
> pledges or donations? Those who contribute (money or effort) get
> privilege of some kind.

I am very pessimistic about the idea of collective effort.  What
experience has taught me from working on the FAQ is that a small number
of people with extreme ideas speak up the loudest, and the vast majority
of users who are calm and reasonable speak up barely at all.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Newbie question.

[Ayoub Misherghi via Gnupg-users]

How about collective and cooperative effort in a wiki, or cloud funding 
pledges or donations? Those who contribute (money or effort) get 
privilege of some kind.



On 7/26/2020 2:48 AM, Peter Lebbing wrote:

On 12/07/2020 20:01, Ayoub Misherghi wrote:

Can you please suggest some good tutorial and reference material
preferably free (probably mutually exclusive requirements) that will
bring me up to your level or close to it please.

No, I think the available documentation is lacking in quality. And
on the other hand there's a lot of bad advice on websites. It's an
unfortunate situation, but few people enjoy writing good documentation.
It is a very laborious process.

Sorry I can't be of better assistance.

Peter.



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Newbie question.

[Peter Lebbing]

On 12/07/2020 20:01, Ayoub Misherghi wrote:
> Can you please suggest some good tutorial and reference material
> preferably free (probably mutually exclusive requirements) that will
> bring me up to your level or close to it please.

No, I think the available documentation is lacking in quality. And
on the other hand there's a lot of bad advice on websites. It's an
unfortunate situation, but few people enjoy writing good documentation.
It is a very laborious process.

Sorry I can't be of better assistance.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Newbie question.

[Ayoub Misherghi via Gnupg-users]

  
  

It is working now. The problem was in gpg-agent.conf that I
  forgot about. I did not do a re-install. 

I learned from this list. Thanks.
  


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Newbie question.

[Ayoub Misherghi via Gnupg-users]

  
  


Sorry for splitting Peter and Philihp  into two threads. 



I have probably put my gpg environment/program in a state it
  cannot come out of. I want to do what cowards do. I want to
  uninstall gpg and start all over again, escaping from the mess I
  put my self into somehow. With the advice you gave me I should do
  better next the time, and hopefully  stay out of trouble. 



I have not given anybody any of the IDs yet. And besides, the
  intended application is non interactive and also does not
  communicate anything. It hides everything and itself from ever
  body and ever thing, let alone the keys (or at least that is the
  intention if a manage to keep me out of trouble. I am a ASIC
  hardware guy venturing to do what I should not; obviously.)



How do I ensure I uninstall without leaving any history or state
  that could affect a new install please? Sorry for the head ache I
  am giving you. If I manage to make money and not go bankrupt I
  will remember my friends.




On 7/12/2020 11:01 AM, Ayoub Misherghi
  wrote:


  
  Thanks. This exposes to me how little I know and it will take me
  time to absorb it. None of this information is in anything I read.
  Nothing comes close. I will not come to grips with it with the
  kind of reading material I have. Can you please suggest some good
  tutorial and reference material preferably free (probably mutually
  exclusive requirements) that will bring me up to your level or
  close to it please.
  
  
  
  The material I come across is just like silly preschool stuff with
  1/4 truth which keeps you ill informed and miss informed and
  throws you off track. They over simplify and drain education out
  of you making you zombie.
  
  
  
  Thanks,
  
  
  
  Ayoub
  
  
  
  On 7/12/2020 9:15 AM, Peter Lebbing wrote:
  
  On 12/07/2020 17:45, Ayoub Misherghi
wrote:

Sorry for going off list and messing
  everybody up. Now I disserve
  
  punishment.
  

Heh :-). It's just that if I reply off-list, it only helps you,
but if

it is on-list, other people can find it in a search engine when
they're

facing something similar.


On 11/07/2020 21:07, Ayoub Misherghi wrote:

My current intended usage is in
  non-interactive mode, completely.
  
  I can remove them from the gpg.conf but I would have to issue
  them
  
  every time. My understanding is that non-interactive mode
  requires
  
  those commands.
  

Well, in that case, you should supply --no-batch when you're
using it

interactively; I'll show why further down.


My personal choice would be to have my scripts and programs
supply the

--batch on invocation rather than put it in the config file,
because you

only need to write that command invocation in the script once
(as you're

writing the script), whereas you'll be writing the --no-batch
every time

you /do/ use it from an interactive shell.


I selected "expert" mode because I am
  using ED2599 incrpytion that is
  
  available only in this mode (I know, I am newbie)
  

You only need the --expert on commands creating or adding keys
for that.

Once you have the key, you no longer need --expert to just use
it.


All the config lines I showed are in my
  user config.
  
  A few days ago, my set up, which is still in development
  phase,
  
  worked until my short lived gpg keys expired. I fell in deep
  * when
  
  I created new keys. It all worked, with the passphrase-file
  option and
  
  without, before I fell. Can you pull this dumb newbie out?
  

I think the combination that worked might have been


--8<---cut
here---start->8---

pinentry-mode loopback

passphrase-file /home/ayoub/.gnupg/output.png

--8<---cut
here---end--->8---


but once you commented out the passphrase-file entry, GnuPG had
no way

to get the passphrase. Normally you should use the pinentry (so
comment

out the pinentry-mode line as well), but 

Re: Newbie question.

[Ayoub Misherghi via Gnupg-users]

I am re-sending this text only. I made the mistake of sending it html 
previously.




Sorry for splitting Peter and Philihp  into two threads.


I have probably put my gpg environment/program in a state it cannot come 
out of. I want to do what cowards do. I want to uninstall gpg and start 
all over again, escaping from the mess I put my self into somehow. With 
the advice you gave me I should do better next the time, and hopefully  
stay out of trouble.



I have not given anybody any of the IDs yet. And besides, the intended 
application is non interactive and also does not communicate anything. 
It hides everything and itself from ever body and ever thing, let alone 
the keys (or at least that is the intention if a manage to keep me out 
of trouble. I am a ASIC hardware guy venturing to do what I should not; 
obviously.)



How do I ensure I uninstall without leaving any history or state that 
could affect a new install please? Sorry for the head ache I am giving 
you. If I manage to make money and not go bankrupt I will remember my 
friends.



On 7/12/2020 11:01 AM, Ayoub Misherghi wrote:


Thanks. This exposes to me how little I know and it will take me time 
to absorb it. None of this information is in anything I read. Nothing 
comes close. I will not come to grips with it with the kind of reading 
material I have. Can you please suggest some good tutorial and 
reference material preferably free (probably mutually exclusive 
requirements) that will bring me up to your level or close to it please.



The material I come across is just like silly preschool stuff with 1/4 
truth which keeps you ill informed and miss informed and throws you 
off track. They over simplify and drain education out of you making 
you zombie.



Thanks,


Ayoub


On 7/12/2020 9:15 AM, Peter Lebbing wrote:

On 12/07/2020 17:45, Ayoub Misherghi wrote:

Sorry for going off list and messing everybody up. Now I disserve
punishment.

Heh :-). It's just that if I reply off-list, it only helps you, but if
it is on-list, other people can find it in a search engine when they're
facing something similar.

On 11/07/2020 21:07, Ayoub Misherghi wrote:

My current intended usage is in non-interactive mode, completely.
I can remove them from the gpg.conf but I would have to issue them
every time. My understanding is that non-interactive mode requires
those commands.

Well, in that case, you should supply --no-batch when you're using it
interactively; I'll show why further down.

My personal choice would be to have my scripts and programs supply the
--batch on invocation rather than put it in the config file, because you
only need to write that command invocation in the script once (as you're
writing the script), whereas you'll be writing the --no-batch every time
you /do/ use it from an interactive shell.


I selected "expert" mode because I am using ED2599 incrpytion that is
available only in this mode (I know, I am newbie)

You only need the --expert on commands creating or adding keys for that.
Once you have the key, you no longer need --expert to just use it.


All the config lines I showed are in my user config.
A few days ago, my set up, which is still in development phase,
worked until my short lived gpg keys expired. I fell in deep * when
I created new keys. It all worked, with the passphrase-file option and
without, before I fell. Can you pull this dumb newbie out?

I think the combination that worked might have been

--8<---cut here---start->8---
pinentry-mode loopback
passphrase-file /home/ayoub/.gnupg/output.png
--8<---cut here---end--->8---

but once you commented out the passphrase-file entry, GnuPG had no way
to get the passphrase. Normally you should use the pinentry (so comment
out the pinentry-mode line as well), but you force it to use the
loopback pinentry-mode. gpg _could_ ask for your passphrase that way.
But, you also specify --batch. --batch tells GnuPG that the human is
currently unavailable and it needn't bother trying to interact with it.
So it has no way to get the passphrase and gives up.

It will ask you for the passphrase when you comment out --batch, but I
recommend also commenting out the --pinentry-mode line so it'll just
launch a pinentry like it wants to do.

Now about this configuration:

--8<---cut here---start->8---
pinentry-mode loopback
passphrase-file /home/ayoub/.gnupg/output.png
--8<---cut here---end--->8---

If this file is stored with the same access conditions as
~/.gnupg/private-keys-v1.d/, it serves no good purpose. You should then
just use a key without a passphrase. With a key without a passphrase, an
attacker would just need the file

~/.gnupg/private-keys-v1.d/[...].key

and they're good to go. With your passphrase-file, they need two files:

~/.gnupg/private-keys-v1.d/[...].key

Re: Have gpg-preset-passphrase always required a keygrip? (was: Newbie question.)

[raf via Gnupg-users]

Dmitry Alexandrov wrote:

> Peter Lebbing  wrote:
> > You can actually unlock keys the way GnuPG intends to do that with:
> >
> > $ my-unlocker | /usr/lib/gnupg/gpg-preset-passphrase --preset 
> >
> > You can find the keygrip for your keys with:
> >
> > $ gpg --with-keygrip --list-secret-keys
> >
> > You do need it for every subkey you want to use like this separately,
> 
> Hm...
> 
> Did not gpg-preset-passphrase(1) worked perfectly on any NAMEs (IDs,
> UIDs) as well some time ago?  Or is that me, who have some false
> memories?

For gpg-agent 2.0.x I needed to use gpg --fingerprint --fingerprint xxx@xxx
to get the cache id to use with gpg-preset-passphrase --preset.
Since then, I need gpg2 --fingerprint --with-keygrip xxx@xxx.
So it probably changed from fingerprint to keygrip with 2.1
(but I don't know exactly when).

cheers,
raf


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Newbie question.

[Ayoub Misherghi via Gnupg-users]

  
  
Hi,


On 7/11/2020 3:34 AM, Peter Lebbing
  wrote:


  Hi!

On 10/07/2020 23:47, Ayoub Misherghi via Gnupg-users wrote:

  
ayoub@vboxpwfl:~/testdir$ gpg --list-secret-keys

  
  
Could you do

$ gpg --with-subkey-fingerprint --list-secret-keys



ayoub@vboxpwfl:$ gpg --with-subkey-fingerprint --list-secret-keys
  /home/ayoub/.gnupg/pubring.kbx
  --
  sec   ed25519 2020-07-09 [SC] [expires: 2020-07-19]
    3C5B212A55B966881E2D2718A45398B520BEE91E
  uid   [ultimate] sentry
  ssb   cv25519 2020-07-09 [E] [expires: 2020-07-19]
    F2A76096E857E2AF607DD144D17AA44F49BB5A08
  
  sec   ed25519 2020-07-09 [SC] [expires: 2021-07-09]
    7A675D7F52BC905C22F8249091556BC29D4C595E
  uid   [ultimate] develop1
  ssb   cv25519 2020-07-09 [E] [expires: 2021-07-09]
    BFF08DC8259E2E9FBAF92AC1367BD2210D4E904D
  


  

and

$ gpg --version

ayoub@vboxpwfl:~/sentry/trunk$ gpg --version
  gpg (GnuPG) 2.2.19
  libgcrypt 1.8.5
  Copyright (C) 2019 Free Software Foundation, Inc.
  License GPLv3+: GNU GPL version 3 or later
  
  This is free software: you are free to change and redistribute it.
  There is NO WARRANTY, to the extent permitted by law.
  
  Home: /home/ayoub/.gnupg
  Supported algorithms:
  Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
  Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
      CAMELLIA128, CAMELLIA192, CAMELLIA256
  Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
  Compression: Uncompressed, ZIP, ZLIB, BZIP2




  

please?

And do you get a popup asking for your passphrase or is what you post
all the interaction that you get? If that is where the problem lies,
it's good to know your operating system/distribution, your desktop
environment, and stuff like that.

HTH,

Peter.


ayoub@vboxpwfl:~/sentry/trunk$ uname -a
  Linux vboxpwfl 5.4.0-40-generic #44-Ubuntu SMP Tue Jun 23 00:01:04
  UTC 2020 x86_64 x86_64 x86_64 GNU/Linux



Ubuntu 19.04 running inside VirtualBox on Windows 10





This lists gpg.conf (I have removed all commented lines except
  two that I show)

ayoub@vboxpwfl:~/sentry/trunk$ cat ~/.gnupg/gpg.conf 
  batch
  pinentry-mode loopback 
  require-secmem
  no-greeting
  expert
  #--passphrase-file file
  #passphrase-file /home/ayoub/.gnupg/output.png


I am not asked for pass phrase even though I have the
  "passphrase-file" in the gpg.conf commented out.


Thanks


  


  


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Fwd: Re: Newbie question.

[Ayoub Misherghi via Gnupg-users]

Sorry for going off list and messing everybody up. Now I disserve 
punishment. Sorry for the html too.



 Forwarded Message 
Subject:Re: Newbie question.
Date:   Sat, 11 Jul 2020 12:07:17 -0700
From:   Ayoub Misherghi 
To: Peter Lebbing 




On 7/11/2020 11:30 AM, Peter Lebbing wrote:

Hi,

On 11/07/2020 19:58, Ayoub Misherghi wrote:

ayoub@vboxpwfl:~/sentry/trunk$ cat ~/.gnupg/gpg.conf
batch
pinentry-mode loopback

Ah yes. Those two options have no place in your gpg.conf. They are
options that you might want to specify as part of the command line on
occasion, but unless you have a very unusual setup they should not be
there. You should remove both. The pinentry-mode is probably what is
preventing you being asked for the passphrase.

My current intended usage is in non-interactive mode, completely.

I can remove them from the gpg.conf but I would have to issue them

every time. My understanding is that non-interactive mode requires

those commands.


expert

I'd recommend dropping this as well.


I selected "expert" mode because I am using ED2599 incrpytion that is

available only in this mode (I know, I am newbie)


#--passphrase-file file
#passphrase-file /home/ayoub/.gnupg/output.png

These commented out lines are probably why the pinentry-mode line was
there in the first place. Do you know why these lines, both the
uncommented and the commented ones, are in your gpg.conf?


All the config lines I showed are in my user config.

A few days ago, my set up, which is still in development phase,

worked until my short lived gpg keys expired. I fell in deep * when

I created new keys. It all worked, with the passphrase-file option and 
without,


before I fell. Can you pull this dumb newbie out?


HTH,

Peter.



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Newbie question.

[Ayoub Misherghi via Gnupg-users]

Thanks. This exposes to me how little I know and it will take me time to 
absorb it. None of this information is in anything I read. Nothing comes 
close. I will not come to grips with it with the kind of reading 
material I have. Can you please suggest some good tutorial and reference 
material preferably free (probably mutually exclusive requirements) that 
will bring me up to your level or close to it please.



The material I come across is just like silly preschool stuff with 1/4 
truth which keeps you ill informed and miss informed and throws you off 
track. They over simplify and drain education out of you making you zombie.



Thanks,


Ayoub


On 7/12/2020 9:15 AM, Peter Lebbing wrote:

On 12/07/2020 17:45, Ayoub Misherghi wrote:

Sorry for going off list and messing everybody up. Now I disserve
punishment.

Heh :-). It's just that if I reply off-list, it only helps you, but if
it is on-list, other people can find it in a search engine when they're
facing something similar.

On 11/07/2020 21:07, Ayoub Misherghi wrote:

My current intended usage is in non-interactive mode, completely.
I can remove them from the gpg.conf but I would have to issue them
every time. My understanding is that non-interactive mode requires
those commands.

Well, in that case, you should supply --no-batch when you're using it
interactively; I'll show why further down.

My personal choice would be to have my scripts and programs supply the
--batch on invocation rather than put it in the config file, because you
only need to write that command invocation in the script once (as you're
writing the script), whereas you'll be writing the --no-batch every time
you /do/ use it from an interactive shell.


I selected "expert" mode because I am using ED2599 incrpytion that is
available only in this mode (I know, I am newbie)

You only need the --expert on commands creating or adding keys for that.
Once you have the key, you no longer need --expert to just use it.


All the config lines I showed are in my user config.
A few days ago, my set up, which is still in development phase,
worked until my short lived gpg keys expired. I fell in deep * when
I created new keys. It all worked, with the passphrase-file option and
without, before I fell. Can you pull this dumb newbie out?

I think the combination that worked might have been

--8<---cut here---start->8---
pinentry-mode loopback
passphrase-file /home/ayoub/.gnupg/output.png
--8<---cut here---end--->8---

but once you commented out the passphrase-file entry, GnuPG had no way
to get the passphrase. Normally you should use the pinentry (so comment
out the pinentry-mode line as well), but you force it to use the
loopback pinentry-mode. gpg _could_ ask for your passphrase that way.
But, you also specify --batch. --batch tells GnuPG that the human is
currently unavailable and it needn't bother trying to interact with it.
So it has no way to get the passphrase and gives up.

It will ask you for the passphrase when you comment out --batch, but I
recommend also commenting out the --pinentry-mode line so it'll just
launch a pinentry like it wants to do.

Now about this configuration:

--8<---cut here---start->8---
pinentry-mode loopback
passphrase-file /home/ayoub/.gnupg/output.png
--8<---cut here---end--->8---

If this file is stored with the same access conditions as
~/.gnupg/private-keys-v1.d/, it serves no good purpose. You should then
just use a key without a passphrase. With a key without a passphrase, an
attacker would just need the file

~/.gnupg/private-keys-v1.d/[...].key

and they're good to go. With your passphrase-file, they need two files:

~/.gnupg/private-keys-v1.d/[...].key
~/.gnupg/output.png

and once again they're good to go, they have your private key. Why would
it be more difficult to get a hold of two files rather than one? Just
drop the passphrase, and all your problems magically disappear :-).

But given its name, I suppose output.png is generated by some unlocking
process. Suppose you did it like this before:

$ my-unlocker >~/.gnupg/output.png

You can actually unlock keys the way GnuPG intends to do that with:

$ my-unlocker | /usr/lib/gnupg/gpg-preset-passphrase --preset 

You can find the keygrip for your keys with:

$ gpg --with-keygrip --list-secret-keys

You do need it for every subkey you want to use like this separately,
and also, it does not verify whether the passphrase was correct. Also,
put

allow-preset-passphrase
max-cache-ttl 

in ~/.gnupg/gpg-agent.conf

and issue

$ gpgconf --kill gpg-agent

to reload.  is how long you want the passphrase to stay
available after gpg-preset-passphrase, and it defaults to a mere 2
hours. You could set it to 4294967295 to specify a lifetime of 136
years, i.e., infinitely for all practical purposes.

Watch out that my-unlocker doesn't leak the passphrase in any way. I

Have gpg-preset-passphrase always required a keygrip? (was: Newbie question.)

[Dmitry Alexandrov]

Peter Lebbing  wrote:
> You can actually unlock keys the way GnuPG intends to do that with:
>
> $ my-unlocker | /usr/lib/gnupg/gpg-preset-passphrase --preset 
>
> You can find the keygrip for your keys with:
>
> $ gpg --with-keygrip --list-secret-keys
>
> You do need it for every subkey you want to use like this separately,

Hm...

Did not gpg-preset-passphrase(1) worked perfectly on any NAMEs (IDs, UIDs) as 
well some time ago?  Or is that me, who have some false memories?


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Newbie question.

[Peter Lebbing]

On 12/07/2020 17:45, Ayoub Misherghi wrote:
> Sorry for going off list and messing everybody up. Now I disserve
> punishment.

Heh :-). It's just that if I reply off-list, it only helps you, but if
it is on-list, other people can find it in a search engine when they're
facing something similar.

On 11/07/2020 21:07, Ayoub Misherghi wrote:
> My current intended usage is in non-interactive mode, completely.
> I can remove them from the gpg.conf but I would have to issue them
> every time. My understanding is that non-interactive mode requires
> those commands.

Well, in that case, you should supply --no-batch when you're using it
interactively; I'll show why further down.

My personal choice would be to have my scripts and programs supply the
--batch on invocation rather than put it in the config file, because you
only need to write that command invocation in the script once (as you're
writing the script), whereas you'll be writing the --no-batch every time
you /do/ use it from an interactive shell.

> I selected "expert" mode because I am using ED2599 incrpytion that is
> available only in this mode (I know, I am newbie)

You only need the --expert on commands creating or adding keys for that.
Once you have the key, you no longer need --expert to just use it.

> All the config lines I showed are in my user config.
> A few days ago, my set up, which is still in development phase,
> worked until my short lived gpg keys expired. I fell in deep * when
> I created new keys. It all worked, with the passphrase-file option and
> without, before I fell. Can you pull this dumb newbie out?

I think the combination that worked might have been

--8<---cut here---start->8---
pinentry-mode loopback
passphrase-file /home/ayoub/.gnupg/output.png
--8<---cut here---end--->8---

but once you commented out the passphrase-file entry, GnuPG had no way
to get the passphrase. Normally you should use the pinentry (so comment
out the pinentry-mode line as well), but you force it to use the
loopback pinentry-mode. gpg _could_ ask for your passphrase that way.
But, you also specify --batch. --batch tells GnuPG that the human is
currently unavailable and it needn't bother trying to interact with it.
So it has no way to get the passphrase and gives up.

It will ask you for the passphrase when you comment out --batch, but I
recommend also commenting out the --pinentry-mode line so it'll just
launch a pinentry like it wants to do.

Now about this configuration:

--8<---cut here---start->8---
pinentry-mode loopback
passphrase-file /home/ayoub/.gnupg/output.png
--8<---cut here---end--->8---

If this file is stored with the same access conditions as
~/.gnupg/private-keys-v1.d/, it serves no good purpose. You should then
just use a key without a passphrase. With a key without a passphrase, an
attacker would just need the file

~/.gnupg/private-keys-v1.d/[...].key

and they're good to go. With your passphrase-file, they need two files:

~/.gnupg/private-keys-v1.d/[...].key
~/.gnupg/output.png

and once again they're good to go, they have your private key. Why would
it be more difficult to get a hold of two files rather than one? Just
drop the passphrase, and all your problems magically disappear :-).

But given its name, I suppose output.png is generated by some unlocking
process. Suppose you did it like this before:

$ my-unlocker >~/.gnupg/output.png

You can actually unlock keys the way GnuPG intends to do that with:

$ my-unlocker | /usr/lib/gnupg/gpg-preset-passphrase --preset 

You can find the keygrip for your keys with:

$ gpg --with-keygrip --list-secret-keys 

You do need it for every subkey you want to use like this separately,
and also, it does not verify whether the passphrase was correct. Also,
put

allow-preset-passphrase
max-cache-ttl 

in ~/.gnupg/gpg-agent.conf

and issue

$ gpgconf --kill gpg-agent

to reload.  is how long you want the passphrase to stay
available after gpg-preset-passphrase, and it defaults to a mere 2
hours. You could set it to 4294967295 to specify a lifetime of 136
years, i.e., infinitely for all practical purposes.

Watch out that my-unlocker doesn't leak the passphrase in any way. I
thought it was unhelfpul that you can't use the pinentry with
gpg-preset-passphrase and I proposed a hack more than two years ago:

https://lists.gnupg.org/pipermail/gnupg-users/2018-February/059917.html

It's pretty hacky, but it does seem to work.

You could actually just unlock your key by using it once when you start
up your system, and then use the caching feature to keep it available
for non-interactive use for the rest of the time. Then you don't use
gpg-preset-passphrase, but put, e.g., this in your gpg-agent.conf

default-cache-ttl 4294967295
max-cache-ttl 4294967295

and unlock your key by doing one decryption:

$ echo Open Sesame | gpg -r develop1 -e | gpg -d

This 

Re: Newbie question.

[Peter Lebbing]

Hi,

On 11/07/2020 19:58, Ayoub Misherghi wrote:
> ayoub@vboxpwfl:~/sentry/trunk$ cat ~/.gnupg/gpg.conf
> batch
> pinentry-mode loopback

Ah yes. Those two options have no place in your gpg.conf. They are
options that you might want to specify as part of the command line on
occasion, but unless you have a very unusual setup they should not be
there. You should remove both. The pinentry-mode is probably what is
preventing you being asked for the passphrase.

> expert

I'd recommend dropping this as well.

> #--passphrase-file file
> #passphrase-file /home/ayoub/.gnupg/output.png

These commented out lines are probably why the pinentry-mode line was
there in the first place. Do you know why these lines, both the
uncommented and the commented ones, are in your gpg.conf?

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Newbie question.

[Peter Lebbing]

Hi!

On 10/07/2020 23:47, Ayoub Misherghi via Gnupg-users wrote:
> ayoub@vboxpwfl:~/testdir$ gpg --list-secret-keys

Could you do

$ gpg --with-subkey-fingerprint --list-secret-keys

and

$ gpg --version

please?

And do you get a popup asking for your passphrase or is what you post
all the interaction that you get? If that is where the problem lies,
it's good to know your operating system/distribution, your desktop
environment, and stuff like that.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Newbie question.

[Ayoub Misherghi via Gnupg-users]

  
  
What am I doing wrong:


ayoub@vboxpwfl:~/testdir$ ls
  textfile
  ayoub@vboxpwfl:~/testdir$ gpg -r develop1 -o textfile.gpg -e
  textfile
  ayoub@vboxpwfl:~/testdir$ ls
  textfile  textfile.gpg
  ayoub@vboxpwfl:~/testdir$ gpg -u develop1 -o textfile.dcr -d
  textfile.gpg
  gpg: encrypted with 256-bit ECDH key, ID 367BD2210D4E904D, created
  2020-07-09
    "develop1"
  gpg: public key decryption failed: End of file
  gpg: decryption failed: No secret key
  ayoub@vboxpwfl:~/testdir$ gpg --list-keys
  /home/ayoub/.gnupg/pubring.kbx
  --
  pub   ed25519 2020-07-09 [SC] [expires: 2020-07-19]
    3C5B212A55B966881E2D2718A45398B520BEE91E
  uid   [ultimate] sentry
  sub   cv25519 2020-07-09 [E] [expires: 2020-07-19]
  
  pub   ed25519 2020-07-09 [SC] [expires: 2021-07-09]
    7A675D7F52BC905C22F8249091556BC29D4C595E
  uid   [ultimate] develop1
  sub   cv25519 2020-07-09 [E] [expires: 2021-07-09]
  
  ayoub@vboxpwfl:~/testdir$ gpg --list-secret-keys
  /home/ayoub/.gnupg/pubring.kbx
  --
  sec   ed25519 2020-07-09 [SC] [expires: 2020-07-19]
    3C5B212A55B966881E2D2718A45398B520BEE91E
  uid   [ultimate] sentry
  ssb   cv25519 2020-07-09 [E] [expires: 2020-07-19]
  
  sec   ed25519 2020-07-09 [SC] [expires: 2021-07-09]
    7A675D7F52BC905C22F8249091556BC29D4C595E
  uid   [ultimate] develop1
  ssb   cv25519 2020-07-09 [E] [expires: 2021-07-09]
  
  ayoub@vboxpwfl:~/testdir$ 
  

  


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Question / sync keyrings between devices

[fsantiago]

Question,

Is there anything out there, think bittorrent-sync, that allows for syncing 
your full keyring between devices? Would it be enough to simply use 
bittorrent-sync to sync your .gnupg folder? 

I get the —export / —import but what about automating it a lil’ bit? Something 
peer to peer preferably. 

Sent from my iPhone
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Question about symmetric AES cipher in GnuPG [ ref:_00D58dJQM._5004Ius4eD:ref ]

[Informa D via Gnupg-users]

Exmos. Senhores,

Recebemos a informação que tiveram hoje a amabilidade de nos transmitir e que 
muito agradecemos.

Vamos imediatamente analisar o caso e responderemos com a máxima brevidade 
possível ao vosso pedido. Assim que for possível, o Serviço de Apoio ao Cliente 
entrará em contacto convosco.

No entanto, caso o vosso contacto esteja relacionado com a necessidade de 
atualizar os dados da vossa empresa na nossa base de dados, notem que poderão 
fazê-lo diretamente e sem demoras.

De facto, as entidades empresariais cujos dados constem da nossa base de dados 
podem consultar, acrescentar e modificar on-line as informações que lhes digam 
respeito, sendo para tal apenas necessário que disponham de uma senha de acesso 
exclusivo a uma zona reservada do nosso site.

Sublinhamos que este acesso para atualização on-line é totalmente gratuito e 
muito fácil, bastando entrar em www.informadb.pt e selecionar, em Feed´Back , " 
Para consultar atualizar os dados de uma empresa diretamente na nossa base de 
dados".

Se necessitarem de mais esclarecimentos sobre o Feed’Back – Serviço de 
Atualização de Dados, estaremos inteiramente disponíveis para os prestar.

Atenciosamente,

Serviço de Apoio ao Cliente

(+351) 213 500 389 - Fax: (+351) 213 151 658
vipclien...@informadb.pt
www.informadb.pt

CONFIDENCIAL. Esta mensagem destina-se a uso exclusivo do(s) destinatário(s) e 
poderá conter informação privada ou confidencial. A leitura, retenção, 
divulgação, cópia, distribuição ou reencaminhamento são proíbidas. Caso a 
receba por engano, solicitamos que nos comunique por e-mail e elimine a 
mensagem do seu sistema sem a reproduzir. Os dados pessoais constantes do 
presente e-mail estão ou serão adicionados à lista de contactos da INFORMA D, 
responsável pelo tratamento de dados, para o podermos contactar sempre que 
necessário . O direito de acesso, retificação, oposição e apagamento, deverá 
ser exercido através do e-mail: protecaodeda...@informadb.pt. Consulte o nosso 
compromisso de privacidade em www.informadb.pt.

CONFIDENTIAL. This message is intended for the exclusive use of the named 
addressee(s) and it may contain private or confidential information. Any 
reading, retention, disclosure, copying, distribution or redirection is 
prohibited. If you are not the intended recipient, please notify us by e-mail 
and delete this message from your system without retaining a copy. The personal 
data included in this e-mail is or will be added to the contact list of INFORMA 
D, acting as data controller, to contact you whenever necessary. You have the 
right of access and the rights to rectification, to object and to erasure 
through the e-mail: protecaodeda...@informadb.pt___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Question about symmetric AES cipher in GnuPG

[Werner Koch via Gnupg-users]

On Wed, 30 Oct 2019 17:19, Brian Minton said:

> My guess is, the gpg one also is doing MDC, so you'd have to add the
> equivalent HMAC code to openssl, but that's just a complete guess.  

The OpenPGP MDC is a SHA-1 hash appended to the plaintext and then
encrypted along with the data.  The usual OpenPGP packet structure is
used; details are in RFC-4880. Further OpenPGP's symmetric encryption
uses a random session key and encrypts that session key using the
passphrase as key.  This allows to have several independent passphrases
or public keys for the same data.

You can't easily implement that with OpenSSL in a script.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Question about symmetric AES cipher in GnuPG

[Brian Minton]

On 10/27/19 3:25 PM, Stefan Claas via Gnupg-users wrote:
> gpg --symmetric --cipher-algo AES256 hw.txt gives me a file
> size of 87 Bytes.
>
> Doing the same with openssl, for example:
>
> openssl enc -aes-256-cbc -pbkdf2 -in hw.txt -out hw.enc
>
> results in 32 Bytes.
>
> Can you please, or somebody else, explain in laymen terms why this is so?

My guess is, the gpg one also is doing MDC, so you'd have to add the
equivalent HMAC code to openssl, but that's just a complete guess.  




signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Question about symmetric AES cipher in GnuPG

[Stefan Claas via Gnupg-users]

Damien Goutte-Gattat wrote:

> Hi,
> 
> On Sun, Oct 27, 2019 at 08:25:10PM +0100, Stefan Claas via Gnupg-users wrote:
> >Can you please, or somebody else, explain in laymen terms why this is 
> >so?
> 
> Simply put, gpg and openssl enc don’t use the same file formats.  
> Different formats may encode the same data differently, so you can’t 
> expect the two outputs to be similar or to be of a similar size.
> 
> In GnuPG’s case, the format is the one defined by the RFC 4880 standard 
> [1]. I don’t know what is the format used by OpenSSL, but some of the 
> differences with GnuPG’s format include:
> 
> * GnuPG adds a “Modification Detection Code” to the encrypted data;
> 
> * GnuPG also adds some metadata, including the name of the original 
>   file.
> 
> Those differences alone already explain easily why the file generated by 
> GnuPG is bigger.
> 
> Cheers,
> 
> - Damien
> 
> 
> [1] https://tools.ietf.org/html/rfc4880

Thanks for the explanation! I will then check the RFC to see if I can
find how many bytes the 'Modification Detection Code' and the meta data
consumes.

Regards
Stefan

-- 
box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
  certified OpenPGP key blocks available on keybase.io/stefan_claas
   

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Question about symmetric AES cipher in GnuPG

[Damien Goutte-Gattat via Gnupg-users]

Hi,

On Sun, Oct 27, 2019 at 08:25:10PM +0100, Stefan Claas via Gnupg-users wrote:
Can you please, or somebody else, explain in laymen terms why this is 
so?


Simply put, gpg and openssl enc don’t use the same file formats.  
Different formats may encode the same data differently, so you can’t 
expect the two outputs to be similar or to be of a similar size.


In GnuPG’s case, the format is the one defined by the RFC 4880 standard 
[1]. I don’t know what is the format used by OpenSSL, but some of the 
differences with GnuPG’s format include:


* GnuPG adds a “Modification Detection Code” to the encrypted data;

* GnuPG also adds some metadata, including the name of the original 
 file.


Those differences alone already explain easily why the file generated by 
GnuPG is bigger.


Cheers,

- Damien


[1] https://tools.ietf.org/html/rfc4880


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Question about symmetric AES cipher in GnuPG

[Stefan Claas via Gnupg-users]

Hi Werner and all,

I was wondering why the binary file size when using symmetric AES
encryption with GnuPG is larger than with other apps, I have tested
so far.

As an example encrypting a text file containing 'Hello World':

gpg --symmetric --cipher-algo AES256 hw.txt gives me a file
size of 87 Bytes.

Doing the same with openssl, for example:

openssl enc -aes-256-cbc -pbkdf2 -in hw.txt -out hw.enc

results in 32 Bytes.

Can you please, or somebody else, explain in laymen terms why this is so?

Regards
Stefan

-- 
box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
  certified OpenPGP key blocks available on keybase.io/stefan_claas
   

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: user id question

[Werner Koch]

On Sun, 10 Mar 2019 14:51, 2017-r3sgs86x8e-lists-gro...@riseup.net said:

> Is "nerdy" good or bad in this context?

That is really up to you.  Often it is fun to be a nerd.

To the OP: I have done keysigning for about 25 years but meanwhile I
don't think that the Web of Trust is a good idea to make encryption for
the masses really easy.  Also it is often more a game than serious
operational security.  In particular if it comes to the pretty German of
scheme of it which sometimes demands two government issued identity
documents and so on.  That is in stark contrast to the grassroots origin
of PGP and its tendency not to trust the government.  For a small closed
group the Web of Trust used to work well, though.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: user id question

[MFPA]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi


On Friday 8 March 2019 at 8:15:43 AM, in
, Werner Koch wrote:-



> If you plan to take part in that nerdy key signing
> game

Is "nerdy" good or bad in this context?

- --
Best regards

MFPA  

The truth is rarely pure and never simple
-BEGIN PGP SIGNATURE-

iNUEARYKAH0WIQSWDIYo1ZL/jN6LsL/g4t7h1sju+gUCXIUkZV8UgAAuAChp
c3N1ZXItZnByQG5vdGF0aW9ucy5vcGVucGdwLmZpZnRoaG9yc2VtYW4ubmV0OTYw
Qzg2MjhENTkyRkY4Q0RFOEJCMEJGRTBFMkRFRTFENkM4RUVGQQAKCRDg4t7h1sju
+u9oAQCQMlSlN7PlFjdh4i67SlS3OgcHaMrz19meN9kt37T6GQD/Xvx8AegXZ7fM
9QnMMnEtAEIAlBvfyxDiXuo+tZn/kAqJApMEAQEKAH0WIQRSX6konxd5jbM7JygT
DfUWES/A/wUCXIUkZl8UgAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0NTI1RkE5Mjg5RjE3Nzk4REIzM0IyNzI4MTMw
REY1MTYxMTJGQzBGRgAKCRATDfUWES/A/8PUD/0YHATTgmY4RbZiKz4HbNDn82S6
X9pvPPDoOf0cO0IVCQuVxj9zF4PCI8vVJs4DJDW1x578ThQ3wbLMNXVNTYpwfmVX
G6tIV1PaVLlERH4hHtALhL0y6cxD6Z3OfzsMEalAWusIYZbs48kJQS0hntqgDpOr
21uWZG/sDJ9DcI3TkIywYSI21Z3zAjGNhU9WZbg85cH51d6AUPWTTRSzh25JAad6
RTsT/GMcuuCDiPjHWPHQ1Z2tf1TwQI5chJf8gbRn+9opGhs9ziLlzEQywWMs2NAO
Z9+getLMutkQBPDWpkRjox5hYwVV2/fZo1sw+bNDdS2kqdAfJg3kyAcMJQEqZAB4
WPVRTGLXzw7wj+TaXBvyY1Wrejzzgv3b8VEgI+Vn5sVVbCFz6AQNydV9Acf2syR9
SrDhOnCEPMG+jHuMjF/M3ZlchUX1CHrPMd7oQtBaor9kWyGyBshVszvH0s8qpz8v
fVHMUjlCgUsEuun1ugIM1HUhDCDLh/FoTgGEOukrTHB+qva/jIZc3T6Z1VArvNOO
gRZmrRmrodlOjdy849ylXXr9ymU+4ATaz4vSs9+/0qte7CvVVkgkgNSH76hxdkda
7e48bZgv0AZOma1PRyBL4Ch4HAz4PKSzWWSe3GkvsGWUOTME9CKW15qmwSYVaYQN
QDbaywtn8GnaxpFx3g==
=UKqC
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: user id question

[john doe]

On 3/8/2019 9:15 AM, Werner Koch wrote:
> On Sun, 24 Feb 2019 10:09, johndoe65...@mail.com said:
>
>> What I understand is that there is no clear convention.
>

'Consensus' and not 'convention'! :)

> Meanwhile I would suggest to only use the mail address, that is
>
>   j...@example.org
>
> and leave out all other parts.  There are even mail providers which
> demand this for data privacy reasons.  However if you prefer to have
> your mail in it, do it in the same was as it is common in your
> country/culture like
>
>   John Doe 
>
> If you plan to take part in that nerdy key signing game, some
> participants have the policy to check the real name agains a passport;
> obviously you would need the latter form then.
>
> I used to include my real name in my keys but for my new ed25519 key I
> use only the mail addresses (I use 3 different mail addresses in my
> keys).
>

Thank you Werner for your answer.
If the former is acceptable to you, I might as well do that.

Looks like your are not keen on key signing party, may I ask why?

--
John Doe

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: user id question

[Werner Koch]

On Sun, 24 Feb 2019 10:09, johndoe65...@mail.com said:

> What I understand is that there is no clear convention.

Meanwhile I would suggest to only use the mail address, that is

  j...@example.org

and leave out all other parts.  There are even mail providers which
demand this for data privacy reasons.  However if you prefer to have
your mail in it, do it in the same was as it is common in your
country/culture like

  John Doe 

If you plan to take part in that nerdy key signing game, some
participants have the policy to check the real name agains a passport;
obviously you would need the latter form then.

I used to include my real name in my keys but for my new ed25519 key I
use only the mail addresses (I use 3 different mail addresses in my
keys).


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Question about the security of the GnuPG Agent with regard to cryptographic material scrubbing

[gnupg]

Ciprian Dorin Craciun wrote:

> On Tue, Feb 26, 2019 at 12:58 PM Sarun Intaralawan
>  wrote:
> > I'm not able to answer your main question, but I believe it is you
> > explained. However, regarding the matter in P.S., I'm glad to inform
> > you that such a tool exists. It is called pass [1] and it is fully
> > integrated with GnuPG and Git. So you can backup your password like
> > a Git repository.
> 
> I know about that tool, however it is unfortunately written also in
> Bash, which as my own implementation has countless ways to
> (permanently) leak the password.
> 
> For example take the following commit:
> 
> https://git.zx2c4.com/password-store/commit/src/password-store.sh?id=367efa5846492e1b0898aad8a2c26ce94163ba24
> 
> Which has the following change:
> 
> - $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}"
> <<<"$password" || die "Password encryption aborted."
> + echo "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile"
> "${GPG_OPTS[@]}" || die "Password encryption aborted."
> 
> 
> In was committed in 2018, but the tool is from 2015, thus in the
> interim all the passwords were leaked into `$TMPDIR` and thus on the
> disk, which in most cases is actually the `rootfs`.  Thus without much
> effort, one can take out the HDD, and just run a file-system recovery
> tool to recover deleted files, or dump ASCII tokens, and thus get
> access to the used passwords.

The new version still leaks, just not as badly
(permanently). On Linux, for example, unless system
call tracing and arbitrary RAM reading has been
completely disabled, even for root, with "sysctl
kernel.yama.ptrace_scope=3", the password will appear
in ptrace/strace/ltrace output when $GPG reads stdin.

Admittedly, there needs to be an adversary with root
privileges (or the user's privileges) active on the
host at the time but it's still a potential leak. And
it might make its way to swap which might not be
encrypted.

Even with kernel.yama.ptrace_scope=3, systemtap or
dtrace (on hosts that have it) can probably see the
password.

It's probably impossible to completely avoid
(transient) leaks without hardware cryptographic
modules. But of course, that's no reason not to do
whatever you can to make it as difficult as possible
for an adversary.

> I'm not criticizing the `pass` tool, as I know myself how hard it is
> to write a tool that doesn't leak data, however any such tool should
> come with a big warning to its users.
> 
> Unfortunately on the project page there is no mention of its security
> weaknesses or any hint to the users about possible data leaks.
> 
> Ciprian.

[The rest is even more off-topic for this list]
 
To be fair, all software probably has unknown security
bugs. Warning users about the possibility before you
know that there's a problem might seem alarmist. But if
a security bug has been identified and fixed, users
should be notified if there's anything that they need
to do. Changelogs at least should highlight security
bug fixes.

In that commit, the author said that "Do not put
passwords in herestrings: Bash sometimes writes these
into temporary files, which isn't okay". If it is only
sometimes, maybe bash only uses temporary files for
here strings when they are large. If that's the case,
the passwords might never have been written to disk.
So it might be OK. However, it's not sometimes.
It's always:

  $ bash -c 'lsof -a -p $$ -d0' <<< Password1
  COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFFNODE NAME
  lsof24183  raf0r   REG  253,1   10 7864877 /tmp/zshz9mNt3 
(deleted)

So the commit message wasn't alarmist enough. And there
doesn't seem to be a Changelog file for pass or a
news or security notices section on its website.

Maybe you could submit a bug report for the
passwordstore.org website about its lack of a news or
security notices section for notifying users about
security issues.

I suppose the remedy is to cryptographically shred free
space if users didn't already have full disk encryption
(and hope they don't have SSDs). It would be good if
pass users were notified of that.

cheers,
raf


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Question about the security of the GnuPG Agent with regard to cryptographic material scrubbing

[Ángel]

On 2019-02-26 at 11:02 +0200, Ciprian Dorin Craciun wrote:
> Hello all!
> 
> Given the recent survey in password managers security [1], which
> concluded with their failure to properly sanitize / scrub the
> sensitive data (i.e. "master key") in "running locked state", I was
> wondering how does GnuPG Agent fare in this regard?
> 
> More specifically:
> * let's assume that one uses GnuPG Agent;  (only for PGP;)
> * the user enters the password for a particular private key;
> * (one assumes that the password was used to get the private key
> cryptographic material, and then scrubbed;)
> * then `--max-cache-ttl` seconds passes;
> * one assumes that the private key cryptographic material is now scrubbed;
> 
> Is this expectation correct?

I would say this is the right expectation.

However note that even with a perfect agent implementation, you might
find eg. that the kernel swapped to disk the page where the password was
read (before providing it to the program, which would hopefully be using
mlock(2) to avoid being swapped itself).



> Is there some external analysis about the security of the agent with
> regard to the scrubbing of both passwords and cryptographic material?

Intrigued by this I did a quick glance at the relevant code:

The cache purging seems to be done at housekeeping() [1], which simply calls 
release_data over the entry to free.
In turn, release_data() [2] is just a xfree() call, which would be
converted to gcry_free(), which is a libgcrypt function that will call
_gcry_private_free() [3].

_gcry_private_free() checks[4] whether this allocation was from a secure
pool (ie. allocated with gcry_xmalloc_secure), in which case it will
call _gcry_secmem_free[5], which does attempt to wipe the memory by
overwriting it with 0xff, 0xaa, 0x55 and 0x00 [6] using the macro
wipememory2,[7] which may do so inline (using volatile to avoid compiler
optimization) or end up calling _gcry_fast_wipememory, which would end
up calling the normal memset() through a function pointer.[8]
(I would expect either an attempt to use memset_s if available, similar
to the  check for explicit_bzero, or a note that like SecureZeroMemory
it provides no benefit, instead of a plain memset, though)

Best regards

[1] 
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=agent/cache.c;h=799d595abdb007422090622a959aa03741139c54;hb=HEAD#l198
[2] 
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=agent/cache.c;h=799d595abdb007422090622a959aa03741139c54;hb=HEAD#l141
[3] 
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=src/global.c;h=d82c680a5d2a2981129d0531ff43b337ffebb085;hb=refs/heads/master#l1019
[4] 
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=src/stdmem.c;h=04ce64fba14b2fd5d58be5050b80d6a159dffed5;hb=refs/heads/master#l220
[5] 
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=src/secmem.c;h=b36c44f6de188ff005ca10800a4ba9fdf5a352d2;hb=refs/heads/master#l787
[6] 
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=src/secmem.c;h=b36c44f6de188ff005ca10800a4ba9fdf5a352d2;hb=refs/heads/master#l768
[7] 
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=src/g10lib.h;h=694c2d83e2682103d83be03070c737a1bb6a3ae4;hb=refs/heads/master#l337
[8] 
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=src/misc.c;h=bb39e1c2fe1c94affe1f024a87621f79e77ba1aa;hb=refs/heads/master#l504



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Question about the security of the GnuPG Agent with regard to cryptographic material scrubbing

[Andrew Gallagher]

On 26/02/2019 11:54, Ciprian Dorin Craciun wrote:
> Thus without much
> effort, one can take out the HDD, and just run a file-system recovery
> tool to recover deleted files, or dump ASCII tokens, and thus get
> access to the used passwords.

Indeed, but if you use one of the standard web browsers your session
tokens are also stored on disk, by default unencrypted, and in many
cases these are equivalent to passwords (depending on the website).

Password managers address the issue of a network attacker. They don't
directly solve the problem of an attacker who has physical access to
your device. An encrypted drive is a better way to prevent an attacker
getting access to sensitive material on disk (not only passwords).

So while the problem you identify is bad, it's not fatal.

-- 
Andrew Gallagher



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users