Re: Newbie question.

2020-07-28 Thread Ralph Seichter via Gnupg-users
* Johan Wevers:

> Do you have examples of this for security related subjects?

I try not to rely on Wikipedia, in particular when searching for
sensitive subjects. Besides, if that was unclear, I mentioned Wikipedia
as a general example of the good concept of a Wiki colliding with
humanity, not for any particular subject matter. Too many cooks, and
some without training or taste buds.

Used to be that compiling an encyclopedia took a huge number of
competent researchers and authors. No wonder the things were so damn
expensive.

-Ralph

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Newbie question.

2020-07-28 Thread Johan Wevers
On 28-07-2020 14:42, Ralph Seichter via Gnupg-users wrote:

> confused with facts. The amount of BS that can be found on Wikipedia is
> case in point.

Do you have examples of this for security related subjects? I know there
are issues with politically sensitive subjects but that has usually
other reasons.

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html




Re: Newbie question.

2020-07-28 Thread Ralph Seichter via Gnupg-users
* Ayoub Misherghi via Gnupg-users:

> How about collective and cooperative effort in a wiki, or cloud
> funding pledges or donations? Those who contribute (money or effort)
> get privilege of some kind.

From what I observed over the years, a majority of Wikis only really
work within closely knit groups of people where contributions are
limited to a select few who genuinely know what they are writing about.

I do not want amateurs, be it well-meaning or malicious, write about
security related subjects in a Wiki, because that might (in the eyes of
casual visitors and search-engines) cause their scribblings to be
confused with facts. The amount of BS that can be found on Wikipedia is
case in point.

A Wiki about encryption with write access limited to people who
demonstrably understand the math sounds like a good thing to me, but a
"Community Wiki" does not. Community usually (and sadly) means too many
loud-mouthed, attention-seeking bozos.

-Ralph



Re: Newbie question.

2020-07-27 Thread Ayoub Misherghi via Gnupg-users



Sorry for seeming to be "spreading unjustified accusations". What I said
was meant to encourage that sort of "benign tyranny", I was not
complaining; or at least that was not my intention.

Thank you for explaining how the list works.

Ayoub

On 7/27/2020 2:08 AM, Werner Koch wrote:

> On Sun, 26 Jul 2020 12:59, Ayoub Misherghi said:
>
>> The moderators on this list (I do not know who they are) have been
>> tyrannical excluding some of my posts; I am not bitter or resentful. I
>
> This mailing list is not moderated and thus your posts are not excluded
> by any moderator.  The only automatic rejection we have are for too long
> posts.  In some very rare cases we set the moderation flag for a
> specific user but that is announced on the list.  I just checked that
> it is not the case for you.
>
> What our helpful moderators are mainly doing is to allow posts from
> non-subscribers.
>
> Please calm down and don't spread unjustified accusations.
>
> Salam-Shalom,
>
> Werner





Re: Newbie question.

2020-07-27 Thread Werner Koch via Gnupg-users
On Sun, 26 Jul 2020 12:59, Ayoub Misherghi said:

> The moderators on this list (I do not know who they are) have been
> tyrannical excluding some of my posts; I am not bitter or resentful. I

This mailing list is not moderated and thus your posts are not excluded
by any moderator.  The only automatic rejection we have are for too long
posts.  In some very rare cases we set the moderation flag for a
specific user but that is announced on the list.  I just checked that
it is not the case for you.

What our helpful moderators are mainly doing is to allow posts from
non-subscribers.

Please calm down and don't spread unjustified accusations.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.



Re: Newbie question.

2020-07-26 Thread Ayoub Misherghi via Gnupg-users



I understand it can be frustrating, especially if nobody has a deciding
vote or veto power or moderator power. Someone should have veto
power and anybody with other ideas can always fork and do his own thing.
That way it may probably work. A tyrant can stay on course and others
fork and be their own tyrant and are free to produce something better.

The moderators on this list (I do not know who they are) have been
tyrannical excluding some of my posts; I am not bitter or resentful. I
have to live up to standard and my posts have to be kind and gentle so
as not to burden those trying to help me for free; and amenable to
support by helping whoever is helping me. If there was no tyrant I could
have caused nuisance. Documentation needs a tyrant too.

On 7/26/2020 12:01 PM, Robert J. Hansen wrote:

>> How about collective and cooperative effort in a wiki, or cloud funding
>> pledges or donations? Those who contribute (money or effort) get
>> privilege of some kind.
>
> I am very pessimistic about the idea of collective effort.  What
> experience has taught me from working on the FAQ is that a small number
> of people with extreme ideas speak up the loudest, and the vast majority
> of users who are calm and reasonable speak up barely at all.




Re: Newbie question.

2020-07-26 Thread Robert J. Hansen
> How about collective and cooperative effort in a wiki, or cloud funding
> pledges or donations? Those who contribute (money or effort) get
> privilege of some kind.

I am very pessimistic about the idea of collective effort.  What
experience has taught me from working on the FAQ is that a small number
of people with extreme ideas speak up the loudest, and the vast majority
of users who are calm and reasonable speak up barely at all.




Re: Newbie question.

2020-07-26 Thread Ayoub Misherghi via Gnupg-users



How about collective and cooperative effort in a wiki, or cloud funding
pledges or donations? Those who contribute (money or effort) get
privilege of some kind.

On 7/26/2020 2:48 AM, Peter Lebbing wrote:

> On 12/07/2020 20:01, Ayoub Misherghi wrote:
>> Can you please suggest some good tutorial and reference material
>> preferably free (probably mutually exclusive requirements) that will
>> bring me up to your level or close to it please.
>
> No, I think the available documentation is lacking in quality. And
> on the other hand there's a lot of bad advice on websites. It's an
> unfortunate situation, but few people enjoy writing good documentation.
> It is a very laborious process.
>
> Sorry I can't be of better assistance.
>
> Peter.





Re: Newbie question.

2020-07-26 Thread Peter Lebbing
On 12/07/2020 20:01, Ayoub Misherghi wrote:
> Can you please suggest some good tutorial and reference material
> preferably free (probably mutually exclusive requirements) that will
> bring me up to your level or close to it please.

No, I think the available documentation is lacking in quality. And
on the other hand there's a lot of bad advice on websites. It's an
unfortunate situation, but few people enjoy writing good documentation.
It is a very laborious process.

Sorry I can't be of better assistance.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 




Re: Newbie question.

2020-07-17 Thread Ayoub Misherghi via Gnupg-users

  
  

It is working now. The problem was in gpg-agent.conf that I
forgot about. I did not do a re-install.

I learned from this list. Thanks.
  



Re: Newbie question.

2020-07-15 Thread Ayoub Misherghi via Gnupg-users

  
  


Sorry for splitting Peter and Philihp into two threads.

I have probably put my gpg environment/program in a state it cannot come
out of. I want to do what cowards do. I want to uninstall gpg and start
all over again, escaping from the mess I put myself into somehow. With
the advice you gave me I should do better next time, and hopefully
stay out of trouble.

I have not given anybody any of the IDs yet. And besides, the intended
application is non interactive and also does not communicate anything.
It hides everything and itself from everybody and everything, let alone
the keys (or at least that is the intention if I manage to keep me out
of trouble. I am an ASIC hardware guy venturing to do what I should not;
obviously.)

How do I ensure I uninstall without leaving any history or state that
could affect a new install please? Sorry for the headache I am giving
you. If I manage to make money and not go bankrupt I will remember my
friends.

On 7/12/2020 11:01 AM, Ayoub Misherghi wrote:

> Thanks. This exposes to me how little I know and it will take me time
> to absorb it. None of this information is in anything I read. Nothing
> comes close. I will not come to grips with it with the kind of reading
> material I have. Can you please suggest some good tutorial and
> reference material preferably free (probably mutually exclusive
> requirements) that will bring me up to your level or close to it please.
>
> The material I come across is just like silly preschool stuff with 1/4
> truth which keeps you ill informed and misinformed and throws you
> off track. They oversimplify and drain education out of you making
> you a zombie.
>
> Thanks,
>
> Ayoub
>
> On 7/12/2020 9:15 AM, Peter Lebbing wrote:
>
>> On 12/07/2020 17:45, Ayoub Misherghi wrote:
>>> Sorry for going off list and messing everybody up. Now I deserve
>>> punishment.
>>
>> Heh :-). It's just that if I reply off-list, it only helps you, but if
>> it is on-list, other people can find it in a search engine when they're
>> facing something similar.
>>
>> On 11/07/2020 21:07, Ayoub Misherghi wrote:
>>> My current intended usage is in non-interactive mode, completely.
>>> I can remove them from the gpg.conf but I would have to issue them
>>> every time. My understanding is that non-interactive mode requires
>>> those commands.
>>
>> Well, in that case, you should supply --no-batch when you're using it
>> interactively; I'll show why further down.
>>
>> My personal choice would be to have my scripts and programs supply the
>> --batch on invocation rather than put it in the config file, because you
>> only need to write that command invocation in the script once (as you're
>> writing the script), whereas you'll be writing the --no-batch every time
>> you /do/ use it from an interactive shell.
>>
>>> I selected "expert" mode because I am using ED25519 encryption that is
>>> available only in this mode (I know, I am newbie)
>>
>> You only need the --expert on commands creating or adding keys for that.
>> Once you have the key, you no longer need --expert to just use it.
>>
>>> All the config lines I showed are in my user config.
>>> A few days ago, my set up, which is still in development phase,
>>> worked until my short lived gpg keys expired. I fell in deep * when
>>> I created new keys. It all worked, with the passphrase-file option and
>>> without, before I fell. Can you pull this dumb newbie out?
>>
>> I think the combination that worked might have been
>>
>> --8<---cut here---start->8---
>> pinentry-mode loopback
>> passphrase-file /home/ayoub/.gnupg/output.png
>> --8<---cut here---end--->8---
>>
>> but once you commented out the passphrase-file entry, GnuPG had no way
>> to get the passphrase. Normally you should use the pinentry (so comment
>> out the pinentry-mode line as well), but you

Re: Newbie question.

2020-07-14 Thread Ayoub Misherghi via Gnupg-users


I am re-sending this text only. I made the mistake of sending it html
previously.

Sorry for splitting Peter and Philihp into two threads.

I have probably put my gpg environment/program in a state it cannot come
out of. I want to do what cowards do. I want to uninstall gpg and start
all over again, escaping from the mess I put myself into somehow. With
the advice you gave me I should do better next time, and hopefully
stay out of trouble.

I have not given anybody any of the IDs yet. And besides, the intended
application is non interactive and also does not communicate anything.
It hides everything and itself from everybody and everything, let alone
the keys (or at least that is the intention if I manage to keep me out
of trouble. I am an ASIC hardware guy venturing to do what I should not;
obviously.)

How do I ensure I uninstall without leaving any history or state that
could affect a new install please? Sorry for the headache I am giving
you. If I manage to make money and not go bankrupt I will remember my
friends.

On 7/12/2020 11:01 AM, Ayoub Misherghi wrote:

> Thanks. This exposes to me how little I know and it will take me time
> to absorb it. None of this information is in anything I read. Nothing
> comes close. I will not come to grips with it with the kind of reading
> material I have. Can you please suggest some good tutorial and
> reference material preferably free (probably mutually exclusive
> requirements) that will bring me up to your level or close to it please.
>
> The material I come across is just like silly preschool stuff with 1/4
> truth which keeps you ill informed and misinformed and throws you
> off track. They oversimplify and drain education out of you making
> you a zombie.
>
> Thanks,
>
> Ayoub
>
> On 7/12/2020 9:15 AM, Peter Lebbing wrote:
>
>> On 12/07/2020 17:45, Ayoub Misherghi wrote:
>>> Sorry for going off list and messing everybody up. Now I deserve
>>> punishment.
>>
>> Heh :-). It's just that if I reply off-list, it only helps you, but if
>> it is on-list, other people can find it in a search engine when they're
>> facing something similar.
>>
>> On 11/07/2020 21:07, Ayoub Misherghi wrote:
>>> My current intended usage is in non-interactive mode, completely.
>>> I can remove them from the gpg.conf but I would have to issue them
>>> every time. My understanding is that non-interactive mode requires
>>> those commands.
>>
>> Well, in that case, you should supply --no-batch when you're using it
>> interactively; I'll show why further down.
>>
>> My personal choice would be to have my scripts and programs supply the
>> --batch on invocation rather than put it in the config file, because you
>> only need to write that command invocation in the script once (as you're
>> writing the script), whereas you'll be writing the --no-batch every time
>> you /do/ use it from an interactive shell.
>>
>>> I selected "expert" mode because I am using ED25519 encryption that is
>>> available only in this mode (I know, I am newbie)
>>
>> You only need the --expert on commands creating or adding keys for that.
>> Once you have the key, you no longer need --expert to just use it.
>>
>>> All the config lines I showed are in my user config.
>>> A few days ago, my set up, which is still in development phase,
>>> worked until my short lived gpg keys expired. I fell in deep * when
>>> I created new keys. It all worked, with the passphrase-file option and
>>> without, before I fell. Can you pull this dumb newbie out?
>>
>> I think the combination that worked might have been
>>
>> --8<---cut here---start->8---
>> pinentry-mode loopback
>> passphrase-file /home/ayoub/.gnupg/output.png
>> --8<---cut here---end--->8---
>>
>> but once you commented out the passphrase-file entry, GnuPG had no way
>> to get the passphrase. Normally you should use the pinentry (so comment
>> out the pinentry-mode line as well), but you force it to use the
>> loopback pinentry-mode. gpg _could_ ask for your passphrase that way.
>> But, you also specify --batch. --batch tells GnuPG that the human is
>> currently unavailable and it needn't bother trying to interact with it.
>> So it has no way to get the passphrase and gives up.
>>
>> It will ask you for the passphrase when you comment out --batch, but I
>> recommend also commenting out the --pinentry-mode line so it'll just
>> launch a pinentry like it wants to do.
>>
>> Now about this configuration:
>>
>> --8<---cut here---start->8---
>> pinentry-mode loopback
>> passphrase-file /home/ayoub/.gnupg/output.png
>> --8<---cut here---end--->8---
>>
>> If this file is stored with the same access conditions as
>> ~/.gnupg/private-keys-v1.d/, it serves no good purpose. You should then
>> just use a key without a passphrase. With a key without a passphrase, an
>> attacker would just need the file
>>
>> ~/.gnupg/private-keys-v1.d/[...].key
>>
>> and they're good to go. With your passphrase-file, they need two files:
>>
>> ~/.gnupg/private-keys-v1.d/[...].key
>> ~/.gnu

Re: Have gpg-preset-passphrase always required a keygrip? (was: Newbie question.)

2020-07-13 Thread raf via Gnupg-users
Dmitry Alexandrov wrote:

> Peter Lebbing  wrote:
> > You can actually unlock keys the way GnuPG intends to do that with:
> >
> > $ my-unlocker | /usr/lib/gnupg/gpg-preset-passphrase --preset 
> >
> > You can find the keygrip for your keys with:
> >
> > $ gpg --with-keygrip --list-secret-keys
> >
> > You do need it for every subkey you want to use like this separately,
> 
> Hm...
> 
> Did not gpg-preset-passphrase(1) work perfectly on any NAMEs (IDs,
> UIDs) as well some time ago?  Or is that me, who have some false
> memories?

For gpg-agent 2.0.x I needed to use gpg --fingerprint --fingerprint xxx@xxx
to get the cache id to use with gpg-preset-passphrase --preset.
Since then, I need gpg2 --fingerprint --with-keygrip xxx@xxx.
So it probably changed from fingerprint to keygrip with 2.1
(but I don't know exactly when).

cheers,
raf
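
The keygrip lookup discussed above, as an added example that is not part of any poster's message or of GnuPG itself: it parses `gpg --with-colons --with-keygrip --list-secret-keys` output into one keygrip per key and subkey, then pipes a passphrase to gpg-preset-passphrase for each. The listing is constructed (fingerprints from the thread, placeholder keygrips, simplified fields), and `my-unlocker` is the thread's hypothetical command.

```shell
#!/bin/sh
# Added example: one keygrip per secret key and subkey, because
# gpg-preset-passphrase has to be run separately for each of them.

# Constructed sample of `gpg --with-colons --with-keygrip --list-secret-keys`.
# Fingerprints are the "develop1" ones shown in the thread; the keygrips in
# the grp records are made-up placeholders and the other fields are simplified.
sample_listing() {
cat <<'EOF'
sec:u:255:22:91556BC29D4C595E:1594252800:1625788800::u:::scESC:
fpr:::::::::7A675D7F52BC905C22F8249091556BC29D4C595E:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1594252800::::develop1:
ssb:u:255:18:367BD2210D4E904D:1594252800:1625788800:::::e:
fpr:::::::::BFF08DC8259E2E9FBAF92AC1367BD2210D4E904D:
grp:::::::::2222222222222222222222222222222222222222:
EOF
}

# Read a colon listing on stdin and print "KIND CAPS FINGERPRINT KEYGRIP"
# for each secret key (sec) and secret subkey (ssb).
# Field 12 of sec/ssb holds the capabilities; field 10 of the following
# fpr and grp records holds the fingerprint and the keygrip.
list_keygrips() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            kind = $1; caps = ($12 == "" ? "-" : $12); fpr = ""
        }
        $1 == "fpr" && kind != "" { fpr = $10 }
        $1 == "grp" && kind != "" { print kind, caps, fpr, $10; kind = "" }
    '
}

# Print the keygrips of the keys whose own capabilities include letter $1.
# Lower-case letters describe the key itself; the upper-case letters on a
# sec line summarise the whole key, so the match is case-sensitive.
keygrips_with_cap() {
    list_keygrips | awk -v cap="$1" 'index($2, cap) { print $4 }'
}

# Path as given in the thread; override PRESET if your distribution differs.
PRESET=${PRESET:-/usr/lib/gnupg/gpg-preset-passphrase}

# Read keygrips on stdin and preset the passphrase for each one.
# $1 is the command that prints the passphrase (the thread's hypothetical
# "my-unlocker"). It is run once per keygrip, so the passphrase only ever
# travels through a pipe and is never stored in a variable or a file.
preset_all() {
    unlocker=$1
    while read -r grip; do
        "$unlocker" </dev/null | "$PRESET" --preset "$grip" || return 1
    done
}

# Real use needs allow-preset-passphrase in gpg-agent.conf:
#   gpg --with-colons --with-keygrip --list-secret-keys develop1 \
#       | keygrips_with_cap e | preset_all my-unlocker

# Stand-alone demonstration on the constructed listing.
sample_listing | list_keygrips
```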




Re: Newbie question.

2020-07-13 Thread Ayoub Misherghi via Gnupg-users

  
  
Hi,

On 7/11/2020 3:34 AM, Peter Lebbing wrote:

> Hi!
>
> On 10/07/2020 23:47, Ayoub Misherghi via Gnupg-users wrote:
>
>> ayoub@vboxpwfl:~/testdir$ gpg --list-secret-keys
>
> Could you do
>
> $ gpg --with-subkey-fingerprint --list-secret-keys

ayoub@vboxpwfl:$ gpg --with-subkey-fingerprint --list-secret-keys
/home/ayoub/.gnupg/pubring.kbx
--
sec   ed25519 2020-07-09 [SC] [expires: 2020-07-19]
  3C5B212A55B966881E2D2718A45398B520BEE91E
uid   [ultimate] sentry
ssb   cv25519 2020-07-09 [E] [expires: 2020-07-19]
  F2A76096E857E2AF607DD144D17AA44F49BB5A08

sec   ed25519 2020-07-09 [SC] [expires: 2021-07-09]
  7A675D7F52BC905C22F8249091556BC29D4C595E
uid   [ultimate] develop1
ssb   cv25519 2020-07-09 [E] [expires: 2021-07-09]
  BFF08DC8259E2E9FBAF92AC1367BD2210D4E904D

> and
>
> $ gpg --version

ayoub@vboxpwfl:~/sentry/trunk$ gpg --version
gpg (GnuPG) 2.2.19
libgcrypt 1.8.5
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later

This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/ayoub/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
    CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

> please?
>
> And do you get a popup asking for your passphrase or is what you post
> all the interaction that you get? If that is where the problem lies,
> it's good to know your operating system/distribution, your desktop
> environment, and stuff like that.
>
> HTH,
>
> Peter.

ayoub@vboxpwfl:~/sentry/trunk$ uname -a
Linux vboxpwfl 5.4.0-40-generic #44-Ubuntu SMP Tue Jun 23 00:01:04 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 19.04 running inside VirtualBox on Windows 10

This lists gpg.conf (I have removed all commented lines except
two that I show)

ayoub@vboxpwfl:~/sentry/trunk$ cat ~/.gnupg/gpg.conf
batch
pinentry-mode loopback
require-secmem
no-greeting
expert
#--passphrase-file file
#passphrase-file /home/ayoub/.gnupg/output.png

I am not asked for pass phrase even though I have the
"passphrase-file" in the gpg.conf commented out.

Thanks


  


  



Fwd: Re: Newbie question.

2020-07-13 Thread Ayoub Misherghi via Gnupg-users
Sorry for going off list and messing everybody up. Now I deserve
punishment. Sorry for the html too.

Forwarded Message
Subject: Re: Newbie question.
Date: Sat, 11 Jul 2020 12:07:17 -0700
From: Ayoub Misherghi
To: Peter Lebbing

On 7/11/2020 11:30 AM, Peter Lebbing wrote:

> Hi,
>
> On 11/07/2020 19:58, Ayoub Misherghi wrote:
>
>> ayoub@vboxpwfl:~/sentry/trunk$ cat ~/.gnupg/gpg.conf
>> batch
>> pinentry-mode loopback
>
> Ah yes. Those two options have no place in your gpg.conf. They are
> options that you might want to specify as part of the command line on
> occasion, but unless you have a very unusual setup they should not be
> there. You should remove both. The pinentry-mode is probably what is
> preventing you being asked for the passphrase.

My current intended usage is in non-interactive mode, completely.
I can remove them from the gpg.conf but I would have to issue them
every time. My understanding is that non-interactive mode requires
those commands.

>> expert
>
> I'd recommend dropping this as well.

I selected "expert" mode because I am using ED25519 encryption that is
available only in this mode (I know, I am newbie)

>> #--passphrase-file file
>> #passphrase-file /home/ayoub/.gnupg/output.png
>
> These commented out lines are probably why the pinentry-mode line was
> there in the first place. Do you know why these lines, both the
> uncommented and the commented ones, are in your gpg.conf?

All the config lines I showed are in my user config.
A few days ago, my set up, which is still in development phase,
worked until my short lived gpg keys expired. I fell in deep * when
I created new keys. It all worked, with the passphrase-file option and
without, before I fell. Can you pull this dumb newbie out?

> HTH,
>
> Peter.
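
The gpg.conf advice given in this thread, turned into a check (an added example, not from any poster or from GnuPG): it flags `batch`, `pinentry-mode loopback` and `expert` set globally, the batch-plus-loopback combination that leaves gpg with no passphrase source, and a passphrase-file kept under the same GnuPG home as the private keys. The sample config is constructed from the one posted in the thread; treating "under the same GnuPG home" as "same access conditions" is an assumption.

```shell
#!/bin/sh
# Added example: audit a gpg.conf for the settings discussed in the thread.

# audit_gpg_conf FILE prints one "TAG detail" line per finding.
# Assumption: a passphrase-file under the same GnuPG home as gpg.conf is
# treated as having the same access conditions as private-keys-v1.d/;
# owner and mode bits are not compared.
audit_gpg_conf() {
    conf=$1
    home=$(cd "$(dirname "$conf")" && pwd) || return 2
    has_batch=0 has_loopback=0 has_file=0
    # "|| [ -n ... ]" keeps a last line that has no trailing newline.
    while read -r opt arg || [ -n "$opt" ]; do
        case $opt in
            ''|'#'*) ;;   # blank line or commented-out option
            batch)
                has_batch=1
                echo "BATCH set for every invocation; scripts can pass --batch" ;;
            pinentry-mode)
                if [ "$arg" = loopback ]; then
                    has_loopback=1
                    echo "LOOPBACK pinentry is bypassed for every invocation"
                fi ;;
            expert)
                echo "EXPERT only needed when creating or adding keys" ;;
            passphrase-file)
                has_file=1
                case $arg in
                    "$home"/*) echo "PASSFILE_COLOCATED $arg" ;;
                    *)         echo "PASSFILE $arg" ;;
                esac ;;
        esac
    done <"$conf"
    # loopback routes the passphrase request back to gpg and batch forbids
    # gpg from prompting, so without a passphrase-file nothing can supply it.
    if [ "$has_batch$has_loopback$has_file" = 110 ]; then
        echo "NO_PASSPHRASE_SOURCE batch + loopback without passphrase-file"
    fi
}

# Constructed sample: the gpg.conf posted in the thread, with the
# passphrase-file line active and pointing into the same directory.
demo() {
    dir=$(cd "$(mktemp -d)" && pwd) || return 1
    printf '%s\n' batch 'pinentry-mode loopback' require-secmem no-greeting \
        expert "passphrase-file $dir/output.png" >"$dir/gpg.conf"
    audit_gpg_conf "$dir/gpg.conf"
    rm -rf "$dir"
}

demo
```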





Re: Newbie question.

2020-07-13 Thread Ayoub Misherghi via Gnupg-users



Thanks. This exposes to me how little I know and it will take me time to
absorb it. None of this information is in anything I read. Nothing comes
close. I will not come to grips with it with the kind of reading
material I have. Can you please suggest some good tutorial and reference
material preferably free (probably mutually exclusive requirements) that
will bring me up to your level or close to it please.

The material I come across is just like silly preschool stuff with 1/4
truth which keeps you ill informed and misinformed and throws you off
track. They oversimplify and drain education out of you making you a zombie.

Thanks,

Ayoub

On 7/12/2020 9:15 AM, Peter Lebbing wrote:

> On 12/07/2020 17:45, Ayoub Misherghi wrote:
>> Sorry for going off list and messing everybody up. Now I deserve
>> punishment.
>
> Heh :-). It's just that if I reply off-list, it only helps you, but if
> it is on-list, other people can find it in a search engine when they're
> facing something similar.
>
> On 11/07/2020 21:07, Ayoub Misherghi wrote:
>> My current intended usage is in non-interactive mode, completely.
>> I can remove them from the gpg.conf but I would have to issue them
>> every time. My understanding is that non-interactive mode requires
>> those commands.
>
> Well, in that case, you should supply --no-batch when you're using it
> interactively; I'll show why further down.
>
> My personal choice would be to have my scripts and programs supply the
> --batch on invocation rather than put it in the config file, because you
> only need to write that command invocation in the script once (as you're
> writing the script), whereas you'll be writing the --no-batch every time
> you /do/ use it from an interactive shell.
>
>> I selected "expert" mode because I am using ED25519 encryption that is
>> available only in this mode (I know, I am newbie)
>
> You only need the --expert on commands creating or adding keys for that.
> Once you have the key, you no longer need --expert to just use it.
>
>> All the config lines I showed are in my user config.
>> A few days ago, my set up, which is still in development phase,
>> worked until my short lived gpg keys expired. I fell in deep * when
>> I created new keys. It all worked, with the passphrase-file option and
>> without, before I fell. Can you pull this dumb newbie out?
>
> I think the combination that worked might have been
>
> --8<---cut here---start->8---
> pinentry-mode loopback
> passphrase-file /home/ayoub/.gnupg/output.png
> --8<---cut here---end--->8---
>
> but once you commented out the passphrase-file entry, GnuPG had no way
> to get the passphrase. Normally you should use the pinentry (so comment
> out the pinentry-mode line as well), but you force it to use the
> loopback pinentry-mode. gpg _could_ ask for your passphrase that way.
> But, you also specify --batch. --batch tells GnuPG that the human is
> currently unavailable and it needn't bother trying to interact with it.
> So it has no way to get the passphrase and gives up.
>
> It will ask you for the passphrase when you comment out --batch, but I
> recommend also commenting out the --pinentry-mode line so it'll just
> launch a pinentry like it wants to do.
>
> Now about this configuration:
>
> --8<---cut here---start->8---
> pinentry-mode loopback
> passphrase-file /home/ayoub/.gnupg/output.png
> --8<---cut here---end--->8---
>
> If this file is stored with the same access conditions as
> ~/.gnupg/private-keys-v1.d/, it serves no good purpose. You should then
> just use a key without a passphrase. With a key without a passphrase, an
> attacker would just need the file
>
> ~/.gnupg/private-keys-v1.d/[...].key
>
> and they're good to go. With your passphrase-file, they need two files:
>
> ~/.gnupg/private-keys-v1.d/[...].key
> ~/.gnupg/output.png
>
> and once again they're good to go, they have your private key. Why would
> it be more difficult to get a hold of two files rather than one? Just
> drop the passphrase, and all your problems magically disappear :-).
>
> But given its name, I suppose output.png is generated by some unlocking
> process. Suppose you did it like this before:
>
> $ my-unlocker >~/.gnupg/output.png
>
> You can actually unlock keys the way GnuPG intends to do that with:
>
> $ my-unlocker | /usr/lib/gnupg/gpg-preset-passphrase --preset
>
> You can find the keygrip for your keys with:
>
> $ gpg --with-keygrip --list-secret-keys
>
> You do need it for every subkey you want to use like this separately,
> and also, it does not verify whether the passphrase was correct. Also,
> put
>
> allow-preset-passphrase
> max-cache-ttl
>
> in ~/.gnupg/gpg-agent.conf
>
> and issue
>
> $ gpgconf --kill gpg-agent
>
> to reload.  is how long you want the passphrase to stay
> available after gpg-preset-passphrase, and it defaults to a mere 2
> hours. You could set it to 4294967295 to specify a lifetime of 136
> years, i.e., infinitely for all practical purposes.
>
> Watch out that my-unlocker doesn't leak the passphrase in any way. I
> tho

Have gpg-preset-passphrase always required a keygrip? (was: Newbie question.)

2020-07-13 Thread Dmitry Alexandrov
Peter Lebbing  wrote:
> You can actually unlock keys the way GnuPG intends to do that with:
>
> $ my-unlocker | /usr/lib/gnupg/gpg-preset-passphrase --preset 
>
> You can find the keygrip for your keys with:
>
> $ gpg --with-keygrip --list-secret-keys
>
> You do need it for every subkey you want to use like this separately,

Hm...

Did not gpg-preset-passphrase(1) work perfectly on any NAMEs (IDs, UIDs) as
well some time ago?  Or is that me, who have some false memories?



Re: Newbie question.

2020-07-12 Thread Peter Lebbing
On 12/07/2020 17:45, Ayoub Misherghi wrote:
> Sorry for going off list and messing everybody up. Now I deserve
> punishment.

Heh :-). It's just that if I reply off-list, it only helps you, but if
it is on-list, other people can find it in a search engine when they're
facing something similar.

On 11/07/2020 21:07, Ayoub Misherghi wrote:
> My current intended usage is in non-interactive mode, completely.
> I can remove them from the gpg.conf but I would have to issue them
> every time. My understanding is that non-interactive mode requires
> those commands.

Well, in that case, you should supply --no-batch when you're using it
interactively; I'll show why further down.

My personal choice would be to have my scripts and programs supply the
--batch on invocation rather than put it in the config file, because you
only need to write that command invocation in the script once (as you're
writing the script), whereas you'll be writing the --no-batch every time
you /do/ use it from an interactive shell.

> I selected "expert" mode because I am using ED25519 encryption that is
> available only in this mode (I know, I am newbie)

You only need the --expert on commands creating or adding keys for that.
Once you have the key, you no longer need --expert to just use it.

> All the config lines I showed are in my user config.
> A few days ago, my set up, which is still in development phase,
> worked until my short lived gpg keys expired. I fell in deep * when
> I created new keys. It all worked, with the passphrase-file option and
> without, before I fell. Can you pull this dumb newbie out?

I think the combination that worked might have been

--8<---cut here---start->8---
pinentry-mode loopback
passphrase-file /home/ayoub/.gnupg/output.png
--8<---cut here---end--->8---

but once you commented out the passphrase-file entry, GnuPG had no way
to get the passphrase. Normally you should use the pinentry (so comment
out the pinentry-mode line as well), but you force it to use the
loopback pinentry-mode. gpg _could_ ask for your passphrase that way.
But, you also specify --batch. --batch tells GnuPG that the human is
currently unavailable and it needn't bother trying to interact with it.
So it has no way to get the passphrase and gives up.

It will ask you for the passphrase when you comment out --batch, but I
recommend also commenting out the --pinentry-mode line so it'll just
launch a pinentry like it wants to do.

Now about this configuration:

--8<---cut here---start->8---
pinentry-mode loopback
passphrase-file /home/ayoub/.gnupg/output.png
--8<---cut here---end--->8---

If this file is stored with the same access conditions as
~/.gnupg/private-keys-v1.d/, it serves no good purpose. You should then
just use a key without a passphrase. With a key without a passphrase, an
attacker would just need the file

~/.gnupg/private-keys-v1.d/[...].key

and they're good to go. With your passphrase-file, they need two files:

~/.gnupg/private-keys-v1.d/[...].key
~/.gnupg/output.png

and once again they're good to go, they have your private key. Why would
it be more difficult to get a hold of two files rather than one? Just
drop the passphrase, and all your problems magically disappear :-).

But given its name, I suppose output.png is generated by some unlocking
process. Suppose you did it like this before:

$ my-unlocker >~/.gnupg/output.png

You can actually unlock keys the way GnuPG intends to do that with:

$ my-unlocker | /usr/lib/gnupg/gpg-preset-passphrase --preset 

You can find the keygrip for your keys with:

$ gpg --with-keygrip --list-secret-keys 

You do need it for every subkey you want to use like this separately,
and also, it does not verify whether the passphrase was correct. Also,
put

allow-preset-passphrase
max-cache-ttl 

in ~/.gnupg/gpg-agent.conf

and issue

$ gpgconf --kill gpg-agent

to reload.  is how long you want the passphrase to stay
available after gpg-preset-passphrase, and it defaults to a mere 2
hours. You could set it to 4294967295 to specify a lifetime of 136
years, i.e., infinitely for all practical purposes.

Watch out that my-unlocker doesn't leak the passphrase in any way. I
thought it was unhelpful that you can't use the pinentry with
gpg-preset-passphrase and I proposed a hack more than two years ago:

https://lists.gnupg.org/pipermail/gnupg-users/2018-February/059917.html

It's pretty hacky, but it does seem to work.

You could actually just unlock your key by using it once when you start
up your system, and then use the caching feature to keep it available
for non-interactive use for the rest of the time. Then you don't use
gpg-preset-passphrase, but put, e.g., this in your gpg-agent.conf

default-cache-ttl 4294967295
max-cache-ttl 4294967295

and unlock your key by doing one decryption:

$ echo Open Sesame | gpg -r develop1 -e | gpg -d

This wil
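
An added example, not part of the original post: the post says gpg-preset-passphrase must be run for every (sub)key separately and needs allow-preset-passphrase in gpg-agent.conf, so this sketch checks the option and presets one passphrase for each keygrip taken from the colon-format listing. The sample listing is constructed, and the names `list_keygrips`, `agent_allows_preset`, `preset_all` and `GPG_PRESET_BIN` are hypothetical.

```shell
#!/bin/sh
# Constructed sample of
#   gpg --with-colons --with-keygrip --list-secret-keys
# Key IDs, fingerprints and keygrips below are made up.
SAMPLE_GRIP_SEC=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SAMPLE_GRIP_ENC=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
SAMPLE_COLONS="sec:u:255:22:A1A1A1A1A1A1A1A1:1594252800:1625788800::u:::scESC:::+:::ed25519:::0:
fpr:::::::::1111111111111111111111111111111111111111:
grp:::::::::${SAMPLE_GRIP_SEC}:
uid:u::::1594252800::0000000000000000000000000000000000000000::develop1::::::::::0:
ssb:u:255:18:B2B2B2B2B2B2B2B2:1594252800:1625788800:::::e:::+:::cv25519::
fpr:::::::::2222222222222222222222222222222222222222:
grp:::::::::${SAMPLE_GRIP_ENC}:"

# Read a colon-format secret key listing on stdin and print one line per key:
#   <sec|ssb> <key id> <keygrip>
# Optional $1 is a lowercase capability letter (s, c, e or a); only keys whose
# own capabilities (field 12, lowercase letters) include it are printed.
list_keygrips() {
    awk -F: -v cap="${1:-}" '
        $1 == "sec" || $1 == "ssb" {
            kind = $1; keyid = $5
            want = (cap == "" || index($12, cap) > 0)
            next
        }
        $1 == "grp" && kind != "" {      # keygrip is field 10 of the grp record
            if (want) print kind, keyid, $10
            kind = ""
        }
    '
}

# Succeeds only if allow-preset-passphrase is present and not commented out
# in the gpg-agent.conf given as $1.
agent_allows_preset() {
    grep -Eq '^[[:space:]]*allow-preset-passphrase[[:space:]]*$' "$1" 2>/dev/null
}

# Usage: my-unlocker | sh this-script preset <user-id> [capability]
# Reads the passphrase once from stdin and presets it for every matching keygrip.
# gpg-preset-passphrase does not check that the passphrase is correct.
preset_all() {
    user_id=$1
    cap=${2:-}
    conf="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
    preset_bin=${GPG_PRESET_BIN:-/usr/lib/gnupg/gpg-preset-passphrase}

    if ! agent_allows_preset "$conf"; then
        echo "allow-preset-passphrase is not set in $conf" >&2
        return 1
    fi

    # Accept a passphrase with or without a trailing newline.
    IFS= read -r passphrase || [ -n "$passphrase" ] || return 1

    grips=$(gpg --batch --with-colons --with-keygrip --list-secret-keys "$user_id" |
            list_keygrips "$cap" | awk '{ print $3 }')
    [ -n "$grips" ] || { echo "no matching secret keys for $user_id" >&2; return 1; }

    for grip in $grips; do
        # printf is a shell builtin, so the passphrase never appears in argv.
        printf '%s\n' "$passphrase" | "$preset_bin" --preset "$grip" || return 1
    done
}

if [ "${1:-}" = "preset" ]; then
    shift
    preset_all "$@"
fi
```

Passing `e` as the second argument presets only the encryption subkey, which is all a decrypt-only batch job needs.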

Re: Newbie question.

2020-07-11 Thread Peter Lebbing
Hi,

On 11/07/2020 19:58, Ayoub Misherghi wrote:
> ayoub@vboxpwfl:~/sentry/trunk$ cat ~/.gnupg/gpg.conf
> batch
> pinentry-mode loopback

Ah yes. Those two options have no place in your gpg.conf. They are
options that you might want to specify as part of the command line on
occasion, but unless you have a very unusual setup they should not be
there. You should remove both. The pinentry-mode is probably what is
preventing you being asked for the passphrase.

> expert

I'd recommend dropping this as well.

> #--passphrase-file file
> #passphrase-file /home/ayoub/.gnupg/output.png

These commented out lines are probably why the pinentry-mode line was
there in the first place. Do you know why these lines, both the
uncommented and the commented ones, are in your gpg.conf?

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 




Re: Newbie question.

2020-07-11 Thread Peter Lebbing
Hi!

On 10/07/2020 23:47, Ayoub Misherghi via Gnupg-users wrote:
> ayoub@vboxpwfl:~/testdir$ gpg --list-secret-keys

Could you do

$ gpg --with-subkey-fingerprint --list-secret-keys

and

$ gpg --version

please?

And do you get a popup asking for your passphrase or is what you post
all the interaction that you get? If that is where the problem lies,
it's good to know your operating system/distribution, your desktop
environment, and stuff like that.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 




Newbie question.

2020-07-11 Thread Ayoub Misherghi via Gnupg-users

  
  
What am I doing wrong:


ayoub@vboxpwfl:~/testdir$ ls
textfile
ayoub@vboxpwfl:~/testdir$ gpg -r develop1 -o textfile.gpg -e textfile
ayoub@vboxpwfl:~/testdir$ ls
textfile  textfile.gpg
ayoub@vboxpwfl:~/testdir$ gpg -u develop1 -o textfile.dcr -d textfile.gpg
gpg: encrypted with 256-bit ECDH key, ID 367BD2210D4E904D, created 2020-07-09
      "develop1"
gpg: public key decryption failed: End of file
gpg: decryption failed: No secret key
ayoub@vboxpwfl:~/testdir$ gpg --list-keys
/home/ayoub/.gnupg/pubring.kbx
--
pub   ed25519 2020-07-09 [SC] [expires: 2020-07-19]
      3C5B212A55B966881E2D2718A45398B520BEE91E
uid   [ultimate] sentry
sub   cv25519 2020-07-09 [E] [expires: 2020-07-19]

pub   ed25519 2020-07-09 [SC] [expires: 2021-07-09]
      7A675D7F52BC905C22F8249091556BC29D4C595E
uid   [ultimate] develop1
sub   cv25519 2020-07-09 [E] [expires: 2021-07-09]

ayoub@vboxpwfl:~/testdir$ gpg --list-secret-keys
/home/ayoub/.gnupg/pubring.kbx
--
sec   ed25519 2020-07-09 [SC] [expires: 2020-07-19]
      3C5B212A55B966881E2D2718A45398B520BEE91E
uid   [ultimate] sentry
ssb   cv25519 2020-07-09 [E] [expires: 2020-07-19]

sec   ed25519 2020-07-09 [SC] [expires: 2021-07-09]
      7A675D7F52BC905C22F8249091556BC29D4C595E
uid   [ultimate] develop1
ssb   cv25519 2020-07-09 [E] [expires: 2021-07-09]

ayoub@vboxpwfl:~/testdir$
  

  



Re: Newbie Question about initialization

2018-11-23 Thread Werner Koch
On Fri, 23 Nov 2018 15:18, gnupg-users@gnupg.org said:

> gcry_version_check(1.8.4)

gcry_check_version requires a string with the version number or NULL.
Thus

--8<---cut here---start->8---
  const char *s;
  /* Returns the library's version string, or NULL if it is older than requested. */
  if ((s = gcry_check_version ("1.8.4")))
    printf ("Version of Libgcrypt okay; got version=%s\n", s);
--8<---cut here---end--->8---

You can use NULL if you only want to initialize the library or to get
the version number.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Newbie Question about initialization

2018-11-23 Thread Ahmad Bilal via Gnupg-users
Hi,

can anyone tell me the syntax of the gcry_cry_version function? Does it work in 
this way:

gcry_version_check(1.8.4)

??

Sent from ProtonMail mobile


Re: Newbie Question: Creating a Key Server using GNUPG tools

2017-08-27 Thread Mario Castelán Castro
On 27/08/17 04:40, arznix via Gnupg-users wrote:
> I am developing a closed mesh network application where
> I want to encrypt the traffic using PGP. The local network
> will have no access to the greater worldwide web so it
> will not be able to access existing trusted Key Servers.

If it is an isolated network, it is a small network. Maybe it will be
more convenient to simply export all the keys the ordinary way (“gpg
--export KEY1 KEY2 ... KEYn”) and distribute that through the network.

> Any links to sample code would also be great. The system is being developed with
> Linux as the operating system for the servers attached to the mesh network.

Linux is a kernel. You mean the GNU/Linux operating system.

-- 
Do not eat animals, respect them as you respect people.
https://duckduckgo.com/?q=how+to+(become+OR+eat)+vegan





Re: Newbie Question: Creating a Key Server using GNUPG tools

2017-08-27 Thread Robert J. Hansen
> It is unclear from the documentation for GNUPG and some of the supporting
> writeups on other websites whether I can create a Key Server for the local
> network that will generate public and private key pairs.

This doesn't sound like any keyserver I've heard of.  Normally
keyservers only store copies of keys people give them, not create
keypairs themselves.  (Or perhaps you meant "that will generate public
and private key pairs" to attach to the clause "the network", not "the
Key Server"?)

> Can anyone clarify whether it is possible to create a local Key Server using
> the GNUPG tools?

Not as you intend, no.



Re: Newbie Question: Creating a Key Server using GNUPG tools

2017-08-27 Thread Damien Goutte-Gattat

Hi,

On 08/27/2017 11:40 AM, arznix via Gnupg-users wrote:

> Can anyone clarify whether it is possible to create a local Key Server using the
> GNUPG tools?


Not with GnuPG itself. The GnuPG project does not provide a keyserver 
software.


Most keyservers out there are powered by a software called SKS 
(Synchronizing Key Server) [1,2].


For a local network, a LDAP-based keyserver may also be considered. The 
GnuPG wiki has a page on how to setup such a server [3].


Finally, with GnuPG modern (>= 2.1) you may choose to setup a Web Key 
Directory. This is a recently introduced approach to key distribution, 
for which GnuPG provides some tools and documentation [4,5].


Hope that helps,

Damien

[1] https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Home
[2] https://keyserver.mattrude.com/guides/building-server/
[3] https://wiki.gnupg.org/LDAPKeyserver
[4] https://gnupg.org/blog/20160830-web-key-service.html
[5] https://gnupg.org/blog/20161027-hosting-a-web-key-directory.html





Newbie Question: Creating a Key Server using GNUPG tools

2017-08-27 Thread arznix via Gnupg-users
Hi,

This is a total newbie question as I have just discovered GNUPG.

I am developing a closed mesh network application where
I want to encrypt the traffic using PGP. The local network
will have no access to the greater worldwide web so it
will not be able to access existing trusted Key Servers.

It is unclear from the documentation for GNUPG and some of the supporting
writeups on other websites whether I can create a Key Server for the local
network that will generate public and private key pairs.

It looks like there is a server mode you can put the process in but it is
unclear what services that gives you access to.

Can anyone clarify whether it is possible to create a local Key Server using the
GNUPG tools?

Any links to sample code would also be great. The system is being developed with
Linux as the operating system for the servers attached to the mesh network.




Re: Newbie question on GPG and PHP running from a webpage

2013-11-05 Thread Paul R. Ramer
"Griffin Cheng [CLIB]"  wrote:
>Hello,
>
>I am new to GPG, especially writing programs to decrypt stuff.  Is this
>the right mailing list to ask?


gnupg-users is for most discussions and gnupg-devel is for 
programming/development specific questions.  HTH.

Cheers,

--Paul
--
PGP: 3DB6D884



Newbie question on GPG and PHP running from a webpage

2013-11-05 Thread Griffin Cheng [CLIB]
Hello,

I am new to GPG, especially writing programs to decrypt stuff.  Is this the 
right mailing list to ask?


Regards,


Griffin CHENG.




Re: Newbie question: Where do I put my trusted key?

2009-10-31 Thread Benjamin Donnachie
2009/10/31 Charly Avital :
> Please check the MacGPG2 Project at:
> 
> The current installer for MacGPG2 2.0.12 is available. It will install a
> Mac native pinentry application.

An updated version for v2.0.13 will be available in a few days (work
and broken SAN permitting).

Ben



Re: Newbie question: Where do I put my trusted key?

2009-10-31 Thread Charly Avital
laredotornado wrote the following on 10/28/09 12:56 PM:


> What is also odd is that I'm told, "gpg: gpg-agent is not available in this
> session" but I just installed the agent.  Any help in troubleshooting is
> appreciated, - Dave
> 

Dave,

I'm afraid the key words in your e-mail are '/opt/local/bin/gpg'.
They suggest that you have installed gpg2 via Darwin Ports.

If it is so, Darwin Ports install a version of gpg-agent and pinentry
(required by gpg-agent) that are not compatible with MacOSX.

Please check the MacGPG2 Project at:

The current installer for MacGPG2 2.0.12 is available. It will install a
Mac native pinentry application.

Charly
MacOSX 10.6.1 32bits MacBook5,1 - 0xA57A8EFA Gnupg 1.4.10 - MacGPG2
2.0.13 (testing) -  Running Enigmail version 0.97b (20091027-0956) with
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.4pre)
Gecko/20090915 Thunderbird/3.0b4





Newbie question: Where do I put my trusted key?

2009-10-31 Thread laredotornado

Hi,

I'm new to gpg and I just installed gpg and gpg-agent for Mac OS 10.5.6. 
Whenever I run the gpg command, I'm prompted for the passphrase.  Is there
any way to skip that if I am running the command as a particular user for a
particular key?  Here is an example interaction below ...


ocho:~ dalvarado$ /opt/local/bin/gpg --trust-model always --sign --force-mdc
-e -a --homedir /Users/dalvarado/.gnupg --recipient 23AC19FF

You need a passphrase to unlock the secret key for
user: "Dave Alvarado "
2048-bit RSA key, ID A34ED8DD, created 2009-09-30

gpg: gpg-agent is not available in this session
Enter passphrase:


What is also odd is that I'm told, "gpg: gpg-agent is not available in this
session" but I just installed the agent.  Any help in troubleshooting is
appreciated, - Dave



Re: FW from PGP-Basis: newbie question about bad keys

2009-02-17 Thread Werner Koch
On Mon, 16 Feb 2009 22:45, kloec...@kde.org said:

> What if the signing key is expired or has been revoked?

Unless you use "--list-options show-unusable-uids" those signatures are
not shown.


Salam-Shalom,

   Werner


-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: FW from PGP-Basis: newbie question about bad keys

2009-02-16 Thread Ingo Klöcker
On Monday 16 February 2009, Werner Koch wrote:
> On Mon, 16 Feb 2009 18:48, faramir...@gmail.com said:
> >> The "signatures not checked" seems pretty self explanatory.  What
> >> does the bad signatures mean?
>
> The signed data does not match the signature.  That is the signed
> data or the signature has been modified or the signature was not
> correctly created initially.

What if the signing key is expired or has been revoked?


Regards,
Ingo




Re: FW from PGP-Basis: newbie question about bad keys

2009-02-16 Thread Werner Koch
On Mon, 16 Feb 2009 18:48, faramir...@gmail.com said:

>> The "signatures not checked" seems pretty self explanatory.  What does
>> the bad signatures mean?

The signed data does not match the signature.  That is the signed data
or the signature has been modified or the signature was not correctly
created initially.

> 2 firmas no comprobadas por errores
> (2 signatures not checked due to errors).

All kind of error, like out of memory or file read error.  But most
likely it is bad signature class or a corrupted keyblock (signatures
swapped).


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: FW from PGP-Basis: newbie question about bad keys

2009-02-16 Thread David Shaw
On Mon, Feb 16, 2009 at 02:48:11PM -0300, Faramir wrote:
> paramouse wrote:
> > I am new to using GnuPG and hoping this is the correct place to post
> > questions.
> > 
> > For practice, I imported some public keys to my keyring.  I ran a
> > 
> > gpg --check-sig
> > 
> > After listing the signatures of the public keys I've imported, there's
> > the statement:
> > 
> > 46 bad signatures
> > 5133 signatures not checked due to missing keys
> > 
> > The "signatures not checked" seems pretty self explanatory.  What does
> > the bad signatures mean?
> 
>   Since I never saw an answer about the meaning of those bad signatures,
> I am forwarding the question to GnuPG-Users list...
> 
>   I ran that command too, and got:
> 
> 186 firmas incorrectas
> (186 bad signatures)
> 19112 firmas no comprobadas por falta de clave
> (19112 signatures not checked due to missing keys)
> 2 firmas no comprobadas por errores
> (2 signatures not checked due to errors).
> 
>   What kind of errors could it be?

"signatures not checked" means just what you guessed - the keys aren't
there, so GPG couldn't check them.

"bad signatures" means the signature was checked, but it turned out to
be invalid.

"not checked due to errors" is a grab bag for everything else.  A
common reason for something to show up in this group is a timestamp
conflict (for example, the signature is older than the key that issued
it).  When you do a --check-sig, some sigs are tagged with "sig%".
Look for those and you can usually read the reason for the error.

David
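
An added example, not part of the original post: the three summary categories discussed above can be attributed to individual signatures by reading `gpg --check-sigs --with-colons`, where field 2 of each sig record holds the check result (`!` good, `-` bad, `?` no public key, `%` other error). The sample listing and its key IDs are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `gpg --check-sigs --with-colons` output.
SAMPLE_CHECK_SIGS='pub:u:2048:1:A1A1A1A1A1A1A1A1:1230768000:::u:::scESC:
uid:u::::1230768000::::Alice (constructed) <alice@example.org>:
sig:!::1:A1A1A1A1A1A1A1A1:1230768000::::Alice (constructed) <alice@example.org>:13x:
sig:-::1:B2B2B2B2B2B2B2B2:1230854400::::Bob (constructed) <bob@example.org>:10x:
sig:?::17:C3C3C3C3C3C3C3C3:1230940800::::[User ID not found]:10x:
sig:%::1:D4D4D4D4D4D4D4D4:1199145600::::Dan (constructed) <dan@example.org>:10x:
pub:f:2048:1:E5E5E5E5E5E5E5E5:1233446400:::-:::scESC:
uid:f::::1233446400::::Eve (constructed) <eve@example.org>:
sig:!::1:E5E5E5E5E5E5E5E5:1233446400::::Eve (constructed) <eve@example.org>:13x:
sig:?::17:C3C3C3C3C3C3C3C3:1233532800::::[User ID not found]:10x:'

# Read colon-format --check-sigs output on stdin and print one line for every
# signature that did not verify:
#   <bad|missing-key|error> <key the signature is on> <issuer key id>
sig_problems() {
    awk -F: '
        $1 == "pub" { key = $5 }
        ($1 == "sig" || $1 == "rev") && $2 != "" && $2 != "!" {
            if ($2 == "-")      what = "bad"
            else if ($2 == "?") what = "missing-key"
            else if ($2 == "%") what = "error"
            else                what = "unknown"
            print what, key, $5
        }
    '
}

# Same input; print the totals that gpg shows at the end of --check-sigs.
sig_summary() {
    sig_problems | awk '
        { n[$1]++ }
        END { printf "bad=%d missing-key=%d error=%d\n",
                     n["bad"], n["missing-key"], n["error"] }
    '
}

# Run against the real keyring only when asked to.
if [ "${1:-}" = "run" ]; then
    gpg --batch --check-sigs --with-colons 2>/dev/null | sig_problems
fi
```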



FW from PGP-Basis: newbie question about bad keys

2009-02-16 Thread Faramir
paramouse wrote:
> I am new to using GnuPG and hoping this is the correct place to post
> questions.
> 
> For practice, I imported some public keys to my keyring.  I ran a
> 
> gpg --check-sig
> 
> After listing the signatures of the public keys I've imported, there's
> the statement:
> 
> 46 bad signatures
> 5133 signatures not checked due to missing keys
> 
> The "signatures not checked" seems pretty self explanatory.  What does
> the bad signatures mean?

  Since I never saw an answer about the meaning of those bad signatures,
I am forwarding the question to GnuPG-Users list...

  I ran that command too, and got:

186 firmas incorrectas
(186 bad signatures)
19112 firmas no comprobadas por falta de clave
(19112 signatures not checked due to missing keys)
2 firmas no comprobadas por errores
(2 signatures not checked due to errors).

  What kind of errors could it be?

  Best Regards



Newbie question

2007-11-29 Thread Todd Hesla
I am a newbie to GnuPG, and am using gpg-agent so that I only need to enter
my passphrase once.  If I decrypt a file (which I encrypted to myself), I am
of course asked to enter my passphrase.  If I decrypt it a second time,
gpg-agent supplies my passphrase from its cache.  However, gpg2 still displays
the passphrase prompt-message in the terminal:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$$ ll test*
-rw-rw-r-- 1 todd todd   6 2007-11-20 15:14 test
$$ cat test
Test.
$$ gpg2 -e test
$$ ll test*
-rw-rw-r-- 1 todd todd   6 2007-11-20 15:14 test
-rw-rw-r-- 1 todd todd 599 2007-11-20 16:26 test.gpg
$$ gpg2 -d test.gpg

You need a passphrase to unlock the secret key for
user: "Todd Hesla (General) <[EMAIL PROTECTED]>"
2048-bit ELG key, ID 1C0B50A0, created 2007-11-20 (main key ID 65A3115F)

Test.
$$ 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

How can I get rid of this prompt-message?  Apparently, it is not sufficient
to just re-direct standard output and standard error to "/dev/null":

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$$ gpg2 -d test.gpg &>/dev/null

You need a passphrase to unlock the secret key for
user: "Todd Hesla (General) <[EMAIL PROTECTED]>"
2048-bit ELG key, ID 1C0B50A0, created 2007-11-20 (main key ID 65A3115F)

$$ 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Any tips on how to eliminate this prompt-message (when I decrypt the file
the second time) will be very much appreciated.

Thank you.

-- 
Todd Hesla
Department of Aerospace Engineering and Mechanics
University of Minnesota
Minneapolis, Minnesota
USA



Re: Newbie question

2007-02-18 Thread NikNot
I used libTomCrypt (cf.: http://libtom.org/) to implement something
similar. The data viewer executable contains (somewhat concealed)
private key, and data sets are encrypted using the public key of the
pair. (LibTomCrypt is much more flexible and easier to program against
than Libgcrypt when you are building your own applications that have
nothing to do with PGP). Piping data through GPG is not a solution that
our users would appreciate.

NikNot

On 2/9/07, Werner Koch <[EMAIL PROTECTED]> wrote:
> On Fri,  9 Feb 2007 12:01, [EMAIL PROTECTED] said:
>
> > - Does libcrypt do the job? I guess so...
>
> No.  Libgcrypt provides basic building blocks but has no support for
> any specific protocol.
>
> > - The CAD data may contain a fixed header, so an attacker knowing
> >   the header might use this info to easily get the private key?
>
> It all depends on the protocol used.  Getting the protocol right is
> not easy and thus the best advice I can give is to use an established
> protocol like OpenPGP or CMS (pkcs#7)
>
> For your application I would simply use a different file suffix or a
> special MIME type and pipe the data through gpg while reading.
>
>
> Salam-Shalom,
>
>Werner


Re: public keys newbie question

2007-02-12 Thread Jim McQueeney
Bruce Cowin wrote:
> As I understand it, people only need my public key if they are going to 
> encrypt a file for me.  If I will only be sending them encrypted files, then 
> I need their public key but they don't need mine.  Is this correct?
> 
> Thanks.
> 
> 
> 
> Regards,
> 
> Bruce
> 
>

Not quite; If you sign your messages, the recipient will need your public key
to verify the signature...

-- 
* Jim McQueeney <[EMAIL PROTECTED]> **
* Jim McQueeney <[EMAIL PROTECTED]> *
*** OpenPGP ** DH: 0x22768E06 
* Keys *** DH: 0x41B6F689 




Re: public keys newbie question

2007-02-12 Thread Thorsten Haude
Hi,

* Bruce Cowin wrote (2007-02-13 08:06):
>As I understand it, people only need my public key if they are going to 
>encrypt a file for me.  If I will only be sending them encrypted files, then I 
>need their public key but they don't need mine.  Is this correct?

Yup.

They will also need your public key to verify stuff you signed.


Thorsten
-- 
Every person shall have the right freely to inform himself
without hindrance from generally accessible sources.
- German Grundgesetz, Article 5, Sec. 1




public keys newbie question

2007-02-12 Thread Bruce Cowin
As I understand it, people only need my public key if they are going to encrypt 
a file for me.  If I will only be sending them encrypted files, then I need 
their public key but they don't need mine.  Is this correct?

Thanks.



Regards,

Bruce



Re: Newbie question

2007-02-09 Thread Werner Koch
On Fri,  9 Feb 2007 12:01, [EMAIL PROTECTED] said:

> - Does libcrypt do the job? I guess so...

No.  Libgcrypt provides basic building blocks but has no support for
any specific protocol.

> - The CAD data may contain a fixed header, so an attacker knowing
>   the header might use this info to easily get the private key?

It all depends on the protocol used.  Getting the protocol right is
not easy and thus the best advice I can give is to use an established
protocol like OpenPGP or CMS (pkcs#7)

For your application I would simply use a different file suffix or a
special MIME type and pipe the data through gpg while reading.


Salam-Shalom,

   Werner




Re: Newbie question

2007-02-09 Thread Hans Ekbrand
On Fri, Feb 09, 2007 at 11:36:35AM +0100, Antonio Bleile wrote:
> Hi Sven,
> 
> > Hi!
> > 
> > Private/Public key does not buy you much in this case if all 
> > you want is to obfuscate the file contents.
> > Just use some AES implementation with the same symmetric key 
> > on the server and the client.
> > 
> > Despite you seem to be aware of it, let me stress again:
> > It cannot possibly be secure if the decryption key is stored 
> > alongside with the encrypted data (which is why I chose the
> > word "obfuscate" above).
> 
> Mh... That means I've missed something really fundamental...
> When you send an encrypted mail you send the encrypted
> data and the receiver at some point has both, the public
> key and your encrypted mail.

The receiver has the *private* key. The sender encrypts with the
*public* key.

-- 
Hans Ekbrand (http://sociologi.cjb.net) <[EMAIL PROTECTED]>
Q. What is that strange attachment in this mail?
A. My digital signature, see www.gnupg.org for info on how you could
   use it to ensure that this mail is from me and has not been
   altered on the way to you.




RE: Newbie question

2007-02-09 Thread Antonio Bleile
 Hi,


> On Fri,  9 Feb 2007 11:36, [EMAIL PROTECTED] said:
> 
> > Mh... That means I've missed something really fundamental...
> > When you send an encrypted mail you send the encrypted data and the 
> > receiver at some point has both, the public key and your encrypted 
> > mail. Else, how should he read your mail? Am I totally wrong?
> 
> It is the way around.  You use the *public* key to *en*crypt 
> to the recipient.  The recipient uses his *private* key to *de*crypt.
> 
> Of course you could include a private key in a viewer 
> software so that anyone can encrypt files for use by this 
> viewer.  I think that is what you had in mind.

Exactly. I interchanged the terms. Weird. Shouldn't public
be "public"??? Thank you for clearing this up. There are
the other two questions still open ;) :

- Does libcrypt do the job? I guess so...
- The CAD data may contain a fixed header, so an attacker knowing
  the header might use this info to easily get the private key?

Thanks and Salam,

 Toni




Re: Newbie question

2007-02-09 Thread Werner Koch
On Fri,  9 Feb 2007 11:36, [EMAIL PROTECTED] said:

> Mh... That means I've missed something really fundamental...
> When you send an encrypted mail you send the encrypted
> data and the receiver at some point has both, the public
> key and your encrypted mail. Else, how should he read your 
> mail? Am I totally wrong? 

It is the way around.  You use the *public* key to *en*crypt to the
recipient.  The recipient uses his *private* key to *de*crypt.

Of course you could include a private key in a viewer software so that
anyone can encrypt files for use by this viewer.  I think that is what
you had in mind.



Salam-Shalom,

   Werner




RE: Newbie question

2007-02-09 Thread Antonio Bleile
Hi Sven,

> Hi!
> 
> Private/Public key does not buy you much in this case if all 
> you want is to obfuscate the file contents.
> Just use some AES implementation with the same symmetric key 
> on the server and the client.
> 
> Despite you seem to be aware of it, let me stress again:
> It cannot possibly be secure if the decryption key is stored 
> alongside with the encrypted data (which is why I chose the
> word "obfuscate" above).

Mh... That means I've missed something really fundamental...
When you send an encrypted mail you send the encrypted
data and the receiver at some point has both, the public
key and your encrypted mail. Else, how should he read your 
mail? Am I totally wrong? 

Bye,

  Toni




Newbie question

2007-02-09 Thread Antonio Bleile
Hi all,

I have a question concerning an "unusual" way of using gnuPG...
I don't want to encrypt emails, I just want to encrypt binary
data and deliver that over the internet. Consider the following
scenario: I have a program that gets delivered to various clients.
The program is a viewer for 3d models. The viewer can load and
display various types of input formats (e.g. CAD models). It 
can also load models directly from a URL. Now we'd like to put
some cool models on our web page but we don't want people to
disassemble the file and thus getting to the mathematic definition
of a CAD model (people giving you a CAD model of e.g. a brand-new
car are very concerned about their data!!!). So I thought to 
protect the data with public/private key encryption. We encrypt
the data with a private key and put the result on our server.
Our viewer contains the public key for decryption. You might
say that it's easy to get to the data anyway, you just
have to dump the memory of the program after the data has
been decrypted. But that requires some higher "criminal energy",
and I think I can live with the risk...

- So actually, my question is: Does this approach make any sense
  for you crypto-gurus out there? (Please forgive me my ignorance,
  I have just a vague memory of my cryptography lessons...).
- Does libcrypt do the job? 
- The CAD data may contain a fixed header, so an attacker knowing
  the header might use this info to easily get the private key?

Thank you and kind regards,

  Toni




Newbie question : GPgee and GPGshell etc..

2005-05-16 Thread gpg . 20 . subu


Newbie question



which one of these
- GPGshell
- WinPT
- GPGee

is better for a starter with GPG 



TIA

Subu



Kurt Fitzner - [EMAIL PROTECTED] wrote:

>In the belief that GPGee is now ready for production use, I've just
>released version 1.0.  For those who aren't familliar with it, GPGee is
>a Windows explorer shell extension.  It adds support for GnuPG to the
>right-click context menu in Windows explorer.
>
>You can download it from the GPGee home page at: http://gpgee.excelcia.org
>
>GPGee's features include:
>
>  - Sign, sign+encrypt, or encrypt multiple files at once.
>  - Verify/decrypt multiple files at once - GPGee automatically
>detects the GnuPG file type and performs the correct operation.
>  - Can configure the location of the gpg.conf, public and secret
>keyrings files.  Use GPGee with keys stored on usb flash drives.
>* - Quick-select encryption key groups.  Encrypt to multiple
>recipients quickly and easily.
>* - Visual indication of the trust level of signatures
>* - Compares expiry date of keys against the date signatures were
>produced.
>  - Context-sensitive help
>  - It's free software, just like GnuPG.  Inspect the code for yourself.
>
>* = New feature for 1.0
>




Re: Newbie question : GPgee and GPGshell etc..

2005-05-16 Thread gpg . 20 . subu


Hi


I visited the Win PT link from gnupg.org site. This link
http://www.stud.uni-hannover.de/~twoaday/winpt.html has the following 

1. http://www.stud.uni-hannover.de/~twoaday/sipfone-exe.zip  - Windows
binary

2. http://www.equipmente.de/gnupt-int.exe - graphical installer which
seems to have additional stuff + WinPt, but an older version of WinPT

3. and other links ...


Now my question 
---

- which is the most stable release of WinPT (pl. note I am a newbie) ?

- Is it preferable I have the latest release (i.e.) with all loopholes
plugged http://www.stud.uni-hannover.de/~twoaday/winpt-0.9.92-exe.zip or
have the latest stable version which might be something else

TIA




Kurt Fitzner - [EMAIL PROTECTED] wrote:

>[EMAIL PROTECTED] wrote:
>
>>which one of these
>>- GPGshell
>>- WinPT
>>- GPGee
>>
>>is better for a starter with GPG
>
>
>First of all, let's get some definitions down because it can become
>confusing.  WinPT is both an application and a group of tools.  The
>application, Windows Privacy Tray, sits in the Windows task tray and
>gives you a GnuPG interface from there.  The group of tools is the tray
>application bundled along with GnuPG itself.  This distinction will
>become important later... for now, though, when I say "WinPT" I mean the
>tray application, not the group of tools.
>



Re: Add to FAQ! Re: Newbie question : GPgee and GPGshell etc..

2005-05-15 Thread David D. Scribner
Samuel ]slund [EMAIL PROTECTED] wrote:
> Hi
> 
> This seems like a good description of Windows GUI for GnuPG.
> If I was looking for a GUI this is the information I would like to have.
> Could someone with access add it to the FAQ?
> The question could be "Does GnuPG for windows have a GUI?", possibly
> under the installation heading.
> 
> //Samuel

Hi Samuel!

There's actually a very broad list of GUI frontends, with hyperlinks to
the product's home page for the various OSes already posted on gnupg.org.
However, I
think that the mention of this would be good to include in the GnuPG FAQ
(something along the lines of "Are there GUI frontends for GnuPG?" perhaps),
and including a URL to point the reader to the Frontends page for further
information. I'll add this to my (LONG) overdue update to the FAQ. Thanks!

Even though the descriptions on the Frontends page are very minimal, it
would be very hard to keep it updated with broad or more complete
descriptions as the various products change regularly, adding or
enhancing their features, etc. It's best to let the project's home page
go into more detail about their own product, and mainly point the inquirer
to those pages instead.

If there are GUIs that are not listed that someone feels *should be*
listed, or other suggestions for the Frontends page, I'm sure the page
maintainer (Werner) would welcome them.

Thanks again for the suggestion to the FAQ!

-- 
David D. Scribner
http://www.tuxist.org
http://www.gnupg.org   -  It's your privacy. It's your right!
GnuPG/PGP: 3172 7408 58CA D9C2 F697  950F 9DDC 7AC7 91EC 5F06
 
"The nice thing about Windows is - It does not just crash, it displays
a dialog box and lets you press 'OK' first."  -- Arno Schaefer's .sig
 




Add to FAQ! Re: Newbie question : GPgee and GPGshell etc..

2005-05-12 Thread Samuel ]slund
Hi

This seems like a good description of Windows GUI for GnuPG.
If I was looking for a GUI this is the information I would like to have.
Could someone with access add it to the FAQ?
The question could be "Does GnuPG for windows have a GUI?", possibly
under the installation heading.

//Samuel

On Wed, May 11, 2005 at 06:50:20PM -0600, Kurt Fitzner wrote:
> [EMAIL PROTECTED] wrote:
> 
> > which one of these
> > - GPGshell
> > - WinPT
> > - GPGee
> > 
> > is better for a starter with GPG 
> 
> First of all, let's get some definitions down because it can become
> confusing.  WinPT is both an application and a group of tools.  The
> application, Windows Privacy Tray, sits in the Windows task tray and
> gives you a GnuPG interface from there.  The group of tools is the tray
> application bundled along with GnuPG itself.  This distinction will
> become important later... for now, though, when I say "WinPT" I mean the
> tray application, not the group of tools.
> 
> Now, to answer your question:  GPG Shell is an ok program but not really
> designed for the GnuPG beginner.  What it does when you tell it to do
> something is start the GnuPG command for you and then dump you into a
> command prompt with that GnuPG command running so you can finish it
> (answer any questions GnuPG has for you).  So, if you want to edit a
> key, it doesn't have a GUI mechanism to do so - it drops you into the
> GnuPG edit key command and you have to type all the key editing commands
> in. For a new person, WinPT will be easier to use.  It doesn't expose
> quite as much of the inner workings of GnuPG - there are some things you
> can't do with it, but what it does do is completely through a GUI.
> 
> Now, as far as GPGee goes, it isn't intended as a "competitor" to WinPT,
> but more as a complement. WinPT is a tray application that gives you a
> key manager and lets you perform GPG operations on the clipboard and the
> current window.  GPGee isn't intended to do all that.  It is only a
> Windows explorer shell extension.  It adds GnuPG commands to the windows
> explorer right-click context menu.  So, if you want to simply sign,
> encrypt, or verify one or more files, GPGee makes that very easy.  There
> is no key management in it at all, so that would be something you would
> do through WinPT.
> 
> The reason I made the distinction between the WinPT tray application and
> the WinPT group of tools, is that GPGee is going to become one of the
> tools included in WinPT.  Timo Schulz had a different shell extension
> (WinFPSE) that was included in the WinPT bundle, but he wants to focus
> more on the tray application, and I will focus on the explorer extension.
> 
> Hopefully once GPGee is in the bundle things will become less confusing
> for the new people just looking for a good front end.
> 
>   Kurt.
> 





Re: Newbie question : GPgee and GPGshell etc..

2005-05-11 Thread Kurt Fitzner
[EMAIL PROTECTED] wrote:

> which one of these
> - GPGshell
> - WinPT
> - GPGee
> 
> is better for a starter with GPG 

First of all, let's get some definitions down because it can become
confusing.  WinPT is both an application and a group of tools.  The
application, Windows Privacy Tray, sits in the Windows task tray and
gives you a GnuPG interface from there.  The group of tools is the tray
application bundled along with GnuPG itself.  This distinction will
become important later... for now, though, when I say "WinPT" I mean the
tray application, not the group of tools.

Now, to answer your question:  GPG Shell is an ok program but not really
designed for the GnuPG beginner.  What it does when you tell it to do
something is start the GnuPG command for you and then dump you into a
command prompt with that GnuPG command running so you can finish it
(answer any questions GnuPG has for you).  So, if you want to edit a
key, it doesn't have a GUI mechanism to do so - it drops you into the
GnuPG edit key command and you have to type all the key editing commands
in. For a new person, WinPT will be easier to use.  It doesn't expose
quite as much of the inner workings of GnuPG - there are some things you
can't do with it, but what it does do is completely through a GUI.

Now, as far as GPGee goes, it isn't intended as a "competitor" to WinPT,
but more as a complement. WinPT is a tray application that gives you a
key manager and lets you perform GPG operations on the clipboard and the
current window.  GPGee isn't intended to do all that.  It is only a
Windows explorer shell extension.  It adds GnuPG commands to the windows
explorer right-click context menu.  So, if you want to simply sign,
encrypt, or verify one or more files, GPGee makes that very easy.  There
is no key management in it at all, so that would be something you would
do through WinPT.

The reason I made the distinction between the WinPT tray application and
the WinPT group of tools, is that GPGee is going to become one of the
tools included in WinPT.  Timo Schulz had a different shell extension
(WinFPSE) that was included in the WinPT bundle, but he wants to focus
more on the tray application, and I will focus on the explorer extension.

Hopefully once GPGee is in the bundle things will become less confusing
for the new people just looking for a good front end.

Kurt.


