Re: windows binary for gnupg 1.4.11 // compilation instructions posted
On 9/22/2011 4:51 PM, ved...@nym.hush.com wrote:
> I know only very limited stuff about this, but I thought that this
> was mainly to check that copies of windows were 'non-pirated', and
> has come under some criticism that they might be able to exclude some
> from running linux OS's ...

That's kind of like thinking that integrated circuits exist to run Windows. Windows is just one particular thing you can do with ICs, the same way that preventing end-users from installing their own operating systems is one particular thing you can do with UEFI.

EFI was first developed by Intel for the Itanium processor/motherboards. Itanium was Intel's attempt at a clean break with the past, and not just in terms of architecture but in terms of the boot process. It was discovered EFI could be very useful for non-Itanium systems, and so the UEFI standard came about -- "Unified" EFI, which was able to support a large variety of systems.

> My concern is, how vulnerable ... is it to run gnupg from a usb and
> an Ubuntu install disk, when booting bypasses the harddrive's mbr
> altogether, even considering known bios rootkit infections?

This one's impossible to answer. Are you in an environment where BIOS rootkits are common? How do you know your answer to that question is correct? Etc., etc.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
On 9/22/2011 3:59 PM, ved...@nym.hush.com wrote:
> Can these rootkits work when there is no mbr access?

Yes. In fact, EFI/UEFI is more or less a replacement for MBRs. EFI/UEFI is almost the first thing through the CPU's brain upon booting. There's probably some on-chip microcode that executes first, but EFI/UEFI is, IIRC, the first off-CPU stuff that gets loaded and executed.

The EFI/UEFI designers went to some lengths to harden the system against malware -- unfortunately they could only harden it, not immunize it.
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
ved...@nym.hush.com wrote:
> So, if, for example, in a case where I don't have my laptop with me, (but I
> do have a usb with gpg and keyrings, and a miniDVD with ubuntu),
>
> then, assuming there is no keylogger on the borrowed laptop, what
> is the problem with booting from the ubuntu miniDVD, and running
> gnupg from ubuntu while accessing the keys from the usb, and
> writing to the usb?

You're also assuming no BIOS or UEFI rootkits :-)

Whether that is or isn't a problem is up to you

*UAYOR*YMMV*IANAL*NWEOI

--
John P. Clizbe                      Inet: John ( a ) Mozilla DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
    mailto:pgp-public-k...@gingerbear.net?subject=HELP

Raise your hand if you know someone who is alive only because you did not want to spend time in jail
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
John Clizbe John at enigmail.net wrote on Thu Sep 22 18:38:06 CEST 2011:

> It can be done, but it's nontrivial. I think it's more like Sisyphean IMHO :-(.

OK, thought so, ;-)

> You cannot secure "everything" necessary to securely run gpg (or any
> other program) from a USB stick.
> Please don't delude yourself into thinking you can. You can't.

OK, not on windows, but maybe for my limited threat model I might be able to:

My threat model doesn't include any 3 letter agencies, organized crime outfits, or malicious hackers out to get me, any of whom are capable of putting a hardware keylogger on a friend's laptop.

Think of it as an 'envelope' threat model. I need an envelope, not a post-card, but don't need a trusted messenger to deliver my envelope by hand.

So, if, for example, in a case where I don't have my laptop with me, (but I do have a usb with gpg and keyrings, and a miniDVD with ubuntu), then, assuming there is no keylogger on the borrowed laptop, what is the problem with booting from the ubuntu miniDVD, and running gnupg from ubuntu while accessing the keys from the usb, and writing to the usb?

vedaal
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
On 9/22/2011 12:38 PM, John Clizbe wrote:
> probably be good to include msvcrt.dll as MinGW targets it.

Also so that you're not depending on the host machine's MSVCRT.DLL. That .DLL is often targeted by malware: it makes such a perfect place to drop hook functions.

(Putting that .DLL on the stick is a healthy practice, not a replacement for sane practices. Don't plug a USB stick into an untrusted machine, period, end of sentence: but in the event that one of your trusted machines gets compromised, having your own copy of MSVCRT.DLL on the USB stick may help prevent the spread of infection. *May*...)
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
ved...@nym.hush.com wrote:
>
> Thanks,
> I knew about the MSYS method, but not about the others,
> but my point was about running gnupg from a flash drive.
>
> I was under the impression that there is no portable way to do that
> on a flashdrive that doesn't have these systems installed on the
> host computer,
> (Is there?? If anyone knows of a way to do it, please post. Thanks.
> The only way I could think of is to boot to ubuntu and run gnupg
> from there on the flash drive).

It can be done, but it's nontrivial. I think it's more like Sisyphean IMHO :-(.

To *securely* run gpg, or any other program, from portable media, use ldd or MS's Dependency Walker to see all the DLLs that need to be supplied locally from a trusted system. They need to go in the same directory as the gpg executable as Windows searches there first. At a minimum one needs these DLLs: libbz2, readline5, libz, libgcc_s_dw2-1.dll, probably be good to include msvcrt.dll as MinGW targets it.

Then you have all the Windows DLLs to deal with. Are your copies 'safe'? Do you have all the dependencies of the initial dependencies?

Here's a first pass at a list (these are examples from my builds, yours will not likely be the same):

JPClizbe@booboo ~
$ c:/Cygwin/bin/ldd $(which gpg)| sed -e 's/\/cygdrive//'
        ntdll.dll => /c/WINDOWS/system32/ntdll.dll (0x7c90)
        kernel32.dll => /c/WINDOWS/system32/kernel32.dll (0x7c80)
        ADVAPI32.DLL => /c/WINDOWS/system32/ADVAPI32.DLL (0x77dd)
        RPCRT4.dll => /c/WINDOWS/system32/RPCRT4.dll (0x77e7)
        Secur32.dll => /c/WINDOWS/system32/Secur32.dll (0x77fe)
        libbz2-2.dll => /c/MinGW/bin/libbz2-2.dll (0x644c)
        msvcrt.dll => /c/WINDOWS/system32/msvcrt.dll (0x77c1)
        libgcc_s_dw2-1.dll => /c/MinGW/bin/libgcc_s_dw2-1.dll (0x6e94)
        readline5.dll => /c/MinGW/bin/readline5.dll (0x63e4)
        MSVCP60.DLL => /c/WINDOWS/system32/MSVCP60.DLL (0x7608)
        OLE32.dll => /c/WINDOWS/system32/OLE32.dll (0x774e)
        GDI32.dll => /c/WINDOWS/system32/GDI32.dll (0x77f1)
        USER32.dll => /c/WINDOWS/system32/USER32.dll (0x7e41)
        WSOCK32.DLL => /c/WINDOWS/system32/WSOCK32.DLL (0x71ad)
        WS2_32.dll => /c/WINDOWS/system32/WS2_32.dll (0x71ab)
        WS2HELP.dll => /c/WINDOWS/system32/WS2HELP.dll (0x71aa)
        libz-1.dll => /c/MinGW/bin/libz-1.dll (0x6550)

Once one gets all those, then he can start on the keyserver helpers. gpgkeys_curl is fun. Here are just the local dependencies, none of the ones from Windows:

$ c:/Cygwin/bin/ldd $(which gpgkeys_curl)| sed -e 's/\/cygdrive//'| grep MinGW
        libcurl-4.dll => /c/MinGW/bin/libcurl-4.dll (0x7080)
        libcares-2.dll => /c/MinGW/bin/libcares-2.dll (0x62d8)
        cryptoeay32-0.9.8.dll => /c/MinGW/bin/cryptoeay32-0.9.8.dll (0x6300)
        zlib1.dll => /c/MinGW/bin/zlib1.dll (0x61b8)
        libidn-11.dll => /c/MinGW/bin/libidn-11.dll (0x6954)
        libiconv-2.dll => /c/MinGW/bin/libiconv-2.dll (0x6600)
        libintl-8.dll => /c/MinGW/bin/libintl-8.dll (0x61cc)
        libssh2-1.dll => /c/MinGW/bin/libssh2-1.dll (0x63b4)
        ssleay32-0.9.8.dll => /c/MinGW/bin/ssleay32-0.9.8.dll (0x6924)

And so on...

Now, you've got all your gpg-related exe files along with a closure of DLLs to be called.

What are you going to do about the core Windows OS, device drivers or the actual hardware? Quick answer: probably nothing unless the machine is yours and under your full control.

You cannot secure "everything" necessary to securely run gpg (or any other program) from a USB stick. Please don't delude yourself into thinking you can. You can't. Even with an encrypted file system, you still reach the point where you don't control things the rest of the way, and only iff you do, can it be made "secure," and in that case, why go to all this trouble in the first place? Put GnuPG on the machine and your keys and other data on the USB stick if you need them to be portable.

The only way to securely run any program from a USB stick is on a computer you installed the OS (from a secure source - Is your Windows CD Genuine?), audited and have total control, and in that case you don't need the USB stick for the programs, only data you wish between machines of which you also have total control.

Now, on the other hand, if your goal isn't security, just to be able to run the programs from an USB stick, you need the gpg and gpgkeys_* binaries along with the non Windows DLLS all in the same folder - It's several MB zipped up, cryptoeay is BIG. But I have to ask, why use gpg without security in mind?

*UAYOR*YMMV*IANAL*NWEOI

--
John P. Clizbe                      Inet: John ( a ) Mozilla DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
    mailto:pgp-public-k...@gingerbear.net?subject=HELP

Raise your hand if you know someone who is alive only because you did not want to spend tim
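The inventory John describes above (list what ldd reports, keep the Windows-provided DLLs where they are, ship the toolchain ones beside gpg.exe, and make sure the copies are the ones from a trusted build), as an added example that is not code from the thread or from GnuPG. It parses ldd-style "name => path (0xaddr)" lines, sorts them into system / bundle / unexpected, and checks the bundled copies against a SHA-256 manifest; the sample ldd lines, the path prefixes and the temp-directory demo are constructed assumptions.

```python
"""Inventory the DLLs a MinGW-built gpg.exe loads, decide which must ship
beside it, and check the shipped copies against a trusted manifest.
Added example, not from the thread or from GnuPG; sample ldd lines, path
prefixes and the temp-directory demo are constructed for this example."""
import hashlib
import os
import re
import tempfile
from typing import Dict, Iterable, List, Tuple

LDD_LINE = re.compile(r"^\s*(\S+)\s*=>\s*(\S+)\s*\((0x[0-9a-fA-F]+)\)\s*$")

# Assumed prefixes: DLLs under WINDOWS_PREFIXES belong to the host OS and
# stay there; DLLs under TOOLCHAIN_PREFIXES come from the build box and
# must be copied next to gpg.exe (the loader searches that directory first).
WINDOWS_PREFIXES = ("/c/windows/", "/c/winnt/")
TOOLCHAIN_PREFIXES = ("/c/mingw/",)

# Constructed sample modelled on the ldd output in the post; the last line
# deliberately resolves from a user-writable folder to exercise the check.
SAMPLE_LDD = """\
ntdll.dll => /c/WINDOWS/system32/ntdll.dll (0x7c90)
kernel32.dll => /c/WINDOWS/system32/kernel32.dll (0x7c80)
msvcrt.dll => /c/WINDOWS/system32/msvcrt.dll (0x77c1)
libbz2-2.dll => /c/MinGW/bin/libbz2-2.dll (0x644c)
libgcc_s_dw2-1.dll => /c/MinGW/bin/libgcc_s_dw2-1.dll (0x6e94)
readline5.dll => /c/MinGW/bin/readline5.dll (0x63e4)
libz-1.dll => /c/MinGW/bin/libz-1.dll (0x6550)
libcurl-4.dll => /c/Users/Public/Downloads/libcurl-4.dll (0x7080)
"""

def parse_ldd(text: str) -> Dict[str, str]:
    """Return {dll name (lower-cased): resolved path} from ldd-style output."""
    deps: Dict[str, str] = {}
    for line in text.splitlines():
        m = LDD_LINE.match(line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps

def classify(deps: Dict[str, str]) -> Dict[str, List[str]]:
    """Sort DLLs into 'system' (leave to Windows), 'bundle' (copy beside
    gpg.exe) and 'unexpected' (resolved from neither place: inspect before
    trusting, since a stray copy in an odd directory is how a hooked DLL
    gets loaded ahead of the real one)."""
    out: Dict[str, List[str]] = {"system": [], "bundle": [], "unexpected": []}
    for name, path in sorted(deps.items()):
        low = path.lower()
        if low.startswith(WINDOWS_PREFIXES):
            out["system"].append(name)
        elif low.startswith(TOOLCHAIN_PREFIXES):
            out["bundle"].append(name)
        else:
            out["unexpected"].append(name)
    return out

def sha256_file(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_manifest(directory: str, names: Iterable[str]) -> Dict[str, str]:
    """Hash the named DLLs in `directory`; run this on the trusted build box."""
    return {n: sha256_file(os.path.join(directory, n)) for n in names}

def verify_manifest(directory: str, manifest: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare the DLLs beside gpg.exe on the stick with the trusted manifest.
    Returns (name, problem) pairs; an empty list means every copy matched."""
    problems: List[Tuple[str, str]] = []
    for name, expected in manifest.items():
        p = os.path.join(directory, name)
        if not os.path.exists(p):
            problems.append((name, "missing"))
        elif sha256_file(p) != expected:
            problems.append((name, "hash mismatch"))
    return problems

def demo_manifest_roundtrip() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Constructed end-to-end run: fake 'trusted' DLLs are hashed, copied to a
    fake stick and verified; then one copy is altered, one removed, and the
    stick is verified again."""
    bundle = classify(parse_ldd(SAMPLE_LDD))["bundle"]
    with tempfile.TemporaryDirectory() as trusted, tempfile.TemporaryDirectory() as stick:
        for n in bundle:
            for d in (trusted, stick):
                with open(os.path.join(d, n), "wb") as f:
                    f.write(b"fake contents of " + n.encode())
        manifest = build_manifest(trusted, bundle)
        clean = verify_manifest(stick, manifest)
        with open(os.path.join(stick, bundle[0]), "ab") as f:
            f.write(b"\x90")  # simulate a modified DLL on the stick
        os.remove(os.path.join(stick, bundle[-1]))  # and a missing one
        tampered = verify_manifest(stick, manifest)
    return clean, tampered

if __name__ == "__main__":
    for kind, names in classify(parse_ldd(SAMPLE_LDD)).items():
        print(f"{kind:10s} {', '.join(names) or '-'}")
    print("clean / tampered:", demo_manifest_roundtrip())
```

On a real stick the manifest would be produced once on the trusted build box and carried (signed) with the DLLs, so the check on the stick compares against hashes the stick's own contents cannot alter.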
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
> Message: 9
> Date: Wed, 21 Sep 2011 22:44:26 -0500
> From: John Clizbe
> To: gnupg-users@gnupg.org
> Subject: Re: windows binary for gnupg 1.4.11 // compilation
>  instructions posted
> Message-ID: <4e7aaf1a.1040...@enigmail.net>
> Content-Type: text/plain; charset=UTF-8
>
> ved...@nym.hush.com wrote:
>> BTW,
>> There is a unique advantage to running gnupg from cygwin on
>> windows, as it's the only way to make use of unix-like commands,
>> (cat, grep, printf, etc.) and pipe them to and from gnupg.
>
> ONLY? How much effort did you expend looking?
>
> The MinGW compiler folks provide a little environment called MSYS, for Minimal
> System. It's not meant to be a full-on environment like Cygwin, even though it's
> a fork of an earlier Cygwin, but provides bash and enough tools to run most
> configure scripts and do a reasonable amount of work. BTW, it's faster than
> Cygwin because it's emulating less.
> IIRC, Mozilla based their Windows build environment on MSYS.
>
> In addition, there is Microsoft's Services for Unix which is the old Interix
> product
>
> Another alternative is UWIN, from AT&T's David Korn and Glenn Fowler.
> (Umm, yeah /THAT/ Dave Korn.) One used to be able to point cc to either the
> MinGW gcc or to MS' CL. I haven't used it in a while.
>
> That's just from memory.

-

Thanks,
I knew about the MSYS method, but not about the others, but my point was about running gnupg from a flash drive.

I was under the impression that there is no portable way to do that on a flashdrive that doesn't have these systems installed on the host computer, (Is there?? If anyone knows of a way to do it, please post. Thanks. The only way I could think of is to boot to ubuntu and run gnupg from there on the flash drive).

So, even though gnupg compiled from cygwin can't be put on a flashdrive to run from windows, it does have the advantage of the unix-like commands.

Sorry, about the 'ONLY' ...

vedaal
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
On 9/21/2011 11:44 PM, John Clizbe wrote:
> ONLY? How much effort did you expend looking?

In addition to John's offerings, don't forget http://gnuwin32.sf.net. Most of the GNU tools exist in native Win32 builds. Some of them are a bit old (e.g., their flex is 2.5.4a, current is 2.5.34, their gawk is 3.1.6 and current is 4.0.0, etc.), but they generally work quite well.
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
ved...@nym.hush.com wrote:
> BTW,
> There is a unique advantage to running gnupg from cygwin on
> windows, as it's the only way to make use of unix-like commands,
> (cat, grep, printf, etc.) and pipe them to and from gnupg.

ONLY? How much effort did you expend looking?

The MinGW compiler folks provide a little environment called MSYS, for Minimal System. It's not meant to be a full-on environment like Cygwin, even though it's a fork of an earlier Cygwin, but provides bash and enough tools to run most configure scripts and do a reasonable amount of work. BTW, it's faster than Cygwin because it's emulating less. IIRC, Mozilla based their Windows build environment on MSYS.

In addition, there is Microsoft's Services for Unix which is the old Interix product. I think one may still download 3.5 for XP. cc looks for CL.EXE on the $PATH. gcc 3.3 is included. Lots of stuff available from the user site. Certain server levels of Vista and Windows 7 have SFU built-in. It cannot be installed separately on these OSes.

Another alternative is UWIN, from AT&T's David Korn and Glenn Fowler. (Umm, yeah /THAT/ Dave Korn.) One used to be able to point cc to either the MinGW gcc or to MS' CL. I haven't used it in a while.

That's just from memory.

--
John P. Clizbe                      Inet: John ( a ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
    mailto:pgp-public-k...@gingerbear.net?subject=HELP

Raise your hand if you know someone who is alive only because you did not want to spend time in jail
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
On Tue, 20 Sep 2011 22:48, r...@sixdemonbag.org said:
> If I determine that my work PC and my home PC are both trusted systems,
> and I have a single USB stick containing my GnuPG installation and
> keyrings that I want to use on both, then I don't see the risk so long
> as that USB stick is never plugged into an untrusted machine.

That is right. However you would only keep your data on the stick and not the programs. All systems these days have a package management system, and those are better at program updates than doing it manually.

My point was that people very often talk about encrypted super secure USB sticks which they put into an arbitrary computer and believe that the data and programs magically work securely this way. They don't consider that a "foreign" CPU is seeing everything they stored on the stick.

Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
> Message: 8
> Date: Tue, 20 Sep 2011 13:28:34 -0400
> From: Avi
> To: gnupg-users@gnupg.org

> What about us windows users who do not have GPG installed on our
> desktops, but our secure USB sticks. 1.4.11 works very nicely as
> a stand-alone (or in my case, with GPGShell).

> However, I am not a real programmer, nor do I play one on the radio (I just pretend to be one for the free stuff 8-) ) and so while I probably could, if I had to, compile from source using Cygwin or MingW, I'd feel safer if someone who knew what they were doing did it.

-

1.4.11 when compiled from cygwin, works ok on windows, but only within cygwin. It WON'T work on a flashdrive that's attached to any windows system where cygwin isn't installed, as it needs some cygwin-specific dlls.

1.4.11 from mingw, will work anywhere, and is VERY EASY to compile from the posted instructions, (I'm not a real programmer either, and only recently have been able to successfully do 'Hello World' from Python and Perl, and haven't graduated to C yet ;-)) )

(Compiling from mingw according to the posted instructions, is easier than setting up gpgshell on a flashdrive, which isn't that hard, and is something you have already done), so try it ;-).

BTW, There is a unique advantage to running gnupg from cygwin on windows, as it's the only way to make use of unix-like commands, (cat, grep, printf, etc.) and pipe them to and from gnupg.

But, if you want a possibly 'more secure' flashdrive gnupg setup that lets you do everything, you can install ubuntu on a (big) usb drive, boot from the usb, and run gnupg from ubuntu.

or, Boot from an ubuntu pocket dvd, and keep your keys and stuff on the usb, and write (encrypt or decrypt) to the usb. (and you don't have to compile anything ;-) )

vedaal
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
Fair enough, I was not precise, my apologies. I run GnuPG off a Truecrypt encrypted partition on a USB stick, so I can access it in places where I do not wish to load my keyring, and cannot install a card reader. I find that version 1.4.11 with GPGShell works like a charm, and would be loathe to see it disappear.

However, I am not a real programmer, nor do I play one on the radio (I just pretend to be one for the free stuff 8-) ) and so while I probably could, if I had to, compile from source using Cygwin or MingW, I'd feel safer if someone who knew what they were doing did it. I still have nightmares from the time I built an ATLAS BLAS and then used it to compile Rblas.dll under windows. Probably took me over two weeks to get it right :}

--Avi

User:Avraham
pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key)
Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019 F80E 29F9

On Tue, Sep 20, 2011 at 3:23 PM, Werner Koch wrote:
>
> On Tue, 20 Sep 2011 19:28, avi.w...@gmail.com said:
>> What about us windows users who do not have GPG installed on our
>> desktops, but our secure USB sticks. 1.4.11 works very nicely as
>> a stand-alone (or in my case, with GPGShell). I'm afraid that
>> 2.+ would not work properly when installed to an encrypted
>
> There is no such thing as a secure USB stick to run programs from.
>
>
> Salam-Shalom,
>
> Werner
>
> --
> Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
On 9/20/2011 3:23 PM, Werner Koch wrote:
> There is no such thing as a secure USB stick to run programs from.

If I determine that my work PC and my home PC are both trusted systems, and I have a single USB stick containing my GnuPG installation and keyrings that I want to use on both, then I don't see the risk so long as that USB stick is never plugged into an untrusted machine.

"Secure" and "insecure" seem to be words that apply to specific uses of technologies, rather than those technologies /qua/ themselves.
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
On Friday 16 September 2011, Robert J. Hansen wrote:
> On 9/16/2011 2:49 PM, ved...@nym.hush.com wrote:
>> Because then who is to say that it wasn't tampered with?
>
> Who's to say the one on ftp.gnupg.org wasn't tampered with? It would
> be fairly easy to make a version of GnuPG that always reported
> itself as having a good signature. (See, e.g., Ken Thompson,
> _Reflections on Trusting Trust_. David A. Wheeler had an
> interesting solution to Thompson's problem, but in the main
> Thompson's remarks are still quite applicable. [1])
>
> And if you're downloading source code and compiling from source --
> how do you know the source wasn't tampered with? A back door could
> be hidden inside the code, making sure that whenever you attempted
> to verify... etc., etc.

The backdoor could even be hidden in the compiler. Who says Microsoft can be trusted?

>> The whole point is to start with gnupg.org signed and verified
>> material, and then let the user take it from there.
>
> You can't. I hate to rain on the parade, but this is simply not
> achievable. At some point you have to accept something on faith.
> The only question is what you'll accept.
>
> In the extreme case, let's say GnuPG hosts a Windows binary and posts
> an MD5 sum of it. How do you know the MD5 sum that's posted is
> accurate? Werner's signature on it is meaningless: you don't have a
> trusted copy of GnuPG you can use to verify the signature. The
> posted MD5 sum could have been tampered with and you wouldn't know.
> Etc., etc.

Well, one could use PGP or another independent implementation of OpenPGP to verify the signature on GnuPG. And then one could use GnuPG to verify the other implementation. Of course, they could still both have been forged by the same entity, but that's a lot less likely.

Regards,
Ingo
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
On Tue, 20 Sep 2011 19:28, avi.w...@gmail.com said:
> What about us windows users who do not have GPG installed on our
> desktops, but our secure USB sticks. 1.4.11 works very nicely as
> a stand-alone (or in my case, with GPGShell). I'm afraid that
> 2.+ would not work properly when installed to an encrypted

There is no such thing as a secure USB stick to run programs from.

Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
What about us windows users who do not have GPG installed on our desktops, but our secure USB sticks. 1.4.11 works very nicely as a stand-alone (or in my case, with GPGShell). I'm afraid that 2.+ would not work properly when installed to an encrypted stick, although, I admit, I have not actually tried it.

User:Avraham
pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key)
Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019 F80E 29F9

From: Werner Koch
> To: Johan Wevers
> Date: Sat, 17 Sep 2011 12:06:49 +0200
> Subject: Re: windows binary for gnupg 1.4.11 // compilation instructions
>  posted
>
> On Fri, 16 Sep 2011 21:42, joh...@vulcan.xs4all.nl said:
>
> If they don't find this, I doubt that they have any need for 1.4. 1.4
> is not aimed for desktop users but for vintage Unix versions and maybe
> for servers.
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
On Mon, 19 Sep 2011 23:28, jpcli...@tx.rr.com said:
> Many tools such as autoconf have to be installed from the Interix community
> site.

To build gnupg you don't need autoconf. A bare bones development system is always sufficient. autoconf is only used to create the configure script which is then included in the tarball.

Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
Werner Koch wrote:
> Hi,
>
> there is a thing for Windows called System Services for Unix (SFU). It
> is a modern POSIX implementation on top of the NT kernel but very
> different to the old we-need-to-be-compliant-to-gov-ITBs Posix
> subsystem. Did anyone ever try to build a GnuPG on it?
>
> AFAICS this would use MSC but on a native Windows supported POSIX
> platform. Cygwin is based on the Win32 API (which is the common API
> used on top of the NT kernel) and thus has some problems with complete
> integration into the system.
>

The last version I used was SFU 3.5. cc looks for CL.EXE on the PATH. gcc 3.3 was also included. Many tools such as autoconf have to be installed from the Interix community site.
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
Hi,

there is a thing for Windows called System Services for Unix (SFU). It is a modern POSIX implementation on top of the NT kernel but very different to the old we-need-to-be-compliant-to-gov-ITBs Posix subsystem. Did anyone ever try to build a GnuPG on it?

AFAICS this would use MSC but on a native Windows supported POSIX platform. Cygwin is based on the Win32 API (which is the common API used on top of the NT kernel) and thus has some problems with complete integration into the system.

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
Johan Wevers wrote:
> On 16-09-2011 21:30, Simone Cianfriglia wrote:
>
>> To achieve your desired result, it's required to run the exactly same
>> compiler, including the version, with the same options targeting the
>> correct architecture. Also a minor tweak in architecture settings
>> could change the result, see for example the --march and --mtune
>> directives of GCC to see how many choices there are.
>
> Which makes me wonder how hard it would be to build GnuPG 1.4.11 with MS
> Visual Studio. Back in the pgp 2 days I put a VS 5 (antique version)
> project file for pgp 2.6.3ia on my site to create a win2 binary - better
> than the distributed MS-DOS binary, at least it could handle long
> filenames. That was easy - just put all the .c files in the project.
>
> I'll just have to try.
>

You're much better off with MinGW and dependencies or Cygwin. There was a move to try to write project files for Visual Studio some long time ago, but I don't think anything became of it. I have my own scripts, tuned bit by bit since 2004, but they are tailored to my use.

--
John P. Clizbe                      Inet: John ( a ) Enigmail DAWT NET
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
    mailto:pgp-public-k...@gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
On Fri, 16 Sep 2011 21:42, joh...@vulcan.xs4all.nl said:
> OK, then what about a direct link to the version of the installer still
> present on ftp.gnupg.org?

It was removed on purpose. We - and this includes Enigmail developers - want users to use the modern version. Those who have a valid reason to continue use of 1.4 know what an ftp server is and their first reaction will anyway be

  lftp ftp.gnupg.org

cd to GnuPG (or gcrypt), read README and immediately notice

  binary/ Compiled versions for MS Windows.

If they don't find this, I doubt that they have any need for 1.4. 1.4 is not aimed for desktop users but for vintage Unix versions and maybe for servers. Admins should still know that there is a thing called ftp.

> Unlikely, since the Windows executable file format contains a timestamp
> within the binary.

And cpp may also insert timestamps into the source code.

Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
On 9/16/2011 6:15 PM, Johan Wevers wrote:
> Which makes me wonder how hard it would be to build GnuPG 1.4.11 with
> MS Visual Studio.

With MS Visual Studio, or with the command-line cl.exe compiler?

The last I heard from the Autotools fellows (Ralf Wildenhues, et. al.) several months ago, they were really close to having a version that would work with MS tools from within MinGW. If this reached a usable version, that would seem like the most obvious way to get a GnuPG version built with the MS compilers.

My question, though, is -- why? What do the MS compilers give us? I can't see any compelling reason to do this.
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
On 16-09-2011 21:30, Simone Cianfriglia wrote:

> To achieve your desired result, it's required to run the exactly same
> compiler, including the version, with the same options targeting the
> correct architecture. Also a minor tweak in architecture settings
> could change the result, see for example the --march and --mtune
> directives of GCC to see how many choices there are.

Which makes me wonder how hard it would be to build GnuPG 1.4.11 with MS Visual Studio. Back in the pgp 2 days I put a VS 5 (antique version) project file for pgp 2.6.3ia on my site to create a win2 binary - better than the distributed MS-DOS binary, at least it could handle long filenames. That was easy - just put all the .c files in the project.

I'll just have to try.

--
Met vriendelijke groet / With kind regards,
Johan Wevers

PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
re: windows binary for gnupg 1.4.11 // compilation instructions posted
Thanks, Simone, Johan and Robert,

well, there goes that idea ... (but it's nice to know, that it's *possible* if there ever were some extreme need for it) ;-)

Johan, as per your excellent suggestion, the link to the ftp is hosted:
http://www.angelfire.com/mb2/mbgpg2go/download.html

(I'm reasonably certain that Maxine would have accepted the ftp of the binary and its sig, 'on faith') ;-)

vedaal
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
On 9/16/2011 2:49 PM, ved...@nym.hush.com wrote:
> Because then who is to say that it wasn't tampered with?

Who's to say the one on ftp.gnupg.org wasn't tampered with? It would be fairly easy to make a version of GnuPG that always reported itself as having a good signature. (See, e.g., Ken Thompson, _Reflections on Trusting Trust_. David A. Wheeler had an interesting solution to Thompson's problem, but in the main Thompson's remarks are still quite applicable. [1])

And if you're downloading source code and compiling from source -- how do you know the source wasn't tampered with? A back door could be hidden inside the code, making sure that whenever you attempted to verify... etc., etc.

> The whole point is to start with gnupg.org signed and verified
> material, and then let the user take it from there.

You can't. I hate to rain on the parade, but this is simply not achievable. At some point you have to accept something on faith. The only question is what you'll accept.

In the extreme case, let's say GnuPG hosts a Windows binary and posts an MD5 sum of it. How do you know the MD5 sum that's posted is accurate? Werner's signature on it is meaningless: you don't have a trusted copy of GnuPG you can use to verify the signature. The posted MD5 sum could have been tampered with and you wouldn't know. Etc., etc.

Ultimately, you have to take something on faith -- whether it's "I believe this MD5 sum is correct," or "I believe this binary is correct," or what-have-you. That initial trust decision is what bootstraps the entire process. If an initial trust decision is necessary, why not host your own GnuPG binary, or link to the binary on the ftp.gnupg.org site, or...?

> Although, [and am over my head here, so please correct if wrong], if
> there *could* be a way of providing instructions on compiling, so
> that the resultant compiled file would always have the same hash,
> then it might make sense to host the compiled binary and the hash.

This is technically possible but highly daunting. It involves opening up a PE/COFF executable in a hex editor and looking at specific offsets for timestamps, machine-specific identifiers, and so on -- and then hard-coding those back to the values present in the original binary. If the resulting binary is bit-for-bit identical to the original, then you've got a perfect copy. This is generally not worth doing unless you're in some way-beyond-the-next-level environment where you take supply-chain assurance to crazed levels.

[1] ... And David Shaw was the one who pointed me towards Wheeler's paper in the first place, some time ago -- thanks. :)
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello veidaal and gnupg-users list.

> My understanding, (which may be outdated),
> is that there are too many variations in individual user systems,
> so that the compiled files would never have 'exactly' the same
> hash independent of where they are compiled.
>
> Is there any way to ensure that if the same source code and the
> same compiler is used, that the resultant files have the same hash?

To achieve your desired result, it's required to run the exact same compiler, including the version, with the same options targeting the correct architecture. Also a minor tweak in architecture settings could change the result; see for example the --march and --mtune directives of GCC to see how many choices there are.

Regards,
Simone

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQIcBAEBCgAGBQJOc6QBAAoJEGfVQEsGVc2A/6YP/0gdn7HlVslErJ6SVMqxn7Wo
RO2tAubYkDdWMvaKK4mTfH7Hx3VTLT/0LTdN1W3knNMSgJonuV54OCd2z26lfPTz
+uQknj0dTh4RqfWQriBu0qTUxYVsZBNrRSUQ4RwCE9R1a2+UioIzCQ07G3r/+mfS
gM7m07cafLeBqzX4pNfiB6WPTr1uuQi4nuuIH0lmhmXgnnwNeBogNrGOMkTDdoud
GDkoV0NBTXuJMWgRyak5A0CbiEv6+vjUO3zFhnITkxjeWhIPrP1bpMkwAgASUnbg
9YpQnwVfitBRf72T6dpRpKjIoA5ZMDlgYIxW7MSXWFAPgysOP7agkrhItIrs77Xj
+1ofVMZqmyUk+fn6RVNwoAABCqRPP7NMThtZVqKxbcd/K2G9bRsxSMkhp1qjG2A/
6UQX4Za0SUioINyWWB56pcgsSSwGGPh6SjTQm+GHuFQq19gRbe1kKO6TENbBRLMq
5cFNC2ld+YnWoIdJjFv4SfgWmgjfKUYSTvblGVnS4kp/omhv1w3l2S5utiQYDPNF
giC34GTZRrgZnm+MnHz496+KB9HfHJ2b88QF62Ij/3GG3Jyi0sfYChuuM5dNNjTX
Mp8zbFZ1X9eEesDsaHkolln0zn6aMFc74lOpvs0ZUo/NF7qwsRIqJtwWM/GtCY0n
VGu2FluDoAGBAUPAv0NQ
=uXas
-----END PGP SIGNATURE-----
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
On 16-09-2011 20:49, ved...@nym.hush.com wrote:
>> Why not also host a copy of the existing binary?
>
> Because then who is to say that it wasn't tampered with?

OK, then what about a direct link to the version of the installer still present on ftp.gnupg.org?

> Although,
> [and am over my head here, so please correct if wrong],
> if there *could* be a way of providing instructions on compiling,
> so that the resultant compiled file would always have the same
> hash,

Unlikely, since the Windows executable file format contains a timestamp within the binary.

--
Met vriendelijke groet / With kind regards,
Johan Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
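The two replies above (the one describing hex-editing PE/COFF timestamp offsets back to the original values, and Johan's note that the Windows executable format carries a timestamp inside the binary) both come down to the same fact: the linker writes a TimeDateStamp into the COFF file header, so two otherwise identical builds never hash the same. The following is an added example, not code from GnuPG or from anyone in this thread. It locates that field from the PE/COFF specification (e_lfanew at DOS-header offset 0x3C, TimeDateStamp 8 bytes after the "PE\0\0" signature, the optional-header CheckSum 64 bytes into the optional header), zeroes those fields in a copy, and compares two builds before and after. The "builds" it operates on are minimal PE-shaped byte strings constructed in the script (they are not runnable executables); the function names are my own.

```python
"""Neutralise the link-time fields of a PE/COFF image so two builds of the same
source can be compared byte-for-byte.

Added example for this thread; not GnuPG code.  Offsets follow the PE/COFF
specification.  build_sample_pe() fabricates a tiny PE32-shaped image purely
for demonstration; it is not a real executable.
"""
import hashlib
import struct

PE_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C          # DOS header: file offset of the PE signature
COFF_TIMESTAMP_OFFSET = 8       # relative to the PE signature
COFF_OPT_SIZE_OFFSET = 4 + 16   # SizeOfOptionalHeader, relative to the PE signature
COFF_HEADER_SIZE = 20
OPT_CHECKSUM_OFFSET = 64        # relative to the optional header (PE32 and PE32+)


def _pe_header_offset(data: bytes) -> int:
    """Validate the DOS stub and return the file offset of "PE\\0\\0"."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE image: bad PE signature")
    return e_lfanew


def pe_timestamp(data: bytes) -> int:
    """COFF TimeDateStamp: seconds since the Unix epoch, set by the linker."""
    pe = _pe_header_offset(data)
    (ts,) = struct.unpack_from("<I", data, pe + COFF_TIMESTAMP_OFFSET)
    return ts


def normalize_pe(data: bytes) -> bytes:
    """Copy of the image with TimeDateStamp and the optional-header CheckSum zeroed."""
    pe = _pe_header_offset(data)
    out = bytearray(data)
    struct.pack_into("<I", out, pe + COFF_TIMESTAMP_OFFSET, 0)
    (opt_size,) = struct.unpack_from("<H", data, pe + COFF_OPT_SIZE_OFFSET)
    opt = pe + 4 + COFF_HEADER_SIZE
    if opt_size >= OPT_CHECKSUM_OFFSET + 4:     # CheckSum depends on the timestamp too
        struct.pack_into("<I", out, opt + OPT_CHECKSUM_OFFSET, 0)
    return bytes(out)


def compare_builds(a: bytes, b: bytes) -> dict:
    """Report whether two builds match raw and after normalisation."""
    sha = lambda blob: hashlib.sha256(blob).hexdigest()
    return {
        "raw_match": sha(a) == sha(b),
        "normalized_match": sha(normalize_pe(a)) == sha(normalize_pe(b)),
        "timestamps": (pe_timestamp(a), pe_timestamp(b)),
    }


def build_sample_pe(timestamp: int, checksum: int, code: bytes = b"\xc3" * 16) -> bytes:
    """Constructed PE32-shaped image: DOS header, COFF header, 96-byte optional
    header, one section header, then `code`.  Demonstration data only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)
    # Machine=i386, 1 section, TimeDateStamp, no symbols, SizeOfOptionalHeader=96, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 96, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, OPT_CHECKSUM_OFFSET, checksum)
    section = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000,
                          len(code), 0x200, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + PE_SIGNATURE + coff + bytes(opt) + section + code


if __name__ == "__main__":
    first = build_sample_pe(0x4E7380A0, 0x1234)
    second = build_sample_pe(0x4E7392B1, 0x5678)   # same code, later link time
    print(compare_builds(first, second))
```

Run on two real builds of the same source, `normalized_match` being true while `raw_match` is false tells you the only differences were in these link-time fields; a false `normalized_match` means the code or data itself differs (different compiler, options, or -march/-mtune settings, as Simone notes) and needs a proper binary diff. Real binaries can carry further varying fields, such as the timestamp in a debug directory entry, which this script does not touch.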
re: windows binary for gnupg 1.4.11 // compilation instructions posted
Johan Wevers johanw at vulcan.xs4all.nl Fri Sep 16 20:28:52 CEST 2011 wrote:

> Why not also host a copy of the existing binary?

Because then who is to say that it wasn't tampered with?

The whole point is to start with gnupg.org signed and verified material, and then let the user take it from there.

Although, [and am over my head here, so please correct if wrong], if there *could* be a way of providing instructions on compiling, so that the resultant compiled file would always have the same hash, then it might make sense to host the compiled binary and the hash.

My understanding, (which may be outdated), is that there are too many variations in individual user systems, so that the compiled files would never have 'exactly' the same hash independent of where they are compiled.

Is there any way to ensure that if the same source code and the same compiler is used, that the resultant files have the same hash?

Thanks,

vedaal
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
On 16-09-2011 17:17, ved...@nym.hush.com wrote:
> Posted the 'How To' on Maxine Brandt's restored site, here:
> http://www.angelfire.com/mb2/mbgpg2go/cyowb.html

Why not also host a copy of the existing binary?

--
Met vriendelijke groet,
Johan Wevers
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
> Compiling your own windows binary on windows
> (for people who never used a compiler):

Reviewed the instructions, and tested them on windows 64 bit systems, and no modifications are necessary.

Posted the 'How To' on Maxine Brandt's restored site, here:
http://www.angelfire.com/mb2/mbgpg2go/cyowb.html

As expected, the compilation does not include iconv.dll, so a link to the gnupg.org iconv.dll download and instructions, http://www.gnupg.org/download/iconv.en.html , is also provided.

If anyone has any suggestions for improvement, please post,

Thanks,

vedaal