Re: fingerprint associated public key does not match displayed public key

2021-12-22 Thread S.B. via Gnupg-users
> Don't do that.  Seriously.  This is like saying "I want to learn how to
> farm like my grandparents did!"  Farming is hard enough: voluntarily
> doing without, you know, *electricity* is just crazy.  (In the United
> States, many farms were without electricity until the 1940s!)

> These easy-to-use tools exist for a reason: to make GnuPG easy to use.
> If you insist on doing things the hard way you have only yourself to
> blame.  First learn how to use GnuPG, and then figure out how to use
> GnuPG like you would if it was 1992 after you've got your basic skills down.

Haha.  You're good with these.  I don't want to be farming without electricity.

> You may want to check out a mailing list like PGPNET, which exists
> specifically to give people experience in sending/receiving encrypted
> mail. :)

I immediately did it.  I saw you there.  Using Thunderbird.  Figuring it out.
Thank you all for all the good advice.

S.B.

On Mon, Dec 20, 2021 at 4:50 PM Robert J. Hansen  wrote:
>
> > seems as though my entry into this realm was clearly... bad.  I wanted
> > to learn the system without using separate encryption software like
> > Kleopatra.  I wanted to know how to do it with just gpg and any email
> > provider.  It's difficult, and I have a lot to learn.
>
> Don't do that.  Seriously.  This is like saying "I want to learn how to
> farm like my grandparents did!"  Farming is hard enough: voluntarily
> doing without, you know, *electricity* is just crazy.  (In the United
> States, many farms were without electricity until the 1940s!)
>
> These easy-to-use tools exist for a reason: to make GnuPG easy to use.
> If you insist on doing things the hard way you have only yourself to
> blame.  First learn how to use GnuPG, and then figure out how to use
> GnuPG like you would if it was 1992 after you've got your basic skills down.
>
> > and... I was hoping that, since I have your email, key ID, and fingerprint ;)
> > I could write an encrypted message to your sixdemonbag email.  I'd
> > completely understand if you'd rather not.  I just have now found
> > myself luring friends and relatives into learning this with me and
> > exchanging encrypted emails and... it's not going well.
>
> You may want to check out a mailing list like PGPNET, which exists
> specifically to give people experience in sending/receiving encrypted
> mail. :)

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: fingerprint associated public key does not match displayed public key

2021-12-21 Thread Rainer Fiebig via Gnupg-users
On 18.12.21 at 19:07, Ingo Klöcker wrote:
> On Friday, 17 December 2021 18:04:04 CET S.B. via Gnupg-users wrote:
>>> Otherwise, you can simply send your exported key to the person you want to
>>> give your public key to.
>>
>> Yeah so, I can attach the .asc file that's in my Disk/users/SamiBadri
>> folder (it's the only .asc file I've seen), but I'm assuming that is
>> my public key.  Is that correct?
> 
> Well, it depends. We have no idea what the .asc file in Disk/users/SamiBadri 
> contains. It could be your public key. Or it could be somebody else's public 
> key. Or it could be something other than a public key.
> 
> Quite frankly, I suggest that you follow Robert's advice and start your 
> learning experience with OpenPGP by using an email client that supports 
> OpenPGP out-of-the-box. All decent email clients should have a functionality 
> to attach your public key to an email without you having to attach some file 
> manually.
> 
>> Is there any way to send your private key?
> 
> Sure. You can send any file to anyone, so, of course, you can do the same with
> your private key (unless it's stored on a smartcard in a read-protected slot).
> 
> A decent email client should not offer a functionality to attach your secret 
> key to an email. So, if you stick to what your email client offers you, then 
> you should be safe.
> 
>> I want to know so that I don't do it accidentally.
> 
> Then don't attach random files you find on your disk to your emails without 
> knowing what those files contain.
> 
>> Also, if I
>> use the cat SamiB.asc command, the terminal reveals a certificate (and
>> I assume that's my public key certificate).
> 
> You shouldn't assume anything if you are dealing with encryption software. You
> should be sure what you are doing. Otherwise, in the extreme, you could
> jeopardize the lives of other people.
> 
And then there's the one you're communicating with. Also make sure that
*he* knows what he is doing. Otherwise you might jeopardize your own
life. For example: Someone who replies to your top secret, perfectly
encrypted mail - without encrypting his reply. ;)

Rainer



Re: fingerprint associated public key does not match displayed public key

2021-12-20 Thread Robert J. Hansen via Gnupg-users

> seems as though my entry into this realm was clearly... bad.  I wanted
> to learn the system without using separate encryption software like
> Kleopatra.  I wanted to know how to do it with just gpg and any email
> provider.  It's difficult, and I have a lot to learn.

Don't do that.  Seriously.  This is like saying "I want to learn how to
farm like my grandparents did!"  Farming is hard enough: voluntarily
doing without, you know, *electricity* is just crazy.  (In the United
States, many farms were without electricity until the 1940s!)

These easy-to-use tools exist for a reason: to make GnuPG easy to use.
If you insist on doing things the hard way you have only yourself to
blame.  First learn how to use GnuPG, and then figure out how to use
GnuPG like you would if it was 1992 after you've got your basic skills down.

> and... I was hoping that, since I have your email, key ID, and fingerprint ;)
> I could write an encrypted message to your sixdemonbag email.  I'd
> completely understand if you'd rather not.  I just have now found
> myself luring friends and relatives into learning this with me and
> exchanging encrypted emails and... it's not going well.

You may want to check out a mailing list like PGPNET, which exists
specifically to give people experience in sending/receiving encrypted
mail. :)




Re: fingerprint associated public key does not match displayed public key

2021-12-18 Thread S.B. via Gnupg-users
> Well, it depends. We have no idea what the .asc file in Disk/users/SamiBadri
contains. It could be your public key. Or it could be somebody else's public
key. Or it could be something other than a public key.

That was my mistake.  When I generated my first key pair I used the command:

gpg --armor --export sami.ba...@gmail.com > ~/Desktop/SamiB.asc

I moved it into my user folder.  That's the file I uploaded to
openpgp.org.  It is the public key block.

> You shouldn't assume anything if you are dealing with encryption software. You
should be sure what you are doing. Otherwise, in the extreme, you could
jeopardize the lives of other people.

I absolutely understand.

> You can use the command
gpg --show-key < SamiB.asc
to have a look at the key (or keys) contained in SamiB.asc. But, as with using
a proper email client you should probably also use a proper graphical tool for
working with GnuPG. On Linux, I suggest using Kleopatra. On Windows, I
recommend gpg4win.

I'm researching other email clients and will definitely get a GnuPG
graphical tool.  PGP Tool for Mac looks ok.

> Alternatively, you could have a look at Mailvelope (https://mailvelope.com).
It's a browser add-on that will extend GMail (and many other webmail
providers) with OpenPGP support.

I'm looking at Mailvelope and FlowCrypt for Gmail extensions.

On Sat, Dec 18, 2021 at 3:23 PM Ingo Klöcker  wrote:
>
> On Friday, 17 December 2021 18:04:04 CET S.B. via Gnupg-users wrote:
> > > Otherwise, you can simply send your exported key to the person you want to
> > > give your public key to.
> >
> > Yeah so, I can attach the .asc file that's in my Disk/users/SamiBadri
> > folder (it's the only .asc file I've seen), but I'm assuming that is
> > my public key.  Is that correct?
>
> Well, it depends. We have no idea what the .asc file in Disk/users/SamiBadri
> contains. It could be your public key. Or it could be somebody else's public
> key. Or it could be something other than a public key.
>
> Quite frankly, I suggest that you follow Robert's advice and start your
> learning experience with OpenPGP by using an email client that supports
> OpenPGP out-of-the-box. All decent email clients should have a functionality
> to attach your public key to an email without you having to attach some file
> manually.
>
> > Is there any way to send your private key?
>
> Sure. You can send any file to anyone, so, of course, you can do the same with
> your private key (unless it's stored on a smartcard in a read-protected slot).
>
> A decent email client should not offer a functionality to attach your secret
> key to an email. So, if you stick to what your email client offers you, then
> you should be safe.
>
> > I want to know so that I don't do it accidentally.
>
> Then don't attach random files you find on your disk to your emails without
> knowing what those files contain.
>
> > Also, if I
> > use the cat SamiB.asc command, the terminal reveals a certificate (and
> > I assume that's my public key certificate).
>
> You shouldn't assume anything if you are dealing with encryption software. You
> should be sure what you are doing. Otherwise, in the extreme, you could
> jeopardize the lives of other people.
>
> > Can I copy/paste and send
> > that as a txt attachment?  Will they be able to do anything with it?
> > For instance, let's say they don't have my email, key ID, or
> > fingerprint, only the pgp public key block (aka certificate), can you
> > do anything with a txt-type file that only shows the certificate in
> > armor?
>
> If you send someone the public key block of your public key, e.g. some file
> that contains something like
>
> -BEGIN PGP PUBLIC KEY BLOCK-
>
> [...]
> -END PGP PUBLIC KEY BLOCK-
>
> then this person can import your public key in their keyring and use it to
> verify signatures made by you and to encrypt text or files for you.
>
> You can use the command
> gpg --show-key < SamiB.asc to have a look at the key (or keys) contained in SamiB.asc. But, as with using
> a proper email client you should probably also use a proper graphical tool for
> working with GnuPG. On Linux, I suggest using Kleopatra. On Windows, I
> recommend gpg4win.
>
> > Lastly, I see that you have attached a signature .asc file with your
> > email.  I can import that file, and compare to?
>
> No, you cannot import that file. You need an email client that supports
> OpenPGP to do anything useful with it.
>
> Alternatively, you could have a look at Mailvelope (https://mailvelope.com).
> It's a browser add-on that will extend GMail (and many other webmail
> providers) with OpenPGP support.
>
> Regards,
> Ingo



Re: fingerprint associated public key does not match displayed public key

2021-12-18 Thread S.B. via Gnupg-users
> Did you notice the command is "gpg --import < certificate.txt"?

Yes, sorry.  I did type the command correctly.

>> I placed the file in my .gnupg hidden folder.
>
> Then you'd need to do "gpg --import < ~/.gnupg/certificate.txt".  If
certificate.txt isn't in your current directory, you need to tell Linux
where to look for it.

It worked.  I placed the txt file (copied and pasted) certificate in
my .gnugp folder and it went through.

> Please stop using that resource.  As mentioned above, it's shockingly bad.

To be fair.  The resource didn't actually tell me to do it that way.
It only supplied me with the command.  The method was my roundabout
way of making it work (based on my underivative understanding).  It
seems as though my entry into this realm was clearly... bad.  I wanted
to learn the system without using separate encryption software like
Kleopatra.  I wanted to know how to do it with just gpg and any email
provider.  It's difficult, and I have a lot to learn.

and... I was hoping that, since I have your email, key ID, and fingerprint ;)
I could write an encrypted message to your sixdemonbag email.  I'd
completely understand if you'd rather not.  I just have now found
myself luring friends and relatives into learning this with me and
exchanging encrypted emails and... it's not going well.



On Fri, Dec 17, 2021 at 9:24 PM Robert J. Hansen  wrote:
>
> > What other keys would it hold?
>
> Behold:
>
> pub   ed25519/1E7A94D4E87F91D5 2021-02-22 [SC]
>       7D8EC4B85B6FEDD6C10D3C791E7A94D4E87F91D5
> uid [ultimate] Robert J. Hansen 
> uid [ultimate] Robert J. Hansen 
> sub   cv25519/7D6CCDB66CA1202F 2021-02-22 [E]
>
>
> My public certificate has two keys: an Edwards-25519 signing key and a
> Curve-25519 encryption key.
>
> Back in the '90s, certificates almost always held a single key that was
> used for both encryption and signing.  Then we realized, "if the courts
> force us to give our decryption key to the cops so they can read our
> traffic, we're also giving them the ability to impersonate us."  Since
> then, virtually every OpenPGP certificate has had at least two keys: one
> for signing and one for encryption.
>
> There are cases where three or more keys are appropriate, but they're
> kind of outside the scope of the current discussion.
>
> >> Sure it does.  I did that no more than twenty minutes ago myself.
> >
> > So I typed the gpg --import > certificate.txt command and it says "no
> > such file or directory: certificate.txt" (certificate has a different
> > name of course).
>
> Did you notice the command is "gpg --import < certificate.txt"?
>
> > I placed the file in my .gnupg hidden folder.
>
> Then you'd need to do "gpg --import < ~/.gnupg/certificate.txt".  If
> certificate.txt isn't in your current directory, you need to tell Linux
> where to look for it.
>
> > Here is really the root of my problem.  As you probably know, I'm not
> > using a Web Key Service/Directory enabled email provider, so if I were
> > to get an encrypted message intended for me, I'd have to copy the
> > encryption text, paste it into txt file, then import/decrypt it like
> > that with: gpg --decrypt ~/Desktop/encryptedfile.txt | perl
> > -MMIME::QuotedPrint -0777 -nle 'print decode_qp($_)'
>
> That's shockingly bad.
>
> Try using an email client with OpenPGP support built-in.  On Linux the
> two major choices are Evolution and Thunderbird.
>
> > That's a command I found online from a source that I've been using for
> > learning pgp.
>
> Please stop using that resource.  As mentioned above, it's shockingly bad.
>
> As the FAQ says, "The good news is the internet is a treasure trove of
> information. The bad news is that the internet is a festering sewer of
> misinformation, conspiracy theories, and half-informed speculations all
> masquerading as informed commentary."



Re: fingerprint associated public key does not match displayed public key

2021-12-18 Thread Ingo Klöcker
On Friday, 17 December 2021 18:04:04 CET S.B. via Gnupg-users wrote:
> > Otherwise, you can simply send your exported key to the person you want to
> > give your public key to.
> 
> Yeah so, I can attach the .asc file that's in my Disk/users/SamiBadri
> folder (it's the only .asc file I've seen), but I'm assuming that is
> my public key.  Is that correct?

Well, it depends. We have no idea what the .asc file in Disk/users/SamiBadri 
contains. It could be your public key. Or it could be somebody else's public 
key. Or it could be something other than a public key.

Quite frankly, I suggest that you follow Robert's advice and start your 
learning experience with OpenPGP by using an email client that supports 
OpenPGP out-of-the-box. All decent email clients should have a functionality 
to attach your public key to an email without you having to attach some file 
manually.

> Is there any way to send your private key?

Sure. You can send any file to anyone, so, of course, you can do the same with 
your private key (unless it's stored on a smartcard in a read-protected slot).

A decent email client should not offer a functionality to attach your secret 
key to an email. So, if you stick to what your email client offers you, then 
you should be safe.

> I want to know so that I don't do it accidentally.

Then don't attach random files you find on your disk to your emails without 
knowing what those files contain.

> Also, if I
> use the cat SamiB.asc command, the terminal reveals a certificate (and
> I assume that's my public key certificate).

You shouldn't assume anything if you are dealing with encryption software. You 
should be sure what you are doing. Otherwise, in the extreme, you could 
jeopardize the lives of other people.

> Can I copy/paste and send
> that as a txt attachment?  Will they be able to do anything with it?
> For instance, let's say they don't have my email, key ID, or
> fingerprint, only the pgp public key block (aka certificate), can you
> do anything with a txt-type file that only shows the certificate in
> armor?

If you send someone the public key block of your public key, e.g. some file 
that contains something like

-BEGIN PGP PUBLIC KEY BLOCK-

[...]
-END PGP PUBLIC KEY BLOCK-

then this person can import your public key in their keyring and use it to 
verify signatures made by you and to encrypt text or files for you.

You can use the command
gpg --show-key < SamiB.asc
to have a look at the key (or keys) contained in SamiB.asc. But, as with using
a proper email client you should probably also use a proper graphical tool for
working with GnuPG. On Linux, I suggest using Kleopatra. On Windows, I
recommend gpg4win.

> Lastly, I see that you have attached a signature .asc file with your
> email.  I can import that file, and compare to?

No, you cannot import that file. You need an email client that supports 
OpenPGP to do anything useful with it.

Alternatively, you could have a look at Mailvelope (https://mailvelope.com). 
It's a browser add-on that will extend GMail (and many other webmail 
providers) with OpenPGP support.

Regards,
Ingo


signature.asc
Description: This is a digitally signed message part.


Re: fingerprint associated public key does not match displayed public key

2021-12-18 Thread Andrew Gallagher via Gnupg-users

> On 18 Dec 2021, at 02:25, Robert J. Hansen via Gnupg-users wrote:
> 
> As the FAQ says, "The good news is the internet is a treasure trove of 
> information. The bad news is that the internet is a festering sewer of 
> misinformation, conspiracy theories, and half-informed speculations all 
> masquerading as informed commentary."

Indeed. The internet is also full of articles that haven’t been updated since 
before the iPhone was invented, and thus are *at best* so technologically 
outdated they might as well be written in hieroglyphics…

A


Re: fingerprint associated public key does not match displayed public key

2021-12-17 Thread Robert J. Hansen via Gnupg-users

> What other keys would it hold?

Behold:

pub   ed25519/1E7A94D4E87F91D5 2021-02-22 [SC]
      7D8EC4B85B6FEDD6C10D3C791E7A94D4E87F91D5
uid [ultimate] Robert J. Hansen 
uid [ultimate] Robert J. Hansen 
sub   cv25519/7D6CCDB66CA1202F 2021-02-22 [E]

My public certificate has two keys: an Edwards-25519 signing key and a
Curve-25519 encryption key.

Back in the '90s, certificates almost always held a single key that was
used for both encryption and signing.  Then we realized, "if the courts
force us to give our decryption key to the cops so they can read our
traffic, we're also giving them the ability to impersonate us."  Since
then, virtually every OpenPGP certificate has had at least two keys: one
for signing and one for encryption.

There are cases where three or more keys are appropriate, but they're
kind of outside the scope of the current discussion.

>> Sure it does.  I did that no more than twenty minutes ago myself.
>
> So I typed the gpg --import > certificate.txt command and it says "no
> such file or directory: certificate.txt" (certificate has a different
> name of course).

Did you notice the command is "gpg --import < certificate.txt"?

> I placed the file in my .gnupg hidden folder.

Then you'd need to do "gpg --import < ~/.gnupg/certificate.txt".  If
certificate.txt isn't in your current directory, you need to tell Linux
where to look for it.

> Here is really the root of my problem.  As you probably know, I'm not
> using a Web Key Service/Directory enabled email provider, so if I were
> to get an encrypted message intended for me, I'd have to copy the
> encryption text, paste it into txt file, then import/decrypt it like
> that with: gpg --decrypt ~/Desktop/encryptedfile.txt | perl
> -MMIME::QuotedPrint -0777 -nle 'print decode_qp($_)'

That's shockingly bad.

Try using an email client with OpenPGP support built-in.  On Linux the
two major choices are Evolution and Thunderbird.

> That's a command I found online from a source that I've been using for
> learning pgp.

Please stop using that resource.  As mentioned above, it's shockingly bad.

As the FAQ says, "The good news is the internet is a treasure trove of
information. The bad news is that the internet is a festering sewer of
misinformation, conspiracy theories, and half-informed speculations all
masquerading as informed commentary."




Re: fingerprint associated public key does not match displayed public key

2021-12-17 Thread S.B. via Gnupg-users
> Key(s): a certificate holds at least one, but usually more than one.

I see.  So, a certificate (aka pgp public key block) holds at least
one key (+ pertinent metadata that changes/updates depending on use,
etc.), but usually more.  What other keys would it hold?  The paired
secret key?  No.  Other public keys in my key ring?  Unlikely.  If the
certificate is made for encryption of a message that only one specific
secret key can decrypt, why would it hold more than one key?

>> But the import command doesn't work with txt.
> Sure it does.  I did that no more than twenty minutes ago myself.

So I typed the gpg --import > certificate.txt command and it says "no
such file or directory: certificate.txt" (certificate has a different
name of course).  I placed the file in my .gnupg hidden folder.

Here is really the root of my problem.  As you probably know, I'm not
using a Web Key Service/Directory enabled email provider, so if I were
to get an encrypted message intended for me, I'd have to copy the
encryption text, paste it into txt file, then import/decrypt it like
that with: gpg --decrypt ~/Desktop/encryptedfile.txt | perl
-MMIME::QuotedPrint -0777 -nle 'print decode_qp($_)'
That's a command I found online from a source that I've been using for
learning pgp.

What am I missing?  Does this only work well with WKS/D enabled
message services?

On Fri, Dec 17, 2021 at 12:42 PM Robert J. Hansen  wrote:
>
> > The document snapshot analogy really helps.
>
> I'm glad it's helped!
>
> >> No, and I'm going to strongly encourage you to stop asking
> > implementation questions.
> >
> > I think I'll take that advice.
>
> When you think you're ready, we'll be here to answer your implementation
> questions.  It would break my heart if you thought you should never ask
> them -- I just, only, think that diving into implementation details is
> almost always a bad idea for new users.
>
> If you want to teach someone poetry you start by showing them the witty
> banter and playful puns in Shakespeare, and encourage them to laugh and
> enjoy the show.  Learning about iambic pentameter can wait.  :)
>
> > I'm getting the picture now.  The pgp key block is really the
> > certificate.  The certificate holds the key and metadata.
>
> Key(s): a certificate holds at least one, but usually more than one.
> Beyond that minor detail you've got it perfect.
>
> >> gpg --import < certificate.asc
> >
> > So, when dealing with a displayed certificate (what I was calling a
> > pgp public key block), the only method I thought of was copying and
> > pasting it onto a txt file.  But the import command doesn't work with
> > txt.
>
> Sure it does.  I did that no more than twenty minutes ago myself.
>
> How were you trying to do this?



Re: fingerprint associated public key does not match displayed public key

2021-12-17 Thread Robert J. Hansen via Gnupg-users

> The document snapshot analogy really helps.

I'm glad it's helped!

>> No, and I'm going to strongly encourage you to stop asking
>> implementation questions.
>
> I think I'll take that advice.

When you think you're ready, we'll be here to answer your implementation
questions.  It would break my heart if you thought you should never ask
them -- I just, only, think that diving into implementation details is
almost always a bad idea for new users.

If you want to teach someone poetry you start by showing them the witty
banter and playful puns in Shakespeare, and encourage them to laugh and
enjoy the show.  Learning about iambic pentameter can wait.  :)

> I'm getting the picture now.  The pgp key block is really the
> certificate.  The certificate holds the key and metadata.

Key(s): a certificate holds at least one, but usually more than one.
Beyond that minor detail you've got it perfect.

>> gpg --import < certificate.asc
>
> So, when dealing with a displayed certificate (what I was calling a
> pgp public key block), the only method I thought of was copying and
> pasting it onto a txt file.  But the import command doesn't work with
> txt.

Sure it does.  I did that no more than twenty minutes ago myself.

How were you trying to do this?



Re: fingerprint associated public key does not match displayed public key

2021-12-17 Thread S.B. via Gnupg-users
> Please reply inline unless your email client makes this difficult.

I will be doing that from now on.  I'm not sure of any other way
besides manually copying and pasting, but that's not a problem.

> There is a Frequently Asked Questions document that you may want to read if
you haven't done so already:

I read the whole thing.  It helped a little, but there was a lot that
I just don't get (yet).  I'll be reading through it again, along with
the users archives, and the manual itself.  I've started on a journey
here, I see that.  There's a lot to learn.  But I am thrilled to learn
it all.  I do appreciate all the help.

> The easiest way is to use WKD/WKS (Web Key Directory/Service) if your email
provider supports this because then some OpenPGP-aware email clients automatically download
your key when someone enters your email address into their email client. I
don't think gmail supports WKD.

I'll look into a WKS/D supporting email provider.

> Otherwise, you can simply send your exported key to the person you want to
give your public key to.

Yeah so, I can attach the .asc file that's in my Disk/users/SamiBadri
folder (it's the only .asc file I've seen), but I'm assuming that is
my public key.  Is that correct?  Is there any way to send your private
key?  I want to know so that I don't do it accidentally.  Also, if I
use the cat SamiB.asc command, the terminal reveals a certificate (and
I assume that's my public key certificate).  Can I copy/paste and send
that as a txt attachment?  Will they be able to do anything with it?
For instance, let's say they don't have my email, key ID, or
fingerprint, only the pgp public key block (aka certificate), can you
do anything with a txt-type file that only shows the certificate in
armor?

Lastly, I see that you have attached a signature .asc file with your
email.  I can import that file, and compare to?

S.B.

On Fri, Dec 17, 2021 at 7:02 AM Ingo Klöcker  wrote:
>
> Please reply inline unless your email client makes this difficult. As you can
> see from the replies to your messages that's what we prefer on this mailing
> list. It helps to make the context of the replies more clear.
>
> There is a Frequently Asked Questions document that you may want to read if
> you haven't done so already:
> https://gnupg.org/faq/gnupg-faq.html
>
> On Friday, 17 December 2021 02:43:25 CET S.B. via Gnupg-users wrote:
> > When you want to give someone your public key, do you normally just
> > give your email, fingerprint, key ID, or the armor form key block?
>
> The easiest way is to use WKD/WKS (Web Key Directory/Service) if your email
> provider supports this because then some OpenPGP-aware email clients automatically download
> your key when someone enters your email address into their email client. I
> don't think gmail supports WKD.
>
> Otherwise, you can simply send your exported key to the person you want to
> give your public key to. You may want to use the option "--export-options
> export-minimal" when exporting your key to keep the armor form key block
> small.
>
> It may also make sense to upload your key to some keyservers, so that people
> can get your key without first having to contact you.
>
> Regards,
> Ingo



Re: fingerprint associated public key does not match displayed public key

2021-12-17 Thread S.B. via Gnupg-users
> Think of them as two different snapshots of the same
document at different points in time, as various minor edits are made to
it.  But the important bits, the stuff you care about, will be
consistent through revisions so long as the fingerprint remains unchanged.

The document snapshot analogy really helps.

> No, and I'm going to strongly encourage you to stop asking
implementation questions.

I think I'll take that advice.

> What you're calling a "key block" is a certificate, not a key.  A certificate
includes cryptographic keys and metadata about those keys.

I'm getting the picture now.  The pgp key block is really the
certificate.  The certificate holds the key and metadata.

> gpg --import < certificate.asc

So, when dealing with a displayed certificate (what I was calling a
pgp public key block), the only method I thought of was copying and
pasting it onto a txt file.  But the import command doesn't work with
txt.  I was thinking of converting the txt to asc using a conversion
app but then I knew that it can't be that difficult.  If the only
thing you have is the person's certificate, and it's not in an .asc
format, is there any other way of importing it into your key ring?  Or
are all public key imports obtained via asc files?

S.B.

On Fri, Dec 17, 2021 at 4:43 AM Robert J. Hansen  wrote:
>
> > That key block did not match the one on his profile. That’s what
> > confused me. But I’m learning (from you guys) that the key blocks
> > don’t necessarily have to match.  So I can assume that:
>
> More accurately, they're very unlikely to match.  The version on his
> site may lack some signatures or user IDs present on the keyserver copy,
> or vice-versa.  Think of them as two different snapshots of the same
> document at different points in time, as various minor edits are made to
> it.  But the important bits, the stuff you care about, will be
> consistent through revisions so long as the fingerprint remains unchanged.
>
> > - the fingerprint is specific for the secret key component of the
> > generated key pair and does not change.
>
> No, and I'm going to strongly encourage you to stop asking
> implementation questions.  You're not ready for them.  For now, learn
> how to use the system, and only then start paying attention to the fine
> detail of how the system is implemented.
>
> But if you insist, see section 12.2 of RFC4880.  "A V4 fingerprint is
> the 160-bit SHA-1 hash of the octet 0x99, followed by the two-octet
> packet length, followed by the entire Public-Key packet starting with
> the version field.  The Key ID is the low-order 64 bits of the fingerprint."
>
> > - the pgp public key is, in a way, fluid. It can take many different
> > forms but encrypts specifically for the matching secret key only. The
> > same public key can have different key blocks.
>
> No.  This will probably become easier to understand if we use the
> correct language.  *Keys* are not fluid.  *Certificates* can be.  What
> you're calling a "key block" is a certificate, not a key.  A certificate
> includes cryptographic keys and metadata about those keys.  The keys
> generally don't change (although I can think of pathological cases where
> they do).  The metadata about those keys can change a lot.
>
> Most of the data in a certificate is metadata.
>
> > - I could’ve used the keyserver-obtained public key (retrieved via the
> > fingerprint), or I could’ve used the displayed public key that was
> > given in armor text form.  They are one and the same, even though
> > their revealed text is different.
>
> You could have used it and the odds are quite good it wouldn't have
> mattered in the slightest.
>
> > When you want to give someone your public key, do you normally just
> > give your email, fingerprint, key ID, or the armor form key block?
>
> I use WKS.
>
> > is there a command i could've used to directly import the key using
> > the displayed key block?  I've tried some different ones I found in
> > various places but nothing worked.
>
> gpg --import < certificate.asc

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: fingerprint associated public key does not match displayed public key

2021-12-17 Thread Ingo Klöcker
Please reply inline unless your email client makes this difficult. As you can 
see from the replies to your messages that's what we prefer on this mailing 
list. It helps to make the context of the replies more clear.

There is a Frequently Asked Questions document that you may want to read if 
you haven't done so already:
https://gnupg.org/faq/gnupg-faq.html

On Friday, 17 December 2021 02:43:25 CET S.B. via Gnupg-users wrote:
> When you want to give someone your public key, do you normally just
> give your email, fingerprint, key ID, or the armor form key block?

The easiest way is to use WKD/WKS (Web Key Directory/Service) if your email 
provider supports this because then some OpenPGP-aware email clients automatically download 
your key when someone enters your email address into their email client. I 
don't think gmail supports WKD.

Otherwise, you can simply send your exported key to the person you want to 
give your public key to. You may want to use the option "--export-options 
export-minimal" when exporting your key to keep the armor form key block 
small.

It may also make sense to upload your key to some keyservers, so that people 
can get your key without first having to contact you.

Regards,
Ingo




Re: fingerprint associated public key does not match displayed public key

2021-12-17 Thread Robert J. Hansen via Gnupg-users

> That key block did not match the one on his profile. That’s what
> confused me. But I’m learning (from you guys) that the key blocks
> don’t necessarily have to match.  So I can assume that:

More accurately, they're very unlikely to match.  The version on his
site may lack some signatures or user IDs present on the keyserver copy,
or vice-versa.  Think of them as two different snapshots of the same
document at different points in time, as various minor edits are made to
it.  But the important bits, the stuff you care about, will be
consistent through revisions so long as the fingerprint remains unchanged.

> - the fingerprint is specific for the secret key component of the
> generated key pair and does not change.

No, and I'm going to strongly encourage you to stop asking
implementation questions.  You're not ready for them.  For now, learn
how to use the system, and only then start paying attention to the fine
detail of how the system is implemented.

But if you insist, see section 12.2 of RFC4880.  "A V4 fingerprint is
the 160-bit SHA-1 hash of the octet 0x99, followed by the two-octet
packet length, followed by the entire Public-Key packet starting with
the version field.  The Key ID is the low-order 64 bits of the fingerprint."

> - the pgp public key is, in a way, fluid. It can take many different
> forms but encrypts specifically for the matching secret key only. The
> same public key can have different key blocks.

No.  This will probably become easier to understand if we use the
correct language.  *Keys* are not fluid.  *Certificates* can be.  What
you're calling a "key block" is a certificate, not a key.  A certificate
includes cryptographic keys and metadata about those keys.  The keys
generally don't change (although I can think of pathological cases where
they do).  The metadata about those keys can change a lot.

Most of the data in a certificate is metadata.

> - I could’ve used the keyserver-obtained public key (retrieved via the
> fingerprint), or I could’ve used the displayed public key that was
> given in armor text form.  They are one and the same, even though
> their revealed text is different.

You could have used it and the odds are quite good it wouldn't have
mattered in the slightest.

> When you want to give someone your public key, do you normally just
> give your email, fingerprint, key ID, or the armor form key block?

I use WKS.

> is there a command i could've used to directly import the key using
> the displayed key block?  I've tried some different ones I found in
> various places but nothing worked.

gpg --import < certificate.asc



Re: fingerprint associated public key does not match displayed public key

2021-12-16 Thread S.B. via Gnupg-users
Thank you guys.  This is helping.

No, I did not export the key.  Using the fingerprint, I downloaded the
asc file from openpgp.org and placed it into my disk/users/SamiBadri,
and then used the command: cat filename, to reveal the key block.

That key block did not match the one on his profile. That’s what
confused me. But I’m learning (from you guys) that the key blocks
don’t necessarily have to match.  So I can assume that:

- the fingerprint is specific for the secret key component of the
generated key pair and does not change.

- the pgp public key is, in a way, fluid. It can take many different
forms but encrypts specifically for the matching secret key only. The
same public key can have different key blocks.

- I could’ve used the keyserver-obtained public key (retrieved via the
fingerprint), or I could’ve used the displayed public key that was
given in armor text form.  They are one and the same, even though
their revealed text is different.

Is all this correct?

When you want to give someone your public key, do you normally just
give your email, fingerprint, key ID, or the armor form key block?

and...

is there a command i could've used to directly import the key using
the displayed key block?  I've tried some different ones I found in
various places but nothing worked.

Thank you guys.
S.B.

On Thu, Dec 16, 2021 at 11:12 AM Robert J. Hansen via Gnupg-users
 wrote:
>
> > when i compared the imported pgp public key block (which I obtained
> > using the import command and the provided fingerprint) to the
> > displayed pgp public key block, they didn't match
> >
> > shouldn't they match?
>
> No.
>
> The key block is not a human-readable format.  It's a binary format
> that's meant to be read by computers.
>
> Imagine a word processing document.  You open up a blank document and
> type "Hello, World!".  You save that as document-1.  Then you think
> about it, erase your text, write something else, delete that, too, and
> after some more hemming and hawing you go back to "Hello, World!".  You
> save this as document-2.
>
> Now open up document-1 and document-2 in a hex editor.  Despite the fact
> they have exactly the same *human-meaningful* information, the two
> documents will look different to a computer.  Things like a timestamp
> for when it was last edited, things like a revision history, things
> like... etc.
>
> For all human purposes, document-1 and document-2 are the same.  But
> they're different on disk, and that's okay.
>
> The exact same thing happens with OpenPGP certificates.  When you import
> the certificate, GnuPG starts tracking other information -- the same way
> the word processor does.  But that doesn't mean the certificate is
> *different*, really, not in any way you care about.
>
> Hope this helps!
>



Re: fingerprint associated public key does not match displayed public key

2021-12-16 Thread Gregor Zattler via Gnupg-users
Hi S.B.,
* "S.B. via Gnupg-users"  [2021-12-16; 10:37]:
> maybe I'm not explaining it well.  I was able to import a public key using:
>
> gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys fingerprint*
>
> the fingerprint was provided to me by the intended recipient via their
> profile page.
>
> the profile page also displayed the pgp public key block
>
> when i compared the imported pgp public key block (which I obtained
> using the import command and the provided fingerprint) to the
> displayed pgp public key block, they didn't match

I assume you exported the public key you just downloaded
from the key server with gpg --export --armor fingerprint?
and then compared the output of this command to the key
block shown on the web page?

> shouldn't they match?

then no, they do not need to match.  The fingerprint is the
fingerprint of the private signing key, while the key blocks
in question are the public key with its signatures.  At
different times these may not match, because in between
someone might have signed the public key.  Then the public
key block with this additional signature is different from
the time before the signature was added.  The signer might
have mailed this public key block to the keys owner or to
the key server and the key owner might or might not have
imported this change to her/his public key and might have
updated the website or perhaps not.



Ciao; Gregor
--
 -... --- .-. . -.. ..--.. ...-.-



Re: fingerprint associated public key does not match displayed public key

2021-12-16 Thread Robert J. Hansen via Gnupg-users

> when i compared the imported pgp public key block (which I obtained
> using the import command and the provided fingerprint) to the
> displayed pgp public key block, they didn't match
>
> shouldn't they match?

No.

The key block is not a human-readable format.  It's a binary format
that's meant to be read by computers.

Imagine a word processing document.  You open up a blank document and
type "Hello, World!".  You save that as document-1.  Then you think
about it, erase your text, write something else, delete that, too, and
after some more hemming and hawing you go back to "Hello, World!".  You
save this as document-2.

Now open up document-1 and document-2 in a hex editor.  Despite the fact
they have exactly the same *human-meaningful* information, the two
documents will look different to a computer.  Things like a timestamp
for when it was last edited, things like a revision history, things
like... etc.

For all human purposes, document-1 and document-2 are the same.  But
they're different on disk, and that's okay.

The exact same thing happens with OpenPGP certificates.  When you import
the certificate, GnuPG starts tracking other information -- the same way
the word processor does.  But that doesn't mean the certificate is
*different*, really, not in any way you care about.

Hope this helps!



Re: fingerprint associated public key does not match displayed public key

2021-12-16 Thread Ingo Klöcker
On Thursday, 16 December 2021 16:37:30 CET S.B. via Gnupg-users wrote:
> maybe I'm not explaining it well.

Indeed.

> I was able to import a public key using:
> 
> gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys fingerprint*
> 
> the fingerprint was provided to me by the intended recipient via their
> profile page.
> 
> the profile page also displayed the pgp public key block
> 
> when i compared the imported pgp public key block (which I obtained
> using the import command and the provided fingerprint) to the
> displayed pgp public key block, they didn't match
> 
> shouldn't they match?

I'm sorry, but I have no idea what you are comparing because you do not tell 
us how you get the "fingerprints" that you are comparing.

If you do not want to give us more details because you want to protect the 
personal data of the intended recipient then that's completely understandable. 
But in this case you have to ask the intended recipient why the information 
provided by them on their profile page does not match what you get when you 
receive their key from the key server.

Regards,
Ingo




Re: fingerprint associated public key does not match displayed public key

2021-12-16 Thread S.B. via Gnupg-users
maybe I'm not explaining it well.  I was able to import a public key using:

gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys fingerprint*

the fingerprint was provided to me by the intended recipient via their
profile page.

the profile page also displayed the pgp public key block

when i compared the imported pgp public key block (which I obtained
using the import command and the provided fingerprint) to the
displayed pgp public key block, they didn't match

shouldn't they match?

thank you


On Thu, Dec 16, 2021 at 8:34 AM Ingo Klöcker  wrote:
>
> On Thursday, 16 December 2021 12:52:28 CET S.B. via Gnupg-users wrote:
> > Here is my situation:  I have imported a public key using
> > gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys fingerprint*
> >
> > *provided by the intended recipient on their profile page
> >
> > The person also displayed the pgp public key block text (in armor) but
> > not as an asc file.  I first tried importing the block directly into
> > gpg but couldn't figure it out.
> >
> > when comparing the imported key (again, obtained via the keyserver
> > using the fingerprint) to the displayed public key block, they do not
> > match.
>
> How do you do this, i.e. what commands are you using?
>
> > Reasons for this (I think) are:
> > 1.  either the fingerprint or the key has been changed but not updated
> > on the profile page
>
> The fingerprint of an OpenPGP key never changes (except if its creation time
> changes).
>
> Regards,
> Ingo



Re: fingerprint associated public key does not match displayed public key

2021-12-16 Thread Ingo Klöcker
On Thursday, 16 December 2021 12:52:28 CET S.B. via Gnupg-users wrote:
> Here is my situation:  I have imported a public key using
> gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys fingerprint*
> 
> *provided by the intended recipient on their profile page
> 
> The person also displayed the pgp public key block text (in armor) but
> not as an asc file.  I first tried importing the block directly into
> gpg but couldn't figure it out.
> 
> when comparing the imported key (again, obtained via the keyserver
> using the fingerprint) to the displayed public key block, they do not
> match.

How do you do this, i.e. what commands are you using?

> Reasons for this (I think) are:
> 1.  either the fingerprint or the key has been changed but not updated
> on the profile page

The fingerprint of an OpenPGP key never changes (except if its creation time 
changes).

Regards,
Ingo




fingerprint associated public key does not match displayed public key

2021-12-16 Thread S.B. via Gnupg-users
Hello GnuPG world,

I'm a new (and obsessed) pgp user, so please bear with me.  Also, I
hope I'm in the right place.  I read through some archives and the
questions seemed a little advanced.  I hope I'm not annoying anyone
here.

I use GnuPG 2.3.3 on a MacBook Pro running Mac OS Monterey (v. 12.0.1)

Here is my situation:  I have imported a public key using
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys fingerprint*

*provided by the intended recipient on their profile page

The person also displayed the pgp public key block text (in armor) but
not as an asc file.  I first tried importing the block directly into
gpg but couldn't figure it out.

when comparing the imported key (again, obtained via the keyserver
using the fingerprint) to the displayed public key block, they do not
match.

Reasons for this (I think) are:
1.  either the fingerprint or the key has been changed but not updated
on the profile page
2.  it's a scam/hack
3.  I don't understand what's going on (most likely reason)

Any help would be appreciated.

Thank you.



Re: Best way to get fingerprint programmatically

2019-12-19 Thread Werner Koch via Gnupg-users
On Wed, 18 Dec 2019 11:51, john doe said:
> By any chance, could something like the following be implemented?:
>
> $ gpg -K --print-fingerprint-only test

I doubt that this helps because the only way to get a single result is
to use the fingerprint for .  Thus a second info item would be
required to show the user-id matching the fingerprint - et voila we are
back to --with-colon listing parsing.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.



Re: Best way to get fingerprint programmatically

2019-12-18 Thread Eric F via Gnupg-users

On 12/18/19 10:56 , Andrew Gallagher wrote:
> On 18/12/2019 09:32, Werner Koch via Gnupg-users wrote:
>> The  -F:: is an interesting hack but Andrew's or my variant works
>> with all AWK implementations:
>>
>>awk -F: '$1=="fpr" {print $10}' | head -1
> Aha, I forgot about handling multiple results. Note that you don't need
> head if you're already using awk:
>
>   awk -F: '$1=="fpr" {print $10; exit}'
>
> :-D

This was really interesting. Thanks for that tip (all of you). :)
Updated a key the other day, in a more manual way.

What about updating sub-keys…

$ gpg --with-colons -k 0xlongid | awk -F: '$1=="fpr" {print $10}'
0123…
4567…
8901…
2345…

Any convenient way to automate that, or can I just loop it? …something like:

$ for k in $(gpg --with-colons -k 0xlongid | awk -F: '$1=="fpr" {print $10}'); 
do \
> gpg --quick-set-expire ${k} ; done


 · Eric
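The awk one-liners in this thread pull field 10 of the fpr records out of `gpg --with-colons` output, Eric's loop above walks every fpr record including the subkeys, and Werner's point is that a user ID can match more than one certificate while a fingerprint identifies exactly one. As an added example (not code from the posts or from GnuPG), the Python below parses a constructed listing in that colon format: it returns the primary fingerprint only, the primary-plus-subkey list that the subkey loop would iterate over, refuses to return a fingerprint when the match is ambiguous, and cross-checks each key ID against the low-order 64 bits of its fingerprint. The listings and every key ID and fingerprint in them are made up for the example.

```python
"""Extract fingerprints from `gpg --with-colons` key listings.

Added example; not code from the list posts or from GnuPG.  The listings
below are constructed sample output in the documented colon format, and
every key ID and fingerprint in them is made up.
"""
import re

# Constructed: one certificate with one encryption subkey, user ID "test".
SAMPLE_LISTING = """\
tru::1:1639612800:0:3:1:5
pub:u:3072:1:89ABCDEF01234567:1639612800:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1639612800::0000000000000000000000000000000000000000::test <test@example.invalid>::::::::::0:
sub:u:3072:1:0123456789ABCDEF:1639612800::::::e::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
"""

# Constructed: a second certificate whose user ID also matches "test".
AMBIGUOUS_LISTING = SAMPLE_LISTING + """\
pub:u:3072:1:FEDCBA9876543210:1639699200:::u:::scESC::::::23::0:
fpr:::::::::FFEEDDCCBBAA998877665544FEDCBA9876543210:
uid:u::::1639699200::1111111111111111111111111111111111111111::test <other@example.invalid>::::::::::0:
"""


def parse_colon_listing(text: str) -> list:
    """Return certificates as dicts with keyid, fingerprint, uids and subkeys.

    Field 5 of a pub/sub record is the key ID; field 10 of the fpr record
    that follows it is the fingerprint; field 10 of a uid record is the user ID.
    """
    certs = []
    pending = None                      # pub or sub dict waiting for its fpr record
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            cert = {"keyid": f[4], "fingerprint": None, "uids": [], "subkeys": []}
            certs.append(cert)
            pending = cert
        elif f[0] == "sub" and certs:
            sub = {"keyid": f[4], "fingerprint": None}
            certs[-1]["subkeys"].append(sub)
            pending = sub
        elif f[0] == "fpr" and pending is not None:
            pending["fingerprint"] = f[9]
            pending = None
        elif f[0] == "uid" and certs:
            certs[-1]["uids"].append(f[9])
    return certs


def primary_fingerprints(text: str) -> list:
    """Primary-key fingerprints only; the first is what the awk one-liner with `exit` prints."""
    return [c["fingerprint"] for c in parse_colon_listing(text)]


def all_fingerprints(text: str) -> list:
    """Primary and subkey fingerprints in listing order (what a per-subkey loop walks)."""
    out = []
    for c in parse_colon_listing(text):
        out.append(c["fingerprint"])
        out.extend(s["fingerprint"] for s in c["subkeys"])
    return out


def unique_fingerprint(text: str) -> str:
    """The single fingerprint a script may hand to --quick-set-expire, or an error.

    A user ID can match several certificates; a fingerprint names exactly one,
    so a script must refuse to guess instead of acting on the first hit.
    """
    fps = primary_fingerprints(text)
    if len(fps) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(fps)}")
    return fps[0]


def check_listing(text: str) -> bool:
    """Every key record must carry a 40-hex-digit V4 fingerprint whose
    low-order 64 bits (last 16 hex digits) equal the record's key ID."""
    for c in parse_colon_listing(text):
        for rec in [c] + c["subkeys"]:
            fpr = rec["fingerprint"] or ""
            if not re.fullmatch(r"[0-9A-F]{40}", fpr):
                return False
            if not fpr.endswith(rec["keyid"].upper()):
                return False
    return True


if __name__ == "__main__":
    print("primary:", primary_fingerprints(SAMPLE_LISTING))
    print("all    :", all_fingerprints(SAMPLE_LISTING))
    print("unique :", unique_fingerprint(SAMPLE_LISTING))
    print("valid  :", check_listing(AMBIGUOUS_LISTING))
```

A real script would feed `gpg --with-colons -k <pattern>` into `parse_colon_listing` and call `unique_fingerprint` before `--quick-set-expire`; the check for exactly one certificate is the part the awk `exit` silently skips, since it just takes whichever certificate gpg lists first.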

Re: Best way to get fingerprint programmatically

2019-12-18 Thread john doe
On 12/18/2019 10:56 AM, Andrew Gallagher wrote:
> On 18/12/2019 09:32, Werner Koch via Gnupg-users wrote:
>> The  -F:: is an interesting hack but Andrew's or my variant works
>> with all AWK implementations:
>>
>>awk -F: '$1=="fpr" {print $10}' | head -1
>
> Aha, I forgot about handling multiple results. Note that you don't need
> head if you're already using awk:
>
>   awk -F: '$1=="fpr" {print $10; exit}'
>

Thanks to both of you, I'll go with the awk version, that way, I can
avoid unneeded pipe redirection! :)


By any chance, could something like the following be implemented?:

$ gpg -K --print-fingerprint-only test


Which would only print the fingerprint to avoid the awk redirection
altogether.

--
John Doe



Re: Best way to get fingerprint programmatically

2019-12-18 Thread Andrew Gallagher
On 18/12/2019 09:32, Werner Koch via Gnupg-users wrote:
> The  -F:: is an interesting hack but Andrew's or my variant works
> with all AWK implementations:
> 
>awk -F: '$1=="fpr" {print $10}' | head -1

Aha, I forgot about handling multiple results. Note that you don't need
head if you're already using awk:

awk -F: '$1=="fpr" {print $10; exit}'

:-D

-- 
Andrew Gallagher




Re: Best way to get fingerprint programmatically

2019-12-18 Thread Werner Koch via Gnupg-users
On Wed, 18 Dec 2019 08:19, john doe said:

> In other words, why '--quick-set-expire' requires a fingerprint and does
> not accept a .

Only the fingerprint is a unique identifier for the keyblock (aka
certificate, public key).  Allowing a User-id would require extra code
in gpg and by the caller to either ask back or to fail if there is an
ambiguity.

The  -F:: is an interesting hack but Andrew's or my variant works
with all AWK implementations:

   awk -F: '$1=="fpr" {print $10}' | head -1


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.



Re: Best way to get fingerprint programmatically

2019-12-18 Thread Andrew Gallagher
On 18/12/2019 07:19, john doe wrote:
> $ gpg --quick-set-expire $(gpg --with-colons -k test | awk -F:
> 'NR==3{print substr($2,1,length($2)-1)}') 1d
> 
> I'm just wondering if there isn't a better, programmatically, way to go
> about it?
Your awk looks awkward to me. What about this instead?

awk -F: '/^fpr/ {print $10}'

-- 
Andrew Gallagher




Best way to get fingerprint programmatically

2019-12-18 Thread john doe
Hi,

I'm using the following command to get the fingerprint to quickly change
the expiration date on a key.

$ gpg --quick-set-expire $(gpg --with-colons -k test | awk -F:
'NR==3{print substr($2,1,length($2)-1)}') 1d


I'm just wondering if there isn't a better, programmatically, way to go
about it?

In other words, why '--quick-set-expire' requires a fingerprint and does
not accept a .


Any input is welcome.

--
John Doe



Re: Public vs Private Fingerprint

2018-08-14 Thread Andrew Nesbit
Hello all,

>> On 14 Aug 2018, at 13:43, Damien Goutte-Gattat via Gnupg-users 
>>  wrote:
>> 
>>> On 08/14/2018 12:05 PM, Ralph Corderoy wrote:
>> 
>> A [V4] fingerprint is the 160-bit SHA-1 hash of the octet 0x99,
>> followed by the two-octet packet length, followed by the entire
>> *Public-Key packet* starting with the version field.

Following on from this, in my experience, studying the output of the 
`--list-packets` option has been one of the most effective ways of learning how 
GnuPG works.

See 
https://gnupg.org/documentation/manuals/gnupg/Operational-GPG-Commands.html#index-list_002dpackets

Andrew


Public vs Private Fingerprint

2018-08-14 Thread Damien Goutte-Gattat via Gnupg-users
On 08/14/2018 12:05 PM, Ralph Corderoy wrote:
> That was my conclusion after having searched a bit this morning,
> but I didn't notice it explicitly documented?

Maybe not in GnuPG's manual, but it is explicitly documented in the
specification of the OpenPGP format (RFC 4880, §12.2 [1]):

> A [V4] fingerprint is the 160-bit SHA-1 hash of the octet 0x99,
> followed by the two-octet packet length, followed by the entire
> *Public-Key packet* starting with the version field.


Damien

[1] https://tools.ietf.org/html/rfc4880#section-12.2



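Robert's quotation of RFC 4880 section 12.2 earlier on this page and Damien's citation of the same section here both describe the fingerprint hash input in words. The following Python is an added example, not code from any post or from GnuPG: it builds a V4 fingerprint and key ID from constructed toy packets (a far-too-small RSA modulus, a made-up user ID, a placeholder signature body) and shows the two points these threads turn on: two certificate snapshots that differ only in metadata packets share one fingerprint, and only the public-key fields are hashed, which is why gpg shows the same fingerprint for a secret key as for its public half.

```python
"""V4 OpenPGP fingerprints and key IDs, per RFC 4880 section 12.2.

Added example; not code from GnuPG or from the list posts.  All inputs
below are constructed toy data and do not form a usable key.
"""
import hashlib
import struct

TAG_PUBLIC_KEY = 6   # Public-Key packet
TAG_USER_ID = 13     # User ID packet
TAG_SIGNATURE = 2    # Signature packet


def old_format_packet(tag: int, body: bytes) -> bytes:
    """Old-format header with a two-octet length: CTB = 0x80 | tag << 2 | 1.

    For tag 6 the CTB is 0x99, exactly the octet RFC 4880 puts in front
    of the fingerprint hash input.
    """
    if len(body) > 0xFFFF:
        raise ValueError("body too long for a two-octet length")
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


def parse_packets(data: bytes):
    """Yield (tag, body) for a run of old-format packets (length types 0-2)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0xC0 != 0x80:
            raise ValueError("only old-format packet headers are handled here")
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate-length packets are not handled here")
        lsize = 1 << ltype                      # 1, 2 or 4 length octets
        length = int.from_bytes(data[i + 1:i + 1 + lsize], "big")
        start = i + 1 + lsize
        yield tag, data[start:start + length]
        i = start + length


def v4_fingerprint(public_key_body: bytes) -> bytes:
    """SHA-1 over 0x99 || two-octet length || Public-Key packet body."""
    if not public_key_body or public_key_body[0] != 4:
        raise ValueError("not a version 4 Public-Key packet body")
    return hashlib.sha1(old_format_packet(TAG_PUBLIC_KEY, public_key_body)).digest()


def key_id(fingerprint: bytes) -> bytes:
    """The V4 Key ID is the low-order 64 bits, i.e. the last eight octets."""
    return fingerprint[-8:]


def certificate_fingerprint(certificate: bytes) -> bytes:
    """A certificate's fingerprint is that of its primary Public-Key packet;
    user ID and signature packets are metadata and never enter the hash."""
    for tag, body in parse_packets(certificate):
        if tag == TAG_PUBLIC_KEY:
            return v4_fingerprint(body)
    raise ValueError("no Public-Key packet in certificate")


def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: two-octet bit count, then big-endian octets."""
    nbits = value.bit_length()
    return struct.pack(">H", nbits) + value.to_bytes((nbits + 7) // 8, "big")


def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """V4 RSA Public-Key packet body: version 4, creation time, algorithm 1, MPIs n, e.
    The secret-key packet repeats these public fields, so both share one fingerprint."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def pretty(fingerprint: bytes) -> str:
    """Ten groups of four hex digits, the way gpg prints a V4 fingerprint."""
    h = fingerprint.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))


# Constructed toy material, not a real key.
CREATED = 1639612800                       # 2021-12-16 00:00:00 UTC
TOY_N, TOY_E = 0xC4F1B2D9E7A35F0B, 65537   # far too small to be a real modulus
TOY_KEY_BODY = rsa_public_key_body(CREATED, TOY_N, TOY_E)
TOY_UID = b"S.B. <sb@example.invalid>"     # made-up user ID
FAKE_SIG = b"\x04\x13" + b"\x00" * 8       # placeholder body, not a valid signature

# Two "snapshots" of one certificate; the second carries an extra signature packet.
CERT_SNAPSHOT_1 = (old_format_packet(TAG_PUBLIC_KEY, TOY_KEY_BODY)
                   + old_format_packet(TAG_USER_ID, TOY_UID))
CERT_SNAPSHOT_2 = CERT_SNAPSHOT_1 + old_format_packet(TAG_SIGNATURE, FAKE_SIG)


def demo() -> dict:
    fp1 = certificate_fingerprint(CERT_SNAPSHOT_1)
    fp2 = certificate_fingerprint(CERT_SNAPSHOT_2)
    # Same key numbers with a different creation time is a different key.
    fp3 = v4_fingerprint(rsa_public_key_body(CREATED + 1, TOY_N, TOY_E))
    return {"same_across_snapshots": fp1 == fp2,
            "changed_by_creation_time": fp1 != fp3,
            "fingerprint": pretty(fp1),
            "key_id": key_id(fp1).hex().upper()}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because 0x99 is the old-format CTB for a tag 6 packet with a two-octet length, the hashed bytes are just the Public-Key packet as it sits in a keyring; the toy parser here does not handle new-format headers, which real certificates also use. Ingo's remark that the fingerprint only changes with the creation time follows directly: that timestamp is inside the hashed body, while user IDs and signatures are not.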


Re: Public vs Private Fingerprint

2018-08-14 Thread Ralph Corderoy
Hi Damien,

> Actually there's no such thing as a private key fingerprint.
> Fingerprints are only calculated on public keys.

That was my conclusion after having searched a bit this morning,
but I didn't notice it explicitly documented?

-- 
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy



Re: Public vs Private Fingerprint

2018-08-14 Thread Damien Goutte-Gattat via Gnupg-users
On 08/14/2018 05:20 AM, Damian Rivas wrote:
> Is there a reason why the fingerprints for my public and private keys are
> exactly the same?

Actually there's no such thing as a private key fingerprint.
Fingerprints are only calculated on public keys.

(Theoretically you *could* compute a fingerprint on a private key, but
as far as I know that's never used in OpenPGP.)

Even when GnuPG is displaying a private key (e.g. with the
--list-secret-keys command), the fingerprint is the fingerprint of the
corresponding public key.


Damien





Public vs Private Fingerprint

2018-08-13 Thread Damian Rivas
Hello,

Is there a reason why the fingerprints for my public and private keys are
exactly the same?

I'm new to encryption and this may be a dumb question so I apologize in
advance. I just can't seem to find a straightforward answer to this on
Google.

-Damian


Re: fingerprint of key

2017-08-17 Thread Daniel Kahn Gillmor
On Thu 2017-08-17 22:39:21 -0300, Duane Whitty wrote:
> Sounds like a good approach but for someone who has more public keys
> stored than me.  I only exchange encrypted email with a very, very
> small group of people and I am in regular voice communication with
> them.

If you're going to manage a keyring manually, this is the right way to
do it, regardless of how many OpenPGP certificates you have in your
keyring.  (it's actually easier to do when you only have a few)

> I guess using that approach I could import public keys from users on
> this list and then assign them various levels of trust, right down to
> no trust and not locally signed at all.

Note that nothing i outlined in my earlier suggestions involved you
setting "trust levels" (a.k.a. "ownertrust") at all.

setting "full trust" on a key means "i'm willing to accept identity
assertions made by the owner of this key" -- it's equivalent to "adding
a root CA to your browser" in some sense.

You can use GnuPG for years without ever setting any sort of ownertrust
on any key but your own (and if you generated your key in gpg, it
probably already has ultimate ownertrust).

Start with "whose keys do i believe i've checked?" -- that's plain
keysigning.

then, only later, if you really want to get into the whole web-of-trust
thing, should you consider setting ownertrust.

> I suppose I chose to use apt or apt-get because it seems like a more
> convenient way to update things as opposed to getting it straight from
> Oracle.

well said :)

> What I mean is that I have 2 email addresses which each have a
> different private key.  The key for du...@nofroth.com has is
> associated with private counterpart to the key you fetched.  I have
> another email address with a different private key associated to it.

i see, so you're talking about signing with a different key (not a
different uid).  You might want to look into adding the --default-key or
--local-user options before you do your next --edit-key operation.

All the best,

--dkg




Re: fingerprint of key

2017-08-17 Thread Daniel Kahn Gillmor
On Thu 2017-08-17 22:48:36 -0300, Duane Whitty wrote:
> Well, I'm not familiar enough with the arcana to say whether it should
> be done away with or not but, I am a big believer in software not
> trying to guess what I want.  As you said, in version 2.1 GnuPG would
> have complained that I hadn't entered a command, correct?  Does this
> also mean it would have not carried out any action.

nope, GnuPG took the conservative approach and just produced a warning
while still trying to make a guess at what you meant.

> I have to admit to being a little hesitant making these types of
> comments because I don't feel I contributed enough (if anything) to
> have earned that right.  But perhaps as a user the comment is a small
> contribution.  I hope it is seen that way and not as a complaint.

Please don't underestimate the value of suggestions and questions from a
user.  Free software gets better because its users talk about it and
share ideas about how it can improve.  You don't need to have
contributed code to contribute ideas :)

--dkg



Re: fingerprint of key

2017-08-17 Thread Duane Whitty
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256



On 17-08-17 09:20 PM, Daniel Kahn Gillmor wrote:
> On Mon 2017-08-14 22:12:18 -0300, Duane Whitty wrote:
>> Actually one suggestion, the way options and commands are
>> specified look the same.  It might make things clearer if there
>> was a difference in the way they are expressed on the command
>> line.  Perhaps keep the "--" for options and enter commands
>> without the "--".
> 
> I also prefer this kind of "subcommand" syntax -- it matches what
> tools like git and notmuch use.  However, that's a pretty radical
> departure from the historical GnuPG command line, and it's likely
> to break all sorts of existing things that expect to use the
> canonical interface.
> 
> If we're going to make radical departures like that, perhaps we
> should be specifying an entirely new interface that just does "the
> sensible bits" without all the rest of the arcana.
> 
> --dkg
> 
Well, I'm not familiar enough with the arcana to say whether it should
be done away with or not but, I am a big believer in software not
trying to guess what I want.  As you said, in version 2.1 GnuPG would
have complained that I hadn't entered a command, correct?  Does this
also mean it would have not carried out any action.  In my opinion
that would be the correct behaviour.  I am also a fan of the Unix
tradition of software that completes without error not having any
output unless you have asked for output.  Error output going to stderr
of course :-)

I have to admit to being a little hesitant making these types of
comments because I don't feel I contributed enough (if anything) to
have earned that right.  But perhaps as a user the comment is a small
contribution.  I hope it is seen that way and not as a complaint.

Best Regards,
Duane

-- 
Duane Whitty
du...@nofroth.com
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJZlkdxAAoJEOJfpr8UVxtkwXwIAKg6U2hJM2v0469V3Q+dr2k8
6cn8+6nwdkARZQhABP+iSOLbFcnaGL2RLzw26+47E3pqf1X837VeHnsdBZvzQYTQ
oXB/0YTmhjsjL6hpN1V5N5+CHkmMwbwyoHD7XGFpETA/1RfgrhlkqUtcfqjBCUw6
zAvUeD6/rxhASeBb1A231924iSUFqqhkf0IXGvgJmrmIU2hPCZPkdwnxEQ+Lm5K5
8AhsnEKdE3mABlqr0mMM/uuYLI1bknxYT2QtIU2Q1gwH0af4+WqLdcv9H4dMAmQS
HYfYv8s8MAyoqPNZs2QXOg76TBhPHF382MYLGCzT9rHMWaRLk/6zmCZKOSiGtO0=
=5mpS
-----END PGP SIGNATURE-----



Re: fingerprint of key

2017-08-17 Thread Duane Whitty
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



On 17-08-17 09:18 PM, Daniel Kahn Gillmor wrote:
> On Mon 2017-08-14 21:50:13 -0300, Duane Whitty wrote:
>> I perceive keys in my keyring as being ones I trust because of 
>> out-of-band confirmation and used for two-way communications.
> 
> You're not the only person with this perception.  But i'm afraid i
> think it's a mistake, unfortunately.
> 
> Actually safely curating an OpenPGP keyring with GnuPG is a
> non-trivial task.  As an example, here's a damned-if-you-do,
> damned-if-you-don't conundrum:
> 
>  Do you refresh the OpenPGP certificates in the keyring
> regularly (e.g. from the keyservers)?  if you do not, then you risk
> missing notice of revocations, so you probably have some revoked
> keys in your keyring which you didn't know you had.
> 
> If you do refresh them regularly, then it's possible that things
> (new user IDs, etc) get added to the certificates in your keyring
> during the refresh (or possibly whole new certificates get added
> entirely), and it contains things you've never actually vetted. 
> 
> 
> 
> So, how to resolve this?
> 
> The short version is that you should treat your GnuPG keyring as
> an untrusted collection of OpenPGP certificates that you know
> about.  But you can explicitly mark the certificates that you think
> are legitimate by certifying them ("signing the keys").  In
> particular, you can make non-exportable ("local") signatures over
> the key+userid combinations that you have actually confirmed
> out-of-band.
> 
> Even better, if you do that with a key which you have marked with 
> "ultimate" ownertrust, then GnuPG will report a "validity" for
> those user IDs you've signed that matches what you intended to do,
> which is to curate a list of known-valid key+userid combinations.
> 
> But treating the whole local keyring as a curated store is a
> mistake. GnuPG doesn't work that way, and it doesn't expect to work
> that way :(

Sounds like a good approach but for someone who has more public keys
stored than me.  I only exchange encrypted email with a very, very
small group of people and I am in regular voice communication with
them.  But I definitely see the merit in what you describe and believe
that it is a cautious way of proceeding.  I may even try working that
way just to practice for the day when perhaps I consider it necessary
to exchange encrypted mail with people I don't know well and don't
talk with in person or on the telephone regularly.

I guess using that approach I could import public keys from users on
this list and then assign them various levels of trust, right down to
no trust and not locally signed at all.

> 
>> I think the VirtualBox key is just to give people assurance that
>> they are downloading what they intended to download from the
>> source they expected, in this case via apt or apt-get, etc. from
>> an Oracle repo.
> 
> If you fetch the key each time you download something that you want
> to check against the key, how do you know it's the right key over
> time?  If it's "the right key" because it was fetched over a secure
> channel from Oracle, why not just fetch the software over that
> channel?
> 
I suppose I chose to use apt or apt-get because it seems like a more
convenient way to update things as opposed to getting it straight from
Oracle.

> The advantage of having a key stored locally is that you only have
> to risk that network-fetch once; then you can make a local
> certification over its sensible VirtualBox User ID, to mark it as
> the expected key (If the User ID is *not* sensible, please complain
> to VirtualBox!).  Then all future updates can be verified against
> the same key.
> 
> Do you see how that's better than fetching the key each time?
> 
Well, I see it potentially as less work but not less risk.  I
downloaded the key using wget and https.  Then I check the validity of
the key by comparing the fingerprint generated by GnuPG with what
Oracle publishes on the VirtualBox site.  Downloading the key once
works if I implement your previous key/keyring management solution.
Also, bear in mind, no software gets updated automatically on my
system.  I get notified of updates but when the update happens is up
to me.

>> I'm not exactly sure what a good suggestion would be.  Would it
>> be correct to say that going forward usability changes would
>> probably be more likely to happen in the 2.1 branch?  If so I
>> guess I should upgrade to the 2.1 branch.
> 
> If a major change is going to happen in GnuPG, it will be in the
> 2.1 branch (or in 2.3 once 2.2 is released).  the older branches of
> GnuPG (1.4.x and 2.0.x) receive very few changes from upstream.
> 
>> 

Re: fingerprint of key

2017-08-17 Thread Daniel Kahn Gillmor
On Mon 2017-08-14 22:12:18 -0300, Duane Whitty wrote:
> Actually one suggestion, the way options and commands are specified
> look the same.  It might make things clearer if there was a difference
> in the way they are expressed on the command line.  Perhaps keep the
> "--" for options and enter commands without the "--".

I also prefer this kind of "subcommand" syntax -- it matches what tools
like git and notmuch use.  However, that's a pretty radical departure
from the historical GnuPG command line, and it's likely to break all
sorts of existing things that expect to use the canonical interface.

If we're going to make radical departures like that, perhaps we should
be specifying an entirely new interface that just does "the sensible
bits" without all the rest of the arcana.

  --dkg




Re: fingerprint of key

2017-08-17 Thread Daniel Kahn Gillmor
On Mon 2017-08-14 21:50:13 -0300, Duane Whitty wrote:
> I perceive keys in my keyring as being ones I trust because of
> out-of-band confirmation and used for two-way communications.

You're not the only person with this perception.  But i'm afraid i think
it's a mistake, unfortunately.

Actually safely curating an OpenPGP keyring with GnuPG is a non-trivial
task.  As an example, here's a damned-if-you-do, damned-if-you-don't
conundrum:


Do you refresh the OpenPGP certificates in the keyring regularly
(e.g. from the keyservers)?  if you do not, then you risk missing notice
of revocations, so you probably have some revoked keys in your keyring
which you didn't know you had.

If you do refresh them regularly, then it's possible that things (new
user IDs, etc) get added to the certificates in your keyring during the
refresh (or possibly whole new certificates get added entirely), and it
contains things you've never actually vetted.



So, how to resolve this?

The short version is that you should treat your GnuPG keyring as an
untrusted collection of OpenPGP certificates that you know about.  But
you can explicitly mark the certificates that you think are legitimate
by certifying them ("signing the keys").  In particular, you can make
non-exportable ("local") signatures over the key+userid combinations
that you have actually confirmed out-of-band.

Even better, if you do that with a key which you have marked with
"ultimate" ownertrust, then GnuPG will report a "validity" for those
user IDs you've signed that matches what you intended to do, which is to
curate a list of known-valid key+userid combinations.

But treating the whole local keyring as a curated store is a mistake.
GnuPG doesn't work that way, and it doesn't expect to work that way :(

> I think the VirtualBox key is just to give people assurance that they
> are downloading what they intended to download from the source they
> expected, in this case via apt or apt-get, etc. from an Oracle repo.

If you fetch the key each time you download something that you want to
check against the key, how do you know it's the right key over time?  If
it's "the right key" because it was fetched over a secure channel from
Oracle, why not just fetch the software over that channel?

The advantage of having a key stored locally is that you only have to
risk that network-fetch once; then you can make a local certification
over its sensible VirtualBox User ID, to mark it as the expected key (If
the User ID is *not* sensible, please complain to VirtualBox!).  Then all
future updates can be verified against the same key.

Do you see how that's better than fetching the key each time?

> I'm not exactly sure what a good suggestion would be.  Would it be
> correct to say that going forward usability changes would probably be
> more likely to happen in the 2.1 branch?  If so I guess I should
> upgrade to the 2.1 branch.

If a major change is going to happen in GnuPG, it will be in the 2.1
branch (or in 2.3 once 2.2 is released).  the older branches of GnuPG
(1.4.x and 2.0.x) receive very few changes from upstream.

> I can say that what I usually end up being challenged by is importing
> keys into my keyring and on being able to choose which UID I want to
> sign with.  Maybe that just means I don't know the software well enough.

You don't sign with a UID, you sign with a key.

> The approach I took was "gpg2 --search u...@domain.com" and "gpg2
> --recv-keys key-fingerprint".  Then I did a "gpg2 --edit-key
> key-fingerprint" to sign the key with my default UID.  I thought I
> would get a menu to select options from when I used --edit-key but
> instead I was presented with the prompt "gpg>" and I had to type the
> sign command.  It worked but I might have chosen to sign the key with
> a key from a different UID.

Again, i'm not sure what you mean by "sign from a UID".  can you be more
clear?  You're signing your friend's key+uid, from (or "with") your
primary key.

> Not sure if my method of importing to my keyring and signing the new
> public key was the usual or easiest method but it worked.

Sounds reasonable to me, except that you had to use --recv-keys, rather
than just selecting the key to fetch from the --search interface.

here's a transcript of me fetching a key that appears to be yours from the 
keyservers:

0 dkg@alice:~$ gpg --search du...@nofroth.com
gpg: data source: https://145.100.185.229:443
(1) Arlen Duane Whitty (Duane) <du...@nofroth.com>
  2048 bit RSA key E25FA6BF14571B64, created: 2016-06-09
Keys 1-1 of 1 for "du...@nofroth.com".  Enter number(s), N)ext, or Q)uit > 1
gpg: key E25FA6BF14571B64: public key "Arlen Duane Whitty (Duane) <du...@nofroth.com>" imported
gpg: Total number processed: 1
gpg:   impo
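A way to act on dkg's advice above (treat the keyring as an untrusted collection; only user IDs you have certified yourself, for instance with a local signature, count as valid), as an added Python example that is not code from the thread or from GnuPG. It parses `gpg --with-colons --list-keys` output, reports every user ID whose validity is not full or ultimate, and builds the `--quick-lsign-key` invocation that records an out-of-band check as a non-exportable certification. The listing it runs on is constructed for the example (every key ID, fingerprint and user ID in it is made up); the record field positions follow GnuPG's doc/DETAILS.

```python
"""Audit a GnuPG keyring the way the thread recommends: the keyring is an
untrusted pile of certificates, and only user IDs you have certified yourself
(for instance with a local, non-exportable signature) count as valid.
Added example; not GnuPG code.  Record layout follows GnuPG's doc/DETAILS."""
import subprocess

VALID = {"f", "u"}   # uid validity: f = full, u = ultimate (everything else is unvetted)


def parse_listing(listing):
    """Group `gpg --with-colons --list-keys` records by primary key.
    pub field 9 is ownertrust, fpr field 10 the fingerprint (the first fpr
    after pub is the primary key's), uid field 2 validity and field 10 the ID."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"fpr": None, "ownertrust": f[8], "uids": []})
        elif f[0] == "fpr" and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append((f[1], f[9]))
    return keys


def unvetted(listing):
    """(fingerprint, validity, uid) for every user ID that is not full/ultimate.
    These arrived via --recv-keys or --refresh-keys and nobody certified them;
    revoked ('r') and expired ('e') ones are listed too, since both are reasons
    to stop using the key, not to certify it."""
    return [(key["fpr"], validity, uid)
            for key in parse_listing(listing)
            for validity, uid in key["uids"]
            if validity not in VALID]


def lsign_command(fingerprint, *uids, gpg="gpg"):
    """gpg invocation that records an out-of-band check as a non-exportable
    certification.  --quick-lsign-key wants the full fingerprint, never a key
    ID; naming user IDs restricts the certification to those IDs only."""
    return [gpg, "--quick-lsign-key", fingerprint, *uids]


def audit_keyring(gpg="gpg"):
    """Run the check against the real keyring (needs gpg on PATH)."""
    listing = subprocess.run([gpg, "--batch", "--with-colons", "--list-keys"],
                             check=True, capture_output=True, text=True).stdout
    return unvetted(listing)


# Constructed listing for the example; every key ID, fingerprint and user ID
# here is made up, and only the fields the parser reads are filled in.
SAMPLE_LISTING = """\
tru::1:1503020913:0:3:1:5
pub:u:2048:1:AAAAAAAAAAAAAAAA:1400000000:::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1400000000::H1::Me Myself <me@example.org>:
pub:f:2048:1:BBBBBBBBBBBBBBBB:1400000000:::-:::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:f::::1400000000::H2::Checked In Person <friend@example.org>:
uid:-::::1490000000::H3::Checked In Person <friend@example.net>:
sub:f:2048:1:BBBBBBBBBBBBBBB0:1400000000::::::e:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
pub:-:2048:1:CCCCCCCCCCCCCCCC:1400000000:::-:::scESC:
fpr:::::::::1111111111111111111111111111111111111111:
uid:-::::1400000000::H4::Never Verified <stranger@example.org>:
pub:r:2048:1:DDDDDDDDDDDDDDDD:1400000000:::-:::scESC:
fpr:::::::::2222222222222222222222222222222222222222:
uid:r::::1400000000::H5::Revoked Key <gone@example.org>:
"""
```

Validity is computed relative to a key of your own that carries ultimate ownertrust, so set that first or every user ID comes back unvetted. The second user ID on the constructed `BBBB...` key is the refresh case dkg describes: the key was checked and locally signed once, then a user ID nobody vetted arrived with `--refresh-keys`, and it is exactly what this report surfaces. Executing the list `lsign_command` returns will have gpg ask for the certifying key's passphrase through pinentry.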
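The key ID E25FA6BF14571B64 that the --search transcript above reports is also embedded in the signature block on each of Duane's clear-signed messages in this thread. The parser below, an added example that is not code from the thread or from GnuPG, dearmors one of those blocks (checking the CRC-24 trailer), walks the OpenPGP packet header and the v4 signature body as laid out in RFC 4880, and returns the issuer key ID, hash algorithm and creation time. The signature block is copied verbatim from the 2017-08-17 message that replies to dkg's 09:20 PM mail.

```python
"""Pull the issuer key ID out of an ASCII-armored OpenPGP signature packet.
Added example for this thread (not GnuPG code); layout per RFC 4880."""
import base64
import struct
from datetime import datetime, timezone

# Copied verbatim from Duane Whitty's 2017-08-17 clear-signed message above.
SIGNATURE_BLOCK = """\
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJZlkdxAAoJEOJfpr8UVxtkwXwIAKg6U2hJM2v0469V3Q+dr2k8
6cn8+6nwdkARZQhABP+iSOLbFcnaGL2RLzw26+47E3pqf1X837VeHnsdBZvzQYTQ
oXB/0YTmhjsjL6hpN1V5N5+CHkmMwbwyoHD7XGFpETA/1RfgrhlkqUtcfqjBCUw6
zAvUeD6/rxhASeBb1A231924iSUFqqhkf0IXGvgJmrmIU2hPCZPkdwnxEQ+Lm5K5
8AhsnEKdE3mABlqr0mMM/uuYLI1bknxYT2QtIU2Q1gwH0af4+WqLdcv9H4dMAmQS
HYfYv8s8MAyoqPNZs2QXOg76TBhPHF382MYLGCzT9rHMWaRLk/6zmCZKOSiGtO0=
=5mpS
-----END PGP SIGNATURE-----
"""
HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}


def crc24(data):
    """Armor checksum (RFC 4880 6.1): init 0xB704CE, polynomial 0x1864CFB."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(block):
    """Return (packet bytes, crc_ok).  Armor headers end at the first blank
    line; the '=XXXX' line is the CRC-24 of the data and is not part of it."""
    lines = block.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an armored OpenPGP block")
    body = lines[1:-1]
    if "" in body:
        body = body[body.index("") + 1:]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body), validate=True)
    crc_ok = crc_line is not None and base64.b64decode(crc_line[1:]) == crc24(data).to_bytes(3, "big")
    return data, crc_ok


def packet_header(buf, pos=0):
    """Parse one packet header -> (tag, body_offset, body_length)."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("bit 7 of the first packet octet must be set")
    if ctb & 0x40:                                   # new-format header
        first = buf[pos + 1]
        if first < 192:
            return ctb & 0x3F, pos + 2, first
        if first < 224:
            return ctb & 0x3F, pos + 3, ((first - 192) << 8) + buf[pos + 2] + 192
        raise ValueError("5-octet and partial body lengths not handled here")
    ltype = ctb & 0x03                               # old-format: 1, 2 or 4 length octets
    if ltype == 3:
        raise ValueError("indeterminate packet length not handled here")
    n = 1 << ltype
    return (ctb >> 2) & 0x0F, pos + 1 + n, int.from_bytes(buf[pos + 1:pos + 1 + n], "big")


def subpackets(area):
    """Yield (type, data) from a signature subpacket area.  The length covers
    the type octet; bit 7 of the type octet is the 'critical' flag."""
    pos = 0
    while pos < len(area):
        first = area[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            length, pos = ((first - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", area[pos + 1:pos + 5])[0], pos + 5
        yield area[pos] & 0x7F, area[pos + 1:pos + length]
        pos += length


def parse_signature_block(block):
    data, crc_ok = dearmor(block)
    tag, start, length = packet_header(data)
    body = data[start:start + length]
    if tag != 2 or len(body) != length or body[0] != 4:
        raise ValueError("expected one complete v4 signature packet")
    info = {"version": 4, "sig_type": body[1], "pk_algo": body[2], "hash_algo": body[3],
            "crc_ok": crc_ok, "created": None, "issuer_key_id": None, "issuer_fingerprint": None}
    pos = 4
    for hashed in (True, False):                     # hashed area first, then unhashed
        area_len = struct.unpack(">H", body[pos:pos + 2])[0]
        area, pos = body[pos + 2:pos + 2 + area_len], pos + 2 + area_len
        for sp_type, sp_data in subpackets(area):
            if sp_type == 2 and hashed:              # creation time (only honoured when hashed)
                info["created"] = struct.unpack(">I", sp_data)[0]
            elif sp_type == 16:                      # issuer key ID, 8 octets; usually UNHASHED,
                info["issuer_key_id"] = sp_data.hex().upper()   # so a lookup hint, not a proof
            elif sp_type == 33:                      # issuer fingerprint (newer gpg): version + fpr
                info["issuer_fingerprint"] = sp_data[1:].hex().upper()
    info["hash_left16"] = body[pos:pos + 2].hex().upper()
    info["sig_mpi_bits"] = struct.unpack(">H", body[pos + 2:pos + 4])[0]
    info["hash_algo_name"] = HASH_ALGOS.get(body[3], "unknown")
    if info["created"] is not None:
        info["created_utc"] = datetime.fromtimestamp(info["created"], timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return info
```

`parse_signature_block(SIGNATURE_BLOCK)` yields issuer key ID E25FA6BF14571B64 (the 2048-bit RSA key the transcript above found), hash algorithm SHA256 (matching the `Hash:` line of the clear-signed message) and a creation time in the evening of 2017-08-17 Atlantic time. Two caveats a practitioner should keep in mind: the issuer subpacket sits in the unhashed area, so it is not covered by the signature and only tells gpg which key to try, and a 64-bit key ID is not a fingerprint; nothing here verifies the signature, which still needs the full key and `gpg --verify`.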

Re: fingerprint of key

2017-08-14 Thread Duane Whitty
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



On 17-08-14 09:50 PM, Duane Whitty wrote:
> 
> 
> On 17-08-14 08:50 PM, Daniel Kahn Gillmor wrote:
>> On Mon 2017-08-14 19:03:19 -0300, Duane Whitty wrote:
>>> I did not and still do not want to import the oracle_vbox
>>> public key into my key ring.  I am happy to download it and
>>> check it each time.
> 
>> I think this is an interesting choice, but i don't understand
>> why you've made it.  Can you say more about why you don't want
>> to import the key, and why you prefer to fetch it each time?
> I perceive keys in my keyring as being ones I trust because of 
> out-of-band confirmation and used for two-way communications.  I
> think the VirtualBox key is just to give people assurance that they
> are downloading what they intended to download from the source
> they expected, in this case via apt or apt-get, etc. from an Oracle
> repo.
> 
> 
>>> Before I go down the road on offering an opinion on how the
>>> man page should be "fixed" (maybe it's not really broken) can
>>> you explain why it would be bad to let gpg generate and display
>>> the fingerprint of a key in an ascii armoured file?
> 
>> I'm not saying it's "bad" -- it's just not what --fingerprint 
>> does.
> 
>> --fingerprint List all keys (or the specified ones) along with 
>> their fingerprints.  This  is  the  same  output as
>> --list-keys but with the additional output of a line with the
>> fingerprint.  May also  be combined  with --list-signatures or
>> --check-signatures. If this command is given twice, the
>> fingerprints of all  secondary keys are  listed  too.   This
>> command also forces pretty printing of fingerprints if the keyid
>> format has been set to "none".
> 
>> So it's like --list-keys, which says:
> 
>> --list-keys -k --list-public-keys List the specified keys.  If
>> no keys  are  specified,  then  all keys from the configured
>> public keyrings are listed.
> 
> 
>> in other words (or maybe it's not as explicitly stated as it
>> should be), "list all the keys in your keyring that match the 
>> specification".  This command is not intended for listing 
>> fingerprints of keys that come in on stdin, or of an external 
>> file.
> 
> To me that reads as "if you provide a key then the fingerprint for 
> that key will be provided otherwise your keyring will be used". 
> Thanks for correcting my understanding.
>> That said, you could combine it with:
> 
>> --no-default-keyring --keyring /path/to/file.gpg
> 
>> (as long as the file wasn't ascii-armored, and as long as you 
>> weren't concerned about updating your trustdb by accident, etc).
>> Again, i'm not saying this is particularly user-friendly, i'm
>> just trying to help you understand the current state of the tool.
> 
>> If you have specific suggestions for how to improve the tool, 
>> please suggest them!
>> --dkg
> 
> 
> I'm not exactly sure what a good suggestion would be.  Would it be 
> correct to say that going forward usability changes would probably
> be more likely to happen in the 2.1 branch?  If so I guess I
> should upgrade to the 2.1 branch.
> 
> I can say that what I usually end up being challenged by is
> importing keys into my keyring and on being able to choose which
> UID I want to sign with.  Maybe that just means I don't know the
> software well enough.
> 
> For instance, last night I wanted to add a friend's new public key
> to my keyring.  Gpg wouldn't add the key based on his email.  I had
> to use his email to search the key server and then use the
> fingerprint of his new key to add it to my keyring.
> 
> The approach I took was "gpg2 --search u...@domain.com" and "gpg2 
> --recv-keys key-fingerprint".  Then I did a "gpg2 --edit-key 
> key-fingerprint" to sign the key with my default UID.  I thought I 
> would get a menu to select options from when I used --edit-key but 
> instead I was presented with the prompt "gpg>" and I had to type
> the sign command.  It worked but I might have chosen to sign the
> key with a key from a different UID.  Not sure if my method of
> importing to my keyring and signing the new public key was the
> usual or easiest method but it worked.
> 
> Not sure there's actually a suggestion for improvement in there
> :-) but you've given me a lot to consider and digest.  Sincerely,
> thanks! I love learning this stuff.
> 
> 
> Best Regards, Duane
> 
> 
Actually one suggestion, the way options and commands are specified
look 

Re: fingerprint of key

2017-08-14 Thread Duane Whitty
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



On 17-08-14 08:50 PM, Daniel Kahn Gillmor wrote:
> On Mon 2017-08-14 19:03:19 -0300, Duane Whitty wrote:
>> I did not and still do not want to import the oracle_vbox public
>> key into my key ring.  I am happy to download it and check it
>> each time.
> 
> I think this is an interesting choice, but i don't understand why
> you've made it.  Can you say more about why you don't want to
> import the key, and why you prefer to fetch it each time?
I perceive keys in my keyring as being ones I trust because of
out-of-band confirmation and used for two-way communications.  I think
the VirtualBox key is just to give people assurance that they are
downloading what they intended to download from the source they
expected, in this case via apt or apt-get, etc. from an Oracle repo.

> 
>> Before I go down the road on offering an opinion on how the man
>> page should be "fixed" (maybe it's not really broken) can you
>> explain why it would be bad to let gpg generate and display the
>> fingerprint of a key in an ascii armoured file?
> 
> I'm not saying it's "bad" -- it's just not what --fingerprint
> does.
> 
> --fingerprint List all keys (or the specified ones) along with
> their fingerprints.  This  is  the  same  output as --list-keys
> but with the additional output of a line with the fingerprint.  May
> also  be combined  with --list-signatures or --check-signatures.
> If this command is given twice, the fingerprints of all  secondary
> keys are  listed  too.   This  command also forces pretty printing
> of fingerprints if the keyid format has been set to "none".
> 
> So it's like --list-keys, which says:
> 
> --list-keys -k --list-public-keys List the specified keys.  If no
> keys  are  specified,  then  all keys from the configured public
> keyrings are listed.
> 
> 
> in other words (or maybe it's not as explicitly stated as it should
> be), "list all the keys in your keyring that match the
> specification".  This command is not intended for listing
> fingerprints of keys that come in on stdin, or of an external
> file.
> 
To me that reads as "if you provide a key then the fingerprint for
that key will be provided otherwise your keyring will be used".
Thanks for correcting my understanding.
> That said, you could combine it with:
> 
> --no-default-keyring --keyring /path/to/file.gpg
> 
> (as long as the file wasn't ascii-armored, and as long as you
> weren't concerned about updating your trustdb by accident, etc).
> Again, i'm not saying this is particularly user-friendly, i'm
> just trying to help you understand the current state of the tool.
> 
> If you have specific suggestions for how to improve the tool,
> please suggest them!
> --dkg
> 

I'm not exactly sure what a good suggestion would be.  Would it be
correct to say that going forward usability changes would probably be
more likely to happen in the 2.1 branch?  If so I guess I should
upgrade to the 2.1 branch.

I can say that what I usually end up being challenged by is importing
keys into my keyring and on being able to choose which UID I want to
sign with.  Maybe that just means I don't know the software well enough.

For instance, last night I wanted to add a friend's new public key to
my keyring.  Gpg wouldn't add the key based on his email.  I had to
use his email to search the key server and then use the fingerprint of
his new key to add it to my keyring.

The approach I took was "gpg2 --search u...@domain.com" and "gpg2
--recv-keys key-fingerprint".  Then I did a "gpg2 --edit-key
key-fingerprint" to sign the key with my default UID.  I thought I
would get a menu to select options from when I used --edit-key but
instead I was presented with the prompt "gpg>" and I had to type the
sign command.  It worked but I might have chosen to sign the key with
a key from a different UID.  Not sure if my method of importing to my
keyring and signing the new public key was the usual or easiest method
but it worked.

Not sure there's actually a suggestion for improvement in there :-)
but you've given me a lot to consider and digest.  Sincerely, thanks!
I love learning this stuff.


Best Regards,
Duane

-- 
Duane Whitty
du...@nofroth.com
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJZkkVBAAoJEOJfpr8UVxtkBDsH/0zoAMEuKvkkIzVC1r6v8kq9
Tmbqvd7i4Q8YobiExGilUXSx/s0psq4JKo1qcbvpuXnsRhJM+3/tH6TTgvdLJJOq
Em8NN7HygzJ3Fhb7RaGZS9dBv2FQFem3qk+oFHzUMUlUGF1gF+agpeFM/CwKGsMk
ClmBW9pSqQzH2z+hWXQPdAA8k8X2Wi3KH5BlrBT3kEKw+XdUJOqme8YPqWlo97XQ
/BKmpPjiBiEE7qWkOXKTdD9ySIx/XO6fmcxvJEbvqygdjh/zp/Cm5jW2MrPoQC5N
jWR18G8cRa5euNfXrzvyGm5o3SZTvoOEX3VHXPvQU8tyYVOV3sQVyM2hUWpyTfg=
=ZuO1
-----END PGP SIGNATURE-----



Re: fingerprint of key

2017-08-14 Thread Daniel Kahn Gillmor
On Mon 2017-08-14 19:03:19 -0300, Duane Whitty wrote:
> I did not and still do not want to import the oracle_vbox public key
> into my key ring.  I am happy to download it and check it each time.

I think this is an interesting choice, but i don't understand why you've
made it.  Can you say more about why you don't want to import the key,
and why you prefer to fetch it each time?

> Before I go down the road on offering an opinion on how the man page
> should be "fixed" (maybe it's not really broken) can you explain why
> it would be bad to let gpg generate and display the fingerprint of a
> key in an ascii armoured file?

I'm not saying it's "bad" -- it's just not what --fingerprint does.

   --fingerprint
          List all keys (or the specified ones) along with their fingerprints.
          This is the same output as --list-keys but with the additional
          output of a line with the fingerprint.  May also be combined with
          --list-signatures or --check-signatures.  If this command is given
          twice, the fingerprints of all secondary keys are listed too.  This
          command also forces pretty printing of fingerprints if the keyid
          format has been set to "none".

So it's like --list-keys, which says:

   --list-keys
   -k
   --list-public-keys
          List the specified keys.  If no keys are specified, then all keys
          from the configured public keyrings are listed.


in other words (or maybe it's not as explicitly stated as it should be),
"list all the keys in your keyring that match the specification".  This
command is not intended for listing fingerprints of keys that come in on
stdin, or of an external file.

That said, you could combine it with:

--no-default-keyring --keyring /path/to/file.gpg

(as long as the file wasn't ascii-armored, and as long as you weren't
concerned about updating your trustdb by accident, etc).

Again, i'm not saying this is particularly user-friendly, i'm just
trying to help you understand the current state of the tool.

If you have specific suggestions for how to improve the tool, please
suggest them!

--dkg



Re: fingerprint of key

2017-08-14 Thread Duane Whitty
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



On 17-08-14 05:58 PM, Daniel Kahn Gillmor wrote:
> On Mon 2017-08-14 13:25:58 -0300, Duane Whitty wrote:
>> Thanks for your response.  So, what you are saying is that the
>> man page is wrong ;-)
> 
> I didn't think that was what i was saying, but there have certainly
> been bugs in the documentation in the past.  Is there specific text
> that you think is wrong?  do you have a suggestion about what it
> should be changed to?
> 
> --dkg
> 
The situation is a little more clear since your last response.  If I
may quote you:

"the trouble with these two invocations of gpg is that they offer no
command.  Each invocation of GnuPG is supposed to include exactly one
command and zero or more options. ..."

I ran gpg2 --with-fingerprint oracle_vbox.asc which did what I wanted
and I received no complaints.
I did not and still do not want to import the oracle_vbox public key
into my key ring.  I am happy to download it and check it each time.
When I looked at the man page for how to do this it looked like gpg2
--fingerprint oracle_vbox.asc should do the job but as you have
pointed out gpg expects a key in my keyring to perform that action on.

After reading the man page several times for the 1.4 and 2.0 versions
I can see nothing that would make me believe that I needed to provide
the program with a key from my keyring.  That's fine though, I'm still
learning.

Now that you point it out I can see that --with-fingerprint is an
option under the section "Key related options" and so it makes sense
that a command should be entered as well.

I am not sure I understand why it would be bad to do the following,
which implies not importing the key to a keyring:

gpg --with-fingerprint --fingerprint < public-key-file.asc

where I substituted --fingerprint for --import

However if I do that it's the same as running:
gpg2 --with-fingerprint --fingerprint

and the oracle_vbox.asc file containing the key is completely ignored
and there are no warnings that it was ignored.

Before I go down the road on offering an opinion on how the man page
should be "fixed" (maybe it's not really broken) can you explain why
it would be bad to let gpg generate and display the fingerprint of a
key in an ascii armoured file?

By the way, I really appreciate the assistance you're giving me in
helping me to understand this.  I know you're busy.

Best Regards,
Duane

-- 
Duane Whitty
du...@nofroth.com
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJZkh4hAAoJEOJfpr8UVxtkwj0H/0bPfVYbKMlbvLBsF+9pTFPW
9PwNRA47dARN8eBwtRr106br0iCLFxs31ObXyh80M+cGJFTIQN61y3FfD8GsEv9/
BS9xzjHv4q/sO+pF2yOy2ygmjoxouvbPIL86yobhJA+bKBw4piH9UxaPnQmO+SLC
j450uLxl2C7ZWOcSI4bi0myHTnsZkvkbrPlYfo0zjbyJXIP+3DonRZhhVR2nzUwr
DNX1K5TRy2Dw4NN430o0q9Bcef05XywExJFpCaxFWDOJdTgwVOkrfodDoaXKotjx
M+nqD9sduQHXiCeXR1cN7aZ9rYCJ301xeFAiRJTOHl/sTUpoEdP2sj5i3Fog+pQ=
=mBYf
-----END PGP SIGNATURE-----



Re: fingerprint of key

2017-08-14 Thread Daniel Kahn Gillmor
On Mon 2017-08-14 13:25:58 -0300, Duane Whitty wrote:
> Thanks for your response.  So, what you are saying is that the man
> page is wrong ;-)

I didn't think that was what i was saying, but there have certainly been
bugs in the documentation in the past.  Is there specific text that you
think is wrong?  do you have a suggestion about what it should be
changed to?

--dkg



Re: fingerprint of key

2017-08-14 Thread Daniel Kahn Gillmor
On Mon 2017-08-14 15:09:22 -0400, Todd Zullinger wrote:
> $ gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-primary
> pub  4096R/FDB19C98 2016-03-31 Fedora 25 Primary (25) <fedora-25-prim...@fedoraproject.org>
>   Key fingerprint = C437 DCCD 558A 66A3 7D6F  4372 4089 D8F2 FDB1 9C98
>
> $ gpg2 --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-primary
> pub   rsa4096 2016-03-31 [SCE]
>   C437 DCCD 558A 66A3 7D6F  4372 4089 D8F2 FDB1 9C98
> uid   Fedora 25 Primary (25) <fedora-25-prim...@fedoraproject.org>

the trouble with these two invocations of gpg is that they offer no
command.  Each invocation of GnuPG is supposed to include exactly one
command and zero or more options.  As the gpg(1) manpage says:

gpg [--homedir dir] [--options file] [options] command [args]

--with-fingerprint is a GnuPG option, not a command.  When you give gpg
no command, you're basically saying "hey, gpg, do whatever you think is
reasonable."

more recent versions of gpg will complain:

gpg: WARNING: no command supplied.  Trying to guess what you mean ...

Please see https://dev.gnupg.org/T2943 for more discussion of this
situation and why it is problematic.

> Also, both 2.1.13 on fedora 25 and 2.1.22 on fedora rawhide, the 
> command above complains about the show-only option:
>
> $ gpg2 --version
> gpg (GnuPG) 2.1.22
>
> $ gpg2 --with-fingerprint --import-options show-only --import < /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-primary
> gpg: unknown option 'show-only'
> gpg: invalid import options
>
> Is there a typo in that command or is show-only not in the latest 
> release of the 2.1 branch?

the latest release of the 2.1 branch is 2.1.23.  show-only was added in
2.1.23.

--dkg



Re: fingerprint of key

2017-08-14 Thread Todd Zullinger

Daniel Kahn Gillmor wrote:

with more modern versions of gnupg, you can just use:

   gpg --with-fingerprint --import-options show-only --import < public-key-file.asc


FWIW, I've used "gpg --with-fingerprint public-key-file.asc" for what 
seems like years to do this sort of quick fingerprint check of keys. 
It's particularly handy with linux distribution package signing keys, 
which are typically not something I have any need to import to my 
keyring.


On a fedora-25 system:

   $ gpg --version
   gpg (GnuPG) 1.4.22

   $ gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-primary
   pub  4096R/FDB19C98 2016-03-31 Fedora 25 Primary (25) <fedora-25-prim...@fedoraproject.org>
         Key fingerprint = C437 DCCD 558A 66A3 7D6F  4372 4089 D8F2 FDB1 9C98

   $ gpg2 --version
   gpg (GnuPG) 2.1.13

   $ gpg2 --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-primary
   pub   rsa4096 2016-03-31 [SCE]
 C437 DCCD 558A 66A3 7D6F  4372 4089 D8F2 FDB1 9C98
   uid   Fedora 25 Primary (25) <fedora-25-prim...@fedoraproject.org>


I haven't looked at the documentation for --with-fingerprint in a 
while, but it does seem like it's at least leaving out some details 
regarding its use on key files which are not imported.


I have no idea whether those differences are intended and should 
simply be documented or it's considered a bug that --fingerprint and 
--with-fingerprint differ in handling unimported keys.


Also, with both 2.1.13 on fedora 25 and 2.1.22 on fedora rawhide, the 
command above complains about the show-only option:


   $ gpg2 --version
   gpg (GnuPG) 2.1.22

   $ gpg2 --with-fingerprint --import-options show-only --import < /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-primary
   gpg: unknown option 'show-only'
   gpg: invalid import options

Is there a typo in that command or is show-only not in the latest 
release of the 2.1 branch?


--
Todd
~~
The most overlooked advantage to owning a computer is that if they
foul up, there's no law against whacking them around a little.
   -- Eric Porterfield





Re: fingerprint of key

2017-08-14 Thread Duane Whitty
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



On 17-08-14 12:14 PM, Daniel Kahn Gillmor wrote:
> On Mon 2017-08-14 03:32:08 -0300, Duane Whitty wrote:
>> I was recently trying to compare the fingerprint of a key I
>> downloaded to its online stated value.  I thought I should be
>> able to accomplish my goal with "gpg --fingerprint
>> public-key-file.asc".  Gpg returned "gpg: error reading key: No
>> public key"
> 
> "gpg --fingerprint" displays the fingerprint of a key that is
> already in the user's keyring.
> 
> you'll need to "gpg --import public-key-file.asc" first, and then
> ask for its fingerprint, especially with older versions of gnupg.
> 
> If you really want to isolate the imported key, you can use an
> ephemeral GNUPGHOME directory, like so:
> 
> export GNUPGHOME=$(mktemp -d)
> gpg --import < public-key-file.asc
> gpg --fingerprint
> rm -rf $GNUPGHOME
> 
> with more modern versions of gnupg, you can just use:
> 
> gpg --with-fingerprint --import-options show-only --import <
> public-key-file.asc
> 
> hth,
> 
> --dkg
> 
Hi Daniel,

Thanks for your response.  So, what you are saying is that the man
page is wrong ;-)

Best Regards,
Duane

-- 
Duane Whitty
du...@nofroth.com
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJZkc8RAAoJEOJfpr8UVxtk+5MIAKEtESbPZG+CHDr6hh+dkRaf
OhlOQyNw9HuZzAhOXKQZKXukiwDSinlOQ+cJn4JbYtYUVZtDCQz/mu/WAkgtdN5U
WM4FrZYxciDdJrZKzD4i+sc6MujKo2UEeTz4MqDO1DhKaD94fJ3EqRakPzmD6t7Y
1F6mvWDquz0Camr41NTrrkB3v6ISt7b/TA3H5v/XJCfZ9Wv5GHNKxzFeftmBEcQY
lw/9geYKRahIFKGdMHVA2eQQteW4uq8wMgJSDUEOuxv/WyztWxvNeiwzZtjhAYl2
3J1j3pvL9XV7Q/Y+u/sjE941ieVSr3nbm7xy/VW5GLyWxWP3/dgjsh0CEaqGTjM=
=TLc2
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: fingerprint of key

2017-08-14 Thread Daniel Kahn Gillmor
On Mon 2017-08-14 03:32:08 -0300, Duane Whitty wrote:
> I was recently trying to compare the fingerprint of a key I downloaded
> to its online stated value.  I thought I should be able to accomplish
> my goal with "gpg --fingerprint public-key-file.asc".  Gpg returned
> "gpg: error reading key: No public key"

"gpg --fingerprint" displays the fingerprint of a key that is already in
the user's keyring.

you'll need to "gpg --import public-key-file.asc" first, and then ask
for its fingerprint, especially with older versions of gnupg.

If you really want to isolate the imported key, you can use an ephemeral
GNUPGHOME directory, like so:

export GNUPGHOME=$(mktemp -d)
gpg --import < public-key-file.asc
gpg --fingerprint
rm -rf $GNUPGHOME

with more modern versions of gnupg, you can just use:

gpg --with-fingerprint --import-options show-only --import < public-key-file.asc

hth,

--dkg




fingerprint of key

2017-08-14 Thread Duane Whitty

Tested on:
$ gpg --version
gpg (GnuPG) 1.4.16

$ gpg2 --version
gpg (GnuPG) 2.0.22

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:Ubuntu 14.04.5 LTS
Release:14.04
Codename:   trusty

I was recently trying to compare the fingerprint of a key I downloaded
to its online stated value.  I thought I should be able to accomplish
my goal with "gpg --fingerprint public-key-file.asc".  Gpg returned
"gpg: error reading key: No public key"

So I did a search and found --with-fingerprint.  Worked as I hoped it
would.

According to gpg(1) and gpg2(1) - "--with-fingerprint
      Same as the command --fingerprint but changes only the
format of the output and may be used together with another command."

So is this a bug in gpg or a bug in the man page or am I missing
something so trivial and obvious that I will smack myself in the
forehead when someone points it out to me?

I understand dev cycles are being focused primarily(?) on the 2.1
branch but I figured this might be worth mentioning.  I confess, I
haven't checked the archives to see if it already has been.

Best Regards,
Duane

-- 
Duane Whitty
du...@nofroth.com


Re: gnupg 2.1.16: change of option --with-fingerprint

2017-07-04 Thread Werner Koch
On Sat,  1 Jul 2017 16:46, linux_nutze...@mailbox.org said:

> When I tried to import a CentOS gpg key according to the manual from [1], I 
> made the following observation:
>
> "gpg --quiet --with-fingerprint " does not return the fingerprint 
> when using gnupg 2.1.17 (on ArchLinux and openSuse Tumbleweed).

That manual suggests the use of an unspecified behavior, namely that gpg
tries to do the right thing depending on the data.  For keys you will
see only some kind of debug output which funnily resembles a key
listing.  But it is not a real key listing.  Recent versions of gpg thus
print

  gpg: WARNING: no command supplied.  Trying to guess what you mean ...

What you need to do instead is to import that key and then run 

  gpg -k --with-fingerprint secur...@centos.org

or

  gpg --fingerprint secur...@centos.org

which shows the fingerprint.  Here -k and --fingerprint are the
commands.  If you don't want to import the key and your version of gpg
is at least 2.1.14 you can do this:

  gpg -n --import --import-options import-show FILE_WITH_KEY

This tells the import command to list the key during input (import-show)
and not to actually import it (-n or --dry-run).

In case you want to script this, please make sure to also add
--with-colons so that you get the guaranteed-to-be-stable,
machine-readable output.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.




gnupg 2.1.16: change of option --with-fingerprint

2017-07-01 Thread linux_nutzer42
Hello all,

did the function of the option --with-fingerprint change in gnupg 2.1.16 and 
later?

When I tried to import a CentOS gpg key according to the manual from [1], I 
made the following observation:

"gpg --quiet --with-fingerprint " does not return the fingerprint 
when using gnupg 2.1.17 (on ArchLinux and openSuse Tumbleweed).
Also a self-compiled gnupg 2.1.16 does not return the fingerprint in this 
scenario, whereas a self-compiled gnupg 2.1.15 does so.
gnupg 2.1.13 on Fedora also returns the fingerprint.
For the tests I used the key from [2] which I downloaded according to [1] with 
wget.

Many thanks in advance.

Regards
linux_nutzer42


links
=
[1] https://wiki.centos.org/Download/Verify 
[2] http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-7

details
===
Arch Linux gnupg 2.1.17
---
$ gpg --quiet --with-fingerprint ./RPM-GPG-KEY-CentOS-7
pub   rsa4096 2014-06-23 [SC]
uid   CentOS-7 Key (CentOS 7 Official Signing Key) <secur...@centos.org>

Fedora gnupg 2.1.13
---
$ gpg2 --quiet --with-fingerprint ./RPM-GPG-KEY-CentOS-7
pub   rsa4096 2014-06-23 [SC]
  6341 AB27 53D7 8A78 A7C2  7BB1 24C6 A8A7 F4A8 0EB5
uid   CentOS-7 Key (CentOS 7 Official Signing Key) <secur...@centos.org>



Re: Creating Unique Fingerprint

2017-06-28 Thread Pete Stephenson
It's not as hard as you might think, at least in terms of 32-bit
fingerprints: https://evil32.com/
--
Pete Stephenson


On Mon, Jun 19, 2017, at 08:00 AM, Lou Wynn wrote:
> According to my understanding of crypto theory, your only way is to
> generate keys and compare their fingerprints and with the value you
> want. I would be surprised that you can find one in your lifetime. Or
> it'd be a breakthrough in cryptography if you managed to do it
> somehow.


> Thanks, Lou
>
>> On 06/18/2017 07:23 PM, Long Si wrote:
>> Hi
>>
>> I am on Linux, and would like to generate a key with "unique 40"
>> fingerprint.
>>
>> eg 1: Starts with ABCD ...
>>
>> eg 2: Starts with AXXX ... XXXA ends with A
>>
>> eg 3: ... without any '0' character at all
>>
>> How would I go about writing such a script? Don't mind running for
>> months to get these sets.
>>
>> Regards
> _
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users



Re: Creating Unique Fingerprint

2017-06-19 Thread Kirill Elagin
Google is a pretty great tool for this kind of thing.
Here is one of the results I found:
https://github.com/Valodim/pgp-vanity-keygen

As far as I can tell from the source, it uses the method I suggested,
decreasing timestamp one by one, and it finds a fingerprint that ends in a
given string of bytes. This last part is not exactly what you need, so
you’ll have to adjust the test yourself, but other than that it seems to be
a reasonable “plug-and-play” solution for your task.

On Mon, Jun 19, 2017 at 6:38 PM Long Si <longsi0...@gmail.com> wrote:

> Hi everyone
>
> Thanks for your input so far. I am surprised to learn about the
> suggested methods. For my example 1, I had assumed there would be only
> (1/16)^4 combinations so it should be fairly quick (i.e. less than a
> week to find one).
>
> Let say for now, I just want my full fingerprint to start with a 'A'.
> With a possibility of 1/16, I assumed this should take less than a day
> of computing power. Can anyone show me a script to do so?
>
> I wish to have a working key, of course, with my chosen name, email, etc...
>
>
> Regards
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>


Re: Creating Unique Fingerprint

2017-06-19 Thread Long Si
Hi everyone

Thanks for your input so far. I am surprised to learn about the
suggested methods. For my example 1, I had assumed there would be only
(1/16)^4 combinations so it should be fairly quick (i.e. less than a
week to find one).

Let's say for now, I just want my full fingerprint to start with an 'A'.
With a probability of 1/16, I assumed this should take less than a day
of computing power. Can anyone show me a script to do so?

I wish to have a working key, of course, with my chosen name, email, etc...


Regards



Re: Creating Unique Fingerprint

2017-06-19 Thread Kirill Elagin
The easiest strategy, of course, is to simply use gpg to generate a key and
check its fingerprint until you get the one you need (see batch mode).
Generation of an RSA 2048 key takes around a second, so e.g. for your
example #1 (four bytes fixed) we are talking tens of hours or a few days.

In case you need something better, you’ll have to get inside the public key
packet. Basically, the fingerprint is a hash of the actual public key material
and its creation timestamp, so if you do not care much about creation
timestamps, you can brute-force _them_, which will be much faster. This way
you might get a timestamp that doesn’t make sense (e.g. in the future) and
some implementations can potentially become upset, so you either accept
that or choose timestamps carefully.

If you don’t need the key to actually work, that is, be able to
encrypt/decrypt, then you can safely brute force its other parameters, such
as p, q and e.

I do not know if there are tools around, but hacking GnuPG code should not
be too difficult.

On Mon, Jun 19, 2017 at 6:44 AM Long Si <longsi0...@gmail.com> wrote:

> Hi
>
> I am on Linux, and would like to generate a key with "unique 40"
> fingerprint.
>
> eg 1: Starts with ABCD  ... 
>
> eg 2: Starts with AXXX  ... XXXA ends with A
>
> eg 3:  ...  without any '0' character at all
>
> How would I go about writing such a script? Don't mind running for
> months to get these sets.
>
> Regards
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>


Re: Creating Unique Fingerprint

2017-06-19 Thread Lou Wynn
According to my understanding of crypto theory, your only way is to
generate keys and compare their fingerprints with the value you
want. I would be surprised if you could find one in your lifetime. Or
it'd be a breakthrough in cryptography if you managed to do it somehow.

Thanks,
Lou

On 06/18/2017 07:23 PM, Long Si wrote:
> Hi
>
> I am on Linux, and would like to generate a key with "unique 40" fingerprint.
>
> eg 1: Starts with ABCD  ... 
>
> eg 2: Starts with AXXX  ... XXXA ends with A
>
> eg 3:  ...  without any '0' character at all
>
> How would I go about writing such a script? Don't mind running for
> months to get these sets.
>
> Regards
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users



Re: Creating Unique Fingerprint

2017-06-19 Thread Stefan Claas
On Mon, 19 Jun 2017 10:23:58 +0800, Long Si <longsi0...@gmail.com> wrote:

> Hi
> 
> I am on Linux, and would like to generate a key with "unique 40"
> fingerprint.
> 
> eg 1: Starts with ABCD  ... 
> 
> eg 2: Starts with AXXX  ... XXXA ends with A
> 
> eg 3:  ...  without any '0' character at all
> 
> How would I go about writing such a script? Don't mind running for
> months to get these sets.

If there were such a script, we would have a problem... ;-)

But you can generate a key with a 32-bit key ID of your choice,
with scallion:

https://github.com/lachesis/scallion

Regards
Stefan




Creating Unique Fingerprint

2017-06-18 Thread Long Si
Hi

I am on Linux, and would like to generate a key with "unique 40" fingerprint.

eg 1: Starts with ABCD  ... 

eg 2: Starts with AXXX  ... XXXA ends with A

eg 3:  ...  without any '0' character at all

How would I go about writing such a script? Don't mind running for
months to get these sets.

Regards



Overwriting a fingerprint in card-status

2017-06-10 Thread Kirill Elagin
Hello,

I have a key on a smartcard and at some point I added it as a subkey
to a different primary key by giving its keygrip in `--expert` mode.

This works great but I recently realised that when this was done its
fingerprint changed and as a result a wrong fingerprint is now stored
in the card metadata, as shown by `--card-status`. (Now I am a little
confused by the fact that gnupg is still able to locate the key and
use it.)

Given that the key material on the card is correct, is there a way to
forcibly overwrite the fingerprint that is displayed by
`--card-status`?

Thanks.



Re: How to show fingerprint in email header?

2017-06-08 Thread Satoshi Yoshida
Peter Lebbing <pe...@digitalbrains.com> writes:

> Enigmail puts the following in my mails:
>
> Openpgp: id=8FA94E79AD6AB56EE38CE5CBAC46EFE6DE500B3E;
>  url=http://digitalbrains.com/2012/openpgp-key-peter
>
> I think that is the generally accepted method to give both a fingerprint
> and a URL. I'd wager the following is just the fingerprint:
>
> Openpgp: id=8FA94E79AD6AB56EE38CE5CBAC46EFE6DE500B3E

I see. Your answer is perfect for my question.
Thank you very much.

-- 
Satoshi Yoshida
https://satoshi.blog



Re: How to show fingerprint in email header?

2017-06-08 Thread Satoshi Yoshida
Daniel Kahn Gillmor  writes:

> This is probably more of a question for your mail user agent than for
> GnuPG, since GnuPG doesn't send mail.  What program do you use to send
> mail?

I am using Gnus. I know how to edit email headers.
I want to know whether the Openpgp: header style is still alive or not.
Sorry for my poor English. I'm Japanese.

-- 
Satoshi Yoshida
https://satoshi.blog



Re: How to show fingerprint in email header?

2017-06-08 Thread Satoshi Yoshida
Werner Koch  writes:

> Here is what I use:
>
>   OpenPGP: url=https://k.gnupg.net/80615870F5BAD690333686D0F2AD85AC1E42B367
>
> This is a complete URL of our dedicated keyserver with the fingerprint
> appended.  How to configure this depends on your mailer.  I do this in
> Gnus:

Is this style still alive? The following URL shows it has expired.
https://datatracker.ietf.org/doc/draft-josefsson-openpgp-mailnews-header/

> (setq gnus-posting-styles
>       '((".*"
>          (name "Werner Koch")
>          (address "w...@gnupg.org")
>          ("OpenPGP" "url=https://k.gnupg.net/80615870F5BAD690333686D0F2AD85AC1E42B367")
>          ("X-message-flag" "Mails containing HTML will not be read!\n\t Please send only plain text.")
>          (organisation "The GnuPG Project")
>          (signature "Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz."))))

I'm using Gnus too.

> (X-message-flag is a hack for Outlook users ;-)

Hehehe.

-- 
Satoshi Yoshida
https://satoshi.blog



Re: How to show fingerprint in email header?

2017-06-08 Thread Daniel Kahn Gillmor
On Thu 2017-06-08 22:05:40 +0900, Satoshi Yoshida wrote:
> How to show fingerprint in email header?
> I found
> https://datatracker.ietf.org/doc/draft-josefsson-openpgp-mailnews-header/
> But it is expired.

This is probably more of a question for your mail user agent than for
GnuPG, since GnuPG doesn't send mail.  What program do you use to send
mail?

Regards,

--dkg




Re: How to show fingerprint in email header?

2017-06-08 Thread Peter Lebbing
On 08/06/17 15:05, Satoshi Yoshida wrote:
> How to show fingerprint in email header?

Enigmail puts the following in my mails:

Openpgp: id=8FA94E79AD6AB56EE38CE5CBAC46EFE6DE500B3E;
 url=http://digitalbrains.com/2012/openpgp-key-peter

I think that is the generally accepted method to give both a fingerprint
and a URL. I'd wager the following is just the fingerprint:

Openpgp: id=8FA94E79AD6AB56EE38CE5CBAC46EFE6DE500B3E

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>





Re: How to show fingerprint in email header?

2017-06-08 Thread Werner Koch
On Thu,  8 Jun 2017 15:05, sato...@linux.com said:

> https://datatracker.ietf.org/doc/draft-josefsson-openpgp-mailnews-header/

Here is what I use:

  OpenPGP: url=https://k.gnupg.net/80615870F5BAD690333686D0F2AD85AC1E42B367

This is a complete URL of our dedicated keyserver with the fingerprint
appended.  How to configure this depends on your mailer.  I do this in
Gnus:

--8<---cut here---start->8---
(setq gnus-posting-styles
      '((".*"
         (name "Werner Koch")
         (address "w...@gnupg.org")
         ("OpenPGP" "url=https://k.gnupg.net/80615870F5BAD690333686D0F2AD85AC1E42B367")
         ("X-message-flag" "Mails containing HTML will not be read!\n\t Please send only plain text.")
         (organisation "The GnuPG Project")
         (signature "Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz."))))
--8<---cut here---end--->8---


(X-message-flag is a hack for Outlook users ;-)

However, I would much rather see adoption of the Web Key Directory,
which makes it much easier to find the right key.  If you are using
GnuPG 2.1 you can add 

--8<---cut here---start->8---
auto-key-locate local
auto-key-locate wkd
auto-key-locate dane
--8<---cut here---end--->8---

to your gpg.conf to enable it.  The fallback to DANE is optional; I
doubt that it is much more widely deployed than WKD.  Note that WKD (and DANE)
contact the server of the mail provider, so they know that you will send
an encrypted mail - but that is something they will see
anyway.  The workaround is, as usual, Tor ("use-tor" in dirmngr.conf).


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.



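The header layout Peter and Werner show above is simple enough to parse, and the useful receiver-side step is to check the advertised `id` against the fingerprint of the key that actually verified the message rather than trusting the header on its own. The following is an added example, my code rather than anything from the posters, Enigmail or Gnus: it runs on a constructed message whose addresses, fingerprint and URL are placeholders, handles the folded two-line form from Peter's mail, and knows only the `id` and `url` attributes that appear in the thread.

```python
"""Parse and check an "OpenPGP:" mail header of the form shown in the thread.

The header carries "attr=value" pairs separated by ";" and may be folded
across lines, as in the Enigmail sample.  Everything below is a constructed
example; the fingerprint and URL are placeholders, not a real key.
"""
import email
import hmac
import re

# Constructed sample message (placeholder addresses, fingerprint and URL).
SAMPLE_MAIL = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: hello
Openpgp: id=0123456789ABCDEF0123456789ABCDEF01234567;
 url=https://example.invalid/alice-key
Content-Type: text/plain

body
"""

HEX40 = re.compile(r"^[0-9A-F]{40}$")


def parse_openpgp_header(raw_message: str) -> dict:
    """Return the attr=value pairs of the OpenPGP header, or {} if absent."""
    msg = email.message_from_string(raw_message)
    value = msg.get("OpenPGP")  # header names are case-insensitive
    if value is None:
        return {}
    attrs = {}
    for part in value.split(";"):
        part = part.strip()  # also removes the folding whitespace/newline
        if not part:
            continue
        key, sep, val = part.partition("=")
        if sep:
            attrs[key.strip().lower()] = val.strip()
    return attrs


def advertised_fingerprint(attrs: dict):
    """Return the id as 40 upper-case hex digits, or None if missing/malformed."""
    fpr = "".join(attrs.get("id", "").split()).upper()
    return fpr if HEX40.match(fpr) else None


def header_matches_key(raw_message: str, key_fingerprint: str) -> bool:
    """True only if the header advertises exactly the fingerprint of the key
    that verified the message; key_fingerprint may be spaced as gpg prints it."""
    adv = advertised_fingerprint(parse_openpgp_header(raw_message))
    if adv is None:
        return False
    actual = "".join(key_fingerprint.split()).upper()
    return hmac.compare_digest(adv, actual)
```

A header that fails `advertised_fingerprint` (wrong length, non-hex) is treated the same as a missing one, so a mangled or spoofed header never yields a match.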

How to show fingerprint in email header?

2017-06-08 Thread Satoshi Yoshida
How to show fingerprint in email header?
I found
https://datatracker.ietf.org/doc/draft-josefsson-openpgp-mailnews-header/
But it is expired.

-- 
Satoshi Yoshida
https://satoshi.blog



Re: sha1 pgp fingerprint

2017-01-26 Thread Werner Koch
On Thu, 26 Jan 2017 10:56, pe...@digitalbrains.com said:

> second-preimage attack. The problems with SHA-1 are with collision
> resistance, not preimage attacks.

Correct, but we should also mention that even collisions are not yet a
current problem - but one we definitely want to be prepared for.

The whole fuss about replacing SHA-1 in https (I write https and not
TLS for a reason) may help to learn about algorithm replacement
procedures for the future.  Replacing SHA-1 in X.509 certificates, as
used for the Web, will not magically make the Web in any way more
secure.  The problems with the Web infrastructure are not due to SHA-1
or even RSA-1024; Shamir's old rule still holds: "Crypto will not be
broken, it will be bypassed".


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.




Re: sha1 pgp fingerprint

2017-01-26 Thread Peter Lebbing
On 26/01/17 00:47, sivmu wrote:
> The question I have not yet found any clear answer for, is why is nobody
> talking about this and should pgp keys be identified by a stronger hash
> algorithm in the future?

Subverting SHA-1 as used for OpenPGP fingerprints requires a
second-preimage attack. The problems with SHA-1 are with collision
resistance, not preimage attacks.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: sha1 pgp fingerprint

2017-01-26 Thread Damien Goutte-Gattat

On 01/26/2017 12:47 AM, sivmu wrote:

> The question I have not yet found any clear answer for, is why is nobody
> talking about this and should pgp keys be identified by a stronger hash
> algorithm in the future?


People *do* talk about this. But a change of the hash algorithm used for 
fingerprinting keys cannot be decided unilaterally by GnuPG developers. 
All OpenPGP implementations have to agree on such a change; that's why 
the discussions occur on the IETF OpenPGP mailing list.


See for example those threads:

https://www.ietf.org/mail-archive/web/openpgp/current/msg08265.html

https://www.ietf.org/mail-archive/web/openpgp/current/msg08693.html





sha1 pgp fingerprint

2017-01-25 Thread sivmu

I have been wondering for a while about the use of sha1 in pgp fingerprints.

Although sha1 may not be easily broken in practice, there are
theoretical collision attacks that are feasible for well-funded
organisations.
Cryptographers, like Bruce Schneier, have been recommending for years to
migrate to a new hash algorithm for all sorts of reasons.

New versions of gpg do not use sha1 in any encryption operation if I am
not mistaken. But we still use sha1 fingerprints to compare our keys.

The question I have not yet found any clear answer for, is why is nobody
talking about this and should pgp keys be identified by a stronger hash
algorithm in the future?


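Several threads above turn on what a fingerprint actually is: Duane wants to compare a downloaded key's fingerprint with a published value, Kirill notes that it is a hash of the public key material together with the creation timestamp, and sivmu and Peter discuss the SHA-1 that produces it. The following added example, my code and not anything from the posters or from GnuPG, makes that concrete. It builds a version-4 RSA public-key packet from a constructed, non-functional modulus, wraps it in the old-format packet header that a binary public-key export begins with, extracts the packet back out, computes the RFC 4880 fingerprint (SHA-1 over 0x99, the two-octet body length and the body), derives the 64-bit key ID gpg displays, and compares against a fingerprint in the spaced form gpg prints. It also shows Kirill's point that changing only the timestamp changes the fingerprint. The modulus, exponent and timestamp are constructed values; the timestamp is an assumed time of day on the creation date of the CentOS-7 key listed earlier and nothing else about that key is reproduced.

```python
"""Compute an OpenPGP v4 fingerprint from a binary public-key packet.

Constructed example: the "RSA" modulus is a non-functional stand-in, not a
real key, and the timestamp is an assumed value.
"""
import hashlib
import hmac
import struct


def mpi(n: int) -> bytes:
    """OpenPGP MPI: two-octet bit count followed by the big-endian magnitude."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def read_mpi(buf: bytes, pos: int):
    """Inverse of mpi(); returns (value, position after the MPI)."""
    bits = struct.unpack(">H", buf[pos:pos + 2])[0]
    nbytes = (bits + 7) // 8
    return int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big"), pos + 2 + nbytes


def rsa_v4_body(created: int, n: int, e: int) -> bytes:
    """Body of a version-4 RSA public-key packet (RFC 4880 5.5.2):
    version(1) | creation time(4) | algorithm(1, RSA = 1) | MPI n | MPI e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def parse_rsa_v4_body(body: bytes):
    """Return (created, n, e); rejects anything that is not a v4 RSA key."""
    if body[0] != 4 or body[5] != 1:
        raise ValueError("not a version-4 RSA public key packet")
    created = struct.unpack(">I", body[1:5])[0]
    n, pos = read_mpi(body, 6)
    e, pos = read_mpi(body, pos)
    if pos != len(body):
        raise ValueError("trailing bytes in key packet")
    return created, n, e


def wrap_packet(body: bytes) -> bytes:
    """Old-format header for tag 6 with a two-octet length (0x99): the first
    packet of a binary (non-armored) public-key export."""
    return b"\x99" + struct.pack(">H", len(body)) + body


def first_packet_body(data: bytes) -> bytes:
    """Extract the body of the first old-format packet (length types 0-2)."""
    tag = data[0]
    if tag & 0xC0 != 0x80:
        raise ValueError("not an old-format packet header")
    ltype = tag & 0x03
    if ltype == 0:
        length, hdr = data[1], 2
    elif ltype == 1:
        length, hdr = struct.unpack(">H", data[1:3])[0], 3
    elif ltype == 2:
        length, hdr = struct.unpack(">I", data[1:5])[0], 5
    else:
        raise ValueError("indeterminate length not supported here")
    return data[hdr:hdr + length]


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the two-octet body length, and the body."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


def long_key_id(fpr: str) -> str:
    """Low 64 bits of the fingerprint: the key ID gpg lists for a v4 key."""
    return fpr[-16:]


def fingerprints_match(displayed: str, computed: str) -> bool:
    """Compare a fingerprint as gpg prints it (grouped, any case) with a computed one."""
    def norm(s: str) -> str:
        return "".join(s.split()).upper()
    return hmac.compare_digest(norm(displayed), norm(computed))


# Constructed, deliberately non-functional 2048-bit-shaped modulus and exponent.
DUMMY_N = (1 << 2047) | 0xC0FFEE
DUMMY_E = 65537
# Assumed timestamp: 2014-06-23 00:00:00 UTC.
CREATED = 1403481600


def demo():
    """Fingerprint a constructed key file; show that the timestamp alone moves it."""
    key_file = wrap_packet(rsa_v4_body(CREATED, DUMMY_N, DUMMY_E))
    fpr = v4_fingerprint(first_packet_body(key_file))
    fpr_later = v4_fingerprint(rsa_v4_body(CREATED + 1, DUMMY_N, DUMMY_E))
    return fpr, long_key_id(fpr), fpr_later
```

The byte string `0x99 || length || body` hashed in `v4_fingerprint` is exactly the old-format packet `wrap_packet` produces, which is why the fingerprint of an exported key can be recomputed from the file without a keyring. `first_packet_body` accepts only definite-length old-format headers; an armored (`.asc`) file has to be dearmored first, and a key whose first packet uses the new-format header would need the RFC 4880 4.2.2 length rules added.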

gpg --encrypt-to says a key by fingerprint is ambiguous

2016-01-06 Thread Lars Hollenbach

Hello,
When I use gpg --encrypt-to  I am getting this:

gpg --encrypt-to 06195004D8FBF459786B2CA2D731496480A63D5A
gpg: key specification '06195004D8FBF459786B2CA2D731496480A63D5A' is ambiguous
gpg: (check argument of option '--encrypt-to')
gpg: '06195004D8FBF459786B2CA2D731496480A63D5A' matches at least:
gpg:   06195004D8FBF459786B2CA2D731496480A63D5A
gpg:   06195004D8FBF459786B2CA2D731496480A63D5A

I'm using gnupg 2.1.10 on Windows 8.1

Encrypt your email with gpg4o for Outlook
---
Lars Hollenbach
Trainee

Giegerich & Partner GmbH
Robert-Bosch-Straße 18 | D-63303 Dreieich
Tel. +49 6103 5881-0 | Fax +49 6103 5881-49
lars.hollenb...@giepa.de | http://www.giepa.de

Managing Director: Dipl.-Ing. (TU) Hans-Joachim Giegerich
Offenbach/Main District Court | HRB 33236

TeleTrusT Quality Seal "IT Security made in Germany" www.teletrust.de/itsmig
---



Re: gpg --encrypt-to says a key by fingerprint is ambiguous

2016-01-06 Thread Doug Barton


On 1/6/2016 8:03 AM, Lars Hollenbach wrote:
| Hello,
| When I use gpg --encrypt-to  I am getting this:
|
| gpg --encrypt-to 06195004D8FBF459786B2CA2D731496480A63D5A
| gpg: key specification '06195004D8FBF459786B2CA2D731496480A63D5A' is ambiguous
| gpg: (check argument of option '--encrypt-to')
| gpg: '06195004D8FBF459786B2CA2D731496480A63D5A' matches at least:
| gpg:   06195004D8FBF459786B2CA2D731496480A63D5A
| gpg:   06195004D8FBF459786B2CA2D731496480A63D5A

The error message seems pretty straightforward ... can you show us the
output of --list-keys for that fingerprint?

Doug


Re: What is 'CA fingerprint 1' on Smartcard

2015-04-27 Thread Daniel Krebs

On 03.04.2015 at 13:14, Werner Koch wrote:
> Back in 2005 the idea was to setup our own OpenPGP CA and the
> FSFE prepared the cards for this (this is also one of the
> reasons for the PIN letter).  However, the folks responsible for
> the fellowship card never came around to setup a process to
> actually run such a CA and thus the whole thing got dusty.  I
> still have the CDROM with the private key but I do not think that
> this expired key is of any use.
>
>
> Salam-Shalom,
>
>    Werner

Hi Werner,
sorry for the late reply, somehow I missed your mail...
Was this meant to work kind of like the CA of the c't crypto
campaign?

DK


Re: What is 'CA fingerprint 1' on Smartcard

2015-04-03 Thread Werner Koch
On Tue, 31 Mar 2015 18:50, mailingl...@krebs.uno said:

> What is the CA fingerprint on FSFE-Smartcard?

  $ gpg -k 'C485 A6CD 7EC6 6E9E EC33  65F2 70F2 75E4 C32F 6CA5'
  pub   dsa1024/70F275E4C32F6CA5 2005-04-10 [expired: 2009-12-31]
  uid   [ expired] FSFE Fellowship (certification key) c...@fsfe.org

Back in 2005 the idea was to set up our own OpenPGP CA and the FSFE
prepared the cards for this (this is also one of the reasons for the
PIN letter).  However, the folks responsible for the fellowship card
never came around to setting up a process to actually run such a CA and
thus the whole thing got dusty.  I still have the CDROM with the private
key but I do not think that this expired key is of any use.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.




Re: What is 'CA fingerprint 1' on Smartcard

2015-04-02 Thread Daniel Krebs

On 02.04.2015 at 04:40, NIIBE Yutaka wrote:

> It seems that it's intended to hold a fingerprint of OpenPGP,
> but it is not clear what/how this fingerprint is used for.
>
> From a view point of scdaemon developer, I don't have any
> experience using these data objects.  Even, I couldn't imagine
> valid usage of these data objects.
>
> Besides, I don't understand the reason why this data object was
> filled by a specific value when shipped.
>
> Sorry for not useful information, but, those are all I could say.
>
> Still, it would make sense to share this info.
>

OK, I will ask on the FSFE mailing list and post the answer
here as soon as I have it.

DK


Re: What is 'CA fingerprint 1' on Smartcard

2015-04-01 Thread NIIBE Yutaka
On 04/01/2015 01:50 AM, Daniel Krebs wrote:
> What is the CA fingerprint on FSFE-Smartcard?
>
> A gpg2 --card-status gave the information:
> CA fingerprint 1 .: C485 A6CD 7EC6 6E9E EC33  65F2 70F2 75E4 C32F 6CA5

Well, I can't find a key with this fingerprint on key servers.

> This is a smartcard issued by the FSFE. After resetting the card this
> information is gone, so it must be applied by FSFE. I read the
> openpgp-card-2.0 specification but I'm still not sure what this CA
> data object is used for and what specific CA it points to. Maybe you
> can help...

It seems that it's intended to hold a fingerprint of OpenPGP, but
it is not clear what/how this fingerprint is used for.

From a view point of scdaemon developer, I don't have any experience
using these data objects.  Even, I couldn't imagine valid usage of
these data objects.

Besides, I don't understand the reason why this data object was filled
by a specific value when shipped.

Sorry for not useful information, but, those are all I could say.

Still, it would make sense to share this info.
-- 



What is 'CA fingerprint 1' on Smartcard

2015-03-31 Thread Daniel Krebs

Hi,
Hope this question is OK on this list.
What is the CA fingerprint on FSFE-Smartcard?

A gpg2 --card-status gave the information:
CA fingerprint 1 .: C485 A6CD 7EC6 6E9E EC33  65F2 70F2 75E4 C32F 6CA5

This is a smartcard issued by the FSFE. After resetting the card this
information is gone, so it must be applied by FSFE. I read the
openpgp-card-2.0 specification but I'm still not sure what this CA
data object is used for and what specific CA it points to. Maybe you
can help...

DK


Re: Issuer Fingerprint

2015-01-14 Thread Werner Koch
On Wed, 14 Jan 2015 00:54, 2014-667rhzu3dc-lists-gro...@riseup.net said:

> I thought we already took care of this with
> sig-notation issuer-...@notations.openpgp.fifthhorseman.net=%g [0]

But GnuPG does not know about this - it is Dkg's private thing.  Further,
this triples the required size for each signature.

If we did that with notation data, something like iss...@gnupg.org=
would be used.  But see the discussion on gnupg-devel.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Issuer Fingerprint (was: Vanity Keys)

2015-01-13 Thread Werner Koch
[Moving discussion to gnupg-devel]

On Tue, 13 Jan 2015 10:41, nicholas.c...@gmail.com said:

> Or a new revision of the standard, I suppose.  But I think that one or

A new key and signature packet version will take years to develop and
deploy.  Thus I think it is better to first do something within the
standard which will be backward compatible.

We currently use this subpacket:

  5.2.3.5.  Issuer

   (8-octet Key ID)

   The OpenPGP Key ID of the key issuing the signature.

A new optional subpacket:

5.2.3.27.  IssuerFingerprint

   (N-octet Key Fingerprint)

   The OpenPGP Fingerprint of the key issuing the signature.  For
   current versions of OpenPGP N has the value 20.  Future versions of
   OpenPGP may specify a different scheme for the fingerprint and thus
   another value for N.  Implementations should thus be prepared for
   other fingerprint lengths but honor this subpacket only if N is 20.

could be used to overcome duplicate key id problems.  The subpacket
type octet for that new subpacket would be 33.  Note that

  Adding a new Signature subpacket MUST be done through the IETF
  CONSENSUS method, as described in [RFC2434].

which takes quite some time.  Should we pursue this task, or take a quick
solution by using notation data?

The size of a signature will increase by 22 or even more when using the
notation data approach.  This is noticeable but given that we are anyway
moving to the smaller ECC algorithms I think this is acceptable.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
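As an added example (not Werner's or GnuPG's code), the following Python encodes and parses a signature subpacket area as laid out in RFC 4880 section 5.2.3.1, carrying both the existing Issuer subpacket (type 16) and the IssuerFingerprint subpacket proposed above (type 33), and applies the proposal's rule that the fingerprint is honored only when N is 20. The 8- and 20-octet values are constructed; the size comparison shows the 22-octet cost of the new subpacket.

```python
"""OpenPGP signature subpackets: Issuer (type 16) and the proposed
IssuerFingerprint (type 33).  Added example; type 33 and the N == 20 rule
come from the proposal in the message above, the length encoding and the
critical bit from RFC 4880 section 5.2.3.1."""
import struct

SUBPKT_ISSUER = 16        # RFC 4880 5.2.3.5: 8-octet key ID
SUBPKT_ISSUER_FPR = 33    # proposed: N-octet fingerprint, honored if N == 20


def encode_subpacket(sp_type, body, critical=False):
    """One subpacket: length (covers the type octet and the body), type, body."""
    n = len(body) + 1
    if n < 192:
        length = bytes([n])
    elif n < 16320:
        n2 = n - 192
        length = bytes([(n2 >> 8) + 192, n2 & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    type_octet = sp_type | (0x80 if critical else 0)
    return length + bytes([type_octet]) + body


def parse_subpackets(area):
    """Return a list of (type, critical, body) tuples from a subpacket area."""
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:
            n, i = first, i + 1
        elif first < 255:
            n = ((first - 192) << 8) + area[i + 1] + 192
            i += 2
        else:
            n = struct.unpack(">I", area[i + 1:i + 5])[0]
            i += 5
        if n < 1 or i + n > len(area):
            raise ValueError("truncated subpacket")
        type_octet = area[i]
        out.append((type_octet & 0x7F, bool(type_octet & 0x80), area[i + 1:i + n]))
        i += n
    return out


def issuer_from_subpackets(subpackets):
    """Prefer a 20-octet IssuerFingerprint; fall back to the 8-octet Issuer.
    Other fingerprint lengths are tolerated but ignored, as the proposal says.
    An unknown subpacket flagged critical makes the signature invalid."""
    fpr = keyid = None
    for sp_type, critical, body in subpackets:
        if sp_type == SUBPKT_ISSUER_FPR:
            if len(body) == 20:
                fpr = body
        elif sp_type == SUBPKT_ISSUER:
            if len(body) == 8:
                keyid = body
        elif critical:
            raise ValueError(f"unknown critical subpacket type {sp_type}")
    if fpr is not None:
        return ("fingerprint", fpr.hex().upper())
    if keyid is not None:
        return ("keyid", keyid.hex().upper())
    return (None, None)


def size_overhead(fingerprint):
    """Octets added to a signature by carrying the fingerprint subpacket
    alongside the Issuer subpacket (22 for a 20-octet fingerprint)."""
    return len(encode_subpacket(SUBPKT_ISSUER_FPR, fingerprint))


if __name__ == "__main__":
    fpr = bytes(range(1, 21))                    # constructed 20-octet value
    area = (encode_subpacket(SUBPKT_ISSUER, fpr[-8:])
            + encode_subpacket(SUBPKT_ISSUER_FPR, fpr))
    print(issuer_from_subpackets(parse_subpackets(area)))
    print("extra octets per signature:", size_overhead(fpr))
```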




Re: Issuer Fingerprint (was: Vanity Keys)

2015-01-13 Thread MFPA

Hi


On Tuesday 13 January 2015 at 11:33:25 AM, in
mid:87zj9mdiey.fsf...@vigenere.g10code.de, Werner Koch wrote:


> Should we pursue this
> task or take a quick solution by using notation data?

I thought we already took care of this with
sig-notation issuer-...@notations.openpgp.fifthhorseman.net=%g [0]

[0] http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7235

--
Best regards

MFPA mailto:2014-667rhzu3dc-lists-gro...@riseup.net

I don't suffer from insanity I enjoy every minute of it.


Re: Keygrip v fingerprint ?

2014-11-30 Thread Philip Jackson
On 30/11/14 01:32, Kristian Fiskerstrand wrote:
> The keygrip is protocol-agnostic whereby the fingerprint would differ
> e.g. between OpenPGP and X.509. From [0] (note [2]):
>
> The keygrip is a unique identifier for a key pair, it is
> independent of any protocol, so that the same key can be used with
> different protocols.  PKCS-15 calls this a subjectKeyHash; it can be
> calculated using Libgcrypt's gcry_pk_get_keygrip ().

Thank you, Kristian





Keygrip v fingerprint ?

2014-11-29 Thread Philip Jackson
I see on :

https://www.gnupg.org/documentation/manuals/gnupg/Option-Index.html#Option-Index

references to both --with-keygrip and --with-fingerprint.  When I try
--with-keygrip on gnupg2.0.26, it appears not to be a valid option.

The only other time I have seen a reference to a keygrip (and I don't remember
where I saw it), it seemed to me that a keygrip looked just like a fingerprint.

Could someone please explain the difference between a keygrip and a fingerprint
or point me to a relevant document ?

Philip





Re: Keygrip v fingerprint ?

2014-11-29 Thread Kristian Fiskerstrand

On 11/30/2014 12:23 AM, Philip Jackson wrote:
> I see on :
>
> https://www.gnupg.org/documentation/manuals/gnupg/Option-Index.html#Option-Index
>
> references to both --with-keygrip and --with-fingerprint.  When I
> try --with-keygrip on gnupg2.0.26, it appears not to be a valid
> option.
>

It is available in 2.1

> The only other time I have seen a reference to a keygrip (and I
> don't remember where I saw it), it seemed to me that a keygrip
> looked just like a fingerprint.
>
> Could someone please explain the difference between a keygrip and a
> fingerprint or point me to a relevant document ?

The keygrip is protocol-agnostic whereby the fingerprint would differ
e.g. between OpenPGP and X.509. From [0] (note [2]):

The keygrip is a unique identifier for a key pair, it is
independent of any protocol, so that the same key can be used with
different protocols.  PKCS-15 calls this a subjectKeyHash; it can be
calculated using Libgcrypt's gcry_pk_get_keygrip ().

References:
[0]
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=agent/keyformat.txt;h=42c4b1f06faf1bbe71ffadc2fee0fad6bec91a97;hb=refs/heads/master

--
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
I have always wished that my computer would be as easy to use as my
telephone.
My wish has come true -- I no longer know how to use my telephone
(Bjarne Stroustrup, April 1999)
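To make the difference concrete, here is an added example (not from the thread or from GnuPG) that computes both identifiers for one RSA public key in Python: the v4 fingerprint per RFC 4880 section 12.2, which hashes the whole public-key packet including its creation time, and the keygrip per the keyformat.txt rule cited above, which for RSA is the SHA-1 of the modulus n alone. The modulus is a constructed dummy value, not a real key; the point is that re-wrapping the same key pair with a different creation time (or in an X.509 certificate) changes the fingerprint but not the keygrip.

```python
"""v4 OpenPGP fingerprint versus GnuPG keygrip for one RSA key.
Added example: fingerprint per RFC 4880 12.2, keygrip per agent/keyformat.txt
(RSA: SHA-1 over the modulus n).  DUMMY_N is constructed, not a real key."""
import hashlib
import struct

# Constructed 2048-bit odd integer with the top bit set; NOT a real RSA modulus.
DUMMY_N = (int.from_bytes(hashlib.sha256(b"constructed modulus").digest() * 8, "big")
           | (1 << 2047) | 1)
DUMMY_E = 65537
CREATED_2012 = 1325376000   # 2012-01-01T00:00:00Z
CREATED_2014 = 1388534400   # 2014-01-01T00:00:00Z


def mpi(value):
    """OpenPGP MPI (RFC 4880 3.2): 2-octet bit count, then big-endian octets."""
    length = (value.bit_length() + 7) // 8
    return struct.pack(">H", value.bit_length()) + value.to_bytes(length, "big")


def v4_fingerprint(n, e, created):
    """SHA-1 over 0x99, a 2-octet length and the public-key packet body
    (version 4, creation time, algorithm 1 = RSA, MPI n, MPI e).  Because
    the creation time is hashed, the same key pair gets a different
    fingerprint when packaged with another time."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


def key_id(fingerprint):
    """The 64-bit key ID is the low-order 8 octets of the v4 fingerprint."""
    return fingerprint[-16:]


def rsa_keygrip(n):
    """Keygrip for RSA as described in keyformat.txt: SHA-1 over the modulus
    as unsigned big-endian octets, leading zero octets stripped.  No creation
    time and no OpenPGP or X.509 framing go in, hence protocol-agnostic."""
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big").lstrip(b"\x00")
    return hashlib.sha1(octets).hexdigest().upper()


def identifiers(n, e, created):
    """The three identifiers gpg can show for one key."""
    fpr = v4_fingerprint(n, e, created)
    return {"fingerprint": fpr, "keyid": key_id(fpr), "keygrip": rsa_keygrip(n)}


if __name__ == "__main__":
    a = identifiers(DUMMY_N, DUMMY_E, CREATED_2012)
    b = identifiers(DUMMY_N, DUMMY_E, CREATED_2014)
    for name in ("fingerprint", "keyid", "keygrip"):
        same = "same" if a[name] == b[name] else "differs"
        print(f"{name:12} {a[name]}  ({same} across creation times)")
```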


DANE (was: mailto with pgp fingerprint)

2014-07-28 Thread Nicolai Josuttis (enigmail)
Are you or is someone working on DANE support for GnuPG?
Any schedule?

On 22.07.2014 16:27, Werner Koch wrote:
>
> On Tue, 22 Jul 2014 09:40, enigm...@josuttis.de said:
>> More and more we seem to have the problem of faked keys in the
>> key servers. This especially applies to well known keys such
>> as authors of magazines and famous tools.
>
> This is actually the problem of checking the validity of the key.
> Granted, gpg is not smart enough to figure out the best matching
> key but that is something which can be fixed.
>
> A more simple way of tackling this is to use PKA or DANE for key
> validation: For sending mail you already need DNS and thus it would
> be easy to retrieve the matching key from the DNS.  The drawback is
> that this must be configured by the key owner and can't be changed
> by the sender.
>
>
> Shalom-Salam,
>
> Werner
>

-- 
Nicolai M. Josuttis
www.josuttis.de
mailto:n...@enigmail.net
PGP fingerprint: CFEA 3B9F 9D8E B52D BD3F 7AF6 1C16 A70A F92D 28F5




Re: mailto with pgp fingerprint

2014-07-25 Thread MFPA

Hi


On Wednesday 23 July 2014 at 9:02:23 PM, in
mid:109d2e39-c8dc-4cbc-a404-a5bd1b130...@gpgtools.org, steve wrote:


> Wouldn’t it be a nice solution, if key server software
> had a mechanism for users to verify their UserID by
> sending a mail to the mail address in question.

If I recall correctly, PGP's keyserver PGP Global Directory sends an
email to each email address in the uids when a key is submitted, and
only lists those uids whose email address replies. It re-sends these
verification emails every six months, and deletes keys if there is no
reply. It also allows anybody with access to your email address to
delete your key and upload a different one, according to Wikipedia
[0].

[0] 
https://en.wikipedia.org/wiki/Key_server_%28cryptographic%29#Problems_with_keyservers

--
Best regards

MFPA mailto:2014-667rhzu3dc-lists-gro...@riseup.net

Yellow snow is not lemon flavoured


Re: mailto with pgp fingerprint

2014-07-25 Thread Schlacta, Christ
On Jul 25, 2014 5:30 AM, MFPA 2014-667rhzu3dc-lists-gro...@riseup.net
wrote:

> Hi
>
> On Wednesday 23 July 2014 at 9:02:23 PM, in
> mid:109d2e39-c8dc-4cbc-a404-a5bd1b130...@gpgtools.org, steve wrote:
>
>> Wouldn’t it be a nice solution, if key server software
>> had a mechanism for users to verify their UserID by
>> sending a mail to the mail address in question.
>
> If I recall correctly, PGP's keyserver PGP Global Directory sends an
> email to each email address in the uids when a key is submitted, and
> only lists those uids whose email address replies. It re-sends these
> verification emails every six months, and deletes keys if there is no
> reply. It also allows anybody with access to your email address to
> delete your key and upload a different one, according to Wikipedia
> [0].

I just recently published a number of keys, and never noticed any such
emails.


> [0] https://en.wikipedia.org/wiki/Key_server_%28cryptographic%29#Problems_with_keyservers




Re: mailto with pgp fingerprint

2014-07-25 Thread MFPA

Hi


On Friday 25 July 2014 at 2:01:28 PM, in
mid:cacpwn9tbm5ko1mqee3ovfehif1dv5u3n1pjf-k42jzsstyu...@mail.gmail.com,
Schlacta, Christ wrote:


> On Jul 25, 2014 5:30 AM, MFPA
> 2014-667rhzu3dc-lists-gro...@riseup.net wrote:
>> If I recall correctly, PGP's keyserver PGP Global
>> Directory sends an email to each email address in the
>> uids when a key is submitted, and only lists those
>> uids whose email address replies. It re-sends these
>> verification emails every six months, and deletes keys
>> if there is no reply. It also allows anybody with
>> access to your email address to delete your key and
>> upload a different one, according to Wikipedia [0].
>
> I just recently published a number of keys, and never
> noticed any such emails.


Did you publish them to the (stand-alone) PGP Global Directory,
rather than to one of the keyservers that propagate the keys to each
other?

It's possible the PGP Global Directory has changed its processes,
but any such change is not yet reflected in their FAQ page [0], which
still says:-

What new features are available with the PGP Global Directory?
The PGP Global Directory uses next-generation keyserver technology; it
sends verification messages to the email addresses on a submitted key
and lets you manage your own key, including removing it--features not
available on keyservers with older keyserver technology.

and:-

Does the PGP Global Directory use any other methods for keeping
itself free of unusable keys?
Yes. The PGP Global Directory re-verifies keys every six months by
sending a renewal email message to the email address on the key. If
the key owner does not respond, the key will be removed from the
directory. In order for the key to remain on the PGP Global Directory,
the owner must approve the renewal request. This feature ensures the
PGP Global Directory will always contain only current keys.


[0] https://keyserver.pgp.com/vkd/VKDHelpPGPCom.html.


--
Best regards

MFPA mailto:2014-667rhzu3dc-lists-gro...@riseup.net

The cure for anything is salt water - sweat, tears, or the sea.


Re: mailto with pgp fingerprint

2014-07-25 Thread MFPA

Hi


On Friday 25 July 2014 at 3:12:58 PM, in
mid:20140725101258.a18ae6eadac2f5426df7c...@gmail.com, Thomas
Harning wrote:


> While PGP Global Directory provides for some basic
> level of this email address belongs to this key...
> its key signing policy leads to cruft buildup.

Yes, I wasn't promoting it. Just replying to Steve's post about
keyservers verifying UIDs by sending emails being a nice solution
and had it been discussed - by showing him that it had actually been
tried and there is an instance publicly available. I was hoping that
Steve would then search for discussions on PGP Global Directory to
see arguments for and against, or maybe that somebody would briefly
summarise here.


> Back in April 2011 I signed up for it and got a series
> of key signatures every few weeks until January 2012
> when I got fed up with it. There are now 14 expired
> signatures 'stuck' on my key and published to the
> directories...

And I guess these have been leaked onto the networked keyservers,
rather than being confined to PGP Global Directory? I never really saw
the point of those signatures from the directory: if it was listed
there, it had been verified in the last six months, and once a user
had downloaded and used it for communication, they knew whether or not
it worked.




--
Best regards

MFPA mailto:2014-667rhzu3dc-lists-gro...@riseup.net

Courage is not the absence of fear, but the mastery of it.


Re: mailto with pgp fingerprint

2014-07-25 Thread Alexander Reiter
MFPA wrote:
> If I recall correctly, PGP's keyserver PGP Global Directory sends an
> email to each email address in the uids when a key is submitted, and
> only lists those uids whose email address replies. It re-sends these
> verification emails every six months, and deletes keys if there is no
> reply. It also allows anybody with access to your email address to
> delete your key and upload a different one, according to Wikipedia
> [0].

Instead of revoking your key, simply remove it from the directory.
   -- PGP Global Directory Frequently Asked Questions (FAQ)

Meaning that gpg --keyserver ldap://keyserver.pgp.com --refresh-keys
would result in unchanged keys, even if I had revoked them.





Re: mailto with pgp fingerprint

2014-07-25 Thread Thomas Harning
On Fri, 25 Jul 2014 14:44:54 +0100
MFPA 2014-667rhzu3dc-lists-gro...@riseup.net wrote:

> Hi
>
> On Friday 25 July 2014 at 2:01:28 PM, in
> mid:cacpwn9tbm5ko1mqee3ovfehif1dv5u3n1pjf-k42jzsstyu...@mail.gmail.com,
> Schlacta, Christ wrote:
>
>> On Jul 25, 2014 5:30 AM, MFPA
>> 2014-667rhzu3dc-lists-gro...@riseup.net wrote:
>>> If I recall correctly, PGP's keyserver PGP Global
>>> Directory sends an email to each email address in the
>>> uids when a key is submitted, and only lists those
>>> uids whose email address replies. It re-sends these
>>> verification emails every six months, and deletes keys
>>> if there is no reply. It also allows anybody with
>>> access to your email address to delete your key and
>>> upload a different one, according to Wikipedia [0].
>>
>> I just recently published a number of keys, and never
>> noticed any such emails.
>
> Did you publish them to the (stand-alone) PGP Global Directory,
> rather than to one of the keyservers that propagate the keys to each
> other?
>
> It's possible the PGP Global Directory has changed its processes,
> but any such change is not yet reflected in their FAQ page [0], which
> still says:-
>
> What new features are available with the PGP Global Directory?
> The PGP Global Directory uses next-generation keyserver technology; it
> sends verification messages to the email addresses on a submitted key
> and lets you manage your own key, including removing it--features not
> available on keyservers with older keyserver technology.
>
> and:-
>
> Does the PGP Global Directory use any other methods for keeping
> itself free of unusable keys?
> Yes. The PGP Global Directory re-verifies keys every six months by
> sending a renewal email message to the email address on the key. If
> the key owner does not respond, the key will be removed from the
> directory. In order for the key to remain on the PGP Global Directory,
> the owner must approve the renewal request. This feature ensures the
> PGP Global Directory will always contain only current keys.
>
>
> [0] https://keyserver.pgp.com/vkd/VKDHelpPGPCom.html.
>
>
> --
> Best regards
>
> MFPA mailto:2014-667rhzu3dc-lists-gro...@riseup.net
>
> The cure for anything is salt water - sweat, tears, or the sea.

While PGP Global Directory provides for some basic level of this email address 
belongs to this key... its key signing policy leads to cruft buildup.

Back in April 2011 I signed up for it and got a series of key signatures every 
few weeks until January 2012 when I got fed up with it. There are now 14 
expired signatures 'stuck' on my key and published to the directories...


-- 
Thomas Harning harni...@gmail.com




Re: mailto with pgp fingerprint

2014-07-24 Thread steve
Wouldn’t it be a nice solution, if key server software had a mechanism for 
users to verify their UserID by sending a mail to the mail address in question.

Those verified keys then could be prioritized over the not verified keys when a 
search is done. Could still be faked, but would make faking a lot harder.

I assume this has already been discussed on some key server devel list? But 
have not followed that discussion, so I’m not aware.

All the best,
steve



On 22.07.2014 at 16:27, Werner Koch w...@gnupg.org wrote:

> On Tue, 22 Jul 2014 09:40, enigm...@josuttis.de said:
>> More and more we seem to have the problem of faked keys in the key
>> servers. This especially applies to well known keys such as
>> authors of magazines and famous tools.
>
> This is actually the problem of checking the validity of the key.
> Granted, gpg is not smart enough to figure out the best matching key but
> that is something which can be fixed.
>
> A more simple way of tackling this is to use PKA or DANE for key
> validation: For sending mail you already need DNS and thus it would be
> easy to retrieve the matching key from the DNS.  The drawback is that
> this must be configured by the key owner and can't be changed by the
> sender.
>
>
> Shalom-Salam,
>
>   Werner
>
> --
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.





Re: mailto with pgp fingerprint

2014-07-24 Thread Peter Lebbing
On 24/07/14 02:14, Sam Gleske wrote:
> I'm hoping keybase.io will hopefully resolve the
> issue of identity checking with key fingerprints.

I've just scanned through [1]. I'm not convinced.

This quote is from the front page:

> If you trust the client (our reference client is open source), then
> the server can't give you the wrong key for maria without getting
> caught or also compromising her twitter and github accounts.

This one from [1]:

> For instance, when Joe wants to establish a connection to an identity
> on Twitter, he would sign a statement of the first form, and then
> post that statement both on Twitter and Keybase. Outside observers
> can then reassure themselves that the accounts Joe on Keybase and
> MrJoe on Twitter are controlled by the same person. This person is
> usually the intended keyholder, but of course could be an attacker
> who broke into both accounts.

The basic reasoning seems to be: if you want multiple websites to report
incorrect data to the user, you need to hack multiple websites.

Huh?

You only need to be able to MITM close to the victim, and manipulate all
data your victim sees. There's no need to hack any server; you only need
to hack one router and be able to fake SSL certificates. No matter how
many accounts you link, github, twitter, facebook, security is not
increased against a MITM close to you.

If they thought of this, why is there no mention at all of a MITM'ing
attacker?

It's perfectly possible to write a program that scans all data for
OpenPGP signatures by a specific key, and replaces them on the fly by
OpenPGP signatures by another key. There's no need to MITM all SSL web
traffic: just do the keybase.io traffic, parse the response, and then
MITM the sites mentioned by keybase.io, which the keybase client will
now check.

A laptop on the move, *not* always using the same VPN, might quickly
escape from the attacker and see the real data. However, the damage
might already be done. You might already have given your attacker that
plaintext that you were so worried about that you encrypted it.

The documentation in [1] is superficial, and my analysis is even more
superficial. This is just something that stood out to me.

HTH,

Peter.

[1] https://keybase.io/docs/server_security

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://digitalbrains.com/2012/openpgp-key-peter



Re: mailto with pgp fingerprint

2014-07-23 Thread Sam Gleske
I'm hoping keybase.io will hopefully resolve the issue of identity checking
with key fingerprints.

For example, my keybase account is... https://keybase.io/samrocketman

My friends who regularly interact with me on github (and more rarely
twitter) as well as the domain(s) I own will help to give my recipients the
benefit of the doubt that my key is what I say it is when they only see it
in an email.


On Tue, Jul 22, 2014 at 10:27 AM, Werner Koch w...@gnupg.org wrote:

> On Tue, 22 Jul 2014 09:40, enigm...@josuttis.de said:
>> More and more we seem to have the problem of faked keys in the key
>> servers. This especially applies to well known keys such as
>> authors of magazines and famous tools.
>
> This is actually the problem of checking the validity of the key.
> Granted, gpg is not smart enough to figure out the best matching key but
> that is something which can be fixed.
>
> A more simple way of tackling this is to use PKA or DANE for key
> validation: For sending mail you already need DNS and thus it would be
> easy to retrieve the matching key from the DNS.  The drawback is that
> this must be configured by the key owner and can't be changed by the
> sender.
>
>
> Shalom-Salam,
>
>    Werner
>
> --
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




-- 
GPG FINGERPRINT 4096 KEY
8D8B F0E2 42D8 A068 572E
BF3C E8F7 3234 7257 E65F


mailto with pgp fingerprint

2014-07-22 Thread Nicolai Josuttis (enigmail)
More and more we seem to have the problem of faked keys in the key
servers. This especially applies to well known keys such as
authors of magazines and famous tools.

In addition, I have the problem that I'd like to use a special
reply-to address, which is not listed in the keyservers, but it
should be easy to associate that with a (known) public key.

So, I was wondering whether it is possible to force somehow the usage
of a specific pgp key identified by its fingerprint.

One obvious approach might be to extend the mailto format
(see http://www.rfc-editor.org/rfc/rfc2368.txt).

I was wondering whether it makes sense to standardize something like
 mailto:n...@josuttis.de?pgp=EA25EF48BF2001E41FAB0C1CDEF9FC808A1C44D0
or
 mailto:n...@josuttis.de?pgpfp=EA25EF48BF2001E41FAB0C1CDEF9FC808A1C44D0
so that we can provide elements in websites and emails
that force mailers to automatically choose the right public key
(either from internal list or from key servers).
The semantics would be:
- use the passed pgp key with the following email address

Mailers/PGP-tools could even use this to update their key rings.
(but with appropriate interaction and/or warning/error handling,
 because this can be a simple security hole if a link just
 would assign faked associated keys.).

We could even use a syntax like:
 mailto:?pgp=EA25EF48BF2001E41FAB0C1CDEF9FC808A1C44D0
or
 mailto:?pgpfp=EA25EF48BF2001E41FAB0C1CDEF9FC808A1C44D0
to force the usage of a pgp key and derive the email address from there.

Questions:
- Would such a thing make sense or am I missing something?
- Is there even something like that already there or on the way?
- If not, is somebody familiar with the process or even willing
  to propose this as a RFC?
- Other thoughts?

And BTW, if this is too much out of scope of GnuPG issues:
- What would be the right place to discuss such a thing?

Best
 Nico

-- 
Nicolai M. Josuttis
www.josuttis.de
mailto:n...@enigmail.net
PGP fingerprint: CFEA 3B9F 9D8E B52D BD3F 7AF6 1C16 A70A F92D 28F5
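Here is an added example (not part of the proposal, and not code from Enigmail or GnuPG) of how a mailer could consume such links: it parses the mailto: form per RFC 2368, extracts the proposed pgp= / pgpfp= hint, validates that it is a 40-hex-digit v4 fingerprint, distinguishes the address-less form from the addressed one, and compares the link's claim against the existing address-to-key bindings so that a link which tries to re-assign a known address to another key is flagged rather than silently accepted. The field names follow the message above; the addresses and the keyring dict in the test are constructed.

```python
"""Consume a mailto: link carrying a pgp= or pgpfp= fingerprint hint.
Added example; RFC 2368 hfield syntax, pgp/pgpfp names from the proposal
above.  The keyring passed to check_binding is a constructed
address -> fingerprint dict standing in for the real keyring."""
import re
from urllib.parse import unquote

FPR_RE = re.compile(r"^[0-9A-F]{40}$")       # v4 fingerprint: 20 octets, 40 hex digits
ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+$")    # deliberately loose address check


def parse_mailto(uri):
    """Split a mailto: URI into (addresses, hfields) per RFC 2368.
    Names are lower-cased and values percent-decoded; a 'to' hfield adds
    recipients to the ones given before the '?'."""
    if not uri.lower().startswith("mailto:"):
        raise ValueError("not a mailto: URI")
    to_part, _, query = uri[len("mailto:"):].partition("?")
    addresses = [unquote(a) for a in to_part.split(",") if a]
    hfields = {}
    if query:
        for pair in query.split("&"):
            name, _, value = pair.partition("=")
            hfields[unquote(name).lower()] = unquote(value)
    if "to" in hfields:
        addresses += [a for a in hfields.pop("to").split(",") if a]
    return addresses, hfields


def key_hint(uri):
    """Return what the link asks for.  'select-key': use this key for the
    listed addresses; 'lookup-by-fingerprint': no address given, derive it
    from the key's user IDs (local keyring or keyserver lookup by fingerprint);
    'none': no hint.  Malformed hints are rejected rather than guessed at."""
    addresses, hfields = parse_mailto(uri)
    raw = hfields.get("pgpfp") or hfields.get("pgp")
    if raw is None:
        return {"addresses": addresses, "fingerprint": None, "action": "none"}
    fpr = raw.replace(" ", "").upper()
    if not FPR_RE.match(fpr):
        raise ValueError("pgp/pgpfp is not a 40-hex-digit v4 fingerprint")
    bad = [a for a in addresses if not ADDR_RE.match(a)]
    if bad:
        raise ValueError(f"malformed address(es): {bad}")
    action = "select-key" if addresses else "lookup-by-fingerprint"
    return {"addresses": addresses, "fingerprint": fpr, "action": action}


def check_binding(hint, keyring):
    """Compare the link's claim with known address -> fingerprint bindings.
    'new': nothing known yet (needs user confirmation before storing);
    'match': consistent with what is known; 'conflict': the case the
    proposal warns about, a link trying to re-bind a known address."""
    if hint["fingerprint"] is None:
        return {}
    result = {}
    for addr in hint["addresses"]:
        known = keyring.get(addr)
        if known is None:
            result[addr] = "new"
        elif known.upper() == hint["fingerprint"]:
            result[addr] = "match"
        else:
            result[addr] = "conflict"
    return result


if __name__ == "__main__":
    link = "mailto:nico@example.org?pgpfp=EA25EF48BF2001E41FAB0C1CDEF9FC808A1C44D0"
    hint = key_hint(link)
    print(hint)
    # constructed keyring: the address is already bound to a different key
    print(check_binding(hint, {"nico@example.org": "0" * 40}))
```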




Re: mailto with pgp fingerprint

2014-07-22 Thread Werner Koch
On Tue, 22 Jul 2014 09:40, enigm...@josuttis.de said:
> More and more we seem to have the problem of faked keys in the key
> servers. This especially applies to well known keys such as
> authors of magazines and famous tools.

This is actually the problem of checking the validity of the key.
Granted, gpg is not smart enough to figure out the best matching key but
that is something which can be fixed.

A more simple way of tackling this is to use PKA or DANE for key
validation: For sending mail you already need DNS and thus it would be
easy to retrieve the matching key from the DNS.  The drawback is that
this must be configured by the key owner and can't be changed by the
sender.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: gpg --with-fingerprint $FILE is not listing the keyfingerprint in some cases

2014-05-14 Thread Aaron Toponce
On Wed, May 14, 2014 at 11:32:07AM +1000, Fraser Tweedale wrote:
> This behaviour also occurs for me in 2.0.22.  Instead of exporting
> the key, you could use --list-keys, which works for me:

Yeah, I'm not interested in running it from the keyring, as I am assuming that
the key is not imported, but only the file is available.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




Re: gpg --with-fingerprint $FILE is not listing the keyfingerprint in some cases

2014-05-14 Thread Aaron Toponce
On Tue, May 13, 2014 at 11:30:21PM -0400, David Shaw wrote:
> Looks like a bug.  Note that on each of the keys that didn't work there is a
> direct signature on the key.  This is not very common, and is usually used
> for a designated revoker (i.e. I permit so-and-so to revoke my key for me).
> I suspect there is a bug printing the fingerprints on a key from a key file
> (rather than from a keyring) for keys with a direct signature.

Ah. Interesting. Should I file a proper bug against GnuPG then?

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




Re: gpg --with-fingerprint $FILE is not listing the keyfingerprint in some cases

2014-05-14 Thread Werner Koch
On Wed, 14 May 2014 14:51, aaron.topo...@gmail.com said:

> Ah. Interesting. Should I file a proper bug against GnuPG then?

Please do that.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: gpg --with-fingerprint $FILE is not listing the keyfingerprint in some cases

2014-05-14 Thread Aaron Toponce
On Wed, May 14, 2014 at 06:26:31PM +0200, Werner Koch wrote:
>> Ah. Interesting. Should I file a proper bug against GnuPG then?
>
> Please do that.

Done. https://bugs.g10code.com/gnupg/issue1640

Thanks,

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




gpg --with-fingerprint $FILE is not listing the keyfingerprint in some cases

2014-05-13 Thread Aaron Toponce
I don't know if this is a bug, or if I am doing something wrong, so I might as
well ask here. I ran the following command from my terminal, and cannot
retrieve the fingerprint from the file:

$ gpg --output 0xBB065B251FF4945B.gpg --export 0xBB065B251FF4945B
$ gpg --with-colons --with-fingerprint 0xBB065B251FF4945B.gpg 
pub:-:2048:1:BB065B251FF4945B:2008-07-27:::f:
uid:Daniel T. Hagan dan...@kickidle.com:
sub:-:2048:1:6BA86443C0C6CDA2:2008-07-27
sub:-:2048:1:16C018D9B89B420A:2008-07-27

There should exist an ^fpr line in the output. Compare to:

$ gpg --output 0x4713D527ECE16009.gpg --export 0x4713D527ECE16009
$ gpg --with-colons --with-fingerprint 0x4713D527ECE16009.gpg 
pub:-:1024:17:4713D527ECE16009:2005-06-06:::f:George Hacker (GLS) ghac...@redhat.com:
fpr:8BFD3F436366D9820E9EAB2F4713D527ECE16009:
uid:George Hacker geor...@axian.com:
uid:George Hacker ghac...@axian.com:
uat:1 2493:
sub:-:1024:16:0D94CF6C0C8C2F1B:2005-06-06

Of the 453 keys in my public keyring, this happens on 8 of them (about 2%):

0x072DC7442B89BD45
0x14774C7B9958256C
0x4B2A4897D39DA0E3
0x63E42BD8C58C753A
0x677A7DE8CC9A6F67
0x6FA1B04BB6724E04
0x9710B89BCA57AD7C
0xBB065B251FF4945B

Any ideas what is going on?

Thanks,

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o
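As an added example (not the poster's script and not GnuPG code), here is a small checker for `--with-colons --with-fingerprint` output that flags exactly this symptom: primary keys with no fpr record, plus fingerprints whose low 64 bits do not match the key ID. The two sample outputs are the ones quoted in the message, pasted as they appear there (the archive dropped the angle brackets around e-mail addresses and the quoted output has the fingerprint in field 2, whereas current gpg puts it in field 10, so the fingerprint is located by pattern rather than by position).

```python
"""Flag key blocks in `gpg --with-colons --with-fingerprint FILE` output
that lack an fpr record.  Added example; samples are the two outputs quoted
in the message above, the canonical field layout follows GnuPG doc/DETAILS."""
import re

HEX40 = re.compile(r"^[0-9A-F]{40}$")

# Output quoted in the message for the failing key (no fpr record).
SAMPLE_MISSING = """\
pub:-:2048:1:BB065B251FF4945B:2008-07-27:::f:
uid:Daniel T. Hagan dan...@kickidle.com:
sub:-:2048:1:6BA86443C0C6CDA2:2008-07-27
sub:-:2048:1:16C018D9B89B420A:2008-07-27
"""

# Output quoted in the message for a key that works.
SAMPLE_OK = """\
pub:-:1024:17:4713D527ECE16009:2005-06-06:::f:George Hacker (GLS) ghac...@redhat.com:
fpr:8BFD3F436366D9820E9EAB2F4713D527ECE16009:
uid:George Hacker geor...@axian.com:
uid:George Hacker ghac...@axian.com:
uat:1 2493:
sub:-:1024:16:0D94CF6C0C8C2F1B:2005-06-06
"""


def key_blocks(colon_output):
    """Group records into one dict per primary key (pub record).
    Key IDs are field 5 of pub/sub records in every GnuPG version.  The
    fingerprint is found by pattern because its field position differs
    between the quoted output and current gpg; the user ID is taken from
    field 10 when present, else from the last non-empty field."""
    blocks, cur = [], None
    for line in colon_output.splitlines():
        fields = line.split(":")
        tag = fields[0]
        if tag == "pub":
            cur = {"keyid": fields[4].upper(), "fpr": None, "uids": [], "subs": []}
            blocks.append(cur)
        elif cur is None or not tag:
            continue
        elif tag == "fpr":
            fpr = next((f.upper() for f in fields[1:] if HEX40.match(f.upper())), None)
            # the first fpr after pub belongs to the primary key, later ones to subkeys
            if cur["fpr"] is None and fpr is not None:
                cur["fpr"] = fpr
        elif tag == "uid":
            if len(fields) > 9 and fields[9]:
                cur["uids"].append(fields[9])
            else:
                cur["uids"].append(next((f for f in reversed(fields) if f), ""))
        elif tag == "sub":
            cur["subs"].append(fields[4].upper())
    return blocks


def missing_fingerprints(colon_output):
    """Key IDs of primary keys with no fpr record: the reported symptom, which
    a script that trusts --with-fingerprint would otherwise silently miss."""
    return [b["keyid"] for b in key_blocks(colon_output) if b["fpr"] is None]


def inconsistent_fingerprints(colon_output):
    """Key IDs whose fpr record does not end in the key ID (for v4 keys the
    64-bit key ID is the low-order part of the fingerprint)."""
    return [b["keyid"] for b in key_blocks(colon_output)
            if b["fpr"] is not None and not b["fpr"].endswith(b["keyid"])]


if __name__ == "__main__":
    for name, sample in (("missing", SAMPLE_MISSING), ("ok", SAMPLE_OK)):
        print(name, "no fpr:", missing_fingerprints(sample),
              "mismatch:", inconsistent_fingerprints(sample))
```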



