Re: Does the PGP public key at https://www.washingtonpost.com/anonymous-news-tips/

WaPo also does have SecureDrop, but I'm not sure how often that gets used either. On Tue, Aug 9, 2022 at 10:34 PM Jay Sulzberger via Gnupg-users wrote: > > > On Sun, 7 Aug 2022, Andrew Gallagher wrote: > > > > >> On 7 Aug 2022, at 17:28, Jay Sulzberger via Gnupg-users > >> wrote: > >> > >>

Re: Why does gpg -k write to tofu.db?

On Tue, Aug 11, 2020 at 05:40:44PM -0400, Brian Minton wrote: > real 117m26.112s > user 25m56.486s > sys 90m31.859s Sorry about the bad signature. But, the question remains, why would just listing 13 thousand keys take 2 hours? By comparison, gpg1 takes just over a second with the

Re: Why does gpg -k write to tofu.db?

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Tue, Aug 11, 2020 at 5:32 PM Brian Minton wrote: > > I have a lot of public keys in my keybox (it's about 45 MB or so). > I was trying to figure out why seemingly innocent tasks in gpg take > a very long time. It seems that gnu

Re: Why does gpg -k write to tofu.db?

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Tue, Aug 11, 2020 at 5:32 PM Brian Minton wrote: > > I have a lot of public keys in my keybox (it's about 45 MB or so). > I was trying to figure out why seemingly innocent tasks in gpg take > a very long time. It seems that gnu

Why does gpg -k write to tofu.db?

I have a lot of public keys in my keybox (it's about 45 MB or so). I was trying to figure out why seemingly innocent tasks in gpg take a very long time. It seems that gnupg is making a very long running transaction to the sqlite3 database ~/.gnupg/tofu.db laptop:~/.gnupg$ date;ls -last Tue 11

Re: root certificate for smime missing gpgconf --launch dirmngr

On Tue, Jun 09, 2020 at 09:40:25AM +0200, Bernhard Reiter wrote: > If you trust a set of root certificates, like the ones shipped with your > operating system or a different application, you could just import them all > and mark them trusted. Of course you would need to sync this, if the set >

Re: WKS server problems

On 3/23/20 12:52 PM, john doe wrote: > I'll go back to using havege then as I need to generate a gpg key for > testing purposes on this VM. I apologize if I missed it earlier, but where is the VM running?  A lot of hypervisors provide an emulated or pass-through rdrand instruction, or

Re: Forward entire gnupg $HOME

On Mon, Sep 09, 2019 at 11:39:01PM +0200, Ángel wrote: > On 2019-09-05 at 08:59 +0200, john doe wrote: > > On 9/4/2019 10:41 PM, Andre Klärner wrote: > > > I usually use my workstation to do everything, but since I can't > > > access my mailbox via NFS anymore (different story), I resorted to > >

Re: Question about symmetric AES cipher in GnuPG

On 10/27/19 3:25 PM, Stefan Claas via Gnupg-users wrote: > gpg --symmetric --cipher-algo AES256 hw.txt gives me a file > size of 87 Bytes. > > Doing the same with openssl, for example: > > openssl enc -aes-256-cbc -pbkdf2 -in hw.txt -out hw.enc > > results in 32 Bytes. > > Can you please, or

Re: Which version of GnuPG to use?

On 9/17/19 12:59 PM, Stefan Claas via Gnupg-users wrote: > Unfortunately I am no programmer but I was thinking about the following: > I assume that in order to decrypt a message the secret key data must be > unlocked and loaded for a very short time into the computers RAM, in order > to perform

Re: gpg tells me a signature from my own key is a forgery.

On 8/30/19 12:41 PM, Brian Minton wrote: > I am testing signing with multiple keys. However, gpg tells me that my > own key is a forgery. I know it is not a forgery because I didn't forge > it. Is there a way to tell gpg that my own key is good? I'm using > trust model tofu+pgp, an

gpg tells me a signature from my own key is a forgery.

made Fri 30 Aug 2019 11:36:33 AM CDT gpg:using EDDSA key EED0158013DC2E6D6E001EA437B9507ACFF2016E gpg:issuer "brian@minton.systems" gpg: Good signature from "Brian Minton " [ultimate] gpg: aka "keybase.io/bjmgeek " [ulti

Re: What is the practical strength of DSA1024/Elgamal2048 (former GnuPG default)?

On Thu, Apr 25, 2019 at 11:19:15AM +0200, Kristian Fiskerstrand wrote: > On 4/25/19 9:20 AM, Bernhard Reiter wrote: > > Wikipedia points out a strong sensitivity of the algorithm to the quality > > of > > random number generators and that implementations could deliberately leak > > information

Re: was Re: PGP Key Poisoner // now "Binding one person's subkey to another person's primary key"

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 I've often wondered why the sks software didn't require cross-certification. It seems like that would solve the key poisoning issue. It would mean that when signing someone's key, you'd have to have a way to exchange the signatures first, before

Re: distributing pubkeys: autocrypt, hagrid, WKD (Re: Your Thoughts)

I'm kind of a corner case, but I can't use wkd because I don't control my top level domain for my email. I also can't use DANE for the same reason. I can and do use DNS CERT records because it allows a second-level domain. I suppose this has been discussed to death, but wouldn't it make sense

Re: distributing pubkeys: autocrypt, hagrid, WKD (Re: Your Thoughts)

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Oops, forgot to sign it. I'm kind of a corner case, but I can't use wkd because I don't control my top level domain for my email. I also can't use DANE for the same reason. I can and do use DNS CERT records because it allows a second-level

Re: What to do with public key signature

On Debian, I use the tool caff from the signing-party package. It signs the key, then encrypts it to the public key, and sends it via email. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: NIST 800-57 compatible unattended encryption?

keying material (e.g., Initialization Vectors). That usage (data-encryption keys) is exactly what gnupg uses to encrypt a file. You can go through the document and see the rest of the policies, whether or not they apply to gnupg as implemented, but at first glance, that is the case. -- Brian Minto

Re: Gnupg-users Digest, Vol 184, Issue 22

you can host your own server. See for instance https://www.reddit.com/r/signal/wiki/faq#wiki_can_i_host_my_own_server.3F ). So in that sense, you could directly connect to the person you want to talk to, if one of you cares to run your own server. -- Brian Minton brian at minton do

Re: Managing the WoT with GPG

for maintaining the trustdb? Is that handled by gpg itself? -- Brian Minton brian at minton dot name http://brian.minton.name Live long, and prosper longer! OpenPGP fingerprint = 8213 71DD 4665 CF4F AE20 2206 0424 DC19 B678 A1A9 signature.asc Description

Re: Unknown key type

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Mon, May 22, 2017 at 12:07 PM, David Vallier wrote: > Can someone please explain why I am getting a yellow bar on a LOT of > signed msgs saying that the key type is unknown?? > > the exact msg is "Part of the message

Re: Test Mail

On 01/05/2017 12:35 AM, Roger wrote: > Test mail to mailing list testing GNUPG signing, appearance and hopefully > conforming to mailing list standards. I received your post to the list. I also verified a good signature. signature.asc Description: OpenPGP digital signature

Re: Proof for a creation date

a Merkle tree. That has the desired properties of being append-only and publicly auditable. -- Brian Minton brian at minton dot name http://brian.minton.name Live long, and prosper longer! OpenPGP fingerprint = 8213 71DD 4665 CF4F AE20 2206 0424 DC19 B678 A1A9 signature.asc Description: PGP

Re: What are those attachments you have on your email?

g but got > a BAD signature message so I thought maybe it's for something else - A signature.asc file is usually for the message itself. See RFC 3156. https://tools.ietf.org/html/rfc3156 for more details. It's called PGP/MIME and it allows you to encrypt, sign, or both for messages containing attach

Re: regular update of all keys from a keyserver

On 10/17/2016 11:41 AM, Daniel Kahn Gillmor wrote: > On Mon 2016-10-17 06:31:16 -0400, Martin T wrote: > >> I am aware that one can update all the keys in local-keyring from a >> keyserver using "gpg --refresh-keys". Are there any disadvantages to >> simply put this command into user crontab and

Re: RSA 4096-bit Key

On 10/08/2016 02:58 AM, Rohit P wrote: > > I am using latest version of GPG. I noticed there is no option to > generate RSA 4096-bit key. The same goes with DSA. > > It is, but you have to use the "full" key generation option: $ gpg --full-gen-key gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free

Re: File Encrypted with Primary key

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 You can use gpg --list-packets to see exactly what OpenPGP packets are present in the ciphertext. That would show you in great detail exactly what their software sent you. -BEGIN PGP SIGNATURE-

Re: RSA pub-sec pri key pair + ELG enc + RSA sign subkeys + EDDSA/ECDH subkeys -> e-mail familiar RSA/ELG key recipient

On Fri, Jun 10, 2016 at 11:19 AM, Fulano Diego Perez < fulanope...@cryptolab.net> wrote: > > trade-off for larger signature for me worth it > -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Ed25519 and DSA signatures are both small. The resulting ascii signature block with 2 keys is still

Re: RSA pub-sec pri key pair + ELG enc + RSA sign subkeys + EDDSA/ECDH subkeys -> e-mail familiar RSA/ELG key recipient

6-10-07] uid [ultimate] Brian Minton <br...@minton.name <mailto:br...@minton.name>> uid [ultimate] Brian Minton <bjmg...@gmail.com <mailto:bjmg...@gmail.com>> uid [ultimate] Brian Minton <bmin...@blinkenshell.org <mailto:bmin...@blinke

Re: Curve 25519 encryption subkey - problem encrypting

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Debian has gnupg 2.1 in experimental. If you have the experimental repository added, it will automatically pull in all the dependencies including libgcrypt 1.7 -BEGIN PGP SIGNATURE-

Re: Keyserver lookup failure

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 That was a known bug in that version. Try the most recent release, 2.1.12. -BEGIN PGP SIGNATURE- iIAEAREKACghHEJyaWFuIE1pbnRvbiA8YnJpYW5AbWludG9uLm5hbWU+BQJXTtYM AAoJEGuOs6Blz7qpUSEA/1eOzIohTnrAEA2RMIWbRpjeqYAuuoptzBK9zT2D8kNC

Re: Req: 64-bit GnuPG/GPGME for Windows

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Does the speedo make file always build a 32 bit version? -BEGIN PGP SIGNATURE- iIAEAREKACghHEJyaWFuIE1pbnRvbiA8YnJpYW5AbWludG9uLm5hbWU+BQJXH6w4 AAoJEGuOs6Blz7qpzJAA/j3scwJNjftJY/sSw/ADk3YCxDaokrIaOmqqcWoNmHit

Re: Verification via the web of trust

One idea I've been tossing about: import the whole dump. I read that gpg 2.1 uses a new efficient key database called keybox. It would be interesting to see if it could handle that much data, and if so, gpg could do the WoT calculations directly. On Tue, Mar 22, 2016, 9:33 AM Lachlan Gunn

Re: Should always add myself as recipient when ecrypting?

Here's a possible reason: suppose your recipient is being targeted by an enemy who wishes to read their communications. They have determined through traffic analysis that you are in communication with their target. They may then attempt to convince/coerce/trick you to decrypt the message. In

Re: SHA-1 checksums to be replaced with something better at https://gnupg.org/download/integrity_check.html ?

Windows has certutil built-in. On Fri, Mar 18, 2016, 3:27 AM Werner Koch wrote: > On Thu, 17 Mar 2016 20:44, d...@fifthhorseman.net said: > > > FWIW, the threat model of digest algorithms being published on an HTTPS > > website that then links to the file to be downloaded is

Re: DNS record for finding a key from an e-mail address

Sounds like CERT (TYPE37) records? ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Remove photos from OpenPGP key in the keyservers

On 03/08/2016 11:08 AM, Anthony Papillion wrote: > > I'm pretty sure that, if you just send your modified key to the > keyserver again, it will replace the one that's there. > I tried it, deleting some subkeys locally, and adding others. I submitted it to the keyservers, but now all the keys,

Re: Remove photos from OpenPGP key in the keyservers

that to unambiguously refer to your public key. regards, Brian Minton -BEGIN PGP SIGNATURE- Version: GnuPG v1 iF4EAREIAAYFAlbe6NAACgkQa46zoGXPuqkZDQD/Yk6A2iH+6My2g6hh99ddJ4Fe YiSt47GEfqvQZY29pqEA/icq+eHimHThS233K2u7J2HTjJb6yA619KfQhalyRg8q =5nVu -END PGP SIGNATURE

Re: Migrating to Gmail. Recommendations?

Thunderbird is pretty common. I've used mailvelope with some success directly in the gmail client. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: status of ed25519 draft

The next draft is due soon. How long does it usually take the IETF to ratify a draft RFC? On 02/11/2015 05:20 AM, Werner Koch wrote: > On Tue, 10 Feb 2015 21:56, br...@minton.name said: >> Is there any way to see the progress of the IETF working group on >> the draft Werner has submitted? I

Re: Use of --passphrase-file

A pretty good option is to use gpg-agent. It can keep your passphrase /secret key in (secure) memory for a few minutes so you can use the key in scripted tasks. On Thu, Feb 18, 2016, 4:24 PM Harman, Michael wrote: > I am attempting to automate a process that decrypts

Re: Error message "gpg: Can't check signature: Broken public key"

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 I got the following message: rejected by import screener Here's more detail (gpg 2.1.8 on Windows 8): C:\Users\mintonb>gpg -vvv --recv 0x1712BC461AF778E4 gpg: using character set 'CP437' gpg: data source: http://pgp.mit.edu:80 gpg: armor: BEGIN

Re: Problems with key available in v1.4.19 but not v2.1.5

The 2.1 branch deprecates all pgp v2 keys. My guess is that your old key was one of those. See https://gnupg.org/faq/whats-new-in-2.1.html#nopgp2 for details. On Fri, Jul 17, 2015, 4:53 PM Philip Neukom pneu...@gmail.com wrote: Hello all. I'm having some problems with my key that was created

Re: Lower Bound for Primes during GnuPG key generation

There are approximately 2^2038 primes in the 2048-bit space (source, https://www.wolframalpha.com/input/?i=log2%282**2049%2Fln%282**2049%29+-+2**2047%2Fln%282**2047%29+%29 ). Even allowing that the first bit is 1, that makes 2^2037. Given that, the chance of p and q having a difference of 2, at

Re: PGP/MIME (Was: One alternative to SMTP for email: Confidant Mail)

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 I think gmail is the single most popular email client, with 500 million users. I think that until there is a way to verify pgp signatures from within gmail, pgp/mime will continue to show up as an attachment. There are ways to use pgp/mime or

Re: PGP/MIME (Was: One alternative to SMTP for email: Confidant Mail)

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Thu, Mar 26, 2015 at 3:49 PM, MFPA 2014-667rhzu3dc-lists-gro...@riseup.net wrote: Gmail is an email service provider, not an email client. They provide access via a webmail site for those who wish to process their email using a web browser,

Re: Making the case for smart cards for the average user

I thought keyservers strip all punctuation. So f...@example.com becomes foo example com. On Tue, Mar 17, 2015, 3:33 PM MFPA 2014-667rhzu3dc-lists-gro...@riseup.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Tuesday 17 March 2015 at 5:38:03 PM, in

Re: Enigmail speed geeking

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 If a key is generated externally, a backup can be taken before the key is moved to the card. For a key generated on the card, there is (by design), no way to extract the secret key, including for the purpose of backing it up -BEGIN PGP

Re: [cygwin] gpg-agent with ssh support ?

Another option that I often use is https://github.com/wesleyd/charade, which opens a unix domain socket on cygwin, connected to Pageant, so cygwin programs and windows programs that use PuTTY can share the same authentication. Another similar program is http://github.com/cuviper/ssh-pageant On

Re: [cygwin] gpg-agent with ssh support ?

I would like to second the request for this feature. On Wed, Mar 11, 2015, 6:23 AM Werner Koch w...@gnupg.org wrote: On Wed, 11 Mar 2015 07:18, xav...@maillard.im said: I enabled ssh support in the gpg-agent.conf file as usual and I clearly see the socket files for both GNUpg and SSH.

bugs.gnupg.org TLS certificate

, but bugs.gnupg.org (and other sites such as git.gnupg.org) don't use that certificate. Have you considered a wildcard certificate? I know this has been discussed before, e.g. at https://lists.gnupg.org/pipermail/gnupg-users/2013-December/048415.html thanks, - -- Brian Minton br...@minton.name http

Re: Decrypting PGP/MIME on the command line

Mailpile may be useful. https://mailpile.is It lets you scan in a bunch of messages, and decrypt them, and indexes them, keeping the index and message store encrypted. It has command line as well as a gui. On Sun, Mar 1, 2015 at 9:32 AM, René Puls rp...@kcore.de wrote: Hi, is there a

Re: Thoughts on GnuPG and automation

Yes, but the colon protocol doesn't support things like passphrase entry, etc. On Fri, Feb 27, 2015 at 9:09 AM, Peter Lebbing pe...@digitalbrains.com wrote: On 27/02/15 12:02, Hans-Christoph Steiner wrote: For example, I think that `gpg --json` is great idea. I ended up using a Java wrapper

Re: MIME or inline signature ?

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 My personal preference is inline, but I do have a request: if you have a 4096 bit RSA key, please don't sign inline. The signature block is ridiculously long. That's why I use DSA and especially ed25519 for signing. My main email access is on my

Re: Sign key with externalized master key

The wikipedia article on UDF mentions write support in all major OSes. It also supports POSIX permissions. On Fri, Feb 13, 2015 at 9:49 PM, Robert J. Hansen r...@sixdemonbag.org wrote: FAT, alas, is the portable filesystem that you're looking for. NTFS also works. Linux can read/write NTFS

emulating smartcard with Nexus 5

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 I recently got a new Nexus 5, with NFC. Supposedly it supports ISO 7816-4. Is there any possibility of, for instance, porting gnuk to android? I'd love to use my smartphone as a smartcard. Of course, the smartphone wouldn't have as many

Re: moving up from 2.0.26 to 2.1.1

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 In Debian, the experimental repo has gpg 2.1 with all dependencies. Follow the instructions at https://wiki.debian.org/DebianExperimental -BEGIN PGP SIGNATURE- Version: OpenKeychain v3.1.2

Re: Sign key with externalized master key

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Wed, Feb 11, 2015, 5:33 PM Xavier Maillard xav...@maillard.im wrote: Thank you for this precision. Are you aware of some portable and well supported by the 3-major OSes filesystem type ? Just UDF -BEGIN PGP SIGNATURE- Version:

status of ed25519 draft

Is there any way to see the progress of the IETF working group on the draft Werner has submitted? I noticed that the draft expires in May. In particular, I would like to know if 22 is going to be the IANA standardized Public-Key Algorithm number. signature.asc Description: OpenPGP

Re: Anonymous payment for hardware tokens

Showing a hash wouldn't prevent a malicious entity from making a fake token that prints whatever hash the user expects. There's no way to verify that the hash is if code actually on the device, or that the hashed code is the only code on the device. The only way I could see to prevent it is to

Re: GPG (v. 1.4.12) is not user-friendly

It seemed to me that all Kelly was trying to do was print the fingerprint of a key from a file. On Tue, Dec 30, 2014 at 10:59 PM, Ryan Sawhill r...@b19.org wrote: I disagree with your subject, and propose that you google for a tutorial since the man page clearly didn't work for you. (As far

Re: Issue: unknown armor header: \x09Version: GnuPG v2.0.17 (MingW32)

On Mon, Dec 22, 2014 at 5:41 AM, pkalluru pkall...@ebay.com wrote: *unknown armor header: \x09Version: GnuPG v2.0.17 (MingW32)* 0x09 is a tab character. That sounds like a whitespace error. ___ Gnupg-users mailing list Gnupg-users@gnupg.org

Re: [Gnupg-users]

I would just backup the expired and revoked keys, then delete them. I personally never have used my revoked keys. I mean maybe once in a very great while, I come across a file encrypted with my old key on my hard drive, but that's happened maybe twice in the last ten years. On Dec 27, 2014 1:54

Re: OT, but related ... Google’s End-To-End Email Encryption Tool Gets Closer To Launch

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Not to mention the fact that they released technical documents about their combined keyserver / logger system. I always thought that would be a good idea, after reading about Certificate Transparency for TLS, to have a similar thing for OpenPGP,

Re: GnuPG and g10 code

Thanks for the good work! Do you get any income from kernel concepts with sale of the OpenPGP smart cards? I prefer to buy products from for-profit companies, and donate only to charities / nonprofit organizations. On Dec 15, 2014 2:54 AM, Werner Koch w...@gnupg.org wrote: Hi, last week I

Re: Mainkey with many subkeys??

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 I recently created a key, with a RSA 4096-bit main key (certify only) and 4 subkeys: one DSA for signing, and one ELGamal for encryption, for communicating with people who I don't know are using ECC, and one each of ED25519 and nistp384 for people

gpg: ECDSA public key is expected to be in SEC encoding multiple of 8 bits

with 384-bit ECDH key, ID EA49CFDB55D113E9, created 2014-10-12 Brian Minton br...@minton.name hi gpg: Signature made Thu Nov 20 11:06:18 2014 EST gpg:using EDDSA key 37B9507ACFF2016E gpg: Good signature from Brian Minton br...@minton.name [ultimate] gpg: aka Brian

Re: gpg: ECDSA public key is expected to be in SEC encoding multiple of 8 bits

oops, I meant to say I have an ECDH and EDDSA subkey, but no ECDSA. On Thu, Nov 20, 2014 at 11:12 AM, Brian Minton br...@minton.name wrote: I'm seeing an interesting message when encrypting and signing with my ECDSA/EDDSA subkeys. The encryption and signing seems to work, so it's mainly just