Re: Upgraded gpg from 1.4.18 to 2.1.18: --default-recipient-self no longer works

On 13/12/17 12:59, gn...@raf.org wrote: > It always worked for me in the past without --batch That was simple luck, which failed you now :-). All this time, GnuPG thought it was talking to a real person, and when it finally, after all those years, tried to say something to that person, all GnuPG f

Re: pgpdump alternative for gpg2

On 08/12/17 16:28, gnu cry wrote: > "gpg2 > --list-packets" doesn't show key parameters. Have you tried "-v --list-packets"? I'm testing with public keys, not private keys, but it seems to show the full data in hex. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmai

Re: Getting more verbose details of a key

On 20/11/17 08:56, Werner Koch wrote: > (Suggestions for the name of a shortcut command are welcome) How about just --show? It was suggested in an unfriendly manner at LWN[1], but apart from the unfriendliness, I do think it makes sense. It does imply that it works for more than just keys, though.

Re: Using the OpenPGP Card on Unix && Win7

On 20/11/17 08:56, Matthias Apitz wrote: > I killed a running SmartCard Service on Win7 and tested GnuPG on a > Cygwin command line. Involving Cygwin is yet another non-trivial hurdle to take. I think it's best if you get it working on Windows first, and only then try to involve another layer in t

Re: Using the OpenPGP Card on Unix && Win7

On 17/11/17 16:09, Matthias Apitz wrote: > It seems that the USB token is fine, but the Card is not (see > attachment). I don't use Windows myself, but AFAIK, this is normal and not a problem. AFAIK, the exclamation mark triangle on the smartcard means that the OS has no driver to work with that

Re: Getting more verbose details of a key

On 18/11/17 21:36, Ray Satiro via Gnupg-users wrote: > sub   rsa4096 2010-02-16 [E] [expired: 2017-08-12] > sub   rsa4096 2015-08-13 [S] [expired: 2017-08-12] Well, there's your problem. GnuPG by default does not show *expired* subkeys. Use --list-options show-unusable-subkeys to do that. HTH,

Re: your message could not,be delivered to one or more recipients.

On 16/11/17 14:55, Jean-David Beyer wrote: > From where does it get port 451? My SMTP port is 465 > 204.29.186.9 is my ISP for e-mail: AOL. It's probably not a port. Note that the port 465 you are using to submit mail has nothing to do with how mail is delivered from there on. Port 465 is never us

Re: a bunch of questions

On 10/11/17 09:50, Francesco Ariis wrote: > A general word on expiry dates: you can always modify them as you > go (that's what I do), they are not set in stone? Well, this depends on your threat model. If I can control what one of your peers sees, I could strip the self-signatures that change the

Re: New smart card / token alternative

On 09/11/17 00:39, listo factor via Gnupg-users wrote: > Real-life threat-models are much more varied than what Alice, Bob > and Eve would have us believe. Hey, note that I'm not advocating against this proposed new alternative; it sounds like you think I do. I explicitly said I'm not commenting o

Re: New smart card / token alternative

On 08/11/17 16:27, ved...@nym.hush.com wrote: > or, more practically, just post anonymously to a blog or website, > using --throw-keyid, with a pre-arranged understanding that the > sender and receiver post to and check certain websites I did not phrase it properly, leading to a misunderstanding.

Re: New smart card / token alternative

On 07/11/17 15:58, listo factor via Gnupg-users wrote: > If the connection between the user and the computer > is transient, there may well be many instances where the adversary > will not be able to identify the user, even if he manages to learn > the content, and where the content, without the id

Re: Efficent batch fetching with verification?

On 03/11/17 21:06, Robin H. Johnson wrote: > You missed xargs itself, Actually, I did not :-). > this mostly centers around the command-line > length limit. I can get in about ~3200 fingerprints per GPG call. I asked "what is exec'ing much". I don't see one exec every 3200 fingerprints as overhe

Re: Efficent batch fetching with verification?

On 03/11/17 06:20, Robin H. Johnson wrote: > Presently, the code is effectively this: > ...cat-list-of-fingerprints... | xargs gpg --recv > > This has the downside of causing many exec I just tried this and a list of 1319 fingerprints caused one single call to "gpg --recv FPR1 FPR2 FPR3 ... FPR131

Re: Why does import refuse to merge a new subkey?

On 02/11/17 20:37, Phil Susi wrote: > [..] but 2.0.28 on another also did it I'm pretty sure. Yes, I'm pretty sure of that as well. 2.0 can't update secret keys; it was introduced with 2.1 or somewhere during 2.1. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.

Re: Why does import refuse to merge a new subkey?

On 02/11/17 16:58, Phil Susi wrote: > Why is this? What version of GnuPG is this? It's a well-known limitation of GnuPG 1.4 and 2.0, but my 2.1.18 allows me to add secret subkeys through --import. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me

Hacking off-card backup to be on-disk key (was: Importing an off-card backup of the encryption key of a Nitrokey fails with "no user ID")

Hi Ralf, On 25/10/17 23:29, Ralf wrote: > I was hoping for something simple and I think eventually this should be > simple; nevertheless I would make use of such a workaround / would be > thankful for such an example :) I fiddled around with a test card. Prepare for a wall of text. I created a t

Re: Impact of ROCA (CVE-2017-15361) in subkey vs. private key?

On 31/10/17 11:56, Lachlan Gunn wrote: > The only difficulty is when the owner doesn't have the secret key > anymore, and so can't re-revoke it. Then you might want to keep it from > being disseminated further. Revocations are done by the primary key. If the user has lost the secret primary, they

Re: Impact of ROCA (CVE-2017-15361) in subkey vs. private key?

On 31/10/17 11:45, Lachlan Gunn wrote: > No, I don't think so I was already writing a follow-up but was momentarily blocked on the right way to phrase some of it :-). Our mails crossed. Having read my follow-up, do you now agree? If the subkey is revoked as "compromised", all is well and good? P

Re: Impact of ROCA (CVE-2017-15361) in subkey vs. private key?

On 31/10/17 11:39, Peter Lebbing wrote: > And yes, the subkey should also be revoked with reason "compromised", for the > reason you state. And only now the penny drops. I suppose a system checking for ROCA might rightfully take offense at a subkey revoked as "superseded&q

Re: Impact of ROCA (CVE-2017-15361) in subkey vs. private key?

On 31/10/17 01:08, Lachlan Gunn wrote: > I'm not sure that this is 100% correct.  The first part is true, but > signatures > of a key that has been revoked because it was superseded or lost are valid up > to > the revocation date, whereas ROCA-affected keys are compromised to some degree > and so

Re: Impact of ROCA (CVE-2017-15361) in subkey vs. private key?

On 29/10/17 23:08, Damien Goutte-Gattat wrote: > This is also true the other way around: knowing the primary private key > does not allow to deduce the private subkey(s). This is technically correct but in practice the point can be almost moot, depending on the threat model. When you know the pri

Re: Verify that the file is from who I expect it to be from

On 30/10/17 03:00, Dan Horne wrote: > However, if I simply decrypt the file I get confirmation of the signature This was a misunderstanding: gpgv cannot decrypt, so when Werner suggested gpgv, he mustn't have realised you were decrypting as well as verifying. HTH, Peter. -- I use the GNU Priva

Re: Importing an off-card backup of the encryption key of a Nitrokey fails with "no user ID"

On 25/10/17 16:15, Ralf wrote: > I was hoping for a simpler workaround to make GnuPG import the key. There is a pretty difficult workaround, using gpgsplit and standard Linux command-line tools. However, I get the sense you're not really looking for difficult workarounds :-). If I'm wrong about th

Re: Generating a new keypair through GnuPG 2.x in Ubuntu 16.0.4

On 12/10/17 09:13, Werner Koch wrote: > And while you are already at it, you better > also update to gpg 2.2.1. There are just too many fixes and changes we > did since January 2016. I think Vedaal is just using the gnupg2 package provided by Ubuntu 16.04 LTS: https://packages.ubuntu.com/xenial/

Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?

On 11/10/17 04:49, Robert J. Hansen wrote: > The assumption was the web server was compromised: given that, how > can you be absolutely sure there's no communication channel back to > the trusted tabulator? Ah, this isn't about corrupting data on the line, about getting wrong data in what is the c

Re: FAQ and GNU

On 10/10/17 04:06, Robert J. Hansen wrote: > I'm not inclined to make this change. That to me means I would support leaving it as is. I don't feel strongly on writing it one way or another, but I do dislike the pressure some people exert on others pushing their view. If however you are consistentl

Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?

On 09/10/17 21:14, Stefan Claas wrote: > So i thought maybe i buy one, let's say with Windows 10, never update > or upgrade it due to it's permanent offline state Whether I would consider this sane or not depends a lot on the type of data you'll be handling on the offline machine. If it's just che

Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?

Let me start off by saying security is almost never absolute. I think it approaches some really basic economics: how much do you think your opponent is willing to spend to compromise your security? How much are you willing to spend to protect it? So there is no silver bullet. It depends on your th

Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?

On 09/10/17 18:53, Stefan Claas wrote: > My idea is to use the software minimodem between the two > Computers, connected, when required, via audio cables. I think perhaps this is a little low-bandwidth for security updates for your OS. By the way, you could use a USB-to-serial converter and use a

Re: 1024 key with large sub key

On 02/10/17 16:46, Robert J. Hansen wrote: > I was about to disagree with you when I discovered the > --enable-large-rsa flag. Note that the key in question appears to be an ElGamal subkey, not RSA. Not that that makes a difference to your questions and sentiments :-). Peter. -- I use the GNU

Re: Information on scdaemon protocol commands

On 29/09/17 15:29, Alexander Paetzelt | Nitrokey wrote: > Is there any other way to find out the options other than reading source > code? I didn't find anything yet... Talk to the agent :-). $ gpg-connect-agent > scd help setattr # SETATTR # # This command is used to store data on a a smartca

Re: onwnertrust and trust signature (tsig) interactions

I didn't formulate what I meant well enough, I think. Sorry. On 28/09/17 19:13, Daniel Kahn Gillmor wrote: > Yes, ownertrust and trust signatures do interact. > > a trust signature (tsig) made by a key that you have set ultimate > ownertrust on delegates some of that ownertrust via trust signatur

Re: preferring --check-sigs over --list-sigs

Ugh, really, how hard can it be? :-( Sorry about this. I'll try to get it right this time. --8<---cut here---start->8--- gpg: DBG: rsa_verify data:+01ff \ gpg: DBG: f

Re: preferring --check-sigs over --list-sigs [was: Re: Houston, we have a problem]

Okay, I made a boo boo regarding text wrapping. Let me repaste the debug output: --8<---cut here---start->8--- gpg: DBG: rsa_verify data:+01ff \ gpg: DBG: fff

Re: preferring --check-sigs over --list-sigs [was: Re: Houston, we have a problem]

On 28/09/17 13:30, Andrew Gallagher wrote: > What specific error are you getting? I don't see any errors using > --check-sigs on that key, but then I don't trust Governikus so I'm not > performing the same test that you are. Are you sure you had the Governikus key in your keyring? I am seeing the

Re: How to encrypt using public certificate\key

On 07/09/17 12:58, shaarang tyagi wrote: > I am trying to understand the encryption process and the all the input > that is required to perform encryption. > > So according to this RFC, section 2.1: If you want to learn about what makes an OpenPGP message, gpg --list-packets is very useful: $ ec

Re: Extending expiration date and SSH

On 18/09/17 12:38, Marko Božiković wrote: > Will that change the SSH public key (as it is exported using ssh-add -L for > adding to .ssh/authorized_keys)? No, if it is a regular SSH key, it will not change by changing the expiration date. > I'm looking for a best practice approach to avoid lockin

Re: [Feature Request] Multiple level subkey

On 10/09/17 17:23, lesto fante wrote: > Now, I have been pointed out that the sanity card in EU (for non EU; > all EU has the same sanity card.. So you can travel and not have to > worry) come with a certificate inside! On 14/09/17 00:20, lesto fante wrote: > I also hope the same apply on the res

Re: Poldi example usage of gpg-connect-agent fails

On 06/09/17 11:30, Franck Routier (perso) wrote: > My problem is that the command gpg-connect-agent "/datafile myfile" > "SCD READKEY --advanced OPENPGP.3" /bye returns an error: > > ERR 100663414 Identifiant incorrect Hmmm, it works for me on Debian stretch/stable, with the system-provided Gn

Re: How to encrypt using public certificate\key

Hello Shaarang, On 06/09/17 16:13, shaarang tyagi wrote: > I am talking about OpenPGP, i want to encrypt a file that follows > openpgp standard [...] > I was encrypting by selecting a certificate which i had imported , i had > also imported its root ca, so certificate chain was fully there but >

Unsubscriing (was: How to encrypt using public certificate\key)

On 06/09/17 14:56, BRUCE KAPITO via Gnupg-users wrote: > Can you please cease and desist sending me emails. I did not sign up > for this *Someone* managed to subscribe your e-mail address, which is usually not possible without being able to read mail addressed to your e-mail address (and thus sho

Re: How to encrypt using public certificate\key

On 06/09/17 06:37, shaarang tyagi wrote: > I have a situation where I need to use GnuPG from command line and > encrypt a file using a public certificate or PEM public key First of all, are we talking about OpenPGP, S/MIME, or both? I notice you say PEM public key, which implies the X.509 and S/MI

Re: Documentation of trust model

On 05/09/17 00:58, Mario Castelán Castro wrote: > Are the trust models “classical” and “pgp” as implemented in GNU PG > documented anywhere? The GNU Privacy Handbook has a good explanation of it: That is to say, it explains the Web of Trust. It doesn't s

Re: E-mail with deniable authentication

On 30/08/17 12:39, Stefan Claas wrote: > But then it would be imho advisable that you use a different timestamp (time > in the future), because when verifying the published message the timestamp > would be earlier than the time the sec key would have appeared on the net, > right? Either the timest

Re: E-mail with deniable authentication

On 30/08/17 11:34, Mario Figueiredo wrote: > Examples are > dictatorships, and many forms of human relationships, including job > relations. I don't think a repudiable message lets you off the hook in those examples either, least of all the dictatorship...! > If one wants to use deniability with

Re: Questions about particular use cases (integrity verification w/o private key, add E flag to primary key, import secp256k1 key)

On 29/08/17 15:24, Shawn K. Quinn wrote: > All you're supposed to be > able to tell when using that option, is that none of your keys will > decrypt the message ... which you can only do by trying each private key on the encrypted session key packet and seeing whether the resulting plaintext (whic

pinentry-curses competing over tty (was: Extraction of decryption session key without copying complete encrypted file)

On 28/08/17 12:50, Werner Koch wrote: > If you don't want that feature the --keep-tty and --keep-display options > for gpg-agent may be useful: Those options had slipped my mind... Thanks! Werner, do you know why the bash shell that was running on the X terminal where pinentry-curses popped up re

Re: Extraction of decryption session key without copying complete encrypted file

On 28/08/17 09:57, Fiedler Roman wrote: > But it seems, that the gpg-decryption process attempts to trigger the > pinentry, not the agent and so the access to the correct controlling TTY > fails. The gpg process communicates its TTY to the agent so the pinentry knows where to pop up. This is a f

Re: AW: Extraction of decryption session key without copying complete encrypted file

On 25/08/17 18:40, Fiedler Roman wrote: > Idea: > 1) Extract all GPG preambles of files to be decrypted to a single file > (working) > 2) Batch decrypt all preambles from the input file on the trusted equipment > (not working in batch mode) > 3) Decrypt all storage elements with the list of sessi

Re: Extraction of decryption session key without copying complete encrypted file

On 25/08/17 16:08, Fiedler Roman wrote: > I tried to use the agent support that way. One reason for low adoption might > be, that using the provided documentation, it is just not possible to get a > simple batch scenario working on Ubuntu 16.04 server setups without spending > a > whole day and

Re: Is it possible to certify (sign) a key using a subkey?

On 18/08/17 16:16, Mario Castelán Castro wrote: > I really do not follow your argument (if any). Since making certifications using subkeys is extremely uncommon, there's a good chance people will encounter issues when checking such a certification. Since the purpose of a public certification is fo

Re: export secret subkeys

On 17/08/17 15:39, Dirk-Willem van Gulik wrote: > # off=0 ctb=95 tag=5 hlen=3 plen=533 > :secret key packet: > version 4, algo 1, created 1502976628, expires 0 > pkey[0]: [4096 bits] > pkey[1]: [17 bits] > gnu-dummy S2K, algo: 0, simple checksum, hash: 0 > protect IV:

Re: Cache Timeout not working correctly

On 11/08/17 18:51, Alexander Paetzelt | Nitrokey wrote: > I try to get the max-cache-ttl-ssh in the gpg-agent.conf working, > but the cache is still saved until physically disconnecting the gnupg > smartcard. Unless this has been fixed already, this is probably because cache-ttl has simply never w

Re: 'sign (and cert)' or just 'cert' on a master key with subkeus

On 31/07/17 17:49, Dirk-Willem van Gulik wrote: > For what it is worth - the various best practices at `riseup.net > ’[1] seem to strike a good middle ground. IMO, the good middle ground is the defaults. A wide middle. Maybe more a country than a ground ;-). And I wasn't very im

Re: gpg-agent cache keygrip

On 27/07/17 13:27, MFPA wrote: > I guess I should have trimmed my quote less severely. Using a password > manager would enable somebody who says they cannot remember multiple > decent-quality unique passwords to not share passwords between > different keys. Ah yes :-). I agree. > The single point

Re: gpg-agent cache keygrip

On 27/07/17 11:24, MFPA wrote: > Have you considered using a password manager to remember them? What would be the purpose? I already fail to see the problem of GnuPG filling in a passphrase it already knows... surely an attacker would try the same thing as well, I don't know what GnuPG not trying

Re: Test symmetrically encrypted files for errors - make sure they can be decrypted

Hi! On 22/07/17 00:01, karel-...@tutanota.com wrote: > In short I am searching for something like the test option for packed > files that most archivers offer. I don't know what OS you're using, so the details might differ but this works for me: $ gpg --batch -o /dev/null -d test.txt.gpg ; echo

Re: How to NOT gnutar files during encryption?

On 19/07/17 16:30, helices wrote: > Unchecking that box and encrypting, this file decrypted and unzipped > without incident: Archive.zip.gpg And if you keep the box checked, does it produce a file named Archive.zip.gpg or Archive.zip.tar.gpg? Because IMO, it should be the latter. A good alternativ

Re: gpg-agent/pinentry: How to verify calling application

On 19/07/17 00:10, Hartmut Knaack wrote: >[...], I checked with ps aux: > > me2486 0.0 0.0 34028 3940 ?SL 21:46 0:00 gpg2 > --enable-special-filenames --batch --no-sk-comments --status-fd 11 --no-tty > --charset utf8 --enable-progress-filter --exit-on-status-write-error

Re: A Quick Supplement

On 17/07/17 01:50, Daniel Villarreal wrote: > Are you recommending... > [...] > instead of Yes, instead of, not in addition to. The export-local-sigs will add the local sigs, the other non-local sigs will still be there as well. > And this all functions with gpg2 in place of gpg ? Yes, just use

Re: use policy of the GnuPG-card

On 16/07/17 21:25, Matthias Apitz wrote: > Why we only have a counter for the signing key? I don't think a decryption counter makes sense as you'll decrypt the same data multiple times (a signature is made only once). An authentication counter would make more sense. However, you can't collect all

A Quick Supplement

There's an option missing that could cause data loss in its absence: $ gpg --armor --export > pub.asc I'd make that: $ gpg --armor --export-options export-local-sigs --export >pub.asc If you have made any signatures that are not exportable (so lsign and friends), they would not be exported othe

Re: [HELP] pinentry-curses breaks SSH auth, but pinentry-mac works fine?

On 13/07/17 09:29, Ryan Lue wrote: > 1) I keep my dotfiles synced between multiple machines, and so try my >best to keep them platform-agnostic when I can. There are definitely >times when I can use conditionals to get different behavior on >different machines (like `if [ "$(uname)" = D

Re: Changing PINs of German bank card

On 12/07/17 07:51, Binarus wrote: > Furthermore (not being sure, so read with care), I think that the bank > does not know your pin When my bank card is replaced because its validity is about to end, the new card has the same PIN as the old one. I can't readily think of a way to do that without th

Re: Changing PINs of German bank card

On 11/07/17 12:32, Binarus wrote: > I am not completely sure if I got you right. Wouldn't that mean that I > have to lose my card, the bad person then makes two guesses, then I get > back my card and enter my correct pin, then I lose my card again, and > the same bad person finds it again and makes

Re: [Announce] Libgcrypt 1.7.8 released to fix CVE-2017-7526

On 04/07/17 21:03, Johan Wevers wrote: > Is that going to be fixed, or is 1.4 now really considered EOL? I think you need to see it in the context of this part of the announcement: > Allowing execute access to a box with private keys should be considered > as a game over condition, anyway. Thus

Re: TOFU

On 30/06/17 20:54, Stefan Claas wrote: > Good point! And what would be your proposal against this kind of > attack? On 30/06/17 18:38, Peter Lebbing wrote: > There is *no* *way* to mitigate an attacker having your user privileges. > :-) For me it is a) bad software design, with the

Re: TOFU

On 30/06/17 20:01, Stefan Claas wrote: > Correct. But what i mean was an attacker would replace on of my pub > keys (which i signed) with one he/she only replaced with one that > has only the Trust Level set to Ultimate, resulting in both keys > showing up with a green bar. And to mitigate this si

Re: TOFU

On 25/06/17 21:42, Stefan Claas wrote: > I asked this already in this thread, do you know what TOFU does > when a man in the middle would replace (theoretically) one of > my pub keys, modify the TOFU database , set's the Trust Level > to Ultimate and then sends a message to me. That's not what a M

Re: [HELP] pinentry-curses breaks SSH auth, but pinentry-mac works fine?

On 30/06/17 05:54, Ryan Lue wrote: > Does it have something to do with the `$GPG_TTY` environment variable > not being set on the SSH server? Almost; it has to do with the GPG_TTY variable not being communicated to the agent. The agent does not know on which tty the request for a pinentry is made

Enigmail signature status indications (was: TOFU)

On 25/06/17 13:11, MFPA wrote: > But "good signature" _does_ mean when the signature was verified the > message had not been altered since it was signed. However, I don't think that this information is in any way relevant to a user if the key that signed it was not valid. I'm afraid the current fo

Re: Managing the WoT with GPG

On 23/06/17 15:50, Neal H. Walfield wrote: > Ensuring that a cache is consistent is *hard*. I don't think we want > to add complexity (nevermind a cache!) to this security-critical > functionality. There are two hard problems in computer science: Cache invalidation, naming things, and off-by-one

Re: TOFU

On 23/06/17 03:07, MFPA wrote: > I thought "good signature" just meant the message has not been > altered in transit. That's very well possible. In that case there is no verbal indication of a valid signature, only a colour. The text I see for a signature by a fully valid key is: Good signature f

Re: Are TOFU statistics used for validity or conflict resolution?

On 23/06/17 12:56, Neal H. Walfield wrote: > It's up to the GPG client to interpret it. This document (authored by > Andre and me) has some recommendations for MUAs: Ah! Thanks for the information. I was thinking about how GnuPG handled it, i.e., on the gpg command line or as a backend for some

Re: Are TOFU statistics used for validity or conflict resolution?

On 23/06/17 11:14, Neal H. Walfield wrote: > No, both keys are set to ask. The key with a lot of observed > signatures could be bad. This could occur, if there is a MitM, but > the MitM has a small lapse, because, perhaps, you've used an > unintercepted network path to retreive the "new" signatur

Re: Managing the WoT with GPG

On 22/06/17 15:00, martin f krafft wrote: > As far as I understand, the parameters --marginals-needed and > --completes-needed can be used to define a maximum search depth D, > so when I ask GPG to update the trustdb WRT key 0xdeadbeef, then I'd > envision it to Don't you mean >--max-cert

Re: TOFU

On 21/06/17 20:49, Peter Lebbing wrote: > which would still > be marginally safe until computers are much faster, and certainly not a > short ID which is utterly unsafe and has always been. Which *might* still be marginally safe. I haven't done any actual calculations, and I wan

Re: TOFU

On 21/06/17 20:30, Stefan Claas wrote: > Technically spoken Enigmail showed all three messages as "Untrusted > Good Signature from Ernst Mustermann etc. , because i have not signed > the first key locally, to get for the first two messages a green bar > in Enigmail. Or either: - Used --tofu-policy

Re: Using gpg for ssh (Maximum Portability)

On 18/06/17 03:48, Christopher Jones wrote: > It's a task to setup gpg on new boxes: Import pub key, ultimately trust > my key, and muck around with gpg and ssh agents. If all you want to do is SSH, you don't need your key, so it reduces to "muck around with gpg and ssh agents". As long as gpg-age

Re: speedo Error 2, download swdb.lst failed

On 21/06/17 17:14, murphy wrote: > download of swdb.lst failed. I think this is because of an expired certificate for versions.gnupg.org: $ wget -S https://versions.gnupg.org/swdb.lst --2017-06-21 19:11:03-- https://versions.gnupg.org/swdb.lst Resolving versions.gnupg.org (versions.gnupg.org)...

Re: TOFU

On 08/06/17 22:33, Stefan Claas wrote: > I did a test today with Enigmail and with TOFU in command line mode. > I posted 3 messages with a fantasy name to a Usenet test group where > the 3rd message was signed with a fake key and Enigmail showed me this: > > UNTRUSTED Good signature from Ernst Mus

Re: How to join pubring.kbx and pubring.gpg?

On 16/06/17 10:27, Binarus wrote: > [...] or if the whole software / data exchange protocol depends on > the sort of key. In other words, even if I would manage to extract > the key and to integrate it into the Enigmail / gpg4win world, would > the communication partner be able to decrypt the respe

Re: Key expiration question

On 16/06/17 08:17, listo factor via Gnupg-users wrote: >> An expired key will definitely not be able to issue valid >> signatures after the expiration date. > > There is nothing ~in the key itself~ that prevents any key from > being used to create signatures There is nothing ~in the key itself~

Re: modern GnuPG verify signatures

On 15/06/17 17:24, Stefan Claas wrote: > when i sign a message and do a gpg --verify it shows "using RSA > key 2BAF85F9281ABD543823C7C5981EB7C382EC52B4", in Terminal under > macOS, with my own key, but when doing the verify again with a > message from someone else it shows the long key-ID, instead

Re: Key expiration question

On 13/06/17 09:55, Chris Horrocks wrote: > At first I thought it may be a mechanism for revalidating private > key ownership but key expiration doesnt appear to impact on trust or > validity. An expired key will definitely not be able to issue valid signatures after the expiration date. So any cer

Re: GnuPG card && using the backup secret key

expires: 2017-10-19] > 8FA94E79AD6AB56EE38CE5CBAC46EFE6DE500B3E > Keygrip = 13790148EEE34BC5140DD31B6F95EABA8A19E419 > uid [ultimate] Peter Lebbing > sub rsa2048 2009-11-12 [S] [expires: 2017-10-19] > Keygrip = 46E61BB13BF429980D89B6B7BDE0F70E55E41A03 > sub rsa204

Re: Question for app developers, like Enigmail etc. - Identicons

On 13/06/17 09:43, Stefan Claas wrote: > Another thing i will do in the future, which i haven't read in popular > tutorials, > is that once checking the hash/sig of the provided package i will also hash > the binaries after unpacking and print them out on a piece of paper, so > that i > can frequen

Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

On 12/06/17 20:51, Stefan Claas wrote: > Maybe as an additional security feature Enigmail should give > a key with a set trust level of "Ultimate" a different color than > green. No, that's beside the point. Once somebody gets your user privileges, there is no "additional security". It's game over

Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

I hadn't gotten round to answer your earlier questions yet, since I noticed a point I should first spend some effort and thinking on. On 12/06/17 16:14, Stefan Claas wrote: > And a question for this... If Mallory would get > somehow access to my Computer and replace one pub key from my > communica

Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

On 12/06/17 14:52, Stefan Claas wrote: > I just checked again. On my Mac and on my Windows Notebook > i get a green bar , from a blue "Untrusted" key when i go into > Enigmails Key Management and set the trust of that key to > Ultimate... Don't do this! Or did you do it just for testing? "Ultimate

Re: changing the passphrase of the secret key stored in the GnuPG card

On 11/06/17 21:48, Matthias Apitz wrote: > My question remains: How can I change (or verify) the above Passphrase I > have used? Ah! That's the encryption of the backup key, not of the secret key stored in the smart card. Well, it's ultimately the same key, but it's not the copy of it stored in th

Re: GPG4Win Advice

On 08/06/17 16:39, Ian A Morris wrote: > When using the GUI there are options for the following, “Remove > unencrypted original file when don” This is an extra convenience added by the GUI program. It is not in the command line interface. > Gpg2 –batch –recipient /x / –encrypt-files –armor C:

Re: changing the passphrase of the secret key stored in the GnuPG card

[1] I'd say "Identification" is a misnomer, it's authentication instead. Identification is the mere act of naming something, authentication is providing a means to prove something is authentic, is true, is not fake. You could identify yourself as Peter Lebbing, but it almost surely woul

Re: How to show fingerprint in email header?

On 08/06/17 15:05, Satoshi Yoshida wrote: > How to show fingerprint in email header? Enigmail puts the following in my mails: Openpgp: id=8FA94E79AD6AB56EE38CE5CBAC46EFE6DE500B3E; url=http://digitalbrains.com/2012/openpgp-key-peter I think that is the generally accepted method to give both a fi

Re: Fwd: RE: setting GnuPG card to 'not forces' does not let sign

On 08/06/17 12:48, Matthias Apitz wrote: > Every time I write to gnupg-users@gnupg.org I get this crap from a robot > or from Sarah about dating. Can someone do anything that he/she/it is not > triggered. Yes, same here. I thought it was rather funny that she told me: > Hello again! My boyfriend

TOFU (was: Question for app developers, like Enigmail etc. - Identicons)

On 07/06/17 13:49, Stefan Claas wrote: > In Enigmail with the blue and green bar (without showing statistics) it > would simply mean > that it switches from green to blue, right? Not necessarily! I don't know if Enigmail checks whether the From: is equal to the key UID, but we're talking about lo

Re: Question for app developers, like Enigmail etc. - Identicons

On 07/06/17 11:04, Peter Lebbing wrote: > On 06/06/17 20:12, Stefan Claas wrote: >> Is TOFU verifying the email address from the from: header of the message >> and then compares it with the email address in the UID? > > Yes. Actually, that's not really correct. It als

Re: Question for app developers, like Enigmail etc. - Identicons

On 06/06/17 20:46, Charlie Jonas wrote: > On 2017-06-06 19:12, Stefan Claas wrote: >> I tried also with Enigmail under OS X but when checking the signatures here >> from the list members i always get the blue "Untrusted Good Signature". > > Yes I get this as well. Interestingly whatever trust leve

Re: Question for app developers, like Enigmail etc. - Identicons

On 06/06/17 20:12, Stefan Claas wrote: > Is TOFU verifying the email address from the from: header of the message > and then compares it with the email address in the UID? Yes. > I ask, because > if i would use a free form UID with no email address That would make it difficult. >, or i use an A

Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

On 07/06/17 07:55, Stefan Claas wrote: > The procedure went like this: I inserted my id-card in a certified > card reader, which i purchased, startet the german certified id-card > software "AusweisApp2" to connect to the CA Server and the server > checked my id-card online and after verification s

<    1   2   3   4   5   6   7   8   9   10   >