Pheeble, this bug is ancient and grown far too many complaints to be
usefully addressed. Please file a new bug with ubuntu-bug gnupg2.
Thanks
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/706011
I have the same problem with 'gpg2 --full-gen-key' (with all default
options) hanging indefinitely on Xubuntu 16.04.1.
In another terminal I'm running 'cat
/proc/sys/kernel/random/entropy_avail' on a loop every 5 seconds, and
the available entropy value never gets below about 2900, and gets up to
First, this is a critical flaw for usability. Second, usability flaws translate
into security issues.
For instance, the widespread myth of “high entropy password” using mixed-cased
letters, digits and “special characters” is a disaster. Sure, having complex
passwords does theoretically allows for
I am sympathetic with both sides of this (developer and user).
Suggestion: Add a guided entropy creation option such that gnupg would
start a background thread or process that generates sufficient entropy.
The user is warned about time needed variability which depends on
hardware and other
@bobafett
The signatures are a nice feature for ensuring that the package is
valid. It doesn't have to be totally 'secure' as it is a private
internal network.
If you go back and read ALL of the comments, I think you'll note that
I'm not requesting that things are made less secure, but that
Maybe this info can be added to the manual or the help text of gpkg. if
you are a developer you can also disable package signature checking from
apt, see man apt for details or something like that.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed
I quite frankly don't understand the rationale of all this bug report
nor why anyone has not thought of this.
You are pissed off by apt crying when there are unsigned packages? I
understand your pain. I develop stuff too, and it's annoying.
What I don't understand is the rationale for blaming
Then please do not believe that blog post. Because /dev/urandom is not a
source of entropy and can not be relied upon for any serious business.
It is in a sense a consumer of entropy available from /dev/random, that
does an expansion to provide pseudo random data even when there is no
entropy to
I should have read the blog post you linked to before posting the
comment. There are no factual errors in the blog post to my knowledge
(I'm no professional cryptographer, just an enthusiast who took a couple
formal courses and tinkered a bit), and the argument is compelling.
My previous comment
I think that this is a real bug.
http://www.2uo.de/myths-about-urandom/
Says that /dev/urandom is the correct source and that there is no reason
to not use it.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
I have this issue when generating GPG keys on a remote server. It seems
like generating GPG keys on remote web servers is a relatively common
use case, and might deserve another look by the GPG developers.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is
apt-get -y install rng-tools
Edit /etc/default/rng-tools:
HRNGDEVICE=/dev/urandom
/etc/init.d/rng-tools restart
That got me going with a test key...
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Note the above trick/hack is *only FOR TESTING* purpose, as it gives
false sense of entropy, hence not very good gpg key.
If you plan to create a key for production use, as signing emails,
packages, etc... you better find a good source of entropy as explained
at:
Hey everyone,
This may be an old topic and I didn't read the whole thing, but:
sudo tcpdump
ought to create enough juice to generate a key.
It did for me.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Same problem and I concur that
find / -type f | xargs grep blahblahblha
was the special sauce that solved it.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/706011
Title:
gpg --key-gen doesn't
Both parts have some reason.
In one hand, you shouldn't generate any kind of crypto key if you don't
have enough entropy, it defeats the whole purpouse of it.
On the other hand, with all this virtual environments we use today, and
the lack of detail on the message, you feel helpless:
Where is
If it should be moved, change it to Invalid but it is officially
'Confirmed' because it should be improved and several people have had
this problem.
** Changed in: gnupg (Ubuntu)
Status: New = Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which
@taligent
something wrong with the way entropy is captured for REMOTE sessions.
There's only a single way to generate entropy, and it's the same whether
you're running gpg locally or remotely. It must come from an external
source (eg keyboard/mouse/disk). Anything triggered by the machine
itself
Firstly. I have fully read and understand all of the comments. However
there is absolutely something wrong with the way entropy is captured for
REMOTE sessions.
It asks me to do some work e.g. type on the keyboard. So I do so for
literally about 5 minutes generating pages of text and it still
Wow, thank goodness this bug is invalid. The original poster, with all
due respect, was simply ignorant of how things are supposed to work.
Remember the Debian SSL bug? That was due to some code maintainer who
thought he knew more than the crypto coders. As a result he broke
thousands of keys
It is people like you that make novices hate computers. You get all
uptight about stupid security restrictions and then go on a random
diatribe on an issue that is more than a year old and is marked as
'invalid'. This is exactly why Linux will never be a desktop os for the
masses.
Anyway, my
@ Jon Stevens
So if we care about security we are stupid? This isn't just some random
security issue in code that are a dime a dozen. If we implemented what
you suggested we would be breaking the entire web of trust of people who
use Ubuntu to generate GPG keys. We would literally be making
# find / -type f | xargs grep blahblahblha
works every time for me.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/706011
Title:
gpg --key-gen doesn't have enough entropy and rng-tools
Just a simple:
$find / /dev/null
I think this might do the trick.
Just to add three cents to the question of entropy vs. bug, bear in mind
here that whatever goes into generating that key is as strong as its
weakest link. Someone might go to a great deal of effort to generate the
key pair in
aporter,
The likely reason 'ls -R /' doesn't generate enough entropy for you is
that the only thing going to be read from the filesystem is the contents
of all the directories and perhaps some metadata on the files
themselves, which in a minimal filesystem may not generate sufficient
disk
Steve,
This bug ticket is from over a year ago. But I tried ls -R /, and it
still doesn't work. I.e. I'm still sitting at Need 277 more bytes
indefinitely.
I also tried your line: find /var/ /usr /lib /srv -type f -print0 |
xargs -0 cat /dev/null
Well, actually my /var /usr /lib and /srv
Guys,
I see the same problem with cat -v /dev/random when on a remote shell.
It doesn't print out much, and all of the find ls and ping lines I
call don't change that.
aporter
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
As per bug log, I don't think this is an issue in GnuPG
** Changed in: gnupg (Ubuntu)
Status: Confirmed = Invalid
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/706011
Title:
gpg --key-gen
Please re-open. Per the original report and the discussion, this isn't a
bug in gnupg, it is a bug in Ubuntu.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/706011
Title:
gpg --key-gen doesn't have
Wow Marc, I'm not going to repeat the discussion above, but clearly you
haven't read it.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/706011
Title:
gpg --key-gen doesn't have enough entropy and
This isn't an issue in gnupg, and this isn't an issue in Ubuntu.
To generate a key, you need to have entropy. To get kernel entropy, you
need to perform activity. There is no way to generate a key on a machine
that doesn't have any entropy. Either generate entropy by generating
disk activity,
What part didn't I read?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/706011
Title:
gpg --key-gen doesn't have enough entropy and rng-tools install/start
fails
To manage notifications about
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: gnupg (Ubuntu)
Status: New = Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/706011
Title:
gpg
If you want to create a useful, valid (i.e. secure) gpg key, then you
need a good source of entropy. There is no way around that. If you're
working on a remote or virtual machine or with limited inputs into the
random pool, then there are a couple of ways of improving that:
1. Generate the key
http://www.thingy-ma-jig.co.uk/blog/22-01-2010/generate-entropy-gnupg
I, like Nick, am trying to use gpg remotely. So I can't move my mouse
or use my keyboard. Also, like Jon, I'm sitting here for minutes
(hours?) waiting. For some reason, the ls -R / trick isn't working
for me. Maybe
If you don't care about randomness when creating a GPG key, then you
should not be using one. Reducing the entropy used when creating a key
makes it *much* weaker. Are you planning on uploading your signed
packages anywhere?
--
You received this bug notification because you are a member of
No. It is an internal corporate repo sitting behind a firewall. In my eyes,
the only point of creating the key and signing the packages is so that
apt-get/aptitude doesn't cry like a baby (require me to type 'Yes') when I'm
installing software on the servers.
Anyway, way to miss the whole point
gpg does not freeze, even if you think so. It just waits until enough
entropy has been collected and this might take some time depending if
you follow the instructions or not.
We won't depend nor recommend rng-tools (see 7.2 in the Debian policy) -
hundreds and thousands of people created their
The method described here thoroughly and completely misses the point of
entropy.
urandom is not a source of entropy, and using it to seed random via
rngtools is a dangerous activity to recommend; let alone to default to.
Better that the user follow the instructions and wiggle their
Wow, I feel like there is a lot of hostility in these responses. Is that
really necessary?
I'm sorry, but I've tried this on both a vmware esx server instance and
a VM (in VMware Fusion) on my local desktop in a shell window. In both
cases, the result was the same. I let it sit for *hours* and
40 matches
Mail list logo
