Re: [Announce] GnuPG 2.1.7 released

[Dongsheng Song]

On Tue, Aug 11, 2015 at 11:32 PM, Werner Koch  wrote:
> Hello!
>
> The GnuPG Project is pleased to announce the availability of a new
> release of GnuPG modern: Version 2.1.7.
>

Thanks for your great work!

Any news on pinentry ? pinentry-0.9.4 (pinentry-w32.exe) works good on
windows, but both pinentry-0.9.5 and pinentry-0.9.5-13-g1532bf3 broken
on 32bit or 64 bit Windows.

C:\>gpg-connect-agent
> GET_CONFIRMATION Hello
ERR 67108949 No pinentry 

Regards,
Cauchy

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Possible bug when using smartcards and gpg-agent2.0 as the ssh-agent

[Peter Lebbing]

On 12/08/15 20:55, Víctor Cuadrado Juan wrote:
> This seems like a bug.

The serial number is part of the application ID, it's not a bug. The one is
more verbose than the other. The AID ends in four zeroes, but the part before
that is the serial number and manufacturer ID.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Possible bug when using smartcards and gpg-agent2.0 as the ssh-agent

[Víctor Cuadrado Juan]

Hello,

I'm using gpg-agent 2.0.28 (Debian Stretch) as the ssh agent, with
"enable-ssh-suport".
I have disabled the Gnome Keyring, and I'm only using gpg-agent. I have
a properly configured Yubikey Neo with an auth subkey, and the Yubikey
is correctly configured and in use. I have a clean ~/.gnupg/sshcontrol
file, and no ~/.ssh directory at all.

At first instance everything works fine, 'ssh-add -l' and 'ssh-add -L'
show my key when I have my Yubikey connected: (I'm redacting the key and
the card number)

$ ssh-add -l
2048 **:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**
cardno:00060*** (RSA)

Yet when I try to use it to connect to the server by ssh I get a GUI
popup that says:

"take out the current card and insert the one with the serial number:
D*060***"
(In my case, in spanish, "Retire tarjeta actual e inserte la que
tiene número de serie: ")

The serial number on ssh-add -L is the same "card-no" that appears next
to the auth subkey in gpg --card-status, which is 12 chars long.

The gpg-agent pop-up serial numbers seems to correspond to the
"Application ID" displayed in gpg --card-status, which is 32 chars long.

This seems like a bug. Am I missing something? Should I post this on
gnupg-devel?

Thanks in advance,

-- 
Víctor

--
E-Mail: , OpenPGP-Key-ID: 0xA2591E231E251F36
Key fingerprint: E3C5 114C 0C5B 4C49 BA03  0991 A259 1E23 1E25 1F36
My signed E-Mails are trustworthy.






signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Temporary lock files?

[aslam karachiwala]

gpg (GnuPG) 2.0.22

My ~/.gnupg directory is getting filled with files named like
".#lk0x7feb6a637540..26914".

Shouldn't these get deleted automagically?

-- 
aslam
a k'wala's SciTech Daily 

PGP key  fingerprint: 736C D83E 32DB A2FD 0208
9113 0FC8 BA7D FECF 84FB

/Join World Community Grid
.
Help power cutting-edge research in health, poverty and sustainability./



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

RE: How to deal with a 2nd OpenPGP Summit?

[Bob (Robert) Cavanaugh]

Hi,
Just a thought: Have a "Star chamber" meeting for the technical group, 
invitation only. After that have a 1/2 to 1 hour session open to all where the 
technical people can present their progress and invite comment. This way you 
have a focused working session with the key people, but maintain community 
trust by allowing general input.

Thanks,
 
Bob Cavanaugh

> -Original Message-
> From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On Behalf Of
> fmv1...@gmail.com
> Sent: Wednesday, August 12, 2015 5:24 AM
> To: gnupg-users@gnupg.org; n...@enigmail.net
> Subject: Re: How to deal with a 2nd OpenPGP Summit?
> 
> 
> > --
> >
> > Message: 3
> > Date: Wed, 12 Aug 2015 07:44:24 +0200
> > From: "n...@enigmail.net" 
> > To: GnuPG-Users 
> > Subject: How to deal with a 2nd OpenPGP Summit?
> > Message-ID: <55cadd38.5030...@enigmail.net>
> > Content-Type: text/plain; charset=utf-8
> >
> > Hi all,
> >
> > in April 2015 we had a first OpenPGP summit.
> > It was a meeting where the technical experts of projects and tools
> > dealing with OpenPGP with a focus on email encryption met to getting
> > to know each other personally and discuss several issues.
> > For details, see e.g.
> > - https://www.gnupg.org/blog/20150426-openpgp-summit.html
> > - https://www.mailpile.is/blog/2015-04-20_OpenPGP_Email_Summit.html
> >
> > The meting initially was organized by me to bring together a few
> > guys/projects working in that area, but it became pretty big (about 30
> > people). This caused some problems, because we had a host with limited
> > space (so I finally even had to reject some people wanting to attend).
> >
> > We also discussed there how to continue.
> > On one hand we wanted to have the meeting open so that anybody
> wanting
> > to attend could do that and to give trust by transparency.
> > On the other hand we want to be able to continue to focus on technical
> > issues (having a well signal to noise ratio) in a not-too-large group
> > of "experts".
> > We didn't find an appropriate way yet to deal with both interests.
> >
> > Now, I am about to organize a second meeting at the end of this year.
> > And I want to take the "wisdom" of this crowd to discuss this issue.
> >
> > What I currently have in mind is a meeting open to the public but with
> > some limitations (one reason is to focus the work, another is simply
> > limited space although I don't know where we can meet this time).
> > For example:
> > - Some priority for those who did attend the first meeting
> > - Some priority for "other experts", which didn't join
> >   the first meeting
> >   (but how do we handle that?)
> > - Some limitations that a person plays a "significant role"
> >   in the community
> > - Some limitation so that a tool/project should normally
> >   send only 1 or 2 guys
> >
> > The obvious other option is to open the meeting to everybody willing
> > to come, which raises a couple of risks (simply too many people, too
> > many non-experts or people  who want to change the focus, ...).
> >
> > So, my questions are:
> > =
> >
> > Is it OK for the public/community, if we meet in a way that is limited
> > as describe above (just for practical reasons)?
> >
> > Is it OK even if we can't promise full transparency (e.g. by video
> > taping sessions)?
> >
> > Would it even be OK, if we meet and constraint what is spoken there to
> > the Chatham House Rule (see
> > https://en.wikipedia.org/wiki/Chatham_House_Rule).
> > Some people requested that because
> > if anything they say might become public, they might or even have to
> > be careful what they say.
> >
> > Any general thoughts or proposals about how to deal with this?
> >
> > Note that I don't want to have it too complicated.
> > I organize this meeting in my free time to bring the issues of this
> > community forward.
> > And just having too many people is already a problem.
> > I need an approach I can handle.
> > Or is it better to have no meeting at all instead of a meeting with
> > some limitations?
> >
> > Best
> >  Nico
> >
> 
> Dear Nico,
> 
> I think you are trying to achieve a compromise that is not possible. If I
> understood correctly you are trying to reconcile developers interest with
> layman's enthusiasm. I myself belong to the second group.
> A good idea would be to organize one event for the developers and another
> open event so everyone can join. Then I think everybody would be happy.
> Note that some overlap between groups is expected and healthy for the
> community.
> 
> Kind regards,
> 
> --
> Felipe Martins Vieira
> Public PGP key: http://pgp.surfnet.nl
> Key Fingerprint: 9640 F192 63DA D637 6750 AC08 7BCA 19BB 0E69 E45D


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Inability to export and then import my secret key

[Werner Koch]

On Wed, 12 Aug 2015 13:01, pe...@digitalbrains.com said:

> Anyway, on-topic: don't copy random_seed though. And be aware that some 
> options

It would not be a catastrophically failure, though.  Here is a comment
from the function reading random_seed:

   Note: Multiple instances of applications sharing the same random
   seed file can be started in parallel, in which case they will read
   out the same pool and then race for updating it (the last update
   overwrites earlier updates).  They will differentiate only by the
   weak entropy that is added in read_seed_file based on the PID and
   clock, and up to 16 bytes of weak random non-blockingly.  The
   consequence is that the output of these different instances is
   correlated to some extent.  In the perfect scenario, the attacker
   can control (or at least guess) the PID and clock of the
   application, and drain the system's entropy pool to reduce the "up
   to 16 bytes" above to 0.  Then the dependencies of the initial
   states of the pools are completely known.  */

The above is for the general case of asking for random, for example
session keys.  When generating a new public key pair gpg (and Libgcrypt)
takes an extra step by making sure that at least 128 bit of fresh
entropy (e.g. from /dev/random) have been inserted into the pool.


Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Inability to export and then import my secret key

[Bryant Evans]

Thank you all for your rapid assistance. I think I have the problem
solved but will know for sure in an hour or so when I test it out
thoroughly at the office.


*Bryant Evans*

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to deal with a 2nd OpenPGP Summit?

[fmv1992]

> --
> 
> Message: 3
> Date: Wed, 12 Aug 2015 07:44:24 +0200
> From: "n...@enigmail.net" 
> To: GnuPG-Users 
> Subject: How to deal with a 2nd OpenPGP Summit?
> Message-ID: <55cadd38.5030...@enigmail.net>
> Content-Type: text/plain; charset=utf-8
> 
> Hi all,
> 
> in April 2015 we had a first OpenPGP summit.
> It was a meeting where the technical experts of projects and tools
> dealing with OpenPGP with a focus on email encryption
> met to getting to know each other personally and
> discuss several issues.
> For details, see e.g.
> - https://www.gnupg.org/blog/20150426-openpgp-summit.html
> - https://www.mailpile.is/blog/2015-04-20_OpenPGP_Email_Summit.html
> 
> The meting initially was organized by me to bring together
> a few guys/projects working in that area, but it became
> pretty big (about 30 people). This caused some problems,
> because we had a host with limited space (so I finally
> even had to reject some people wanting to attend).
> 
> We also discussed there how to continue.
> On one hand we wanted to have the meeting open so that
> anybody wanting to attend could do that and to give trust
> by transparency.
> On the other hand we want to be able to continue to focus
> on technical issues (having a well signal to noise ratio)
> in a not-too-large group of "experts".
> We didn't find an appropriate way yet to deal with both
> interests.
> 
> Now, I am about to organize a second meeting at the end of this year.
> And I want to take the "wisdom" of this crowd to discuss this issue.
> 
> What I currently have in mind is a meeting open to the public
> but with some limitations (one reason is to focus the work, another
> is simply limited space although I don't know where we can meet
> this time).
> For example:
> - Some priority for those who did attend the first meeting
> - Some priority for "other experts", which didn't join
>   the first meeting
>   (but how do we handle that?)
> - Some limitations that a person plays a "significant role"
>   in the community
> - Some limitation so that a tool/project should normally
>   send only 1 or 2 guys
> 
> The obvious other option is to open the meeting to
> everybody willing to come, which raises a couple of risks
> (simply too many people, too many non-experts or people
>  who want to change the focus, ...).
> 
> So, my questions are:
> =
> 
> Is it OK for the public/community, if we meet in a way
> that is limited as describe above (just for practical reasons)?
> 
> Is it OK even if we can't promise full transparency (e.g. by video
> taping sessions)?
> 
> Would it even be OK, if we meet and constraint what is spoken there
> to the Chatham House Rule (see
> https://en.wikipedia.org/wiki/Chatham_House_Rule).
> Some people requested that because
> if anything they say might become public, they might or even
> have to be careful what they say.
> 
> Any general thoughts or proposals about how to deal with this?
> 
> Note that I don't want to have it too complicated.
> I organize this meeting in my free time to bring the issues
> of this community forward.
> And just having too many people is already a problem.
> I need an approach I can handle.
> Or is it better to have no meeting at all instead of a meeting
> with some limitations?
> 
> Best
>  Nico
> 

Dear Nico,

I think you are trying to achieve a compromise that is not possible. If I 
understood correctly
you are trying to reconcile developers interest with layman's enthusiasm. I 
myself belong to
the second group.
A good idea would be to organize one event for the developers and another open 
event so
everyone can join. Then I think everybody would be happy. Note that some 
overlap between groups
is expected and healthy for the community.

Kind regards,

-- 
Felipe Martins Vieira
Public PGP key: http://pgp.surfnet.nl
Key Fingerprint: 9640 F192 63DA D637 6750 AC08 7BCA 19BB 0E69 E45D



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Card reader success report (openpgp card v2.1)

[Thomas Jarosch]

On Tuesday, 11. August 2015 12:10:28 NIIBE Yutaka wrote:
> > Three readers were tested:
> > - Cherry ST-2000
> > - SCM SPR332
> > - Reiner SCT cyberjack go plus
> 
> I think that USB vendor ID and product ID are:
> 
>   Cherry ST-2000  046a:003e
> 
> Please confirm that and please let me know IDs for those new products
> of SCM SPR332 and Reiner SCT cyberjack go plus.

here are the USB IDs from "lsusb":

0c4b:0504 Reiner SCT Kartensysteme GmbH cyberJack go / go plus
04e6:e003 SCM Microsystems, Inc. SPR532 PinPad SmartCard Reader
046a:003e Cherry GmbH SmartTerminal ST-2xxx


Funny that the SPR332 (that's the name on the backside of the reader)
announces itself as a "SPR532".

> That's because I maintain pages:
> 
> http://wiki.gnupg.org/CardReader/PinpadInput
> https://wiki.debian.org/GnuPG/CCID_Driver
> 
> ... along with the scdaemon implementation.

that page made me buy those specific readers :)
Chances were good they work fine with the openpgp card
and I really want the pinpad to work.

> Besides, if you can include information of your operating system and
> its version, it helps other users.

I tested it on Fedora 22 that ships gnupg 2.1.5. I manually upgraded
to gnupg 2.1.6 (recompiled the .rpm package with the updated source tarball) 
to get the Cherry ST-2000 up and running. Later on I also tested git HEAD.

Thomas


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Inability to export and then import my secret key

[Mirimir]

On 08/12/2015 04:39 AM, Werner Koch wrote:
> On Wed, 12 Aug 2015 12:25, miri...@riseup.net said:
> 
>> Well, GnuPG 1.4 _definitely_ doesn't support importing secret keys. But
> 
> That is not correct.  All version support import of secret keys.  What
> versions < 2.1 don't allow is merging (updating) a secret key.  This can
> be problematic in some cases but most of the time it is sufficient to
> delete the secret key first and then import the other version of the
> secret key.

I clearly recall 1) exporting both my private and public keys from an
old system, 2) importing them into a new system with no existing keys,
and 3) finding that I could decrypt, but not sign.

But I must have done something wrong. Sorry to confuse things.

> Shalom-Salam,
> 
>Werner
> 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Inability to export and then import my secret key

[Peter Lebbing]

On 12/08/15 12:25, Mirimir wrote:
> I got that OP is migrating to new hardware, so I don't see why identical
> installations would be problematic.

Right, yes, then a full copy makes a whole lot more sense. I got thrown off by
the fact that the error message seems to indicate the key already existed, and
completely forgot about the introduction at the top of the message :). Such an
exceptionally short attention span seems to indicate an acute lack of caffeine,
I've taken swift action to remedy that!

Anyway, on-topic: don't copy random_seed though. And be aware that some options
in the *.conf files might only be applicable on the old system, and not on the
new one.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Inability to export and then import my secret key

[Werner Koch]

On Wed, 12 Aug 2015 12:25, miri...@riseup.net said:

> Well, GnuPG 1.4 _definitely_ doesn't support importing secret keys. But

That is not correct.  All version support import of secret keys.  What
versions < 2.1 don't allow is merging (updating) a secret key.  This can
be problematic in some cases but most of the time it is sufficient to
delete the secret key first and then import the other version of the
secret key.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Inability to export and then import my secret key

[Mirimir]

On 08/12/2015 03:58 AM, Peter Lebbing wrote:
> On 12/08/15 04:00, Mirimir wrote:
>> It's simplest to just copy the gpg folder. Importing private keys is
>> broken by design.
> 
> I don't think I agree with either statement. Copying the folder comes
> with its own caveats: don't copy random_seed, and you might not want two
> identical installations with regard to present private keys and such.

I got that OP is migrating to new hardware, so I don't see why identical
installations would be problematic.

> And "broken by design" implies to me that GnuPG doesn't *want* to
> support merging secret keys; which would be odd given that the latest
> version, GnuPG 2.1, does support it. I also can't remember ever hearing
> a reason why it would be bad.

Well, GnuPG 1.4 _definitely_ doesn't support importing secret keys. But
maybe I'm wrong about "broken by design". I vaguely recall reading
something about that a year or two ago.

> Anyway, the reason I think Bryant is seeing this issue, is that GnuPG
> 1.4 and 2.0 don't support merging new things into existing secret keys.
> I suppose the key already existed on the other system but you added new
> subkeys and are trying to import those?
> 
> If you can get the up-to-date system (sys1) to export the secret key as
> you want it to be on the other computer (sys2), it boils down to:
> 
> sys1 $ gpg2 -o sec.gpg --export-secret-keys 1C0B95E5
> [copy sec.gpg to sys2]
> sys2 $ gpg2 -o sec_backup.gpg --export-secret-keys 1C0B95E5
> sys2 $ gpg2 --delete-secret-keys 1C0B95E5
> sys2 $ gpg2 --import sec.gpg
> 
> Now check if everything is okay on sys2, and if so, you can delete
> sec_backup.gpg.
> 
> I think this should be safe, since you keep a backup of the local copy
> until you are sure the deletion didn't delete unintended stuff.

That is for sure a more elegant path :)

> HTH,
> 
> Peter.
> 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Inability to export and then import my secret key

[Peter Lebbing]

On 12/08/15 04:00, Mirimir wrote:
> It's simplest to just copy the gpg folder. Importing private keys is
> broken by design.

I don't think I agree with either statement. Copying the folder comes
with its own caveats: don't copy random_seed, and you might not want two
identical installations with regard to present private keys and such.

And "broken by design" implies to me that GnuPG doesn't *want* to
support merging secret keys; which would be odd given that the latest
version, GnuPG 2.1, does support it. I also can't remember ever hearing
a reason why it would be bad.

Anyway, the reason I think Bryant is seeing this issue, is that GnuPG
1.4 and 2.0 don't support merging new things into existing secret keys.
I suppose the key already existed on the other system but you added new
subkeys and are trying to import those?

If you can get the up-to-date system (sys1) to export the secret key as
you want it to be on the other computer (sys2), it boils down to:

sys1 $ gpg2 -o sec.gpg --export-secret-keys 1C0B95E5
[copy sec.gpg to sys2]
sys2 $ gpg2 -o sec_backup.gpg --export-secret-keys 1C0B95E5
sys2 $ gpg2 --delete-secret-keys 1C0B95E5
sys2 $ gpg2 --import sec.gpg

Now check if everything is okay on sys2, and if so, you can delete
sec_backup.gpg.

I think this should be safe, since you keep a backup of the local copy
until you are sure the deletion didn't delete unintended stuff.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users