Re: Error: Bad length of salt (32) for AES when importing a p12 certificate

2024-09-19 Thread Werner Koch via Gnupg-users
On Thu, 19 Sep 2024 13:42, Nils Schween said: > If it is necessary, I can try to create a certificate with openssl, that > reproduces the error. Given the brittleness of pkcs#12/minip12.c I would really appreciate to have a sample file. But the worst thing which could happen is that the 64 bit sa

Re: Error: Bad length of salt (32) for AES when importing a p12 certificate

2024-09-19 Thread Werner Koch via Gnupg-users
On Thu, 19 Sep 2024 09:07, Nils Schween said: > A short follow up: I did some more tests and I found that the change of > the length of the salt array in the function 'parse_shrouded_key_bag' > suffices to import the certificate. It is actually enough to increase > the value from 20 to 32. Here is

Re: Text (non-binary) keyring format

2024-09-17 Thread Werner Koch via Gnupg-users
On Mon, 16 Sep 2024 14:06, Jakob Bohm said: > not the cryptographic validation.  Obvious solution at the time would > have been to keep a hash table of file offsets for key fingerprints . Which conflicted with the demand for having several keyrings; actually we once had experimental support for a

Re: [Feature request] Please make it easier to check success/failure from scripts

2024-09-13 Thread Werner Koch via Gnupg-users
Hi! GnuPG 2.5.1 has the option --assert-signer and 2.4.6 will have this option as well: --assert-signer fpr_or_file This option checks whether at least one valid signature on a file has been made with the specified key. The key is either specified as a fingerprint or a file

Re: Text (non-binary) keyring format

2024-09-13 Thread Werner Koch via Gnupg-users
Hi! On Thu, 12 Sep 2024 13:28, Alejandro Colomar said: > I have my ~/.gnupg keyring under git source control, which helps > creating and updating backups, and also having a history of the changes. That is not a good idea because the key database (pubring.gpg, pubring.kbx, or keyboxd DB) is a bi

[Announce] GnuPG 2.5.1 released

2024-09-12 Thread Werner Koch via Gnupg-users
4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28 Andre Heinecke (Release Signing Key) ed25519 2020-08-24 [expires: 2030-06-30] 6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA Werner Koch (dist signing 2020) ed25519 2021-05-19 [expires: 2027-04-04] AC8E 115B F73E 2D8D 47FA 9

[admin] This is a GnuPG related ML

2024-09-09 Thread Werner Koch via Gnupg-users
Hi! Just a short reminder that this mailing list's topic is GnuPG. Advertisement for other applications, like a Python wrapper around a long standing command line API (going all the way back to pgp 2), is thus off-topic. It feels more like a SEO strategy than as helpful information. Please don'

Re: Signing Mails with OpenPGP like DKIM

2024-09-06 Thread Werner Koch via Gnupg-users
On Fri, 6 Sep 2024 10:00, Daniel Kahn Gillmor said: > part. That said, i suspect you have a more technical userbase than the > pool of people i correspond with. ROFL -- The pioneers of a warless world are the youth that refuse military service. - A. Einstein openpgp-digital-sign

Re: Signing Mails with OpenPGP like DKIM

2024-09-06 Thread Werner Koch via Gnupg-users
On Thu, 5 Sep 2024 11:04, Daniel Kahn Gillmor said: > PS for the record, i think there is one major concern about PGP/MIME >multipart/signed: for users of MUAs that don't understand PGP/MIME, >the signature shows up as a mystery attachment. I can't tell you the See GpgOL: Add filenames

Re: [Feature request] Please make it easier to check success/failure from scripts

2024-09-06 Thread Werner Koch via Gnupg-users
Hi! On Tue, 27 Aug 2024 17:37, Jakob Bohm said: > status-fd output for a multitude of situation specific strings.  > Sometimes it is even necessary to check if the expected signing key is > mentioned in specific ways. Right. That is because there are a lot of use cases for signatures which requ

Re: Signing (and Encrypting) Mails with gpg like DKIM

2024-09-02 Thread Werner Koch via Gnupg-users
On Sat, 31 Aug 2024 18:29, T. S. said: > either because of the -BEGIN PGP SIGNED MESSAGE- strings, or because > the unknown attachments in MIME message. Don't use that legacy inline PGP encryption. Use PGP/MIME, a 28 year old standard (RFC-2015). You should give that unnamed attachment

On the Legacy Encryption Downgrade Attacks against GnuPG

2024-08-23 Thread Werner Koch via Gnupg-users
n't know whether that draft is available somewhere. --8<---cut here-------start->8--- From: Werner Koch [...] Subject: Re: Security weakness in OpenPGP To: [...]@bsi.bund.de cc: [...] Date: Thu, 30 Nov 2023 14:46:11 +0100 (38 weeks, 1 day, 1 hour ago) Dear

Re: ftp down

2024-08-22 Thread Werner Koch via Gnupg-users
On Thu, 22 Aug 2024 14:01, Björn Persson said: > next version of GPG that way. To anyone who doesn't already have GPG, > HTTPS is the best integrity protection they will get. Not really. This does not protect the files on the server. Only the .sig and the checksums posted to several places can

Re: ftp down

2024-08-22 Thread Werner Koch via Gnupg-users
On Wed, 21 Aug 2024 19:09, Jacob Bachmeyer said: > configured for anonymous-only. FTP is both simple and ancient, so I Yes, the protocol is simple but most server implementations are pretty complex. That is why we settled for oftpd nearly decades ago. And as we see we are already building a fil

Re: bugtracker account

2024-08-22 Thread Werner Koch via Gnupg-users
Hi, You should soon receive a confirmation mail. Shalom-Salam, Werner

Re: ftp down

2024-08-20 Thread Werner Koch via Gnupg-users
On Tue, 20 Aug 2024 19:19, Jacob Bachmeyer said: > I would suggest checking what ftpd Debian ships and using that. They don't provide oftpd anymore which is an anonymous only ftpd. All others have a way larger attack surface. Salam-Shalom, Werner

Re: ftp down

2024-08-20 Thread Werner Koch via Gnupg-users
On Tue, 20 Aug 2024 10:49, jman said: > All technical considerations aside, would it make it sense to make it > official with a short announcement, even "a posteriori"? I just pushed a short NEWS to the web server frontpage. > a very visible project, probably good communication is beneficial fo

Re: ftp down

2024-08-20 Thread Werner Koch via Gnupg-users
On Tue, 20 Aug 2024 00:26, Jacob Bachmeyer said: > I would encourage resuming FTP distribution, since I see no plausible > security benefit to omitting it. I agree with your arguments. However, not providing FTP saves us from a lot of bike shedding discussions ;-) Another reason why we stopped

Re: What files modified by --quick-set-expire ? (pls CC me)

2024-08-19 Thread Werner Koch via Gnupg-users
On Sun, 18 Aug 2024 20:18, Douglas Lucas said: > When I invoke "$ gpg2 --quick-set-expire" to modify a public key, a sub > key, or a secret key, what file(s) are modified by gpg2? In other words, > by default, what are the public/sub/secret key files that are changed There is no definite answer f

Re: ftp down

2024-08-19 Thread Werner Koch via Gnupg-users
Hi! Thanks for mentioning this. On Sat, 17 Aug 2024 13:49, Jan Palus said: > FTP service at ftp.gnupg.org appears to be down for some > time. Couldn't find any > info about FTP decommissioning so just letting you know about the problem. I would not consider this a problem but something which we

Re: Using OpenPGP / GnuPG to unlock 'sudo bla bla' or 'sudo -s'

2024-08-12 Thread Werner Koch via Gnupg-users
On Mon, 12 Aug 2024 14:26, Matthias Apitz said: > password-store and for outbound SSH/SCP. Is there a way, for example > with a config in /etc/pam.d/ to use the OpenPGP card for providing > the password to 'sudo ' or 'sudo -s' I thought these days everyone is using ssh root@localhost

Re: sopv-gpgpv: an implementation of the verification-only subset of the Stateless OpenPGP CLI using gpgv as a backend

2024-07-26 Thread Werner Koch via Gnupg-users
Hi! On Wed, 24 Jul 2024 11:48, Simon Josefsson said: > I've been wanting a parameter like that! Does it check key expiration > times by default? Is it possible to disable/enable that behaviour? Yes. In theory --debug-ignore-expiration should do the trick but given that this is a debug option;

Re: ACS APG8201-B2

2024-07-23 Thread Werner Koch via Gnupg-users
On Mon, 22 Jul 2024 10:45, Felix E. Klee said: > Is there anything I can try, or is the pinpad on the ACS APG8201-B2 > simply not supported? I don't know. If you are using the internal CCID driver, you may want to add debug reader debug-ccid-driver log-file foo/bar/baz to scdaemon.conf and che

Re: sopv-gpgpv: an implementation of the verification-only subset of the Stateless OpenPGP CLI using gpgv as a backend

2024-07-23 Thread Werner Koch via Gnupg-users
Hi! While talking about gpgv, let me remind you about the new --assert-signer option which can be used as a replacement for gpgv. --assert-signer fpr_or_file This option checks whether at least one valid signature on file has been made with the specified key. The key is either spe

Re: File /usr/local/bin/gpgconf.ctl missing and mostly undocumented

2024-07-23 Thread Werner Koch via Gnupg-users
Hi! On Sat, 20 Jul 2024 06:54, Dennis Clarke said: > The struggle continues to get gnupg to "just work". By running a trace > on the command "gpgconf --check-programs" I see this : > > > access("/usr/local/bin/gpgconf.ctl", F_OK) = -1 ENOENT (No such file > or directory) That checks whether this

[Announce] GnuPG 2.5.0 released for public testing

2024-07-08 Thread Werner Koch via Gnupg-users
Andre Heinecke (Release Signing Key) ed25519 2020-08-24 [expires: 2030-06-30] 6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA Werner Koch (dist signing 2020) ed25519 2021-05-19 [expires: 2027-04-04] AC8E 115B F73E 2D8D 47FA 9908 E98E 9B2D 19C6 C8BD Niibe Yutaka (GnuPG Release Key)

Re: gpgsm empty subject still considered invalid

2024-07-08 Thread Werner Koch via Gnupg-users
Hi updating libksba is not enough. You also need to update gpgsm. Maybe you can try GnuPG 2.5.0 which we released on Friday. Salam-Shalom, Werner

Quick heads up: GnuPG 2.5.0 is now available

2024-07-05 Thread Werner Koch via Gnupg-users
Hi! I'll write an announcement later for now see https://dev.gnupg.org/T7189 for the NEWS and the usual place for downloading. Latest released libraries are required. Take care when running gpg --quick-gen-key f...@example.org pqc The created key is EXPERIMENTAL and will not be compliant w

Re: GnuPG Development Hub account request

2024-06-20 Thread Werner Koch via Gnupg-users
On Thu, 20 Jun 2024 20:57, 林博仁Buo-ren, Lin said: > Hello, I would like to request a new account for filing a document > issue. Here are the account details: Created - you need to confirm the mail address, though. Salam-Shalom, Werner

Re: S/MIME which certificate format

2024-06-20 Thread Werner Koch via Gnupg-users
Hi! Your certificate is the first I have seen with an empty Subject but an altSubjectName. This is valid but not yet supported. Tracked at https://dev.gnupg.org/T7171 Salam-Shalom, Werner

Re: S/MIME which certificate format

2024-06-19 Thread Werner Koch via Gnupg-users
Hi > 4 - 2024-06-18 16:08:56 gpgsm[39608]: ksba_cms_parse failed: > Ungültiges CMS Objekt Please send me such a non-parseable message/data by private mail. No HTML parts or ZIP files, just gzip the message. Which version of GnuPG are you using: gpgsm --version also shows the libksba version

[Announce] Libgcrypt 1.11.0 released

2024-06-19 Thread Werner Koch via Gnupg-users
spective owners. Current releases are signed by one or more of these keys: rsa3072 2017-03-17 [expires: 2027-03-15] 5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28 Andre Heinecke (Release Signing Key) ed25519 2020-08-24 [expires: 2030-06-30] 6DAA 6E64 A76D 2840 571B 4902 5288 97B8 26

How to ask for support (was: S/MIME which certificate format)

2024-06-17 Thread Werner Koch via Gnupg-users
Hi! If you send bug reports or ask for support please always tell us the version of GnuPG you are using as well as the operating system and its version. The latter part is needed because Linux distributions often apply a lot of custom changes to software which are not reflected by the version

Re: which application enables allow‐ocsp in dirmngr.conf?

2024-06-17 Thread Werner Koch via Gnupg-users
On Mon, 17 Jun 2024 14:43, Marco Moock said: > It wasn't, I enabled it, but the error stays. I doubt that it is due to the gnupg version but we are anyway interested to see that. The output of gpgconf -X might also be useful because it also lists any global configuration. (Please redact pri

Re: gpg-agent timeout

2024-06-09 Thread Werner Koch via Gnupg-users
Hi which pinentry are you using? If you run gpg with -v it should show the pinentry used. You will then see a line like: gpg: pinentry launched (22013 gtk2 1.2.1 /dev/pts/11 xterm localhost:10.0 20620/1000/5 1000/1000 -) Salam-Shalom, Werner

Re: Restructure Keys.

2024-06-05 Thread Werner Koch via Gnupg-users
On Wed, 5 Jun 2024 21:43, Ingo Klöcker said: > Just create a new S-only subkey. There's no need to remove the S capability > from the primary key because the signing key is only used by yourself and you > know that you want to use the subkey for signing. Right. In case someone wants to do thi

Re: WSL2: Gpg4win pinentry not available after PIN cache expires

2024-06-03 Thread Werner Koch via Gnupg-users
Hi! >- Sign git commits in WSL2(Debian) >- gpg-agent uses Gpg4win's pinentry GUI to allow PIN entry So you are mixing Unix software with Windows software. I wonder that this works at all. The properties of the IPC between Windows and Unix are different. That IPC is not designed to work

Re: setup of OpenPGP card not asking for keysize

2024-05-12 Thread Werner Koch via Gnupg-users
On Sun, 12 May 2024 15:22, Matthias Apitz said: > I did a factory reset and changed the keylength with the subcommand > 'key-attr' to 4096. All fine and one must be patient as the key > 'generate' takes significantly longer. That's why I always suggest to use ECC instead of RSA on smartcards. Sa

Re: 2.2.43 and vsd-allow-ocb

2024-05-07 Thread Werner Koch via Gnupg-users
On Mon, 6 May 2024 18:26, Andreas Metzler said: > So in my test (without --compliance=de-vs) 2.2.43 /should/ have > automatically used OCB when encrypting for a key which has 'AEAD: OCB' > set? Yes. Check with --debug=lookup which and why keys are selected. Salam-Shalom, Werner

Re: 2.2.43 and vsd-allow-ocb

2024-05-06 Thread Werner Koch via Gnupg-users
Hi! On Sat, 4 May 2024 18:45, Andreas Metzler said: > rG0a355b2fe7d8 gpg: Add compatibility flag "vsd-allow-ocb" > rGa545e14e8a74 gpg: Support OCB encryption. > Which understand to mean that 2.2.43 would by default both generate keys > with 'AEAD: OCB' and use OCB when encrypting to

Re: Adding new uid to causes bad signature

2024-05-03 Thread Werner Koch via Gnupg-users
Hi! Given that you have an uncommon primary key I would like to see some information of the card. Please run gpg-card to get infos on the card and used keys. In case you don't want to share this with the list, feel free to send it to Eva or me directly (w...@gnupg.org - no html parts). Sal

Re: Using a GnuPG crypted RSA key for SSH

2024-05-02 Thread Werner Koch via Gnupg-users
On Thu, 2 May 2024 15:31, Matthias Apitz said: > which locks the card again. Any ideas? If you really want to reset the card after an operation _and_ you are using pcscd you can use gpg-connect-agent 'scd disconnect' /bye But killing scdaemon is probably the easier and more reliable way:

Re: Using a GnuPG crypted RSA key for SSH

2024-05-02 Thread Werner Koch via Gnupg-users
On Thu, 2 May 2024 16:58, Matěj Cepl said: > rather dubious: systemd can certainly manage a dependence on > shared resource, and concurrent running of two processes at Right. However, systemd does not use the same locking scheme as gnupg uses to avoid duplicate daemon startup. The gnupg intern

Re: Using a GnuPG crypted RSA key for SSH

2024-05-01 Thread Werner Koch via Gnupg-users
On Wed, 1 May 2024 11:50, Henning Follmann said: > Well, if you have a authentication subkey on your card you could use that > for ssh authentication directly. > Your gpg-agent would then act as ssh-agent. I would even claim that this is the best way to work with ssh - I do this now for nearly 2

Re: Example of 'PINENTRY_USER_DATA which can fulfill the' (envpassphrase) 'task'?

2024-04-29 Thread Werner Koch via Gnupg-users
On Mon, 29 Apr 2024 07:03, Bee said: > But that environment is not passed and used by pinentry - it has no > knowledge of them. PINENTRY_USER_DATA may exist, but it has no > knowledge as to how to interpret it. Ergo, some other mechanism must It is called "USER DATA" for a reason - you have to d

Re: Example of 'PINENTRY_USER_DATA which can fulfill the' (envpassphrase) 'task'?

2024-04-29 Thread Werner Koch via Gnupg-users
On Sun, 28 Apr 2024 13:02, Bee said: >>+ (https://dev.gnupg.org/T4154) [...] >>+ mypass="IUuKctdEhH8' gpg --batch --pinentry-mode=loopback \ >>+ --passphrase-env=mypass --decrypt < message.txt >>+ > > can be effected without resorting to PINENTRY_USER_DATA - so no need to > code, customize, main

Re: Is there built-in a way validate a signature against a specific key?

2024-04-24 Thread Werner Koch via Gnupg-users
On Tue, 23 Apr 2024 21:39, Eric Pruitt said: > I have multiple public keys in my GPG keyring. When validating > signatures, I sometimes want to validate them against a specific key so The classic tool for this is gpgv with its --keyring option. This is what for example Debian uses to validate sig

Re: x488 vs all other : keyid flip

2024-04-20 Thread Werner Koch via Gnupg-users
On Thu, 18 Apr 2024 10:26, Bruce Walzer said: > Perhaps things that accept key fingerprints should ignore anything > other than hex digits? Double clicking a word makes things really easy. I also doubt that anyone will compare a 64 hex digit fingerprint visually. Thus better paste it and let so

Re: x488 vs all other : keyid flip

2024-04-18 Thread Werner Koch via Gnupg-users
On Wed, 17 Apr 2024 16:43, Christian Sommer said: > I indeed choose to preset the "with-fingerprint" option in my > gpg.conf. By removing it, listing my keys give back the full 64 > character long fingerprint of my X448 key. We once agreed that it is better to show a shortened fingerprint for hum

Re: Can not import private key (Not enough space)

2024-04-11 Thread Werner Koch via Gnupg-users
On Thu, 11 Apr 2024 12:24, Moses said: > tried to import again, and the same error still occurred. The same > error happened when I tried to directly execute the > D:\software\GNU\GnuPG\bin\gpg --import command. Well, I have no more idea on how to debug this by mail :-(. On Linux you would now us

Re: Agent forwarding issue

2024-04-11 Thread Werner Koch via Gnupg-users
On Wed, 10 Apr 2024 12:15, Todd Zullinger said: > This caused me to re-read the document and I'll likely add > an additional Token: line to note the two cards which hold a > new key (which I have yet to start using). That should make That is actually there (TOKEN, see the example) and gpg-agent

Re: Can not import private key (Not enough space)

2024-04-10 Thread Werner Koch via Gnupg-users
Hi, I see in your PATH D:\software\GNU\GnuWin32\bin prior to D:\software\GNU\Gpg4win\..\GnuPG\bin May it be that you use a gpg version picked up from the GnuWin32? Check also whether there is a gpg binary in the Git program directory. My educated guess is that Gnuwin32 is a Cygwin based

Re: Can not import private key (Not enough space)

2024-04-09 Thread Werner Koch via Gnupg-users
Hi! On Tue, 9 Apr 2024 12:21, Moses said: > C:\>gpgconf -L which merely shows that you installed the software on d:\software and kept the user data at the usual C: directories. I see nothing strange. To recap your problem was: c:\> gpg --import private-keys.asc gpg: enabled compatibility flags

Re: OpenPGP card not available

2024-04-09 Thread Werner Koch via Gnupg-users
On Mon, 8 Apr 2024 21:50, Dan Fandrich said: > Running "echo SERIALNO | scd/scdaemon --server" is enough. I've tried both > pcsc-lite 1.9.9 and 2.0.3 without a difference. I'm not sure how to drill By default we are not using PC/SC on Linux but direct access to the reader via USB. Now if pcsc

Re: Can not import private key (Not enough space)

2024-04-09 Thread Werner Koch via Gnupg-users
On Mon, 8 Apr 2024 11:42, Moses said: > C:\> gpg-connect-agent -v >> getinfo version > D 2.4.5 Okay, that works. >> gpgconf -L > ERR 67109139 Unknown IPC command Please enter this on the command line not at the gpg-connect-agent prompt. Salam-Shalom, Werner

Re: Can not import private key (Not enough space)

2024-04-08 Thread Werner Koch via Gnupg-users
Hi! On Mon, 8 Apr 2024 02:38, Moses said: > gpg: key xxx: error sending to agent: Not enough space That is an ENOMEM which is commonly returned for a failed malloc call. Could happen at a lot of places. Try: gpg-connect-agent -v and there a command like "getinfo version"

Re: Agent forwarding issue

2024-04-07 Thread Werner Koch via Gnupg-users
On Fri, 5 Apr 2024 13:03, Todd Zullinger said: > In such a case, it sounds like it may be reasonable to use > the normal socket? Until the remote side is updated to In fact, I also did this for some time but later came up with CommitDate: Wed Oct 12 11:30:35 2022 +0200 agent: Introduce

Re: Agent forwarding issue

2024-04-05 Thread Werner Koch via Gnupg-users
Hi! > gpg: problem with fast path key listing: Forbidden - ignored I'll suppress that message in --quiet mode for the next release. When doing a secret key listing (which happens with -K but also in --with-colons mode) gpg walks over all public keys and asks the agent for each key whether a

Re: x488 vs all other : keyid flip

2024-04-03 Thread Werner Koch via Gnupg-users
On Tue, 2 Apr 2024 18:53, Andrew Gallagher said: > technical challenge since no modern software supports them, and gnupg1 > doesn’t implement --list-packets :-) But I have to admit they do Sure it has the --list-packets command. This command dates back to the very first release. >> But let me

Re: x488 vs all other : keyid flip

2024-04-02 Thread Werner Koch via Gnupg-users
On Tue, 2 Apr 2024 12:39, Andrew Gallagher said: > Are you saying that this is *not* a novel failure mode? Because we’ve No. We had v2, v3 and v4 keys in all kind of combinations in the past (even as part of subkeys) and back then the two OpenPGP implementations had no problems with that. The

Re: x488 vs all other : keyid flip

2024-04-02 Thread Werner Koch via Gnupg-users
On Fri, 29 Mar 2024 13:00, Andrew Gallagher said: > V5 subkeys of v4 primary keys would appear to introduce a novel > failure mode. It should be noted that in crypto-refresh, adding a Nope. A v5 key has nothing to do with a v4 signature and having different algorithm on the primary key and the subkey

Re: x488 vs all other : keyid flip

2024-03-28 Thread Werner Koch via Gnupg-users
On Thu, 28 Mar 2024 13:54, Christian Sommer said: > Likewise by telling GnuPG you really want the short keyID displayed > (gpg --keyid-format short) it takes the LAST 32 bytes of the FIRST 64 > bytes of the fingerprint. The thing here is that the short keyid is not from the specification but a co

Re: Get the private portion of subkeys

2024-03-28 Thread Werner Koch via Gnupg-users
On Thu, 28 Mar 2024 08:26, Damien Cassou said: > Is that a problem? Am I missing something important? It seems this > causes me the troubles mentioned at [1]. Your subkeys are all stored on a smartcard. The primary key is online. This is as intended. If you remove the primary private key (.

Re: x488 vs all other : keyid flip

2024-03-28 Thread Werner Koch via Gnupg-users
On Thu, 28 Mar 2024 00:49, Christian Sommer said: > on the other hand a x488 fingerprint is 50 hex characters long. let's say > it's 1 2 3 4 0 0 A B C D then its > long keyid is 1 2 3 4 and its short keyid is 22 3 4. x448 keys are created as

Re: ''gpg: failed to translate osfhandle 0x00000003' known|expected? -fd 4-7 doesn't.

2024-03-26 Thread Werner Koch via Gnupg-users
On Mon, 25 Mar 2024 19:55, Bee said: > Could you make whatever notation at dev.gnupg.org is appropriate, please? https://dev.gnupg.org/T7060 Already implemented a new option but you need to wait for gnupg 2.6. Shalom-Salam, Werner

Re: ''gpg: failed to translate osfhandle 0x00000003' known|expected? -fd 4-7 doesn't.

2024-03-25 Thread Werner Koch via Gnupg-users
On Mon, 25 Mar 2024 08:33, Bee said: > C:\Program Files (x86)\GnuPG\bin>type HelloWorld.txt | .\gpg.exe > --passphrase-fd 3 -c 3< HelloWorld.txt >> gpg: failed to translate osfhandle 0x0003 gpg takes system handles and not libc file descriptors. File descriptors 0, 1, and 2 are handled by

Re: ''gpg: failed to translate osfhandle 0x00000003' known|expected? -fd 4-7 doesn't.

2024-03-25 Thread Werner Koch via Gnupg-users
On Sat, 23 Mar 2024 21:17, Bee said: > Is 'gpg: failed to translate osfhandle 0x0003' known / expected? Don't mix Cygwin and plain Windows programs. Salam-Shalom, Werner

Re: Fwd: speedo.mk errors out

2024-03-25 Thread Werner Koch via Gnupg-users
On Fri, 22 Mar 2024 20:14, Christian Sommer said: > building GnuPG by speedo.mk on current master branch fails. The log That is quite possible. I doubt that anyone of us used it yet. Please use the STABLE-BRANCH-2-4 for such things. master is for development and things might or might not work.

Re: Fails signing key with Yubikey

2024-03-21 Thread Werner Koch via Gnupg-users
Hi! > gpg -K --with-colon 20E0635864445A177F8F7C0C6141FD27892AE9B4 > sec:u:255:22:6141FD27892AE9B4:1700197485:::u:::cESCA:::#::ed25519:::0: This is your primary key and it has been taken offline ..^.. marked by the pound sign. Only the primary key can be used to sign other keys. > ssb:u:255:2

Re: How can I have gpg pause to receive its passphrase, before it starts outputing decrypt to stdout?

2024-03-18 Thread Werner Koch via Gnupg-users
On Sat, 16 Mar 2024 21:26, B.S. said: > ... (Windows 10) [DOS] cmd ... [*NOT* powershell] > ... cygwin gpg ... [Do not use a Cygwin build of gpg - this is not supported. Use a standard build for Windows.] > How can I have gpg pause to receive its passphrase, before it starts > outputing decrypt

Re: Feature Request: 64-bit Windows Support for GnuPG

2024-03-18 Thread Werner Koch via Gnupg-users
Hi! and thanks for asking. On Sun, 17 Mar 2024 11:29, pal said: > I am writing to express my strong interest in a 64-bit version of GnuPG for > Windows. While I understand that currently only 32-bit systems (x86) are > officially supported, I believe adding 64-bit compatibility would be a > valu

Re: gpg-agent "forgetting" keys when getting many parallel requests

2024-03-18 Thread Werner Koch via Gnupg-users
On Sun, 17 Mar 2024 13:09, Bence Ferdinandy said: > running out of memory. Based on a discussion I found > (https://dev.gnupg.org/T4255), I set `auto-expand-secmem 100M` in Right. The man page says: --auto-expand-secmem n Allow Libgcrypt to expand its secure memory area as req

[Announce] GnuPG 2.4.5 released

2024-03-12 Thread Werner Koch via Gnupg-users
0 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28 Andre Heinecke (Release Signing Key) ed25519 2020-08-24 [expires: 2030-06-30] 6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA Werner Koch (dist signing 2020) ed25519 2021-05-19 [expires: 2027-04-04] AC8E 115B F73E 2D8D 47FA 9908 E98E 9

Re: Sign detach

2024-03-07 Thread Werner Koch via Gnupg-users
Hi, please send proper bug reports or detailed questions. Stuart has hints on how this can be done. If you don't want to follow this basic rule we have to set you on moderated. Salam-Shalom, Werner

Re: How to download commit packages from gnupg phabricator?

2024-03-06 Thread Werner Koch via Gnupg-users
Hi! On Wed, 6 Mar 2024 20:20, Vladimir Nikishkin said: > However, I don't seem to be able to find a way to download a tarball > of the commit in any way. You mean a tarball made from the repository at that commit? In general we only publish tarballs. If you want to use a working thing (i.e. gi

Re: Should one really disable AEAD for recent GnuPG created PGP keys?

2024-03-06 Thread Werner Koch via Gnupg-users
On Tue, 5 Mar 2024 11:15, Bruce Walzer said: > So just to be clear, I am not complaining that GnuPG implemented the > LibrePGP version of OCB. I am complaining that GnuPG did #2 and #3 > before implementation was close to universal and did not clearly spell Sorry, this is not true. OCB mode is

Re: Should one really disable AEAD for recent GnuPG created PGP keys?

2024-03-05 Thread Werner Koch via Gnupg-users
Hi! On Tue, 5 Mar 2024 12:39, Tobias Leupold said: > Sorry for asking another thing about this. For sure, I didn't want to set off > an avalanche, and I still don't want to. But from a user's perspective, this > is simply very confusing and also unsettling. You are right. What I can do is to

Re: Your message to Gnupg-users awaits moderator approval

2024-03-05 Thread Werner Koch via Gnupg-users
On Mon, 4 Mar 2024 15:34, Matěj Cepl said: > like this one. My key has been signed by 60+ signatures, but > still 45K just for that seems excessive. Is there some way how to > generate something meaningful, which would be smaller? gpg --export -a --export-options export-minimal FOO >foo.asc thi

Re: Should one really disable AEAD for recent GnuPG created PGP keys?

2024-03-05 Thread Werner Koch via Gnupg-users
On Mon, 4 Mar 2024 19:05, Tobias Leupold said: > IMO interoperability with GnuPG is crucial for this project. Most > people using that on their phones will come from Linux, or they will Actually most users will come from Windows ;-) Salam-Shalom, Werner

Re: Should one really disable AEAD for recent GnuPG created PGP keys?

2024-03-05 Thread Werner Koch via Gnupg-users
On Tue, 5 Mar 2024 00:16, Vincent Breitmoser said: > The packet format referred to here is GnuPG-specific. In November Vincent, please stop spreading wrong facts. That is not a GnuPG specific but an agreed upon format by the participants of the OpenPGP WG and implemented by all major implementa

Re: [gpg-agent] Empty OPTION xauthority=

2024-03-04 Thread Werner Koch via Gnupg-users
On Mon, 4 Mar 2024 14:19, Matěj Cepl said: > Do I understand it correctly that gnupg contains smaller version > of systemd (dependency activation) inside of itself and that No. It is not required. Just don't let systemd start gpg-agent or dirmngr with option --supervised. If you use ssh just m

Re: Should one really disable AEAD for recent GnuPG created PGP keys?

2024-03-04 Thread Werner Koch via Gnupg-users
On Mon, 4 Mar 2024 12:03, Tobias Leupold said: > So: Is it wise and/or necessary to disable that for new GnuPG generated keys, > for the sake of interoperability? Or will the others catch up and implement No, it is not because you are delaying the deployment of new and a much faster algorithm

Re: [gpg-agent] Empty OPTION xauthority=

2024-03-04 Thread Werner Koch via Gnupg-users
On Sun, 3 Mar 2024 20:38, Matěj Cepl said: > 1. Could you please explain why it is racy? Why from all services Because all components of gnupg will start gpg-agent and the other daemons on the fly and make sure that only one is started. Systemd does not know about this specific start mechanism

Re: [gpg-agent] Empty OPTION xauthority=

2024-03-03 Thread Werner Koch via Gnupg-users
Hi! On Sat, 2 Mar 2024 20:54, mc...@cepl.eu said: > am running it on host with systemd --user services (configuration Take care, the use of systemd is racy and support will be removed in 2.6. > gpg: all values passed to '--default-key' ignored > gpg: keydb_search failed: IPC syntax error (You

Re: On the security of ~/.password-store/.gpg-id [was: Re: Second OpenPGP-card]

2024-03-02 Thread Werner Koch via Gnupg-users
On Fri, 1 Mar 2024 21:56, Daniel Kahn Gillmor said: > For example, GnuPG could instead offer an interface with explicit > options to allow the user to choose to match certificates by > fingerprint, or by e-mail address, or by name, or by full User ID, but Simply prefix the fingerprint with 0x an

Re: Second OpenPGP-card

2024-02-29 Thread Werner Koch via Gnupg-users
On Wed, 28 Feb 2024 17:41, Jacob Bachmeyer said: > As Werner mentioned, you can also have different .gpg-id files for > different parts of your password store, if you wanted some passwords > to only be available with certain smartcards. FWIW: The C3S uses pass for their teams and meik wrote a scr

Re: Second OpenPGP-card

2024-02-29 Thread Werner Koch via Gnupg-users
On Wed, 28 Feb 2024 17:40, Jacob Bachmeyer said: > Or even Windows, which remains disturbingly common in applications > that probably need far less attack surface, like industrial control > systems... (Is the stupidity of management a main driver of Shamir's > law?) Often true but the real probl

Re: Second OpenPGP-card

2024-02-28 Thread Werner Koch via Gnupg-users
On Wed, 28 Feb 2024 10:55, Matthias Apitz said: > purism@pureos:~$ cat .password-store/.gpg-id > CCID L5 Which means that it encrypts to "CCID L5". pass parses this using while read -r gpg_id; do gpg_id="${gpg_id%%#*}" # strip comment [[ -n $gpg_id ]] || c

Re: Second OpenPGP-card

2024-02-28 Thread Werner Koch via Gnupg-users
On Tue, 27 Feb 2024 20:52, Jacob Bachmeyer said: > Therefore, pass(1) almost certainly has its own list of keys stored pass stores the fingerprints of the keys in a .gpg-id file and allows setting different ones per directory. > logarithm problem and /vice versa/. Accordingly, RSA1024 is now >

Re: Second OpenPGP-card

2024-02-27 Thread Werner Koch via Gnupg-users
On Tue, 27 Feb 2024 10:07, Matthias Apitz said: > I've never done anything with this and expected it also at date > 2021-10-30 (when I initialized the OpenPGP card in the mobile L5). The pubring.kbx is used for various things. For example we also store "ephemeral keys" for X.509 (those we receiv

Re: symmetric passphrase with remote (extra, restricted) gpg-agent

2024-02-26 Thread Werner Koch via Gnupg-users
Hi! Sorry for the wrong order of the messages, I simply forgot to send them yesterday. Salam-Shalom, Werner -- The pioneers of a warless world are the youth that refuse military service. - A. Einstein

Re: symmetric passphrase with remote (extra, restricted) gpg-agent

2024-02-26 Thread Werner Koch via Gnupg-users
On Fri, 23 Feb 2024 22:59, Marcin Wrochna said: > However, I cannot make `gpg --symmetric` encryption work on the remote, > as it tells me getting a passphrase is "Forbidden". Right. It does not sound like a good idea to give the server access to your local password store (in gpg-agent). This wa

Re: symmetric passphrase with remote (extra, restricted) gpg-agent

2024-02-26 Thread Werner Koch via Gnupg-users
service. - A. Einstein From 4025da324903093736f238329274f5e234f5339e Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Sun, 25 Feb 2024 15:55:14 +0100 Subject: [PATCH GnuPG] agent: Allow GET_PASSPHRASE in restricted mode. * agent/command.c (cmd_get_passphrase): Allow use in restricted mode

Re: How to get a pubkey with WKD

2024-02-22 Thread Werner Koch via Gnupg-users
On Thu, 22 Feb 2024 15:37, Bernhard Reiter said: > For Debian GNU/Linux oldstable, it still is 2.2.27, though > and 2.2.19 for Ubuntu GNU/Linux 20.04LTS. --locate-external-keys was introduced with 2.2.17. Shalom-Salam, Werner -- The pioneers of a warless world are the youth that refuse mi

Hints on how to check for a WKD key (was: Trying to get PKA working)

2024-02-21 Thread Werner Koch via Gnupg-users
On Wed, 21 Feb 2024 15:52, Philip Colmer said: > that works. The wiki (https://wiki.gnupg.org/WKDHosting) says to use > gpg --homedir "$(mktemp -d)" --verbose --locate-keys > your.em...@example.org ... and this doesn't work. It's a wiki and ppl change it at will and worse nobody checks and updates

Re: Trying to get PKA working

2024-02-21 Thread Werner Koch via Gnupg-users
Hi! Please don't use PKA. Any remaining support will be removed anyway. The Web Key Directory is a far better and easier way to get certificates. In fact it is enabled by default and used transparently in Kleopatra and with the Windows GpgOL plugin. Other Unix mailers might also have support f

Re: Second OpenPGP-card

2024-02-15 Thread Werner Koch via Gnupg-users
On Tue, 13 Feb 2024 17:32, Matthias Apitz said: > We need here 'Micro SIM'. And I talked to the owner of floss-shop. They > do not offer a way to pop out Micro SIM. I simply used scissors to cut them out and those cards work. Granted I don't use the Librem regularly (if at all), but the card was

Re: How to get a pubkey with WKD (Re: Incompatible secret key format between 2.4.4 and 2.2.27?)

2024-02-15 Thread Werner Koch via Gnupg-users
On Thu, 15 Feb 2024 11:48, Bernhard Reiter said: > But it does not get the current version of the pubkey in some circumstances. Example? I am not aware of it. > And the long version works in a few more older GnuPG versions. ;) Since 2.2.17 from summer 2019 - 5 years passed since then with a co

Re: Incompatible secret key format between 2.4.4 and 2.2.27?

2024-02-15 Thread Werner Koch via Gnupg-users
On Wed, 14 Feb 2024 11:24, Bernhard Reiter said: > The following will get his pubkey by WKD on the command line: > gpg --locate-keys --auto-key-locate clear,nodefault,wkd w...@gnupg.org FWIW, gpg --locate-external-key w...@gnupg.org is much easier than the above long list of options. Sa

Re: Second OpenPGP-card

2024-02-13 Thread Werner Koch via Gnupg-users
On Fri, 9 Feb 2024 15:36, Matthias Apitz said: > So, can I buy this card here in Europe or even in Germany? floss-shop.de > If not, I could with a script decrypt all the files in this tree and > encrypt them again after setup the card. But, it would be better just > copy the files over by SCP,
