Re: ed448 support in gpg?

2020-03-11 Thread Werner Koch via Gnupg-users
On Tue, 10 Mar 2020 20:30, Jonathan Cross said: > Is ed448 available / in development? Will be part of 2.3. However, even then I do not suggest to create such a key because the majority of deployed software won't be able to use it. If you care about the security of your key use a smartcard. Thi

Re: gpg --import-options import-drop-uids not available?

2020-03-04 Thread Werner Koch via Gnupg-users
Hi! if you look at the commit gpg: New options import-drop-uids and export-drop-uids. [...] These options are required for experiments with changes to the keyserver infrastructure. you can see that they are used for experiments and part of the master branch. It is unlikely th

Re: Help me on this

2020-03-03 Thread Werner Koch via Gnupg-users
On Mon, 2 Mar 2020 12:59, Phil Pennock said: > On Unix, it's done with "pinentry", I don't know Windows so don't know > the details there. But hopefully this provides enough to point you in On Windows we can't make it 100% sure that the Pinentry pops up above the other windows. In some cases i

Re: Encrypted GPG files

2020-02-21 Thread Werner Koch via Gnupg-users
Hi! Thanks for your analysis; I have one additional comment: On Thu, 20 Feb 2020 23:28, Ángel said: > I suspect that the problem may not actually be the packet format, but > something else presented by the same client that is choosing new format > (e.g. it could be choosing IDEA as cipher). gpg

Re: Building GnuPG for QNX 7

2020-02-20 Thread Werner Koch via Gnupg-users
On Tue, 18 Feb 2020 20:19, Eric Linner said: > update files and decrypt them on the target system. However, I'm > having trouble building GnuPG for QNX 7. My development environment is > Windows 10 and the target is x86 running 64-bit QNX 7. QNX supposedly > has some support for cross compiling GN

Re: swdb.lst problem

2020-02-10 Thread Werner Koch via Gnupg-users
On Sun, 9 Feb 2020 16:44, murphy said: > Also when I try to download swdb.lst directly it fails with: The certificate for version.gnupg.org expired. Actually it was renewed but due to a certificate update problem with another rarely used domain, pound was not restarted. I just fixed this all.

Re: Message Padding for GnuPG

2020-01-22 Thread Werner Koch via Gnupg-users
On Tue, 21 Jan 2020 23:02, Stefan Claas said: > because 'gpg --list-packets' shows the original byte size of the unencrypted > message or file, including the original filename. --list-packets can't show the original filename because that info is encrypted. Note that --list-packets decrypts if it

setrlimit failure on aarch64 (was: Interesting failure on aarch64)

2020-01-20 Thread Werner Koch via Gnupg-users
On Fri, 20 Dec 2019 11:22, Konstantin Ryabitsev said: > On x86_64 this succeeds, but when I tried building on aarch64, that step [...] > gpg: Fatal: can't disable core dumps: Operation not permitted setrlimit returns an unexpected error code: if (getrlimit (RLIMIT_CORE, &limit)) lim

Re: Automatic encryption to several recipients

2020-01-13 Thread Werner Koch via Gnupg-users
On Mon, 13 Jan 2020 08:16, mailing list said: > Something like > encrypt-to KEY1 > encrypt-to KEY2 > encrypt-to KEY3 Right. It works the same as --recipient and thus the argument to the option is the specification of a single key. Please use the fingerprint to specify the key. Using the keyid

Re: GnuPG website docs

2020-01-13 Thread Werner Koch via Gnupg-users
On Fri, 10 Jan 2020 10:48, David Eisner said: > 1. I think there should be a notice near the top of > https://gnupg.org/documentation/howtos.html that says something like this: > "The mini HOWTO is out-of-date and documents an older version of GnuPG. For > more up-to-date documentation, please see

Re: Changes in GnuPG

2020-01-09 Thread Werner Koch via Gnupg-users
On Thu, 9 Jan 2020 13:01, Mark said: > Thanks for the explanation of the new public key format. If I understand > it correctly, the old system was like a flat file and this new one is > more like an indexed database that allows faster lookups. Right. The keybox format includes meta data so that t

Re: Re-sign subkey binding with changed digest?

2020-01-09 Thread Werner Koch via Gnupg-users
On Wed, 8 Jan 2020 21:37, Andrew Gallagher said: > Have you tried changing the subkey expiry? Or does that reuse the same hash? That is what I would also suggest. The expire sub-command is useful for all such things. It should always use the current default digest algorithms. Regarding the SH

Re: Syncing GnuPG data between computers

2020-01-02 Thread Werner Koch via Gnupg-users
On Tue, 31 Dec 2019 15:46, Steve McKown said: > The GnuPG configuration files are simple enough, but the database files > are another story I imagine. We have always used a platform independent on-disk format for all files. Thus copying the files between different platforms is no problem at all.

Re: Automatically generating subkey revocation certificates

2019-12-27 Thread Werner Koch via Gnupg-users
On Thu, 26 Dec 2019 23:04, Dirk-Willem van Gulik said: > But this does not seem to happen when doing a --quick-add-key > subkey. Is this intentional ? Or is there a flag one can set ? Right. If you want to revoke a subkey we can assume that you still have access to the primary key and thus it is

Re: Best way to get fingerprint programmatically

2019-12-19 Thread Werner Koch via Gnupg-users
On Wed, 18 Dec 2019 11:51, john doe said: > By any chance, could something like the following be implemented?: > > $ gpg -K --print-fingerprint-only test I doubt that this helps because the only way to get a single result is to use the fingerprint for . Thus a second info item would be required t

Re: "--refresh-keys" not working.

2019-12-19 Thread Werner Koch via Gnupg-users
On Wed, 18 Dec 2019 09:51, Gerard E. Seibert said: > gpg: mpi too large (28876 bits) > gpg: read_block: read error: Invalid packet One of the keys you imported is corrupt and thus rejected. The debug flags don't help here, it would be better to enable --verbose so that you can see which key was

Re: Best way to get fingerprint programmatically

2019-12-18 Thread Werner Koch via Gnupg-users
On Wed, 18 Dec 2019 08:19, john doe said: > In other words, why '--quick-set-expire' requires a fingerprint and does > not accept a . Only the fingerprint is a unique identifier for the keyblock (aka certificate, public key). Allowing a User-id would require extra code in gpg and by the caller t

Re: gpg-agent relocation error

2019-12-12 Thread Werner Koch via Gnupg-users
On Wed, 11 Dec 2019 23:24, Johan Wevers said: >> libassuan.so.0 is linked to libassuan.so.0.8.3. > > That's quite an ancient version, current version is 2.5.3. My first Nope. Assuming this is a standard Linux distro, this is the latest version. The name of the library includes the *SO version* w

[Announce] GnuPG 2.2.19 released

2019-12-07 Thread Werner Koch via Gnupg-users
on has not been tampered with by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. Current releases are signed by one or more of these four keys: rsa2048 2011-01-12 [expires: 2019-12-31] Key fin

Re: Moving sigs from Wins machine to FreeBSD

2019-12-05 Thread Werner Koch via Gnupg-users
On Thu, 5 Dec 2019 16:02, Jerry said: > So Werner, if I am understanding you correctly, I can just copy the > C:\Users\gerar\AppData\Roaming\gnupg files over to the ~/.gnupg > directory and it will work. Sounds good. Thanks! Right. If you are deeply worried about security you may want to delete

Re: Moving sigs from Wins machine to FreeBSD

2019-12-05 Thread Werner Koch via Gnupg-users
On Thu, 5 Dec 2019 14:10, Jerry said: > I have gpg4win installed on a Win 10 machine. I just installed > FreeBSD onto a new PC. I installed GNUPG 2.2.18 and would like to move > all of the signatures over to it from the Windows machine. Is that > possible and how would be the best way to go about

Re: multiple recipients encryption and decryption in gpgsm

2019-11-28 Thread Werner Koch via Gnupg-users
On Thu, 28 Nov 2019 10:57, Yves T said: > 1. is B able to decrypt the file if he has not the secret key from A Yes. As long as the secret key (aka private key) is available Quick test: $ fortune | gpgsm -ev -r 0xE297583E -r 0xCA89261C >/tmp/testenc The first -r is for s/n 1A02 and the

[Announce] GnuPG 2.2.18 released

2019-11-25 Thread Werner Koch via Gnupg-users
rsa2048 2011-01-12 [expires: 2019-12-31] Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 Werner Koch (dist sig) rsa2048 2014-10-29 [expires: 2019-12-31] Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959 David Shaw (GnuPG Release Signing Key) rsa20

Re: gpg-agent, pinentry and Emacs

2019-11-25 Thread Werner Koch via Gnupg-users
On Mon, 25 Nov 2019 08:44, Werner Koch said: > Thanks. I don't see that INSIDE_EMACS is propagated and I can duplicate My fault. We pass the envvars to pinentry using setenv in an atfork handler. Thus we do not see them in the Assuan log. I added some logging to so that we can

Re: gpg-agent, pinentry and Emacs

2019-11-24 Thread Werner Koch via Gnupg-users
On Sat, 16 Nov 2019 18:22, Ralph Seichter said: > ipc". I added the latter, and the resulting log file is available via > https://seichter.de/aegi6bee9eShu/gpg-agent.log . Note that I killed Thanks. I don't see that INSIDE_EMACS is propagated and I can duplicate that problem here. I will look i

Re: gpg-agent, pinentry and Emacs

2019-11-15 Thread Werner Koch via Gnupg-users
On Fri, 15 Nov 2019 21:45, Ralph Seichter said: > gpg-agent[27187]: failed to read the secret key > gpg-agent[27187]: command 'PKDECRYPT' failed: Timeout You forgot to _add_ debug-pinentry debug ipc verbose to gpg-agent.conf. (The "debug ipc" is helpful because it shows what gpg is request

Re: gpg-agent, pinentry and Emacs

2019-11-14 Thread Werner Koch via Gnupg-users
On Thu, 14 Nov 2019 19:54, Ralph Seichter said: > $ cat /tmp/pinentry-wrapper.log > INSIDE_EMACS is '' Pinentry considers that it is not run from Emacs and thus it does not forward requests to Emacs but uses the standard pinentry (or should return an error for pinentry-emacs). INSIDE_EMACS

Re: gpg-agent, pinentry and Emacs

2019-11-14 Thread Werner Koch via Gnupg-users
On Wed, 13 Nov 2019 17:58, Ralph Seichter said: > I use the same GnuPG version, but the Emacs variable setting you > suggested makes no difference for me. That's Emacs version 26.3, > which I should have mentioned earlier. Yet another regression in Emacs? I am still cursing over 26. Fortunately

Re: gpg-agent SSH agent returned incorrect signature type

2019-11-05 Thread Werner Koch via Gnupg-users
On Tue, 5 Nov 2019 17:49, Sebastian Wiesinger said: > debug3: sign_and_send_pubkey: signing using rsa-sha2-512 AFAICS that method is not supported. We support "ssh-rsa" and "ssh-rsa-cert-...@openssh.com" but not this method. However, I do not have the debug output of gpg-agent so I can't tell for

Re: encrypt file in batch mode

2019-11-05 Thread Werner Koch via Gnupg-users
On Mon, 4 Nov 2019 18:10, Tony Lane said: > was made with the unix philosophy in mind. Perhaps it would've been > better to write the gpg-agent as a shared library to be called by the > core instead. Well, we're probably too far down the rabbit hole The process boundary has security advanta

Re: BSI withdraws approval of GnuPG (revisited after 3 month)

2019-11-04 Thread Werner Koch via Gnupg-users
On Mon, 4 Nov 2019 11:40, Robert J. Hansen said: > requirements. This could be as simple as, "we prohibit the use of 3DES, > but OpenPGP lists it as a MUST algorithm". It is even less technical; see my other mail. FWIW, GnuPG knows all allowed algorithms for the VS-NfD use case and can be switc

Re: BSI withdraws approval of GnuPG (revisited after 3 month)

2019-11-04 Thread Werner Koch via Gnupg-users
On Mon, 4 Nov 2019 12:39, Art Silva said: > What do they approve for securing data of higher security classifications? There is a public list at: Salam-Shalom, Werner -- D

Re: BSI withdraws approval of GnuPG (revisited after 3 month)

2019-11-04 Thread Werner Koch via Gnupg-users
On Mon, 4 Nov 2019 08:58, karel-v_g--- said: > In a message to this list on August 8th Werner Koch said he is > permanent contact with BSI and the reason for the withdrawal is in the > OpenPGP part of GnuPG. Once again no further details were > provided. [4] We received a new app

Re: encrypt file in batch mode

2019-11-04 Thread Werner Koch via Gnupg-users
On Mon, 4 Nov 2019 16:49, Fourhundred Thecat said: > Yes, that is exactly the problem. Why should simple operations require > gpg agent ? The manual has a chapter on the architecture, please read it to understand the design goals and how it was implemented nearly 20 years ago. > Imagine the aut

Re: encrypt file in batch mode

2019-11-04 Thread Werner Koch via Gnupg-users
On Sun, 3 Nov 2019 08:31, Fourhundred Thecat said: > $ gpg --list-secret-keys > gpg: can't connect to the agent: No such file or directory > gpg: failed to start agent '/usr/bin/gpg-agent': No such file or directory Your system is not properly installed. It is missing the gpg-agent which is a m

Re: How to decrypt a message while preserving the signature?

2019-11-04 Thread Werner Koch via Gnupg-users
On Sun, 3 Nov 2019 10:15, Peter Lebbing said: >> --unwrap is not documented and has the minor problem that it also keeps the >> compression layer. However, gpgv groks that compression layer and works I'll document it for future releases. Salam-Shalom, Werner -- Die Gedanken sind frei.

Re: gpg-agent only checks for smartcard not for local keys

2019-11-04 Thread Werner Koch via Gnupg-users
On Sat, 2 Nov 2019 12:20, Horst Skatmus said: > I do not understand how the gpg-agent determines where to look for the > private key (disk or smartcard) and where this is configured. I can switch > off the scdaemon via --disable-scdaemon but this has no effect. At the time you use ssh-add (putty

Re: Question about symmetric AES cipher in GnuPG

2019-11-01 Thread Werner Koch via Gnupg-users
On Wed, 30 Oct 2019 17:19, Brian Minton said: > My guess is, the gpg one also is doing MDC, so you'd have to add the > equivalent HMAC code to openssl, but that's just a complete guess. The OpenPGP MDC is a SHA-1 hash appended to the plaintext and then encrypted along with the data. The usual

Re: Should gpg try to connect to TCP/993?

2019-10-28 Thread Werner Koch via Gnupg-users
On Fri, 25 Oct 2019 12:23, Jay Sulzberger said: > Is the following correct: > > When I use gpg to just encrypt or decrypt a file already on my > computer/OS's file system, then gpg does not open any formal > channels of communication going outside my computer/OS. No. By default gpg may go

Re: libgcrypt license

2019-10-22 Thread Werner Koch via Gnupg-users
On Tue, 22 Oct 2019 12:27, Fuse Hiroaki said: > https://github.com/gpg/libgcrypt/commit/915570db198f2cf15db5c034096a444a8a79476e#diff-c55728a8e1162a431e4754734d27a041 I don't know what you found on github, which seems to be an unofficial mirror of GnuPG (and I do not want to check that specific

Re: are angle brackets around email address allowed for auto-key-locate?

2019-10-16 Thread Werner Koch via Gnupg-users
s. Salam-Shalom, Werner ps. Here is our test data set. The second string is the expected result, if it is NULL we can't extract a mail address from the string: { "Werner Koch ", "w...@gnupg.org" }, { "", "w...@gnupg.org" },

Re: Future OpenPGP Support in Thunderbird

2019-10-16 Thread Werner Koch via Gnupg-users
On Wed, 16 Oct 2019 10:46, Martijn Brinkers said: > I actually spent a lot of time investigating the impact of EFAIL on > S/MIME and it's my opinion that the real impact has been overblown. In > all my experiments, and I can tell you I have done a lot of them, I have > not been able to force a mai

Re: Future OpenPGP Support in Thunderbird

2019-10-16 Thread Werner Koch via Gnupg-users
On Wed, 16 Oct 2019 13:07, Patrick Brunschwig said: > something on their PC and more. Gpgme may handle some of these issues, > but the fact remains: an external component makes things a lot more > complex, especially for support. Right, GPGME handles this all pretty well and I have suggested often

Re: A place for discussing WKD spec clarifications?

2019-10-15 Thread Werner Koch via Gnupg-users
On Tue, 15 Oct 2019 09:06, Bjarni Runar Einarsson said: > Would the GnuPG issue tracker be a good place to file "bug > reports" against the spec, to work towards clarifications? That is okay for bug reports, but often it is more important to get the opinions from more people than those who triage

Re: GPG Agent discarding cache before ttl/max ttl

2019-10-15 Thread Werner Koch via Gnupg-users
On Tue, 15 Oct 2019 09:14, Chip Senkbeil said: > Is there some separate setting for GPG agent to discard its cache > earlier than the ttl/max ttl settings? I've checked the GPG agent You can follow the cache operations by adding log-file /some/log/file debug cache to gpg-agent.conf and relo

Re: FAQ October 2019 update

2019-10-15 Thread Werner Koch via Gnupg-users
On Tue, 15 Oct 2019 15:17, Robert J. Hansen said: > * Every reference to the SKS keyserver network now points to > keys.openpgp.org. Reason: the SKS attacks a few months ago. I have to object against this change. The SKS server network is still useful and definitely more useful than a non-matu

Re: Future OpenPGP Support in Thunderbird

2019-10-14 Thread Werner Koch via Gnupg-users
On Mon, 14 Oct 2019 20:43, Kristian Fiskerstrand said: > was suggested by Kristian and Andre: talking to SCDaemon (scd) with IPC. > Details need to be discussed, but it would be an optional solution, that Given that TB already has smartcard support it would be easy if the new code just makes use

Re: Future OpenPGP Support in Thunderbird

2019-10-14 Thread Werner Koch via Gnupg-users
On Mon, 14 Oct 2019 10:54, Phillip Susi said: >> encryption protocol is S/MIME and the last time I checked S/MIME (well, >> CMS for the nitpickers) does not support any kind of authenticated >> encryption. In contrast OpenPGP provides this nearly for 2 decades. > > What do you mean? S/MIME auth

Re: Future OpenPGP Support in Thunderbird

2019-10-13 Thread Werner Koch via Gnupg-users
On Sun, 13 Oct 2019 18:27, Binarus said: > keys' IDs were formally wrong so that key servers didn't accept the > keys. The easiest possible solution was to re-generate these keys using For the records: Not /keyservers/ but one specific keyserver which runs on a not yet matured enough code base an

Re: Future OpenPGP Support in Thunderbird

2019-10-13 Thread Werner Koch via Gnupg-users
On Sat, 12 Oct 2019 12:43, Chris Narkiewicz said: > Do you know why they resisted OpenPGP adoption so much? iirc, they said that they want to support only one protocol and settled for S/MIME. This still did not explain why they rejected our proposal to clean up their S/MIME code and implement

Re: Future OpenPGP Support in Thunderbird

2019-10-12 Thread Werner Koch via Gnupg-users
On Fri, 11 Oct 2019 21:48, qwrd said: > Storing private keys on a smartcard is a noteworthy security > enhancement, and I would like to see smartcard support being available > in Thunderbird. Either via GnuPG or some other mechanism. Take a Yubikey or an OpenPGP smartcard, install Scute (pkcs#11

Re: Future OpenPGP Support in Thunderbird

2019-10-12 Thread Werner Koch via Gnupg-users
On Sat, 12 Oct 2019 02:23, Robert J. Hansen said: > on Enigmail was very real. It was created by an ambiguity in how GnuPG > returns error states: just because GnuPG says "decryption OK" doesn't Nope. They did not read the documentation and did not check error codes. We suggest for a reason

Re: Future OpenPGP Support in Thunderbird

2019-10-12 Thread Werner Koch via Gnupg-users
On Fri, 11 Oct 2019 20:18, Philipp Klaus Krause said: > They don't want users to require to install gpg first. And they don't > want to ship gpg with Windows installers, since it isn't MPL. The latter is just plain bullshit. There are even many proprietary products which bundle gpg or other GPL

Re: cannot see and run gpg2 command

2019-10-09 Thread Werner Koch via Gnupg-users
On Wed, 9 Oct 2019 15:42, Fta said: > I have installed GnuPG in my windows 7, but I cannot see and run the > command gpg2 On some systems (mainly older Linux distributions), the current gpg is still installed under the name gpg2. On Windows we are using the name gpg.exe now for many years. Some

Re: We have GOT TO make things simpler

2019-10-07 Thread Werner Koch via Gnupg-users
On Sat, 5 Oct 2019 12:30, Robert J. Hansen said: > *absolutely no way* integrated into the email message. That had to wait > until the PGP/MIME RFCs -- that was when OpenPGP became an email protocol. MIME types for PGP inline were used on Unix soon after the introduction of MIME in 1992 at abou

Re: How to improve our GUIs

2019-10-07 Thread Werner Koch via Gnupg-users
On Mon, 7 Oct 2019 10:15, john doe said: > In the above link, only the cli version of the 1.4 release is available. > I got it from (1). Nope. That is always the current 2.2. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. signature.asc Description

Re: How to improve our GUIs

2019-10-07 Thread Werner Koch via Gnupg-users
On Sat, 5 Oct 2019 21:21, vedaal said: > and then a separate option of > "Export Secret Keys" The OP explicitly suggested to make the exporting of the secret key not too easy so that users don't accidentally send out their secret keys. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausn

How to improve our GUIs (was: We have GOT TO make things simpler)

2019-10-05 Thread Werner Koch via Gnupg-users
On Mon, 30 Sep 2019 10:58, Roland Siemons said: > 4/ Here is my proposal: > 4.1/ Stimulate that people use a GUI like GPA or Kleopatra. Not Enigmail, Enigmail folks won't like that suggestion. Users need to install a second tool which behaves differently (because Enigmail implements parts of GnuPG

Re: We have GOT TO make things simpler

2019-10-05 Thread Werner Koch via Gnupg-users
On Sat, 5 Oct 2019 12:15, Stefan Claas said: > installing MUAs and plug-ins, besides of GnuPG) point them to the FAQ as > learning resource and then show them as modern alternative Mailvelope And don't forget to point them to all the HOWTOS and RFCs required to use and admin a MUA, sendmail,

Re: We have GOT TO make things simpler

2019-10-05 Thread Werner Koch via Gnupg-users
On Fri, 4 Oct 2019 21:28, Stefan Claas said: > Well, I was wrong. It seems that the U.S. ESIGN Act is pretty relaxed > and does not need such strong requirements like in the EU. The EU neither. Even the Qualifizierte Elektronische Signatur, introduced in Germany ages ago, is not anymore a requi

Re: unknown modified files in GNUPGHOME

2019-09-29 Thread Werner Koch via Gnupg-users
On Sun, 29 Sep 2019 10:27, g...@unixarea.de said: > Hello, > > While doing a backup of my $HOME it turned out (what I never saw > before), that some files were changed in GNUPGHOME: > > -rw--- 1 guru wheel157316 21 sept. 10:07 .gnupg-ccid/pubring.kbx > -rw--- 1 guru wheel155467 2

Re: ed25519 and sha256

2019-09-26 Thread Werner Koch via Gnupg-users
On Wed, 25 Sep 2019 16:35, r...@sixdemonbag.org said: > Wikipedia is not a very good reference for low-level technical details. > Ed25519 is shorthand for "EdDSA on a specific curve": it is silent on > the subject of hash algorithms, although you can specify one as > "Ed25519-SHA-512" or what-hav

Re: Need Help with C Compiler Error in AIX 5.3 During GnuPG Build

2019-09-23 Thread Werner Koch via Gnupg-users
On Mon, 23 Sep 2019 02:36, gnupg-users@gnupg.org said: > configure:3554: error: C compiler cannot create executables configure does an early test to see whether your C compiler works. This is done to detect crippled compilers delivered on some systems. Seems not the case here, though. > config

Re: keys.openpgp.org not sending confirmation email

2019-09-17 Thread Werner Koch via Gnupg-users
On Tue, 17 Sep 2019 17:35, look@my.amazin.horse said: > convention or otherwise. The spec is factually wrong and misleading for > implementors in this aspect, and should be updated to reflect reality. The specs are not wrong if you would read them: | the name and email address of the key holder

Re: keys.openpgp.org not sending confirmation email

2019-09-17 Thread Werner Koch via Gnupg-users
On Tue, 17 Sep 2019 15:08, gnupg-users@gnupg.org said: > See also dkg's thoughts on the matter on the openpgp-wg mailing list, to align > the specification with reality: OpenPGP has never defined what goes into the User ID except for the encoding which should be UTF-8. Anything else does not bel

Re: keys.openpgp.org not sending confirmation email

2019-09-17 Thread Werner Koch via Gnupg-users
On Tue, 17 Sep 2019 14:57, li...@binarus.de said: > to use only key IDs consisting solely of the actual mail address > hereafter (with or without the angle brackets - I can live with both That is actually what I have suggested for quite some time. The extra stuff is not required and may lead only to co

Re: Automatically delete old keys from servers

2019-09-17 Thread Werner Koch via Gnupg-users
On Tue, 17 Sep 2019 15:12, daniel.boss...@dabo.ch said: > On the key servers are many old keys lying around which aren't valid anymore. Old keys are still useful to verify signatures. This is even true for expired keys. The user then needs to decide what to do with the verification result. Sh

Re: Regenerate Openpgp Public Key from Private Key

2019-09-17 Thread Werner Koch via Gnupg-users
On Tue, 17 Sep 2019 11:09, m...@halfdog.net said: > Therefore some exports (or copies of old secring.gpg) just do > not include the public key, otherwise import would be trivial. Nope. It is not possible to create an OpenPGP secret keyblock without the public key parts. > As the key causing me pr

Re: keys.openpgp.org not sending confirmation email

2019-09-17 Thread Werner Koch via Gnupg-users
On Tue, 17 Sep 2019 09:12, li...@binarus.de said: > I am asking myself why Enigmail doesn't. I am not sure (and can't test > at the moment) how GnuPG would behave if given a problematic name when > generating a key; I hope it would give a warning or would add the gpg generates such a key just fin

Re: Regenerate Openpgp Public Key from Private Key

2019-09-17 Thread Werner Koch via Gnupg-users
On Tue, 17 Sep 2019 06:51, m...@halfdog.net said: > Regenerating private keys is mathematically trivial but tool-wise > a little tricky. It seems that quite some people were troubled What's wrong with gpg --import backup-of-private-key.gpg ? The private key includes the entire public key. Sal

Re: Which version of GnuPG to use?

2019-09-16 Thread Werner Koch via Gnupg-users
On Mon, 16 Sep 2019 23:49, gnupg-users@gnupg.org said: > speak, with a specially crafted software, when using an online computer > with a SmartCard? I have read that the secret key cannot be copied from > the card, but what about the 'bits and pieces' in memory when decrypting? Side-channel at

Re: Generating bitwise identical keyrings with GnuPG 1 + 2

2019-09-16 Thread Werner Koch via Gnupg-users
On Mon, 16 Sep 2019 15:41, io...@ionic.de said: > * On 9/15/19 3:56 PM, Werner Koch wrote: >> The trust packets are for internal use of gpg and are never exported. > > But... that's the whole point. gpg 1.4 seems to export them, while gpg > 2.x does not. I just checked t

Re: 37.191.231.105 (part of keyserver pool) redirects to ... unknown location?

2019-09-16 Thread Werner Koch via Gnupg-users
On Mon, 16 Sep 2019 10:11, io...@ionic.de said: > which also means that requests to URLs like http://keys.gnupg.net will > sometimes > redirect a user to that location. That is not correct. For quite some time that address is hardwired to avoid DNS problems (https://dev.gnupg.org/T37

Re: Generating bitwise identical keyrings with GnuPG 1 + 2

2019-09-15 Thread Werner Koch via Gnupg-users
On Fri, 13 Sep 2019 21:28, io...@ionic.de said: > Either way, my best guess is that GPG 2.2+ drops the trust packets > because the trust is not explicitly set (i.e., default value) - as an The trust packets are for internal use of gpg and are never exported. These packets are one of the reasons w

Re: Info for GnuPG users which have a keybase account

2019-09-10 Thread Werner Koch via Gnupg-users
On Tue, 10 Sep 2019 18:58, gnupg-users@gnupg.org said: > Well, Werner and other prominent ML members are on keybase, so I am not. I once tested it and thus there may still be an account or whatever. And I do not know what Stellar or Lumen are in this context. But no need to explain it. Anyway,

[Announce] Libgcrypt 1.8.5 released

2019-08-29 Thread Werner Koch via Gnupg-users
048 2011-01-12 [expires: 2019-12-31] Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 Werner Koch (dist sig) rsa2048 2014-10-29 [expires: 2019-12-31] Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959 David Shaw (GnuPG Release Signing Key) rsa2048 2014-10-

Re: Questions on code signing

2019-08-27 Thread Werner Koch via Gnupg-users
On Tue, 27 Aug 2019 00:18, gnupg-users@gnupg.org said: > (1) If a file is signed but the signature is incorrect, 'gpg2 -d' > returns a non-zero status code, so the remote script knows not to Right but as stated somewhere in the docs, you should never ever rely on the status code from the binary.

Re: BSI withdraws approval of GnuPG for confidential documents

2019-08-22 Thread Werner Koch via Gnupg-users
On Thu, 22 Aug 2019 00:04, pe...@digitalbrains.com said: > And heck, it might lend urgency to the topic should Werner subsequently > also ask them. We are in contact with them and have regular meetings. It does not help the case if I would disclose details. The problems around the OpenPGP part

Re: how to recover secret key passphrase?

2019-08-21 Thread Werner Koch via Gnupg-users
On Wed, 21 Aug 2019 12:03, pe...@digitalbrains.com said: > So what ilf probably needs is something that can read the private keybox > format. That's where my advice falls short: I can't help with that. That is right. You need a new tool for John to do that. The format is described in gnupg/agen

Re: Difficulty of fixing reconciliation

2019-08-15 Thread Werner Koch via Gnupg-users
On Thu, 15 Aug 2019 00:02, gnupg-users@gnupg.org said: > But at least then we will want to add cryptography to see which > selfsigs are truly legitimate, right? That would be the first and most important step to get the keyservers back for the WoT Shalom-Salam, Werner -- Die Gedanken sind

Re: Difficulty of fixing reconciliation

2019-08-14 Thread Werner Koch via Gnupg-users
On Wed, 14 Aug 2019 15:45, r...@sixdemonbag.org said: > developed *more than twenty years ago* it was decided to support > arbitrary numbers of third-party signatures. GnuPG faithfully At least OpenPGP has this: 5.2.3.17. Key Server Preferences (N octets of flags) This is a list of o

Re: PGP Key Poisoner

2019-08-13 Thread Werner Koch via Gnupg-users
On Tue, 13 Aug 2019 09:54, gnupg-users@gnupg.org said: > The bug, however, is in the program that chokes on poisoned keys! Nope. This is a long standing DoS protection by limiting the total length of a keyblock. The diagnostics were a bit misleading, though. The time it took to process all the

Re: BSI withdraws approval of GnuPG for confidential documents

2019-08-08 Thread Werner Koch via Gnupg-users
On Thu, 8 Aug 2019 17:22, gnupg-users@gnupg.org said: > maybe interesting for some community members, living in Germany. We learned about that last week and are trying to figure out what is going on. It is likely an internal coordination or content admin problem at the BSI. We do not know abou

Re: About support of RFC 2437, 4056 and 6979

2019-08-04 Thread Werner Koch via Gnupg-users
On Sat, 20 Jul 2019 10:07, persm...@hardenedlinux.org said: > Does GnuPG support OAEP for RSA (PKCS#1 v2 and RFC 2437), RSA-PSS (RFC gpg does not support this because OpenPGP requires pkcs-1.5. There are no plans to change this because there is no real world issue with pkcs-1.5 when using in th

Re: skipped packet 12

2019-08-02 Thread Werner Koch via Gnupg-users
On Thu, 1 Aug 2019 20:46, da...@gbenet.com said: > Do you have any ideas why I am getting multiple lines of: > gpg: skipped packet of type 12 in keybox Your gpg version is older than 2.1.20 but you used a newer version on that keybox too. Shalom-Salam, Werner -- Die Gedanken sind frei. Au

Re: allow-non-selfsigned-uid issue with key from keys.openpgp.org that contains no identity information

2019-08-01 Thread Werner Koch via Gnupg-users
On Thu, 1 Aug 2019 09:27, gnupg-users@gnupg.org said: > We're already in uncharted waters with the inevitable abuse of SKS, we > need to figure out how to stabilize the ecosystem. Most businesses do not use public keyservers at all but use their internal PKI. > If the PGP implementation of Open

Re: Commands supported by extra socket

2019-08-01 Thread Werner Koch via Gnupg-users
On Fri, 26 Jul 2019 15:57, gnupg-users@gnupg.org said: > Where can I find information on what commands are supported by > S.gpg-agent and S.gpg-agent.extra socket? I am looking for some > information which clearly differentiates these two sockets. Here is an overview on the allowed commands for t

Re: allow-non-selfsigned-uid issue with key from keys.openpgp.org that contains no identity information

2019-08-01 Thread Werner Koch via Gnupg-users
On Mon, 29 Jul 2019 09:43, gnupg-users@gnupg.org said: > it that way", i think. Perhaps Werner can provide more background on > why GnuPG is generally resistant to holding OpenPGP certificates that > have no User ID at all in its local keyring. The user ID is important because the accompanying se

Re: --lsign --add-me or the invisible WoT

2019-07-31 Thread Werner Koch via Gnupg-users
On Sat, 20 Jul 2019 11:57, gnupg-users@gnupg.org said: > additional parameter like --add-me for --lsign would make sense, for --quick-sign-key fpr [names] --quick-lsign-key fpr [names] Directly sign a key from the passphrase without any further u

Re: I deleted 80 % of my keyring, but my keybox file isn't shrinking

2019-07-18 Thread Werner Koch via Gnupg-users
On Wed, 17 Jul 2019 23:41, i...@zeromail.org said: > But the keybox file didn't get any smaller: Good catch. In gpg we have not implemented the compression run: /* FIXME: Do a compress run if needed and no other user is currently using the keybox. */ However, in gpgsm this is done

Re: WKD auto-key-retrieve method

2019-07-17 Thread Werner Koch via Gnupg-users
On Tue, 16 Jul 2019 17:18, gnupgpac...@on.yourweb.de said: > how to put "--sender email at address" to gpg.conf file if using several > different email addresses from sender? You can't; it is the task of the MUA (cf. gpgme_set_sender). > Is it possible to put "--sender" option to public key itsel

Re: WKD: Publishing a key for multiple user IDs

2019-07-16 Thread Werner Koch via Gnupg-users
On Mon, 15 Jul 2019 18:03, gnupg-users@gnupg.org said: > So if I have two email addresses/user IDs m...@my.org and m...@my.org > associated with the same key, I cannot just export the key and publish > it, right? I have to somehow publish two different ‘stripped’ public Sigh. GnuPG handles this

Re: WKD documentation (Re: Testing WKD setup?)

2019-07-12 Thread Werner Koch via Gnupg-users
On Wed, 10 Jul 2019 21:47, johan...@zarl-zierl.at said: > ...except it isn't installed by default. Will this be part of gpg-wks-client? Ooops. I meant gpg-wks-client. There is no gpg-wks-tool. > won't be installed to libexec), it would still be beneficial to describe the > actual file system

Re: WKD documentation (Re: Testing WKD setup?)

2019-07-10 Thread Werner Koch via Gnupg-users
On Tue, 9 Jul 2019 23:33, johan...@zarl-zierl.at said: > Now that I have done it once, I think the setup without /usr/lib/gnupg/gpg- > wks-client isn't that complicated either: Please use gpg-wks-tool instead; it is much easier and less error prone. > b. Manually, using gpg: gpg --homedir "$(mk

Re: WKD: mutt integration status

2019-07-10 Thread Werner Koch via Gnupg-users
On Wed, 10 Jul 2019 11:59, andr...@andrewg.com said: > In this instance, I wonder if the apostrophe hasn't screwed something up > - are apostrophes valid in the MIME boundary charset? I have used that for ages and believe this is all valid. But new Emacs versions sometimes change the spooky list and t

Re: WKD: mutt integration status

2019-07-10 Thread Werner Koch via Gnupg-users
On Wed, 10 Jul 2019 10:53, gnupg-users@gnupg.org said: > If you convince Mutt community that WKD is a good idea I can prepare > the patch for you. As far as I remember it's very minimal and I'd be Actually I started to work on Mutt (not NeoMutt, though) but had to give up due to time constraints.

Re: How to delete flooded key

2019-07-10 Thread Werner Koch via Gnupg-users
On Wed, 10 Jul 2019 10:23, patr...@enigmail.net said: > Is it sufficient to run "gpg --delete-keys 0x...", and wait for quite a > while, or does it require other measures? --edit-key and then use "clean" to remove them. And well, install 2.2.17 to avoid future trouble. Shalom-Salam, Werner

Re: WKD documentation (Re: Testing WKD setup?)

2019-07-09 Thread Werner Koch via Gnupg-users
On Tue, 9 Jul 2019 15:50, gnupg-users@gnupg.org said: > setting it up and the feedback has been overwhelmingly positive. The > only thing I needed was basically the local-part hash and actually > that's what I built the checker for, to generate the URL in an easy I think things are even easier n

Re: Third-Party Confirmation signature?

2019-07-09 Thread Werner Koch via Gnupg-users
On Tue, 9 Jul 2019 10:10, gnupg-users@gnupg.org said: > However, if gpg doesn't support a way of adding that subpacket, then > creating easy-to-copy-and-paste commands for users to use to approve > signatures becomes difficult. The problem I see is that the keyservers need to check the validity

[Announce] GnuPG 2.2.17 released to mitigate attacks on keyservers

2019-07-09 Thread Werner Koch via Gnupg-users
that a downloaded GnuPG version has not been tampered with by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. Current releases are signed by one or more of these four keys: rsa2048 2011-01-12 [e
