Re: Bug#840669: [pkg-gnupg-maint] Bug#840669: Bug#840669: Beware of leftover gpg-agent processes

2016-10-19 Thread Werner Koch
On Fri, 14 Oct 2016 21:47, d...@fifthhorseman.net said:

>> In a new temp directory do:
>>
>>  GNUPGHOME=$(pwd) gpg-agent --daemon gpg .
>>
>> Or whatever you want to run under gpg-agent's control.  This has been
>> there for ages.
>
> fwiw, this doesn't work (and actually returns an error) if there is
> already a gpg-agent running in that $GNUPGHOME:

That is why I wrote "in a _new_ temp directory" above .-)


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by federal law.




Re: [pkg-gnupg-maint] Bug#840669: Beware of leftover gpg-agent processes

2016-10-14 Thread Werner Koch
On Fri, 14 Oct 2016 19:17, ijack...@chiark.greenend.org.uk said:

> authorisations, if the user types in a passphrase) have a lifetime
> limited by that of the gpg process which started the agent.

In a new temp directory do:

 GNUPGHOME=$(pwd) gpg-agent --daemon gpg .

Or whatever you want to run under gpg-agent's control.  This has been
there for ages.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by federal law.




Re: [pkg-gnupg-maint] Beware of leftover gpg-agent processes

2016-08-06 Thread Werner Koch
On Sat,  6 Aug 2016 08:24, p...@debian.org said:

> BTW, does this make parcimonie obsolete? I noticed that dirmngr

We plan to add similar functionality to dirmngr but that has not yet
been done and I am not sure whether we will have it for 2.2.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by federal law.
 /* Join us at OpenPGP.conf   */



Re: Bits from keyring-maint

2011-04-06 Thread Werner Koch
Hi,

I do not think that it is a good idea to push for 4k RSA keys! You gain
nothing from it except for slowness on small devices.  Debian is used on
a lot of small devices.  Further, DDs are strongly represented in the WoT
and thus many keyrings will increase in size and checking all the
signatures will take much longer.

Requiring 2k keys which are capable of SHA-2 is a good idea as it
conforms with current practice.  Everything else is over the top.

The future is not RSA but ECC.  GnuPG 2.1 already implements ECC and it
can be expected that by 2012 more and more ECC keys will hit our WoT.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by federal law.


Archive: http://lists.debian.org/87zko38rlu@vigenere.g10code.de



Re: Revival of the signed debs discussion

2003-12-03 Thread Werner Koch
On Wed, 3 Dec 2003 12:08:10 +0100, Matthias Urlichs said:

> signature algorithm would allow for hashing the data on the remote
> machine, and signing that hash locally.
>
> ... that would work. It'd probably require a few hooks within GPG
> to generate a hash packet / .

Since I moved my actual development to faster machines I now always
need to copy the tarballs to the box where I can sign them and this is
not very convenient.  Obviously, I thought about such a solution too.

There are some minor problems because we don't just sign a hash but
need to add some more data.  Creating an incomplete hash on the remote
machine is not the cleanest solution, so I have to come up with a
better way.

  Werner

-- 
Werner Koch                      [EMAIL PROTECTED]
The GnuPG Experts                http://g10code.com
Free Software Foundation Europe  http://fsfeurope.org
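Added example (the editor's, not code from the thread or from GnuPG): what an OpenPGP v4 binary-document signature actually hashes, per RFC 4880 section 5.2.4. It makes the "we don't just sign a hash but need to add some more data" point concrete: the digest that is signed covers the file, then the signature's own fields and a trailer, so a finished SHA-256 of the file is useless to the signer, and what the remote side would have to hand over is an unfinished hash state. The document bytes and subpacket values are constructed for the demonstration; the function names are the editor's.

```python
"""Editor's added example, not code from the thread or from GnuPG.

Which bytes an OpenPGP v4 binary-document signature hashes (RFC 4880,
section 5.2.4), and why H(file) alone is not what gets signed.
The document and subpacket values below are constructed.
"""
import hashlib
import struct

SIG_TYPE_BINARY = 0x00   # signature over a binary document
PK_ALGO_RSA = 1          # public-key algorithm id for RSA
HASH_ALGO_SHA256 = 8     # hash algorithm id for SHA-256


def subpacket(sp_type, body):
    """Encode one signature subpacket (one-octet length form, body < 191 bytes)."""
    if len(body) + 1 >= 192:
        raise ValueError("use the two-octet length form for long subpackets")
    return bytes([len(body) + 1, sp_type]) + body


def signature_suffix(hashed_subpackets):
    """Bytes hashed after the document: the v4 signature fields and the trailer.

    Fields: version 4, signature type, public-key algorithm, hash algorithm,
    two-octet length of the hashed subpacket area, then that area.
    Trailer: 0x04 0xFF followed by the four-octet big-endian length of the
    fields just hashed.
    """
    fields = (bytes([4, SIG_TYPE_BINARY, PK_ALGO_RSA, HASH_ALGO_SHA256])
              + struct.pack(">H", len(hashed_subpackets))
              + hashed_subpackets)
    trailer = b"\x04\xff" + struct.pack(">I", len(fields))
    return fields + trailer


def plain_file_digest(document):
    """What a naive remote side would send: just SHA-256 of the file."""
    return hashlib.sha256(document).digest()


def signed_digest(document, hashed_subpackets):
    """The digest the private key really signs."""
    h = hashlib.sha256(document)
    h.update(signature_suffix(hashed_subpackets))
    return h.digest()


def remote_hash_state(document):
    """Remote side of the 'incomplete hash' idea: hash the document only."""
    return hashlib.sha256(document)


def finish_from_remote_state(state, hashed_subpackets):
    """Signer side: continue that hash with the signature fields and trailer.

    hashlib can copy a state inside one process but has no portable way to
    serialise it for another machine; that is the part that needs a
    cleaner design than shipping a half-finished hash around.
    """
    h = state.copy()
    h.update(signature_suffix(hashed_subpackets))
    return h.digest()


# Constructed sample input: a fake tarball, a creation-time subpacket
# (type 2) and an issuer key-id subpacket (type 16) with made-up values.
EXAMPLE_DOCUMENT = b"contents of some-package-1.0.tar.gz (constructed)\n"
EXAMPLE_SUBPACKETS = (subpacket(2, struct.pack(">I", 1070452800))
                      + subpacket(16, bytes.fromhex("0123456789abcdef")))

if __name__ == "__main__":
    naive = plain_file_digest(EXAMPLE_DOCUMENT)
    real = signed_digest(EXAMPLE_DOCUMENT, EXAMPLE_SUBPACKETS)
    print("H(file)            :", naive.hex())
    print("OpenPGP signed hash:", real.hex())
    print("same?", naive == real)
```

Running it prints two different digests: the creation time and issuer are part of what is signed, so whoever finishes the hash must already know the signature fields, which is why the remote machine cannot simply send a digest and the signer cannot simply sign one.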




Re: Revival of the signed debs discussion

2003-12-03 Thread Werner Koch
On Wed, 3 Dec 2003 13:26:02 +0100, Matthias Urlichs said:

> I'm also a bit concerned about MitM attacks; the hash-or-whatever which

Obviously you can do this only using a secure channel.

> the local side is supposed to sign should probably be encrypted with the
> signer's public key, otherwise I can just replace the data packet with
> something that ends up signing a totally different file. :-/

And if I do that, I could also sign the file right at the remote
machine because the (or some) signature key must be available over
there ;-)

 Werner