Re: Error messages when generating new keys

2011-06-27 Thread Werner Koch
On Mon, 27 Jun 2011 19:17, onemailid4mailingli...@edpnet.be said:

> 2. I tried  "$ gpg2 --gen-key", chose default options
>and entered my infos (email address, name,…)
>and I got:
>   gpg: problem with the agent: Bad CA certificate
>   gpg: problem with the agent: Invalid card
>   gpg: Key generation canceled.

You are either running a version of gpg-agent which is too old or gpg
started that version of gpg-agent but expected another one.  Or there is
another daemon taking over the connection between gpg2 and gpg-agent.
Seahorse as well as the gnome-keychain(?) used to do this (which is
something they should not do).

Adding the options "--verbose --debug 2048" to the command line may give
you some more insight.  Make sure all gpg-agents are stopped.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
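An added check for the situation Werner describes (example code, not from the thread or from GnuPG): in the GnuPG 2.0-era setup gpg2 finds its agent through the GPG_AGENT_INFO variable, a string of the form socketpath:pid:protocol, and a keyring daemon that re-exports that variable pointing at itself is exactly the "another daemon taking over the connection" case. The POSIX shell functions below pull the fields apart, confirm that the socket exists and that the pid really belongs to a gpg-agent process, and list every running gpg-agent so stray ones can be stopped before retrying. The info strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not GnuPG's own code: sanity-check the agent that gpg2
# would talk to. Assumes the GnuPG 2.0-era GPG_AGENT_INFO format
# "socketpath:pid:protocol", e.g. "/tmp/gpg-abc123/S.gpg-agent:4242:1"
# (a constructed sample value).

# Field accessors for a GPG_AGENT_INFO string.
agent_info_socket() { printf '%s\n' "$1" | cut -d: -f1; }
agent_info_pid()    { printf '%s\n' "$1" | cut -d: -f2; }
agent_info_proto()  { printf '%s\n' "$1" | cut -d: -f3; }

# Returns 0 if the pid named in the info string is a live process whose
# command name is gpg-agent, 1 otherwise (dead pid, non-numeric pid, or a
# different daemon such as a keyring wrapper that re-exported the variable).
agent_pid_is_gpg_agent() {
  pid=$(agent_info_pid "$1")
  case "$pid" in ''|*[!0-9]*) return 1 ;; esac
  comm=$(ps -o comm= -p "$pid" 2>/dev/null || true)
  case "$comm" in
    gpg-agent|*/gpg-agent) return 0 ;;
    *) return 1 ;;
  esac
}

# Full check of one info string: set at all, socket present, pid is a
# real gpg-agent. Prints a one-line diagnosis; returns 0 only when all
# three hold.  Usage: check_gpg_agent_info "${GPG_AGENT_INFO:-}"
check_gpg_agent_info() {
  info=$1
  if [ -z "$info" ]; then
    echo "GPG_AGENT_INFO is not set; gpg2 will try to start its own agent"
    return 1
  fi
  sock=$(agent_info_socket "$info")
  if [ ! -S "$sock" ]; then
    echo "agent socket $sock does not exist (stale GPG_AGENT_INFO?)"
    return 1
  fi
  if ! agent_pid_is_gpg_agent "$info"; then
    echo "pid $(agent_info_pid "$info") is not gpg-agent: something else owns the connection"
    return 1
  fi
  echo "gpg-agent pid $(agent_info_pid "$info") on $sock (protocol $(agent_info_proto "$info")) looks sane"
  return 0
}

# Print the pid of every running gpg-agent, one per line, so that all of
# them can be stopped before retrying the key generation.
list_gpg_agents() {
  ps -eo pid=,comm= 2>/dev/null | awk '$2 == "gpg-agent" { print $1 }'
  return 0
}
```

Run `check_gpg_agent_info "${GPG_AGENT_INFO:-}"` from the same shell that will run gpg2; a pid that resolves to a keyring daemon rather than gpg-agent, or a socket path that no longer exists, explains the "problem with the agent" errors without needing the debug output.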


Re: gpg-agent asks for ssh passphrase, although the private key has no passphrase set

2011-06-27 Thread gitter
> On Sun, 26 Jun 2011 21:29, git...@safe-mail.net said:
>
> > I am using gpg-agent to manage my one and only ssh key. I generate my
> > (private) ssh key via openpgp2ssh from my private gpg
> > key. Unfortunately, although my private gpg key is not password
> > protected, gpg-agent asks me for a passphrase (via a nice X dialog)
> > before I ssh to my server. Entering nothing works fine, and I
>
> the dialog should have asked you to protect your key in the GnuPG system
> - that is to enter a new passphrase. You have to give that passphrase.

Ah, that is right.
 
> It is possible to change that passphrase but there is no direct command
> line interface for it. However, what you really want is something like
>
> =
> default-cache-ttl-ssh 7200
> max-cache-ttl-ssh 86400
> =
>
> in ~/.gnupg/gpg-agent.conf. This caches the passphrase for 2 hours if
> it is not used or even if used for not longer than a day.

I already use these long caching options for ssh. Actually what I want is not 
to enter a passphrase for my ssh key. I trust the applications that run on my 
system, so I do not want any passphrase.



Re: Error messages when generating new keys

2011-06-27 Thread Olivier N.
> Please describe exactly what you are doing and what versions of GnuPG
> are you using.  Are you using a smartcard?  Which one?

Hi,

What i did:

1. I installed gnupg2 [1] on my Linux box [2]
2. I tried "$ gpg2 --gen-key", chose default options
   and entered my infos (email address, name, ...)
   and I got:
      gpg: problem with the agent: Bad CA certificate
      gpg: problem with the agent: Invalid card
      gpg: Key generation canceled.

Am I precise enough or do you need more info, log,…?

Thanks in advance for your help!

Olivier

[1] $ gpg2 --version
gpg (GnuPG) 2.0.17
libgcrypt 1.4.6
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
        CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

[2] $ uname -a
Linux my-desktop 2.6.38-2-686 #1 SMP Thu Apr 7 05:24:21 UTC 2011 i686 GNU/Linux





Re: gpg-agent asks for ssh passphrase, although the private key has no passphrase set

2011-06-27 Thread Werner Koch
On Sun, 26 Jun 2011 21:29, git...@safe-mail.net said:

> I am using gpg-agent to manage my one and only ssh key. I generate my
> (private) ssh key via openpgp2ssh from my private gpg
> key. Unfortunately, although my private gpg key is not password
> protected, gpg-agent asks me for a passphrase (via a nice X dialog)
> before I ssh to my server. Entering nothing works fine, and I 

the dialog should have asked you to protect your key in the GnuPG system
- that is to enter a new passphrase.  You have to give that passphrase.

It is possible to change that passphrase but there is no direct command
line interface for it.  However, what you really want is something like

=
default-cache-ttl-ssh 7200
max-cache-ttl-ssh 86400
=

in ~/.gnupg/gpg-agent.conf.  This caches the passphrase for 2 hours if
it is not used or even if used for not longer than a day.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: Error messages when generating new keys

2011-06-27 Thread Werner Koch
On Fri, 24 Jun 2011 00:42, onemailid4mailingli...@edpnet.be said:
>
> I'm a newbie GPG user. I'm using Linux and GPG2.
>
> When generating new keys, I get several error messages:

Please describe exactly what you are doing and what versions of GnuPG
are you using.  Are you using a smartcard?  Which one?


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: DH Key

2011-06-27 Thread Werner Koch
On Thu, 23 Jun 2011 22:10, l...@brooks.nu said:

> Thanks for the reply. I don't know if a lot of people face this issue,
> but if so, I would recommend putting it in the FAQ. It would

Done.  http://www.gnupg.org/faq/GnuPG-FAQ.html#what-are-dh-dss-keys


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: timestamp notation @gnupg.org

2011-06-27 Thread Jerome Baum
> What I miss is a real use case for it.  Is there someone implementing a
> general purpose time stamping service?  IIRC, there used to be some 10
> years or more ago. Still any?  I don't know.

There are a lot of general purpose time stamping services, such as
 -- though that is the only one I
know of that is OpenPGP-based.

> We have way too many features in OpenPGP and GPG with the majority of
> them not being used.  Adding a yet another new feature should only be
> done if there is real world need for it.

I think the timestamp-only notation has a disputable use-case, but
timestamp-interval doesn't. If this were added to GnuPG I'd definitely
enable it (and probably set the resolution to P1D). The OP gave a very
good use case when he started this thread, and we've seen other cases
where a fake or lower-resolution timestamp would be useful.

While I didn't see/read the ages-old thread that was mentioned before,
you allegedly even agreed to implement something roughly equivalent in
the past.

-- 
Jerome Baum
tel +49-1578-8434336
email jer...@jeromebaum.com
web www.jeromebaum.com
--
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
--
Q: Why is this email five sentences or less?
A: http://five.sentenc.es



Re: timestamp notation @gnupg.org

2011-06-27 Thread Werner Koch
On Thu, 16 Jun 2011 19:21, jer...@jeromebaum.com said:

> Just so that Werner has a summary of what we've discussed, to base a
> decision on.

Thanks for that summary.

What I miss is a real use case for it.  Is there someone implementing a
general purpose time stamping service?  IIRC, there used to be some 10
years or more ago. Still any?  I don't know.

Now, if that is the case, please go ahead, implement it using whatever
notation you like and get that service running.  gpgme has the features
to display such notations, thus you can easily write a check-timestamp
application for your service.  Now, if that service is in real use, it
might be the time to see whether it is worth an I-D or whether GPG
should understand such a notation if - then - marked critical.

We have way too many features in OpenPGP and GPG with the majority of
them not being used.  Adding a yet another new feature should only be
done if there is real world need for it.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: Problem with faked-system-time option

2011-06-27 Thread Werner Koch
On Thu, 16 Jun 2011 15:58, ds...@jabberwocky.com said:

> key signature mean?  Unless it's marked critical, the web of trust
> code in both GPG and PGP will treat those signatures as fully
> qualified ones and not just timestamp-only, yet if it is marked

This is why one should use a separate key for a timestamping service.  I
still fail to understand the use case for a timestamp-only key
signature.

> In this particular case, people seem to want a notation under the
> gnupg.org domain, arguing that it will be more likely to be adopted as
> the gnupg.org domain lends some cachet.  I don't agree with that, but
> don't care enough to argue it.

That's fine and easy to implement, i.e. we don't need to implement
anything and don't change any code.  Notations are fully supported by
gpgme and thus applications may cope with them as they need.

If the idea is that those timestamping-only key signatures have some
effect on the WoT, I doubt that we want to support them.

> In terms of the second part, GPG itself, I don't yet see a need for
> any code change, which will have to be written and then maintained in
> the code (semi-)indefinitely.  Perhaps I'm cynical, but I don't really

ACK.

Let me add that I view the WoT as an entirely overrated mechanism.  It
works fine in some (maybe even only in that one hacker) communities but
for the broad mass of users (if they will ever adopt OpenPGP) it is
irrelevant.  Far too complex.  If the WoT were used the way X.509 is
used by web browsers, we would soon get all the same usual problems as
with all global PKIs.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: how encrypt data/text stream instead of a file?

2011-06-27 Thread Jerome Baum
Hey Doc,

> Sorry if I am out of line contacting you by email but I didn't see any other
> way to ask a question.

That's what this mailing list is for.

> I am a newbie Perl programmer and I want to pipe plain text to GPG and have
> it return the text encrypted.
>
> I have read quite a few articles and came up with this chunk of code on my
> own BUT it doesn't work and I was wondering if you can tell me what I am
> doing wrong...
>
>     my $public_key = "nameofpublickey";
>     my $plain_text = "this is a test message";
>     my $gpg_command = '/usr/local/bin/gpg';
>     open (GPGCOMMAND, "|$gpg_command");
>     my $encrypted_text = print GPGCOMMAND $plain_text | '$gpg_command -ea -r $public_key';
>     close (GPGCOMMAND);
>     print "encrypted text=$encrypted_text";
>
> It prints: encrypted text=1
>
> What am I doing wrong?

Seems like a Perl-related issue to me, not a GnuPG-related issue.
Basically $encrypted_text is not, as you intended, the output from
gpg -- I think it's the output from print, in this case 1 ("true") for
"yes, we managed to pipe this into gpg".

I suggest consulting with the appropriate Perl mailing list for how to
pipe into a command and get the output. Also consider "--batch" and
related options, see .

Best,

-- 
Jerome Baum
tel +49-1578-8434336
email jer...@jeromebaum.com
web www.jeromebaum.com
--
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
--
Q: Why is this email five sentences or less?
A: http://five.sentenc.es

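For the gpg side of the question, as an added example that is not part of the thread: the ciphertext is whatever gpg writes to its standard output, so the caller has to read that stream (and keep stderr separate) rather than use the return value of the write into the pipe, which is what the Perl snippet does. The POSIX shell functions below encrypt stdin for a recipient with --batch so gpg never prompts, hand back gpg's exit status, and let a stand-in command be substituted for gpg through the GPG variable; the recipient key ID 0xDEADBEEF in the comments is an assumed placeholder, and with a real key that is not fully trusted a batch gpg may refuse to encrypt unless --trust-model always or an explicit trust setting is added. In Perl the same shape is IPC::Open2 (separate write and read handles) rather than a single output-only pipe.

```shell
#!/bin/sh
# Added example, not GnuPG's own code: encrypt a text stream with gpg
# without touching a file, capturing the ciphertext and gpg's own exit
# status. 0xDEADBEEF below is an assumed placeholder recipient key ID.

# Encrypt stdin for RECIPIENT; ASCII-armored ciphertext goes to stdout.
# --batch/--no-tty keep gpg from prompting when driven from a script.
# GPG defaults to gpg on PATH and can be overridden (e.g. for testing).
#   usage: printf '%s' "$text" | gpg_encrypt_stream 0xDEADBEEF
gpg_encrypt_stream() {
  recipient=$1
  ${GPG:-gpg} --batch --no-tty --yes --armor --encrypt --recipient "$recipient"
}

# Encrypt a string and print the ciphertext. The result is gpg's stdout;
# stderr goes to a temporary file so error text never ends up inside
# the "ciphertext". Returns gpg's exit status, which the caller must
# check before trusting the output.
#   usage: ct=$(gpg_encrypt_string "this is a test message" 0xDEADBEEF) || exit 1
gpg_encrypt_string() {
  plaintext=$1
  recipient=$2
  errfile=$(mktemp) || return 1
  ciphertext=$(printf '%s' "$plaintext" | gpg_encrypt_stream "$recipient" 2>"$errfile")
  status=$?
  if [ "$status" -ne 0 ]; then
    echo "gpg failed (exit $status): $(cat "$errfile")" >&2
  else
    printf '%s\n' "$ciphertext"
  fi
  rm -f "$errfile"
  return "$status"
}

# Cheap sanity check that a captured result really is an armored
# OpenPGP message and not, say, an empty string or a stray diagnostic.
is_armored_pgp_message() {
  case "$1" in
    "-----BEGIN PGP MESSAGE-----"*) return 0 ;;
    *) return 1 ;;
  esac
}
```

The exit status matters as much as the output: gpg reports an unknown recipient or an untrusted key on stderr with a non-zero status while writing nothing to stdout, so a caller that only looks at the captured text would silently send an empty "ciphertext".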


re: how encrypt data/text stream instead of a file?

2011-06-27 Thread Doc Webb
Sorry if I am out of line contacting you by email but I didn't see any other
way to ask a question.
 
I am a newbie Perl programmer and I want to pipe plain text to GPG and have
it return the text encrypted.
 
I have read quite a few articles and came up with this chunk of code on my
own BUT it doesn't work and I was wondering if you can tell me what I am
doing wrong...
 
    my $public_key = "nameofpublickey";
    my $plain_text = "this is a test message";
    my $gpg_command = '/usr/local/bin/gpg';
    open (GPGCOMMAND, "|$gpg_command");
    my $encrypted_text = print GPGCOMMAND $plain_text | '$gpg_command -ea -r $public_key';
    close (GPGCOMMAND);
    print "encrypted text=$encrypted_text";
 
It prints: encrypted text=1
 
What am I doing wrong?
 
Doc
 


gpg-agent asks for ssh passphrase, although the private key has no passphrase set

2011-06-27 Thread gitter
I am using gpg-agent to manage my one and only ssh key. I generate my (private) 
ssh key via openpgp2ssh from my private gpg key. Unfortunately, although my 
private gpg key is not password protected, gpg-agent asks me for a passphrase 
(via a nice X dialog) before I ssh to my server. Entering nothing works fine, 
and I can connect to the server.

~$ eval "$(gpg-agent --enable-ssh-support --daemon)"
~$ gpg2 --export-secret-keys | openpgp2ssh | ssh-add /dev/stdin
Identity added: /dev/stdin (/dev/stdin)
~$ ssh m...@myserver.con
...

Is there any way I can disable this needless dialog? I am running GNU/Linux; 
Debian 6; x86_64 - gpg-agent 2.0.14



Re: DH Key

2011-06-27 Thread Lane Brooks

On 06/23/2011 02:05 PM, Robert J. Hansen wrote:
> On Thu, 23 Jun 2011 09:11:37 -0600, Lane Brooks  wrote:
>> I need to generate a 2048-bit PGP version 6.5.3 or later and of the type
>> DH/DSS public key.
>
> For reasons I've never been able to understand, PGP insists on calling
> Elgamal "Diffie-Hellman," and insists on calling the Digital Signature
> Algorithm ("DSA") the Digital Signature Standard ("DSS").
>
> What PGP calls a DH/DSS key is really a DSA-and-Elgamal key.
>
> Hope this helps!

Thanks for the reply. I don't know if a lot of people face this issue, 
but if so, I would recommend putting it in the FAQ. It would supplement 
the question about PGP that is already in there. This is exactly what I 
needed to know.


Thanks,
Lane



[no subject]

2011-06-27 Thread gitter
I am using gpg-agent to manage my github ssh key. I generate my (private) ssh 
key via openpgp2ssh from my private gpg key. Unfortunately, although my private 
gpg key is not password protected, gpg-agent asks me for a password (via a nice 
X dialog) before I ssh to github. Entering nothing works fine, and I can 
connect to github.

~$ eval "$(gpg-agent --enable-ssh-support --daemon)"
~$ gpg2 --export-secret-keys | openpgp2ssh | ssh-add /dev/stdin
Identity added: /dev/stdin (/dev/stdin)
~$ ssh g...@github.com
PTY allocation request failed on channel 0
Hi xxx! You've successfully authenticated, but GitHub does not provide shell 
access. Connection to github.com closed.

Is there any way I can disable this needless dialog?  I am running GNU/Linux; 
Debian 6; x86_64 - gpg-agent 2.0.14
