Re: [Announce] GnuPG 2.0.18 released
On Thu, 4 Aug 2011 23:36, thaj...@gmail.com said:

> any version of the 2.x branch. I do not need GPG4WIN and can not
> understand why the same thing has not been compiled like the version
> 1.x branch.

Gpg4win is the official binary distribution of GnuPG. Use the light installer and you are done. It is far too much work to have an ultralight installer.

Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
[Thoughts are free.  Exceptions are regulated by a federal law.]

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Card only available to root user
On Fri, 5 Aug 2011 01:49, l...@debethencourt.com said:

> luisbg@atlas ~ $ gpg --card-status
> gpg: selecting openpgp failed: Unsupported certificate

What kind of reader are you using?

> luisbg@atlas ~ $ gpg-agent --server gpg-connect-agent

Now that is a strange command. The gpg-connect-agent argument is simply ignored. What you do is to start a new gpg-agent in --server mode, that is without it listening on a socket but connected to the tty.

You should first start gpg-agent after checking that no other one is running. For testing I do it this way:

  $ gpg-agent --daemon sh

This creates a new shell and if you terminate this shell (exit) the gpg-agent will terminate as well after a few seconds. Then use

  $ gpg-connect-agent
  SCD SERIALNO
  BYE

or

  $ gpg-connect-agent 'SCD SERIALNO' /bye

or to get all info from the card

  $ gpg-connect-agent 'scd learn --force' /bye

My guess at your problem is that there is another gpg-agent running which has the scdaemon open. The one you started under root?

To debug this you should put these lines into scdaemon.conf:

  log-file /foo/bar/scd.log
  debug 2049
  debug-ccid-driver
  verbose

Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
[Thoughts are free.  Exceptions are regulated by a federal law.]
Re: [Announce] GnuPG 2.0.18 released
On Thu, 4 Aug 2011 23:32, do...@dougbarton.us said:

> comments/questions. First, would it be possible to have a run-time
> option not to display the fingerprints? I think it's an interesting
> idea, but not particularly useful to me as I don't already have them
> memorized. :)

No. The fingerprint is required for the confirm option (ssh-add -c or the confirm flag in sshcontrol) because ssh-agent displays the same information.

> The other question is about the display of the path to the key (which
> for me actually is relevant since it tells me what password I need to
> type). I have several keys, and so far for one it displays the path in
> the ()s, but for one of my others it does not. How would I debug this?

Ssh-add should send the comment from the key via the ssh-agent protocol. However for PEM encoded keys it uses the filename instead. I am not sure why it does that:

    prv = key_load_private_pem(fd, KEY_UNSPEC, passphrase, NULL);
    /* use the filename as a comment for PEM */
    if (commentp && prv)
        *commentp = xstrdup(filename);

You may change the comment by editing the corresponding file in ~/.gnupg/private-keys-v1.d/ like this:

  $ /usr/local/libexec/gpg-protect-tool \
        8147AB71CC2CB61C56A3E3F9C9F0A2A656B38AF8.key
  (protected-private-key
   (dsa
    [...]
    (protected-at 20110720T142801)
    )
   (comment foo_dsa)
   )

Save the output to a file and change the value of the comment field. It is best to put the value into quotes: (comment "this is my comment"). Then save the output under the same name. It doesn't matter that it is now in advanced representation. However if you would like to store it in canonical format, you may pipe it through

  $ /usr/local/libexec/gpg-protect-tool --canonical

So now, how to find the name of the file. The name is the so-called keygrip and not the fingerprint. To translate them you may look at a listing of all files in private-keys-v1.d:

  $ gpg-connect-agent 'keyinfo --list --ssh-fpr' /bye
  [...]
  S KEYINFO 8147AB71CC2CB61C56A3E3F9C9F0A2A656B38AF8 \
    D - - - P 2d:b1:70:1a:04:9e:41:a3:ce:27:a5:c7:22:fe:3a:a3
  [...]
  OK

[I used the backslash to split the long line just for this mail]

You see a lot of these lines. The important information is the 7th field after KEYINFO; it is the ssh fingerprint. You may simply grep for it. The 1st field is the keygrip. Append a .key and you have the filename you are looking for. Note that with 2.0.18 you will see a '-' instead of the 'P' flag.

To see the help string for the keyinfo command you may use

  $ gpg-connect-agent 'help keyinfo' /bye

Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
[Thoughts are free.  Exceptions are regulated by a federal law.]
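The two steps Werner describes (map the ssh fingerprint from the keyinfo listing to the <keygrip>.key file name, then replace the (comment ...) entry in the advanced S-expression that gpg-protect-tool prints) as an added Python example. This is not code from the original mail or from GnuPG. The KEYINFO lines and the key S-expression below are constructed after the ones quoted above and abbreviated; the parser assumes the advanced (plain-text) representation, with tokens of the #hex#, "quoted string" or bare-atom form, and does not handle length-prefixed raw tokens such as 3:abc.

```python
"""Find a private-key file by ssh fingerprint and rewrite its comment.

Added example after the gnupg-users mail above; not GnuPG code.  It assumes
the 2.0.x KEYINFO field layout quoted in the mail (field 1 after KEYINFO is
the keygrip, field 7 the ssh fingerprint) and the advanced S-expression
format printed by gpg-protect-tool.
"""
import re

# Constructed listing in the shape of `gpg-connect-agent 'keyinfo --list --ssh-fpr' /bye`.
SAMPLE_KEYINFO = """\
S KEYINFO 8147AB71CC2CB61C56A3E3F9C9F0A2A656B38AF8 D - - - P 2d:b1:70:1a:04:9e:41:a3:ce:27:a5:c7:22:fe:3a:a3
S KEYINFO 0000000000000000000000000000000000000001 D - - - - 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00
OK
"""

# Constructed, abbreviated key file in the advanced representation (the real
# file carries the full DSA parameters and the protected secret part).
SAMPLE_KEY = """\
(protected-private-key
 (dsa
  (p #00C0FFEE#)
  (protected-at 20110720T142801)
  )
 (comment foo_dsa)
 )
"""


def keyfile_for_ssh_fpr(listing, ssh_fpr):
    """Return '<keygrip>.key' for the KEYINFO line whose ssh fingerprint matches, else None."""
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[:2] != ["S", "KEYINFO"]:
            continue
        keygrip, fpr = fields[2], fields[8]   # fields 1 and 7 after KEYINFO
        if fpr.lower() == ssh_fpr.lower():
            return keygrip + ".key"
    return None


# Advanced-format tokens: parens, "quoted strings" with backslash escapes, bare atoms (#hex#, |b64|, words).
_TOKEN = re.compile(r'\(|\)|"(?:[^"\\]|\\.)*"|[^\s()"]+')


def parse_sexp(text):
    """Parse one balanced S-expression into nested Python lists of token strings."""
    stack = [[]]
    for tok in _TOKEN.findall(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok)
    if len(stack) != 1 or len(stack[0]) != 1:
        raise ValueError("expected exactly one balanced S-expression")
    return stack[0][0]


def dump_sexp(node):
    """Serialize back to the advanced representation (one line; gpg-protect-tool accepts it)."""
    if isinstance(node, list):
        return "(" + " ".join(dump_sexp(n) for n in node) + ")"
    return node


def quote_atom(value):
    """Quote a comment the way Werner recommends, escaping backslashes and quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def unquote_atom(tok):
    if len(tok) >= 2 and tok[0] == '"' and tok[-1] == '"':
        return re.sub(r"\\(.)", r"\1", tok[1:-1])
    return tok


def _comment_index(tree):
    for i, item in enumerate(tree):
        if isinstance(item, list) and item and item[0] == "comment":
            return i
    return None


def get_comment(sexp_text):
    """Return the comment of a protected-private-key S-expression, or None if it has none."""
    tree = parse_sexp(sexp_text)
    i = _comment_index(tree)
    if i is None or len(tree[i]) < 2:
        return None
    return unquote_atom(tree[i][1])


def set_comment(sexp_text, new_comment):
    """Replace (or add) the top-level (comment ...) entry and return the rewritten key text."""
    tree = parse_sexp(sexp_text)
    if not isinstance(tree, list) or not tree or tree[0] != "protected-private-key":
        raise ValueError("not a protected-private-key S-expression")
    entry = ["comment", quote_atom(new_comment)]
    i = _comment_index(tree)
    if i is None:
        tree.append(entry)
    else:
        tree[i] = entry
    return dump_sexp(tree)


if __name__ == "__main__":
    fpr = "2d:b1:70:1a:04:9e:41:a3:ce:27:a5:c7:22:fe:3a:a3"
    print(keyfile_for_ssh_fpr(SAMPLE_KEYINFO, fpr))
    print(set_comment(SAMPLE_KEY, "this is my comment"))
```

Write the result of set_comment over the original file name under ~/.gnupg/private-keys-v1.d/ (after a backup), and keep the file mode 0600; the agent reads the advanced form as-is, and gpg-protect-tool --canonical can convert it later if you want the canonical encoding back.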
Re: Card only available to root user
On Fri, Aug 05, 2011 at 09:32:35AM +0200, Werner Koch wrote:
> On Fri, 5 Aug 2011 01:49, l...@debethencourt.com said:
>
> > luisbg@atlas ~ $ gpg --card-status
> > gpg: selecting openpgp failed: Unsupported certificate
>
> What kind of reader are you using?
>
> > luisbg@atlas ~ $ gpg-agent --server gpg-connect-agent
>
> Now that is a strange command. The gpg-connect-agent argument is simply
> ignored. What you do is to start a new gpg-agent in --server mode, that
> is without it listening on a socket but connected to the tty.
>
> You should first start gpg-agent after checking that no other one is
> running. For testing I do it this way:
>
>   $ gpg-agent --daemon sh
>
> This creates a new shell and if you terminate this shell (exit) the
> gpg-agent will terminate as well after a few seconds. Then use
>
>   $ gpg-connect-agent
>   SCD SERIALNO
>   BYE
>
> or
>
>   $ gpg-connect-agent 'SCD SERIALNO' /bye
>
> or to get all info from the card
>
>   $ gpg-connect-agent 'scd learn --force' /bye

When I do it as you say I get:

  gpg-connect-agent 'scd learn --force' /bye
  ERR 103 unknown command

I always get that 'unknown command' error in all the variations you explained. But it works when I do it through gpg-agent --server.

> My guess at your problem is that there is another gpg-agent running
> which has the scdaemon open. The one you started under root?

It looks like every time I do gpg --card-status it spawns a new scdaemon. After the card information you can see the following line:

  scdaemon[7684]: scdaemon (GnuPG) 2.0.17 stopped

and ps doesn't show any scdaemon running after that.

> To debug this you should put these lines into scdaemon.conf:
>
>   log-file /foo/bar/scd.log
>   debug 2049
>   debug-ccid-driver
>   verbose
>
> Salam-Shalom,
>
>    Werner
>
> --
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
> [Thoughts are free.  Exceptions are regulated by a federal law.]

Thanks for the help,
Luis
Re: Card only available to root user
On Fri, Aug 05, 2011 at 10:25:33AM +0200, Luis de Bethencourt wrote:
> On Fri, Aug 05, 2011 at 09:32:35AM +0200, Werner Koch wrote:
> > On Fri, 5 Aug 2011 01:49, l...@debethencourt.com said:
> >
> > > luisbg@atlas ~ $ gpg --card-status
> > > gpg: selecting openpgp failed: Unsupported certificate
> >
> > What kind of reader are you using?

Missed this question the first time around... It is a SCM Microsystems SCR 335.

> > > luisbg@atlas ~ $ gpg-agent --server gpg-connect-agent
> >
> > Now that is a strange command. The gpg-connect-agent argument is simply
> > ignored. What you do is to start a new gpg-agent in --server mode, that
> > is without it listening on a socket but connected to the tty.
> >
> > You should first start gpg-agent after checking that no other one is
> > running. For testing I do it this way:
> >
> >   $ gpg-agent --daemon sh
> >
> > This creates a new shell and if you terminate this shell (exit) the
> > gpg-agent will terminate as well after a few seconds. Then use
> >
> >   $ gpg-connect-agent
> >   SCD SERIALNO
> >   BYE
> >
> > or
> >
> >   $ gpg-connect-agent 'SCD SERIALNO' /bye
> >
> > or to get all info from the card
> >
> >   $ gpg-connect-agent 'scd learn --force' /bye
>
> When I do it as you say I get:
>
>   gpg-connect-agent 'scd learn --force' /bye
>   ERR 103 unknown command
>
> I always get that 'unknown command' error in all the variations you
> explained. But it works when I do it through gpg-agent --server.
>
> > My guess at your problem is that there is another gpg-agent running
> > which has the scdaemon open. The one you started under root?
>
> It looks like every time I do gpg --card-status it spawns a new
> scdaemon. After the card information you can see the following line:
>
>   scdaemon[7684]: scdaemon (GnuPG) 2.0.17 stopped
>
> and ps doesn't show any scdaemon running after that.
>
> > To debug this you should put these lines into scdaemon.conf:
> >
> >   log-file /foo/bar/scd.log
> >   debug 2049
> >   debug-ccid-driver
> >   verbose

I've created this conf file both in my home and root's. When I run gpg --card-status as my user, there is no file created. But when I run it in root it does create this file.

Is this confirmation that when running as root scdaemon is being spawned but when running as user it can't use scdaemon?

I can paste the content of that log file if you want it. Asking before doing so since it's a bit lengthy.

Thanks for all the help,
Luis

> > Salam-Shalom,
> >
> >    Werner
> >
> > --
> > Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
> > [Thoughts are free.  Exceptions are regulated by a federal law.]
>
> Thanks for the help,
> Luis
Re: Card only available to root user
On 05/08/11 03:02, Luis de Bethencourt wrote:
> device in debian:
> crw-rw-r--+ 1 root root 189, 516 2011-08-05 00:46 /dev/bus/usb/005/005
>
> device in gentoo:
> crw-rw-r-- 1 root pcscd 189, 395 Aug 5 02:56 /dev/bus/usb/004/012
>
> my user is part of the pcscd group. I just checked.

Look closely at the permissions for Debian. It has a plus-sign. This means there is an ACL. Probably ConsoleKit is adding you to the ACL when you log in. You can get the ACL with getfacl. Here is the output from my box:

  peter@tweek:~$ getfacl /dev/bus/usb/008/004
  getfacl: Removing leading '/' from absolute path names
  # file: dev/bus/usb/008/004
  # owner: root
  # group: pcscd
  user::rw-
  user:peter:rw-
  group::rw-
  mask::rw-
  other::r--

Note how user peter has read/write as well.

However, I've been fighting with access rights to the cardreader as well, so please don't take this as correct. In fact, the whole pcscd group business stopped working for me at some point, oddly enough. Some Debian update conflicted with my own tinkering in udev.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
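The access decision behind the plus-sign and the getfacl listing in Peter's message, as an added Python example that is not part of his mail or of the acl package: it parses getfacl output and applies the POSIX.1e evaluation order (owner, then named users, then owning and named groups, then other), including the mask entry, which silently caps every named-user and group entry and is the usual reason a user who appears in an ACL still cannot open the reader read/write. The ACL text is constructed after Peter's listing (the second variant with a restrictive mask is invented to show the caveat), and the user's group memberships are passed in by the caller rather than looked up on the system.

```python
"""Evaluate a device-node ACL from getfacl output.

Added example after the gnupg-users mail above; not code from the mail or
from the acl tools.  Group membership is supplied by the caller (assumption:
the caller knows the user's groups, e.g. from `id -Gn`).
"""
import re

# Constructed after the listing in the mail: ConsoleKit-style ACL on a reader.
SAMPLE_GETFACL = """\
# file: dev/bus/usb/008/004
# owner: root
# group: pcscd
user::rw-
user:peter:rw-
group::rw-
mask::rw-
other::r--
"""

# Constructed variant with a restrictive mask; getfacl then annotates the
# entries the mask cuts down with "#effective:".
SAMPLE_GETFACL_MASKED = """\
# file: dev/bus/usb/008/004
# owner: root
# group: pcscd
user::rw-
user:peter:rw-\t\t#effective:r--
group::rw-\t\t#effective:r--
mask::r--
other::r--
"""


def _perm_set(field):
    """'rw-' -> {'r', 'w'}; dashes and whitespace are ignored."""
    return {c for c in field if c in "rwx"}


def parse_getfacl(text):
    """Parse one getfacl listing into its ACL classes."""
    acl = {"owner": None, "group": None, "user_obj": set(), "group_obj": set(),
           "named_user": {}, "named_group": {}, "mask": None, "other": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*(owner|group):\s*(\S+)", line)
            if m:
                acl[m.group(1)] = m.group(2)
            continue
        tag, qualifier, rest = line.split(":", 2)
        perms = _perm_set(rest.split("#", 1)[0])   # drop "#effective:..." annotations
        if tag == "user":
            if qualifier:
                acl["named_user"][qualifier] = perms
            else:
                acl["user_obj"] = perms
        elif tag == "group":
            if qualifier:
                acl["named_group"][qualifier] = perms
            else:
                acl["group_obj"] = perms
        elif tag == "mask":
            acl["mask"] = perms
        elif tag == "other":
            acl["other"] = perms
        else:
            raise ValueError("unknown ACL entry: " + raw)
    return acl


def can_access(acl, user, groups, wanted):
    """POSIX.1e check: the first matching class decides; the mask caps named
    users and every group entry, but not the owner or 'other'."""
    wanted, groups, mask = set(wanted), set(groups), acl["mask"]

    def masked(p):
        return p & mask if mask is not None else p

    if user == acl["owner"]:
        return wanted <= acl["user_obj"]
    if user in acl["named_user"]:
        return wanted <= masked(acl["named_user"][user])
    candidates = []
    if acl["group"] in groups:
        candidates.append(acl["group_obj"])
    candidates += [p for g, p in acl["named_group"].items() if g in groups]
    if candidates:
        # any matching group entry that grants everything requested is enough;
        # if some group entry matches but none grants, 'other' is NOT consulted
        return any(wanted <= masked(p) for p in candidates)
    return wanted <= acl["other"]


def can_open_rw(getfacl_text, user, groups):
    """Convenience wrapper: can `user` open the node read/write (what scdaemon needs)?"""
    return can_access(parse_getfacl(getfacl_text), user, groups, "rw")


if __name__ == "__main__":
    for who, grps in (("peter", ["peter"]), ("luisbg", ["luisbg"]), ("luisbg", ["luisbg", "pcscd"])):
        print(who, grps, can_open_rw(SAMPLE_GETFACL, who, grps), can_open_rw(SAMPLE_GETFACL_MASKED, who, grps))
```

On a box where the reader works only for root, run getfacl on the /dev/bus/usb node that lsusb reports for the reader and feed the listing to parse_getfacl with your own user and groups; a mask line below rw- explains an "in the ACL but still denied" result, and no named-user line at all points at the session manager (ConsoleKit here) not having added you.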
Re: Card only available to root user
On Fri, 5 Aug 2011 10:31, l...@debethencourt.com said:

> Missed this question the first time around... It is a SCM Microsystems
> SCR 335.

Well that one works. It even works fine with the scdaemon internal driver, thus try after stopping pcscd.

> When I do it as you say I get:
>
>   gpg-connect-agent 'scd learn --force' /bye
>   ERR 103 unknown command
>
> I always get that 'unknown command' error in all the variations you
> explained.

Please run

  gpg-connect-agent 'getinfo version' /bye

and

  gpg-connect-agent 'scd getinfo version' /bye

> I've created this conf file both in my home and root's.

Well under ~/.gnupg/ of course.

> When I run gpg --card-status as my user, there is no file created.

Is this really gpg2 (check using gpg --version)?

> But when I run it in root it does create this file.

That smells like a file permission problem.

> Is this confirmation that when running as root scdaemon is being
> spawned but when running as user it can't use scdaemon?

No.

> I can paste the content of that log file if you want it. Asking before
> doing so since it's a bit lengthy.

Please send by private mail. Note that this may reveal PINs if you entered one.

Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
[Thoughts are free.  Exceptions are regulated by a federal law.]
Re: Card only available to root user
On Thu, Aug 04, 2011 at 11:25:36PM +0200, Luis de Bethencourt wrote:
> Hi everybody and thanks for the help.
>
> I recently upgraded my GnuPG setup with a Smart Card (GnuPG Card v2).
> I can get/set the information of the card through the root user, but
> this is not good for everyday use. I think I have pinpointed the
> problem, scdaemon in my machine doesn't like anybody but root.
>
> Here is a paste of a few commands to show the problem:
>
> luisbg@atlas ~ $ gpg --card-status
> gpg: selecting openpgp failed: Unsupported certificate
> gpg: OpenPGP card not available: Unsupported certificate
>
> luisbg@atlas ~ $ sudo gpg --card-status
> scdaemon[31077]: reading public key failed: Missing item in object
> scdaemon[31077]: reading public key failed: Missing item in object
> Application ID ...: D2760001240102050CC9
> Version ..........: 2.0
> Manufacturer .....: ZeitControl
> Serial number ....: 0CC9
> Name of cardholder: Luis de Bethencourt
> Language prefs ...: en
> Sex ..............: male
> URL of public key : http://people.collabora.com/~luisbg/gpg_pub_key_873B518D
> Login data .......: luisbg
> Signature PIN ....: not forced
> Key attributes ...: 2048R 2048R 2048R
> Max. PIN lengths .: 32 32 32
> PIN retry counter : 3 0 3
> Signature counter : 2
> Signature key ....: 3F4A 28A6 568A CD30 480A F9EB 6BBF 9F19 873B 518D
>       created ....: 2011-07-26 12:22:00
> Encryption key....: [none]
> Authentication key: [none]
> General key info..: [none]
> scdaemon[31077]: updating slot 0 status: 0x-0x0007 (0-1)
>
> luisbg@atlas ~ $ gpg-agent --server gpg-connect-agent
> OK Pleased to meet you
> SCD LEARN
> S SERIALNO D2760001240102050CC9 0
> INQUIRE KNOWNCARDP D2760001240102050CC9 0
> scdaemon[31088]: updating slot 0 status: 0x-0x0007 (0-1)
>
> Notice how I can check the status as root, and do SCD Learn as my
> user. But not check the status as my user (or sign my mails, which is
> the main problem).
>
> Also pcsc_scan works with my user, it shows the Serial number of the
> card.
>
> If it helps, I'm running gentoo with:
>
> gpg (GnuPG) 2.0.17
> scdaemon (GnuPG) 2.0.17
> pcsc-lite version 1.7.2
> gpg-agent (GnuPG) 2.0.17
>
> luisbg@atlas ~ $ gpgconf
> gpg:GPG for OpenPGP:/usr/bin/gpg2
> gpg-agent:GPG Agent:/usr/bin/gpg-agent
> scdaemon:Smartcard Daemon:/usr/bin/scdaemon
> gpgsm:GPG for S/MIME:/usr/bin/gpgsm
> dirmngr:Directory Manager:/usr/bin/dirmngr
>
> Thanks a million for the help,
> Luis

By the way, I should mention I have replicated this issue in my two gentoo-based machines. But then got the card and reader working very easily in another machine which runs debian. So the hardware is OK.

Unfortunately for this case, my laptop is one of the gentoo machines, and that is the machine I will make more use of the card.

Thanks,
Luis
Card only available to root user
Hi everybody and thanks for the help.

I recently upgraded my GnuPG setup with a Smart Card (GnuPG Card v2). I can get/set the information of the card through the root user, but this is not good for everyday use. I think I have pinpointed the problem, scdaemon in my machine doesn't like anybody but root.

Here is a paste of a few commands to show the problem:

luisbg@atlas ~ $ gpg --card-status
gpg: selecting openpgp failed: Unsupported certificate
gpg: OpenPGP card not available: Unsupported certificate

luisbg@atlas ~ $ sudo gpg --card-status
scdaemon[31077]: reading public key failed: Missing item in object
scdaemon[31077]: reading public key failed: Missing item in object
Application ID ...: D2760001240102050CC9
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 0CC9
Name of cardholder: Luis de Bethencourt
Language prefs ...: en
Sex ..............: male
URL of public key : http://people.collabora.com/~luisbg/gpg_pub_key_873B518D
Login data .......: luisbg
Signature PIN ....: not forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 2
Signature key ....: 3F4A 28A6 568A CD30 480A F9EB 6BBF 9F19 873B 518D
      created ....: 2011-07-26 12:22:00
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
scdaemon[31077]: updating slot 0 status: 0x-0x0007 (0-1)

luisbg@atlas ~ $ gpg-agent --server gpg-connect-agent
OK Pleased to meet you
SCD LEARN
S SERIALNO D2760001240102050CC9 0
INQUIRE KNOWNCARDP D2760001240102050CC9 0
scdaemon[31088]: updating slot 0 status: 0x-0x0007 (0-1)

Notice how I can check the status as root, and do SCD Learn as my user. But not check the status as my user (or sign my mails, which is the main problem).

Also pcsc_scan works with my user, it shows the Serial number of the card.

If it helps, I'm running gentoo with:

gpg (GnuPG) 2.0.17
scdaemon (GnuPG) 2.0.17
pcsc-lite version 1.7.2
gpg-agent (GnuPG) 2.0.17

luisbg@atlas ~ $ gpgconf
gpg:GPG for OpenPGP:/usr/bin/gpg2
gpg-agent:GPG Agent:/usr/bin/gpg-agent
scdaemon:Smartcard Daemon:/usr/bin/scdaemon
gpgsm:GPG for S/MIME:/usr/bin/gpgsm
dirmngr:Directory Manager:/usr/bin/dirmngr

Thanks a million for the help,
Luis