Re: What's the contextual definition of the term?... signature

2016-01-28 Thread Samir Nassar
On Wednesday 27 January 2016 21:08:43 Don Saklad wrote:
> What's the contextual definition of the term?... signature
> as this term is used for GNUpg

A signature, also known as a "John Hancock":

https://commons.wikimedia.org/wiki/File:JohnHancocksSignature.svg

-- 
Samir Nassar
sa...@samirnassar.com


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: AW: Key generation with GPGME and GnuPG hangs at gpgme_op_genkey

2016-01-28 Thread Werner Koch
On Thu, 28 Jan 2016 11:54, r...@sixdemonbag.org said:

> The GnuPG developers have historically been unwilling to provide GPGME
> under any terms except the GPL.  If you need an LGPLed GPGME, you're out
> of luck.

That is right for GnuPG but not for GPGME.  From gpgme/AUTHORS:

 License (software): LGPLv2.1+
 License (manual+tools): GPLv3+

and from a decade old release note:

Noteworthy changes in version 1.0.2 (2004-12-28)


 * Changed the license of the library to the GNU Lesser General Public
   License (LGPL), version 2.1 or later.


BTW: A C++ language binding for GPGME is available from KDE.  IIRC, this
has no Qt or KDE dependencies.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: BAD signatures for GnuPG Stable

2016-01-28 Thread Aaron Tovo
Probably. Although I did get a failure when using both parameters, but
it was a different error message.

$ gpg --verify  libgpg-error-1.21.tar.bz2.sig libgpg-error-1.21\(1\).tar.bz2
gpg: can't open `libgpg-error-1.21.tar.bz2.sig'
gpg: verify signatures failed: file open error

But I was also renaming files and trying a lot of different things and I
may well have made a mistake in all of that.

Anyway thanks for your help people. I'm on my way. :)

Aaron

On 01/28/2016 10:00 AM, Peter Lebbing wrote:
> On 2016-01-28 16:31, Aaron Tovo wrote:
>> I did file diffs between the new and the previous
>> downloads with 'diff' and they are identical. So I tried verify on the
>> previous download and it worked this time. Very confusing.
>
> My guess is that sharp-eyed Damien Goutte-Gattat was correct and you
> were accidentally verifying your first, corrupt download instead of
> your new one the previous time.
>
> I'm glad that you've finally got a hold of the correct file :).
>
> Peter.
>




Re: Problems with 4096 keys on 2.1 card

2016-01-28 Thread Werner Koch
On Wed, 27 Jan 2016 23:39, list.gnupg-us...@acme.nu said:

> $ gpg-connect-agent -v
> gpg-connect-agent: connection to agent established
>> SCD GETINFO version
> ERR 103 unknown command

You are not running the GnuPG gpg-agent.  Very likely the
gnome-keyring-daemon has hijacked the socket gpg uses to talk to
gpg-agent.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: What's the contextual definition of the term?... signature

2016-01-28 Thread Francesco Ariis
On Wed, Jan 27, 2016 at 09:08:43PM -0500, Don Saklad wrote:
> What's the contextual definition of the term?... signature
> as this term is used for GNUpg

Since you have only received (not so) funny answers: a signature, in
PGP, serves more or less the same purpose as a handwritten one.

Most of the time it will mean "I am the author of this (email|document|
article)" but not always -- as with a handwritten one, it could
be used within a contract, etc.

If you have the public key of person A, you can verify with PGP his
signature, so you will be sure the document you received has not been
tampered with.



Re: BAD signatures for GnuPG Stable

2016-01-28 Thread Peter Lebbing

On 2016-01-28 16:31, Aaron Tovo wrote:
> I did file diffs between the new and the previous
> downloads with 'diff' and they are identical. So I tried verify on the
> previous download and it worked this time. Very confusing.


My guess is that sharp-eyed Damien Goutte-Gattat was correct and you 
were accidentally verifying your first, corrupt download instead of your 
new one the previous time.


I'm glad that you've finally got a hold of the correct file :).

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: AW: Key generation with GPGME and GnuPG hangs at gpgme_op_genkey

2016-01-28 Thread Robert J. Hansen
> That is right for GnuPG but not for GPGME.  From gpgme/AUTHORS:

Really?  I thought GPGME had a dependency on libgpg-error, and the
COPYING file for that is clearly GPLv2.



Re: BAD signatures for GnuPG Stable

2016-01-28 Thread Ingo Klöcker
On Thursday 28 January 2016 09:31:31 Aaron Tovo wrote:
> Thanks for the info.
> 
> Today I re-downloaded the .bz2 and .sig. And the verification worked
> (see output below). I did file diffs between the new and the previous
> downloads with 'diff' and they are identical. So I tried verify on the
> previous download and it worked this time. Very confusing.

I had a similarly confusing incident with some FLAC files intermittently
being logged as corrupted by vlc. It turned out that I had bad RAM that
led to subtle differences in the files if they happened to be put onto
the bad RAM by the kernel's file cache.

Long story short, I suggest that you check your RAM.


Regards,
Ingo




Re: AW: Key generation with GPGME and GnuPG hangs at gpgme_op_genkey

2016-01-28 Thread Werner Koch
On Thu, 28 Jan 2016 20:15, r...@sixdemonbag.org said:

> Really?  I thought GPGME had a dependency on libgpg-error, and the
> COPYING file for that is clearly GPLv2.

That is just a file.  COPYING describes the licence used for the manual
and the tools.  COPYING.LIB describes the license for the library itself
(LGPLv2.1+).  AUTHORS and gpg-error.h also show that it is LGPLv2.1+.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




RE: BAD signatures for GnuPG Stable

2016-01-28 Thread Steve Butler
Did you say this was on a VM?  We've had corrupted files with 'cp' from one 
file system to another on a VM box if it decided to do a vmotion while the copy 
was in progress.

Just remember -- "To err is human, but to really foul things up you need a
computer." (Paul Ehrlich)


-Original Message-
From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On Behalf Of Ingo 
Klöcker
Sent: Thursday, January 28, 2016 11:52 AM
To: gnupg-users@gnupg.org
Subject: Re: BAD signatures for GnuPG Stable

On Thursday 28 January 2016 09:31:31 Aaron Tovo wrote:
> Thanks for the info.
> 
> Today I re-downloaded the .bz2 and .sig. And the verification worked 
> (see output below). I did file diffs between the new and the previous 
> downloads with 'diff' and they are identical. So I tried verify on the 
> previous download and it worked this time. Very confusing.

I had a similarly confusing incident with some FLAC files intermittently being
logged as corrupted by vlc. It turned out that I had bad RAM that led to
subtle differences in the files if they happened to be put onto the bad RAM by
the kernel's file cache.

Long story short, I suggest that you check your RAM.


Regards,
Ingo



Re: BAD signatures for GnuPG Stable

2016-01-28 Thread Damien Goutte-Gattat

On 01/28/2016 06:12 AM, Aaron Tovo wrote:
> I downloaded libgpg-error-1.21.tar.bz2 again today and it has the
> correct size (763186)
>
> -rw-rw-r--  1 aaron aaron  763186 Jan 27 22:53 libgpg-error-1.21(1).tar.bz2
>
> I re-downloaded sig file and it still fails the gpg --verify test.


Is the old libgpg-error-1.21.tar.bz2 (the one you downloaded before, 
with the wrong size) still present in the same directory? (I assume it 
is, based on the '(1)' suffix that has been appended to the new file you 
have just downloaded.)


If that's the case, what happens when you call gpg like this:

  $ gpg --verify libgpg-error-1.21.tar.bz2.sig

is that gpg will assume the signed file to verify is
libgpg-error-1.21.tar.bz2. (Recent versions of GnuPG print a warning in
situations like this, but older versions are silent about that assumption.)


Either get rid of the old file, or explicitly tell gpg which file it
should verify:


  $ gpg --verify libgpg-error-1.21.tar.bz2.sig 'libgpg-error-1.21(1).tar.bz2'





AW: AW: Key generation with GPGME and GnuPG hangs at gpgme_op_genkey

2016-01-28 Thread Sandra Schreiner
>From Werner: "gpg2 can't use [custom passphrase handlers] as [using
>gpg-]agent is a hard requirement.  The only reason for keeping the
>passphrase callback is for symmetric encryption."

I guess I'm in real trouble now. The reason for this is a bit complex. My
encryption class is part of a framework, which shall be used on different
platforms. Therefore my own 'GPGME wrapper' (and the framework as a whole)
should be available in C++ and Java. Before I started with my
implementation I found this
https://github.com/smartrevolution/gnupg-for-java
wrapper of GPGME for Java (so I thought it should be generally possible to
use GnuPG/GPGME in Java). But we decided to not use the existing wrapper,
because it is old, (seems) unmaintained and we would like to have simpler
interfaces and one solution for both, the C++ and Java world. Means: we
just want to provide the simple and small interface in C++ and wrap this
with JNI for Java. So the problem boils down to this question: What would
happen if my class would be called by an Android application? Would the
pinentry provided by GnuPG work in this case?



AW: Key generation with GPGME and GnuPG hangs at gpgme_op_genkey

2016-01-28 Thread Robert J. Hansen
> I guess I'm in real trouble now.

Maybe less than you think!

> But we decided to not use the existing wrapper, because it is old,
> (seems) unmaintained and we would like to have simpler interfaces and
> one solution for both, the C++ and Java world. Means: we just want to
> provide the simple and small interface in C++ and wrap this with JNI
> for Java.

Already been done for you.  The guys at the Guardian Project maintain
the official Java-GPGME bindings, *and* they're in production use on
Android.

https://github.com/guardianproject/gnupg-for-java

There was some talk on this list a few months ago about getting some
important patches in there, but looking over the Git log they seem to
have not yet been applied.

Antony Prince was the guy updating Guardian Project's code.  See the
thread at:

http://www.gossamer-threads.com/lists/gnupg/users/73146

According to Antony, you can grab his updates from:

ftp://blazrsoft.com/gnupg-for-java/

It wasn't responding for me just now, though.  Antony, are you still
maintaining this?



Re: 2.1.10 with libgcrypt 1.7.0-beta300

2016-01-28 Thread Fulano Diego Perez


Fulano Diego Perez:
> In my case on Debian,

Are you on Debian stretch amd64 ?

What are the versions of your dependencies ?

We should compare jamon to jamon.



AW: Key generation with GPGME and GnuPG hangs at gpgme_op_genkey

2016-01-28 Thread Sandra Schreiner

>Don't give up!

>So far we've cleared two major problems: the first was GnuPG taking ~15
>minutes to generate a certificate, and the second was GPGME not working
>with your callback.  Two major problems solved in two days.  Imagine
>what we can get solved by the end of the week.

>Programming is hard, but you're not stupid, and you're in a place where
>you can get help.  Stick with it.  Things will be okay.

Thank you for these encouraging words. In fact I got another problem solved.
It seems that the reason GnuPG was asking for the dummy password, was
that this user was set as a signer in my context (as default). Now I use

gpgme_signers_clear(mContext);

before I encrypt/sign my string. The request for the dummy password
disappeared. The only problem remaining is that the application still
ignores my own password callback and uses the GnuPG default:

gpgme_set_passphrase_cb(mContext, passphrase_cb, nullptr);

I replaced my callback with your code:

#include <gpgme.h>
#include <iostream>
#include <string>

gpgme_error_t passphrase_cb(void *hook, const char *uid_hint,
                            const char *passphrase_info,
                            int prev_was_bad, int fd)
{
    std::string passphrase { "" };
    size_t written { 0 };
    std::cout << "Enter your passphrase: ";
    std::getline(std::cin, passphrase);

    if (passphrase.empty())
        return GPG_ERR_CANCELED;

    // Write the whole passphrase to the descriptor GPGME handed us.
    while (written < passphrase.size())
    {
        ssize_t bytesWritten = gpgme_io_write(fd,
                                              &passphrase[0] + written,
                                              passphrase.size() - written);
        if (bytesWritten <= 0)  // stop on an error (-1) as well as on a zero-length write
            break;
        written += bytesWritten;
    }
    // GPGME expects the passphrase to be followed by a newline.
    gpgme_io_write(fd, "\n", 1);
    return GPG_ERR_NO_ERROR;
}


AW: Key generation with GPGME and GnuPG hangs at gpgme_op_genkey

2016-01-28 Thread Robert J. Hansen
> According to Antony, you can grab his updates from:
> 
>   ftp://blazrsoft.com/gnupg-for-java/
> 
> It wasn't responding for me just now, though.

His webserver, though, is still going strong.  Try:

https://www.blazrsoft.com/gnupg-for-java/




Re: AW: Key generation with GPGME and GnuPG hangs at gpgme_op_genkey

2016-01-28 Thread Robert J. Hansen
> Thank you for this encouraging words. In fact I got solved another problem.

Woot!

> The only problem remaining is that the application still ignores my 
> own password callback and uses the GnuPG default:

This is actually expected behavior.  See:

https://bugs.gnupg.org/gnupg/issue767

From Werner: "gpg2 can't use [custom passphrase handlers] as [using
gpg-]agent is a hard requirement.  The only reason for keeping the
passphrase callback is for symmetric encryption."

Since you're not using symmetric encryption -- you're generating a
certificate -- your callback never gets called.



Re: Problems with 4096 keys on 2.1 card

2016-01-28 Thread stebe
Hi,


> On 27 January 2016 at 15:20, Andrew Gallagher wrote:
> 
> 
> On 26/01/16 23:52, NIIBE Yutaka wrote:
> > 
> > It had been difficult to configure GNOME keyring (to stop the feature
> > of gpg-agent) properly.  Here is some info:
> > 
> > http://www.gniibe.org/memo/notebook/gnome3-gpg-settings.html
> 
> I fixed it by disabling gnome-keyring at system level. The following
> works under Jessie:
> 
> echo "X-GNOME-Autostart-enabled=false" >> /etc/xdg/autostart/gnome-keyring-ssh.desktop
> echo "X-GNOME-Autostart-enabled=false" >> /etc/xdg/autostart/gnome-keyring-gpg.desktop
> 
> NB this will affect all users.
> 

I used (for a debian system, system-wide basis) the following command
which I found in the wiki.

$ sudo dpkg-divert --local --rename --divert \
    /etc/xdg/autostart/gnome-keyring-gpg.desktop-disable --add \
    /etc/xdg/autostart/gnome-keyring-gpg.desktop

If you later decide to reenable it, then you can use:

$ sudo dpkg-divert --rename --remove \
    /etc/xdg/autostart/gnome-keyring-gpg.desktop

http://wiki.gnupg.org/GnomeKeyring

Cheers,

Stebe



Re: BAD signatures for GnuPG Stable

2016-01-28 Thread stebe
Hi,

> On 28 January 2016 at 06:12, Aaron Tovo wrote:
 
> I re-downloaded sig file and it still fails the gpg --verify test.
> 
> $ gpg --verify libgpg-error-1.21.tar.bz2.sig
> gpg: Signature made Sat 12 Dec 2015 06:03:30 AM CST using RSA key ID 4F25E3B6
> gpg: BAD signature from "Werner Koch (dist sig)"
> 
> Could this be some kind of man-in-the-middle attack? I don't recall
> having seen a signature fail like this before.
> 

If you are really interested in further investigating it, it seems that
this might be useful for you. I haven't checked it yet, though.

(1) https://github.com/Whonix/gpg-bash-lib

Quote from (1)

Why

Writing bash scripts that do file verification using gpg that really is
secure and passes a comprehensive threat model, that covers indefinite
freeze, rollback, endless data attacks, etc. is hard.

gpg-bash-lib's goal is to provide a bash library that we can
collaboratively develop, audit and abstract the hard work into reuseable
functions.

Checking gpg exit codes only is insufficient. Quote Werner Koch (gnupg
lead developer):

"there is no clear distinction between the codes and for proper error
reporting you are advised to use the --status-fd messages."


What does it do

* Abstracts file verification into common functions.
* Allows detecting of stale files, i.e. detection downgrade or
  indefinite freeze attacks by implementing a valid-until like mechanism.
* Internally parses gpg's --status-file output.
* It is signal friendly.
* Detects endless data attacks, aborts and reports this.
* Detects indefinite freeze and rollback (downgrade) attacks and reports
  this.
* Can help with verification of names of files, that are otherwise not
  covered by default when using gpg.
* Provide diagnostic output (variables) that contain information if the
  local clock is sane by comparing signature creation date with local clock.

[...]

Introduction

It is assumed, that your script downloaded a data file as well as a
signature file. A separate folder containing the keys that are supposed to
be used for gpg verification, such as for example
/usr/share/program-name/signing-keys.d is required as a prerequisite. You
can then use this library to do the gpg verification for you. 

Cheers, 

Stebe
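
Two points from this thread combined in an added example: name the data file explicitly (Damien Goutte-Gattat's reply) and decide from the --status-fd lines rather than the exit code (the Werner Koch quote above). This is not code from the thread or from gpg-bash-lib; the function names, fingerprints and sample status lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: accept a detached signature only on gpg's --status-fd lines.
# Fingerprints and sample lines below are constructed placeholders.
EXAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
OTHER_FPR=FEDCBA9876543210FEDCBA9876543210FEDCBA98

# classify_status EXPECTED_FPR < status-lines
# Prints ACCEPT or REJECT:<reason>; returns 0 only for ACCEPT.
classify_status() (
    want=$1 good=0 signer="" bad=""
    [ -n "$want" ] || { echo "REJECT:NO_EXPECTED_FPR"; exit 2; }
    while read -r prefix tag rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case $tag in
            GOODSIG) good=$((good + 1)) ;;
            VALIDSIG)
                # First field: fingerprint of the key that made the signature;
                # last field: fingerprint of its primary key.
                if [ "${rest%% *}" = "$want" ] || [ "${rest##* }" = "$want" ]
                then signer=expected
                else signer=other
                fi ;;
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) bad=$tag ;;
        esac
    done
    if [ -n "$bad" ]; then echo "REJECT:$bad"; exit 1; fi
    if [ "$good" -ne 1 ] || [ -z "$signer" ]; then
        echo "REJECT:NO_VALID_SIGNATURE"; exit 1
    fi
    # A good signature from some other key in the keyring is still a reject.
    if [ "$signer" != expected ]; then echo "REJECT:UNEXPECTED_SIGNER"; exit 1; fi
    echo "ACCEPT"
)

# verify_detached SIG DATA EXPECTED_FPR
# Both files are named, so gpg never derives the data file from the .sig name.
# Status lines go to fd 3, kept apart from anything gpg writes to stdout.
verify_detached() {
    [ -r "$1" ] && [ -r "$2" ] || { echo "REJECT:FILE_NOT_READABLE"; return 1; }
    gpg --batch --status-fd 3 --verify -- "$1" "$2" 3>&1 >/dev/null 2>&1 |
        classify_status "$3"
}

# Constructed status streams (not captured from a real gpg run).
sample_good() {
    printf '%s\n' "[GNUPG:] NEWSIG" \
        "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer (constructed)" \
        "[GNUPG:] VALIDSIG $EXAMPLE_FPR 2015-12-12 1449921810 0 4 0 1 8 00 $EXAMPLE_FPR"
}
sample_bad() {
    printf '%s\n' "[GNUPG:] NEWSIG" \
        "[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer (constructed)"
}
sample_other_key() {
    printf '%s\n' "[GNUPG:] NEWSIG" \
        "[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else (constructed)" \
        "[GNUPG:] VALIDSIG $OTHER_FPR 2015-12-12 1449921810 0 4 0 1 8 00 $OTHER_FPR"
}

sample_good      | classify_status "$EXAMPLE_FPR" || true
sample_bad       | classify_status "$EXAMPLE_FPR" || true
sample_other_key | classify_status "$EXAMPLE_FPR" || true
```
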



Re: AW: Key generation with GPGME and GnuPG hangs at gpgme_op_genkey

2016-01-28 Thread Robert J. Hansen
> Moreover the license is GPL and we would need LGPL. Maybe this point
> could be solved with separate license negotiations.

The GnuPG developers have historically been unwilling to provide GPGME
under any terms except the GPL.  If you need an LGPLed GPGME, you're out
of luck.

If you can't/won't use GPLed code, we insist you not use GPGME.  If you
can, we're happy to continue helping you address your problems with it.



AW: Key generation with GPGME and GnuPG hangs at gpgme_op_genkey

2016-01-28 Thread Sandra Schreiner

>> But we decided to not use the existing wrapper, because it is old,
>> (seems) unmaintained and we would like to have simpler interfaces and
>> one solution for both, the C++ and Java world. Means: we just want to
>> provide the simple and small interface in C++ and wrap this with JNI
>> for Java.

>Already been done for you.  The guys at the Guardian Project maintain
>the official Java-GPGME bindings, *and* they're in production use on
>Android.

This will sadly not solve my problem. The GPGME interface is not the
interface we would like to use for our purposes, because not all of the
GPGME features should be available in our framework (intentionally).
Therefore I would have to write (actually I already wrote, beside the
callback problem) a C++ wrapper for GPGME. And I would have to write
another wrapper for the Java wrapper, for the same reason. The combination
of this would lead to maintaining at least two wrappers: the one for Java
and the one for C++. Moreover the license is GPL and we would need LGPL.
Maybe this point could be solved with separate license negotiations. But
for now I guess I'm back to my question: What would happen if I would rely
on pinentry in Android?



Re: AW: Key generation with GPGME and GnuPG hangs at gpgme_op_genkey

2016-01-28 Thread Antony Prince
On 1/28/2016 4:32 AM, Robert J. Hansen wrote:
...
> 
> Antony Prince was the guy updating Guardian Project's code.  See the
> thread at:
> 
>   http://www.gossamer-threads.com/lists/gnupg/users/73146
> 
> According to Antony, you can grab his updates from:
> 
>   ftp://blazrsoft.com/gnupg-for-java/
> 
> It wasn't responding for me just now, though.  Antony, are you still
> maintaining this?
> 

I switched hosting providers a month or two ago and those files may have
slipped through the cracks. If anyone is interested in the pre-compiled
files, I can set it up again. The code was pretty much exactly the same
as that from guardian project except I made a few modifications to the
build process so it could be built by the travis continuous integration
system. If you are familiar with Java and Maven, it would probably be
best to build it natively using Maven on your host system. I tested the
binaries on a few systems (all Ubuntu) and it seemed to work as
expected, but I'm not 100% sure if there are any bindings created and if
there are, that they are system independent. If you need a hand with the
maven build process, I'll be happy to help.

--
Antony Prince






Re: What's the contextual definition of the term?... signature

2016-01-28 Thread Schlacta, Christ
I sent this a while ago in case anybody else wants to read it, but
accidentally only to Don.
On Jan 28, 2016 7:42 AM, "Schlacta, Christ"  wrote:

> Unofficially, but functionally and contextually correct.. A cryptographic
> signature is a cryptographically strong hash of a message that has been
> encrypted from an agent's private key to its public key such that anybody
> with the public key can verify the message, yet nobody except the agent
> with the private key could have generated said signature.
> The function is both to verify that the sender specified in the message is
> the one who sent it, and that the message is exactly and only the message
> the sender sent.
> On Jan 27, 2016 7:01 PM, "Don Saklad"  wrote:
>
>> What's the contextual definition of the term?... signature
>> as this term is used for GNUpg