Re: gpg and smartcard on ubuntu 16.04

2016-04-27 Thread NIIBE Yutaka

On 04/28/2016 06:02 AM, Richard Ulrich wrote:

> I use the stock versions from the ubuntu 16.04 repository:
> gnupg  1.4.20-1ubuntu3
> gnupg2 2.1.11-6ubuntu2
> gnupg-agent 2.1.11-6ubuntu2
> scdaemon 2.1.11-6ubuntu2


Good, Ubuntu has GnuPG 2.1 (eventually, gpg will be GnuPG 2.1).  Out
of curiosity, does it have libgcrypt 1.7.0?


> Now if I want to decrypt a file:
> 
> gpg -d Dokumente/somefile.txt.gpg
> gpg: Anonymer Empfänger; Versuch mit geheimem Schlüssel 0AAA …
> gpg: pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
> gpg: Kartenleser ist nicht vorhanden
> 
> gpg --use-agent -d Dokumente/somefile.txt.gpg
> gpg: Anonymer Empfänger; Versuch mit geheimem Schlüssel 0AAA …
> gpg: pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
> gpg: Kartenleser ist nicht vorhanden


I think that this is the issue of GPG_AGENT_INFO variable, which was
used before 2.1.

How about setting those environment variables, like this?

export GPG_AGENT_INFO=$HOME/.gnupg/S.gpg-agent:0:1
export SSH_AUTH_SOCK=$HOME/S.gpg-agent.ssh

After setting those variables, does gpg work correctly?

In my environment of Debian, those variables are set by:
/etc/X11/Xsession.d/90gpg-agent
--

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
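A shell helper for the migration NIIBE describes, added here as an example and not taken from the thread or from GnuPG: it exports the pre-2.1 GPG_AGENT_INFO variable only when the installed gpg binary is older than 2.1 (2.1 ignores it), and only when the socket really exists. It assumes both sockets sit in the GnuPG home directory (~/.gnupg by default), which is where a 2.1 agent started with --enable-ssh-support creates them.

```shell
#!/bin/sh
# Added example (not code from the thread). Pre-2.1 gpg binaries find the
# agent through GPG_AGENT_INFO; GnuPG 2.1 ignores that variable and uses a
# fixed socket path, so the variable is only needed for the gpg 1.4 binary.
# Assumption: both sockets live in the GnuPG home directory (default
# ~/.gnupg), as created by a 2.1 agent run with --enable-ssh-support.

# True (status 0) when a "gpg (GnuPG) X.Y.Z" banner is older than 2.1,
# i.e. that binary still reads GPG_AGENT_INFO.
gnupg_reads_agent_info() {
    ver=$(printf '%s\n' "$1" | awk '{ print $3 }')
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$major$minor" in
        '' | *[!0-9]*) return 1 ;;   # unparsable banner: do not guess
    esac
    if [ "$major" -lt 2 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -lt 1 ]; then return 0; fi
    return 1
}

# Value in the pre-2.1 format <socket path>:<pid>:<protocol version>.
# gpg 1.4 only dereferences the path, so pid 0 and protocol 1 suffice,
# which is what the mail above suggests.
agent_info_value() {
    printf '%s/S.gpg-agent:0:1\n' "$1"
}

# The ssh-agent compatible socket created by --enable-ssh-support
# (assumed location, next to the agent socket).
ssh_auth_sock_value() {
    printf '%s/S.gpg-agent.ssh\n' "$1"
}

# Export the variables for the current shell, but only to sockets that
# actually exist: pointing gpg at a stale path just moves the failure.
# $1: GnuPG home (empty = $GNUPGHOME or ~/.gnupg), $2: first line of
# `gpg --version`. Returns 1 if gpg 1.4 needs a socket that is missing.
export_agent_vars() {
    home=${1:-${GNUPGHOME:-$HOME/.gnupg}}
    ssh_sock=$(ssh_auth_sock_value "$home")
    if [ -S "$ssh_sock" ]; then
        SSH_AUTH_SOCK=$ssh_sock
        export SSH_AUTH_SOCK
    fi
    if gnupg_reads_agent_info "$2"; then
        info=$(agent_info_value "$home")
        sock=${info%%:*}
        if [ -S "$sock" ]; then
            GPG_AGENT_INFO=$info
            export GPG_AGENT_INFO
        else
            return 1    # agent socket missing: nothing to point gpg 1.4 at
        fi
    fi
    return 0            # nothing to do for GnuPG 2.1 itself
}
```

Call it from ~/.bashrc after the agent is started, as `export_agent_vars "" "$(gpg --version | head -n 1)"`.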


Re: Top-posting

2016-04-27 Thread Robert J. Hansen
> It should probably be released under a Creative Commons license.

I hereby contribute it to the public domain.  Share and enjoy.






Re: Website usability issue

2016-04-27 Thread Philip Jackson
On 27/04/16 11:10, Peter Lebbing wrote:
> Using a netbook with a touchpad, Debian Jessie/stable and Iceweasel
> 38.7.1esr-1~deb8u1 (Debian package), I encounter an issue with the menu
> at the top of the website.
> 
> When you hover the pointer over a menu category (Home, Donate, Download,
> ...) it folds down and subpages appear. However, there is a small slit
> between the category and the pages. If I'm not quick enough with the
> touchpad movement, and manage to hover over the slit while moving down,
> the menu folds up again just as I'm about to select a page. At the
> moment, I'm having more difficulty keeping it open than not. I'm sure
> this depends on pointer device, acceleration settings and the amount of
> caffeine in the user... (none as of yet).

I have a similar setup on an old laptop (Debian 8.4 Jessie with
Iceweasel 38.7.1esr-1-deb8u1) with touchpad.  But I don't see the
problem you outline with the dropdown menus on gnupg.org (at least I
presume you are writing about gnupg.org?).

I also use a wireless mouse, but also no problem.  And I'm caffeine
deficient so move very slowly at this time of day :-)

Philip



gpg and smartcard on ubuntu 16.04

2016-04-27 Thread Richard Ulrich
I didn't read this list for a while, so forgive me if this was
discussed before.

For many years I have used gpg and gpg-agent with ssh support with an
OpenPGP smartcard. 
On every ubuntu upgrade I had to fiddle a little bit to have gpg-agent
act for ssh auth. No big deal usually.

But this time, after the usual fiddling, I have it working nicely for
ssh and evolution. But now it's the direct usage of gpg on the command
line that is giving me a hard time. This aspect always worked out of
the box so far.

I use the stock versions from the ubuntu 16.04 repository:
gnupg  1.4.20-1ubuntu3
gnupg2 2.1.11-6ubuntu2
gnupg-agent 2.1.11-6ubuntu2
scdaemon 2.1.11-6ubuntu2

In ~/.bashrc I terminate gpg-agent if it was started without ssh
support, and start it again with:
/usr/bin/gpg-agent --daemon --enable-ssh-support  > /dev/null

Now if I want to decrypt a file:

gpg -d Dokumente/somefile.txt.gpg 
gpg: Anonymer Empfänger; Versuch mit geheimem Schlüssel 0AAA …
gpg: pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
gpg: Kartenleser ist nicht vorhanden

gpg --use-agent -d Dokumente/somefile.txt.gpg
gpg: Anonymer Empfänger; Versuch mit geheimem Schlüssel 0AAA …
gpg: pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
gpg: Kartenleser ist nicht vorhanden

gpg2 -d Dokumente/somefile.txt.gpg
gpg: verschlüsselt mit RSA Schlüssel, ID 
gpg: Entschlüsselung fehlgeschlagen: Kein geheimer Schlüssel

gpg --card-status
gpg: pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
gpg: Kartenleser ist nicht vorhanden
gpg: OpenPGP Karte ist nicht vorhanden: Allgemeiner Fehler

gpg2 --card-status
Reader ...: ...
Application ID ...: ...
Version ..: 2.0
Manufacturer .: ZeitControl

All this was never a problem until now.
Are there any tricks to get the interfacing with smartcards working smoother 
again?

If I powercycle the smartcard, and kill scdaemon, it will first ask me for the
other smart card that contains the master key. If I don't provide this, I could
not figure out how to decrypt the file.
The only way was to plug in that other smart card, and have gpg find out that
this is not the one we need. Then it asks me to plug in the card that I indeed
need. Now I can enter the PIN, but strangely in the console, and not the
pinentry window. With this awkward workflow I am able to decrypt the file.

Rgds
Richard




Re: Top-posting

2016-04-27 Thread Michael A. Yetto
On Wed, 27 Apr 2016 16:53:28 +0100
Andrew Gallagher  wrote:

>On 27/04/16 16:48, Robert J. Hansen wrote:
>>> What is the matter with top posting? 
>> 
>> A: Yes.  Just not top-posting.
>> Q: Are both allowed here?
>> 
>> A: Quote a few lines, write your response to those few lines,
>> quote a few lines, write your response, and so on. This is
>> called inline-posting. Q: What if it's a long message?
>> 
>> A: Quote as much of the material as you need for context,
>> place it at the top of the message, and write your response
>> beneath it. This is called bottom-posting.
>> Q: So what should I do instead?
>> 
>> A: Normally the stuff preceding text is relevant to what
>> comes after it. When you top-post, the following text is
>> relevant to what precedes it. It's reversed.
>> Q: What do you mean?
>> 
>> A: It reverses the usual flow of reading.
>> Q: What's the problem with top-posting?
>
>I am SO going to shamelessly steal this.
>

Everyone is going to steal this.

It should probably be released under a Creative Commons license.


Mike Yetto
-- 
"The only good part of April Fool's Day is that it shows people
what it's like to be a skeptic the rest of the year."
 - Phil Plait




Re: making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-27 Thread Daniel Pocock


On 27/04/16 15:39, Peter Lebbing wrote:
> On 26/04/16 09:53, Daniel Pocock wrote:
>> There has been some discussion on debian-devel[1] about making a
>> bootable Debian Live CD specifically for GnuPG
> 
> I think this is interesting, and I would probably use it. But I'm just
> doing it out of interest, not because I have particular security needs
> (other than protect my network and the hosts on it from network-based
> hackers).
> 
>> - has anybody already seen anything like this?  Nobody likes
>> re-inventing the wheel
> 
> I'm not personally familiar with them, and I see Tails is even mentioned
> on the wiki, so you're already aware of it.
> 
>> - can we call all the necessary GnuPG commands from a script without the
>> user interacting directly with GnuPG, using "--batch" / unattended
>> operation?  The sequence of commands involved would be similar to this
>> blog[3]
> 
> A bunch of stuff can be sanely scripted, but unfortunately there are
> also cases where this can lead to a very suboptimal or kludgy solution
> and GPGME would be the better way to go.
> 
> I notice in the blog this person used GnuPG 1.4.x. I don't know why he
> does that; I would recommend GnuPG 2.0.x. GnuPG 2.1 introduces some more
> commands and features that are well suited to scripting, but I think it
> could well be too new for a Debian Live CD. You mgi
> 

Debian jessie (stable) has 2.0

2.1.x is in testing and could potentially go to backports if it is
necessary to use it.

https://packages.qa.debian.org/g/gnupg2.html

> In fact, you mention ECC keys on the wiki. GnuPG 1.4 does not and will
> never support ECC keys.
> 
> Incidentally, when you use GnuPG 2.x, you can drop the 'use-agent'
> statement from the configuration file which is a 1.4 thing: 2.x always
> uses the agent.
> 

Thanks for pointing that out, removed from the wiki

You are very welcome to sign up for a wiki account too if you would like
to tweak it directly

>> - what would be the preferred way for the GUI to obtain and keep the
>> master key passphrase without prompting the user to re-enter it for
>> every operation?
> 
> I am of the strong opinion that this should be left to the default GnuPG
> mechanism: the agent, combined with a (stock) pinentry. The agent will
> remember passphrases for 10 minutes by default, but it is configurable
> (not to an unlimited number, but there is some number like INT_MAX or
> similar to emulate it).
> 
> The pinentry is responsible for securely querying the user and the agent
> for securely keeping the secret in memory. They have been expressly
> designed with this purpose. In your specific use case, with swap and
> network disabled, I suppose it would matter less, but if you find agent
> and pinentry unsatisfactory, perhaps the correct course would be to
> discuss improvements to them rather than spin your own solution.
> 

So far there has been discussion about using text-based UIs such as
whiptail (shell scripting) or Urwid (Python)

Can anybody point me to an example of using pinentry with either of
those?  Or will it just work on the basic black and white console?

>> - would anybody else like to suggest improvements to the workflow?
> 
> I have some suggestions.
> 
> You state that a smartcard reader with dedicated PIN-pad protects from
> keyloggers. While there is some truth to it, it is not a panacea. The
> firmware of the reader should not have a security issue where it accepts
> rogue firmware updates, for instance. Or you could turn on the
> microphone and listen for the cadence of the keypresses, or pop up a
> message to the user saying that the PIN-pad of the particular reader is
> not supported and request them to type on the regular keyboard. The
> latter could take the form of a downgrade attack, where the malware
> strips the part of the USB configuration descriptor describing the
> PIN-pad support. In fact, I think this is the most low-tech solution
> that would work pretty well in practice, so I'm putting my money on this
> "solution". It works equally well with a hardware dongle hidden in the
> connector of the smartcard reader, like a hardware keylogger in the
> keyboard cable.
> 
> You save the private keys to flash storage. I'd like an option to use
> writable optical storage. It's cheaper (per storage unit), you can
> refresh it every so often for a low price (completely disintegrating the
> old disc and throwing it out).
> 
> Additionally, I think paperkey[1] would make an excellent addition to
> the software installed. Although I heard that a 4096-bit RSA key[2]
> would take a lot of typing if it didn't scan with OCR. Oh, a good
> OCR-font for printing, also good to include. Anyway, I considered a
> 2048-bit RSA key quite typable in an emergency; I have paper backups of
> my master and my encryption keys. The signature key is unneeded as you
> can just create a new one when you lose it.
> 

paperkey is already listed in the wiki and printing is mentioned, it
should have been in the workflow too, no

Re: Querying gpg-agent configuration options

2016-04-27 Thread Eric Pruitt
On Wed, Apr 27, 2016 at 11:32:21AM +0200, Werner Koch wrote:
> You may read the options from gpg-agent.conf using:
>
>   gpgconf --list-options gpg-agent \
>   | awk -F: '$1=="default-cache-ttl" {print $0}'
>
> which result in an output like this (line wrapped):
>
>   default-cache-ttl:24:0:expire cached PINs
>   after N seconds:3:3:N:600::900
>
> Here we see that the default value used by gpg-agent is 600 seconds and
> the currently configured value is 900 seconds.  To get only the value,
> change the $0 in the awk command to $10.  For details see the man page
> of gpgconf.  gpgconf also allows to change these values; gpgme has an
> interface for that too.

Per the other messages in this thread and the original post, I want to
query the options from the gpg-agent directly. Based on some
experimentation with the configuration files and strace, gpgconf doesn't
query the information from gpg-agent, it parses the configuration files
which is not what I need. Am I missing something? If it matters, the
version of gpgconf / GPG I'm using is 2.0.14.

Thanks,
Eric



Top-posting (was: Re: making a Debian...)

2016-04-27 Thread Robert J. Hansen
> What is the matter with top posting? 

A: Yes.  Just not top-posting.
Q: Are both allowed here?

A: Quote a few lines, write your response to those few lines, quote a
few lines, write your response, and so on. This is called inline-posting.
Q: What if it's a long message?

A: Quote as much of the material as you need for context, place it at
the top of the message, and write your response beneath it. This is
called bottom-posting.
Q: So what should I do instead?

A: Normally the stuff preceding text is relevant to what comes after it.
When you top-post, the following text is relevant to what precedes it.
It's reversed.
Q: What do you mean?

A: It reverses the usual flow of reading.
Q: What's the problem with top-posting?



Re: Top-posting

2016-04-27 Thread Andrew Gallagher
On 27/04/16 16:48, Robert J. Hansen wrote:
>> What is the matter with top posting? 
> 
> A: Yes.  Just not top-posting.
> Q: Are both allowed here?
> 
> A: Quote a few lines, write your response to those few lines, quote a
> few lines, write your response, and so on. This is called inline-posting.
> Q: What if it's a long message?
> 
> A: Quote as much of the material as you need for context, place it at
> the top of the message, and write your response beneath it. This is
> called bottom-posting.
> Q: So what should I do instead?
> 
> A: Normally the stuff preceding text is relevant to what comes after it.
> When you top-post, the following text is relevant to what precedes it.
> It's reversed.
> Q: What do you mean?
> 
> A: It reverses the usual flow of reading.
> Q: What's the problem with top-posting?

I am SO going to shamelessly steal this.

A



Re: Req: 64-bit GnuPG/GPGME for Windows

2016-04-27 Thread Robert J. Hansen
> I can't see a real reason for not using the 32 bit GnuPG version, thus
> working on a 64 bit version has a low priority.

Besides my contract requiring 64-bit deliverables?  :)  A 32-bit GnuPG
standalone executable is okay, but my code needs to be 64-bit, which
means a 64-bit GPGME DLL.



Re: making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-27 Thread Peter Lebbing
On 27/04/16 15:39, Peter Lebbing wrote:
> could well be too new for a Debian Live CD. You mgi

Ouch. After I had accidentally deleted my footnotes along with an unused
quote, I did a whole bunch of "Undo", then copied the footnotes, then
"Redo" again. However, it is clear I didn't "Redo" enough. I sure hope
this is all that is lost :'(.

It was supposed to say:

> You might want to ask Werner Koch what his stance on this is.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



(OT) Ignoring a subthread

2016-04-27 Thread Peter Lebbing
On 27/04/16 14:58, Daniel Pocock wrote:
> Back to the original topic then, does anybody else have any feedback on
> the questions I raised?

If we keep the proper discussion out of this particular subtree of the
topic, some mail readers actually offer the possibility to ignore the
subtree. With Icedove, I could click right on a parent post, and select
"Ignore Subthread", and I would never be notified of any discussion here.[1]

I spent some time writing up an on-topic response and posted it as a
child of the Original Post.

Peter.

[1] (Note the hypothetical)

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-27 Thread Peter Lebbing
On 26/04/16 09:53, Daniel Pocock wrote:
> There has been some discussion on debian-devel[1] about making a
> bootable Debian Live CD specifically for GnuPG

I think this is interesting, and I would probably use it. But I'm just
doing it out of interest, not because I have particular security needs
(other than protect my network and the hosts on it from network-based
hackers).

> - has anybody already seen anything like this?  Nobody likes
> re-inventing the wheel

I'm not personally familiar with them, and I see Tails is even mentioned
on the wiki, so you're already aware of it.

> - can we call all the necessary GnuPG commands from a script without the
> user interacting directly with GnuPG, using "--batch" / unattended
> operation?  The sequence of commands involved would be similar to this
> blog[3]

A bunch of stuff can be sanely scripted, but unfortunately there are
also cases where this can lead to a very suboptimal or kludgy solution
and GPGME would be the better way to go.

I notice in the blog this person used GnuPG 1.4.x. I don't know why he
does that; I would recommend GnuPG 2.0.x. GnuPG 2.1 introduces some more
commands and features that are well suited to scripting, but I think it
could well be too new for a Debian Live CD. You mgi

In fact, you mention ECC keys on the wiki. GnuPG 1.4 does not and will
never support ECC keys.

Incidentally, when you use GnuPG 2.x, you can drop the 'use-agent'
statement from the configuration file which is a 1.4 thing: 2.x always
uses the agent.

> - what would be the preferred way for the GUI to obtain and keep the
> master key passphrase without prompting the user to re-enter it for
> every operation?

I am of the strong opinion that this should be left to the default GnuPG
mechanism: the agent, combined with a (stock) pinentry. The agent will
remember passphrases for 10 minutes by default, but it is configurable
(not to an unlimited number, but there is some number like INT_MAX or
similar to emulate it).

The pinentry is responsible for securely querying the user and the agent
for securely keeping the secret in memory. They have been expressly
designed with this purpose. In your specific use case, with swap and
network disabled, I suppose it would matter less, but if you find agent
and pinentry unsatisfactory, perhaps the correct course would be to
discuss improvements to them rather than spin your own solution.

> - would anybody else like to suggest improvements to the workflow?

I have some suggestions.

You state that a smartcard reader with dedicated PIN-pad protects from
keyloggers. While there is some truth to it, it is not a panacea. The
firmware of the reader should not have a security issue where it accepts
rogue firmware updates, for instance. Or you could turn on the
microphone and listen for the cadence of the keypresses, or pop up a
message to the user saying that the PIN-pad of the particular reader is
not supported and request them to type on the regular keyboard. The
latter could take the form of a downgrade attack, where the malware
strips the part of the USB configuration descriptor describing the
PIN-pad support. In fact, I think this is the most low-tech solution
that would work pretty well in practice, so I'm putting my money on this
"solution". It works equally well with a hardware dongle hidden in the
connector of the smartcard reader, like a hardware keylogger in the
keyboard cable.

You save the private keys to flash storage. I'd like an option to use
writable optical storage. It's cheaper (per storage unit), you can
refresh it every so often for a low price (completely disintegrating the
old disc and throwing it out).

Additionally, I think paperkey[1] would make an excellent addition to
the software installed. Although I heard that a 4096-bit RSA key[2]
would take a lot of typing if it didn't scan with OCR. Oh, a good
OCR-font for printing, also good to include. Anyway, I considered a
2048-bit RSA key quite typable in an emergency; I have paper backups of
my master and my encryption keys. The signature key is unneeded as you
can just create a new one when you lose it.

I'd recommend a reading of the questions in the GnuPG FAQ[3], and
checking whether any apply to your project. Thought, discussion and
consensus have gone into the drafting of the FAQ; it is a valuable
source of information.

I'd suggest supporting only OpenPGP smartcards, not PKCS #11 tokens. The
latter requires a lot of tinkering to get to work, and to make it into a
Live CD that runs on a fair multitude of systems? I think it would be
difficult, and the cost/benefit tradeoff seems bad. OpenPGP compatible
cards are not expensive. They were designed to offer a good alternative
to PKCS #11 in the first place.

Regarding expiry periods, I think they are too soon. I think the main
feature of expiry is to eventually disable a key to which the private
part has been lost. The purpose of this is to ease the selection process
when fetching a key from the keyservers. I consi

Re: making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-27 Thread Daniel Pocock


On 27/04/16 11:53, Werner Koch wrote:
> On Tue, 26 Apr 2016 22:51, r...@sixdemonbag.org said:
> 
>> Well, there's a little bit of a chicken-and-the-egg problem here.  If
>> new projects are told "don't evangelize here", how will they let users
>> who might be interested in their project know it exists?  Evangelization
> 
> For me it is okay to do that from time to time, but they shall not take
> over a thread.  Many of us do not have the time to follow each thread
> and thus the subject should be on topic.
> 

Back to the original topic then, does anybody else have any feedback on
the questions I raised?


- can we call all the necessary GnuPG commands[1] from a script without
the user interacting directly with GnuPG, using "--batch" / unattended
operation?  The sequence of commands involved would be similar to this
blog[3]

- what would be the preferred way for the GUI to obtain and keep the
master key passphrase without prompting the user to re-enter it for
every operation?

- would anybody else like to suggest improvements to the workflow?



1.
https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/



Re: Import a pkcs12 certificate chain

2016-04-27 Thread Ian Prideaux


On 26/04/16 15:09, Damien Goutte-Gattat wrote:
> On 04/26/2016 02:47 PM, Ian Prideaux wrote:
>> The Symantec command is: pgp --new-passphrase newpp --passphrase
>> oldpp --import CertificateChain.p12
>>
>> However, I can't figure out what the gpg2 command is, or even if
>> gnupg is capable of this.
> 
> I am not sure I understand your workflow and what you want to achieve
> exactly.
> 
No, I'm not sure either. This is a system that I've inherited, with no
documentation :-(

Every other third party uses keypairs that are generated by the
pgp --gen-key command. I don't understand what is gained by using a
keypair which is generated from a certificate chain.

> But, as a starting point, you must know that the gpg2 program only deals
> with OpenPGP keys and messages. To manipulate X.509 certificates, you
> need gpgsm (another component of the GnuPG project) instead.
> 
> Presumably, the command you need should be
> 
> $ gpgsm --import CertificateChain.p12
> 
> to import the certificate and key from the PKCS#12 file into your
> keyring. Then you would probably use the --export command to export back
> the certificate only and send it to your third party.
> 
Yes that works. However I'm having trouble exporting the old
certificate-generated-keys from symantec. gpg2 uses the same keyring
format as symantec, so I can just copy and rename the keyring files.
gpgsm uses its own keyring format, and doesn't interoperate with gpg2.
I'd have to write code specifically to deal with that one customer.




Re: making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-27 Thread flapflap

MFPA:
> [0] is a How-To for creating an OpenPGP keypair for use with GnuPG on
> an airgapped system (using Tails) and exporting the subkeys for
> day-to-day use. There is a link [1] to a second guide to export the
> subkeys to an OpenPGP smartcard.

I was also about to suggest Tails, so thanks for doing that for me :)


Daniel Pocock:
> The benefit is that everything on the CD is self-contained, it can't be
> tampered with, it can run without network support in the kernel and the
> workflow would be controlled by a script.  All the details, including
> workflow, are described in a wiki[2]


Tails can be instructed in the Tails Greeter to disable all network
access [0].

As far as I understand it, Tails unconditionally blacklists the drivers
of all network devices [1].  If network access is enabled in the
Greeter, the blacklist is deleted [2] and the related services are
restarted; if network access is not enabled, the blacklist stays in place.

Yet, Tails might not be what you want because you have a different usage
pattern and threat model in mind.  For instance Tails ships non-free
software (and isn't happy about that) but needs to balance with the
possibility to run on almost every device a non-technically savvy user
wants it to boot from (which might not be the case for your use case).


[0]
https://tails.boum.org/doc/first_steps/startup_options/offline_mode/index.en.html
[1]
https://git-tails.immerda.ch/tails/tree/config/chroot_local-hooks/80-block-network?id=744ad738707e2527f694bdbe12463ddbdb76ddf0
[2]
https://git-tails.immerda.ch/tails/tree/config/chroot_local-includes/usr/local/lib/tails-unblock-network?id=744ad738707e2527f694bdbe12463ddbdb76ddf0



(OT) Netiquette

2016-04-27 Thread Peter Lebbing
On 27/04/16 11:53, Werner Koch wrote:
> For me it is okay to do that from time to time, but they shall not take
> over a thread.  Many of us do not have the time to follow each thread
> and thus the subject should be on topic.

Right, I should have changed the Subject:-line on my first reply here,
since it was clearly not about the Live CD anymore... my apologies...

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-27 Thread Paolo Bolzoni
Since the thread is already quite lost I chip in with a question.
What is the matter with top posting? Is my client that is weird
showing the text from the beginning, where what I want to read is? Top
posting sounds even more ad-hoc than bottom posting where you have to
scroll down to find what you want to read...



Re: making a Debian Live CD for managing GnuPG master key and smartcards

2016-04-27 Thread Werner Koch
On Tue, 26 Apr 2016 22:51, r...@sixdemonbag.org said:

> Well, there's a little bit of a chicken-and-the-egg problem here.  If
> new projects are told "don't evangelize here", how will they let users
> who might be interested in their project know it exists?  Evangelization

For me it is okay to do that from time to time, but they shall not take
over a thread.  Many of us do not have the time to follow each thread
and thus the subject should be on topic.

And while I am talking about the netiquette: Pretty please trim your
quotes and do not top-post.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.




Re: Req: 64-bit GnuPG/GPGME for Windows

2016-04-27 Thread Werner Koch
On Tue, 26 Apr 2016 19:31, r...@sixdemonbag.org said:
> How difficult would it be to get a 64-bit GnuPG and GPGME binary package
> built for Windows?  The existing one appears to be 32-bit only, and my
> development environment is 64-bit only.

I can't see a real reason for not using the 32 bit GnuPG version, thus
working on a 64 bit version has a low priority.

The pending task for GnuPG is to consolidate the OS objects used to
access files, pipes, and sockets.  In the 32 bit version our hacks to
detect the type of the objects work reasonably well, but they won't work
with 64 bit because sizeof(int) < sizeof(void*).  We make extensive use
of converting pointers (Windows' "HANDLE") to "int" and vice versa -
this can't work on 64-bit.  There are some other problems as well.

The planned solution is to use a new kind of object to wrap all those
different OS objects.  The use of the estream interface (e.g. es_printf)
from libgpg-error is a first step in this direction and will eventually
be extended to provide such a wrapper interface.

For GPGME there is clearly a need for 64 bit compatibility.  It is
already possible to build GPGME for 64 bit but certain features do not
yet work; using OpenPGP (gpg) should work. 


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.




Re: Evangelization discussion

2016-04-27 Thread Peter Lebbing
On 26/04/16 23:40, Bob (Robert) Cavanaugh wrote:
> All good points, no argument. I particularly agree regarding the 
> frequency. By all means promote your own product if you believe in
> it.

I also think it's a good idea if you can read about related software on
this list, but I think that authors should be reluctant to promote their
own stuff in other threads. With care, it can be done, though.

Incidentally, the software will also need to be free software, as per
the rules for FSF lists.

> However, I stand by my opinion that there should be a clear
> demarcation between GnuPG and its official distribution opposed to
> applications, utilities, etc that  GnuPG and its official
> distributed utilities.

Yes, I think it would be better if stuff like GPGME, libassuan,
libgcrypt, libgpg-error, libksba and pinentry got their own category on
the website rather than being a peer to the other stuff in related
software...

> Their author(s) should not imply that their
> project is part of GnuPG.

I can't think of an instance where this appeared to be the case, though.
Then again, I know what is part of GnuPG and what not, so I might not
have noticed indeed.

> I just re-checked; egpg is not listed on the gnupg.org 'Download'
> page. It is not even listed on the 'Frontends' tab, which I find
> somewhat surprising, as that should be the appropriate place to be
> listed?

While "related software" is a large list, I don't think it's meant to be
exhaustive. I'm also not sure what the qualifications are to be
considered for being added (other than being free software). I think
this is done informally, on an ad-hoc basis.

My 2 cents,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: Querying gpg-agent configuration options

2016-04-27 Thread Werner Koch
On Tue, 26 Apr 2016 23:31, eric.pru...@gmail.com said:

> particular, I would like to query the running agent to see what values
> are being used for default-cache-ttl and max-cache-ttl. I have reviewed

You may read the options from gpg-agent.conf using:

  gpgconf --list-options gpg-agent \
  | awk -F: '$1=="default-cache-ttl" {print $0}'

which results in an output like this (line wrapped):

  default-cache-ttl:24:0:expire cached PINs
  after N seconds:3:3:N:600::900

Here we see that the default value used by gpg-agent is 600 seconds and
the currently configured value is 900 seconds.  To get only the value,
change the $0 in the awk command to $10.  For details see the man page
of gpgconf.  gpgconf also allows to change these values; gpgme has an
interface for that too.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.


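An offline parser for the record format Werner shows, added here as an example and not taken from the thread or from GnuPG: it pulls the configured value out of field 10 and falls back to the default in field 8 when the option is absent from gpg-agent.conf; the sample records are constructed. As Eric points out elsewhere in the thread, gpgconf reports what the configuration files say, not the state of a running agent.

```shell
#!/bin/sh
# Added example (not from the thread or from GnuPG). gpgconf --list-options
# prints one colon-separated record per option; colons inside fields are
# percent-escaped, so splitting on ':' is safe. Field order:
#   1 name  2 flags  3 level  4 description  5 type  6 alt-type
#   7 argname  8 default  9 argdef  10 value (empty when not configured)
# gpgconf reads gpg-agent.conf; a long-running agent may still be using
# older values until it is reloaded.

# Constructed sample in that format (not real output of any machine).
SAMPLE_OPTIONS='default-cache-ttl:24:0:expire cached PINs after N seconds:3:3:N:600::900
max-cache-ttl:24:0:maximum time a PIN is cached:3:3:N:7200::
pinentry-program:0:0:use PGM as the PIN entry program:1:1:PGM:::"/usr/bin/pinentry-curses'

# Print the effective value of option $1 from records on stdin: the
# configured value if present, else the built-in default. Status 1 when
# the option name does not occur in the input.
gpgconf_option_value() {
    awk -F: -v name="$1" '
        $1 == name {
            v = ($10 != "") ? $10 : $8
            sub(/^"/, "", v)     # gpgconf prefixes string values with a quote
            print v
            found = 1
            exit
        }
        END { exit (found ? 0 : 1) }'
}

# Same lookup over the constructed sample, for a stand-alone run.
sample_value() {
    printf '%s\n' "$SAMPLE_OPTIONS" | gpgconf_option_value "$1"
}

# Live use (not run here):
#   gpgconf --list-options gpg-agent | gpgconf_option_value default-cache-ttl
```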


Website usability issue

2016-04-27 Thread Peter Lebbing
Hi all,

Using a netbook with a touchpad, Debian Jessie/stable and Iceweasel
38.7.1esr-1~deb8u1 (Debian package), I encounter an issue with the menu
at the top of the website.

When you hover the pointer over a menu category (Home, Donate, Download,
...) it folds down and subpages appear. However, there is a small slit
between the category and the pages. If I'm not quick enough with the
touchpad movement, and manage to hover over the slit while moving down,
the menu folds up again just as I'm about to select a page. At the
moment, I'm having more difficulty keeping it open than not. I'm sure
this depends on pointer device, acceleration settings and the amount of
caffeine in the user... (none as of yet).

I'm not familiar with website development, but perhaps the slit can be
made a transparent part of the menu, such that it doesn't register as
"no longer hovering over the menu"?

Oh, I also use Privoxy and Ghostery. I disabled Privoxy and did a full
page reload (Ctrl-Shift-R), but the problem persisted.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 
