Re: Secret key Questions regarding expiration and backing up
On Fri 2016-10-14 19:16:45 -0400, Andrew Gallagher wrote:

> my understanding is that a copy of some public key information (such
> as expiry dates) is kept in the corresponding secret key store, and
> this will be updated when the public key is edited.

This is exactly correct. See:

https://tools.ietf.org/html/rfc4880#section-5.5.3

    The Secret-Key and Secret-Subkey packets contain all the data of the
    Public-Key and Public-Subkey packets, with additional
    algorithm-specific secret-key data appended, usually in encrypted form.

Regards,

--dkg

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Secret key Questions regarding expiration and backing up
On 14 Oct 2016, at 23:49, g...@noffin.com wrote:

> So for clarification then:
>
> If there are no expiry dates on secret keys, what does this output mean then?
>
> #gpg --list-secret-keys
>
> sec 2048R/ 2014-10-30 [expires: 2017-10-31]

The expiry date shown here is just a copy of the one on the public key. It is checked by GnuPG to prevent it making signatures with a secret key that has an expired public key (and which are therefore unverifiable by others). I suppose you could think of this as being the expiry of the secret key, but it is always the same as that of the public key, and the one on the public key is the important one.

> And my next question is then... When I exported my secret key and moved it
> to another machine - why did the contents of the export to file change
> between the extension of the expiration date? (I exported before and after
> to test).

I'll defer to someone more expert than me on the internals, but my understanding is that a copy of some public key information (such as expiry dates) is kept in the corresponding secret key store, and this will be updated when the public key is edited.

Andrew.
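The two answers above (the RFC 4880 section 5.5.3 quote, and the explanation that the expiry shown for the secret key is a copy of the public key's) can be checked against the bytes of an export. What follows is an added example, not GnuPG code and not anything posted in the thread: a small RFC 4880 packet walker in Python that builds a toy keyring (constructed RSA numbers, n = 53 * 61, and a placeholder signature MPI, so nothing in it verifies) and then shows three things. The Secret-Key packet starts with exactly the fields of the Public-Key packet; the expiry is not stored in the key packet at all but as a seconds-after-creation offset in the Key Expiration Time subpacket (type 9) of the self-signature; and extending the expiry changes only that signature packet, which is why a fresh export of the same secret key differs byte for byte. The parser accepts both old-format headers (what gpg emits for key packets) and new-format headers, but not partial body lengths, and it only walks the two RSA MPIs; the User ID string is constructed.

```python
"""RFC 4880 packet walker: where a key's expiry actually lives (added example)."""
import struct

TAG_SIG, TAG_SECKEY, TAG_PUBKEY, TAG_UID = 2, 5, 6, 13
SUB_SIG_CREATED, SUB_KEY_EXPIRES = 2, 9            # RFC 4880 5.2.3.4 / 5.2.3.6

def mpi(n):
    """Multi-precision integer: 2-octet bit count, then big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def packet(tag, body):
    """New-format packet header (RFC 4880 4.2.2) with a 1-, 2- or 5-octet length."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + length + body

def subpacket(stype, data):
    """Signature subpacket; the length octet covers the type octet plus data."""
    return bytes([len(data) + 1, stype]) + data

def read_packets(blob):
    """Return [(tag, body)] for old- and new-format headers (no partial lengths)."""
    i, out = 0, []
    while i < len(blob):
        hdr = blob[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                                   # new format
            tag, first = hdr & 0x3F, blob[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + blob[i + 2] + 192, i + 3
            elif first == 255:
                length, i = struct.unpack(">I", blob[i + 2:i + 6])[0], i + 6
            else:
                raise ValueError("partial body length not supported")
        else:                                            # old format, as gpg emits for keys
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            size = {0: 1, 1: 2, 2: 4}.get(ltype)
            if size is None:
                raise ValueError("indeterminate length not supported")
            length = int.from_bytes(blob[i + 1:i + 1 + size], "big")
            i += 1 + size
        out.append((tag, blob[i:i + length]))
        i += length
    return out

def parse_subpackets(buf):
    """Map subpacket type -> data for a hashed or unhashed subpacket area."""
    subs, i = {}, 0
    while i < len(buf):
        first = buf[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + buf[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
        subs[buf[i] & 0x7F] = buf[i + 1:i + length]    # high bit is the "critical" flag
        i += length
    return subs

def build_key(created, expires_in, secret):
    """Key packet + User ID + positive self-certification (0x13).
    expires_in is seconds after key creation, 0 meaning no expiry, which is
    exactly the semantics of the Key Expiration Time subpacket."""
    n, e, d, p, q, u = 3233, 17, 2753, 53, 61, 38        # toy RSA values, constructed
    public = bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)
    if secret:
        priv = mpi(d) + mpi(p) + mpi(q) + mpi(u)
        # S2K usage octet 0 = unencrypted, then a 2-octet checksum (RFC 4880 5.5.3)
        key = packet(TAG_SECKEY, public + b"\x00" + priv + struct.pack(">H", sum(priv) & 0xFFFF))
    else:
        key = packet(TAG_PUBKEY, public)
    hashed = subpacket(SUB_SIG_CREATED, struct.pack(">I", created))
    if expires_in:
        hashed += subpacket(SUB_KEY_EXPIRES, struct.pack(">I", expires_in))
    sig = (bytes([4, 0x13, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
           + struct.pack(">H", 0) + b"\x00\x00" + mpi(1))  # placeholder, not a real signature
    return key + packet(TAG_UID, b"Example User <user@example.org>") + packet(TAG_SIG, sig)

def describe_key(blob):
    """Creation time, secret-or-public, the public fields of the key packet,
    and the absolute expiry recovered from the self-signature (None if unset)."""
    info = {"secret": False, "created": None, "public_fields": None, "expires": None}
    for tag, body in read_packets(blob):
        if tag in (TAG_PUBKEY, TAG_SECKEY) and body[0] == 4:
            pos = 6                                      # version, creation time, algorithm
            for _ in range(2):                           # RSA: MPI n, MPI e
                bits = struct.unpack(">H", body[pos:pos + 2])[0]
                pos += 2 + (bits + 7) // 8
            info.update(secret=(tag == TAG_SECKEY), public_fields=body[:pos],
                        created=struct.unpack(">I", body[1:5])[0])
        elif tag == TAG_SIG and body[0] == 4 and 0x10 <= body[1] <= 0x13:
            hashed_len = struct.unpack(">H", body[4:6])[0]
            subs = parse_subpackets(body[6:6 + hashed_len])
            if SUB_KEY_EXPIRES in subs:
                info["expires"] = info["created"] + struct.unpack(">I", subs[SUB_KEY_EXPIRES])[0]
    return info
```

On a real export (gpg --export-secret-keys, run through gpg --dearmor if armored) the same walk applies; gpg --list-packets prints the same structure with the subpacket named "key expires after". The practical consequence for backups is the one the thread arrives at: the secret material in the Secret-Key packet does not change when you extend the expiry, but the self-signature that carries the expiry does, so a backup taken before the extension still holds the usable secret key and only needs the refreshed public key merged in.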
Re: Secret key Questions regarding expiration and backing up
> On 14 Oct 2016, at 19:11, g...@noffin.com wrote:
>>
>> Hi there - pretty new with GPG, but have been getting going with it
>> without much issue. I'm just curious about a few best practices and so
>> on.
>>
>> 1) Should you set an expiration on your secret key? Or do most people
>> just
>> secure it appropriately (with no expiration)?
>
> Secret keys don't have expiration dates, only public keys. Best practice
> is to set an expiration date of a year or two in the future on the primary
> key, and either the same or shorter on your subkeys (I use the same expiry
> myself, for simplicity).
>
> The reason for this is that you may lose your secret material or forget
> your password, and you don't want stale keys hanging around on the
> internet forever with no indication that they are no longer usable.
>
>> 2) If you do have the secret key expire, and I have a backup of it (file
>> format) - And for some reason I forget to extend it before expiration -
>> can I still extend it?
>
> Yes. Just edit the public key and republish. The expiration date only
> informs other people that their software should stop using the key - it
> doesn't prevent you from doing anything.
>
> Andrew

So for clarification then:

If there are no expiry dates on secret keys, what does this output mean then?

#gpg --list-secret-keys

sec 2048R/ 2014-10-30 [expires: 2017-10-31]

And my next question is then... When I exported my secret key and moved it to another machine - why did the contents of the export to file change between the extension of the expiration date? (I exported before and after to test).

Thanks in advance!
Re: Secret key Questions regarding expiration and backing up
On 14 Oct 2016, at 19:11, g...@noffin.com wrote:
>
> Hi there - pretty new with GPG, but have been getting going with it
> without much issue. I'm just curious about a few best practices and so on.
>
> 1) Should you set an expiration on your secret key? Or do most people just
> secure it appropriately (with no expiration)?

Secret keys don't have expiration dates, only public keys. Best practice is to set an expiration date of a year or two in the future on the primary key, and either the same or shorter on your subkeys (I use the same expiry myself, for simplicity).

The reason for this is that you may lose your secret material or forget your password, and you don't want stale keys hanging around on the internet forever with no indication that they are no longer usable.

> 2) If you do have the secret key expire, and I have a backup of it (file
> format) - And for some reason I forget to extend it before expiration -
> can I still extend it?

Yes. Just edit the public key and republish. The expiration date only informs other people that their software should stop using the key - it doesn't prevent you from doing anything.

Andrew
Secret key Questions regarding expiration and backing up
Hi there - pretty new with GPG, but have been getting going with it without much issue. I'm just curious about a few best practices and so on.

1) Should you set an expiration on your secret key? Or do most people just secure it appropriately (with no expiration)?

2) If you do have the secret key expire, and I have a backup of it (file format) - And for some reason I forget to extend it before expiration - can I still extend it?

I did a few tests exporting a secret key before and after extending the expiration date - and obviously the file contents changed. I just want to be sure that I have a good backup of it, however follow best practices.

Thank you.
Re: unable to decrypt a mail coming from apple mail
Stephan Beck writes:

> Hi,
>
> ng0:
>> Hi,
>>
>> I've just got an email where the X-Mailer is Apple Mail. It adds some
>> bits and pieces, is a 7bit Content-Transfer-Encoding and I fail to
>> decrypt it with gpg --decrypt (applied to the email as a file and also
>> when applied to the BEGIN/END PGP block).
>> The key is imported, still valid and yet I get:
>> gpg: decryption failed: No secret key
>>
>> I'm running an unaltered Guix build here:
>> ng0@shadowwalker ~$ gpg --version
>> gpg (GnuPG) 2.1.13
>> libgcrypt 1.7.3
>
> have you checked the bug tracker at (1) ?
> There are several entries for
> gpg: decryption failed: No secret key.
>
> when you enter this very phrase into the search entry mask.
>
> Maybe there you'll find what you are looking for.
>
> Cheers
>
> Stephan
>
> (1) https://bugs.gnupg.org

From the subjects of those 9 bugs I don't see how they are related to my problem. Nevertheless I will read into them in the next days.

Thanks
mentors needed for the PGP Clean Room project in Outreachy/GSoC
Hi all,

I've advertised[1] the PGP Clean Room in the current round of Outreachy and it will probably be promoted in GSoC 2017 too.

We already have a couple of applicants interested in working on it; their details are in the pki-clean-room list archive[2].

Would anybody from the GnuPG community be interested in collaborating as a co-mentor on this project? If so, please feel free to email me and/or subscribe to the pki-clean-room mailing list[3].

Regards,

Daniel

1. https://danielpocock.com/outreachy-gsoc-2017-pki-clean-room
2. http://lists.alioth.debian.org/pipermail/pki-clean-room-devel/Week-of-Mon-20161010/date.html
3. https://lists.alioth.debian.org/mailman/listinfo/pki-clean-room-devel
Re: unable to decrypt a mail coming from apple mail
Hi,

ng0:
> Hi,
>
> I've just got an email where the X-Mailer is Apple Mail. It adds some
> bits and pieces, is a 7bit Content-Transfer-Encoding and I fail to
> decrypt it with gpg --decrypt (applied to the email as a file and also
> when applied to the BEGIN/END PGP block).
> The key is imported, still valid and yet I get:
> gpg: decryption failed: No secret key
>
> I'm running an unaltered Guix build here:
> ng0@shadowwalker ~$ gpg --version
> gpg (GnuPG) 2.1.13
> libgcrypt 1.7.3

Have you checked the bug tracker at (1)? There are several entries for

gpg: decryption failed: No secret key.

when you enter this very phrase into the search entry mask.

Maybe there you'll find what you are looking for.

Cheers

Stephan

(1) https://bugs.gnupg.org