Re: using with su/sudo

2016-10-17 Thread Daniel Kahn Gillmor
On Sat 2016-10-15 11:34:14 -0400, John Lane wrote:
>> 
>> Then, the command "updatestartuptty" can fix the situation.
>> 
>
> I tried this and it worked, in a su/sudo I had to do this:
>
> $ script -q -c '(gpg-connect-agent updatestartuptty /bye; ssh-add alice.subkey)'

so the use of script here is to allocate a new pseudoterminal, to get an
independent tty, right?

this seems like a pretty roundabout way to get the result the user is
naively looking for.  is it possible that we could offer some other
easier/simpler mechanism for users invoking gpg-agent for its ssh-agent
emulation across user accounts?

  --dkg

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Please develop even easier materials for complete novice type folks...

2016-10-17 Thread Don Saklad
Please develop even easier materials for complete novice type folks 
other than at
https://emailselfdefense.fsf.org/en/

and at
https://gnupg.org



Re: regular update of all keys from a keyserver

2016-10-17 Thread Brian Minton


On 10/17/2016 11:41 AM, Daniel Kahn Gillmor wrote:
> On Mon 2016-10-17 06:31:16 -0400, Martin T wrote:
>
>> I am aware that one can update all the keys in local-keyring from a
>> keyserver using "gpg --refresh-keys". Are there any disadvantages to
>> simply put this command into user crontab and execute for example once
>> a day?
> The only disadvantages are if you don't want to reveal the contents of
> your keyring to the public keyservers, or to announce your presence on
> the network.
>
> If you prefer to do these things in an anonymized way, you might prefer
> a tool like parcimonie, 

I run a key server, which allows me to do as many key-retrieval queries
as I like, without giving any information away to the rest of the
world.  It also helps a little, but not completely, with the problem of
adding keys to the keyserver network, with respect to my social
network.  In particular, it's not easy for any keyserver to see which of
its peers' peers a given key or set of keys originated from.  However,
in theory, an attacker could track the progress of a given key across
the network of keyservers by querying quickly, but it's a pretty small
window between the introduction of keys to a single member of the pool
and it being shared to all the keyservers.



Fwd: Re: regular update of all keys from a keyserver

2016-10-17 Thread Stephan Beck
I forgot to send it to the list as well...


 Forwarded Message 
Subject: Re: regular update of all keys from a keyserver
Date: Mon, 17 Oct 2016 16:20:00 +
From: Stephan Beck 
Reply-To: st...@mailbox.org
To: Martin T 

Hi Martin,

Martin T:
> Hi,
> 
> I am aware that one can update all the keys in local-keyring from a
> keyserver using "gpg --refresh-keys". Are there any disadvantages to
> simply put this command into user crontab and execute for example once
> a day?

Yes. To protect you and your contacts from an eavesdropper (be it
the ISP or someone else), you may refresh your keyring over the Tor
Network, using Parcimonie (1), which opens another circuit for every
single refreshing action (one refreshing action, one refreshed key),
thus slowly refreshing the whole keyring. Actually, it works with gpg
v1; I've never got it working with gpg2, though. If someone out there
knows how to adapt it for use with gpg2, go ahead and tell us!

Well, you don't tell us anything about your system or your gpg version,
but another way (with gpg 2.1.10 or later) is using the in-built support
for refreshing your keyring via Tor using --use-tor option.
Quote from the 2.1.10 announce mail (2):
 * dirmngr: New option --use-tor.  For full support this requires
   libassuan version 2.4.2 and a patched version of libadns
   (e.g. adns-1.4-g10-7 as used by the standard Windows installer).

If you do not use or do not want to use Tor, I'd recommend using at
least https in any case, retrieving the certificate of
sks-keyservers.netCA.pem first (3), verifying it and copying it into
your gnupg home directory, and adding it to the keyserver section in
gpg.conf.

I'd never refresh my keyring over plain http, because, yes, we "should
all have something to hide" (4), whatever the threats may be that are
already knocking on our doors and whoever might tell us that this battle
is lost or useless.

(1) https://gaffer.ptitcanardnoir.org/intrigeri/code/parcimonie/
(2) https://lists.gnupg.org/pipermail/gnupg-announce/2015q4/000381.html
(3) https://sks-keyservers.net/sks-keyservers.netCA.pe
(4) https://moxie.org/blog/we-should-all-have-something-to-hide/

Cheers

Stephan

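The advice in this thread (never refresh over plain hkp/http, pin the keyserver CA certificate, and, on gpg 2.1.10 or later, let dirmngr go through Tor) as a cron-friendly wrapper. This is an added example, not code from the list or from GnuPG; the pool URL, the CA file path and the script layout are assumptions.

```shell
#!/bin/sh
# Added example: a wrapper around "gpg --refresh-keys" for a daily cron job.
# It refuses to talk to a keyserver over an unencrypted transport, pins the
# keyserver CA bundle, and writes the equivalent dirmngr.conf for gpg 2.1.10+.
# The pool URL and file locations below are assumptions, not from the thread.
set -u

GNUPGHOME="${GNUPGHOME:-${HOME:-/tmp}/.gnupg}"
# The sks-keyservers.net CA, downloaded and verified by hand beforehand.
CA_CERT="$GNUPGHOME/sks-keyservers.netCA.pem"
# Assumed hkps pool; any hkps:// keyserver whose cert chains to CA_CERT works.
KEYSERVER="${KEYSERVER:-hkps://hkps.pool.sks-keyservers.net}"

# Return 0 only for schemes that encrypt the transport. Plain hkp:// or
# http:// shows every key ID you refresh to anyone on the path.
keyserver_is_encrypted() {
    case "$1" in
        hkps://*|https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# gpg 1.4 / 2.0: the CA bundle is passed as a keyserver option on the
# command line. Returns 2 for a plaintext URL, 3 if the CA file is missing.
refresh_keys_gpg20() {
    keyserver_is_encrypted "$KEYSERVER" || {
        echo "refusing plaintext keyserver: $KEYSERVER" >&2; return 2; }
    [ -r "$CA_CERT" ] || { echo "missing CA certificate: $CA_CERT" >&2; return 3; }
    gpg --batch --quiet \
        --keyserver "$KEYSERVER" \
        --keyserver-options "ca-cert-file=$CA_CERT" \
        --refresh-keys
}

# gpg 2.1.10+: keyserver access is dirmngr's job, so the same settings go in
# dirmngr.conf. "use-tor" is the option quoted from the 2.1.10 announcement;
# "hkp-cacert" pins the CA for hkps pools.
write_dirmngr_conf() {
    mkdir -p "$GNUPGHOME" && cat > "$GNUPGHOME/dirmngr.conf" <<EOF
keyserver $KEYSERVER
hkp-cacert $CA_CERT
use-tor
EOF
}

# Example crontab line (once a day at 06:00): 0 6 * * * $HOME/bin/refresh-keys.sh
# where refresh-keys.sh sources this file and calls refresh_keys_gpg20.
```

With gpg 2.1.10+ a plain `gpg --refresh-keys` in cron then inherits the Tor and CA settings from dirmngr.conf, so the wrapper's own checks only matter for the older command-line path.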


Re: regular update of all keys from a keyserver

2016-10-17 Thread Daniel Kahn Gillmor
On Mon 2016-10-17 06:31:16 -0400, Martin T wrote:

> I am aware that one can update all the keys in local-keyring from a
> keyserver using "gpg --refresh-keys". Are there any disadvantages to
> simply put this command into user crontab and execute for example once
> a day?

The only disadvantages are if you don't want to reveal the contents of
your keyring to the public keyservers, or to announce your presence on
the network.

If you prefer to do these things in an anonymized way, you might prefer
a tool like parcimonie, or if you're a coder (or have ways to encourage
other coders to work on things you think are interesting), you might
want to look into ways to try to address
https://bugs.gnupg.org/gnupg/issue1827

--dkg



RE: regular update of all keys from a keyserver

2016-10-17 Thread Robert J. Hansen
> I am aware that one can update all the keys in local-keyring from a
> keyserver using "gpg --refresh-keys". Are there any disadvantages to
> simply put this command into user crontab and execute for example once
> a day?

Not that I know of.  Some people will tell you that "an attacker listening
in on your network connection could discover your social graph!", but
honestly, if people are eavesdropping on my network connection they already
have so many ways to discover my social graph that one more just doesn't
matter.  This 'problem' has always struck me as much ado about nothing much.



regular update of all keys from a keyserver

2016-10-17 Thread Martin T
Hi,

I am aware that one can update all the keys in local-keyring from a
keyserver using "gpg --refresh-keys". Are there any disadvantages to
simply put this command into user crontab and execute for example once
a day?


thanks,
Martin



Re: SSH public key comment field and gpg-agent

2016-10-17 Thread John Lane
> 
> Agreed, that would be useful.  Feel free to open a bug report.
> 
raised https://bugs.gnupg.org/gnupg/issue2760



Re: SSH public key comment field and gpg-agent

2016-10-17 Thread Justus Winter
Hi :)

John Lane  writes:
> If the key is in the agent because of the gpg keyring then it is known
> as "(none)". If I do "ssh-add -L" I will see "(none)" at the end of the
> output:
>
> ssh-rsa B3NzaC1yc2EDAQAHT...IfFoxh2j13b3 (none)
>
> The reason that I stumbled upon this was because I was debugging a ssh
> connection that used the gpg-agent and the ssh debugging output
> displayed the following misleading output:
>
> debug1: Offering RSA public key: (none)
>
> which means the public key called "(none)" rather than, as I initially
> interpreted it, no public key.
>
> It's also useful client-side to see who a public key belongs to.
>
> It would be good if the comment field reflected the key source, perhaps
> the short (or long) key id. For example:
>
> ssh-rsa B3NzaC1yc2EDAQAHT...IfFoxh2j13b3 (3A808C39)

Agreed, that would be useful.  Feel free to open a bug report.


Cheers,
Justus
