Re: Using a GnuPG CCID card in another computer (follow-up)

2017-05-15 Thread Matthias Apitz
On Monday, May 15, 2017 at 07:25:12 PM +0200, Matthias Apitz wrote:

> 
> Hello,
> 
> I have a GnuPG smart card OMNIKEY 6121 Mobile USB and configured its
> use in my FreeBSD 12-CURRENT netbook, generated keys and I'm able to use
> it to login with SSH into other servers (after moving the pub key to
> the server into ~/.ssh/authorized_keys); the only tricky part was to figure
> out how to enter the PIN behind 'ssh' --> 'gpg-agent' --> 
> /usr/local/bin/pinentry
> 
> So far so good.
> 
> Now I wanted to use the same SIM in another FreeBSD workstation (at work), but when
> I use it there, for example with 'gpg2 --card-status', there is no key in the
> card and 'gpg2 --export-ssh-key guru' does not know how to
> export the key due to the missing pub key.
> 
> Should I move the full content of ~/.gnupg as well to the 2nd computer?
> And if so, why? I was thinking that all the key material (apart from the
> backup) is on the SIM and I only need its PIN...

Follow-up.

I have now copied all the files below to the other workstation and now all is
fine there too, i.e. I can export the pub key with 'gpg2 --export-ssh-key guru'
and use it for SSH being asked for the PIN of the card. The files are:

$ ls -lR .gnupg
total 52
-rw-------  1 guru  wheel  2649 12 may.  22:41 dirmngr.conf
-rw-r--r--  1 guru  wheel    19 15 may.  11:41 gpg-agent.conf
-rw-------  1 guru  wheel  5191 12 may.  22:41 gpg.conf
drwx------  2 guru  wheel   512 14 may.  20:30 openpgp-revocs.d
drwx------  2 guru  wheel   512 14 may.  20:29 private-keys-v1.d
-rw-r--r--  1 guru  wheel  3573 14 may.  20:30 pubring.kbx
-rw-------  1 guru  wheel    32 12 may.  22:41 pubring.kbx~
-rw-------  1 guru  wheel   600 15 may.  09:58 random_seed
-rw-r--r--  1 guru  wheel     7 15 may.  15:21 reader_0.status
-rw-------  1 guru  wheel  1865 14 may.  20:29 sk_61F1ECB625C9A6C3.gpg
-rw-r-----  1 guru  wheel   676 15 may.  11:45 sshcontrol
-rw-------  1 guru  wheel  1280 15 may.  09:23 trustdb.gpg

.gnupg/openpgp-revocs.d:
total 4
-rw-------  1 guru  wheel  1799 14 may.  20:30 5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11.rev

.gnupg/private-keys-v1.d:
total 24
-rw-------  1 guru  wheel  1873 14 may.  20:17 147F71A678B411855B4BCCC48FAEC8689B5E1C23.key
-rw-------  1 guru  wheel   615 14 may.  20:29 314DE72F03D41683E06A504769970A1643825B38.key
-rw-------  1 guru  wheel   617 14 may.  20:09 45BDBABA30A3511D507B8A08A28D425F7CD417C6.key
-rw-------  1 guru  wheel   615 14 may.  20:29 7E22A904DB3BE5A98F98AFDEED61DF1364DD949B.key
-rw-------  1 guru  wheel   615 14 may.  20:29 937BA1F6A95F68222EC2C6F9573100E17EE9522E.key
-rw-------  1 guru  wheel   617 14 may.  20:17 B0E0BFC22F116B541848DF6593B418BBB63C0CC0.key

When I generated the keys on the card (gpg2 --card-edit --> admin --> generate)
on May 14, I had to do this twice because I was logged out from the card
due to thinking too long about the passphrase for the backup of the key to the file
sk_61F1ECB625C9A6C3.gpg; one can see this in the times of the files below
.gnupg/private-keys-v1.d; the 2nd run started around 20:20 and was
successful at 20:29.

The question remains: Why do I have to move the files below .gnupg/ to
the other workstation? And what exactly are the files below
.gnupg/private-keys-v1.d?

Thanks

matthias
-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ 
+49-176-38902045

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: debugging systemd user services for gpg-agent and dirmngr [was: Re: gpg hangs when asking for passphrase]

2017-05-15 Thread Joey Morris
Daniel Kahn Gillmor  wrote on Wed, May 10, 2017 at 
10:58:21PM -0400:
> On Wed 2017-05-10 22:17:28 -0400, Joey Morris wrote:
> > I have systemd version 222-1 installed, which appears to be wildly out of 
> > date.
> > The first thing I'll try when I get back to this is to upgrade systemd.
> 
> yes, please!

After upgrading systemd, I'm happy to report that my agent connections no longer
hang and everything seems to be working well. (Because the upgrade fixed my
problem, I didn't attempt your other suggestion of moving my .xsession startup
tasks to .config/openbox/autostart.) Thank you for the assistance!

Joey




RE: Newbie can't get --passphrase option to work

2017-05-15 Thread Ryk McDorman
Kristian,

Thanks for the quick confirmation that I need to use --pinentry-mode loopback. 
I reviewed my program and found that I'd forgotten that I'd inserted an Exit 
statement (to troubleshoot something else), and that's what was causing only 
the first decryption to work. So, problem resolved!  Thanks again.

Ryk 

-Original Message-
From: Kristian Fiskerstrand [mailto:kristian.fiskerstr...@sumptuouscapital.com] 
Sent: Saturday, May 13, 2017 2:50 PM
To: Ryk McDorman ; gnupg-users@gnupg.org
Subject: RE: [EXT]:Newbie can't get --passphrase option to work

On 05/12/2017 04:15 PM, Ryk McDorman wrote:
> I've done a thorough search for a solution for this, but haven't come up with 
> much: a vague reference to a bug in 2.1.x that may have to do with it, and at 
> the end of my day yesterday I came across someone who used the 
> "--pinentry-mode loopback" option. Interestingly, when I add that to my 
> command, it DOES decrypt one file without prompting me, but then inexplicably 
> stops. (My program logic is fine, as without the -pinentry option, it prompts 
> me once for each file and decrypts each file.)  I haven't yet had time to 
> investigate that option; it's my next action but I've literally been working 
> on this for days now and needed to send out a plea for help!

And here you discuss it :p .. yes, pinentry-mode loopback is necessary for 2.1
use of --passphrase-fd and the like; in earlier versions of
2.1 this requires allow-pinentry-loopback for the gpg-agent, but in recent
versions that is defaulted to on.

Can you provide the information when this argument is used and the scenario 
that fails including explicit error messages?

--

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 
5109 5618 35AA 0B7F 8B60 E3ED FAE3

Amantes sunt amentes
Lovers are lunatics


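Added example for the exchange above (Python; not code from the thread or from GnuPG): an unattended decryption loop for GnuPG 2.1. With 2.1 the passphrase options (--passphrase-fd, --passphrase-file) only take effect when gpg is told not to spawn a pinentry, i.e. --pinentry-mode loopback together with --batch; older 2.1.x agents additionally need the line "allow-loopback-pinentry" in gpg-agent.conf. The passphrase is fed over a file descriptor, never via --passphrase on the command line, because argv is readable by every local user with ps. The "gpg2" binary name, the paths and the environment variable are assumptions.

```python
"""Added example (not from the thread): unattended decryption with GnuPG 2.1.

With 2.1 the passphrase options (--passphrase-fd, --passphrase-file) only take
effect when gpg is told not to spawn a pinentry: --pinentry-mode loopback,
together with --batch.  Older 2.1.x releases additionally need the line
"allow-loopback-pinentry" in gpg-agent.conf.  The passphrase is fed over a
file descriptor, never via --passphrase on the command line, because argv is
readable by every local user with ps.  The "gpg2" binary name and the paths
are assumptions.
"""
import subprocess
from pathlib import Path

GPG = "gpg2"  # assumption: the 2.1 binary is installed under this name


def batch_cmd(gpg=GPG, homedir=None):
    """Common prefix: no prompts, loopback pinentry, passphrase read from fd 0 (stdin)."""
    cmd = [gpg, "--batch", "--yes", "--pinentry-mode", "loopback", "--passphrase-fd", "0"]
    if homedir:
        cmd += ["--homedir", str(homedir)]
    return cmd


def decrypt_cmd(infile, outfile, gpg=GPG, homedir=None):
    """Full argv for decrypting one file; the passphrase is never part of it."""
    return batch_cmd(gpg, homedir) + ["--output", str(outfile), "--decrypt", str(infile)]


def output_name(infile, outdir):
    """foo.txt.gpg -> outdir/foo.txt; other names get '.out' appended."""
    p = Path(infile)
    if p.suffix in (".gpg", ".asc", ".pgp"):
        return Path(outdir) / p.with_suffix("").name
    return Path(outdir) / (p.name + ".out")


def decrypt_all(infiles, passphrase, outdir, gpg=GPG, homedir=None):
    """Decrypt every file, continuing past failures.  Returns {infile: (ok, last stderr line)}.

    Each gpg run gets its own stdin carrying the passphrase, so the loop keeps
    working after the first file (the failure mode the thread started with).
    """
    results = {}
    for f in infiles:
        proc = subprocess.run(
            decrypt_cmd(f, output_name(f, outdir), gpg, homedir),
            input=passphrase.encode() + b"\n",  # fd 0 == stdin, matches --passphrase-fd 0
            capture_output=True,
        )
        err = proc.stderr.decode(errors="replace").strip().splitlines()
        results[str(f)] = (proc.returncode == 0, err[-1] if err else "")
    return results


if __name__ == "__main__":
    import os
    import sys
    # usage: decrypt.py OUTDIR FILE.gpg [FILE.gpg ...]  with the passphrase in $GPG_PASSPHRASE
    # (assumption for the demo; a 0600 file plus --passphrase-file is the better choice
    # for a real batch job, since the environment of a process is readable by its owner).
    outdir, files = sys.argv[1], sys.argv[2:]
    for name, (ok, err) in decrypt_all(files, os.environ.get("GPG_PASSPHRASE", ""), outdir).items():
        print("OK " if ok else "ERR", name, "" if ok else err)
```

If the agent on an older 2.1.x rejects the loopback request, add "allow-loopback-pinentry" to gpg-agent.conf and restart the agent (gpgconf --kill gpg-agent); the option is the default in current releases, as the reply above says.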


command 'LEARN' failed: No inquire callback in IPC

2017-05-15 Thread Rogers, Dustin
Hi GnuPG community:

I have recently installed gnupg 2.1.20 from source on a centos6.8 box. For some 
reason I cannot get the pinentry prompt to appear on the terminal with this 
newest version.

gpg-connect-agent works as expected and asks for the PIN, but gpg-agent will 
not.

I have configured the gpg-agent.conf to use pinentry-curses

Here is output from gpg --card-edit

[root@system1 ~]# gpg --card-edit

gpg-agent[5158]: DBG: chan_8 -> OK Pleased to meet you, process 5159
gpg-agent[5158]: DBG: chan_8 <- RESET
gpg-agent[5158]: DBG: chan_8 -> OK
gpg-agent[5158]: DBG: chan_8 <- OPTION ttyname=/dev/pts/0
gpg-agent[5158]: DBG: chan_8 -> OK
gpg-agent[5158]: DBG: chan_8 <- OPTION ttytype=xterm
gpg-agent[5158]: DBG: chan_8 -> OK
gpg-agent[5158]: DBG: chan_8 <- OPTION lc-ctype=en_US.UTF-8
gpg-agent[5158]: DBG: chan_8 -> OK
gpg-agent[5158]: DBG: chan_8 <- OPTION lc-messages=en_US.UTF-8
gpg-agent[5158]: DBG: chan_8 -> OK
gpg-agent[5158]: DBG: chan_8 <- GETINFO version
gpg-agent[5158]: DBG: chan_8 -> D 2.1.20
gpg-agent[5158]: DBG: chan_8 -> OK
gpg-agent[5158]: DBG: chan_8 <- OPTION allow-pinentry-notify
gpg-agent[5158]: DBG: chan_8 -> OK
gpg-agent[5158]: DBG: chan_8 <- OPTION agent-awareness=2.1.0
gpg-agent[5158]: DBG: chan_8 -> OK
gpg-agent[5158]: DBG: chan_8 <- SCD GETINFO version
gpg-agent[5158]: no running SCdaemon - starting it
gpg-agent[5158]: DBG: chan_9 <- OK PKCS#11 smart-card server for GnuPG ready
gpg-agent[5158]: DBG: first connection to SCdaemon established
gpg-agent[5158]: DBG: chan_9 -> GETINFO socket_name
gpg-agent[5158]: DBG: chan_9 <- D /tmp/gnupg-pkcs11-scd.uTRBtO/agent.S
gpg-agent[5158]: DBG: chan_9 <- OK
gpg-agent[5158]: DBG: additional connections at '/tmp/gnupg-pkcs11-scd.uTRBtO/agent.S'
gpg-agent[5158]: DBG: chan_9 -> OPTION event-signal=12
gpg-agent[5158]: DBG: chan_9 <- OK
gpg-agent[5158]: DBG: chan_9 -> GETINFO version
gpg-agent[5158]: DBG: chan_9 <- D 0.7.5
gpg-agent[5158]: DBG: chan_9 <- OK
gpg-agent[5158]: DBG: chan_8 -> D 0.7.5
gpg-agent[5158]: DBG: chan_8 -> OK
gpg: WARNING: server 'scdaemon' is older than us (0.7.5 < 2.1.20)
gpg-agent[5158]: DBG: chan_8 <- SCD SERIALNO openpgp
gpg-agent[5158]: DBG: chan_9 -> SERIALNO openpgp
gpg-agent[5158]: DBG: chan_9 <- S SERIALNO D2760001240111504B4353233131 0
gpg-agent[5158]: DBG: chan_8 -> S SERIALNO D2760001240111504B4353233131 0
gpg-agent[5158]: DBG: chan_9 <- OK
gpg-agent[5158]: DBG: chan_8 -> OK
gpg-agent[5158]: DBG: chan_8 <- LEARN --sendinfo
gpg-agent[5158]: DBG: chan_9 -> LEARN --force
gpg-agent[5158]: DBG: chan_9 <- S SERIALNO D2760001240111504B4353233131 0
gpg-agent[5158]: DBG: chan_9 <- S APPTYPE PKCS11
gpg-agent[5158]: DBG: chan_9 <- INQUIRE NEEDPIN PIN required for token 'gnupg-par1HA' (try 0)
gpg-agent[5158]: DBG: chan_9 -> END
gpg-agent[5158]: DBG: chan_9 <- OK
gpg-agent[5158]: DBG: agent_card_learn failed: No inquire callback in IPC
gpg-agent[5158]: command 'LEARN' failed: No inquire callback in IPC
gpg-agent[5158]: DBG: chan_8 -> ERR 67109130 No inquire callback in IPC
gpg: OpenPGP card not available: No inquire callback in IPC

I have tried to set the GPG_TTY variable, but I still don't get the PIN prompt: GPG_TTY=`tty`

I have this working with manual pinentry in a gnupg 2.0 environment, but 
eventually I would like to use the unattended pinentry-mode loopback, which 
seems to be available in the gnupg 2.1.20 version only. I am trying to automate 
batch operations of gpg.

Thus, SCD LEARN will dutifully prompt for PIN when I launch the gpg-agent
alongside the gpg-connect-agent like this:

gpg-agent --debug-level=guru --debug 1024 --debug-pinentry --pinentry-program=/usr/bin/pinentry-curses --daemon gpg-connect-agent

But SCD LEARN does not dutifully prompt for PIN if I launch without the
gpg-connect-agent:

gpg-agent --debug-level=guru --debug 1024 --debug-pinentry --pinentry-program=/usr/bin/pinentry-curses --daemon

I have a feeling I have a small configuration error, or am not understanding
something. But I have also reviewed bug reports which seem similar to this issue I
am having. Can anyone tell me why the gpg-connect-agent can invoke the
pinentry, but gpg-agent cannot? I am trying su'd as root, but I have the same
issue when I'm not su'd as root.

Thank you,
-Dustin Rogers


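The trace in the post above, read as an Assuan conversation. This is an added example (Python), not code from the post or from GnuPG. Each "chan_N -> ..." line is something gpg-agent sent and "chan_N <- ..." something it received; chan_8 is the gpg client, chan_9 the card daemon, which greets itself here as "PKCS#11 smart-card server for GnuPG" version 0.7.5 rather than GnuPG's own scdaemon. An Assuan server answers a command with INQUIRE when it needs data from its client, and the client must reply with D lines and END (or CAN). In the trace gpg-agent closes the NEEDPIN inquiry with a bare END and then reports "No inquire callback in IPC", i.e. it has no handler for that inquiry. The parser below finds exactly that pattern; the sample log is copied from the post with the wrapped INQUIRE line re-joined.

```python
"""Added example (not from the post or from GnuPG): read a gpg-agent debug
trace as an Assuan conversation and flag INQUIREs that gpg-agent could not
answer.  The sample lines are copied from the post above."""
import re

LINE_RE = re.compile(r"gpg-agent\[\d+\]: DBG: (chan_\d+) (->|<-) (.*)$")

SAMPLE_LOG = """\
gpg-agent[5158]: DBG: chan_8 <- SCD GETINFO version
gpg-agent[5158]: no running SCdaemon - starting it
gpg-agent[5158]: DBG: chan_9 <- OK PKCS#11 smart-card server for GnuPG ready
gpg-agent[5158]: DBG: chan_9 -> GETINFO version
gpg-agent[5158]: DBG: chan_9 <- D 0.7.5
gpg-agent[5158]: DBG: chan_9 <- OK
gpg-agent[5158]: DBG: chan_8 <- LEARN --sendinfo
gpg-agent[5158]: DBG: chan_9 -> LEARN --force
gpg-agent[5158]: DBG: chan_9 <- S SERIALNO D2760001240111504B4353233131 0
gpg-agent[5158]: DBG: chan_9 <- S APPTYPE PKCS11
gpg-agent[5158]: DBG: chan_9 <- INQUIRE NEEDPIN PIN required for token 'gnupg-par1HA' (try 0)
gpg-agent[5158]: DBG: chan_9 -> END
gpg-agent[5158]: DBG: chan_9 <- OK
gpg-agent[5158]: DBG: agent_card_learn failed: No inquire callback in IPC
gpg-agent[5158]: command 'LEARN' failed: No inquire callback in IPC
gpg-agent[5158]: DBG: chan_8 -> ERR 67109130 No inquire callback in IPC
"""


def parse(text):
    """Return [(channel, direction, payload)] for the protocol lines only.

    '->' is what gpg-agent sent on that channel, '<-' what it received."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groups())
    return events


def server_banner(events, chan):
    """The greeting an Assuan server sends first on a channel ('OK <text>')."""
    for c, d, payload in events:
        if c == chan and d == "<-" and payload.startswith("OK "):
            return payload[3:]
    return None


def unanswered_inquires(events):
    """INQUIREs that gpg-agent closed with a bare END: no D lines, no CAN.

    That is what libassuan does when the client has no inquire callback for
    the keyword, and it is the cause of 'No inquire callback in IPC'."""
    findings = []
    for i, (chan, d, payload) in enumerate(events):
        if d == "<-" and payload.startswith("INQUIRE "):
            keyword = payload.split()[1]
            # The next thing gpg-agent sent on the same channel is its answer.
            reply = next((p for c, dd, p in events[i + 1:] if c == chan and dd == "->"), None)
            if reply == "END":
                findings.append((chan, keyword))
    return findings


def diagnose(text):
    """Summary a practitioner wants: who the card daemon is, which inquiry
    went unanswered, and what error the gpg client finally got."""
    events = parse(text)
    return {
        "scd_banner": server_banner(events, "chan_9"),
        "unanswered_inquires": unanswered_inquires(events),
        "client_errors": [p for c, d, p in events
                          if c == "chan_8" and d == "->" and p.startswith("ERR ")],
    }


if __name__ == "__main__":
    import sys
    # Pipe a gpg-agent debug log in, or run without input for the sample from the post.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read() or SAMPLE_LOG
    for key, value in diagnose(text).items():
        print(f"{key}: {value}")
```

On the sample the summary names "PKCS#11 smart-card server for GnuPG ready" as the card daemon, NEEDPIN on chan_9 as the unanswered inquiry, and ERR 67109130 as what gpg saw. Whether GnuPG's own scdaemon or the PKCS#11 server should be handling this card is a question for the tool's documentation; the trace only shows that gpg-agent 2.1.20 cannot serve a NEEDPIN inquiry during LEARN.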

Using a GnuPG CCID card in another computer

2017-05-15 Thread Matthias Apitz

Hello,

I have a GnuPG smart card OMNIKEY 6121 Mobile USB and configured its
use in my FreeBSD 12-CURRENT netbook, generated keys and I'm able to use
it to login with SSH into other servers (after moving the pub key to
the server into ~/.ssh/authorized_keys); the only tricky part was to figure
out how to enter the PIN behind 'ssh' --> 'gpg-agent' --> 
/usr/local/bin/pinentry

So far so good.

Now I wanted to use the same SIM in another FreeBSD workstation (at work), but when
I use it there, for example with 'gpg2 --card-status', there is no key in the
card and 'gpg2 --export-ssh-key guru' does not know how to
export the key due to the missing pub key.

Should I move the full content of ~/.gnupg as well to the 2nd computer?
And if so, why? I was thinking that all the key material (apart from the
backup) is on the SIM and I only need its PIN...

Thanks

matthias
-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ 
+49-176-38902045

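Added example for the question above and for the private-keys-v1.d listing in the follow-up (Python; not code from the posts or from GnuPG): what the <keygrip>.key files are and how to tell a card stub from a real secret key. gpg-agent stores each key as an S-expression; for a key that lives on a card it only keeps a "shadowed-private-key" stub holding the public parameters and the card's serial number, so gpg knows which card to ask. The card carries no user IDs or self-signatures, which is why the public key (pubring.kbx) and the stub have to exist on every host that uses the card; both can be re-created on a new host by importing the public key and running gpg2 --card-status, without copying the directory. The sk_*.gpg backup and any "protected-private-key" file hold real secret material and should not travel with it. The sample files written by write_samples() are constructed shapes, not real keys.

```python
"""Added example (not from the posts or from GnuPG): classify the files in
~/.gnupg/private-keys-v1.d.  gpg-agent keeps one S-expression per key, named
<keygrip>.key, and the first token says what the file holds:

  (20:shadowed-private-key ...)   stub: public parameters plus the card's serial
                                  number; the private key itself is on the card
  (21:protected-private-key ...)  real secret key, passphrase-protected
  (11:private-key ...)            real secret key, unprotected

Newer GnuPG versions may write an "extended" text format that starts with
"Key: (shadowed-private-key ..."; the keyword is the same, so the check below
covers both.  The samples in write_samples() are constructed, not real keys.
"""
import tempfile
from pathlib import Path

# Order matters: "private-key" is a suffix of the other two keywords.
KINDS = (
    ("shadowed-private-key", "stub"),        # not secret; gpg2 --card-status re-creates it
    ("protected-private-key", "protected"),  # secret material, treat like the sk_*.gpg backup
    ("private-key", "plain"),                # unprotected secret material
)


def classify_key(path):
    """Return 'stub', 'protected', 'plain' or 'unknown' for one .key file."""
    head = Path(path).read_bytes()[:96].decode("ascii", errors="replace")
    for keyword, kind in KINDS:
        if keyword in head:
            return kind
    return "unknown"


def report(dirpath):
    """Map file name -> kind for every *.key file in a private-keys-v1.d directory."""
    return {p.name: classify_key(p) for p in sorted(Path(dirpath).glob("*.key"))}


def write_samples(dirpath):
    """Constructed samples: S-expression shape only, every number is a dummy."""
    samples = {
        "stub.key": b"(20:shadowed-private-key(3:rsa(1:n4:abcd)(1:e3:abc)"
                    b"(8:shadowed5:t1-v1(32:D2760001240102010006000000000000)(0:))))",
        "protected.key": b"(21:protected-private-key(3:rsa(1:n4:abcd)(1:e3:abc)"
                         b"(9:protected25:openpgp-s2k3-sha1-aes-cbc(...)16:0123456789abcdef)))",
        "plain.key": b"(11:private-key(3:rsa(1:n4:abcd)(1:e3:abc)(1:d4:abcd)))",
    }
    for name, data in samples.items():
        (Path(dirpath) / name).write_bytes(data)
    return sorted(samples)


def demo_report():
    """Dry run on the constructed samples in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        write_samples(tmp)
        return report(tmp)


if __name__ == "__main__":
    import sys
    # Pass a real private-keys-v1.d directory to inspect it; no argument runs the dry run.
    result = report(sys.argv[1]) if len(sys.argv) > 1 else demo_report()
    for name, kind in result.items():
        print(f"{kind:10} {name}")
```

Run against a real ~/.gnupg/private-keys-v1.d after on-card generation you would expect only stubs, one per card key; a "protected" or "plain" entry there means a secret key is on disk and the directory is worth protecting as such.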


[Announce] GnuPG 2.1.21 released

2017-05-15 Thread Werner Koch
Hello!

The GnuPG team is pleased to announce the availability of a new release
of GnuPG: version 2.1.21.  See below for a list of new features and bug
fixes.

Note: This release fixes a keyring corruption bug introduced
  with last release.  Users of 2.1.20, who are using the
  old "pubring.gpg" file to store their public keys, are
  asked to update to this new release.


About GnuPG
===========

The GNU Privacy Guard (GnuPG) is a complete and free implementation
of the OpenPGP standard which is commonly abbreviated as PGP.

GnuPG allows you to encrypt and sign data and communication, features a
versatile key management system as well as access modules for public key
directories.  GnuPG itself is a command line tool with features for easy
integration with other applications.  A wealth of frontend applications
and libraries making use of GnuPG are available.  As a Universal Crypto
Engine GnuPG provides support for S/MIME and Secure Shell in addition to
OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom).  It can
be freely used, modified and distributed under the terms of the GNU
General Public License.


Noteworthy changes in version 2.1.21
====================================

  * gpg,gpgsm: Fix corruption of old style keyring.gpg files.  This
bug was introduced with version 2.1.20.  Note that the default
pubring.kbx format was not affected.

  * gpg,dirmngr: Removed the skeleton config file support.  The
system's standard methods for providing default configuration
files should be used instead.

  * w32: The Windows installer now allows installation of GnuPG without
Administrator permissions.

  * gpg: Fixed import filter property match bug.

  * scd: Removed Linux support for Cardman 4040 PCMCIA reader.

  * scd: Fixed some corner case bugs in resume/suspend handling.

  * Many minor bug fixes and code cleanup.

A detailed description of the changes found in this 2.1 branch can be
found at .


Getting the Software
====================

Please follow the instructions found at  or
read on:

GnuPG 2.1.21 may be downloaded from one of the GnuPG mirror sites or
direct from its primary FTP server.  The list of mirrors can be found at
.  Note that GnuPG is not
available at ftp.gnu.org.

The GnuPG source code compressed using BZIP2 and its OpenPGP signature
are available here:

 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.1.21.tar.bz2 (6321k)
 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.1.21.tar.bz2.sig

or via FTP:

 ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.21.tar.bz2
 ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.21.tar.bz2.sig

An installer for Windows without any graphical frontend except for a
very minimal Pinentry tool is available here:

 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.1.21_20170515.exe (3762k)
 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.1.21_20170515.exe.sig

or via FTP:

 ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.21_20170515.exe
 ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.21_20170515.exe.sig

The source used to build the Windows installer can be found in the same
directory with a ".tar.xz" suffix.  The Windows installer comes with
TOFU support, many translations, support for Tor, and support for HKPS
and the Web Key Directory.


Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a version of GnuPG installed, you can simply
   verify the supplied signature.  For example to verify the signature
   of the file gnupg-2.1.21.tar.bz2 you would use this command:

 gpg --verify gnupg-2.1.21.tar.bz2.sig gnupg-2.1.21.tar.bz2

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by one or more of the release signing keys.  Make sure that
   this is a valid key, either by matching the shown fingerprint
   against a trustworthy list of valid release signing keys or by
   checking that the key has been signed by trustworthy other keys.
   See the end of this mail for information on the signing keys.

 * If you are not able to use an existing version of GnuPG, you have
   to verify the SHA-1 checksum.  On Unix systems the command to do
   this is either "sha1sum" or "shasum".  Assuming you downloaded the
   file gnupg-2.1.21.tar.bz2, you run the command like this:

 sha1sum gnupg-2.1.21.tar.bz2

   and check that the output matches the next line:

1852c066bc21893bc52026ead78edf50fdf15e13  gnupg-2.1.21.tar.bz2
f8a75914e8d82375a89e39fbf45d9f72ed8ab92c  gnupg-w32-2.1.21_20170515.exe
91591e0f197b18b04671c2ca1377f0d195d1fa21  gnupg-w32-2.1.21_20170515.tar.xz
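Added example (Python; not code from the announcement or from GnuPG) that performs the two checks described in this section: the SHA-1 comparison against the list above, pasted in verbatim, and the signature check with an already installed gpg when one exists. SHA-1 tells you the download arrived intact; only the signature, checked against a release-signing fingerprint you trust, tells you it is the GnuPG team's file, which is why gpg_verify() returns the stderr for you to read the fingerprint. File paths and the "gpg" binary name are assumptions.

```python
"""Added example (not from the announcement or from GnuPG): verify a downloaded
GnuPG 2.1.21 release file.  The checksum list is copied from the mail; paths
and the gpg binary name are assumptions."""
import hashlib
import shutil
import subprocess
import tempfile
from pathlib import Path

# Copied from the "Checking the Integrity" section above (sha1sum output format).
ANNOUNCED_SHA1 = """\
1852c066bc21893bc52026ead78edf50fdf15e13  gnupg-2.1.21.tar.bz2
f8a75914e8d82375a89e39fbf45d9f72ed8ab92c  gnupg-w32-2.1.21_20170515.exe
91591e0f197b18b04671c2ca1377f0d195d1fa21  gnupg-w32-2.1.21_20170515.tar.xz
"""


def parse_checksums(text):
    """'<40 hex>  <name>' lines -> {name: hex}; anything else is ignored."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 40:
            table[parts[1]] = parts[0].lower()
    return table


def sha1_file(path, chunk=1 << 20):
    """Stream the file through SHA-1 so large tarballs are not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_sha1(path, table):
    """Compare a file's SHA-1 with the announced value, keyed by file name.

    Returns (status, actual) with status 'ok', 'MISMATCH' or 'unlisted'."""
    p = Path(path)
    actual = sha1_file(p)
    expected = table.get(p.name)
    if expected is None:
        return "unlisted", actual
    return ("ok" if actual == expected else "MISMATCH"), actual


def gpg_verify(path, gpg="gpg"):
    """Run 'gpg --verify <file>.sig <file>' as the section describes.

    Returns (ok, stderr) or None when gpg is not installed.  A good signature
    alone is not enough: the fingerprint printed on stderr must match a release
    signing key you trust."""
    if shutil.which(gpg) is None:
        return None
    proc = subprocess.run([gpg, "--verify", f"{path}.sig", str(path)],
                          capture_output=True, text=True)
    return proc.returncode == 0, proc.stderr


def selfcheck():
    """Constructed dry run: a fake 'gnupg-2.1.21.tar.bz2' containing b'abc' must
    be reported as a mismatch (SHA-1 of 'abc' is a9993e36...)."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = Path(tmp) / "gnupg-2.1.21.tar.bz2"
        fake.write_bytes(b"abc")
        return check_sha1(fake, parse_checksums(ANNOUNCED_SHA1))


if __name__ == "__main__":
    import sys
    table = parse_checksums(ANNOUNCED_SHA1)
    if len(sys.argv) == 1:
        print("dry run:", selfcheck())
    for arg in sys.argv[1:]:
        status, digest = check_sha1(arg, table)
        print(f"{status:9} {digest}  {arg}")
        sig = gpg_verify(arg)
        if sig is None:
            print("          gpg not installed, signature not checked")
        else:
            print("          signature", "good" if sig[0] else "BAD")
            print(sig[1].rstrip())
```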


Internationalization
====================

This version of GnuPG has support for 26 languages with