Re: How to NOT gnutar files during encryption?

2017-07-19 Thread helices
On Wed, Jul 19, 2017 at 9:49 AM, Peter Lebbing 
wrote:

> On 19/07/17 16:30, helices wrote:
> > Unchecking that box and encrypting, this file decrypted and unzipped
> > without incident: Archive.zip.gpg
>
> And if you keep the box checked, does it produce a file named
> Archive.zip.gpg or Archive.zip.tar.gpg?
>

Archive.zip.gpg - which is why it took me so long to identify why I could
not unzip it ;-)

Gr ... gmail makes it tedious to reply to list mail ...
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: GPG Installation on AIX 6.1 & RedHat Linux 6.8 & RedHat 5.11

2017-07-19 Thread Robert J. Hansen
> We need to install the GPG software in our AIX & LINUX machines

The Linux machines should be easy, if you'll tell us what distro you're
using.

I'll give someone else the chance to answer your AIX question, as I
haven't used it in many years.



Re: How to NOT gnutar files during encryption?

2017-07-19 Thread Peter Lebbing
On 19/07/17 16:30, helices wrote:
> Unchecking that box and encrypting, this file decrypted and unzipped
> without incident: Archive.zip.gpg

And if you keep the box checked, does it produce a file named
Archive.zip.gpg or Archive.zip.tar.gpg? Because IMO, it should be the
latter. A good alternative would be: supposing the file is at
.../foldername/Archive.zip, call the tarred and encrypted file
foldername.tar.gpg. But naming it Archive.zip.gpg looks just confusing
and wrong to me. The chain of extensions is just incorrect; if we're
dropping "inner" extensions, it should be Archive.gpg, which just loses
all information.

If your client saw the filename "Archive.zip.tar.gpg" or
"foldername.tar.gpg", they might notice and think "Hey, where did this
come from?" instead of just sending it to you and leading to confusion
all round. Similarly, you might have noticed.

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: How to NOT gnutar files during encryption?

2017-07-19 Thread helices
OK, for the record, I think that I've found the solution.

I looked in Kleopatra Settings and found nothing.

Then, I imported a proper key and began signing and encrypting a file:
Archive.zip

In Kleopatra's Sign/Encrypt Files dialog, there is a checkbox: Archive
files with: TAR (PGP-compatible), which is checked by default.

Unchecking that box and encrypting, this file decrypted and unzipped
without incident: Archive.zip.gpg

I'm waiting for our client to upload a file encrypted this way.


HOWEVER, they right-click the ZIP file and select "sign and encrypt" to
process files. Will the UNchecked checkbox for "Archive files with: TAR
(PGP-compatible)" be the default now?

~ Mike


On Wed, Jul 19, 2017 at 8:17 AM, helices  wrote:

> How to NOT gnutar files during encryption?
>
>
> Thank you for your responses; but, you are all missing my point - and not
> answering my question.
>
> First, before encryption by Kleopatra, the file IS one (1) real ZIP file
> (e.g., filename.zip)
>
> After encryption and upload to us, the file is now an encrypted TAR file,
> with the ZIP file inside (e.g., filename.zip.gpg)
>
> Notice that there is NO indication of TAR anywhere in the filename.
>
> Yes, I can rewrite our production processes to look for files of type TAR,
> and automate that. We receive ~1000 encrypted files per day, and we have
> never needed this before.
>
> However, if they can turn OFF that TAR subprocess - which you state ought
> only to happen when requested to encrypt multiple files - then, this
> client's files will automatically process just like the thousands of other
> clients' files we process without incident every single day.
>
> So, to repeat myself:
>
> How to NOT gnutar files during encryption?
>
> Please, advise. Thank you.
>
> ~ Mike
>
>
> On Wed, Jul 19, 2017 at 5:43 AM, Werner Koch  wrote:
>
>> On Tue, 18 Jul 2017 23:30, g...@mdsresource.net said:
>>
>> > Further investigation reveals that Kleopatra is gnuTARring the ZIP file
>> > prior to encryption.
>>
>> That should only happen when you select multiple files or a directory.
>> This invokes the pgp-zip method of encrypting multiple files.  Despite
>> the name it is not ZIP but USTAR format (which any tar implementation
>> can handle).
>>
>>
>> Shalom-Salam,
>>
>>Werner
>>
>> --
>> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
>>
>
>


Re: How to NOT gnutar files during encryption?

2017-07-19 Thread helices
How to NOT gnutar files during encryption?


Thank you for your responses; but, you are all missing my point - and not
answering my question.

First, before encryption by Kleopatra, the file IS one (1) real ZIP file
(e.g., filename.zip)

After encryption and upload to us, the file is now an encrypted TAR file,
with the ZIP file inside (e.g., filename.zip.gpg)

Notice that there is NO indication of TAR anywhere in the filename.

Yes, I can rewrite our production processes to look for files of type TAR,
and automate that. We receive ~1000 encrypted files per day, and we have
never needed this before.

However, if they can turn OFF that TAR subprocess - which you state ought
only to happen when requested to encrypt multiple files - then, this
client's files will automatically process just like the thousands of other
clients' files we process without incident every single day.

So, to repeat myself:

How to NOT gnutar files during encryption?

Please, advise. Thank you.

~ Mike


On Wed, Jul 19, 2017 at 5:43 AM, Werner Koch  wrote:

> On Tue, 18 Jul 2017 23:30, g...@mdsresource.net said:
>
> > Further investigation reveals that Kleopatra is gnuTARring the ZIP file
> > prior to encryption.
>
> That should only happen when you select multiple files or a directory.
> This invokes the pgp-zip method of encrypting multiple files.  Despite
> the name it is not ZIP but USTAR format (which any tar implementation
> can handle).
>
>
> Shalom-Salam,
>
>Werner
>
> --
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
>


Re: Don't get the pinentry for passphrase in some contexts

2017-07-19 Thread Damien Cassou
Werner Koch  writes:
> "debug-pinentry" in gpg-agent.conf would give you more info.  Adding
> also "debug ipc" will show you the communication between gpg and
> gpg-agent; that is what you strace shows.  Use "log-file FILE" to set a
> log file and remember to reload gpg-agent.


I tried this configuration

enable-ssh-support
log-file /home/cassou/.gnupg/gpg-agent.log
debug-level guru
max-cache-ttl 0
debug-pinentry 1
debug 1024

The generated log files in both cases are quite similar but show the
differences below. I put _XXX_ to hide some values that are the same in
both outputs and _YYY_/_ZZZ_ when values differ.

--- firefox.log 2017-07-19 15:20:17.988440200 +0200
+++ terminal.log2017-07-19 15:20:24.128297587 +0200
@@ -2,9 +2,9 @@
 DBG: chan_6 -> OK Pleased to meet you, process _PID_
 DBG: chan_6 <- RESET
 DBG: chan_6 -> OK
-DBG: chan_6 <- OPTION ttyname=/dev/pts/2
+DBG: chan_6 <- OPTION ttyname=/dev/pts/0
 DBG: chan_6 -> OK
-DBG: chan_6 <- OPTION ttytype=dumb
+DBG: chan_6 <- OPTION ttytype=xterm-256color
 DBG: chan_6 -> OK
 DBG: chan_6 <- OPTION display=:0
 DBG: chan_6 -> OK
@@ -16,8 +16,6 @@
 DBG: chan_6 -> OK
 DBG: chan_6 <- OPTION putenv=QT_IM_MODULE=ibus
 DBG: chan_6 -> OK
-DBG: chan_6 <- OPTION putenv=INSIDE_EMACS=25.2.1,comint
-DBG: chan_6 -> OK
 DBG: chan_6 <- OPTION lc-ctype=en_US.UTF-8
 DBG: chan_6 -> OK
 DBG: chan_6 <- OPTION lc-messages=en_US.UTF-8
@@ -46,12 +44,11 @@
 DBG: chan_6 <- PKDECRYPT
 DBG: chan_6 -> S INQUIRE_MAXLEN 4096
 DBG: chan_6 -> INQUIRE CIPHERTEXT
-DBG: chan_6 <- [ 44 ... ...(_YYY_ byte(s) skipped) ]
+DBG: chan_6 <- [ 44 ... ...(_ZZZ_ byte(s) skipped) ]
 DBG: chan_6 <- END
 DBG: keygrip: _XXX_
-DBG: cipher:  _XXX_ _YYY_ _XXX_
+DBG: cipher:  _XXX_ _ZZZ_ _XXX_
 DBG: agent_get_cache '_XXX_' (mode 2) ...
-DBG:   expired '_XXX_' (0s after creation)
 DBG: ... miss
 DBG: agent_get_cache '_XXX_' (mode 2) (stored cache key) ...
 DBG: ... miss
@@ -59,10 +56,5 @@
 DBG: connection to PIN entry established
 DBG: chan_6 -> INQUIRE PINENTRY_LAUNCHED _PID_
 DBG: chan_6 <- END
-DBG: error calling pinentry: Operation cancelled 
-failed to unprotect the secret key: Operation cancelled
-failed to read the secret key
-command 'PKDECRYPT' failed: Operation cancelled 
-DBG: chan_6 -> ERR 83886179 Operation cancelled 
-DBG: chan_6 <- [eof]
-handler 0x7f8e1fa24700 for fd 6 terminated
+DBG: agent_put_cache 'XX' (mode 2) requested ttl=0
+DBG: rsa_decrypt data:+X
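
Review bot: the two runs diverge only in OPTION ttyname=/dev/pts/2 with ttytype=dumb (firefox) versus /dev/pts/0 with ttytype=xterm-256color (terminal), plus the putenv=INSIDE_EMACS line that only the terminal run sends; display=:0 and the locale options are identical in both. Both runs reach "connection to PIN entry established" and INQUIRE PINENTRY_LAUNCHED, so gpg-agent does start a pinentry in the firefox case too, and the "Operation cancelled" is what that pinentry returned rather than a failure to launch it. The excerpt leaves out the debug-pinentry lines that name the pinentry program and the tty/display it was handed; those are the lines needed to tell whether the dumb ttytype on a different pts is what makes the pinentry give up, so they should be quoted before drawing a conclusion.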


>> read(5, "ERR 83886179 Operation cancelled \n", 1002) = 44
>
> The agent tells you that the Pinentry canceled the operation.  This is
> usually due to clicking the cancel button.  Some older versions of
> pinentry use cancel as a catch all error from pinentry.  Modern versions
> of gpg running with "-v" will print a line identifing the pinentry used
> and thus reveal possible problems, for example a missing GPG_TTY
> environment variable.


I have 2.1.13 and only got that in Firefox console:

--stdout:

--stderr:
gpg: public key is XXX
gpg: using subkey XXX instead of primary key YYY
gpg: encrypted with 4096-bit RSA key, ID XXX, created 2015-04-17
  "Damien Cassou "
gpg: public key decryption failed: Operation cancelled
gpg: decryption failed: No secret key



Do you have any more clue?

-- 
Damien Cassou
http://damiencassou.seasidehosting.st

"Success is the ability to go from one failure to another without
losing enthusiasm." --Winston Churchill



Re: How to NOT gnutar files during encryption?

2017-07-19 Thread Andre Heinecke
Hi,

On Tuesday, July 18, 2017 4:30:13 PM CEST helices wrote:
> How can this new client NOT gnutar files, and still properly encrypt the
> ZIP file?

The client could create a ZIP Archive with the files and then encrypt that as a 
single file. Kleopatra has no built in support for ZIP + Encrypt.

FWIW Kleopatra would have automatically chosen a filename like archive.tar.gpg 
so your client must have manually changed that to have some kind of zip 
extension.

On the other hand you could extend your process to also accept tarballs ;-)

Regards,
Andre


-- 
Andre Heinecke |  ++49-541-335083-262  | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner



GPG Installation on AIX 6.1 & RedHat Linux 6.8 & RedHat 5.11

2017-07-19 Thread SIVA MADDALA
Hi Team,

We need to install the GPG software on our AIX & LINUX machines; however, first
we need to install GPG on the AIX servers and need your support in order to install
the software. Kindly share with us the link and document to download the relevant
software, to install it, and the procedure to configure it, along with a
rollback process in case of issues. Awaiting your reply.

Regards,
Siva Naresh M
--
Technical Support Engineer
Serco IT Shared Services-OMC-UNIX
Email : siva.madd...@serco.com
Phone : +44(0)845-408-3689




Re: gpg-agent/pinentry: How to verify calling application

2017-07-19 Thread Werner Koch
On Wed, 19 Jul 2017 00:10, knaac...@gmx.de said:

> me        2486  0.0  0.0  34028  3940 ?        SL   21:46   0:00 gpg2
> --enable-special-filenames --batch --no-sk-comments --status-fd 11 --no-tty 
> --charset utf8 --enable-progress-filter --exit-on-status-write-error 
> --display :0 --ttyname kein Terminal --ttytype xterm --decrypt --output - -- 
> -&14

FWIW: That looks like a gpg invocation via GPGME.


Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: How to NOT gnutar files during encryption?

2017-07-19 Thread Werner Koch
On Tue, 18 Jul 2017 23:30, g...@mdsresource.net said:

> Further investigation reveals that Kleopatra is gnuTARring the ZIP file
> prior to encryption.

That should only happen when you select multiple files or a directory.
This invokes the pgp-zip method of encrypting multiple files.  Despite
the name it is not ZIP but USTAR format (which any tar implementation
can handle).


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: A Quick Supplement

2017-07-19 Thread Werner Koch
On Tue, 18 Jul 2017 22:49, r...@sixdemonbag.org said:

> random_seed is internal data belonging to the PRNG.

That is right.  However we always add at least 128 bits of fresh random
data which would be enough - at least on all systems with /dev/random or on
Windows.  It is just that we are ultra-conservative and use a huge state
of 4800 bits.  The random_seed file gives an initial value to that
state.  From a pure mathematical point of view the 128 bits we always
add are enough.  For key generation we have even stronger requirements.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: How to NOT gnutar files during encryption?

2017-07-19 Thread Einar Ryeng
Hi,

On Tue, Jul 18, 2017 at 04:30:13PM -0500, helices wrote:
> 
> After many hours troubleshooting, I discovered that the decrypted "zip"
> file is actually inside a TAR file!
> 
> Further investigation reveals that Kleopatra is gnuTARring the ZIP file
> prior to encryption.
> 
> How can this new client NOT gnutar files, and still properly encrypt the
> ZIP file?
> 
> What are we missing?

Sounds like either a bug or a somewhat stupid default setting in Kleopatra
(which I have never used). A workaround on the receiving end could be to detect
that the file is a tar file and unpack it before further processing.

Something like this:

#!/bin/bash
set -eu
FILENAME=$1
# Decide by content, not by file name: "file -b --mime-type" prints only the
# MIME type (e.g. application/x-tar), so no need to match the name back out.
FILE_MIMETYPE=$(file -b --mime-type -- "$FILENAME")

if [ "$FILE_MIMETYPE" = "application/x-tar" ]
then
    tar -xvf "$FILENAME"
fi

As usual, do NOT run code from random people on the Internet.

-- 
Einar Ryeng


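Werner's point that the pgp-zip wrapper is a USTAR tar, Peter's point that the Archive.zip.gpg name tells you nothing about it, and Einar's receiving-end workaround all come down to the same rule: classify the decrypted payload by its bytes, not by its extension, and then unpack the wrapper without trusting what is inside it. The following is an added example (not code from this thread, nor from GnuPG or Kleopatra) that does exactly that on already-decrypted bytes; the sample ZIP, the tar-wrapped copy of it, and the hostile wrapper are constructed in memory for the demonstration, and the function and file names are the example's own.

```python
"""Tell a pgp-zip (USTAR) wrapper from the ZIP it was supposed to be, by magic
bytes rather than file name, and unwrap it without trusting member names.
Added example, not code from the thread; input is assumed to be the decrypted
bytes (e.g. from `gpg --decrypt --output - Archive.zip.gpg`)."""
import io
import tarfile
import zipfile

USTAR_MAGIC_OFFSET = 257      # POSIX ustar header: "ustar" sits at byte 257
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def sniff(data: bytes) -> str:
    """Classify a payload as 'tar', 'zip' or 'unknown' from its leading bytes."""
    if data[USTAR_MAGIC_OFFSET:USTAR_MAGIC_OFFSET + 5] == b"ustar":
        return "tar"
    if data[:4] in ZIP_MAGICS:
        return "zip"
    return "unknown"


def safe_member_name(name: str) -> bool:
    """Reject member names that could escape the extraction directory."""
    if not name or name.startswith("/") or "\\" in name:
        return False
    return all(part not in ("", "..") for part in name.split("/"))


def unwrap_pgp_zip(data: bytes) -> dict:
    """If `data` is a tar wrapper (what Kleopatra's 'Archive files with: TAR
    (PGP-compatible)' option produces), return {member name: bytes} for its
    regular-file members; any other payload comes back unchanged under '-'.
    Non-regular members (symlinks, hard links, devices) or unsafe names abort
    the whole unwrap so a hostile archive is never partially processed."""
    if sniff(data) != "tar":
        return {"-": data}
    members = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        for info in tf:
            if not info.isfile():
                raise ValueError(f"refusing non-regular member {info.name!r}")
            if not safe_member_name(info.name):
                raise ValueError(f"refusing unsafe member name {info.name!r}")
            members[info.name] = tf.extractfile(info).read()
    return members


def zip_entries(data: bytes) -> list:
    """Entry names of a ZIP payload (what the production pipeline expects)."""
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


def _zip_bytes(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def _ustar_bytes(entries: dict) -> bytes:
    """Wrap payloads in a plain USTAR tar, the way pgp-zip does."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, payload in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def build_samples():
    """Constructed inputs: the client's real ZIP, the same ZIP as Kleopatra
    delivered it (tar-wrapped), and a hostile wrapper with a traversal name."""
    inner = _zip_bytes({"report.csv": b"id,amount\n1,42\n"})
    wrapped = _ustar_bytes({"Archive.zip": inner})
    hostile = _ustar_bytes({"../../etc/cron.d/evil": b"* * * * * root id\n"})
    return inner, wrapped, hostile


if __name__ == "__main__":
    inner, wrapped, hostile = build_samples()
    print("inner:", sniff(inner), "| as delivered:", sniff(wrapped))
    for name, payload in unwrap_pgp_zip(wrapped).items():
        print(f"member {name}: {sniff(payload)}, {len(payload)} bytes, "
              f"zip entries={zip_entries(payload)}")
    try:
        unwrap_pgp_zip(hostile)
    except ValueError as err:
        print("hostile wrapper rejected:", err)
```

The member check is the part a receiving pipeline must not skip: `tar xvf` on a wrapper you did not build yourself will happily write `../../etc/cron.d/evil` or follow a symlink member, and an automated intake that handles ~1000 files a day from many clients is exactly where such an archive would go unnoticed.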


Re: gpg-agent/pinentry: How to verify calling application

2017-07-19 Thread Peter Lebbing
On 19/07/17 00:10, Hartmut Knaack wrote:
>[...], I checked with ps aux:
> 
> me        2486  0.0  0.0  34028  3940 ?        SL   21:46   0:00 gpg2
> --enable-special-filenames --batch --no-sk-comments --status-fd 11 --no-tty 
> --charset utf8 --enable-progress-filter --exit-on-status-write-error 
> --display :0 --ttyname kein Terminal --ttytype xterm --decrypt --output - -- 
> -&14
> 
> And pstree outputs:
> 
> systemd---systemd---gpg2

Hah, that's not helpful, thanks, systemd! All we've learned is that
whatever is invoking gpg2 is using systemd for that, I suppose. Well,
*that* narrows it down! Perhaps you can find something with journalctl,
which allows you to read systemd logs, I dunno. I'm still pretty new to
the systemd world. I do intend to learn.

I never use pstree, I use ps's "f" (forest) option. Does that show the
same thing? If you just add the "f" to your options, it would be ps
faux, which sounds French and fake but will work :-). Is there anything
informative in the full command line of those systemd processes?

> When hitting cancel on that pinentry window, I get another window, stating
> that kwallet wants to get access to my private key.

That is a lot more informative. I believe kwallet is the credential
manager for KDE, keeping passwords and stuff.

I've got two guesses:

1) At some point you permitted kwallet to encrypt all your credentials
using your OpenPGP key. It is simply trying to decrypt your "wallet" so
it can be accessed.

2) It wants to add your private key to its credentials and manage it for
you from now on.

1) is pretty benign and actually cool, 2) might not be to your liking at
all. Personally, my neck hair rises remembering the way gnome-keyring
"interacted" with GnuPG back in the day. This is water under the bridge
now, gnome-keyring is a fine citizen again these days, and I thank them
for that.

However, I don't know kwallet other than its basic function. I hope my
contribution helps you along, small as it is.

HTH,

Peter.

PS: I just had a similar thing the other day where an ssh-agent was
launched against my will, but it had no parents at all in the process
tree! Cost me a long time of fruitless bug hunting until I thought of
replacing /usr/bin/ssh-agent with a shell script that logged "ps fx"
output at the moment it was invoked, when it still had a parent. Then
everything went quickly from there on.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



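The PS above describes the practical trick for the "who is calling gpg2/ssh-agent?" question when pstree only shows systemd: put a logging shim in the binary's place so the caller is recorded while it is still the parent. The following is an added example (not from the thread) of such a shim that records the caller's full ancestry from Linux /proc, then execs the real program so the caller sees no difference. The path `/usr/bin/ssh-agent.real` for the moved-aside binary and the log file name are assumptions; replacing a binary under /usr/bin needs root and should be undone once the culprit is found. On systems without /proc the chain degrades to the shim's own process.

```python
"""Logging shim: record which process chain invoked this program, then exec
the real binary.  Added example, not code from the thread.
Install (assumed names): mv /usr/bin/ssh-agent /usr/bin/ssh-agent.real and
put this script at /usr/bin/ssh-agent, executable."""
import os
import sys
import time

REAL_BINARY = "/usr/bin/ssh-agent.real"                    # assumption
LOG_FILE = os.path.expanduser("~/ssh-agent-callers.log")   # assumption
PROC = "/proc"


def _read(path: str) -> bytes:
    try:
        with open(path, "rb") as f:
            return f.read()
    except OSError:        # no /proc, process already gone, or hidepid
        return b""


def _parent_pid(pid: int) -> int:
    status = _read(f"{PROC}/{pid}/status").decode(errors="replace")
    for line in status.splitlines():
        if line.startswith("PPid:"):
            return int(line.split()[1])
    return 0


def _cmdline(pid: int) -> str:
    raw = _read(f"{PROC}/{pid}/cmdline").replace(b"\0", b" ").strip()
    return raw.decode(errors="replace") or "<kernel thread or unreadable>"


def ancestry(pid: int) -> list:
    """[(pid, cmdline), ...] from `pid` up to the root of the process tree.
    The `seen` set guards against a malformed /proc producing a cycle."""
    chain, seen = [], set()
    while pid > 0 and pid not in seen:
        seen.add(pid)
        chain.append((pid, _cmdline(pid)))
        pid = _parent_pid(pid)
    return chain


def current_ancestry() -> list:
    """Ancestry of this very process, i.e. the shim and whoever ran it."""
    return ancestry(os.getpid())


def format_report(argv: list, chain: list, when: str) -> str:
    """One block per invocation: the argv used, then pid and cmdline per
    ancestor, innermost first (the shim itself is the first line)."""
    lines = [f"--- {when} invoked as {argv!r}"]
    lines += [f"  {pid:>7}  {cmd}" for pid, cmd in chain]
    return "\n".join(lines) + "\n"


def log_and_exec(real_binary: str, log_file: str) -> None:
    report = format_report(sys.argv, current_ancestry(),
                           time.strftime("%Y-%m-%d %H:%M:%S"))
    with open(log_file, "a") as f:
        f.write(report)
    # Replace this process with the real program: same argv, same fds,
    # same environment, so the caller cannot tell the shim was there.
    os.execv(real_binary, [real_binary] + sys.argv[1:])


if __name__ == "__main__":
    log_and_exec(REAL_BINARY, LOG_FILE)
```

The ancestry walk is what `ps faux` shows as a tree, captured at the one moment that matters; if the first logged ancestor is a systemd user instance, its cmdline together with `journalctl --user` around the logged timestamp is the next place to look.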