gpg2 missing

2017-10-11 Thread Honza Klos
Hello,

am I missing something? gpg2.exe is not installed on installation of
gpg4win 3.0.0. I am well aware that it is supposed to be the same binary as
gpg.exe, however the behaviour (namely whether to run agent / GUI pinentry
on password prompt) changes depending on how it is called. My git was
configured to utilize gpg2. Simply creating a symlink works; changing git
configuration to gpg.exe does not work in TortoiseGit (as expected) as the
password is read from STDIN, not pinentry(-32).exe.

Regards,

Jan Klos
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Generating a new keypair through GnuPG 2.x in Ubuntu 16.0.4

2017-10-11 Thread vedaal


On 10/11/2017 at 2:33 AM, "Werner Koch" wrote:
> On Tue, 10 Oct 2017 20:26, ved...@nym.hush.com said:
>
> >  gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc.
>
> You left out the line which tells the libgcrypt version numbers like in
>
>   $ gpg --version
>   gpg (GnuPG) 2.2.1-beta1
>   libgcrypt 1.8.1
>   [...]

Sorry,

here it is:

londo@londo-earth-trinket:~$ gpg2 --verbose --verbose --version
gpg (GnuPG) 2.1.11
libgcrypt 1.6.5

Should I get the new libgcrypt?
TIA

Vedaal



Re: FAQ and GNU

2017-10-11 Thread Neal H. Walfield
At Wed, 11 Oct 2017 17:47:29 +0200,
Werner Koch wrote:
> On Wed, 11 Oct 2017 09:15, n...@walfield.org said:
> 
> > I'm aware of an effort that tried to port GnuPG to Android.  bionic
> > was a source of several problems.  As far as I know, the work is
> 
> Actually we solved the Bionic problems a long time ago.  The major
> problem was actually custom pinentry for android.  That has been
> written and I have seen reports that everything worked.

That's great to know, thanks!  Unfortunately, it appears that there
have either been regressions or the people that I spoke with made some
mistakes.



Re: FAQ and GNU

2017-10-11 Thread Werner Koch
On Wed, 11 Oct 2017 09:15, n...@walfield.org said:

> I'm aware of an effort that tried to port GnuPG to Android.  bionic
> was a source of several problems.  As far as I know, the work is

Actually we solved the Bionic problems a long time ago.  The major
problem was actually custom pinentry for android.  That has been
written and I have seen reports that everything worked.  However, the
guardianproject ran out of funding and the involved hackers moved on to
other projects.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: gnupg on read-only filesystem

2017-10-11 Thread Daniel Kahn Gillmor
On Wed 2017-10-11 08:53:59 +0200, Fourhundred Thecat wrote:
>> On 2017-10-10 15:48, Daniel Kahn Gillmor wrote:
>>
>>  You could try the following:
>> 
>> export GNUPGHOME=$(mktemp -d)
>> gpg -d file.gpg
>> rm -rf "$GNUPGHOME"
>
> thank you, that works.
>
> But it still starts the gpg-agent.
>
> How can I use gpg without the agent ?

Modern GnuPG delegates passphrase caching and secret key management to
the gpg-agent co-process.

The gpg-agent process should disappear as soon as you remove the
ephemeral home directory.

Why do you care whether gpg is one process or two processes?

--dkg


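An added example (not dkg's code and not part of GnuPG) that wraps the ephemeral-GNUPGHOME recipe quoted above in shell functions and, instead of relying on the agent noticing that its home directory has vanished, explicitly asks that agent to exit with gpgconf --kill before the directory is removed. It assumes GnuPG 2.1 or later (gpgconf --kill and --pinentry-mode loopback exist there); the self-check uses symmetric encryption of a constructed message so it needs no keyring and no secret key.

```shell
#!/bin/sh
# Added example, not from the thread: run gpg with a throwaway home directory
# and shut down the agent it auto-starts for that directory before deleting it.
# Assumes GnuPG >= 2.1 (gpgconf --kill, --pinentry-mode loopback).

# 0 if the installed gpg is 2.1 or later, 1 otherwise (1.4 has no agent model).
gnupg_is_21_or_later() {
    v=$(gpg --version 2>/dev/null | sed -n '1s/.* //p')
    case "$v" in
        2.[1-9]*|[3-9].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Create an ephemeral GNUPGHOME (mode 0700, as gpg expects) and print its path.
# allow-loopback-pinentry makes --pinentry-mode loopback work on every 2.1.x
# release; from 2.1.12 on it is the default, so the line is harmless there.
ephemeral_gnupghome() {
    d=$(mktemp -d) || return 1
    chmod 700 "$d"
    printf 'allow-loopback-pinentry\n' > "$d/gpg-agent.conf"
    printf '%s\n' "$d"
}

# Stop the agent bound to home $1 (if one is running) and remove the directory.
# Killing first means no agent lingers holding a cached passphrase or a socket
# that points at a directory that no longer exists.
teardown_gnupghome() {
    GNUPGHOME=$1 gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$1"
}

# Decrypt $1 to stdout inside a fresh GNUPGHOME; extra args are passed to gpg.
# The passphrase arrives on stdin (--passphrase-fd 0), which keeps it out of
# the process list, unlike --passphrase on the command line.
gpg_ephemeral_decrypt() {
    file=$1; shift
    home=$(ephemeral_gnupghome) || return 1
    GNUPGHOME=$home gpg --quiet --batch --pinentry-mode loopback \
        --passphrase-fd 0 --decrypt "$@" "$file"
    rc=$?
    teardown_gnupghome "$home"
    return $rc
}

# Self-check: symmetric-encrypt a constructed message in one ephemeral home,
# decrypt it through gpg_ephemeral_decrypt (a second ephemeral home), and
# print the recovered plaintext for the caller to compare.
gpg_ephemeral_roundtrip() {
    plaintext=$1
    pw=$2
    enc_home=$(ephemeral_gnupghome) || return 1
    printf '%s' "$plaintext" > "$enc_home/msg.txt"
    printf '%s\n' "$pw" | GNUPGHOME=$enc_home gpg --quiet --batch --yes \
        --pinentry-mode loopback --passphrase-fd 0 --symmetric \
        --output "$enc_home/msg.gpg" "$enc_home/msg.txt"
    out=$(printf '%s\n' "$pw" | gpg_ephemeral_decrypt "$enc_home/msg.gpg")
    teardown_gnupghome "$enc_home"
    printf '%s' "$out"
}

# Usage: gpg_ephemeral_roundtrip 'hello from a read-only box' 's3cret'
```

On a read-only root the only writable location needed is wherever mktemp puts the directory; the agent still starts, because every gpg operation that touches a passphrase or secret key goes through it, but it is tied to that directory and dies with it.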


GnuPG on Android [was: Re: FAQ and GNU]

2017-10-11 Thread Daniel Kahn Gillmor
On Wed 2017-10-11 09:15:41 +0200, Neal H. Walfield wrote:
> At Wed, 11 Oct 2017 08:26:21 +0200,
> Werner Koch wrote:
>> On Tue, 10 Oct 2017 20:55, b...@adversary.org said:
>> 
>> > Has anyone managed to get any part of the GPG libs to compile on
>> > Android/Linux?  As far as I'm aware no one has and all OpenPGP
>> 
>> There might be problems with the current release, but GnuPG is expected
>> to build for Android just fine.  And on AIX and HP/UX.  There might be
>> build problems, but those are bugs we need to fix.
>
> I'm aware of an effort that tried to port GnuPG to Android.  bionic
> was a source of several problems.  As far as I know, the work is
> currently stalled.

I've been asked about this repeatedly myself, and my impression aligns
with what Neal is saying, but i'd be happy to be wrong.

here's the project i was thinking of, which was farthest along in terms
of system integration on Android:

   https://guardianproject.info/code/gnupg/

At any rate, it sounds like the details here might be something that we
want to put in the FAQ :)

Clearly it is *not* the case that most Android-based Linux systems
(which is to say, most Linux-based systems, when measuring by
installation count) come with GnuPG installed by default, alas. :(

--dkg




Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?

2017-10-11 Thread Pete Stephenson
On Tue, Oct 10, 2017, at 05:39 PM, Whitey wrote:
> Pete Stephenson wrote:
> > On Mon, Oct 9, 2017, at 06:53 PM, Stefan Claas wrote:
> >> I read once here on the Mailing List that one should only use
> >> trusted USB devices, whatever that means, when using an USB
> >> device.
> > 
> > If you must use USB devices for some reason, take a look at the
> > 
> > flash drive.
> > 
> > It's designed specifically to protect against "badUSB", where the
> > controller and firmware can be compromised. The controller has the
> > developer's public key baked in during manufacture. The firmware is
> > signed and can only be loaded once (no provision is made for
> > in-the-field firmware updates). The controller verifies the firmware and
> > its signature at every power-on. If a malicious actor had physical
> > access and re-flashed the firmware, the controller would notice and fail
> > to load.
> > 
> > It also has a physical write-protect switch that can prevent unwanted
> > writes.
> 
> Since a flash drive is a read/write device, when would writes be
> unwanted?  When should I use this?

Vague answer: that depends on your threat model.

When interacting with an untrusted system, you may not want the
untrusted system to be able to write data to the USB drive that might
also be used on the trusted system. In my use case, I was more
interested in the novelty and principle of having a signed, verified
firmware running on the device that is not vulnerable to the badUSB
attack. The write protect switch is actually a bit of a hassle for me,
as the screen printing indicating which position is read-only has worn
off with use, so I always accidentally set it to read-only when I want
it in read/write mode (in much the same way that all USB plugs exist in
a superposition of multiple states, all aligned the wrong way). :)

-- 
Pete Stephenson



Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?

2017-10-11 Thread Andrew Gallagher
On 11/10/17 13:04, Robert J. Hansen wrote:
> Permitting
> trusted machines to communicate in a *provably* one-way manner with
> systems outside the DMZ is an important problem -- not just being able
> to do it, but coming up with a way simple enough that non-technical
> users can understand.

Point a webcam at the local console. ;-)

-- 
Andrew Gallagher





Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?

2017-10-11 Thread Robert J. Hansen
> Our frames of reference were different: I was actually mostly
> thinking about a duplex system, which if needed could be reduced to
> simplex, in which case it would be the other way around than your
> use-case. I never considered the scenario where the trusted system
> was already compromised and you need to make sure it is completely
> deaf and blind so an attacker can't influence it in real time.

Right.  Our assumption was that the web server would be compromised
within moments of bringing up the external-facing network.  Permitting
trusted machines to communicate in a *provably* one-way manner with
systems outside the DMZ is an important problem -- not just being able
to do it, but coming up with a way simple enough that non-technical
users can understand.

> The disadvantage for your attacker is lack of economy of scale: an
> attack through internet can be done from your home to anywhere on the
> planet. If you need to be in the vicinity of your target, you lose
> that.

That's why the vote tabulating office is guarded by people with guns.  :)



Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?

2017-10-11 Thread Peter Lebbing
On 11/10/17 04:49, Robert J. Hansen wrote:
> The assumption was the web server was compromised: given that, how
> can you be absolutely sure there's no communication channel back to
> the trusted tabulator?

Ah, this isn't about corrupting data on the line, about getting wrong
data in what is the correct direction.

This is about ensuring that a simplex link is really a simplex link.
It's about data not going in the wrong direction.

Furthermore, it is a simplex link from a trusted to an untrusted system.
Whereas the OP was talking about wanting to transfer data from an
untrusted to a trusted system.

Our frames of reference were different: I was actually mostly thinking
about a duplex system, which if needed could be reduced to simplex, in
which case it would be the other way around than your use-case. I never
considered the scenario where the trusted system was already compromised
and you need to make sure it is completely deaf and blind so an attacker
can't influence it in real time.

> We didn't need a fast link from the tabulator to the web server: we 
> needed a slow and absolutely, positively, definitively one-way link.

I'm sure you're aware of this, but I think it's useful to point out
since this is a public mailing list :-).

If your attacker can get physically somewhat close to your tabulator,
there are RF and powerline attacks to consider as well... if you don't
trust the IC's in the tabulator, that can get tricky. The disadvantage
for your attacker is lack of economy of scale: an attack through
internet can be done from your home to anywhere on the planet. If you
need to be in the vicinity of your target, you lose that.

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: FAQ and GNU

2017-10-11 Thread Neal H. Walfield
At Wed, 11 Oct 2017 08:26:21 +0200,
Werner Koch wrote:
> On Tue, 10 Oct 2017 20:55, b...@adversary.org said:
> 
> > Has anyone managed to get any part of the GPG libs to compile on
> > Android/Linux?  As far as I'm aware no one has and all OpenPGP
> 
> There might be problems with the current release, but GnuPG is expected
> to build for Android just fine.  And on AIX and HP/UX.  There might be
> build problems, but those are bugs we need to fix.

I'm aware of an effort that tried to port GnuPG to Android.  bionic
was a source of several problems.  As far as I know, the work is
currently stalled.




Re: FAQ and GNU

2017-10-11 Thread Neal H. Walfield
At Tue, 10 Oct 2017 23:55:32 -0400,
Robert J. Hansen wrote:
> 
> > Amazing how much people want to comment on the color of this 
> > particular bikeshed!
> 
> I agree.  Bikeshedding frustrates me: I'll leave it at that.
> 
> Reviewing the last forty-odd emails on the subject, there are a small
> number of regular contributors to the community who are in favor, a
> small number opposed, and a smaller number of mostly-lurkers who have
> exceptionally strong feelings.
> 
> I do not see a community consensus one way or another.  I'll continue
> with my original plan.

I didn't realize that there was a vote.  FWIW, I agree with dkg,
although I'm not particularly passionate about it.

:) Neal



Re: gnupg on read-only filesystem

2017-10-11 Thread Fourhundred Thecat
> On 2017-10-10 15:48, Daniel Kahn Gillmor wrote:
>
>  You could try the following:
> 
> export GNUPGHOME=$(mktemp -d)
> gpg -d file.gpg
> rm -rf "$GNUPGHOME"

thank you, that works.

But it still starts the gpg-agent.

How can I use gpg without the agent ?



Re: FAQ and GNU

2017-10-11 Thread Werner Koch
On Tue, 10 Oct 2017 20:55, b...@adversary.org said:

> Has anyone managed to get any part of the GPG libs to compile on
> Android/Linux?  As far as I'm aware no one has and all OpenPGP

There might be problems with the current release, but GnuPG is expected
to build for Android just fine.  And on AIX and HP/UX.  There might be
build problems, but those are bugs we need to fix.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: Generating a new keypair through GnuPG 2.x in Ubuntu 16.0.4

2017-10-11 Thread Werner Koch
On Tue, 10 Oct 2017 20:26, ved...@nym.hush.com said:

>   gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc.

You left out the line which tells the libgcrypt version numbers like in

  $ gpg --version
  gpg (GnuPG) 2.2.1-beta1
  libgcrypt 1.8.1
  [...]


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

