Re: GnuPGv2 & 'pinentry' on Linux w/ remote access

[Dan Kegel]

On Tue, Nov 7, 2017 at 5:45 AM, Sander Smeenk via Gnupg-users
 wrote:
> Could you elaborate on the 'why' part of this enforced pinentry usage
> with GnuPG? It wasn't mandatory in 1.x, now it's forced on us.
>
> Where did that come from?
> What problem did it solve?

I'm curious, too.

It sure makes scripting hard.
- Dan

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: New smart card / token alternative

[timothy.steiner--- via Gnupg-users]

If you are using something like Tails you would probably just install the GPG 
agent. Tails allows installing additional software - 
https://tails.boum.org/doc/advanced_topics/additional_software/index.en.html. 
U2F is available in the new version of Firefox being released later this year 
so if that is included in future Tails release then there would be in-browser 
support in Tails.
The risk mentioned with a key-logger/screen capture is the same for all smart 
cards/tokens, and really all methods of composing a message on a computer. The 
risk would even apply to Tails if say the user installed malicious software or 
browsed to a site that exploited a browser vulnerability. 

On Monday, November 6, 2017, 5:26:51 PM EST,  wrote:  
 
 

On 11/6/2017 at 4:55 PM, "Tim Steiner"  wrote:

\We have been working on a project to build a direct interface for PGP/GPG 
usage using U2F for web apps and browser extensions. This is similar to 
existing smart cards and tokens but no software install is required.

We set out to solve this problem -"Man, I really wish I could read this PGP 
message, or send this message, or open this file, or sign this file, but I 
don't have my laptop with me"

With this solution you can keep the key offline, carry it with you and it works 
even on a computer where you can't install software - 
https://www.kickstarter.com/projects/1048259057/onlykey-quantum-future-ready-encryption-for-everyo

We are interested to hear feedback on this approach from the community.

=

Using this on anything except your own computer, or laptop, is problematic, 
as the 'host' computer can have a key-logger or screen capturer, and copy the 
decrypted plaintext, or the plaintext to be encrypted.

Can it be made to work with Tails/Tor which uses GunPG ?

(The  'insecure' browser on Tails not involving Tor, is a Firefox variant.  
If it can work on that, then booting from the Tails USB avoids a 
screencapturer, and using on on-screen keyboard avoids a hardware keyboard 
logger.

But even so, there are problems with using it on an 'unknown' computer :

https://tails.boum.org/doc/about/warning/index.en.html#index2h1


vedaal

  ___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GnuPG 2.2.2 speedo swdb.lst

[Werner Koch]

On Tue,  7 Nov 2017 16:29, mac3...@gmail.com said:

> $ cat swdb.lst
> gnupg22_ver 2.2.1
> gnupg22_date 2017-09-19

Oh sorry.  I only generated the new swdb.lst but forgot the "make
upload".  Done now.

Thanks,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


pgpCcQT5oZZwW.pgp
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GnuPGv2 & 'pinentry' on Linux w/ remote access

[Ryan Beethe]

Well... it happens that when I copy your script to my archlinux machine,
everything works fine.

It also happens that when I copy your script into my ubuntu machine, I
had to change both references of `gpg` to `gpg2`, since in ubuntu gpg is
not the same program as gpg2.  I also would find it convenient to add a
`--default-recipient-self` to the `gpg2 -ea` line, but maybe that's just
me.  If the same change works for you, perhaps you have an
"alias gpg=gpg2" in your ~/.bashrc, causing your shell to behave
differently that vim?

Personally, I use a plugin (https://github.com/jamessan/vim-gnupg) and I
have never had problems.  Then in my ~/.vimrc, I just had to set:

let GPGUsePipes=1
let GPGDefaultRecipients=['my.em...@address.com']


Ryan

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

GnuPG 2.2.2 speedo swdb.lst

[murphy]

Hi Werner - I had trouble compiling GnuPG on my Raspberry Pi with error:

make -f /home/pi/Downloads/gnupg-2.2.2/build-aux/speedo.mk UPD_SWDB=1
TARGETOS=native WHAT=release WITH_GUI=0 all
make[1]: Entering directory '/home/pi/Downloads/gnupg-2.2.2'
gpgv: Signature made Thu 21 Sep 2017 03:51:24 AM EDT
gpgv:    using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpgv: Good signature from "Werner Koch (dist sig)"
GnuPG version in swdb.lst is less than this version!
  This version: 2.2.2
  SWDB version: 2.2.1
/home/pi/Downloads/gnupg-2.2.2/build-aux/speedo.mk:272: *** Error
getting GnuPG software version database.  Stop.
make[1]: Leaving directory '/home/pi/Downloads/gnupg-2.2.2'
build-aux/speedo.mk:72: recipe for target 'native' failed
make: *** [native] Error 2

$ cat swdb.lst
gnupg22_ver 2.2.1
gnupg22_date 2017-09-19

Does this need to be updated to 2.2.2 ?

Thanks for your attention!

Murphy




signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: New smart card / token alternative

[listo factor via Gnupg-users]

On 11/06/2017 10:26 PM, ved...@nym.hush.com wrote:


On 11/6/2017 at 4:55 PM, "Tim Steiner"  wrote:

With this solution you can keep the key offline, carry it with you and it  > 
works even on a computer where you can't install software...

>

We are interested to hear feedback on this approach from the community.


=

Using this on anything except your own computer, or laptop, is problematic...


=

This is a mantra from another, more gentle time.

Today, there is a whole class of real-world use cases where the
protection of the user demands that it not be known to the adversary
he or she is communicating with someone, as much - or even more -
than it is required that the content of the communication is kept
confidential. If the connection between the user and the computer
is transient, there may well be many instances where the adversary
will not be able to identify the user, even if he manages to learn
the content, and where the content, without the identity of the
communicator, is of very limited value to the adversary.

It therefore appears to me this is a worthwhile project, provided,
like always, *and for any crypto*, the user understands his or her
threat model.



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GnuPGv2 & 'pinentry' on Linux w/ remote access

[Sander Smeenk via Gnupg-users]

Quoting Ryan Beethe (r...@splintermail.com):

> I think my setup might be almost a drop-in fix for your gpg-over-ssh
> issue, although you will have to figure out where to set the
> environment variable for your particular window manager.

Thanks for your tips and tricks. It's the less bodgy version of the
"wrapper" i wrote. I've adapted them to my system and it seems this is
actually working for the remote-ssh-on-a-system-running-X issue.

However; i still can't use 'gpg -qd' in vim like so:

| augroup GPGEncrypted
| au!
| au BufReadPre,FileReadPre  *.asc,*.gpg set viminfo=
| au BufReadPre,FileReadPre  *.asc,*.gpg set noswapfile
| au BufReadPre,FileReadPre  *.asc,*.gpg set bin
| au BufReadPre,FileReadPre  *.asc,*.gpg let ch_save = |set ch=2
| au BufReadPost,FileReadPost*.asc,*.gpg '[,']!gpg -qd 2> /dev/null
| au BufReadPost,FileReadPost*.asc,*.gpg set nobin
| au BufReadPost,FileReadPost*.asc,*.gpg let  = ch_save|unlet ch_save
| au BufReadPost,FileReadPost*.asc,*.gpg execute ":doautocmd 
BufReadPost " . expand("%:r")
| au BufReadPost,FileReadPost*.asc,*.gpg set ff=unix
| au BufWritePre,FileWritePre*.asc,*.gpg '[,']!gpg -ae 2>/dev/null
| au BufWritePost,FileWritePost  *.asc,*.gpg u
| augroup END

It seems pinentry(-curses) doesn't want to start from within vim.

Do you also have any brilliant ideas there?

Rgds,
Sndr.
-- 
| Cat, n.: Lapwarmer with built-in buzzer.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GnuPGv2 & 'pinentry' on Linux w/ remote access

[Sander Smeenk via Gnupg-users]

Quoting Werner Koch (w...@gnupg.org):

> > It's rather cumbersome and very dodgy at least. How do others deal with
> > this? Or is everyone using GPG solely in GUI environments nowadays? ;)
> The current develppment version of Pinentry uses this info on Linux to
> to show the process name in the titlebar.

Thanks for your insights and continued efforts to keep our data safe!

Could you elaborate on the 'why' part of this enforced pinentry usage
with GnuPG? It wasn't mandatory in 1.x, now it's forced on us.

Where did that come from?
What problem did it solve?

Thanks again,
-Sndr.
-- 
| Bakers trade bread recipes on a knead to know basis.  
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GnuPGv2 & 'pinentry' on Linux w/ remote access

[Werner Koch]

On Mon,  6 Nov 2017 22:49, gnupg-users@gnupg.org said:

> It's rather cumbersome and very dodgy at least. How do others deal with
> this? Or is everyone using GPG solely in GUI environments nowadays? ;)

If I want to test the curses Pinentry I simply run

  DISPLAY= gpg ...

and get the curses pinentry even when using an xterm (which is my usual
environment). For example you could start mutt the same way

  DISPLAY= mutt 

and you get the curses.  Drawback is that you won't get an image viewer
either.

Instead of using the envvar you could also invoke gpg like

  gpg --display=none 

which sets the display to none and pinentry will fallback to curses.
Using "none" is not really correct but --display requires an option and
does not like an empty string.

It is also possible to write a pinentry which depends on the actual
program invoking gpg: gpg-agent tells pinentry the pid of the process
invoking gpg; e.g.

  OPTION owner=9798 wheatstone

The current develppment version of Pinentry uses this info on Linux to
to show the process name in the titlebar.



Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


pgpFyNyD0Dna8.pgp
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

[Announce] GnuPG 2.2.2 released

[Werner Koch]

Hello!

We are is pleased to announce the availability of a new GnuPG release:
version 2.2.2.  This is a maintenance release; see below for a list of
fixed bugs.


About GnuPG
===

The GNU Privacy Guard (GnuPG) is a complete and free implementation
of the OpenPGP standard which is commonly abbreviated as PGP.

GnuPG allows to encrypt and sign data and communication, features a
versatile key management system as well as access modules for public key
directories.  GnuPG itself is a command line tool with features for easy
integration with other applications.  A wealth of frontend applications
and libraries making use of GnuPG are available.  As an Universal Crypto
Engine GnuPG provides support for S/MIME and Secure Shell in addition to
OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom).  It can
be freely used, modified and distributed under the terms of the GNU
General Public License.


Noteworthy changes in version 2.2.2
===

  * gpg: Avoid duplicate key imports by concurrently running gpg
processes. [#3446]

  * gpg: Fix creating on-disk subkey with on-card primary key. [#3280]

  * gpg: Fix validity retrieval for multiple keyrings. [Debian#878812]

  * gpg: Fix --dry-run and import option show-only for secret keys.

  * gpg: Print "sec" or "sbb" for secret keys with import option
import-show. [#3431]

  * gpg: Make import less verbose. [#3397]

  * gpg: Add alias "Key-Grip" for parameter "Keygrip" and new
parameter "Subkey-Grip" to unattended key generation.  [#3478]

  * gpg: Improve "factory-reset" command for OpenPGP cards.  [#3286]

  * gpg: Ease switching Gnuk tokens into ECC mode by using the magic
keysize value 25519.

  * gpgsm: Fix --with-colon listing in crt records for fields > 12.

  * gpgsm: Do not expect X.509 keyids to be unique.  [#1644]

  * agent: Fix stucked Pinentry when using --max-passphrase-days. [#3190]

  * agent: New option --s2k-count.  [#3276 (workaround)]

  * dirmngr: Do not follow https-to-http redirects. [#3436]

  * dirmngr: Reduce default LDAP timeout from 100 to 15 seconds. [#3487]

  * gpgconf: Ignore non-installed components for commands
--apply-profile and --apply-defaults. [#3313]

  * Add configure option --enable-werror.  [#2423]


Getting the Software


Please follow the instructions found at  or
read on:

GnuPG 2.2.2 may be downloaded from one of the GnuPG mirror sites or
direct from its primary FTP server.  The list of mirrors can be found at
.  Note that GnuPG is not
available at ftp.gnu.org.

The GnuPG source code compressed using BZIP2 and its OpenPGP signature
are available here:

 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.2.tar.bz2 (6394k)
 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.2.tar.bz2.sig

An installer for Windows without any graphical frontend except for a
very minimal Pinentry tool is available here:

 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.2_20171107.exe (3807k)
 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.2_20171107.exe.sig

The source used to build the Windows installer can be found in the same
directory with a ".tar.xz" suffix.  A new Gpg4win 3.0 installer
featuring this version of GnuPG will be available soon.  In the meantime
you may install this version on top of an installed Gpg4win 3.0 version.


Checking the Integrity
==

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a version of GnuPG installed, you can simply
   verify the supplied signature.  For example to verify the signature
   of the file gnupg-2.2.2.tar.bz2 you would use this command:

 gpg --verify gnupg-2.2.2.tar.bz2.sig gnupg-2.2.2.tar.bz2

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by one or more of the release signing keys.  Make sure that
   this is a valid key, either by matching the shown fingerprint
   against a trustworthy list of valid release signing keys or by
   checking that the key has been signed by trustworthy other keys.
   See the end of this mail for information on the signing keys.

 * If you are not able to use an existing version of GnuPG, you have
   to verify the SHA-1 checksum.  On Unix systems the command to do
   this is either "sha1sum" or "shasum".  Assuming you downloaded the
   file gnupg-2.2.2.tar.bz2, you run the command like this:

 sha1sum gnupg-2.2.2.tar.bz2

   and check that the output matches the next line:

efa00fc20295b1cafe467359107ea170258870e2  gnupg-2.2.2.tar.bz2
19224023f5a7750743d042b0bfbd5e44fbc9aeb2  gnupg-w32-2.2.2_20171107.exe
0bb69eb774f8c39b8092b5615a19e656bb681084  gnupg-w32-2.2.2_20171107.tar.xz


Internationalization


This version of GnuPG has support 

Re: New smart card / token alternative

[Philipp Klaus Krause]

Am 06.11.2017 um 23:26 schrieb ved...@nym.hush.com:
> 
> 
> On 11/6/2017 at 4:55 PM, "Tim Steiner"  wrote:
> 
> \We have been working on a project to build a direct interface for
> PGP/GPG usage using U2F for web apps and browser extensions. This is
> similar to existing smart cards and tokens but no software install is
> required.
> 
> We set out to solve this problem -"Man, I really wish I could read
> this PGP message, or send this message, or open this file, or sign
> this file, but I don't have my laptop with me"
> 
> With this solution you can keep the key offline, carry it with you
> and it works even on a computer where you can't install software -
> https://www.kickstarter.com/projects/1048259057/onlykey-quantum-future-ready-encryption-for-everyo
>
>  We are interested to hear feedback on this approach from the
> community.
> 
> =
> 
> Using this on anything except your own computer, or laptop, is
> problematic, as the 'host' computer can have a key-logger or screen
> capturer, and copy the decrypted plaintext, or the plaintext to be
> encrypted.

I have often been insituations, where I had access to a friend's
computer, and you trust the friend and their computer skills enough to
handle a message on their computer.

A typical scenario might even be a sending a signed message where the
contents are intentionally known to that friend.

While I tend to carry my laptop with me often, not everyone does.

Philipp

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users