Re: How can we utilize latest GPG from RPM repository?

2018-02-21 Thread Ben McGinnes
On Wed, Feb 21, 2018 at 07:36:08AM -0800, Dan Kegel wrote:
> On Tue, Feb 20, 2018 at 10:16 PM, Ben McGinnes  wrote:
>>
>> Because these two lines explain *precisely* why you need something
>> like RHEL or CentOS (certified systems to go with the auditing)
>> *and* updated crypto.
> 
> And when you're on those certified, curated systems, you have
> access to tools like
> https://www.open-scap.org/resources/documentation/make-a-rhel7-server-compliant-with-pci-dss/
> to help make sure you're in compliance, I think.
> 
> I suspect that kind of approach would make passing audits a lot
> easier than building the latest gnupg release yourself...
> and is less likely to break things.

In all likelihood, yes ... however open-scap.org is a RedHat service
and most likely only supplied to RHEL customers seeking PCI-DSS
compliance along with direct support via their service contract.

If, however, this particular case actually deals with CentOS systems
and not RHEL, then the OP has elected to forego that type of
professional service contract from the vendor in order to do it
themselves.

Which brings us either back to this thread, or a business decision at
their end regarding whether or not to bring their systems back to RHEL
(it requires changing two files, IIRC, assuming they haven't massively
modified things) and paying RedHat whatever it takes to get the job
done.  I cannot predict which they will choose, nor am I willing to
make a recommendation solely on what's been presented here.

Still, the OP wanted options and now they've been provided.  :)


Regards,
Ben


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: wotmate: simple grapher for your keyring

2018-02-21 Thread Fraser Tweedale
u wot m8

http://knowyourmeme.com/memes/u-wot-m8

Nice tool; thanks for sharing!

Cheers,
Fraser

On Wed, Feb 21, 2018 at 09:59:01AM -0500, Konstantin Ryabitsev wrote:
> Hi, all:
> 
> I've been maintaining the kernel.org web of trust for the past 5+ years,
> and I wrote a number of tools to help me visualize trust paths between
> fully trusted keys and those belonging to newer developers.
> 
> I finally got a chance to clean up the code, and I hope it's useful to
> others:
> 
> https://github.com/mricon/wotmate
> 
> If you think this is very similar to the PGP Pathfinder tool on
> https://pgp.cs.uu.nl, then you are right, but there is an important
> distinction. Wotmate does not require that a key is in the "strong set"
> before you can track paths to it, and you also don't have to wait for
> days before new signatures are reflected in the wotsap file.
> 
> Example usage (assuming you have Linus Torvalds' key in your keyring):
> 
> ./make-sqlitedb.py
> ./graph-paths.py torvalds
> eog graph.png
> 
> Best,
> -- 
> Konstantin Ryabitsev
> Director, IT Infrastructure Security
> The Linux Foundation
> 


Re: wotmate: simple grapher for your keyring

2018-02-21 Thread Ben McGinnes
On Wed, Feb 21, 2018 at 09:59:01AM -0500, Konstantin Ryabitsev wrote:
> Hi, all:
> 
> I've been maintaining the kernel.org web of trust for the past 5+ years,
> and I wrote a number of tools to help me visualize trust paths between
> fully trusted keys and those belonging to newer developers.
> 
> I finally got a chance to clean up the code, and I hope it's useful to
> others:
> 
> https://github.com/mricon/wotmate

Oh, that's very cute.  :)

Also nice to see it's py3 and so I've already forked it.  At some
point in the not too distant future I'll tweak it to try for gpgme
first and import all the keys that way, then revert back to your code
once the db is built from that.  At the very least it'll make for a
nice demonstration to compare the CLI with colons vs API methods of
doing the same thing (key counting doesn't really achieve that too
well since it's about three lines of code).


Regards,
Ben




Re: Why Operating Systems don't always upgrade GnuPG

2018-02-21 Thread Peter Lebbing
On 21/02/18 17:22, Teemu Likonen wrote:
> default-key FINGERPRINT!

That would help for command-line usage for a user with only one private
key. But anything else might not use the default key.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: How can we utilize latest GPG from RPM repository?

2018-02-21 Thread Dan Kegel
On Tue, Feb 20, 2018 at 10:16 PM, Ben McGinnes  wrote:
> On Sat, Feb 17, 2018 at 05:06:54PM -0600, helices wrote:
>> I will probably never understand why wanting to run the most current
>> version of gnupg on a plethora of servers is controversial.
>>
>> Nevertheless, the two (2) greatest reasons are:
>>
>>1. PCI DSS v3.2
>>2. PCI DSS compliance audits
>
> Ah, now *this* is a pertinent fact that would've helped at the
> beginning of the thread and the fact that it wasn't is a clear
> demonstration of a tangential point I made further along about getting
> people to step back from their drilled in focus so we can identify the
> actual needs.
>
> Because these two lines explain *precisely* why you need something like
> RHEL or CentOS (certified systems to go with the auditing) *and*
> updated crypto.

And when you're on those certified, curated systems, you have
access to tools like
https://www.open-scap.org/resources/documentation/make-a-rhel7-server-compliant-with-pci-dss/
to help make sure you're in compliance, I think.

I suspect that kind of approach would make passing audits a lot easier
than building the latest gnupg release yourself...
and is less likely to break things.
- Dan



Re: Why Operating Systems don't always upgrade GnuPG

2018-02-21 Thread Teemu Likonen
Daniel Kahn Gillmor [2018-02-20 21:35:12-08] wrote:

> Anyway, here's one concrete example (hinted at above) of a
> programmatic gap that is much easier to achieve by mucking around with
> the internal state rather than by the programmatic interface:
>
>  * I want to introduce a new signing-capable subkey, and i want to
>distribute it widely, but i don't want to start signing with it just
>yet.

It seems to me that there is an easy gpg.conf solution:

default-key FINGERPRINT!

See the ! character which forces exactly that (sub)key for signing. Use
that option to select your old signing (sub)key.

-- 
/// Teemu Likonen   - .-..    //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///




wotmate: simple grapher for your keyring

2018-02-21 Thread Konstantin Ryabitsev
Hi, all:

I've been maintaining the kernel.org web of trust for the past 5+ years,
and I wrote a number of tools to help me visualize trust paths between
fully trusted keys and those belonging to newer developers.

I finally got a chance to clean up the code, and I hope it's useful to
others:

https://github.com/mricon/wotmate

If you think this is very similar to the PGP Pathfinder tool on
https://pgp.cs.uu.nl, then you are right, but there is an important
distinction. Wotmate does not require that a key is in the "strong set"
before you can track paths to it, and you also don't have to wait for
days before new signatures are reflected in the wotsap file.

Example usage (assuming you have Linus Torvalds' key in your keyring):

./make-sqlitedb.py
./graph-paths.py torvalds
eog graph.png

Best,
-- 
Konstantin Ryabitsev
Director, IT Infrastructure Security
The Linux Foundation





Re: having trouble checking the signature of a downloaded file

2018-02-21 Thread Kristian Fiskerstrand
On 02/21/2018 11:53 AM, Peter Lebbing wrote:
> On 21/02/18 10:48, Kristian Fiskerstrand wrote:
>>>gpg: Signature made Tue May  4 23:03:11 2004 JST
>> [...]
>>
>> The author should sign the package using a more modern and secure keyblock.
> Note that not the key, but the /signature/ is made 14 years ago. So
> we're talking about verifying the integrity of a really old file. The
> author might not be available anymore or willing to expend any effort.

Touché :) Indeed, didn't notice it was an old file/signature, then
gnupg 1.4 is the recommended official suggestion presuming established
validity of key material etc etc.

-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Dura necessitas
Necessity is harsh





Re: having trouble checking the signature of a downloaded file

2018-02-21 Thread Peter Lebbing
On 21/02/18 11:53, Peter Lebbing wrote:
> The
> author might not be available anymore or willing to expend any effort.

(Or the author might not have a more authentic copy of the file anymore
either. This is not the reason I'm self-replying though).

> This all comes with a major caveat.

Make that two. The OP writes:

On 21/02/18 10:37, Henry wrote:
> I downloaded a tarball ***6.4.tar.gz, it's signature file
> ***6.4.tar.gz.sig, and the author's public key **.pgp from a
> well-known site.

This sounds like there is no more assurance that the downloaded key is
authentic than that the downloaded file is authentic. When to decide
that a key is authentic is one of the more difficult problems of
practical cryptography use. Some people take confidence from downloading
identical copies of the key from multiple HTTPS websites. There are
still ways for an attacker to serve you the wrong one each time, but
it's better than nothing... The best is direct personal contact with the
owner of the key, but it seems a long shot.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: having trouble checking the signature of a downloaded file

2018-02-21 Thread Peter Lebbing
On 21/02/18 10:48, Kristian Fiskerstrand wrote:
>>gpg: Signature made Tue May  4 23:03:11 2004 JST
> [...]
> 
> The author should sign the package using a more modern and secure keyblock.

Note that not the key, but the /signature/ is made 14 years ago. So
we're talking about verifying the integrity of a really old file. The
author might not be available anymore or willing to expend any effort.

GnuPG 1.4 is kept around to verify such old files. So perhaps the OP
could use GnuPG 1.4 to verify the file; without further information
about the system he is using it is hard to explain how exactly to do
this. However, I get the feeling his OS is NetBSD :-). So if somebody
knows how GnuPG is installed there... (I don't)

This all comes with a major caveat. The reason you can't do it with
modern GnuPG is that the security of PGP-2 keys and signatures is no
longer at a sufficient level. So while it gives some confidence when the
signature verifies positively, a well-equipped attacker might have faked
it anyway!

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: having trouble checking the signature of a downloaded file

2018-02-21 Thread Kristian Fiskerstrand
On 02/21/2018 10:37 AM, Henry wrote:
> I downloaded a tarball ***6.4.tar.gz, it's signature file
> ***6.4.tar.gz.sig, and the author's public key **.pgp from a
> well-known site.
> 
> I imported the public key: `gpg --import **.pgp`.
> For some reason, two keys were "skipped":
>gpg: key 0C0B590E80CA15A7: 2 signatures not checked due to missing keys
>gpg: key 0C0B590E80CA15A7: "Author's Name 
>gpg: Total number processed: 3
>gpg: skipped PGP-2 keys: 2
  ^
  note this and see below

>gpg:  unchanged: 1
> 
> I tried to verify the downloaded file, but the check failed:
> `gpg --verify ***6.4.tar.gz.sig ***6.4.tar.gz`
>gpg: Signature made Tue May  4 23:03:11 2004 JST
>    gpg:                using RSA key DC80F2A6D5327CB9
>gpg: Can't check signature: No public key
> 

The above RSA key is in v3 format which is not supported in GnuPG >=2.1
for security reasons, hence not imported, and hence the output you see.

> This is the first time for this to happen, so I have no idea what I
> might be doing
> wrong.  Any help or suggestions much appreciated.  TIA

The author should sign the package using a more modern and secure keyblock.

-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Aut disce aut discede
Either learn or leave



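To make the "skipped PGP-2 keys" and "No public key" messages in the exchange above concrete, here is an added example (written for this archive, not GnuPG's code and not from either poster) that walks a binary OpenPGP keyblock, parses both old- and new-format packet headers, and reports each public-key packet's version together with the key id as each version defines it: a v3 (PGP-2) key's id is the low 64 bits of its RSA modulus and its fingerprint is MD5 over the key material, while a v4 key's fingerprint is SHA-1 over the packet and its id is the low 64 bits of that. A v3 packet is flagged as one that GnuPG 2.1 and later will skip on import, which is why a signature made by such a key then reports no public key. The keyblock at the bottom is constructed from an invented modulus and timestamp; it is not a real key.

```python
import hashlib
import struct


def _encode_mpi(value):
    """OpenPGP MPI: a 2-byte bit count followed by the big-endian magnitude."""
    nbytes = (value.bit_length() + 7) // 8
    return struct.pack(">H", value.bit_length()) + value.to_bytes(nbytes, "big")


def _read_mpi(data, off):
    bits = struct.unpack(">H", data[off:off + 2])[0]
    nbytes = (bits + 7) // 8
    return data[off + 2:off + 2 + nbytes], off + 2 + nbytes


def parse_packet(data, off=0):
    """Parse one packet header (old or new format, RFC 4880 section 4.2).
    Returns (tag, body, offset_after_packet)."""
    first = data[off]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 clear)")
    if first & 0x40:                                   # new-format header
        tag = first & 0x3F
        l1 = data[off + 1]
        if l1 < 192:
            length, hdr = l1, 2
        elif l1 < 224:
            length, hdr = ((l1 - 192) << 8) + data[off + 2] + 192, 3
        elif l1 == 255:
            length, hdr = struct.unpack(">I", data[off + 2:off + 6])[0], 6
        else:
            raise ValueError("partial body lengths not handled in this example")
    else:                                              # old-format header
        tag = (first >> 2) & 0x0F
        ltype = first & 0x03
        if ltype == 0:
            length, hdr = data[off + 1], 2
        elif ltype == 1:
            length, hdr = struct.unpack(">H", data[off + 1:off + 3])[0], 3
        elif ltype == 2:
            length, hdr = struct.unpack(">I", data[off + 1:off + 5])[0], 5
        else:
            raise ValueError("indeterminate length not handled in this example")
    start = off + hdr
    return tag, data[start:start + length], start + length


def describe_public_key(body):
    """Describe a public-key packet body (tag 6 or 14): version, algorithm,
    creation time, and the fingerprint / key id as that version defines them."""
    version = body[0]
    if version == 3:
        created, validity_days, algo = struct.unpack(">IHB", body[1:8])
        n, off = _read_mpi(body, 8)
        e, off = _read_mpi(body, off)
        fpr = hashlib.md5(n + e).hexdigest()          # v3: MD5 of the MPI bodies
        keyid = n[-8:].hex()                          # v3: low 64 bits of the modulus
    elif version == 4:
        created, algo = struct.unpack(">IB", body[1:6])
        fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()
        keyid = fpr[-16:]                             # v4: low 64 bits of the fingerprint
    else:
        raise ValueError(f"unsupported key packet version {version}")
    return {"version": version, "algo": algo, "created": created,
            "fingerprint": fpr.upper(), "keyid": keyid.upper(),
            "skipped_by_gnupg_2_1": version == 3}      # PGP-2 keys are dropped on import


def summarize_keyblock(data):
    """Walk a binary keyblock and report every public key / subkey packet."""
    out, off = [], 0
    while off < len(data):
        tag, body, off = parse_packet(data, off)
        if tag in (6, 14):
            out.append(describe_public_key(body))
    return out


# --- constructed sample keyblock (invented values, not a real key) ---
N_BYTES = bytearray(hashlib.sha256(b"constructed modulus for the example").digest() * 2)
N_BYTES[0] |= 0x80            # force a 512-bit modulus
N_BYTES[-1] |= 0x01           # and make it odd, as an RSA modulus would be
N = int.from_bytes(N_BYTES, "big")
E = 65537
CREATED = 1083679391          # constructed timestamp, seconds since the epoch

_v3_body = bytes([3]) + struct.pack(">IHB", CREATED, 0, 1) + _encode_mpi(N) + _encode_mpi(E)
_v4_body = bytes([4]) + struct.pack(">IB", CREATED, 1) + _encode_mpi(N) + _encode_mpi(E)
SAMPLE_KEYBLOCK = (
    bytes([0x80 | (6 << 2) | 0, len(_v3_body)]) + _v3_body   # old-format header, tag 6
    + bytes([0xC0 | 6, len(_v4_body)]) + _v4_body            # new-format header, tag 6
)

if __name__ == "__main__":
    for info in summarize_keyblock(SAMPLE_KEYBLOCK):
        print(info)
```

Run against a real keyblock (`gpg --export` output, or a binary .pgp file), this tells you before import which packets a modern GnuPG will refuse, and the reported key id for a v3 key is the value that a "using RSA key ..." line would name.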


Re: Why Operating Systems don't always upgrade GnuPG

2018-02-21 Thread Werner Koch
On Tue, 20 Feb 2018 20:36, n...@walfield.org said:

> "uncool".  I left because we (Werner and I) could not work well
> together.  This is the same reason that Justus, Kai and Marcus left.

Okay, you raised it and now my Lavamat wants to reply on this: Secret
negotiations with other companies, promising them things without
consulting with me, working on your own schedule, throwing in large
blobs of code after silently working on them for months, not adhering to
milestones, ignoring requests to write documentation, leaving almost all
of the project work to me, spending half a person year on preparing a
campaign, kind of blackmailing me to re-write GnuPG in Rust, refusing to
prepare the agreed-upon training material.

My take away of that story is that not all hackers are able to value the
liberties granted to them.  Too bad.


Shalom-Salam,

   Werner

--
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




having trouble checking the signature of a downloaded file

2018-02-21 Thread Henry
I downloaded a tarball ***6.4.tar.gz, it's signature file
***6.4.tar.gz.sig, and the author's public key **.pgp from a
well-known site.

I imported the public key: `gpg --import **.pgp`.
For some reason, two keys were "skipped":
   gpg: key 0C0B590E80CA15A7: 2 signatures not checked due to missing keys
   gpg: key 0C0B590E80CA15A7: "Author's Name 
   gpg: Total number processed: 3
   gpg: skipped PGP-2 keys: 2
   gpg:  unchanged: 1

I tried to verify the downloaded file, but the check failed:
`gpg --verify ***6.4.tar.gz.sig ***6.4.tar.gz`
   gpg: Signature made Tue May  4 23:03:11 2004 JST
   gpg:                using RSA key DC80F2A6D5327CB9
   gpg: Can't check signature: No public key

This is the first time for this to happen, so I have no idea what I
might be doing
wrong.  Any help or suggestions much appreciated.  TIA

Henry



Re: Solaris 11 install libgpg-error make install hangs

2018-02-21 Thread Daniel Kahn Gillmor
On Fri 2018-02-09 16:03:01 +, Anna Kitces and Seth Fishman wrote:
> Correction. it is in libgpg-error this is happening

You can see logs of an example build on the Debian OS for gpg-error
here:

   https://buildd.debian.org/status/logs.php?arch=&pkg=libgpg-error

Your build is likely to differ in the details (compiler flags, etc), but
perhaps you could identify similar stages and give feedback about where
the build process seems to be hanging?

or, you could post your build log to a pastebin like
https://paste.debian.net/ and point the list to it, so we could compare
it and try to see where it might be hanging.

Please persist!  we'll get it working eventually. :)

Regards,

   --dkg

