Re: How to fix "ERROR key_generate 3355453" / "GENKEY' failed: IPC call has been cancelled"

2018-09-04 Thread Peter Lebbing
On 04/09/18 18:31, Fiedler Roman wrote:
> /usr/bin/gpgv --status-fd 2 --homedir /proc/self/fd/nonexistent --keyring sign.pub /proc/self/fd/0

You missed my point. You are not including a slash in the keyring
argument, so gpgv is looking for it in the homedir. To quote the gpgv
man page again:

>--keyring file
>   Add  file  to the list of keyrings.  If file begins with a tilde
>   and a slash, these are replaced by the HOME  directory.  If  the
>   filename  does  not  contain a slash, it is assumed to be in the
>   home-directory ("~/.gnupg" if --homedir is not used).

And this works:

$ gpgv --keyring ./key.gpg data.gpg

> Splitting up the message gives me
> 
> 01-001.pk_enc
> 02-018.encrypted_mdc

This is an encrypted message. gpgv can't do anything with it.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
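The lookup rule Peter quotes from the gpgv man page, modelled in Python as an added example (this is not the thread's or GnuPG's own code; resolve_keyring, explicit_keyring and gpgv_argv are names chosen here). It shows why "--keyring sign.pub" combined with "--homedir /proc/self/fd/nonexistent" ends up at a path that cannot exist, and how a wrapper can force the keyring argument to carry a slash so that the home directory is never consulted for it.

```python
import os


def resolve_keyring(arg, homedir=None, home=None):
    """Model of the documented --keyring lookup rule (added example, not gpgv code).

    '~/x' is expanded against HOME; a name without a slash is taken inside the
    GnuPG home directory (--homedir, else ~/.gnupg); anything else is used as is.
    """
    home = os.path.expanduser("~") if home is None else home
    homedir = os.path.join(home, ".gnupg") if homedir is None else homedir
    if arg.startswith("~/"):
        return os.path.join(home, arg[2:])
    if "/" not in arg:
        # this is the branch the thread's command line falls into:
        # "sign.pub" becomes "<homedir>/sign.pub"
        return os.path.join(homedir, arg)
    return arg


def explicit_keyring(path):
    """Anchor a bare file name to the current directory so gpgv never looks in homedir."""
    return path if "/" in path else os.path.join(".", path)


def gpgv_argv(keyring, signed_file, homedir=None):
    """Build a gpgv command line whose keyring argument always contains a slash."""
    argv = ["gpgv", "--status-fd", "2"]
    if homedir is not None:
        argv += ["--homedir", homedir]
    return argv + ["--keyring", explicit_keyring(keyring), signed_file]


if __name__ == "__main__":
    # the combination from the thread resolves to a path under the bogus homedir
    print(resolve_keyring("sign.pub", homedir="/proc/self/fd/nonexistent"))
    # the working form from the reply is left untouched
    print(resolve_keyring("./key.gpg", homedir="/proc/self/fd/nonexistent"))
    print(" ".join(gpgv_argv("sign.pub", "data.gpg", "/proc/self/fd/nonexistent")))
```

The two functions only model the rule as documented; gpgv itself performs the lookup, so a wrapper built on gpgv_argv should still check gpgv's exit status and status-fd output rather than trust the path it constructed.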


AW: AW: AW: How to fix "ERROR key_generate 3355453" / "GENKEY' failed: IPC call has been cancelled"

2018-09-04 Thread Fiedler Roman
> From: Werner Koch [mailto:w...@gnupg.org]
>
> On Tue,  4 Sep 2018 10:08, roman.fied...@ait.ac.at said:
>
> > [GNUPG:] UNEXPECTED 0
>
> The signature is corrupted in that it has a packet which is expected
> only in a key.  Or the provided key has a data signature packet etc.

I hope not :-) If any of those assumptions above is true, then the current
gpg behaviour might be a massive security problem, as gpg1 can be tricked
into verifying a signature that should not be there.

This command decrypts the data and claims to see a valid signature (both 
commands get input to decrypt from stdin):

/usr/bin/gpg1 --no-options --homedir decrypt-key --no-default-keyring \
  --keyring sign.pub --lock-never --trust-model always --batch \
  --display-charset utf-8 --status-fd 2 --decrypt --try-all-secrets

"[GNUPG:] GOODSIG AA[keyid] "

While gpgv (from gpg2 package) does not:

/usr/bin/gpgv --status-fd 2 --homedir /proc/self/fd/nonexistent \
  --keyring sign.pub /proc/self/fd/0

"[GNUPG:] UNEXPECTED 0"


Remember that a similar gpg2 call also returned the same error, so I changed
it to use "gpgv" according to your recommendation (see mail list archive).
But that did not help getting rid of the error.

> How did you create the keyfile and the signature?

Keyfile: gpg2 --no-options --homedir [home] --lock-never --trust-model always \
  --export [identifier]

Signature: gpg1 --no-options --homedir [somedir] --keyring [remote.pub] \
  --lock-never --trust-model always --sign --local-user [user-id] --encrypt \
  --throw-keyids --hidden-recipient


> > Could it be, that "--throw-keyids" at signature creation to then avoid
> > XKeyscore-traffic-analysis [1] is not compatible with signature
> > verification?
>
> No.  The keyid (or the fingerprint in newer version) is mandatory for a
> signature packet.

OK, I have to check that. I assumed "--throw-keyids" would put me on the
safe side... Splitting up the message gives me

01-001.pk_enc
02-018.encrypted_mdc

Which of the files contains the problematic signature key ID? At least the
encryption key ID in pk.enc is zeroed out, as expected:

: 8502 0e03     1008 00a9  

At which byte offset should I find the signer key fingerprint?

> Leaving this out would not help because it is easy to
> figure out the key by trial verification against all known keys.

Well, that would be all keys in the 2^2048 key space, so the problem
should be as hard to solve as factorization itself. As keys are never
transmitted unencrypted, the attacker has no chance to know a single
one.

>  And traffic analysis can be done without crypto operations.

But it is much more convenient:

* key IDs included: get unique number of recipients at each endpoint,
  detect each new recipient as soon as it is addressed for the first time ...

* key IDs missing: get frequency/size of cryptograms (size is always the
  same) and try to estimate the number of distinct recipients.


Re: Issue with pinentry GUI agent

2018-09-04 Thread Daniel Kahn Gillmor
On Mon 2018-09-03 09:58:24 +0200, Kristian Fiskerstrand wrote:
> Just to have it mentioned, turned out this was an issue with missing
> keep-display in gpg-agent.conf, without this the Qt4/5 pinentry fail
> (although I've been told it is not an issue in KDE environment).

to be clear, keep-display means that all requests made to the agent that
require interaction with X11 will show up on the original display that
the agent was started with.  This isn't desirable in all cases
(e.g. where an agent is shared across multiple X11 displays)

> gpg-agent without keep-display still seems to send display as argument
> in --display :0 style, but this does not seem to be honored.

i think you're saying that "pinentry-qt --display :124" doesn't honor
the "--display :124" argument, but that doesn't seem to be true to me
with pinentry 1.1.0:

0 dkg@alice:~$ pinentry-qt --display :124
qt.qpa.screen: QXcbConnection: Could not connect to display :124
Could not connect to any X display.
1 dkg@alice:~$ 

or do you mean something else?

   --dkg



Re: AW: AW: How to fix "ERROR key_generate 3355453" / "GENKEY' failed: IPC call has been cancelled"

2018-09-04 Thread Werner Koch
On Tue,  4 Sep 2018 10:08, roman.fied...@ait.ac.at said:

> [GNUPG:] UNEXPECTED 0

The signature is corrupted in that it has a packet which is expected
only in a key.  Or the provided key has a data signature packet etc.

How did you create the keyfile and the signature?

> Could it be, that "--throw-keyids" at signature creation to then avoid
> XKeyscore-traffic-analysis [1] is not compatible with signature
> verification? 

No.  The keyid (or the fingerprint in newer version) is mandatory for a
signature packet.  Leaving this out would not help because it is easy to
figure out the key by trial verification against all known keys.  And
traffic analysis can be done without crypto operations.


Shalom-Salam,

   Werner


-- 
Thoughts are free.  Exceptions are regulated by a federal law.


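Roman's question above about where the key IDs sit in the two packets he split out, and Werner's reply that the key ID is mandatory in a signature packet, can be illustrated with the packet framing of RFC 4880. The following Python is an added example, not code from the thread or from GnuPG: it walks the packet headers, decodes a Public-Key Encrypted Session Key packet (tag 1, the 01-001.pk_enc file) to report whether its 8-octet key ID was zeroed by --throw-keyids, and pulls the Issuer subpacket out of a v4 signature packet (tag 2). The two sample packets are constructed by hand with dummy MPI bytes. When a message is signed and then encrypted, the signature packet sits inside the encrypted data (the 02-018.encrypted_mdc file), so its issuer key ID only becomes visible after decryption.

```python
"""Locate key IDs in OpenPGP packets (RFC 4880 framing). Added example;
SAMPLE_PKESK and SAMPLE_SIG are hand-constructed with dummy MPI bytes."""
import struct


def _packet_length(data, pos, ctb):
    """Return (body_offset, body_length) for the packet whose tag octet is at pos."""
    if ctb & 0x40:  # new-format header (RFC 4880 section 4.2.2)
        first = data[pos + 1]
        if first < 192:
            return pos + 2, first
        if first < 224:
            return pos + 3, ((first - 192) << 8) + data[pos + 2] + 192
        if first == 255:
            return pos + 6, struct.unpack(">I", data[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths are not handled here")
    ltype = ctb & 0x03  # old-format header: low two bits give the length-field size
    if ltype == 3:      # indeterminate length: packet runs to the end of the input
        return pos + 1, len(data) - pos - 1
    size = 1 << ltype   # 1, 2 or 4 octets
    return pos + 1 + size, int.from_bytes(data[pos + 1:pos + 1 + size], "big")


def parse_packets(data):
    """Split raw (binary, not armored) OpenPGP data into (tag, body) tuples."""
    packets, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bit 7 of a packet tag octet must be set")
        tag = ctb & 0x3F if ctb & 0x40 else (ctb >> 2) & 0x0F
        body_off, body_len = _packet_length(data, pos, ctb)
        packets.append((tag, data[body_off:body_off + body_len]))
        pos = body_off + body_len
    return packets


def parse_pkesk(body):
    """Decode a v3 Public-Key Encrypted Session Key body (tag 1)."""
    key_id = body[1:9]  # the 8-octet key ID directly follows the version octet
    return {
        "version": body[0],
        "key_id": key_id.hex(),
        "algorithm": body[9],
        # --throw-keyids / --hidden-recipient write all zeros here, so the receiver
        # cannot pick a key and must trial-decrypt with every secret key it holds
        "thrown": key_id == b"\x00" * 8,
    }


def _subpackets(area):
    """Yield (type, body) for each signature subpacket in a subpacket area."""
    pos = 0
    while pos < len(area):
        length = area[pos]
        if length < 192:
            pos += 1
        elif length < 255:
            length = ((length - 192) << 8) + area[pos + 1] + 192
            pos += 2
        else:
            length = struct.unpack(">I", area[pos + 1:pos + 5])[0]
            pos += 5
        yield area[pos] & 0x7F, area[pos + 1:pos + length]  # mask the critical bit
        pos += length


def signature_issuer(body):
    """Return the key ID from the Issuer subpacket (type 16) of a v4 signature."""
    if body[0] != 4:
        raise ValueError("only v4 signature packets are handled here")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    unhashed = body[pos + 2:pos + 2 + unhashed_len]
    for area in (hashed, unhashed):
        for sp_type, sp_body in _subpackets(area):
            if sp_type == 16:
                return sp_body.hex()
    return None


def describe(data):
    """Summarise every packet in data, decoding tags 1 and 2."""
    out = []
    for tag, body in parse_packets(data):
        if tag == 1:
            out.append(dict(tag=1, **parse_pkesk(body)))
        elif tag == 2:
            out.append(dict(tag=2, issuer=signature_issuer(body)))
        else:
            out.append(dict(tag=tag, length=len(body)))
    return out


# Constructed: old-format tag 1 with two-octet length (0x85 0x01 0x0c), version 3,
# zeroed key ID, RSA (1), one 2048-bit dummy MPI.
SAMPLE_PKESK = (b"\x85\x01\x0c\x03" + b"\x00" * 8 + b"\x01"
                + b"\x08\x00" + b"\xa9" + b"\x00" * 255)
# Constructed: new-format tag 2 (0xC2), v4, binary signature, RSA, SHA-256; hashed
# area holds a creation-time subpacket, unhashed area the Issuer with a made-up ID.
_HASHED = b"\x05\x02" + b"\x5b\x8e\x6f\x00"
_UNHASHED = b"\x09\x10" + bytes.fromhex("0123456789abcdef")
_SIG_BODY = (b"\x04\x00\x01\x08" + struct.pack(">H", len(_HASHED)) + _HASHED
             + struct.pack(">H", len(_UNHASHED)) + _UNHASHED + b"\xab\xcd" + b"\x00\x08\xff")
SAMPLE_SIG = b"\xc2" + bytes([len(_SIG_BODY)]) + _SIG_BODY

if __name__ == "__main__":
    for entry in describe(SAMPLE_PKESK + SAMPLE_SIG):
        print(entry)
```

For a real message, feed parse_packets the raw bytes of the split files; it expects binary input, not ASCII armor, and does not handle partial body lengths. A PKESK reporting thrown=True is the expected result of --throw-keyids, and it is exactly why a receiver has to try all of its secret keys, whereas the signature's Issuer subpacket is always present and therefore identifies the signer to anyone who can decrypt.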


Re: AW: How to fix "ERROR key_generate 3355453" / "GENKEY' failed: IPC call has been cancelled"

2018-09-04 Thread Werner Koch
On Tue,  4 Sep 2018 09:52, roman.fied...@ait.ac.at said:

> Werner gave a good solution in another followup message. May I recommend
> updating the online docu/man page for "--verify" with something like this?

we have

  Note: Sometimes the use of the @command{gpgv} tool is easier than
  using the full-fledged @command{gpg} with this option.  @command{gpgv}
  is designed to compare signed data against a list of trusted keys and
  returns with success only for a good signature.  It has its own manual
  page.
  
in the docs since 2.1.18 or .19 (January 2017)


Salam-Shalom,

   Werner



AW: How to fix "ERROR key_generate 3355453" / "GENKEY' failed: IPC call has been cancelled"

2018-09-04 Thread Fiedler Roman
> From: Peter Lebbing [mailto:pe...@digitalbrains.com]
> 
> On 04/09/18 15:22, Peter Lebbing wrote:
> > I don't understand, could you give commands, expected behaviour and
> > actual output?
> 
> To clarify, I thought you were giving an example of "starting gpgv
> without any keyring at all", because you gave it a non-existing homedir.
> Only on re-reading your other mail did I understand this was an example
> of how you were actually trying to do it.

Sorry about being imprecise in my reply.

Yes, you are completely right: no matter which command line is used, the

"[GNUPG:] UNEXPECTED 0
gpgv: verify signatures failed: Unexpected error"

error from gpgv or plain gpg does not vanish; only additional error messages
can be added depending on the keyrings used.

Using /proc/self/fd/nonexistent as home directory should only serve the
purpose that it is much harder for an attacker to create that path than one
where the parent directory is a writable file system.


I just removed the executable bit from the "gpg2" binary and am now isolating
all gpg calls in a clean wrapper library to invoke "gpg1". When all use-cases
work with gpg1 and there is still some time, I will try to implement also a gpg2
wrapper to start another gpg1->gpg2 migration attempt. But that will be end
of September earliest.


Re: How to fix "ERROR key_generate 3355453" / "GENKEY' failed: IPC call has been cancelled"

2018-09-04 Thread Peter Lebbing
On 04/09/18 15:22, Peter Lebbing wrote:
> I don't understand, could you give commands, expected behaviour and
> actual output?

To clarify, I thought you were giving an example of "starting gpgv
without any keyring at all", because you gave it a non-existing homedir.
Only on re-reading your other mail did I understand this was an example
of how you were actually trying to do it.

Peter.



Re: How to fix "ERROR key_generate 3355453" / "GENKEY' failed: IPC call has been cancelled"

2018-09-04 Thread Peter Lebbing
On 04/09/18 10:08, Fiedler Roman wrote:
> /usr/bin/gpgv --status-fd 2 --homedir /proc/self/fd/nonexistent --keyring key.pub data.gpg

This would open /proc/self/fd/nonexistent/key.pub as the keyring.

From the man page of gpgv:
>   Add  file  to the list of keyrings.  If file begins with a tilde
>   and a slash, these are replaced by the HOME  directory.  If  the
>   filename  does  not  contain a slash, it is assumed to be in the
>   home-directory ("~/.gnupg" if --homedir is not used).

What works for me is:

$ gpgv --keyring ./key.gpg data.gpg

HTH,

Peter.



Re: How to fix "ERROR key_generate 3355453" / "GENKEY' failed: IPC call has been cancelled"

2018-09-04 Thread Peter Lebbing
On 04/09/18 13:55, Fiedler Roman wrote:
> This might be an issue, but now I tried also with the "pubring.kbx" file
> from the key used to create the signature (without exporting anything)
> and the error message stays completely the same.

I don't understand, could you give commands, expected behaviour and
actual output?

> BTW: what would be the recommended/most secure way to create a keyring
> file with a single public key

For gpgv, I'd just use an exported single public key like you tried to
do with gpg. gpgv has no problems with that.

HTH,

Peter.



AW: How to fix "ERROR key_generate 3355453" / "GENKEY' failed: IPC call has been cancelled"

2018-09-04 Thread Fiedler Roman
> From: Peter Lebbing [mailto:pe...@digitalbrains.com]
> 
> On 04/09/18 09:52, Fiedler Roman wrote:
> > Maybe the current hammer documentation should be updated, to remove
> > the "--use-as-hammer" options? Or at least declare, that they shall not
> > be used that way. See:
> >
> > https://www.gnupg.org/gph/en/manual/r1606.html
> > https://www.gnupg.org/gph/en/manual/r1574.html
> 
> Ah, but you didn't pass it a keyring, did you? You passed it an exported
> OpenPGP key, which is no longer the format of a keyring! :-)

This might be an issue, but now I tried also with the "pubring.kbx" file
from the key used to create the signature (without exporting anything)
and the error message stays completely the same. The message is quite
similar to starting gpgv without any keyring at all:

# /usr/bin/gpgv --status-fd 2 --homedir /proc/self/fd/nonexistent data.gpg
gpgv: unknown type of key resource 'trustedkeys.kbx'
gpgv: keyblock resource '/proc/self/fd/nonexistent/trustedkeys.kbx': General error
[GNUPG:] ERROR add_keyblock_resource 33554433
[GNUPG:] UNEXPECTED 0
gpgv: verify signatures failed: Unexpected error

So maybe the "[GNUPG:] UNEXPECTED 0" (last two lines) are not related to the
keyring at all (the first three lines are related).

BTW: what would be the recommended/most secure way to create a keyring
file with a single public key, probably without all the gpg2 overhead of
creating a home directory, searching proc to kill gpg-agent afterwards and
cleaning up the home directory in a secure way afterwards?

After trying to get gnupg2 working for more than a day now, but always managing
to get only from one undocumented error message to the next, one undocumented
argument behavior to the next, I will downgrade to gnupg1. In my opinion, next
migration attempt should be started with next Ubuntu LTS 2020 earliest.

> > Werner gave a good solution in another followup message.
> 
> Yes, the new option to *encrypt* to a key in a file made me forget about
> the age-old gpgv :-). I got it mixed up.
> 
> > Or could I submit patches to documentation and source code (error handling)
> > myself? I did not find a "contribute" section on the gnupg website at a first
> > glance (menus/FAQs), but could look into it deeper, if helpful.
> 
> I'd say: definitely. I'm not a GnuPG dev, though. I think for instance
> the git repository with the man page can be reached through the web on [1].

Thanks for the reference, I will try to figure out how gnupg development is
structured, e.g. if patches have to be submitted to gnupg-dev first 

> Note that if you were to carefully read the long table of contents of
> the "GnuPG manual"[2], you'd stumble upon these entries:
> 
> > 8 Helper Tools
> > [...]
> > 8.2 Verify OpenPGP signatures
> 
> I think your addition to the man page would be helpful, but a balance
> has to be struck between documenting what something does and what it
> does not. Writing good, clear documentation is hard. I don't think the
> current documentation is as good as it could be. The fact that there are
> so many options and commands makes it very hard to do right. In the
> current state of the documentation, I think your addition is a good one.
> More in general, I think there should be documentation that users read
> which means they wouldn't end up at the man page for the gpg
> command-line tool at all, but they would immediately have chosen gpgv in
> the first place. I hope I'm succeeding in getting my intention across,
> I'm having some trouble putting it in words :-).
> 
> man pages are reference works, not user guides. You already know how to
> use something, but the details elude you for a moment? You grab a
> reference. You can't learn English from a dictionary, and you can't
> efficiently look up the spelling of a word in an English course.
> 
> In this particular case, what set you off in the wrong direction was
> that you were doing something which was never *intended* to work, it
> just did. Worse, people have been telling other people that this was
> something you could do. I think it's hard to catch all these things in
> documentation when at the same time people on the interwebs are saying
> "oh you should use an exported key as keyring".

Fully agree here. There is something important in the documentation missing.

I already offered once to contribute to that part of the documentation, but
there was a dispute with other gnupg mailing list folks, who had quite a
different understanding of engineering, design and end-user documentation
for security critical software.

From my point of view, the following structure would improve the whole process:

1) have use-case documentation describing scenarios where gpg should be used.
Make them as distinct as possible to use-cases where gpg should NOT be used.
One use case group could be "fully automated en/decrypt and verify on devices
without permanent storage", another one "Embedded gpg for e-mail decryption"
or "gpg for command line e-mail/file encryption" 

Re: Subkeys

2018-09-04 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi Roland,

I don't know if you have some specific questions but the Debian wiki
page about Subkeys is nice: https://wiki.debian.org/Subkeys

tl;dr version is primary/subkey setup lets you have your primary key
completely offline and use subkeys for daily work. If something bad
happens to a subkey (e.g. compromise) you can use primary key to revoke it.

There are 4 flags for key usage: C - Certify (for primary keys), S -
signing, E - encryption and A - authentication (e.g. SSH).

Kind regards,
Wiktor

> Dear GnuPG
> 
> As a user of GPG4Win, is there any explanation in the compendium about
> the meaning and use of subkeys (I cannot find anything about that matter
> in the The Gpg4win Compendium 3.0.0)
> 
> Best regards,
> 


-- 
https://metacode.biz/@wiktor



Re: Gnupg-users Digest, Vol 180, Issue 3

2018-09-04 Thread Wiktor Kwapisiewicz via Gnupg-users
On 04.09.2018 10:29, Roland Siemons (P) wrote:
> Remains:
> How can I see what is on the smartcard?

gpg --card-status

> How can I copy files to the smartcard?

You can't copy generic files, smartcard contains only private keys (gpg
--edit-key X, keytocard) and a small amount of data objects (gpg
--card-edit, admin, url/lang/name).

Note that keytocard *moves* key to card, meaning the local copy of the
private key will be deleted. If you don't want that (e.g. encryption
key) either have a copy or *don't* save after keytocard command.

The card can store only 3 keys: one signature, one encryption and one
authentication key.

Kind regards,

Wiktor



Re: First smartcard operation always fails

2018-09-04 Thread Peter Lebbing
On 04/09/18 10:17, Andrew Gallagher wrote:
> And I have just confirmed (by sending that mail) that both the first
> auth operation AND the first signing operation fail, separately.

I have no idea, it's quite curious. As an added bread crumb to follow:
what do the PIN retry counters say after the failure? gpg --card-status.

Do you always use the same reader? Perhaps it is the reader.

HTH,

Peter.



Re: How to fix "ERROR key_generate 3355453" / "GENKEY' failed: IPC call has been cancelled"

2018-09-04 Thread Peter Lebbing
On 04/09/18 09:52, Fiedler Roman wrote:
> Maybe the current hammer documentation should be updated, to remove
> the "--use-as-hammer" options? Or at least declare, that they shall not
> be used that way. See:
> 
> https://www.gnupg.org/gph/en/manual/r1606.html
> https://www.gnupg.org/gph/en/manual/r1574.html

Ah, but you didn't pass it a keyring, did you? You passed it an exported
OpenPGP key, which is no longer the format of a keyring! :-)

> Werner gave a good solution in another followup message.

Yes, the new option to *encrypt* to a key in a file made me forget about
the age-old gpgv :-). I got it mixed up.

> Or could I submit patches to documentation and source code (error handling)
> myself? I did not find a "contribute" section on the gnupg website at a first
> glance (menus/FAQs), but could look into it deeper, if helpful.

I'd say: definitely. I'm not a GnuPG dev, though. I think for instance
the git repository with the man page can be reached through the web on [1].

Note that if you were to carefully read the long table of contents of
the "GnuPG manual"[2], you'd stumble upon these entries:

> 8 Helper Tools
> [...]
> 8.2 Verify OpenPGP signatures

I think your addition to the man page would be helpful, but a balance
has to be struck between documenting what something does and what it
does not. Writing good, clear documentation is hard. I don't think the
current documentation is as good as it could be. The fact that there are
so many options and commands makes it very hard to do right. In the
current state of the documentation, I think your addition is a good one.
More in general, I think there should be documentation that users read
which means they wouldn't end up at the man page for the gpg
command-line tool at all, but they would immediately have chosen gpgv in
the first place. I hope I'm succeeding in getting my intention across,
I'm having some trouble putting it in words :-).

man pages are reference works, not user guides. You already know how to
use something, but the details elude you for a moment? You grab a
reference. You can't learn English from a dictionary, and you can't
efficiently look up the spelling of a word in an English course.

In this particular case, what set you off in the wrong direction was
that you were doing something which was never *intended* to work, it
just did. Worse, people have been telling other people that this was
something you could do. I think it's hard to catch all these things in
documentation when at the same time people on the interwebs are saying
"oh you should use an exported key as keyring".

HTH,

Peter.

[1] 
[2] 



Subkeys

2018-09-04 Thread Roland Siemons (P)
Dear GnuPG

As a user of GPG4Win, is there any explanation in the compendium about
the meaning and use of subkeys (I cannot find anything about that matter
in the The Gpg4win Compendium 3.0.0)

Best regards,

-- 
Roland Siemons





Re: Gnupg-users Digest, Vol 180, Issue 3

2018-09-04 Thread Roland Siemons (P)
@ Dirk Gottschalk: Thanks for very effective response to my first question!

Remains:
How can I see what is on the smartcard?
How can I copy files to the smartcard?

I studied the GnuPG Smartcard How-To
(www.gnupg.org/howtos/card-howto/en/smartcard-howto.html), but that is
entirely linux oriented. Whereas I am working on a win7 system.

HOWEVER, by trial and error, I found out that the same commands work on
the command line terminal of Win7. I shall test it further.

Best regards,

Roland


On 04/09/2018 09:52, gnupg-users-requ...@gnupg.org wrote:
> Message: 1
> Date: Mon, 03 Sep 2018 18:41:29 +0200
> From: Dirk Gottschalk 
> To: gnupg-users@gnupg.org
> Subject: Re: revocation troubles & smartcard troubles
> Message-ID: 
> Content-Type: text/plain; charset="utf-8"
>
> As long as you did not publish reports revocation, delete the key and 
> re-import it without the revocation cert. 
>
> On 3 September 2018 17:03:19 CEST, "Roland Siemons (P)" wrote:
>> Dear GnuPG,
>>
>> I am already using GnuPG for a long time. But try to improve my
>> understanding of and working with it.
>> I became a member of Free Software Foundation Europe, and got a
>> smartcard. I wanted to use it.
>>
>> And that is where the trouble started:
>> I intended to copy all my personal keys to the smart card.
>> In Kleopatra, I selected "Tools/Manage smartcards"
>> Then I selected "Import a certificate from a file", and selected files
>> from my laptop.
>> I was under the impression that I was copying files to the smartcard.
>> By doing so, I not only selected my private key but also my revocation
>> key (because, why should I enable a thief of my laptop to revoke my
>> key?).
>> And then it appeared that I had revoked my entire key pair. Unintended!
>> Apparently, under smartcard management, I was not at all copying files
>> to the smartcard. Apparently, I was doing something else. Did I at all
>> copy files to the smartcard?
>>
>> Questions:
>> Can I UNrevoke that key?
>> How can I see what is on the smartcard?
>> How can I copy files to the smartcard?
>>
>> I studied the GnuPG Smartcard How-To
>> (www.gnupg.org/howtos/card-howto/en/smartcard-howto.html), but that is
>> entirely linux oriented.
>> I am working on a win7 system.
>>
>> Can anyone help me further?
>>
>> Thanks!
>>
>> Roland
>




Re: First smartcard operation always fails

2018-09-04 Thread Andrew Gallagher
On 04/09/18 09:11, Andrew Gallagher wrote:
> Hi, all.
> 
> I've had a pgp smartcard v2.1 for years now (two, actually), and I've
> noticed that no matter what operation I perform, the first attempt after
> inserting the card, or waking from sleep with the card inserted, fails.

And I have just confirmed (by sending that mail) that both the first
auth operation AND the first signing operation fail, separately.

-- 
Andrew Gallagher





First smartcard operation always fails

2018-09-04 Thread Andrew Gallagher
Hi, all.

I've had a pgp smartcard v2.1 for years now (two, actually), and I've
noticed that no matter what operation I perform, the first attempt after
inserting the card, or waking from sleep with the card inserted, fails.

Example:

```
andrewg@fred:~$ ssh my.server
sign_and_send_pubkey: signing failed: agent refused operation
andrewg@my.server's password: ^C

andrewg@fred:~$ ssh my.server
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-92-lowlatency x86_64)
```

A similar thing happens with signing emails, and my signing and
authentication subkeys are distinct.

This has been bugging me for as long as I can remember, across different
machines, different software versions and OSes (Linux and Mac), and
using both smartcards.

Does anyone have any idea what's going on?

-- 
Andrew Gallagher





Re: Re: How to fix "ERROR key_generate 3355453" / "GENKEY' failed: IPC call has been cancelled"

2018-09-04 Thread Fiedler Roman
> From: Werner Koch [mailto:w...@gnupg.org]
>
> On Mon,  3 Sep 2018 19:25, pe...@digitalbrains.com said:
>
> > It could be that recently an option was added to check a signature by a
> > certificate in a file, but in general you need to import a certificate
>
> No, that is not the case.  We only added the option -f to encrypt to a
> key taken from a file.
>
> For verification against a single key or a set of keys use the gpgv
> tool:
>
>gpgv --keyring FILEWITHKEYS FILETOCHECK [DATAFILE]

Thanks for your helpful reply, that seems to be exactly the command
I should use. But it seems it is suffering from the same "[GNUPG:] UNEXPECTED 0"
issue.

/usr/bin/gpgv --status-fd 2 --homedir /proc/self/fd/nonexistent --keyring key.pub data.gpg
[GNUPG:] UNEXPECTED 0
gpgv: verify signatures failed: Unexpected error

Could it be that "--throw-keyids" at signature creation, used to avoid
XKeyscore traffic analysis [1], is not compatible with signature verification? I
would have expected it to work exactly the same way as with "--decrypt":
without a key ID, all keys are tested.

Regards, Roman

[1] https://motherboard.vice.com/en_us/article/ezpxan/pssst-your-pgp-is-leaking


Re: How to fix "ERROR key_generate 3355453" / "GENKEY' failed: IPC call has been cancelled"

2018-09-04 Thread Fiedler Roman
> From: Peter Lebbing [mailto:pe...@digitalbrains.com]
>
> On 03/09/18 18:56, Fiedler Roman wrote:
> > With gpg1 a similar command should have verified, that the signature
> > is exactly from the single public key stored in "key.pub".
>
> This has never been a supported use of gpg, it just happened to work
> because GnuPG 1.4 happened to use a bunch of exported OpenPGP
> certificates as the format of its public keyring. This was an
> implementation detail which enabled you to do this. Just because you can
> use the rear side of a screwdriver to hammer in a small nail doesn't
> mean you're meant to do carpentry that way ;-).

Maybe the current hammer documentation should be updated to remove
the "--use-as-hammer" options? Or at least declare that they shall not
be used that way. See:

https://www.gnupg.org/gph/en/manual/r1606.html
https://www.gnupg.org/gph/en/manual/r1574.html

Without that, what should be the purpose of the "--no-default-keyring"
except to flush all default keys and operate only on the ones given
via the "--keyring" option?

> In GnuPG, the homedir is
> pretty much not part of the interface, it is internal with some
> exceptions like .conf-files and being able to retrieve revocation
> certificates from it. The keyring format has changed and GnuPG also
> expects a lot of other different things in its homedir. So it no longer
> works.

Maybe the "--no-default-keyring" should return something like "obsolete
gnupg file API used" instead of "[GNUPG:] UNEXPECTED 0"?

> It could be that recently an option was added to check a signature by a
> certificate in a file, but in general you need to import a certificate
> before you can do verifications. I didn't see the new option in the few
> announcements I read. Either it was discussed and not done or discussed
> and implemented, can't recall.

Werner gave a good solution in another followup message. May I recommend
updating the online docu/man page for "--verify" with something like this?

"""For automated verification against a single public key, the gpgv tool may
better suit you needs"""

Or could I submit patches to documentation and source code (error handling)
myself? I did not find a "contribute" section on the gnupg website at a first
glance (menus/FAQs), but could look into it deeper, if helpful.

Regards, Roman



Re: Re: How to fix "ERROR key_generate 3355453" / "GENKEY' failed: IPC call has been cancelled"

2018-09-04 Thread Werner Koch
On Mon,  3 Sep 2018 19:25, pe...@digitalbrains.com said:

> It could be that recently an option was added to check a signature by a
> certificate in a file, but in general you need to import a certificate

No, that is not the case.  We only added the option -f to encrypt to a
key taken from a file.

For verification against a single key or a set of keys use the gpgv
tool:

   gpgv --keyring FILEWITHKEYS FILETOCHECK [DATAFILE]


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.


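As an added example (not code from this thread or from GnuPG itself), a small Python helper for the automated single-key verification Werner describes and Roman is trying to script: it builds the gpgv command line and then parses the --status-fd output, accepting only a GOODSIG/VALIDSIG pair whose fingerprint matches the one expected key and treating status lines such as "[GNUPG:] UNEXPECTED 0" as a hard failure. The status samples below are constructed, and the key fingerprint is a placeholder.

```python
import os

# Status keywords (from gpgv --status-fd) that must both be present for a
# verified signature.
GOODSIG, VALIDSIG = "GOODSIG", "VALIDSIG"
# Keywords that mean verification failed or the input was not a signature.
FATAL = {"UNEXPECTED", "NODATA", "BADSIG", "ERRSIG", "NO_PUBKEY", "ERROR", "FAILURE"}

def gpgv_command(keyring, sigfile, datafile=None):
    """Build the gpgv argv. The keyring path is made absolute so that it
    always contains a slash: gpgv resolves a bare file name relative to its
    home directory rather than the current directory."""
    argv = ["gpgv", "--status-fd", "1", "--keyring", os.path.abspath(keyring), sigfile]
    if datafile is not None:
        argv.append(datafile)
    return argv

def parse_status(status_text, expected_fpr):
    """Decide from gpgv's status lines whether exactly the expected key signed.
    Returns (True, fingerprint) on success or (False, reason) otherwise."""
    seen_good, fpr = False, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # ordinary stderr chatter, not a status line
        fields = line.split()
        if len(fields) < 2:
            continue
        keyword = fields[1]
        if keyword in FATAL:
            return False, f"{keyword}: {' '.join(fields[2:])}"
        if keyword == GOODSIG:
            seen_good = True
        elif keyword == VALIDSIG and len(fields) > 2:
            fpr = fields[2]  # full fingerprint of the signing (sub)key
    if not (seen_good and fpr):
        return False, "no GOODSIG/VALIDSIG pair"
    if fpr.upper() != expected_fpr.upper():
        return False, f"fingerprint mismatch: {fpr}"
    return True, fpr

# Constructed sample status output, not captured from a real gpgv run.
EXPECTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # placeholder
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-09-04 1536076800 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
FAIL_STATUS = "[GNUPG:] UNEXPECTED 0\n"
```

Run gpgv via `subprocess.run(gpgv_command(...), capture_output=True, text=True)` and feed its stdout to `parse_status`; checking the VALIDSIG fingerprint is what pins the result to the single key in the keyring rather than to any key gpgv happens to find.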