Re: gpg vs gpgv and trustedkeys
On Mon 2019-02-25 07:54:33 +0100, Olliver Schinagl wrote:

> What I am trying to accomplish, is to generate an OS image, which
> contains a public gpg key. The public is added using gpg --import and
> gets added to the newly created pubkey.gpg.

I think your description here is missing some background: why do you need the public OpenPGP key in your OS image?

If the goal is just to use it with gpgv (e.g. to verify software updates or some other post-build artifact that you'll fetch over the network) then i recommend just explicitly pointing gpgv at the curated keyring using --keyring, and not bothering with public.gpg or anything else.

This is the best approach because it lets you precisely control what is being checked against, and you don't have to worry that other uses of ~/.gnupg/trustedkeys.{gpg,kbx} might end up polluting the specific check you're hoping to make strong.

if you want an analogous example, check out the best-practice guidance in https://wiki.debian.org/DebianRepository/UseThirdParty about using isolated keys per repository (with apt's Signed-By: options).

Regards,

--dkg

signature.asc
Description: PGP signature

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why Signing key part of Master key
On Sun 2019-02-24 19:53:53 +, Farhan Khan via Gnupg-users wrote:

> I was under the impression that best practice was to keep the master
> key offline in cold storage.

"best practice" for some is "unusable complexity" for others :)

If it works for you, it's probably not unreasonable to keep the primary key offline in cold storage. But remember that what that does is to protect the primary key itself -- if you've got subkeys that are capable of acting as you (with the exception of making OpenPGP certifications), those subkeys are not protected by keeping the primary key offline.

> If so, wouldn't that make having the signing key impossible to use?

sure, but there's nothing stopping an "SC-capable" primary key from *also* certifying another S-capable subkey, and using that one, if the primary key is kept offline.

> And if so, is it possible to remove the Signing functionality from my
> Certificate key that I already generated?

the "change-usage" subcommand to "gpg --edit-key" might be what you're looking for. it's documented in more recent versions of the gpg(1) man page.

    change-usage
        Change the usage flags (capabilities) of the primary key or of
        subkeys. These usage flags (e.g. Certify, Sign, Authenticate,
        Encrypt) are set during key creation. Sometimes it is useful to
        have the opportunity to change them (for example to add
        Authenticate) after they have been created. Please take care
        when doing this; the allowed usage flags depend on the key
        algorithm.

Note that if you do this after having sent messages signed by the primary key, it's not clear what the behavior will be for someone who reads those signed messages after fetching your updated OpenPGP certificate. Should the message signature be invalid because the primary key is no longer signing-capable?

Also note that OpenPGP certificates are built and updated by aggregation. So if you change your primary key's usage flags, that'll simply be a new set of self-signatures that makes this change.

Anyone who wants to build a composite OpenPGP certificate from your key material by filtering out this change can easily do so, producing a certificate that appears to still be SC-capable. Reasonable OpenPGP clients that see this certificate *and* your updated one will merge them and respect the most recent usage flags. But does everyone you correspond with use a reasonable OpenPGP client and have access to your updated certificate? (exercise left to the reader…)

--dkg
Re: Weird locale at passphrase step
On Mon 2019-02-25 19:53:17 +0100, Andrei Fokau wrote:

> I have just installed GnuPG on macOS Mojave using Homebrew. When I try to
> generate a new key I can go through almost all steps seeing messages and
> dialogs in English, but when it asks my passphrase, I see
>
> [ image of cyrillic glyphs and U+FFFD REPLACEMENT CHARACTER symbols ]

It sounds to me like the gpg-agent process that is running on your system has a different locale. GnuPG asks the agent for a new passphrase, which in turn displays the prompt.

> How do I fix this?

unfortunately, it depends on how your gpg-agent is initialized, which we don't have enough information on here. perhaps it was launched before your locale was set to en_US.UTF-8?

One thing you can try as a workaround is to kill off the gpg-agent and it should get manually restarted on subsequent use:

    gpgconf --kill gpg-agent

maybe someone with more info about how MacOS and Homebrew manage per-user services can weigh in on better workarounds, or suggest a more principled fix for that platform.

--dkg
Re: git.gnupg.org: Certificate expired
On Mon 2019-02-25 18:01:22 +0100, Marcel Waldvogel wrote:

> this is probably not the right place to post, but I did not find
> anything more appropriate:
>
> The certificate for git.gnupg.org expired yesterday. Could someone with
> the appropriate privileges please fix this?

It's probably a fine place.

The last time this happened was on November 24 (3 months ago!) and it was reported on gnupg-devel: Message-Id:

Perhaps the certificate update mechanism (it appears to be Let's Encrypt) needs to be automated into refreshing the webserver when a new certificate is issued.

Thanks for the report.

--dkg
Re: Ok this is a stupid questions
On 2019-02-25 at 14:13 +, Michael Holly wrote:

> What I suspect is that instead of erroring out, GPG starts the decrypt
> process over and appends the new output to the previous cycle.. I
> have not tested this, but will soon.
>
> I just wanted to see if anyone else has seen this happen.

Not that it couldn't happen, but I find it strange that gpg would do that. Erroring out would make more sense.

Note that GnuPG can work in filter mode, so you can do

    cat incomplete_file | gpg -d > output_file    (*)

in which case it really can't start over. I don't think it would process things differently, but worth trying.

How are you invoking gpg? Which version are you running?

(*) Yes, this is a useless use of cat™. In fact, it's quite likely cat will be faster than whatever is transferring the file; piping e.g. wget -O - would make more sense.

(**) Remember that even though you are getting an incomplete output, unless gpg terminates with no error after verifying the data, **there's no guarantee about the contents**. Don't pipe that output to bash or otherwise treat it as trusted data! Wait for the next command for that (after verifying that gpg is ok with what was provided).

Cheers

Ángel
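A defensive wrapper for both points made above (dkg's advice to pin gpgv to an explicit curated keyring, and Ángel's caveat that decrypted output is not trustworthy until gpg has exited cleanly), added here as an example and not code from either poster. Keyring, signature and file paths are assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Two defensive wrappers:
#  - verify_artifact: gpgv pinned to an explicit, curated keyring; succeeds
#    only when gpgv exits 0 AND its status output reports GOODSIG.
#  - decrypt_checked: gpg decrypts into a temp file, and the output is moved
#    into place only after gpg exited 0, so a truncated or tampered input
#    never leaves partial plaintext where a later step could consume it.
# All paths are assumed/constructed for the example.
set -u

# verify_artifact KEYRING SIGFILE DATAFILE -> 0 iff the signature is good.
# Give KEYRING a path containing a slash; a bare filename would be looked
# up in the GnuPG home directory instead.
verify_artifact() {
    status=$(mktemp) || return 1
    # --keyring names the trust root explicitly; the default
    # trustedkeys.gpg/kbx is not consulted. Status lines go to fd 1.
    if gpgv --keyring "$1" --status-fd 1 "$2" "$3" >"$status" 2>/dev/null \
       && grep -q '^\[GNUPG:\] GOODSIG ' "$status"; then
        rm -f "$status"; return 0
    fi
    rm -f "$status"; return 1
}

# decrypt_checked INPUT OUTPUT -> 0 iff gpg exited cleanly; OUTPUT is only
# created on success (partial plaintext from a failed run is discarded).
decrypt_checked() {
    tmp=$(mktemp) || return 1
    if gpg --batch --quiet --yes --output "$tmp" --decrypt "$1" 2>/dev/null; then
        mv "$tmp" "$2"
        return 0
    fi
    rm -f "$tmp"; return 1
}
```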
Weird locale at passphrase step
Hello,

I have just installed GnuPG on macOS Mojave using Homebrew. When I try to generate a new key I can go through almost all steps seeing messages and dialogs in English, but when it asks my passphrase, I see:

[image: image.png]

My GnuPG version and locale:

    $ gpg --version
    gpg (GnuPG) 2.2.13
    libgcrypt 1.8.4
    $ echo $LANGUAGE
    en_US.UTF-8
    $ locale
    LANG="en_US.UTF-8"
    LC_COLLATE="en_US.UTF-8"
    LC_CTYPE="en_US.UTF-8"
    LC_MESSAGES="en_US.UTF-8"
    LC_MONETARY="en_US.UTF-8"
    LC_NUMERIC="en_US.UTF-8"
    LC_TIME="en_US.UTF-8"
    LC_ALL="en_US.UTF-8"

How do I fix this?

Thanks,
Andrei
git.gnupg.org: Certificate expired
Hi,

this is probably not the right place to post, but I did not find anything more appropriate:

The certificate for git.gnupg.org expired yesterday. Could someone with the appropriate privileges please fix this?

Thanks,
-Marcel
Re: Ok this is a stupid questions
On 2/25/2019 at 2:29 PM, "justina colmena via Gnupg-users" wrote:

> That's why I have to call foul play on proprietary operating systems.
> Encryption is theoretical only: in practice useless, moot, crippled,
> broken, and terminally back-doored with all the malware, adware, spyware,
> worms, viruses, trojans, keyloggers, and screenscrapers inherent to such
> systems as Google Android, Microsoft Windows, and Apple OS. The Democrats
> will stop at nothing to keep it that way at all costs, and the Republicans
> just don't care.

=====

Maybe *proprietary* encryption is theoretical only. What problems do you have with GnuPG as a FOSS program?

Ordinarily, I'm on the cautious, [maybe even borderline paranoid ;-) ] side of things, and I don't just trust things lightly. But I *DO* trust GnuPG, WK, and the host of other people who have put the time and effort into GnuPG, releasing the source code routinely so that it can be compiled by the end user on FOSS platforms (Linux, Ubuntu, etc.)

You sound capable enough to review source code, and use a Linux variant. Why do you think GnuPG is useless if you check the source code, run it on hardware you trust, and a Linux variant you trust, with a Chromium/Iron browser, and avoid anything Google or Microsoft or Apple or any non-FOSS product?

If I misunderstand you, and your beef is not with GnuPG, only with Google, Android, MS, Apple, etc., then I apologize.

That said, can I ask you to trim your posts of the political rants, much as they may be deserved. There are other forums ideally suited to that.

Thanks.

vedaal
Re: Ok this is a stupid questions
On February 25, 2019 5:13:32 AM AKST, Michael Holly wrote:

> So I completely preface this question is not a valid use case for gpg.
> I know, I get it.
>
> I have a potential issue that I'm trying to diagnose. I'm trying to
> understand how gpg will react to the input file size changing during
> the encrypt or decrypt step.
>
> Right now it appears that the gpg process goes a bit crazy and the 200
> MB file I am decrypting becomes 1.2 TB or greater.
>
> Here is the order of the events
>
> 1. File lands on my system.
> 2. PGP decrypt is invoked on the file.
> 3. Since the file is not truly done being sent to me, the file
>    grows in size.
> 4. GPG seems to expand the decrypted file many times over.
>
> What I suspect is that instead of erroring out, GPG starts the decrypt
> process over and appends the new output to the previous cycle.. I
> have not tested this, but will soon.
>
> I just wanted to see if anyone else has seen this happen.
>
> Thanks
>
> Michael

News media questions?

Many times it is the case that large files are compressed before being encrypted, and there are certain information-theoretical reasons to do so. Aside from efficiency and possibly a slightly better security, it is absolutely impossible to compress files after they are encrypted because the repetitive or redundant patterns, on which the compression is based, are precisely what is obfuscated and concealed by the encryption.

In any case, if the file was compressed before encryption, then it will have to be expanded back to its original size after decryption. Then there is the base64 ASCII armor, which causes a ciphertext expansion to the tune of some 35% by using only 6 of the 8 bits of each byte plus extra formatting for new lines and such.

So how did the Firstlook Media reporters from The Intercept come to give up their GPG keys and go so mainstream corporate?

They never got along all that well with the military, and they're not even remotely "alternative" anymore if they ever were. It's all establishment Democrat party line mainstream media, and "Don't you dare try to get smart and buck the labor union!" Holed up in Brazil somewhere pushing that atrocious "7me" spyware app on my Android phone as if that gay male reporter is suddenly a good Christian sitting on the church pew keeping the Sabbath so obediently on the Seventh Day and circumcising his kids under the law of Moses.

That's why I have to call foul play on proprietary operating systems. Encryption is theoretical only: in practice useless, moot, crippled, broken, and terminally back-doored with all the malware, adware, spyware, worms, viruses, trojans, keyloggers, and screenscrapers inherent to such systems as Google Android, Microsoft Windows, and Apple OS. The Democrats will stop at nothing to keep it that way at all costs, and the Republicans just don't care.

--
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
https://www.colmena.biz/~justina/
Ok this is a stupid questions
So I completely preface this question is not a valid use case for gpg. I know, I get it.

I have a potential issue that I'm trying to diagnose. I'm trying to understand how gpg will react to the input file size changing during the encrypt or decrypt step.

Right now it appears that the gpg process goes a bit crazy and the 200 MB file I am decrypting becomes 1.2 TB or greater.

Here is the order of the events

1. File lands on my system.
2. PGP decrypt is invoked on the file.
3. Since the file is not truly done being sent to me, the file grows in size.
4. GPG seems to expand the decrypted file many times over.

What I suspect is that instead of erroring out, GPG starts the decrypt process over and appends the new output to the previous cycle.. I have not tested this, but will soon.

I just wanted to see if anyone else has seen this happen.

Thanks

Michael
gpg vs gpgv and trustedkeys
While working on a little project, I found that there seems to be some discrepancy on how gpg and gpgv are to be used.

What I am trying to accomplish, is to generate an OS image, which contains a public gpg key. The public is added using gpg --import and gets added to the newly created pubkey.gpg. However, the OS image has no need for the full blown gpg and happily uses gpgv. However gpgv fails with the (now) well known error that it cannot find the trustedkeys.gpg/kbx keyring/box.

The internet has some suggestions that it is needed for gpg to generate a special keyring and import the keys into there. However the options (no-default-keyring and/or --keyring) are not existent with the gpg tools (on alpine and debian) (anymore, I believe gpg1 did have them in the past?). While gpgv still has the options, I don't think the intention was to always have to supply a custom keyring to gpgv.

And so it appears that the default keyrings used by the generator and the validator are mismatching. Is this intended? If so, why? And what would be the reason for having the two separate keyrings anyway.

For now, I have simply added a hack in that the two files are symlinked; this at least makes gpgv work as a user would intend. I suppose the alternative would be to rename the key after installation, but if that was the intention, I don't seem to see why the option to use a different keyring was removed from gpg to begin with.

Both my Alpine based gpg and gpgv are the same version, gpg (GnuPG) 2.1.18

P.S. Please keep me CC-ed as I am not subscribed.