Re: Cannot decrypt from smartcard using gnupg-2.2, can from 2.0

2019-10-21 Thread alejandro Cortez via Gnupg-users
On Tue, Oct 15, 2019 at 10:52 PM NIIBE Yutaka  wrote:

> Hello,
>
> I think that your configuration of smartcard is somehow broken.
>

The only thing I have been able to confirm is that gpg, at some point after
2.0.22, stopped allowing the use of the same subkey in multiple slots. As
soon as I created a new signing subkey and put that one into the signing
slot and the SEA subkey into the encryption slot, everything started
working.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: are angle brackets around email address allowed for auto-key-locate?

2019-10-21 Thread David Hebbeker
On Wed, 2019-10-16 at 20:26 +0200, David Hebbeker wrote:
> On Wed, 2019-10-16 at 14:19 +0200, Werner Koch wrote:
> > On Tue, 15 Oct 2019 22:23, David Hebbeker said:
> > > The manual [1] says that GnuPG can automatically retrieve keys
> > > for emails in the "u...@example.com" form. Does this exclude
> > > emails wrapped by angle brackets like ""?
> > 
> > That is fine.
> 
> I have experienced a behavior I could only explain with auto-key-
> locate being restricted to the pure form.

I still have the problem described in my previous e-mail. Can it be
that this is faulty behavior of GnuPG?

I would create a bug report at [1] so it does not get lost. Does
something speak against it?

David

[1]: https://dev.gnupg.org/



libgcrypt license

2019-10-21 Thread Fuse Hiroaki via Gnupg-users
Hello

I have a question about the libgcrypt license.

We can find the following license notice:

 Libgcrypt is distributed under the terms of the GNU Lesser General Public
License (LGPLv2.1+). The helper programs as well as the documentation are
distributed under the terms of the GNU General Public License (GPLv2+). The
file LICENSES has notices about contributions that require that these
additional notices are distributed.

And I also found the following commit:

https://github.com/gpg/libgcrypt/commit/915570db198f2cf15db5c034096a444a8a79476e#diff-c55728a8e1162a431e4754734d27a041


Does this mean that only dumpsexp is GPLv3?

BR,


Re: FAQ change

2019-10-21 Thread Jeff Allen via Gnupg-users
On Tue, 2019-10-22 at 00:59 +0100, MFPA via Gnupg-users wrote:
> Hi
> 
> On Monday 21 October 2019 at 6:09:17 AM, in
> , Robert J.
> Hansen wrote:-
> 
> > Due to Yahoo! Groups closing, the PGPNET mailing list
> > has moved to
> > groups.io;
> 
> I thought PGPNET's move was prompted by degraded performance on the
> yahoogroups platform, which led some group members to look around
> and find something that worked better.
> 

It was, but that's quibbling.  Yahoo! Groups performance, on the
platform and as a simple mailing list relay, has been deteriorating for
years.  Hundreds of lists formerly hosted on Yahoo! Groups have moved
to other platforms because Yahoo!'s current ownership has made it clear
that the groups they inherited are not part of their corporate future. 
The elimination of hosted content is just the latest manifestation.

Like others, we looked around and found something that worked better.

My thanks to Mr. Hansen for updating our listing.

Jeff Allen, PGPNET moderator




Re: FAQ change

2019-10-21 Thread Robert J. Hansen
> I thought PGPNET's move was prompted by degraded performance on the
> yahoogroups platform, which led some group members to look around and
> find something that worked better.

What I know is this: I was asked by a PGPNET member to change the
address, and the cause for the change was the imminent closure of the
Yahoo! Groups version of PGPNET.  That's all.  Beyond that, discuss it
on PGPNET, please.  :)




Re: FAQ change

2019-10-21 Thread MFPA via Gnupg-users
Hi

On Monday 21 October 2019 at 6:09:17 AM, in
, Robert J.
Hansen wrote:-

> Due to Yahoo! Groups closing, the PGPNET mailing list
> has moved to
> groups.io;

I thought PGPNET's move was prompted by degraded performance on the
yahoogroups platform, which led some group members to look around and
find something that worked better.

- --
Best regards

MFPA  

It is not necessary to have enemies if you go out of your way to make friends 
hate you.


Re: a new free smime service, but...

2019-10-21 Thread MFPA via Gnupg-users
Hi


On Sunday 20 October 2019 at 3:20:41 PM, in
, Uwe Brauer via Gnupg-users wrote:-


> I just found that
> https://extrassl.actalis.it/portal/uapub/doProcess

> Provides a free smime certificate.

[...]

> does somebody know whether there is a security
> breach, the way this
> certificate was generated?

I'm no expert but their Certificate Policy reads to me that the
private key is compromised right from the start. I think usually the
keys are generated on the subscriber's device and only the public key
goes to the CA to be certified.
https://www.actalis.it/documenti-it/caact-free-s-mime-certificates-policy.aspx

3.2.2 Proving possession of private key

The private cryptographic key corresponding to the public key
within the certificate is generated by the CA (with a suitable
algorithm, size, etc.) and subsequently sent to the subscriber in
PKCS#12 format [PFX], via email, thereby insuring that the
subscriber does possess the private key. The password needed to
import the PKCS#12 file is provided to the subscriber out-of-band
(via web), therefore protecting it from unwanted disclosure to
third parties. The CA does not retain such password, so that the
legitimate subscriber – assuming that he/she keeps such password
confidential – remains the only person able to import the PKCS#12.

And

4.1 Certificate Application, Processing and Issuance
To apply for a certificate pursuant to this CP, after accepting the
quote, the requestor shall fill in and submit a web-based request
form to be found on the CA web site. Before the requestor can
actually submit the certificate request form to the CA, he/she
must read and accept this Certificate Policy and the Terms &
Conditions; both documents are made available for download in the
same web form. The requestor’s acceptance is expressed by “point &
click”, as allowed by Italian and European legislation on distance
contracts. Furthermore, before the certificate request is
accepted, the CA shall perform I according to §3.2. Upon
submission of the certificate request form, the CA shall issue the
certificate and send this latter to the Subscriber via email. The
certificate is sent to the Subscriber requestor together with the
corresponding private key, both bundled into a PKCS#12 file [PFX].
The password needed to decipher the PKCS#12 file is shown to the
requestor in the browser, at the end of the certificate request
procedure. It is up to the Subscriber to keep that password
confidential and protect it from unwanted loss

- --
Best regards

MFPA  

The cure for anything is salt water - sweat, tears, or the sea.


Help needed - for a binary to words encoder/decoder for GnuPG

2019-10-21 Thread Stefan Claas via Gnupg-users
Hi all,

I was wondering if native English speakers can help me out in finding 'the
right' 5 letter words which can be used in a binary to words encoder/decoder,
which then can be used with GnuPG encrypted binary files, so that these
(preferably small binary blobs) messages can then be sent over telephone, radio
or as letter/fax.

I already contacted my Golang programmer who wrote me yesterday such an
encoder/decoder and I have already created a dictionary with German 5 letter
words, which are IMHO easy to speak and they contain no 'offensive' etc. words.

The encoder uses for every byte combination [0-255] a single 5 letter word. For
sure, this is not so effective as codegroups[1] but IMHO faster to speak and to
write down.

Here is a very small GnuPG symmetrically encrypted message, run through the
encoder:

Leser Aroma Algen Angel Album Ahorn Fasan Folie Geste Insel
Kreis Umzug Xenia Katze Rille Sinus Gummi Adler Lende Torte
Mappe Balsa Sorte Album Insel Venus Quote Lampe Onkel Sinus
Laube Anzug Heike Hitze Lager Knauf Gitta Mensa Hitze Haube
Wonne Ruder Maler Ampel Mulde Platz Alina Alina Eimer Hecht
Blatt Biene Nebel Kraut Erbse Zweig Stadt Zweig Natur Stoff
Fleck Pferd Sinus Pudel Wange Wagen Index Leser Teich Pferd
Album Seide Tempo Pokal Couch Dauer Nadel Knopf Nager Suppe
Boden Anton Ziege Musik Platz Serie Geist Xenia Lurch Platz
Sirup Gleis Felge Musik Platz Henne Adler Dogge Kugel Forum
Salto Gabel

What I need now is kind folks looking here at the 'alpha' wordlist:
https://github.com/dwyl/english-words and sieve out with this small
Python program, or something else

|import fileinput
|N = 5  # keep only words of this length
|for line in fileinput.input():
|    for word in line.split():
|        if len(word) == N:
|            print(word)

5 letter words and then manually select the best ones, which native English
speakers could easily listen to and write down.

Once I have the list I will then create the English version of the software
and publish it, along with the German version, on my keybase page.

[1] https://www.fourmilab.ch/codegroup/

Best regards
Stefan


-- 
box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
  certified OpenPGP key blocks available on keybase.io/stefan_claas
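
The one-word-per-byte scheme described in the message above, as an added Python example that is not part of the original post and is not the author's Go program. The 256-entry word list is a constructed placeholder (pseudo-words built from syllables), and the names `sieve`, `WordCodec` and `PLACEHOLDER_WORDS` are hypothetical.

```python
"""Byte-to-word codec: exactly one 5-letter word per byte value [0-255]."""

# CONSTRUCTED placeholder list: 16 two-letter prefixes x 16 three-letter
# suffixes give 256 distinct 5-letter pseudo-words. A real deployment would
# substitute a hand-selected dictionary, as the post proposes.
PREFIXES = "ba de fi go ku la me ni po ru sa te vi zo ha je".split()
SUFFIXES = "bal den fir gos kum lan mer nit pol rus sam tek vin zot hap jed".split()
PLACEHOLDER_WORDS = [p + s for p in PREFIXES for s in SUFFIXES]


def sieve(candidates, length=5):
    """Keep unique, purely alphabetic ASCII words of the given length.

    Input order is preserved so the result can be reviewed by hand before
    256 entries are picked from it.
    """
    seen, kept = set(), []
    for word in candidates:
        word = word.strip().lower()
        if (len(word) == length and word.isascii() and word.isalpha()
                and word not in seen):
            seen.add(word)
            kept.append(word)
    return kept


class WordCodec:
    """Maps each byte value to one word and back."""

    def __init__(self, words):
        words = [w.lower() for w in words]
        # A duplicate or missing entry would make decoding ambiguous or lossy.
        if len(words) != 256 or len(set(words)) != 256:
            raise ValueError("need exactly 256 distinct words, one per byte value")
        self._by_byte = words
        self._by_word = {w: i for i, w in enumerate(words)}

    def encode(self, data, per_line=10):
        """Return the words for `data`, capitalized, `per_line` words per line."""
        words = [self._by_byte[b].capitalize() for b in data]
        lines = [" ".join(words[i:i + per_line])
                 for i in range(0, len(words), per_line)]
        return "\n".join(lines)

    def decode(self, text):
        """Return the bytes for whitespace-separated words (case-insensitive).

        A word outside the list (a transcription error) raises ValueError
        naming its position, so the receiver knows which word to ask for again.
        """
        out = bytearray()
        for pos, token in enumerate(text.split(), start=1):
            try:
                out.append(self._by_word[token.lower()])
            except KeyError:
                raise ValueError(
                    f"word {pos} ({token!r}) is not in the word list") from None
        return bytes(out)


if __name__ == "__main__":
    codec = WordCodec(PLACEHOLDER_WORDS)
    blob = bytes([0x8C, 0x0D, 0x04, 0x09, 0x03, 0x02])  # constructed sample bytes
    spoken = codec.encode(blob)
    print(spoken)
    print(codec.decode(spoken) == blob)
```

The codec rejects only words that are not in the list; a misheard word that happens to be another valid entry decodes to a wrong byte without any error at this layer.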
   



Re: Future OpenPGP Support in Thunderbird

2019-10-21 Thread Vincent Breitmoser via Gnupg-users


> Werner's implementation has an excellent reputation, and it's the only one
> I personally trust completely.

You state this so matter-of-factly, I feel compelled to point out that among
cryptographers, libgcrypt's reputation is not all that great...

https://twitter.com/ciphergoth/status/1179959883589771265

 - V



Re: Future OpenPGP Support in Thunderbird

2019-10-21 Thread Robert J. Hansen
>> GnuPG has steadfastly refused to create an OpenPGP library programmers
>> can use directly,
> 
> I was under the impression that gpgme is just such a library.

It is not.  Under the hood, GPGME works by launching an entirely new
process and directing it via interprocess communication.

Hopefully this puts the rest of my paragraph in perspective:

"... on the grounds that security is improved by adding
process separation between the application process and the GnuPG
process.  There's a lot to be said for this argument.  There's a lot to
be said for the counterargument: that the additional complexity involved
in communicating across a process boundary turns it into a false savings."

Regardless of whether you interface with GnuPG directly (as Enigmail
does) or through a library (as GPGME-using applications do), you're
still running GnuPG in a separate process and communicating across a
process boundary.



Re: gpg: There is no assurance this key belongs to the named user

2019-10-21 Thread Matthias Apitz
On Monday, October 21, 2019 at 07:32:48 PM +0200, Matthias Apitz wrote:

> 
> Hello,
> 
> I wanted to insert a new password into my password store, but I can't do
> so anymore. It says:
> 
> $ pass insert -m web/test3
> Enter contents of web/test3 and press Ctrl+D when finished:
> 
> gpg: 61F1ECB625C9A6C3: There is no assurance this key belongs to the named user
> gpg: [stdin]: encryption failed: Unusable public key
> Password encryption aborted.

The culprit was this file:

$ ls -l ~/.gnupg-ccid/trustdb*
-rw-------  1 guru  wheel  1280 23 may.   2017 /home/guru/.gnupg-ccid/trustdb.gpg
-rw-------  1 guru  wheel  1280 11 oct.  14:02 /home/guru/.gnupg-ccid/trustdb.gpg.20191011

after renaming it and restoring the previous version (not modified for
ages) of trustdb.gpg all is fine again. What caused the change on
October 11 remains unclear so far.

matthias


-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

October 3! Congratulations! The Berlin TV Tower turns 50
from: https://www.jungewelt.de/2019/10-02/index.php



gpg: There is no assurance this key belongs to the named user

2019-10-21 Thread Matthias Apitz

Hello,

I wanted to insert a new password into my password store, but I can't do
so anymore. It says:

$ pass insert -m web/test3
Enter contents of web/test3 and press Ctrl+D when finished:

gpg: 61F1ECB625C9A6C3: There is no assurance this key belongs to the named user
gpg: [stdin]: encryption failed: Unusable public key
Password encryption aborted.

I can decrypt fine anything in the password store:

$ gpg2 -d ~/.password-store/web/test2.gpg
gpg: encrypted with 4096-bit RSA key, ID 61F1ECB625C9A6C3, created 2017-05-14
  "Matthias Apitz (GnuPG CCID) "
4711
0815

but encryption seems to be the problem:

$ gpg2 -ea -r "Matthias Apitz (GnuPG CCID) " file
gpg: 61F1ECB625C9A6C3: There is no assurance this key belongs to the named user

sub  rsa4096/61F1ECB625C9A6C3 2017-05-14 Matthias Apitz (GnuPG CCID) 

 Primary key fingerprint: 5E69 FBAC 1618 562C B3CB  FBC1 47CC F7E4 76FE 9D11
      Subkey fingerprint: EB62 00DA 13A1 9E80 679B  1A13 61F1 ECB6 25C9 A6C3

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N)

What might be the problem in my $GNUPGHOME:

$ ls -l $GNUPGHOME
total 456
srwx------  1 guru  wheel       0 Oct 21 18:16 S.gpg-agent
srwx------  1 guru  wheel       0 Oct 21 18:16 S.gpg-agent.browser
srwx------  1 guru  wheel       0 Oct 21 18:16 S.gpg-agent.extra
srwx------  1 guru  wheel       0 Oct 21 18:16 S.gpg-agent.ssh
srwx------  1 guru  wheel       0 Oct 21 18:16 S.scdaemon
drwx------  2 guru  wheel    1024 Sep 21 10:08 crls.d
-rw-------  1 guru  wheel    2649 May 12  2017 dirmngr.conf
-rw-r--r--  1 guru  wheel      95 Jan  1  2019 gpg-agent.conf
-rw-------  1 guru  wheel    5191 May 12  2017 gpg.conf
drwx------  2 guru  wheel     512 May 14  2017 openpgp-revocs.d
drwx------  2 guru  wheel     512 May 14  2017 private-keys-v1.d
-rw-------  1 guru  wheel   38835 Oct 11 14:02 pubring.gpg
-rw-------  1 guru  wheel   38835 Oct 11 14:02 pubring.gpg~
-rw-------  1 guru  wheel  159155 Sep 30 16:46 pubring.kbx
-rw-------  1 guru  wheel  157316 Sep 21 10:07 pubring.kbx~
-rw-------  1 guru  wheel     600 Oct  5 16:57 random_seed
-rw-r--r--  1 guru  wheel       7 Oct 21 19:01 reader_0.status
-rwxr-xr-x  1 guru  wheel    3386 Mar 15  2018 scd-event
-rw-r--r--  1 guru  wheel     123 Jan  5  2019 scdaemon.conf
-rw-r--r--  1 guru  wheel     141 Mar 13  2018 scdaemon.conf.away
-rw-------  1 guru  wheel       0 Dec 28  2017 secring.gpg
-r--------  1 guru  wheel    1865 May 14  2017 sk_61F1ECB625C9A6C3.gpg
-rw-r-----  1 guru  wheel     676 May 15  2017 sshcontrol
-rw-------  1 guru  wheel    1280 Oct 11 14:02 trustdb.gpg
-rw-r-----  1 guru  wheel    1900 Jul 22 21:52 trustlist.txt

I have enough older backups of this part of my $HOME, but would like to
understand what is missing or damaged, and how it happened, and how to
fix it.

Thanks

matthias


-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

October 3! Congratulations! The Berlin TV Tower turns 50
from: https://www.jungewelt.de/2019/10-02/index.php




Re: FAQ: seeking consensus

2019-10-21 Thread Steffen Nurpmeso
Steffen Nurpmeso wrote in <20191021160908.4_hgk%stef...@sdaoden.eu>:
 |Vincent Breitmoser wrote in <2UJQOP6NMJE80.2FS52GC36TCEU@my.amazin.horse>:
 ||> Especially if the key is shipped alongside the message already
 ||
 ||Are you sure that it is though? Seems to me you're giving out ill-informed
 ||advice here.
 |
 |Bad advice of mine yes, PGP does not do it the way S/MIME does it.
 ...
 |But you could send a signed message with the public key attached
 |(as application/pgp-keys even?) to the person you want to
 |henceforth communicate encrypted and/or signed.  You need some
 |kind of web of trust to make this fly, however.  But it would
 |make it clear that you have the private counterpart.

Ok, that "clear" is only true if you then just send an encrypted
message right afterwards.  But that should be it, or am i confused?
I would say that is not an effort too much to gain safe
communication when it is desired.  And then there are other ways
of fetching keys, as long as there are keyservers which one can
use.

Thanks for the sks pool is due at that time.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)



Re: FAQ: seeking consensus

2019-10-21 Thread Steffen Nurpmeso
Steffen Nurpmeso wrote in <20191021160908.4_hgk%stef...@sdaoden.eu>:

'Just want to add that the DKIM i refer to in my first message is
in my eyes not a solution but a disastrous demolition ball
of the mail standard, and as such hatred by me, and the reply-to:
that was pointing to Tony Lane's real address is gone if one does
not answer him as a primary and at first glance.

  To: Vincent Breitmoser 
  Cc: Tony Lane via Gnupg-users 

Brain damaged that too.  And i wonder how many archives will be
mutilated and soiled.  What will the next generation think,
definitely not the same that "we" do when we look at messages from
the 80s, for example.  That is the worst business cr.p in a long
time.

(And i apologise shall some g's be missing, my six month old
Lenovo IdeaPad 530S has a keyboard defect; for now i use
a Mode_switch overfay for f, but it's kinda sick.)
 

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)



Re: FAQ: seeking consensus

2019-10-21 Thread Steffen Nurpmeso
Vincent Breitmoser wrote in <2UJQOP6NMJE80.2FS52GC36TCEU@my.amazin.horse>:
 |
 |> Especially if the key is shipped alongside the message already
 |
 |Are you sure that it is though? Seems to me you're giving out ill-informed
 |advice here.

Bad advice of mine yes, PGP does not do it the way S/MIME does it.
Sorry, this was not truly intended, i am more used to CMS and
S/MIME, it just came "naturally" out of me.  Side-channel free, so
to say ;}

But you could send a signed message with the public key attached
(as application/pgp-keys even?) to the person you want to
henceforth communicate encrypted and/or signed.  You need some
kind of web of trust to make this fly, however.  But it would
make it clear that you have the private counterpart.

I do stand to my opinion on the Autocrypt header beside that.
I think the OpenPGP: header with a reference to safe transport for
fetching possibilities is more kind and social, and safer, too.

 | - V
 --End of <2UJQOP6NMJE80.2FS52GC36TCEU@my.amazin.horse>

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)



Using WKD via http_proxy without DNS server available

2019-10-21 Thread Michał Górny via Gnupg-users
Hello,

We received a report from one of our users who was unable to get GnuPG
to fetch keys from behind a HTTP proxy [1].  From our investigation, it
seems that GnuPG does not even try to use the proxy if the system does
not have a DNS server configured.  In particular, the log posted at [2]
states:

  2019-10-17 16:28:05 dirmngr[17549.6] DBG: chan_6 <- WKD_GET -- infrastruct...@gentoo.org
  2019-10-17 16:28:05 dirmngr[17549.6] DBG: dns: libdns initialized
  2019-10-17 16:28:05 dirmngr[17549.6] DBG: dns: resolve_dns_name(openpgpkey.gentoo.org): Server indicated a failure
  2019-10-17 16:28:05 dirmngr[17549.6] DBG: dns: getsrv(_openpgpkey._tcp.gentoo.org): Server indicated a failure
  2019-10-17 16:28:05 dirmngr[17549.6] command 'WKD_GET' failed: Server indicated a failure
  2019-10-17 16:28:05 dirmngr[17549.6] DBG: chan_6 -> ERR 219 Server indicated a failure
  2019-10-17 16:28:05 dirmngr[17549.6] DBG: chan_6 <- BYE
  2019-10-17 16:28:05 dirmngr[17549.6] DBG: chan_6 -> OK closing connection
  2019-10-17 16:28:05 dirmngr[17549.6] handler for fd 6 terminated

FWICS the problem is that dirmngr aborts immediately upon getting DNS
error.  Could it be changed to proceed as if no DNS records were
received, and attempt to perform the request via proxy?  TIA.


[1] https://bugs.gentoo.org/661376
[2] https://bugs.gentoo.org/661376#c31

-- 
Best regards,
Michał Górny





Re: Future OpenPGP Support in Thunderbird

2019-10-21 Thread Robert J. Hansen
> Actually, the Enigmail / GnuPG duo is one of the best examples of how
> different software parts could work together, thus increasing the
> prevalence of both parts by magnitudes, pushing a technique which the
> world really needs, and making it usable for the masses. Enigmail /
> GnuPG is by far more than its sum.

And at the same time, less.  Remember what Efail showed us: that the
interface between GnuPG and clients calling it is remarkably subtle and
prone to misinterpretation.  It isn't just Enigmail which got bit by
this, either: a *lot* of email clients got hit.

GnuPG has steadfastly refused to create an OpenPGP library programmers
can use directly, on the grounds that security is improved by adding
process separation between the application process and the GnuPG
process.  There's a lot to be said for this argument.  There's a lot to
be said for the counterargument: that the additional complexity involved
in communicating across a process boundary turns it into a false savings.

I'm not sure which one I believe, myself.



Re: Future OpenPGP Support in Thunderbird

2019-10-21 Thread Binarus



On 19.10.2019 17:20, Patrick Brunschwig wrote:
> 
>> Why not stick with that and focus on what has made Enigmail
>> successful?
> What is the reason in your eyes that made Enigmail successful?
> 

It is the ingenious mixture of integration / ease-of-use on one hand
(setting it up (normally) is a no-brainer, including key generation and
key upload, it allows for per-recipient rules, it provides a nice GUI
for a task which actually is complex, it allows subject encryption, it
allows using hardware tokens, it provides PGP/MIME and PGP/inline, and
it integrates fantastically; heck, the PGP settings even are integrated
into the account settings, exactly where they belong!) and on the other
hand the unlimited possibilities of GnuPG (command line, configuration).

Last, but not least, we must not forget security issues. Implementing
PGP correctly is a hairy task, given the long history of security
problems in different implementations. Werner's implementation has an
excellent reputation, and it's the only one I personally trust
completely. It is exactly the division of tasks which may have
contributed to Enigmail's success more than one would imagine. After
all, email encryption users do care about the underlying engine. We all
know what we would have to expect if the TB team would rewrite the thing
itself (which you have ruled out) or would use some library which hasn't
been tested as rigorously as GnuPG.

Actually, the Enigmail / GnuPG duo is one of the best examples of how
different software parts could work together, thus increasing the
prevalence of both parts by magnitudes, pushing a technique which the
world really needs, and making it usable for the masses. Enigmail /
GnuPG is by far more than its sum.

Each of the above reasons has made Enigmail so successful (and GnuPG,
of course).

Regards,

Binarus




Re: FAQ change

2019-10-21 Thread Mark Rousell
On 21/10/2019 06:09, Robert J. Hansen wrote:
> Due to Yahoo! Groups closing

I know it doesn't really matter here and now but Yahoo Groups is not
closing. It's only the ancillary services that are being deleted. Yahoo
Groups continues in service as a very basic mail list service (with no
archive), i.e. the core service continues as it does now.

(Yes, I can well imagine that the death of the Yahoo Groups mail list
service could well happen soon but it has not been announced as yet).

Reference: https://help.yahoo.com/kb/groups/SLN31010.html


-- 
Mark Rousell
