Re: [Announce] A new Beta of GnuPG 2.1 is now available
Thanks Werner. This is very exciting. This new version already works on ArchLinux via AUR. Now where can we can find this mysterious patch for libgcrypt mentioned in the announcement for enabling encryption with Curve255519 ? I looked at libgcrypt development repository and don't find it. I'm about to release libgcrypt-git and libgcrypt-error-git to AUR as well and wanted to take an opportunity to add that extra support as well. Thank you in advance Alphazo On Thu, Jun 5, 2014 at 5:55 PM, Werner Koch w...@gnupg.org wrote: Hello! I just released the fourth *beta version* of GnuPG 2.1. It has been released to give you the opportunity to check out new features and a new beta was due anyway after 30 months. If you need a stable and fully maintained version of GnuPG, you should use version 2.0.23 or 1.4.16. This versions is marked as BETA and as such it should in general not be used for real work. However, the core functionality is solid enough for a long time and I am using this code base for a couple of years now. What's new in 2.1.0-beta442 since beta3 === * gpg: Add experimental signature support using curve Ed25519 and with a patched Libgcrypt also encryption support with Curve25519. * gpg: Allow use of Brainpool curves. * gpg: Accepts a space separated fingerprint as user ID. This allows to copy and paste the fingerprint from the key listing. * gpg: The hash algorithm is now printed for signature records in key listings. * gpg: Reject signatures made using the MD5 hash algorithm unless the new option --allow-weak-digest-algos or --pgp2 are given. * gpg: Print a warning if the Gnome-Keyring-Daemon intercepts the communication with the gpg-agent. * gpg: Changed the format of key listings. To revert to the old format the option --legacy-list-mode is available. * gpg: New option --pinentry-mode. * gpg: Fixed decryption using an OpenPGP card. * gpg: Fixed bug with deeply nested compressed packets. * gpg: Only the major version number is by default included in the armored output. * gpg: Do not create a trustdb file if --trust-model=always is used. * gpg: Protect against rogue keyservers sending secret keys. * gpg: The format of the fallback key listing (gpg KEYFILE) is now more aligned to the regular key listing (gpg -k). * gpg: The option--show-session-key prints its output now before the decryption of the bulk message starts. * gpg: New %U expando for the photo viewer. * gpg,gpgsm: New option --with-secret. * gpgsm: By default the users are now asked via the Pinentry whether they trust an X.509 root key. To prohibit interactive marking of such keys, the new option --no-allow-mark-trusted may be used. * gpgsm: New commands to export a secret RSA key in PKCS#1 or PKCS#8 format. * gpgsm: Improved handling of re-issued CA certificates. * agent: The included ssh agent does now support ECDSA keys. * agent: New option --enable-putty-support to allow gpg-agent on Windows to act as a Pageant replacement with full smartcard support. * scdaemon: New option --enable-pinpad-varlen. * scdaemon: Various fixes for pinpad equipped card readers. * scdaemon: Rename option --disable-pinpad (was --disable-keypad). * scdaemon: Better support fo CCID readers. Now, internal CCID driver supports readers with no auto configuration feature. * dirmngr: Removed support for the original HKP keyserver which is not anymore used by any site. * dirmngr: Improved support for keyserver pools. * tools: New option --dirmngr for gpg-connect-agent. * The GNU Pth library has been replaced by the new nPth library. * Support installation as portable application under Windows. * All kind of other improvements - see the git log. Getting the Software GnuPG 2.1-beta442 is available at ftp://ftp.gnupg.org/gcrypt/gnupg/unstable/gnupg-2.1.0-beta442.tar.bz2 ftp://ftp.gnupg.org/gcrypt/gnupg/unstable/gnupg-2.1.0-beta442.tar.bz2.sig and soon on all mirrors http://www.gnupg.org/mirrors.html. Please read the README file ! Checking the Integrity == In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways: * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-2.0.23.tar.bz2 you would use this command: gpg --verify gnupg-2.1.0-beta442.tar.bz2.sig This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed
GnuPG2-git now available in ArchLinux
Most dependencies required to compile the GIT version of GnuPG2 have now made it to mainstream (libgpg-error, libgcryp...). The only remaining one is libksba.I've already contacted the maintainer for fixing it. I've created an AUR package for both libksba and gnupg-git so people can try out the new exciting ECDSA support without hassle. I use Yaourt as AUR helper so getting and compiling the latest GIT version is easy as: # yaourt libksba-latest # yaourt gnupg2-git Alphazo Links to AUR pages: - gnupg2-git: https://aur.archlinux.org/packages.php?ID=50961 - libksba-latest: https://aur.archlinux.org/packages.php?ID=50960 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Add/remove recipient without re-encrypting
Is it possible to add or remove a recipient to an already encrypted file and thus without re-encrypting the whole file? From what I understand GnuPG encrypts the payload (my binary file) with a symmetric session key. Then it stores each recipient key ID (optional) as well as an encrypted version of the session key using the public key of the recipient (asymmetric encryption). Assuming I own the private key of one the original recipient, could GnuPG decrypt the session key and add/remove new recipients to the existing file? Thanks Alphazo ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OpenPGP card and poldi-ctrl
Hi Markus, What you are seeing with gnome-keyring is normal. The database of gnome-keyring is encrypted with a password that is usually the same as the login password. Therefore when you login with password, your gnome-keyring database gets automatically decrypted and you can access your WPA protected Wifi (if using network-manager) network without entering any additional password. Now when you login with an OpenPGP card, you can no longer decrypt the gnome-keyring database. I haven't found a practical way to avoid that. One alternative could be to use an encrypted space (truecrypt/encfs...) to store the gnome-keyring database and other home related information and therefore get rid of the gnome-keyring password. But you will still have to enter a password to unlock this encrypted space ;( Alphazo On Sun, Dec 12, 2010 at 6:10 PM, Markus Krainz l...@gmx.at wrote: Hi Alphazo, thanks for this great howto. I got it working right away. Where I still have problems: The gnome-keyring (seahorse), still demands the user-password. Also I often have to unplug and replug the reader to authenticate. This works, but it is very inconvenient. Regards, Markus On 2010-11-27 08:31, wrote: Hi Markus, Poldi tutorials are outdated. The new versions is configured differently. Poldi 0.4.1 works flawlessly with my Cryptostick token (OpenPGP card V2) for PAM authentication I used the default /etc/poldi/poldi.conf *auth-method localdb log-file /var/log/poldi.log debug scdaemon-program /usr/bin/scdaemon * Added one line to /etc/poldi/localdb/users with CryptoStick's serial number (get it from gpg --card status | grep Application) : * D1234678912346789123467891234678 alpha* And they dumped the public key from my Cryptostick into poldi local db: *sudo poldi-ctrl -k /etc/poldi/localdb/keys/* D1234678912346789123467891234678 The rest is pretty standard as it requires to modify pam configuration files. I keep the possibility to log in with password for the moment so I just added in /etc/pam.d/gdm /etc/pam.d/login /etc/pam.d/sudo /etc/pam.d/gnome-screensaver: *authsufficientpam_poldi.so* That's it really! One more thing, for better stability I recommend to disable opensc daemon when using Cryptostick. I had it enabled because I was playing with a PKCSC#11 token and got all sort of problems. I also had opensc-pkcs11.so module loaded in Thunderbird that had a tendency to restart opensc daemon also. So best is to disable it too. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: 10GB /var/log/messages.log
I use syslog-ng. This happened to me again today (very annoying). I really don't know what to do. Alphazo On Sun, Nov 21, 2010 at 4:54 PM, Philipp Schafft l...@lion.leolix.orgwrote: reflum, On Sun, 2010-11-21 at 13:55 +0100, Alphazo wrote: Yesterday, after signing one message using my CryptoStick (OpenPGP card V2 + USB reader) I filled up my /var/log/messages.log with 10GB (that's a lot) of the same exact message: Nov 20 21:15:00 localhost pcscd: ccid_usb.c:613:WriteUSB() write failed (2/3): -9 Success I don't know much about pcscd, but maybe there is a loop which should get a error counter. did restarting the process help? In fact it was only 10GB because I didn't have any more space left on this partition. I also had /var/log/everything.log and /var/log/user.log with the same content. The line just before was: Nov 20 21:13:12 localhost kernel: usb 2-1.2: new full speed USB device using ehci_hcd and address 3 The only thing I remember is that I probably have removed the drive at some point. Do you use rsyslogd? -- Philipp. (Rah of PH2) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
10GB /var/log/messages.log
Yesterday, after signing one message using my CryptoStick (OpenPGP card V2 + USB reader) I filled up my /var/log/messages.log with 10GB (that's a lot) of the same exact message: Nov 20 21:15:00 localhost pcscd: ccid_usb.c:613:WriteUSB() write failed (2/3): -9 Success In fact it was only 10GB because I didn't have any more space left on this partition. I also had /var/log/everything.log and /var/log/user.log with the same content. The line just before was: Nov 20 21:13:12 localhost kernel: usb 2-1.2: new full speed USB device using ehci_hcd and address 3 The only thing I remember is that I probably have removed the drive at some point. Has someone seen this behavior before? Alphazo ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Is there a way to specify which smartcard reader to use?
Hello, I have two USB dongle plugged in at the same time. One is the crypto stick (OpenPGP card 2.0 + CCID reader) and the other one is a PKCS#11 token. I don't use any udev rule for the crypto stick as the latest ccid lib supports it out of the box. Now I'm unable to do a gpg --card-status with both token inserted. gpg: detected reader `Feitian SCR301 00 00' gpg: detected reader `German Privacy Foundation Crypto Stick v1.2 01 00' Insérez la carte et tapez entrée ou entrez 'c' pour annuler: Is there a way to specify which reader to use for that command? For information, pcsc_scan reports the two readers correctly: PC/SC device scanner V 1.4.17 (c) 2001-2009, Ludovic Rousseau ludovic.rouss...@free.fr ludovic.rouss...@free.fr Compiled with PC/SC lite version: 1.6.4 Scanning present readers... 0: Feitian SCR301 00 00 1: German Privacy Foundation Crypto Stick v1.2 01 00 Fri Oct 8 10:34:55 2010 Reader 0: Feitian SCR301 00 00 Card state: Card inserted, ATR: 3B 9F 95 81 31 FE 9F 00 65 46 53 05 30 06 71 DF 00 00 00 81 61 10 C6 ATR: 3B 9F 95 81 31 FE 9F 00 65 46 53 05 30 06 71 DF 00 00 00 81 61 10 C6 + TS = 3B -- Direct Convention + T0 = 9F, Y(1): 1001, K: 15 (historical bytes) TA(1) = 95 -- Fi=512, Di=16, 32 cycles/ETU 125000 bits/s at 4 MHz, fMax for Fi = 5 MHz = 156250 bits/s TD(1) = 81 -- Y(i+1) = 1000, Protocol T = 1 - TD(2) = 31 -- Y(i+1) = 0011, Protocol T = 1 - TA(3) = FE -- IFSC: 254 TB(3) = 9F -- Block Waiting Integer: 9 - Character Waiting Integer: 15 + Historical bytes: 00 65 46 53 05 30 06 71 DF 00 00 00 81 61 10 Category indicator byte: 00 (compact TLV data object) Tag: 6, len: 5 (pre-issuing data) Data: 46 53 05 30 06 Tag: 7, len: 1 (card capabilities) Selection methods: DF - DF selection by full DF name - DF selection by partial DF name - DF selection by file identifier - Implicit DF selection - Short EF identifier supported - Record number supported - Record identifier supported Tag: 0, len: 0 (unknown) Tag: 0, len: 0 (unknown) Tag: 0, len: 0 (unknown) Mandatory status indicator (3 last bytes) LCS (life card cycle): 81 (Proprietary) SW: 6110 (0x10 bytes of response still available.) + TCK = C6 (correct checksum) Possibly identified card (using /usr/share/pcsc/smartcard_list.txt): 3B 9F 95 81 31 FE 9F 00 65 46 53 05 30 06 71 DF 00 00 00 81 61 10 C6 3B 9F 95 81 31 FE 9F 00 65 46 53 05 .. 06 71 DF 00 00 00 .. .. .. .. Feitian PKI (http://www.ftsafe.com/products/PKI-Card.html) FTCOS/PK-01C Fri Oct 8 10:34:55 2010 Reader 1: German Privacy Foundation Crypto Stick v1.2 01 00 Card state: Card inserted, ATR: 3B DA 18 FF 81 B1 FE 75 1F 03 00 31 C5 73 C0 01 40 00 90 00 0C ATR: 3B DA 18 FF 81 B1 FE 75 1F 03 00 31 C5 73 C0 01 40 00 90 00 0C + TS = 3B -- Direct Convention + T0 = DA, Y(1): 1101, K: 10 (historical bytes) TA(1) = 18 -- Fi=372, Di=12, 31 cycles/ETU 129032 bits/s at 4 MHz, fMax for Fi = 5 MHz = 161290 bits/s TC(1) = FF -- Extra guard time: 255 (special value) TD(1) = 81 -- Y(i+1) = 1000, Protocol T = 1 - TD(2) = B1 -- Y(i+1) = 1011, Protocol T = 1 - TA(3) = FE -- IFSC: 254 TB(3) = 75 -- Block Waiting Integer: 7 - Character Waiting Integer: 5 TD(3) = 1F -- Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following - TA(4) = 03 -- Clock stop: not supported - Class accepted by the card: (3G) A 5V B 3V + Historical bytes: 00 31 C5 73 C0 01 40 00 90 00 Category indicator byte: 00 (compact TLV data object) Tag: 3, len: 1 (card service data byte) Card service data byte: C5 - Application selection: by full DF name - Application selection: by partial DF name - EF.DIR and EF.ATR access services: by GET DATA command - Card without MF Tag: 7, len: 3 (card capabilities) Selection methods: C0 - DF selection by full DF name - DF selection by partial DF name Data coding byte: 01 - Behaviour of write functions: one-time write - Value 'FF' for the first byte of BER-TLV tag fields: invalid - Data unit in quartets: 2 Command chaining, length fields and logical channels: 40 - Extended Lc and Le fields - Logical channel number assignment: No logical channel - Maximum number of logical channels: 1 Mandatory status indicator (3 last bytes) LCS (life card cycle): 00 (No information given) SW: 9000 (Normal processing.) + TCK = 0C (correct checksum) Possibly identified card (using /usr/share/pcsc/smartcard_list.txt): 3B DA 18 FF 81 B1 FE 75 1F 03 00 31 C5 73 C0 01 40 00 90 00 0C GnuPG card V2 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
gpg-agent and scdaemon confusion when card is removed
Hello, Just received a Crypto Stick from the German Privacy Fundation. It is basically a USB token that embeds an OpenPGP card and a CCID smart card reader. My OS is Archlinux 64-bit and it has the following packages installed: - gnupg 1.4.10-2 - gnupg2 2.0.16-2 - ccid 1.4.0-2 - pcsclite 1.6.4-2 Since it has a pretty recent version of ccid I didn't have to patch ccid nor use any custom udev rule. The Crypto Stick worked out of the box. -- Crypto Stick inserted # gpg --card-status gpg: detected reader `German Privacy Foundation Crypto Stick v1.2 00 00' Application ID ...: D2760001240102050584 Version ..: 2.0 . -- Crypto Stick removed # gpg --card-status gpg: pcsc_list_readers failed: unknown PC/SC error code (0x8010002e) gpg: lecteur de cartes indisponible gpg: la carte OpenPGP n'est pas disponible: erreur générale -- Crypto Stick inserted # gpg --card-status gpg: detected reader `German Privacy Foundation Crypto Stick v1.2 00 00' Application ID ...: D2760001240102050584 Version ..: 2.0 . Then I managed to get SSH authentication working with that CryptoStick following instructions found here http://www.programmierecke.net/howto/gpg-ssh.html. That required to enable gpg-agent and configure ssh support for it. However for some reasons it breaks when Crypto Stick is removed then inserted back. I no longer have access to the card. I have to kill scdaemon in order to get access to the card again. Here are my config files: /etc/profile.d/gpg-agent.sh #!/bin/sh envfile=${HOME}/.gnupg/gpg-agent.env if test -f $envfile kill -0 $(grep GPG_AGENT_INFO $envfile | cut -d: -f 2) 2/dev/null; then eval $(cat $envfile) else eval $(gpg-agent --enable-ssh-support --daemon --write-env-file $envfile) fi ~/.gnupg/gpg-agent.conf # Cache settings default-cache-ttl 3600 default-cache-ttl-ssh 10800 allow-mark-trusted # Keyboard control #no-grab # PIN entry program pinentry-program /usr/bin/pinentry-gtk-2 So now with gpg-agent enable I have the following behavior: # ps aux | grep gpg alpha 5455 0.0 0.0 15140 560 ?Ss 22:20 0:00 gpg-agent --enable-ssh-support --daemon --write-env-file /home/alpha/.gnupg/gpg-agent.env -- Crypto Stick inserted # gpg --card-status Application ID ...: D2760001240102050584 Version ..: 2.0 . -- Crypto Stick removed # gpg --card-status gpg: selecting openpgp failed: ec=6.32848 gpg: la carte OpenPGP n'est pas disponible: erreur générale -- Crypto Stick inserted # gpg --card-status gpg: selecting openpgp failed: ec=6.32848 gpg: la carte OpenPGP n'est pas disponible: erreur générale #kill -9 scdaemon # gpg --card-status Application ID ...: D2760001240102050584 Version ..: 2.0 . Is there a way to avoid that behavior or to have some kind of script to kill scdaemon automatically? Thanks Alphazo ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users