Contributing: how to modify the man page

2023-12-08 Thread Daniel Cerqueira via Gnupg-users
I am about to contribute some simple code into GnuPG.

I want my commit to be complete, so I am looking to also modify the gpg
info and the gpg man page. I would like to know which files I need to
edit in order to change the gpg man page and the gpg info page.

Thanks

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users


Learning about authentication

2023-11-23 Thread Daniel Cerqueira via Gnupg-users
I want to know a bit, on how authentication and authorization works in
GnuPG.

I know that for encryption, GnuPG creates a session key with the public
key, that is then used with symmetric encryption. For decryption, the
private key is used to recover that session key, with which the
ciphertext then gets symmetrically decrypted.

I know that for signing, a hash of the content is produced, that,
afterwards, gets encrypted with the private key. For verification, the
public key is used to recover the original hash, and then that gets
compared with the content hashing.

I don't understand how authentication and authorization works. Can
someone clarify this for me?

Thanks.



Re: gnupg 'signing server'? Looking for advice on key management/security

2023-11-13 Thread Daniel Cerqueira via Gnupg-users
Jacob Bachmeyer  writes:

> The problem here is that, while the key never leaves the smartcard,
> the /entire/ device that accesses the smartcard must be trusted, as a
> backdoor on the device could steal plaintext or submit extra items for
> signing.  A PIN does not solve the problem, since the PIN is entered
> on the device, which could be backdoored to store the PIN and submit
> it along with Mallory's messages for the smartcard to sign---and the
> card will sign it, since the PIN checks out...
>
> Smartcards make silently duplicating the key difficult (supposedly
> infeasible) but do not solve the general problems with
> network-connected devices.

If you don't trust pinentry, maybe you should also not trust gnupg. They
are from the same project (gnupg.org).

I believe it is best for you not to use gnupg and pinentry until you
review them.



Re: gnupg 'signing server'? Looking for advice on key management/security

2023-11-12 Thread Daniel Cerqueira via Gnupg-users
Jeff Schmidt  writes:

> Hi,
>
>    So, I want to start using Gnupg more to sign things. Right now, in
> addition to GnuPG having access to my private key, to use
> signing/encryption in my email client, requires allowing the openpgp
> implementation in the email client to access my private key. Which, I
> think I'm OK with as it's a local client, but, I got to thinking about
> the problem of access to the private key.
>
> Of course, the whole premise of public key encryption is that your
> private key is a closely guarded secret. Which raises the question,
> how does one USE the private key, without risking exposing it.
>
> There are multiple problems, it seems to me, and I'm sure as I'm about
> 20 years late to the party, that others have identified these and
> more, so I wonder if I can get recommendations to articles/blog posts
> online, or books, or any wisdom the subscribers of this list can
> impart.
>
> But, the problems that have occurred to me:
>
> * Even if one only uses the key locally on one or two 'trusted'
>   devices, there is still the problem of multiplying how many
>   different apps might have access to your private key - and the more
>   apps, the more points of potential failure/leakage of your key. Any
>   app that has been maliciously trojaned by some bad actor, could
>   steal your private key, and transmit it to some third party, or even
>   allow a third party to simply sign or encrypt data using the local
>   app, that isn't yours, as if it came from you.
>
> * The problem gets worse when you think about things like online
>   services - if you are using an online email or messaging provider,
>   or photo sharing service, document/file sharing service, online
>   social media service, it seems like it would be a really bad idea to
>   upload your private key to those services and trust them with that.
>   Now, maybe you might use subkeys as a sort of partial solution to
>   that - generating service-specific and revocable subkeys for each
>   specific service, and never providing the master private key, but
>   that still presents a risk that any of those subkeys might be
>   stolen.
>
> * Using a strong password to encrypt and protect the private key,
>   while a good idea, doesn't really solve the problem, because at some
>   point, to use the private key, you have to provide the password so
>   it can be decrypted to be used, and every time you provide the
>   password, it presents an opportunity for the key to be stolen.
>
> It seems to me that maybe the best way to resolve many of these risks,
> at least, to reduce the 'surface area' of the risk, is to only have
> ONE app (ideally, gnupg) that EVER accesses the private key, and that
> ALL other requests to encrypt or sign data be brokered through a
> 'gnupg server' running on my trusted device, where connections to the
> server are encrypted, and when I want data to be signed or encrypted
> with my private key, whatever app I'm using to originate the data
> connects to gnupg and requests signing or encryption as a service from
> the server. Then, gnupg could present the data to me for verification
> that no man-in-the-middle or malicious app has altered the data before
> submitting it for signing/encryption, then I provide my password just
> to gnupg, which would sign or encrypt the payload and pass it back to
> the original app or web service.
>
> Is there an easy way to use gnupg like this? It would be lovely if,
> for example, when I'm posting on a social media platform, if I could
> configure the social media app to connect to my local 'gnupg server'
> and have all my posts and shared photos/videos signed. Of course, this
> would require support in those third party apps to have the necessary
> code to make that connection to gnupg, but, as a starting point, I'm
> not clear if there is even any standard protocol for such a service,
> or if gnupg implements it?

You may want to consider using an OpenPGP smartcard (for example, a
Yubikey). It seems that you are a good fit.

Using an OpenPGP smartcard, the private key never leaves the smartcard.
The smartcard can also be used on a smartphone that has NFC support.

Cheers



How to avoid weird message on file deciphering

2023-11-10 Thread Daniel Cerqueira via Gnupg-users
Hi.

I am trying to do a script that has `gpg --decrypt`.
This is what I am getting:

LC_ALL=C gpg --decrypt ~/file.gpg
gpg: encrypted with RSA key, ID 0x
gpg: anonymous recipient; trying secret key 0x2D3C49A28079BBBD ...
gpg: anonymous recipient; trying secret key 0xB8A344FF3684F216 ...
gpg: anonymous recipient; trying secret key 0x60E8A97AEB2F2DB9 ...
gpg: okay, we are the anonymous recipient.
asdf

I want to avoid all the messages and only output "asdf" (the content of
the file). How can I do this with gpg?

I have tried some variations, but I always get this "gpg: anonymous
recipient" message (that I want to avoid).

My key is on a Yubikey. Don't know if this matters for this issue.

Thanks.


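The scripted `gpg --decrypt` described in the post above, as an added example that is neither from the post nor from GnuPG itself. gpg writes its "anonymous recipient; trying secret key ..." lines to stderr, so stdout already carries only the plaintext; the risk in a script is to answer the question with `2>/dev/null` and then trust whatever comes out, because a failed decryption then produces empty output and the reason is lost. The functions below (`decrypt_file`, `decrypt_status_ok` and `first_status_error` are names chosen here) keep stderr in a log file and decide success from gpg's machine-readable status lines (`--status-fd`, keywords such as `DECRYPTION_OKAY` and `DECRYPTION_FAILED` from GnuPG's doc/DETAILS). The status logs at the bottom are constructed for the demonstration, not captured output, so the checks run without a key or a Yubikey present.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post or from GnuPG.
# Decrypt a file from a script so that only the plaintext is emitted,
# while still detecting and reporting a failed decryption.

# decrypt_file ENCRYPTED PLAINTEXT_OUT STATUS_LOG
# Writes the plaintext to PLAINTEXT_OUT, gpg's status lines to STATUS_LOG
# and the human-readable messages to STATUS_LOG.stderr. Returns gpg's exit
# status. --batch/--no-tty never prompt on the terminal (a smartcard PIN is
# still asked for through gpg-agent's pinentry); --quiet drops most
# informational messages.
decrypt_file() {
    gpg --batch --no-tty --quiet \
        --status-fd 3 \
        --output "$2" \
        --decrypt "$1" \
        3>"$3" 2>"$3.stderr"
}

# decrypt_status_ok STATUS_LOG
# Succeeds only if gpg reported DECRYPTION_OKAY and never DECRYPTION_FAILED.
decrypt_status_ok() {
    if grep -q '^\[GNUPG:\] DECRYPTION_OKAY' "$1" &&
       ! grep -q '^\[GNUPG:\] DECRYPTION_FAILED' "$1"; then
        return 0
    fi
    return 1
}

# first_status_error STATUS_LOG
# Prints the first status line that explains why decryption did not succeed
# (nothing is printed for a successful run).
first_status_error() {
    grep -E '^\[GNUPG:\] (DECRYPTION_FAILED|NO_SECKEY|NODATA|FAILURE)' "$1" |
        head -n 1
}

# Constructed status logs (not real gpg output) so the checks above can be
# exercised offline. The all-zero key ID is what gpg reports for a hidden
# ("anonymous") recipient.
tmp=${TMPDIR:-/tmp}/gpgstatus.$$
printf '%s\n' \
    '[GNUPG:] ENC_TO 0000000000000000 1 0' \
    '[GNUPG:] BEGIN_DECRYPTION' \
    '[GNUPG:] DECRYPTION_OKAY' \
    '[GNUPG:] END_DECRYPTION' > "$tmp.good"
printf '%s\n' \
    '[GNUPG:] ENC_TO 0000000000000000 1 0' \
    '[GNUPG:] NO_SECKEY 0000000000000000' \
    '[GNUPG:] BEGIN_DECRYPTION' \
    '[GNUPG:] DECRYPTION_FAILED' \
    '[GNUPG:] END_DECRYPTION' > "$tmp.bad"

# Usage: sh decrypt-quiet.sh ~/file.gpg
# With a file argument and gpg installed, decrypt it for real and print only
# the plaintext; any failure goes to stderr with the status reason.
if [ "$#" -ge 1 ] && command -v gpg >/dev/null 2>&1; then
    if decrypt_file "$1" "$1.out" "$tmp.status" &&
       decrypt_status_ok "$tmp.status"; then
        cat "$1.out"
    else
        echo "decryption failed: $(first_status_error "$tmp.status")" >&2
        exit 1
    fi
fi
```

Separating the status channel from stderr is what makes the script both quiet and honest: the plaintext is the only thing on stdout, the chatter is kept in a log for troubleshooting, and an empty output can no longer be mistaken for a successfully decrypted empty file.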


How to send a signed git patch

2023-11-10 Thread Daniel Cerqueira via Gnupg-users
Hi everyone.

I want to send my po translation of GnuPG.

Werner told me to send a signed git patch to a list.

So, I signed my git commit with my GnuPG key. And when I do
`git format-patch master` the created patch does not have this signature.

How can I create a git patch with a GnuPG signature?


signature.asc
Description: PGP signature