WSL2: Gpg4win pinentry not available after PIN cache expires

2024-05-31 Thread David Tagatac
Hello,

My use case is:

   - Sign git commits in WSL2 (Debian)
   - gpg-agent uses Gpg4win's pinentry GUI to allow PIN entry


This works well immediately after restarting my Windows PC. However, after
the PIN cache expires (currently set to 86400 seconds), signing commits
fails with

> ❯❯❯ gpg-agent
> gpg-agent[11881]: gpg-agent running and available
> ❯❯❯ git ci -S -m "asdf"
> error: gpg failed to sign the data
> fatal: failed to write commit object

gpg-agent.conf in WSL2:

> ❯❯❯ cat ~/.gnupg/gpg-agent.conf
> default-cache-ttl 86400
> max-cache-ttl 86400
> pinentry-program "/mnt/c/Program Files (x86)/GnuPG/bin/pinentry-basic.exe"


Versions:

   - Windows 11 build 22631.3593
   - Gpg4win 4.3.1
   - [WSL2/Debian] gpg-agent (GnuPG) 2.2.40


Things that don't fix the issue:

   - Reinstall Gpg4win
   - taskkill /f /im kleopatra.exe; taskkill /f /im gpg-agent.exe; taskkill /f /im scdaemon.exe (and start Kleopatra again)
   - gpgconf --kill gpg-agent
   - wsl --shutdown


Things that do fix the issue:

   - Restart the PC
   - Use pinentry-curses
   - Use pinentry-tty


Is this a known issue, or can anyone offer any hints for debugging?

Thanks,
David
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users


Management of background services with systemd

2023-03-01 Thread David Joaquín Shourabi Porcel
I am researching GnuPG for my employer. We will stick with the old release 
series 2.2 at first, because few Linux distributions package 2.3 or 2.4 yet. 
However, I'm studying newer versions and recent developments to ease our future 
upgrades. In doing so, a question has arisen: should background services like 
the agent not be managed with systemd?

Daniel Kahn Gillmor [introduced][1] and maintained systemd unit files and also 
implemented `--supervised` for the [agent][2] and [dirmngr][3] as part of 
version 2.1.16. However, `--supervised` has been [deprecated][4] since version 
2.3.6 and Werner recently [removed the systemd unit files][5] altogether. In 
fact, he commented the following on [task T6336][6] about two months ago:

> Actually, the entire systemd based launching is deprecated and thus the 
> logged warning [about `--supervised`] is on purpose.
> 
> The problem with the systemd launched gpg-agent is that it creates a race: 
> gpg launches gpg-agent as needed and to avoid concurrent launching by other 
> gpg or gpgsm processes, it takes a file system lock during the launch 
> process. systemd does not know about this and we end up with sometimes end up 
> with two gpg-agent processes. Eventually one of those processes detects that 
> it does not own the socket and terminates itself. No real harm here but you 
> may see smart card lockups or a flushed password cache.

For what it's worth, the systemd setup (as packaged with series 2.2) works very 
well for me. In particular:

 - background services are managed through a common interface (that of systemd);
 - logs are centralized; and
 - the agent starts whenever OpenSSH needs it, thanks to socket activation.

I have experienced only one limitation: there is no convenient way for systemd 
to manage background processes for [ephemeral home directories][7], which I 
have been using extensively for my research & testing.


[1]: https://dev.gnupg.org/rG57e95f5413e21cfcb957af2346b292686a5647b7
[2]: https://dev.gnupg.org/rG9f92b62a51d2d60f038fdbe01602865c5933fa95
[3]: https://dev.gnupg.org/rG75f8aaf5bc2dc7fcffe2987a572d489155c91eb9
[4]: https://dev.gnupg.org/rGca5d5142c6d6eaba4572a086f8473e4aebdd3f9e
[5]: https://dev.gnupg.org/rGeae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed
[6]: https://dev.gnupg.org/T6336
[7]: https://www.gnupg.org/documentation/manuals/gnupg/Ephemeral-home-directories.html



RE: GNUPG and Google Cloud

2022-08-16 Thread David Gordon via Gnupg-users
CJ,

We were looking for a server-less solution. What we want to do is take data 
from a legacy mainframe system, encrypt it via PGP, and then via GKE transfer 
it to Cloud Storage. From there we want to decrypt it via GnuPG, save it in 
Cloud Storage and then load it into Big Query.

Thanks,
David

From: C.J. Collier 
Sent: Tuesday, August 16, 2022 10:23 AM
To: David Gordon 
Cc: gnupg-users@gnupg.org
Subject: Re: GNUPG and Google Cloud

Hi there!

Are you looking for a server-less solution or will a Debian instance on GCE or 
GKE suffice?

You can "deploy" GNUPG with apt-get.  Decrypting content would require getting 
a private key or an agent onto the system.

Can you give more details about what you're looking for?

C.J. in Cloud Support, Seattle
GCP Technical Solutions Engineer


On Tue, Aug 16, 2022, 05:49 David Gordon via Gnupg-users <gnupg-users@gnupg.org> wrote:
Can GnuPG be deployed to GCP to decrypt files? If so, is there a recommended 
approach?

Thanks,
David

Sent from Mail for Windows



Re: Gpg4win LetsEncrypt issue

2022-02-14 Thread David Kačerek via Gnupg-users

-- Original Message --
From: "Werner Koch via Gnupg-users" 
To:
Sent: 11.01.2022 11:52:00
Subject: Gpg4win LetsEncrypt issue


For details please see https://dev.gnupg.org/T5639 which was fixed with
GnuPG 2.2.32 and 2.3.4.

Hello,
I'd say the problem is fixed in neither GnuPG 2.2.32 nor 2.3.4. At 
least not on Windows 10. Along with Alex Nadtoka & Anze Jesterle, I'm 
another person suffering from the same issue.
If I try to search for some keys on some keyserver not using the Let's 
Encrypt certificate, like hkp(s)://keyserver-01.2ndquadrant.com, there's 
no problem.


If I try to search on hkp://keyserver.ubuntu.com, there's no problem as 
well.


But If I try to search on hkps://keyserver.ubuntu.com or 
hkp(s)://keys.openpgp.org, I'm getting:
C:\Users\David>gpg --keyserver hkps://keyserver.ubuntu.com --search-keys 
opensuse

gpg: error searching keyserver: Certificate expired
gpg: keyserver search failed: Certificate expired
Both keyserver.ubuntu.com and keys.openpgp.org key servers use the LE 
certificate. On a side note, I wonder why hkp://keys.openpgp.org doesn't 
work either since the hkp:// protocol works on top of HTTP and not HTTPS, 
but that's another issue.


If I remove the invalid intermediate certificate R3, issued by DST Root 
CA X3, expired on 09/29/2021 from certmgr.msc and then reload dirmngr, 
"certificate expired" error no longer shows in any case.


I've checked I have the new valid intermediate certificate R3, issued by 
ISRG Root X1, expiring on 09/15/2025 present in certmgr.msc and yet in 
such a case dirmngr shows in its log that it still tries the old 
verification path when the invalid R3 cert is installed. I would attach 
the whole log but it's partly in Czech and I don't know how to switch 
the output fully to English since it doesn't work despite setting the 
LC_MESSAGES=C variable.


So to me, it seems that both GnuPG 2.2.32 and 2.3.4 (installed via 
Gpg4win 4.0) on Win10 still suffer from the issue. So can we re-open 
the bug report https://dev.gnupg.org/T5639 or 
https://dev.gnupg.org/T5744 or should I create another one?


Thanks,
David K.




Short question regarding config

2022-01-22 Thread Horia Mihai David via Gnupg-users

Hi all,

What's the difference between `--personal-cipher-preferences' and 
`default-preference-list'?

What ends up in the exported keys?

Thanks!

- Mihai




Re: Short question regarding config

2022-01-22 Thread Horia Mihai David via Gnupg-users

Sorry for the formatting errors.

Regards,
- Mihai





Re: Best practices for obtaining a new GPG certificate

2021-03-18 Thread David Mehler via Gnupg-users
Hello,

Thanks all. I am definitely wanting a new key.

With regards the info John posted:

gpg --expert --full-gen-key
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key
  (14) Existing key from card

In the output there is an ECC option; should I go with an ECC-style key or
RSA? As regards RSA key size I typically use 4096.

Thanks.
Dave.


On 3/18/21, Werner Koch  wrote:
> On Thu, 18 Mar 2021 00:06, David Mehler said:
>
>> My existing GPG certificate is going to expire in less than a month.
>> I'd like to know current best practices for obtaining a new one? In
>
> Do you really want a new one?  Usually it is easier to prolong your key.
> By default a new key has an expiration date so that unused keys and those
> with forgotten passphrase will eventually expire.  In general you just run
>
>   gpg --quick-set-expire FINGERPRINT EXPIREDATE
>
> Expire date may be something like 5y for 5 years or an explicit date like
> 2024-12-31.
>
> Here is an example
>
>   $ gpg -K A94A6DF8CDF934DB2BF98A46254A558A7E6D52D8
>
>   sec   ed25519 2021-03-15 [SC] [expires: 2023-03-15]
> A94A6DF8CDF934DB2BF98A46254A558A7E6D52D8
>   uid   [ unknown] f...@example.de
>   ssb   cv25519 2021-03-15 [E]
> 989ABB95E888956DBD5D7F66C376233B98457556
>
>   $ gpg --quick-set-expire A94A6DF8CDF934DB2BF98A46254A558A7E6D52D8 4y
>
>
>   $ gpg -K A94A6DF8CDF934DB2BF98A46254A558A7E6D52D8
>
>   sec   ed25519 2021-03-15 [SC] [expires: 2025-03-17]
> A94A6DF8CDF934DB2BF98A46254A558A7E6D52D8
>   uid   [ unknown] f...@example.de
>   ssb   cv25519 2021-03-15 [E]
> 989ABB95E888956DBD5D7F66C376233B98457556
>
>
> Send the public key then to your peers, keyserver, web key directory, or
> wherever.
>
>
> Shalom-Salam,
>
>Werner
>
>
> --
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
>

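Werner's reply above shows how to prolong a key with `gpg --quick-set-expire` instead of replacing it. The check a practitioner wants alongside that is one that reports which keys are about to expire before signing starts failing. The following is an added example, not code from the thread or from GnuPG: it parses the machine-readable listing produced by `gpg -K --with-colons` (field layout as documented in GnuPG's `doc/DETAILS`: field 5 key ID, field 6 creation time, field 7 expiration time, field 10 user ID or fingerprint) and classifies each primary key as expired, expiring, ok, or without expiration. The sample listing is constructed to mirror Werner's example key and is not real key material.

```python
"""Flag OpenPGP primary keys that are expired or about to expire.

Input is the colon-separated listing produced by `gpg -K --with-colons`
(or `gpg -k --with-colons` for public keys). Field positions follow
GnuPG's doc/DETAILS: field 5 key ID, field 6 creation time, field 7
expiration time (seconds since the epoch, empty if the key never
expires), field 10 user ID on `uid` records and fingerprint on `fpr`
records.
"""

# Constructed sample listing (not real keys): the first key mirrors the key
# from Werner's example, the second has already expired, the third never
# expires.
CONSTRUCTED_LISTING = """\
sec:u:256:22:254A558A7E6D52D8:1615766400:1678838400::u:::scESC:::+:::ed25519:::0:
fpr:::::::::A94A6DF8CDF934DB2BF98A46254A558A7E6D52D8:
uid:u::::1615766400::0123456789ABCDEF0123456789ABCDEF01234567::f...@example.de::::::::::0:
ssb:u:256:18:C376233B98457556:1615766400::::::e:::+:::cv25519::
fpr:::::::::989ABB95E888956DBD5D7F66C376233B98457556:
sec:u:3072:1:0000000000000001:1500000000:1577836800::u:::scESC:::+:::::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1500000000::1111111111111111111111111111111111111111::expired@example.invalid::::::::::0:
sec:u:3072:1:0000000000000002:1500000000:::u:::scESC:::+:::::0:
fpr:::::::::0000000000000000000000000000000000000002:
uid:u::::1500000000::2222222222222222222222222222222222222222::forever@example.invalid::::::::::0:
"""

DAY = 86400


def parse_colon_listing(text):
    """Return one dict per primary key: keyid, fingerprint, created, expires, uids."""
    keys = []
    current = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sec"):
            current = {
                "keyid": f[4],
                "created": int(f[5]) if f[5] else None,
                "expires": int(f[6]) if f[6] else None,
                "fingerprint": None,
                "uids": [],
            }
            keys.append(current)
        elif f[0] == "fpr" and current is not None and current["fingerprint"] is None:
            # The first fpr record after pub/sec belongs to the primary key;
            # later ones belong to subkeys and are ignored here.
            current["fingerprint"] = f[9]
        elif f[0] == "uid" and current is not None:
            current["uids"].append(f[9])
    return keys


def classify(key, now_ts, warn_days):
    """Classify one primary key relative to `now_ts` (seconds since the epoch)."""
    if key["expires"] is None:
        return "no-expiry"
    if key["expires"] <= now_ts:
        return "expired"
    if key["expires"] - now_ts <= warn_days * DAY:
        return "expiring"
    return "ok"


def expiry_report(text, now_ts, warn_days=30):
    """Map each primary key fingerprint to its expiry status."""
    return {k["fingerprint"]: classify(k, now_ts, warn_days)
            for k in parse_colon_listing(text)}


def remediation(fingerprint, period="2y"):
    """Command line that prolongs the key, as Werner describes in the thread."""
    return ["gpg", "--quick-set-expire", fingerprint, period]


if __name__ == "__main__":
    import sys
    import time

    # Usage: gpg -K --with-colons | python3 check_expiry.py
    listing = CONSTRUCTED_LISTING if sys.stdin.isatty() else sys.stdin.read()
    now = int(time.time())
    for key in parse_colon_listing(listing):
        status = classify(key, now, warn_days=30)
        print(f"{key['fingerprint']}  {status:10}  {', '.join(key['uids'])}")
        if status in ("expired", "expiring"):
            print("    fix:", " ".join(remediation(key["fingerprint"])))
```

Only primary keys are classified; subkey expiry is a separate check and, as Werner's listing shows, a subkey often carries no expiration of its own. Run with a real listing piped in, or with no input to see the constructed sample.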

Best practices for obtaining a new GPG certificate

2021-03-17 Thread David Mehler via Gnupg-users
Hello,

My existing GPG certificate is going to expire in less than a month.
I'd like to know current best practices for obtaining a new one? In
particular I'm looking for the best protocol and strength for a
security not a performance stance. The certificate will mainly be used
for verifying and signing sent messages, and tagging git commits on
personal servers. Devices used will be Windows 10 pcs and tablets and
Android (version 10 and 11) phones and tablets.
Suggestions welcome.
Thanks.
Dave.



Re: Plan B - Who carries the torch?

2021-01-05 Thread Jean-David Beyer via Gnupg-users

On 1/5/21 8:24 AM, Konstantin Ryabitsev wrote:

> On Tue, Jan 05, 2021 at 07:27:14AM -0500, Jean-David Beyer via Gnupg-users
> wrote:
>
>> Building a web of trust is so hopeless, from my point of view, that I have
>> abandoned gnupg. I have made keys for myself, obtained enigmail for my
>> Firefox browser, etc. But those with whom I correspond by e-mail has
>> diminished to almost the vanishing point. They use text messages on their
>> cell phones, Facebook messages, etc. While a few worry about the "CIA"
>> snooping on them, none will consider gnupg and enigmail. So for me, it is
>> pointless.
>>
>> --
>>    .~.  Jean-David Beyer
>>    /V\  Shrewsbury, New Jersey
>>   /( )\ Red Hat Enterprise Linux
>>   ^^-^^ up 4 days, 13 hours, 37 minutes
>
> I noticed your signature, so I must point out that RHEL and the Linux Kernel
> development process rely heavily on GnuPG and the web of trust. Every time you
> update packages on your system, large parts of the supply chain were verified
> using GnuPG, relying on the integrity of the trust store shipped with RHEL.
>
> So, you may not see it in your person-to-person communication, but you use
> GnuPG every day.
>
> -K


I sit corrected:

$ rpm -qf /usr/bin/gpg
gnupg2-2.2.9-1.el8.x86_64

I posted, not so much to criticize GnuPG as to criticize my associates 
who talk security paranoia, but refuse to do anything about it. When all 
is said and done, more is said than done. At least, with my associates.


--
  .~.  Jean-David Beyer
  /V\  Shrewsbury, New Jersey
 /( )\ Red Hat Enterprise Linux
 ^^-^^ up 4 days, 15 hours, 2 minutes




Re: Plan B - Who carries the torch?

2021-01-05 Thread Jean-David Beyer via Gnupg-users

On 1/4/21 9:31 PM, Ángel wrote:

> Finally, every user will need to discard their now-useless keys,
> generate new ones and rebuild the chain of trust from the ground up.

Building a web of trust is so hopeless, from my point of view, that I 
have abandoned gnupg. I have made keys for myself, obtained enigmail 
for my Firefox browser, etc. But those with whom I correspond by e-mail 
has diminished to almost the vanishing point. They use text messages on 
their cell phones, Facebook messages, etc. While a few worry about the 
"CIA" snooping on them, none will consider gnupg and enigmail. So for 
me, it is pointless.


--
  .~.  Jean-David Beyer
  /V\  Shrewsbury, New Jersey
 /( )\ Red Hat Enterprise Linux
 ^^-^^ up 4 days, 13 hours, 37 minutes




Re: Certified OpenPGP-encryption after release of Thunderbird 78

2020-05-31 Thread David Flory

On 5/30/2020 10:17 AM, Patrick Brunschwig wrote:

[snip]

> I'm sorry, but that is simply not true. There is a known bug in the
> library used by Thunderbird (RNP) that leads to crashes when importing
> _certain_ keys. But I succeeded in importing all of my keys without any
> problems (more than 1.000), except for 5 V3-keys. I can definitely say
> that it's not just broken, and it can import keys.

[snip]

How does one identify a v3 key?

David



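David asks how to identify a v3 key. `gpg --list-packets` prints the version of each key packet in its ":public key packet:" lines, which answers the question for a single file. As an added example (not from the thread or from GnuPG), the parser below does the same check directly on a binary, dearmored key block: it walks the packet framing of RFC 4880 section 4.2 (old- and new-format headers) and reads the version octet that starts every key packet body. The two sample key blocks are constructed with toy MPIs and are not usable keys.

```python
"""Report the version of every key packet in a binary OpenPGP key block.

Packet framing follows RFC 4880 section 4.2 (old- and new-format headers);
the version is the first octet of a key packet body (section 5.5.2).
Dearmor first (for example with `gpg --dearmor`), since ASCII armor is not
handled here.
"""
import struct

TAG_NAMES = {
    2: "signature",
    5: "secret key",
    6: "public key",
    7: "secret subkey",
    13: "user ID",
    14: "public subkey",
    17: "user attribute",
}
KEY_TAGS = {5, 6, 7, 14}


def parse_packets(data):
    """Yield (tag, body) for every packet in `data`.

    Partial-body and indeterminate lengths are rejected: exported key blocks
    use definite lengths, and refusing them keeps the parser from misreading
    untrusted framing as key material.
    """
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header byte 0x{ctb:02x} at offset {pos}")
        if ctb & 0x40:                        # new-format header
            tag = ctb & 0x3F
            first = data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length = ((first - 192) << 8) + data[pos + 2] + 192
                hdr = 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                 # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 0:
                length, hdr = data[pos + 1], 2
            elif ltype == 1:
                length, hdr = struct.unpack(">H", data[pos + 1:pos + 3])[0], 3
            elif ltype == 2:
                length, hdr = struct.unpack(">I", data[pos + 1:pos + 5])[0], 5
            else:
                raise ValueError("indeterminate packet length is not supported")
        body = data[pos + hdr:pos + hdr + length]
        if len(body) != length:
            raise ValueError(f"truncated packet at offset {pos}")
        yield tag, body
        pos += hdr + length


def key_versions(data):
    """Return [(packet name, version), ...] for each key packet, in order."""
    return [(TAG_NAMES[tag], body[0]) for tag, body in parse_packets(data)
            if tag in KEY_TAGS]


def has_v3_key(data):
    """True if any primary key or subkey packet is version 3."""
    return any(version == 3 for _, version in key_versions(data))


# --- constructed sample key blocks (toy MPIs, not usable keys) ---------------
def _mpi(value):
    nbytes = (value.bit_length() + 7) // 8
    return struct.pack(">H", value.bit_length()) + value.to_bytes(nbytes, "big")


_RSA_MPIS = _mpi(0xC001) + _mpi(17)           # n and e, far too small to be real
_UID = b"Constructed Example <nobody@example.invalid>"

# v3 public key body: version, creation time, validity in days, algorithm,
# MPIs; framed with an old-format header (tag 6, one-octet length).
_V3_BODY = (bytes([3]) + struct.pack(">I", 946684800)
            + struct.pack(">H", 0) + bytes([1]) + _RSA_MPIS)
CONSTRUCTED_V3_KEY = (bytes([0x80 | (6 << 2), len(_V3_BODY)]) + _V3_BODY
                      + bytes([0xC0 | 13, len(_UID)]) + _UID)

# v4 public key body: version, creation time, algorithm, MPIs; new-format header.
_V4_BODY = bytes([4]) + struct.pack(">I", 1600000000) + bytes([1]) + _RSA_MPIS
CONSTRUCTED_V4_KEY = (bytes([0xC0 | 6, len(_V4_BODY)]) + _V4_BODY
                      + bytes([0xC0 | 13, len(_UID)]) + _UID)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else CONSTRUCTED_V3_KEY
    for name, version in key_versions(blob):
        print(f"{name}: version {version}")
    print("contains v3 key:", has_v3_key(blob))
```

Pass a dearmored key file as the first argument to inspect a real key block; with no argument the constructed v3 sample is used.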

Re: GnuPG website docs

2020-01-15 Thread David Eisner via Gnupg-users
On Mon, Jan 13, 2020 at 3:55 AM Werner Koch  wrote:

>
> I added some notices but I am not sure what to suggest as replacement.
>

Vielen Dank. My guess is that the HOWTOs won't be updated anytime soon, so
this might be the best you can do for the time being.

 -David

GnuPG website docs

2020-01-10 Thread David Eisner via Gnupg-users
The Documentation pages on gnupg.org should be updated to let users
(especially new users) know which information there is out of date.

Users are encouraged to use GnuPG version 2. Put yourself in the position
of a new user. You visit the Documentation menu on the home page (already a
bit overwhelming -- HOWTOs, Manuals, Guides, ...) and go to HOWTOs. It says
up front, "You may get the best overview about the GnuPG system by reading
the mini HOWTO ..." great. Except that the Mini Howto (in English, at
least) is from 2004, two years before the release of GnuPG 2.0.0. This will
often be the first doc new users will read, and it will be misleading.

1. I think there should be a notice near the top of
https://gnupg.org/documentation/howtos.html that says something like this:
"The mini HOWTO is out-of date and documents an older version of GnuPG. For
more up-to-date documentation, please see ..."

2. "HOWTOs" should be moved to a lower spot in the Documentation menu on
the website.

-David

Re: are angle brackets around email address allowed for auto-key-locate?

2019-10-21 Thread David Hebbeker
On Wed, 2019-10-16 at 20:26 +0200, David Hebbeker wrote:
> On Wed, 2019-10-16 at 14:19 +0200, Werner Koch wrote:
> > On Tue, 15 Oct 2019 22:23, David Hebbeker said:
> > > The manual [1] says that GnuPG can automatically retrieve keys
> > > for emails in the "u...@example.com" form. Does this exclude
> > > emails wrapped by angle brackets like "<u...@example.com>"?
> > 
> > That is fine.
> 
> I have experienced a behavior I could only explain with auto-key-
> locate being restricted to the pure form.

I still have the problem described in my previous e-mail. Can it be
that this is faulty behavior of the GnuPG?

I would create a bug report at [1] so it does not get lost. Does
something speak against it?

David

[1]: https://dev.gnupg.org/



Re: are angle brackets around email address allowed for auto-key-locate?

2019-10-16 Thread David Hebbeker
On Wed, 2019-10-16 at 14:19 +0200, Werner Koch wrote:
> On Tue, 15 Oct 2019 22:23, David Hebbeker said:
> > The manual [1] says that GnuPG can automatically retrieve keys for
> > emails in the "u...@example.com" form. Does this exclude emails
> > wrapped by angle brackets like "<u...@example.com>"?
> 
> That is fine.

Hi Werner and everyone,

thank you for your response, I was hoping that this would be possible. 

On the other hand, I have experienced a behavior I could only explain
with auto-key-locate being restricted to the pure form. Maybe you can
enlighten me on this case.

I demonstrate this behavior on a system which uses the attached
configuration file gpg.conf. I tested this with GnuPG 2.1.18 and
2.2.12. 

Preparation
===========
rm msg.*
echo "hello world" > msg.txt
gpg --batch --yes --delete-keys edward...@fsf.org

Bad Case (does not work)
========================
gpg --always-trust -e -r "<edward...@fsf.org>" msg.txt

gpg: <edward...@fsf.org>: skipped: No public key
gpg: msg.txt: encryption failed: No public key

Good Case (works)
=================
gpg --always-trust -e -r "edward...@fsf.org" msg.txt

gpg: key 9FF2194CC09A61E8: 7454 signatures not checked due to
missing keys
gpg: key 9FF2194CC09A61E8: public key "Edward, the GPG Bot " imported
gpg: no need for a trustdb check with 'always' trust model
gpg: Total number processed: 1
gpg:   imported: 1
gpg: automatically retrieved 'edward...@fsf.org' via keyserver


Note: The only difference is the missing angle brackets.

Can you please explain the difference? That would be of great help!

Thanks
David

Attached gpg.conf:

keyserver hkp://keyserver.ubuntu.com:80
# Used for encryption
auto-key-locate keyserver
# Used for verifying signatures
auto-key-retrieve




Re: We have GOT TO make things simpler

2019-10-07 Thread Jean-David Beyer via Gnupg-users
On 10/7/19 9:32 AM, Phillip Susi wrote:
> Bingo!  And as long as the user is not interested in it, and won't learn
> how to properly use it, all they will get is the veneer of privacy and
> learn the hard way that they really aren't secure.  You just can't make
> security idiot proof.

I had a realistic uncle who used to say, "You can always design a system
to be fool-proof; but if you do, a damned fool will come along."


-- 
  .~.  Jean-David Beyer
  /V\  PGP-Key:166D840A 0C610C8B
 /( )\ Shrewsbury, New Jersey
 ^^-^^ 15:45:01 up 13 days, 21:19, 2 users, load average: 4.39, 4.72, 4.87



Re: "There's always light..........."

2019-08-16 Thread David
On 16/08/2019 11:53, Wiktor Kwapisiewicz via Gnupg-users wrote:
> On 16.08.2019 11:38, john doe wrote:
>> A better comment would be the URL where to download your public key.
> 
> Even better would be using "--sig-keyserver-url" to embed the URL in an
> appropriate packet.
> 
> Details here:
> https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html
> 
> Note that unless "honor-keyserver-url" is set in the config explicitly
> this is not used by default by GnuPG (see comments about
> "auto-key-retrieve" here:
> https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html
> ).
> 
> And, if the key is available via WKD using "--sender $EMAIL" as GnuPG
> can fetch the missing key over WKD (using only --auto-key-retrieve).
> 
> Kind regards,
> Wiktor
> 
> 
> 

Thank you Wiktor,

There are no examples of how to use the --comment command - I've tried
various options - all confuse gpg/gpg2 :)

All I want to do is add a comment in site-admin "The captain's (B)log"
open and closed brackets (B)Log confuse gpg/2 even more.

Being a bit "eccentric" da...@gbenet.com "One Flew Over the Cuckoo's
Nest" would be good :)

Would the --comment command add it to the private and public key??

There's very little info on the usage of the command or what it actually
does.

Regards

David


-- 
People Should Not Be Afraid Of Their Government - Their Government
Should Be Afraid Of The People - When Injustice Becomes Law, REBELLION
Becomes A DUTY! Join the Rebellion Today! The "Captain's B(L)og"
https://gbenet.com




"There's always light..........."

2019-08-16 Thread David
Hi All,

Many moons ago I added the line "there's always light at the end of the
tunnel" in my postmaster key pair.

But when creating my new keys - I'd completely forgotten how to do this.
I read the GPG Manual and could find no reference to this.

Am wondering now that I've created the keys - can I add a comment? If so
what is the command??

Cheers

David

-- 
People Should Not Be Afraid Of Their Government - Their Government
Should Be Afraid Of The People - When Injustice Becomes Law, REBELLION
Becomes A DUTY! Join the Rebellion Today! The "Captain's B(L)og"
https://gbenet.com





Re: looking for assistance tracking down why i don't have the ability to run gpg from the command line

2019-08-14 Thread David
On 14/08/2019 16:30, charlie derr wrote:
> I'm running debian 10 buster (upgraded recently from stretch if that
> matters) and i use KDE. I haven't yet tried to logout of my desktop
> environment completely (and just use a native console), but I thought
> I would see if any of you had any ideas. Here's the problem:
> 
> ni@quark:~/.ssh$ gpg --list-keys
> gpg: checking the trustdb
> gpg: waiting for lock (held by 22009) ...
> gpg: waiting for lock (held by 22009) ...
> gpg: waiting for lock (held by 22009) ...
> ^C
> gpg: signal Interrupt caught ... exiting
> 
> ni@quark:~/.ssh$ ps aux | grep 22009
> ni7740  0.0  0.0   6076   892 pts/6S+   11:21   0:00 grep
> 22009
> ni   22009  2.0  0.2  89404 78536 ?RL   02:51  10:30 gpg
> --batch --no-sk-comments --status-fd 104 --no-tty --charset utf8
> --enable-progress-filter --exit-on-status-write-error --display :0
> --logger-fd 108 --with-colons --list-keys --
> 4E2247974AA5A23A5C92BB4DBB8B3D7331A9367F
> ni@quark:~/.ssh$ kill 22009
> ni@quark:~/.ssh$ gpg --list-keys
> gpg: checking the trustdb
> gpg: waiting for lock (held by 28999) ...
> gpg: waiting for lock (held by 28999) ...
> gpg: waiting for lock (held by 28999) ...
> 
> as you can see, killing the offending process doesn't work (as it
> respawns immediately)
> 
> The reason this is important to me right now is because I have a new
> laptop and I'm trying to transfer my keys to it. I have an email from
> this list sent by Robert J. Hansen on 9/14/2016 that has excellent
> instructions (which I've used in the past for this purpose) but the
> 1st command in those instructions:
> 
> gpg --armor --export
> 
> dumps a lot of output to the command line but never "finishes" (and my
> guess is that it's the same lock that's preventing that command from
> completing).
> 
>   thanks so very much in advance for your time,
>  ~c
> 
> 

Hello Charlie,

On Debian 10 buster - which I have now - you have "root". I simply log
into root, open the home folder, go to the user name folder, list hidden files
- then select the .gpg folder and copy that to a USB. You can do a
weekly backup to USB.

Then you can add it to whatever you want - but be in root to change the
ownership to whatever the users called.

When I do a --list-users it lists all my 186 keys :)

David


-- 
People Should Not Be Afraid Of Their Government - Their Government
Should Be Afraid Of The People - When Injustice Becomes Law, REBELLION
Becomes A DUTY! Join the Rebellion Today! The "Captain's B(L)og"
https://gbenet.com





Re: Difficulty of fixing reconciliation

2019-08-14 Thread David
On 13/08/2019 15:54, Robert J. Hansen wrote:
>> Good write-up. Now I have a question, in hope that SKS operators are
>> reading this too. I have learned from Robert's gist that the max. is
>> 150.000 sigs per key the servers can handle, if I am not mistaken.
> 
> I didn't say this.
> 
> I said they handle up to about that, *because we've seen keys with that
> many*.  So clearly, obviously, they handle that many.
> 
> A great many people have assumed I intended to say "and it won't handle
> more than 150,000".  Which I didn't say and don't intend.  It very well
> could handle more.
> 
Robert,

Can you give me a valid reason why anyone would want their key signed by
150,000 people or more?? How can you meet 150,000 people? You're going to
spend your entire waking hours getting your key signed by as many people
as possible before you die?

The mind boggles!

David


-- 
People Should Not Be Afraid Of Their Government - Their Government
Should Be Afraid Of The People - When Injustice Becomes Law, REBELLION
Becomes A DUTY! Join the Rebellion Today! The "Captain's B(L)og"
https://gbenet.com





Re: PGP Key Poisoner

2019-08-13 Thread David
On 12/08/2019 15:47, Ralph Seichter wrote:
> * da...@gbenet.com:
> 
>> putting this code on Github whist demonstrating a point - was foolish
> 
> No, it was not. Foolish would be to pretend the conceptual flaw does not
> exist, cover your ears with your hands and go "la la la".
> 
>> To say that this was in practice and common knowledge for years - it's
>> new to me and many thousands of pgp users.
> 
> Are you suggesting that people "in the know" should let people with a
> potentially harmful lack of knowledge stay blissfully unaware? What good
> would that do?
> 
>> People Should Not Be Afraid Of Their Government - Their Government
>> Should Be Afraid Of The People - When Injustice Becomes Law, REBELLION
>> Becomes A DUTY! Join the Rebellion Today! The "Captain's B(L)og"
> 
> I think that, in light of your message, is quite a ridiculous signature.
> https://gbenet.com advertises itself as a "Capitalist Free Website For
> Free Thinkers!" stating "I have no ''beliefs'' no secret agenda's [sic] -
> other than to bring you knowledge which you may not be aware of". Well,
> some knowledge was brought to you via GitHub, so enjoy. :-)
> 
> -Ralph
> 
Thank you Ralf,

David


-- 
People Should Not Be Afraid Of Their Government - Their Government
Should Be Afraid Of The People - When Injustice Becomes Law, REBELLION
Becomes A DUTY! Join the Rebellion Today! The "Captain's B(L)og"
https://gbenet.com





Re: PGP Key Poisoner

2019-08-12 Thread David
On 12/08/2019 12:25, Juergen Bruckner via Gnupg-users wrote:
> That's pretty interesting, but the author also says he did this as a showcase.
> Nonetheless, it's not really good to have such a tool "in the wild", and
> even on a platform like GitHub
> 
> regards
> Juergen
> 
> Am 11.08.19 um 23:47 schrieb Anonymous Remailer (austria):
>>
>> https://github.com/skeeto/pgp-poisoner
>>
> 
> 
> 
To be frank - putting this code on Github whilst demonstrating a point -
was foolish - it puts the code out into the wild - and some silly smart
arse is going to play.

It also begs the question - who did the attacks on SKS keyservers? "I
have a katana and I just wanted to demonstrate cutting people's heads off
because I can." But am not going to accept the responsibility and be
accountable for my actions. Such a position is untenable in Law and in
ethics.

There are hundreds of thousands of people globally who are employed paid
by their respective intelligence agencies to write malicious code. They
hide behind the fact that they are paid - it's just a day-time 9 to 5
job - and have no sense of responsibility or accountability working in
contravention of their own countries laws.

Now you have put the code into the public domain - to prove a point? The
justification and points hardly support an ethical just standpoint. To
say that this was in practice and common knowledge for years - it's new
to me and many thousands of pgp users. Many thousands of people got
infected - and had no thought to back up their key rings and have to
start all over again.

Just because one can develop a nuclear bomb - it proves real stupidity
to drop it on an unsuspecting public.

Be Happy!

David

-- 
People Should Not Be Afraid Of Their Government - Their Government
Should Be Afraid Of The People - When Injustice Becomes Law, REBELLION
Becomes A DUTY! Join the Rebellion Today! The "Captain's B(L)og"
https://gbenet.com





Re: allow-non-selfsigned-uid issue with key from keys.openpgp.org that contains no identity information

2019-08-01 Thread David
Playfair via Gnupg-users:
> On 8/1/19 7:37 AM, Werner Koch via Gnupg-users wrote:
>> On Mon, 29 Jul 2019 09:43, gnupg-users@gnupg.org said:
>>> it that way", i think.  Perhaps Werner can provide more background on
>>> why GnuPG is generally resistant to holding OpenPGP certificates that
>>> have no User ID at all in its local keyring.
>>
>> The user ID is important because the accompanying self-signature conveys
>> important information about the keyblock.  For example expiration date
>> and preferences.  It is true that this can also be conveyed with
>> direct-key-signatures (a self-signature directly on a key which was
>> mainly introduced for dedicated revocations).  However, this is a not so
>> well tested feature of gpg and my educated guess is that many other
>> OpenPGP implementations do not handle direct-key signatures in a way
>> compatible to pgp or gpg - if at all.  Thus by relying on them we would
>> sail into uncharted waters.
>>
>>> Doing such a merge would be super helpful, particularly for receiving
>>> things like subkey updates and revocation information from
>>
>> I agree that we can add a code path to import a primary key plus
>> revocation certificate but without user-ids.  PGP however, does not
>> support this and is the reason why we extended the revocation
>> certificate with a minimal primary key.
>>
>> Update of subkeys is a different issue and I see no solid use case for
>> allowing that without user-id (cf. expiration date of the primary key).
> 
> Couldn't this issue be dealt with by the key server instead of by
> OpenPGP implementations?  GnuPG can create and import keys having
> non-email-address user IDs.  A string of more than 4 characters is
> acceptable.  Anything remotely resembling an email address, e.g.
> x...@y.xyz, is okay.
> 
> If keys.openpgp.org won't publish a user ID other than a verified email
> address, is its only recourse to remove the user ID?  Could it instead
> substitute the hex key ID, fingerprint or a dummy string like "User ID
> not verified"?  If it can't, is there any benefit in publishing a
> mutilated key people can't use?  Just reject it.
> 
> Chuck
> 
> 
> 
> 

Why upload a key to a keyserver with no email address? What's the point
of doing that? You can't send an encrypted email to it - unless you're
given the email first - will it work to encrypt to a public key with no
email?

I have 180 public keys - some are very weird (I should delete them), some
keys are for signing, some sub keys are for encrypting and some sub keys for
decryption - why not make a key that does it all with a load of sub keys?

Keyservers should have strict rules on public keys - all must have a valid
email, a validation email is sent back, then confirmed, and that public key
is then available. No identity available - simple - reject the key.

Users of gpg that want to create weird and wonderful keys need to keep
them on their own laptop or desktop - keyservers should be able to purge
off these keys then keyservers would be back to what was intended.

David

-- 
People Should Not Be Afraid Of Their Government - Their Government
Should Be Afraid Of The People - When Injustice Becomes Law, REBELLION
Becomes A DUTY! Join the Rebellion Today! The "Captain's B(L)og"
https://gbenet.com



skipped packet 12

2019-08-01 Thread David
Hello,

Do you have any ideas why I am getting multiple lines of:
gpg: skipped packet of type 12 in keybox

Thanks

David


-- 
People Should Not Be Afraid Of Their Government - Their Government
Should Be Afraid Of The People - When Injustice Becomes Law, REBELLION
Becomes A DUTY! Join the Rebellion Today! The "Captain's B(L)og"
https://gbenet.com

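Packet tag 12 in the OpenPGP packet format is the Trust packet (RFC 4880, section 5.10): keyring-local trust data that should not be emitted to exported keys and should be ignored on any input other than a local keyring. As an added example, not code from this thread or from GnuPG, the following Python walks an OpenPGP packet stream built from constructed dummy packet bodies (not a real key), names each packet, checks whether any User ID packet (tag 13) is present at all, which is the identity information the keys.openpgp.org thread above is about, and re-serialises the block without Trust packets. It does not diagnose why gpg printed the message; it shows what the reported packet type is.

```python
"""Walk an OpenPGP packet stream and report packet tags (RFC 4880, section 4).
Added example with constructed dummy packets; not GnuPG code and not a real key."""
from __future__ import annotations
from collections import namedtuple

# Packet tags (RFC 4880 section 4.3) seen in a public key block; 12 is the
# Trust packet: keyring-local data that is not meant for export (section 5.10).
TAG_NAMES = {2: "Signature", 6: "Public-Key", 12: "Trust", 13: "User ID",
             14: "Public-Subkey", 17: "User Attribute"}
Packet = namedtuple("Packet", "tag body")

def parse_packets(stream: bytes) -> list[Packet]:
    """Split a byte string into packets, handling old- and new-format headers."""
    packets, i = [], 0
    while i < len(stream):
        ctb = stream[i]
        i += 1
        if not ctb & 0x80:
            raise ValueError(f"offset {i - 1}: not a packet header")
        if ctb & 0x40:  # new format: tag in low 6 bits, then 1/2/5-octet length
            tag = ctb & 0x3F
            first = stream[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + stream[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(stream[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths are not handled here")
        else:  # old format: tag in bits 5-2, length-octet count in bits 1-0
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled here")
            size = 1 << ltype  # 1, 2 or 4 length octets
            length = int.from_bytes(stream[i:i + size], "big")
            i += size
        body = stream[i:i + length]
        if len(body) != length:
            raise ValueError(f"truncated body for packet tag {tag}")
        i += length
        packets.append(Packet(tag, body))
    return packets

def _new_length(n: int) -> bytes:
    """New-format length encoding: one, two or five octets."""
    if n < 192:
        return bytes([n])
    if n < 8384:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + n.to_bytes(4, "big")

def serialize(packets: list[Packet]) -> bytes:
    """Re-emit packets with new-format headers."""
    out = bytearray()
    for p in packets:
        out.append(0xC0 | p.tag)
        out += _new_length(len(p.body)) + p.body
    return bytes(out)

def summarize(stream: bytes) -> dict:
    """Report tags, names, whether any User ID is present, and Trust count."""
    pkts = parse_packets(stream)
    return {
        "tags": [p.tag for p in pkts],
        "names": [TAG_NAMES.get(p.tag, f"unknown({p.tag})") for p in pkts],
        "has_user_id": any(p.tag == 13 for p in pkts),
        "user_ids": [p.body.decode("utf-8", "replace") for p in pkts if p.tag == 13],
        "trust_packets": sum(p.tag == 12 for p in pkts),
    }

def strip_trust_packets(stream: bytes) -> bytes:
    """Drop tag-12 packets before a key block leaves the local keyring."""
    return serialize([p for p in parse_packets(stream) if p.tag != 12])

def _old_packet(tag: int, body: bytes) -> bytes:
    """Old-format packet with a one-octet length (body shorter than 256 bytes)."""
    return bytes([0x80 | (tag << 2), len(body)]) + body

# Constructed sample: dummy bodies stand in for real key material.
SAMPLE_KEYBLOCK = (
    _old_packet(6, b"\x04" + bytes(8))                    # Public-Key
    + _old_packet(13, b"Example User <user@example.org>")  # User ID
    + _old_packet(2, b"\x04\x13")                         # Signature
    + _old_packet(12, b"\x00\x00")                        # Trust (local only)
    + _old_packet(14, b"\x04" + bytes(8))                 # Public-Subkey
    + _old_packet(12, b"\x00\x00")                        # Trust (local only)
)

if __name__ == "__main__":
    print(summarize(SAMPLE_KEYBLOCK))
    print(summarize(strip_trust_packets(SAMPLE_KEYBLOCK))["names"])
```

`gpg --list-packets` gives the same kind of listing for a real exported key with full field decoding; this example reads only headers and bodies, so it validates neither signatures nor key material, and a block whose `has_user_id` is false is exactly the kind of certificate the thread above says gpg will not hold without `allow-non-selfsigned-uid`.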


Re: Enigmail

2019-08-01 Thread David
Andrew Gallagher:
> On 31/07/2019 13:36, David wrote:
>> Enigmail always defaults to the first set of keys one created
> 
> Enigmail will default to the first set of keys in your keyring that
> matches the selection criteria. Do you have more than one ID on each
> key? Do you have more than one key for each ID? This could be causing
> some confusion.
> 
> 
> 

Andrew,

I have one key pair associated with one email address

Those keys do not have other ids attached to them.

Each key pair is only for a single (not multiple) email account.

Regards
David


-- 
People Should Not Be Afraid Of Their Government - Their Government
Should Be Afraid Of The People - When Injustice Becomes Law, REBELLION
Becomes A DUTY! Join the Rebellion Today! The "Captain's B(L)og"
https://gbenet.com



Re: Enigmail

2019-07-31 Thread David
Patrick Brunschwig:
> On 31.07.2019 13:46, David wrote:
>> Hello Erich,
>>
>> I did what you said - associated each email address with its own key.
>> I then shut down Thunderbird re-started and carried out the following test:
>>
>> Test One:
>>
>> I sent an encrypted and signed email to site-admin from postmaster. I
>> received the email - it took 6 attempts to decrypt it.
>>
>> I then decided to reply - so I sent an encrypted and signed email to
>> postmaster - I was unable to  sign as site-admin - after 9 attempts of
>> entering the passphrase - each time rejected by Enigmail. I was unable
>> to send a signed and encrypted email to postmaster.
> 
> I'm sorry, but there's a misunderstanding. Enigmail does /not/ query
> your passphrase. Enigmail calls GnuPG, and GnuPG asks for your
> passphrase if needed. If the passphrase is rejected that's not related
> to Enigmail.
> 
> -Patrick
> 

So we go and ask Werner :)

hahahaha!!!

David -

-- 
People Should Not Be Afraid Of Their Government - Their Government
Should Be Afraid Of The People - When Injustice Becomes Law, REBELLION
Becomes A DUTY! Join the Rebellion Today! The "Captain's B(L)og"
https://gbenet.com





Re: Enigmail

2019-07-31 Thread David
Patrick Brunschwig:
> On 31.07.2019 08:56, David wrote:
>> Patrick Brunschwig:
>>> On 31.07.2019 00:36, David wrote:
>>>> Andrew Gallagher:
>>>>>
>>>>>> On 30 Jul 2019, at 18:47, David  wrote:
>>>>>>
>>>>>> Hello Stefan,
>>>>>>
>>>>>> I have three email accounts with their own keys - Enigmail does not
>>>>>> support this - you have to have one key and that's it.
>>>>>
>>>>> That is simply not true. I used enigmail with multiple keys for years 
>>>>> without any issues. If you’re having issues configuring it, perhaps ask 
>>>>> on the enigmail list.
>>>>>
>>>>> A
>>>>>
>>>>
>>>> I have done so - but have got no advice on the correct settings in
>>>> Thunderbird or Enigmail.
>>>
>>> That's not true. I have asked you for more details on the Enigmail
>>> mailing list. But instead of responding, you came here to ask the same
>>> questions.
>>>
>>> As Enigmail uses GnuPG for any crypto-operations, I don't think that the
>>> problem is in Enigmail, but in your setup. Feel free to answer my
>>> questions on the Enigmail mailing list, and I'll continue to try to find
>>> out what goes wrong.
>>>
>>> -Patrick
>>>
>>
>> Hello Patrick,
>>
>> I did not approach this list for answers - I just asked if anyone knew
>> of an alternative. I then got drawn in to what was the problem.
>>
>> People say "Oh your settings are wrong" But they FAIL to give the RIGHT
>> SETTINGS!! And then go waffling on
>>
>> I have turned back the clock some 20 years - so have no settings to
>> support further keys.
>>
>> Having said that - I would appreciate exactly what settings will work to
>> enable me to sign with other emails and the public key associated with
>> it and to be able to encrypt and sign with differing emails and keys.
>>
>> I want specific instructions - not moaning and groaning my settings are
>> wrong and I don't know what I'm doing - that approach does not lead to a
>> solution.
> 
> Here are the instructions:
> 
> 1. Open the Thunderbird Account Settings (menu Tools > Account Settings)
> 2. switch to the tab "OpenPGP Security"
> 3. make sure that "Enable OpenPGP support" is checked
> 4. click on the button "Select key"
> 5. select the key that matches the email address of the account
> 
> Repeat Steps 2-5 for each and every of your accounts/email addresses.
> 
> If you follow(ed) these instructions, then everything else /should/ go
> automatically and you /should/ not have any issues. If you do have
> issues, then there are no simple instructions - we have to dig to find
> out what's wrong.
> 
> The questions I asked on the Enigmail mailing list are the 1st step into
> trying to find out why things don't work as expected, as I assumed that
> -- as a long-term user -- you already did configure Enigmail correctly.
> 
> -Patrick
> 

Patrick,

When I first created my keys that is exactly what I did. It all failed.

Enigmail always defaults to the first set of keys one created - for
example site-admin wants to send an encrypted and signed mail to skipper -
when you go to select the public key of skipper - postmaster is always
selected.

Also - why is it that enigmail and reuse a passphrase 30- times - then
suddenly remember to use it??

Enigmail does not always read its own settings. Even when you flush
the cache and reboot your laptop or desktop. It always defaults to the
first key you created for signing and encryption when using local keys
ie da...@gbenet.com site-add...@gbenet.com skip...@gbenet.com


be Happy - but there's something amiss somewhere in the code - what that
something is I have no idea.

David

-- 
People Should Not Be Afraid Of Their Government - Their Government
Should Be Afraid Of The People - When Injustice Becomes Law, REBELLION
Becomes A DUTY! Join the Rebellion Today! The "Captain's B(L)og"
https://gbenet.com





Re: Enigmail

2019-07-31 Thread David
David:
> Erich Eckner via Gnupg-users:
>> Hi David,
>>
>> here is, how I had thunderbird + enigmail running for several years with
>> two keys and without problems (I have switched away from thunderbird
>> since one year ago, because it got too heavy and slow for my taste):
>>
>> For each sending address, I have an identity
>> "Edit" -> "Account Settings" -> "Manage Identities ..."
>> and for each I set up the correct pgp key to use
>> "Edit ..." (in the Identities-window) -> "OpenPGP Security" -> "Use
>> email address of this identity to identify OpenPGP key" (where the
>> address matches) and "Use specific OpenPGP key ID" (where the address
>> does not match).
>>
>> Sry, If this does not help and you mentioned it already, but the
>> previous mails contained too much emotion to completely be read by me.
>>
>> Anyways, since you originally asked for an alternative: I am currently
>> using alpine + topal - which gets the multiple-keys part well, too, but
>> has deficits regarding MIME/multipart encryption.
>>
>> regards,
>> Erich Eckner
>> Friedrich-Schiller-Universität Jena
>> Institut für Optik und Quantenelektronik
>> Helmholtzweg 4
>> 07743 Jena
>>
>> Tel. +49 3641 9-47238
>>
>>
>> On Wed, 31 Jul 2019, David wrote:
>>
>>> Robert J. Hansen:
>>>>> That's why I am considering other solutions. I have been with
>>>>> Thunderbird and Enigmail for over 20 years with one key pair -
>>>>
>>>> This is simply not possible, as Enigmail didn't exist until 2001.  (It
>>>> took until about 2003 before it became really usable.)
>>>>
>>>>
>>>>
>>
>>> Ok two years out - thank you for the correction
>>
>>> David
>>
>>
>>> -- 
>>> People Should Not Be Afraid Of Their Government - Their Government
>>> Should Be Afraid Of The People - When Injustice Becomes Law, REBELLION
>>> Becomes A DUTY! Join the Rebellion Today! The "Captain's B(L)og"
>>> https://gbenet.com
>>
>>
>>
>>
> 
> Hello Erich,
> 
> I did what you said - associated each email address with its own key.
> I then shut down Thunderbird re-started and carried out the following test:
> 
> Test One:
> 
> I sent an encrypted and signed email to site-admin from postmaster. I
> received the email - it took 6 attempts to decrypt it.
> 
> I then decided to reply - so I sent an encrypted and signed email to
> postmaster - I was unable to  sign as site-admin - after 9 attempts of
> entering the passphrase - each time rejected by Enigmail. I was unable
> to send a signed and encrypted email to postmaster.
> 
> Test Two:
> 
> I sent an encrypted and signed email to david - when selecting the right
> public key there was always a tick in postmaster which I removed and
> selected the right key to encrypt too. BUT Enigmail REFUSED to accept my
> passphrase after 9 attempts.
> 
> Test Three:
> 
> I decided to send a signed and encrypted email to postmaster from David.
> With the following results: For some strange reason Enigmail encrypted
> to postmaster and signed:
> 
> Decrypted message Good signature from David  Key ID:
> 0x3299975EAD1E968848D19945459E3AE3EA13E1A3 / Signed on: 31/07/19, 12:18
> Key fingerprint: 3299 975E AD1E 9688 48D1 9945 459E 3AE3 EA13 E1A3 Used
> Algorithms: RSA and SHA256 Note: The message is encrypted for the
> following User ID's / Keys: 0xD21B4405FDDA1EF2 (postmaster (There's
> always light at the end of the tunnel) ),
> 0xCF833B99EBD6222A (David  
> I just copied and pasted the passphrase into the check box - I did the
> same with da...@gbenet.com and entered it in by hand 6 times.
> 
> Test Four:
> 
> I decided to send a signed and encrypted email from skipper to David
> with the following results: The message was signed Enigmail accepted the
> passphrase. The message was decrypted - even though Enigmail asked me
> for david's passphrase. When I clicked on show info about the signer no
> results came  back. I do not know if da...@gbenet.com or
> postms...@gbenet.com actually decrypted the email :) Hahhhaha

Re: Enigmail

2019-07-31 Thread David
Erich Eckner via Gnupg-users:
> Hi David,
> 
> here is, how I had thunderbird + enigmail running for several years with
> two keys and without problems (I have switched away from thunderbird
> since one year ago, because it got too heavy and slow for my taste):
> 
> For each sending address, I have an identity
> "Edit" -> "Account Settings" -> "Manage Identities ..."
> and for each I set up the correct pgp key to use
> "Edit ..." (in the Identities-window) -> "OpenPGP Security" -> "Use
> email address of this identity to identify OpenPGP key" (where the
> address matches) and "Use specific OpenPGP key ID" (where the address
> does not match).
> 
> Sry, If this does not help and you mentioned it already, but the
> previous mails contained too much emotion to completely be read by me.
> 
> Anyways, since you originally asked for an alternative: I am currently
> using alpine + topal - which gets the multiple-keys part well, too, but
> has deficits regarding MIME/multipart encryption.
> 
> regards,
> Erich Eckner
> Friedrich-Schiller-Universität Jena
> Institut für Optik und Quantenelektronik
> Helmholtzweg 4
> 07743 Jena
> 
> Tel. +49 3641 9-47238
> 
> 
> On Wed, 31 Jul 2019, David wrote:
> 
>> Robert J. Hansen:
>>>> That's why I am considering other solutions. I have been with
>>>> Thunderbird and Enigmail for over 20 years with one key pair -
>>>
>>> This is simply not possible, as Enigmail didn't exist until 2001.  (It
>>> took until about 2003 before it became really usable.)
>>>
>>>
>>>
> 
>> Ok two years out - thank you for the correction
> 
>> David
> 
> 
>> -- 
>> People Should Not Be Afraid Of Their Government - Their Government
>> Should Be Afraid Of The People - When Injustice Becomes Law, REBELLION
>> Becomes A DUTY! Join the Rebellion Today! The "Captain's B(L)og"
>> https://gbenet.com
> 
> 
> 
> 

Hello Erich,

I did what you said - associated each email address with its own key.
I then shut down Thunderbird re-started and carried out the following test:

Test One:

I sent an encrypted and signed email to site-admin from postmaster. I
received the email - it took 6 attempts to decrypt it.

I then decided to reply - so I sent an encrypted and signed email to
postmaster - I was unable to  sign as site-admin - after 9 attempts of
entering the passphrase - each time rejected by Enigmail. I was unable
to send a signed and encrypted email to postmaster.

Test Two:

I sent an encrypted and signed email to david - when selecting the right
public key there was always a tick in postmaster which I removed and
selected the right key to encrypt too. BUT Enigmail REFUSED to accept my
passphrase after 9 attempts.

Test Three:

I decided to send a signed and encrypted email to postmaster from David.
With the following results: For some strange reason Enigmail encrypted
to postmaster and signed:

Decrypted message Good signature from David  Key ID:
0x3299975EAD1E968848D19945459E3AE3EA13E1A3 / Signed on: 31/07/19, 12:18
Key fingerprint: 3299 975E AD1E 9688 48D1 9945 459E 3AE3 EA13 E1A3 Used
Algorithms: RSA and SHA256 Note: The message is encrypted for the
following User ID's / Keys: 0xD21B4405FDDA1EF2 (postmaster (There's
always light at the end of the tunnel) ),
0xCF833B99EBD6222A (David https://gbenet.com





Re: Enigmail

2019-07-31 Thread David
Robert J. Hansen:
>> That's why I am considering other solutions. I have been with
>> Thunderbird and Enigmail for over 20 years with one key pair -
> 
> This is simply not possible, as Enigmail didn't exist until 2001.  (It
> took until about 2003 before it became really usable.)
> 
> 
> 

Ok two years out - thank you for the correction

David


-- 
People Should Not Be Afraid Of Their Government - Their Government
Should Be Afraid Of The People - When Injustice Becomes Law, REBELLION
Becomes A DUTY! Join the Rebellion Today! The "Captain's B(L)og"
https://gbenet.com





Re: Enigmail

2019-07-31 Thread David
Patrick Brunschwig:
> On 31.07.2019 00:36, David wrote:
>> Andrew Gallagher:
>>>
>>>> On 30 Jul 2019, at 18:47, David  wrote:
>>>>
>>>> Hello Stefan,
>>>>
>>>> I have three email accounts with their own keys - Enigmail does not
>>>> support this - you have to have one key and that's it.
>>>
>>> That is simply not true. I used enigmail with multiple keys for years 
>>> without any issues. If you’re having issues configuring it, perhaps ask on 
>>> the enigmail list.
>>>
>>> A
>>>
>>
>> I have done so - but have got no advice on the correct settings in
>> Thunderbird or Enigmail.
> 
> That's not true. I have asked you for more details on the Enigmail
> mailing list. But instead of responding, you came here to ask the same
> questions.
> 
> As Enigmail uses GnuPG for any crypto-operations, I don't think that the
> problem is in Enigmail, but in your setup. Feel free to answer my
> questions on the Enigmail mailing list, and I'll continue to try to find
> out what goes wrong.
> 
> -Patrick
> 

Hello Patrick,

I did not approach this list for answers - I just asked if anyone knew
of an alternative. I then got drawn in to what was the problem.

People say "Oh your settings are wrong" But they FAIL to give the RIGHT
SETTINGS!! And then go waffling on

I have turned back the clock some 20 years - so have no settings to
support further keys.

Having said that - I would appreciate exactly what settings will work to
enable me to sign with other emails and the public key associated with
it and to be able to encrypt and sign with differing emails and keys.

I want specific instructions - not moaning and groaning my settings are
wrong and I don't know what I'm doing - that approach does not lead to a
solution.

Regards,

David


-- 
People Should Not Be Afraid Of Their Government - Their Government
Should Be Afraid Of The People - When Injustice Becomes Law, REBELLION
Becomes A DUTY! Join the Rebellion Today! The "Captain's B(L)og"
https://gbenet.com





Re: Enigmail

2019-07-30 Thread David
Ralph Seichter:
> * da...@gbenet.com:
> 
>> Enigmail will only work with ONE Key.
>> It does not recognise any other key than the first key that was
>> created.
> 
> I use multiple keys with Enigmail and Thunderbird, and I have done so
> for years.
> 
>> You don't think - perhaps can not think - you're not too smart as to offer
>> any solution.
> 
> Right, try insulting people, that will surely get you far. :-) I owe you
> exactly nothing. If you cannot figure it out yourself, try the Enigmail
> mailing list.
> 
> -Ralph
> 
> 
I have approached the Enigmail list (if you care to read all the emails)
but have had no instructions or help in resolving matters - clearly some
people wish to make conversations rather than offering practical help -
this failure was what prompted me to look into other solutions.

David

-- 
People Should Not Be Afraid Of Their Government - Their Government
Should Be Afraid Of The People - When Injustice Becomes Law, REBELLION
Becomes A DUTY! Join the Rebellion Today! The "Captain's B(L)og"
https://gbenet.com



Re: Enigmail

2019-07-30 Thread David
Andrew Gallagher:
> 
>> On 30 Jul 2019, at 18:47, David  wrote:
>>
>> Hello Stefan,
>>
>> I have three email accounts with their own keys - Enigmail does not
>> support this - you have to have one key and that's it.
> 
> That is simply not true. I used enigmail with multiple keys for years without 
> any issues. If you’re having issues configuring it, perhaps ask on the 
> enigmail list.
> 
> A
> 

I have done so - but have got no advice on the correct settings in
Thunderbird or Enigmail.

That's why I am considering other solutions. I have been with
Thunderbird and Enigmail for over 20 years with one key pair -
postmas...@gbenet.com

Regards,

David


-- 
People Should Not Be Afraid Of Their Government - Their Government
Should Be Afraid Of The People - When Injustice Becomes Law, REBELLION
Becomes A DUTY! Join the Rebellion Today! The "Captain's B(L)og"
https://gbenet.com



Re: Enigmail

2019-07-30 Thread David
Stefan Claas via Gnupg-users:
> David wrote:
> 
> Hi David,
> 
>> I have three email accounts with their own keys - Enigmail does not
>> support this - you have to have one key and that's it.
> 
> Ah, o.k. I never tried it, but it should be possible, with different
> accounts and keys (hopefully).
>  
>> Am downloading and installing claws mail now so hope it will import all
>> my Thunderbird and Enigmail settings :)
> 
> Claws-Mail is a different beast and I think this will not work.
> 
> Regards
> Stefan
> 

Hi Stefan,

It's all installed - with a main mail box. Am going to see if I can
create four email accounts - hopefully not all as sub-accounts of the
first one I created - I notice you can not change the name of this mail
box :) I've yet to figure out how to use my keys. A learning curve is
in order but late at night 11.45pm!!

Regards

David



-- 
People Should Not Be Afraid Of Their Government - Their Government
Should Be Afraid Of The People - When Injustice Becomes Law, REBELLION
Becomes A DUTY! Join the Rebellion Today! The "Captain's B(L)og"
https://gbenet.com



Re: Enigmail

2019-07-30 Thread David
Ralph Seichter:
> * da...@gbenet.com:
> 
>> I have three email accounts with their own keys - Enigmail does not
>> support this - you have to have one key and that's it.
> 
> Nonsense! One can not only configure one PGP key per account (of which
> there can be many), one can even configure one key per identity. Each
> TB account can have multiple identities; one of Thunderbird's killer
> features as far as I am concerned.
> 
> Why you would lambast Enigmail for a non-problem, caused by you not
> configuring things properly, is beyond me.
> 
> -Ralph
> 
> 

Ralf,

I have had one key pair for over 20 years - for postmas...@gbenet.com
I decided to create another key pair last week for my website -
site-ad...@gbenet.com

I set the settings to choose a key by email account select the key
manually. I then sent an encrypted and signed test message from
postmas...@gbenet.com to site-ad...@gbenet.com

The email arrived and I could read it - I had no need to decrypt it
because it was signed and encrypted to postmas...@gbenet.com

I then decided to reply - it selected postmasters key but refused to
sign the email - I entered the passphrase three times  all by hand the
same result.

Puzzled by this - I decided to take the checkbox out of picking the
right key for the email accounts of postmas...@gbenet.com and
site-ad...@gbenet.com

I decided to send just an encrypted email to postmas...@gbenet.com from
site-ad...@gbenet.com "I can't find the key" even though I had selected
the key - h.. I tried then to just send a signed reply
to postma...@gbenet.com not encrypted - the dialogue box popped up to
enter the passphrase for site-ad...@gbenet.com - again it refused to
accept the passphrase for site-ad...@gbenet.com

Oh and I created a new key pair for da...@gbenet.com which are
completely useless. I  tried with all three keys - the only key to work
is my postmas...@gbenet.com which I've used in Thunderbird and Enigmail
for over 20 years.

And after each of these config changes in Enigmail and Thunderbird I
shut down Thunderbird deleted all the caches and rebooted my laptop.

The results were all consistent:
Enigmail will only work with ONE Key.
It does not recognise any other key than the first key that was created.

I'd like to use my da...@gbenet.com key here - some ages ago complained
I was using postmas...@gbenet.com's key to sign emails. I thought it
would be a good idea to have a key for this email account. BUT I can
not use it - I can not sign emails.

You moan - but offer no solutions. I can think of only one possible
solution that will work delete site-admin's key pair - delete david's
key pair and go back to what Thunderbird and Enigmail are happy with one
key pair from postmas...@gbenet.com

To be frank your comments are just like a bad fart - then they go away.
You don't think - perhaps can not think - you're not too smart as to offer
any solution.

Regards

David





-- 
People Should Not Be Afraid Of Their Government - Their Government
Should Be Afraid Of The People - When Injustice Becomes Law, REBELLION
Becomes A DUTY! Join the Rebellion Today! The "Captain's B(L)og"
https://gbenet.com



Re: Enigmail

2019-07-30 Thread David
Stefan Claas via Gnupg-users:
> David wrote:
> 
>> Stefan Claas via Gnupg-users:
>>> David wrote:
>>>
>>>> Hello Everyone,
>>>>
>>>> I am looking for an alternative to Enigmail - which fails to work.
>>>> Any ideas as to a suitable replacement??
>>>
>>> You may check out another MUA, like Claws-Mail, which I used with
>>> GPG plug-ins in the past. It worked fine!
>>>
>>> Regards
>>> Stefan
>>>
>> Hello Stefan - is it an add-on? Works on Linux? And does it support
>> multiple keys which Enigmail does not?
>>
>> I will go check :)
> 
> Claws-Mail is a MUA/NUA like Thunderbird. It includes GPG plug-ins.
> 
> Regarding multiple key, I don't know what you mean, sorry.
> 
> When I send messages (online) in the past with Claws-Mail I only
> send to single individuals.
> 
> If you mean multiple keys for yourself, I never checked this,
> but assume then you may need also individual accounts in
> Claws-Mail for multiple keys.
> 
> Regards
> Stefan
> 

Hello Stefan,

I have three email accounts with their own keys - Enigmail does not
support this - you have to have one key and that's it.

Am downloading and installing claws mail now so hope it will import all
my Thunderbird and Enigmail settings :)

David


-- 
People Should Not Be Afraid Of Their Government - Their Government
Should Be Afraid Of The People - When Injustice Becomes Law, REBELLION
Becomes A DUTY! Join the Rebellion Today! The "Captain's B(L)og"
https://gbenet.com



Re: Enigmail

2019-07-30 Thread David
Stefan Claas via Gnupg-users:
> David wrote:
> 
>> Hello Everyone,
>>
>> I am looking for an alternative to Enigmail - which fails to work.
>> Any ideas as to a suitable replacement??
> 
> You may check out another MUA, like Claws-Mail, which I used with
> GPG plug-ins in the past. It worked fine!
> 
> Regards
> Stefan
> 
Hello Stefan - is it an add-on? Works on Linux? And does it support
multiple keys which Enigmail does not?

I will go check :)

David


-- 
People Should Not Be Afraid Of Their Government - Their Government
Should Be Afraid Of The People - When Injustice Becomes Law, REBELLION
Becomes A DUTY! Join the Rebellion Today! The "Captain's B(L)og"
https://gbenet.com



Enigmail

2019-07-30 Thread David
Hello Everyone,

I am looking for an alternative to Enigmail - which fails to work.
Any ideas as to a suitable replacement??

Regards

David
-- 
People Should Not Be Afraid Of Their Government - Their Government
Should Be Afraid Of The People - When Injustice Becomes Law, REBELLION
Becomes A DUTY! Join the Rebellion Today! The "Captain's B(L)og"
https://gbenet.com



Web Key Directory

2019-07-26 Thread David
Hello All,

If I create a folder on my server "WKSDirectory" then upload my public
keys to it - and then give the:

https://gbenet.com/wksdirectory - will this do for my key retrieval?

They then just pick the public key they want to download?

It's uncomplicated :)

David

-- 
People Should Not Be Afraid Of Their Government - Their Government
Should Be Afraid Of The People - When Injustice Becomes Law, REBELLION
Becomes A DUTY! Join the Rebellion Today! https://gbenet.com

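The question above is about how a Web Key Directory lookup locates a key. A WKD client does not browse a directory: it derives a fixed path from the e-mail address (SHA-1 of the ASCII-lowercased local part, z-base-32 encoded, 32 characters) and fetches the binary, non-armored key from `.well-known/openpgpkey/hu/<hash>` under the domain, next to a `policy` file, using either the "advanced" (openpgpkey subdomain) or "direct" method described in draft-koch-openpgp-webkey-service. As an added example, not part of the original post and not GnuPG's own code, the following Python derives those URLs and the publishing path; `Joe.Doe@Example.ORG` is the draft's own worked address, everything else is constructed.

```python
"""Web Key Directory (WKD) lookup paths. Added example, not from the thread."""
import hashlib

# z-base-32 alphabet used by WKD (draft-koch-openpgp-webkey-service).
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5-bit groups, most significant bits first."""
    out, acc, nbits = [], 0, 0
    for byte in data:
        acc = (acc << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32_ALPHABET[(acc >> nbits) & 0x1F])
    if nbits:  # left-align the remaining bits in a final 5-bit group
        out.append(ZBASE32_ALPHABET[(acc << (5 - nbits)) & 0x1F])
    return "".join(out)


def ascii_lower(s: str) -> str:
    """WKD lowercases only ASCII A-Z in the local part before hashing."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in s)


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the ASCII-lowercased local part, z-base-32 encoded (32 chars)."""
    digest = hashlib.sha1(ascii_lower(local_part).encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Advanced and direct lookup URLs plus the policy-file URL of each method.
    The 'l' query parameter carries the local part as written, not lowercased."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    h = wkd_hash(local)
    base_adv = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    base_dir = f"https://{domain}/.well-known/openpgpkey"
    return {
        "advanced": f"{base_adv}/hu/{h}?l={local}",
        "advanced_policy": f"{base_adv}/policy",
        "direct": f"{base_dir}/hu/{h}?l={local}",
        "direct_policy": f"{base_dir}/policy",
    }


def wkd_publish_path(address: str) -> str:
    """Path under the web root where the direct method expects the binary
    (not ASCII-armored) key for this address; the policy file sits one level up."""
    local, _, _ = address.rpartition("@")
    return f".well-known/openpgpkey/hu/{wkd_hash(local)}"


if __name__ == "__main__":
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:16} {url}")
    print(wkd_publish_path("Joe.Doe@Example.ORG"))
```

The path for `Joe.Doe@Example.ORG` comes out as `.well-known/openpgpkey/hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q`, matching the draft's example; a key uploaded to any other folder on the server is simply not found by a WKD client, and a key with several e-mail user IDs needs one file per address. This reproduces the lookup-side arithmetic only; the `gpg-wks-client` tooling discussed in the WKD thread below handles the publishing side, including stripping unrelated user IDs.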


Re: new to GPG: "gpg: Fatal: zlib inflate problem: invalid code lengths set"

2019-07-23 Thread David
Lentes, Bernd:
> Hi ML,
> 
> I'm new to GPG, so please excuse asking silly questions.
> I managed to create my keys with "gpg2 --gen-key"
> I wrote an e-Mail to ad...@gnupp.de with the subject "Mein öffentlicher 
> Schlüssel", which is German for "my public key".
> Shortly thereafter I got an encrypted response which, I assume, I have to 
> decrypt with my private key.
> I pasted the encrypted stuff into a file and then tried to decrypt:
> 
> gpg2 -d nachricht.txt
> 
> I've been asked for the passphrase for my private key which I entered, but 
> then I got the following error:
> 
> gpg: encrypted with 2048-bit RSA key, ID F742DB29, created 2019-07-23
>   "Bernd Lentes (Helmholtz GPG Schluessel) 
> "
> gpg: Fatal: zlib inflate problem: invalid code lengths set
> 
> The file has a size of 68 KB, could that be the culprit ?
> 
> Bernd
> 

The simple rules are as follows:

(1) You encrypt to another person's public key
(2) You decrypt with your private key

That's it!

You can sign your emails - this means no one can tamper with them whilst
in transit - if it was tampered with then there's an error in the check
sum of the message.

Be happy!

David




Re: WKD: Publishing a key for multiple user IDs

2019-07-16 Thread David Bürgin via Gnupg-users
On 16/07/2019 08:23, Wolfgang Traylor wrote:
> Try the gpg-wks-client command. It should try to automatically strip the user 
> IDs. Werner Koch explained that in an old post:
> https://lists.gnupg.org/pipermail/gnupg-users/2019-February/061610.html
> 
> Since my primary secret key is offline and I access it with the live system 
> Tails, the gpg-wks-client does not work for me.
> Instead I used the following commands in the Linux command line on Tails:
> 
> Export secret & public keys (including the primary key) into 
> "primary_key.asc".
> 
> ```
> # Work in a temporary directory, with a blank keyring.
> mkdir /tmp/gnupg_posteo
> gpg --homedir "/tmp/gnupg_posteo" --import primary_key.asc
> gpg --homedir "/tmp/gnupg_posteo" --edit-key 
> 
> # Create new user ID with empty name and only the posteo address.
> # To add a comment like "WKD" or such is allowed.
> gpg> adduid
> 
> # Delete all other user IDs.
> gpg> uid 1
> gpg> uid 2
> gpg> deluid
> 
> # Save changes.
> gpg> save
> 
> # Export the public key without any third-party signatures.
> gpg --homedir "/tmp/gnupg_posteo" --export-options="export-minimal" --armor 
> --export  > key_for_posteo.asc
> ```

This is very helpful, thank you Wolfgang!





Re: WKD: Publishing a key for multiple user IDs

2019-07-16 Thread David Bürgin via Gnupg-users
Thanks everybody.

> > Is there documentation somewhere how to produce the keys for both these
> > user IDs with GnuPG? (I don’t think the Python generate scripts do this
> 
> I don't know about Python scripts.  Kmail, GpgOL, and Enigmail do the
> publishing for you.  You can also do it manually, see the Wiki.

Exactly – I was referring to the Python scripts in the wiki:
https://wiki.gnupg.org/WKDHosting




WKD: Publishing a key for multiple user IDs

2019-07-15 Thread David Bürgin via Gnupg-users
Under ‘security considerations’ the current WKD draft says:

> The mail provider MUST make sure to publish a key in a way that only the
> mail address belonging to the requested user is part of the User ID
> packets included in the returned key. Other User ID packets and their
> associated binding signatures MUST be removed before publication.

So if I have two email addresses/user IDs m...@my.org and m...@my.org
associated with the same key, I cannot just export the key and publish
it, right? I have to somehow publish two different ‘stripped’ public
keys.

Is there documentation somewhere how to produce the keys for both these
user IDs with GnuPG? (I don’t think the Python generate scripts do this
properly, or do they?)

Cheers,


-- 
David
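
The stripping the draft requires, as an added example for this thread (not code from the thread, the WKD draft or GnuPG): it parses the OpenPGP packet framing of a transferable public key, keeps only the User ID that belongs to the requested address together with the signatures that follow it, and also computes the direct-method WKD URL a client will fetch for an address. The key bytes are a constructed dummy with placeholder packet bodies, and the case-insensitive address comparison is a simplification.

```python
import hashlib

SIG, PUBKEY, USERID, SUBKEY = 2, 6, 13, 14       # packet tags, RFC 4880 sec. 4.3
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"        # z-base-32 alphabet used by WKD

def zbase32(data: bytes) -> str:
    """z-base-32 encode without padding (20 SHA-1 bytes give 32 chars)."""
    bits = "".join(f"{b:08b}" for b in data)
    return "".join(ZB32[int(bits[i:i + 5].ljust(5, "0"), 2)]
                   for i in range(0, len(bits), 5))

def wkd_url(address: str) -> str:
    """Direct-method URL for `address`: lowercased local part, SHA-1, z-base-32."""
    local, domain = address.rsplit("@", 1)
    hashed = zbase32(hashlib.sha1(local.lower().encode()).digest())
    return f"https://{domain}/.well-known/openpgpkey/hu/{hashed}?l={local}"

def parse_packets(data: bytes):
    """Yield (tag, body) per packet; old- and new-format headers (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header at offset {i}")
        i += 1
        if ctb & 0x40:                                 # new-format header
            tag, first = ctb & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                          # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not supported")
            size = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + size], "big"), i + size
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        i += length
        yield tag, body

def encode_packet(tag: int, body: bytes) -> bytes:
    """Serialise a packet with a new-format header."""
    n = len(body)
    if n < 192:
        hdr = bytes([n])
    elif n < 8384:
        hdr = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        hdr = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + hdr + body

def uid_address(body: bytes) -> str:
    """Address in a User ID ("Name <addr>" or bare "addr"), lowercased; this
    treats local parts case-insensitively, which RFC 5321 does not promise."""
    uid = body.decode("utf-8", "replace").strip()
    if uid.endswith(">") and "<" in uid:
        uid = uid[uid.rfind("<") + 1:-1]
    return uid.lower()

def strip_to_address(key: bytes, address: str) -> bytes:
    """Keep the primary key, the one User ID for `address` with the signatures
    that follow it, and the subkeys with their binding signatures; drop every
    other User ID, user attribute and their signatures (WKD requirement)."""
    out, keep, found = [], False, False
    for tag, body in parse_packets(key):
        if tag in (PUBKEY, SUBKEY):
            keep = True
        elif tag == USERID:
            keep = uid_address(body) == address.lower()
            found = found or keep
        elif tag != SIG:                               # user attribute, trust packet...
            keep = False
        if keep:                                       # signatures inherit the state
            out.append(encode_packet(tag, body))
    if not found:
        raise ValueError(f"no User ID for {address} in this key")
    return b"".join(out)

def build_dummy_key() -> bytes:
    """Constructed test key: real packet framing, placeholder bodies."""
    return b"".join([
        encode_packet(PUBKEY, b"\x04" + b"\x00" * 40),
        encode_packet(USERID, b"Alice <alice@example.org>"),
        encode_packet(SIG, b"\x04\x13" + b"\x11" * 70),    # self-certification
        encode_packet(SIG, b"\x04\x10" + b"\x22" * 70),    # third-party certification
        encode_packet(USERID, b"Alice Work <Alice@work.example>"),
        encode_packet(SIG, b"\x04\x13" + b"\x33" * 70),
        encode_packet(SUBKEY, b"\x04" + b"\x00" * 40),
        encode_packet(SIG, b"\x04\x18" + b"\x44" * 300),   # binding sig, 2-byte length
    ])
```

Running `strip_to_address(build_dummy_key(), "alice@work.example")` yields a key with only the second User ID, its signature, and the subkey with its binding signature; a real key exported with `gpg --export` parses the same way.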




Re: test

2019-07-14 Thread David
On 14/07/2019 05:55, Stefan Claas via Gnupg-users wrote:
> David wrote:
> 
>> Hello Stefan,
>>
>> I mean to say - no keys were found :)
> 
> Maybe you have to adjust your settings.
> 
> My key is available via WKD or Hagrid.
> 
> (P.S. I forgot to insert a Message-ID,
> so now threading is not correct.)
> 
> Regards
> Stefan
> 
> 
I have imported your key,

David



Re: test

2019-07-13 Thread David
On 13/07/2019 17:56, Stefan Claas via Gnupg-users wrote:
> Stefan Claas via Gnupg-users wrote:
> 
> David wrote:
> 
>>>> Just testing my e-mails are getting through :)
>>>>
>>>> But not signed :) no public key
>>>>
>>>> David
> 
> And a little reply, to see if my signature verifies properly.
> 
> Step 1. Creating the reply in Notepad++ (offline).
> Step 2. Signing the message (offline).
> Step 3. Adding Headers (offline).
> Step 4. Transfer with CoolTerm to online computer.
> Step 5. Sending the message with openssl.
> 
> Stefan
> 
> Forgot the -quiet command in openssl, hence the error.
> 
> Hope the second try is correct.
> 
> Regards
> Stefan
> 
> 
Hello Stefan,

I mean to say - no keys were found :)

David



Re: test

2019-07-13 Thread David
On 13/07/2019 17:45, Stefan Claas via Gnupg-users wrote:
> David wrote:
> 
>> Just testing my e-mails are getting through :)
> 
>> But not signed :) no public key
> 
>> David
> 
> And a little reply, to see if my signature verifies properly.
> 
> Step 1. Creating the reply in Notepad++ (offline).
> Step 2. Signing the message (offline).
> Step 3. Adding Headers (offline).
> Step 4. Transfer with CoolTerm to online computer.
> Step 5. Sending the message with openssl.
> 
> Stefan
> 
> 
> 

Hello Stefan - I copied and pasted your key into a file - then imported
it - but I could not find your public key in my list - you have a very
small public key :)

David




Re: Testing WKD setup?

2019-07-08 Thread David Bürgin via Gnupg-users
On Sun, Jul 07, 2019 at 09:59:32PM +0300, Teemu Likonen wrote:
> Can't answer to those questions but I got your key via WKD and with the
> key verified your email. So, this test was success.

Well, in that case thank you for checking, Teemu!




Testing WKD setup?

2019-07-07 Thread David Bürgin via Gnupg-users
Hello list,

I have implemented WKD for my domain, but now I don’t know an easy way
of testing it … is there a service or similar where I can check if this
email address is properly WKD-enabled?

Thank you.


-- 
David




Re: SKS and GnuPG related issues and possible workarounds

2019-07-06 Thread David
On 06/07/2019 12:50, Ryan McGinnis via Gnupg-users wrote:
> Someone brought it to my attention that my key is now one of the
> affected keys; I think from this we can probably surmise that whoever(s)
> is doing this probably reads this list as this email address doesn’t see
> heavy circulation. 
If indeed that's the case - that person can download any public key
insert malicious code and upload to any key server. I am not updating
any keys and no sks key servers.

Who's new to the mailing list? Now we have a web of distrust :(

David



test

2019-07-05 Thread David
Just testing my e-mails are getting through :)

But not signed :) no public key

David



Re: New keyserver at keys.openpgp.org - what's your take?

2019-07-02 Thread David
On 02/07/2019 03:44, Mirimir via Gnupg-users wrote:
> On 07/01/2019 07:29 AM, David wrote:
> 
> 
> 
>> My take on all this is that I have had to disable Enigmail because it's
>> screwed - I was not able to send mail and all the settings in enigmail
>> were lots of  so I have been infected :(
>>
>> David
> 
> Damn. But all is likely not lost.
> 
> If you can open Enigmail Preferences, go to the Keyserver tab, and
> specify only keys.openpgp.org as the keyserver. That way, if you manage
> to fix gpg, Enigmail won't break it again. Also see "100% CPU usage
> endles loop of gpg --list-keys" <https://dev.gnupg.org/T3972> for
> background.
> 
> About hardening and fixing gpg, see
> <https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f> at
> Mitigations and Repairs. Also see
> <https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html>.
> 
> You'll very likely need to use gpg in terminal. I suspect that GPA may
> be just as wedged as Enigmail.
> 
> Maybe someone could post a step-by-step guide for fixing gpg. For people
> who don't commonly use it in terminal. I suppose that I could import one
> of the poisoned keys in a fresh VM, and explore how to fix it. But I'm
> sure that someone reading this could just dash it out.
> 
> 

My "fix" was simple - I already have a linux laptop - saved all my keys
and my secret key on a usb stick. Whilst reading the thread - I changed
all the key servers from sks - but then I got screwed as sks key servers
refreshed my keys! WTF!!! Having installed everything to the new laptop
I just copied the folder onto my or this working laptop and all is fine.
But as key servers share data - (???) maybe the infected keys will
circulate???

My public key has only one confirmed signing - it had two - but really I
am not that tempted to download from any key server. Not all here attach
their public key - and do not upload to a key server - and well no one
will ever upload to a key server again!!! Ha!

Every key server is at risk. It has been done once - and can be done
again - there is some very sophisticated malware out there. This is a
great shock and a wake up call to tighten security - on all key servers
- and to have a standardised platform - that takes money and developers.

I'm still in shock and very very wary!!!

David




Re: New keyserver at keys.openpgp.org - what's your take?

2019-07-01 Thread David
On 01/07/2019 14:55, Andrew Gallagher wrote:
> On 2019/07/01 14:26, Robert J. Hansen wrote:
>> A thought that would unfortunately require an adjustment to the OpenPGP
>> spec itself: why do we put certification signatures on the target's
>> certificate, anyway?
> 
> I think it's mostly to do with key size. This works fine either way when
> it's among peers, but in large organisations you'll tend to get one key
> that certifies a large number of others, while the median number of
> certifications made by any of the other keys is zero. Better to
> distribute lots of keys each with one signature, than lots of keys with
> no signatures and one key with all the signatures.
> 
> Also, given that there tend to be a small number of super-certifiers, it
> is easier to trace back the possible verification paths given a list of
> certifiers on a newly-encountered key. The question is rarely "what is
> the list of the keys that I can verify?", and almost always "how can I
> verify this particular key?". X509 uses this model also, and for the
> same reason.
> 
>> The current debacle is completely the result of allowing *anyone* to
>> append a cert signature to *anyone else's* cert.
> 
> Yes, which is why we've informally had "let the owner choose whether to
> publish her incoming certifications" as best practice for a long time.
> Cross-signing would enforce this, but the client-side tooling is lacking.
> 
>>> * It MUST cryptographically verify all fetched material.
>>
>> Note that this amounts to "SKS must die".  SKS does no cryptographic
>> verification of material.
> 
> SKS as we know it must die, but I think that has been obvious for a
> while. Its reconciliation algorithm can live on, however. The crypto
> verification doesn't need to be performed in the synchroniser. It might
> be best if it didn't so that we don't run into potential issues re some
> systems being able to verify, a new algorithm and some not. Better to
> let the synchroniser just do its job, and move all the verification and
> caching stuff to a higher level. It need not be in the same binary.
> 
> 
> 

My take on all this is that I have had to disable Enigmail because it's
screwed - I was not able to send mail and all the settings in enigmail
were lots of  so I have been infected :(

David


Re: Your Thoughts

2019-07-01 Thread David
On 30/06/2019 21:01, Ralph Seichter wrote:
> * da...@gbenet.com:
> 
>> Your Thoughts :)
> 
> I think the article is five years old, has not aged well (e.g. MUA
> integration has improved), and that nothing better than PGP has come
> along in the meantime.
> 
> Next. ;-)
> 
> -Ralph
> 
> 

I have used gnupg for years and converted just a handful to encrypt
their emails - and it's beyond my comprehension why it is that normal
people do not encrypt their emails by default.

Over the years GUIs have come along and gpg4win - perhaps people are not
that concerned about GCHQ and the NSA reading all their emails - they
read everything else from all their devices.

We know FaceBook Google etc.. hand over all data to the NSA and GCHQ and
there are rumours that SSL has been cracked - am sure it has as my
website and database were hacked and my host provider had 3 mail servers
hacked in a matter of 3 days - much to their shock.

I think for Windows users gpg4win attempts to provide a GUI that makes
installation easy - but only geeks use it :)

I try to promote user encryption on my website (it's down at this time)
but very very few people take their daily lives seriously.

David




Your Thoughts

2019-06-30 Thread David
Your Thoughts :)

https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/



Re: Enforcing password complexity for private keys

2019-04-30 Thread David Milet
Indeed it’s specified in the OpenPGP card specs. 
I have my answers 
Thanks 
David

> On Apr 30, 2019, at 14:13, Juergen Bruckner  wrote:
> 
> Well I may be (partly) wrong, but I guess a 6digit PIN-Code on the
> GnuPG-Card may be complex enough for the most security settings.
> 
> my2c
> Juergen
> 
>> Am 30.04.19 um 19:40 schrieb David Milet:
>> Yes, we’re considering using smart cards or usb devices like Yubikey.
>> Do those enforce password complexity?
>> 
>> To answer suggestions in other replies, our developers are savvy enough, and 
>> we do have recurring training in place to stress the importance of good 
>> passwords. But we know also that some developers will choose the weakest 
>> password the system allows, making them the weakest link.
>> 
>>> On Apr 30, 2019, at 13:21, Juergen Bruckner  wrote:
>>> 
>>> Hello David,
>>> 
>>> have you ever thought about using SmartCards?
>>> GnuPG has a built in SmartCard service.
>>> 
>>> regards
>>> Juergen
>>> 
>>>> Am 30.04.19 um 12:55 schrieb David Milet:
>>>> Hello
>>>> 
>>>> We’re considering rolling out GnuPG at work for developers to sign git 
>>>> commits.
>>>> How can we prevent developers from choosing a trivial password?
>>>> 
>>>> Is there a way for GnuPG to enforce some password complexity on the 
>>>> private keys?
>>>> 
>>>> Is that something that a Yubikey could do? 
>>>> 
>>>> Many thanks!
>>>> David
>>>> 
>>> 
>>> -- 
>>> Juergen M. Bruckner
>>> juer...@bruckner.tk
>>> 
>> 
>> 
> 
> -- 
> Juergen M. Bruckner
> juer...@bruckner.tk
> 



Re: Enforcing password complexity for private keys

2019-04-30 Thread David Milet
Believe me we have long and passionate discussions about password length and 
complexity.

The question in my post is purely technical.


> On Apr 30, 2019, at 13:51, Michał Górny  wrote:
> 
>> On Tue, 2019-04-30 at 13:40 -0400, David Milet wrote:
>> Yes, we’re considering using smart cards or usb devices like Yubikey.
>> Do those enforce password complexity?
>> 
>> To answer suggestions in other replies, our developers are savvy enough, and 
>> we do have recurring training in place to stress the importance of good 
>> passwords. But we know also that some developers will choose the weakest 
>> password the system allows, making them the weakest link.
>> 
> 
> I dare say trying to enforce strong passwords via policy is usually
> a bad idea.  If you can't convince a user to use and remember a good
> password, trying to force it via policy usually results either in:
> 
> a. passwords being noted down on paper, phone, etc., or
> 
> b. passwords becoming more predictable.
> 
> I can't know whether your users would actually do that but it's not an
> uncommon problem that e.g. if you require a password containing one digit
> and one special character, you replace trivial passwords with trivial
> passwords followed by '1!'.
> 
> -- 
> Best regards,
> Michał Górny
> 
> 



Re: Enforcing password complexity for private keys

2019-04-30 Thread David Milet
Yes, we’re considering using smart cards or usb devices like Yubikey.
Do those enforce password complexity?

To answer suggestions in other replies, our developers are savvy enough, and we 
do have recurring training in place to stress the importance of good passwords. 
But we know also that some developers will choose the weakest password the 
system allows, making them the weakest link.

> On Apr 30, 2019, at 13:21, Juergen Bruckner  wrote:
> 
> Hello David,
> 
> have you ever thought about using SmartCards?
> GnuPG has a built in SmartCard service.
> 
> regards
> Juergen
> 
>> Am 30.04.19 um 12:55 schrieb David Milet:
>> Hello
>> 
>> We’re considering rolling out GnuPG at work for developers to sign git 
>> commits.
>> How can we prevent developers from choosing a trivial password?
>> 
>> Is there a way for GnuPG to enforce some password complexity on the private 
>> keys?
>> 
>> Is that something that a Yubikey could do? 
>> 
>> Many thanks!
>> David
>> 
> 
> -- 
> Juergen M. Bruckner
> juer...@bruckner.tk
> 



Enforcing password complexity for private keys

2019-04-30 Thread David Milet
Hello

We’re considering rolling out GnuPG at work for developers to sign git commits.
How can we prevent developers from choosing a trivial password?

Is there a way for GnuPG to enforce some password complexity on the private 
keys?

Is that something that a Yubikey could do? 

Many thanks!
David


Re: Generating revocation certificate

2019-04-06 Thread Jean-David Beyer via Gnupg-users
On 4/6/19 12:32 PM, Markus Reichelt wrote:
> I'm using on slackware64-current (if you are using windows, all hands
> are off)
> 
> gpg --version
> gpg (GnuPG) 2.2.15
> libgcrypt 1.8.4

Mine's bigger than yours (older, too):

$ gpg --version
gpg (GnuPG) 2.0.14
libgcrypt 1.4.5
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2


-- 
  .~.  Jean-David Beyer
  /V\  PGP-Key:166D840A 0C610C8B
 /( )\ Shrewsbury, New Jersey
 ^^-^^ 12:45:01 up 22:44, 2 users, load average: 4.26, 4.55, 4.53





Re: Newbie: Installing Build Dependencies to gnupg-2.2.13 update from gnupg 2.0.22 on Ubuntu 14.04 LTS failed

2019-03-13 Thread David
On Wed, 27 Feb 2019 at 23:16, Oscar Carlsson via Gnupg-users wrote:
>
> And in future emails, try to [...] use pastebin like
> services and/or attach logs instead of adding them inline like this.

Why is that suggested?

If someone posts hundreds of kilobytes or more, I agree,
but in this case I argue the opposite, for these reasons.
Providing the information inline has several advantages:
1) all information is available in one place.
2) it's easy to quote/reference in email replies.
3) it's less work for the responders who don't have to cut
and paste from other places.
4) it avoids running pastebin javascript.
5) it preserves the integrity of the email archive, so that the
conversation can help future readers, particularly when pastebin sites
are ephemeral and/or provide only temporary storage.
6) some mailing lists strip attachments.



Re: [paperkey] Always output "interrupt"

2018-06-20 Thread David Shaw
On Jun 20, 2018, at 11:28 AM, Damien Cassou  wrote:
> 
> David Shaw  writes:
>> Which version of paperkey is this?
> 
> both the version from source and from Fedora package are 1.5.
> 
>> If that doesn't resolve your problem, can you send me a sample secret
>> key (not your real secret key, of course - just generate a dummy one)
>> that exhibits the problem?  I'll make it work.
> 
> Please find attached the very secret key :-).

I tested this on my regular development box and it worked fine.  Just for 
completeness, I spun up a Fedora 28 VM and it worked fine there as well.  It 
occurs to me that given the pipeline you were using, the "interrupt" error may 
have come from gpg2 rather than paperkey:

> $ gpg2 --export-secret-key "FooBar" | paperkey -

What happens if you do this:

$ gpg2 --export-secret-key "FooBar" > /tmp/foo.key
$ paperkey < /tmp/foo.key

David




Re: [paperkey] Always output "interrupt"

2018-06-20 Thread David Shaw
On Jun 20, 2018, at 5:14 AM, Damien Cassou  wrote:
> 
> Hi,
> 
> The output of paperkey is just "interrupt" instead of being a printable
> output. I've tried to use paperkey on 2 different main private keys and
> failed twice. I tried with both the Fedora package and from paperkey's
> source. Same result in every case.
> 
> System:
> - Fedora 28
> - gpg (GnuPG) 2.2.8, libgcrypt 1.8.3
> 
> Keys:
> - key1: ed25519
> - key2: rsa4096
> 
> Command:
> $ gpg2 --export-secret-key "FooBar" | paperkey -
> interrupt
> $

Hi Damien,

Which version of paperkey is this?  The latest is 1.5 (and support for EdDSA 
keys was only added in that version), so if you're using an old version can you 
try the latest?

If that doesn't resolve your problem, can you send me a sample secret key (not 
your real secret key, of course - just generate a dummy one) that exhibits the 
problem?  I'll make it work.

David




Re: [Announce] [security fix] GnuPG 2.2.8 released (CVE-2018-12020)

2018-06-10 Thread Jean-David Beyer
/documentation/manuals/gnupg.pdf .
>>
>> The chapters on gpg-agent, gpg and gpgsm include information on how to
>> set up the whole thing.  You may also want to search the GnuPG mailing
>> list archives or ask on the gnupg-users mailing list for advice on how
>> to solve problems.  Most of the new features are around for several
>> years and thus enough public experience is available.
>>
>> Please consult the archive of the gnupg-users mailing list before
>> reporting a bug: <https://gnupg.org/documentation/mailing-lists.html>.
>> We suggest to send bug reports for a new release to this list in favor
>> of filing a bug at <https://bugs.gnupg.org>.  If you need commercial
>> support check out <https://gnupg.org/service.html>.
>>
>> If you are a developer and you need a certain feature for your project,
>> please do not hesitate to bring it to the gnupg-devel mailing list for
>> discussion.
>>
>>
>> Thanks
>> ==
>>
>> Maintenance and development of GnuPG is mostly financed by donations.
>> The GnuPG project currently employs one full-time developer and one
>> contractor.  Both work exclusively on GnuPG and closely related software
>> like Libgcrypt, GPGME, and GPA.  We are planning to extend our team
>> again and to help developers to improve integration of crypto in their
>> applications.
>>
>> We have to thank all the people who helped the GnuPG project, be it
>> testing, coding, translating, suggesting, auditing, administering the
>> servers, spreading the word, and answering questions on the mailing
>> lists.
>>
>> Many thanks to our numerous financial supporters, both corporate and
>> individuals.  Without you it would not be possible to keep GnuPG in a
>> good shape and address all the small and larger requests made by our
>> users.  Thanks.
>>
>>
>> Happy hacking,
>>
>>Your GnuPG hackers
>>
>>
>>
>> p.s.
>> This is an announcement only mailing list.  Please send replies only to
>> the gnupg-users'at'gnupg.org mailing list.
>>
>> p.p.s
>> List of Release Signing Keys:
>>
>> To guarantee that a downloaded GnuPG version has not been tampered by
>> malicious entities we provide signature files for all tarballs and
>> binary versions.  The keys are also signed by the long term keys of
>> their respective owners.  Current releases are signed by one or more
>> of these four keys:
>>
>>   rsa2048 2011-01-12 [expires: 2019-12-31]
>>   Key fingerprint = D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6
>>   Werner Koch (dist sig)
>>
>>   rsa2048 2014-10-29 [expires: 2019-12-31]
>>   Key fingerprint = 46CC 7308 65BB 5C78 EBAB  ADCF 0437 6F3E E085 6959
>>   David Shaw (GnuPG Release Signing Key) 
>>
>>   rsa2048 2014-10-29 [expires: 2020-10-30]
>>   Key fingerprint = 031E C253 6E58 0D8E A286  A9F2 2071 B08A 33BD 3F06
>>   NIIBE Yutaka (GnuPG Release Key) 
>>
>>   rsa3072 2017-03-17 [expires: 2027-03-15]
>>   Key fingerprint = 5B80 C575 4298 F0CB 55D8  ED6A BCEF 7E29 4B09 2E28
>>   Andre Heinecke (Release Signing Key)
>>
>> The keys are available at <https://gnupg.org/signature_key.html> and
>> in any recently released GnuPG tarball in the file g10/distsigkey.gpg .
>> Note that this mail has been signed by a different key.
>> ===
>>
>> [1] If you want to test whether you are affected by this bug, remove the
>> indentation from the following block
>>
>>   -BEGIN PGP MESSAGE-
>>   
>>   jA0EBwMC1pW2pqoYvbXl0p4Bo5z/v7PXy7T1BY/KQxWaE9uTBRbf4no64/+5YYzX
>>   +BVNqP+82aBFYXEsD9x1vGuYwofQ4m/q/WcQDEPXhRyzU+4yiT3EOuG7sTTaQR3b
>>   8xAn2Qtpyq5tO7k9CN6dasaXKSduXVmFUqzgU+W9WaTLOKNDFw6FYV3lnOoPtFcX
>>   rzhh2opkX9Oh/5DUkZ6YmUIX3j/A0z+59/qNO1i2hQ==
>>   =zswl
>>   -END PGP MESSAGE-
>>
>> and pass to this pipeline
>>
>>   gpg --no-options -vd 2>&1 | grep '^\[GNUPG:] INJECTED'  
>>
>> If you get some output you are using a non-fixed version.
>>
>>
>>
>> ___
>> Gnupg-announce mailing list
>> gnupg-annou...@gnupg.org
>> http://lists.gnupg.org/mailman/listinfo/gnupg-announce
>>
>>
>>
>> ___
>> Gnupg-users mailing list
>> Gnupg-users@gnupg.org
>> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>>
> 
It says part of your message to me was encrypted and prompted me for my
passphrase, but it must not have been encrypted with my public key.

-- 
  .~.  Jean-David Beyer  Registered Linux User 85642.
  /V\  PGP-Key:166D840A 0C610C8B Registered Machine  1935521.
 /( )\ Shrewsbury, New Jersey    http://linuxcounter.net
 ^^-^^ 16:45:01 up 19 days, 21:28, 2 users, load average: 6.09, 5.31, 4.80



Re: Break backwards compatibility already: it’s time. Ignore the haters. I trust you.

2018-05-20 Thread Jean-David Beyer
On 05/20/2018 08:51 PM, Jeremy Davis wrote:
> I just read the awesome article "Efail: A Postmortem" by Robert Hansen.
> 
> Thanks for this Robert. Great work!
> 
> As suggested by Robert, I've signed up to say:
> 
> Break backwards compatibility already: it’s time. Ignore the haters. I
> trust you! :)
> 

One of the problems with Windows is that they preserved the backwards
compatibility for far too long, so they could never clean it up enough
to make it any good. I admit that Windows 7 is better than Windows XP
that was much better than Windows 95.

I wonder just how much complexity there is in my FiOS box to convert the
fiber-optic to plain old telephone service that must still be compatible
with my old rotary dial telephone that requires 90 volt 20 cycle power
to ring the bell. And all my electronic telephones with electronic
ringers that must be protected from that 90 volt ringing current.

Can you imagine the redesign that would be required so I could start the
gasoline engine in my Prius with a hand crank in the front?

-- 
  .~.  Jean-David Beyer  Registered Linux User 85642.
  /V\  PGP-Key:166D840A 0C610C8B Registered Machine  1935521.
 /( )\ Shrewsbury, New Jersey    http://linuxcounter.net
 ^^-^^ 23:05:01 up 4 days, 6:55, 1 user, load average: 4.04, 4.05, 4.07



Re: Efail or OpenPGP is safer than S/MIME

2018-05-19 Thread Jean-David Beyer
On 05/19/2018 09:00 AM, Patrick Brunschwig wrote:
> On 19.05.18 14:15, Werner Koch wrote:
>> On Fri, 18 May 2018 12:18, patr...@enigmail.net said:
>>
>>> How far back will that solution work? I.e. is this supported by all
>>> 2.0.x and 2.2.x versions of gpg?
>>
>> 2.0.19 (2012) was the first to introduce DECRYPTION_INFO  In any case
>> 2.0 is end-of-life.  In theory we could backport that to 1.4 but I don't
>> think that makes sense.
> 
> Enigmail runs on many long-term Linux distributions that still ship
> older, presumably patched, versions of GnuPG. For example, Red Hat EL
> 6.9/Centos 6.9 contains GnuPG 2.0.14, but current versions of Thunderbird.
> 
> GnuPG 2.0.x will therefore still be relevant for me for many years to come.
> 
Me too!

Red Hat Enterprise Linux Server release 6.9 (Santiago)
thunderbird-52.7.0-1.el6_9.x86_64
gnupg2-2.0.14-8.el6.x86_64
Enigmail 2.0.4

-- 
  .~.  Jean-David Beyer  Registered Linux User 85642.
  /V\  PGP-Key:166D840A 0C610C8B Registered Machine  1935521.
 /( )\ Shrewsbury, New Jersey    http://linuxcounter.net
 ^^-^^ 09:40:01 up 2 days, 17:30, 2 users, load average: 4.15, 4.27, 4.46





Re: GnuPG 2.2.4 on Windows - problems accessing some HKPS keyservers

2018-01-24 Thread David Gray via Gnupg-users
Thanks, Phil - 

I appreciate your help and your response.

Thanks,

Dave

Sent from my iPhone

> On Jan 23, 2018, at 9:51 PM, Phil Pennock  wrote:
> 
> Looks to me like a GnuPG bug.  In fact, it looks very much like
> https://dev.gnupg.org/T1447 which has been marked resolved.
> 
> The hostname there is a CNAME to Amazon DNS, and my dirmngr logfile
> records:
> 
> 2018-01-23 21:28:10 dirmngr[70787.6] TLS verification of peer failed: 
> hostname does not match
> 2018-01-23 21:28:10 dirmngr[70787.6] DBG: expected hostname: 
> keyserver-prod.v3jierkpjv.eu-west-1.elasticbeanstalk.com
> 
> The untrusted name retrieved from DNS resolution of the CNAME record is
> being used as the name for validation.
> 
> The patches to address the issue seem to focus on SRV records, so
> repaired one way in which the problem manifested, but either didn't fix
> the underlying issue, or there's been a regression.
> 
> I've opened a new ticket for the maintainers to track this.
> https://dev.gnupg.org/T3755
> 
> -Phil




GnuPG 2.2.4 on Windows - problems accessing some HKPS keyservers

2018-01-23 Thread David Gray via Gnupg-users
Good Evening -

I'm running GnuPG 2.2.4 on Windows.  I'm able to successfully query the SKS
keyserver pool via HKPS (hkps://hkps.pool.sks-keyservers.net) with no
problems.  I'm trying to query the hkps://keys.mailvelope.com keyserver, and
I'm not having any luck.  I suspect I don't have the appropriate hkp-cacert
referenced in the dirmngr, but I got the certificate by browsing to
https://keys.mailserver.com, exporting the root cert in the certification
path as a Base-64 encoded X.509 file (with .pem extension) and copying it to
my gnupg home directory, and the hkp-cacert line in dirmngr.conf references
that .PEM file.  The cert thumbprint shows:
ad7e1c28b064ef8f6003402014c3d0e3370eb58a in windows certmgr, and the full
contents of that .pem file appear at the bottom of this message for
reference.

I'm hoping someone may be able to point me in the right direction to
troubleshoot this a bit further - I suspect I've done something wrong but
I'm not sure how to identify exactly what it is.

Details below - Thanks!

Dave

This is what I get when I attempt to lookup the key for patr...@enigmail.com
at hkps://keys.mailvelope.com:

C:\Users\dave>gpg --debug-all -vvv --search-keys patr...@enigmail.com
gpg: reading options from 'C:/Users/dave/AppData/Roaming/gnupg/gpg.conf'
gpg: using character set 'CP437'
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog
gpg: DBG: [not enabled in the source] start
gpg: DBG: chan_0x0180 <- # Home: C:/Users/dave/AppData/Roaming/gnupg
gpg: DBG: chan_0x0180 <- # Config: C:/Users/dave/AppData/Roaming/gnupg/dirmngr.conf
gpg: DBG: chan_0x0180 <- OK Dirmngr 2.2.4 at your service
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_0x0180 -> GETINFO version
gpg: DBG: chan_0x0180 <- D 2.2.4
gpg: DBG: chan_0x0180 <- OK
gpg: DBG: chan_0x0180 -> KEYSERVER --clear hkps://keys.mailvelope.com/
gpg: DBG: chan_0x0180 <- OK
gpg: DBG: chan_0x0180 -> KS_SEARCH -- patr...@enigmail.com
gpg: DBG: chan_0x0180 <- ERR 285212985 Wrong name
gpg: error searching keyserver: Wrong name
gpg: keyserver search failed: Wrong name
gpg: DBG: chan_0x0180 -> BYE
gpg: DBG: [not enabled in the source] stop
gpg: keydb: handles=0 locks=0 parse=0 get=0
gpg:        build=0 update=0 insert=0 delete=0
gpg:        reset=0 found=0 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=0 cached=0 good=0 bad=0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x calls=0 bytes=0
gpg: secmem usage: 0/32768 bytes in 0 blocks

The corresponding logs from dirmngr show:

2018-01-22 19:40:43 dirmngr[1664] handler for fd 864 started
2018-01-22 19:40:43 dirmngr[1664] DBG: chan_0x0360 -> # Home: C:/Users/dave/AppData/Roaming/gnupg
2018-01-22 19:40:43 dirmngr[1664] DBG: chan_0x0360 -> # Config: C:/Users/dave/AppData/Roaming/gnupg/dirmngr.conf
2018-01-22 19:40:43 dirmngr[1664] DBG: chan_0x0360 -> OK Dirmngr 2.2.4 at your service
2018-01-22 19:40:43 dirmngr[1664] DBG: chan_0x0360 <- GETINFO version
2018-01-22 19:40:43 dirmngr[1664] DBG: chan_0x0360 -> D 2.2.4
2018-01-22 19:40:43 dirmngr[1664] DBG: chan_0x0360 -> OK
2018-01-22 19:40:43 dirmngr[1664] DBG: chan_0x0360 <- KEYSERVER --clear hkps://keys.mailvelope.com/
2018-01-22 19:40:43 dirmngr[1664] DBG: chan_0x0360 -> OK
2018-01-22 19:40:43 dirmngr[1664] DBG: chan_0x0360 <- KS_SEARCH -- patr...@enigmail.com
2018-01-22 19:40:43 dirmngr[1664] TLS handshake failed: Wrong name
2018-01-22 19:40:43 dirmngr[1664] error connecting to 'https://52.50.100.145:443': Wrong name
2018-01-22 19:40:43 dirmngr[1664] command 'KS_SEARCH' failed: Wrong name
2018-01-22 19:40:43 dirmngr[1664] DBG: chan_0x0360 -> ERR 285212985 Wrong name
2018-01-22 19:40:43 dirmngr[1664] DBG: chan_0x0360 <- BYE
2018-01-22 19:40:43 dirmngr[1664] DBG: chan_0x0360 -> OK closing connection
2018-01-22 19:40:43 dirmngr[1664] handler for fd 864 terminated

By contrast, this is what I get when I query the SKS pool for the same key
via HKPS:

C:\Users\dave>gpg --debug-all -vvv --keyserver hkps://hkps.pool.sks-keyservers.net --search-keys patr...@enigmail.com
gpg: reading options from 'C:/Users/dave/AppData/Roaming/gnupg/gpg.conf'
gpg: using character set 'CP437'
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog
gpg: DBG: [not enabled in the source] start
gpg: DBG: chan_0x0190 <- # Home: C:/Users/dave/AppData/Roaming/gnupg
gpg: DBG: chan_0x0190 <- # Config: C:/Users/dave/AppData/Roaming/gnupg/dirmngr.conf
gpg: DBG: chan_0x0190 <- OK Dirmngr 2.2.4 at your service
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_0x0190 -> GETINFO version


Re: your message could not,be delivered to one or more recipients.

2017-11-17 Thread Jean-David Beyer
On 11/17/2017 03:09 AM, Werner Koch wrote:
> On Thu, 16 Nov 2017 17:56, w...@uter.be said:
> 
>> Alternatively, AOL might be trying to send the mail from a different
> 
> Very likely - greylistd comes with a list of whitelisted AOL server
> pools.  204.29.186.0/24 is not yet in this list - I added it to the
> local installations.
> 
> 
> Salam-Shalom,
> 
>Werner
> 
Thank you.

I used to use Verizon as my SMTP provider, but when they bought AOL,
they discontinued serving e-mail and transferred everything to AOL's
servers. I usually have no trouble posting to

gnupg-users@gnupg.org

but that one did not go through.

Yesterday, I did a whois on 204.29.186.9 and it came up as AOL, but AOL
for the .ru area (it came up with other areas where presumably AOL
serves). But today there seems to be only the main entry in Dulles, VA.

If someone had been messing with the DNS, no wonder gnupg.org would be
suspicious.

Right now everything looks OK.

$ dig -x 204.29.186.9

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 204.29.186.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63531
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;9.186.29.204.in-addr.arpa. IN  PTR

;; ANSWER SECTION:
9.186.29.204.in-addr.arpa. 300  IN  PTR omr-m007e.mx.aol.com.

;; AUTHORITY SECTION:
186.29.204.in-addr.arpa. 3600   IN  NS  dns-07.ns.aol.com.
186.29.204.in-addr.arpa. 3600   IN  NS  dns-02.ns.aol.com.
186.29.204.in-addr.arpa. 3600   IN  NS  dns-01.ns.aol.com.
186.29.204.in-addr.arpa. 3600   IN  NS  dns-06.ns.aol.com.

;; ADDITIONAL SECTION:
dns-01.ns.aol.com.  126866  IN  A   64.12.51.132
dns-02.ns.aol.com.  126866  IN  A   205.188.157.232
dns-07.ns.aol.com.  126866  IN  A   64.236.1.107
dns-06.ns.aol.com.  126866  IN  A   207.200.73.80

;; Query time: 123 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 17 08:53:27 2017
;; MSG SIZE  rcvd: 228


-- 
  .~.  Jean-David Beyer  Registered Linux User 85642.
  /V\  PGP-Key:166D840A 0C610C8B Registered Machine  1935521.
 /( )\ Shrewsbury, New Jersey    http://linuxcounter.net
 ^^-^^ 08:35:01 up 2 days, 15:50, 2 users, load average: 4.42, 4.27, 4.14





your message could not,be delivered to one or more recipients.

2017-11-16 Thread Jean-David Beyer
This is the mail system at host omr-m007e.mx.aol.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

   The mail system

<gnupg-users@gnupg.org>: host kerckhoffs.g10code.com[217.69.77.222] said:
451-204.29.186.9 is not yet authorized to deliver mail from 451
<jeandav...@verizon.net> to <gnupg-users@gnupg.org>. Please try
later. (in
reply to RCPT TO command)

_

Reporting-MTA: dns; omr-m007e.mx.aol.com
X-Outbound-Mail-Relay-Queue-ID: 58F77380004C
X-Outbound-Mail-Relay-Sender: rfc822; jeandav...@verizon.net
Arrival-Date: Wed, 15 Nov 2017 09:01:43 -0500 (EST)

Final-Recipient: rfc822; gnupg-users@gnupg.org
Original-Recipient: rfc822;gnupg-users@gnupg.org
Action: failed
Status: 4.0.0
Remote-MTA: dns; kerckhoffs.g10code.com
Diagnostic-Code: smtp; 451-204.29.186.9 is not yet authorized to deliver
mail
from 451 <jeandav...@verizon.net> to <gnupg-users@gnupg.org>. Please try
later.

__
From where does it get port 451? My SMTP port is 465
204.29.186.9 is my ISP for e-mail: AOL.

-- 
  .~.  Jean-David Beyer  Registered Linux User 85642.
  /V\  PGP-Key:166D840A 0C610C8B Registered Machine  1935521.
 /( )\ Shrewsbury, New Jersey    http://linuxcounter.net
 ^^-^^ 08:40:01 up 1 day, 15:55, 2 users, load average: 4.81, 4.90, 4.72



Re: GnuPG public key vulnerability?

2017-10-31 Thread David Shaw
On Oct 31, 2017, at 8:10 PM, murphy <mac3...@gmail.com> wrote:
> 
> I got a signed notification from facebook (good signature, enigmail)
> that claims my GnuPG generated public key has a "recently disclosed
> vulnerability".  This is the full text:
> 
> We have detected that the OpenPGP key on your Facebook profile may be
> susceptible to attacks due to a recently disclosed vulnerability.  We
> recommend that you revoke and replace your public key immediately to
> minimize the risk to your encrypted communications.  You can update your
> public key by visiting your Security and Login settings.  To help reduce
> the risk of your key being attacked, we have set the privacy of your
> potentially vulnerable public key on your profile to "Only Me" to limit
> further distribution.  We will continue to encrypt your notification
> emails using this OpenPGP public key.
> 
> This is doubly weird since the private/public key was generated on a
> Yubikey-4 nano and it is safe at home.  Does anyone know what this may
> be about?

Yes.

Recently, a flaw in the firmware for some Infineon hardware crypto was found.  
RSA keys that were generated with this faulty firmware are not nearly as strong 
as their key length would imply.

You mention a Yubikey 4 nano, and unfortunately, that is one of the devices 
that used Infineon components.  In the case of a Yubikey and OpenPGP, if you 
generate the key *on* a vulnerable Yubikey, you may have a problem.  If you 
generate the OpenPGP key elsewhere and *import* the key to your Yubikey, you 
are not affected.

The Yubico people have a site up to check your device serial number to see if 
it is vulnerable and are offering a replacement program.  See 
https://www.yubico.com/keycheck/

There has been some discussion of the implications of this vulnerability on 
this list.  Search the list archives for "ROCA" to see more.

The original paper is at https://crocs.fi.muni.cz/public/papers/rsa_ccs17

David




gpg-agent UI when waiting for smart card touch?

2017-09-22 Thread David Mandelberg

Hi,

I'm using gpg-agent with Yubikeys configured to require a physical touch 
before performing operations. Is there any way to get gpg-agent to 
display something on screen when it's waiting for me to touch the 
Yubikey? (Otherwise, I sometimes don't realize it's waiting for 
anything, and the operation times out.)


--
Freelance cyber security consultant, software developer, and more
https://david.mandelberg.org/



Help: Copied gnupg folder not recognised

2017-09-17 Thread David Seaward
Hi,

I copied ~/.gnupg from my old machine, because I want to copy all keys,
trust data etc. [1]

However, on my new machine, nothing seems to be recognising the GnuPG
files:

* "gnupg --list-keys" is empty ("gnupg --help" confirms that ~/.gnupg
is the folder being used)

* The "GnuPG keys" pane of "GNOME Password and Keys" is empty

* Email client is not able to encrypt/decrypt messages

How can I diagnose what the problem is? Failing that, how can I
export/import an entire .gnupg folder (including trust data)?

Regards,
David

[1] https://www.phildev.net/pgp/gpg_moving_keys.html




Unknown key type

2017-05-22 Thread David Vallier

Can someone please explain why I am getting a yellow bar on  a LOT of
signed msgs saying that the key type is unknown??

the exact msg is "Part of the message signed with unknown key; the key
type is not supported by your version of GnuPG"

I am running GnuPG 2.0.30 (Gpg4Win 2.3.3) on a win 7 box.





Re: suspicious key found

2017-05-16 Thread David Shaw
On May 16, 2017, at 9:47 AM, Janne Inkilä <janne.ink...@iki.fi> wrote:
> 
> I made a key search with my name and found something suspicious.
> 
> The search:
> 
> https://pgp.mit.edu/pks/lookup?search=janne+inkila=index=on
> 
> I have used my old key since 2007. Fingerprint F4DB 40F8 BF22 8B9D 9B8F  F679 
> A482 4C9A 033E 22A2. I know this is quite old key and maybe I should revoke 
> it.
> 
> BUT
> 
> I also found another key with fingerprint 87C4 F4C8 16D1 3CC3 03E0 7977 1A9C 
> 6259 033E 22A2. The key ID is the same 033E 22A2 on both keys. There's also 
> signatures in this key. Looks like same persons and same key ID's but 
> fingerprints doesn't match. For some reason this key has been revoked.
> 
> Did someone really generated same looking key? And why? Any ideas? Someone 
> tries to capture my emails? I would like to see some sort of theory what is 
> going on, thanks :)

There are many such fake keys on the keyservers.  I have one as well.  It's 
trivial to forge the short (8 hex digit) key ID - just keep generating keys 
over and over until you match the lower 32 bits.  Note that the fingerprints do 
not match, as there is no (current) way to forge an entire fingerprint.

See https://evil32.com - they made the keys as a demonstration, but didn't 
upload them.  It's an excellent demonstration why people should never trust the 
short key ID for anything.

David


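As an added example (not code from David Shaw's reply or from GnuPG), here is how a v4 fingerprint and its long and short key IDs are derived from a public-key packet (RFC 4880, section 12.2), applied to the two fingerprints quoted in the question; the RSA modulus used for the toy packet is a constructed value, not a real key.

```python
"""Added example, not code from the post or from GnuPG: derive an OpenPGP v4
fingerprint and the long/short key IDs from a public-key packet (RFC 4880,
section 12.2), then apply the key-ID-vs-fingerprint distinction to the two
fingerprints quoted in the question.  The RSA modulus below is a constructed
toy value, not a real key."""
import hashlib
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet: version, creation time, algorithm 1, n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """Fingerprint = SHA-1(0x99 || 2-octet body length || body), as 40 upper-case hex digits."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def normalize(fp: str) -> str:
    """Strip the display spacing ("F4DB 40F8 ...") used in the post and in key listings."""
    return fp.replace(" ", "").upper()


def long_key_id(fp: str) -> str:
    """64-bit key ID: the low-order 8 octets of the fingerprint."""
    return normalize(fp)[-16:]


def short_key_id(fp: str) -> str:
    """32-bit key ID: the low-order 4 octets; this is all an Evil32-style key collides on."""
    return normalize(fp)[-8:]


def same_key(fp_a: str, fp_b: str) -> bool:
    """The only sound identity check: compare the full 160-bit fingerprint."""
    return normalize(fp_a) == normalize(fp_b)


def expected_trials_to_match(id_bits: int) -> int:
    """Expected number of fresh keys needed to hit one fixed key ID of id_bits bits
    (each fresh key matches with probability 2**-id_bits)."""
    return 2 ** id_bits


# The two fingerprints quoted in the question.
ORIGINAL = "F4DB 40F8 BF22 8B9D 9B8F F679 A482 4C9A 033E 22A2"
SUSPECT = "87C4 F4C8 16D1 3CC3 03E0 7977 1A9C 6259 033E 22A2"


def compare_report(fp_a: str, fp_b: str) -> dict:
    """Summarise how far two fingerprints agree, from weakest to strongest identifier."""
    return {
        "short_id_match": short_key_id(fp_a) == short_key_id(fp_b),
        "long_id_match": long_key_id(fp_a) == long_key_id(fp_b),
        "fingerprint_match": same_key(fp_a, fp_b),
    }


if __name__ == "__main__":
    # Constructed toy packet: a 16-bit modulus so the example runs instantly.
    body = v4_rsa_public_key_body(created=1500000000, n=0xC0FF, e=65537)
    fp = v4_fingerprint(body)
    print("toy key fingerprint:", fp, "short id:", short_key_id(fp))
    print("question's keys:", compare_report(ORIGINAL, SUSPECT))
    print("expected trials to hit a fixed 32-bit id:", expected_trials_to_match(32))
```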


Re: Subkey Generation / SmartCard

2017-04-15 Thread David Gueguen via Gnupg-users
Hello Christoph,


With the new gpg version (>2.15) you can more easily generate subkeys


* Hereafter: add subkeys to the main keyring $key_id, each RSA1024, one
for Sign, one for Encrypt, one for Auth

  echo "$var_pass_poem" | gpg2 --no-verbose --pinentry-mode loopback \
    --batch --no-tty --yes --passphrase-fd 0 --quick-addkey --passphrase '' \
    "$key_id" rsa1024 sign 1y

  echo "$var_pass_poem" | gpg2 --no-verbose --pinentry-mode loopback \
    --batch --no-tty --yes --passphrase-fd 0 --quick-addkey --passphrase '' \
    "$key_id" rsa1024 encrypt 1y

  echo "$var_pass_poem" | gpg2 --no-verbose --pinentry-mode loopback \
    --batch --no-tty --yes --passphrase-fd 0 --quick-addkey --passphrase '' \
    "$key_id" rsa1024 auth 1y

the " echo $var_pass_poem | " trick allows you to pass the pass poem as a
variable and so avoid any keyboard interaction


* Here is the automated keytocard (with keyboard interaction); check that
the exported keys are the right ones ...

  # --edit-key script: select subkey 2 and move it to card slot 1
  # (signature), deselect it, move subkey 3 to slot 2 (encryption) and
  # subkey 4 to slot 3 (authentication), then save
  cmd="key 2\nkeytocard\n1\ny\nkey 2\nkey 3\nkeytocard\n2\ny\nkey 3\nkey 4\nkeytocard\n3\ny\nsave\nY\n"

  echo -e "$cmd" | gpg2 --no-verbose --command-fd 0 --status-fd 2 \
    --edit-key "$key_id"



* btw: here is how I generate the main keyring:
echo "
Key-Type: $var_key_type
Key-Usage:sign cert
Key-Length:   $var_key_lenght
Subkey-Type:  $var_key_type
Subkey-Usage: encrypt
Subkey-Length:$var_key_lenght
Name-Real:$var_name
Name-Comment: $var_comment
Name-Email:   $var_mail
Keyserver:$var_web_path
Expire-Date:  $var_expiracy
Passphrase:   $var_pass_poem
Preferences:  $var_pref
  " > gen_key_script  # creating SC and E keys
gpg2 --batch --full-gen-key gen_key_script


I am also trying to make gpg card ready to go in an automated way
https://github.com/bourinus/gpg_SmartCard_generation


Hope this helps,
Best rgds,
david


On 14/04/2017 20:47, Christoph J wrote:
> I am trying to batch provision yubikeys.
> 
> Using the --batch, I can generate the initial key, but I am unable to
> add more than a single subkey.
> 
> Is there a way to batch provision subkeys, specifying the usage
> (signing, encryption, auth) without having to go into --edit-key /
> interactive mode?
> 
> On the same topic, is there a way to do 'keytocard', again without
> having to do --edit-key --> toggle --> keytocard interactively?
> 
> Any insight on this would be most helpful. Thanks!
> 
> 



Re: Problems with cert validation via CRL

2017-02-23 Thread David Gray
Thanks very much for getting back to me - I really appreciate your help.  I 
have been able to get the validation to work by adding the trusted root 
certificate to the "trusted-certs" folder under the gnupg directory on my 
windows box.  The directory wasn't there but I was able to add it and as long 
as the cert is there dirmngr knows that it can trust the CRL that has been 
issued.  I haven't had a chance to circle back on my Linux installation, but 
I'm sure the same approach will work.  I'm also not sure how/why the Linux 
installation was originally able to validate the cert, but I will dig into 
that.  

Thanks again for your help - it's very much appreciated!

Sent from my Mobile Device

> On Feb 21, 2017, at 9:31 PM, NIIBE Yutaka <gni...@fsij.org> wrote:
> 
> Hello, again,
> 
> David Gray <d...@davidegray.com> wrote:
>> dave@dave-VirtualBox:~/.gnupg/crls.d$ dirmngr --debug-all --fetch-crl 
>> http://crl.comodoca.com/COMODOSHA256ClientAuthenticationandSecureEmailCA.crl
> 
> Reading the code of dirmngr, I think that --fetch-crl (or dirmngr-client
> --load-crl) doesn't work well for a CRL which is not signed by system CA
> directly.  When dirmngr doesn't know the issuer, it inquires back to the
> client, and it fails as:
> 
>> dirmngr[3184.0]: DBG: find_cert_bysubject: certificate not returned by 
>> caller - doing lookup
>> dirmngr[3184.0]: error fetching certificate by subject: Configuration error
>> dirmngr[3184.0]: CRL issuer certificate 
>> {92616B82E1A2A0AA4FEC67F1C2A3F7B48000C1EC} not found
>> dirmngr[3184.0]: crl_parse_insert failed: Missing certificate
> 
> When it is gpgsm which asks dirmngr to validate a certificate, I think
> it works.
> 
> I think that you once successfully did that on this box:
> 
>> dave@dave-VirtualBox:~/.gnupg/crls.d$ gpgsm --debug-all --list-keys 
>> --with-validation
> 
> And the CRL is cached.  Thus,
> 
>> gpgsm: DBG: chan_6 -> ISVALID 
>> 685A02B9E2BD4B5EE1FA51739B8882AEA38FB3C8.3FAADAD7DD3F946B114321153B76F88C
> 
> This is gpgsm asking if your X.509 client certificate is valid or not.
> 
>> gpgsm: DBG: chan_6 <- INQUIRE ISTRUSTED 
>> 02FAF3E291435468607857694DF5E45B68851868
> 
> Here, I think that the CRL for your X.509 client certificate is cached
> and checked.  dirmngr does not ask about anything about your X.509
> client certificate or its issuer.
> 
> dirmngr inquires back to gpgsm if the root issuer is trusted.
> 
>CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust 
> AB,C=SE
>fingerprint=02FAF3E291435468607857694DF5E45B68851868
> 
> then, gpgsm asks to gpg-agent.
> 
>> gpgsm: DBG: chan_7 -> ISTRUSTED 02FAF3E291435468607857694DF5E45B68851868
>> gpgsm: DBG: chan_7 <- S TRUSTLISTFLAG relax
>> gpgsm: DBG: chan_7 <- OK
> 
> It is trusted.  Then, gpgsm replies back to dirmngr.
> 
>> gpgsm: DBG: chan_6 -> D 1
>> gpgsm: DBG: chan_6 -> END
> 
> It's trusted.
> 
>> gpgsm: DBG: chan_6 <- OK
> 
> Then, dirmngr answers OK for the validation of your X.509 client certificate.
> 
>> gpgsm: DBG: chan_6 -> ISVALID 
>> 14673DA5792E145E9FA1425F9EF3BFC1C4B4957C.00E023CB1512835389AD616E7A54676B21
> 
> This is gpgsm asking if the intermediate certificate of following is
> valid or not:
> 
>CN=COMODO SHA-256 Client Authentication and Secure Email CA,O=COMODO CA 
> Limited,
>L=Salford, ST=Greater Manchester, C=GB
>fingerprint=59B825FC08860B04B392CC25FEC48C760753B689
> 
>> gpgsm: DBG: chan_6 <- INQUIRE ISTRUSTED 
>> 02FAF3E291435468607857694DF5E45B68851868
>> gpgsm: DBG: chan_7 -> ISTRUSTED 02FAF3E291435468607857694DF5E45B68851868
>> gpgsm: DBG: chan_7 <- S TRUSTLISTFLAG relax
>> gpgsm: DBG: chan_7 <- OK
>> gpgsm: DBG: chan_6 -> D 1
>> gpgsm: DBG: chan_6 -> END
>> gpgsm: DBG: chan_6 <- OK
> 
> Similar interactions between gpg-agent<->gpgsm<->dirmngr.
> 
>> gpgsm: DBG: chan_7 -> ISTRUSTED 02FAF3E291435468607857694DF5E45B68851868
>> gpgsm: DBG: chan_7 <- S TRUSTLISTFLAG relax
>> gpgsm: DBG: chan_7 <- OK
> 
> I don't know the exact reason, but gpgsm again asks gpg-agent.
> 
> And gpgsm shows your X.509 client certificate:
> 
>>   ID: 0x2F5900E9
>>  S/N: 3FAADAD7DD3F946B114321153B76F88C
>>   Issuer: /CN=COMODO SHA-256 Client Authentication and Secure Email 
>> CA/O=COMODO CA Limited/L=Salford/ST=Greater Manchester/C=GB
>>  Subject: /EMail=u...@domain.com
>>  aka: u...@domain.com
>> validity: 2017-01-02 00:00:00 through 2018-01-02 23:59:59
>> key type: 2048 bit RSA
>>key usag
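As an added example (not code from NIIBE Yutaka's reply or from GnuPG), the following reconstructs the gpgsm/dirmngr/gpg-agent exchange walked through above from a `gpgsm --debug-all` trace, pairing each ISVALID with the root dirmngr inquired about and gpg-agent's answer; the sample trace is constructed from the quoted lines (same channels and fingerprints, unwrapped, without the certificate listing).

```python
"""Added example, not from NIIBE Yutaka's reply or from GnuPG: reconstruct
the gpgsm <-> dirmngr (chan_6) and gpgsm <-> gpg-agent (chan_7) Assuan
exchange from a 'gpgsm --debug-all' trace, so each ISVALID request is paired
with the root dirmngr inquired about and the reply gpg-agent gave.
SAMPLE_TRACE is constructed after the lines quoted in the thread."""
import re
from dataclasses import dataclass, field

# "gpgsm: DBG: chan_6 -> ISVALID ..."  ->  (channel, direction, payload)
TRACE_LINE = re.compile(r"^gpgsm: DBG: (chan_\d+) (->|<-) (.*)$")

SAMPLE_TRACE = """\
gpgsm: DBG: chan_6 -> ISVALID 685A02B9E2BD4B5EE1FA51739B8882AEA38FB3C8.3FAADAD7DD3F946B114321153B76F88C
gpgsm: DBG: chan_6 <- INQUIRE ISTRUSTED 02FAF3E291435468607857694DF5E45B68851868
gpgsm: DBG: chan_7 -> ISTRUSTED 02FAF3E291435468607857694DF5E45B68851868
gpgsm: DBG: chan_7 <- S TRUSTLISTFLAG relax
gpgsm: DBG: chan_7 <- OK
gpgsm: DBG: chan_6 -> D 1
gpgsm: DBG: chan_6 -> END
gpgsm: DBG: chan_6 <- OK
gpgsm: DBG: chan_6 -> ISVALID 14673DA5792E145E9FA1425F9EF3BFC1C4B4957C.00E023CB1512835389AD616E7A54676B21
gpgsm: DBG: chan_6 <- INQUIRE ISTRUSTED 02FAF3E291435468607857694DF5E45B68851868
gpgsm: DBG: chan_7 -> ISTRUSTED 02FAF3E291435468607857694DF5E45B68851868
gpgsm: DBG: chan_7 <- S TRUSTLISTFLAG relax
gpgsm: DBG: chan_7 <- OK
gpgsm: DBG: chan_6 -> D 1
gpgsm: DBG: chan_6 -> END
gpgsm: DBG: chan_6 <- OK
gpgsm: DBG: chan_7 -> ISTRUSTED 02FAF3E291435468607857694DF5E45B68851868
gpgsm: DBG: chan_7 <- S TRUSTLISTFLAG relax
gpgsm: DBG: chan_7 <- OK
"""


@dataclass
class Validation:
    """One ISVALID round trip between gpgsm and dirmngr."""
    cert: str                     # "<fingerprint>.<serial>" dirmngr was asked to validate
    roots_inquired: list = field(default_factory=list)  # fingerprints from INQUIRE ISTRUSTED
    agent_answers: list = field(default_factory=list)   # (root fingerprint, gpg-agent reply)
    inquire_reply: str = ""       # what gpgsm sent back in its D line ("1" = trusted)
    result: str = ""              # dirmngr's final reply: "OK" or "ERR ..."


def parse_trace(lines):
    """Walk the trace once, pairing requests and replies by channel."""
    validations = []
    current = None      # the Validation dirmngr is still answering
    valid_chan = None   # channel carrying that ISVALID
    pending = {}        # channel -> root fingerprint awaiting gpg-agent's ISTRUSTED reply
    for raw in lines:
        m = TRACE_LINE.match(raw.strip())
        if not m:
            continue
        chan, direction, payload = m.groups()
        if direction == "->" and payload.startswith("ISVALID "):
            current = Validation(cert=payload.split(" ", 1)[1])
            valid_chan = chan
            validations.append(current)
        elif direction == "->" and payload.startswith("ISTRUSTED "):
            pending[chan] = payload.split()[1]
        elif current is None:
            continue        # ISTRUSTED traffic outside any ISVALID (like the trailing one)
        elif direction == "<-" and payload.startswith("INQUIRE ISTRUSTED "):
            current.roots_inquired.append(payload.split()[2])
        elif direction == "->" and payload.startswith("D ") and chan == valid_chan:
            current.inquire_reply = payload[2:]
        elif direction == "<-" and (payload == "OK" or payload.startswith("ERR")):
            if chan in pending:
                current.agent_answers.append((pending.pop(chan), payload))
            elif chan == valid_chan:
                current.result = payload
                current = None
    return validations


def summarize(validations) -> list:
    """One line per ISVALID, in the order the trace shows them."""
    out = []
    for v in validations:
        roots = ", ".join(v.roots_inquired) or "none"
        agent = ", ".join(f"{fp[:8]}...:{ans}" for fp, ans in v.agent_answers) or "none"
        out.append(f"ISVALID {v.cert[:8]}... -> inquired root(s): {roots}; "
                   f"gpg-agent: {agent}; gpgsm replied D {v.inquire_reply!r}; "
                   f"dirmngr: {v.result}")
    return out


if __name__ == "__main__":
    for line in summarize(parse_trace(SAMPLE_TRACE.splitlines())):
        print(line)
```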

RE: Problems with cert validation via CRL

2017-02-22 Thread David Gray
You were correct, Peter.  I haven't had a chance to verify on Ubuntu yet, but 
on Windows the following steps did the trick:

- there was no 'trusted-certs' directory in my existing home directory 
(C:\users\dave\appdata\Roaming\gnupg\), so I created one.  I also went ahead 
and created a 'logs' directory.
- I added the line "log-file 
C:\Users\dave\AppData\Roaming\gnupg\logs\dirmngrlog.txt" to my dirmngr.conf 
file to capture what I wanted
- I saved a copy of the root cert with fingerprint 
02FAF3E291435468607857694DF5E45B68851868 to a DER-encoded file with .crt 
extension to the 'trusted-certs' directory.
- I executed the 'gpgsm --list-keys --with-validation --debug-all' command, 
and all keys were shown to be good.

I've attached the debug output from the command as well as the dirmngrlog.txt 
file that was generated in case it is of interest.  (As an aside, you may 
notice that I've installed version 2.1.18 since the last output was provided). 
I don't fully understand everything that is shown in these files, but it sure 
seems to me like you were exactly right - dirmngr did not know to trust that 
root cert, so it couldn't verify that the CRL was signed by a trustworthy 
party.  Once I told dirmngr that the root cert could be trusted, it could 
verify the CRL.  I've since been able to encrypt data using this key, so 
things are looking good.

I can't thank you enough - this has been extremely helpful.

Thanks!

Dave







-Original Message-
From: Peter Lebbing [mailto:pe...@digitalbrains.com]
Sent: Tuesday, February 21, 2017 10:13 AM
To: David Gray <d...@davidegray.com>; NIIBE Yutaka <gni...@fsij.org>
Cc: gnupg-users@gnupg.org
Subject: Re: Problems with cert validation via CRL

On 21/02/17 13:20, David Gray wrote:
> I'm no expert, but when I look at the debug info (attached to original
> email), it appears that gpgsm is able to get the crl that my cert
> points to but it may be having trouble parsing it.

Reading that part made me think it couldn't find the issuer of the CRL:

> dirmngr[3184.0]: error fetching certificate by subject: Configuration
> error
> dirmngr[3184.0]: CRL issuer certificate
> {92616B82E1A2A0AA4FEC67F1C2A3F7B48000C1EC} not found

When I fetch the CRL we're talking about, OpenSSL tells me about it:

> Certificate Revocation List (CRL):
> Version 2 (0x1)
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA 
> Limited/CN=COMODO SHA-256 Client Authentication and Secure Email CA
> Last Update: Feb 20 16:07:34 2017 GMT
> Next Update: Feb 24 16:07:34 2017 GMT
> CRL extensions:
> X509v3 Authority Key Identifier:
>
> keyid:92:61:6B:82:E1:A2:A0:AA:4F:EC:67:F1:C2:A3:F7:B4:80:00:C1:EC
>
> X509v3 CRL Number:
> 822

The issuer is the certificate that gpgsm knows about:

> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> e0:23:cb:15:12:83:53:89:ad:61:6e:7a:54:67:6b:21
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, 
> CN=AddTrust External CA Root
> Validity
> Not Before: Dec 22 00:00:00 2014 GMT
> Not After : May 30 10:48:38 2020 GMT
> Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA
> Limited, CN=COMODO SHA-256 Client Authentication and Secure Email CA [...]
> X509v3 extensions:
> X509v3 Authority Key Identifier:
>
> keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
>
> X509v3 Subject Key Identifier:
>
> 92:61:6B:82:E1:A2:A0:AA:4F:EC:67:F1:C2:A3:F7:B4:80:00:C1:EC
> [...]
> SHA1
> Fingerprint=59:B8:25:FC:08:86:0B:04:B3:92:CC:25:FE:C4:8C:76:07:53:B6:8
> 9

I suspect that even though gpgsm knows about it, dirmngr might not, hence the 
failing CRL verification. I think you need to feed the certificate to dirmngr 
as well.

Whether this is actually the reason you're having problems, I don't know.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

C:\Users\dave>gpgsm --list-keys --with-validation --debug-all
gpgsm: reading options from 'C:\Users\dave\AppData\Roaming\gnupg\gpgsm.conf'
gpgsm: enabled debug flags: x509 mpi crypto memory cache memstat hashing ipc
C:\Users\dave\AppData\Roaming\gnupg\pubring.kbx
---
   ID: 0x0753B689
  S/N: 00E023CB1512835389AD616E7A54676B21
   Issuer: /CN=AddTrust External CA Root/OU=AddTrust External TTP 
Network/O=AddTrust AB/C=SE
  Subject: /CN=COMODO SHA-256 Client Authentication and Secure Email 
CA/O=COMODO

Re: Problems with cert validation via CRL

2017-02-21 Thread David Gray
Thanks, Peter!

According to the documentation the trusted certs need to be in a folder 
named "trusted-certs" in the home directory.  I don't believe I've copied them 
there manually, so if it hasn't happened automatically that could very well be 
the issue.  I'm at work but once I get home I'll check it out and report back.

Really appreciate the help,

Dave

Sent from my iPhone

> On Feb 21, 2017, at 10:13 AM, Peter Lebbing <pe...@digitalbrains.com> wrote:
> 
>> On 21/02/17 13:20, David Gray wrote:
>> I'm no expert, but when I look at the debug info (attached to
>> original email), it appears that gpgsm is able to get the crl that my
>> cert points to but it may be having trouble parsing it.
> 
> Reading that part made me think it couldn't find the issuer of the CRL:
> 
>> dirmngr[3184.0]: error fetching certificate by subject: Configuration error
>> dirmngr[3184.0]: CRL issuer certificate 
>> {92616B82E1A2A0AA4FEC67F1C2A3F7B48000C1EC} not found
> 
> When I fetch the CRL we're talking about, OpenSSL tells me about it:
> 
>> Certificate Revocation List (CRL):
>>Version 2 (0x1)
>>Signature Algorithm: sha256WithRSAEncryption
>>Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA 
>> Limited/CN=COMODO SHA-256 Client Authentication and Secure Email CA
>>Last Update: Feb 20 16:07:34 2017 GMT
>>Next Update: Feb 24 16:07:34 2017 GMT
>>CRL extensions:
>>X509v3 Authority Key Identifier: 
>>
>> keyid:92:61:6B:82:E1:A2:A0:AA:4F:EC:67:F1:C2:A3:F7:B4:80:00:C1:EC
>> 
>>X509v3 CRL Number: 
>>822
> 
> The issuer is the certificate that gpgsm knows about:
> 
>> Certificate:
>>Data:
>>Version: 3 (0x2)
>>Serial Number:
>>e0:23:cb:15:12:83:53:89:ad:61:6e:7a:54:67:6b:21
>>Signature Algorithm: sha256WithRSAEncryption
>>Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, 
>> CN=AddTrust External CA Root
>>Validity
>>Not Before: Dec 22 00:00:00 2014 GMT
>>Not After : May 30 10:48:38 2020 GMT
>>Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, 
>> CN=COMODO SHA-256 Client Authentication and Secure Email CA
>> [...]
>>X509v3 extensions:
>>X509v3 Authority Key Identifier: 
>>
>> keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
>> 
>>X509v3 Subject Key Identifier: 
>>92:61:6B:82:E1:A2:A0:AA:4F:EC:67:F1:C2:A3:F7:B4:80:00:C1:EC
>> [...]
>> SHA1 Fingerprint=59:B8:25:FC:08:86:0B:04:B3:92:CC:25:FE:C4:8C:76:07:53:B6:89
> 
> I suspect that even though gpgsm knows about it, dirmngr might not,
> hence the failing CRL verification. I think you need to feed the
> certificate to dirmngr as well.
> 
> Whether this is actually the reason you're having problems, I don't know.
> 
> HTH,
> 
> Peter.
> 
> -- 
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
> 



Re: Problems with cert validation via CRL

2017-02-21 Thread David Gray
Thank you for your response!  I do have the trustlist.txt file on both 
computers - it was automatically populated with the root cert by pin entry when 
I imported my certificate on both machines, and it includes the "relax" keyword 
on both computers.  There are 3 certs total in my hierarchy - root, 
intermediate, and mine.  I've added the fingerprint of the intermediate and 
even my own cert to trustlist.txt to see if that would make a difference, but 
it didn't change anything.  

The --disable-crl-checks option allows me to use the cert for encryption, so 
I'm pretty sure the problem lies with the crl option...there are two files (in 
addition to DIR.TXT) that have been populated in crl.d, and if I do a 
dirmngr --flush they get cleared out and are added back fine the next time I try 
to validate.  The root cert does NOT include a CRL DP, so I've tried turning on 
the option not to require a crl on trusted certs, but that didn't make a 
difference.

I'm no expert, but when I look at the debug info (attached to original email), 
it appears that gpgsm is able to get the crl that my cert points to but it may 
be having trouble parsing it.  The file itself is large, but I don't think 
that's uncommon, so perhaps there is a problem with the file itself.  It's been 
updated since I started investigating, and the problem persists, so it wasn't a 
transient problem. 

Is there a way to have gpgsm (or dirmngr?) validate that it is able to parse 
and interpret the CRL (or the associated .db file in crl.d) to see if that is 
the issue?

I appreciate your help very much.  Thanks,

Dave

Sent from my Mobile Device

> On Feb 20, 2017, at 9:32 PM, NIIBE Yutaka <gni...@fsij.org> wrote:
> 
> Hello,
> 
> David Gray <d...@davidegray.com> wrote:
>> At the same time, I'm curious as to why the Ubuntu installation is
>> validating the certificate as 'good' while the Windows installation is not -
>> is this just because the Ubuntu installation was able to successfully
>> validate the certificate in the past (presumably when a previous and
>> non-problematic CRL was published)?  If the CA publishes an updated CRL that
>> doesn't have issues, will my Windows installation be able to validate the
>> certificate at that point?
> 
> Please note that my knowledge of gpgsm and X.509 is pretty much limited.
> 
> Do you have .gnupg/trustlist.txt on Ubuntu machine?  It can be created
> when you answer dialog of gpgsm by pinentry interaction.
> -- 




Problems with cert validation via CRL

2017-02-20 Thread David Gray
Hello - new user here; this may be an obvious question but I haven't been
able to find the answer.  Ultimately, this may just highlight some of the
problems inherent in a hierarchical trust model.


I've got a free x.509 email certificate generated by Comodo.  


I've got Ubuntu 16.04 LTS running a clean install, with gpg and gpgsm 2.1.11
installed.  I imported my certificate into my keychain using gpgsm a day or
two ago, and everything is working as expected - the certificate is
successfully validated, and I'm able to encrypt files using the public key
of this certificate, and decrypt them using the private key.  


I've also got a Windows 10 machine - this computer had GPG4Win installed for
some time, but I've since uninstalled that, and removed all configuration
directories/files I could find.  I've installed GnuPG binary version 2.1.11,
and I've been able to successfully import my certificate into my keychain
this morning, and everything seems to work as expected - but the certificate
is not successfully validated under Windows.  As a result, I'm not able to
encrypt anything using the public key of this certificate.


I'm trying to figure out what is going on - it appears that there is problem
validating the CRL available at the DP listed in my certificate regardless
of whether I run the fetch-url from Ubuntu or Windows - both output files
are attached.  Does this suggest a problem with the CRL that the CA has
published, or do I have something I need to adjust in my configs somewhere?


At the same time, I'm curious as to why the Ubuntu installation is
validating the certificate as 'good' while the Windows installation is not -
is this just because the Ubuntu installation was able to successfully
validate the certificate in the past (presumably when a previous and
non-problematic CRL was published)?  If the CA publishes an updated CRL that
doesn't have issues, will my Windows installation be able to validate the
certificate at that point?


I've replaced all the email addresses in the attached files with
'u...@domain.com'.


I appreciate any assistance you might be able to provide.  Thank you,


Dave


dave@dave-VirtualBox:~/.gnupg/crls.d$ dirmngr --debug-all --fetch-crl 
http://crl.comodoca.com/COMODOSHA256ClientAuthenticationandSecureEmailCA.crl
dirmngr[3184.0]: Note: no default option file '/home/dave/.gnupg/dirmngr.conf'
dirmngr[3184.0]: enabled debug flags: x509 crypto memory cache memstat hashing 
ipc lookup
dirmngr[3184.0]: permanently loaded certificates: 0
dirmngr[3184.0]: runtime cached certificates: 0
dirmngr[3184.0]: RESP: 'HTTP/1.1 200 OK'
dirmngr[3184.0]: RESP: 'Date: Mon, 20 Feb 2017 13:32:34 GMT'
dirmngr[3184.0]: RESP: 'Content-Type: application/x-pkcs7-crl'
dirmngr[3184.0]: RESP: 'Connection: close'
dirmngr[3184.0]: RESP: 'Set-Cookie: 
__cfduid=dba16ddf7e3474878a3bb0d6b4d273e9f1487597554; expires=Tue, 20-Feb-18 
13:32:34 GMT; path=/; domain=.comodoca.com; HttpOnly'
dirmngr[3184.0]: RESP: 'Last-Modified: Sun, 19 Feb 2017 16:58:28 GMT'
dirmngr[3184.0]: RESP: 'ETag: W/"58a9ceb4-efab2"'
dirmngr[3184.0]: RESP: 'X-CCACDN-Mirror-ID: dwdccacrl10'
dirmngr[3184.0]: RESP: 'Cache-Control: public, max-age=14400'
dirmngr[3184.0]: RESP: 'CF-Cache-Status: HIT'
dirmngr[3184.0]: RESP: 'Expires: Mon, 20 Feb 2017 17:32:34 GMT'
dirmngr[3184.0]: RESP: 'Server: cloudflare-nginx'
dirmngr[3184.0]: RESP: 'CF-RAY: 334253495461246e-IAD'
dirmngr[3184.0]: RESP: ''
dirmngr[3184.0]: update times of this CRL: this=20170219T165828 
next=20170223T165828
dirmngr[3184.0]: locating CRL issuer certificate by authorityKeyIdentifier
dirmngr[3184.0]: DBG: find_cert_bysubject: certificate not in cache
dirmngr[3184.0]: DBG: get_cert_local_ski called w/o context
dirmngr[3184.0]: DBG: find_cert_bysubject: certificate not returned by caller - 
doing lookup
dirmngr[3184.0]: error fetching certificate by subject: Configuration error
dirmngr[3184.0]: CRL issuer certificate 
{92616B82E1A2A0AA4FEC67F1C2A3F7B48000C1EC} not found
dirmngr[3184.0]: crl_parse_insert failed: Missing certificate
dirmngr[3184.0]: processing CRL from 
'http://crl.comodoca.com/COMODOSHA256ClientAuthenticationandSecureEmailCA.crl' 
failed: Missing certificate

dave@dave-VirtualBox:~/.gnupg/crls.d$ gpgsm --debug-all --list-keys 
--with-validation
gpgsm: reading options from '/home/dave/.gnupg/gpgsm.conf'
gpgsm: enabled debug flags: x509 mpi crypto memory cache memstat hashing ipc
gpgsm: failed to open '/home/dave/.gnupg/policies.txt': No such file or 
directory
gpgsm: DBG: looking for parent certificate
gpgsm: DBG:   found via authid and keyid
gpgsm: DBG: got issuer's certificate:
gpgsm: DBG: BEGIN Certificate 'issuer':
gpgsm: DBG:  serial: 01
gpgsm: DBG:   notBefore: 2000-05-30 10:48:38
gpgsm: DBG:notAfter: 2020-05-30 10:48:38
gpgsm: DBG:  issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP 
Network,O=AddTrust AB,C=SE
gpgsm: DBG: subject: CN=AddTrust External CA Root,OU=AddTrust External TTP 
Network,O=AddTrust 

Re: Counterarguments Supporting GnuPG over Off The Record (OTR)

2017-01-19 Thread Jean-David Beyer
On 01/19/2017 04:06 AM, Stephan Beck wrote:
> 15-20 years from now, OpenPGP will have expired and be a case of study
> for computer historians.
> 

I agree. 20 years from now, we will all be using telepathy, and the
telephone and Internet will be redundant. Without electromagnetic
communication, and without paper communication, we will be unable to
encrypt anything. Will there be an equivalent to OpenPGP that works with
telepathy?


-- 
  .~.  Jean-David Beyer  Registered Linux User 85642.
  /V\  PGP-Key:166D840A 0C610C8B Registered Machine  1935521.
 /( )\ Shrewsbury, New Jersey    http://linuxcounter.net
 ^^-^^ 11:10:01 up 8 days, 19:55, 3 users, load average: 5.18, 4.96, 4.87



Re: Trust signature domain

2017-01-17 Thread David Shaw
On Jan 16, 2017, at 11:52 AM, John Lane <gn...@jelmail.com> wrote:
> 
> I'm trying to experiment with trust signatures but I can't work out how
> the 'domain' question is used ?
> 
> I think I understand what it is for, but I can't enter a value and get
> it to work.
> 
> I have a key A that has signed b...@example.com and c...@example.org
> 
> If I tsign A at level 2 with the domain blank then B and C are fully valid.
> 
> If I tsign A at level 2 with a domain of example.com then neither are
> valid. I expected B to be valid.
> 
> From what I've read, I think this value might be a regular expression
> and need to be entered in a certain way.

The value is a regular expression internally, but you don't need to enter it as 
one.   GnuPG automatically takes what you enter into the domain field and 
converts it to a regexp.  For example:

  example.com

becomes:

  <[^>]+[@.]example\.com>$

Can you post the actual user IDs of the keys you are testing with (or a similar 
example.com set) so I can try them as well?

David
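
The conversion David describes and the match behaviour that follows from it, as an added example (not David's code and not GnuPG's own); the user IDs are constructed stand-ins for the B and C keys of the question.

```python
import re

def tsign_domain_to_regex(domain: str) -> str:
    """Turn the 'domain' answered at the tsign prompt into the regular
    expression GnuPG stores in the trust signature, in the shape quoted
    in the post:  example.com  ->  <[^>]+[@.]example\\.com>$

    Regex metacharacters in the domain (the dot) are escaped, so the
    domain is typed literally, never as a regex."""
    return r"<[^>]+[@.]" + re.escape(domain) + r">$"

def uid_in_domain(user_id: str, domain: str) -> bool:
    """True when the stored regex matches the user ID. The regex needs an
    angle-bracketed address ending in the domain; the [@.] class admits
    the domain itself and its subdomains, but not a mere suffix match."""
    return re.search(tsign_domain_to_regex(domain), user_id) is not None

def valid_under_tsign(domain: str, signed_uids):
    """Split the user IDs certified by the tsigned key into those the
    domain-limited trust signature covers and those it leaves out."""
    covered = [u for u in signed_uids if uid_in_domain(u, domain)]
    excluded = [u for u in signed_uids if not uid_in_domain(u, domain)]
    return covered, excluded

# Constructed user IDs standing in for the keys signed by A.
SIGNED_BY_A = [
    "Bob <bob@example.com>",         # the case the post expected to be valid
    "Carol <carol@example.org>",     # other domain, stays invalid
    "Dave <dave@mail.example.com>",  # subdomain, admitted by [@.]
    "Eve <eve@notexample.com>",      # lookalike suffix, rejected by [@.]
    "bob@example.com",               # no angle brackets, so no match
]

if __name__ == "__main__":
    print(tsign_domain_to_regex("example.com"))
    covered, excluded = valid_under_tsign("example.com", SIGNED_BY_A)
    print("covered: ", covered)
    print("excluded:", excluded)
```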




Re: Gpg key lost in self update

2016-12-31 Thread David Niklas
On Thu, 29 Dec 2016 14:15:52 +
Christoffer Stjernlöf  wrote:

> do...@mail.com writes:
> > I used a config file (hand written), and concatenated several of it's
> > lines to form a super long strong passphrase for my key.  
> 
> There is no way to crack an arbitrary private key. However, since your
> passphrase is limited to the space of valid config files, the search
> space is massively limited. You could try generating several reasonable
> combinations of config options in this file format and see if one of
> them unlocks the key.
> 
Thanks



Re: What are those attachments you have on your email?

2016-11-25 Thread David Adamson
On Fri, Nov 25, 2016 at 9:33 AM, Stephan Beck <st...@mailbox.org> wrote:
> Sorry, David, for arriving a bit late to the party..., I had to answer
> Peter who had addressed several list mails in reply to mine yesterday
> and it took me a while.
> Yes, as Brian says, the verify command expects an .asc signature file
> and a message or a file signed with it as input. By
> using/fetching/retrieving the signer's key gpg verifies that this
> message/file really was signed by the one who claims to be the signer.
>
> Cheers
>
> Stephan
>

Stephan, so this is a result of you using a mail client that requires
the signature file, and if I used a similar mail client it could
automatically verify this email message was signed by the holder of
Stephan's private key?

However, is it the case, as Juan put it, that since I'm using another
type of mail service, in my case the gmail web based interface, this
signature will not be applicable?

Juan said:
"Otherwise, it
looks like a normal message (or empty if PGP/MIME encrypted) with a
signature.asc file (sometimes called differently) as an attachment."

Brian,
Thanks for the resource. I'll have to get used to
reading/understanding this type of material/subject matter.



Re: configure warnings and errors upon ./configure for Pinentry v0.9.7

2016-11-24 Thread David Adamson
I wasn't exactly methodical in my approach to resolve the issue but I
"think" what resolved my issue preventing me from generating keys was
following Stephan's suggestion of adding to .bashrc, which I had done
and was still getting the issue but tonight I added the lines to
.bashrc of root.

Or it could have been Peter's suggestion of rm trustdb.gpg.

Anyhow I have successfully generated pub and secret key.  I am getting
a gui pop up requesting I enter a passphrase when generating a key
which was not my initial goal but I'm glad to have something working
than nothing.

I have a feeling I'm not out of the woods quite yet but that's ok.  I
appreciate you guys helping me work through this gpg software.  I
still have lots of questions about what kind of questions I should
have but that will come.


David



Re: configure warnings and errors upon ./configure for Pinentry v0.9.7

2016-11-22 Thread David Adamson
On Mon, Nov 21, 2016 at 4:16 AM, Werner Koch  wrote:
>
>> configure: error: No pinentry enabled.
>
> You need to install the appropriate development package for the GUI
> platform.
>
>
> Salam-Shalom,
>
>Werner
>
> --
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

Werner was GTK+-2.0 a potential option for an appropriate development
package for the GUI platform?

After installing GTK+-2.0 I was successfully able to complete the
install of pinentry, However during the --gen-key process while
generating entropy I got the following errors:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: lookup_hashtable failed: Unknown system error
gpg: trustdb: searching trust record failed: Unknown system error
gpg: Error: The trustdb is corrupted.
gpg: You may try to re-create the trustdb using the commands:
gpg:   cd ~/.gnupg
gpg:   gpg --export-ownertrust > otrust.tmp
gpg:   rm trustdb.gpg
gpg:   gpg --import-ownertrust < otrust.tmp
gpg: If that does not work, please consult the manual


So with one issue solved now on to the next.  I'm sorry but this can't
be right. Anyone know why I am running into so many issues?



Re: configure warnings and errors upon ./configure for Pinentry v0.9.7

2016-11-22 Thread David Adamson
On Mon, Nov 21, 2016 at 8:15 PM, Stephan Beck  wrote:
> Ah, I forgot one thing: you have to add the following to your ~/.bashrc
> file:
> GPG_TTY=$(tty)
> export GPG_TTY
>
> Does it work now?
>
> HTH
>
> Stephan

Stephan I updated the .bashrc file in my home directory, still got the
same error, so I restarted the system but unfortunately the error
remains.

Thanks for the assistance.



Re: configure warnings and errors upon ./configure for Pinentry v0.9.7

2016-11-21 Thread David Adamson
On Mon, Nov 21, 2016 at 12:33 PM, Stephan Beck <st...@mailbox.org> wrote:
> Hi,
>
> David Adamson:
>
> If you only want to use the command line (i.e. text mode) and do not
> need a GUI, you'll probably need the pinentry-curses package. Install it
> by typing: sudo apt-get install pinentry-curses

Thanks for the tip. I just tried your suggestion, installed
pinentry-curses, which installed without error but I am getting the
same error when trying generate keys, just as before.


> There's one thing I don't really understand:
> In your first mail you talked about your laptop with Debian Jessie, and
> that it has gnupg 1.4.18 pre-installed. I think the whole info should
> be: Debian Jessie (standard install) has gnupg 1.4.18 AND gnupg 2.0.26
> pre-installed. Or how would you be able to issue a command gpg2 at all?
> Or do you have a text-mode only pre-installed Debian Jessie with both
> gnupg versions?

You're right there's some information I accidentally left out. I have
a standard debian 8 jessie install which included gnupg v 1.4.18. I
then downloaded and installed from gnupg.org the source code for
version GnuPG modern 2.1.16 and needed libraries. With that said you
can pick up with the opening line of this thread. I hope I didn't
leave anything out this time.

I'm really starting to feel I missed a step along the way and messed
up the install.  I suppose I could do a fresh install of the OS and
just use the 1.4.18 version; otherwise I'm not aware of what to do
differently on my second attempt. I feel as though I followed the
instructions. It's probably some basic Linux config that I'm too new to
know about, LOL.

Thanks.



Re: configure warnings and errors upon ./configure for Pinentry v0.9.7

2016-11-21 Thread David Adamson
On Mon, Nov 21, 2016 at 4:16 AM, Werner Koch  wrote:

>> configure: error: No pinentry enabled.
>
> You need to install the appropriate development package for the GUI
> platform.

I looked for a GUI platform but had no idea what it's called, where to
find it, and why I need a GUI if I plan on using a purely command line
interface.

Would it be:
"GPA is a graphical frontend to GnuPG"

Thanks for your help!



Re: configure warnings and errors upon ./configure for Pinentry v0.9.7

2016-11-20 Thread David Adamson
Thanks Krzysztof. I did apt-get install pinentry-qt4 although it was
an older (0.8.3-2) version than what is on gnupg.org. It installed
without any errors but when I run gpg2 --gen-key I'm still getting:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: agent_genkey failed: No pinentry
Key generation failed: No pinentry

There is no delay in the error - it occurs at the same time the text
above is displayed.



configure warnings and errors upon ./configure for Pinentry v0.9.7

2016-11-19 Thread David Adamson
Hello,

I'm running a debian Jessie v8 kernel release 3.16.0-4-amd64 on my
personal laptop. It came pre-installed with GnuPG 1.4.18.

I went to generate keys for myself by typing:
gpg2 --gen-key

But then during the process got this error:
gpg: agent_genkey failed: No pinentry
Key generation failed: No pinentry

So I assumed I needed to install Pinentry and downloaded it from gnupg.org.
I tried running ./configure as root and towards the end I got the
following warnings and errors. I'm not sure how many issues I'm
dealing with here or how to fix them.

checking for gpg-error-config... /usr/local/bin/gpg-error-config
checking for GPG Error - version >= 1.16... yes (1.25)
configure: WARNING:
***
*** The config script /usr/local/bin/gpg-error-config was
*** built for x86_64-pc-linux-gnu and thus may not match the
*** used host x86_64-unknown-linux-gnu.
*** You may want to use the configure option --with-gpg-error-prefix
*** to specify a matching config script or use $SYSROOT.
***
checking for libassuan-config... /usr/local/bin/libassuan-config
checking for LIBASSUAN - version >= 2.1.0... yes (2.4.3)
checking LIBASSUAN API version... okay
configure: WARNING:
***
*** The config script /usr/local/bin/libassuan-config was
*** built for x86_64-pc-linux-gnu and thus may not match the
*** used host x86_64-unknown-linux-gnu.
*** You may want to use the configure option --with-libassuan-prefix
*** to specify a matching config script or use $SYSROOT.
***
checking for byte typedef... no
checking for ulong typedef... yes
checking for setcap... /sbin/setcap
checking for cap_set_proc in -lcap... no
checking for pkg-config... no
checking for ncursesw... checking for ncurses... checking for initscr
in -lncursesw... no
checking for initscr in -lncurses... no
checking for tgetent in -lcurses... no
checking for tgetent in -ltermcap... no
checking for tgetent in -ltermlib... no
checking for initscr in -lcurses... no
checking if Unix domain socket is supported... yes
checking for pkg-config... no
checking for pkg-config... (cached) no
checking for Qt5Core >= 5.0.0 Qt5Gui >= 5.0.0 Qt5Widgets >= 5.0.0...
./configure: line 9744: no: command not found
./configure: line 9752: no: command not found
no
./configure: line 9770: no: command not found
checking for QtCore >= 4.4.0 QtGui >= 4.4.0... ./configure: line
10123: no: command not found
./configure: line 10131: no: command not found
no
configure: error: No pinentry enabled.

I appreciate any help, thanks.



Re: gpg2 --version gpg: Fatal: libgcrypt is too old (need 1.7.0, have 1.6.3)

2016-11-19 Thread David Adamson
Running ldconfig as root resolved the issue I was having! Now when I
type gpg2 --version in a new shell it reports the following:

gpg (GnuPG) 2.1.15
libgcrypt 1.7.3

Thanks for the help.



Re: gpg2 --version gpg: Fatal: libgcrypt is too old (need 1.7.0, have 1.6.3)

2016-11-19 Thread David Adamson
That worked thank you but only for that session and I read that it's
generally not good practice to make that path permanent.

Are you proposing I do this every time I wish to use gpg2?
Is this behavior expected in a successful installation or what did I
do wrong and can I fix it?

Thanks again.

P.S. I am prepared to do fresh install of OS if that would be smart.



gpg2 --version gpg: Fatal: libgcrypt is too old (need 1.7.0, have 1.6.3)

2016-11-18 Thread David Adamson
Hello,

I'm running a debian Jessie v8 kernel release 3.16.0-4-amd64 on my
personal laptop. It came pre-installed with GnuPG 1.4.18.

Rightly or not I thought having the latest version was a good idea for
no other reason than wanting to have the latest and greatest. So from
gnupg.org download page I downloaded and installed Gnupg Modern 2.1.15
along with the required libraries: nPth v1.2, Libgpg-error v1.25,
Libgcrypt v1.7.3, Libksba v1.3.5 and Libassuan v2.4.3. Integrity
checked them all.

After installation completed I ran gpg --version from the command line
and was presented with:
gpg (GnuPG) 1.4.18
but then saw reference online somewhere to gpg2 and figured that I
should be checking the version to that and so I ran gpg2 --version and
was presented with:
gpg: Fatal: libgcrypt is too old (need 1.7.0, have 1.6.3).

I would like to have either version at this point that works. I don't
like the idea of having misconfigured or improperly installed software
trashing up my system. If you can help me clean up my system and have
either version operational, I'd appreciate it.

I intend to use Gnupg just to encrypt and sign text and files.

Thanks in advance!



Need Help decrypt HTML E-mail using OutlookPrivacyPlugin

2016-08-23 Thread David J
Hi,

I've installed dejavusecurity/OutlookPrivacyPlugin to decrypt e-mails from
outlook.

It works well with encrypted text email but under features its says it can
decrypt HTML e-mail.

I'm collecting data from an online form and I want to send the email as a
form with the data filled in.

I encrypt the HTML form using gpg then send as an e-mail.

When the email arrives in Outlook it decrypts but displays at the top:

** Message decrypted. Message was unsigned.

then the HTML code.

Is there any specific way I need to prepare the HTML email then upon
decryption it appears as an HTML email ready for printing.

Any clue as to how I get this to work is welcome.

Thank-you in advance!

David j.





Re: File Encrypted with Primary key

2016-08-22 Thread David Shaw
On Aug 19, 2016, at 11:56 AM, Scott Linnebur <slinne...@redrobin.com> wrote:
> 
> I have an issue that I just cannot figure out.  What I’m trying to do is move 
> a file between two organizations using two different transports while 
> encrypting the file.  On one side they use ipswitch movit to encrypt the file 
> and post it to a sftp site.  Then from my end I use camel to pick up the 
> file, decrypt it and place it where it needs to go internally.  What I have 
> done is generate a key pair with GPG and have given the other company my 
> public key to encrypt with as well as imported the key rings into Camel.
>  
> Testing…
> They post the encrypted file and when my camel process pull is down I get the 
> error “exception creating cipher”.
> If I manually pull down the file I can decrypt it fine with GPG.
> If I encrypt a test file with my own public key and feed it to Camel it 
> decrypts fine.
>  
> This is where I think the problem is but I can’t figure out a way to prove 
> it.  When I generated the key pair with GPG, it created a primary and 
> secondary keys.  Primary has usage set to SC and secondary set to E.  When I 
> look at the file they sent me, it’s encrypted with the primary key.  That 
> file fails in the camel process but is successful in a manual GPG decryption 
> process.  When I encrypt a file with GPG it uses the secondary key and I can 
> decrypt it with Camel or manually with GPG.  I have a suspicion that is the 
> cause but I can’t test it.  I can’t find any way to force the primary key to 
> encrypt and I can’t figure out how to generate a key pair without secondary 
> keys in it.  Any ideas how to troubleshoot this?  The secondary party is not 
> helpful and they are using their standard process with moveit to encrypt it 
> and aren’t likely to change that, especially if I can’t prove that’s what’s 
> wrong.

I have seen this before - basically the Moveit code is using a buggy/older 
OpenPGP engine that does the wrong thing and ignores key flags.  Your key has 
an RSA primary key, and their engine sees that and concludes that since it's 
RSA, it can encrypt to it.  GPG properly respects key flags so uses the subkey.

There is only one fix for this, but two workarounds:

1 (the true fix): Get Moveit to fix their OpenPGP engine.  That's likely not an 
easy task since Moveit most likely purchased it from an upstream vendor (I'm 
going to guess Symantec - I have a vague recollection the previous time I saw 
this was with the Symantec code), so the actual fix would need to be from the 
upstream vendor, then Moveit would have to integrate it, and then whoever 
you're communicating with would have to update Moveit.  Given that this problem 
still exists in 2016, I'm going to guess that a fix here is not going to happen 
any time soon!

2 (workaround A): You can generate a key that explicitly permits encrypting to 
the primary key.  Then both GPG and Moveit will encrypt to the primary and 
everyone can interoperate.  This is not ideal as it is best practice to split 
the signing and encryption capabilities, but should solve your immediate 
problem.

3 (workaround B): Don't use an RSA primary key.  Instead of generating a RSA 
primary key with an RSA subkey, generate a DSA primary key with an Elgamal 
subkey (or for that matter, an RSA subkey - what matters here is the primary is 
DSA).  This pretty much forces the Moveit code to encrypt to the subkey since 
there is no way to encrypt to a DSA primary key (it's a signature-only 
algorithm).

My advice would be to try workaround B first.  If they're using the same engine 
that I saw before, it was smart enough to handle that case and would properly 
use the subkey.

David
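
A model of the two selection rules David describes (key flags respected versus ignored) applied to the three key layouts in his reply, as an added example that is neither GnuPG's nor Moveit's code; the flag-ignoring engine is a reconstruction of the behaviour described, and the key IDs are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional

# OpenPGP key-flag bits (RFC 4880, section 5.2.3.21). The letters are the
# usage column of gpg --list-keys, i.e. the [SC] and [E] in the post.
FLAG_CERTIFY = 0x01          # C
FLAG_SIGN = 0x02             # S
FLAG_ENCRYPT = 0x04 | 0x08   # E (encrypt communications / storage)

# Algorithms that can encrypt at all. DSA is signature-only, which is
# exactly what workaround B relies on.
ENCRYPTION_CAPABLE = {"RSA", "ELG"}

@dataclass(frozen=True)
class Key:
    keyid: str   # constructed label, not a real key ID
    algo: str    # "RSA", "DSA" or "ELG"
    flags: int

def select_encryption_key(keys: List[Key], respect_flags: bool = True) -> Optional[Key]:
    """Pick the key a message would be encrypted to.

    respect_flags=True models GnuPG: only a key whose key flags permit
    encryption is eligible. respect_flags=False models the engine from
    the post (hypothetical reconstruction): any key whose algorithm can
    encrypt is eligible and the flags are ignored. Keys are tried in
    keyring order, primary first; GnuPG's preference among several
    eligible keys (newest subkey) is not modelled."""
    for k in keys:
        if k.algo not in ENCRYPTION_CAPABLE:
            continue
        if respect_flags and not (k.flags & FLAG_ENCRYPT):
            continue
        return k
    return None

def engines_agree(keys: List[Key]) -> bool:
    """True when both engines encrypt to the same key, so a receiver that
    expects the flagged encryption key finds the packet addressed to it."""
    strict = select_encryption_key(keys, respect_flags=True)
    sloppy = select_encryption_key(keys, respect_flags=False)
    return strict is not None and strict == sloppy

# The three layouts from the post.
DEFAULT_KEYRING = [   # gpg default: RSA primary [SC] + RSA subkey [E]
    Key("PRIMARY-RSA", "RSA", FLAG_CERTIFY | FLAG_SIGN),
    Key("SUBKEY-RSA", "RSA", FLAG_ENCRYPT),
]
WORKAROUND_A = [      # primary explicitly allowed to encrypt, no subkey
    Key("PRIMARY-RSA-SCE", "RSA", FLAG_CERTIFY | FLAG_SIGN | FLAG_ENCRYPT),
]
WORKAROUND_B = [      # DSA primary [SC] + Elgamal subkey [E]
    Key("PRIMARY-DSA", "DSA", FLAG_CERTIFY | FLAG_SIGN),
    Key("SUBKEY-ELG", "ELG", FLAG_ENCRYPT),
]

if __name__ == "__main__":
    for name, ring in (("default", DEFAULT_KEYRING),
                       ("workaround A", WORKAROUND_A),
                       ("workaround B", WORKAROUND_B)):
        gnupg = select_encryption_key(ring).keyid
        buggy = select_encryption_key(ring, respect_flags=False).keyid
        print(f"{name:13s} gnupg->{gnupg:16s} flag-ignoring->{buggy:16s} "
              f"agree={engines_agree(ring)}")
```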




Re: gpg-preset-passphrase not working with 2.1

2016-07-18 Thread David Matthews
On 14 July 2016 at 07:29, David Matthews <davidmatthew...@gmail.com> wrote:
> On 13 July 2016 at 13:13, Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:
>> Hi David--
>>
>> On Tue 2016-07-12 16:46:53 +0200, David Matthews wrote:
>>> I can't get gpg-preset-passphrase to work with GnuPG 2.1.7.
>>
>> there have been significant changes to GnuPG between 2.1.7 and 2.1.13.
>>
>> can you try upgrading to 2.1.13?
>
> I've compiled 2.1.13 on Fedora 23 and get the same result (test output below).
>
> According to issue 2015 this was caused by a change that went into
> release 2.1.5.

Could someone with the necessary permissions please add a comment to
https://bugs.gnupg.org/gnupg/issue2015 to indicate that this bug still exists at
2.1.13 and also update the title? I only have permission to create a new bug
and I don't want to create a duplicate.

Thanks,
David



Re: gpg-preset-passphrase not working with 2.1

2016-07-14 Thread David Matthews
On 13 July 2016 at 13:13, Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:
> Hi David--
>
> On Tue 2016-07-12 16:46:53 +0200, David Matthews wrote:
>> I can't get gpg-preset-passphrase to work with GnuPG 2.1.7.
>
> there have been significant changes to GnuPG between 2.1.7 and 2.1.13.
>
> can you try upgrading to 2.1.13?

I've compiled 2.1.13 on Fedora 23 and get the same result (test output below).

According to issue 2015 this was caused by a change that went into
release 2.1.5.

Thanks,
David

++ gpg-agent -vv --daemon --allow-preset-passphrase --debug-level 9
gpg-agent[12163]: enabled debug flags: command mpi crypto memory cache
memstat ipc
gpg-agent[12163]: listening on socket '/run/user/1000/gnupg/S.gpg-agent'
gpg-agent[12164]: gpg-agent (GnuPG) 2.1.13 started
+ eval ''
+ /usr/local/libexec/gpg-preset-passphrase -vv --preset -P test myid
gpg-agent[12164]: handler 0x7fc9c028a700 for fd 4 started
gpg-agent[12164]: DBG: chan_4 -> OK Pleased to meet you, process 12165
gpg-agent[12164]: DBG: chan_4 <- OPTION ttyname=/dev/pts/0
gpg-agent[12164]: DBG: chan_4 -> OK
gpg-agent[12164]: DBG: chan_4 <- OPTION ttytype=xterm
gpg-agent[12164]: DBG: chan_4 -> OK
gpg-agent[12164]: DBG: chan_4 <- OPTION lc-ctype=en_US.UTF-8
gpg-agent[12164]: DBG: chan_4 -> OK
gpg-agent[12164]: DBG: chan_4 <- OPTION lc-messages=en_US.UTF-8
gpg-agent[12164]: DBG: chan_4 -> OK
gpg-agent[12164]: DBG: chan_4 <- PRESET_PASSPHRASE myid -1 74657374
gpg-agent[12164]: DBG: agent_put_cache 'myid' (mode 1) requested ttl=-1
gpg-agent[12164]: DBG: chan_4 -> S PROGRESS need_entropy X 60 120
gpg-agent[12164]: DBG: chan_4 -> S PROGRESS need_entropy X 120 120
 Removed lots of repeated lines 
gpg-agent[12164]: DBG: chan_4 -> S PROGRESS need_entropy X 60 120
gpg-agent[12164]: DBG: chan_4 -> S PROGRESS need_entropy X 120 120
gpg-agent[12164]: DBG: chan_4 -> OK
gpg-agent[12164]: DBG: chan_4 <- [eof]
gpg-agent[12164]: handler 0x7fc9c028a700 for fd 4 terminated
+ echo 'GET_PASSPHRASE --no-ask myid Err Pmt Des'
+ gpg-connect-agent -vv
gpg-agent[12164]: handler 0x7fc9c028a700 for fd 4 started
gpg-agent[12164]: DBG: chan_4 -> OK Pleased to meet you, process 12168
gpg-agent[12164]: DBG: chan_4 <- RESET
gpg-agent[12164]: DBG: chan_4 -> OK
gpg-agent[12164]: DBG: chan_4 <- OPTION ttytype=xterm
gpg-agent[12164]: DBG: chan_4 -> OK
gpg-agent[12164]: DBG: chan_4 <- GET_PASSPHRASE --no-ask myid Err Pmt Des
gpg-agent[12164]: DBG: agent_get_cache 'myid' (mode 3) ...
gpg-agent[12164]: DBG: ... miss
gpg-agent[12164]: command 'GET_PASSPHRASE' failed: No data
gpg-agent[12164]: DBG: chan_4 -> ERR 67108922 No data 
gpg-connect-agent: closing connection to agent
ERR 67108922 No data 
gpg-agent[12164]: DBG: chan_4 <- [eof]
gpg-agent[12164]: handler 0x7fc9c028a700 for fd 4 terminated



gpg-preset-passphrase not working with 2.1

2016-07-13 Thread David Matthews
I can't get gpg-preset-passphrase to work with GnuPG 2.1.7. The
command appears to work successfully but the passphrase is not found by
GET_PASSPHRASE. I've included details of my simple test below plus the
output from running it on Centos 7.2 (where it works using 2.0.22) and
Fedora 23 (where it fails using 2.1.7).

Searching through the issue tracker I found
https://bugs.gnupg.org/gnupg/issue2015. The title of this issue is
"GET_PASSPHRASE with --no-ask always return error in gnupg 2.1.5" but,
based on the discussion in the issue, I think the title is now wrong
and should really be "gpg-preset-passphrase does not work". Have I
understood that correctly? If so I assume I will see the same issue
with the latest release?

Any advice much appreciated.

Thanks

## Test script

#!/bin/bash
set -x
eval "$(gpg-agent -vv --daemon --allow-preset-passphrase --debug-level 9)"
/usr/libexec/gpg-preset-passphrase -vv --preset -P test myid
echo "GET_PASSPHRASE --no-ask myid Err Pmt Des" | gpg-connect-agent -vv

## Centos 7.2 output

++ gpg-agent -vv --daemon --allow-preset-passphrase --debug-level 9
gpg-agent[3239]: enabled debug flags: command mpi crypto memory cache
memstat assuan
gpg-agent[3239]: listening on socket `/home/vagrant/.gnupg/S.gpg-agent'
gpg-agent[3240]: gpg-agent (GnuPG) 2.0.22 started
+ eval 'GPG_AGENT_INFO=/home/vagrant/.gnupg/S.gpg-agent:3240:1; export
GPG_AGENT_INFO;'
++ GPG_AGENT_INFO=/home/vagrant/.gnupg/S.gpg-agent:3240:1
++ export GPG_AGENT_INFO
+ /usr/libexec/gpg-preset-passphrase -vv --preset -P test myid
gpg-agent[3240]: handler 0xcfcb70 for fd 7 started
gpg-agent[3240]: chan_7 -> OK Pleased to meet you, process 3241
gpg-agent[3240]: chan_7 <- OPTION display=localhost:10.0
gpg-agent[3240]: chan_7 -> OK
gpg-agent[3240]: chan_7 <- OPTION ttyname=/dev/pts/1
gpg-agent[3240]: chan_7 -> OK
gpg-agent[3240]: chan_7 <- OPTION ttytype=dumb
gpg-agent[3240]: chan_7 -> OK
gpg-agent[3240]: chan_7 <- OPTION lc-ctype=en_US.UTF-8
gpg-agent[3240]: chan_7 -> OK
gpg-agent[3240]: chan_7 <- OPTION lc-messages=en_US.UTF-8
gpg-agent[3240]: chan_7 -> OK
gpg-agent[3240]: chan_7 <- PRESET_PASSPHRASE myid -1 74657374
gpg-agent[3240]: DBG: agent_put_cache `myid' requested ttl=-1 mode=1
gpg-agent[3240]: chan_7 -> OK
gpg-agent[3240]: chan_7 <- [eof]
gpg-agent[3240]: handler 0xcfcb70 for fd 7 terminated
+ echo 'GET_PASSPHRASE --no-ask myid Err Pmt Des'
+ gpg-connect-agent -vv
gpg-agent[3240]: handler 0xcfe550 for fd 7 started
gpg-agent[3240]: chan_7 -> OK Pleased to meet you, process 3243
gpg-connect-agent: connection to agent established
gpg-agent[3240]: chan_7 <- RESET
gpg-agent[3240]: chan_7 -> OK
gpg-agent[3240]: chan_7 <- OPTION ttytype=dumb
gpg-agent[3240]: chan_7 -> OK
gpg-agent[3240]: chan_7 <- OPTION display=localhost:10.0
gpg-agent[3240]: chan_7 -> OK
gpg-agent[3240]: chan_7 <- GET_PASSPHRASE --no-ask myid Err Pmt Des
gpg-agent[3240]: DBG: agent_get_cache `myid'...
gpg-agent[3240]: DBG: ... hit
gpg-agent[3240]: chan_7 -> [[Confidential data not shown]]
OK 74657374
gpg-connect-agent: closing connection to agent

## Fedora 23 output

++ gpg-agent -vv --daemon --allow-preset-passphrase --debug-level 9
gpg-agent[1420]: enabled debug flags: command mpi crypto memory cache
memstat ipc
gpg-agent[1420]: listening on socket '/home/vagrant/.gnupg/S.gpg-agent'
gpg-agent[1421]: gpg-agent (GnuPG) 2.1.7 started
+ eval ''
+ /usr/libexec/gpg-preset-passphrase -vv --preset -P test myid
gpg-agent[1421]: handler 0x7f8092ffc700 for fd 4 started
gpg-agent[1421]: DBG: chan_4 -> OK Pleased to meet you, process 1422
gpg-agent[1421]: DBG: chan_4 <- OPTION ttyname=/dev/pts/1
gpg-agent[1421]: DBG: chan_4 -> OK
gpg-agent[1421]: DBG: chan_4 <- OPTION ttytype=dumb
gpg-agent[1421]: DBG: chan_4 -> OK
gpg-agent[1421]: DBG: chan_4 <- OPTION lc-ctype=en_US.UTF-8
gpg-agent[1421]: DBG: chan_4 -> OK
gpg-agent[1421]: DBG: chan_4 <- OPTION lc-messages=en_US.UTF-8
gpg-agent[1421]: DBG: chan_4 -> OK
gpg-agent[1421]: DBG: chan_4 <- PRESET_PASSPHRASE myid -1 74657374
gpg-agent[1421]: DBG: agent_put_cache 'myid' (mode 1) requested ttl=-1
gpg-agent[1421]: DBG: chan_4 -> OK
gpg-agent[1421]: DBG: chan_4 <- [eof]
gpg-agent[1421]: handler 0x7f8092ffc700 for fd 4 terminated
+ echo 'GET_PASSPHRASE --no-ask myid Err Pmt Des'
+ gpg-connect-agent -vv
gpg-agent[1421]: handler 0x7f8092ffc700 for fd 4 started
gpg-agent[1421]: DBG: chan_4 -> OK Pleased to meet you, process 1425
gpg-agent[1421]: DBG: chan_4 <- RESET
gpg-agent[1421]: DBG: chan_4 -> OK
gpg-agent[1421]: DBG: chan_4 <- OPTION ttytype=dumb
gpg-agent[1421]: DBG: chan_4 -> OK
gpg-agent[1421]: DBG: chan_4 <- OPTION putenv=INSIDE_EMACS=24.5.1,comint
gpg-agent[1421]: DBG: chan_4 -> OK
gpg-agent[1421]: DBG: chan_4 <- GET_PASSPHRASE --no-ask myid Err Pmt Des
gpg-agent[1421]: DBG: agent_get_cache 'myid' (mode 3) ...
gpg-agent[1421]: DBG: ... miss
gpg-agent[1421]: command 'GET_PASSPHRASE' failed: No data
gpg-agent[1421]: DBG: chan_4 -> ERR 67108922 No data 
ERR 67108922 No data 
gpg-connect-agent: closing connection to 
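The agent traces quoted above differ in one visible detail: on 2.0.22 the store is logged as `mode=1` and the lookup simply hits, while on 2.1.x the store is logged as `(mode 1)` and the lookup as `(mode 3)` and misses. The script below is an added example, not something from this post or from GnuPG: it parses a `--debug-level 9` trace in either wording, pairs each `GET_PASSPHRASE` lookup with the last `PRESET_PASSPHRASE` store for the same cache id, and reports the two cache modes and the hit/miss result so the mismatch can be seen at a glance instead of by reading the whole log. It also redacts the hex-encoded passphrase that `PRESET_PASSPHRASE` sends over the Assuan channel (the `74657374` above is simply "test"), because a level-9 trace should not be shared with that argument intact. The two sample traces are constructed from the quoted output.

```python
"""Correlate gpg-agent cache stores and lookups in a --debug-level 9 trace.

Added example, not from the thread or from GnuPG. Accepts both the 2.0
wording ("agent_put_cache `id' requested ttl=N mode=M", "agent_get_cache
`id'...") and the 2.1 wording ("agent_put_cache 'id' (mode M) requested
ttl=N", "agent_get_cache 'id' (mode M) ...") seen in the quoted output.
"""
import re
import sys

PUT_RE = re.compile(r"agent_put_cache [`'](?P<id>[^']+)'.*?mode[ =](?P<mode>\d+)")
TTL_RE = re.compile(r"ttl=(?P<ttl>-?\d+)")
GET_RE = re.compile(r"agent_get_cache [`'](?P<id>[^']+)'(?:.*?mode (?P<mode>\d+))?")
RESULT_RE = re.compile(r"\.\.\. (?P<result>hit|miss)\b")
# PRESET_PASSPHRASE <cache-id> <ttl> <hex-passphrase>: the last field is the secret.
PRESET_RE = re.compile(r"(PRESET_PASSPHRASE \S+ -?\d+ )[0-9A-Fa-f]+")

# Constructed from the GnuPG 2.1.7 output quoted in the post.
TRACE_GNUPG_2_1 = """\
gpg-agent[1421]: DBG: chan_4 <- PRESET_PASSPHRASE myid -1 74657374
gpg-agent[1421]: DBG: agent_put_cache 'myid' (mode 1) requested ttl=-1
gpg-agent[1421]: DBG: chan_4 -> OK
gpg-agent[1421]: DBG: chan_4 <- GET_PASSPHRASE --no-ask myid Err Pmt Des
gpg-agent[1421]: DBG: agent_get_cache 'myid' (mode 3) ...
gpg-agent[1421]: DBG: ... miss
gpg-agent[1421]: command 'GET_PASSPHRASE' failed: No data
"""

# Constructed from the GnuPG 2.0.22 output quoted in the post.
TRACE_GNUPG_2_0 = """\
gpg-agent[3240]: chan_7 <- PRESET_PASSPHRASE myid -1 74657374
gpg-agent[3240]: DBG: agent_put_cache `myid' requested ttl=-1 mode=1
gpg-agent[3240]: chan_7 -> OK
gpg-agent[3240]: chan_7 <- GET_PASSPHRASE --no-ask myid Err Pmt Des
gpg-agent[3240]: DBG: agent_get_cache `myid'...
gpg-agent[3240]: DBG: ... hit
"""


def redact_preset(line):
    """Replace the hex passphrase argument of PRESET_PASSPHRASE before a trace is stored or shared."""
    return PRESET_RE.sub(lambda m: m.group(1) + "<redacted-hex>", line)


def parse_agent_trace(text):
    """Extract put/get cache events; a '... hit/miss' line is attached to the preceding get."""
    events = []
    pending_get = None
    for line in text.splitlines():
        m = PUT_RE.search(line)
        if m:
            ttl = TTL_RE.search(line)
            events.append({"op": "put", "cache_id": m.group("id"), "mode": int(m.group("mode")),
                           "ttl": int(ttl.group("ttl")) if ttl else None})
            continue
        m = GET_RE.search(line)
        if m:
            pending_get = {"op": "get", "cache_id": m.group("id"),
                           "mode": int(m.group("mode")) if m.group("mode") else None,
                           "result": None}
            events.append(pending_get)
            continue
        m = RESULT_RE.search(line)
        if m and pending_get is not None:
            pending_get["result"] = m.group("result")
            pending_get = None
    return events


def correlate(events):
    """Pair every lookup with the most recent store for the same cache id and compare modes."""
    last_put = {}
    findings = []
    for ev in events:
        if ev["op"] == "put":
            last_put[ev["cache_id"]] = ev
            continue
        put = last_put.get(ev["cache_id"])
        findings.append({
            "cache_id": ev["cache_id"],
            "put_mode": put["mode"] if put else None,
            "put_ttl": put["ttl"] if put else None,
            "get_mode": ev["mode"],
            "result": ev["result"],
            # Only meaningful when both sides log a mode, as the 2.1 wording does.
            "mode_differs": put is not None and ev["mode"] is not None and put["mode"] != ev["mode"],
        })
    return findings


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else TRACE_GNUPG_2_1
    for finding in correlate(parse_agent_trace(text)):
        print(finding)
    for line in text.splitlines():
        print(redact_preset(line))
```

To run it against a real trace, execute the test script from the post with stderr captured (`bash test.sh 2>trace.log`, file names assumed) and feed the log on stdin. The script does not claim why the 2.1 lookup misses; it only makes the store and lookup modes the trace already contains visible side by side, which is the detail worth adding to the bug report.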

gpg-preset-passphrase not working with 2.1

2016-07-12 Thread David Matthews
I can't get gpg-preset-passphrase to work with GnuPG 2.1.7. The
command appears to work successfully but the passphrase is not found by
GET_PASSPHRASE. I've included details of my simple test below plus the
output from running it on Centos 7.2 (where it works using 2.0.22) and
Fedora 23 (where it fails using 2.1.7).

Searching through the issue tracker I found
https://bugs.gnupg.org/gnupg/issue2015. The title of this issue is
"GET_PASSPHRASE with --no-ask always return error in gnupg 2.1.5" but,
based on the discussion in the issue, I think the title should really be
"gpg-preset-passphrase does not work". Have I understood that correctly?
If so I assume I will see the same issue with the latest release?

Any advice much appreciated. My setup relies on using
gpg-preset-passphrase so I'll need to install 2.0 for the moment unless
I can get this working.

Thanks,
David

## Test script

#!/bin/bash
set -x
eval "$(gpg-agent -vv --daemon --allow-preset-passphrase --debug-level 9)"
/usr/libexec/gpg-preset-passphrase -vv --preset -P test myid
echo "GET_PASSPHRASE --no-ask myid Err Pmt Des" | gpg-connect-agent -vv

## Centos 7.2 output

++ gpg-agent -vv --daemon --allow-preset-passphrase --debug-level 9
gpg-agent[3239]: enabled debug flags: command mpi crypto memory cache
memstat assuan
gpg-agent[3239]: listening on socket `/home/vagrant/.gnupg/S.gpg-agent'
gpg-agent[3240]: gpg-agent (GnuPG) 2.0.22 started
+ eval 'GPG_AGENT_INFO=/home/vagrant/.gnupg/S.gpg-agent:3240:1; export
GPG_AGENT_INFO;'
++ GPG_AGENT_INFO=/home/vagrant/.gnupg/S.gpg-agent:3240:1
++ export GPG_AGENT_INFO
+ /usr/libexec/gpg-preset-passphrase -vv --preset -P test myid
gpg-agent[3240]: handler 0xcfcb70 for fd 7 started
gpg-agent[3240]: chan_7 -> OK Pleased to meet you, process 3241
gpg-agent[3240]: chan_7 <- OPTION display=localhost:10.0
gpg-agent[3240]: chan_7 -> OK
gpg-agent[3240]: chan_7 <- OPTION ttyname=/dev/pts/1
gpg-agent[3240]: chan_7 -> OK
gpg-agent[3240]: chan_7 <- OPTION ttytype=dumb
gpg-agent[3240]: chan_7 -> OK
gpg-agent[3240]: chan_7 <- OPTION lc-ctype=en_US.UTF-8
gpg-agent[3240]: chan_7 -> OK
gpg-agent[3240]: chan_7 <- OPTION lc-messages=en_US.UTF-8
gpg-agent[3240]: chan_7 -> OK
gpg-agent[3240]: chan_7 <- PRESET_PASSPHRASE myid -1 74657374
gpg-agent[3240]: DBG: agent_put_cache `myid' requested ttl=-1 mode=1
gpg-agent[3240]: chan_7 -> OK
gpg-agent[3240]: chan_7 <- [eof]
gpg-agent[3240]: handler 0xcfcb70 for fd 7 terminated
+ echo 'GET_PASSPHRASE --no-ask myid Err Pmt Des'
+ gpg-connect-agent -vv
gpg-agent[3240]: handler 0xcfe550 for fd 7 started
gpg-agent[3240]: chan_7 -> OK Pleased to meet you, process 3243
gpg-connect-agent: connection to agent established
gpg-agent[3240]: chan_7 <- RESET
gpg-agent[3240]: chan_7 -> OK
gpg-agent[3240]: chan_7 <- OPTION ttytype=dumb
gpg-agent[3240]: chan_7 -> OK
gpg-agent[3240]: chan_7 <- OPTION display=localhost:10.0
gpg-agent[3240]: chan_7 -> OK
gpg-agent[3240]: chan_7 <- GET_PASSPHRASE --no-ask myid Err Pmt Des
gpg-agent[3240]: DBG: agent_get_cache `myid'...
gpg-agent[3240]: DBG: ... hit
gpg-agent[3240]: chan_7 -> [[Confidential data not shown]]
OK 74657374
gpg-connect-agent: closing connection to agent

## Fedora 23 output

++ gpg-agent -vv --daemon --allow-preset-passphrase --debug-level 9
gpg-agent[1420]: enabled debug flags: command mpi crypto memory cache
memstat ipc
gpg-agent[1420]: listening on socket '/home/vagrant/.gnupg/S.gpg-agent'
gpg-agent[1421]: gpg-agent (GnuPG) 2.1.7 started
+ eval ''
+ /usr/libexec/gpg-preset-passphrase -vv --preset -P test myid
gpg-agent[1421]: handler 0x7f8092ffc700 for fd 4 started
gpg-agent[1421]: DBG: chan_4 -> OK Pleased to meet you, process 1422
gpg-agent[1421]: DBG: chan_4 <- OPTION ttyname=/dev/pts/1
gpg-agent[1421]: DBG: chan_4 -> OK
gpg-agent[1421]: DBG: chan_4 <- OPTION ttytype=dumb
gpg-agent[1421]: DBG: chan_4 -> OK
gpg-agent[1421]: DBG: chan_4 <- OPTION lc-ctype=en_US.UTF-8
gpg-agent[1421]: DBG: chan_4 -> OK
gpg-agent[1421]: DBG: chan_4 <- OPTION lc-messages=en_US.UTF-8
gpg-agent[1421]: DBG: chan_4 -> OK
gpg-agent[1421]: DBG: chan_4 <- PRESET_PASSPHRASE myid -1 74657374
gpg-agent[1421]: DBG: agent_put_cache 'myid' (mode 1) requested ttl=-1
gpg-agent[1421]: DBG: chan_4 -> OK
gpg-agent[1421]: DBG: chan_4 <- [eof]
gpg-agent[1421]: handler 0x7f8092ffc700 for fd 4 terminated
+ echo 'GET_PASSPHRASE --no-ask myid Err Pmt Des'
+ gpg-connect-agent -vv
gpg-agent[1421]: handler 0x7f8092ffc700 for fd 4 started
gpg-agent[1421]: DBG: chan_4 -> OK Pleased to meet you, process 1425
gpg-agent[1421]: DBG: chan_4 <- RESET
gpg-agent[1421]: DBG: chan_4 -> OK
gpg-agent[1421]: DBG: chan_4 <- OPTION ttytype=dumb
gpg-agent[1421]: DBG: chan_4 -> OK
gpg-agent[1421]: DBG: chan_4 <- OPTION putenv=INSIDE_EMACS=24.5.1,comint
gpg-agent[1421]: DBG: chan_4 -> OK
gpg-agent[1421]: DBG: chan_4 <- GET_PASSPHRASE --no-as
