Re: Second OpenPGP-card
Hi,

On Fri, 9 Feb 2024 at 15:36, Matthias Apitz wrote:
> Next question: Can I transfer somehow the key from one card to the
> other to use the same encrypted files foo.gpg from my password store:
>
> purism@pureos:~$ find .password-store/ -type f | wc -l
> 373

Well, pass has its mechanism itself. Just reinit your store with both
keys and it should reencrypt them. I did that in the past with subdirs
(where you can have different keys).

Regards
Klaus
--
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C

signature.asc
Description: PGP signature

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Card-Reader
Hi,

I destroyed my card reader from gemalto and need a new one. (The card,
luckily, survived.) Is there any way to order them anymore? I found many
ways to download a reader but no shop where to buy them. Preferred in
Switzerland. They should be able to read SIM card size GnuPG-Cards and
be optimally robust to carry them in the pocket.

Regards
Klaus
Re: use text pinentry in the console
On Tue, 22 Feb 2022 at 17:28, Fourhundred Thecat via Gnupg-users wrote:
> the GUI pinentry dialog pops up to ask for password (I guess it's
> pinentry-gtk-2)
>
> How can I configure so that the ncurses (text based) dialog is used
> instead?

You should be able to call it this way:

    env -u DISPLAY gpg -c foo

Regards
Klaus
Re: Preventing public key upload to key-servers
On Mon, 31 Jan 2022 at 22:39, jonkomer via Gnupg-users wrote:
> But the reason for my original post was not to find
> better ways of communication mechanics while the
> relationship exists, it was specific and quite narrow:
> how can both sides do all they reasonably can in order
> to avoid making it public knowledge that the
> relationship existed *after it has been dissolved*.
>
> There is significant difference between a one-time
> "third-party" correspondent misusing his knowledge of
> the relationship after it has been dissolved, from
> that same knowledge being published in perpetuity via
> a simple, automated Internet query. Specifically,
> the question was if there is any mitigation against
> the action of an uninformed (or, perhaps by a stretch,
> malicious?) correspondent adding signatures and
> uploading the key to the network of synchronizing
> pubkey servers.

Well, there is none. Well, there is no technology that can ever prevent
that human error/fault. What you want is simply not possible.

Even if there is technology to prevent the upload to a key server,
someone could just publish your key via twitter, or put it into the
bitcoin keychain or via any other way you might imagine. And even if he
is not in possession of the original key, he can create an own key
(setting the date to somewhen in the past) with your mail address and
publish it. Or what does prevent others from creating a facebook
account in your name? You would have pretty much trouble to get that
facebook account removed again.

The problem you described is a human problem, not a technical one.

GDPR cannot prevent leaks. And when it is leaked, there is no law that
could remove the data again. You can remove it from one platform but
the ghost is out of the bottle. GDPR is, as I already told, just a
nearly lame duck that just ignores how technology and the internet
work.

Regards
Klaus
Re: First Amendment and Marines?
Hi,

On Sat, 29 Jan 2022 at 17:38, jonkomer via Gnupg-users wrote:
> (a) Unfortunately, OpenPGP email encryption is incompatible
> with GDPR and should not be used by those that either want
> or need to be GDPR compliant.

That is, simply to say, nonsense. There is nothing in that GDPR law
that is OpenPGP related. (Independent of that, the GDPR is stupidly
made.)

When it comes to keyservers, with the same argument you could state
that bitcoin is illegal. (No information in the key chain can be
removed. And there is even child porn inside that key chain that could
never ever again be removed!) There are more technologies out there
where information, once in, could never be removed again.

Regards
Klaus

Ps. By the way, I am neither a maintainer nor the creator of GnuPG or
the OpenPGP standard.
Re: Levels of validation
Hi Christoph,

On Sun, 2 Jan 2022 at 14:39, Christoph Klassen via Gnupg-users wrote:
> in the GNU Privacy Handbook there are mentioned two levels of trust and
> validation: marginal and full
> (https://www.gnupg.org/gph/en/manual.html#AEN335). Is this information still
> correct?

Yes. But it depends on your trust-model setting (see man page).

> Because, when I edit the trust of a key, I can select both of these
> options, but can also decide to trust a key ultimately. That's why I was
> wondering, if there are still only the two levels and if the conditions for
> a valid key are still the same.

The trust "ultimate" should only be set on your very own keys! You
never use that setting for anything else.

The trust "full" is for keys that are fully trusted, either by you
having signed it with an ultimately trusted key or, depending on the
trust model, by being signed by multiple other trusted keys or by
TOFU...

The trust "marginal" is for keys that got not enough trust to be fully
trusted.

Regards
Klaus
Re: gpg-agent and X
On Fri, 27 Aug 2021 at 14:12, Jerry Seibert wrote:
> On Thu, 26 Aug 2021 16:23:16 +0100, Klaus Ethgen stated:
> >Unfortunately, the gtk3 version of pinentry has some toxic dependencies
> >that I never want to have.
>
> Would you be so kind as to list, and possibly explain, those toxic
> dependencies?

I just tested it right away, and there is no gtk3 build anymore in
pinentry, it is only the gnome3 pinentry that can be built. And at
least on gentoo, the pinentry-gnome3 is not working with X anymore.

Regards
Klaus
Re: gpg-agent and X
On Fri, 27 Aug 2021 at 14:12, Jerry Seibert wrote:
> On Thu, 26 Aug 2021 16:23:16 +0100, Klaus Ethgen stated:
> >Unfortunately, the gtk3 version of pinentry has some toxic dependencies
> >that I never want to have.
>
> Would you be so kind as to list, and possibly explain, those toxic
> dependencies?

At least some time ago, there was a dependency on the full gnome world
including gnome-keyring and systemd. I did not test it anymore since
then.

Regards
Klaus
Re: gpg-agent and X
Hi,

I have an update for this issue. It seems that I have the problem all
the time I use the QT pinentry. The gtk2 pinentry seems to be fine and
with the switch to the QT one, the problem appears. Now I have the
problem on debian and gentoo.

Even more, a `gpg-connect-agent updatestartuptty /bye` over an ssh
connection does not work with pinentry-qt.

Unfortunately, the gtk3 version of pinentry has some toxic dependencies
that I never want to have.

Regards
Klaus
decrypt mail archive
Hi,

I am experimenting with imapfilter to decrypt old mail archives but
keeping signatures. The reason is that I already lost access to old
mails that were encrypted to a key which is only on a, now broken, GPG
card. As the relevant mailserver is mine and the file system is
encrypted, I can accept having those mails unencrypted in storage.

I have the following approach at the moment:

    -- `result` is an imapfilter message set; pipe_single is a helper that
    -- pipes data through a command and returns (exit status, output)
    for _, msg in ipairs(result) do
      mbox, uid = unpack(msg)
      header = mbox[uid]:fetch_header()
      body   = mbox[uid]:fetch_body()
      flags  = mbox[uid]:fetch_flags()
      date   = mbox[uid]:fetch_date()
      if (body:match("BEGIN PGP MESSAGE")) then
        -- cut the armored block out of the body
        obody = body:match('(%-%-%-%-%-BEGIN PGP MESSAGE%-%-%-%-%-.*%-%-%-%-%-END PGP MESSAGE%-%-%-%-%-\r\n)')
        -- strip only the encryption layer, keeping the inner signature packets
        state, nbody = pipe_single(obody, "gpg", "--decrypt", "--unwrap")
        if (state ~= 0) then
          print("Error "..state)
          break
        end
        -- re-armor the binary output
        state, nbody = pipe_single(nbody, "gpg", "--enarmor")
        if (state ~= 0) then
          print("Error "..state)
          break
        end
        nbody = nbody:gsub('ARMORED FILE', 'MESSAGE')
        -- replace the encrypted block with the unwrapped one; the function form
        -- keeps gsub from interpreting '%' sequences in the armor as captures
        body = body:gsub('(%-%-%-%-%-BEGIN PGP MESSAGE%-%-%-%-%-.*%-%-%-%-%-END PGP MESSAGE%-%-%-%-%-\r\n)',
                         function() return nbody end)
        message = header .. body
        --print(message)
        privat['sent-mail']:append_message(message, flags, date)
      end
    end

But that does not work in mutt as the signed mail must be in separate
mime parts for text and for signature. But `gpg --unwrap` generates a
PGP binary file with just the encryption removed.

Thunderbird works just fine but mutt doesn't.

Does anybody have any idea how to convert the binary package back to a
detached signature and eventually how to build mime parts around it in
lua?

Regards
Klaus
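As an added example (not from the post above and not imapfilter code), here is what the MIME layout mutt expects for a signed mail looks like when built in Python: the text body becomes the first part, the detached ASCII-armored signature the second, inside a multipart/signed container with protocol="application/pgp-signature" (RFC 3156). The signature in SAMPLE_SIGNATURE is a constructed placeholder standing in for real gpg output; signed_part_bytes() returns the exact octets a real detached signature would have to cover, and describe_structure() parses the result back to check the part layout.

```python
"""Build an RFC 3156 multipart/signed (PGP/MIME) message from a text body and a
detached ASCII-armored signature.  Added example; the signature is a
constructed placeholder, not real gpg output."""
from email import encoders, message_from_bytes, policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed placeholder: a real signature would come from
# `gpg --detach-sign --armor` over signed_part_bytes(text_part).
SAMPLE_SIGNATURE = (
    "-----BEGIN PGP SIGNATURE-----\n\n"
    "Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXI=\n"
    "-----END PGP SIGNATURE-----\n"
)


def signed_part_bytes(text_part):
    """Octets the detached signature must cover: the first MIME part, its
    headers included, canonicalised to CRLF line endings (RFC 3156 section 5)."""
    return text_part.as_bytes(policy=policy.SMTP)


def build_pgp_mime_signed(headers, body_text, armored_sig, micalg="pgp-sha256"):
    """Assemble multipart/signed: [text/plain, application/pgp-signature]."""
    # Plain ASCII stays 7bit so the signed part is readable; otherwise UTF-8.
    charset = "us-ascii" if body_text.isascii() else "utf-8"
    text_part = MIMEText(body_text, "plain", charset)

    # The armor is already 7-bit clean; do not base64 it.
    sig_part = MIMEApplication(armored_sig, "pgp-signature",
                               _encoder=encoders.encode_7or8bit,
                               name="signature.asc")
    sig_part.add_header("Content-Description", "OpenPGP digital signature")

    outer = MIMEMultipart("signed", protocol="application/pgp-signature",
                          micalg=micalg)
    for name, value in headers.items():
        outer[name] = value
    outer.attach(text_part)   # part 1: what was signed
    outer.attach(sig_part)    # part 2: the signature over part 1
    return outer


def describe_structure(raw):
    """Parse a serialized message and list container and part content types."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [msg.get_content_type()] + [p.get_content_type() for p in msg.iter_parts()]


def demo():
    """Build a sample message with constructed headers and body."""
    return build_pgp_mime_signed(
        {"From": "alice@example.org", "To": "bob@example.net", "Subject": "test"},
        "Hello Bob,\n",
        SAMPLE_SIGNATURE,
    )


if __name__ == "__main__":
    print(demo().as_string())
```

A client that checks the signature will hash exactly the bytes signed_part_bytes() returns, so the text part must not be re-encoded or re-wrapped after signing.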
Re: Anyone know of a gpg-encrypted secrets sharing software that allows a client to hold different "bases/repositories" of secrets?
Hi Christian,

On Sat, 12 Jun 2021 at 15:13, Christian Chavez wrote:
> (If you - or anyone else - have got any tips/suggestions, I'm all ears)!

Was something like `cd $HOME/.password-store && git add -u && git
commit -m "autocommit"`. I do not still have the cron. And the
submodules were created with a normal pass init on a different machine.

> > In pass, you can have different keys for each subtree. See the man page
> > for `pass init --path=sub-folder`.
> >
> This is indeed what "solves" my problem, but I fail to understand how I can
> utilize this.
> Maybe I'm interpreting the keyword "init" wrongly, but I was hoping to
> avoid "hand-crafted" aliases/the like to reference different
> subdirectories/trees of passwords.

The trick is that there can be a .gpg-id anywhere in the subtree
changing the keys that can access the passes. A `pass init -p ...` just
creates a .gpg-id inside that sub-folder. But the content could be the
same as in the top dir.

> So, in an attempt to clarify my confusion (nevermind the oxymoron that
> becomes);
> Are you supposed to `pass init --path $PASSWORD_STORE_DIR>` within an already established
> PASSWORD_STORE_DIR?

Yes. You can even add/edit that .gpg-id manually, but then you have to
handle the reencryption yourself.

Be also aware that (as you have that in git) if a user was able to
decrypt passes in the past, he will be in the future too. (just go back
the git history) So, if you plan to have more limited access for a
subtree than in the main, then you have to start with that so.

Keep also in mind that anybody with write access to git could write a
.gpg-id with his key included to let him access all future stored
passes in that tree.

I had that this way:
- my private main password-store with main .gpg-id
- ...
- geschäftlich (a git submodule synced from a different machine)

That dir includes its own .gpg-id. There were even trees with more or
less keys inside.

Have fun.

Regards
Klaus
Re: Anyone know of a gpg-encrypted secrets sharing software that allows a client to hold different "bases/repositories" of secrets?
Hi Christian,

When I read the subject, I was thinking exactly of pass.

On Fri, 11 Jun 2021 at 18:44, Christian Chavez via Gnupg-users wrote:
> Does anyone know of a tool/software that works much like pass/git secret,
> but also easily/simply allows you to access two different
> bases/repositories (like my personal passwords/totp and team one above)
> with the same tool/cli?

You can combine multiple pass repositories into one using, for example,
git submodules. I used that over many years. Having a cron job that
committed all submodule changes in the top pass git automatically.

In pass, you can have different keys for each subtree. See the man page
for `pass init --path=sub-folder`.

Regards
Klaus
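The per-subtree .gpg-id mechanism described in the two pass posts above (and the recipient list pass re-encrypts to after a `pass init`, mentioned in the card thread earlier on this page) can be audited with a small script. This is an added example, not pass's own code: it resolves the nearest .gpg-id for every *.gpg entry the way pass picks recipients, and reports entries that a key outside an allow-list could decrypt, which is the write-access risk pointed out above. The store layout and the key ids in build_sample_store() are constructed for the demonstration.

```python
"""Audit which keys can decrypt each entry of a pass(1) store.  Added example,
not part of pass; the sample store is constructed in a temporary directory."""
import tempfile
from pathlib import Path


def read_gpg_ids(gpg_id_file):
    """Parse a .gpg-id file: one key id per line; blank lines and # comments ignored."""
    ids = []
    for line in gpg_id_file.read_text().splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.append(line)
    return ids


def effective_gpg_ids(store_root, entry):
    """Walk from the entry's directory up to the store root and use the nearest
    .gpg-id, which is how pass chooses recipients for a sub-folder.
    Returns (directory relative to the root, list of key ids)."""
    store_root = Path(store_root).resolve()
    current = Path(entry).resolve().parent
    while True:
        candidate = current / ".gpg-id"
        if candidate.is_file():
            return current.relative_to(store_root), read_gpg_ids(candidate)
        if current == store_root:
            raise FileNotFoundError("no .gpg-id between %s and the store root" % entry)
        current = current.parent


def audit_store(store_root, allowed):
    """Map each entry (path relative to the root) to its recipient list, and
    collect entries that some key outside `allowed` can decrypt."""
    store_root = Path(store_root)
    allowed = set(allowed)
    recipients, unexpected = {}, {}
    for entry in sorted(store_root.rglob("*.gpg")):
        rel = str(entry.relative_to(store_root))
        _, ids = effective_gpg_ids(store_root, entry)
        recipients[rel] = ids
        extra = sorted(set(ids) - allowed)
        if extra:
            unexpected[rel] = extra
    return recipients, unexpected


def build_sample_store(root):
    """Constructed sample: a private top level plus a shared sub-folder with its
    own .gpg-id.  The key ids are placeholders, not real keys."""
    root = Path(root)
    (root / ".gpg-id").write_text("0xAAAAAAAAAAAAAAAA\n")
    (root / "mail.gpg").write_bytes(b"")           # contents irrelevant here
    shared = root / "work" / "shared"
    shared.mkdir(parents=True)
    (shared / ".gpg-id").write_text("0xAAAAAAAAAAAAAAAA\n0xBBBBBBBBBBBBBBBB # colleague\n")
    (shared / "vpn.gpg").write_bytes(b"")
    (root / "work" / "only-me.gpg").write_bytes(b"")  # no .gpg-id in work/: inherits root's
    return root


def demo():
    """Build the sample store and audit it against an allow-list of one key."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_store(tmp)
        return audit_store(root, {"0xAAAAAAAAAAAAAAAA"})


if __name__ == "__main__":
    recipients, unexpected = demo()
    for path, ids in recipients.items():
        print(path, "->", ", ".join(ids))
    print("entries readable by keys outside the allow-list:", unexpected)
```

Run against a real store (`audit_store(Path.home() / ".password-store", {...})`) after every pull, since a pushed .gpg-id change is what grants a new key access to everything stored under it from then on; keep in mind, as the post says, that history already decryptable by a key stays decryptable.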
Re: Follow-up on L'Affaire Stallman
Hi Werner,

On Fri, 9 Apr 2021 at 18:59, Werner Koch via Gnupg-users wrote:
> can we please stop this thread?
>
> This is a technical and privacy oriented mailing list and not a medium
> to discuss the pros and cons of a certain person. There are enough
> other places for such chitchat.

So please tell this to Robert J. Hansen who did twice bring some
political cancel culture discussions to this list.

I endorse Joel Rees' question. There is no reason to try to cancel out
RMS. I am not a big fan of him and his personality might be
questionable to some, but there is no reason why he should be banned
from anything. In fact, RMS did very great things for us as a
community.

So please give at least something that justifies all that hate writing
against RMS.

Regards
Klaus
Re: We shall value email usage
Hi,

On Thu, 25 Mar 2021 at 11:51, Bernhard Reiter wrote:
> To me the protected headers implementation Thunderbird is a step back,
> as it leads to unnecessary data leaks (subject and cc) to other clients
> which are OpenPGP/MIME compatible.

Well, there are others... For example, if you start editing a mail with
thunderbird and put it to drafts. Then finishing the edit with mutt.
This will leak the following headers:
- user-agent
- x-mailer
- x-mozilla-draft-info
- x-enigmail-draft-status
- x-account-key
- x-identity-key
- fcc

Even when sending mails just from thunderbird, it leaks at least the
user-agent header.

Currently I configured my MTA to remove those headers for outgoing
mails.

Regards
Klaus
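An added example (not Klaus's MTA configuration) of the header hygiene described above: a filter that removes the listed client and draft-state headers from an outgoing message before delivery and leaves the rest of the message untouched. The sample draft in SAMPLE_DRAFT, including its header values, is constructed; header matching is case-insensitive, so the lowercase names from the post match as written.

```python
"""Strip client-revealing and draft-state headers from an outgoing message.
Added example; the sample message is constructed."""
from email import message_from_string, policy

# Headers the post above lists as leaking from a Thunderbird draft finished in
# mutt, plus User-Agent, which Thunderbird adds to every mail.
LEAKY_HEADERS = (
    "User-Agent", "X-Mailer", "X-Mozilla-Draft-Info", "X-Enigmail-Draft-Status",
    "X-Account-Key", "X-Identity-Key", "Fcc",
)

# Constructed draft; the X-* values are placeholders, not real client output.
SAMPLE_DRAFT = """\
From: alice@example.org
To: bob@example.net
Subject: status
User-Agent: Mutt/2.0
X-Mailer: constructed-client/1.0
X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0
X-Enigmail-Draft-Status: constructed
X-Account-Key: account3
X-Identity-Key: id2
Fcc: imap://alice@mail.example.org/Sent
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

Hi Bob,
"""


def strip_leaky_headers(raw, names=LEAKY_HEADERS):
    """Return (cleaned message text, list of header names that were removed).
    `del msg[name]` drops every occurrence of a header, not just the first."""
    msg = message_from_string(raw, policy=policy.default)
    removed = []
    for name in names:
        if name in msg:          # case-insensitive lookup
            removed.append(name)
            del msg[name]
    return msg.as_string(), removed


def header_names(raw):
    """Header names of a message, in order, for inspecting the result."""
    return list(message_from_string(raw, policy=policy.default).keys())


if __name__ == "__main__":
    cleaned, removed = strip_leaky_headers(SAMPLE_DRAFT)
    print("removed:", removed)
    print(cleaned)
```

The same list is what an MTA header-rewriting rule would drop; doing it at the MTA rather than in the client catches drafts regardless of which client finished them.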
Re: We shall value email usage
Hi List,

On Wed, 24 Mar 2021 at 16:15, Stefan Vasilev via Gnupg-users wrote:
> Bernhard Reiter wrote:
>
> > What I observe is that knowledge and practice of email usage
> > is declining. I notice it in many little things (like folks sending
> > alternative HTML mails, not being able to handle CC, good inline quoting,
> > good subjects). So where are good explanations about email practice?
>
> This is quite normal, because millions of people nowadays are using modern
> web based email clients and those have with Gmail etc. the option to use
> OpenPGP too. GnuPG

If they are "modern" is something I do not judge about. But there is
even a solution for web-based mail clients. Mailvelope does a pretty
good job. Although there is some stuff to know about:
- Mailvelope can (obviously) only handle inline PGP mails. Decoding mime
  mails (or encoding) is far away from such a tool
- Mailvelope cannot handle hidden encrypts (As I understand the
  discussion, current Thunderbird is also unable to handle this.)
- Mailvelope needs an e-mail address in the key identity. Otherwise it
  is not selectable.

> among Mailing List members. An exception might be the new Thunderbird, with

As you might see, I use mutt as mail client. But recently, I started
having an eye on thunderbird for some reasons. I liked the Enigmail
addon. It is sad that the native implementation in Thunderbird is a big
step back. Although there are some advantages like the hidden subject
header. On the other hand, as it was stated here too, it is not
possible to disable it, so the still dumb majority of Outlook is unable
to view the subject. However, Outlook is also unable to view quotes in
a usable way, neither is it able to create proper mails. So I always
wonder why people stick to such horrible software.

Regards
Klaus

Ps. I might need to use this Outlook in future for work mails. But I
try to fight it. :-)
Re: gnupg and ssh interaction somehow broken (card reader with pinpad)
Hi Andreas,

On Wed, 17 Mar 2021 at 16:31, Andreas K. Huettel wrote:
> On Wednesday, 17 March 2021, 09:48:58 CET, Werner Koch wrote:
> > On Tue, 16 Mar 2021 23:25, Andreas K. Huettel said:
> > > 3) then, sign something: pinentry window pops up, pin is not accepted
> > > ("wrong beep")
> >
> > We need a log from the scdaemon.
>
> Here's the critical part from the scdaemon log, when signing fails in step 3:
>
> 2021-03-17 16:15:37 scdaemon[4932] DBG: dismiss pinpad entry prompt
> 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> INQUIRE DISMISSPINPADPROMPT
> 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 <- END
> 2021-03-17 16:15:37 scdaemon[4932] Prüfung des CHV1 fehlgeschlagen: Ungültiger Wert
> 2021-03-17 16:15:37 scdaemon[4932] operation sign result: Ungültiger Wert
> 2021-03-17 16:15:37 scdaemon[4932] app_sign failed: Ungültiger Wert
> 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> ERR 100663351 Ungültiger Wert
> 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 <- RESTART
> 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> OK

Could it be that the agent and GnuPG have grossly different versions?

    gpg-agent --version
    /usr/lib/gnupg/scdaemon --version

Regards
Klaus
Re: macOS pinentry remove saved password
Hi,

On Tue, 16 Mar 2021 at 17:19, Mark McDonnell via Gnupg-users wrote:
> It would be great if users could configure the default as it feels
> dangerous to default to saving the passphrase.

I believe it is the "no-allow-external-cache" option. I had the same on
linux with the shitty gnome PW manager. It might be the same option on
mac.

Regards
Klaus
Re: gpg-agent and X
On Sat, 6 Mar 2021 at 16:32, Klaus Ethgen wrote:
> [0] https://bugs.gentoo.org/show_bug.cgi?id=774468

Sadly, Gentoo closed that bug as invalid as they do not have pam_gnupg
in their software stack and so they say that it is a use case that is
not supported by them.

It is a bit short thought. Their pinentry has a bug that is triggered
this way and they don't care.

Regards
Klaus
Re: gpg: error searching keyserver: Network is unreachable
Hi Christian,

On Sat, 6 Mar 2021 at 8:44, Christian Ribeaud wrote:
> Desperately searching for hours now???
> I am NOT able to run following command:
>
> gpg --keyserver hkp://keyserver.dcc.sib.swiss:80 --keyserver-options
> no-self-sigs-only,no-import-clean --search-keys
>
> Always getting following output:
>
> gpg: error searching keyserver: No keyserver available
> gpg: keyserver search failed: No keyserver available

Remember, dirmngr is using tor by default if it is installed and
running! You have to put no-use-tor into your .gnupg/dirmngr.conf to
prevent this.

This did cost me hours to find out when the feature was implemented.

Regards
Klaus
Re: gpg-agent and X
I created a bug ([0]) for gentoo.

Regards
Klaus

[0] https://bugs.gentoo.org/show_bug.cgi?id=774468
Re: gpg-agent and X
Hi,

On Fri, 5 Mar 2021 at 17:05, Mark H. Wood via Gnupg-users wrote:
> The only thing I can think of to check is: have you selected
> pinentry-qt5 using 'eselect'?

Sure. That is all fine.

    ~> eselect pinentry list
    Available pinentry binary implementations:
      [1]   pinentry-gnome3
      [2]   pinentry-qt5 *
      [3]   pinentry-curses

On Werner Koch's hint, I enabled pinentry-debug; here are the results:

    2021-03-05 20:03:24 gpg-agent[27031] gpg-agent (GnuPG) 2.2.25 started
    2021-03-05 20:03:48 gpg-agent[27031] SIGHUP received - re-reading configuration and flushing cache
    2021-03-05 20:03:53 gpg-agent[27031] can't connect to the PIN entry module '/usr/bin/pinentry': End of file
    2021-03-05 20:03:53 gpg-agent[27031] failed to unprotect the secret key: No pinentry
    2021-03-05 20:03:53 gpg-agent[27031] failed to read the secret key
    2021-03-05 20:03:53 gpg-agent[27031] command 'PKDECRYPT' failed: No pinentry
    2021-03-05 20:03:53 gpg-agent[27031] no device present
    2021-03-05 20:03:53 gpg-agent[27031] can't connect to the PIN entry module '/usr/bin/pinentry': End of file
    2021-03-05 20:03:53 gpg-agent[27031] smartcard decryption failed: No pinentry
    2021-03-05 20:03:53 gpg-agent[27031] command 'PKDECRYPT' failed: No pinentry

The strange thing is that /usr/bin/pinentry is absolutely correct:

    ~> ls -l /usr/bin/pinentry
    lrwxrwxrwx 1 root root 12 29. Jan 20:37 /usr/bin/pinentry -> pinentry-qt5
    ~> ls -lL /usr/bin/pinentry
    -rwxr-xr-x 1 root root 129504 26. Jan 18:25 /usr/bin/pinentry

The environment looks good:

    ~> gpg-connect-agent 'getinfo std_session_env' /bye
    D GPG_TTY=/dev/pts/2
    D TERM=xterm-256color
    D DISPLAY=localhost:10.0
    OK

And when logged from .xsession:

    D DISPLAY=:0
    OK

use flags:

    ~> equery u pinentry
    [ Legend : U - final flag setting for installation]
    [        : I - package is installed with flag     ]
    [ Colors : set, unset                             ]
     * Found these USE flags for app-crypt/pinentry-1.1.0-r4:
     U I
     + + caps          : Use Linux capabilities library to control privilege
     - - emacs         : Add support for GNU Emacs
     - - gnome-keyring : Enable support for storing passwords via gnome-keyring
     + + gtk           : Add support for x11-libs/gtk+ (The GIMP Toolkit)
     + + ncurses       : Add ncurses support (console display library)
     + + qt5           : Add support for the Qt 5 application and UI framework

    ~> equery u app-crypt/gnupg
    [ Legend : U - final flag setting for installation]
    [        : I - package is installed with flag     ]
    [ Colors : set, unset                             ]
     * Found these USE flags for app-crypt/gnupg-2.2.25:
     U I
     + + bzip2             : Use the bzlib compression library
     - - doc               : Add extra documentation (API, Javadoc, etc). It is recommended to enable per package instead of globally
     - - ldap              : Add LDAP support (Lightweight Directory Access Protocol)
     + + nls               : Add Native Language Support (using gettext - GNU locale utilities)
     + + readline          : Enable support for libreadline, a GNU line-editing library that almost everyone wants
     - - scd-shared-access : Allow concurrent access to scdaemon by multiple apps from same user. Useful if you want to use scdaemon with gnupg and for example NitroKey.
     + + smartcard         : Build scdaemon software. Enables usage of OpenPGP cards. For other type of smartcards, try app-crypt/gnupg-pkcs11-scd. Bring in dev-libs/libusb as a dependency; enable scdaemon.
     + + ssl               : Add support for SSL/TLS connections (Secure Socket Layer / Transport Layer Security)
     + + tofu              : Enable support for Trust on First use trust model; requires dev-db/sqlite.
     + + tools             : Install extra tools (including gpgsplit and gpg-zip).
     + + usb               : Build direct CCID access for scdaemon; requires dev-libs/libusb.
     - - user-socket       : try a socket directory which is not removed by init manager at session end

So, the conclusion is:
- Environment seems to be fine
- pinentry is correct (and working, as it works when I kill and restart
  the gpg-agent in xsession)
- The error logged is strange for me, I have no idea what went wrong

Regards
Klaus
Re: gpg-agent and X
That was a dead end. Even without libcap linkage, the pinentry does not
work. Also the process capabilities of a manually started gpg-agent are
the same.

Regards
Klaus
Re: gpg-agent and X
Some further debugging of the capabilities:

pinentry(-qt) has no file capabilities, the process of gpg-agent has
the following:

    ~> getpcaps 27031
    27031: cap_dac_override,cap_net_admin,cap_net_raw,cap_sys_rawio,cap_sys_admin=i

And in strace I find the following:

    28441 20:23:54 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=1<
Re: gpg-agent and X
Hi Werner,

On Fri, 5 Mar 2021 at 15:59, Werner Koch wrote:
> On Fri, 5 Mar 2021 10:16, Klaus Ethgen said:
>
> > While this setup work well on my Devuan machine, I have some troubles on
> > the Gentoo one, that I don't get solved.
>
> I am also using Devuan without problems.

Devuan isn't the problem, it is Gentoo...

> Did you use
>
>   touch /var/lib/elogind/USERNAME
>
> to avoid elogind stealing the socket directory?

I do not use elogind or any other logind. I do not like that concept
and limit the amount of bloated pötterware on my system(s) to the
absolute minimum.

However, if it helps, there is a bug in gentoo ([0]) that is preventing
the session registering. But I have the mentioned workaround in place.

Regards
Klaus

[0] https://bugs.gentoo.org/show_bug.cgi?id=716596
gpg-agent and X
Hi,

I have my setup depending strongly on gpg-agent. For this, I preseed
some passphrases via pam_gnupg.

While this setup works well on my Devuan machine, I have some troubles
on the Gentoo one that I don't get solved.

When the agent is started when I login via xdm (wdm), the agent does
never use X for displaying the pinentry. Even when `updatestartuptty`
is issued afterwards. As I use gpg-card even not every time from the
console, I need that to display an X pinentry (currently the qt one,
gtk was preferred with gtk2 but the gtk3 one is horrible.)

I mitigated that now to kill the agent in xinit so the pam module is
only in charge when unlocking the screen. However, I want to get it
working even with the login session.

Anyone got an idea why it is not working correctly and why the agent is
refusing to accept the DISPLAY setting when started via pam?

Regards
Klaus
Re: Unknown key in gpg-agent
Hi Werner,

On Tue, 25 Aug 2020 at 14:12, Werner Koch wrote:
> Just to be sure, you quoted the ampersand, right. It works for me and
> some GnuPG components are using it a lot.

Just a quick test:

    ~> gpg --version
    gpg (GnuPG) 2.2.20
    libgcrypt 1.8.6
    ...
    ~> gpg --list-secret-keys
    /home/klaus/.gnupg/pubring.gpg
    --
    sec>  rsa4096/0x79D0B06F4E20AF1C 2011-05-16 [C] [verfällt: 2050-12-31]
          Schl.-Fingerabdruck = 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
          Keygrip = E9CAF66DDA858EE60D654C864BB8E12E41C78242
    ...
    ~> gpg -k \
    gpg: keydb_search failed: Invalid argument
    gpg: error reading key: Invalid argument

Sure I did use quoting for "&".

Regards
Klaus
Unknown key in gpg-agent
Hello,

I have one key in my gpg agent that I do not remember anymore and do
not know where it comes from.

`KEYINFO --list` shows me one key (no ssh key) that I do not know. I
can preseed that key with a known passphrase, which suggests that I had
it in gnupg once. However, `gpg --list-keys --list-options
show-unusable-subkeys --with-keygrip` does not display this keygrip.

Is there any possibility to export that key or get info about that key,
find it whatever?

As the key is in the agent, there is a corresponding .key file in
.gnupg/private-keys-v1.d.

So, ssh-add does not show the key (as well as KEYINFO --ssh-list) and
gpg doesn't show the key. What could have put that key there when it is
none of those commands?

By the way, using '' does not work with gpg to select a key for listing
by keygrip.

Regards
Klaus

Ps. Please keep me explicitly in reply as I am not subscribed to the
list.