Re: Management of background services with systemd

2023-03-03 Thread Peter Pentchev
On Thu, Mar 02, 2023 at 05:53:21PM +0100, Werner Koch via Gnupg-users wrote:
> On Wed,  1 Mar 2023 21:24, Michael Richardson said:
> 
> > Combined with SSH access to the machine, and the passphrase/pin popup shows
> > up in the wrong place.
> 
> Talking about ssh: Yes, you need to make sure that gpg-agent has been
> launched.  But once that has been done ssh works nicely.
> 
> The major problem with ssh is that ssh has no way to pass environment
> variables to gpg-agent via the ssh-agent protocol.  gpg-agent needs the
> envvars to pop up pinentry on the right tty/display.  I once posted
> patches to the ssh list to extend ssh in this way but the interest was
> not high and I had no time to start convincing them to apply these
> patches.
> 
> Actually it would also be possible to tell ssh to autostart gpg-agent,
> similar to what gpg does.  This could be done as a generic pre-connect
> extension to ssh.

FWIW, there is also the keychain tool that may be invoked in shell startup
scripts (which also provides the ability to differentiate - if needed -
between interactive and non-interactive shells):

- the tool itself: https://www.funtoo.org/Keychain
- a couple of patches that we apply to the Debian packaging:
  - https://salsa.debian.org/debian/keychain/-/blob/debian/master/debian/patches/malformed-ssh-key.patch
  - https://salsa.debian.org/debian/keychain/-/blob/debian/master/debian/patches/empty-ssh-askpass.patch

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@debian.org p...@storpool.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Protecting encryption server

2020-07-29 Thread Peter Pentchev
On Tue, Jul 28, 2020 at 10:33:42PM +0200, Denis BEURIVE via Gnupg-users wrote:
> > Oh, quite the contrary.  It just forces the attacker to get clever.
> 
> If your server only sends data through an "outgoing data diode", then it
> does not expose any entry point (you just disable all services : no SSH, no
> ping, no HTTP... nothing). There is no way you can establish a connection
> to the server. How can you hack a server if you have absolutely no way to
> access it from the outside ? It seems just impossible.

Quick question: how do you send data out? It cannot be via TCP
connections, since those require a handshake and acknowledgements
flowing both ways. It cannot be via any kind of TLS-based protocol for
the exact same reason. In theory you might be able to devise some
one-way protocol based on e.g. UDP or your own datalink layer and add
some kind of signing into it, but that would require a security audit in
its own right, and then there is the issue of dropped packets. So, as
described in Rob's paper, the sending server has to continuously send
the data over and over again, with no idea whether the receiving server
has received any of it, parts of it, or the whole of it.

Also, hm, here's a possibly stupid question: how do you keep the system
time synchronized between the sender and the receiver? You cannot use
any kind of time synchronization similar to NTP or even SNTP, since that
would require incoming data and programs that process that incoming data
and possible avenues of attack via (possibly still undiscovered)
problems in those programs. So at some point, time drift will start to
cause problems in the verification of the cryptographic signatures of
the data the server sends.

I am not saying that any of those problems is unsolvable, but it seems
to me that devising robust solutions to all of them (and to all of
the others that will come up along the way) will make the system much,
much, *much* more complicated than "just a single one-way comm device".
At some point the question would arise whether all these complications
and all these newly-devised communication protocols are indeed worth it.
Once again, not saying that the answer is always "no", but, well...

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@debian.org p...@storpool.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
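
Added example, not part of the original message or of the paper it mentions: a small simulation of the one-way transfer discussed above, showing why the sender has to keep repeating itself and how clock drift alone can make every authentic frame fail the receiver's checks. The frame layout, the HMAC with a pre-shared key standing in for signing, the `MAX_SKEW` freshness window and the loss pattern are all assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

# Everything below is a constructed model, not a real diode protocol.
KEY = b"constructed-demo-key"    # assumption: pre-shared key; HMAC stands in for signing
MAX_SKEW = 300                   # assumption: accept sender timestamps within +/- 300 s
HEADER = struct.Struct("!HHQ")   # chunk index, chunk count, sender unix time
TAG_LEN = hashlib.sha256().digest_size


def make_frames(payload, chunk_size, now):
    """Split payload into frames that can each be verified on their own."""
    chunks = [payload[i:i + chunk_size]
              for i in range(0, len(payload), chunk_size)] or [b""]
    frames = []
    for index, chunk in enumerate(chunks):
        body = HEADER.pack(index, len(chunks), now) + chunk
        frames.append(body + hmac.new(KEY, body, hashlib.sha256).digest())
    return frames


class Receiver:
    """Receive-only side: it can verify and reassemble, never reply."""

    def __init__(self):
        self.chunks = {}
        self.total = None
        self.rejected = {"bad_tag": 0, "stale": 0}

    def feed(self, frame, now):
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(KEY, body, hashlib.sha256).digest()
        if len(body) < HEADER.size or not hmac.compare_digest(tag, expected):
            self.rejected["bad_tag"] += 1
            return
        index, total, sent_at = HEADER.unpack(body[:HEADER.size])
        if abs(now - sent_at) > MAX_SKEW:
            # Authentic but outside the freshness window: with no inbound
            # time sync, clock drift eventually lands every frame here.
            self.rejected["stale"] += 1
            return
        self.total = total
        self.chunks[index] = body[HEADER.size:]

    def message(self):
        if self.total is None or len(self.chunks) < self.total:
            return None
        return b"".join(self.chunks[i] for i in range(self.total))


def lossy(round_no, index):
    """Constructed loss pattern: a different frame is dropped each round."""
    return (round_no + index) % 3 == 0


def run_diode(payload, drift, max_rounds=10, chunk_size=12):
    """Resend the whole message every round; return (rounds needed, receiver).

    The round count is visible only to this simulation. A real sender gets
    no acknowledgement, so it cannot stop early or detect total failure.
    """
    receiver = Receiver()
    sender_clock = 1_596_000_000           # constructed start time
    for round_no in range(1, max_rounds + 1):
        frames = make_frames(payload, chunk_size, sender_clock)
        for index, frame in enumerate(frames):
            if not lossy(round_no, index):
                receiver.feed(frame, sender_clock + drift)
        if receiver.message() is not None:
            return round_no, receiver
        sender_clock += 1
    return None, receiver


if __name__ == "__main__":
    data = b"constructed sample payload for the diode"
    print(run_diode(data, drift=0)[0])       # rounds with clocks in sync
    rounds, rx = run_diode(data, drift=400)  # receiver clock 400 s ahead
    print(rounds, rx.rejected)
```

With the clocks in sync the message completes only after a repeat round; with the receiver 400 seconds ahead nothing is ever accepted, and the sending side has no signal that this is happening.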



Re: keys require a user-id

2020-05-16 Thread Peter Pentchev
On Sat, May 16, 2020 at 04:55:11PM +0300, Peter Pentchev wrote:
> On Sat, May 16, 2020 at 01:36:10AM +0200, Stefan Claas wrote:
> > Peter Pentchev wrote:
> >  
> > > On Fri, May 15, 2020 at 10:54:32PM +0200, Stefan Claas wrote:
> > 
> > > > You know what, the most interesting thing of this ML for me is that
> > > > when people do a request or suggestion, the old guard is always
> > > > there to defend some standard and are not accepting that a new
> > > > product on the OpenPGP market, with a new feature included, adds an
> > > > enrichment to a given standard, which people may like to use and
> > > > appreciate.
> > > 
> > > OK, but *how* is it an enrichment? What does a UID-less key provide
> > > over a randomly-generated UID? Why go to the bother of supporting a
> > > new special case when you can get the same result in another way,
> > > with zero additional code in any of the existing implementations and
> > > only a couple more lines of code in the special client that will have
> > > to generate a random UID?
> > 
> > Fact is this function is available for users of OpenPGP software.
> 
> Is it though? It is not part of the OpenPGP standard, is it? It is
> available for users of software that implements the OpenPGP standard
> *with some local extensions*, which is a bit different.
> 
> > We should better think of how this will pan out in the future, if users
> > start to use OpenPGP software with UID-less public keyblocks and how
> > GnuPG users can interact with them, or not?
> 
> GnuPG users can interact perfectly well with people who use OpenPGP
> software :) As Robert J. Hansen said, if you (or somebody else) want to
> extend the standard, there is an IETF working group and mailing list for
> that.
> 
> The way I see it, there are two types of standards:
> 
> - ones that are discussed and written before being implemented, so that
>   all the implementors have the same idea and nobody comes up with, say,
>   using the same magic numbers for completely different purposes or
>   having a function accept one more argument than anyone else and break
>   if it is called with fewer arguments
> 
> - ones that standardize existing behavior, like the POSIX standard for
>   operating systems, system calls, libraries, command shell, etc.
> 
> Now, I've been on the POSIX mailing list for well nigh 20 years now, and
> let me tell you, trying to standardize something when different
> implementors have come up with *all kinds* of slightly different ways of
> doing *almost* the same thing can be... crazy. Insane. Amazingly,
> astonishingly, horrifyingly weird, and very time- and nerve-consuming.
> 
> It seems to me that the people involved in developing the OpenPGP
> standard did, at one point, decide to go the other way: yes, sure, start
> with the existing PGP and GnuPG and other implementations, but then,
> when thinking about future work, decide to discuss things before
> implementing them (recent threads on the OpenPGP mailing list
> notwithstanding), so that it is sorta kinda expected that once various
> implementations gain the new features, they *will* be able to
> interoperate. That sounds... kind of reasonable to me.

Just one more point that I forgot to write: *of course* it's fine for
people to implement experimental things to see if they'll work... within
reasonable bounds, of course, like not implementing new algorithm
identifiers outside the space reserved for experimental ones. But it is
also fine for other people to say "okay, sure, you have your
experimental features, but I'll wait until they're standardized until
I do the work on implementing them myself; also, let's discuss whether
they are even needed."

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@debian.org p...@storpool.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13



Re: keys require a user-id

2020-05-16 Thread Peter Pentchev
On Sat, May 16, 2020 at 01:36:10AM +0200, Stefan Claas wrote:
> Peter Pentchev wrote:
>  
> > On Fri, May 15, 2020 at 10:54:32PM +0200, Stefan Claas wrote:
> 
> > > You know what, the most interesting thing of this ML for me is that
> > > when people do a request or suggestion, the old guard is always
> > > there to defend some standard and are not accepting that a new
> > > product on the OpenPGP market, with a new feature included, adds an
> > > enrichment to a given standard, which people may like to use and
> > > appreciate.
> > 
> > OK, but *how* is it an enrichment? What does a UID-less key provide
> > over a randomly-generated UID? Why go to the bother of supporting a
> > new special case when you can get the same result in another way,
> > with zero additional code in any of the existing implementations and
> > only a couple more lines of code in the special client that will have
> > to generate a random UID?
> 
> Fact is this function is available for users of OpenPGP software.

Is it though? It is not part of the OpenPGP standard, is it? It is
available for users of software that implements the OpenPGP standard
*with some local extensions*, which is a bit different.

> We should better think of how this will pan out in the future, if users
> start to use OpenPGP software with UID-less public keyblocks and how
> GnuPG users can interact with them, or not?

GnuPG users can interact perfectly well with people who use OpenPGP
software :) As Robert J. Hansen said, if you (or somebody else) want to
extend the standard, there is an IETF working group and mailing list for
that.

The way I see it, there are two types of standards:

- ones that are discussed and written before being implemented, so that
  all the implementors have the same idea and nobody comes up with, say,
  using the same magic numbers for completely different purposes or
  having a function accept one more argument than anyone else and break
  if it is called with fewer arguments

- ones that standardize existing behavior, like the POSIX standard for
  operating systems, system calls, libraries, command shell, etc.

Now, I've been on the POSIX mailing list for well nigh 20 years now, and
let me tell you, trying to standardize something when different
implementors have come up with *all kinds* of slightly different ways of
doing *almost* the same thing can be... crazy. Insane. Amazingly,
astonishingly, horrifyingly weird, and very time- and nerve-consuming.

It seems to me that the people involved in developing the OpenPGP
standard did, at one point, decide to go the other way: yes, sure, start
with the existing PGP and GnuPG and other implementations, but then,
when thinking about future work, decide to discuss things before
implementing them (recent threads on the OpenPGP mailing list
notwithstanding), so that it is sorta kinda expected that once various
implementations gain the new features, they *will* be able to
interoperate. That sounds... kind of reasonable to me.

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@debian.org p...@storpool.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13



Re: keys require a user-id

2020-05-15 Thread Peter Pentchev
On Fri, May 15, 2020 at 10:54:32PM +0200, Stefan Claas wrote:
> Peter Pentchev wrote:
>  
> > On Fri, May 15, 2020 at 07:07:40PM +0200, Stefan Claas wrote:
> 
> > > Mind you, I have only asked that GnuPG should support the import and
> > > processing of UID-less public key blocks and did not request that
> > > this should be a default behaviour in the key generation process.
> > 
> > And the answer has been given: because those blocks violate the
> > OpenPGP standard and, as I understand Robert J. Hansen (and I
> > apologize to him if I'm putting the wrong words into his mouth), his
> > position is that there is no reason for this violation to exist at
> > all, there is no reason for UID-less key blocks to exist at all, so
> > GnuPG is quite right in following the OpenPGP standard and not
> > accepting them.
> 
> You know what, the most interesting thing of this ML for me is that
> when people do a request or suggestion, the old guard is always there
> to defend some standard and are not accepting that a new product on the
> OpenPGP market, with a new feature included, adds an enrichment to a
> given standard, which people may like to use and appreciate.

OK, but *how* is it an enrichment? What does a UID-less key provide over
a randomly-generated UID? Why go to the bother of supporting a new
special case when you can get the same result in another way, with zero
additional code in any of the existing implementations and only a couple
more lines of code in the special client that will have to generate
a random UID?

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@debian.org p...@storpool.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13



Re: keys require a user-id

2020-05-15 Thread Peter Pentchev
On Fri, May 15, 2020 at 10:33:12PM +0300, Peter Pentchev wrote:
> On Fri, May 15, 2020 at 07:07:40PM +0200, Stefan Claas wrote:
> > Robert J. Hansen wrote:
> >  
> > > > We now have the situation that either parents or teachers, etc. can 
> > > > choose between a software which allows UID-less public key 
> > > > generation, for their minors / students, themselves...
> > > 
> > > They are free to use whatever identifier they like for a UID, even
> > > just the key ID.  A UID-free certificate is in no way required for
> > > user privacy.
> > > 
> > > You're being dishonest.  I hate to say that, but I believe it's true.
> > > You insist on pretending that you're the only one concerned about
> > > privacy and that UID-free certificates are necessary for privacy of
> > > personally identifying information.  The reality is the UID system in
> > > no way requires personally identifying information and everyone you're
> > > accusing of not caring about privacy cares a great deal about it.
> > > 
> > > You're being dishonest.  Please stop.
> > 
> > Mind you, I have only asked that GnuPG should support the import and
> > processing of UID-less public key blocks and did not request that
> > this should be a default behaviour in the key generation process.
> 
> And the answer has been given: because those blocks violate the OpenPGP
> standard and, as I understand Robert J. Hansen (and I apologize to him
> if I'm putting the wrong words into his mouth), his position is that
> there is no reason for this violation to exist at all, there is no
> reason for UID-less key blocks to exist at all, so GnuPG is quite right
> in following the OpenPGP standard and not accepting them.

...and he actually said pretty much that in
06a65d70-6d01-6de0-ec03-c841d64c8...@sixdemonbag.org :)

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@debian.org p...@storpool.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13



Re: keys require a user-id

2020-05-15 Thread Peter Pentchev
On Fri, May 15, 2020 at 07:07:40PM +0200, Stefan Claas wrote:
> Robert J. Hansen wrote:
>  
> > > We now have the situation that either parents or teachers, etc. can 
> > > choose between a software which allows UID-less public key 
> > > generation, for their minors / students, themselves...
> > 
> > They are free to use whatever identifier they like for a UID, even
> > just the key ID.  A UID-free certificate is in no way required for
> > user privacy.
> > 
> > You're being dishonest.  I hate to say that, but I believe it's true.
> > You insist on pretending that you're the only one concerned about
> > privacy and that UID-free certificates are necessary for privacy of
> > personally identifying information.  The reality is the UID system in
> > no way requires personally identifying information and everyone you're
> > accusing of not caring about privacy cares a great deal about it.
> > 
> > You're being dishonest.  Please stop.
> 
> Mind you, I have only asked that GnuPG should support the import and
> processing of UID-less public key blocks and did not request that
> this should be a default behaviour in the key generation process.

And the answer has been given: because those blocks violate the OpenPGP
standard and, as I understand Robert J. Hansen (and I apologize to him
if I'm putting the wrong words into his mouth), his position is that
there is no reason for this violation to exist at all, there is no
reason for UID-less key blocks to exist at all, so GnuPG is quite right
in following the OpenPGP standard and not accepting them.

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@debian.org p...@storpool.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13



Re: Maximum keypair length...

2020-05-08 Thread Peter Pentchev
On Fri, May 08, 2020 at 01:27:22PM -0400, Barry Smith wrote:
[formatting fixed, top-posting still considered weird]
> On Thu, May 7, 2020, 11:00 Peter Pentchev  wrote:
> 
> > On Thu, May 07, 2020 at 07:33:06AM -0400, Barry Smith via Gnupg-users
> > wrote:
> > [formatting fixed; top-posting considered weird]
> > > On Fri, May 1, 2020, 12:01 Konstantin Ryabitsev <
> > > konstan...@linuxfoundation.org> wrote:
> > >
> > > > On Thu, Apr 30, 2020 at 11:07:11PM -0400, Barry Smith via Gnupg-users
> > > > wrote:
> > > > > Let me continue by explaining some back up information for my
> > > > > question.
> > > > > - I am asking in terms of the latest standards implemented in distros and
> > > > > Windows .exe auto-install packages.
> > > > > - I am trying to create a group calendar file and app for a private
> > > > > group.
> > > > > - Original concept for my project -- use an annual calendar file that has
> > > > > December (year minus 1) to January (year plus 1), so 14 months of
> > days. I
> > > > > want one keypair per day for the group.
> > > >
> > > > I'm not sure what kind of risk scenario you're working against, but this
> > > > sounds extreme and will probably have all sorts of usability corner
> > > > cases.
> > > >
> > > > > SO, users, help!
> > > > > I need to know the absolute longest key that GnuPG can create RIGHT
> > > > > NOW.
> > > >
> > > > It depends on the algorithm. RSA keys have the default maximum length of
> > > > 8192 set at compile-time. Elliptic Curve cryptography requires much
> > > > shorter keys, so maximums will be different there.
> > > >
> > > > In general, the length of the key is only part of the picture when we're
> > > > talking about encryption "strength." Many cryptographers consider RSA
> > > > keys longer than 2048 bits to be a "feel-good security theatre", because
> > > > classical computers are not likely to be able to successfully break
> > > > 2048-bit keys in the foreseeable future, even given state-level funding.
> > > > If/once we get to the point where quantum computers are powerful enough
> > > > to defeat 2048-bit RSA, then we should consider all classical public-key
> > > > crypto irreversibly compromised (RSA, DSA, ECC, etc) -- longer keypair
> > > > lengths will merely buy a bit of time before failing to cryptanalysis.
> > > >
> > > > So, if you want decent modern-day encryption, use 256-bit ECC keys and
> > > > don't worry about key lengths longer than 256 (or 4096 for RSA).
> > > >
> > > > -K
> > >
> > > Thank you for your excellent response.
> > >
> > > I laid out my scenario.
> > > >>
> > > RSA keys have the default maximum length of
> > > 8192 set at compile-time.
> > > >>
> > > Perfect. that was the answer that
> > > I was looking for.
> > > My "risk scenario" was an attempt to understand the maximum defaults of the
> > > current maximum protection available in the standard distributed packages.
> > >
> > > From the position of a data scientist, I am trying to compute the security
> > > available. ;)
> > >
> > > Thank you... 8196 on an RSA key. :)
> >
> > Leaving aside the fact that I agree with Konstantin about the pure
> > futility of using 8K RSA keys (but, well, if you're asking from
> > the standpoint of "this is something that somebody who wants to use
> > my program at some point in the future may want"... but even from
> > that standpoint, there may also be people who build their own
> > versions of cryptography tools with even crazier limits, so even
> > 8K might not be enough)...
> >
> > ...so leaving all that aside, when you speak of field lengths,
> > you do realize, don't you, that the raw key material is only
> > a part of even the information that is stored in the keyring,
> > not to mention the information that is exported as a certificate
> > (what most people think of when they say "my public key")?
> > There are user IDs, there are self-signatures, there are
> > signatures from other parties that let you actually trust
> > the key... and most of th

Re: Maximum keypair length...

2020-05-07 Thread Peter Pentchev
On Thu, May 07, 2020 at 07:33:06AM -0400, Barry Smith via Gnupg-users wrote:
[formatting fixed; top-posting considered weird]
> On Fri, May 1, 2020, 12:01 Konstantin Ryabitsev <
> konstan...@linuxfoundation.org> wrote:
> 
> > On Thu, Apr 30, 2020 at 11:07:11PM -0400, Barry Smith via Gnupg-users
> > wrote:
> > > Let me continue by explaining some back up information for my
> > > question.
> > > - I am asking in terms of the latest standards implemented in distros and
> > > Windows .exe auto-install packages.
> > > - I am trying to create a group calendar file and app for a private
> > > group.
> > > - Original concept for my project -- use an annual calendar file that has
> > > December (year minus 1) to January (year plus 1), so 14 months of days. I
> > > want one keypair per day for the group.
> >
> > I'm not sure what kind of risk scenario you're working against, but this
> > sounds extreme and will probably have all sorts of usability corner
> > cases.
> >
> > > SO, users, help!
> > > I need to know the absolute longest key that GnuPG can create RIGHT
> > > NOW.
> >
> > It depends on the algorithm. RSA keys have the default maximum length of
> > 8192 set at compile-time. Elliptic Curve cryptography requires much
> > shorter keys, so maximums will be different there.
> >
> > In general, the length of the key is only part of the picture when we're
> > talking about encryption "strength." Many cryptographers consider RSA
> > keys longer than 2048 bits to be a "feel-good security theatre", because
> > classical computers are not likely to be able to successfully break
> > 2048-bit keys in the foreseeable future, even given state-level funding.
> > If/once we get to the point where quantum computers are powerful enough
> > to defeat 2048-bit RSA, then we should consider all classical public-key
> > crypto irreversibly compromised (RSA, DSA, ECC, etc) -- longer keypair
> > lengths will merely buy a bit of time before failing to cryptanalysis.
> >
> > So, if you want decent modern-day encryption, use 256-bit ECC keys and
> > don't worry about key lengths longer than 256 (or 4096 for RSA).
> >
> > -K
> 
> Thank you for your excellent response.
> 
> I laid out my scenario.
> >>
> RSA keys have the default maximum length of
> 8192 set at compile-time.
> >>
> Perfect. that was the answer that
> I was looking for.
> My "risk scenario" was an attempt to understand the maximum defaults of the
> current maximum protection available in the standard distributed packages.
> 
> From the position of a data scientist, I am trying to compute the security
> available. ;)
> 
> Thank you... 8196 on an RSA key. :)

Leaving aside the fact that I agree with Konstantin about the pure
futility of using 8K RSA keys (but, well, if you're asking from
the standpoint of "this is something that somebody who wants to use
my program at some point in the future may want"... but even from
that standpoint, there may also be people who build their own
versions of cryptography tools with even crazier limits, so even
8K might not be enough)...

...so leaving all that aside, when you speak of field lengths,
you do realize, don't you, that the raw key material is only
a part of even the information that is stored in the keyring,
not to mention the information that is exported as a certificate
(what most people think of when they say "my public key")?
There are user IDs, there are self-signatures, there are
signatures from other parties that let you actually trust
the key... and most of these do not really have a fixed
count, limit, or length. Then there is the export format,
the fact that if you want to transmit the key and certificate
through a text medium, you'll have to encode it and make it
even larger...

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@debian.org p...@storpool.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13



Re: Re: problems with pinentry-0.9.0 (Werner Koch)

2014-11-21 Thread Peter Pentchev
On Thu, Nov 20, 2014 at 12:31:53PM -0800, Rex Kneisley wrote:
> Gracious reply:
> >Install the pkg-config package:
> >apt-get install pkg-config
> >Shalom-Salam,
> >Werner
>  
> Thank you!
> After installing pkg-config as suggested,
> Looks like I'm down to the wire:
>  
> checking whether mlock is broken... no
> checking for byte typedef... no
> checking for ulong typedef... yes
> checking for setcap... /sbin/setcap
> checking for cap_set_proc in -lcap... no
> checking for initscr in -lncursesw... no
> checking for initscr in -lncurses... no
> checking for tgetent in -lcurses... no
> checking for tgetent in -ltermcap... no
> checking for tgetent in -ltermlib... no
> checking for initscr in -lcurses... no
> checking for pkg-config... /usr/bin/pkg-config
> checking for gtk+-2... no
> configure: WARNING: pkg-config could not find the module gtk+-2.0
> checking pkg-config is at least version 0.9.0... yes
> checking for QT4_CORE... no
> configure: error: No pinentry enabled.
>  
> I have tried:
>  
> sudo apt-get install gtk+-2

If you need to build programs with GTK+ 2.0 support, the package that
you need to install is usually named something like libgtk2.0-dev on
Debian-like systems.

This information is actually available if you have "deb-src" lines in
your /etc/apt/sources.list, so that Apt can download information about
source packages; then you can try the following:

apt-cache search -n pinentry
(see that it shows a pinentry-gtk2 binary package)

apt-cache show pinentry-gtk2 | less
(it will tell you "Source: pinentry")

apt-cache showsrc pinentry
It will give you a list of packages in the Build-Depends field; those
are packages that the Debian package of pinentry needs so that it can
build properly with full support for all the backends.  You might
consider installing at least some of them.

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@freebsd.org p.penc...@storpool.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13




Re: auto refresh for expired certificates

2014-10-26 Thread Peter Pentchev
On Sun, Oct 26, 2014 at 10:32:47AM +, MFPA wrote:
> Hi
> 
> 
> On Sunday 26 October 2014 at 7:19:28 AM, in
> , NdK wrote:
> 
> 
> 
> > IIRC a tool exists to do that, in a way that makes it hard for keyserver
> > owners to extract "social" metadata (like "these keys are on a single
> > keyring"). Too bad I can't recall its name :(
> 
> I remember reading about a tool to refresh the keys on your keyring
> from keyservers, one key at a time at random intervals (and if I
> recall correctly, picking a random keyserver from a list). But I can't
> remember the name either, and I couldn't come up with search terms to
> find it with a search engine.

parcimonie?

https://gaffer.ptitcanardnoir.org/intrigeri/code/parcimonie/
(although I'm having some trouble connecting to the webserver right now)

https://packages.debian.org/sid/parcimonie

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@freebsd.org p.penc...@storpool.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13




Re: encrypting to expired certificates

2014-09-16 Thread Peter Pentchev
On Tue, Sep 16, 2014 at 03:04:08PM +0100, Nicholas Cole wrote:
> Can anyone explain to me why one would want to continue using a key
> and yet not simply change the expiry date?  I really find all of the
> examples being given to be incredibly contrived.

Uhm, are you sure that you really mean to say "incredibly contrived" as
in "you guys must have tried your imagination really hard to come up
with these examples, none of which will happen in the real world", or do
you really mean "highly unlikely except in isolated use cases"?  Because
what people are showing you are real use cases, ones that have happened
with real people in the real world.  "Unlikely" and "isolated", yes, but
I wouldn't use "contrived" in this case.

> It takes no time at
> all these days to change the date and distribute the new key.  As I've
> said, if the tools to do this kind of thing easily do not exist, they
> need to be created.

The tools exist.  The issue - in most of the cases here - is that
sometimes people don't use all their PGP keys all the time and sometimes
it may happen that a key will be unused for months and the owner will
honestly not notice that (the system that the key resides on may not even
have been powered up for months).

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@freebsd.org p.penc...@storpool.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13




Re: encrypting to expired certificates

2014-09-16 Thread Peter Pentchev
On Tue, Sep 16, 2014 at 04:01:27PM +0100, Nicholas Cole wrote:
> On Tuesday, 16 September 2014, Peter Pentchev  wrote:
> 
> > On Tue, Sep 16, 2014 at 03:04:08PM +0100, Nicholas Cole wrote:
> > > Can anyone explain to me why one would want to continue using a key
> > > and yet not simply change the expiry date?  I really find all of the
> > > examples being given to be incredibly contrived.
> >
> > Uhm, are you sure that you really mean to say "incredibly contrived" as
> > in "you guys must have tried your imagination really hard to come up
> > with these examples, none of which will happen in the real world", or do
> > you really mean "highly unlikely except in isolated use cases"?  Because
> > what people are showing you are real use cases, ones that have happened
> > with real people in the real world.  "Unlikely" and "isolated", yes, but
> > I wouldn't use "contrived" in this case.
> >
> 
> I apologise for my poor choice of language.

Uh, and come to think of it, I'm truly sorry if the above sounded a bit
harsh.

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@freebsd.org p.penc...@storpool.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13




Re: Bug: --list-packets ignores second public key

2014-01-02 Thread Peter Pentchev
On Mon, Dec 23, 2013 at 09:07:08PM +0100, Hauke Laging wrote:
> Hello,
> 
> I was just in a slightly embarrassing situation: I had a look with 
> gpg --list-packets
> at the certificate(s) on
> http://www.westphal.de/index.php?id=18
> 
> This is the (shortened) output:
>  :public key packet:
> [...]
> :user ID packet:
> :signature packet:
> [...]
> :signature packet:
> [...]
> :user ID packet:
> :signature packet:
> [...]
> :signature packet:
> [...]
> :user ID packet:
> :signature packet:
> [...]
> :signature packet:
> [...]
> 
> So I told the site owner that there was (in contrast to his statement above) 
> just one certificate on the page. I had to realize that gpg sees both public 
> keys when importing the block instead.

Hm, which version of GnuPG are you using?  With both 1.4.15 and 2.0.22
on my Debian GNU/Linux system I can see a second 'public key packet':

[roam@straylight ~/tmp/v/roam/pgp]$ gpg --list-packets foo.txt | egrep -ve '^[[:space:]]'
:public key packet:
:user ID packet: "Christian Westphal (always use together with 0x73C0BB28) "
:signature packet: algo 1, keyid 1AC1BFC93FFF6951
:signature packet: algo 1, keyid A642416973C0BB28
:user ID packet: "Christian Westphal "
:signature packet: algo 1, keyid 1AC1BFC93FFF6951
:signature packet: algo 1, keyid 1AC1BFC93FFF6951
:user ID packet: "Christian Westphal "
:signature packet: algo 1, keyid 1AC1BFC93FFF6951
:signature packet: algo 1, keyid A642416973C0BB28
:public sub key packet:
:signature packet: algo 1, keyid 1AC1BFC93FFF6951
:public sub key packet:
:signature packet: algo 1, keyid 1AC1BFC93FFF6951
:public key packet:
:user ID packet: "Christian Westphal "
:signature packet: algo 1, keyid A642416973C0BB28
:user ID packet: "Christian Westphal (always use together with 0x3FFF6951) "
:signature packet: algo 1, keyid A642416973C0BB28
:signature packet: algo 1, keyid 1AC1BFC93FFF6951
:public sub key packet:
:signature packet: algo 1, keyid A642416973C0BB28
:public sub key packet:
:signature packet: algo 1, keyid A642416973C0BB28
[roam@straylight ~/tmp/v/roam/pgp]$ 

The 15th line of the output is ':public key packet:'.

G'luck,
Peter


-- 
Peter Pentchev  r...@ringlet.net r...@freebsd.org p.penc...@storpool.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
If I had finished this sentence,




Re: GPG2 encryption options

2013-10-03 Thread Peter Pentchev
On Thu, Oct 03, 2013 at 02:33:32PM +0300, Peter Pentchev wrote:
> On Wed, Oct 02, 2013 at 09:46:24PM -0700, mightymouse2045 wrote:
> > Hi there,
> > 
> > I'm wondering if gpg2 can be used to encrypt a file using a keyfile. The
> > term keyfile is used to refer to a static file where the contents are read
> > into gpg2 to be used as the passphrase for the encryption process.
> > 
> > for example:
> > 
> > ccrypt -e --keyfile ~/.somefile ~/the_file_to_be_encrypted.doc
> > 
> > So the above ccrypt command encrypts the file_to_be_encrypted.doc with the
> > > first line taken from .somefile
> > 
> > ccrypt -d --keyfile ~/.somefile ~/the_file_to_be_encrypted.doc.ctd
> > 
> > and the above command decrypts it
> > 
> > Is this possible with gpg2? I like this because I can use random files taken
> > from the 100,000's+ static non-changing files on my system as passwords for
> > encrypting and decrypting files etc. I'd just prefer to be using gpg2 as I
> > can then specify algo's hash's etc instead of being stuck with AES.
> > 
> > There are some files I don't like having to enter a passphrase for each time
> > > due to them being accessed very frequently, but I don't want the contents of
> > them being stored plaintext either.
> 
> If the contents of the keyfile "looks like" a single line of text (e.g.
> a passphrase), then you can use gpg --symmetric (or -c for short) and
> pass the file in using the --passphrase-fd option.

But then, of course, everything that Peter Lebbing said about caching
the passphrase or using a smartcard that caches the PIN for a limited
amount of time is true.  I personally have never found it much trouble
to have gpg-agent prompt me for my passphrase after a couple of minutes.

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@freebsd.org p.penc...@storpool.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
I am jealous of the first word in this sentence.




Re: GPG2 encryption options

2013-10-03 Thread Peter Pentchev
On Wed, Oct 02, 2013 at 09:46:24PM -0700, mightymouse2045 wrote:
> Hi there,
> 
> I'm wondering if gpg2 can be used to encrypt a file using a keyfile. The
> term keyfile is used to refer to a static file where the contents are read
> into gpg2 to be used as the passphrase for the encryption process.
> 
> for example:
> 
> ccrypt -e --keyfile ~/.somefile ~/the_file_to_be_encrypted.doc
> 
> So the above ccrypt command encrypts the file_to_be_encrypted.doc with the
> > first line taken from .somefile
> 
> ccrypt -d --keyfile ~/.somefile ~/the_file_to_be_encrypted.doc.ctd
> 
> and the above command decrypts it
> 
> Is this possible with gpg2? I like this because I can use random files taken
> from the 100,000's+ static non-changing files on my system as passwords for
> encrypting and decrypting files etc. I'd just prefer to be using gpg2 as I
> can then specify algo's hash's etc instead of being stuck with AES.
> 
> There are some files I don't like having to enter a passphrase for each time
> > due to them being accessed very frequently, but I don't want the contents of
> them being stored plaintext either.

If the contents of the keyfile "looks like" a single line of text (e.g.
a passphrase), then you can use gpg --symmetric (or -c for short) and
pass the file in using the --passphrase-fd option.  The simplest way to
do it is to pass the file on the standard input and specify 0 as the
number of the file descriptor for the passphrase:

  gpg -c --passphrase-fd 0 somefile.doc < keyfile.txt

This command should create a somefile.doc.gpg file that you may later
decrypt by:

  gpg -d --passphrase-fd 0 somefile.doc.gpg < keyfile.txt

Of course, you do not have to use the standard input for this; some
shells will allow you to open a new file descriptor for reading from a
file:

  gpg -d --passphrase-fd 7 somefile.doc.gpg 7< keyfile.txt

Hope this helps!

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@freebsd.org p.penc...@storpool.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
If this sentence didn't exist, somebody would have invented it.




Re: GPG Private Key Export Question

2013-09-27 Thread Peter Pentchev
On Fri, Sep 27, 2013 at 05:33:59PM +0300, Peter Pentchev wrote:
> On Fri, Sep 27, 2013 at 09:58:35AM -0400, Paul Taukatch wrote:
> > Really appreciate the help and the quick response!
> > 
> > I just wanted to clarify, where exactly is the public key information
> > stored within the exported secret key data? Is it part of the Secret key
> > packet as part of the "Encrypted stuff follows section" or is following
> > that?
> 
> It's part of the secret key packet.  If you run gpg --list-packets with
> --debug=2 (or with --debug-all), so that it shows you the actual numeric
> data in the key representations, you'll see that skey[0] and skey[1] in
> the secret key packet are exactly the same as pkey[0] and pkey[1] shown
> when you --export | --list-packets (so GnuPG shows you the public key).

Also, if you're really writing software for parsing and extracting data
from OpenPGP keys or messages, then you absolutely *must* start by
reading RFC 4880, then reading it again, then bookmarking it and keeping
it always open in a browser window or a text pager, so you can refer to
it as often as you *will* need to :)

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@freebsd.org p.penc...@storpool.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
I am the thought you are now thinking.




Re: GPG Private Key Export Question

2013-09-27 Thread Peter Pentchev
On Fri, Sep 27, 2013 at 09:58:35AM -0400, Paul Taukatch wrote:
> Really appreciate the help and the quick response!
> 
> I just wanted to clarify, where exactly is the public key information
> stored within the exported secret key data? Is it part of the Secret key
> packet as part of the "Encrypted stuff follows section" or is following
> that?

It's part of the secret key packet.  If you run gpg --list-packets with
--debug=2 (or with --debug-all), so that it shows you the actual numeric
data in the key representations, you'll see that skey[0] and skey[1] in
the secret key packet are exactly the same as pkey[0] and pkey[1] shown
when you --export | --list-packets (so GnuPG shows you the public key).

G'luck,
Peter


-- 
Peter Pentchev  r...@ringlet.net r...@freebsd.org p.penc...@storpool.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
What would this sentence be like if pi were 3?




Re: Generation of key ID's

2013-09-25 Thread Peter Pentchev
On Wed, Sep 25, 2013 at 08:29:58PM +0100, MFPA wrote:
> 
> Hi
> 
> On Sunday 22 September 2013 at 9:30:52 PM, in
> , Daniel Kahn Gillmor wrote:
> 
> > You can read up on the specifics in the standard:
> >  https://tools.ietf.org/html/rfc4880#section-12.2
> 
> Does anybody know the answer to the OP's other question:-
> "And why is it done that way?"

Of course, I cannot speak for the designers of the PGP and later OpenPGP
key format, but...  Um.  When assigning identifiers to pieces of data
created randomly by independent parties all around the world with no
means of communication or synchronization, it makes perfect sense that
the identifier would be some kind of hash over both information supplied
by the person generating the piece of data and information generated
randomly, that is, part of the data.  So it makes perfect sense that the
identifier should be some kind of a hash over parts of the PGP key
material.

Furthermore, the identifier should not change when the key owner makes
modifications to the key itself, so it may not include user IDs or
signatures made either by the owner or other people after the key has
been generated.  What does not change in a PGP key?  Well, obviously,
the key parameters themselves: the algorithm, the numbers comprising the
key (be they primes or curve specifiers or whatever).  In addition, a
key may only be created once, so the creation time is not supposed to
change.

So there you have it - a long, long time ago, in a galaxy far, far away,
the V3 key fingerprint was formed by hashing only the key parameters;
they obviously characterize this key and they obviously will not change
with time as this key is being used.  Then, in V4 of the format, more
information was included, but once again, all of it is not supposed to
change with time.

As an additional benefit, hashing the public key material also provides
a quick and quite reliable way to make sure that the public key itself
has not been damaged in transit.

Note: in this text I repeatedly referred to "PGP keys" and not "OpenPGP
keys" because, unless I am gravely mistaken, both the V3 and V4 key
formats were designed before (okay, V4 was almost at the same time as)
the OpenPGP Alliance was formed.

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@freebsd.org p.penc...@storpool.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
"yields falsehood, when appended to its quotation." yields falsehood, when 
appended to its quotation.




Re: Magic numbers for keyring files?

2013-09-25 Thread Peter Pentchev
On Wed, Sep 25, 2013 at 09:18:23AM -0400, Robert J. Hansen wrote:
> I'm working on adding support for GnuPG keyrings to a file carver (a
> forensic tool that recovers data from damaged filesystems, or recovers
> things that have been deleted but not overwritten).  Detecting an
> ASCII-armored keyblock is pretty easy: look for the "BEGIN PGP PUBLIC"
> header.  Binary, though, is still an unsolved question.
> 
> Before I start diving into code to find out if the keyring has a
> specific binary header I can detect, I figured I'd ask on-list.  :)
> 
> Does anyone know of any magic numbers for GnuPG keyring files?

AFAIK, a GnuPG keyring (as well as a PGP Inc. keyring) is just a
concatenation of the (binary representation of the) public/private keys
stored there.  Thus, the file format you're looking for is the file
format of an OpenPGP key as defined by, yeah, you guessed it, RFC 4880
:)

Of course, I could be wrong, but I really don't think that GnuPG stores
anything more than that - and an easy way to test that is to point
Bernhard Link's gpg2txt - https://alioth.debian.org/projects/gpg2txt/ or
https://code.launchpad.net/gpg2txt - or Kazu Yamamoto's pgpdump -
http://www.mew.org/~kazu/proj/pgpdump/en/ - at your secring.gpg or
pubring.gpg file; they will display a sequence of packets comprising one
or more OpenPGP keys.

So what you need to look for is sequences of bytes matching the OpenPGP
format; this usually means packets of type 5 for private keys or 6 for
public ones.  Unfortunately the first bytes will vary with 1. the format
version and 2. the packet (key) length, so there is no exact marker.
Still, file(1) does it somehow; you might want to look at file's source,
at its magic database, to see the heuristics it uses.

In general I would guess it could be something like (all in hex):

- 94 xx: xx bytes of private key data, tag 5, old format packet length
- 95 xx yy: xx*256+yy bytes of private key data, tag 5, old length
- 96 xx yy zz: xx*65536 + yy*256 + zz bytes of the same

- C5 xx: xx (less than 192) bytes of private key data, tag 5, new length
- C5 xx yy: (xx-192) * 256 + yy bytes of private key data, tag 5, new
- C5 FF xx yy zz tt: up to 4 GB of private key data, tag 5, new

- 98 xx: xx bytes of public key data, tag 6, old format packet length
- 99 xx yy: xx*256+yy bytes of public key data, tag 6, old length
- 9A xx yy zz: xx*65536 + yy*256 + zz bytes of the same

- C6 xx: xx (less than 192) bytes of public key data, tag 6, new length
- C6 xx yy: (xx-192) * 256 + yy bytes of public key data, tag 6, new
- C6 FF xx yy zz tt: up to 4 GB of public key data, tag 6, new

Then you should match the first bytes of the packet itself; it would
probably start with a 04 (version) xx yy zz tt (timestamp), algorithm,
etc.

Hope that helps :)

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@freebsd.org p.penc...@storpool.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
Hey, out there - is it *you* reading me, or is it someone else?
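
The header patterns listed in this reply, combined with the fingerprint rule from the earlier "Generation of key ID's" reply, as an added example that is not part of the original posts or of any carving tool: a scanner that looks for tag 5/6 packets, sanity-checks the version, timestamp and algorithm fields, and computes the V4 fingerprint of public key packets. Length decoding follows RFC 4880 section 4.2 (old-format length type 2 is a four-octet length; a new-format two-octet length is ((first - 192) << 8) + second + 192); all function names, the algorithm whitelist, the 1991 lower bound and the sample buffer are assumptions constructed for the example.

```python
import hashlib
import time

KEY_TAGS = {5: "secret key", 6: "public key"}
# Public-key algorithm IDs: RSA (1-3), Elgamal (16), DSA (17), ECDH (18),
# ECDSA (19), EdDSA (22).  The whitelist is an assumption of this example.
KNOWN_ALGOS = {1, 2, 3, 16, 17, 18, 19, 22}
PGP_EPOCH = 662688000  # 1991-01-01 UTC, used as the earliest plausible creation time


def parse_header(buf, pos):
    """Decode a packet header at pos; return (tag, header_len, body_len) or None."""
    first = buf[pos]
    if not first & 0x80:                      # bit 7 is set in every packet tag octet
        return None
    if first & 0x40:                          # new format: tag in bits 5-0
        tag, rest = first & 0x3F, buf[pos + 1:pos + 6]
        if not rest:
            return None
        if rest[0] < 192:                     # one-octet length
            return tag, 2, rest[0]
        if rest[0] < 224 and len(rest) >= 2:  # two-octet length
            return tag, 3, ((rest[0] - 192) << 8) + rest[1] + 192
        if rest[0] == 255 and len(rest) == 5: # five-octet length
            return tag, 6, int.from_bytes(rest[1:5], "big")
        return None                           # partial body length or truncated header
    tag, ltype = (first >> 2) & 0x0F, first & 0x03
    if ltype == 3:                            # indeterminate length: nothing to bound
        return None
    size = (1, 2, 4)[ltype]
    raw = buf[pos + 1:pos + 1 + size]
    if len(raw) != size:
        return None
    return tag, 1 + size, int.from_bytes(raw, "big")


def plausible_key_body(body, max_time):
    """Check the fixed fields that open a key packet body."""
    if len(body) < 8:
        return False
    version = body[0]
    created = int.from_bytes(body[1:5], "big")
    if version == 4:
        algo = body[5]
    elif version in (2, 3):
        algo = body[7]                        # follows the 2-octet validity period
    else:
        return False
    return PGP_EPOCH <= created <= max_time and algo in KNOWN_ALGOS


def v4_fingerprint(public_body):
    """SHA-1 over 0x99, a two-octet length and the public key packet body."""
    data = b"\x99" + len(public_body).to_bytes(2, "big") + public_body
    return hashlib.sha1(data).hexdigest().upper()


def carve(buf, max_time=None):
    """Return one dict per candidate key packet found anywhere in buf."""
    if max_time is None:
        max_time = int(time.time()) + 86400   # tolerate a day of clock skew
    hits = []
    for pos in range(len(buf)):
        header = parse_header(buf, pos)
        if header is None or header[0] not in KEY_TAGS:
            continue
        tag, hlen, blen = header
        body = buf[pos + hlen:pos + hlen + blen]
        if len(body) != blen or not plausible_key_body(body, max_time):
            continue
        fpr = None
        # Only V4 public key packets: for secret keys the public part would
        # first have to be delimited by walking the MPIs.
        if tag == 6 and body[0] == 4 and blen < 65536:
            fpr = v4_fingerprint(body)
        hits.append({
            "offset": pos,
            "kind": KEY_TAGS[tag],
            "format": "new" if buf[pos] & 0x40 else "old",
            "length": hlen + blen,
            "fingerprint": fpr,
            "keyid": fpr[-16:] if fpr else None,  # low 64 bits of the fingerprint
        })
    return hits


def constructed_sample():
    """Constructed test buffer: toy RSA-shaped bodies, not real key material."""
    body = bytes([4]) + (1380000000).to_bytes(4, "big") + bytes([1])
    body += b"\x00\x10\xc3\x05" + b"\x00\x11\x01\x00\x01"   # toy MPIs n and e
    old_pub = b"\x99" + len(body).to_bytes(2, "big") + body
    decoy = b"\x99\x00\x05junk!"              # right tag octet, implausible body
    new_pub = bytes([0xC6, len(body)]) + body
    new_sec = bytes([0xC5, len(body)]) + body
    return b"\x00" * 7 + old_pub + decoy + new_pub + new_sec + b"\xff\xff"


if __name__ == "__main__":
    for hit in carve(constructed_sample()):
        print(hit)
```

The same body carved from an old-format and a new-format header yields the same fingerprint, because the hash input always uses the 0x99 prefix regardless of how the packet was framed on disk.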




Re: random_seed - no locks available

2013-05-01 Thread Peter Pentchev
On Wed, May 01, 2013 at 03:44:09PM +0300, Peter Pentchev wrote:
> On Mon, Apr 29, 2013 at 09:29:58PM +, Henry Hertz Hobbit wrote:
> > On 04/29/2013 02:43 PM, M Russell wrote:
> > > Hello,
> > > 
> > > I hope someone might be able to lend me a hand.  I am running
> > > into an error message that I resolve.  I get a lock error when
> > > trying to encrypt or decrypt a file.  I found other forums
> > > that suggest deleting the random_seed file and killing the rpm
> > > process, but I don't have a rpm process running.  Renaming the
> > > file allowed the system to recreate the random_seed file, but
> > > the error persists.  I have noticed the file size is 0 which
> > > would be appropriate since the file cannot be locked.  An
> > > strace shows the error message, but it doesn't appear to point
> > > anything else out.  A lsof doesn't show the file is open.  I'm
> > > not sure where else to look.  Has anyone seen this and have any
> > >  suggestions?
> > > 
> > > I'm running centos 6.2, gnupg 2.0.14, libgcrypt 1.4.5
> > > 
> > > can't lock `/home/mruss/.gnupg/random_seed': No locks available
> > > note: random_seed file not updated
> > > 
> > > 
> > > open("/home/mruss/.gnupg/random_seed", O_RDONLY) = 10
> > > fcntl(10, F_SETLK, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = -1 ENOLCK (No locks available)
> > > open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
> > > open("/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
> > > open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
> > > open("/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
> > > open("/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
> > > open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
> > > write(2, "can't lock `/home/mruss/.gnupg/random_seed': No locks available\n", 68) = 68
> > > close(10)   = 0
> > 
> > Note that random_seed is opened RDONLY.  The lock is just for
> > reading and it is non-blocking.  Why it should be there at
> > all when you are really locking nothing (len=0) is a bit of
> > a mystery.  The length was probably set from a file stat.
> 
> Werner already replied on this one - len == 0 has a special meaning and
> should indeed be correct here.
> 
> > There are basically three reasons for errno to be set to ENOLCK:
> > 
> > 1. You are out of lock table space (most likely).  Closing down
> >    everything and then rebooting is perhaps the best way to
> >    return sanity to the world.
> > 
> > 2. You have too many segment lockdowns.  What segments?
> >    Notice that the length is zero.
> > 
> > 3. Something like an NFS system problem.  That probably is not
> >    applicable.
> 
> Actually this would be my first question to the original poster - is
> there any chance that your home directory is remotely mounted using NFS
> or some other remote filesystem protocol for which your kernel does not
> really support file locking?  (I have seen quite some usage of user home
> directories exported via NFS in shared environments, e.g. universities)
> 
> If it is NFS, you might want to look into enabling file locking using
> something like the "nfslock" service, rpc.lockd or something similar on
> both the client and the server, just in case.

Just in case it wasn't clear, by "you" in these two paragraphs I am
referring to the original poster, M Russell, and not to Henry Hertz
Hobbit.

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@freebsd.org p.penc...@storpool.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
If there were no counterfactuals, this sentence would not have been paradoxical.




Re: random_seed - no locks available

2013-05-01 Thread Peter Pentchev
On Mon, Apr 29, 2013 at 09:29:58PM +, Henry Hertz Hobbit wrote:
> On 04/29/2013 02:43 PM, M Russell wrote:
> > Hello,
> > 
> > I hope someone might be able to lend me a hand.  I am running
> > into an error message that I resolve.  I get a lock error when
> > trying to encrypt or decrypt a file.  I found other forums
> > that suggest deleting the random_seed file and killing the rpm
> > process, but I don't have a rpm process running.  Renaming the
> > file allowed the system to recreate the random_seed file, but
> > the error persists.  I have noticed the file size is 0 which
> > would be appropriate since the file cannot be locked.  An
> > strace shows the error message, but it doesn't appear to point
> > anything else out.  A lsof doesn't show the file is open.  I'm
> > not sure where else to look.  Has anyone seen this and have any
> >  suggestions?
> > 
> > I'm running centos 6.2, gnupg 2.0.14, libgcrypt 1.4.5
> > 
> > can't lock `/home/mruss/.gnupg/random_seed': No locks available
> > note: random_seed file not updated
> > 
> > 
> > open("/home/mruss/.gnupg/random_seed", O_RDONLY) = 10
> > fcntl(10, F_SETLK, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = -1 ENOLCK (No locks available)
> > open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
> > open("/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
> > open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
> > open("/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
> > open("/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
> > open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
> > write(2, "can't lock `/home/mruss/.gnupg/random_seed': No locks available\n", 68) = 68
> > close(10)   = 0
> 
> Note that random_seed is opened RDONLY.  The lock is just for
> reading and it is non-blocking.  Why it should be there at
> all when you are really locking nothing (len=0) is a bit of
> a mystery.  The length was probably set from a file stat.

Werner already replied on this one - len == 0 has a special meaning and
should indeed be correct here.

> There are basically three reasons for errno to be set to ENOLCK:
> 
> 1. You are out of lock table space (most likely).  Closing down
>    everything and then rebooting is perhaps the best way to
>    return sanity to the world.
> 
> 2. You have too many segment lockdowns.  What segments?
>    Notice that the length is zero.
> 
> 3. Something like an NFS system problem.  That probably is not
>    applicable.

Actually this would be my first question to the original poster - is
there any chance that your home directory is remotely mounted using NFS
or some other remote filesystem protocol for which your kernel does not
really support file locking?  (I have seen quite some usage of user home
directories exported via NFS in shared environments, e.g. universities)

If it is NFS, you might want to look into enabling file locking using
something like the "nfslock" service, rpc.lockd or something similar on
both the client and the server, just in case.

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@freebsd.org p.penc...@storpool.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
This sentence contradicts itself - or rather - well, no, actually it doesn't!




Re: Fingerprint of the subkey just created?

2013-04-05 Thread Peter Pentchev
On Thu, Apr 04, 2013 at 05:36:46PM -0400, ved...@nym.hush.com wrote:
> Daniel Kahn Gillmor dkg at fifthhorseman.net
> wrote on Thu Apr 4 22:56:50 CEST 2013 :
> 
> >gpg will emit the fingerprints for the subkeys if you supply the
> --fingerprint argument twice.  So you might try parsing the output of:
> 
>  gpg --list-keys --with-colons --fingerprint --fingerprint
> --fixed-list-mode $PGPID
> 
> -
> 
> It's even enough to just do:
> 
> gpg --fingerprint --fingerprint
> 
> and gnupg will list the keys and subkeys each with their short id followed by 
> a line
> Key fingerprint  with the fingerprint

If *you* want to see the fingerprint, that's fine.  If you want to
write a *program* that needs the fingerprint, then --with-colons is
pretty much mandatory, since it avoids all the issues of changing
messages, localized messages, weird characters that might be mistaken
for parts of messages, etc.

Of course, for writing programs that interface with GnuPG, it's best
to go all the way and use GPGME, but for some simple tasks the output
of --with-colons is exactly right.

I didn't know about --fixed-list-mode; thanks!

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@freebsd.org p.penc...@storpool.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
If wishes were fishes, the antecedent of this conditional would be true.




Re: Posting rules for the gnupg-devel@ mailing list

2011-09-20 Thread Peter Pentchev
On Tue, Sep 20, 2011 at 06:31:44PM +0200, Luca Capello wrote:
> Hi there!
> 
> Please Cc: me, I am not subscribed to the list.
> 
> I found what I think is a bug in gpg-agent (the environment file should
> be deleted when quitting), please see:
> 
>   <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642021>
>   <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642012#17>
> 
> Yesterday, after having patched gpg-agent and extensively tested my
> (very simple) patch, I sent it to the gnupg-devel@ mailing list, but I
> still fail to see it appearing on the archives:
> 
>   Subject: [PATCH] Remove the environment file when quitting.
>   Date: Mon, 19 Sep 2011 20:33:13 +0200
>   Message-Id: <1316457193-26043-1-git-send-email-l...@pca.it>
>   X-Mailer: git-send-email 1.7.6.3
> 
> While I know that my email was accepted, I have not received any
> error/moderation message:
> =
> Sep 19 20:33:27 clio postfix/smtp[2929]: 5D125CE980: to=, \
>  relay=ns1.u64.de[217.69.77.222]:25, delay=6.4, delays=0.01/0.01/6.2/0.12, \
>  dsn=4.0.0, status=deferred (host ns1.u64.de[217.69.77.222] said: \
>  451-151.1.160.141 is not yet authorized to deliver mail from  \
>  to 451 . Please try later. (in reply to RCPT TO command))
> Sep 19 20:42:49 [...] status=deferred [...]
> Sep 19 20:52:49 [...] status=deferred [...]
> Sep 19 21:12:49 [...] status=deferred [...]
> Sep 19 21:52:50 clio postfix/smtp[14485]: 5D125CE980: to=, \
>  relay=ns1.u64.de[217.69.77.222]:25, delay=4769, delays=4763/0.01/5.1/0.81, \
>  dsn=2.0.0, status=sent (250 OK id=1R5jta-0006Hh-CE)
> =
> 
> Should I subscribe to the gnupg-devel@ mailing list to post?  Can this
> information be added to the listinfo page, please?

Not necessarily.  I believe that this is just greylisting in action -
http://en.wikipedia.org/wiki/Greylisting

In short, if your mailserver is well-behaved and retransmits the message
within a reasonable timeframe (usually a couple of hours would be enough,
although most mailservers will retry in less than an hour), the gnupg.org
server will accept your message and everything will be just fine.

Of course, the gnupg.org mail admins are free to jump in and correct me :)

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@freebsd.org pe...@packetscale.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
If there were no counterfactuals, this sentence would not have been paradoxical.




Re: Which release should we be using?

2011-08-26 Thread Peter Pentchev
On Fri, Aug 26, 2011 at 01:41:41PM -0700, Doug Barton wrote:
> Actually I think https://www.xkcd.com/936/ says it better. :)

Yep, I was just going to comment that it's obvious that Randall Munroe
reads this list :)

> On 08/26/2011 11:08, David Tomaschik wrote:
> > On Fri, Aug 26, 2011 at 12:31 PM, Faramir  wrote:
> >> El 26-08-2011 12:35, Aaron Toponce escribió:
> >> ...
> >>> Also, 62-character passphrase might be a bit extreme, giving you a
> >>> false-sense of security. Using a truly random sequence of characters
> >>> from the 94-printable ASCII pool of characters, a 12-character
> >>> passphrase provides you with about 78-bits of entropy. If you think
> >>
> >>  According to keepass strength measurer, you can get more than 128 bits
> >> with just 30 characters (including some symbols of course).
> >>
> >>  Usually we want strong passphrases to keep things safe while stored on
> >> not-so-safe places, like attached to an email message on a mail server.
> >>
> >>  Best Regards
> > 
> > I really like KeePass, but the strength measure it provides is nearly
> > meaningless.  It assumes 8 bits of entropy per symbol, which is, as
> > Aaron pointed out, wrong.  Suggested readings:
> > https://secure.wikimedia.org/wikipedia/en/wiki/Entropy_%28information_theory%29,
> > https://secure.wikimedia.org/wikipedia/en/wiki/Password_strength and
> > NIST publication 800-63.

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@freebsd.org pe...@packetscale.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
I had to translate this sentence into English because I could not read the 
original Sanskrit.




Re: How do I list all recipient of a message (including myself)?

2011-05-12 Thread Peter Pentchev
On Thu, May 12, 2011 at 06:11:14AM +0200, Jerome Baum wrote:
> On Thu, May 12, 2011 at 04:49, li...@mgreg.com  wrote:
> >
> > I am writing an application in which I need to know if a GnuPG encrypted
> > message was sent to me.  It seems that whenever you list the recipients of a
> > message it will list every recipient but you -- even if you're one of them.
> >  Surely there's a way to reveal whether or not you're one of those
> > recipients...?
> >
> 
> There doesn't seem to be a with-colons version of this, but it's a start:
> 
> $ gpg -vv --list-only cron.log.gpg

Well, there's always gpg --list-packets --with-colons, which outputs
something like:

:pubkey enc packet: version 3, algo 1, keyid 08D014DED0B337AA
    data: [4095 bits]
:pubkey enc packet: version 3, algo 16, keyid 921EB6497074473C
    data: [1024 bits]
    data: [1021 bits]
:encrypted data packet:
    length: 69
    mdc_method: 2
:compressed packet: algo=2
:literal data packet:
    mode b (62), created 1305194688, name="foo.txt",
    raw data: 4 bytes

...so just look for the "pubkey enc packet" lines, get the key IDs and
possibly pass them through another round of "gpg --list-keys --with-colons"
or something.

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@freebsd.org pe...@packetscale.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
If I were you, who would be reading this sentence?
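
The approach from the message above, as an added example that is not part of the original thread: pull the key IDs out of the "pubkey enc packet" lines and compare them with the IDs of your own secret keys and subkeys. The function names, the third (hidden-recipient) packet and the colon listing are constructed for illustration; the demo assumes that 08D014DED0B337AA is one of your own encryption subkeys.

```python
import re

# `gpg --list-packets` output. The first two packets are the ones quoted in the
# message above; the third is constructed to show a hidden recipient (an
# all-zero key ID, which is what appears when the sender hid the key IDs).
LIST_PACKETS_OUTPUT = """\
:pubkey enc packet: version 3, algo 1, keyid 08D014DED0B337AA
\tdata: [4095 bits]
:pubkey enc packet: version 3, algo 16, keyid 921EB6497074473C
\tdata: [1024 bits]
\tdata: [1021 bits]
:pubkey enc packet: version 3, algo 1, keyid 0000000000000000
\tdata: [2047 bits]
:encrypted data packet:
\tlength: 69
\tmdc_method: 2
"""

# Constructed `gpg --list-secret-keys --with-colons` output. Only the record
# type (field 1) and the long key ID (field 5) matter here. Messages are
# encrypted to the encryption *subkey*, so the "ssb" records must be included.
OWN_KEYS_COLONS = """\
sec:u:4096:1:1111111111111111:1305190000:::u:::scSC:
uid:u::::1305190000::::Example User <user@example.org>:
ssb:u:4096:1:08D014DED0B337AA:1305190000::::::e:
"""

HIDDEN = "0" * 16

PKESK_RE = re.compile(
    r"^:pubkey enc packet: version \d+, algo \d+, keyid ([0-9A-Fa-f]{16})\s*$"
)


def recipient_key_ids(list_packets_output):
    """Return the key IDs of all public-key encrypted session key packets."""
    ids = []
    for line in list_packets_output.splitlines():
        match = PKESK_RE.match(line)
        if match:
            ids.append(match.group(1).upper())
    return ids


def secret_key_ids(colon_listing):
    """Return the long key IDs of all secret primary keys and subkeys."""
    ids = set()
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("sec", "ssb") and len(fields) > 4 and fields[4]:
            ids.add(fields[4].upper())
    return ids


def classify_recipients(list_packets_output, own_ids):
    """Split the recipients into our keys, other keys and hidden recipients.

    A hidden recipient carries no usable key ID, so "am I a recipient?" can
    only be ruled out when the hidden count is zero; otherwise a trial
    decryption is the only way to find out.
    """
    recipients = recipient_key_ids(list_packets_output)
    return {
        "mine": [k for k in recipients if k in own_ids],
        "others": [k for k in recipients if k not in own_ids and k != HIDDEN],
        "hidden": sum(1 for k in recipients if k == HIDDEN),
    }


if __name__ == "__main__":
    result = classify_recipients(LIST_PACKETS_OUTPUT,
                                 secret_key_ids(OWN_KEYS_COLONS))
    print(result)
```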




Re: --s2k-count: correct value in config file needed?

2011-04-18 Thread Peter Pentchev
On Mon, Apr 18, 2011 at 01:05:03PM +0200, Hauke Laging wrote:
> Hello,
> 
> is the value of --s2k-count written to the key somehow? If not, can you use a 
> key only if the correct value is given in the config file (or command line)? 
> Does a key become kind of useless if you have forgotten the value which was 
> used during the last passphrase change?

For questions like this, it's always best to look at the authoritative
source for the format of various OpenPGP data - RFC 4880 :)  From the way
I read section 5.5.3 (Secret-Key Packet Formats) and then Section 3.7.1
(String-to-Key (S2K) Specifier Types) it would seem that the answer to your
question is yes, the S2K count is stored in the secret key packet.

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@freebsd.org pe...@packetscale.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
The rest of this sentence is written in Thailand, on
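
What the S2K specifier from RFC 4880 section 3.7.1 looks like when decoded, as an added example that is not part of the original message: the iteration count travels inside the specifier as a single coded octet, so nothing from the config file is needed to use the key later. The function names and the sample specifier bytes are constructed for illustration.

```python
# Hash algorithm IDs from RFC 4880 section 9.4.
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}

EXPBIAS = 6  # constant from RFC 4880 section 3.7.1.3


def decode_count(coded):
    """Expand the one-octet coded count into the real iteration count."""
    if not 0 <= coded <= 255:
        raise ValueError("coded count must fit in one octet")
    return (16 + (coded & 15)) << ((coded >> 4) + EXPBIAS)


def encode_count(iterations):
    """Return the smallest coded octet whose count is >= iterations.

    Only 256 counts are representable, which is why a requested value is
    rounded up to the next legal one before it is written into the key.
    """
    for coded in range(256):
        if decode_count(coded) >= iterations:
            return coded
    raise ValueError("iteration count too large to encode")


def parse_s2k(data):
    """Parse an S2K specifier; return (fields, number of octets consumed)."""
    if len(data) < 2:
        raise ValueError("truncated S2K specifier")
    kind, hash_id = data[0], data[1]
    spec = {"type": kind,
            "hash": HASH_NAMES.get(hash_id, "unknown(%d)" % hash_id)}
    if kind == 0:                      # simple S2K: hash only
        return spec, 2
    if kind not in (1, 3):
        raise ValueError("unsupported S2K type %d" % kind)
    needed = 10 if kind == 1 else 11   # salted / iterated and salted
    if len(data) < needed:
        raise ValueError("truncated S2K specifier")
    spec["salt"] = bytes(data[2:10])
    if kind == 3:
        spec["count"] = decode_count(data[10])
    return spec, needed


# Constructed specifier: iterated and salted (type 3), SHA1, an 8-octet salt,
# coded count 0x60.
SAMPLE_S2K = bytes.fromhex("03" "02" "0102030405060708" "60")

if __name__ == "__main__":
    fields, used = parse_s2k(SAMPLE_S2K)
    print(fields, used)
    print("range:", decode_count(0), "to", decode_count(255))
```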




Re: GPG not retrieving keys when verifying

2011-04-18 Thread Peter Pentchev
On Sun, Apr 17, 2011 at 05:20:37PM +0200, Martin Gollowitzer wrote:
> * Todd A. Jacobs  [110417 17:14, 
>   mID ]:
> 
> > I'm not sure how I'm supposed to get GPG to automatically retrieve
> > keys for signatures when validating a key. I'm currently running:
> > 
> > gpg --keyserver-options auto-key-retrieve -kvv FBB75451
> > 
> > which doesn't do what I expect. I get a whole bunch of [User ID not
> > found] messages, when what I expected was that keys matching those
> > signatures would be retrieved from the keyserver.
> > 
> > What am I doing wrong here?
> 
> The auto-key-retrieve option is for signatures made on content, not on
> keys. AFAIK there is no option for automatically retrieving all keys
> that signed a key.

...and you really, *really*, REALLY don't want to do this automatically
and recursively :) (okay, so you fetch the keys that signed this key, now
what about the signatures on them - do you fetch them too? and the sigs
on those again? when do you stop?)

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@freebsd.org pe...@packetscale.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
Nostalgia ain't what it used to be.




[OT] passphrases Was: Re: Allowing paste into pinentry-gtk-2?

2011-04-16 Thread Peter Pentchev
On Fri, Apr 15, 2011 at 11:47:34PM -0700, Todd A. Jacobs wrote:
> Currently, it looks like pinentry-gtk-2 (I'm using 0.8.0) doesn't allow
> pasting from the clipboard. This is annoying, because a truly long,
> randomized password is not practical to type into a hidden dialog box. It
> really seems like pinentry forces one to use short, insecure passwords.

Uhm, somewhat off-topic (so marked in the subject line), and... I really
don't want to start a flamewar here, but there really, really *is* a bit
of a middle ground between a "short, insecure passphrase" and a "long,
randomly-generated one that simply must be copy/pasted" - namely, a
long, non-randomly generated one that can be written out "by hand" :)
Mine, for instance, is over 30 characters long and, while it is derived
from a couple of phrases, none of its components would be found by any
reasonable brute-force or even dictionary attack, even by people who
know me (please note that I did say "reasonable" WRT resources).

> One
> supposes there is a trade-off in security here, but I'm more concerned about
> brute-force attacks on the passphrase than I am about someone sniffing the
> clipboard--it seems that if they have access to my clipboard, they can
> probably log my keystrokes, anyway, right? So offline attacks against the
> key's passphrase seem more likely.
> 
> So, I really have two questions. First, is it possible to force pinentry
> dialogs to allow pasting from the clipboard? Secondly, is it possible to
> force the CLI to use an alternate pinentry (say, pinentry-curses) or some
> other method to populate an existing gpg-agent with a cached passphrase?

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@freebsd.org pe...@packetscale.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
If this sentence were in Chinese, it would say something else.




Re: Keyservers

2011-03-21 Thread Peter Pentchev
On Mon, Mar 21, 2011 at 07:46:55AM +0100, Martin Gollowitzer wrote:
> Hi,
> 
> * Remco Rijnders  [110321 07:35, 
>   mID <412.a...@winter.webconquest.com>]:
> 
> > While I fully agree on bottom posting being preferred, I wonder if it's 
> > not a lost battle already. People quoting 'properly' are in such a 
> > minority that I don't think this can be changed around anymore. Of course, 
> > some fora will still be the exception to this, but I fear they will become 
> > less and less in number. Most of the guides on proper netiquette date from 
> > the previous century too and people don't seem interested anymore in doing 
> > things properly.
> 
> This depends very much on the people you communicate with. People in the
> Free Software area tend to do it "right" because when they start to use
> e-mail regularly with others in this area, they are usually being asked
> to use "proper" style :) I started with Free Software in the 21st
> century and still learned to not use full quotes and top posting. The
> first time I realized that proper e-mail style is useful was when I
> started to read more mailinglists with rather high message volumes – you
> just can keep a better overview with "correct" quoting :)
> 
> Martin
> 
> p.s. Even some of my non-techie friends realized the advantage of this
>  style after a short explanation ;) The real problem is actually MS
>  Outlook and its default settings.

And (as pointed out even on this thread), lately, also GMail and
its default settings.

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@freebsd.org pe...@packetscale.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
because I didn't think of a good beginning of it.




Re: Compression used in an encrypted message

2011-03-11 Thread Peter Pentchev
On Fri, Mar 11, 2011 at 12:50:26PM -0500, Avi wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
> 
> Forgive my ignorance, but is there a way to take a given
> encrypted message/file and determine which compression algorithm
> was used (and which level)? I know how to set compression
> algorithm and level prefs, but I'm curious to see what others
> use, if possible.

If the file has been encrypted to you (or, more specifically, to
one of the secret keys currently accessible to you), then, yes, you
most probably can - "gpg --list-packets filename" should tell you
what compression algorithm has been used, then it's just a matter of
looking it up in RFC 4880 :)

If the message has been encrypted to someone else's key, then you
most probably won't be able to examine it - at least GnuPG does
the compression before the encryption, so that the information about
the compression algorithm used is contained within the encrypted data.
You may still give it a shot with --list-packets, but don't expect
too much :)

Hope that helps.

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@freebsd.org pe...@packetscale.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
This sentence contains exactly threee erors.




Re: non-exportable OpenPGP certifications [was: Re: hashed user IDs ]

2011-03-11 Thread Peter Pentchev
On Fri, Mar 11, 2011 at 09:08:50PM +1100, Ben McGinnes wrote:
> On 11/03/11 6:50 PM, Daniel Kahn Gillmor wrote:
> > On 03/11/2011 01:44 AM, Ben McGinnes wrote:
> >> Ah, this is what I've been looking around for!  For the sake of the
> >> archives, how does one provide a non-exportable certification?
> >> Obviously the export flag won't cut it.
> > 
> > non-exportable OpenPGP certifications are also known as "local"
> > certifications.
> > 
> > To make a non-exportable OpenPGP certification, use:
> > 
> >  gpg --lsign-key fr...@example.net
> 
> This bit I knew and have used sporadically, good to know that you were
> referring to what I assumed, though.
> 
> > To put that in a file:
> > 
> >  gpg --export-options export-local --export --armor fr...@example.net \
> > > frida.gpg
> > 
> > Then the receiving party does:
> > 
> >  gpg --import-options import-local --import < frida.gpg
> 
> Oh, excellent.  Just one little clarification; the man page lists the
> parameters as export-local-sigs and import-local-sigs, does shortening
> it the way you have work or does the full option name need to be used?

All the GnuPG command-line commands and options may be abbreviated to
a unique, unambiguous starting part of their names.  Try gpg --clearsi
or gpg --cl, for instance :)

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@freebsd.org pe...@packetscale.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
I've heard that this sentence is a rumor.




Re: How to send encrypted data in an xml file

2010-11-09 Thread Peter Pentchev
On Mon, Nov 08, 2010 at 04:02:27PM -0500, David Jourard wrote:
> Hi,
> 
> I would like to encrypt a value to a field which is part of data record
> which I'm storing as an xml record.
> 
> It seems that the ascii armour representation has line feeds. Is it
> possible to represent the data in ascii format without the line feeds.

The ASCII-armoured message format is defined in section 6 of RFC 4880;
it always includes newlines.

Have you thought about including the ASCII-armoured signature in
a CDATA section of your XML file?  Or, alternatively, "simply" encoding
the line break characters as 
 and 
 as specified in section 2.11
of the XML 1.0 specification?

If neither of those is possible, you could always try to encode
the signature in some other way - e.g. take a binary signature and represent
the string of octets as text in some way... of course, that would mean
the recipient would have to know exactly how to decode it.

G'luck,
Peter

-- 
Peter Pentchev  r...@space.bgr...@ringlet.netr...@freebsd.org
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
If you think this sentence is confusing, then change one pig.




Re: batch file automation -Nearly There!

2010-10-08 Thread Peter Pentchev
On Fri, Oct 08, 2010 at 12:24:17AM +0100, Lee Elcocks wrote:
[snip]
> ECHO bingos| GPG --batch -se --passphrase-fd 0 -r PGPTOKEY -o 
> "C:\encryptedfiles\%F.pgp"

Erm... on this line, where are you telling GPG to actually encrypt the %F file?

G'luck,
Peter

-- 
Peter Pentchev  r...@space.bgr...@ringlet.netr...@freebsd.org
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
This sentence contains exactly threee erors.




Re: Encryption with no recipient

2010-08-31 Thread Peter Pentchev
On Tue, Aug 31, 2010 at 05:43:06AM -0400, Ted Rolle Jr. wrote:
> Is there an option to use symmetric ciphers to encrypt a file with no
> recipient?
> --no-encrypt-to doesn't do this.
> I want to encrypt a file with no recipient.

Is "gpg -c filename" (or "gpg --symmetric filename") useful to you?

G'luck,
Peter

-- 
Peter Pentchev  r...@space.bgr...@ringlet.netr...@freebsd.org
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
Hey, out there - is it *you* reading me, or is it someone else?




Re: setuping local/standalone keyserver

2010-07-20 Thread Peter Pentchev
On Tue, Jul 20, 2010 at 12:50:53PM +0530, Prasanth Thandra wrote:
> Hi,
> i configured gnupg 2.0.15 on RHEL4 which is a mailserver.
> i am able to generate keypairs.
> now i want to setup a keyserver either on localhost or as a standalone.
> please let me know how to do the same.

Start from http://code.google.com/p/sks-keyserver/
I don't know if anybody has made an RPM of that; probably somebody has,
but I'm not familiar enough with the various RPM distribution channels
to check :)

G'luck,
Peter

-- 
Peter Pentchev  r...@space.bgr...@ringlet.netr...@freebsd.org
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
What would this sentence be like if pi were 3?




Re: Decrypting file encrypted for multiple recipients using a given ID?

2010-07-12 Thread Peter Pentchev
On Mon, Jul 12, 2010 at 08:30:25AM +0200, Remco Rijnders wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Dear all,
> 
> I have a file encrypted to two different User ID's, both for which I
> have the public keys as well as the secret key. When I try to decrypt
> the file, it always prompts me for the passphrase of user A, while I'd
> like to decrypt it using the passphraseless key of user B.
> 
> I've tried various combinations of -u with and without exclamation mark,
> but without success. How can I specify that the key of user B should be
> used?

A possible workaround would be to create a separate secret keyring that
only contains user B's secret key.  I agree, it's not perfect, and it would
entail explicitly specifying "--no-default-keyring --secret-keyring ..."
and maybe also "--keyring ...".

Alternatively, you could create a different ~/.gnupg/ directory and
symlink all files *but* the secret keyring to your "real" ~/.gnupg/, then
create a minimalistic secret keyring there containing only user B's key.
This would mean setting GNUPG_HOME each time you want to use this keyring,
so it's still not perfect.

It's quite possible that there are simpler ways, I just can't think of them
right now :)

G'luck,
Peter

-- 
Peter Pentchev  r...@space.bgr...@ringlet.netr...@freebsd.org
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
Do you think anybody has ever had *precisely this thought* before?




Re: Digitally Sign a key

2010-06-30 Thread Peter Pentchev
On Wed, Jun 30, 2010 at 03:12:06PM +0530, Rahul R wrote:
> Hi GPG Experts,
> 
> I have a request from one of my clients that they need me to digitally sign
> their files in my server with my gpg key after encrypting it with their key.
> I am not familiar with this. ie encrypting a file with a key and digitally
> sign it with another key.
> 
> The process that we are trying to perform is to encrypt the file with the
> customer’s public key and then sign the file with our private key.
> 
> Can any body from this group help me in finding a way?

Take a look at the gpg2 documentation - the manual page says and even has
an explicit example of using both the -s and the -e options:

   gpg -se -r Bob file
  sign and encrypt for user Bob

Of course, you can point to a more specific recipient's key by giving either
an e-mail address or, better yet, a key ID instead of "Bob" to the -r option;
and you can specify which key to sign with using the -k option if you have
more than one secret key on the GnuPG installation where you're running this.

Hope this helps.

G'luck,
Peter

-- 
Peter Pentchev  r...@space.bgr...@ringlet.netr...@freebsd.org
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
If you think this sentence is confusing, then change one pig.




Re: Encryption to key with multiple subkeys

2010-05-13 Thread Peter Pentchev
On Wed, May 12, 2010 at 02:59:44AM +0200, Joke de Buhr wrote:
> On Wednesday 12 May 2010 02:08:27 Daniel Kahn Gillmor wrote:
> > yup, i think this is a good argument for your proposed behavior.  what i
> > haven't seen yet (haven't thought through yet) is what the
> > counter-arguments might be.
> 
> One possible argument against it could be the increased size of the encrypted 
> message. But the size of an email isn't that important nowadays and if size 
> matters the user should set a compression (bzip2) algorithm within the key 
> settings.

Just for the record: no, the encrypted message will not be much larger.

The way OpenPGP encryption works is that a new, random, once-only
session key is generated each time you want to encrypt a message to one
or more recipients; the message itself is encrypted using a symmetric
algorithm, and only the session key is encrypted using the asymmetric
algorithm specified by the users' OpenPGP encryption keys.  Thus, only
the session key (a couple of hundred bytes at most, and usually just
a couple of dozens of bytes) will be encrypted over and over again
for each recipient's encryption key - and, in the case discussed, for
each encryption subkey of each recipient's key.

Well, of course, if you're encrypting a single-byte message,
the overhead might be detectable... :)

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.netr...@space.bgr...@freebsd.org
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
If the meanings of 'true' and 'false' were switched, then this sentence 
wouldn't be false.




Re: Restarting gpg-agent

2010-03-15 Thread Peter Pentchev
On Sun, Mar 14, 2010 at 10:16:00PM +0100, Michel Messerschmidt wrote:
> On Sun, Mar 14, 2010 at 12:24:14PM -0700, James Moe wrote:
> > Hello,
> >   opensuse v11.2, linux 2.6.31.12-0.1-desktop x86_64, gpg v2.0.12.
> >   The docs at <http://www.gnupg.org/> cover starting gpg-agent pretty
> > well. What is missing is how to re-start it.
> >   If gpg-agent is terminated for some reason, or the system is booted,
> > the file <.gpg-agent.info> is left behind. Because the file exists, when
> > .bashrc is run it detects the file and does not start gpg-agent.
> >   Is there some way to:
> > 1. Detect if gpg-agent is running. If not, erase <.gpg-agent.info>, or
> > 2. Erase <.gpg-agent.info> at boot time.
> 
> 
> This works for me (in .bashrc):

A good idea, and well written :)  Just one minor thing...

> # start gpg-agent if no running instance is found
> if test -z "${GPG_AGENT_INFO}" ||
>    ! kill -0 `grep GPG_AGENT_INFO ${GA_INFO_FILE} | cut -d: -f 2 -` 2>/dev/null; then

In this way, you risk a false positive if gpg-agent has died (or not
been started at all, but a .gpg-agent.info file has been left over)
and there is another process with the same process ID.  This *can*
happen, whether by random chance at system startup, or by random
chance on a long-running system with PID's wrapping around.
A slightly better (if somewhat more convoluted) way could be
something like:

gpg_agent_pid=''
gpg_agent_running=''
if [ -n "${GPG_AGENT_INFO}" ] && [ -r "$GA_INFO_FILE" ]; then
    gpg_agent_pid=`grep GPG_AGENT_INFO "${GA_INFO_FILE}" | cut -d: -f 2 -`
fi
if [ -n "$gpg_agent_pid" ] &&
   expr "x$gpg_agent_pid" : 'x[0-9]*$' > /dev/null; then
    if pgrep gpg-agent | fgrep -qw "$gpg_agent_pid" > /dev/null; then
        gpg_agent_running='1'
    fi
fi

if [ -n "$gpg_agent_running" ]; then

    ...

fi

Please don't take this as criticism, just an idea :)  And, of course,
it assumes that the OS has pgrep(1).

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.netr...@space.bgr...@freebsd.org
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
What would this sentence be like if pi were 3?




Re: how to properly verify a signature from a program?

2009-11-25 Thread Peter Pentchev
On Wed, Nov 25, 2009 at 01:44:35PM +0200, Peter Pentchev wrote:
> On Tue, Nov 24, 2009 at 12:16:29PM -0500, David Roundy wrote:
> > Hi all,
> > 
> > I've been searching and searching, and have failed to find any
> > documentation or tutorial that indicates the proper way to verify a
> > signature from a program.  The problem is that I want not to verify
> > that *anyone* signed a message, but rather to verify that *someone in
> > particular* signed it.
> [snip]
> > So far as I can tell, the process for a detached signature is something 
> > like:
> > 
> > gpg --verify sigfile txtfile && echo signature passed
> > 
> > then look at the output (or stderr?) to find out who signed the file,
> > and compare with who was supposed to sign the file.  It is this last
> > step that sounds problematic.  Am I missing something?
> 
> That's pretty much what you should do, with just one addition:
> add --status-fd=1 to the GnuPG command line.
[snip]

And then again, if you're writing in C, C++, or any language that can
invoke routines in a shared library described in a C header file, there
is also another way to do it - use the GPGME (GnuPG Made Easy) library.
It provides functions that will verify a signature and return a list of
signature structures, each of which will contain the fingerprint of
the signing key.

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.netr...@space.bgr...@freebsd.org
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
"yields falsehood, when appended to its quotation." yields falsehood, when 
appended to its quotation.




Re: how to properly verify a signature from a program?

2009-11-25 Thread Peter Pentchev
On Tue, Nov 24, 2009 at 12:16:29PM -0500, David Roundy wrote:
> Hi all,
> 
> I've been searching and searching, and have failed to find any
> documentation or tutorial that indicates the proper way to verify a
> signature from a program.  The problem is that I want not to verify
> that *anyone* signed a message, but rather to verify that *someone in
> particular* signed it.
[snip]
> So far as I can tell, the process for a detached signature is something like:
> 
> gpg --verify sigfile txtfile && echo signature passed
> 
> then look at the output (or stderr?) to find out who signed the file,
> and compare with who was supposed to sign the file.  It is this last
> step that sounds problematic.  Am I missing something?

That's pretty much what you should do, with just one addition:
add --status-fd=1 to the GnuPG command line.  When you do that, gpg
will output something like the following to file descriptor 1 (stdout):

[GNUPG:] SIG_ID eLbkcOT0G/i0ugaTvtB5kkRMJc0 2009-11-25 1259148663
[GNUPG:] GOODSIG 651EEFB02527DF13 Peter Pentchev 
[GNUPG:] VALIDSIG 2EE7A7A517FC124CF115C354651EEFB02527DF13 2009-11-25 1259148663 0 4 0 1 10 01 2EE7A7A517FC124CF115C354651EEFB02527DF13
[GNUPG:] TRUST_ULTIMATE

Of course, the output *will* be different in your case, what with dates,
key ID's and such :)  Also, of course you can use a different value for
the file descriptor (like 2 for stderr, but then this output will be
mixed with the rest of GnuPG's freeform messages), just make sure your
program can read what GnuPG writes to that fd :)

Hope that helps.

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.netr...@space.bgr...@freebsd.org
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
I had to translate this sentence into English because I could not read the 
original Sanskrit.
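
One way to act on the --status-fd output shown above when the question is "did this particular key sign it?", as an added example that is not part of the original messages: decide on the full fingerprint in the VALIDSIG line, never on the name printed after GOODSIG. The function names and the reject policy are assumptions of this sketch; the second and third sample outputs and the fingerprint 0123...4567 are constructed.

```python
import subprocess

PREFIX = "[GNUPG:] "

# Any of these means a signature is bad, unverifiable, expired, or made by an
# expired or revoked key. VALIDSIG can accompany EXPSIG, EXPKEYSIG and
# REVKEYSIG, so VALIDSIG alone is not enough. Assumed policy: reject on any.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Status lines as quoted in the message above.
PAGE_STATUS = """\
[GNUPG:] SIG_ID eLbkcOT0G/i0ugaTvtB5kkRMJc0 2009-11-25 1259148663
[GNUPG:] GOODSIG 651EEFB02527DF13 Peter Pentchev
[GNUPG:] VALIDSIG 2EE7A7A517FC124CF115C354651EEFB02527DF13 2009-11-25 1259148663 0 4 0 1 10 01 2EE7A7A517FC124CF115C354651EEFB02527DF13
[GNUPG:] TRUST_ULTIMATE
"""

# Constructed: a good signature by a different key that carries the same name.
SAME_NAME_OTHER_KEY = """\
[GNUPG:] GOODSIG 89ABCDEF01234567 Peter Pentchev
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2009-11-25 1259148663 0 4 0 1 10 01 0123456789ABCDEF0123456789ABCDEF01234567
"""

# Constructed: the right key, but it had expired when the signature was checked.
EXPIRED_KEY = """\
[GNUPG:] EXPKEYSIG 651EEFB02527DF13 Peter Pentchev
[GNUPG:] VALIDSIG 2EE7A7A517FC124CF115C354651EEFB02527DF13 2009-11-25 1259148663 0 4 0 1 10 01 2EE7A7A517FC124CF115C354651EEFB02527DF13
"""


def parse_status(text):
    """Return (keyword, args) for every machine-readable status line."""
    records = []
    for line in text.splitlines():
        if line.startswith(PREFIX):
            words = line[len(PREFIX):].split()
            if words:
                records.append((words[0], words[1:]))
    return records


def normalize_fpr(fpr):
    """Strip whitespace from a fingerprint and check that it is 40 hex digits."""
    value = "".join(fpr.split()).upper()
    if len(value) != 40 or any(c not in "0123456789ABCDEF" for c in value):
        raise ValueError("expected a 40-hex-digit fingerprint")
    return value


def signed_by(status_text, expected_fpr):
    """True only if a valid signature by expected_fpr exists and none is bad.

    VALIDSIG carries the signing key's fingerprint first and the primary
    key's fingerprint last; either may match, so a signing subkey is accepted.
    """
    expected = normalize_fpr(expected_fpr)
    matched = False
    for keyword, args in parse_status(status_text):
        if keyword in REJECT:
            return False
        if keyword == "VALIDSIG" and args:
            if expected in (args[0].upper(), args[-1].upper()):
                matched = True
    return matched


def verify_detached(sigfile, datafile, expected_fpr):
    """Run gpg as in the message above and apply signed_by() to its status."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd=1", "--verify", sigfile, datafile],
        capture_output=True, text=True)
    return proc.returncode == 0 and signed_by(proc.stdout, expected_fpr)
```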




Re: UI enhancement request

2009-09-03 Thread Peter Pentchev
On Fri, Sep 04, 2009 at 08:32:26AM +0200, Henk M. de Bruijn wrote:
> On Thu, 03 Sep 2009, at 22:26:31 [GMT -0700] (which was 7:26 where I
> live) Joseph Oreste Bruni wrote:
> 
> > Joseph Oreste Bruni wrote:
> >> Here is a UI enhancement request: In the "edit-key" menu, typing "uid
> >> *" selects all UID's. Currently, I have to type "uid #" for every UID
> >> individually. Typing "uid" by itself currently deselects all UID's.
> 
> > I just re-read my post and realized how badly worded it was (verb
> > tense). Correction: I want to be able to type "uid *" and have it select
> > all UID's.
> 
> > This would be in preparation for some global function like changing
> > algorithm preferences, etc.
> 
> I assume that you know that you can select different UID's one after
> another just by pressing the number followed by return/enter and then
> the following UID?

But he still has to issue the same command several times after
selecting each and every UID in turn.  "uid *" could indeed be
a useful feature, although it might be not too easy to implement.

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.netr...@space.bgr...@freebsd.org
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
I am the meaning of this sentence.




Re: gpg -u problem

2009-07-20 Thread Peter Pentchev
On Mon, Jul 20, 2009 at 10:09:03AM +0200, Nix wrote:
> Hello,
> 
> I have a problem with gpg (GnuPG) 1.4.9
> 
> I got three keys. I receive a crypted file and when i want to decrypt gpg
> don't want to use another key than the default.
> 
> i use this command
> 
> gpg -u 5E95FE19 -d 00poap/gpg
> 
> Can you help me plz.

That should be "gpg -k 5E95FE19 -d 00poap/gpg", not "-u".
Either use -u 'Real Name' or -k keyid; in this case, 5E95FE19
is the key ID, not the user ID attached to this key.

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.netr...@space.bgr...@freebsd.org
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
What would this sentence be like if it weren't self-referential?




Re: Any UNIX API for GPG available?

2009-06-24 Thread Peter Pentchev
On Wed, Jun 24, 2009 at 02:21:29AM -0700, littleBrain wrote:
> 
> Does anyone have the UNIX API documentation for GPG?
> 
> Please reply to this thread. That would be very much helpful..

What exactly are you looking for?

If you want to encrypt, decrypt, sign, or verify OpenPGP messages
from a program you are writing, and you want to use GnuPG for
this, you may take a look at the "GnuPG Made Easy" library -
http://www.gnupg.org/related_software/gpgme/

Once you download and install it, there will be a gpgme.info file
which you may examine through any texinfo browser, such as
the "info" or "pinfo" command-line tools.

If that's not what you mean by "UNIX API documentation for GPG",
you'll have to explain a bit better what you are looking for :)

Hope that helps.

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.netr...@space.bgr...@freebsd.org
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
If there were no counterfactuals, this sentence would not have been paradoxical.




Re: gpgshell and gnupg 2.x?

2009-06-04 Thread Peter Pentchev
On Thu, Jun 04, 2009 at 05:21:04PM -0500, John Clizbe wrote:
> Allen Schultz wrote:
> > Couple of questions. Is there a mailing list for gpgshell? 
> 
> Not that I know of.
> 
> > If not, Does GPGShell support gnupg 2.x?
> 
> Maybe? But why should it?
> 
> Everything OpenPGP related is provided by GnuPG 1.4. GnuPG's added X.509
> functions aren't needed by GPGshell.
> 
> There still seems to be this mistaken impression that GnuPG2 is somehow
> "better" that GnuPG 1.4. It's a reimplementation with component
> libraries instead of a single image.

Errr, unless I'm badly mistaken, gpg-agent doesn't come with GnuPG 1.4.x
and to build and use it, you need some of those component libraries.
And, at least for me, gpg-agent is a very, very comfortable and
convenient tool.

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.netr...@space.bgr...@freebsd.org
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
This sentence contradicts itself - or rather - well, no, actually it doesn't!




Checking for interactive shell sessions [Was: Re: Can't enter passphrase in su session.]

2009-05-21 Thread Peter Pentchev
On Thu, May 21, 2009 at 01:19:44PM -0400, Steven W. Orr wrote:
[snip]
> The proper way to deal with this is to:
> 
> * Source in your .bashrc from your .bash_profile
> * Set all of your environment variables in your .bash_profile
> * Check in your .bashrc to see if PS1 is set. If not then you are not in 
> an interactive session and you need to set critical environment variables. 

Just BTW, a *much* more reliable way to check for an interactive
session, which will not fail in many common cases (PS1 set in system-wide
config files, PS1 also set in .bashrc, PS1 set in the environment of
the calling shell, etc.), is the following:

# First, set up all variables for both interactive and non-interactive
# sessions.
# Then, do this:
case "$-" in
    *i*)
        echo 'Setting up interactive shell params..'
        stty erase ^H
        ;;
    *)
        # Non-interactive session, better don't output anything
        something_or_other=foo
        ;;
esac

Of course, substitute your own commands for the "stty" and the assignment :)

Bear in mind that this only applies to Bourne-style shells;
for tcsh, you might need to resort to testing for ($?prompt), indeed.

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@space.bg r...@freebsd.org
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
What would this sentence be like if pi were 3?




Re: How easy would it be to create (and prevent the creation of) a fake pinentry?

2009-04-29 Thread Peter Pentchev
On Wed, Apr 29, 2009 at 03:31:51PM +0200, Raimar Sandner wrote:
> On Wednesday 29 April 2009 12:09:02 Olivier Mehani wrote:
> 
> > Let me explain: having several background-ish applications making use of
> > the agent, it happens that the pinentry sometimes pops out when the
> > passphrase cache has expired. One of my first concerns is that there's
> > no way to identify which application actually needs to use my PGP key.
> > This one seems to be partially addressed in [0], as the application
> > could set the title of the pinentry program.
> 
> The pinentry should only pop up when the application actually needs the key
> to do something. If pinentry pops up without you doing something that requires
> your secret key, you should be worried.

...like, for example, your OpenPGP-powered Jabber client suddenly
needing to reconnect after something happened to the network and
you simply didn't notice? :>

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@space.bg r...@freebsd.org
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
Hey, out there - is it *you* reading me, or is it someone else?




Re: Further thoughts on Windows Install

2009-04-22 Thread Peter Pentchev
On Wed, Apr 22, 2009 at 11:38:55AM -0400, Faramir wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> 
> > What's wrong with just --export ing the public/private keys, and 
> > importing them into win2000?
> 
>   Well, if he does it that way, he would have to re-download the keys of
> his contacts again...

No.  That's what --export does by default.  He would just have to
add --export-secret-keys to *also* get his own secret keys :)

> ...and set the trust level for each one again...

No.  That's what --export-ownertrust does.

> If he keeps both his pubring and trustdb, he doesn't need to re do all that.

Yes, that's true.  However, this could lead to problems if some day
the format of GnuPG's keyring files should change, and especially
if it should change in some architecture-specific way.

> And the config file would have to be rewritten, if he has such a file (if
> he doesn't, then he doesn't need it).

Well, the config file could be copied, it's plain text.  The issue
here is that the keyring files are not guaranteed to be in any kind
of format that is compatible with anything else, including a GnuPG
version on any other architecture or even another GnuPG version on
the same architecture.  Well, of course, it would be a pain if
a future GnuPG version would not be able to read the current version's
files, but it *could* happen one day.  Of course, I'm NOT speaking
for the GnuPG developers in any way!  It's just what I gather from
the glaring lack of any mentioning of the format of the keyring files
in any official documentation - IMHO, that's on purpose, and it's
completely understandable and a good thing, too :)

The only guaranteed, portable way to transfer one's keyrings is
by running GnuPG three times:

  gpg --export --armor > pubkeys.txt
  gpg --export-secret-keys --armor > seckeys.txt
  gpg --export-ownertrust > ownertrust.txt

...then copying those files over to the other installation and
importing them there with the --import, --import-secret-keys, and
--import-ownertrust options.

Still, for the present, all keyrings on all versions of GnuPG seem
to be compatible, so, *for the present*, it is easier to just copy
the files over.  The whole point is, that's not guaranteed to work
forever :)

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@space.bg r...@freebsd.org
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
What would this sentence be like if it weren't self-referential?




Re: syntax for encrypting only the string passed in an argument

2009-04-17 Thread Peter Pentchev
On Thu, Apr 16, 2009 at 12:38:52AM -0700, Incomex wrote:
> 
> I want to be able to call a shell from within a development environment
> and pass a string of data to it to be de/en/crypted.  The idea would look
> like
> this:
> 
> read from file "data.txt" line z and put it into variableY
> variablex = call shell(gpg -e -r Joe variableY)
> print variablex
> 
> rem:  variableY is the plaintext, variablex is the returned cyphertext

I don't think GnuPG supports this syntax; however, you can do it
somewhat indirectly by:

  echo $variableY | gpg -e -r Joe -o var_y.txt.gpg

You could even write a simple program (or shell script, or Perl script,
or something) that uses the mktemp() or mkstemp() standard C library
functions, or the mktemp(1) command-line utility, creates a temporary
file, has GnuPG output to it, displays it, and removes it.

Actually, come to think of it, here's a shell script and a Perl script
that do that - down there, right after the signature.  Hope you can
at least read the code to see the ideas if you can't use them directly :)
Caveat emptor: the shell script does not deal very well with recipient
names containing whitespace or special characters!  Also, the use of
"echo ... | gpg" makes it susceptible to a "ps awwfux" attack whereby
somebody who runs a "ps" command on the right server at the right time
might see the arguments to the "echo" command in the process list and
learn what you want to encrypt.

Hope that helps!

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@space.bg r...@freebsd.org
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
Nostalgia ain't what it used to be.


#!/usr/bin/perl -w
#
# Copyright (c) 2009  Peter Pentchev
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $Ringlet: security/gpgenv/trunk/gpgenv/gpgenv.pl 3525 2009-04-17 12:58:10Z roam $

use strict;

use File::Temp;

MAIN:
{
    my ($var, $value, $f, $p, $pid, $buf);
    my (@recip);

    if ($#ARGV < 1) {
        die("Usage: gpgenv varname recipient...\n");
    }
    ($var, @recip) = @ARGV;

    # Use defined() so that a value such as "0" is not replaced by ''
    $value = defined($ENV{$var}) ? $ENV{$var} : '';
    $f = new File::Temp or die("Creating a temp file: $!\n");
    chmod(0600, $f) or die("Setting a mode on ".$f->filename().": $!\n");
    # Fork a child with its standard input connected to $p
    $pid = open($p, '|-');
    if (!defined($pid)) {
        die("Forking for GnuPG: $!\n");
    } elsif ($pid == 0) {
        # Child: sanitize the environment, then run GnuPG
        $ENV{'PATH'} =
            '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/X11R6/bin';
        delete @ENV{qw/IFS CDPATH ENV BASH_ENV/};
        exec('gpg', '--batch', '--yes', '-e', '-o', $f->filename(),
            map { ('-r', $_) } @recip);
        die("Executing GnuPG: $!\n");
    }
    # Parent: send the plaintext over the pipe, not on a command line
    print $p "$value\n" or
        die("Sending the value of the $var variable to the child: $!\n");
    close($p) or die("The child process exited with an error\n");
    # Display the encrypted output; the temp file is removed on exit
    seek($f, 0, SEEK_SET) or die("Rewinding the output file: $!\n");
    while (read($f, $buf, 4096) > 0) {
        print $buf;
    }
}



#!/bin/sh
#
# Copyright (c) 2009  Peter Pentchev
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must

Re: Help Solicited to implement a new pgp key server

2009-04-08 Thread Peter Pentchev
On Wed, Apr 08, 2009 at 02:36:14AM -0700, rahul kaushik wrote:
> 
> I have been asked to support PGP for an application. The most likely
> scenario would be to implement a key server that would allow customers to
> manage their keys. This will of course come with some complications, in
> terms of interface, provisioning and management.
> 
> Could anybody please help me out in knowing how can I write a server using
> unix c/C++.
> 
> If there is any document available on internet which can be helpful. It
> would be great if you could please let me know.

Is there a reason why you can't use any of the existing keyserver
software?

Avoided: http://www.mit.edu/people/marc/pks/
Preferred: http://minskyprimus.net/sks/

If you need it in C/C++ for better integration with your application,
that's another thing.  Still, even in that case, you might want to
take a look at the SKS source to see how things are done.

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@space.bg r...@freebsd.org
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
I had to translate this sentence into English because I could not read the 
original Sanskrit.




Re: Need a command to suppress

2009-02-07 Thread Peter Pentchev
On Sat, Feb 07, 2009 at 07:46:41AM -0700, Chris Babcock wrote:
> On Sat, 07 Feb 2009 13:21:23 +0100
> Ingo Klöcker wrote:
> 
> > > > Is there a command to suppress these 2 lines.
> > > > gpg: Signature made using DSA key ID
> > > > gpg: Good signature xx.com  
> > 
> > It would help if you'd tell us why you want to suppress those 2 lines.
> >
> > > Add "'" | grep -v "Signature made" | grep -v "Good signature" "'" to
> > > the end of the command. Using "grep -v" inverts the match so only
> > > lines that do *not* contain the matching text are passed to stdout.
> > >
> > > Of course that's no help for Windows, but...  
> > 
> > It's also no help on other OS because those grep's would also
> > eliminate the two above lines.
> 
> I think you missed the meaning of suppress and/or invert. Might be a
> language issue. 
> 
> Don't trust me. Test it on some text with a known good signature and
> fix the targets if you get any unwanted matches.

I think what Ingo meant was that these greps might do both more and
less than you actually intend them to.

More: if those grep's are done on the full output of, say, gpg --decrypt
or something similar, then they could also remove *actual text*, not just
gpg's status output.  This could be... well, let's just say "bad" :)

Less: have you actually bothered to check the result of either
"gpg --verify ... | grep -v" or "gpg --decrypt ... | grep -v" ?
In both cases, gpg sends the status information to the standard error
stream, NOT the standard output stream, so "grep" does, erm, nothing
with it :)

Both of those issues are addressed by Ingo's idea of using --status-fd
or, even better, --status-file instead.

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@space.bg r...@freebsd.org
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
The rest of this sentence is written in Thailand, on
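
The two failure modes named in this message, shown side by side with a separate status channel. This is an added example, not code from the thread: `fake_gpg_decrypt` is a constructed stand-in for `gpg --status-fd 3 --decrypt msg.gpg`, and every name, key ID and message line in it is made up.

```shell
#!/bin/sh
# Constructed stand-in for `gpg --status-fd 3 --decrypt msg.gpg`, so this runs
# without a keyring: plaintext on stdout, human-readable notes on stderr,
# machine-readable status lines on file descriptor 3. All values are made up.
fake_gpg_decrypt() {
    printf '%s\n' 'Dear Bob,' 'Good signature hygiene matters.' 'Regards, Alice'
    printf '%s\n' 'gpg: Signature made using DSA key ID 0123ABCD' \
        'gpg: Good signature from "Alice (constructed) <alice@example.org>"' >&2
    printf '%s\n' \
        '[GNUPG:] GOODSIG 00000000000000AA Alice (constructed) <alice@example.org>' >&3
}

# The grep approach: what reaches stdout after the two filters.
grep_stdout() {
    fake_gpg_decrypt 2>/dev/null 3>/dev/null |
        grep -v 'Signature made' | grep -v 'Good signature'
}

# The grep approach: what still arrives on stderr, untouched by the pipe.
grep_stderr() {
    { fake_gpg_decrypt 3>/dev/null |
        grep -v 'Signature made' | grep -v 'Good signature' >/dev/null; } 2>&1
}

# Separate channels instead: the plaintext is never filtered, and the
# verdict is read from the status lines alone.
plaintext_only() { fake_gpg_decrypt 2>/dev/null 3>/dev/null; }
status_only()    { fake_gpg_decrypt 3>&1 >/dev/null 2>/dev/null; }

# Read status lines on stdin; succeed only on GOODSIG with no BADSIG/ERRSIG.
signature_ok() {
    awk '$1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
         $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG") { bad = 1 }
         END { if (good && !bad) exit 0; exit 1 }'
}

echo "--- stdout after grep -v (one plaintext line is gone):"; grep_stdout
echo "--- stderr after grep -v (both gpg lines still there):"; grep_stderr
echo "--- plaintext with status kept on fd 3:";                plaintext_only
if status_only | signature_ok; then
    echo "signature: good"
else
    echo "signature: NOT good"
fi
```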




Re: gpg: failed to create temporary file

2009-02-05 Thread Peter Pentchev
On Wed, Feb 04, 2009 at 01:11:05PM -0700, Joseph Oreste Bruni wrote:
> On Feb 4, 2009, at 12:55 PM, lee_an...@bellsouth.net wrote:
> > Here is the bash_profile for oracle
> >
> >
> > -bash-3.00$ more .bash_profile
> > export GNUPGHOME=/opt/oracle/.gnupg
> > export ORACLE_BASE=/opt/oracle
> > export ORACLE_HOME=/opt/oracle/product/10.1.3.1/OracleAS_1
[snip]
> 
> Hi Lee,
> 
> I'm not that familiar with BPEL, so perhaps you can elaborate on it.
> When it starts a shell to execute commands as a user (oracle in this
> case), does it always launch the shell specified in the user's
> /etc/passwd (/bin/bash) or does it simply start a POSIX shell (/bin/sh). If
> BPEL only starts a POSIX shell, then you will not pick up anything
> from .bash_profile. Indeed, unless the shell is started as a "login"
> shell, you might not even get .profile.

And then, of course, it's possible that this is a Linux system which
has bash installed as /bin/sh :)  And then, of course, it's possible
that this is a *reasonable* Linux system with something else, e.g.
dash or ash or something, installed as /bin/sh, in which case Joseph's
recommendation holds.

> If BPEL avoids starting any sort of shell and simply runs the programs  
> directly (via fork() and exec()), then you may not even get $HOME  
> depending on what environment variables BPEL passes in to the exec()  
> call.

This is also true.

> Try running the "env" command from BPEL and review the results. Pay  
> particular attention to the contents of $SHELL, $HOME, and look to see  
> if $GNUPGHOME is present and set as expected.

Yep, this is the only way to be sure.

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@space.bg r...@freebsd.org
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
You have, of course, just begun reading the sentence that you have just 
finished reading.




Re: How to Append an Encrypted file with new data(file).

2008-12-12 Thread Peter Pentchev
On Fri, Dec 12, 2008 at 04:26:50PM +0530, Munish Chauhan wrote:
> 
> Hello
> After executing several applications, any file appearing in some X
> folder I am encrypting them and keeping them in some other folder Y. But
> Let's say I have File.Doc.gpg there in Y folder and I got new file with
> same name(File.Doc) at X folder. Now instead of creating another
> encrypted file in Y folder, I want my existing encrypted file
> (File.Doc.gpg) should be appended with the new data arrived in new
> File.Doc file.

This was discussed on this list last month; the short answer is,
"you can't do this".  A slightly longer answer is "you might be
able to do something like that by ASCII-armoring the separate files
(encrypted) and then appending them to the .gpg file".  This ought
to be doable even with MS-DOS batch files, if they have grown
the capability to test if a file exists; granted, I've not looked at
the extensions to the MS-DOS batch file language since sometime
around version 4.0 or so, and my memories are a bit stale.

For the full discussion, take a look at
http://lists.gnupg.org/pipermail/gnupg-users/2008-November/035022.html

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@space.bg r...@freebsd.org
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
If you think this sentence is confusing, then change one pig.




Re: Bypass Invalid Public key

2008-10-06 Thread Peter Pentchev
On Mon, Oct 06, 2008 at 12:35:48PM +0300, Peter Pentchev wrote:
> On Thu, Oct 02, 2008 at 05:01:39PM -0500, Duwaine Robinson wrote:
> > Hi All,
> > 
> > Is there a way to get GnuPG to complete encryption, if there is at least
> > one valid public key specified? I am trying to automate my encryption
> > process, and I am hoping to be able to get away with not having to
> > specify error handling if one or more of my public keys does not exist
> > on the key ring.
> > 
> > Any help is greatly appreciated.
> > Thank you
> 
> I'm not sure that what you're asking would be such a good idea; after
> all, it boils down to "let GnuPG report success even if it did not
> really do most of what you asked it to, with no real way of knowing
> which parts it did do and which parts it didn't" :)

Oookay, okay, I know, I know, I know - you *can* try running GnuPG on
the *encrypted* file later and find out which keys it is actually
encrypted to, but in my book, that goes under "nonsensical effort".

[almost snip my "--list-keys --with-colons output processing" suggestion]
>   gpg --list-keys --with-colons 16194553 87E057BE 5DBFAB91
>   awk -F: '$1 == "pub" && $12 ~ /E/ { print $5 }'

That part still stands :)

G'luck,
Peter

-- 
Peter Pentchev  [EMAIL PROTECTED][EMAIL PROTECTED][EMAIL PROTECTED]
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
This would easier understand fewer had omitted.




Re: Bypass Invalid Public key

2008-10-06 Thread Peter Pentchev
On Thu, Oct 02, 2008 at 05:01:39PM -0500, Duwaine Robinson wrote:
> Hi All,
> 
> Is there a way to get GnuPG to complete encryption, if there is at least
> one valid public key specified? I am trying to automate my encryption
> process, and I am hoping to be able to get away with not having to
> specify error handling if one or more of my public keys does not exist
> on the key ring.
> 
> Any help is greatly appreciated.
> Thank you

I'm not sure that what you're asking would be such a good idea; after
all, it boils down to "let GnuPG report success even if it did not
really do most of what you asked it to, with no real way of knowing
which parts it did do and which parts it didn't" :)

IMHO, an alternative would be to actually *ask* it which keys it does
have before attempting the encryption; you can do something like:

  gpg --list-keys --with-colons 16194553 87E057BE 5DBFAB91

...and then look for the lines beginning with "pub".  If this is
a Unixish environment, you could try filtering the output through
  
  awk -F: '$1 == "pub" && $12 ~ /E/ { print $5 }'

..or, of course, just use your programming language's text processing
capabilities to extract the fifth field of the "pub" lines that contain
an "E" character in the twelfth field :)  All of them will identify
valid public keys that GnuPG can actually encrypt to (the uppercase 'E'
signifies exactly that, according to the doc/DETAILS file in the GnuPG
source).

Hope that helps :)

G'luck,
Peter

-- 
Peter Pentchev  [EMAIL PROTECTED][EMAIL PROTECTED][EMAIL PROTECTED]
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
because I didn't think of a good beginning of it.
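
The pre-check suggested in this message and its follow-up, as an added example (not code from the thread): it applies the same test as the awk one-liner (record type `pub`, an uppercase `E` in field 12) to a saved `--with-colons` listing and splits the requested key IDs into usable and unusable ones. The listing is constructed with made-up keys, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `gpg --list-keys --with-colons` output (made-up keys).
# Field 1 = record type, field 5 = long key ID, field 12 = key capabilities.
sample_listing() {
    cat <<'EOF'
tru::1:1223280000:0:3:1:5
pub:u:1024:17:AAAAAAAA11111111:1040000000:::u:::scESC:
uid:u::::1040000000::0000000000000000000000000000000000000001::Constructed One <one@example.org>:
sub:u:2048:16:BBBBBBBB22222222:1040000000::::::e:
pub:f:1024:17:CCCCCCCC33333333:1100000000:::-:::scSC:
uid:f::::1100000000::0000000000000000000000000000000000000002::Constructed Two <two@example.org>:
pub:e:2048:1:DDDDDDDD44444444:1000000000:1100000000::-:::sc:
EOF
}

# usable_recipients ID...
# Reads a --with-colons listing on stdin. For each requested ID prints either
# "encrypt-to <long key ID>" or "skip <ID>", in the order requested.
# Returns 1 if anything was skipped, so automation cannot mistake a partial
# recipient list for full success.
usable_recipients() {
    awk -F: -v want="$*" '
        BEGIN { n = split(toupper(want), ids, " ") }
        # Same test as the one-liner in the message: pub record, E in field 12.
        $1 == "pub" && $12 ~ /E/ { enc[toupper($5)] = 1 }
        END {
            for (i = 1; i <= n; i++) {
                found = ""
                for (k in enc) {
                    # A short key ID is the tail of the long ID in field 5.
                    if (length(k) >= length(ids[i]) &&
                        substr(k, length(k) - length(ids[i]) + 1) == ids[i])
                        found = k
                }
                if (found != "") {
                    print "encrypt-to " found
                } else {
                    print "skip " ids[i]
                    missing = 1
                }
            }
            if (missing) exit 1
        }'
}

# Demo: only the first key has a usable encryption capability; the second
# can only sign, the third is expired, the fourth is not on the keyring.
sample_listing | usable_recipients 11111111 33333333 44444444 99999999 ||
    echo "some requested keys are missing or cannot be encrypted to" >&2
```

Against a real keyring the input would come from the `gpg --list-keys --with-colons` command shown in the message instead of `sample_listing`.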




Re: so how do you get others to sign your key?

2008-07-24 Thread Peter Pentchev
On Thu, Jul 24, 2008 at 06:43:59AM -0400, Faramir wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> reynt0 wrote:
> > On Mon, 21 Jul 2008, kurt c wrote:
> >  . . .
> >> My name is Lawrence, by the way. I created this email account on a whim
> >> to  test Enigmail, that's why it has this kurt c stuff on it. And now
> >  . . .
> > 
> > FWIW,
> > Do you know that, as I understand things, Google saves
> > and records of, and analyzes including for affinity
> > grouping, all the email content and email accounts you
> > communicate with, and so by using gmail you are in some
> > small way compromising the privacy and maybe security of
> > everyone posting on any email list you get email from?
> 
>   Writing a plain text email, gmail or not, already does that... do you
> know if your ISP sniffs your messages? Do you know if my ISP does it? Do
> you know if somebody in the list is an SPECTRE agent?
[snip]
>
>And... here comes the best part of this: the messages sent to the
> list are available at the list's web site, and no subscription or login
> is required to access them... so no doubt, even if gmail doesn't search
> the message's content, google, yahoo, msn, and all other searchers
> surely have indexed them with their robots... unless there is a
> robots.txt file stopping them... but it won't stop any bad boy...

And then there are things like http://marc.theaimsgroup.com/ ... :)

But let's not feed the troll any more :)

G'luck,
Peter

-- 
Peter Pentchev  [EMAIL PROTECTED][EMAIL PROTECTED][EMAIL PROTECTED]
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
No language can express every thought unambiguously, least of all this one.




Re: make data available for a certain amount of time

2008-07-11 Thread Peter Pentchev
On Thu, Jul 10, 2008 at 06:14:27PM +0200, Florian Philipp wrote:
> On Thu, 10 Jul 2008 14:32:20 +0200
> "Sander de Bakker" <[EMAIL PROTECTED]> wrote:
> 
> > Hello Faramir and Robert,
> > 
> > thank you for the responses.
> > 
> > I want everyone to be able to acces the data as long as the data is
> > valid. When the data becomes invalid i want it to be inaccesible for
> > everyone.
> > 
> > I want to control and force when the data should be invalid, i was
> > thinking of using the expiration of a gpg key.
> > 
> > Any suggestions are appreciated.
> > 
> > N00bical
> 
> What I've seen once was a self-extracting archive built with bash. It
> was basically a bash-script with some binary data attached to it.
> 
> It was created with something like:
> #!/bin/bash
> cat script.sh archive.tar >  archive.sh
> 
> The script did something like
> #!/bin/bash
> tail -n 30 archive.sh | tar x

Errr, that's a bit off-topic, but it is *much* easier to do that with
shar (in the base system on most OS's, or in a package named sharutils
or similar on most Linux distributions).

Of course, shar wants to encode the binary data and thus makes the file
a bit bigger than just a binary blob, but this is actually a good thing
in view of all the weird and wonderful (not!) ways that various shells
treat "special", "graphical", and other interesting characters.

G'luck,
Peter

-- 
Peter Pentchev  [EMAIL PROTECTED][EMAIL PROTECTED][EMAIL PROTECTED]
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
This sentence claims to be an Epimenides paradox, but it is lying.




Re: key generation in a script or non interactive mode?

2008-07-11 Thread Peter Pentchev
On Thu, Jul 10, 2008 at 08:25:55PM -0400, David Shaw wrote:
> On Jul 10, 2008, at 5:41 PM, Afzal, Naeem M wrote:
> 
> >
> > Ok, I was able to resolve this issue. I have to set HOME=/root  
> > inside the shell to get it going. Now I have new problem, script  
> > runs ok from within this chroot fs, but when keys generation process  
> > just hangs with statement:
> >
> > "Not enough random bytes available. Please do some other work 
> > (Need 284 more bytes)"
> >
> >
> > How can I force it to complete it?
> 
> Your entropy source dried up.  Normally I'd suggest wiggling the mouse  
> or poking at the keyboard to make some more entropy, but if you're  
> running completely unattended that may be hard (you may not even have  
> a mouse on that box).

I usually do something like "find / -print0 | xargs -0 cksum", but that,
of course, assumes that the kernel will gather entropy from the disk.

> There is a good article on entropy gathering on Linux (I'm assuming  
> you are running Linux here) at http://lwn.net/Articles/283103/

Aye, this is a good article indeed, worth reading by both sysadmins and
everyone else who is interested in randomness :)

G'luck,
Peter

-- 
Peter Pentchev  [EMAIL PROTECTED][EMAIL PROTECTED][EMAIL PROTECTED]
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
When you are not looking at it, this sentence is in Spanish.




Re: Problem in case decrypting large file size

2008-06-30 Thread Peter Pentchev
On Sun, Jun 29, 2008 at 04:42:00PM +0530, ajay Madamala wrote:
> Hello all
> 
> Currently we are working on GPG implementation in project with Java
> integration. GPG commands will be called by Java code at runtime. However, we
> were not able to test decryption via java code if source file was >2kb
> size. Please advise me how to overcome this case... Inputs are more
> helpful...

Assuming you meant two *giga*bytes, not two kilobytes, I think
the most common work-around is to pass the encrypted data on
gpg's standard input and read the decrypted data from its standard
output.  That is, instead of doing something like:

  gpg -d file.txt.enc

and expecting to get a file.txt after a successful decryption, do this:

  gpg -d < file.txt.enc > file.txt

Of course, the exact invocation depends on your programming language,
libraries and stuff (you may invoke a shell and pass it this command
with the redirections, or you may fork off a process and reopen its
file descriptors 0 and 1, or...), but that's the general idea.

Hope that helps.

G'luck,
Peter

-- 
Peter Pentchev  [EMAIL PROTECTED][EMAIL PROTECTED][EMAIL PROTECTED]
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
This sentence claims to be an Epimenides paradox, but it is lying.




Re: LD_PRELOAD attack

2008-06-11 Thread Peter Pentchev
On Wed, Jun 11, 2008 at 04:31:45PM -0400, michael graffam wrote:
> On Wed, Jun 11, 2008 at 3:56 PM, David Shaw <[EMAIL PROTECTED]> wrote:
> 
> > If the attacker had access to your machine to implement the LD_PRELOAD
> > attack, there are literally dozens of ways they can similarly steal
> > whatever data they are trying to steal.  Why do a very complex attack
> > involving replacing libraries when they could just replace the GPG
> > binary itself?
> 
> Replacing the GPG bin requires root. An LD_PRELOAD'ed lib doesn't.
> 
> >  Or add a shell script named 'gpg' and put it in your
> > search path ahead of the real gpg?
> 
> Again,  root.

Nope.  None of these is true.  If an attacker has access to *your*
account, he has perfectly good access to your shell startup files,
and he is perfectly capable of changing your PATH to include
a directory of his choosing where he may place any binaries he
wants to - and your shell will happily execute them instead of
the real system binaries.

Or maybe you are in the habit of auditing your .*shrc and .*sh_profile
files after each and every login?  And then auditing the pager or
editor that you audited them with?  If so, my hat's off to you, Sir,
but this is a level of paranoia that I'm not quite comfortable with :)

> > Or turn on typescript by default.
> 
> Doesn't save GPG passphrases.

True.

> > Or load a kernel module that changes the meaning of system calls.  Or
> > replace the rng with one that isn't random.  Or, or, or.
> 
> 
> Root, root, root.

This, too, is true.

> Get it yet? LD_PRELOAD enables attacks against GPG w/o requiring full access
> to the box. The attacker just need access to the user's account.

True, too, except that an attacker with access to your account really
does have at least seven ways (that pop up in my mind without even
thinking too hard) of replacing the gpg or pinentry or whatever
binaries without you noticing *at once*.

G'luck,
Peter

-- 
Peter Pentchev  [EMAIL PROTECTED][EMAIL PROTECTED][EMAIL PROTECTED]
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
I am the thought you are now thinking.
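
A defender-side check for the PATH case described in this message, added here as an example (it is not code from the thread): it walks a PATH value in lookup order and reports whether the first `gpg` found sits in a directory you trust. The function names and the trusted-directory list in the demo call are assumptions of this example.

```shell
#!/bin/sh
# resolve_in_path CMD PATHVALUE
# Print every "dir/CMD" that is an executable file, in PATH lookup order.
# An empty PATH entry means the current directory and is reported as "./CMD".
resolve_in_path() {
    rip_cmd=$1
    rip_rest=$2:
    while [ -n "$rip_rest" ]; do
        rip_dir=${rip_rest%%:*}
        rip_rest=${rip_rest#*:}
        case $rip_dir in
            '')  rip_dir=. ;;
            ?*/) rip_dir=${rip_dir%/} ;;    # "/usr/bin/" -> "/usr/bin"
        esac
        if [ -f "$rip_dir/$rip_cmd" ] && [ -x "$rip_dir/$rip_cmd" ]; then
            printf '%s\n' "$rip_dir/$rip_cmd"
        fi
    done
}

# check_command CMD PATHVALUE TRUSTED
# TRUSTED is a colon-separated allowlist of directories.
# Prints one verdict line and returns:
#   0  OK        the first hit is in a trusted directory
#   1  SHADOWED  the first hit is in some other absolute directory
#   1  RELATIVE  the first hit comes from a relative or empty PATH entry
#   2  MISSING   CMD is not in PATHVALUE at all
check_command() {
    cc_first=$(resolve_in_path "$1" "$2" | sed -n 1p)
    if [ -z "$cc_first" ]; then
        echo "MISSING $1"
        return 2
    fi
    case $cc_first in
        /*) ;;
        *)  echo "RELATIVE $cc_first"
            return 1 ;;
    esac
    case ":$3:" in
        *":${cc_first%/*}:"*)
            echo "OK $cc_first"
            return 0 ;;
    esac
    echo "SHADOWED $cc_first"
    return 1
}

# Demo against the current session. The allowlist below is an assumption;
# use the directories where your system really installs gpg and pinentry.
check_command gpg "$PATH" "/usr/local/bin:/usr/bin:/bin" || true
```

The check reflects only the PATH of the shell it runs in, so it says nothing about what a later edit to a startup file would change.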




Re: how long should a password be?

2008-05-10 Thread Peter Pentchev
On Tue, May 06, 2008 at 04:52:31AM -0400, Faramir wrote:
[snip Sven Radde's explanations about the salt]
>Excellent explanation, thanks. But I still miss the point about the
> salt number doesn't need to be kept secret... I mean: if the salt value
> is not known to the program that must validate the password, then it
> can't validate it (since the hash produced by the password will never
> match the "salted" stored hash). That means the salt used must be stored
> somewhere... and if I get the stored hash, and the salt, I would just
> need to generate the rainbow tables adding the salt value I got... Wait,
> I think I am beginning to get the point... since the salt is random, I
> figure each user will have his own salt value... and that would mean I
> would have to generate 1  rainbow table for each user... but then, I
> would rather try to crack an admin password, and then reset the
> passwords of the users...

It seems that you are missing another important point about the salt -
it is generated randomly each and every time something needs to be
encrypted :)  There is no such thing as "the salt value for this user";
every time this user wants to hash a password, the system generates
a random salt value and hashes this particular password, just this once,
with this value.

Hope that helps :)

G'luck,
Peter

-- 
Peter Pentchev  [EMAIL PROTECTED][EMAIL PROTECTED][EMAIL PROTECTED]
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
Nostalgia ain't what it used to be.




Re: Backdoor?

2007-12-13 Thread Peter Pentchev
On Wed, Dec 12, 2007 at 11:46:30AM -0800, nate eccels wrote:
> Does gpg have any trapdoors.

Even if it did have any, do you seriously expect anybody would come out
and say "Yes!" on the official public mailing list? :P

Humor aside, the answer ought to be "no" - although all that I can say
is "almost certainly no", since I have not myself done a full review of
the GnuPG code.  Still, there are lots and lots of people who *have* -
maintainers of GnuPG packages on all kinds of operating systems and
distributions, security researchers hoping for a quick claim to fame,
serious security researchers really interested in the risks of deploying
GnuPG in various kinds of environment...  Since nobody has come up with
anything so far, I personally am confident enough that, no, GnuPG does
not have any backdoors.

And just by the way, it really ought to be "backdoor", not "trapdoor",
when you are speaking about cryptography - because, strictly speaking,
GnuPG *does* implement various trapdoor algorithms, but that is actually
a very, very good thing :)

G'luck,
Peter

-- 
Peter Pentchev  [EMAIL PROTECTED][EMAIL PROTECTED][EMAIL PROTECTED]
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
If there were no counterfactuals, this sentence would not have been paradoxical.




Re: Validating encrypted files

2007-12-07 Thread Peter Pentchev
On Fri, Dec 07, 2007 at 01:08:36PM -0800, Alan Olsen wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
> 
> I have encountered something that does not seem to be covered by any of
> the FAQs, manuals, or other general hints.  I figured I might find a
> couple of good hints here.
> 
> I have a number of files that I have received.  I can decrypt them or
> not.  I can check the signature or not.
> 
> What I want to do is verify that the file was encrypted and to what
> keys.  I can kludge something together by using --status-fd and grep.  I
> am hoping for something a little more user friendly and/or script
> friendly.  
[snip more need to know if a file is encrypted or signed correctly]

If you only want to check if the file is encrypted and to what key(s),
you can use --list-packets --list-only; this will list the outermost
packets in the OpenPGP message without doing any decryption.
Among the results there will probably be a packet that looks like this:

:pubkey enc packet: version 3, algo 16, keyid 921EB6497074473C
data: [1022 bits]
data: [1024 bits]

You can fish this line out with something like either of the following:

  sed -ne '/^:pubkey enc packet:/ { s/.* keyid //; s/ .*//; p;}'
  perl -nle '/^:pubkey enc packet:.* keyid (\S+)/ and print $1'

The catch with this approach is that it does not actually do any
decryption; the --list-only option takes care of that.  Thus, you cannot
see if the decryption will succeed, you cannot even see if the encrypted
message has been signed before the encryption - the signature packets are
within the encrypted data, --list-only will not analyze them.

If you want to analyze the message within, too, then it would seem the
logical thing that dropping --list-only would achieve some kind of goal;
however, from my limited testing it does not seem so.  A simple invocation
of "gpg --list-packets file.gpg" only shows a "compressed packet" and then
a "literal data packet" line, no signature checking in sight.  Of course,
if the "compressed packet" and "literal data packet" are present, the
decryption was *most probably* successful... but ICBW, and it is much too
late at night for me to actually check the GnuPG source to see if it is
possible for it to display a "literal data packet" and only then notice
that the decryption has failed.

G'luck,
Peter

-- 
Peter Pentchev  [EMAIL PROTECTED][EMAIL PROTECTED][EMAIL PROTECTED]
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
I am jealous of the first word in this sentence.
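
A script-friendly version of the check described in this message, as an added example that is not part of the original post: it reads the output of `gpg --list-packets --list-only` and reports whether the file is encrypted to exactly an expected set of key IDs. The sample listings are constructed (only the first packet line comes from the post), the function names are hypothetical, and treating an all-zero key ID as a hidden recipient is an assumption about how such recipients are listed. Like the one-liners above, it says nothing about signatures or about whether decryption will succeed.

```python
import re

# Outermost-packet lines start with ':'; their detail lines are indented.
PUBKEY_ENC = re.compile(r"^:pubkey enc packet:.*\bkeyid ([0-9A-Fa-f]{16})\b")
HIDDEN_KEYID = "0" * 16  # assumption: how a hidden recipient is listed

# Constructed sample listings; only the first packet line is taken from the post.
TWO_RECIPIENTS = """\
:pubkey enc packet: version 3, algo 16, keyid 921EB6497074473C
\tdata: [1022 bits]
\tdata: [1024 bits]
:pubkey enc packet: version 3, algo 1, keyid 0000000000000000
\tdata: [2047 bits]
:encrypted data packet:
\tlength: 4120
\tmdc_method: 2
"""
NOT_ENCRYPTED = """\
:compressed packet: algo=1
:literal data packet:
"""


def parse_listing(listing: str) -> dict:
    """Summarise who a message is encrypted to, from a --list-packets listing."""
    info = {"keyids": [], "hidden": 0, "passphrase": False, "encrypted": False}
    for line in listing.splitlines():
        if not line.startswith(":"):
            continue  # indented detail line or other noise
        match = PUBKEY_ENC.match(line)
        if match:
            info["encrypted"] = True
            keyid = match.group(1).upper()
            if keyid == HIDDEN_KEYID:
                info["hidden"] += 1
            elif keyid not in info["keyids"]:
                info["keyids"].append(keyid)
        elif line.startswith(":symkey enc packet:"):
            info["encrypted"] = info["passphrase"] = True
        elif line.startswith(":encrypted data packet:"):
            info["encrypted"] = True
    return info


def check_recipients(listing: str, expected) -> list:
    """Return findings; an empty list means 'encrypted to exactly `expected`'.

    `expected` holds long key IDs or fingerprints of the encryption (sub)keys;
    the packet names the key that was encrypted to, not its primary key.
    """
    want = {k.replace(" ", "").upper()[-16:] for k in expected}
    info = parse_listing(listing)
    if not info["encrypted"]:
        return ["not encrypted: no encryption packets at the outer level"]
    got = set(info["keyids"])
    findings = [f"missing recipient {k}" for k in sorted(want - got)]
    findings += [f"unexpected recipient {k}" for k in sorted(got - want)]
    if info["hidden"]:
        findings.append(f"{info['hidden']} hidden recipient(s)")
    if info["passphrase"]:
        findings.append("also decryptable with a passphrase")
    return findings


if __name__ == "__main__":
    print(check_recipients(TWO_RECIPIENTS, ["921EB6497074473C"]))
    print(check_recipients(NOT_ENCRYPTED, ["921EB6497074473C"]))
```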




Re: GPG fails to encrypt

2007-11-01 Thread Peter Pentchev
On Tue, Oct 30, 2007 at 04:04:58PM -0700, William Bradshaw wrote:
> When calling the GPG command from within a Vitria Businessware automator
> process, files larger than 20MB fail to encrypt.  Files smaller than
> 20MB encrypt just fine.  If I run the GPG command outside of the Vitria
> Businessware process the large (20MB plus) files encrypt just fine.  The
> GPG command being called by Vitria is:
> 
> /usr/local/bin/gpg --always-trust -e -r "F"
> /vitria/bw3dev1/encrypt/FSA/$FSA.560167.$FHP.cere07110938.txt.01102007_11-13-08

Try getting an actual error message - that should help point to an
actual problem :)

There are several ways you could look for an error message, and most of
them involve writing a simple shell script wrapper for gpg and having
Vitria invoke the script instead of the gpg binary itself.  Maybe
something like the following could help (and yes, I'm aware of all the
security problems within - predictable filenames, file/directory
permissions and stuff):

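#!/bin/sh

# Wrapper that records gpg's output, error messages and exit code.
# Deliberately no "set -e": a failing gpg must not abort the script
# before its exit code has been logged.

GNUPG='/usr/local/bin/gpg'
OUTDIR='/tmp/gpg'
STDOUT="$OUTDIR/out.$$"
STDERR="$OUTDIR/err.$$"

# Run gpg with the caller's arguments, capturing both output streams.
"$GNUPG" "$@" > "$STDOUT" 2>"$STDERR"
errcode="$?"
echo "The GnuPG process's exit code is $errcode" >> "$STDERR"
exit "$errcode"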

To use it, create a directory /tmp/gpg writeable by the user that Vitria
should run as, then make Vitria execute it instead of the actual gpg
binary.  As a result, each time Vitria tries to run GnuPG, you'll get
two files in the /tmp/gpg directory containing the data that gpg sent to
its standard output and its standard error streams, and the exit code.

If this does not help a whole lot, you could put an strace or ltrace or
something like that in the script for further information gathering.

Hope that helps!

G'luck,
Peter

-- 
Peter Pentchev  [EMAIL PROTECTED][EMAIL PROTECTED][EMAIL PROTECTED]
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
What would this sentence be like if pi were 3?




Re: How to use GnuPG to generate sha512sum hash?

2007-08-31 Thread Peter Pentchev
On Fri, Aug 31, 2007 at 04:38:51AM -0400, Todd Zullinger wrote:
> Moses wrote:
> > I want hash some strings by using GnuPG, I know GPG have hash
> > function, but I can't find how to do it in the manuals or other
> > documentations on the official website. What's parameters used by
> > GPG for hash?
> > 
> > Furthermore, I would like use sha-512 hash strings from standard
> > input, rather than from files, is it possible? If not, is there any
> > other app can do this for me?
> 
> Perhaps this:
> 
> echo "some string" | gpg --print-md SHA512
> 
> is what you're looking for?

...or, certainly, echo -n "some string" if you want just the string
without the terminating newline :)  At least on most POSIX-like systems,
that is.

G'luck,
Peter

-- 
Peter Pentchev  [EMAIL PROTECTED][EMAIL PROTECTED][EMAIL PROTECTED]
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
This sentence every third, but it still comprehensible.




Re: Compiling GnuPG 2.0.1 on MacOS X

2007-02-14 Thread Peter Pentchev
On Tue, Feb 13, 2007 at 07:03:24PM +, Benjamin Donnachie wrote:
> Benjamin Donnachie wrote:
> > How embarrassing... my mistake - I was still using the old patched version!
> 
> Ah-ha!  That's better!  As a quick test I threw together the following
> helper application:
> 
> /*
> ** Mac OS fails to process bundle information correctly
> ** for pinentry-mac.
> **
> ** This quick hack attempts to address that.
> **
> */
> 
> #include <stdlib.h>
> 
> int main()
> {
>     return system
>         ("/Applications/pinentry-mac.app/Contents/MacOS/pinentry-mac");
> }

Is there any reason for not using execv(3)?
(disclaimer: not tested on PPC or MacOS X or, really, anything besides
FreeBSD/i386 and Debian/i386...)

#include <stdio.h>
#include <unistd.h>

#ifndef __unused
#if defined(__GNUC__) && !defined(__INTEL_COMPILER)
#define __unused        __attribute__((unused))
#else   /* __GNUC__ */
#if defined(__INTEL_COMPILER)
#define __unused        __attribute__((__unused__))
#else   /* __INTEL_COMPILER */
#define __unused
#endif  /* __INTEL_COMPILER */
#endif  /* __GNUC__ */
#endif  /* __unused */

#define APP "/Applications/pinentry-mac.app/Contents/MacOS/pinentry-mac"

int main(int argc __unused, char * const argv[])
{
        /* Replace this process with pinentry-mac, passing our arguments on. */
        execv(APP, argv);
        /* Only reached if execv() failed. */
        perror("execv");
        return (1);
}

Of course, you may skip the whole __unused dance if you know that you
are only ever going to compile it on a single OS/arch/compiler - or if
you don't care about compiler warnings :)

> Compile this using "gcc -isysroot /Developer/SDKs/MacOSX10.4u.sdk -arch
> i386 -arch ppc pinentry-helper.c -o pinentry-helper" (Or download from
> http://www.py-soft.co.uk/~benjamin/download/mac-gpg/pinentry-helper) and
> copy it to "/Applications/pinentry-mac.app/Contents/MacOS/pinentry-helper".
> 
> Then add the following to ~/.gnupg/gpg-agent.conf:
> 
> pinentry-program
> "/Applications/pinentry-mac.app/Contents/MacOS/pinentry-helper"
> 
> Unpatched gpg-agent (admittedly v1.9.21) correctly invokes pinentry-mac,
> reading the GUI bundle information correctly.
> 
> It needs more work to achieve a tidy solution - especially since the
> location of pinentry-mac is fixed and it fails to pass any command line
> arguments.

The above will take care of passing command-line arguments; the executable
location might be handled by a symlink or something.

> Plus I might still use NSTask instead.

G'luck,
Peter

-- 
Peter Pentchev  [EMAIL PROTECTED][EMAIL PROTECTED][EMAIL PROTECTED]
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
Nostalgia ain't what it used to be.




Re: Keyrings for websites

2007-02-08 Thread Peter Pentchev
On Thu, Feb 08, 2007 at 01:03:05PM +0100, Bèr Kessels wrote:
> Hello,
> 
> With the current growth of online services that talk to each other (the
> web2.0) I thought it a good idea to think about a way to determine
> "trust" between the sites. 
> 
> If my site shares its spam tokens, comments, search results, tags and
> pictures (etc) with a cloud of sites, it could be a good idea to
> establish a trust-ring.
> 
> I therefore thought it an interesting idea to make keys not just for
> people, but for a website. That way I can sign public keys from other
> sites and give them a trust weight.
[snip]
> 
> It is still an idea. And no code is made yet. But I am heavy into
> Drupal (been full time developer for it for over 4 years), and I can
> introduce this concept there, then hope it takes off into wordpress,
> plone and other Open Source, or Closed source CMSes.
> 
> All I need is some general idea whether or not this will a) work at all
> and b) is possible with gnupg, and c) if it would not 'threaten' gnupg
> too much.

It ought to be both possible and trivial.

ISTR several discussions on this mailing list, where people mentioned
using PGP keys (or rather, uid's) with only names, no e-mail addresses.
You could either use such keys with the hostname (or the full path to
the web application) placed directly in the "name" part of the user ID,
or develop some kind of machine-readable encoding to represent a host
name, application path, application name, or any level of detail you
feel comfortable with, and then place those in the "name" or the
"comment" part of the key's user ID.  After that, proceed as usual -
sign the user-ID with the key itself (GnuPG should do that as part of
the key generation anyway), sign it with your own key, and send the
public key to the others.  They should generate keys for their web apps
too, sign them with their own (developers') keys, and send them to you.
Then each of you establishes his own trustdb, places trust in (some of)
the developers' keys, and off you go.

G'luck,
Peter

-- 
Peter Pentchev  [EMAIL PROTECTED][EMAIL PROTECTED][EMAIL PROTECTED]
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
This inert sentence is my body, but my soul is alive, dancing in the sparks of 
your brain.




Re: gen-key non-interactively

2007-02-08 Thread Peter Pentchev
On Thu, Feb 08, 2007 at 04:59:26AM -0500, Mark Pinto wrote:
> I'm wanting to pass all of the information that gpg needs to create a
> key (key size, type, expiration, userid, etc) initially and not have
> gpg keep pausing to ask the user.  I've read the man page, read gpg
> --help, googled, and I still can't figure out how to pass those things
> to gpg while using --gen-key.  Any help would be *greatly*
> appreciated.

If you are trying to do this as part of a bigger program, you might
want to check out the gpgme and libgcrypt libraries.

Otherwise, the gnupg manual page mentions an experimental method for
using --gen-key non-interactively, which is described in the DETAILS
file in the doc/ subdirectory of the gnupg source archive.  Thus, you
need to download the gnupg source (either 1.4.x or 2.0.x, depending on
which version you're using anyway), read the doc/DETAILS file, and see
if the method described there works for you.  I just tried it with
GnuPG 1.4.6, and it worked just fine here.

G'luck,
Peter

-- 
Peter Pentchev  [EMAIL PROTECTED][EMAIL PROTECTED][EMAIL PROTECTED]
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
If the meanings of 'true' and 'false' were switched, then this sentence 
wouldn't be false.




Re: Password length paranoia

2006-02-07 Thread Peter Pentchev
On Tue, Feb 07, 2006 at 08:14:29PM +0100, Ludwig Hügelschäfer wrote:
> Hi,
> 
> On 07.02.2006 20:05 Uhr, Oskar L. wrote:
> 
> > This is of course only true if the attacker knows it is exactly 15
> > characters long. If not, then it should be calculated like this: 95^1 +
> > 95^2 + 95^3 + ... + 95^15.
> 
> Right, this gives exactly 95^16 - 1.

Errr... only for very small values of 95, I'd say ;)  Namely, only
if 95 equals 2... which it doesn't quite seem to :)

Oh, kay, so it's more like (95^16 - 1^16) / (95 - 1), which is
only 94 times less than your bid.  But still... :)

> This is not a dramatic improvement compared to 2^256.

Err... what?!

Straight from bc's mouth:

(95^16-1)/(95-1)
468219860267835848675991626496

2^256
115792089237316195423570985008687907853269984665640564039457584007913129639936

Okay, so it might not be quite in the feasible range - I'll leave
that for others to judge - but it does seem pretty dramatic to me.

G'luck,
Peter

-- 
Peter Pentchev  [EMAIL PROTECTED][EMAIL PROTECTED][EMAIL PROTECTED]
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
If I had finished this sentence,




Re: Encrypt from memory to disc?

2005-10-18 Thread Peter Pentchev
On Mon, Oct 17, 2005 at 09:55:57PM -0700, Steve Leibel wrote:
> I have an application where I have data in memory that needs to be 
> encrypted without ever being written to disc, even temporarily.
> 
> Using PGP I can run "pgp -feat" and then pipe the data to the pgp 
> process. That works very well.
> 
> I have to do the same thing for GPG, but I can't figure out how to 
> send data to GPG directly from memory.
> 
> Any suggestions greatly appreciated.

Pipe the data to "gpg -r recipient -e -o outfile.gpg"

The recipient may be specified as either a key ID or an e-mail address
(if it is unique in the public keyring).

G'luck,
Peter

-- 
Peter Pentchev  [EMAIL PROTECTED][EMAIL PROTECTED][EMAIL PROTECTED]
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
If there were no counterfactuals, this sentence would not have been paradoxical.




Re: OpenPGP Card

2005-09-05 Thread Peter Pentchev
On Mon, Sep 05, 2005 at 10:14:41PM +0200, Alon Bar-Lev wrote:
> Zeljko Vrba wrote:
> > Alon Bar-Lev wrote:
> >>
> >> I agree... So if we all understand the need of PKCS#11 in order to
> >> access cryptographic tokens, what I don't understand is how come
> >> people choose to develop low-level applications in order to work with
> >> specific devices?
> >>
> > Neither do I understand that. Werner didn't give a single plausible
> > argument except possibly of license incompatibility. But in my
> > understanding,
> > just incorporating PKCS#11 support into GnuPG would NOT cause license
> > incompatibility. It would happen at run-time if the user chooses to
> > load GPL-incompatible binary PKCS#11 driver (which most of them are).
> 
> Right... This argument was given to me also...
> But I could not find any justification for it...
> Let's say you use GPLed licensed program on windows... It loads
> kernel32.dll, right?
> Since your GPLed program does not contain any other licensed code it is
> still GPLed...
> The same goes with GPLed licensed program that loads PKCS#11 module...

Hate to jump into this discussion, but isn't this *exactly* why Werner
always keeps mentioning *shared* libraries? :)

G'luck,
Peter

-- 
Peter Pentchev  [EMAIL PROTECTED][EMAIL PROTECTED][EMAIL PROTECTED]
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
This sentence was in the past tense.




Re: Signing MS-Excel spread sheets

2005-09-04 Thread Peter Pentchev
On Fri, Sep 02, 2005 at 10:39:52PM -0400, Dan Mundy wrote:
> Berend Tober wrote:
> > I hate to admit that I still use MS-Excel rather than an open source
> > spread sheet tool, but workplace requirements constrain my fate...
> > Has anyone else managed a work-around for this flaw? (Aside from the
> > obvious -- "Stop using MS-Excel!" -- because that is a failure I cannot
> > control...)
> 
> use openoffice.org: it is opensource and fully compatible with
> microsoft. now it is a failure you can control. see
> http://www.openoffice.org/dev_docs/instructions.html#win for how to
> install it.

Hate to point out the obvious, but unfortunately, it just might be that
Berend canNOT control whether his coworkers also use OpenOffice or MS
Excel, in which case the problem of a coworker opening a signed
spreadsheet and invalidating the signature still stands.

G'luck,
Peter

-- 
Peter Pentchev  [EMAIL PROTECTED][EMAIL PROTECTED][EMAIL PROTECTED]
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
Hey, out there - is it *you* reading me, or is it someone else?




Re: validate_key_list failed

2005-08-08 Thread Peter Pentchev
On Fri, Aug 05, 2005 at 04:15:47PM +0200, Thomas Klausner wrote:
> Hi!
>
> After adding some keys recently, I always get:
[snip]
> gpg: mpi larger than indicated length (2 bytes)
> gpg: keyring_get_keyblock: read error: invalid packet
> gpg: keyring_get_keyblock failed: invalid keyring
> gpg: failed to rebuild keyring cache: invalid keyring
> gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
> gpg: mpi larger than indicated length (2 bytes)
> gpg: keyring_get_keyblock: read error: invalid packet
> gpg: keydb_get_keyblock failed: invalid keyring
> gpg: validate_key_list failed
>
> And the trustdb is not updated, because on the next run
> I get the same error.
>
> How can I fix this?
> Or how can I find out which key it is, so I can remove it
> (as workaround)?

FWIW, I've been getting the same with the FreeBSD port of gnupg-1.4.2.
I've reverted to using 1.4.1 for the present.

G'luck,
Peter

--
Peter Pentchev  [EMAIL PROTECTED][EMAIL PROTECTED][EMAIL PROTECTED]
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
This sentence was in the past tense.




Re: Protecting signing key

2005-08-03 Thread Peter Pentchev
On Tue, Aug 02, 2005 at 05:48:39PM -0500, Ryan Malayter wrote:
[snip]
> That said, everything I've read indicates that the encrypting file
> system (EFS) in Windows 2000+ is reasonably well implemented. However,
> the user's password is still the weak link, as it is used to protect
> the private key that EFS needs for decryption.
> 
> Because you can get the hash of this password from the disk in some
> way (you always have to be able to, otherwise you could not
> authenticate), the password is the weak link.

I can't speak about EFS, since I'm not familiar with it at all, but that
statement does not have to be necessarily true.  You *can* get by
without storing even a hash of the password on the disk, and it's
actually pretty easy - just encrypt a known-plaintext magic sequence of
bytes using a key derived from the password and store the encrypted
result.  There is also the possibility of generating a random magic
sequence and storing that on the disk in plaintext, too, thus "salting"
the authentication in a different way every time.

Okay, so, come to think of it, this could be called hashing in a way,
and it is still vulnerable to dictionary attacks on the password.

G'luck,
Peter

-- 
Peter Pentchev  [EMAIL PROTECTED][EMAIL PROTECTED][EMAIL PROTECTED]
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
"yields falsehood, when appended to its quotation." yields falsehood, when 
appended to its quotation.

