Re: Estonian e-residency
On Tuesday, 07.02.2017, 11:33, Andrew Gallagher wrote:
> On 06/02/17 09:37, Richard Ulrich wrote:
> >
> > So we sometimes resort to keybase.io. There the key is verified by
> > some social media. Sure, if the social media profiles have existed
> > for some years and have some legitimate looking interactions, it is
> > a good indicator that it's not a fake account. But still, I would
> > trust a government verification more than social media.
>
> keybase.io is a great idea. But its main use is to tie a PGP key to a
> social media account or accounts that act as a surrogate web of trust
> (by being referenced in multiple independent places by hopefully
> reputable third parties). But if your correspondent's social network
> does not overlap with yours, again I'm not sure much value is added.

Every piece adds to the probability of the key being valid.

> > For example I bought a car last week with Bitcoin. The person that
> > handled the payment for the seller was not present, but gave me his
> > keybase.io user name on the phone. He signed the email containing
> > the Bitcoin address for the payments with his GPG key. He didn't
> > have any signatures on his key.
>
> I'm not sure I would have the cojones to follow through with this
> deal, signatures or no. ;-)
>
> > In this scenario I'm grateful for every piece of validation to give
> > the key more credibility.
>
> In a scenario where you do not know the intermediary, the only
> meaningful validation is whether the vendor vouches for both the
> intermediary's person and key. The fact that the intermediary offers
> you *an* identity doesn't mean you are validating the correct
> identity.

He is the business partner of the son of the seller. The son was present
and wrote the info down for me.

> If for example he had given you a key signed by a Russian government
> agency, would you have had more confidence? Granted, you like (and
> obviously trust to some extent) the Estonian e-ID system. Others
> might not have so much faith.
>
> Sorry if I'm coming across as a little harsh, but you are proposing
> spending hard cash and I'd hate to see you do so and not get your
> money's worth. By all means, get an e-ID for the fun, for experiment,
> or to start up a company. But signing PGP keys with it is
> non-standard, and it's hard enough to convince most people to verify
> keys via standard methods.
>
> The problem with any PKI (which we still haven't cracked) is that the
> motivation to get your key signed is "How do I prove my identity to
> others", while the motivation of the person verifying the key is "To
> what extent should I trust this person". And unfortunately, the two
> questions are far from equivalent.

Usually the proof of identity is done with government issued IDs. So the
Estonian e-residency smart card is not so much different in that regard.
Of course it would be better if every country issued something like that
to its citizens. And even better if that was compatible with GPG. But
until that happens we might have to improvise sometimes.

There is also SuisseID, somehow similar, but the cost is so high that
nobody is interested.

Rgds
Richard

> A

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Estonian e-residency
Hi Andrew,

of course it is better to directly sign the key. And it is also better
if there is a short path in the web of trust. But my use case is for when
there is no path at all in the web of trust. Most people I know don't
even have a GPG key. And of the ones that have a key, chances are high
that they don't have any signatures on it.

So we sometimes resort to keybase.io. There the key is verified by some
social media. Sure, if the social media profiles have existed for some
years and have some legitimate looking interactions, it is a good
indicator that it's not a fake account. But still, I would trust a
government verification more than social media.

For example I bought a car last week with Bitcoin. The person that
handled the payment for the seller was not present, but gave me his
keybase.io user name on the phone. He signed the email containing the
Bitcoin address for the payments with his GPG key. He didn't have any
signatures on his key.

In this scenario I'm grateful for every piece of validation to give the
key more credibility.

Rgds
Richard

On Thursday, 02.02.2017, 13:42, Andrew Gallagher wrote:
> On 02/02/17 12:02, Richard Ulrich wrote:
> >
> > I thought about applying for Estonian e-residency for the sole
> > reason of adding credibility to my GPG key. My idea would be to sign
> > my GPG key with the ID card. This could give people who are not in
> > my web of trust a head start.
>
> Which particular people? And a head start at doing what?
>
> AIUI the e-residency signature is not PGP-compatible, so people will
> need to verify it using a separate tool. And once I have verified your
> e-residency signature, what does it mean to me? At best, it tells me
> that you are one of possibly many people known to the Estonian
> Government as "Richard Ulrich". Unless I have already dealt with you
> elsewhere via your Estonian ID, how does this help me?
>
> What particular problem are you trying to solve? It seems to me that
> unless you are going to use your E-identity for some other purpose,
> tying your GPG key to it adds little value. You say your sole reason
> for applying for e-residency is to add "credibility" to your existing
> key. But how is asking the Estonian government to verify your passport
> more credible than producing your passport at a keysigning party? Or
> better still, showing it to the actual person you want to talk to?
>
> Andrew.
Re: Proof for a creation date
Hi Bertram,

sorry for the late answer. Blockchain was mentioned in some answers, but
nothing concrete. Check this out:
https://github.com/opentimestamps

Rgds
Richard

On Friday, 02.12.2016, 03:12 +0100, Bertram Scharpf wrote:
> Hi,
>
> we all know that kidnappers do publish a picture of their hostage
> holding up today's newspaper. The purpose of this is to prove that the
> victim was alive _after_ a certain point of time. I want to do the
> opposite. I want to make evidence that I created a document _before_ a
> certain point of time.
>
> I could use self-darkening ink but that won't be reflected in a JPEG
> scan and my pen won't make the job that TeX does. I could sign a
> newspaper's home page but that cannot be reproduced at a later point
> of time to verify the signature.
>
> Is there a standard way in GnuPG and in the keyholder infrastructure
> to accomplish this task?
>
> Thanks in advance.
>
> Bertram
gpg and smartcard on ubuntu 16.04
I didn't read this list for a while, so forgive me if this was discussed
before.

For many years I have used gpg and gpg-agent with ssh support with an
OpenPGP smartcard. On every ubuntu upgrade I had to fiddle a little bit
to have gpg-agent act for ssh auth. No big deal usually. But this time,
after the usual fiddling, I have it working nicely for ssh and evolution.
But now it's the direct usage of gpg on the command line that is giving
me a hard time. This aspect always worked out of the box so far.

I use the stock versions from the ubuntu 16.04 repository:
gnupg        1.4.20-1ubuntu3
gnupg2       2.1.11-6ubuntu2
gnupg-agent  2.1.11-6ubuntu2
scdaemon     2.1.11-6ubuntu2

In ~/.bashrc I terminate gpg-agent if it was started without ssh
support, and start it again with:
/usr/bin/gpg-agent --daemon --enable-ssh-support > /dev/null

Now if I want to decrypt a file:

$ gpg -d Dokumente/somefile.txt.gpg
gpg: Anonymer Empfänger; Versuch mit geheimem Schlüssel 0AAA …
gpg: pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
gpg: Kartenleser ist nicht vorhanden

$ gpg --use-agent -d Dokumente/somefile.txt.gpg
gpg: Anonymer Empfänger; Versuch mit geheimem Schlüssel 0AAA …
gpg: pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
gpg: Kartenleser ist nicht vorhanden

$ gpg2 -d Dokumente/somefile.txt.gpg
gpg: verschlüsselt mit RSA Schlüssel, ID
gpg: Entschlüsselung fehlgeschlagen: Kein geheimer Schlüssel

$ gpg --card-status
gpg: pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
gpg: Kartenleser ist nicht vorhanden
gpg: OpenPGP Karte ist nicht vorhanden: Allgemeiner Fehler

$ gpg2 --card-status
Reader ...........: ...
Application ID ...: ...
Version ..........: 2.0
Manufacturer .....: ZeitControl

All this was never a problem until now. Are there any tricks to get the
interfacing with smartcards working smoother again?

If I powercycle the smartcard and kill scdaemon, it will first ask me for
the other smart card that contains the master key. If I don't provide
this, I could not figure out how to decrypt the file. The only way was to
plug in that other smart card, and have gpg find out that this is not
the one we need. Then it asks me to plug in the card that I indeed need.
Now I can enter the PIN, but strangely in the console, and not in the
pinentry window. With this awkward workflow I am able to decrypt the
file.

Rgds
Richard
Re: Help needed to use truecrypt + openpgp applet.
Hi Ranjini,

Does it have to be truecrypt? LUKS works very well with OpenPGP
SmartCards or JavaApplets implementing it (e.g. YubiKey NEO). Just
follow the steps in this blog post:
https://blog.kumina.nl/2010/07/two-factor-luks-using-ubuntu

Rgds
Richard

On Thursday, 19.02.2015, 13:53 +0530, Ranjini H.K wrote:
> Thanks Pete Stephenson. Yes my java card supports PKCS#11. Am not so
> sure about OpenPGP applet. What should I do otherwise to make my
> OpenPGP applet support PKCS#11.
>
> Ranjini HK
> Software Engineer - Tyfone, Inc.
> Bangalore
> www.tyfone.com
> Mobile: +91-9886262192
>
> On Thu, Feb 19, 2015 at 1:46 PM, Pete Stephenson p...@heypete.com wrote:
> > On Thu, Feb 19, 2015 at 5:53 AM, Ranjini H.K ranjin...@tyfone.com wrote:
> > > Hi all,
> > >
> > > Am trying to implement disk encryption/decryption using truecrypt
> > > with security token support. I have a java card with openPGP
> > > applet loaded on to it. In spite of configuring truecrypt to use
> > > the security token, it's not finding it and notifying me with an
> > > error saying: security token error FUNCTION NOT SUPPORTED.
> >
> > Considering the way it was abandoned by its developers, TrueCrypt is
> > probably not the best choice going forward.
> >
> > That said, TrueCrypt only supports smartcards that use PKCS #11
> > libraries. Does the JavaCard you're using support PKCS #11? Does the
> > OpenPGP applet?
> >
> > --
> > Pete Stephenson
Re: setting env vars for gpg-agent
Hi Werner,

So, I replaced my content in .bashrc with yours, but the behavior is
still exactly the same.
* ssh smartcard auth works across different terminals. (so the agent
  must be functional)
* evolution signing works only if started from the terminal, even if I
  comment out the line: if [ $PS1 ]; then
* enigform in firefox doesn't sign the headers.

I did not understand the last paragraph with gpg-connect-agent /bye. But
since the ssh part is working, I don't think that's necessary.

Rgds
Richard

On Sunday, 14.09.2014, 11:31 +0200, Werner Koch wrote:
> On Sat, 13 Sep 2014 22:02, ricu...@gmail.com said:
>
> > After gpg-agent stopped to work for ssh auth from OpenPGP smartcard
> > after some ubuntu upgrade a while back, I launch it and set the env
> > variables in ~/.bashrc.
>
> I suggest to launch gpg-agent on the fly: Add
>
>   use-standard-socket
>
> to ~/.gnupg/gpg-agent.conf and remove all settings of GPG_AGENT_INFO.
> I use this in my ~/.bashrc:
>
> --8<---------------cut here---------------start------------->8---
> # If running interactively, then:
> if [ $PS1 ]; then
>     # Setup information required by GnuPG and ssh.  We use the standard
>     # socket in GnuPG's homedir, thus there is no need for an
>     # environment variable.  We reset any left over envvar.
>     # SSH_AGENT_PID should not be set either because it is only used to
>     # kill ssh-agent (option -k) but we don't want this to kill
>     # gpg-agent.  Because ssh does not know about GnuPG's homedir we
>     # need to set its envvar to gpg-agent's ssh socket.  GPG_TTY needs
>     # to be set to the current TTY.  The extra test is used to avoid
>     # setting SSH_AUTH_SOCK if gpg-agent has been started with the
>     # shell on the command line (often used for testing).
>     unset GPG_AGENT_INFO
>     unset SSH_AGENT_PID
>     if [ ${gnupg_SSH_AUTH_SOCK_by:-0} -ne $$ ]; then
>         export SSH_AUTH_SOCK=${HOME}/.gnupg/S.gpg-agent.ssh
>     fi
> fi
> export GPG_TTY=$(tty)
> --8<---------------cut here---------------end--------------->8---
>
> If you want to use gpg-agent's ssh-agent implementation, you need to
> make sure that gpg-agent is started (because ssh does not know how to
> start gpg-agent). You may do this with
>
>   gpg-connect-agent /bye
>
> This works since 2.0.16 released 4 years ago. Recent ve
>
> Note that if you have ~/.gnupg on some remote file system, this may
> not work.
>
> Salam-Shalom,
>
>    Werner
Re: setting env vars for gpg-agent
Hi Werner,

I just discovered that signing deb packages is not as smooth as before.
* If I have an active gpg-agent session, it fails with the following
  error:
  clearsign failed: Allgemeiner Fehler
* If I reinsert the card, I get the following:
  gpg: GPG-Agent ist in dieser Sitzung nicht vorhanden
  Geben Sie die PIN ein:
  Then I have to enter the PIN twice in the terminal. In all other
  instances so far it was always in the graphical pinentry dialog.

I can verify that gpg-agent is still running, and still working for ssh.
But for regular gpg operation I discovered also other problems:

$ gpg -d mhs_paraeasy_ch.txt.gpg
gpg: Anonymer Empfänger; Versuch mit geheimem Schlüssel 0xx …
Bitte entfernen Sie die Karte und legen stattdessen die Karte mit folgender Seriennummer ein:
   D27xxx
Drücken Sie 'Eingabe' wenn fertig; oder drücken Sie 'c' um abzubrechen:

All this worked with the previous content in .bashrc.

Rgds
Richard

On Monday, 15.09.2014, 21:17 +0200, Richard Ulrich wrote:
> Hi Werner,
>
> So, I replaced my content in .bashrc with yours, but the behavior is
> still exactly the same.
> * ssh smartcard auth works across different terminals. (so the agent
>   must be functional)
> * evolution signing works only if started from the terminal, even if I
>   comment out the line: if [ $PS1 ]; then
> * enigform in firefox doesn't sign the headers.
>
> I did not understand the last paragraph with gpg-connect-agent /bye.
> But since the ssh part is working, I don't think that's necessary.
>
> Rgds
> Richard
>
> On Sunday, 14.09.2014, 11:31 +0200, Werner Koch wrote:
> > On Sat, 13 Sep 2014 22:02, ricu...@gmail.com said:
> >
> > > After gpg-agent stopped to work for ssh auth from OpenPGP
> > > smartcard after some ubuntu upgrade a while back, I launch it and
> > > set the env variables in ~/.bashrc.
> >
> > I suggest to launch gpg-agent on the fly: Add
> >
> >   use-standard-socket
> >
> > to ~/.gnupg/gpg-agent.conf and remove all settings of
> > GPG_AGENT_INFO. I use this in my ~/.bashrc:
> >
> > --8<---------------cut here---------------start------------->8---
> > # If running interactively, then:
> > if [ $PS1 ]; then
> >     # Setup information required by GnuPG and ssh.  We use the standard
> >     # socket in GnuPG's homedir, thus there is no need for an
> >     # environment variable.  We reset any left over envvar.
> >     # SSH_AGENT_PID should not be set either because it is only used to
> >     # kill ssh-agent (option -k) but we don't want this to kill
> >     # gpg-agent.  Because ssh does not know about GnuPG's homedir we
> >     # need to set its envvar to gpg-agent's ssh socket.  GPG_TTY needs
> >     # to be set to the current TTY.  The extra test is used to avoid
> >     # setting SSH_AUTH_SOCK if gpg-agent has been started with the
> >     # shell on the command line (often used for testing).
> >     unset GPG_AGENT_INFO
> >     unset SSH_AGENT_PID
> >     if [ ${gnupg_SSH_AUTH_SOCK_by:-0} -ne $$ ]; then
> >         export SSH_AUTH_SOCK=${HOME}/.gnupg/S.gpg-agent.ssh
> >     fi
> > fi
> > export GPG_TTY=$(tty)
> > --8<---------------cut here---------------end--------------->8---
> >
> > If you want to use gpg-agent's ssh-agent implementation, you need to
> > make sure that gpg-agent is started (because ssh does not know how
> > to start gpg-agent). You may do this with
> >
> >   gpg-connect-agent /bye
> >
> > This works since 2.0.16 released 4 years ago. Recent ve
> >
> > Note that if you have ~/.gnupg on some remote file system, this may
> > not work.
> >
> > Salam-Shalom,
> >
> >    Werner
setting env vars for gpg-agent
After gpg-agent stopped to work for ssh auth from OpenPGP smartcard after
some ubuntu upgrade a while back, I launch it and set the env variables
in ~/.bashrc. Since then I have to launch evolution from the terminal to
have gnupg correctly work with it. But even if I launch firefox from the
terminal, it doesn't seem to get the settings for enigform.

Where would be a better place for that? The gnupg docs suggest
~/.xsession. But that file didn't exist on my machine, and since unity is
not based on X11 I doubt that it is read at all. In fact, I just copied
the relevant lines from my .bashrc to .xsession and it didn't work for
either evolution or firefox. Also ~/.profile doesn't seem to be the right
place, as it just calls .bashrc

These are my lines in .bashrc:

# If the agent is not already running, start it
if ! ps aux | grep -q '[e]nable-ssh-support'; then
    /usr/bin/gpg-agent --daemon --enable-ssh-support \
        --write-env-file "${HOME}/.gpg-agent-info" > /dev/null
fi
# And then read info back
eval "$(cat "$HOME/.gpg-agent-info")" > /dev/null

And here is the documentation I was referring to:
https://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html

So, where should I put those lines so that firefox receives the correct
env vars?

Rgds
Richard
using different encryption key in evolution
I realize this question is more related to evolution than gpg directly,
but people here might know better than in an evolution mailing list
(which I'm not subscribed to anyway).

Suppose a company has a mail address that is distributed among a group
of employees. E.g. if I send a mail to sa...@compa.ny that mail is
forwarded to al...@compa.ny and b...@compa.ny. Now I want to send an
encrypted mail to sa...@compa.ny, but there is no gpg key for that
address. Instead I find keys for some people that will finally get the
mail. Is there a way in evolution to explicitly state which encryption
keys to use? Judging from the gpg manpage, it could be done on the
command line, but that would be difficult to then send as a regular
email, I guess.

Rgds
Richard
Order of keys attempted to decrypt
I have my private sub keys on a smart card, and up until recently
decrypting was always fine. Then I found out that for signing other
people's keys, I need to have the primary private key available. So I
put it on a second smart card as described here:
http://gnupg.10057.n7.nabble.com/Issues-with-primary-key-amp-subkeys-on-different-smartcards-td32228.html

Now decryption still works, but with a small hiccup:

$ gpg -d test.txt.gpg
gpg: Anonymer Empfänger; Versuch mit geheimem Schlüssel 0AE275A9 …
gpg: sending command `SCD PKDECRYPT' to agent failed: ec=6.91
gpg: Anonymer Empfänger; Versuch mit geheimem Schlüssel 8760DB3E …
gpg: Alles klar, wir sind der ungenannte Empfänger.
gpg: verschlüsselt mit RSA Schlüssel, ID

It first tries to decrypt using the primary key. And since the card with
the primary key is not plugged in, it outputs an error, before it tries
the sub key that succeeds. I tried using the -r option to specify the
key to use, but it was seemingly ignored. Is there a way to specify
which key to try first?

The problem I have at the moment is that some scripts fail, probably
because of the error that is output. For example, it never reaches line
43 of the following script since I have the stub for the primary key:
https://github.com/ulrichard/locally_encrypted_remote_storage/blob/master/open_locally_encrypted_remote_storage.sh

Rgds
Richard

PS: out of curiosity: What does the ID mean in the output from gpg:
gpg: verschlüsselt mit RSA Schlüssel, ID
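The script failures described in the post above come from treating gpg's stderr as the verdict. As an added example (not code from the post, from the linked script, or from GnuPG), here is a POSIX sh wrapper that decides success from gpg's exit status and its --status-fd lines, so the harmless "SCD PKDECRYPT" complaint about the absent primary-key card no longer aborts a script; the GPG variable and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the list post or from GnuPG: decrypt a file
# with gpg and judge success by gpg's exit status plus its machine-readable
# status lines (--status-fd), never by whether stderr stayed quiet. With the
# primary key stub pointing at an absent card, gpg 1.4 prints
# "sending command `SCD PKDECRYPT' to agent failed" before the subkey on the
# present card succeeds; a script that treats any stderr text as failure
# stops at that harmless line.
#
# GPG is an assumption of this example: it lets a caller name the binary
# (gpg, gpg2) or, in a test, a stand-in, instead of the first gpg in PATH.
GPG=${GPG:-gpg}

# gpg_verdict STATUSFILE
# Prints the decisive status token found in a --status-fd capture:
#   ok         DECRYPTION_OKAY was reported
#   no-seckey  gpg reported NO_SECKEY for a recipient and nothing decrypted
#   failed     anything else
gpg_verdict() {
    if grep -q '^\[GNUPG:\] DECRYPTION_OKAY' "$1"; then
        echo ok
    elif grep -q '^\[GNUPG:\] NO_SECKEY' "$1"; then
        echo no-seckey
    else
        echo failed
    fi
}

# gpg_decrypt_file IN OUT
# Returns 0 when gpg exited 0 and reported DECRYPTION_OKAY, 1 otherwise.
# gpg's human-readable stderr is shown only on failure, so the complaint
# about the missing primary-key card does not clutter a successful run.
gpg_decrypt_file() {
    src=$1
    dst=$2
    status=$(mktemp) || return 1
    errors=$(mktemp) || { rm -f "$status"; return 1; }

    # fd 3 carries the "[GNUPG:] ..." lines; fd 2 keeps the human text.
    # No --batch, so an interactive card/PIN prompt still works on a tty.
    rc=0
    "$GPG" --status-fd 3 --output "$dst" --decrypt "$src" \
        3>"$status" 2>"$errors" || rc=$?

    verdict=$(gpg_verdict "$status")
    if [ "$rc" -eq 0 ] && [ "$verdict" = ok ]; then
        rm -f "$status" "$errors"
        return 0
    fi

    # Real failure: show gpg's own explanation and the decisive token.
    echo "gpg_decrypt_file: exit status $rc, verdict $verdict" >&2
    cat "$errors" >&2
    rm -f "$status" "$errors"
    return 1
}

# Usage in a script (the exit status is what matters, not stderr):
#   gpg_decrypt_file Dokumente/somefile.txt.gpg somefile.txt || exit 1
```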
Re: [Announce] GnuPG launches crowdfunding campaign
As this is about a crypto project, wouldn't it be adequate to accept
payments in crypto currencies?

Rgds
Richard

On Thu, 2013-12-19 at 11:08 +0100, Werner Koch wrote:
> GnuPG encryption project launches crowdfunding campaign
>
> Today GNU Privacy Guard (GnuPG) has launched its first crowdfunding
> campaign [1] with the aim of building a new website and long term
> infrastructure. The 24.000 EUR target will fund:
>
> - Fresh web interfaces for gnupg.org including mobile
> - Completion and release of GnuPG 2.1
> - Anonymous Tor network access to the website
> - A new user friendly download page suitable for all devices
> - A new server for web services
> - New pages convening external guides, videos, and handbooks
> - Facilities for processing recurring donations for long term project
>   support
>
> Project founder and Lead Developer Werner Koch said “GnuPG has seen a
> huge upsurge in popularity following recent state spying revelations.
> After 16 years of continuous development, we are now asking for
> community support to capitalise on consumer demand for privacy, and
> make GnuPG easy to access for mainstream audiences”.
>
> GnuPG is one of the few tools remaining above suspicion in the wake of
> leaked NSA documents. Edward Snowden and his contacts including Bruce
> Schneier switched to GnuPG when they began handling the secret
> documents earlier this year [2]. The Wall Street Journal, The
> Committee to Protect Journalists, and ProPublica [3] have all embraced
> GnuPG for protection of staff and sources. Phil Zimmermann, original
> inventor of Pretty Good Privacy (PGP), has also moved to GnuPG in wake
> of the news.
>
> “GnuPG is a key part of modern privacy infrastructure” said Sam Tuke,
> Campaign Manager, GnuPG. “Millions of users rely on GnuPG to work
> securely on servers, laptops and smartphones, but 2013 donations
> totaling 3.000 EUR to date have not even covered fixed costs.
> Supporting new algorithms like elliptical curve and fixing newfound
> exploits fast takes a lot of work which is done voluntarily. Now is
> the time for people to contribute to making GnuPG slick and more
> sustainable in future”.
>
> Jacob Appelbaum, Tor Project developer, added “GnuPG is important - it
> allows us the assurances we need to do our work. Community funding is
> a critical part of a confident outlook for GnuPG in future.”
>
> For further information, please contact Sam Tuke.
> Email: samtuke [at] gnupg.org
> Phone: +49 176 81923811
>
> [1] http://goteo.org/project/gnupg-new-website-and-infrastructure
> [2] http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
> [3] http://www.cjr.org/behind_the_news/hacks_hackers_security_for_jou.php
>
> == About GNU Privacy Guard ==
>
> GnuPG is a leading cryptography app that protects emails and data from
> interception. It is developed by a community of Free Software
> engineers led by Werner Koch. GnuPG is used and recommended by the
> world’s top security experts, including Bruce Schneier and Phil
> Zimmermann. It offers best in class privacy free of charge and
> restriction. Hundreds of companies have integrated GnuPG into their
> products to perform mission critical security, including Red Hat,
> Deutsche Bahn, and many others.
>
> http://gnupg.org
enable-ssh-support not enabled after upgrade to ubuntu saucy (gpg 1.4.14)
I set up ssh authentication a long time ago according to the second half
of this guide (with smartcard):
http://www.programmierecke.net/howto/gpg-ssh.html
It worked without an issue until I recently upgraded to Ubuntu 13.10.

After the upgrade I had to disable the gnome-keyring-ssh and
gnome-keyring-gpg as well as ssh-agent again, as I did after previous
upgrades. The configuration for enable-ssh-support in
~/.gnupg/gpg-agent.conf was still intact.

On another system where the whole stuff still works,
ps aux | grep gpg-agent
shows only one instance with lots of options:
/usr/bin/gpg-agent --daemon --sh --write-env-file=/home/richi/.gnupg/gpg-agent-info-quadulrich /usr/bin/dbus-launch --exit-with-session /usr/bin/im-launch gnome-session --session=ubuntu

But on this system, it shows 5 instances: 4 with only --daemon and the
fifth with an additional --sh.

If I type
gpg-agent --daemon --enable-ssh-support
and execute the output in a terminal, I get an instance that works and
handles the ssh key authentication.

Is anybody here aware of some changes in this area, and knows how I need
to configure my system to have it as seamless as before? More
specifically, what do I need to do to have the gpg-agent started with
all these options?

Rgds
Richard
Changing the email address of a key
When I generated my new private key, I used one of my email addresses.
This email address is stored both on the crypto stick (smart card) and
in the secring.gpg or pubring.gpg, probably both. Now I would like to
use that key with another email address. Is it possible to change the
email address of a key, and how would I proceed to have it on the stick
and in the gpg stub files?

Rgds
Richard
Signing eMails doesn't work anymore
Hi,

this is my first post to this list. I have a crypto stick from
www.privacyfoundation.de, and when I first set it up, signing emails
worked flawlessly. But then I wanted to also be able to use my
crypto-stick for ssh authentication. As adding the authentication sub
key turned out to be difficult, I generated an entirely new private key
with encryption-, signature- and authentication subkeys generated before
putting them onto the crypto stick. SSH authentication works nicely now,
but with the new key, signing emails always fails. Encryption and
decryption still work. I'm using evolution, but I also tried with
thunderbird. The error message I get is the same I get when trying to
sign something with gpg directly. Could it be that gpg is confused which
key to use?

# gpg --sign setup_my_system.sh
gpg: sending command `SCD PKSIGN' to agent failed: ec=6.18
gpg: Beglaubigung fehlgeschlagen: Allgemeiner Fehler
gpg: signing failed: Allgemeiner Fehler

# gpg2 --card-status
Application ID ...: D276000124010205115F
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 115F
Name of cardholder: Richard Ulrich
Language prefs ...: de
Sex ..............: männlich
URL of public key : [nicht gesetzt]
Login data .......: [nicht gesetzt]
Signature PIN ....: nicht zwingend
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: 6555 FA9F AEEF 386C 50E2 7AE1 02EC 6014 E840 1492
      created ....: 2012-08-07 19:01:59
Encryption key....: 3A6C CF0A C29F 3DFC 60AF DCCE 31AA D811 8760 DB3E
      created ....: 2012-08-07 19:00:54
Authentication key: 2C12 F55B 69D3 088E BFD9 C010 BABF AE12 5A09 7EF6
      created ....: 2012-08-07 19:04:12
General key info..: pub  2048R/E8401492 2012-08-07 Richard Ulrich (ulrichard) xx...@gmail.com
sec#  2048R/0AE275A9  erzeugt: 2012-08-07  verfällt: 2022-08-05
ssb   2048R/8760DB3E  erzeugt: 2012-08-07  verfällt: niemals  Kartennummer: 0005 115F
ssb   2048R/E8401492  erzeugt: 2012-08-07  verfällt: niemals  Kartennummer: 0005 115F
ssb   2048R/5A097EF6  erzeugt: 2012-08-07  verfällt: niemals  Kartennummer: 0005 115F

# gpg2 --list-keys
/home/richi/.gnupg/pubring.gpg
------------------------------
pub   2048R/0AE275A9 2012-08-07 [verfällt: 2022-08-05]
uid                  Richard Ulrich (ulrichard) xx...@gmail.com
sub   2048R/8760DB3E 2012-08-07
sub   2048R/E8401492 2012-08-07
sub   2048R/5A097EF6 2012-08-07
sub   2048R/EC980139 2012-08-07 [verfällt: 2022-08-05]

Rgds
Richard