RE: Syntax Question on GPG2 on LINUX

2016-10-06 Thread Steve Butler
Jim,

I don't use modern but I do have a script for classic that works in unattended 
mode on a Linux box.  The caller knows the input file name and the script knows 
my passphrase -- default gpg_pass2.  Hope this helps with gpg2! --Steve

$ cat gpg_encrypt
#!/bin/ksh
usage="gpg_encrypt [ -a -b -e ext -n -s ] PK_ID source"
#
#   Interface script for edi and ftpexec to encrypt files via GnuPG
#
#   -a  Use ASCII armor (--armor switch)
#   -b  Use binary (i.e. opposite of -a)
#   -e  Use ext as value of file extension (defaults to pgp when not specified)
#   -n  Do not sign (i.e. opposite of -s)
#   -s  Sign using key for helpd...@fchn.com as signing key
# For conflicting options, the last one entered takes precedence.
#
#   PK_ID  Key ID to which the file is to be encrypted.
#   source Source file name to encrypt.
#
# Encrypts to a file of source.ext and the name is echoed to stdout

XRG_DBA=${XRG_DBA:=/usr/xrg_dba}
xrgbin=$XRG_DBA/bin
# "default" is the site lookup tool: it returns the gpg home directory here
# and, further down, the signing passphrase (gpg_pass2).
homedir=$("$xrgbin/default" gpg_home)

EXT=pgp
ARMOR=""
SIGN="--sign"

while getopts ":abe:ns" opt
do
  case $opt in
    a) ARMOR="--armor" ;;
    b) ARMOR="" ;;
    e) EXT=$OPTARG ;;
    n) SIGN="" ;;
    s) SIGN="--sign" ;;
    *) echo "$usage" >&2
       exit 2
       ;;
  esac
done

shift $((OPTIND - 1))

if [[ $# -ne 2 ]]; then
  echo "gpg_encrypt:  Must supply 2 parameters" >&2
  echo " usage: $usage" >&2
  exit 99
fi

rm -f "$2.$EXT"

# $ARMOR is deliberately left unquoted: when it is empty it must vanish
# rather than become an empty argument that gpg would take for a file name.
if [[ -z $SIGN ]]; then
  gpg --batch --homedir "$homedir" --quiet --no-tty --always-trust $ARMOR \
      --no-permission-warning --recipient "$1" --output "$2.$EXT" --encrypt "$2"
  x=$?
else
  # The passphrase arrives on stdin (fd 0), so it never appears on the command line.
  "$xrgbin/default" gpg_pass2 | gpg \
      --batch --homedir "$homedir" --quiet --no-tty --always-trust $ARMOR \
      --sign --passphrase-fd 0 --default-key helpd...@fchn.com \
      --no-permission-warning --recipient "$1" --output "$2.$EXT" --encrypt "$2"
  x=$?
fi

if [ $x -ne 0 ]; then
  echo "gpg_encrypt: gpg failure code '$x'" >&2
fi
echo "$2.$EXT"
exit $x
#

From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On Behalf Of Jim Ernst
Sent: Thursday, October 06, 2016 5:39 AM
To: gnupg-users@gnupg.org
Subject: Syntax Question on GPG2 on LINUX

Hello All -

I am working in a LINUX environment using GPG version 2.1.15

Can anyone give me the syntax to use gpg2  to create a signed, encrypted file 
using a passphrase in a LINUX shell script ?  This is being run from Oracle EBS 
on a schedule so there would not be a user interacting to answer prompts. With 
this mode, are there any terminal settings I would need to set?

Thanks !!
Jim Ernst
NTT Data
NOTE: The sender of this email is an independent contractor of Invacare 
Corporation or one of its subsidiaries. CONFIDENTIALITY NOTICE: The information 
in this e-mail message and any attachments may contain privileged, confidential 
or proprietary information, including confidential health information, 
protected by applicable Federal or state laws. Such information is intended 
only for the recipient named above. If you are not the intended recipient, 
please notify the sender immediately, and take notice that any use, disclosure 
or distribution of such information is prohibited by law.

-- 
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, 
is for the sole use of the intended recipient(s) and may contain 
confidential 
and privileged information. Any unauthorized review, use, disclosure or 
distribution is prohibited. If you are not the intended recipient, please 
contact the sender by reply e-mail and destroy all copies of the original 
message.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
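For the gpg2 2.1 case Jim actually asked about, here is an added example in POSIX sh; it is neither Steve's script above nor anything shipped by GnuPG. It assumes a GnuPG 2.1 or later installation, key IDs supplied by the caller (GPG_RECIPIENT and GPG_SIGNER are placeholder names), and a passphrase file such as the hypothetical /etc/edi/gpg_pass owned by the job's account with mode 0400. In 2.1+ the passphrase is handled by gpg-agent, so --passphrase-fd only takes effect together with --pinentry-mode loopback (allowed by default since 2.1.12; older 2.1 agents need allow-loopback-pinentry in gpg-agent.conf). With --batch and --no-tty gpg never opens the terminal, so no terminal settings are needed for a job started by a scheduler. --trust-model always is the current spelling of the script's --always-trust.

```shell
#!/bin/sh
# Added example (not the script from the list): unattended sign + encrypt, GnuPG 2.1+.
# Assumed layout (hypothetical): the passphrase file is owned by the service account,
# mode 0400, and key IDs are supplied by the caller.

# Sign $src with key $signer, encrypt it to $recipient and write $out.
# gpg reads the passphrase from file descriptor 3, which the shell opens from
# $passfile, so it never appears in argv, in `ps` output or in the shell history.
# gpg's machine-readable status lines go to fd 4; success requires both exit code 0
# and an END_ENCRYPTION line, so a run that died half-way cannot pass as success.
gpg_sign_encrypt() {
    recipient=$1 signer=$2 src=$3 out=$4 passfile=$5
    statusfile=$(mktemp) || return 1
    rc=0
    gpg --batch --yes --quiet --no-tty \
        --pinentry-mode loopback --passphrase-fd 3 \
        --trust-model always \
        --status-fd 4 \
        --local-user "$signer" --recipient "$recipient" \
        --output "$out" --sign --encrypt "$src" \
        3< "$passfile" 4> "$statusfile" || rc=$?
    if [ "$rc" -eq 0 ] && ! grep -q '^\[GNUPG:\] END_ENCRYPTION' "$statusfile"; then
        echo "gpg_sign_encrypt: gpg exited 0 but never reported END_ENCRYPTION" >&2
        rc=1
    fi
    rm -f "$statusfile"
    return "$rc"
}

# Refuse to run with a passphrase file that other users can read: the passphrase is
# only as private as the file holding it.  Returns 1 (with a message) on a bad mode.
check_passfile_mode() {
    passfile=$1
    [ -f "$passfile" ] || { echo "check_passfile_mode: $passfile missing" >&2; return 1; }
    # Portable mode string from ls -l, e.g. -r-------- (first 10 characters)
    mode=$(ls -l "$passfile" | cut -c1-10)
    case $mode in
        ????------) return 0 ;;   # no group or other permission bits at all
        *) echo "check_passfile_mode: $passfile is $mode; expected no group/other access" >&2
           return 1 ;;
    esac
}

# Stand-alone use: GPG_DEMO=1 GPG_RECIPIENT=<key id> GPG_SIGNER=<key id> sh this_script.sh input.txt
if [ "${GPG_DEMO:-0}" = 1 ] && command -v gpg >/dev/null 2>&1; then
    src=${1:?input file}
    check_passfile_mode /etc/edi/gpg_pass &&
    gpg_sign_encrypt "${GPG_RECIPIENT:?}" "${GPG_SIGNER:?}" "$src" "$src.pgp" /etc/edi/gpg_pass &&
    echo "$src.pgp"
fi
```

The END_ENCRYPTION check matters in a job nobody watches: the ksh script tests only the exit status, whereas a status line from gpg itself confirms the output file was finished rather than merely created.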


RE: What to do at failed integrity check?

2016-10-03 Thread Steve Butler
Go to any public key server and get that key ID.

However, before doing that, I'd first verify the checksum without using GnuPG.  
That process should also have been described on the download page.



-Original Message-
From: Gnupg-users [mailto:gnupg-users-bounces+sbutler=fchn@gnupg.org] On 
Behalf Of Simon Albrecht
Sent: Monday, October 03, 2016 6:36 AM
To: gnupg-users@gnupg.org
Subject: What to do at failed integrity check?

Hello everybody,

I’m having a problem getting GnuPG set up: I downloaded the tarball and 
signature (for v2.0.30), then did the integrity check as described on 
 using the packaged 
version of GnuPG (1.4.something), and it failed with this message:

gpg: Signature made Do 31 Mär 2016 12:56:02 CEST using RSA key ID 4F25E3B6
gpg: Can't check signature: public key not found

I already tried getting the files from a mirror – same thing.

Now, the instructions on the linked webpage only say ‘the file should be 
treated suspiciously’. But what can I do now? Just use it anyway and hope it’s 
not a real problem?

Best regards,
Simon Albrecht




RE: Decryption failed: No secret key found (Please help !)

2016-08-18 Thread Steve Butler
-Original Message-
From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On Behalf Of Hariharan 
Shweta

Thanks for the response. We have provided them our public key. 
The key 31743B64 is not our public key. I'm confused as our vendor is able to 
decrypt our message but we are not able to do it. 

Any advice is appreciated.

From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On Behalf Of Ben 
McGinnes
Sent: Thursday, August 18, 2016 2:40 PM
> 
> We have setup the entire GnuPG software along with the keys in our 
> Linux server. We are able to encrypt our message and send it to our 
> vendor. even our vendor is able to decrypt it at their end. But we are 
> not able to decrypt the message sent by the vendor to us.

Let's say that your public key has an ID of PKA and your vendor has public key 
ID of PKB.

When you encrypt your message to the vendor you encrypt with their PKB key ID.  
If you also want to decrypt that same message later for yourself you need to 
also encrypt it to PKA (encrypt to both key IDs).

When your vendor sends a message to you they need to encrypt to your public key 
ID of PKA.  It looks like they encrypted the message to two public keys.  
However, neither one is yours.  You need to contact the vendor and ensure they 
encrypt messages to you with your PKA key ID. [Substitute actual fingerprint 
values as needed.]

Give them the key IDs to which they did encrypt the message as that will help 
them figure out what they did wrong on their end.

On a couple of occasions I've had vendors send me their private key along with 
the public key.  [Holding head in hands!]  You may need to hold their hands to 
get this working right for you.

--Steve

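To see which keys an incoming message was actually encrypted to (the IDs Steve suggests handing back to the vendor), here is an added example that is not from the thread and not a GnuPG tool: it parses the `:pubkey enc packet:` lines printed by `gpg --list-only --list-packets`, which lists the recipient key IDs without attempting to decrypt, and reports whether one of your own key IDs is among them. The sample listing and its key IDs are constructed; the 31743B64 from the thread appears only as the tail of one constructed long ID. The other direction (being able to read a message you sent) is handled by `encrypt-to <your key>` in gpg.conf, which adds your own key to every encryption.

```shell
#!/bin/sh
# Added example: which keys is this message encrypted to, and is mine among them?
# Relies on `gpg --list-only --list-packets`, which prints the public-key-encrypted
# session-key packets without decrypting.  All key IDs below are constructed.

# Read a --list-packets listing on stdin and print the long (16-hex) key ID of every
# ":pubkey enc packet:" line, one per line, upper-cased.  A key ID of 0000000000000000
# means the sender used --throw-keyids (hidden recipient); nothing follows from it.
enc_key_ids() {
    sed -n 's/^:pubkey enc packet:.*keyid \([0-9A-Fa-f]\{16\}\).*/\1/p' | tr 'a-f' 'A-F'
}

# $1 = one of our key IDs (8- or 16-hex, optional 0x); stdin = enc_key_ids output.
# Returns 0 if a listed ID ends with ours: an 8-hex "short" ID such as 31743B64 is
# simply the last eight digits of the 16-hex long ID.
encrypted_to() {
    mine=$(printf '%s' "$1" | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
    [ -n "$mine" ] || return 1
    while read -r kid; do
        case $kid in *"$mine") return 0 ;; esac
    done
    return 1
}

# List recipients of a real file; --list-only skips decryption, so no passphrase prompt.
list_recipients() {
    gpg --batch --no-tty --list-only --list-packets "$1" 2>/dev/null | enc_key_ids
}

# Constructed sample of what gpg 2.x prints for a message encrypted to two keys,
# neither of which needs to be in our keyring for the listing to work.
SAMPLE_PACKETS=':pubkey enc packet: version 3, algo 1, keyid 1111222233334444
    data: [2048 bits]
:pubkey enc packet: version 3, algo 1, keyid 5555666631743B64
    data: [2048 bits]
:encrypted data packet:
    length: unknown
    mdc_method: 2'

# Stand-alone use: sh this_script.sh message.gpg MY_KEY_ID
if [ $# -eq 2 ] && command -v gpg >/dev/null 2>&1; then
    ids=$(list_recipients "$1")
    echo "encrypted to: $(printf '%s' "$ids" | tr '\n' ' ')"
    if printf '%s\n' "$ids" | encrypted_to "$2"; then
        echo "your key $2 is a recipient"
    else
        # Steve's advice: give these IDs to the sender so they can fix their side.
        echo "your key $2 is NOT a recipient; ask the sender to encrypt to it" >&2
        exit 1
    fi
fi
```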


RE: Use of --passphrase-file

2016-02-18 Thread Steve Butler
Any "secure" storage for the passphrase will itself need a mechanism to 
"unlock".  This only digs the hole one more level down.  Only you can decide 
when to stop digging.  But remember, whatever the automated script can do, a 
human following the script can also do.  [Note to self, use "hacker" instead of 
"human" next time.]

After wrestling with this for some time several years ago, I came to the 
conclusion that I could only delay the inevitable and could not prevent it.  In 
my case I chose to "hide" the plaintext passphrase in a fashion that kept the 
casual looker (non-hacker) at bay (1 level down) but was real easy to implement 
and didn't require another password/phrase.  Any serious programmer could 
easily read the code and reveal the passphrase.  Then I limit who has access to 
that particular box.

Stephen M. Butler, PMP, PSM
IT Manager - Software Engineering
First Choice Health Network
Email: sbut...@fchn.com
Voice: 206-268-2309
Fax:  206-268-6173

From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On Behalf Of Harman, 
Michael
Sent: Wednesday, February 17, 2016 8:34 AM
To: gnupg-users@gnupg.org
Subject: Use of --passphrase-file

I am attempting to automate a process that decrypts files. The files are 
encrypted with my key which has a passphrase. I have determined I can use the 
"--passphrase-file" option to get the passphrase of my key. In the gpg 
documentation at 
https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html, 
under "--passphrase-file file" it says "Don't use this option if you can avoid 
it", but I can't find any alternative solution in the documentation. I found 
one blog that says to just remove the passphrase, however I'd like to preserve 
the passphrase. Do you have any recommendations where I can have a passphrase 
but still use it in an unattended fashion that is secure?

Michael W. Harman, MIT | Senior Application Architect, Information Services | 
UHS of Delaware, Inc. | a subsidiary of Universal Health Services | Phone 
610.768.3416

UHS of Delaware, Inc. Confidentiality Notice: This e-mail message, including 
any attachments, is for the sole use of the intended recipient(s) and may 
contain confidential and privileged information. Any unauthorized review, use, 
disclosure or distribution of this information is prohibited, and may be 
punishable by law. If this was sent to you in error, please notify the sender 
by reply e-mail and destroy all copies of the original message.



RE: BAD signatures for GnuPG Stable

2016-01-28 Thread Steve Butler
Did you say this was on a VM?  We've had corrupted files with 'cp' from one 
file system to another on a VM box if it decided to do a vmotion while the copy 
was in progress.

Just remember -- "To err is human, but to really foul things up you need a 
computer." (Paul Ehrlich)


-Original Message-
From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On Behalf Of Ingo 
Klöcker
Sent: Thursday, January 28, 2016 11:52 AM
To: gnupg-users@gnupg.org
Subject: Re: BAD signatures for GnuPG Stable

On Thursday 28 January 2016 09:31:31 Aaron Tovo wrote:
> Thanks for the info.
> 
> Today I re-downloaded the .bz2 and .sig. And the verification worked 
> (see output below). I did file diffs between the new and the previous 
> downloads with 'diff' and they are identical. So I tried verify on the 
> previous download and it worked this time. Very confusing.

I had a similarly confusing incident with some FLAC files intermittently being 
logged as corrupted by vlc. It turned out that I had bad RAM that lead to 
subtle differences in the files if they happened to be put onto the bad RAM by 
the kernel's file cache.

Long story short, I suggest that you check your RAM.


Regards,
Ingo



RE: BAD signatures for GnuPG Stable

2016-01-27 Thread Steve Butler
Perhaps an ASCII download instead of binary?  That would make the download file 
larger!


-Original Message-
From: Gnupg-users [mailto:gnupg-users-bounces+sbutler=fchn@gnupg.org] On 
Behalf Of Aaron Tovo
Sent: Tuesday, January 26, 2016 8:45 PM
To: gnupg-users@gnupg.org
Subject: Re: BAD signatures for GnuPG Stable

Interesting. The file I downloaded is actually larger than what it should be!

-rw-rw-r--  1 aaron aaron  855815 Jan 25 21:44 libgpg-error-1.21.tar.bz2


On 01/26/2016 03:26 AM, Werner Koch wrote:
> On Tue, 26 Jan 2016 05:41, aaront...@gmail.com said:
>
>> $ gpg --verify libgpg-error-1.21.tar.bz2.sig 
>> libgpg-error-1.21.tar.bz2
>> gpg: Signature made Sat 12 Dec 2015 06:03:30 AM CST using RSA key ID
>> 4F25E3B6
>> gpg: BAD signature from "Werner Koch (dist sig)"
> Please check the length of the file to make sure you downloaded it 
> completely.
>
> The size of libgpg-error-1.21.tar.bz2 is 763186 bytes.
>
>
> Shalom-Salam,
>
>Werner
>


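For the two download-verification threads above (Simon's "public key not found" and Aaron's BAD signature on an oversized file), here is an added example that is not part of the list archive: it checks the file's size and SHA-256 against the values the download page publishes before gpg is involved, in the order Steve recommends, and then classifies gpg's machine-readable --status-fd output so that a missing key (NO_PUBKEY, the status behind "Can't check signature: public key not found") is reported as unverified and never confused with a BAD signature. The sample file, expected values and status lines are constructed; the key ID 4F25E3B6 is the one shown in the threads.

```shell
#!/bin/sh
# Added example: verify a downloaded tarball in the order Steve recommends:
# size and checksum first (no GnuPG needed), signature last.  Sample values are constructed.

# Returns 0 if $1 is exactly $2 bytes long.  A size mismatch points at a transfer
# problem (an FTP "ASCII mode" download rewrites line endings and grows the file,
# which is one way to get a larger-than-published tarball); re-verifying the
# signature cannot fix that, only re-downloading can.
check_size() {
    actual=$(wc -c < "$1") || return 1
    actual=$(printf '%s' "$actual" | tr -d ' ')
    if [ "$actual" -ne "$2" ]; then
        echo "size mismatch: got $actual bytes, expected $2" >&2
        return 1
    fi
}

# Prints the hex SHA-256 of $1 with whichever tool is installed.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1"
    else openssl dgst -sha256 -r "$1"
    fi | cut -d' ' -f1
}

# Returns 0 if the SHA-256 of $1 equals $2 (case-insensitive).
check_sha256() {
    actual=$(file_sha256 "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ] || { echo "sha256 mismatch: got $actual" >&2; return 1; }
}

# Reads gpg --status-fd lines on stdin and prints one word:
#   GOOD       a signature by a key in the keyring verified
#   BAD        a signature is present but does not match the data: do not use the file
#   NO_PUBKEY  signed, but the key is not in the keyring: unverified, fetch the key first
#   ERROR      some other signature error (ERRSIG without NO_PUBKEY)
#   NONE       no signature status at all
classify_verify_status() {
    result=NONE
    while read -r line; do
        case $line in
            '[GNUPG:] BADSIG '*)    result=BAD; break ;;
            '[GNUPG:] GOODSIG '*)   if [ "$result" = NONE ]; then result=GOOD; fi ;;
            '[GNUPG:] NO_PUBKEY '*) result=NO_PUBKEY ;;
            '[GNUPG:] ERRSIG '*)    if [ "$result" = NONE ]; then result=ERROR; fi ;;
        esac
    done
    echo "$result"
}

# Full check: $1 tarball, $2 detached .sig, $3 published size, $4 published SHA-256.
# Returns 0 only for a GOOD signature; 2 means "not verified yet", 1 means "reject".
verify_download() {
    file=$1 sig=$2 size=$3 sum=$4
    check_size "$file" "$size" || return 1
    check_sha256 "$file" "$sum" || return 1
    if ! command -v gpg >/dev/null 2>&1; then
        echo "checksum ok; gpg not installed, signature not checked" >&2
        return 2
    fi
    verdict=$(gpg --batch --no-tty --status-fd 1 --verify "$sig" "$file" 2>/dev/null \
              | classify_verify_status)
    echo "signature: $verdict"
    case $verdict in
        GOOD) return 0 ;;
        NO_PUBKEY)
            # Steve's step: fetch the key, then verify again.  Use the full fingerprint
            # printed on the download page, not a short ID like 4F25E3B6, which is
            # cheap to collide.
            echo "fetch the signing key (gpg --recv-keys <fingerprint>) and re-run" >&2
            return 2 ;;
        *) return 1 ;;
    esac
}

# Stand-alone use: sh this_script.sh file.tar.bz2 file.tar.bz2.sig SIZE SHA256
if [ $# -eq 4 ]; then
    verify_download "$@"
fi
```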


RE: Get gpg to use keyring files in the current directory

2015-12-16 Thread Steve Butler
Either set --homedir on the command line or in the options file.

-Original Message-
From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On Behalf Of Jarle 
Hammen Knudsen
Sent: Wednesday, December 16, 2015 8:19 AM
To: Gnupg-users@gnupg.org
Subject: Get gpg to use keyring files in the current directory

I'm trying to get gpg to create and use keyring files in the current 
directory.
In e:\test I have this options file named test.conf :

 utf8-strings
 no-default-keyring
 keyring test-public.keyring
 secret-keyring test-secret.keyring

If I cd to e:\test and use this command line:

 gpg --gen-key --options test.conf

the keyrings are not created in the current directory, but in 
C:\Users\username\AppData\Roaming\gnupg
The options file is read, since the keyring files use the specified names.

I'm using gpg to encrypt small backup files which will be decrypted by 
non-tech-savvy users that do not usually use gpg. I'm going to store the 
keyrings ready for use on a USB-stick and will not know the absolute path to 
the keyfiles.

Any suggestions?

gpg (GnuPG) 2.0.29 (Gpg4win 2.3.0)
Windows 10




RE: Can I pass the password from the command line?

2015-12-15 Thread Steve Butler
There is under 1.4.  Don't know if it is in v2.  I'm not at my desk to pop the 
script open.  But you could pipe the passphrase via stdin and tell gpg to 
grab it from there.  Be careful as that still leaves it in the clear to those 
reading your script.   Potential local users could also see it if you echo'd it 
to the pipe.



Sent from my Verizon Wireless 4G LTE smartphone


 Original message 
From: Andrew Gallagher 
Date: 12/15/2015 15:09 (GMT-08:00)
To: Anthony Papillion 
Cc: gnupg-users@gnupg.org
Subject: Re: Can I pass the password from the command line?


> On 15 Dec 2015, at 22:58, Anthony Papillion  wrote:
>
> I'd like to script encryption and decryption from the command line. Is
> there a way to pass the encryption passphrase to GnuPG from the
> command line.

I don't think there is a password parameter, and I'd strongly recommend not 
doing it even if there was. Many OSes make the command line parameters of 
processes available to any local user.

Have you tried piping the password to stdin?

Andrew


RE: Gnupg Decryption Question

2015-07-24 Thread Steve Butler
-Original Message-
From: Werner Koch [mailto:w...@gnupg.org] 
Sent: Friday, July 24, 2015 4:24 AM

On Thu, 23 Jul 2015 19:11, sbut...@fchn.com said:
>  This is a snippet of the script I use to decrypt any file coming to me that 
>  has my private key (or my company's private key)
> 
>    $DFLT gpg_pass2 \
>    | gpg --homedir "$homedir" --quiet --passphrase-fd 0 --no-tty --skip-verify \
>          --no-permission-warning --no-mdc-warning --batch \
>          --output "$oname" --decrypt "$x" > /dev/null 2>&1

If you receive arbitrary data you may want to add

  --max-output SUITABLELARGENUMBEROFBYTES

to avoid a DoS using special crafted compression data.


Shalom-Salam,

   Werner
===

I'll look into that.  We do IP filtering on the firewall so we do know who is 
getting to our SFTP box (on Aug 3 we will shut down port 21 and standard FTP).  
All who send data to us must sign a business agreement (HIPAA rules).  One such 
does send us encrypted files that approach 25 GB in size -- yikes!!  Thankfully 
that is once a month.




RE: Gnupg Decryption Question

2015-07-23 Thread Steve Butler
This is a snippet of the script I use to decrypt any file coming to me that has 
my private key (or my company's private key)

  $DFLT gpg_pass2 \
  | gpg --homedir "$homedir" --quiet --passphrase-fd 0 --no-tty --skip-verify \
        --no-permission-warning --no-mdc-warning --batch \
        --output "$oname" --decrypt "$x" > /dev/null 2>&1

The DFLT gpg_pass2 script manages to obtain the pass phrase for the private key 
and pipe it to gpg via stdin.
The statement right after the above checks whether the status ($?) is 0.

From: Gnupg-users [mailto:gnupg-users-bounces+sbutler=fchn@gnupg.org] On 
Behalf Of David Carter
Sent: Thursday, July 23, 2015 7:47 AM
To: gnupg-users@gnupg.org
Subject: Gnupg Decryption Question

Hello,

We currently use Gnupg 1.4.10 as part of our interactions with an online 
mailbox system. We are able to successfully encrypt our data files but we 
haven't been able to find the combination of options that will let us decrypt 
files that we receive - so we've used a different product for that purpose.  
Our desire is to use only one product to perform both encryption and decryption.

This is a sample of how we would call gpg to encrypt a text file prior to 
transmission:

gpg -c -o DataFile.gpg --batch --compress-algo 1 --cipher-algo cast5 
--passphrase KeyValue DataFile.txt


The files that we receive share the same KeyValue, so we would appreciate some 
guidance on undoing what was done above.

Thanks very much.

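Putting together the three passphrase threads above (Michael's --passphrase-file question, Anthony's "pass the password from the command line", and David's symmetric --passphrase decryption) with Werner's --max-output advice, here is an added example that is none of the posters' code: it decrypts with the passphrase supplied on a file descriptor from a permission-restricted file, caps the plaintext size, and treats the run as successful only when gpg's status lines say DECRYPTION_OKAY. Because OpenPGP records the cipher and compression inside the message, decryption needs none of the --cipher-algo or --compress-algo options used for encryption. The helper at the end shows why --passphrase on the command line is a problem by reading back what the process table exposes for a harmless stand-in command; the passphrase, file names and the 30 GB cap are constructed.

```shell
#!/bin/sh
# Added example: unattended symmetric decryption done carefully (not code from the thread).
#  - passphrase on fd 3 from a file, never as a --passphrase argument
#  - --max-output caps the plaintext size (Werner's defence against compression bombs)
#  - success = exit 0 AND a DECRYPTION_OKAY status line; BADMDC/DECRYPTION_FAILED
#    discard whatever partial output was written
# Written for gpg 2.1+; with gpg 1.4 (David's version) drop the --pinentry-mode pair,
# everything else, --max-output included, is accepted there.

MAX_OUTPUT=${MAX_OUTPUT:-30000000000}   # 30 GB: above the ~25 GB files the thread mentions

# Decrypt $1 into $2 with the passphrase read from file $3.
gpg_decrypt() {
    src=$1 out=$2 passfile=$3
    statusfile=$(mktemp) || return 1
    rc=0
    gpg --batch --yes --quiet --no-tty \
        --pinentry-mode loopback --passphrase-fd 3 \
        --max-output "$MAX_OUTPUT" \
        --status-fd 4 \
        --output "$out" --decrypt "$src" \
        3< "$passfile" 4> "$statusfile" || rc=$?
    if [ "$rc" -eq 0 ] && ! grep -q '^\[GNUPG:\] DECRYPTION_OKAY' "$statusfile"; then
        echo "gpg_decrypt: gpg exited 0 without DECRYPTION_OKAY" >&2
        rc=1
    fi
    if grep -Eq '^\[GNUPG:\] (BADMDC|DECRYPTION_FAILED)' "$statusfile"; then
        echo "gpg_decrypt: integrity or passphrase failure, output discarded" >&2
        rm -f "$out"
        rc=2
    fi
    rm -f "$statusfile"
    return "$rc"
}

# Why --passphrase on the command line is a problem: any local user can read the
# argv of running processes.  Start a harmless stand-in carrying the same argument
# shape and print what the process table shows for it (the secret is visible).
argv_exposure_demo() {
    sh -c 'sleep 2; exit 0' gpg-stand-in --passphrase "$1" >/dev/null 2>&1 &
    pid=$!
    sleep 0.2 2>/dev/null || sleep 1
    if [ -r "/proc/$pid/cmdline" ]; then
        tr '\0' ' ' < "/proc/$pid/cmdline"
    else
        ps -o args= -p "$pid"
    fi
    echo
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
}

# Stand-alone use: sh this_script.sh DataFile.gpg DataFile.txt /etc/edi/gpg_pass
if [ $# -eq 3 ] && command -v gpg >/dev/null 2>&1; then
    gpg_decrypt "$1" "$2" "$3"
fi
```

The file descriptor form is the answer to all three questions at once: the passphrase is on disk only in a file whose mode you control, it is never an argument, and a `--passphrase-file` is not needed.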


RE: Teaching GnuPG to noobs

2015-06-16 Thread Steve Butler
Biggest pitfall -- new users sending me both their public and private keys. 
Most have a mental block on how these are used.

I generated a set of documents about a decade ago that someone asked permission 
to post on the web.  Just did a search and could not find.  I'll try to dig 
through my thumb drive at home to see if they are buried someplace there.

--Steve 


-Original Message-
From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On Behalf Of A.T. 
Leibson
Sent: Tuesday, June 16, 2015 6:50 AM
To: Gnupg-users@gnupg.org
Subject: Teaching GnuPG to noobs

Hi everyone,

What has your experience been teaching inexperienced users how to use GnuPG 
properly? What are common pitfalls on the part of the instructor?
What aspects are the most challenging for new users to understand?

Lastly, what's your favorite noob-friendly guide, and why?

Thanks,
Adamh



RE: Facebook and OpenPGP

2015-06-04 Thread Steve Butler

MFPA:
 
 
 On Monday 1 June 2015 at 5:37:33 PM, in 
 mid:20150601183733.3fc5b...@frustcomp.home.hnjs.ch,
 gnupg-us...@henk.geekmail.org wrote:
 
 
 A comment worth reading in case one does not see it oneself IMHO:
 https://blogs.fsfe.org/gerloff/2015/06/01/facebook-offers-to-send-you
 -encrypted-emails-this-wont-help-you/
 
 Whatever Facebook's motivation, doesn't anything that increases the 
 proportion of emails that are encrypted during transit count as a Good 
 Thing?

Yeah, I think it sets a great precedent for other large organizations to 
follow.  Plus it increases the amount of PGP-encrypted email flowing around, 
which reduces PGP as a marker for secret messages.

.hc

==
One thing I learned in college, if all inbound mail came in the same color 
(pink) and scented then nobody knew which one came from the girl-friend.  It 
was easier to get her to use a brown non-descript envelope though!

