Re: Text (non-binary) keyring format

2024-09-13 Thread Todd Zullinger via Gnupg-users
Alejandro Colomar via Gnupg-users wrote:
> I don't use git to be able to roll back, but rather to know at which
> state a backup is.  For example, I gave a backup to a family member last
> time I saw him, and I know that backup is N commits behind my current
> keyring.

As a random idea (which you may have already had), you could
include the output of a keyring listing along with the
commit.

Putting that data in git notes is an option if you don't
want the commit message to be too large.  While that doesn't
improve the diff between things, it does make it easier to
know the state of the keyring at each commit.

For diffing, you could also use a script to dump the keyring
(via git show or whatever) and pipe it to gpg to list.  That
could make comparing the revisions a little easier.

I've thought about doing something similar to track a collection
of binary music files -- but have never gotten around to
doing it. :)

-- 
Todd


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: sopv-gpgpv: an implementation of the verification-only subset of the Stateless OpenPGP CLI using gpgv as a backend

2024-07-29 Thread Todd Zullinger via Gnupg-users
Hi,

Daniel Kahn Gillmor via Gnupg-users wrote:
> Hi Todd--
> 
> On Fri 2024-07-26 09:54:32 -0400, Todd Zullinger via Gnupg-users wrote:
>> A reasonably common use case for gpgv is to verify
>> signatures on release artifacts by distribution packaging
>> tools.  Being able to use the upstream provided key
>> material, which is typically armored, would make things a
>> bit simpler and easier to verify for people interested in
>> ensuring those packages are using the proper key material
>> and are not introducing any issues.
> 
> I recommend using any sopv implementation for that use case, since sopv
> is specified to explicitly accept both armored and unarmored
> certificates as verification targets.

That's a fine goal for down the road, but it's not going to
be a solid option until those implementations are all
included in the distributions.

Particularly, using sopv-gpgv would introduce more
dependencies to the buildroot (the python stack,
specifically) which is unlikely to be something folks like
Fedora want, after spending time to minimize the default
buildroot.  (I don't care too much about Fedora anymore, as
I'm migrating away from anything Red Hat based, but it's
still what I'm most familiar with.)

Fedora does have the Sequoia SOP command available, but it
doesn't work out of the box (nor does it provide an option
to be more verbose, AFAICT).

Not that I want to turn this into a support chat for an
unrelated command, but here's what the experience looks like
in a minimal Fedora 40 container when attempting to verify
the git source:

[root@6e3fc2ac22a3 tmp]# /usr/lib/rpm/redhat/gpgverify \
--keyring=gpgkey-junio.asc --signature=git-2.46.0.tar.sign \
--data=git-2.46.0.tar
gpgv: Signature made Mon Jul 29 14:27:21 2024 UTC
gpgv:using RSA key E1F036B1FEE7221FC778ECEFB0B5E88696AFE6CB
gpgv: Good signature from "Junio C Hamano "
gpgv: aka "Junio C Hamano "
gpgv: aka "Junio C Hamano "

[root@6e3fc2ac22a3 tmp]# /tmp/sopv-gpgv verify git-2.46.0.tar.sign \
gpgkey-junio.asc 



Re: sopv-gpgpv: an implementation of the verification-only subset of the Stateless OpenPGP CLI using gpgv as a backend

2024-07-26 Thread Todd Zullinger via Gnupg-users
Hello,

Werner Koch via Gnupg-users wrote:
> while talking about gpgv, let me remind you about the new
> --assert-signer option which can be used as a replacement for gpgv.

In a similar way, is there anyone able and interested in
helping to move https://dev.gnupg.org/T2290 (Allow gpgv2 to
use armored GPG keys as keyring file with trusted keys)
forward?

A reasonably common use case for gpgv is to verify
signatures on release artifacts by distribution packaging
tools.  Being able to use the upstream provided key
material, which is typically armored, would make things a
bit simpler and easier to verify for people interested in
ensuring those packages are using the proper key material
and are not introducing any issues.

In the Fedora/Red Hat world, a gpgverify script has been
added which must call `gpg --dearmor` to strip the armor
from an upstream key, requiring tmp files and such.  I
imagine this similarly affects Debian-based packages as
well.

It would be cleaner to just call gpgv (or some form of gpg
with --assert-signer, perhaps).

-- 
Todd




Re: Agent forwarding issue

2024-04-10 Thread Todd Zullinger via Gnupg-users
Hi,

Werner Koch via Gnupg-users wrote:
> On Fri,  5 Apr 2024 13:03, Todd Zullinger said:
> 
>> In such a case, it sounds like it may be reasonable to use
>> the normal socket?  Until the remote side is updated to
> 
> In fact, I also did this for some time but later came up with 
> 
>   CommitDate: Wed Oct 12 11:30:35 2022 +0200
> 
> agent: Introduce attribute "Remote-list" to KEYINFO.
> 
> * agent/command.c (do_one_keyinfo): Add arg list_mode.  Check
> attribute Remote-list.
> (cmd_keyinfo): Change semantics to return nothing in restricted list
> mode.
> 
> which is
> 
>   *** Remote-list
>   Allow to list the key with the KEYINFO command from a remote machine
>   via the extra socket.  A boolean value is expected; the default is
>   "no".  Note that KEYINFO will anyway provide information if the
>   keygrip is specified.
> 
> Not exactly your problem but somehow related.

Neat.  I have probably read agent/keyformat.txt before, but
not in a long time and I never had any reason to consider
editing the .key files.

This caused me to re-read the document and I'll likely add
an additional Token: line to note the two cards which hold a
new key (which I have yet to start using).  That should make
it easier to move between the cards, it sounds like.

In the process, I spotted a few minor typos and sent a patch
to gnupg-devel.

Thanks again, Werner!

-- 
Todd




Re: Agent forwarding issue

2024-04-05 Thread Todd Zullinger via Gnupg-users
Bee via Gnupg-users wrote:
> In the mean time, you could put something along the lines of:
> 
> {CmdCalls ; } 2>&1 | grep -v -e "^gpg: problem with fast path key
> listing: Forbidden - ignored$" or something, to keep that output out
> of your stderr stream.

I think there's a downside to that (but I could always be
wrong).  Redirecting stderr to stdout would prevent mutt (or
whatever tool was being used) from being able to
display output only from stderr.  That is helpful when the
exit status is 0 but there were warnings, as in this case.

> If something else unexpected displays, you'll get more issues, but
> then you probably want to know if / when / should that happen.
> 
> If you add --quiet now, even when the change below happens later, your
> script above won't need to change again.

Indeed, if Werner weren't so quick, perhaps I would have
considered some sort of adjustment.  Though I try to use the
mutt's contrib/gpg.rc unaltered so I don't have to remember
to merge in fixes they make there.

This does remind me that I should re-evaluate using gpgme
as the backend.  I don't recall why I disabled that now.  It
may have been for an issue which is long-since resolved. ;)

-- 
Todd
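
The concern in this reply is about merging the two streams. As an added example (not from the thread or from mutt's contrib/gpg.rc), a filter can be applied to stderr alone by parking stdout on a spare file descriptor; `filter_fast_path_warning` and `fake_gpg_sign` are hypothetical names, and `fake_gpg_sign` is a constructed stand-in for a gpg call over the extra socket.

```shell
#!/bin/sh
# Warning line exactly as quoted in the thread.
NOISE='gpg: problem with fast path key listing: Forbidden - ignored'

# Hypothetical helper: run "$@", drop only the exact NOISE line from stderr,
# keep stdout and stderr as separate streams, return the command's own status.
filter_fast_path_warning() {
    {
        _ffpw_status=$(
            {
                # Left side of the pipe: the command's stderr feeds grep,
                # its stdout goes to fd 3 (the caller's real stdout).
                # The exit status travels on fd 4 into the $(...) capture.
                { "$@" 2>&1 1>&3 3>&- 4>&-; echo "$?" >&4; } |
                    # Right side: everything except the NOISE line is sent
                    # back to the caller's real stderr.  grep exits 1 when
                    # nothing is left to print, which is not an error here.
                    { grep -v -x -F -e "$NOISE" || :; } >&2 3>&- 4>&-
            } 4>&1
        )
    } 3>&1
    return "$_ffpw_status"
}

# Constructed stand-in for gpg: data on stdout, the known warning plus one
# other (made-up) diagnostic on stderr, exit status 0.
fake_gpg_sign() {
    echo 'SIGNED-DATA'
    echo "$NOISE" >&2
    echo 'gpg: WARNING: constructed second diagnostic' >&2
}

# Demo: stdout carries the data, stderr carries only the second diagnostic.
filter_fast_path_warning fake_gpg_sign
```

Because the match is on the whole line as a fixed string, any other diagnostic still reaches stderr, so a caller that treats non-empty stderr as "show this to the user" keeps working.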



Re: Agent forwarding issue

2024-04-05 Thread Todd Zullinger via Gnupg-users
Hi Werner,

Werner Koch via Gnupg-users wrote:
>> gpg: problem with fast path key listing: Forbidden - ignored
> 
> I'll suppress that message in --quiet mode for the next release.

Excellent, thanks!

> When doing a secret key listing (which happens with -K but also in
> --with-colons mode) gpg walks over all public keys and asks the agent
> for each key whether a corresponding secret key exists.  With many
> secret keys this is quite some overhead and thus gpg first tries to a
> get a listing of all secret keys (the keygrips) and later can do a fast
> memcmp instead of an IPC call.

In theory, would this not occur if I cleaned up the keyring
a bit?  I've got ~350 public keys.  Some are likely expired
or no longer useful.

This is without any sort of auto-key-locate enabled -- just
years of accumulating keys.  It doesn't _seem_ like that
many keys to have around...

> If you use the extra-socket certain operations are forbidden so that a
> rogue gpg version on the remote site won't be able to change passwords,
> export secret keys, or get a listing of all available secret keys.  This
> is why you see this diagnostic.

I manage the remote system and consider it reasonably
secure, to the extent any online system can be called
"secure."  It's not much less secure than the system from
which I am forwarding, other than that I'm not physically
beside it.

In such a case, it sounds like it may be reasonable to use
the normal socket?  Until the remote side is updated to
silence this via --quiet, at least.

I saw you pushed the change already, so I applied it to the
build on the remote host and can confirm it does the trick.

Thanks for the quick reply, fix, and additional details!

Cheers,

-- 
Todd



Agent forwarding issue

2024-04-04 Thread Todd Zullinger via Gnupg-users
Hi,

I have been working on setting up agent forwarding¹.

One issue which I have not yet found a solution for is that
gpg prints the following to stderr when performing actions
involving the agent:

gpg: problem with fast path key listing: Forbidden - ignored

Both hosts are running gnupg-2.4.5, based on the Fedora
packages.

With mutt, this causes the signing to pause after entering
the password, as stderr is not empty (I think this is the
reason, anyway).  Can this warning be avoided or silenced
(without directing stderr to /dev/null)?

I can't find much information about it, but it seems like
while this is something useful to note, after seeing it once
it is simply needless.

I believe this is because I've used the extra socket, which
seems like the proper thing to do with agent forwarding, but
perhaps isn't worth the hassle?  I'm not too eager to
forward the regular agent when I can use a more restricted
socket.

¹ https://wiki.gnupg.org/AgentForwarding

Thanks,

-- 
Todd



Re: 32768-bit key

2023-07-10 Thread Todd Zullinger via Gnupg-users
Robert J. Hansen via Gnupg-users wrote:
>> I don't know that there's anything to file a bug about.  I
>> don't see any non-rsa4096 keys on the Tails website:
> 
> One of their certificates has a Curve-25519 subkey.  I wonder if that's what
> the original poster saw, and mistook it for being a 25,519-bit subkey.

Ahh, that's a very good guess. I missed that sub key while I
was skimming the list of keys.

-- 
Todd




Re: 32768-bit key

2023-07-09 Thread Todd Zullinger via Gnupg-users
Robert J. Hansen via Gnupg-users wrote:
>> The TailsOS team has a key that's way over 16384-bit.
> 
> I suggest filing a bug report with them and asking them why they ignore the
> best practices of cryptography.

I don't know that there's anything to file a bug about.  I
don't see any non-rsa4096 keys on the Tails website:

https://tails.net/doc/about/openpgp_keys/

-- 
Todd




Re: [Announce] GnuPG 2.4.1 released

2023-05-01 Thread Todd Zullinger via Gnupg-users
Werner Koch via Gnupg-users wrote:
> On Fri, 28 Apr 2023 11:21, Todd Zullinger said:
> 
>> It seems neither of these files have made it to the
>> server yet:
> 
> Sorry for that.  I have used a new build machine and obviously forgot
> one of the last steps. Most of the release process is scripted but the
> final upload needs to be done manually (after signing, copying to the
> internal archive, updating the repo, writing announcement and updating
> the web page).
> 
> Fixed after Bernhard called me at home.

Sorry it interrupted your weekend.  Thanks for the new
release and all of your work on GnuPG and OpenPGP. :)

-- 
Todd




Re: [Announce] GnuPG 2.4.1 released

2023-04-28 Thread Todd Zullinger via Gnupg-users
Hi,

Werner Koch via Gnupg-users wrote:
> Getting the Software
> 
> 
> Please follow the instructions found at  or
> read on:
> 
> GnuPG may be downloaded from one of the GnuPG mirror sites or direct
> from its primary FTP server.  The list of mirrors can be found at
> .  Note that GnuPG is not
> available at ftp.gnu.org.
> 
> The GnuPG source code compressed using BZIP2 and its OpenPGP signature
> are available here:
> 
>  https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.1.tar.bz2 (7169k)
>  https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.1.tar.bz2.sig

It seems neither of these files have made it to the
server yet:

$ curl -I https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.1.tar.bz2
HTTP/1.1 404 Not Found
Date: Fri, 28 Apr 2023 15:19:07 GMT
Strict-Transport-Security: max-age=31536000
Accept-Ranges: bytes
Connection: close
Content-Type: text/html; charset=ISO-8859-1

$ curl -I https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.1.tar.bz2.sig
HTTP/1.1 404 Not Found
Date: Fri, 28 Apr 2023 15:19:07 GMT
Strict-Transport-Security: max-age=31536000
Accept-Ranges: bytes
Connection: close
Content-Type: text/html; charset=ISO-8859-1

-- 
Todd




Re: gpg: can't handle public key algorithm 18

2023-04-16 Thread Todd Zullinger via Gnupg-users
Mike Schleif wrote:
> Yes, I see that.
> 
> However, our public key was generated by our GPG; and this file is
> encrypted with our public key, since there is NO missing "secret key" error.
> 
> Why, then, the subject error message?

Perhaps the file is signed by an ECDH key?  I can only
guess.

You might want to try the --list-packets option on the
encrypted message.  Adding -v (or -vv) when decrypting might
help show the issue.

-- 
Todd




Re: gpg: can't handle public key algorithm 18

2023-04-15 Thread Todd Zullinger via Gnupg-users
Mike Schleif wrote:
> $ gpg --version
> gpg (GnuPG) 2.0.22
> libgcrypt 1.5.3
> 
> $ cat /etc/system-release
> CentOS Linux release 7.9.2009 (Core)

Algorithm 18 is ECDH, which is not supported by gpg on
CentOS 7.  You can confirm this in the Pubkey line of the
gpg --version output:

  $ gpg --version
  gpg (GnuPG) 2.0.22
  libgcrypt 1.5.3
  [...]

  Home: ~/.gnupg
  Supported algorithms:
  Pubkey: RSA, ?, ?, ELG, DSA
  Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
  CAMELLIA128, CAMELLIA192, CAMELLIA256
  Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
  Compression: Uncompressed, ZIP, ZLIB, BZIP2

On a newer Fedora system, ECDH is present:

  $ gpg --version --no-copyright
  gpg (GnuPG) 2.4.0
  libgcrypt 1.10.1-unknown
  [...]

  Home: /home/user/.gnupg
  Supported algorithms:
  Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
  Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
  CAMELLIA128, CAMELLIA192, CAMELLIA256
  Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
  Compression: Uncompressed, ZIP, ZLIB, BZIP2

-- 
Todd




Re: Difference between versions--Question

2023-01-03 Thread Todd Zullinger via Gnupg-users
K S via Gnupg-users wrote:
> It would be helpful to know why I can't get compression in my build. I've
> tried to build from source three times now.
> 
> There are so many packages in Ubuntu with zip, zlib, and bzip2 in the name
> I can't begin to try them all. I've looked at config.log and it doesn't
> give much help.

The config.log should show some information about the
compression algorithms, likely found searching for "zip" in
the output.

Building from source does require a bit of familiarity with
the system on which you are building.  While you shouldn't
need to randomly try all the packages, knowing where to look
for ideas will help.

I don't use Ubuntu or Debian, but if I were trying to build
gnupg from source I'd start by looking at what build
dependencies are required by the system packages.

In the case of gnupg, you can see that in the debian/control
file:

https://salsa.debian.org/debian/gnupg2/-/blob/7f5e9b1b/debian/control#L9-43
https://git.launchpad.net/ubuntu/+source/gnupg2/tree/debian/control#n10

You can install those build dependencies via something like:

apt-get build-dep gnupg2

The debian/rules file is usually also interesting; seeing
what configure and make options are used can be helpful.

Some of the dependencies for the current gnupg may be newer
than what is required by the gnupg2 package in Ubuntu and/or
provided by the OS.  You may first need to build those newer
dependencies.

If so, you need to be careful not to interfere with the OS
libraries which are used by other packages on the system.
It can get "interesting" trying to update something which is
quite a core dependency of the operating system.

-- 
Todd




Re: GnuPG 2.2.36 released

2022-07-13 Thread Todd Zullinger via Gnupg-users
Bernhard Reiter wrote:
> Am Montag 11 Juli 2022 14:50:24 schrieb Konstantin Ryabitsev via Gnupg-users:
>>> See https://dev.gnupg.org/T5949#159890 for why it doesn't work for you.
>>
>> Ah, okay, that's unfortunate. I guess I'll skip this release, since I can't
>> verify it without building gnupg from scratch (without verifying it first).
> 
> Maybe it helps to report the problem of missing crypto algorithms to your
> GNU/Linux distribution.

They aren't really missing but rather intentionally removed
due to legal issues on Fedora/Red Hat.  This came up not so
long ago:

https://lists.gnupg.org/pipermail/gnupg-users/2022-May/066054.html

With the current Fedora (36), it's possible to enable these
ciphers via '--with brainpool' when building the libgcrypt
srpm.

Hopefully the legal issues will be cleared sometime soon and
Fedora will stop stripping brainpool.

It's frustrating that the releases are signed with a cipher
that cannot be verified on a reasonably popular distro.

-- 
Todd




Re: Error importing fetching key from wkd

2022-06-01 Thread Todd Zullinger via Gnupg-users
Konstantin Ryabitsev via Gnupg-users wrote:
> FYI, I also provide gnupg22-static and gnupg23-static packages that can be
> rebuilt and installed on RHEL 7+ (though I haven't tried on RHEL9):
> 
> https://copr.fedorainfracloud.org/coprs/icon/lfit/packages/
> 
> They install into /opt and can be used directly as /opt/gnupg22/bin/gpg (and
> others).

Thanks Konstantin!

On EL8/9, I needed to disable the debugsource packages for a
successful build:

%define _debugsource_template %{nil}

I only tested builds of gnupg23-static on EL8/9, but the
gnupg22-static package looks like it would need the same
treatment.

Of course, the difference in algorithm support between
upstream and EL8/9 is much smaller than it was on EL7.
(Here's to seeing the differences disappear entirely.)

-- 
Todd




Re: Error importing fetching key from wkd

2022-05-31 Thread Todd Zullinger via Gnupg-users
Hello again,

I wrote:
> Dirk Gottschalk via Gnupg-users wrote:
>> A workaround for this is to download the SRPM, remove the
>> line '--disable-brainpool' and rebuild the package.
> 
> Ahh, excellent.  That's a relatively recent change.  It's
> available in the Fedora (and RHEL) libgcrypt-1.10 packages
> which I believe are only in the freshly released Fedora 36
> and RHEL 9.

For the future, you can now rebuild the libgcrypt rpm from
Fedora 36 with brainpool support without having to edit the
spec file manually¹.  You can pass `--with brainpool` to the
rpmbuild command, e.g.:

rpmbuild -rb --with brainpool /path/to/libgcrypt.src.rpm

Hopefully that makes life just a little easier for folks
using Fedora who want or need brainpool support.

¹ https://src.fedoraproject.org/rpms/libgcrypt/c/6571417ff

-- 
Todd




Re: Error importing fetching key from wkd

2022-05-29 Thread Todd Zullinger via Gnupg-users
Hi,

Dirk Gottschalk via Gnupg-users wrote:
> A workaround for this is to download the SRPM, remove the
> line '--disable-brainpool' and rebuild the package.

Ahh, excellent.  That's a relatively recent change.  It's
available in the Fedora (and RHEL) libgcrypt-1.10 packages
which I believe are only in the freshly released Fedora 36
and RHEL 9.

Previous releases contained a 'hobbled' libgcrypt tarball
where the brainpool curves were removed entirely.  (That's
the usual practice for items which cannot be included for
legal reasons.)

It's good to see things are moving in the right direction,
at least.

-- 
Todd




Re: Error importing fetching key from wkd

2022-05-28 Thread Todd Zullinger via Gnupg-users
Hi,

Werner Koch via Gnupg-users wrote:
> On Wed, 25 May 2022 22:58, Dirk Gottschalk said:
> 
>> $ gpg --with-colons --list-config curve
>> cfg:curve:cv25519;ed25519;cv448;ed448;nistp256;nistp384;nistp521;secp25
>> 6k1
> 
> This should read
> 
> cfg:curve:cv25519;ed25519;cv448;ed448;nistp256;nistp384;nistp521;brainpoolP256r1;brainpoolP384r1;brainpoolP512r1;secp256k1
> 
> Note the Brainpool curves.  Seems that Redhat still patches them out of
> libgcrypt.

The question of whether these curves can be kept in Fedora
was brought up on the fedora-legal list some time ago.  The
most recent status update¹ from Fedora Project Leader
Matthew Miller on January 28, 2022 says:

So, these things move slowly, but this _is_ being
worked on. I'll let you know when I can.

That sounds mildly hopeful.  With luck, the curves will be
cleared for inclusion (at least eventually, even if not
terribly soon).

¹ 
https://lists.fedoraproject.org/archives/list/le...@lists.fedoraproject.org/message/3ESF4KDVMLQPZX4H2S4L7BP5BHJPMPMB/

-- 
Todd
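
Both this thread (the `cfg:curve:` listing) and the "can't handle public key algorithm 18" thread above come down to reading what the local gpg build reports about itself. As an added example (not code from any of the posts), the sketch below parses those two outputs; all function names are hypothetical, the `--version` samples are trimmed from the posts above, and the first curve line is the quoted one with its mail line-wrap rejoined.

```shell
#!/bin/sh
# OpenPGP public-key algorithm ID -> name as printed on gpg's "Pubkey:" line.
pubkey_algo_name() {
    case "$1" in
        1|2|3) echo RSA ;;
        16)    echo ELG ;;
        17)    echo DSA ;;
        18)    echo ECDH ;;
        19)    echo ECDSA ;;
        22)    echo EDDSA ;;
        *)     return 1 ;;
    esac
}

# stdin: `gpg --version` output.  Succeeds if NAME ($1) is on the Pubkey line.
version_has_pubkey() {
    sed -n 's/^[[:space:]]*Pubkey:[[:space:]]*//p' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -x -F -e "$1" >/dev/null
}

# stdin: `gpg --with-colons --list-config curve` output.
# Succeeds if curve NAME ($1) is in the cfg:curve: list.
config_has_curve() {
    sed -n 's/^cfg:curve://p' | tr ';' '\n' | grep -x -F -e "$1" >/dev/null
}

# stdin: `gpg --version` output.  Explains "can't handle public key
# algorithm N" for N=$1: 0 = supported, 1 = not built in, 2 = unknown ID.
explain_algo() {
    _ea_name=$(pubkey_algo_name "$1") || {
        echo "algorithm $1: unknown ID"
        return 2
    }
    if version_has_pubkey "$_ea_name"; then
        echo "algorithm $1 ($_ea_name): supported"
    else
        echo "algorithm $1 ($_ea_name): not built in"
        return 1
    fi
}

# Sample inputs, trimmed from the outputs quoted on this page.
sample_el7_version() {
    cat <<'EOF'
gpg (GnuPG) 2.0.22
libgcrypt 1.5.3
Supported algorithms:
Pubkey: RSA, ?, ?, ELG, DSA
EOF
}
sample_fedora_version() {
    cat <<'EOF'
gpg (GnuPG) 2.4.0
libgcrypt 1.10.1-unknown
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
EOF
}
sample_curves_fedora() {
    echo 'cfg:curve:cv25519;ed25519;cv448;ed448;nistp256;nistp384;nistp521;secp256k1'
}
sample_curves_upstream() {
    echo 'cfg:curve:cv25519;ed25519;cv448;ed448;nistp256;nistp384;nistp521;brainpoolP256r1;brainpoolP384r1;brainpoolP512r1;secp256k1'
}

# Demo on the CentOS 7 sample; against a live system, pipe in `gpg --version`.
sample_el7_version | explain_algo 18 || :
```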




Re: Odd error

2020-12-01 Thread Todd Zullinger via Gnupg-users
Hi,

Werner Koch wrote:
> I looked at the Fedora Libgcrypt source and noticed that they ship
> libgcrypt with the nistp192 and all brainpool curves removed.  I have
> not yet built this version but given that one of your keys has brainpool
> curves this might be the culprit.
> 
> I can understand that they remove nistp192 for security policy reasons.
> But I do not understand why the brainpool curves are removed.  The
> general statement in the spec file is that curves need to be removed due
> to patent reasons.  However, Brainpool curves are less prone to patent
> claims for fast multiplication than the NIST curves and we actually use
> the very same code for all those Weierstrass curves. 

FWIW, I noticed that someone recently asked about the status
of the ECC Brainpool curves on the Fedora Legal list:

https://lists.fedoraproject.org/archives/list/le...@lists.fedoraproject.org/thread/WUQNAB4EPWSJMMVECL2TZGKB5KIDESII/

With luck, a fresh review by the Red Hat legal folks will
result in those curves becoming accessible in the Fedora
libgcrypt packages.

Cheers,

-- 
Todd



Re: setrlimit failure on aarch64 (was: Interesting failure on aarch64)

2020-02-02 Thread Todd Zullinger via Gnupg-users
Werner Koch via Gnupg-users wrote:
> On Fri, 20 Dec 2019 11:22, Konstantin Ryabitsev said:
> 
>> On x86_64 this succeeds, but when I tried building on aarch64, that step 
> [...]
>>   gpg: Fatal: can't disable core dumps: Operation not permitted
> 
> setrlimit returns an unexpected error code:
> 
> if (getrlimit (RLIMIT_CORE, &limit))
>   limit.rlim_max = 0;
> limit.rlim_cur = 0;
> if( !setrlimit (RLIMIT_CORE, &limit) )
>   return 0;
> if( errno != EINVAL && errno != ENOSYS )
>   log_fatal (_("can't disable core dumps: %s\n"), strerror(errno) );
> 
> This is the first time I see a report that EPERM is returned.

The getrlimit call also fails, according to strace:

getrlimit(RLIMIT_CORE, 0xeb2acf88)  = -1 EPERM (Operation not permitted)
setrlimit(RLIMIT_CORE, {rlim_cur=0, rlim_max=0}) = -1 EPERM (Operation not permitted)

I don't have access to an aarch64 host running RHEL 7
directly, so my only testing is via the mock command from an
aarch64 Fedora 31 host.

Mock can use two styles of container, an old-style chroot or
new-style systemd-nspawn.  Using chroot succeeds, while
systemd-nspawn fails.

I tested with CAP_SYS_RESOURCE added to the capability list
in the systemd-nspawn call, without success.  From my
reading, that should work (though shouldn't be needed as
we're not trying to raise the limit).

So it seems like a bug either in systemd-nspawn or a lower
level component like glibc or the kernel with RHEL 7 on
aarch64, as you suggested.

-- 
Todd



Re: Interesting failure on aarch64

2020-01-24 Thread Todd Zullinger via Gnupg-users
Hi Konstantin,

Konstantin Ryabitsev wrote:
> I came across an interesting gpg failure while trying to build 
> git-2.24.1 RPM for Fedora COPR. As part of RPM build, the prep stage 
> attempts to verify the tarball signature using Junio's PGP key:
> 
>   %prep
>   # Verify GPG signatures
>   gpghome="$(mktemp -qd)" # Ensure we don't use any existing gpg keyrings
>   # Convert the ascii-armored key to binary
>   # (use --yes to ensure an existing dearmored key is overwritten)
>   gpg2 --homedir "$gpghome" --dearmor --quiet --yes %{SOURCE9}
>   xz -dc %{SOURCE0} | # Upstream signs the uncompressed tarballs
> gpgv2 --homedir "$gpghome" --quiet --keyring %{SOURCE9}.gpg 
> %{SOURCE1} -
>   rm -rf "$gpghome" # Cleanup tmp gpg home dir
> 
> On x86_64 this succeeds, but when I tried building on aarch64, that step 
> returned the following error:
> 
>   Building for target aarch64
>   Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.FYxOmt
>   + umask 022
>   + cd /builddir/build/BUILD
>   ++ mktemp -qd
>   + gpghome=/tmp/tmp.dndOuot6S2
>   + gpg2 --homedir /tmp/tmp.dndOuot6S2 --dearmor --quiet --yes 
> /builddir/build/SOURCES/gpgkey-junio.asc
>   gpg: Fatal: can't disable core dumps: Operation not permitted
>   error: Bad exit status from /var/tmp/rpm-tmp.FYxOmt (%prep)
[...]
> I'm curious what exactly is at fault here -- is there something in the 
> COPR build environment that causes this error, or is there something 
> that gnupg is not checking correctly?

I noticed this recently as well.  It only happens on EPEL-7
aarch64, which has gnupg2-2.0.22-5.el7_5.  Builds for EPEL-8
aarch64 work fine.

I've tested this on one of the Fedora package maintainer
aarch64 instances as well and it fails there too.  That
doesn't narrow it down much, other than likely ruling out
something specific to the COPR build environment.

It could still be a bug in gnupg-2.0.22, in the RHEL-7
packages (gnupg2 or otherwise), or when used with mock on
aarch64. For those unfamiliar, mock is a Fedora/EPEL rpm
build tool.

-- 
Todd



Re: Keyserver access changes in GnuPG

2018-12-12 Thread Todd Zullinger
Wiktor Kwapisiewicz via Gnupg-users wrote:
> Hello all,
> 
> I recently saw a message from one of Fedora's maintainers:
> 
>> Coming soon to Fedora30 (rawhide), gnupg v1.4.x renamed to gnupg1. Also 
>> dropping keyserver support at Werner's suggestion since upstream plans to 
>> disable that soon.
> 
> Source: https://infosec.exchange/@bcl/101195051788828345
> 
> Does anyone know anything about dropping keyserver support in GnuPG? That
> seems a little bit radical but maybe I've missed something...

This only applies to the gnupg-1.4.x packages in Fedora.

Fedora 30 will ship with gnupg-2.x as /usr/bin/gpg (with
keyserver support intact).

The packages from the 1.4.x branch will be installed as
/usr/bin/gpg1 for users who want to keep using it.  Dropping
the keyserver and photoviewer helpers is part of the next
planned release from the 1.4.x branch, which is being
tracked in https://dev.gnupg.org/T3443.

Hopefully that helps clarify things a bit and removes any
worries that Fedora is stripping keyserver support from the
default /usr/bin/gpg.

-- 
Todd
~~
You know an odd feeling?  Sitting on the toilet eating a chocolate
candy bar.
-- George Carlin, Napalm & Silly Putty





Re: Errors while creating an g13 encrypted container.

2018-04-13 Thread Todd Zullinger
Dirk Gottschalk via Gnupg-users wrote:
> Am Freitag, den 13.04.2018, 11:40 +0200 schrieb Werner Koch:
>> On Fri, 13 Apr 2018 03:49, gnupg-users@gnupg.org said:
>> 
>>> There is neither a command or package named userv, nor a script
>>> called
>>> 'gnupg-g13-syshelp' in the repositories. The binary g13-syshelp is
>>> available.
> 
>>   apt-get install userv
> 
> In my case it is dnf, but this tool is not available at all in the
> repos.

I don't see userv available for Arch, Gentoo, openSUSE, or
Slackware either.  It's a very old tool (not that this makes
it bad in any way) which hasn't seen updates in a decade or
so, it appears.

Has userv ever been widely packaged outside of Debian?

-- 
Todd
~~
There are no differences but differences of degree between different
degrees of difference and no difference.
-- William James, under nitrous oxide; 1882





Re: Will gpg 1.x remain supported for the foreseeable future?

2018-01-20 Thread Todd Zullinger
Dan Kegel wrote:
> - might save time and anguish if apt-key (and thus gpg[v]?) accepted
> armored keyrings even if filename ends in .gpg

I think that's https://dev.gnupg.org/T2290, in case you want
to follow it or submit a patch to implement it.  Werner did
provide some details about how it would ideally be done.

If I was more capable with C, I'd give it a try since I'd
like to see gpgv work with armored keyrings too.

-- 
Todd
~~
Progress isn't made by early risers. It's made by lazy men trying to
find easier ways to do something.
-- Robert Heinlein





Re: fingerprint of key

2017-08-14 Thread Todd Zullinger

Daniel Kahn Gillmor wrote:
> with more modern versions of gnupg, you can just use:
>
>    gpg --with-fingerprint --import-options show-only --import < public-key-file.asc


FWIW, I've used "gpg --with-fingerprint public-key-file.asc" for what 
seems like years to do this sort of quick fingerprint check of keys. 
It's particularly handy with linux distribution package signing keys, 
which are typically not something I have any need to import to my 
keyring.


On a fedora-25 system:

   $ gpg --version
   gpg (GnuPG) 1.4.22

   $ gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-primary
   pub  4096R/FDB19C98 2016-03-31 Fedora 25 Primary (25)
         Key fingerprint = C437 DCCD 558A 66A3 7D6F  4372 4089 D8F2 FDB1 9C98

   $ gpg2 --version
   gpg (GnuPG) 2.1.13

   $ gpg2 --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-primary
   pub   rsa4096 2016-03-31 [SCE]
         C437 DCCD 558A 66A3 7D6F  4372 4089 D8F2 FDB1 9C98
   uid   Fedora 25 Primary (25)


I haven't looked at the documentation for --with-fingerprint in a 
while, but it does seem like it's at least leaving out some details 
regarding its use on key files which are not imported.


I have no idea whether those differences are intended and should 
simply be documented or it's considered a bug that --fingerprint and 
--with-fingerprint differ in handling unimported keys.


Also, with both 2.1.13 on fedora 25 and 2.1.22 on fedora rawhide, the
command above complains about the show-only option:


   $ gpg2 --version
   gpg (GnuPG) 2.1.22

   $ gpg2 --with-fingerprint --import-options show-only --import < /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-primary
   gpg: unknown option 'show-only'
   gpg: invalid import options

Is there a typo in that command or is show-only not in the latest 
release of the 2.1 branch?


--
Todd
~~
The most overlooked advantage to owning a computer is that if they
foul up, there's no law against whacking them around a little.
   -- Eric Porterfield
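
A scripted form of the fingerprint check discussed in this message, as an added example that is not part of the original post: it pulls the fingerprint out of either listing style shown above (gpg 1.4 and 2.1) and compares it with one obtained out of band. It goes slightly beyond the message by also accepting `--with-colons` records; the function names and the colon-format sample are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare the fingerprint in a gpg key listing with one obtained
# out of band. Function names are this example's own, not part of GnuPG.

# Strip whitespace and an optional 0x prefix, then uppercase.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'abcdef' 'ABCDEF'
}

# Read a listing on stdin; print each primary-key fingerprint, one per line.
extract_fprs() {
    awk -F: '
        $1 == "pub" { primary = 1; next }          # --with-colons key record
        $1 == "sub" { primary = 0; next }          # subkey fpr records are skipped
        $1 == "fpr" { if (primary) print $10; primary = 0; next }
        {
            line = $0
            sub(/^.*Key fingerprint =/, "", line)  # label printed by gpg 1.4
            gsub(/[ \t]/, "", line)
            if (length(line) == 40 && line ~ /^[0-9A-Fa-f]+$/) print line
        }
    ' | tr 'abcdef' 'ABCDEF'
}

# Listing on stdin, expected fingerprint as $1.
# Returns 0 on match, 1 on mismatch, 2 if the listing does not contain
# exactly one key (none found, or a file that bundles extra keys).
check_key_fpr() {
    want=$(normalize_fpr "$1")
    found=$(extract_fprs)
    count=$(printf '%s\n' "$found" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one key fingerprint, found $count" >&2
        return 2
    fi
    if [ "$found" != "$want" ]; then
        echo "fingerprint mismatch: got $found" >&2
        return 1
    fi
    return 0
}

sample_gpg1() {     # gpg 1.4.22 output, copied from the message above
    cat <<'EOF'
pub  4096R/FDB19C98 2016-03-31 Fedora 25 Primary (25)
      Key fingerprint = C437 DCCD 558A 66A3 7D6F  4372 4089 D8F2 FDB1 9C98
EOF
}

sample_gpg2() {     # gpg 2.1.13 output, copied from the message above
    cat <<'EOF'
pub   rsa4096 2016-03-31 [SCE]
      C437 DCCD 558A 66A3 7D6F  4372 4089 D8F2 FDB1 9C98
uid   Fedora 25 Primary (25)
EOF
}

sample_colons() {   # constructed, simplified --with-colons records
    cat <<'EOF'
pub:-:4096:1:4089D8F2FDB19C98:1459382400:::-:::scESC:
fpr:::::::::C437DCCD558A66A37D6F43724089D8F2FDB19C98:
uid:-::::1459382400::::Fedora 25 Primary (25):
sub:-:4096:1:0123456789ABCDEF:1459382400::::::e:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
EOF
}

# Demo on the embedded samples. With a real key file:
#   gpg --with-fingerprint FILE | check_key_fpr "FINGERPRINT"
for s in sample_gpg1 sample_gpg2 sample_colons; do
    if $s | check_key_fpr "C437 DCCD 558A 66A3 7D6F 4372 4089 D8F2 FDB1 9C98"; then
        echo "$s: fingerprint matches"
    fi
done
```

Pin the expected fingerprint from a source other than the key file itself; the check only proves that the file and the pinned value agree.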





Re: Can't import valid GPG keys in Ubuntu

2009-12-09 Thread Todd Zullinger
Jim Dever wrote:
> I'm sure he meant to reply to the list.  Unfortunately this list
> doesn't generate a "Reply-To" back to the list so if one just hits
> "Reply" it goes back to the original sender and not to the list.
> I've been called on this before until I realized what was happening.
>
> If anyone on the list knows who to contact to get this fixed it
> would be greatly appreciated.  Or if I'm totally missing
> something... please tell me!

Any list configuration inquiries should be sent to the list owner.
The list owners are listed on the listinfo page, included in the
footer of each post.

That said, it's likely intentional that the list does not munge the
Reply-To header.  For much more than you may care to read, check out:

Reply-To Munging Considered Harmful
http://www.unicom.com/pw/reply-to-harmful.html

Reply-To Munging Considered Useful
http://www.metasystema.net/essays/reply-to.mhtml

And perhaps even:

Reply-To Munging Still Considered Harmful. Really.
http://woozle.org/~neale/papers/reply-to-still-harmful.html

It's sad that relatively few mail clients have proper list-reply
functionality.  But if you use one that does, it's easy to forget why
folks regularly ask for Reply-To munging. :)

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
The sunshine bores the daylights out of me.
Chasing shadows moonlight mystery.



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Finding key ID of a keypair

2009-11-09 Thread Todd Zullinger
Dion Moult wrote:
> It's passphraseless, it's DSA, and that's pretty much all I know. I
> made it quite a long time ago, perhaps through ssh-keygen.

If you created the key with ssh-keygen, then it's an SSH key, not an
OpenPGP key.  The two systems, ssh and gpg, do not use the same key
formats.  For an ssh key, you can print out the key's fingerprint
using ssh-keygen -l -f /path/to/key

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
The only difference between a rut and a grave is the depth.





Re: gnupg vs. gnupg2

2009-03-15 Thread Todd Zullinger
Suno Ano wrote:
> - there is one utterly annoying fact with gpg2 which is the graphical
>   windows which keep popping up http://i43.tinypic.com/154yb04.png How
>   can I get rid of them and have the behavior of gpg which just stays
>   in the shell?

You can use the curses pinentry program.  The prompt is due to gpg2
using gpg-agent.  In ~/.gnupg/gpg-agent.conf, add:

pinentry-program /usr/bin/pinentry-curses

You may also need to set GPG_TTY in your shell init file as well.  For
example, in ~/.bashrc:

export GPG_TTY=`tty`

Give info gnupg 'Invoking GPG-AGENT' a read.  I found that helpful a
while back.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
If at first you don't succeed, try management.





Re: How to use the Apple Product Security PGP Key + Protecting Security Information ~~ F.Y.I.

2009-02-23 Thread Todd Zullinger
gerry_lowry (alliston ontario canada) wrote:
> The Internet took off when Microsoft, for better or worse, included
> and promoted Internet Explorer in Windows 95, thus beginning the so
> called browser wars.

That's quite arguable.  Why do you assume that MS introducing IE
*caused* the internet to take off instead of being their (delayed)
reaction to the internet taking off without them? :)

> I would be surprised and also happy to see Microsoft promote PGP/GPG
> technology.  I do not actually expect that to happen.  If it did, it
> would be good if Microsoft could stimulate PGP/GPG technology with
> more user friendliness since at the moment there's much to learn to
> understand and begin using PGP/GPG technology.

Not that I care whether MS uses, promotes, or maligns PGP/GnuPG, but:

https://www.microsoft.com/technet/security/bulletin/pgp.mspx

(Personally, I find MS using PGP to sign their security notices
amusing.  That must be the most secure thing about their OS. :-)

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
Truth is like a well-known whore.  Everybody knows her but it's
embarrassing to meet her in the street.
-- Wolfgang Borchert





Re: Setting up a new laptop - importing keyrings

2009-01-12 Thread Todd Zullinger
Anne Wilson wrote:
> I'm setting up a new netbook, and have copied into the .gnupg folder
> my keyrings and associated files from this laptop.  Kgpg lists the
> keys correctly, but all is not well.  When I try to set keys for
> signing and encryption I get the endless searching bar, as Chris
> described a few days ago.

I know nothing of Kgpg, but perhaps we can determine whether the issue
is with gpg or Kgpg and that might narrow down where to look.

> I considered starting from an empty keyring and importing signatures
> as they arrive in kmail, but I think the problem is that I don't
> know how to get the secret key recognised.

Are your secret keys listed by "gpg --list-secret-keys" ?  If so, then
the problem isn't with the keyrings.  It could be with Kgpg or the
gpg-agent setup (IIRC, that was what the problem a few days ago was).

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
A hen is only an egg's way of making another egg.
-- Samuel Butler





Re: GNUPGHOME for Linux?

2008-10-25 Thread Todd Zullinger
Stefan X wrote:
> On Linux I would like to change the homedirectory from ~/.gnupg to
> /something/else.
> 
> Defining GNUPGHOME has no effect on my Linux system while it worked
> on Windows. Does this option not exist in GnuPG for Linux? How to
> define something similar.

GNUPGHOME works fine on linux.  How are you setting it?  If your shell
is bash, then you should use something like:

export GNUPGHOME=/something/else

Put this in ~/.bash_profile so that it gets set whenever you login.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
I am willing to make the mistakes if someone else is willing to learn
from them.





Re: Import Secret Key

2008-10-03 Thread Todd Zullinger
Thomas Chitwood wrote:
> I need to import an additional secret key to my keyring. I am
> running gpg 1.4.5. What is the command to do this? I thought it
> would be "gpg --import-secret-keys , but that doesn't seem
> to work.

Two problems:

1) There is no --import-secret-keys option.  See the manpage for valid
commands.

2) How would specifying a key id for a key that hasn't been imported
yet work?  You can use a key id for keys already on your keyrings or
when searching public keyservers, but for importing, you need to pass
a path or the key data via standard input.

You just want to use "gpg --import /path/to/secret-key" as you would
for importing a public key.  You might also want to set the trust
level on the imported secret key (via gpg --edit-key $keyid trust).

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
The only difference between a rut and a grave is the depth.





Re: Removing all installed versions of GNUPG

2008-05-27 Thread Todd Zullinger
giangios wrote:
> When I run the command: rpm -q gnupg, now doesn't show any gnupg
> installation, but I can use it.

Right -- rpm only knows about packages you add via rpm packages, not
about random things you compile from source.

> Now I need to point the distribution packages (CENTOS 4.2) to use
> the last (and unique) installed GNUPG.

You should be building a gnupg rpm.

> What shall I do? I am not very familiar to configure servers. :-/

The only sane advice would be to undo what you have done and not
attempt to replace core system components until you better understand
the system you are working with.

I would recommend reading up on building packages with rpm, if you
really feel that you must have a newer gnupg version installed in your
server(s).

A few places to start might be:

http://fedoraproject.org/wiki/Docs/Drafts/BuildingPackagesGuide
http://docs.fedoraproject.org/drafts/rpm-guide-en/
http://www.rpm.org/max-rpm-snapshot/

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
Whenever you find yourself on the side of the majority, it is time to
pause and reflect.
-- Mark Twain





Re: Need recommendation on keyserver code

2008-05-08 Thread Todd Zullinger
Alan Olsen wrote:
> Those patches do not fix my build problems.  (It is running out of
> memory compiling numerix.ml.)

Odd.  I built it again before sending the patches, on an up to date
Fedora 8 box (i386).  It did compile.  I didn't test any further
though.

> Your patches are also for a much earlier version of numerix.

Yeah, the numerix patch was against the version of numerix included in
the sks tarball.  Packaging numerix and making sks use the system
numerix would be better (if possible), but it wasn't something I
looked at.

> I have sent mail to the SKS author to see if he has any ideas.

Good luck.  :)

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
I've had a perfectly wonderful evening.  But this wasn't it.
-- Groucho Marx





Re: Need recommendation on keyserver code

2008-05-07 Thread Todd Zullinger
Alan Olsen wrote:
> 5) Eventually I want to package at least one keyserver for Fedora.

IIRC from when I built SKS on Fedora 8, the main issue was updating
the code to the newer Berkeley DB.  I didn't test it all that much
after building it though -- it just wasn't that interesting.

I'll attach the patches I used to get it to build.  They may help you
get a working package.  I make no guarantees that these are correct,
as I'm far from intelligent in the ways of bdb.

Also, the numerix patch needs to be applied after the numerix tarball
in the sks source is unpacked.

Onak might end up being easier to build.  I never played with it
though.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
Even moderation ought not to be practiced to excess.

diff -ur sks-1.0.10/bdb/bdb_stubs.c sks-1.0.10-built-cleaned/bdb/bdb_stubs.c
--- sks-1.0.10~/bdb/bdb_stubs.c 2005-01-17 18:42:51.0 -0500
+++ sks-1.0.10/bdb/bdb_stubs.c  2008-01-30 19:52:46.0 -0500
@@ -206,7 +206,9 @@
 // calls to DB->err and DBENV->err lead to exceptions.
 
 // FIX: currently, prefix is ignored.  Should be concatenated.
-void raise_db_cb(const char *prefix, char *msg) { raise_db(msg); }
+void raise_db_cb(const DB_ENV *dbenv, const char *prefix, char *msg) {
+raise_db(msg);
+}
 
 
 // #
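Review bot: in the new raise_db_cb, msg is still declared char * while the two parameters added in front of it are const; please check the whole parameter list against the error-callback prototype in the db.h being targeted, since a mismatch there is only a warning in C and is easy to miss. The added dbenv argument is unused and the FIX comment about prefix being ignored still applies, so either concatenate prefix into the message now or mark both as intentionally unused.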
@@ -238,7 +240,7 @@
 //+ | LOCKDOWN | PRIVATE | SYSTEM_MEM | THREAD
 
 static int dbenv_verbose_flags[] = {
-  DB_VERB_CHKPOINT, DB_VERB_DEADLOCK, DB_VERB_RECOVERY, DB_VERB_WAITSFOR
+  DB_VERB_DEADLOCK, DB_VERB_RECOVERY, DB_VERB_WAITSFOR
 };
 
 //+ 
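Review bot: removing DB_VERB_CHKPOINT from dbenv_verbose_flags shifts every later entry down by one. If the OCaml side selects an entry by constructor position, as the //+ type comments in this file suggest, the matching constructor has to be dropped from the OCaml type in the same patch; otherwise each remaining flag maps to the wrong constant and the last one reads past the end of the array.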
@@ -679,9 +681,10 @@
   int err;
   void *stat;
   int size;
+  DB_TXN *txn = NULL;
 
   test_db_closed(db);
-  err = UW_db(db)->stat(UW_db(db),&stat,0);
+  err = UW_db(db)->stat(UW_db(db),txn,&stat,0);
   if (err != 0) { UW_db(db)->err(UW_db(db),err,"caml_db_get_size"); }
   switch (*(u_int32_t*)stat) {
   case DB_BTREEMAGIC:
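Review bot: the stat call now takes a transaction argument unconditionally, so this file no longer builds against Berkeley DB releases whose stat has the old three-argument form; a guard on DB_VERSION_MAJOR/DB_VERSION_MINOR from db.h would keep both working. The local txn is only ever NULL, so passing NULL directly with a short comment saying the size query runs outside any transaction would be clearer.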
diff -ur sks-1.0.10/Makefile sks-1.0.10-built-cleaned/Makefile
--- sks-1.0.10~/Makefile2005-08-13 21:33:51.0 -0400
+++ sks-1.0.10/Makefile 2008-01-30 21:44:04.0 -0500
@@ -29,9 +29,6 @@
 ifndef CAMLP4O
CAMLP4O=camlp4o
 endif
-ifndef MANDIR
-   MANDIR=/usr/share/man
-endif
 
 export OCAMLC
 export OCAMLOPT
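Review bot: dropping the MANDIR default here goes together with the later hunks that delete the man page rules, yet the new Makefile.local in this same patch still sets and exports MANDIR. Pick one: keep the default and the man page install, or remove MANDIR everywhere.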
@@ -50,7 +47,7 @@
 
 CAMLP4=-pp $(CAMLP4O)
 CAMLINCLUDE= -I lib -I bdb
-COMMONCAMLFLAGS=$(CAMLINCLUDE) $(OCAMLLIB) -ccopt -Lbdb -dtypes
+COMMONCAMLFLAGS=$(CAMLINCLUDE) $(OCAMLLIB) -ccopt -Lbdb -dtypes -ccopt -pthread
 OCAMLDEP=ocamldep $(CAMLP4) 
 CAMLLIBS=unix.cma str.cma bdb.cma nums.cma numerix.cma bigarray.cma 
cryptokit.cma
 OCAMLFLAGS=$(COMMONCAMLFLAGS) -g $(CAMLLIBS)
@@ -129,14 +126,10 @@
 install: 
mkdir -p $(PREFIX)/bin
install sks_build.sh sks sks_add_mail $(PREFIX)/bin
-   mkdir -p $(MANDIR)/man8
-   install sks.8.gz $(MANDIR)/man8
 
 install.bc: 
mkdir -p $(PREFIX)/bin
install sks_build.bc.sh sks.bc sks_add_mail.bc $(PREFIX)/bin
-   mkdir -p $(MANDIR)/man8
-   install sks.8.gz $(MANDIR)/man8
 
 Makefile.local:
touch Makefile.local
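Review bot: install and install.bc stop installing sks.8.gz, and nothing in the message says why. If the page does not build on this system, keep the rules and skip them when pod2man is absent, so a package built from this tree still ships its documentation.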
@@ -148,12 +141,6 @@
 
 # Ordinary targets
 
-sks.8.gz: sks.8
-   gzip -f sks.8
-
-sks.8: sks.pod
-   pod2man -c "SKS OpenPGP Key server" --section 8 -r 0.1 -name sks 
sks.pod sks.8
-
 spider: $(LIBS) $(ALLOBJS) spider.cmx
$(OCAMLOPT) -o spider $(OCAMLOPTFLAGS) $(ALLOBJS) spider.cmx
 
diff -ur sks-1.0.10~/Makefile.local sks-1.0.10/Makefile.local
--- sks-1.0.10~/Makefile.local  2008-05-04 19:12:24.079272650 -0400
+++ sks-1.0.10/Makefile.local   2008-05-07 12:47:44.0 -0400
@@ -0,0 +1,10 @@
+BDBLIB=-L/lib
+BDBINCLUDE=-I/usr/include
+PREFIX=/usr/local
+LIBDB=-ldb-4.6
+MANDIR=/usr/share/man
+export BDBLIB
+export BDBINCLUDE
+export PREFIX
+export LIBDB
+export MANDIR
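Review bot: Makefile.local is the per-site settings file (the Makefile creates an empty one with touch), so hard-coding BDBLIB=-L/lib, LIBDB=-ldb-4.6 and PREFIX=/usr/local in the patch ties it to one machine and one Berkeley DB version. For a package these belong in the spec file or on the make command line.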
diff -up numerix-0.19c/lib/common/chrono.c.clk_tck 
numerix-0.19c/lib/common/chrono.c
--- numerix-0.19c/lib/common/chrono.c.clk_tck   2008-05-07 12:53:01.0 
-0400
+++ numerix-0.19c/lib/common/chrono.c   2008-05-07 12:56:22.0 -0400
@@ -18,7 +18,7 @@ void chrono(char *msg) {
   struct tms buf;
 
   times(&buf);
-  t = (double)(buf.tms_utime + buf.tms_stime)/CLK_TCK;
+  t = (double)(buf.tms_utime + buf.tms_stime)/CLOCKS_PER_SEC;
   fprintf(stderr,"%8.2f %8.2f %s\n",t,t-tlast,msg);
   fflush(stderr);
   tlast = t;
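Review bot: CLOCKS_PER_SEC is the unit of clock(), not of times(); the tms_utime and tms_stime fields filled in by times(&buf) count clock ticks, whose rate is sysconf(_SC_CLK_TCK). Dividing by CLOCKS_PER_SEC compiles, but the timings printed by chrono() will be off by a large constant factor. Use (double)sysconf(_SC_CLK_TCK) as the divisor and include <unistd.h>.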




Re: gpg-agent/ssh-add asking for passphrase at first usage

2008-03-30 Thread Todd Zullinger
Axel Thimm wrote:
> some years ago I did create a nice "gpg-agent --enable-ssh-support"
> setup that would register ssh keys with the agent, but the agent
> would only ask for the passphrase when ssh would try a connection.
> 
> Now I upgraded my system and this doesn't work anymore.

What exactly doesn't work?  You don't get any password prompt for
either your ssh or gpg keys?  Or you get the prompt for both now
instead of having your ssh key automatically added?  Or something else
entirely?

> Now my questions are:
[...]
> - *why* did it break with the update? The old system has gnupg 2.0.8
>  and the new one 2.0.9. But the Changelog doesn't indicate anything
>  that would make these two behave differently.

Is the new system running another agent, like the seahorse agent?  I
think that might be on by default now, and it provides similar
functionality to gpg-agent and ssh-agent.  Maybe it's causing problems?

That's just my half-educated guess. ;)

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
Conscience is what hurts when everything else feels so good.





Re: GnuPH with PHP / install

2008-03-18 Thread Todd Zullinger
PeterM wrote:
> I need access to gpg with PHP through accounts on my server such as:
> /home/first_account/.gnupg
> /home/other_account/.gnupg
> 
> through cPanel I can also install(& have) public keys for each
> domain/account, but cannot access gpg in the server's root
> directory.
> 
> Any advice will be greatly appreciated,

You want to use either the GNUPGHOME environment variable or --homedir
command line option to tell gpg where to look for its files.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
The only consistent feature in all of your dissatisfying relationships
is you.
-- Demotivators (www.despair.com)





Re: keypair to/from armor format

2008-01-28 Thread Todd Zullinger
Steven Woody wrote:
> I don't trust any electrical medium ( USB disk, DVD-R and so on ) as
> backup copy of my keypairs. I think I want hardcopy of my keys.  In
> the user manual, however, I learned how to export/import public keys
> ( in armor mode ). but I don't see how to do the same on the private
> key. Is it possible? Thanks.

For a hardcopy backup of your secret key, you might also find paperkey
(which David wrote) useful:

http://www.jabberwocky.com/software/paperkey/

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
I do not pretend to know where many ignorant men are sure - that is
all that agnosticism means.
-- Clarence Darrow





Re: IDEA

2008-01-23 Thread Todd Zullinger
McDougall, Marshall (STEM) wrote:
> Hi All.
> 
> First post...be gentle :-}
> 
> I have a RHEL server and I am having difficulty decrypting a pgp
> encrypted file.  Near as I can tell, I need the IDEA cipher.  
> 
> [EMAIL PROTECTED] gpg --decrypt myfile.txt 
> gpg: protection algorithm 1 (IDEA) is not supported
> gpg: the IDEA cipher plugin is not present
> gpg: please see http://www.gnupg.org/why-not-idea.html for more
> information
> gpg: encrypted with 1024-bit RSA key, ID C0A298D3, created 2004-07-13
>  "one_of_my_keys"
> gpg: public key decryption failed: unknown cipher algorithm
> gpg: decryption failed: secret key not available
> 
> I roamed around the GNUPG site and found the "idea.c.gz" downloads, but
> the instructions allude to directories that don't exist on my server.
> Has anyone added IDEA to an existing canned redhat installation?  I am
> open to any suggestion.  Thanks.

You can rebuild the gnupg srpm and add idea.  A few small changes to
the spec file (like in the attached diff) should do what you want.

A better solution would be to have the sender encrypt the file to you
using a cipher that you can use without any patents or other
encumbrances.  Does your key have a cipher pref for IDEA?  If so, you
should fix that so other people don't encrypt things to you that you
can't easily decrypt.  You can view your prefs with:

$ gpg --edit-key C0A298D3 showpref quit

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
I never met a morphosis I didn't like.

--- gnupg.spec~ 2007-03-01 07:47:37.0 -0500
+++ gnupg.spec  2008-01-23 14:40:16.0 -0500
@@ -1,12 +1,13 @@
 Summary: A GNU utility for secure communication and data storage.
 Name: gnupg
 Version: 1.4.5
-Release: 13
+Release: 13.1
 License: GPL
 Group: Applications/System
 Source0: ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-%{version}.tar.bz2
 Source1: ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-%{version}.tar.bz2.sig
 Source2: gnupg-shm-coprocessing.expect
+Source3: ftp://ftp.gnupg.dk/pub/contrib-dk/idea.c.gz
 Patch0: gnupg-1.4.1-gcc.patch
 Patch1: gnupg-1.4.2-curl.patch
 Patch2: gnupg-1.4.5-CVE-2006-6169.patch
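Review bot: Source3 is pulled over plain FTP with no detached signature or checksum alongside it, unlike Source0, which has its .sig listed as Source1. Since idea.c is compiled into the gpg binary, pin a known-good digest of idea.c.gz and check it in %prep before unpacking.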
@@ -42,6 +43,7 @@
 %patch4 -p0 -b .CVE-2006-6235
 popd
 %patch5 -p2 -b .multiple-message
+gunzip -c %{SOURCE3} > cipher/idea.c
 autoreconf
 
 %build
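Review bot: the gunzip line drops cipher/idea.c into the tree on every build, so the rebuilt package differs from the stock one in its cipher set while only the release tag shows it. Wrapping Source3 and this line in a build conditional that defaults to off would keep the default build identical to the distribution's and make the IDEA build an explicit choice.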
@@ -109,6 +111,9 @@
 %{_mandir}/man7/*
 
 %changelog
+* Wed Jan 23 2008 Todd Zullinger <[EMAIL PROTECTED]> - 1.4.5-13.1
+- include the IDEA cipher
+
 * Thu Mar  1 2007 Nalin Dahyabhai <[EMAIL PROTECTED]> - 1.4.5-13
 - incorporate patch from Werner to work around clients which
   can't tell that multiple plain messages have been processed (#230457)




Re: GnuPG in Linux

2007-10-30 Thread Todd Zullinger
Charly Avital wrote:
> My question, please help: where, how can I find and open, actually
> open and edit as required, gpg.conf? A ls search in .gnupg lists
> 'options'. I remember that gnupg.options was the ancestor of
> gpg.conf (probably before gnupg 1.2.*).

Just rename (mv) options to gpg.conf.  Even that isn't strictly
necessary AFAIK, as gpg will read the options file if no gpg.conf is
found.

> Sorry if the question seems [is] silly, but I have a block. I have
> tried to use pico (nano), but I don't seem to strike the right
> commands.

Does running "nano ~/.gnupg/options" fail in some way?

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
Now, now my good man, this is no time for making enemies.
-- Voltaire, on his deathbed in response to a priest asking that
he renounce Satan.





Re: How to use GnuPG to generate sha512sum hash?

2007-08-31 Thread Todd Zullinger
Moses wrote:
> I want hash some strings by using GnuPG, I know GPG have hash
> function, but I can't find how to do it in the manuals or other
> documentations on the official website. What's parameters used by
> GPG for hash?
> 
> Furthermore, I would like use sha-512 hash strings from standard
> input, rather than from files, is it possible? If not, is there any
> other app can do this for me?

Perhaps this:

echo "some string" | gpg --print-md SHA512

is what you're looking for?

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
The best cure for insomnia is to get a lot of sleep.
-- W.C. Fields





Re: Questions about generating keys

2007-08-22 Thread Todd Zullinger
Oskar L. wrote:
> "Name must be at least 5 characters long"
> Why? There are probably many people who like to go only by their
> first name, and have a 3 or 4 character name.

It's generally considered useful to follow the typical format for a
user id (FirstName LastName <[EMAIL PROTECTED]).  You are free to
ignore this and the --allow-freeform-uid option will bypass all checks
on the format of the user id.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
That men do not learn very much from the lessons of history is the
most important of all the lessons of history.
-- Aldous Huxley Collected Essays, 1959





Re: where i can download gpgsm?

2007-07-17 Thread Todd Zullinger
redstar wrote:
> thanks but where is official site of gpgsm downloads? its made by
> werner koch right or its debian application???

No, it's not a Debian app.

See http://www.gnupg.org/(en)/download/index.html

"GnuPG 2.0

GnuPG 2.0 is the new modularized version of GnuPG supporting OpenPGP
and S/MIME"

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
You can make it illegal, but you can't make it unpopular.
-- Anonymous





Re: Can't generate new keys

2007-06-03 Thread Todd Zullinger
rocko wrote:
> You're right, it seems my permissions are wrong:
> [EMAIL PROTECTED]:~$ ls -la .gnupg/
> total 40
> drwx--  2 acidblue acidblue 4096 2007-06-03 15:42 .
> drwxr-xr-x 72 acidblue acidblue 4096 2007-06-03 17:59 ..
> -rw---  1 acidblue acidblue   28 2007-05-19 11:47 gpg.conf
> -rw---  1 root root 4203 2007-05-19 11:54 pubring.gpg
> -rw---  1 root root 4203 2007-05-19 11:54 pubring.gpg~
> -rw---  1 acidblue acidblue  600 2007-06-03 15:36 random_seed
> -rw---  1 root root 1313 2007-05-19 11:54 secring.gpg
> -rw---  1 root root 1280 2007-05-19 11:54 trustdb.gpg
> 
> How do i change this?
> Can i simply 'sudo chmod' the files 
> or do i have to reinstall gpg?

chown is what you want.  Something like this should do the trick:

$ sudo chown -R acidblue. ~/.gnupg

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
If the world didn't suck, we'd all fall off.





Re: Can't generate new keys

2007-06-03 Thread Todd Zullinger
rocko wrote:
> When i try to make a new key i get the following error:
> gpg: no writable public keyring found: eof
> Key generation failed: eof
> I'm using Ubuntu 7.04 and logged on as regular user.
> I've generated a key before but i used: sudo gpg --gen-key
> that works fine.
> I just can't seem to do it as regular user.

I'd guess that the ownership/permissions on your ~/.gnupg dir and/or
keyring files are not correct.  Check that you own the directory and
the files in ~/.gnupg using "ls -la ~/.gnupg" (as a regular user).  It
should look something like this:

$ ls -la .gnupg/
total 88K
drwx--  2 user user 4.0K Apr  3 15:18 .
drwx-- 43 user user 4.0K Jun  3 20:34 ..
-rw---  1 user user 9.0K Dec  8 15:51 gpg.conf
-rw---  1 user user  11K Dec  8 16:02 pubring.gpg
-rw---  1 user user 9.7K Dec  8 15:56 pubring.gpg~
-rw---  1 user user  600 Dec  8 15:57 random_seed
-rw---  1 user user 1.3K Dec  8 15:52 secring.gpg
-rw---  1 user user 1.3K Dec  8 15:56 trustdb.gpg

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
Subtlety is the art of saying what you think and getting out of the
way before it is understood.
-- Anonymous
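
The ownership problem diagnosed in the two "Can't generate new keys" replies (keyring files left owned by root after running gpg under sudo) can be checked mechanically. The following is an added example, not part of the original posts; the function names and the directory built in the demo are assumptions of the example.

```shell
#!/bin/sh
# Added example: flag entries in a GnuPG home directory that the current user
# does not own, or that group/other can access. Not part of GnuPG.

# Usage: audit_gnupg_home [DIR]   (default: $GNUPGHOME, then ~/.gnupg)
# Prints one finding per line. Returns 0 if clean, 1 if anything was
# flagged, 2 if DIR is not a directory.
audit_gnupg_home() {
    dir=${1:-${GNUPGHOME:-$HOME/.gnupg}}
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    uid=$(id -u)
    findings=$(
        # Owned by someone else, e.g. root after "sudo gpg --gen-key"
        find "$dir" ! -type l ! -user "$uid" \
            -exec printf 'wrong-owner %s\n' {} \;
        # Any group or other permission bit set
        find "$dir" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
            -o -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec printf 'too-open %s\n' {} \;
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Demo on a constructed directory: one keyring file is made group/world
# readable. An ownership mismatch cannot be staged without root, so the demo
# only exercises the permission check.
demo_audit() {
    demo_tmp=$(mktemp -d) || return 2
    demo_home=$demo_tmp/gnupg
    mkdir -m 700 "$demo_home"
    : > "$demo_home/pubring.gpg"; chmod 600 "$demo_home/pubring.gpg"
    : > "$demo_home/secring.gpg"; chmod 644 "$demo_home/secring.gpg"
    demo_rc=0
    audit_gnupg_home "$demo_home" || demo_rc=$?
    rm -rf "$demo_tmp"
    return "$demo_rc"
}

# Remediation, as in the reply above: chown -R the directory back to the
# user (via sudo), then "chmod -R go-rwx" it.
demo_audit || echo "demo: findings reported (exit status $?)"
```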





Spurious warning when using pgp compatibility modes?

2007-05-17 Thread Todd Zullinger
Hi all,

With sig-keyserver-url $URL in gpg.conf:

$ gpg --pgp7 --detach-sign test

You need a passphrase to unlock the secret key for
[...]
gpg: can't put a preferred keyserver URL into v3 signatures

Now, I know that I can't do that but I don't want to be told about it
every time I sign something when I've explicitly enabled --pgp7.  Would
it be unreasonable to ignore preferred keyserver urls when pgp[67] are
used?

I've been using the attached patch (minus the pgp2 part which I just
added) for a while to do just this and I haven't noticed any problems.
(There may be cleaner ways to do this, but this was what I got working
without knowing the code too well. :)

If it's not appropriate to patch this out, is there a good way to
silence this without losing other info?  The --quiet option doesn't do
it.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
Hang in there, retirement is only thirty years away!

Index: g10/gpg.c
===
--- g10/gpg.c   (revision 4504)
+++ g10/gpg.c   (working copy)
@@ -2998,6 +2998,8 @@
xfree(s2k_digest_string);
s2k_digest_string = xstrdup("md5");
opt.compress_algo = COMPRESS_ALGO_ZIP;
+   free_strlist(opt.sig_keyserver_url);
+   opt.sig_keyserver_url=NULL;
  }
   }
 else if(PGP6)
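Review bot: the addition in the pgp2 branch is, per the message, new and has not had the use that the PGP6/PGP7 part has had; please run a --pgp2 signing test with sig-keyserver-url set before this goes in. Clearing the option here is silent, which is the intent, but a log_info under opt.verbose would let a user find out why the URL is missing from the signature.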
@@ -3005,12 +3007,16 @@
opt.escape_from=1;
opt.force_v3_sigs=1;
opt.ask_sig_expire=0;
+   free_strlist(opt.sig_keyserver_url);
+   opt.sig_keyserver_url=NULL;
   }
 else if(PGP7)
   {
opt.escape_from=1;
opt.force_v3_sigs=1;
opt.ask_sig_expire=0;
+   free_strlist(opt.sig_keyserver_url);
+   opt.sig_keyserver_url=NULL;
   }
 else if(PGP8)
   {
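Review bot: the same free_strlist/NULL pair now appears in three branches. A small static helper, or a single block after this compliance chain keyed on opt.force_v3_sigs, would keep the branches from drifting apart, and could also cover force_v3_sigs being set without any --pgpN option.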




Re: The Polish language in gnupg.spec is horrible

2007-04-16 Thread Todd Zullinger
Werner Koch wrote:
> You need to create an account first.  Sorry for that but it avoids
> spam and helps to make people think before they use the tracker as a
> help forum.  I add a comment.

Yeah, understandable.  I had created an account and still didn't see
any obvious way to add a comment.  I may just be incredibly dense
today. :)

As far as rpm goes, I'm pretty sure it will happily try to process a
spec file written in various encodings, but the results won't likely
be sane or consistent.  For Fedora, the ascii/utf8 requirement is a
sanity check for packagers so that if someone else edits a spec file
they can be assured that it is either ascii or utf8.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
User, n.: The word computer professionals use when they mean "idiot."
-- Dave Barry





Re: The Polish language in gnupg.spec is horrible

2007-04-16 Thread Todd Zullinger
Werner Koch wrote:
> we have this 
> 
>https://bugs.g10code.com/gnupg/issue676
> 
> bug report in the tracker.  I'd appreciate if someone else speaking
> Polish can check the supplied patch
> 
>   https://bugs.g10code.com/gnupg/file84/corrected-polish.diff.gz

I can't help with the translation, but I do know that when creating
spec files for Fedora and Red Hat, the spec file is to be encoded in
either ascii or utf8.

(I'd add this to the bug directly, but it's early for me and I'm not
seeing any way to add a comment. :)

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
Bureaucracy is the enemy of innovation.
-- Mark Shepherd, former President and CEO of Texas Instruments





Re: no, it's not an email client problem, it's what I said at the start

2007-04-03 Thread Todd Zullinger
[EMAIL PROTECTED] wrote:
> It's either a GnuPG problem or an RFC problem.

It could also be a PEBKAC. :)

> It's possible to add or remove or modify text in a clearsigned
> message. If that's what the RFC allows, then the RFC is broken. If
> the RFC doesn't allow it then GnuPG is broken.

It is neither.  You can change a comment field which is not used for
any cryptographic purpose.

This is not a GnuPG problem, therefore by your logic it must be a
problem with the RFC.  In that case, please direct further mail to the
openpgp working group.

> This kind of sloppy exposure is out of place in the product/RFC.
> Making excuses or trying to explain around it or blame it on email
> clients is silly and not fooling anyone.

Perhaps the comment field should simply be renamed to "this is only a
comment, it's not part of the signed message so you shouldn't infer
that it is secured:".  Or, if you don't like the comment field, don't
set it in your gpg config.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
It seems such a pity that Noah and his party did not miss the boat.
-- Mark Twain





Re: comment and version fields. [Long]

2007-04-03 Thread Todd Zullinger
Matt wrote:
> Now I haven't read the OpenPGP RFC, but if it is anything like the other
> RFCs that I've looked at (but been unable to read) its language is the
> worst possible combination between a lawyer and an engineer. Designed to
> kill all interest in the subject before getting down to the subject.

Yes, you've found the true purpose of all RFCs.  Unfortunately they
aren't working as intended as numerous folks have managed to glean
just enough detail out of them to make working implementations based
on these documents. :)

> Now I just double checked, but the RFC wasn't included as the
> documentation of the last GPG release I received.

Nor should it be.  As an end user of the software you shouldn't need
to know the details of implementation.  And unless you have buggy
software that mixes the comment field in with the signed data, there
isn't really any problem here.

> There are man pages, which can't be read under windows

Not that I take much glee in knowing there are things I can read on
linux that Windows users can't, but I thought that the man pages were
generally included with the windows builds and you could open them
with a text editor.  But it's been a long time since I even looked at
a windows box with gpg installed.

> Does it say that the comment lines I read in the (clearsigned)
> message before running it through GPG are not part of the signed
> message, that any third party between the sender and me could have
> altered them?

If you're not comfortable with the tool, then that's why there are
many convenient wrappers/plugins that handle this automatically.  I
think it seems reasonable to assume that if you're running things
through gpg manually, on the command-line, that you ought to have a
little more understanding of the tool.

> Fixing the RFC is probably not an option, but being more clear in
> user documentation is. Not just the official GnuPG manual, but the
> OpenPGP help file in enigmail, and other MUA wrappers.

Since enigmail doesn't even show you the comment field, why would
anything need to be added to its help file about it?  Ditto for most
of the other mail plugins that I've seen and used.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
I never forget a face, but in your case I'll be glad to make an
exception.
-- Groucho Marx



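The point made in the two messages above, that the Comment: and Version: lines of a clearsigned message lie outside the signed text, shown as an added example (not code from the posts or from GnuPG): a parser for the cleartext signature framework of RFC 4880 section 7 that separates the canonical signed text from the armor headers. The sample message, its placeholder signature block and all function names are constructed for illustration.

```python
"""Separate the signed text of a cleartext-signed message from its unsigned armor headers."""
from typing import NamedTuple

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


class ClearSigned(NamedTuple):
    hash_headers: list    # "Hash:" lines; they name the digest, they are not signed
    payload: bytes        # canonical text the signature is computed over
    armor_headers: dict   # Version:/Comment: lines of the signature block; not signed
    armor_body: list      # base64 lines holding the signature packet


def read_headers(lines, start):
    """Return the header lines from `start` up to the blank separator, and the next index."""
    i = start
    while i < len(lines) and lines[i].strip():
        i += 1
    if i == len(lines):
        raise ValueError("missing blank line after headers")
    return lines[start:i], i + 1


def canonical_payload(body_lines):
    """Undo dash-escaping, drop trailing blanks, join with CRLF (RFC 4880, section 7)."""
    out = []
    for line in body_lines:
        if line.startswith("- "):
            line = line[2:]
        out.append(line.rstrip(" \t"))
    # The line ending before the signature armor is not part of the signed text.
    return "\r\n".join(out).encode("utf-8")


def parse_clearsigned(text):
    lines = text.replace("\r\n", "\n").split("\n")
    if lines[0] != BEGIN_MSG:
        raise ValueError("not a cleartext-signed message")
    hash_headers, body_start = read_headers(lines, 1)
    try:
        # Dash-escaping guarantees that no body line can equal the armor line.
        sig_start = lines.index(BEGIN_SIG, body_start)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError:
        raise ValueError("incomplete signature block") from None
    raw, armor_start = read_headers(lines[:sig_end], sig_start + 1)
    armor_headers = {}
    for header in raw:
        key, _, value = header.partition(":")
        armor_headers[key.strip()] = value.strip()
    return ClearSigned(hash_headers,
                       canonical_payload(lines[body_start:sig_start]),
                       armor_headers,
                       lines[armor_start:sig_end])


def what_changed(original, modified):
    """Report which region differs between two copies of a clearsigned message."""
    a, b = parse_clearsigned(original), parse_clearsigned(modified)
    return {"signed_text": a.payload != b.payload,
            "armor_headers": a.armor_headers != b.armor_headers}


# Constructed sample; the base64 line is a placeholder, not a real signature.
SAMPLE = "\n".join([
    BEGIN_MSG,
    "Hash: SHA1",
    "",
    "Pay Alice 10 EUR.",
    "- -- ",
    "Bob",
    BEGIN_SIG,
    "Version: Example 1.0",
    "Comment: this line is not signed",
    "",
    "Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=",
    "=AAAA",
    END_SIG,
    "",
])
COMMENT_EDITED = SAMPLE.replace("this line is not signed", "approved by the bank")
BODY_EDITED = SAMPLE.replace("10 EUR", "99 EUR")

if __name__ == "__main__":
    print(parse_clearsigned(SAMPLE).payload)
    print("comment edited:", what_changed(SAMPLE, COMMENT_EDITED))
    print("body edited:   ", what_changed(SAMPLE, BODY_EDITED))
```

Only a change to `payload` can make verification fail; a reader or wrapper should display that region as the signed content and treat the armor headers as unauthenticated.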


Re: GPG fails to verify clamav

2007-02-04 Thread Todd Zullinger
Roy Carin wrote:
> I downloaded clamav 0.90rc3 from
> http://sourceforge.net/project/showfiles.php?group_id=86638&package_id=90197&release_id=483125
> 
> I want to verify the integrity of the downloaded file. When I do
> 
> gpg --keyserver random.sks.keyserver.penguin.de --verify 
> clamav-0.90rc3.tar.gz.sig
> 
> it fails, saying this:
> 
>> gpg: Signature made Wed Jan 31 18:04:35 2007 CST using DSA key ID 985A444B
>> gpg: Can't check signature: public key not found
> 
> René Berber, in message
> 
>   , says that my GPG installation is broken.
> 
> Can anyone tell me how I can fix it?

I think that the problem may be that you don't have the key on your
keyring already and you don't have the auto-key-retrieve keyserver
option enabled (it's not enabled by default).  You can either enable
that option or import the key before verifying the signature (via a
keyserver webpage or using gpg --recv-key 985A444B).

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
What a terrible thing to have lost one's mind. Or not to have a mind
at all. How true that is.
-- Dan Quayle, speaking to the United Negro College Fund



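"Can't check signature: public key not found" is neither a good nor a bad result, and a script that verifies downloads has to keep it apart from both. The following added example (not code from the post or from GnuPG) classifies the machine-readable lines that gpg writes with --status-fd and compares the signing key against a pinned fingerprint. It assumes one signature per file; the status lines, the fingerprint and the long key ID are constructed around the short key ID quoted above.

```python
"""Classify `gpg --status-fd 1 --verify FILE.sig FILE` output for a release script."""

PREFIX = "[GNUPG:] "
# Constructed placeholder: pin the real fingerprint obtained from the project.
EXPECTED_FPR = "0123456789ABCDEF0123456789ABCDEF985A444B"


def parse_status(status_text):
    """Map each status keyword to the argument list of its first occurrence."""
    events = {}
    for line in status_text.splitlines():
        if line.startswith(PREFIX):
            parts = line[len(PREFIX):].split()
            if parts:
                events.setdefault(parts[0], parts[1:])
    return events


def classify(status_text, expected_fpr):
    """Return (verdict, detail); only the verdict 'good' means the file is verified."""
    ev = parse_status(status_text)
    if "BADSIG" in ev:
        return ("bad-signature", " ".join(ev["BADSIG"][:1]))
    errsig = ev.get("ERRSIG", [])
    # ERRSIG: keyid pkalgo hashalgo sigclass time rc; rc 9 means the key is missing.
    if "NO_PUBKEY" in ev or (len(errsig) >= 6 and errsig[5] == "9"):
        keyid = (ev.get("NO_PUBKEY") or errsig or ["?"])[0]
        return ("missing-key", keyid)
    for keyword in ("REVKEYSIG", "EXPKEYSIG", "EXPSIG"):
        if keyword in ev:
            return ("expired-or-revoked", keyword)
    valid = ev.get("VALIDSIG", [])
    if "GOODSIG" in ev and valid:
        # The tenth VALIDSIG field, when present, is the primary key's fingerprint.
        fpr = valid[9] if len(valid) >= 10 else valid[0]
        if fpr.upper() == expected_fpr.upper():
            return ("good", fpr)
        return ("unexpected-key", fpr)
    return ("unverified", "no usable signature status")


def good_status(fpr):
    """Build the constructed status lines gpg would print for a good signature."""
    return (
        f"[GNUPG:] GOODSIG {fpr[-16:]} Example Signer <signer@example.invalid>\n"
        f"[GNUPG:] VALIDSIG {fpr} 2007-02-01 1170288275 0 3 0 17 2 00 {fpr}\n"
    )


# Constructed samples.
MISSING_KEY = (
    "[GNUPG:] ERRSIG 89ABCDEF985A444B 17 2 00 1170288275 9\n"
    "[GNUPG:] NO_PUBKEY 89ABCDEF985A444B\n"
)
GOOD = good_status(EXPECTED_FPR)
# A different key whose short ID is also 985A444B.
SAME_SHORT_ID = good_status("FEDCBA9876543210FEDCBA9876543210985A444B")
BAD = "[GNUPG:] BADSIG 89ABCDEF985A444B Example Signer <signer@example.invalid>\n"

if __name__ == "__main__":
    for name, sample in [("missing key", MISSING_KEY), ("good", GOOD),
                         ("same short ID", SAME_SHORT_ID), ("bad", BAD)]:
        print(name, "->", classify(sample, EXPECTED_FPR))
```

The "unexpected-key" case is why the comparison uses the full fingerprint: an 8-digit key ID such as the one passed to --recv-key does not identify a key uniquely.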


Re: Signed patch against 2.0.1

2006-12-08 Thread Todd Zullinger
Werner Koch wrote:
> Basically I am the list owner :-(.

Good grief man, your head must hurt from all those hats. :)

I've spent a good bit of time hanging around the mailman-users list
and managing a few smaller lists for others.  I would be glad to try
and help figure out what list settings could be tweaked to get the
archives into better shape.  It should be doable as I've seen and sent
pgp signed (mime and inline) messages that included attachments and the
pipermail archiver handled them alright.  There was a bug fixed in
2.1.8 that would scrub some parts of pgp/mime messages with
attachments, but even that one left the main message body intact for
the archives.

I believe I found the culprit that has scrubbed your last few signed
patch mails in the archives.  It seems that since the mime parts lack
a content-type: text/plain header, Mailman's scrubber removes them.  I
think this is probably a bug in the scrubber module, as the MIME RFC
states that messages lacking such a header should be assumed
text/plain.  I've sent a query to mailman-users to see if others
agree[2].  If so, hopefully that can be fixed without too much hassle.

I set up a test list on my box and twiddled with your initial post in
this thread.  All that was required to get it to archive was the
attached diff.  Perhaps you can convince Gnus to include the
content-type headers as a work-around to the mailman archive problem?

> I already installed a new version of Mailman and tried to rebuild
> it.  However it mixed up the numbers and thus most existing URLs
> won't be correct anymore.

Yeah, that's a very unfortunate limitation of the archiver.  Its
weaknesses were just discussed on mailman-users the other day with
main dev Barry Warsaw saying[1]:

    Have I mentioned recently how long I've been looking for a
    volunteer to help make all this not suck?  ;}  Pipermail is just
    one of those things that people either live with or ditch.

While it would be bad to have to rebuild and break external links into
the archives, I think it'd be worth it as some of the most valuable
messages in the archives are those that you or any other GnuPG
developer send announcing a problem and attaching a patch.

> Recently I had another issue.  Pipermail break the message if it
> sees a ">From " at the beginning of a line.  I also had to resort to
> manual editing.

Another icky problem caused by older versions of the python email
module which Mailman uses.  Anything since Python 2.3 should include
an email module that defaults to escaping such From_ lines.  So once
the mbox is edited to correct the old, unescaped From_ lines it
shouldn't happen again.

>> BTW, I really like your Content-Type boundary string. :)
> 
> A gadget posted to the Gnus list some years ago:

Very nice.  Some cold and rainy day I may have to add something
similar to my mutt setup.

[1] http://www.mail-archive.com/mailman-users%40python.org/msg42504.html
[2] http://mail.python.org/pipermail/mailman-users/2006-December/054904.html

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
In God we trust. Everybody else we verify using PGP!
-- Tim Newsome

--- wk-orig 2006-12-08 11:43:53.0 -0500
+++ wk-munged   2006-12-08 11:46:11.0 -0500
@@ -42,6 +42,7 @@
 Lines: 294
 
 --=KGB-Sundevil-gamma-Skipjack-government-Vince-Foster-Treasury-bce-S-B
+Content-type: text/plain; charset=us-ascii
 
 Hi!
 
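Review bot: `charset=us-ascii` on the added header for the first part is asserted without the body being visible in this hunk (the header block above it says `Lines: 294`). If any line of that part carries 8-bit characters the label is wrong, so either confirm the part is pure ASCII or declare the charset the message actually uses.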
@@ -55,6 +56,7 @@
 
 
 --=KGB-Sundevil-gamma-Skipjack-government-Vince-Foster-Treasury-bce-S-B
+Content-type: text/plain; charset=us-ascii
 Content-Disposition: inline; filename=filter-context-20-small.diff
 Content-Description: Patch against 2.0.1
 
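Review bot: In the second part the added header labels as `text/plain` a body whose `Content-Disposition` gives `filename=filter-context-20-small.diff`. That keeps the patch readable inline, but the accompanying text should say the type was picked for the archiver rather than to describe the file. Style point on the same line: the adjacent headers are capitalised `Content-Disposition` and `Content-Description`, so `Content-Type` would be consistent, although header names are case-insensitive either way.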




Re: Fwd: GnuPG 2.0.1 compile error

2006-12-07 Thread Todd Zullinger
David Shaw wrote:
> Ok.  The problem is simple: you don't have zlib installed, or at
> least don't have the zlib development package installed.  I'm not
> sure what it's called on Ubuntu, but there is probably some
> variation of "zlib" and some variation on "zlib-devel".  You need
> zlib-devel.

It appears to be (the obviously named) zlib1g-dev. :)

Likewise, the bzip development package is named libbz2-dev.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
Duct tape is like the Force. It has a light side, a dark side, and it
holds the universe together
-- Carl Zwanzig





Re: Signed patch against 2.0.1

2006-12-07 Thread Todd Zullinger
Wouter van Heyst wrote:
> I got a patch plus sig just fine, sure it isn't somewhere between
> the list server and you that the scrubbing happens?

I'm only talking about the archives.  The patch arrived here just fine
as well.  But say I want to point at it in a distribution package or
tell a friend about it.  The archives are less than useful:

http://lists.gnupg.org/pipermail/gnupg-users/2006-December/029976.html

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
The American people are becoming more and more afraid of, and are
running away from, their own revolution.
-- Leonard E. Read





Re: Signed patch against 2.0.1

2006-12-07 Thread Todd Zullinger
Werner Koch wrote:
> Here comes a signed patch against 2.0.1 for those who care to verify
> signatures ;-).

Thanks Werner.  Seems that the list archives scrub the attachment,
which makes it less useful than it'd be otherwise, 'cause you can't
point others to the signed patch.  If any of the list owners have some
free time I'd be happy to try to get that corrected or take it to the
mailman-users list for advice if need be.  (It seems that the content
filter settings for the list may be a little aggressive.)

BTW, I really like your Content-Type boundary string. :)

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
Lack of money is the root of all evil.
-- George Bernard Shaw "Man and Superman", 1903





Re: Info doc conflict between 1.4.6 and 2.0.1?

2006-12-07 Thread Todd Zullinger
Werner Koch wrote:
> On Thu,  7 Dec 2006 05:37, [EMAIL PROTECTED] said:
> 
>> I don't recall seeing this before, but I don't use the info docs
>> much, so maybe I've just missed it previously.  It seems that 1.4.6
>> changed the texinfo file to use the dircategory "GNU Utilities"
>> just as 2.0.1 does.  1.4.5 used GnuPG.  Without knowing much about
>> how install-info
> 
> That is quite possible.  I forgot to do this change in the release
> candidate and it was too late to do another one due to the security
> bug.

Yes, I can understand that there were far more important things to be
done.  Here's hoping you can take this weekend off and relax. :)

>> If I'm doing something wrong or am incorrect in expecting that the
>> info files should be parallel installable, let me know.  If not, would
>> a proper fix be to use gpg2 as the entry for 2.0.1?
> 
> I think so and will change it for the next release.

If it helps, attached is a one-line patch against current svn.  That
seems to be all that's needed to get both 1.4 and 2.0 installed
together happily.

Thanks again to you and the whole GnuPG team!

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
To tax and to please, no more than to love and be wise, is not given
to men.
-- Edmund Burke

Index: doc/gnupg.texi
===
--- doc/gnupg.texi  (revision 4372)
+++ doc/gnupg.texi  (working copy)
@@ -48,7 +48,7 @@
 
 @dircategory GNU Utilities
 @direntry
-* gpg: (gnupg).OpenPGP encryption and signing tool.
+* gpg2: (gnupg).   OpenPGP encryption and signing tool.
 * gpgsm: (gnupg).  S/MIME encryption and signing tool.
 @end direntry
 
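Review bot: Only the menu label changes on the `+* gpg2: (gnupg).` line; the entry still points at the info file `(gnupg)`, as the unchanged `gpgsm` line does. It is worth confirming that the 1.4 series does not install a file of the same name into the same info directory, because renaming the label removes the duplicate menu item without separating the documents themselves. The extra space after `(gnupg).` keeps the description aligned with the `gpgsm` entry, which is fine.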




Re: Info doc conflict between 1.4.6 and 2.0.1?

2006-12-06 Thread Todd Zullinger
Charly Avital wrote:
> I am MacOS X user (10.4.6), unable till now to compile 2.0.1 (posted
> a few messages explaining why).
> If you are MacOS X user, could you please explain how you succeeded
> to compile 2.0.1. Thanks.

Sorry, I'm using linux.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
It is impossible to enjoy idling thoroughly unless one has plenty of
work to do.
-- Jerome K. Jerome





Info doc conflict between 1.4.6 and 2.0.1?

2006-12-06 Thread Todd Zullinger
I was updating my system to 1.4.6 today and noticed the following in
the make install output (I've got 2.0.1 installed already):

install-info: menu item `gpg' already exists, for file `gnupg'

I don't recall seeing this before, but I don't use the info docs much,
so maybe I've just missed it previously.  It seems that 1.4.6 changed
the texinfo file to use the dircategory "GNU Utilities" just as 2.0.1
does.  1.4.5 used GnuPG.  Without knowing much about how install-info
works, I'm guessing that it's balking because both programs try to
create a gpg entry in the same info section.

If I'm looking to install both 1.4.6 and 2.0.1 simultaneously,
shouldn't the info pages for both versions be able to coexist?

If I'm doing something wrong or am incorrect in expecting that the
info files should be parallel installable, let me know.  If not, would
a proper fix be to use gpg2 as the entry for 2.0.1?

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
No oppression is so heavy or lasting as that which is inflicted by the
perversion and exorbitance of legal authority.
-- Joseph Addison





Re: encrypt the sent folder

2006-12-06 Thread Todd Zullinger
Robert J. Hansen wrote:
> Todd Zullinger wrote:
>> That seems more like not feasible than unreasonable.  But the
>> results are the same. :-)
> 
> Infeasible: "we have the manpower, we have the tools, we have the
> talent, but the architecture is working against us in a big way."
> 
> Unreasonable: "our manpower is stretched so thin that all infeasible
> RFEs are unreasonable expectations of us."

I suppose that's one way to define the terms.  I was thinking that
unreasonable would be more aptly applied to a request that wasn't
grounded in any good reasoning.  Not feasible could be applied for
either lack of manpower or lack of an available set of hooks to
achieve the goal.

> As is unfortunately common with open-source projects, there's a
> major lack of manpower on Enigmail.  If you know Javascript and
> would like to get your hands dirty with Enigmail, why not volunteer
> over on the Enigmail list?  :)

While I think that the Enigmail team has done a really great job of
integrating OpenPGP into Thunderbird[1], I'm a happy Mutt user and not
looking to switch back to any graphical MUA. ;-)

I sincerely appreciate the efforts of all those folks that create the
tools so many of us use, from the kernel hackers working on low level
drivers for obscure functions I will likely never understand, to David,
Werner, Timo and all the GnuPG developers/contributors, to Ingo, John,
Patrick and others who spend hours integrating those pieces into easy
to use graphical interfaces that I can teach a friend to use pretty
quickly.

[1] For Windows, Thunderbird with Enigmail is the only thing I'd
recommend to friends getting started.  For linux, it's either
Thunderbird/Enigmail or Kmail.  Both projects have done a lot to make
using PGP both seamless and secure.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
The chains of habit are too weak to be felt until they are too strong
to be broken
-- Samuel Johnson (1709-1784)





Re: encrypt the sent folder

2006-12-06 Thread Todd Zullinger
Eray Aslan wrote:
> I thought it was a mis-configuration on my part.

Nope.  As John pointed out this is simply not feasible to do from
within Enigmail based on the way it has to interact with Thunderbird.

>> If you don't trust the IMAP server admins, then you should store
>> your mail somewhere you do trust.
> 
> Nope. I am the admin.

I'll assume that means you trust you.  ;-)

>> If you are worried about someone cracking the server and getting at
>> your sent messages then encryption on the server may be sufficient,
>> but would involve either changes to your mail client or some other
>> sort of access to your mailbox on the server.
> 
> The servers in question already have encryption at the file system
> level with cryptsetupLUKS for Linux and truecrypt for windows boxes.
> But the trouble is these do not provide any defense against attacks
> through the network.  They will happily serve the emails thru the
> network to the appropriate user when asked.  FS encryption is only
> good at boot time.  Once the partition is mounted, you can access
> the data.

True.  An encrypted FS that's always mounted isn't too secure.

> I can give the end users a smartcard or a usb stick.  The objective
> is to provide a solution so that not even the admin can read the
> emails

Well, as I understand your original query, you're looking to get
security on the sent messages that are not encrypted to the recipient.
In that case, the message goes out via IMAP and SMTP on the server and
thus the admin could just grab a copy somewhere in that process.
That'd be a lot easier to do than trying to crack the gpg encrypted
message in your sent mailbox.

ISTM that the only good way for you to get the security you want in
this case is to send the mail encrypted in the first place.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
Rupert!  I told you to watch the bags!  You were watching the boys
again weren't you!
-- Stewie Griffin





Re: encrypt the sent folder

2006-12-06 Thread Todd Zullinger
John Clizbe wrote:
> Sounds unreasonable to me. It's completely beyond our scope to
> implement.

That seems more like not feasible than unreasonable.  But the results
are the same. :-)

Thank you for the explanation.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
The American Republic will endure until the day Congress discovers
that it can bribe the public with the public's money.
-- Alexis De Tocqueville.





Re: encrypt the sent folder

2006-12-05 Thread Todd Zullinger
Eray Aslan wrote:
> Surely there must be a better way.  These all require admin access
> to the IMAP server.  The software already does what I want some of
> the time (when I send the recipient encrypted email).  I just want
> it to do it all the time.

This doesn't seem like an entirely unreasonable feature request to make of
Enigmail.  Perhaps you'd want to check in with the Enigmail folks to
see if they would consider adding such a feature?  It has some
potential to be useful but it might be icky to implement.

Obviously, if you send a message unencrypted but store it encrypted,
you won't really have an accurate record of your sent mail.  The
headers and MIME parts will be different.  Some people prefer that
what's in their sent mailbox be exactly equal to what was sent.
(Pedants. :)

I am curious though, what particular threats are you concerned about?
That might help shape what options would be best to take.

If you don't trust the IMAP server admins, then you should store your
mail somewhere you do trust.

If you are worried about someone cracking the server and getting at
your sent messages then encryption on the server may be sufficient,
but would involve either changes to your mail client or some other sort
of access to your mailbox on the server.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
Oh, I feel so deliciously white trash!  Mommy, I want a mullet!
-- Stewie Griffin



Re: Logo ballot reminder

2006-11-30 Thread Todd Zullinger
Wouter van Heyst wrote:
> It certainly was enough to make my brain register it as unreadable,
> I only went back to it when Warner mentioned the deadline again.
> Looking at it now I agree it is rather minimal as far as html goes,
> but it's still not something I'd willingly read as email (had to
> spawn a browser to look at it).

Egad, open a browser for that?  :)

I just have mutt dump html only messages through w3m -dump and display
the text.  That's after my other filters weed out the really obvious
trash and spam.  And then only for messages that are HTML only.  If
they are multipart alternative I prefer the text/plain part.

Until it was mentioned here I hadn't noticed that the message was HTML
only actually.

> The system was fairly easy to use, the hardest part was deciding how
> the various entries ranked :)

I'll second that.  :)

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
Statistics are like a lamp-post to a drunken man - more for leaning on
than illumination.



Re: pgp.sig as an attachment

2006-10-15 Thread Todd Zullinger
Sebastian wrote:
> I am using GnuPG with Apple Mail and the GPGMail plugin.
> 
> When I sign a message, the mail is sent with the attached file
> pgp.sig. However, I would prefer to have the signature inside the
> message and not in an attachment.
> 
> How would I do this?

You need to tell GPGMail not to use PGP/MIME.  You can disable that by
default (in the prefs on the Composing tab).  Check the GPGMail docs
for details on this.  The GPGMail mailing list might be able to offer
more insights if you need them.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
Outside of a dog, a book is a man's best friend.  Inside of a dog,
it's too dark to read.
-- Groucho Marx



Re: "sig!3" entry vs "sig!" entry on certain GnuPG keys from the PuTTY software site

2006-08-25 Thread Todd Zullinger
Alphax wrote:
> There is a "default certification level" option that can be used
> either on the command line or in a config file - normally GnuPG will
> ask you for the certification level when you sign a key, but the
> default /can/ be used if the right options are set, and /will/ be
> used at the time of key generation.

I believe you will not normally be asked for a cert-level, at least
not with most recent versions of gpg (I forget when that changed
exactly).  You must set ask-cert-level in your config or on the
command line to be prompted.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
What it means to take rights seriously is that one will honor them
even when there is a significant social cost in doing so.
-- Ronald Dworkin



Re: GPG and 1024-bit (or multiple) subkeys

2006-08-15 Thread Todd Zullinger
Charles Franklin Bernard wrote:
> "By itself" meaning a key without any other subkey.  They want us to
> generate a new public key with only one subkey, and that at 2048-bit
> instead of 1024.

I'd ask them to explain why they think this is required by GnuPG and
why they believe it needs to be a new key.  I can understand that they
might desire a stronger encryption subkey (2048 vs. 1024), but if
they're only requesting this because they misunderstand how the system
works, then they are just wasting your time. :)

> I suppose we could also make a copy of our existing public key, then
> delete the 1024-bit subkey (keeping the 2048-bit subkey we recently
> added), but I'm hoping there's a command line argument/flag for GPG
> to encrypt a file using a public key with two subkeys, specifying
> the 2048-bit subkey and ignoring the 1024-bit subkey.

There is.  Just append a ! to the keyid.  See the section "How to
specify a user ID" in the gpg man page.

If you had a key like this:

pub   1024D/1B324765 2006-05-21
uid   [ultimate] Testing <[EMAIL PROTECTED]>
sub   2048g/263C2EA4 2006-05-21
sub   4096g/9BDAA7FA 2006-08-15

You could tell gpg to encrypt to the 2048 subkey like so:

$ gpg -e -r 263C2EA4! ...

(note that you may need to quote or otherwise protect the ! from being
interpreted by your shell.)

If the senders you are dealing with don't grok this, then export your
whole key, delete the 1024 subkey, export the pubkey containing only
the 2048 subkey for them and then import your full key again.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
Even if you're on the right track, you'll get run over if you just sit
there.
-- Will Rogers

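For scripting the subkey selection described above, the following added example (not code from the post or from GnuPG) reads a `gpg --with-colons --list-keys` listing, keeps only usable encryption subkeys, and builds the `KEYID!` recipient together with a shell-safe command line. The listing is constructed from the example key in the post: the 16-digit key IDs are the post's short IDs padded with zeros, and the revoked subkey, the e-mail address and the file name are invented.

```python
"""Choose one encryption subkey from `gpg --with-colons --list-keys` output."""
import shlex

# Constructed listing (see the lead-in). Fields used below, counted from 1:
# 1 record type, 2 validity, 3 key length, 5 key ID, 12 capabilities.
SAMPLE_LISTING = """\
pub:u:1024:17:000000001B324765:1148169600:::u:::scSC:
uid:u::::1148169600::::Testing <testing@example.invalid>:
sub:u:2048:16:00000000263C2EA4:1148169600::::::e:
sub:u:4096:16:000000009BDAA7FA:1155600000::::::e:
sub:r:2048:16:00000000DEADBEEF:1148169600::::::e:
"""

UNUSABLE = {"i", "e", "d", "r"}   # validity: invalid, expired, disabled, revoked


def encryption_subkeys(listing):
    """Return [{'keyid': ..., 'bits': ...}] for subkeys that can still encrypt."""
    keys = []
    for line in listing.splitlines():
        fields = line.split(":")
        if len(fields) < 12 or fields[0] != "sub":
            continue
        validity, bits, keyid, caps = fields[1], fields[2], fields[4], fields[11]
        if validity in UNUSABLE or "e" not in caps or "D" in caps:
            continue
        keys.append({"keyid": keyid, "bits": int(bits)})
    return keys


def recipient_for(listing, bits):
    """Return 'KEYID!' for the single usable encryption subkey of the given size."""
    matches = [k for k in encryption_subkeys(listing) if k["bits"] == bits]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one usable {bits}-bit subkey, "
                          f"found {len(matches)}")
    # The trailing '!' tells gpg to use exactly this subkey.
    return matches[0]["keyid"] + "!"


def encrypt_command(listing, bits, path):
    """Return (argv, shell_text) for encrypting `path` to the chosen subkey.

    Passing argv to subprocess.run() involves no shell at all; shell_text is
    quoted so that an interactive shell does not interpret the '!'.
    """
    argv = ["gpg", "--encrypt", "--recipient", recipient_for(listing, bits), path]
    return argv, " ".join(shlex.quote(arg) for arg in argv)


if __name__ == "__main__":
    argv, text = encrypt_command(SAMPLE_LISTING, 2048, "report.txt")
    print(text)
```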


Re: How to verify the file was successfully encrypted...

2006-07-12 Thread Todd Zullinger
Jonathan Rockway wrote:
> BTW, why are you encrypting these files anyway?  If someone broke into 
> your computer they could just steal the crypto key too.

True, unless the private key isn't kept on the same machine.  Which
also would negate the ability to decrypt the file on the server to
verify that the encryption was successful. :)

-- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
Those who have been intoxicated with power... can never willingly
abandon it.
-- Edmund Burke



Re: Keysigning challenge policies/procedures

2006-07-11 Thread Todd Zullinger
Atom Smasher wrote:
> pgp Key Signing Observations: Overlooked Social and Technical
> Considerations
> 
> 
> there's a few sections in that article that might be of interest.

Indeed, thank you Atom!  I'll pass this link along for more
information after my short talk.

- -- 
Todd  OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
Politicians are the same all over. They promise to build bridges even
when there are no rivers.
-- Nikita Khrushchev



Re: Keysigning challenge policies/procedures

2006-07-07 Thread Todd Zullinger
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi David,

David Shaw wrote:
> I've been away on vacation and only picked up this thread now.

Hope it was relaxing.  Welcome back seems like a negative thing to
say.  ;)

> This statement is not correct.  Back in the PGP 2.x days, this might
> have been true, but with OpenPGP, there is no particular requirement
> that the ability to sign and the ability to decrypt are connected.
> You can have a shared key with separate capabilities.
> 
> Sending a signed key via encrypted mail does not ensure anything
> about the key owner.

Marcus and Ingo have been very helpful in providing pretty specific
procedures that they've used (and documented) for key signing.  I've
read with interest the comments that you've made over the years as the
topic of keysigning has come up and I'd be very appreciative if you
could share a basic outline of the procedure you take or recommend.

As I alluded to at the start of this thread, I've been volunteered to
give a talk on the process and reason behind key signing at an
upcoming meeting of my local LUG.  I've been trying to find as many
different people's policies and procedures as I can prior to my
presentation to a) refresh my memory and b) prepare for potential
questions on why one might use a particular method.

I highly respect the methods you've outlined on this list and I think
the members of my local LUG could benefit greatly from being exposed
to the policy/procedure for handling keys they come across at a key
signing party.

Thanks much for your efforts on GnuPG.  Like OpenSSH, it's one of the
applications that I use every single day and would have a hard time
living without.

- -- 
Todd  OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
Life is the art of drawing without an eraser.
-- John Gardner



Re: Keysigning challenge policies/procedures

2006-07-07 Thread Todd Zullinger
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Ingo Klöcker wrote:
> On Friday 07 July 2006 16:56, Todd Zullinger wrote:
[...]
>> Could you elaborate a little on the procedure you use to generate the
>> challenges?  I'd love to have some examples of how other folks do
>> things to present to my fellow LUG members.
> 
> My script does the following:
> For each key id that's given on the command line it first determines all 
> UIDs which are neither revoked nor expired nor have already been signed 
> by me. Then for each UID a random string is generated. I use the 
> command 
>   head -c 18 /dev/urandom | mimencode
> for this. (mimencode is part of metamail.) This challenge and the key id 
> and the UID are then inserted into a text explaining what the receiver 
> of the challenge has to do. This text is then encrypted with the key 
> corresponding to the key id. The encrypted text is then prepended with 
> another text explaining what the encrypted text is about. Finally the 
> resulting text is given to KMail together with the email address 
> (==UID). Now I only have to click on the Send button in KMail to send 
> the message.

Thank you much for this.

> (I could make KMail automatically send the messages, but I prefer to
> have a last look at them before I send them in order to check that
> everything worked correctly.)

Yeah, I understand that perfectly.  Too much automation can bite you
when you least expect it. :)

> I've attached the script.

And thank you very much for this!  It'll be very handy to have
something concrete to point others to for an example.  Between that
and the caff script in pgp-tools I've now got two nice perl examples
my fellow LUG members can check out and use or adapt.

>> Of course, but they can't sign it with the key I've been asked to
>> sign and which I verified from the key fingerprint and other owner
>> details, unless they are the proper owner of that key.
> 
> Yes, they can if it was them who asked you to sign their key. For
> example, I could create a key with my name and your email address,
> go to a key signing party and make everybody sign the fake user id.
> And if I can intercept your mail then I can even reply to
> challenges.

But if you do this, then even encrypting the challenge wouldn't help,
as I'd be encrypting it to the key you presented to me.  It seems that
this is a problem outside the scope of what the challenge will solve.

Or am I missing something?  (I've been busy all morning fixing some
plumbing, so my mind isn't as sharp as usual -- not that I'm the
sharpest tool in the shed on a good day. ;)

Many thanks to you for indulging my questions and posting your
procedures and script!

- -- 
Todd  OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
Going to hell when I die would just be redundant.

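An added sketch, in Python, of the per-UID challenge procedure Ingo describes in the message above; it is not the attached script and not code from any poster. The key listing is constructed sample data in gpg's colon format, and the key IDs, addresses and function names are assumptions made for the example.

```python
import base64
import hmac
import re
import secrets

MY_KEYID = "1111111111111111"  # hypothetical long key ID of the person signing

# Constructed listing in the colon format printed by
# `gpg --with-colons --fixed-list-mode --list-sigs <keyid>`.
SAMPLE_LISTING = """\
pub:-:1024:17:AAAAAAAAAAAAAAAA:1136073600:::-:::scESC:
uid:-::::1136073600::H1::Alice Example <alice@example.org>:
sig:::17:AAAAAAAAAAAAAAAA:1136073600::::Alice Example <alice@example.org>:13x:
uid:-::::1136073600::H2::Alice Example <alice@work.example>:
sig:::17:AAAAAAAAAAAAAAAA:1136073600::::Alice Example <alice@example.org>:13x:
sig:::17:1111111111111111:1150000000::::Signer <signer@example.net>:10x:
uid:r::::1136073600::H3::Alice Old <old@example.org>:
uid:e::::1136073600::H4::Alice Expired <expired@example.org>:
sub:-:2048:16:BBBBBBBBBBBBBBBB:1136073600::::::e:
"""


def unescape(field):
    """Undo gpg's hex escaping of ':' and control characters in colon listings."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), field)


def uids_to_challenge(listing, my_keyid):
    """Return UIDs that are not revoked, not expired and not yet signed by my_keyid."""
    candidates = []
    current = None  # the usable uid record that following sig records belong to
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "uid" and len(f) > 9:
            current = None
            if f[1] not in ("r", "e"):  # field 2: r = revoked, e = expired
                current = {"uid": unescape(f[9]), "signed": False}
                candidates.append(current)
        elif f[0] == "sig" and current is not None and len(f) > 4:
            if f[4].upper() == my_keyid.upper():  # field 5: signer's key ID
                current["signed"] = True
        elif f[0] in ("pub", "sub", "uat"):
            current = None
    return [c["uid"] for c in candidates if not c["signed"]]


def new_challenge():
    """18 random bytes as base64, the size of `head -c 18 /dev/urandom | mimencode`."""
    return base64.b64encode(secrets.token_bytes(18)).decode("ascii")


def email_of(uid):
    """Extract the address from a 'Name <addr>' user ID, or None if there is none."""
    m = re.search(r"<([^<>\s@]+@[^<>\s@]+)>\s*$", uid)
    return m.group(1) if m else None


def build_challenges(listing, keyid, my_keyid):
    """One independent challenge per UID, so every address is tested on its own."""
    pending = []
    for uid in uids_to_challenge(listing, my_keyid):
        token = new_challenge()
        body = (f"Key ID:    {keyid}\nUser ID:   {uid}\nChallenge: {token}\n\n"
                "Please return the challenge in a message signed with this key.\n")
        # Each body would be encrypted to the key before mailing, for example
        # with `gpg --armor --encrypt --recipient <keyid>`.
        pending.append({"to": email_of(uid), "uid": uid,
                        "challenge": token, "body": body})
    return pending


def uid_confirmed_by(verified_text, pending):
    """Map a reply (whose signature gpg has already verified) back to its UID."""
    for word in verified_text.split():
        for item in pending:
            if hmac.compare_digest(word.encode(), item["challenge"].encode()):
                return item["uid"]
    return None


if __name__ == "__main__":
    for item in build_challenges(SAMPLE_LISTING, "AAAAAAAAAAAAAAAA", MY_KEYID):
        print(item["to"])
        print(item["body"])
```

Because each UID gets its own random string, a returned challenge shows which address the key holder can actually read, not merely that some address on the key works.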


Re: Keysigning challenge policies/procedures

2006-07-07 Thread Todd Zullinger
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Ingo Klöcker wrote:
> On Friday 07 July 2006 17:09, Todd Zullinger wrote:
[...]
>> But that does mean that you can't get a signed key to someone if
>> the key you've signed doesn't have any encryption capabilities,
>> correct?
> 
> That's obviously correct. In this case you could give the key owner
> a piece of paper with a random string and ask him to send it in a
> signed message to your email address. Then you know that he can use
> this key for signing messages. Obviously, you can't check the
> validity of the email addresses belonging to this key (unless he's
> got an encryption key you can use for checking the addresses).

Is it really necessary to encrypt the challenge?  If the key has
encryption capabilities, I would do so, but if it was a sign only key
and I could not do so, just what sort of attacks or weaknesses are
there in sending the challenge in the clear?  I've seen David Shaw
point out that it didn't gain you much.  I'm just trying to work
through the possible scenarios so I have them clear in my mind before
trying to present this to a larger group, who may well end up with
questions on this that I'd like to have better answers for than I do
now.

>> Have you found in practice that you don't run into many sign-only
>> keys that you are asked to certify?
> 
> Among a few hundred keys I've signed so far only a handful were
> sign-only or certification-only keys. I did simply sign them with a
> lower verification level.

Okay.  I would have guessed that you probably wouldn't run into
terribly many keys like this, but thank you for giving some practical
experience to support this.

- -- 
Todd  OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
...unfortunately, we can't control the actions of everyone.
-- Bill Clinton, April 20, 1993



Re: Keysigning challenge policies/procedures

2006-07-07 Thread Todd Zullinger
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Marcus Frings wrote:
> * Todd Zullinger <[EMAIL PROTECTED]> wrote:
> 
>> What I don't see in any of the links is more information about
>> sending an email challenge before signing a key.  (My apologies if
>> I'm overlooking it on your page or any of the others.)
> 
> Before, I used a protocol for signing keys where I sent out random
> strings as challenge response, but it's not worth it. There is no
> enhanced security and only more work for "signer" and "signee". If
> you send the signed UIDs encrypted to each mail address separately
> it has the same effect in security because if the mail address
> bounces or the person behind the address doesn't have the private
> key your signed UIDs won't become publicly available.

But that does mean that you can't get a signed key to someone if the
key you've signed doesn't have any encryption capabilities, correct?
Unless, of course, you have told the signee that they must provide you
with a key which they wish to have the signed keys encrypted to.

Have you found in practice that you don't run into many sign-only
keys that you are asked to certify?

> There are some scripts around but don't use CA-Bot as Ingo
> suggested. As he has already said it has problems with so-called
> sign-only-keys and it sends out broken mails. caff, from the same
> author, handles these keys much better. It can be downloaded from
> the third link I mentioned. Besides it is already available in
> Debian and FreeBSD.

Thanks, I'll look closer at caff.  I didn't pull down the package and
play with it yet.

- -- 
Todd  OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
You're not drunk if you can lie on the floor without holding on.
-- Dean Martin



Re: Keysigning challenge policies/procedures

2006-07-07 Thread Todd Zullinger
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Ingo Klöcker wrote:
> Try CA-Bot (http://cabot.alioth.debian.org/).

Thanks Ingo.

> I haven't used it myself because I'm using a self-written script for
> creating challenges with KMail.

Could you elaborate a little on the procedure you use to generate the
challenges?  I'd love to have some examples of how other folks do
things to present to my fellow LUG members.

> But I've been sent a few challenges generated by CA-Bot. Last time I
> received such a message, it said (at least IIRC) that CA-Bot
> couldn't handle signed and/or encrypted replies. So using CA-Bot you
> can only check whether the person you send the challenge to can
> decrypt the challenge, but you can't check whether he also controls
> the signing key.

That's unfortunate, since the signature is more important than the
decryption, AFAIAC.  I'll take a look and see if CA-bot can't be
useful as a starting point for some scripts of my own.

>> Isn't it a good thing to send some random data to each UID on the
>> key someone wishes you to sign and require that they send back that
>> data signed by the key to prove they control both the key and the
>> email address in the UID?
> 
> Where "control the email address" is different from "is the owner of
> the email address". Anybody between you and the owner of the email
> address can intercept the challenge, sign it and send it back to
> you.

Of course, but they can't sign it with the key I've been asked to sign
and which I verified from the key fingerprint and other owner details,
unless they are the proper owner of that key.

> This is especially a problem with email addresses which don't
> contain the name, but just some random alias, nickname or whatever.
> [EMAIL PROTECTED] could be anyone's email address.

Right.  But if we met in person and I showed you acceptable ID,
provided you with the key fingerprint and other key data, then
returned a challenge from you signed using the key matching the
fingerprint that you verified in our meeting, you know that I am in
control of the key and that I can get mail at [EMAIL PROTECTED]
Obviously, others can read mail there too and that's why I'm using GPG
to ensure that I'm the only one that will be able to decipher mail
sent to that address and generate verifiable email from that address.

Thanks,

- -- 
Todd  OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
You will never find time for anything.  If you want time you must make
it.
-- Charles Buxton



Re: Keysigning challenge policies/procedures

2006-07-06 Thread Todd Zullinger
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Marcus Frings wrote:
> * Todd Zullinger <[EMAIL PROTECTED]> wrote:
> 
>> I was wondering if some folks here have detailed their challenge
>> policies and procedures and if you'd mind sharing them if you have?
>> Even handier would be some scripts to help in the automation of this
>> task.  ;)
> 
> http://www.sc-delphin-eschweiler.de/pgp/
> http://sion.quickie.net/keysigning.txt
> http://pgp-tools.alioth.debian.org/

Thank you Marcus.  I had actually found your page while doing some
research and read it.  Very nicely outlined.  Thank you for sharing it
with the world.

I believe that we will be using the method outlined in Len Sassaman's
and Phil Zimmermann's paper from above.  This too I had read while
researching this earlier.  (It's good to know I've run across some of
the same info you recommend. :)

What I don't see in any of the links is more information about sending
an email challenge before signing a key.  (My apologies if I'm
overlooking it on your page or any of the others.)

It's been discussed here before but I've not found any scripts or good
details that I could point my fellow LUG members toward.  Isn't it a
good thing to send some random data to each UID on the key someone
wishes you to sign and require that they send back that data signed by
the key to prove they control both the key and the email address in
the UID?

Many thanks for the helpful information,

- -- 
Todd  OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
Money can't buy happiness, but it sure makes living in misery easier.



Keysigning challenge policies/procedures

2006-07-06 Thread Todd Zullinger
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi,

I'm putting together a short talk for my local LUG as we're planning
to have a keysigning party in the near future and some folks want to
hear more details so they'll understand better.

I was wondering if some folks here have detailed their challenge
policies and procedures and if you'd mind sharing them if you have?
Even handier would be some scripts to help in the automation of this
task.  ;)

In particular, I like how David Shaw has explained the pitfalls with
various approaches to doing the email challenge several times on the
list.  David, is your challenge policy something you've posted
anywhere?

Thanks in advance for any tips and pointers,

- -- 
Todd  OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
Politics:  A strife of interests masquerading as a contest of
principles.  The conduct of public affairs for private advantage.
-- Ambrose Bierce



Re: mime and pgp.asc

2006-06-13 Thread Todd Zullinger
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

alifbaa wrote:
> I am currently using GPG 1.4.3 on my mac powerbook G4 OSX 10.4.6.  I hope that
> this is the right forum to post this question, but when I send an email with
> an attachment and encrypt and sign it, it converts the message into two
> attachments, one that says "mime-attachment" and one that says "pgp.asc".  I
> don't want this.  I want it to encrypt and sign it and have an encrypted
> message at the top and an encrypted attachment at the bottom.  I am
> currently sending these emails with the two attachments to a coworker with a
> PC that uses PGP and he cannot decrypt my emails.  Any help would be greatly
> appreciated.

It sounds like you are sending mail using the PGP/MIME format and your
coworker's mail client can't handle that.  What mail clients are you
and your recipient using?  What version of PGP is your coworker using?

Knowing that, someone here may be able to let you know what, if any,
settings can be changed on either system to enable you to
communicate.

- -- 
Todd  OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
What it means to take rights seriously is that one will honor them
even when there is a significant social cost in doing so.
-- Ronald Dworkin



Re: sha2 utilities: Print or check SHA-2 digests

2006-06-10 Thread Todd Zullinger
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

rmyster wrote:
> Yes, suse 10.1 with coreutils-5.93-20.  In the info manual, sha2 is
> mentioned under section 6.6 (sha2 utilities) and all it says is "The
> usage and options of these commands are precisely the same as for
> `md5sum'."
> 
> While this isn't a linux mailing list, md5sum is part of gnupg.

No, it's not.  md5sum is part of the coreutils package.  You're using
suse, which is an rpm based distro, so if I may extend the slightly
off-topic posts a little, here's a handy way for you to find out what
package a file belongs to:

$ rpm -qf /usr/bin/md5sum

On my FC5 system this returns coreutils-5.93-7.2.

> The closest other choice was the coreutils bug lists and this didn't
> seem like a bug related question.

How not?  If the docs state an application is available and it's not
it's a bug - either in the docs or in the packaging.  In any case, I
took a blind leap of faith and searched for the string sha2 on the
coreutils mailing list and the very first item returned[1] was titled:

Re: Not finding sha256sum

It's a documentation bug in coreutils.  Total time spent, 30 secs. :)

[1] http://lists.gnu.org/archive/html/bug-coreutils/2005-12/msg00170.html

- -- 
Todd  OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
A diplomat is a person who can tell you to go to Hell in such a way
that you actually look forward to the trip.
-- Anonymous



Re: sha2 utilities: Print or check SHA-2 digests

2006-06-09 Thread Todd Zullinger
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

David Shaw wrote:
> Man page:
> 
>        --print-md algo [files]
>        --print-mds [files]
>               Print message digest of algorithm ALGO for all given
>               files or stdin.  With the second form (or a
>               deprecated "*" as algo) digests for all available
>               algorithms are printed.

Would it be slightly more consistent to use hash instead of algo here?
And/or to note somewhere that the list of available hash algorithms is
the same as what's printed by gpg --version on the Hash: line?

I imagine that with a slight amount of autofoo the same list that's
printed by the --version option could be added to the man page here as
well.

- -- 
Todd  OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
It is easier to fight for one's principles than to live up to them.
-- Alfred Adler



Re: PGP zip

2006-06-09 Thread Todd Zullinger
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Snoken wrote:
> Hi,
> I cannot find any "gpg-zip"-program after installing GnuPG
> 1.4.3 for Windows.
> 
> The announce message tells:
> 
> "Added "gpg-zip", a program to create encrypted archives that can
> interoperate with PGP Zip."

On my linux system, gpg-zip is a shell script.  I'm guessing that it's
not installed on windows because there isn't an sh compatible shell
there.  Perhaps if you were using cygwin you could get it to work, but
I don't know.

- -- 
Todd  OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
Show me a politician who does not lie through his teeth, and I'll
show you one who can't find his dentures.



Re: signature comments?

2006-06-05 Thread Todd Zullinger
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Zach Himsel wrote:
> I've always wondered how to get comments put under the signature
> header... I've seen them on sigs before and would like to have my
> public key address put there. Does anyone know how to do this?

In addition to the comment option, you may also find the
sig-keyserver-url option useful in this respect as well.  See the man
page for details.

- -- 
Todd  OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
Conscience is what hurts when everything else feels so good.



Re: gnupg-agent not working...

2006-06-05 Thread Todd Zullinger
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Zach Himsel wrote:
> I am using Thunderbird with the Enigmail extension. It gets annoying
> to me to have to enter in my password every time I want to send a
> signed (every email) or encrypted (only some) email. Sure, it saves
> it for 5 minutes idle time, but it's not like someone is going to go
> on my computer and send emails signed by me as it is a private
> computer which only I have access to. In the past I have used the
> gnupg-agent to not have to enter my password and it worked, but now
> it doesn't. I do not know why. I have GnuPG 1.4.3 under Windows XP
> (I have it for SUSE 10.0 also, but I haven't tried it on that
> machine yet.).  Thunderbird is 1.5.0.4 and Enigmail is 0.94.0.

I got the impression from this thread a few months ago that getting
the agent working in windows was a bit difficult:

http://lists.gnupg.org/pipermail/gnupg-devel/2006-January/022635.html

- -- 
Todd  OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
A person who smiles in the face of adversity ... probably has a
scapegoat.



Re: signature comments?

2006-06-05 Thread Todd Zullinger
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Zach Himsel wrote:
> I've always wondered how to get comments put under the signature
> header... I've seen them on sigs before and would like to have my
> public key address put there. Does anyone know how to do this?

Use the comment option in your gpg.conf file.  You can use this on the
command line too, if you want.  Perhaps you would do this if you
wanted to change the comment based upon which key you were using to
sign the message.  How you'd incorporate that into a windows
environment with thunderbird/enigmail is another question.

- -- 
Todd  OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
The ultimate result of shielding men from the effects of folly is to
fill the world with fools.
-- Herbert Spencer



Re: [lists] re: Signing vs. encrypting was: Cipher v public key

2006-06-04 Thread Todd Zullinger
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Graham wrote:
> On Thu, 01 Jun 2006 11:33:14 -0400 <[EMAIL PROTECTED]> wrote:
[...]
>> the cost is *astronomical*
>> 
>> have played around with it when it was released as a free command
>> line pgp 8.5 beta
> [snipped]
> 
> AFAIK this is the latest PGP command line version available - except
> for server based systems, which is why the cost is *astronomical*.

PGP Commandline 9.0 is what I saw reference to.

> When Network Associates sold the rights to PGP to PGP Corporation,
> they kept the rights to the command line version, and unless things
> have changed this is why PGP Corporation don't offer it.

I believe it has.  See:

http://www.pgp.com/products/commandline/index.html

And the cost is astronomical, IMO.  The quote from their store:

PGP Commandline 9.0, Perpetual License W/ SI - 2 Processors, 1
Key, Send and Receive Functionality

$3,170.00   QTY: 1

> But why bother when there is GPG?

No argument there. :)

- -- 
Todd  OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
Even moderation ought not to be practiced to excess.



Re: GnuPG asks for confirmation...

2006-06-03 Thread Todd Zullinger
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Ingo Klöcker wrote:
> On Saturday 03 June 2006 04:57, engage wrote:
>> On Thursday 01 June 2006 08:59 pm, Todd Zullinger wrote:
>>>engage wrote:
>>>> Why is someone sending an encrypted message to this list?
>>>
>>>It's not encrypted.  It's just signed and armored.
>>>
>>>Doesn't your mail client automatically display this for you?
>>
>> No. I keep getting prompted for my passphrase for this message.
>> Kmail.
> 
> My KMail (1.9.x) shows the message without asking for a passphrase.
> And I'm not aware of changes in this part of the code which would
> explain the different behavior. Strange.

Ingo, are you using the gpg-agent?

- -- 
Todd  OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
Well at first I was skeptical but then I thought I could be like
Hillary Clinton, just without the penis.
-- Lois Griffin, The Family Guy



Re: GnuPG asks for confirmation...

2006-06-02 Thread Todd Zullinger
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

engage wrote:
> On Thursday 01 June 2006 08:59 pm, Todd Zullinger wrote:
>>engage wrote:
>>> Why is someone sending an encrypted message to this list?
>>
>>It's not encrypted.  It's just signed and armored.
>>
>>Doesn't your mail client automatically display this for you?
> 
> No. I keep getting prompted for my passphrase for this message.
> Kmail.

Just hit enter.  There isn't any encryption, but the message is
armored and as others have pointed out, email software often just
assumes any pgp chunk that begins with "BEGIN PGP MESSAGE" is
encrypted and asks for a passphrase to pass on to gpg.  I've used mutt
with gpg-agent for years now and have grown accustomed to not having
that prompt unless a passphrase was truly required.  :)

- -- 
Todd  OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
Be who you are and say what you feel because those who mind don't
matter and those who matter don't mind.
-- Dr Seuss, "Oh the Places You'll Go"



Re: GnuPG asks for confirmation...

2006-06-02 Thread Todd Zullinger
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Mark Brown wrote:
> On Thu, Jun 01, 2006 at 10:59:54PM -0400, Todd Zullinger wrote:
>> engage wrote:
>>> Why is someone sending an encrypted message to this list?
> 
>> It's not encrypted.  It's just signed and armored.
> 
>> Doesn't your mail client automatically display this for you?
> 
> Many mail clients will assume that any GPG message is encrypted and
> prompt for a passphrase prior to invoking GPG.

I guess I just take it for granted because using mutt along with
gpg-agent, I don't get such a password request.  I'd be curious if
kmail would do the same if configured to use the gpg-agent.

Without the agent, mutt prompts as well.  It's just been a long long
time since I wasn't using gpg-agent. :)

-- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
Nothing says, "Obey me!" like a bloody head on a fence post.
-- Stewie Griffin



Re: Headers on this echo...

2006-06-02 Thread Todd Zullinger

Hi Laurent,

Laurent Jumet wrote:
> Why the Headers on this echo are not correct?

You'll have to provide some proof that they are incorrect.  What
defines "correct" headers?  :)

> Messages come with this
> 
> Sender: [EMAIL PROTECTED]
> 
> and it should be of course "gnupg-users@gnupg.org"

This is the way Mailman sends mail.  Sender is set to use
[EMAIL PROTECTED] because there are broken MTA's that will
send bounces back to Sender, rather than to the address in the
Errors-To or Return-Path headers.

This may be changed in a future version of mailman, as the number of
broken MTA's is diminishing and the number of MUA's that display
things like "on behalf of" when the Sender header differs from the
From header is increasing.

See this recent thread on the mailman-users list for more discussion
and links to relevant RFC's:

http://www.mail-archive.com/mailman-users@python.org/msg38403.html

> And there is no "Reply-To: gnupg-users@gnupg.org" Header.

See Mailman FAQ 3.48. 'What about setting a "Reply-To:" header for the
list?' for discussion of why many lists do not add a reply-to header
and why the Mailman default is to not set this to the list address.

http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq03.048.htp

Your MUA should be able to handle this.  Mutt does quite well without
the reply-to header pointing to the list.  Submit a feature request to
the developers of your MUA if it's missing a list reply function.

-- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
It was probably drugs more than anything else that made me a
Libertarian.
-- John Gilmore



Re: GnuPG asks for confirmation...

2006-06-01 Thread Todd Zullinger

engage wrote:
> Why is someone sending an encrypted message to this list?

It's not encrypted.  It's just signed and armored.

Doesn't your mail client automatically display this for you?

-- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
Democracy means simply the bludgeoning of the people by the people for
the people.
-- Oscar Wilde "The Soul of Man Under Socialism", 1895



Re: Signing vs. encrypting was: Cipher v public key.

2006-06-01 Thread Todd Zullinger

Janusz A. Urbanowicz wrote:
> gpg integrates better with automation and I really doubt that there is
> current, supported PGP for anything else than windows and mac.

While I prefer gnupg to pgp myself, I did just happen to see a
reference to pgp command line today.  Here are the platforms it
supports:

 * Windows 2003
 * Windows XP SP1
 * Windows 2000 SP4
 * HP-UX 11i or above (PA-RISC only)
 * IBM AIX 5.2 or above
 * Red Hat Enterprise Linux 3.0 or above (x86 only)
 * Solaris 8 or above (SPARC only)
 * Mac OS X 10.3 or above

http://download.pgp.com/products/pdfs/PGP_CL902_DS_050825_F.pdf

Not a terribly small list, except when compared to what gnupg will run
on. :)

-- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
The man who is a pessimist before forty-eight knows too much; the man
who is an optimist after forty-eight knows too little.
-- Mark Twain



Re: Filename is not embedded when using redirection

2006-04-14 Thread Todd Zullinger

feitao wrote:
> Hi,
> 
> My environment is Windows XP, gpg 1.4.2.2. I just found out that the
> following are different:
> 1) gpg -o a.gpg -e a.txt
> 2) gpg -e < a.txt > a.gpg
> 
> When using -o, the gpg file embeds the original filename, thus
>   gpg --use-embedded-filename a.gpg
> is valid. However, 2) does not embed the filename, and
>   gpg --use-embedded-filename a.gpg
> prints to stdout. 
>
> My question is how I can embed the filename using Method 2 (<>)? The
> reason I hate Method 1 (-o) is that it fails for large (~5G) files
> in Windows XP.

I haven't tested this, but --set-filename looks like the option you
want to check out.

-- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
Dawn, n.:
The time when men of reason go to bed.
-- Ambrose Bierce, "The Devil's Dictionary"



Re: [Announce] Gpg4win 1.0.0 released

2006-04-09 Thread Todd Zullinger

Thomas Hühn wrote:
> --On Freitag, 7. April 2006 13:56 +0200 Werner Koch <[EMAIL PROTECTED]>
> wrote:
> 
>> The gpg4win project aims at updating the gpg4win Windows
>> installation package with GnuPG encryption tool, associated
>> applications and documentation on a regular basis.  Especially the
>> documentation (handbooks "Einsteiger" and "Durchblicker") are
>> directly maintained as part of the gpg4win project.
> 
> Is there no current man page included or did I just overlook it?

I don't know about the win32 builds...  Building from source on linux
the man page is available and current.

> Is a current man page (including "cross-certify" etc.) available
> somewhere online?

I thought this would be what you wanted, but it's definitely not
current:

http://www.gnupg.org/documentation/manpage.en.html

It's linked from the main documentation page.

FWIW, here are the sections on cross-certify from the 1.4.3 manual:

--edit-key name
    Present a menu which enables you to do all key related tasks:
    [...]
    cross-certify
        Add cross-certification signatures to signing
        subkeys that may not currently have them.
        Cross-certification signatures protect against a
        subtle attack against signing subkeys.  See
        --require-cross-certification.
[...]
--require-cross-certification

--no-require-certification
    When verifying a signature made from a subkey, ensure that
    the cross certification "back signature" on the subkey is
    present and valid.  This protects against a subtle attack
    against subkeys that can sign.  Currently defaults to
    --no-require-cross-certification, but will be changed
    to --require-cross-certification in the future.

-- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
There is no pleasure in having nothing to do; the fun is in having
lots to do and not doing it.
-- Mary Wilson Little



Re: How to tell the gpg agent to forget a passphrase

2006-03-16 Thread Todd Zullinger

Olaf Gellert wrote:
> Hi,
> 
> is there any documentation on the commands that the
> gpg agent understands?

info gnupg has documentation on gpg-agent.  I'm not sure if it has all
that you're looking for, but it should be a good start.

> I am using gpg agent with Mozilla/Enigmail. This works
> fine. One thing that I am missing is how to tell the
> agent to forget the stored passphrases.

Send the agent a SIGHUP.  That will clear all stored passphrases.

> By the way: What does "--enable-ssh-support" do? Sounds
> like acting as a replacement for the ssh-agent?

It is.  The info page has an example for how to do this.

-- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
Every time I close the door on reality, it comes in through the
windows.



Re: GnuPG for PalmOS 5

2006-02-25 Thread Todd Zullinger

Wolfgang Klein wrote:
> Since there is already a version of pgp for Palm (palmopgp12), I was
> thinking that it shouldn't be too difficult to modify that code to
> work under PalmOS 5 in a convenient way. But on the other hand: I am
> not a programmer. So my estimation will most probably be totally
> wrong.

I don't know much at all about the Palm or programming for them, but
FWIW I recalled questions about OS 5 on the pgp-users list a while
back.  Will Price, a long-time developer of PGP, answered someone this
way in June of 2003:

- -BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

In some respects, we are just as frustrated as you may be. If I may be 
quite frank, Palm OS 5 was a hack job not ready for prime time. If we 
felt that some amount of maintenance work would quickly clean up issues 
with different Palm OS 5 devices, we would engage the effort.

I look forward to Palm OS 6. Palm OS 5 appears to be a halfway step 
down the transition road towards Palm OS 6 later this year which will 
(finally!) bring full support for the new processor types allowing 
acceptable speeds for all the key sizes and one hopes fix the API 
issues which prevent some of the features of PGP on Palm OS 4.X from 
working properly on Palm OS 5. It is my hope that a major new release 
of PGP Mobile will be ready for that OS and others.



On Saturday, June 7, 2003, at 06:54  AM, Michael Disabato wrote:
>> I hope someone there is doing some work with Palm OS 5's s/w 
>> development and
>> getting progressively more familiar with its possibilities. It's hard 
>> to
>
> I certainly hope so as well. I just got my Tungsten T, and PGP
> Mobile's operation on it is just about as bad as you can get. Their
> web site is highly misleading when it says that some of the
> functionality may not be there. Even encrypting/decrypting mail is
> broken, though not seriously if you tinker.
>
> Since Palm OS 5 is going to be the standard, it would be nice if PGP
> caught up with the industry.
- - --

Will Price, VP Engineering
PGP Corporation


- -BEGIN PGP SIGNATURE-
Version: PGP 8.0.2

iQA/AwUBPuPS3ay7FkvPc+xMEQK2UACg5qGyPODtVKurgV+HiyQr+3reGnUAoK4G
tdzK3JxEcHNZsosV27w7Gq9y
=tfYC
- -END PGP SIGNATURE-

-- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
Never do anything against conscience even if the state demands it.
-- Albert Einstein, Quoted in Saturday Review obituary, 1955



Re: Migrate from gnupg/Linux to gnupg/win32

2006-02-13 Thread Todd Zullinger

Kevin L. Collins wrote:
> Following a Mozilla guide, I tried to move my gpg keyrings to the
> CLI of gpg for windows.  This was done so that I could get
> Thunderbird signing and encrypting my e-mails.
>
> Apparently my secret key made it in just fine, as I can at least sign
> outgoing e-mails.  But my public keyring is hosed.  Here's what I
> get when I run 'gpg --list-keys':

Any pointers as to what Mozilla guide and how it instructed you to
move the keyrings?  Maybe that'd make it easier for someone to spot
why your pubring didn't get imported properly.

Here's how I'd try this (not tested since I'm fortunate enough to not
have a windows box handy):

# export
gpg --export > public-keys.gpg
gpg --export-secret-keys > secret-keys.gpg
gpg --export-ownertrust > ownertrust.gpg

# import
gpg --import public-keys.gpg secret-keys.gpg
gpg --import-ownertrust ownertrust.gpg

-- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
Ocean:  A body of water occupying about two-thirds of a world made for
man -- who has no gills.
-- Ambrose Bierce
