Re: Top-posting
On 2016-04-29 06:54, Paul R. Ramer wrote:
> Personally, I would rather not have to hit the "Page Down" button
> *every* time I wrote an email (provided I have full-size keyboard). If
> you are always varying from the defaults in a consistent way, then the
> defaults need to be different. Besides, think of the cumulative time
> wasted scrolling or paging down for every email you write. ;-) [1]

In Thunderbird, you can set "start my reply below the quote". You still need to remove everything from the reply that you are not directly responding to.

signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: where is gnupg configure file
Are you sure that you are using gpg2? private-keys-v1.d only contains private keys for gpg2. gpg1 stores them in ~/.gnupg/secring.gpg or something like that. If enigmail uses gpg2 and you created your key with gpg1, they will not see the same keys. '--version' is your friend.

IIRC, using the key with gpg2 will import it from gpg1. There was a nice online FAQ entry or something alike where the process is described, but I can't find it at the moment.

Regards,
Viktor

Re: EasyGnuPG
On 29.03.2016 05:53, Daniel Villarreal wrote:
>> Depending ... the gnupg 2.x executable is still called 'gpg'. I
>> guess it depends on if the distributor wants to keep easy backwards
>> compatibility. On archlinux,.. only one gnupg package ... The
>> executable is called gpg...Regards, Viktor

To make my statement more precise, the executable is called gpg2 and /usr/bin/gpg is a symlink to /usr/bin/gpg2. If one wants to use 1.x, one needs to install it from the arch user repositories. Archlinux is not known for emphasizing backwards compatibility.

Re: EasyGnuPG
On 28.03.2016 19:16, Daniel Villarreal wrote:
> Should we not strive to use gnupg v2x ? I always try to use gpg2 on
> the command-line, whereas documentation seems to show gpg.
>
> example...
> Encrypting and decrypting documents
> https://gnupg.org/gph/en/manual.html#AEN111

Depending on the system, the gnupg 2.x executable is still called 'gpg'. I guess it depends on if the distributor wants to keep easy backwards compatibility. On archlinux, for example, there is only one gnupg package and it currently ships 2.1.11. The executable is called gpg. I'd think all distributions will do that at some point since 2.x is meant to replace 1.x.

Regards,
Viktor

Re: EasyGnuPG
On 22.03.2016 23:10, Dashamir Hoxha wrote:
> You got this wrong. It does not enforce 1 month expiry. Right after
> creating the key you can change its expiry to 10y, if you wish. But if
> you say nothing, after 1m you will have to renew it (if you still
> remember the passphrase). This is like a safety measure for people who
> are not familiar with gpg.

In this case, I think you have got a point. I think the gnupg default of 'expires: never' is not the best solution, since people who just try it out might end up with a public key published to keyservers where they have lost the private key. Of course, this is not different from fake keys published by third parties, as long as there are no relevant signatures on it nobody should trust them. But I still think it might be better to set a default expiry of, let's say, 1 year and two months for the primary key and one year for the subkeys.

Then there is the problem that the user might not notice that his key is expired. I remember vaguely spending a day trying to find the error until I noticed that my subkeys were expired. But this might have been a problem with Enigmail, which did not give a clear error message.

However, one month is IMHO too short. But maybe I'm not the best judge since the last time I wrote an encrypted email was multiple months ago and I only once in my lifetime got an encrypted email except for testing purposes. Renewing my keys every month (and, which is more difficult than simply remembering to do so, distributing them between the couple or so machines where I read email) would be too much of a hassle.

Regards,
Viktor

Re: more files in private-keys-v1.d than shown with 'gpg --with-keygrip -K'
Thanks, I found it myself but since the sender of a mail to the list does not get a copy of it, I could not simply reply. If I use '--list-options show-unusable-subkeys', I see the missing keys, they are simply expired. Sorry to disrupt.

Regards,
Viktor

more files in private-keys-v1.d than shown with 'gpg --with-keygrip -K'
Hi,

is there a possibility to list what each of the private keys in ~/.gnupg/private-keys-v1.d is? Some of them I recognize in the listing of 'gpg --with-keygrip -K', but there are six files in the folder while only three keygrips are shown by the command (one of which is the master key and not present in the folder). I guess these are expired subkeys which I somehow deleted from my keyring, but why would the private keys still be present?

Regards,
Viktor

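The reconciliation worked out in this question and its follow-up (the extra files were expired subkeys, visible with '--list-options show-unusable-subkeys'), as an added example that is not part of the original posts: it matches the <keygrip>.key file names in private-keys-v1.d against the grp records of a colon-format listing. The listing, key IDs and keygrips are constructed, and the function names are this example's own.

```python
import tempfile
from pathlib import Path

# Validity codes (field 2 of a colon record) that make a key unusable.
UNUSABLE = {"e": "expired", "r": "revoked", "d": "disabled", "i": "invalid"}

# Constructed keygrips (40 hex digits each); none belongs to a real key.
MASTER, SUB_A, SUB_B = "A1" * 20, "B2" * 20, "C3" * 20
OLD_1, OLD_2, OLD_3, STRAY = "D4" * 20, "E5" * 20, "F6" * 20, "07" * 20

# Constructed listing in gpg's colon format, as it would look with
# '--with-colons --with-keygrip --list-options show-unusable-subkeys -K'.
SAMPLE_LISTING = f"""\
sec:u:4096:1:1111111111111111:1400000000:::u:::scESC:
grp:::::::::{MASTER}:
uid:u::::1400000000::::Example User <user@example.org>:
ssb:u:2048:1:2222222222222222:1460000000:1500000000:::::s:
grp:::::::::{SUB_A}:
ssb:u:2048:1:3333333333333333:1460000000:1500000000:::::e:
grp:::::::::{SUB_B}:
ssb:e:2048:1:4444444444444444:1400000000:1431536000:::::s:
grp:::::::::{OLD_1}:
ssb:e:2048:1:5555555555555555:1400000000:1431536000:::::e:
grp:::::::::{OLD_2}:
ssb:e:2048:1:6666666666666666:1431536000:1450000000:::::s:
grp:::::::::{OLD_3}:
"""


def parse_listing(text):
    """Return one dict per sec/ssb record, keygrip taken from its grp line."""
    keys, current = [], None
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] in ("sec", "ssb") and len(fields) > 4:
            current = {"type": fields[0], "validity": fields[1],
                       "keyid": fields[4], "keygrip": None}
            keys.append(current)
        elif fields[0] == "grp" and current is not None and len(fields) > 9:
            current["keygrip"] = fields[9].upper()  # field 10 holds the keygrip
    return keys


def reconcile(listing_text, key_dir):
    """Sort the *.key files in key_dir by what the listing says about them."""
    by_grip = {k["keygrip"]: k for k in parse_listing(listing_text) if k["keygrip"]}
    on_disk = {p.stem.upper() for p in Path(key_dir).glob("*.key")}
    report = {"usable": [], "unusable": [], "unlisted": []}
    for grip in sorted(on_disk):
        key = by_grip.get(grip)
        if key is None:
            report["unlisted"].append(grip)  # file with no record in the listing
        elif key["validity"] in UNUSABLE:
            report["unusable"].append((grip, key["keyid"], UNUSABLE[key["validity"]]))
        else:
            report["usable"].append((grip, key["keyid"]))
    # Listed keys without a file, e.g. a master key kept only on a backup disk.
    report["no_file"] = sorted(g for g in by_grip if g not in on_disk)
    return report


def demo():
    """Build a constructed key directory with six files and reconcile it."""
    with tempfile.TemporaryDirectory() as tmp:
        for grip in (SUB_A, SUB_B, OLD_1, OLD_2, OLD_3, STRAY):
            (Path(tmp) / f"{grip}.key").write_text("constructed placeholder\n")
        return reconcile(SAMPLE_LISTING, tmp)


if __name__ == "__main__":
    for section, entries in demo().items():
        print(section, entries)
```
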
Re: Should always add myself as recipient when encrypting?
On 21.03.2016 10:44, Paolo Bolzoni wrote:
> Dear list,
>
> The subject pretty much says it all already, I am using GnuPG 2.1.11
> (with libgcrypt 1.6.5) and I was wondering if I should always add
> myself as recipient when encrypting a file, of course, in addition to
> the real recipient.
>
> Is there a reason not to?

Hi,

I guess if you have a reason to keep a copy in your 'Sent' folder (talking about email now) you have a reason to also encrypt to yourself. Especially for IMAP, where all your email correspondence is synced between multiple devices, you will not want to keep the cleartext file only on one machine and you will not want to put the cleartext on the server, so you will encrypt it to yourself and store the result on the server.

One might argue that you should send a file that is only encrypted to your recipient and store a file that is only encrypted to yourself, so if one of you deletes his copy, the attack opportunities are also reduced. I know that Enigmail has the option to save draft messages encrypted to oneself, but I am not sure what it does with encrypted sent messages.

Regards,
Viktor

Re: EasyGnuPG
On 21.03.2016 18:38, Peter Lebbing wrote:
> $ gpg2 -Ar de500b3e -e file.txt
>
> is nicer than:
>
> $ gpg2 -o file.txt.gpg -r de500b3e -e file.txt

Actually, it seems that if you omit -o, gpg2 will do exactly this.

Regards,
Viktor

Re: (OT) mathematicians-discover-prime-conspiracy
On 2016-03-18 13:18, Peter Lebbing wrote:
> Can someone point me in the direction of the solution to this
> counterintuitive probability theory result? Any of a common name for the
> property, a mathematical explanation or an intuitive explanation are
> much appreciated!

Any match of a pattern (HH or HT) to a sequence of coin tosses can be either aligned (i.e., starting at the first/third/fifth etc. toss) or misaligned (second/fourth etc.). If you count the number of aligned matches in a sequence of a given length, you will get the same probability regardless of the pattern. The same with the misaligned matches.

However, the number of aligned and misaligned matches is not independent. For HH, they are correlated (if one pair of tosses is a match, the two overlapping ones are each matches with probability 0.5 instead of 0.25) while for HT they are anticorrelated (if one pair is a match, the overlapping ones can't be matches). Therefore, you will find more matches for HH than for HT. If you toss until you get a result, with HH you will get it quicker on average.

Regards,
Viktor

Re: Remove photos from OpenPGP key in the keyservers
On 08.03.2016 16:33, Daniel Kahn Gillmor wrote:
> Sorry, but no. The keyservers are globally-synced and append-only. you
> will not be able to remove stuff once it's posted there.

I always wondered what would happen if someone uploaded something to the keyservers where he has no permission to do so. Maybe some revealing photograph of someone. It might also be possible to somehow use the keyservers for file sharing, although it might be difficult to do so since they probably have a file size limitation. How do keyservers manage DMCA claims?

Regards,
Viktor

Re: Encryption of multiple files into another directory
On 05.03.2016 19:33, Josef Carnap wrote:
> It looks as if the files simply were copied to folder_2. But when I try
> to open the *.docx files with Libre Office for example I can see that
> doesn't work.
> So I guess the very problem is the missing file extension *gpg for the
> files in folder_2.
>
> Do you have any idea to modify the command so that the files in folder_2
> are: foo1.docx.gpg, foo2.docx.gpg, foo3.docx.gpg etc. (without renaming
> the files manually)?

Hi,

the filenames are not important for the content of the files. If you run the 'file' command on the files (i.e., "file /media/usb/folder_2/foo1.docx"), it should tell you that these are indeed gpg-encrypted files. You can simply rename the files to add the '.gpg' extension if you want. The original command can be modified as

    for x in /media/usb/folder_1/*; do
        gpg2 -o "/media/usb/folder_2/$(basename "$x").gpg" -r 0x12345678 -e "$x"
    done

if you want to append the extension directly.

Best regards,
Viktor

Re: advice please
On 2015-12-27 07:11, Rob Landau wrote:
> Good day, I have just received my first Linux system (Ubuntu
> 14.04) It has Seahorse installed, but I don't see any GnuPG
> application. How can I determine if there is a GnuPG installed,
> and if so where to find it. Searching the Dash for GnuPG reveals
> nothing, and there doesn't appear to be any program in the Ubuntu
> Software Center

If I remember correctly, the set of 'applications' on an Ubuntu system is only a subset of the set of packages. Specifically, applications are only programs that, when installed, have entries in the menu (or its Unity replacement). Programs that are console-only are usually not listed in the menu and it is possible that they are also not listed in the Software Center.

So the fact that there is no application called gnupg does not mean that gnupg is not installed. It probably is. Maybe just open a terminal and type 'gnupg', that way you can be sure.

Regards,
Viktor

Re: protecting pub-keys from unwanted signatures
On 16.08.2015 16:26, Stefan Claas wrote:
> if i understand you correctly it would not help me if someone
> would sign my key without my approval, so to speak.

Sure it helps. If Alice signs my key and Bob wants to send me something and trusts Alice, he can derive some trust that my key is also genuine.

One could argue that anyone who I do not know and who anyhow signs my key will probably not be (rightfully) trusted by anyone. However, some magazines (I'm thinking of c't) for example might put their fingerprint on each issue and someone who buys it might sign their key so that some friend of theirs who has no direct access to that can still be somehow sure that the key is correct.

I haven't looked at Facebook's public key, but let's assume that I want to send them an e-mail and tell my client 'get the key of i...@facebook.com'. It will download the key with a lot of signatures, some of which might be owned by someone in my web of trust. This person has probably just checked that the fingerprint given on their webpage matches the one of this particular key, but then that's something I do not need to check myself. (Not sure if that should be enough to sign a key, though...)

Kind regards
Viktor

Re: Proposal of OpenPGP Email Validation
On 31.07.2015 01:11, MFPA wrote:
> Only if you download the key from the GPGTools website and find the
> key-id first. (If the GPGTools team shows their key ID or Fingerprint on their website, I failed to find it.)

On the front page they have 'to verify the signature, please download and import our ' right below the download button. There is no fingerprint, but the whole key is there.

But I was talking about the fact that of the six results, one has hundreds of signatures. Sure, in the web of trust concept this doesn't mean anything unless there is a (short) trust chain from me to one of these, but in practice this still significantly raises the chance that it is the correct key (and it is, I checked with the one on their homepage).

> My output from searching a keyserver for "gpgtools.org":-

'gpg --search-keys' does not seem to give a list of signatures (which explains why enigmail also doesn't), I was searching using a web interface. I guess this is because it is assumed that signatures do not mean anything without a trust chain. But if I had to bet money on one of the keys, I would still take the one with hundreds of signatures.

> However, what would be different if one of the keys found happened to
> carry one of your proposed email address validation signatures?

If I could quickly check (or rather, my client could do that automatically) that the signature is also found on their web page, I can assume that either the web page is fake (which is unlikely for something known like ccc.de), it has been hacked (unlikely for a random troll) or someone intercepted either my HTTP request or the original verification e-mail (possible with a secret service, unlikely with a troll). Therefore, it will raise my estimated probability that the owner of the key also has access to the mailbox, which will pretty surely now be much higher than for any fake key.

The advantage with respect to the proof of work concept is that the procedure is asymmetric: it costs much more to troll than to verify a genuine key.

Best regards,
Viktor

Re: Proposal of OpenPGP Email Validation
On 2015-07-30 16:39, MFPA wrote:
> On Thursday 30 July 2015 at 1:43:35 PM, in
> , n...@enigmail.net wrote
>> BTW, as another example, several keys of
>> t...@gpgtools.org are faked (search for these keys and
>> the the interesting result).
>
> Sorry, I don't see a result that leaps out at me as interesting. Are
> you willing to elaborate?

I'd say if one searches on a keyserver, it is pretty clear which key is real. I'm a bit worried because when I search with Enigmail it does not show the signatures, so from there they all seem equally valid.

Regards,
Viktor

Re: Proposal of OpenPGP Email Validation
On 2015-07-30 10:17, Ingo Klöcker wrote:
> I'm sorry to tell you that you have fallen into the trap. There is only one
> genuine pg...@ct.heise.de key the fingerprint of which is printed in each
> issue of the c't magazine. The other one is a fake. And the fact that the fake
> key with the author's email address is signed by different keys only means
> that a lot of people have signed this fake key without following the proper
> procedure of key validation (or that the trolls created even more fake keys to
> sign the author's fake key to make it look more credible).
>

Not according to http://www.heise.de/security/dienste/PGP-Schluessel-der-c-t-CA-473386.html where three different keys are listed (two DSS and one RSA).

Re: Proposal of OpenPGP Email Validation
On 2015-07-29 18:24, n...@enigmail.net wrote:
> So, could somebody explain in a bit more detail how a PoW approach works?
>

As far as I understand it, for any key that you have - regardless whether you have access to the mail address in the uid - you can add some signature where anyone with the public key can quickly check that the person that possesses the private key has spent a specific amount of computing power (e.g., 1 week with an average PC) to create this signature. It is hard to create the signature (impossible without the private key, a lot of computing power with it) but easy to check. Essentially, you create the possibility to make a key 'premium' by spending this time and hope that trolls who flood the keyservers with fake keys will be deterred by the costs. Anyone who does not have any problem with trolls can of course still upload a non-premium key.

I myself find the idea not so appealing. I would not like it if after creating a key my machine had high CPU load for a couple of weeks. And I doubt that many trolls will be deterred by it - the number of fake keys per time interval will go down, but since they are anyhow going out of their way to create problems for others without any gain for themselves, I think a significant portion will still do it even if it costs more.

I rather like the idea of servers that offer to sign your key (or rather a specific UID) and send it to your email, encrypted to you. For the user this just means that if he has the problem of trolls using his address he has to send his key to such a server or upload it in a web interface, then receive the mail, decrypt it and import the contained signatures to his key, and optionally upload his new key to a keyserver - with enigmail, for example, everything done within a few clicks.

Anyone who looks for a key to a specific mail address on a keyserver will probably, when faced with multiple results, take the one that has most signatures (and isn't expired) - especially if some of the signatures are from email-verification-sounding hostnames. Therefore, there is no necessity to create a whitelist of servers (but it can be done, if a user decides to trust signatures of a specific server) and it is still decentralized - anyone can set up such a verification server.

Of course with a lot of effort, a troll could still try to create a complete fake network and cross-sign different keys. But here the amount of work to be done for a troll is much bigger than that for a genuine user, so hopefully it will not be a problem. It would also be possible to check for known services if the signature is actually theirs (by checking the key with that on the homepage or something like that), but of course it should have been possible to do that with the original recipient already...

These signatures should expire after a year or so, so keys where the owner no longer has access to the private key will lose these signatures after a while. I myself have two older keys from early experiments (where I did not specify an expiry date) uploaded to the keyserver network, but I guess anyone who looks me up will take my current key, because it has many more subkeys (which I now change every year) and also some signatures.

Now that I think about it - if I search for the original author of the c't article (j...@ct.de), who complained about getting mails that were encrypted to some fake key, I would assume that the keys 38EA4970 and E1374764 are both genuine, because they both have not only selfsigs. BTW, they are both signed by different keys with the UID 'pg...@ct.heise.de', so they already have a similar service in place - of course I had to do a websearch to find if these keys are genuine, which should probably be easier.

I guess ideally the UID would contain a weblink to a page that has the fingerprint and describes the service shortly.

Regards,
Viktor

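The "hard to create, easy to check" property described in this post, as an added hashcash-style example that is not part of the original post and not an OpenPGP feature: minting a stamp over a fingerprint and UID takes about 2**bits hashes, checking it takes one. The fingerprints, UID and difficulty are constructed, and the step that would tie the stamp to the private key (signing it) is left out; the demo also shows that a stamp for a fake key on the same address costs the same and checks out just as well.

```python
import hashlib

# Constructed values: two different keys claiming the same address.
UID = "Example User <user@example.org>"
GENUINE_FPR = "AA" * 20
FAKE_FPR = "BB" * 20
BITS = 16  # demo difficulty: about 2**16 hashes per stamp on average


def stamp_digest(fingerprint, uid, nonce):
    """Hash that binds a nonce to one key fingerprint and one user ID."""
    return hashlib.sha256(f"{fingerprint}|{uid}|{nonce}".encode()).digest()


def leading_zero_bits(digest):
    """Number of zero bits before the first set bit of the digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def mint(fingerprint, uid, bits):
    """Expensive side: try nonces until the digest has `bits` leading zero bits."""
    nonce = 0
    while leading_zero_bits(stamp_digest(fingerprint, uid, nonce)) < bits:
        nonce += 1
    return nonce, nonce + 1  # (stamp, number of hashes spent)


def verify(fingerprint, uid, nonce, bits):
    """Cheap side: a single hash, whatever the difficulty."""
    return leading_zero_bits(stamp_digest(fingerprint, uid, nonce)) >= bits


def demo(bits=BITS):
    """Mint stamps for both keys and check them."""
    genuine_nonce, genuine_cost = mint(GENUINE_FPR, UID, bits)
    fake_nonce, fake_cost = mint(FAKE_FPR, UID, bits)
    return {
        "genuine_valid": verify(GENUINE_FPR, UID, genuine_nonce, bits),
        # The fake key's own stamp is just as valid: the work says nothing
        # about who controls the mailbox, it only makes each key cost CPU time.
        "fake_valid": verify(FAKE_FPR, UID, fake_nonce, bits),
        # Copying a stamp to another key only works by chance (2**-bits).
        "stamp_reused_on_fake": verify(FAKE_FPR, UID, genuine_nonce, bits),
        "hashes_spent": (genuine_cost, fake_cost),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
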
Re: Merging private subkeys into other key
OK, it seems that the actual problem was that --export-secret-subkeys does not work if I leave the passphrase empty. Since my hard disks are encrypted, I usually do not have passphrases for my secret keys and since GnuPG 2.0 this created some problems. When I exported them with a passphrase and imported them, giving that passphrase, they are correctly merged into the existing key. Afterwards the passphrase can be deleted again.

I now also understand why gnupg is always asking multiple times for a (new) passphrase when exporting or changing the passphrase - it seems to have a different passphrase for each subkey. Of course this is not very helpful if the dialog does not specify which key is about to be changed. I guess I should file a bug report for this, if I create a new subkey every year it will take quite a while to export the complete key if I have to type a passphrase for each of them in a few years...

Thanks,
Viktor

Re: Merging private subkeys into other key
On 04.07.2015 14:03, Juan Miguel Navarro Martínez wrote:
> I could do it myself by importing the keys in GPG 2.1, then exporting
> them.

Hi,

thanks for the quick reply, but I am using GPG 2.1.5 and 'gpg --import sec.key' does not seem to work if there are already other subkeys of the same key present. I guess the patch mentioned in the link in my earlier post has never been accepted into the source code.

In principle I also found this problematic on earlier occasions, namely even if the key on my backup partition was up-to-date and I added a new subkey there, it was somehow non-intuitive to get the keyrings on my PC and laptop up-to-date. It seems it is necessary to delete the complete key from them first and then re-import them. Or is there a better way?

Merging private subkeys into other key
Hi,

there has already been a discussion on this two years ago, see
https://lists.gnupg.org/pipermail/gnupg-users/2013-September/047567.html

I have been following the instructions on https://wiki.debian.org/Subkeys for some time now, with my master key only residing on my backup disk and several machines having only the subkeys. But now I somehow have the problem that only an older version of the master key is still there, so I have one keyring with the master secret key but without the most recent subkeys and another with the most recent subkeys but without the master key. Does anyone have an idea how to merge them? Using --import results in

###
gpg: Total number processed: 2
gpg: unchanged: 1
gpg: secret keys read: 2
###

I also tried

###
$ gpg --homedir /mnt/backup/.gnupg --expert --edit-key
gpg> addkey
Please select what kind of key you want:
(13) Existing key
Your selection? 13
Enter the keygrip:
No key with this keygrip
###

I am not sure what the keygrip is, but I guess it is only valid within the same keyring or something?

Any help is greatly appreciated. In a month or so I need to create new subkeys and I would rather not lose my current subkeys.

Regards,
Viktor