Re: gpg --list-packets asks for passphrase
On Wed, 21 Sep 2022 07:06, Fourhundred Thecat said:

> Why am I prompted for passphrase?

So that --list-packets can show you the encrypted content with all the interesting packets. Hit cancel and you are done.

Please note that the output of --list-packets is strictly for debugging purposes and may change without notice.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein

signature.asc
Description: PGP signature

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: mutt locking
On Tue, 20 Sep 2022 16:56, Louis Holbrook said:

> I am using /usr/bin/pinentry-tty for password input, which in the
> interactive mode lets me paste a password from the terminal.

Please use pinentry-curses or, if you run in an xterm, better one of the GUI pinentries. The pinentry-tty is a very dumb one which is unlikely to work correctly with another curses or slang application like Mutt.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
Re: Seeking Assurance on Security and Memory Leaks in SuSE GnuPG
On Sat, 27 Aug 2022 16:17, Tony Lee said:

> Count    User Time (s)
> 1024     0.237

For backward compatibility reasons with 1.4 the default count value is used in this case. The default value is computed by gpg-agent and depends on your machine (cf. gpg-agent's --s2k-calibration option). See the first condition in the function below. (S2K_DECODE_COUNT is the RFC-4880 formula for unpacking the count octet; its definition is included here so the function is self-contained.)

  /* Unpack an RFC-4880 count octet into the iteration count. */
  #define S2K_DECODE_COUNT(_val) ((16ul + ((_val) & 15)) << (((_val) >> 4) + 6))

  /* Pack an s2k iteration count into the form specified in RFC-4880.
   * If we're in between valid values, round up. */
  unsigned char
  encode_s2k_iterations (int iterations)
  {
    unsigned char c=0;
    unsigned char result;
    unsigned int count;

    if (iterations <= 1024)
      return 0;  /* Command line arg compatibility. */

    if (iterations >= 65011712)
      return 255;

    /* Need count to be in the range 16-31 */
    for (count=iterations>>6; count>=32; count>>=1)
      c++;

    result = (c<<4)|(count-16);

    /* Rounded down below the requested value?  Take the next octet. */
    if (S2K_DECODE_COUNT(result) < iterations)
      result++;

    return result;
  }

This mapped value is required by RFC-4880. When passing an RFC-4880 encoded value to our KDF function, we decode it first.

> We see the cleartext length is not greatly significant, especially at
> higher count values, but the User Time is nowhere near linear with
> count --- which one would expect. For a count of 65,011,712 rounds,
> the Time is around 0.33 seconds. On the same machine, 23,400,000
> AES-KDF rounds were completed in 1.0~s (with a linear relationship),

You can't compare some AES-KDF to the SHA1 based KDF of OpenPGP. The increase in speed you see is due to caching effects on modern CPUs and the highly optimized SHA1 code in Libgcrypt. Something a cracker would have also.

The default of GnuPG is to let the system take about 100ms for the S2K to make brute forcing the password of the private key harder.

Using any non-full entropy password for symmetric encryption is a Bad Idea. With a full entropy password the S2K iterations don't matter at all. So either use a full-entropy password or use public key encryption.

If an attacker got access to your private key (encrypted or non-encrypted) you are anyway in tilt mode.

> If a Yubikey is used to store the User passphrase for gpg, is it

A Yubikey or any other smartcard does not store the password but stores the private key and only allows operations with that private key after having unlocked the token. For this you use a PIN where the hardware of the token allows only 3 to 10 false tries - thus a small number is sufficient to avoid brute forcing.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
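The S2K count handling discussed above, as an added example that is not code from the mail or from GnuPG: a Python port of the RFC 4880 count-octet packing and unpacking (so the round-up and the "<= 1024 gives octet 0" case can be checked), the iterated+salted S2K itself (to show that the count is the number of octets hashed, quantised by the octet encoding), and a simplified timing-based calibration in the spirit of gpg-agent's --s2k-calibration, which is an assumption about the approach, not gpg-agent's actual algorithm.

```python
import hashlib
import time


def s2k_decode_count(octet: int) -> int:
    """RFC 4880 3.7.1.3: unpack a count octet, (16 + (c & 15)) << ((c >> 4) + 6)."""
    return (16 + (octet & 15)) << ((octet >> 4) + 6)


def s2k_encode_count(iterations: int) -> int:
    """Port of encode_s2k_iterations(): pack a count, rounding up in between."""
    if iterations <= 1024:
        return 0                      # command line arg compatibility
    if iterations >= 65011712:
        return 255                    # largest representable count
    count, exp = iterations >> 6, 0
    while count >= 32:                # mantissa must end up in 16..31
        count >>= 1
        exp += 1
    result = (exp << 4) | (count - 16)
    if s2k_decode_count(result) < iterations:
        result += 1                   # round up to the next valid value
    return result


def effective_iterations(requested: int) -> int:
    """What the KDF really runs after encode/decode: quantised, never below 1024."""
    return s2k_decode_count(s2k_encode_count(requested))


def s2k_iterated_salted(passphrase: bytes, salt: bytes, octet: int,
                        key_len: int, hash_name: str = "sha1") -> bytes:
    """RFC 4880 3.7.1.3 iterated and salted S2K.

    The decoded count is the number of octets of (salt || passphrase) fed to
    the hash, the block being repeated cyclically; if the count is smaller
    than one copy of the block, one full copy is hashed anyway.  When key_len
    exceeds the digest size, further hash contexts are preloaded with 1, 2, ..
    zero octets (3.7.1.1) and their digests concatenated.
    """
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is exactly 8 octets")
    block = salt + passphrase
    total = max(s2k_decode_count(octet), len(block))
    out = b""
    ctx_index = 0
    while len(out) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * ctx_index)
        full, rem = divmod(total, len(block))
        while full > 0:               # feed whole copies in bounded chunks
            n = min(full, 4096)
            h.update(block * n)
            full -= n
        h.update(block[:rem])         # trailing partial copy
        out += h.digest()
        ctx_index += 1
    return out[:key_len]


def calibrate_count_octet(target_seconds: float = 0.1,
                          passphrase: bytes = b"calibration") -> int:
    """Pick the count octet that makes the S2K take about target_seconds here.

    Simplified stand-in for gpg-agent's --s2k-calibration (assumed approach,
    not gpg-agent's code): time one run of a known count, scale linearly to
    the target, then pack the result, which rounds up.
    """
    salt = bytes(8)                   # constructed: all-zero salt is fine for timing
    probe = 96                        # octet 96 decodes to 65536 octets hashed
    t0 = time.perf_counter()
    s2k_iterated_salted(passphrase, salt, probe, 20)
    elapsed = max(time.perf_counter() - t0, 1e-6)
    wanted = int(s2k_decode_count(probe) * target_seconds / elapsed)
    return s2k_encode_count(wanted)


if __name__ == "__main__":
    for req in (1024, 1025, 100000, 65011712):
        print(req, "-> octet", s2k_encode_count(req), "->", effective_iterations(req))
```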
Re: Question about redundant smartcard setup
On Fri, 19 Aug 2022 14:48, kho said:

> 4. Another approach is that I could for example have created just 3
> subkeys (not 6) and copied all 3 to smartcard1 and again to smartcard2.
> I thought that having those subkeys separately is ideal, specially in an
> occasion where smartcard2 is stolen. Then I revoke the smartcard2 subkeys

No need to. Save a paper copy of the keys before you remove them from the disk. If both cards are broken you can still type the keys in and create a new smartcard.

Exact procedures depend on your threat model.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
Re: OpenPGP smartcard and P-256 in non expert mode
On Thu, 11 Aug 2022 17:25, Sosthène Guédon | Nitrokey said:

> That makes sense to me. However why offer curves not supported by the
> hardware?

Because we can't know what curves a certain smartcard supports. The announcement of the card capabilities is a relatively new and optional OpenPGP card feature and GnuPG shall still work with older cards.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
Re: OpenPGP smartcard and P-256 in non expert mode
On Thu, 11 Aug 2022 14:58, Sosthène Guédon | Nitrokey said:

> I'm using gpg 2.2.36 and an OpenPGP smart card implementation we are
> currently developing.

You should better use the stable branch (2.3) instead of the LTS.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
Re: OpenPGP smartcard and P-256 in non expert mode
Hi!

Please share your GnuPG version and the type of smartcard you are using with us. A 9 year old commit is not very helpful.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
Re: Windows x64 binaries, unusable with Thunderbird
On Sun, 7 Aug 2022 12:46, andrew--- said:

> It looks like GPG4Win as well as "simple" installer are 32bit-only,
> which is somewhat unexpected in 2022. Is there a reason for this?

Windows 64-bit-only installations are pretty rare and thus the 32-bit GnuPG suite is not a problem.

> Such builds are unusable with the x64 Thunderbird [1], no matter if user

Thunderbird does not use GnuPG and the former Enigmail used CreateProcess to start gpg et al. No problem at all. You may very well build libgpgme as 64-bit DLL or static library (we do this for our Outlook and Explorer plugins). The native messaging with gpgme-json does not care about 64 or 32 bit because CreateProcess is used by Thunderbird.

The background why we have no 64 bit version of GnuPG is due to problems with HANDLEs, sockets, file descriptors and such. GnuPG uses some tricks to handle this all. Instead of migrating these tricks and assumptions over to a 64 bit world, we are slowly moving towards internal data structures which allow us to avoid all tricks (i.e. our own data object (estream_t) conveying meta information, such as whether we have a socket or a libc file descriptor).

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
Re: gpg-agent
On Thu, 4 Aug 2022 21:27, folkert said:

> How can I, programmatically, prevent gpg-agent to cache a passphrase?
> Or clear its cache?

Put

  max-cache-ttl 0

into gpg-agent.conf. To flush the cache run

  gpgconf --reload gpg-agent

> err = gpgme_set_ctx_flag(ctx, "no-symkey-cache", "1");
>
> but then when I run my program for the second time, it uses a cached
> item.

If this has been set, the cache should not be used. Note, this is only for this special symmetric password caching (which uses the salt of the S2K).

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
GnuPG 2.2.36 released
Hi!

This is a quick announcement that a new GnuPG release for 2.2 is available. We will also prepare a 2.3 release in the next days but due to summer holidays things are a bit delayed.

See also https://dev.gnupg.org/T5949

Shalom-Salam,

   Werner

Noteworthy changes in version 2.2.36 (2022-07-06)
-------------------------------------------------

  * g10: Fix possibly garbled status messages in NOTATION_DATA. This bug could trick GPGME and other parsers to accept faked status lines. [T6027, CVE-2022-34903]

  * gpg: Handle leading zeroes in Ed25519 private keys and reverse change regarding Ed25519 SOS encoding as introduced with 2.2.34. [T5120]

  * gpg: Allow Unicode file names for iobuf_cancel under Windows.

  * gpgsm: Improve pkcs#12 import. [T6037,T5793,T4921,T4757]

  * scd,p15: Fix reading certificates w/o length info.

  * scd,p15: Improve the displayed S/N for Technology Nexus cards.

  * scd,openpgp: Add workaround for ECC attribute on Yubikey. [T5963]

  * scd: Fix use of SCardListReaders for PC/SC. [T5979]

  * gpgconf: New short options -X and -V.

  * Make sure to always set CONFIDENTIAL flag in Assuan. [T5977]

Release-info: https://dev.gnupg.org/T5949

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
Re: gpa.exe hungs when click on "smartcards" AND scdaemon cannot recognise SC-HSM
On Fri, 24 Jun 2022 20:47, Minas Argyrou said:

>> scdaemon[x]: detected reader 'ACS ACR38U 0'
>> scdaemon[x]:

Never got them to run properly. Just stay away from this reader type.

> I was never able to get the SC-HSM to work with GnuPG, even though it is
> supposedly supported. This is the current time I am trying to figure it out.

I have samples here but unfortunately did not come around to test them. However, there are updates to the pkcs#15 handling in the latest GnuPG releases. You may want to check that you are using 2.2.35 or 2.3.6.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
Re: Supervised gpg-agent on FreeBSD
On Fri, 17 Jun 2022 12:23, artur.brzozowski said:

> I've been trying to get gpg-agent running under supervision using
> FreeBSD's native daemon(8) [1]

Please don't do that. The --supervised option has been deprecated recently because it conflicts with GnuPG's internal management of daemon processes.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
Re: Cannot import private key into gpgsm
On Tue, 14 Jun 2022 08:38, Torsten Bronger said:

> Hi there!
>
> Werner Koch writes:
>
>> please let us know your GnuPG versions and your OS.
>
> gpgsm (GnuPG) 2.2.27

Please update to 2.2.35, which includes:

  * gpgsm: Fix parsing of certain PKCS#12 files. [T5793]

See https://dev.gnupg.org/T5793 . It is likely that your parsing problem is also solved with this update.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
Re: Cannot import private key into gpgsm
Hi!

Please let us know your GnuPG versions and your OS.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
Re: gpg auto-locate-key selects expired/revoked key
On Thu, 9 Jun 2022 08:11, Jan Eden said:

> Now I corrected the mistake, and all is well.

I don't think this is your mistake. We need to do something about it. Tracked at https://dev.gnupg.org/T6023

BTW, to ignore local keys and update from WKD (or whatever has been configured) you can use --locate-external-key which is available since 2.2.17.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
Re: configure script ELF visibility
On Fri, 3 Jun 2022 18:05, Frank said:

> And I am currently eyeing at the 'ELF visibility' check in the
> configure script.

That is pretty old code from 2007. I do not remember any details; it is possible that this is based on Uli Drepper's original paper. It was originally implemented for Libgcrypt - but the code is the same.

> I cannot find confdefs.h or conftest.* to see what a manual compile
> would result in.

If the conftest runs into an error, it is dumped to the config.log. If I want to debug such things, I usually make the configure script stop right after the test.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
Re: Backing up your PGP key by hand
On Mon, 30 May 2022 19:52, Matt Borja said:

> - Related to this approach: Is the passphrase on a private key not
> sufficient encryption strength to store the private key in a secure
> cloud vault for archival purposes; or could it not be paired with a

The currently used protection of private keys as specified by OpenPGP allows attacking the key iff the attacker has a way to modify the protected key on the transport. This is not the old Klima/Rosa attack but a new attack which takes advantage of the fact that the public key parts are not bound to the encrypted private parts of the key. Thus the suggestion is to not rely on the OpenPGP private key protection but to convey those private keys with an additional OpenPGP encryption layer.

Note that the internal format used by GnuPG to store the private keys is not affected by this attack. This is because the public key parts in the files below private-keys-v1.d are included in the authenticated encryption of the private parts as additional data (openpgp-s2k3-sha1-aes-cbc and openpgp-s2k3-ocb-aes schemes).

Always take care when conveying private keys.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
Re: Error importing fetching key from wkd
On Sun, 29 May 2022 13:07, Johan Wevers said:

> Why do they do that? BTW, when I search for brainpool I only find
> definitions and RFC's, I seem unable to find why they are needed (or why
> they would be preferred) over other curves.

That is mostly a political issue: In Europe the use of NIST curves is not allowed due to security concerns. In the US the Brainpool curves are not yet part of the FIPS standard and thus may not be used by the government. However, Curve25519 is also not allowed by FIPS but still included in RedHat's Libgcrypt build.

I am not aware of any patent issues with standard Weierstrass curves like NIST-P and Brainpool-P curves. All relevant patents expired a few years ago.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
Re: Error importing fetching key from wkd
On Wed, 25 May 2022 22:58, Dirk Gottschalk said:

> $ gpg --with-colons --list-config curve
> cfg:curve:cv25519;ed25519;cv448;ed448;nistp256;nistp384;nistp521;secp256k1

This should read

  cfg:curve:cv25519;ed25519;cv448;ed448;nistp256;nistp384;nistp521;brainpoolP256r1;brainpoolP384r1;brainpoolP512r1;secp256k1

Note the Brainpool curves. Seems that Redhat still patches them out of libgcrypt.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
[Announce] GnuPG 2.3.6 released
Documentation and Support
=========================

The file gnupg.info has the complete reference manual of the system. Separate man pages are included as well but they miss some of the details available only in the manual. The manual is also available online at

  https://gnupg.org/documentation/manuals/gnupg/

or can be downloaded as PDF at

  https://gnupg.org/documentation/manuals/gnupg.pdf

You may also want to search the GnuPG mailing list archives or ask on the gnupg-users mailing list for advice on how to solve problems. Most of the new features are around for several years and thus enough public experience is available.

https://wiki.gnupg.org has user contributed information around GnuPG and related software.

In case of build problems specific to this release please first check https://dev.gnupg.org/T5937 for updated information.

Please consult the archive of the gnupg-users mailing list before reporting a bug: https://gnupg.org/documentation/mailing-lists.html. We suggest sending bug reports for a new release to this list in favor of filing a bug at https://bugs.gnupg.org. If you need commercial support go to https://gnupg.com or https://gnupg.org/service.html.

If you are a developer and you need a certain feature for your project, please do not hesitate to bring it to the gnupg-devel mailing list for discussion.

Thanks
======

Since 2001 maintenance and development of GnuPG is done by g10 Code GmbH and has mostly been financed by donations. Three full-time employed developers as well as two contractors exclusively work on GnuPG and closely related software like Libgcrypt, GPGME and Gpg4win.

Fortunately, and this is still not common with free software, we have now established a way of financing the development while keeping all our software free and freely available for everyone. Our model is similar to the way RedHat manages RHEL and Fedora: Except for the actual binary of the MSI installer for Windows and client specific configuration files, all the software is available under the GNU GPL and other Open Source licenses. Thus customers may even build and distribute their own version of the software as long as they do not use our trademark GnuPG VS-Desktop®.

We like to thank all the nice people who are helping the GnuPG project, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, answering questions on the mailing lists, or helping with donations.

*Thank you all*

  Your GnuPG hackers

p.s.
This is an announcement only mailing list. Please send replies only to the gnupg-users at gnupg.org mailing list.

List of Release Signing Keys:

To guarantee that a downloaded GnuPG version has not been tampered with by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. Current releases are signed by one or more of these four keys:

  rsa3072 2017-03-17 [expires: 2027-03-15]
  5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

  ed25519 2020-08-24 [expires: 2030-06-30]
  6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA
  Werner Koch (dist signing 2020)

  ed25519 2021-05-19 [expires: 2027-04-04]
  AC8E 115B F73E 2D8D 47FA 9908 E98E 9B2D 19C6 C8BD
  Niibe Yutaka (GnuPG Release Key)

  brainpoolP256r1 2021-10-15 [expires: 2029-12-31]
  02F3 8DFF 731F F97C B039 A1DA 549E 695E 905B A208
  GnuPG.com (Release Signing Key 2021)

The keys are available at https://gnupg.org/signature_key.html and in any recently released GnuPG tarball in the file g10/distsigkey.gpg . Note that this mail has been signed by a different key.

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein

signature.asc
Description: PGP signature

___
Gnupg-announce mailing list
gnupg-annou...@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce
Re: Digital Signature Verification
On Tue, 19 Apr 2022 15:52, Vishal Rana said:

> Digital signature verification is failing. Getting "*Bad signature*" error.
> How to debug this??

  gpg --debug hashing --verify ..

creates files with the actual hashed data - compare them to those created by the signing process.

> But observation is generated signature, "image.sig" files on both scenarios
> are different. means hexdump for image.sig in both scenario is different.

Sure they are. Please read up on digital signature algorithms. See also this status code we emit:

  *** SIG_ID

  This is emitted only for signatures of class 0 or 1 which have been verified okay. The string is a signature id and may be used in applications to detect replay attacks of signed messages. Note that only DLP algorithms give unique ids - others may yield duplicated ones when they have been created in the same second.

  Note, that SIG-TIMESTAMP may either be a number of seconds since Epoch or an ISO 8601 string which can be detected by the presence of the letter 'T'.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
[Announce] GnuPG 2.3.5 released
Re: Digital Signature Verification
On Fri, 8 Apr 2022 14:07, Vishal Rana said:

> But my received signed image is some unreadable "--detach-sign" file.
> How I am able to make a received signed image to gcry_sexp_t? *please
> suggest*

See gnupg/g10/parse-packet.c and gnupg/g10/pkglue.c and please do yourself a favor and start with a simpler project than implementing OpenPGP.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
Re: Digital Signature Verification
On Thu, 7 Apr 2022 15:26, Vishal Rana said:

> Please suggest to me how to proceed.

Most GnuPG tools feature a debug option

  --debug mpi --debug crypto

which shows you lots of debug info. For example the raw RSA parameters. Use "--debug help" to see all debug classes. But always remember that these are debug options and the output is not a stable API in any way.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
Re: using OpenPGP card to unlock a LUKS device on boot
On Tue, 5 Apr 2022 16:57, Matthias Apitz said:

> an OpenPGP card could be used to unlock a ciphered LUKS partition during
> boot of the L5 mobile device, see this posting at the end:

No idea, I don't use LUKS but g13 ;-)

> Werner, what about your L5?

It is gathering dust in one of my drawers - frankly no time to play with it. A colleague of mine used it for some time in the home office but then switched back to an old Fairphone.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
[Announce] Libgcrypt 1.10.1 released
that these additional notices are distributed.

Support
=======

For help on developing with Libgcrypt you should read the included manual and if needed ask on the gcrypt-devel mailing list.

In case of problems specific to this release please first check https://dev.gnupg.org/T5810 for updated information.

Please also consult the archive of the gcrypt-devel mailing list before reporting a bug: https://gnupg.org/documentation/mailing-lists.html . We suggest sending bug reports for a new release to this list in favor of filing a bug at https://bugs.gnupg.org. If you need commercial support go to https://gnupg.com or https://gnupg.org/service.html .

If you are a developer and you need a certain feature for your project, please do not hesitate to bring it to the gcrypt-devel mailing list for discussion.

  Your Libgcrypt hackers
Re: (my) E-mail address not found by 'https://keys.openpgp.org'
Hi!

Just for the record

> Oh, I didn't know, I was advised yesterday on another irc channel
> (#debian-facile) to change my key server:
>
> "They were ('keys.gnupg.net' and others) all flooded with fake keys
> mid-2019

You can't talk about fake keys on a keyserver. That is not the task of a keyserver. A keyserver is just a place to store arbitrary keys. The user needs to make sure whether the key is authentic.

The actual DoS problem was that the keyservers also carry key signatures. This led to some very large keys (due to arbitrarily added key signatures) which took very long for gpg to check. This has meanwhile been fixed by gpg by not importing 3rd party key-signatures anymore.

There is actually no way in a system, which on purpose is distributed and non-controlled - to inhibit the storage of keys. The keyserver protocol unfortunately has had no specification on how to inhibit the addition of arbitrary key signatures for example by allowing uploads of new key-signatures only by data signed by the actual key.

keys.openpgp.net OTOH does away with the concept of a decentralized system and tries again (like PGP.com and keyserver.org 20 years ago) to establish a single source for keys. That is not what PGP and thus GnuPG were invented for. Federation is okay for keyservers, but a central authority is not desirable.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: AW: AW: Cancel operation does not return error code
On Wed, 16 Mar 2022 16:22, Schultschik, Sven said:

> There must be a possibility to properly kill the pinentry

gpg-agent closes the pinentry or kills it on timeout. You need to properly restore your tty in case the used curses version does not act correctly or the pinentry died.

Salam-Shalom,

   Werner
Re: Change Passphrase in Batch Mode
On Wed, 16 Mar 2022 09:26, Daniel Kilimnik said:

> mode. With --pinentry-mode loopback --passphrase-fd 0 activated. It asks
> for my current passphrase, but then exits with a success.

--passphrase-fd works only if one password is requested but not if two passwords are requested (the old one and the new one). You need to use the --command-fd thingy and write a state machine for this. Here is a manual example:

--8<---cut here---start->8---
$ gpg --pinentry-mode loopback --status-fd 2 -v --batch --command-fd 0 --passwd FE894309B6844A3004FE8BF9476CAB1C3623CAA6
[GNUPG:] KEY_CONSIDERED FE894309B6844A3004FE8BF9476CAB1C3623CAA6 0
[GNUPG:] INQUIRE_MAXLEN 100
[GNUPG:] GET_HIDDEN passphrase.enter
abc
[GNUPG:] GOT_IT
[GNUPG:] INQUIRE_MAXLEN 100
[GNUPG:] GET_HIDDEN passphrase.enter
def
[GNUPG:] GOT_IT
[GNUPG:] SUCCESS keyedit.passwd
--8<---cut here---end--->8---

Salam-Shalom,

   Werner
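The state machine described in the reply above, as an added Python example that is not GnuPG's own code: it answers the two GET_HIDDEN passphrase.enter prompts read from the status fd and can replay the transcript from the mail offline. The helper names (PasswdDriver, replay, change_passphrase) are mine, and the BAD_PASSPHRASE line in the second test is a constructed sample.

```python
"""Drive 'gpg --passwd' non-interactively via --status-fd / --command-fd.

Added example, not GnuPG project code. The two GET_HIDDEN passphrase.enter
prompts arrive on the status fd; the first asks for the current passphrase,
the second for the new one (as in the transcript in the mail above).
"""
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class PasswdDriver:
    """Hypothetical helper: state machine answering the prompts of --passwd."""
    old_passphrase: str
    new_passphrase: str
    answered: int = 0                  # passphrase prompts answered so far
    succeeded: bool = False
    errors: List[str] = field(default_factory=list)

    def feed(self, line: str) -> Optional[str]:
        """Consume one line from the status fd; return the text to write to
        the command fd, or None when nothing has to be sent."""
        line = line.rstrip("\r\n")
        if not line.startswith(STATUS_PREFIX):
            return None                # verbose chatter on the same fd, ignore
        words = line[len(STATUS_PREFIX):].split()
        if not words:
            return None
        keyword, args = words[0], words[1:]
        if keyword == "GET_HIDDEN" and args[:1] == ["passphrase.enter"]:
            if self.answered == 0:
                reply = self.old_passphrase
            elif self.answered == 1:
                reply = self.new_passphrase
            else:                      # a third prompt is outside the expected flow
                self.errors.append("unexpected passphrase prompt: " + line)
                return None
            self.answered += 1
            return reply + "\n"
        if keyword == "SUCCESS" and args[:1] == ["keyedit.passwd"]:
            self.succeeded = True
        elif keyword in ("BAD_PASSPHRASE", "MISSING_PASSPHRASE", "FAILURE", "ERROR"):
            self.errors.append(line)
        return None


def replay(driver: PasswdDriver, status_lines: List[str]) -> List[str]:
    """Feed captured status lines through the driver and return the replies
    it would have written to the command fd (for offline testing)."""
    replies = []
    for line in status_lines:
        reply = driver.feed(line)
        if reply is not None:
            replies.append(reply)
    return replies


def change_passphrase(fingerprint: str, old: str, new: str, gpg: str = "gpg") -> bool:
    """Run gpg --passwd for FINGERPRINT, answering prompts from the driver.
    Returns True only on 'SUCCESS keyedit.passwd' with exit status 0."""
    cmd = [gpg, "--batch", "--pinentry-mode", "loopback",
           "--status-fd", "2", "--command-fd", "0", "--passwd", fingerprint]
    proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stderr=subprocess.PIPE,
                            text=True)
    driver = PasswdDriver(old, new)
    for line in proc.stderr:           # gpg flushes each status line
        reply = driver.feed(line)
        if reply is not None:
            proc.stdin.write(reply)
            proc.stdin.flush()
    proc.stdin.close()
    proc.wait()
    return driver.succeeded and proc.returncode == 0 and not driver.errors


# Constructed transcript: the status lines from the mail above.
SAMPLE_STATUS = [
    "[GNUPG:] KEY_CONSIDERED FE894309B6844A3004FE8BF9476CAB1C3623CAA6 0",
    "[GNUPG:] INQUIRE_MAXLEN 100",
    "[GNUPG:] GET_HIDDEN passphrase.enter",
    "[GNUPG:] GOT_IT",
    "[GNUPG:] INQUIRE_MAXLEN 100",
    "[GNUPG:] GET_HIDDEN passphrase.enter",
    "[GNUPG:] GOT_IT",
    "[GNUPG:] SUCCESS keyedit.passwd",
]

if __name__ == "__main__":
    d = PasswdDriver("abc", "def")
    print(replay(d, SAMPLE_STATUS), d.succeeded)
```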
Re: AW: Cancel operation does not return error code
> I'm using the Cancel methods on ctrl+c but the terminal is anyway messed up.
> Would it be worth a bug report?

No. The pinentry is a background process and there is no portable way to save and restore the screen. Thus your application may want to do something like this after a gpgme operation:

  if ((s = gpgme_get_ctx_flag (ctx, "redraw")) && *s)
    fputs ("Screen redraw suggested\n", stdout);

Salam-Shalom,

   Werner

p.s.
Please trim your quotes to make them easier for everyone to read.
Re: How to solve this garbled code?
On Fri, 18 Feb 2022 11:34, Gao Xiaohui said:

> Hi developers, thanks for your reply. But I tried the method you gave:
> use "chcp 65001", and still display abnormal characters. Is there any
> other solution to solve it? If it is a bug, please fix it. Grateful.

You need to install/configure a proper font for your terminal.

Salam-Shalom,

   Werner
Re: Who protects the private key
On Sat, 19 Feb 2022 15:52, Robert J. Hansen said:

> As part of an iterated key derivation function, SHA-1 is still believed safe.
> There's no reason to shy away from it, or AES128.

FWIW: SHA-1 is also used as part of the OpenPGP MDC construction. This is something like a MAC and there are no signs anywhere that this construction is broken. In fact, it was part of the first widely deployed AE algorithm (in 2001).

Shalom-Salam,

   Werner
Who protects the private key (was: Changing the encryption algorithm used for PGP/GPG private key)
On Fri, 18 Feb 2022 13:08, Daniel Colquitt said:

> Is the suggestion the gpg does not respect these flags when applying
> symmetric encryption to keys?

gpg does not encrypt private keys. This is done by gpg-agent. The method by which the keys are protected internally is out of scope for OpenPGP. See gnupg/agent/keyformat.txt for the specification of the internal format.

However, to allow gpg to export a private key in the OpenPGP specified format, gpg-agent applies the encryption. For this S2K mode 3 with AES128 and SHA1 is used. The iteration count is the standard count as figured out by gpg-agent - unless the gpg-agent option s2k-count is used. See these gpg-agent options:

  --s2k-calibration milliseconds
      Change the default calibration time to milliseconds. The given value is capped at 60 seconds; a value of 0 resets to the compiled-in default. This option is re-read on a SIGHUP (or gpgconf --reload gpg-agent) and the S2K count is then re-calibrated.

  --s2k-count n
      Specify the iteration count used to protect the passphrase. This option can be used to override the auto-calibration done by default. The auto-calibration computes a count which requires by default 100ms to mangle a given passphrase. See also --s2k-calibration.

To view the actually used iteration count and the milliseconds required for an S2K operation use:

  gpg-connect-agent 'GETINFO s2k_count' /bye
  gpg-connect-agent 'GETINFO s2k_time' /bye

To view the auto-calibrated count use:

  gpg-connect-agent 'GETINFO s2k_count_cal' /bye

Remember that the OpenPGP specified protection format has some minor flaws and it is suggested not to rely on this protection alone. Use the standard OpenPGP symmetric encryption layer on top.

Salam-Shalom,

   Werner
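The S2K mode 3 derivation the reply describes (iterated and salted, SHA1, 16 key octets for AES128), together with the one-octet coded count that an s2k-count value is mapped to, as an added Python example that is not gpg-agent's code. The function names are mine, calibrate_s2k() is a simplified stand-in for gpg-agent's auto-calibration, and naive_s2k() is an independent reference used only to cross-check the streaming implementation.

```python
"""OpenPGP S2K mode 3 (iterated + salted, RFC 4880 section 3.7.1.3) as used
by gpg-agent when exporting a private key: SHA1, 16 key octets for AES128.

Added example, not gpg-agent's code. The coded count octet follows the
RFC 4880 rule; calibrate_s2k() is a simplified stand-in for gpg-agent's
auto-calibration (time one run, scale linearly to the target time).
"""
import hashlib
import time


def decode_s2k_count(coded: int) -> int:
    """Expand the one-octet coded count into the number of octets to hash."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def encode_s2k_count(iterations: int) -> int:
    """Map a requested count (e.g. gpg-agent's s2k-count) to the coded octet,
    rounding up to the next representable value."""
    if iterations <= 1024:
        return 0                       # decodes to 1024, the minimum
    if iterations >= 65011712:
        return 255                     # the maximum representable count
    c = 0
    count = iterations >> 6
    while count >= 32:                 # need count in the range 16..31
        count >>= 1
        c += 1
    result = (c << 4) | (count - 16)
    if decode_s2k_count(result) < iterations:
        result += 1
    return result


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded: int,
                        key_len: int = 16, hash_name: str = "sha1") -> bytes:
    """Derive key_len octets: hash (salt || passphrase) repeated up to the
    decoded count of octets, truncating the last repetition. Longer keys use
    further contexts preloaded with 1, 2, ... zero octets (RFC 4880 3.7.1.1)."""
    if len(salt) != 8:
        raise ValueError("S2K salt must be 8 octets")
    block = salt + passphrase
    total = max(decode_s2k_count(coded), len(block))   # never less than one block
    chunk = block * max(1, 65536 // len(block))        # hash in ~64 KiB pieces
    out = b""
    context = 0
    while len(out) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * context)
        remaining = total
        while remaining > 0:
            piece = chunk[:remaining]  # a prefix of repeated blocks
            h.update(piece)
            remaining -= len(piece)
        out += h.digest()
        context += 1
    return out[:key_len]


def naive_s2k(passphrase: bytes, salt: bytes, coded: int,
              key_len: int = 16, hash_name: str = "sha1") -> bytes:
    """Reference implementation that materialises the whole hashed input."""
    block = salt + passphrase
    total = max(decode_s2k_count(coded), len(block))
    data = (block * (total // len(block) + 1))[:total]
    out = b""
    context = 0
    while len(out) < key_len:
        out += hashlib.new(hash_name, b"\x00" * context + data).digest()
        context += 1
    return out[:key_len]


def calibrate_s2k(target_ms: float = 100.0) -> int:
    """Return the coded count whose S2K takes about target_ms on this machine
    (simplified version of gpg-agent's default 100ms calibration)."""
    probe = 0xA0                        # 1048576 octets: cheap but measurable
    start = time.perf_counter()
    s2k_iterated_salted(b"calibration passphrase", b"\x00" * 8, probe)
    elapsed_ms = (time.perf_counter() - start) * 1000.0
    if elapsed_ms <= 0.0:
        return 255
    wanted = int(decode_s2k_count(probe) * target_ms / elapsed_ms)
    return encode_s2k_count(wanted)


if __name__ == "__main__":
    coded = calibrate_s2k()
    print("calibrated coded count 0x%02x = %d octets" % (coded, decode_s2k_count(coded)))
```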
Re: Questions re auto-key-locate
On Wed, 16 Feb 2022 18:03, raf said:

> But maybe it is dead. I don't really need it. My only interest was that

Yes, it is dead. Except for a minority of users, it is impossible to easily add new resource records. However, putting new files on a webserver is easy.

FWIW, you can build your keys for WKD distribution on your local machine and then rsync (or whatever you use to upload files) them to the webserver.

  gpg-wks-client -C . --install-key [FILE|FINGERPRINT USER-ID]

The command --install-key manually installs a key into a local directory (see option -C) reflecting the structure of a WKD. The arguments are a file with the keyblock and the user-id to install. If the first argument resembles a fingerprint the key is taken from the current keyring; to force the use of a file, prefix the first argument with "./". If no arguments are given the parameters are read from stdin; the expected format is lines with the fingerprint and the mailbox separated by a space. The command --remove-key removes a key from that directory; its only argument is a user-id.

Salam-Shalom,

   Werner
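How the WKD structure that --install-key reflects is derived from a mailbox, as an added Python example that is not gpg-wks-client's code: it computes the hashed local-part (SHA-1, Z-Base-32) and the lookup URLs of the advanced and direct methods from the WKD draft. The function names are mine; the test vector is the one given in the draft.

```python
"""WKD lookup name and URLs for a mailbox (draft-koch-openpgp-webkey-service).

Added example, not gpg-wks-client code. The local-part is lowercased and
SHA-1 hashed; the 160-bit digest is Z-Base-32 encoded, giving the 32-char
name of the key file below the hu/ directory.
"""
import hashlib
from typing import Dict

ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Zooko's z-base-32: 5-bit groups, most significant bits first,
    zero-padded at the end when the bit count is not a multiple of 5."""
    nbits = len(data) * 8
    nchars = (nbits + 4) // 5
    value = int.from_bytes(data, "big") << (nchars * 5 - nbits)
    return "".join(ZB32_ALPHABET[(value >> (5 * (nchars - 1 - i))) & 31]
                   for i in range(nchars))


def wkd_hash(local_part: str) -> str:
    """Hashed user-id: z-base-32(SHA-1(lowercased local-part)), 32 chars."""
    mapped = local_part.lower().encode("ascii")
    return zbase32_encode(hashlib.sha1(mapped).digest())


def wkd_paths(mailbox: str) -> Dict[str, str]:
    """Key and policy file paths below .well-known/openpgpkey/ for both
    methods; these are the relative paths a WKD directory has to contain."""
    local_part, domain = mailbox.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local_part)
    return {
        "advanced_key": f"{domain}/hu/{h}",
        "advanced_policy": f"{domain}/policy",
        "direct_key": f"hu/{h}",
        "direct_policy": "policy",
    }


def wkd_urls(mailbox: str) -> Dict[str, str]:
    """Lookup URLs of the advanced and direct methods. The ?l= query carries
    the original (unmapped) local-part; it is not percent-encoded here."""
    local_part, domain = mailbox.rsplit("@", 1)
    domain = domain.lower()
    paths = wkd_paths(mailbox)
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                    f"{paths['advanced_key']}?l={local_part}",
        "direct": f"https://{domain}/.well-known/openpgpkey/"
                  f"{paths['direct_key']}?l={local_part}",
    }


if __name__ == "__main__":
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(name, url)
```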
[Announce] GnuPG 2.2.34 (LTS) released
d the file gnupg-2.2.34.tar.bz2, you run the command like this:

  sha1sum gnupg-2.2.34.tar.bz2

and check that the output matches the next line:

  b931cc1aa287ad67b0efacb91e7b358bf4852278  gnupg-2.2.34.tar.bz2
  1ba27aaa476c75b4be0a7d8958de722ccebc52da  gnupg-w32-2.2.34_20220207.tar.xz
  a43d38390323022ea4af17336978855c9d553cee  gnupg-w32-2.2.34_20220207.exe

Internationalization

This version of GnuPG has support for 26 languages with Chinese (traditional and simplified), Czech, French, German, Italian, Japanese, Norwegian, Polish, Russian, and Ukrainian being almost completely translated.

Documentation and Support

The file gnupg.info has the complete reference manual of the system. Separate man pages are included as well but they miss some of the details available only in the manual. The manual is also available online at https://gnupg.org/documentation/manuals/gnupg/ or can be downloaded as PDF at https://gnupg.org/documentation/manuals/gnupg.pdf .

You may also want to search the GnuPG mailing list archives or ask on the gnupg-users mailing list for advice on how to solve problems. Most of the new features have been around for several years and thus enough public experience is available.

https://wiki.gnupg.org has user contributed information around GnuPG and related software.

In case of build problems specific to this release please first check https://dev.gnupg.org/T5703 for updated information.

Please consult the archive of the gnupg-users mailing list before reporting a bug: https://gnupg.org/documentation/mailing-lists.html. We suggest sending bug reports for a new release to this list in favor of filing a bug at https://bugs.gnupg.org. If you need commercial support go to https://gnupg.com or https://gnupg.org/service.html.

If you are a developer and you need a certain feature for your project, please do not hesitate to bring it to the gnupg-devel mailing list for discussion.

Thanks

Since 2001 maintenance and development of GnuPG is done by g10 Code GmbH and has mostly been financed by donations. Three full-time employed developers as well as two contractors exclusively work on GnuPG and closely related software like Libgcrypt, GPGME and Gpg4win.

Fortunately, and this is still not common with free software, we have now established a way of financing the development while keeping all our software free and freely available for everyone. Our model is similar to the way RedHat manages RHEL and Fedora: Except for the actual binary of the MSI installer for Windows and client specific configuration files, all the software is available under the GNU GPL and other Open Source licenses. Thus customers may even build and distribute their own version of the software as long as they do not use our trademark GnuPG VS-Desktop®.

We like to thank all the nice people who are helping the GnuPG project, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, answering questions on the mailing lists, or helping with donations.

*Thank you all*

   Your GnuPG hackers

p.s.
This is an announcement only mailing list. Please send replies only to the gnupg-users'at'gnupg.org mailing list.

List of Release Signing Keys:

To guarantee that a downloaded GnuPG version has not been tampered with by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. Current releases are signed by one or more of the keys available at https://gnupg.org/signature_key.html and in any recently released GnuPG tarball in the file g10/distsigkey.gpg . Note that this mail has been signed by a different key.
Re: Thunderbird's hints and history for OpenPGP/MIME (new wiki page)
On Mon, 31 Jan 2022 01:09, Ángel said:

> Nothing in the email you receive is actually required. You could have a
> Fully-Encrypted-Email-Messages, which on SMTP looked like:
>
> MAIL FROM:<...>
> RCPT TO:
> DATA
>
>
> .
> QUIT
>
>
> No plaintext at all. (Well, some Received: headers would be added, plus
> a Return-Path: ) You can even do that today.
>
> Your problem is that no client supports it.

Your problem is that the entire business world would immediately stop grinding. Mail is not just a toy for privacy geeks but the glue which connects all kinds of processes. If you don't need this just switch to your favorite chat protocol.

Shalom-Salam,

   Werner
Re: Backup of GPG private keys?
On Sun, 30 Jan 2022 04:25, Ángel said:

> Could you elaborate? I am surely missing something.

Unfortunately I can't tell you any details because the paper has not yet been published. The attack is not easy to mount but it is not entirely academic. It affects the standard for sending private keys and not any specific implementation. The OpenPGP DT has known about it for nearly a year but they are busy nitpicking on details of the 4880bis and spending way too much time handling and discussing editorial issues and non-chartered features.

Shalom-Salam,

   Werner
Re: YubiKey 5C NFC not detected
Hi!

On Sun, 30 Jan 2022 14:37, Felix E. Klee said:

> $ echo scd getinfo reader_list | gpg-connect-agent --decode
> OK

scdaemon does not see any reader. That might simply be due to another process which uses the reader (the yubikey tools). Using

  debug cardio
  verbose
  log-file /some/where/scd.log

in scdaemon.conf can give some insights. You should also try adding

  pcsc-shared

into scdaemon.conf - this allows the concurrent use of the reader by more than one process.

> gpg (GnuPG) 2.2.32

Note that there is a bug in the reader-port implementation of 2.2.33; you had better wait for 2.2.34 instead of updating to 2.2.33.

Shalom-Salam,

   Werner

p.s.
I did follow the entire thread, thus I may have repeated other advice.
Re: Backup of GPG private keys?
On Thu, 27 Jan 2022 08:25, Teemu Likonen said:

> outside your normal computers I suggest using the export format: "gpg
> --export-secret-keys".

Note that there is an attack on the private key export format. Thus my recommendation is not to rely on this unless you can make sure that the exported keys in the backup have not been modified. The problem here is that the public parts of the encrypted private parts are not authenticated, and by modifying the public parts and tricking the user into importing such a modified backup, information about the secret key can be revealed. GnuPG's internal format to store the private key is not affected by this problem because the public parameters are authenticated.

Salam-Shalom,

   Werner
Re: Help getting gtk or qt pinentry dialog forwarded over ssh connection
On Sun, 23 Jan 2022 21:12, Arjun said:

> I have GPG_TTY=$(tty) set in my .bashrc. However, when I ssh in
>
> ssh remote

By default ssh does not allow X forwarding. You need to use an extra option to ssh to allow X programs on the remote to work on your (local) X-server. A quick test is to run "xfd". If it runs and tells you "no font to display" you can run X programs (like pinentry-gtk) on the remote box.

If you do not fully trust the remote machine (and only then you should use X forwarding), you may still use gpg/gpgsm on the remote box: See https://wiki.gnupg.org/AgentForwarding

Salam-Shalom,

   Werner
Re: gpg --verify in batch mode / how to require a trust level?
On Tue, 18 Jan 2022 15:59, Bernd Graf said:

> How can I require `gpg --verify` to only accept keys from my keyring
> with a certain trust level and fail otherwise (rc!=0)

Use gpgv instead of gpg.

Salam-Shalom,

   Werner
Re: Side-channel attacks
On Tue, 18 Jan 2022 09:50, Johan Wevers said:

> Well, a bit more respect for backwards compatibility would help a lot by
> that. Now I'm forced to keep a 1.4 and pgp 2.6 version installed just

1.4 should be able to decrypt all 2.6 generated data.

Shalom-Salam,

   Werner
Re: Yubikeys and GnuPG 2.2/2.3
> Just to confirm, my scdaemon.conf file should look like this:
>
> debug-level ipc,app,cardio

Replace that by

  debug ipc,app,cardio

and remove the debug-level lines. (The debug-level thing is IMHO not very useful since we got those dedicated selectors. We should eventually remove the debug level thing and provide a GUI to select them.)

Shalom-Salam,

   Werner
Re: Gpg4win LetsEncrypt issue
On Thu, 6 Jan 2022 15:33, Anze Jensterle said:

> checked multiple times). Only deleting the old intermediates instead of the
> root helped. Do you also check all the intermediate paths?

Sure. My former answer was simply wrong. For details please see https://dev.gnupg.org/T5639 which was fixed with GnuPG 2.2.32 and 2.3.4.

Shalom-Salam,

   Werner
Re: Yubikeys and GnuPG 2.2/2.3
On Fri, 7 Jan 2022 16:23, Marko Božiković said:

> My scdaemon.conf has a single line:
>
> card-timeout 1

Please remove this at least for testing.

> log-file
> debug-level basic
> verbose

Please change the debug-level ... to

  debug ipc,app,cardio

Actually you should have seen a debug line "Yubikey: config=" due to the verbose option. The "cardio" above returns all commands (so-called APDUs) sent to the card. This should help to reveal the problem.

> 2022-01-07 15:53:58 scdaemon[9960] pcsc_connect failed: sharing violation
> (0x801b)

Some other process is accessing the Yubikey. But as you already know pcsc-shared is a good workaround here which usually works fine.

You may send me the log by PM if it is too large.

Salam-Shalom,

   Werner
Re: AW: GPG key generated on Windows...
On Sun, 9 Jan 2022 10:25, Robert Flosbach said:

> For future reference and people having the same issue: gpg2.3
> introduced a new packet type 20 which provides authenticated
> encryption with associated data (AEAD) [1]. A key generated with
> gpg2.3 supports this encryption type and encryption in Windows (using
> the current Gpg4win 4.0.0) defaults to AEAD for a key generated with

There are two ways to change this: the first is to change the preferences on your key (using 2.3's --edit-key) and the second is to put

--8<---cut here---start->8---
ignore-invalid-option personal-aead-preferences
personal-aead-preferences none
--8<---cut here---end--->8---

into gpg.conf . From the man page:

  --personal-aead-preferences string
      Set the list of personal AEAD preferences to string. Use gpg --version to get a list of available algorithms, and use none to set no preference at all. This allows the user to safely override the algorithm chosen by the recipient key preferences, as GPG will only select an algorithm that is usable by all recipients. The most highly ranked cipher in this list is also used for the --symmetric encryption command.

(the ignore-invalid-option line allows using the same gpg.conf also with gpg 2.2)

Shalom-Salam,

   Werner
Re: Gpg4win LetsEncrypt issue
On Thu, 6 Jan 2022 12:02, Anze Jensterle said:

> Any idea why? I suspect it has to do with old intermediates being
> crosssigned as well.

If you don't have the current LE root certificate the old certification path is tried.

Shalom-Salam,

   Werner
Re: Gpg4win LetsEncrypt issue
Hi!

Instead of working around the problem, I strongly suggest updating gpg4win to 4.0 or at least installing gnupg 2.2.33 on top of an older gpg4win. This fixes the problem without a need to tweak the root cert store.

Salam-Shalom,

   Werner
Re: [Announce] A New Future for GnuPG
Hi!

A small but important correction:

> Chiasmus: the proprietary GreenBone software from /cryptovision GmbH/

Of course I meant GreenShield and not Greenbone. The latter is a company which provides free software network security scanners. See https://www.greenbone.net/en/

Shalom-Salam,

   Werner
[Announce] A New Future for GnuPG
rs state of the art file and mail encryption. Our longer term plan is to equip all public agency workplaces with end-to-end encryption software - not only those with an immediate need for an approved VS-NfD solution. This should also fit well into the announced goal of the new German government to foster the development of Open Source.

Kudos to all supporters

For many years our work was mainly financed by donations and smaller projects. Now we have reached a point where we can benefit from a continuous revenue stream to maintain and extend the software without asking for donations or grants. This is quite a new experience to us and I am actually a bit proud to lead one of the few self-sustaining free software projects which did not have to sacrifice the goals of the movement.

Those of you with SEPA donations, please cancel them and redirect your funds to other projects which are more in need of financial support. The Paypal and Stripe based recurring donations have already been canceled by us.

All you supporters greatly helped us to keep GnuPG alive and to finally set up a sustainable development model.

*Thank you!*

Salam-Shalom,

   Werner

p.s.
This is an announcement only mailing list. Please send replies only to the gnupg-users at gnupg.org mailing list.

p.p.s
List of Release Signing Keys:

To guarantee that a downloaded GnuPG version has not been tampered with by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. Current releases are signed by one or more of the four keys available at https://gnupg.org/signature_key.html and in any recently released GnuPG tarball in the file g10/distsigkey.gpg . Note that this mail has been signed by a different key.

--
g10 Code GmbH -=- GnuPG.com -=- AmtsGer. Wuppertal HRB 14459
Bergstr. 3a, Geschäftsführung Werner Koch
D-40699 Erkrath, https://gnupg.com, USt-Id DE215605608
Re: Error in 2.3 regarding reader-port (infinite loop)
> I have attached logs of the wrong and correct behavior I observed
> (debug-level guru, debug-all).

Yes, this is an obvious bug. We have not yet seen it because on Unix we prefer to use the CCID driver using a different code path and further with 2.3 there is not much need to specify a port. Here is the bug:

  while (dl->idx < dl->idx_max)
    {
      const char *rdrname = pcsc.rdrname[dl->idx];

      if (DBG_READER)
        log_debug ("apdu_open_reader: %s\n", rdrname);

      /* Check the identity of reader against already opened one.  */
      for (slot = 0; slot < MAX_READER; slot++)
        if (reader_table[slot].used
            && !strcmp (reader_table[slot].rdrname, rdrname))
          break;

      if (slot == MAX_READER)
        {
          /* Found a new device.  */
          if (DBG_READER)
            log_debug ("apdu_open_reader: new device=%s\n", rdrname);

          /* When reader string is specified, check if it is the one.  */
          if (readerno < 0
              && strncmp (rdrname, dl->portstr, strlen (dl->portstr)) != 0)
            continue;

The /continue/ causes the loop because the loop index is not bumped.

Salam-Shalom,

   Werner
Re: Error in 2.3 regarding reader-port (infinite loop)
On Wed, 29 Dec 2021 14:55, Anze Jensterle said:

> I just updated my Windows PC to 2.3. I used the "reader-port" option in

Do you mean gnupg 2.3.4 for Windows or the gpg4win 4.0 ?

> I have attached logs of the wrong and correct behavior I observed
> (debug-level guru, debug-all).

Thanks. We will try to replicate this.

Shalom-Salam,

   Werner
Re: Gpg4win LetsEncrypt issue
On Wed, 29 Dec 2021 21:33, Andrew Gallagher said:

> OK, so you definitely need to solve the root certificate issue.

This has been fixed with gnupg 2.2.32 - please get an update. The workaround is to delete the old LE certificate from your Root CA store.

Salam-Shalom,

   Werner
Re: gpgsm "Encrypt failed" "Unusable public key: 53A51054BB68F7C3" root certificate missing?
On Sun, 26 Dec 2021 09:20, Uwe Brauer said:

> gpgsm (GnuPG) 2.1.11

Please get a decent version. The LTS branch is currently at 2.2.33. Your version is 5 years old!

Shalom-Salam,

   Werner
Re: Curve25519 key generation on GnuPG card or import key to the card failures
On Wed, 22 Dec 2021 14:47, Benoît said:

> I got 3x OpenPGP Smart Card v3.3 and I am unable to generate Curve25519
> on the card nor importing a cv/ev25519 to it.

Whether this is supported depends on the type of the card. The Gnuk and newer Yubikeys support curve25519 but the Zeitcontrol card does not yet. With the Zeitcontrol cards of version 3.3 you may use the NIST curves and with 3.4 also the Brainpool curves.

Shalom-Salam,

   Werner
[Announce] GnuPG 2.3.4 released
t of valid release signing keys or by checking that the key has been signed by trustworthy other keys. See the end of this mail for information on the signing keys. * If you are not able to use an existing version of GnuPG, you have to verify the SHA-1 checksum. On Unix systems the command to do this is either "sha1sum" or "shasum". Assuming you downloaded the file gnupg-2.3.4.tar.bz2, you run the command like this: sha1sum gnupg-2.3.4.tar.bz2 and check that the output matches the next line: 436823f57b8387ece6053d9a395374243d64feff gnupg-2.3.4.tar.bz2 c1443f71a2be02a4ab30027e2ec6336dd08fdc26 gnupg-w32-2.3.4_20211220.tar.xz 2af6d08717f5367f1e8c7306bd10f8a20ef9ebdc gnupg-w32-2.3.4_20211220.exe Internationalization This version of GnuPG has support for 26 languages with Chinese (traditional and simplified), Czech, French, German, Italian, Japanese, Norwegian, Polish, Russian, and Ukrainian being almost completely translated. Documentation and Support = The file gnupg.info has the complete reference manual of the system. Separate man pages are included as well but they miss some of the details available only in the manual. The manual is also available online at https://gnupg.org/documentation/manuals/gnupg/ or can be downloaded as PDF at https://gnupg.org/documentation/manuals/gnupg.pdf You may also want to search the GnuPG mailing list archives or ask on the gnupg-users mailing list for advise on how to solve problems. Most of the new features are around for several years and thus enough public experience is available. https://wiki.gnupg.org has user contributed information around GnuPG and relate software. In case of build problems specific to this release please first check https://dev.gnupg.org/T5654 for updated information. Please consult the archive of the gnupg-users mailing list before reporting a bug: https://gnupg.org/documentation/mailing-lists.html. 
We suggest to send bug reports for a new release to this list in favor of filing a bug at https://bugs.gnupg.org. If you need commercial support go to https://gnupg.com or https://gnupg.org/service.html. If you are a developer and you need a certain feature for your project, please do not hesitate to bring it to the gnupg-devel mailing list for discussion. Thanks == Since 2001 maintenance and development of GnuPG is done by g10 Code GmbH and has mostly been financed by donations. Three full-time employed developers as well as two contractors exclusively work on GnuPG and closely related software like Libgcrypt, GPGME and Gpg4win. Fortunately, and this is still not common with free software, we have now established a way of financing the development while keeping all our software free and freely available for everyone. Our model is similar to the way RedHat manages RHEL and Fedora: Except for the actual binary of the MSI installer for Windows and client specific configuration files, all the software is available under the GNU GPL and other Open Source licenses. Thus customers may even build and distribute their own version of the software as long as they do not use our trademark GnuPG VS-Desktop®. We like to thank all the nice people who are helping the GnuPG project, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, answering questions on the mailing lists, or helping with donations. *Thank you all* Your GnuPG hackers p.s Those of you with standing SEPA donations, please cancel them or consider to redirect your funds to other projects which are more in need of financial support. The donations done via Stripe or PayPal have already been canceled. p.s. This is an announcement only mailing list. Please send replies only to the gnupg-users at gnupg.org mailing list. 
p.p.s. List of Release Signing Keys:

To guarantee that a downloaded GnuPG version has not been tampered with by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. Current releases are signed by one or more of these four keys:

  rsa3072 2017-03-17 [expires: 2027-03-15]
  5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

  ed25519 2020-08-24 [expires: 2030-06-30]
  6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA
  Werner Koch (dist signing 2020)

  ed25519 2021-05-19 [expires: 2027-04-04]
  AC8E 115B F73E 2D8D 47FA 9908 E98E 9B2D 19C6 C8BD
  Niibe Yutaka (GnuPG Release Key)

  brainpoolP256r1 2021-10-15 [expires: 2029-12-31]
  02F3 8DFF 731F F97C B039 A1DA 549E 695E 905B A208
  GnuPG.com (Release Signing Key 2021)

The keys are available at https://gnupg.org/signature_key.html and in any recently released GnuPG tarball in the file g10/distsigkey.gpg. Note that this mail has been signed by a different key.

--
Please read Nils Melzer: Der Fall Julian Assa
[Announce] GnuPG 2.2.33 (LTS) released
end of this mail for information on the signing keys.

* If you are not able to use an existing version of GnuPG, you have to verify the SHA-1 checksum. On Unix systems the command to do this is either "sha1sum" or "shasum". Assuming you downloaded the file gnupg-2.2.33.tar.bz2, you run the command like this:

    sha1sum gnupg-2.2.33.tar.bz2

  and check that the output matches the next line:

    70053b799a79139e0e7889282805fc889dd22540  gnupg-2.2.33.tar.bz2
    6bf876e04ba00bebb64dffe7d2224206521948a7  gnupg-w32-2.2.33_20211123.tar.xz
    c67151e92fc82bd4138ef441dbeba61e9bf4de5f  gnupg-w32-2.2.33_20211123.exe

Internationalization
====================

This version of GnuPG has support for 26 languages with Chinese (traditional and simplified), Czech, French, German, Italian, Japanese, Norwegian, Polish, Russian, and Ukrainian being almost completely translated.

Documentation and Support
=========================

The file gnupg.info has the complete reference manual of the system. Separate man pages are included as well but they miss some of the details available only in the manual. The manual is also available online at https://gnupg.org/documentation/manuals/gnupg/ or can be downloaded as PDF at https://gnupg.org/documentation/manuals/gnupg.pdf .

You may also want to search the GnuPG mailing list archives or ask on the gnupg-users mailing list for advice on how to solve problems. Most of the new features have been around for several years and thus enough public experience is available.

https://wiki.gnupg.org has user contributed information around GnuPG and related software.

In case of build problems specific to this release please first check https://dev.gnupg.org/T5641 for updated information.

Please consult the archive of the gnupg-users mailing list before reporting a bug: https://gnupg.org/documentation/mailing-lists.html. We suggest sending bug reports for a new release to this list in favor of filing a bug at https://bugs.gnupg.org. If you need commercial support go to https://gnupg.com or https://gnupg.org/service.html.
If you are a developer and you need a certain feature for your project, please do not hesitate to bring it to the gnupg-devel mailing list for discussion.

Thanks
======

Since 2001 maintenance and development of GnuPG is done by g10 Code GmbH and until this year mostly financed by donations. Three full-time employed developers as well as two contractors exclusively work on GnuPG and closely related software like Libgcrypt, GPGME and Gpg4win.

We like to thank all the nice people who are helping the GnuPG project, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, or answering questions on the mailing lists.

Many thanks to our numerous financial supporters, both corporate and individuals. Without you it would not have been possible to keep GnuPG in a good and secure shape and to address all the small and larger requests made by our users. Thanks.

Happy hacking,

   Your GnuPG hackers

p.s. This is an announcement only mailing list. Please send replies only to the gnupg-users'at'gnupg.org mailing list.

List of Release Signing Keys:

To guarantee that a downloaded GnuPG version has not been tampered with by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners.
Current releases are signed by one or more of these keys:

  rsa3072 2017-03-17 [expires: 2027-03-15]
  5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

  ed25519 2020-08-24 [expires: 2030-06-30]
  6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA
  Werner Koch (dist signing 2020)

  ed25519 2021-05-19 [expires: 2027-04-04]
  AC8E 115B F73E 2D8D 47FA 9908 E98E 9B2D 19C6 C8BD
  Niibe Yutaka (GnuPG Release Key)

  brainpoolP256r1 2021-10-15 [expires: 2029-12-31]
  02F3 8DFF 731F F97C B039 A1DA 549E 695E 905B A208
  GnuPG.com (Release Signing Key 2021)

The keys are available at https://gnupg.org/signature_key.html and in any recently released GnuPG tarball in the file g10/distsigkey.gpg. Note that this mail has been signed by a different key.

--
Please read Nils Melzer: Der Fall Julian Assange
It is really important to know the background of the Assange case to understand the massive perils to free journalism. The book is right now only available in German: https://dev.gnupg.org/u/melzerassang

signature.asc
Description: PGP signature

___
Gnupg-announce mailing list
gnupg-annou...@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg: Note: secret key [...] expired...
On Tue, 9 Nov 2021 15:28, Keine Eile said:

> I have a revoked private key in my key ring, which I replaced with new
> one. I really do not want to discard this old key, for what I think
> good reasons. Is there a way to let gpg ignore this key or suppress
> this this¹ notification?

You can delete your old key from the keyring. However, you would also lose the ability to decrypt old messages. Thus in general not a good idea.

>> gpg: Note: secret key [KeyID] expired at [Some day in September]
>> gpg: Note: key has been revoked

We can't suppress the latter diagnostic because that is important information. The former diagnostic is also of some interest.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are governed by a federal law.
Re: make check -> libgcrypt is too old
On Mon, 8 Nov 2021 20:30, Christoph Klassen said:

> repos). The solution was to run first dpkg --purge --force-all
> libgcrypt20 (couldn't remove it the normal way because of some

Not a good idea. That may break things. It is better to install libgcrypt and the other libs to /usr/local/lib and then set LD_LIBRARY_PATH accordingly (or fix the search order in ld.so.conf).

> one application didn't work, so I reinstalled libgcrypt20. Now both,

Libgcrypt 1.9 is compatible to 1.8 but not vice versa.

Shalom-Salam,

   Werner
Re: Too many open files caused by repeated decryption operations via a GPGME API
On Fri, 29 Oct 2021 16:24, Kazunori Kobayashi said:

> On modern Linux, we can change the maximum number of file descriptors
> per process in some ways. This feature is a well-known way for long
> time operation without reboot in cases such as server machines.

That is a known problem; we recently raised the priority of the feature request https://dev.gnupg.org/T2385 to high. Thus there is a good chance that this problem will be solved in the not too distant future.

> https://github.com/gpg/gpgme/blob/gpgme-1.10.0/src/posix-io.c#L673

Please don't refer to github for gnupg; their copy is out of date. Use our https://dev.gnupg.org instead.

Salam-Shalom,

   Werner
Re: BT -> mutt -> SMTP -> Wifi
On Sat, 6 Nov 2021 12:09, Matthias Apitz said:

> This message is typed on a BT keyboard connected to the L5 and sent
> from mutt on the L5 via SMTP and Wifi to the list while sitting
> in the sun in a beergarden.

Alright. I eventually need to figure out how to turn my Cosmo Communicator into a dumb BT keyboard for the L5 ;-)

Salam-Shalom,

   Werner
Re: OpenPGP card and gpg-agent TTL
On Fri, 5 Nov 2021 17:30, Matthias Apitz said:

> But, it does not work locally on the L5 in its "terminal app", the
> "pass" command in the terminal raises an error about no secret provided.

You did the

  gpg-connect-agent updatestartuptty /bye

thing to tell gpg-agent where it shall pop up the pinentry?

Further you can debug things by adding "-v" to the gpg invocation or by letting gpg-agent create a debug file:

--8<---cut here---start->8---
log-file /foo/bar/gpg-agent.log
verbose
debug ipc
debug-pinentry
--8<---cut here---end--->8---

Or use

  log-file tcp://1.2.3.4:40711

and run "watchgnupg --tcp 40711" on the host with IP 1.2.3.4. Not TLS, so take care. But it is convenient to see what's going on.

Thanks for your other mail on the need to flush the firmware for the BT device. I have not yet found the time to do that, though.

Shalom-Salam,

   Werner
Re: OpenPGP card and gpg-agent TTL
Hi Matthias,

On Thu, 4 Nov 2021 09:40, Matthias Apitz said:

> I got mine in early October after exactly 4 years waiting. I do not

Same here. I actually met with Todd back then and my colleague Gniibe wrote the driver for their planned card reader. Then we had that long delay. It is good that things work for you.

And thanks for the hint with the smartcard. I was probably blind that I didn't notice it. I put an older card into the slot (cut down with a sharp wire cutter) but I have not seen the device. Even after an OS update there is still no Bluetooth device (regardless of the kill switch position) and the WLAN sometimes needs a reboot. I also wonder why there are no easily accessible teardown images - the long Youtube video is not very helpful because it shows obvious things,

> I have and have had some Linux mobiles, also the OpenMoko. The
> Purism L5 is the most useful until now for me. You see, I really don't

As long as you do not count the Jollas in. Purism's decision to write yet another software stack is highly questionable. IMHO they should have used the free stuff from SFOS and replaced the proprietary UI using Qt instead of GTK+. That would have solved the battery problems instantly,

Salam-Shalom,

   Werner
Re: OpenPGP card and gpg-agent TTL
On Wed, 3 Nov 2021 18:55, Matthias Apitz said:

> card, and available without any laptop or USB dongle, just in my phone -- a
> big progress. Thanks to Purism to bring this with the L5 to the Linux world!

You mean the Librem5 has indeed a second slot for a smartcard? I recently received mine but it is more or less unusable to me. It even comes w/o a bluetooth device - at least according to the warning notice I see - for things I can see because the network settings are not fully accessible. It is more or less a brick; the OpenMoko used to be better.

Shalom-Salam,

   Werner
Re: What are the file in ~/.gnupg ?
On Sat, 30 Oct 2021 00:20, Damien Goutte-Gattat said:

> Private key only. I believe the purely “mathematical” components of
> the public key can be derived from it (though I may be wrong here),

That is right. Since some releases we also record the creation date of the key so that we can easily derive the OpenPGP fingerprint. Without that creation time we would need to loop over all seconds since about 1997 to figure out the fingerprint.

Salam-Shalom,

   Werner
Re: OpenPGP card and gpg-agent TTL
On Sat, 30 Oct 2021 15:50, Matthias Apitz said:

> I just withdraw the USB dongle after the operation. I was thinking that
> the gpg-agent.conf entry 'max-cache-ttl' will also expire the unlocked
> state of the OpenPGP card, which it does not. How could I do this?

No, it does not because it is the decision of the card how long the VERIFY command sent to the card allows the use of the key. For most cards and keys the keys are unlocked by VERIFY until the card is powered down. The OpenPGP cards allow limiting the VERIFY command for the first key to one signing operation ("forcesig" toggles this).

As a workaround use "gpgconf --reload scdaemon" to power down the card.

Shalom-Salam,

   Werner
Re: v2.3 of gnupg for automation?
On Tue, 26 Oct 2021 18:21, Robert J. Hansen said:

> That's true, and is correct. If you're passing a passphrase via the
> command line, that passphrase becomes visible to anyone with the
> privileges to get a list of processes and arguments. At that point the
> passphrase really isn't providing much in the way of security.

I fully agree. If, for whatever reasons, a passphrase is required the suggested workaround is to add --pinentry-mode=loopback to the gpg invocation.

Salam-Shalom,

   Werner
[Announce] GnuPG 2.3.3 released
nd to do this is either "sha1sum" or "shasum". Assuming you downloaded the file gnupg-2.3.3.tar.bz2, you run the command like this:

    sha1sum gnupg-2.3.3.tar.bz2

  and check that the output matches the next line:

    b19a407076424704f1b00e8265254de1b3061659  gnupg-2.3.3.tar.bz2
    bfb4e9fe2a69c763f15f6a7dd980c7ef6807277f  gnupg-w32-2.3.3_20211012.tar.xz
    f95dec36a3905c1a928e7b8b83d4eee8a8200364  gnupg-w32-2.3.3_20211012.exe

Internationalization
====================

This version of GnuPG has support for 26 languages with Chinese (traditional and simplified), Czech, French, German, Italian, Japanese, Norwegian, Polish, Russian, and Ukrainian being almost completely translated.

Documentation and Support
=========================

The file gnupg.info has the complete reference manual of the system. Separate man pages are included as well but they miss some of the details available only in the manual. The manual is also available online at https://gnupg.org/documentation/manuals/gnupg/ or can be downloaded as PDF at https://gnupg.org/documentation/manuals/gnupg.pdf

You may also want to search the GnuPG mailing list archives or ask on the gnupg-users mailing list for advice on how to solve problems. Most of the new features have been around for several years and thus enough public experience is available.

https://wiki.gnupg.org has user contributed information around GnuPG and related software.

In case of build problems specific to this release please first check https://dev.gnupg.org/T5565 for updated information.

Please consult the archive of the gnupg-users mailing list before reporting a bug: https://gnupg.org/documentation/mailing-lists.html. We suggest sending bug reports for a new release to this list in favor of filing a bug at https://bugs.gnupg.org. If you need commercial support go to https://gnupg.com or https://gnupg.org/service.html.

If you are a developer and you need a certain feature for your project, please do not hesitate to bring it to the gnupg-devel mailing list for discussion.
Thanks
======

Since 2001 maintenance and development of GnuPG is done by g10 Code GmbH and still mostly financed by donations. Three full-time employed developers as well as two contractors exclusively work on GnuPG and closely related software like Libgcrypt, GPGME and Gpg4win.

We like to thank all the nice people who are helping the GnuPG project, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, or answering questions on the mailing lists.

The financial support of the governmental CERT of Luxembourg (GOVCERT.LU) allowed us to develop new and improved features for smartcards (Yubikey, PIV and Scute) as well as various usability features. Thanks.

Many thanks also to all other financial supporters, both corporate and individuals. Without you it would not be possible to keep GnuPG in a good and secure shape and to address all the small and larger requests made by our users.

Happy hacking,

   Your GnuPG hackers

p.s. This is an announcement only mailing list. Please send replies only to the gnupg-users at gnupg.org mailing list.

p.p.s. List of Release Signing Keys:

To guarantee that a downloaded GnuPG version has not been tampered with by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. Current releases are signed by one or more of these four keys:

  ed25519 2020-08-24 [expires: 2030-06-30]
  Key fingerprint = 6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA
  Werner Koch (dist signing 2020)

  rsa3072 2017-03-17 [expires: 2027-03-15]
  Key fingerprint = 5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

  ed25519 2021-05-19 [expires: 2027-04-04]
  AC8E 115B F73E 2D8D 47FA 9908 E98E 9B2D 19C6 C8BD
  Niibe Yutaka (GnuPG Release Key)

The keys are available at https://gnupg.org/signature_key.html and in any recently released GnuPG tarball in the file g10/distsigkey.gpg.
Note that this mail has been signed by a different key.
[Announce] GnuPG 2.2.32 (LTS) fixes a problem with Let's Encrypt
es or ask on the gnupg-users mailing list for advice on how to solve problems. Most of the new features have been around for several years and thus enough public experience is available.

https://wiki.gnupg.org has user contributed information around GnuPG and related software.

In case of build problems specific to this release please first check https://dev.gnupg.org/T5601 for updated information.

Please consult the archive of the gnupg-users mailing list before reporting a bug: https://gnupg.org/documentation/mailing-lists.html. We suggest sending bug reports for a new release to this list in favor of filing a bug at https://bugs.gnupg.org. If you need commercial support go to https://gnupg.com or https://gnupg.org/service.html.

If you are a developer and you need a certain feature for your project, please do not hesitate to bring it to the gnupg-devel mailing list for discussion.

Thanks
======

Since 2001 maintenance and development of GnuPG is done by g10 Code GmbH and still mostly financed by donations. Three full-time employed developers as well as two contractors exclusively work on GnuPG and closely related software like Libgcrypt, GPGME and Gpg4win.

We like to thank all the nice people who are helping the GnuPG project, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, or answering questions on the mailing lists.

Many thanks to our numerous financial supporters, both corporate and individuals. Without you it would not be possible to keep GnuPG in a good and secure shape and to address all the small and larger requests made by our users. Thanks.

Happy hacking,

   Your GnuPG hackers

p.s. This is an announcement only mailing list. Please send replies only to the gnupg-users'at'gnupg.org mailing list.

List of Release Signing Keys:

To guarantee that a downloaded GnuPG version has not been tampered with by malicious entities we provide signature files for all tarballs and binary versions.
The keys are also signed by the long term keys of their respective owners. Current releases are signed by one or more of these keys:

  rsa3072 2017-03-17 [expires: 2027-03-15]
  5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

  ed25519 2020-08-24 [expires: 2030-06-30]
  6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA
  Werner Koch (dist signing 2020)

  ed25519 2021-05-19 [expires: 2027-04-04]
  AC8E 115B F73E 2D8D 47FA 9908 E98E 9B2D 19C6 C8BD
  Niibe Yutaka (GnuPG Release Key)

The keys are available at https://gnupg.org/signature_key.html and in any recently released GnuPG tarball in the file g10/distsigkey.gpg. Note that this mail has been signed by a different key.
Re: Error messages reconfiguring an OpenPGP smartcard
On Sat, 4 Sep 2021 12:11, Borden said:

> According to gpg --card-status, I have an OpenPGP card v. 2.1 made by
> LogoEmail (that's not from whom I bought it, so I'm not sure if the

Note that re-configuring a card is only possible with certain cards; it is an optional feature of the specification. I don't know the card from www.scardsolutions.com - you may want to ask them what they implement.

If gpg --card-status -v does not show any hints and you have the time, you can add some debugging options: Add these lines to ~/.gnupg/scdaemon.conf:

--8<---cut here---start->8---
log-file /some/where/scd.log
verbose
debug ipc,reader,cardio
--8<---cut here---end--->8---

and gpgconf --kill scdaemon then try again and have a look at the log file. We might be able to help analyzing the log but we would see the PINs etc.

Shalom-Salam,

   Werner
[Announce] GnuPG 2.2.31 (LTS) released
how to solve problems. Most of the new features have been around for several years and thus enough public experience is available.

https://wiki.gnupg.org has user contributed information around GnuPG and related software.

In case of build problems specific to this release please first check https://dev.gnupg.org/T5571 for updated information.

Please consult the archive of the gnupg-users mailing list before reporting a bug: https://gnupg.org/documentation/mailing-lists.html. We suggest sending bug reports for a new release to this list in favor of filing a bug at https://bugs.gnupg.org. If you need commercial support go to https://gnupg.com or https://gnupg.org/service.html.

If you are a developer and you need a certain feature for your project, please do not hesitate to bring it to the gnupg-devel mailing list for discussion.

Thanks
======

Since 2001 maintenance and development of GnuPG is done by g10 Code GmbH and still mostly financed by donations. Three full-time employed developers as well as two contractors exclusively work on GnuPG and closely related software like Libgcrypt, GPGME and Gpg4win.

We like to thank all the nice people who are helping the GnuPG project, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, or answering questions on the mailing lists.

Many thanks to our numerous financial supporters, both corporate and individuals. Without you it would not be possible to keep GnuPG in a good and secure shape and to address all the small and larger requests made by our users. Thanks.

Happy hacking,

   Your GnuPG hackers

p.s. This is an announcement only mailing list. Please send replies only to the gnupg-users'at'gnupg.org mailing list.

List of Release Signing Keys:

To guarantee that a downloaded GnuPG version has not been tampered with by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners.
Current releases are signed by one or more of these keys:

  rsa3072 2017-03-17 [expires: 2027-03-15]
  5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

  ed25519 2020-08-24 [expires: 2030-06-30]
  6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA
  Werner Koch (dist signing 2020)

  ed25519 2021-05-19 [expires: 2027-04-04]
  AC8E 115B F73E 2D8D 47FA 9908 E98E 9B2D 19C6 C8BD
  Niibe Yutaka (GnuPG Release Key)

The keys are available at https://gnupg.org/signature_key.html and in any recently released GnuPG tarball in the file g10/distsigkey.gpg. Note that this mail has been signed by a different key.
Re: What is the state of https://git.gnupg.org/?
On Mon, 6 Sep 2021 19:25, meator said:

> Ok, thanks! Sorry for that.

This is a sponsored VM and sometimes we run into OOM problems. We like to keep these repos on this different machine so that we can continue to collaborate even if other servers fail, or vice versa.

Salam-Shalom,

   Werner
Re: What is the state of https://git.gnupg.org/?
On Sun, 5 Sep 2021 18:45, meator meator said:

> Hello, what's up with https://git.gnupg.org/? Is there some
> maintenance happening?

The OOM kicked in and killed the TLS frontend. It's up again.

Salam-Shalom,

   Werner
Re: gpg-agent and X
On Thu, 26 Aug 2021 16:23, Klaus Ethgen said:

> It seems that I have the problem all time I use the QT pinentry. The
> gtk2 pinentry seems to be fine and with the switch to QT one, the

Did you try pinentry 1.2.0 which we released last week?

FWIW, I am using xfce and had some problem with icons and thus also pinentry in the past. The solution was to set QT_QPA_PLATFORMTHEME=qt5ct in the environment and use one of the latest gnupg versions (2.2.30, 2.3.2). But Pinentry 1.2.0 should also work if icons are not accessible etc.

Shalom-Salam,

   Werner
[Announce] GnuPG 2.2.30 (LTS) released
gnupg.info has the complete reference manual of the system. Separate man pages are included as well but they miss some of the details available only in the manual. The manual is also available online at https://gnupg.org/documentation/manuals/gnupg/ or can be downloaded as PDF at https://gnupg.org/documentation/manuals/gnupg.pdf .

You may also want to search the GnuPG mailing list archives or ask on the gnupg-users mailing list for advice on how to solve problems. Most of the new features have been around for several years and thus enough public experience is available.

https://wiki.gnupg.org has user contributed information around GnuPG and related software.

In case of build problems specific to this release please first check https://dev.gnupg.org/T5519 for updated information.

Please consult the archive of the gnupg-users mailing list before reporting a bug: https://gnupg.org/documentation/mailing-lists.html. We suggest sending bug reports for a new release to this list in favor of filing a bug at https://bugs.gnupg.org. If you need commercial support go to https://gnupg.com or https://gnupg.org/service.html.

If you are a developer and you need a certain feature for your project, please do not hesitate to bring it to the gnupg-devel mailing list for discussion.

Thanks
======

Since 2001 maintenance and development of GnuPG is done by g10 Code GmbH and still mostly financed by donations. Three full-time employed developers as well as two contractors exclusively work on GnuPG and closely related software like Libgcrypt, GPGME and Gpg4win.

We like to thank all the nice people who are helping the GnuPG project, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, or answering questions on the mailing lists.

Many thanks to our numerous financial supporters, both corporate and individuals.
Without you it would not be possible to keep GnuPG in a good and secure shape and to address all the small and larger requests made by our users. Thanks.

Happy hacking,

   Your GnuPG hackers

p.s. This is an announcement only mailing list. Please send replies only to the gnupg-users'at'gnupg.org mailing list.

List of Release Signing Keys:

To guarantee that a downloaded GnuPG version has not been tampered with by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. Current releases are signed by one or more of these four keys:

  ed25519 2020-08-24 [expires: 2030-06-30]
  Key fingerprint = 6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA
  Werner Koch (dist signing 2020)

  rsa3072 2017-03-17 [expires: 2027-03-15]
  Key fingerprint = 5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

  rsa2048 2011-01-12 [expires: 2021-12-31]
  Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
  Werner Koch (dist sig)

The keys are available at https://gnupg.org/signature_key.html and in any recently released GnuPG tarball in the file g10/distsigkey.gpg. Note that this mail has been signed by a different key.
Re: Decryption w/o public key does not work in GnuPG 2.3.2
Hi!

On Wed, 25 Aug 2021 21:36, Thomas Cage said:

> I have installed the new 2.3.2 version which supports "decryption w/o
> public key but with correct card inserted" with commit 50293ec2eb.

The description is a bit too brief.  What we do is to look up the key on a configured LDAP server.  This allows you to start using a new box immediately by simply inserting your smartcard.  It is a feature for larger deployments.

> I have tried it out with a couple files encrypted with a public key
> that got lost recently but the private key remains in my smart card.

You need to get the public key or re-create it.  To do this you need to know the creation time.  This can be done by looping over a range of dates - unfortunately there is still no tool to do this.

> Am I using this feature in the correct way?  I just hope my files won't
> get lost forever.  Thanks a lot!

It is a matter of the available tools or the time required to write them :-(

Shalom-Salam,

   Werner

--
Thoughts are free.  Exceptions are governed by a federal law.
[Announce] GnuPG 2.3.2 released
work on GnuPG and closely related software like Libgcrypt, GPGME and Gpg4win.

We like to thank all the nice people who are helping the GnuPG project, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, or answering questions on the mailing lists.

The financial support of the governmental CERT of Luxembourg (GOVCERT.LU) allowed us to develop new and improved features for smartcards (Yubikey, PIV and Scute) as well as various usability features.  Thanks.

Many thanks also to all other financial supporters, both corporate and individuals.  Without you it would not be possible to keep GnuPG in a good and secure shape and to address all the small and larger requests made by our users.

Happy hacking,

  Your GnuPG hackers

p.s.
This is an announcement only mailing list.  Please send replies only to the gnupg-users at gnupg.org mailing list.
Re: gpg-wks-client generates empty files
On Thu, 19 Aug 2021 17:14, Jonas Tobias Hopusch said:

> It's good to see one of you respond to my mail.  I was worried that maybe the
> mailinglist broke both the SPF and DKIM checks and prevented it from being

Sorry for taking long to reply.

> It's been a few months since I generated the key with GnuPG so I don't know if I
> put the extra spaces there.  Maybe it's a consequence of leaving out my name
> during UID creation?  (Back then I was hesitant to put my name on that key though
> my view on that is more relaxed by now.)

In general we strip all leading and trailing spaces.  But there are of course ways to generate such a user-id; it is covered by the specs.

> The question I'm asking myself at this explanation for the issue is why my
> Gitea instance's signing key was also affected by the bug.  (The one with the
> autos...@gitea.jotoho.de UID)

Well, this

  /* Fixme: Unescape fields[9] */
  if (!append_to_uidinfo_list (&mboxes, fields[9],

explains it.  gpg --with-colons returns the user-id with C-style escapes.  The "https://" has a colon and thus needs escaping.

I have pushed fixes for both bugs to 2.3 and 2.2

Shalom-Salam,

   Werner
Re: gpg-wks-client generates empty files
Hi!

On Sat, 31 Jul 2021 23:05, Jonas Tobias Hopusch said:

> Does anyone know what may have gone wrong?  Is there any additional information I
> can provide to help with tracking down what I presume to be a bug?

It took me a while to track this down.  If you look closely at the listing:

  pub   rsa4096/612F3350DB59D359 2021-01-27 [C] [verfällt: 2024-01-27]
        Schl.-Fingerabdruck = 1F42 EF02 BE3E 6FE8 F624 C8BC 612F 3350 DB59 D359
  uid        [vollständig] (Domain owner of jotoho.de) "
                           ^

Although that is somewhat peculiar it does not harm.  But, gpg-wks-client does some processing of the key:

1. It lists all mail addresses from the key and matches them to the requested mail address (in your example hostmaster@...).

2. Now it may happen that there are several user-ids all with the same mail address.  gpg-wks-tools picks one of them and then extracts exactly that user id - however in this case it does not match by the mail address but by the full user-id so that there will be only one user-id in the final key.

3. The filter expression built unfortunately strips leading blanks but requires a verbatim match.  Thus it won't find the user id again and errors out.

Right, there is a second error that the empty file should not have been written.  But after all that error should never happen.

I need to see how I can avoid trimming the leading space from the filter expression.

Salam-Shalom,

   Werner
Re: Smartcard Status Message Inconsistency
Hi!

On Fri, 6 Aug 2021 18:36, Joey Berkovitz said:

> I was looking through the Smartcard commands and found that while most
> commands related to attribute changes output an SC_OP_SUCCESS, except for
> the name change command which doesn't output a success message on the
> status-fd.

Probably an oversight or laziness in 2009.  I just added this to master.  Thanks for reporting.

Shalom-Salam,

   Werner
Re: keys retrieved from keyserver (keys.openpgp.org) are unusable
On Tue, 27 Jul 2021 11:12, root said:

> I am new to GnuPG and this is a great tool in programming.  I am not sure how to
> use gpg commands directly in C/C++ codes though.  I thought gpgme is providing the
> interface to use gpg ?

Yes, please use GPGME or the GPGME C++ bindings.

Salam-Shalom,

   Werner
Re: A key doesn't get imported from one of the keyservers
On Tue, 3 Aug 2021 11:19, Vincent Breitmoser said:

> Unlike the other keyservers, keys.openpgp.org has a [privacy policy] that
> doesn't permit distributing email addresses without consent.  The key

It is not a privacy policy but a serious misconception much like what keyserver.com and PGP Universal Server did a long time ago.  The OpenPGP spec requires a User ID for the on-wire format of a public key.  Any implementation which violates this rule is not OpenPGP compliant.

The privacy argument on the user id is a layman's idea of the GDPR.  In fact the key itself is no different from an IP address or mail address and is in fact stronger personal data of a natural person than the latter.

Note that for reasons of data minimization I would suggest creating new keys only with a mail address and not with any other data.  For example posteo.de has such a rule for keys used on their platform; gpg-wks-client even has direct support for such a requirement.

Salam-Shalom,

   Werner
Re: --search-keys: "gpg: error searching keyserver: No inquire callback in IPC"
On Thu, 29 Jul 2021 18:36, Andrew Gallagher said:

> If you built gnupg from its default configuration, it does not
> automatically look in /etc/ssl/certs for CA certificates.  You may want

On Unix and unless gnupg was built with --with-default-trust-store-file the following collections of certificates are used for TLS:

  { "/etc/ssl/ca-bundle.pem" },
  { "/etc/ssl/certs/ca-certificates.crt" },
  { "/etc/pki/tls/cert.pem" },
  { "/usr/local/share/certs/ca-root-nss.crt" },
  { "/etc/ssl/cert.pem" }

> to add a soft link from /etc/gnupg/trusted-certs to /etc/ssl/certs so
> that dirmngr looks in the Mozilla certificate library.

Not a too good idea because these certificates are used for a different purpose.  FWIW, here is the list of internal certificate classes used:

  CERTTRUST_CLASS_SYSTEM  = 1, /* From the system's list of trusted certs. */
  CERTTRUST_CLASS_CONFIG  = 2, /* From dirmngr's config files.  */
  CERTTRUST_CLASS_HKP     = 4, /* From --hkp-cacert */
  CERTTRUST_CLASS_HKPSPOOL= 8, /* The one and only from sks-keyservers */

Shalom-Salam,

   Werner
Re: gpg: used key is not marked for encryption use.
On Fri, 23 Jul 2021 20:00, Jonathan Kaczynski said:

> I'm trying to understand the scenario in which we see the log message,
> "gpg: used key is not marked for encryption use."  I haven't been able to
> find any mentions of the phrase on the web, so I turned to the source code.

This is a warning that the encryption tool used a key which it should not have used for encryption (i.e. a signing key).  A proper OpenPGP implementation won't allow encrypting to such a key but some implementations have bugs.  Technically the keys can be used for both purposes but out of crypto hygiene this should not be done.  No immediate risk, though.

For S/MIME it is quite common to use the same key for encryption and signing.

Salam-Shalom,

   Werner
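The two gpg-wks-client messages above (the user ID with a leading blank and the unescaped fields[9]) and this warning all come down to reading `gpg --with-colons` records correctly. The following is an added example, not code from GnuPG or gpg-wks-client: it parses a constructed listing, undoes the `\x3a`-style escaping, shows how a filter that trims leading blanks but compares verbatim loses the spaced user ID, and reads the capability letters that decide whether a key may be encrypted to. The key ID and fingerprint are the ones quoted in the thread; both user IDs, the subkey IDs and the gitea.example.org address are constructed.

```python
"""Added example (not GnuPG or gpg-wks-client code): parse `gpg --with-colons` records,
undo the C-style field escaping that bit gpg-wks-client, show why a filter that strips
leading blanks but compares verbatim loses a user ID starting with a space, and read
the capability letters behind the "used key is not marked for encryption use" warning.
The sample listing is constructed for this example."""
import re
from typing import List, Optional, Set

# Constructed in the shape of `gpg --with-colons --list-keys`; key ID and fingerprint are
# the ones quoted in the thread, both uids and the subkey IDs are made up.  Field 10 of a
# uid record is the user ID (a literal ':' is escaped as \x3a); field 12 of pub/sub
# records holds capability letters (e = encrypt, s = sign, c = certify, a = auth).
SAMPLE = """\
pub:u:4096:1:612F3350DB59D359:1611702000:1706306400::u:::cSC::::::23::0:
fpr:::::::::1F42EF02BE3E6FE8F624C8BC612F3350DB59D359:
uid:u::::1611702000::0000000000000000000000000000000000000000:: (Domain owner of jotoho.de) <hostmaster@jotoho.de>::::::::::0:
uid:u::::1611702000::1111111111111111111111111111111111111111::https\\x3a//gitea.example.org <gitea@example.org>::::::::::0:
sub:u:4096:1:0123456789ABCDEF:1611702000:1706306400:::::s::::::23:
sub:u:4096:1:FEDCBA9876543210:1611702000:1706306400:::::e::::::23:
"""

MBOX_RE = re.compile(r"<([^<>\s@]+@[^<>\s@]+)>")


def unescape_field(value: str) -> str:
    """Undo gpg's --with-colons escaping: each \\xNN is one raw byte of the UTF-8 user ID."""
    raw = bytearray()
    i = 0
    while i < len(value):
        if value.startswith("\\x", i) and i + 4 <= len(value):
            try:
                raw.append(int(value[i + 2:i + 4], 16))
                i += 4
                continue
            except ValueError:
                pass  # not a valid escape: keep the backslash literally
        raw.extend(value[i].encode("utf-8"))
        i += 1
    return raw.decode("utf-8", errors="replace")


def parse_records(text: str) -> List[List[str]]:
    """One list per line; field N in gpg's DETAILS numbering is record[N - 1]."""
    return [line.split(":") for line in text.splitlines() if line.strip()]


def list_uids(records: List[List[str]]) -> List[str]:
    """Unescaped user IDs in listing order (field 10 of every uid record)."""
    return [unescape_field(rec[9]) for rec in records if rec[0] == "uid"]


def mailbox_of(uid: str) -> Optional[str]:
    """The addr-spec inside <...>, lower-cased, or None if the uid carries none."""
    m = MBOX_RE.search(uid)
    return m.group(1).lower() if m else None


def match_with_trim(wanted: str, candidate: str) -> bool:
    """The behaviour described in the thread: the filter value loses its leading blanks
    but the comparison stays verbatim, so a uid beginning with a space never matches itself."""
    return wanted.lstrip() == candidate


def match_verbatim(wanted: str, candidate: str) -> bool:
    """Compare the complete user ID as-is on both sides."""
    return wanted == candidate


def select_uid_for_mailbox(records: List[List[str]], mailbox: str,
                           match=match_verbatim) -> Optional[str]:
    """Mimic the two-step selection from the thread: pick the uid whose mail address
    matches, then re-extract exactly that uid by full-user-ID comparison."""
    uids = list_uids(records)
    wanted = next((u for u in uids if mailbox_of(u) == mailbox.lower()), None)
    if wanted is None:
        return None
    return next((u for u in uids if match(wanted, u)), None)


def own_capabilities(record: List[str]) -> Set[str]:
    """Lowercase letters in field 12 are this key's own capabilities; uppercase letters
    (only on the primary) summarise the whole key and are ignored here."""
    return {c for c in record[11] if c.islower()}


def encryption_keyids(records: List[List[str]]) -> List[str]:
    """Key IDs that may be encrypted to.  A message encrypted to any other key of the
    bundle is what makes gpg warn "used key is not marked for encryption use"."""
    return [rec[4] for rec in records
            if rec[0] in ("pub", "sub") and "e" in own_capabilities(rec)]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for uid in list_uids(recs):
        print(repr(uid), "->", mailbox_of(uid))
    print("trimmed filter :", select_uid_for_mailbox(recs, "hostmaster@jotoho.de", match_with_trim))
    print("verbatim filter:", select_uid_for_mailbox(recs, "hostmaster@jotoho.de"))
    print("encryption keys:", encryption_keyids(recs))
```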
Re: HID Omnikey 3121 Smart Card Reader and GPG
On Thu, 8 Jul 2021 16:48, NIIBE Yutaka said:

> So, I think that Omnikey CardMan 3121 can work in the use case with
> OpenPGP card if its key is RSA 1024.

Exactly, I used to use Omnikey readers too but I had to give up due to this problem.  On Windows Omnikey's driver uses proprietary escape codes to make it work:

  /* We employ a hack for Omnikey readers which are able to send TPDUs
     using an escape sequence.  There is no documentation but the Windows
     driver does it this way.  Tested using a CM6121.  This method works
     also for the Cherry XX44 keyboards; however there are problems with
     the ccid_transceive_secure which leads to a loss of sync on the CCID
     level.  If Cherry wants to make their keyboard work again, they
     should hand over some docs. */

The 6121 is a PCMCIA style reader which I could make work for my old laptop.  As usual with reader vendors they use their ASICs for all types of readers and thus he sees the problem also with the 3121.  I have a 5121 here but I can use it only for RFID.  He may be able to use the 3121 with ECC keys.

Shalom-Salam,

   Werner
Re: recommendation for key servers
On Wed, 7 Jul 2021 08:30, Daniel Kahn Gillmor said:

> Without a canonical form, we simply can't make such a proposal.

You need to check for the canonical form anyway and thus it is easier to directly sort it.  In case of signature subpackets (if that is one of your concerns), this is of course not possible and thus this would require that the specs require a specific order.

> I'm happy for OpenPGP to continue avoiding ASN.1 as much as possible!
> (and a bit bummed that a tiny, mangled bit of ASN.1 has crept in with
> ECC but i guess that's water under the bridge)

Oh, it is already also in PKCS#1.5

Salam-Shalom,

   Werner
Re: recommendation for key servers
On Tue, 6 Jul 2021 15:59, Daniel Kahn Gillmor said:

> There are no published specifications for how to canonically order
> OpenPGP packets, but i sketched a proposal here:

There has never been a need for such an ordering except for what the specs require.  Introducing a specific order will make most applications non-compliant.  Further, and more important, it does not help because an application can't rely on this and needs to sort anyway.  ASN.1 DER rules for a SET require a specific order but OpenPGP fortunately avoids ASN.1 encodings.

> Adoption of such a canonical ordering would reduce the amount of
> computation for synchronizing keyservers, once they all adopted the same

Keyservers can of course do that if that better fits their processing model.

Shalom-Salam,

   Werner
[Announce] GnuPG 2.2.29 (LTS) released
ages are included as well but they miss some of the details available only in the manual.  The manual is also available online at

  https://gnupg.org/documentation/manuals/gnupg/

or can be downloaded as PDF at

  https://gnupg.org/documentation/manuals/gnupg.pdf .

You may also want to search the GnuPG mailing list archives or ask on the gnupg-users mailing list for advice on how to solve problems.  Most of the new features have been around for several years and thus enough public experience is available.

https://wiki.gnupg.org has user contributed information around GnuPG and related software.

In case of build problems specific to this release please first check https://dev.gnupg.org/T5498 for updated information.

Please consult the archive of the gnupg-users mailing list before reporting a bug: https://gnupg.org/documentation/mailing-lists.html.  We suggest sending bug reports for a new release to this list in favor of filing a bug at https://bugs.gnupg.org.

If you need commercial support go to https://gnupg.com or https://gnupg.org/service.html.

If you are a developer and you need a certain feature for your project, please do not hesitate to bring it to the gnupg-devel mailing list for discussion.

Happy hacking,

  Your GnuPG hackers

p.s.
This is an announcement only mailing list.  Please send replies only to the gnupg-users'at'gnupg.org mailing list.

--
"If privacy is outlawed, only outlaws will have privacy." - PRZ 1991
Re: BSI - Why PQC for Thunderbird and not gpg4win in the first place?
On Tue, 29 Jun 2021 15:31, Стефан Васильев said:

> I don't understand why the BSI is looking for Post Quantum Cryptography
> support with OpenPGP for Thunderbird and not for the promoted gpg4win,

I can't tell you that.  I do not have any more information than you.  From reading the tender it is clear that this project is for evaluating new algorithms in a real world application.  The goal is not to kick off a new standard or feature.

> As understood, Germany recently passed a law to strengthen authorities
> to allow the usage of their Government trojan, which tells me that using

It is quite a problem for the BSI that the gov is trying to shift them into the same trouble the NSA has: protecting the citizen while at the same time helping to attack them.  Will citizens still be able to trust them in a few years?

Salam-Shalom,

   Werner
Re: AW: gpgme_op_decrypt segfault
On Tue, 29 Jun 2021 09:59, Schultschik, Sven said:

> I looked now for days at the code and didn't see this trivial fault.  The
> Nullpoint check for the outstream was missing.

valgrind is your best friend in such cases.

> But a null point check for gpgme wouldn't be a bad idea.  This way it could
> be a catchable exception.

We can do that to make things more robust but other stdio functions also don't check for NULL.

Shalom-Salam,

   Werner
Re: GPGME Cannot allocate memory on gpgme_op_decrypt_start
On Fri, 25 Jun 2021 15:26, Marco said:

> Failed to set input file with error: 117440567 --> Invalid value

Sorry.  I missed that we did not implement that (because it is actually a legacy compatibility function).  Thus I can't offer you any function which takes a file name.  You need to open the file yourself and use one of these functions:

  gpgme_error_t gpgme_data_new_from_cbs (gpgme_data_t *dh,
                                         gpgme_data_cbs_t cbs,
                                         void *handle);

That is the most flexible one.  But there are some convenience functions which relieve you from implementing the callbacks:

  gpgme_error_t gpgme_data_new_from_fd (gpgme_data_t *dh, int fd);

This takes a file descriptor; i.e. open(3).

  gpgme_error_t gpgme_data_new_from_stream (gpgme_data_t *dh, FILE *stream);

This takes an stdio stream; i.e. fopen(3).

  gpgme_error_t gpgme_data_new_from_estream (gpgme_data_t *r_dh,
                                             gpgrt_stream_t stream);

This takes an estream_t, i.e. gpgrt_fopen (aka es_fopen).

For an example how to use these see gpgme/tests/run-decrypt.c

Shalom-Salam,

   Werner
Re: GPGME Cannot allocate memory on gpgme_op_decrypt_start
On Fri, 25 Jun 2021 09:39, Marco said:

> err = gpgme_data_new_from_file(&in, input.string().c_str(), 1);

The 1 means copy the data to an internal buffer.  Use 0 here to stream the data.

Salam-Shalom,

   Werner
Re: Detaching signature from signed object
On Wed, 23 Jun 2021 17:55, Matthew Richardson said:

> provide enough information to extract the signature?  Does it vary depending
> upon whether the signature is ASCII armored?

Actually gpgsplit can be used to split an OpenPGP message.  In theory it is possible to convert an encrypted and signed mail into a PGP/MIME signed mail.  However, this requires that the creator strictly followed the suggestions from RFC-3156.  In fact it is better to not use the combined method but do signing and encryption at the MIME level, which makes it trivial to strip the encryption layer.

Salam-Shalom,

   Werner
Re: Command line decryption/encryption
On Thu, 24 Jun 2021 09:41, john doe said:

> The executable is in the subdirectory 'bin' as 'gpg.exe'.

Which is usually part of the PATH.

> A better idea is to use a file that contains the passphrase if you need
> to automate d/encryption or to use the agent.

An even better idea is not to use a passphrase at all - there is no security win with a passphrase in an automated setting.

Shalom-Salam,

   Werner
Re: Long Term Key Management With Hardware Tokens
On Thu, 24 Jun 2021 02:21, Brandon Anderson said:

> First, if you are working on a new revision of the OpenPGP card,
> please let me know if I can reasonably do anything to help.  While I

Thanks for your offer.  However, it is mainly a spec and hardware thing and the software part is minor.  If you are a vendor of an OpenPGP compliant card, you are likely already in contact with Achim Pietig, who is responsible for the specs.

Shalom-Salam,

   Werner
Re: GPG agent forwarding multiple yubikeys with distinct public keys/subkeys over SSH
On Wed, 23 Jun 2021 11:38, Christian Chavez said:

> I would like to be able to connect multiple yubikeys representing multiple
> openpgp pub/priv key-pairs/identities to the same _client_, and make use of
> _both_ on a remote I've SSH'ed to (using one of the yubikeys), without

Use gnupg 2.3 and this should work.  I am using several tokens in a local setup for years.  Not tested with remote; if you run into problems enable IPC debugging for gpg-agent and watch out for GPG_ERR_FORBIDDEN.

Salam-Shalom,

   Werner
Re: Long Term Key Management With Hardware Tokens
On Tue, 22 Jun 2021 21:53, Brandon Anderson said:

> concerned, you could use three.  The probability that one card out of
> ten will have a failure in a decade is far higher than the chance that

You should also be concerned that malware bricks your (backup) card.  You can only avoid that by using an always air-gapped box which is pretty inconvenient.  Paper copies are actually much more reliable.  I meanwhile scribble down the key using a pencil and paper.  Modern keys are short enough to do that.  (You should also note the creation date.)

> all two or three cards will have a failure.  Allowing retirement key
> slots means you can easily choose your level of redundancy while still
> keeping your keys on secure hardware only.

Back to your original request.  A new revision of the OpenPGP card is in the works and the plan is to add more key slots.  Surely there will be some support for this in GnuPG.  If you want support for the extra PIV slots, we first need to find a business case for this (it's not just the development effort but also the future maintenance work which I have to consider).

Shalom-Salam,

   Werner
Re: Long Term Key Management With Hardware Tokens
On Mon, 21 Jun 2021 23:47, Brandon Anderson said:

> the PIV functions only support 2048 RSA and NIST curves.  The only card

That's per PIV specs.

> What would it take to add support for retirement key slots into the
> GPG smartcard specification?  If retirement slots were added to the
> smartcard spec, then after several years, other smartcard

Frankly, I am not convinced about the retirement slots on the card.  They are of course useful if you rotate your key.  But the question is why you want to do this given that the keys are anyway securely stored on a card.

Shalom-Salam,

   Werner
Re: safe curves in openPGP smartcard
On Sun, 20 Jun 2021 18:57, mailinglisten--- said:

> is there any educated guess, when some safe curve (25519?) will find
> their ways into openPGP smart cards?

Yubikeys and the Gnuk token support 25519 for a long time now.  For the Zeitcontrol card, I can't give a concrete timeline.

Shalom-Salam,

   Werner
Re: Where is swdb.lst
On Wed, 16 Jun 2021 21:18, Ajax said:

>> $ build-aux/getswdb.sh
>
> Which gave :
> ... No such file or directory

  $ tar tjvf gnupg-2.2.28.tar.bz2 | grep getswdb.sh
  -rwxr-xr-x 1000/1000   4831 2021-05-21 07:35 gnupg-2.2.28/build-aux/getswdb.sh

Shalom-Salam,

   Werner