Re: Thunderbird / Enigmail / Autocrypt
On Mon, 23 Nov 2020 18:03, gnupgpacker said:
> After further investigation about html mailing with Claws Mail:
> 'Dillo HTML viewer' project has been updated Jun-2015, not available for
> Windows.

Mature software does not always need updates. Nevertheless the plugin code was recently updated to get rid of conditionals to build with gtk2. Right, it is not available for Windows but ...

> 'litehtml' is available for Windows, but latest update is Oct-2015.

The latest update is just 6 weeks old. The plugin is part of the standard claws installer for Windows. Right, the Windows installer is often behind the source release (right now by a year). But again, this is a project by volunteers.

FWIW, for years we distributed Claws as part of Gpg4win but at some point decided that it is better to let the Claws devs do the installer so that we can concentrate on things we can do best.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
[Announce] GnuPG 2.2.25 released
. Most of the new features are around for several years and thus enough public experience is available. https://wiki.gnupg.org has user contributed information around GnuPG and related software.

In case of build problems specific to this release please first check https://dev.gnupg.org/T5140 for updated information.

Please consult the archive of the gnupg-users mailing list before reporting a bug: https://gnupg.org/documentation/mailing-lists.html. We suggest to send bug reports for a new release to this list in favor of filing a bug at https://bugs.gnupg.org. If you need commercial support go to https://gnupg.com or https://gnupg.org/service.html.

If you are a developer and you need a certain feature for your project, please do not hesitate to bring it to the gnupg-devel mailing list for discussion.

Thanks
======

Since 2001 maintenance and development of GnuPG is done by g10 Code GmbH and still mostly financed by donations. Two full-time employed developers as well as two contractors exclusively work on GnuPG and closely related software like Libgcrypt, GPGME and Gpg4win.

We like to thank all the nice people who are helping the GnuPG project, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, or answering questions on the mailing lists.

Many thanks to our numerous financial supporters, both corporate and individuals. Without you it would not be possible to keep GnuPG in a good and secure shape and to address all the small and larger requests made by our users. Thanks.

Happy hacking,

   Your GnuPG hackers

p.s.
This is an announcement only mailing list. Please send replies only to the gnupg-users'at'gnupg.org mailing list.

p.p.s
List of Release Signing Keys:

To guarantee that a downloaded GnuPG version has not been tampered by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. Current releases are signed by one or more of these four keys:

  rsa2048 2011-01-12 [expires: 2021-12-31]
  Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
  Werner Koch (dist sig)

  rsa2048 2014-10-29 [expires: 2020-10-30]
  Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06
  NIIBE Yutaka (GnuPG Release Key)

  rsa3072 2017-03-17 [expires: 2027-03-15]
  Key fingerprint = 5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

  ed25519 2020-08-24 [expires: 2030-06-30]
  Key fingerprint = 6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA
  Werner Koch (dist signing 2020)

The keys are available at https://gnupg.org/signature_key.html and in any recently released GnuPG tarball in the file g10/distsigkey.gpg . Note that this mail has been signed by a different key.

--
"If privacy is outlawed, only outlaws will have privacy."
- PRZ 1991 ... some still don't get it.

___
Gnupg-announce mailing list
gnupg-annou...@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce
Re: Thunderbird / Enigmail / Autocrypt
On Sun, 22 Nov 2020 10:02, gnupgpacker said:
> Claws Mail is an useful alternative, but please keep aware it does not
> support html mail, text only!
> https://www.claws-mail.org/manual/de/claws-mail-manual.html#AEN955

Just load one of the HTML viewer plugins. Note that most plugins are an integral part of Claws and thus don't run into problems like Enigmail with Thunderbird.

Right, the first-use setup is not as easy as with Thunderbird. That is the difference between a multi-million dollar per year project and a voluntary thingy.

Salam-Shalom,

   Werner
Re: Thunderbird / Enigmail / Autocrypt
On Mon, 23 Nov 2020 07:22, cqcallaw said:
> At my job, I frequently send out summary charts and graphs surrounded by text.
> Attachments simply do not work; my audience cannot spend the mental energy to

Proper MUAs display inline images without problems. I recall that even exmh did this ~25 years ago. It is just that the marketing department can't enforce the corporate identity on text mails - or are too lazy to create rules which work with plain text (and maybe inline images).

And well, I like HTML mails: my main address is free of spam thanks to a simple procmail rule ;-)

Shalom-Salam,

   Werner
Re: Thunderbird / Enigmail / Autocrypt
On Fri, 20 Nov 2020 10:23, Daniel Bossert said:
> How secure is it to use Thunderbird with Autocrypt? I use Sylpheed at
> the moment, but it is not that comfortable to use as Thunderbird.

Check out Claws-mail which was forked from Sylpheed many years ago. The OpenPGP and S/MIME integration of both was initially done by me but many others improved it a lot. Claws is like Thunderbird cross-platform.

The current TB OpenPGP support is pretty basic after they removed Enigmail.

Salam-Shalom,

   Werner
Re: Signing decentralized websites
On Fri, 20 Nov 2020 19:13, cqcallaw said:
> change the behavior. Is there some implementation issue with running
> multiple gpg signing operations in parallel?

This is all serialized because the gpg-agent does the actual signing. There is one gpg-agent per GNUPGHOME. Thus the easiest solution for you is to provide copies of the GNUPGHOME and either set this envvar for each process or pass --homedir=dedicated-homedir-copy.

You can't use links to the same directory because we use lock files. However, it should be possible to symlink the private-keys-v1.d sub directories.

> 2) Are there any tools to verify detached signatures in the browser?
> As a user, I'd like my browser to check for a signature file and

Mailvelope comes to mind or you write your own thing using gpgme-json as the native messaging server. Mailvelope can use gpgme-json. There is also openpgp.js as a solid Javascript implementation of OpenPGP.

Shalom-Salam,

   Werner
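
The homedir-per-process setup described in the reply above, as an added example that is not part of the original message or of GnuPG itself. The function names and the worker-N directory layout are assumptions made here, and signing with --batch assumes the agent can use the key without prompting for a passphrase.

```python
import os
import shutil
import subprocess
from concurrent.futures import ThreadPoolExecutor
from pathlib import Path

SHARED_DIR = "private-keys-v1.d"  # secret keys: linked, not copied


def make_worker_homes(src_home, dest_root, count):
    """Create `count` private copies of a GNUPGHOME for parallel signing.

    Regular files (pubring.kbx, trustdb.gpg, *.conf, ...) are copied, so each
    copy gets its own lock files and its own gpg-agent. Lock files, sockets
    and other sub-directories of the source are left behind; only
    private-keys-v1.d is symlinked back to the original.
    """
    src = Path(src_home).resolve()
    homes = []
    for i in range(count):
        home = Path(dest_root) / f"worker-{i}"
        home.mkdir(mode=0o700, parents=True)
        os.chmod(home, 0o700)  # gpg warns about unsafe homedir permissions
        for entry in src.iterdir():
            if entry.name == SHARED_DIR:
                os.symlink(entry, home / SHARED_DIR, target_is_directory=True)
            elif entry.name.endswith(".lock") or entry.name.startswith(".#"):
                continue  # lock files belong to the original homedir only
            elif entry.is_file() and not entry.is_symlink():
                shutil.copy2(entry, home / entry.name)
            # anything else (agent sockets, other directories) is skipped
        homes.append(home)
    return homes


def sign_detached(home, path):
    """Run one gpg process bound to its own homedir copy."""
    cmd = ["gpg", "--homedir", str(home), "--batch", "--yes",
           "--detach-sign", "--output", f"{path}.sig", str(path)]
    return subprocess.run(cmd, check=True)


def sign_all(homes, paths):
    """Sign `paths` in parallel, one worker thread per homedir copy.

    Each homedir is used by exactly one thread, so signing is serialized
    per gpg-agent but runs concurrently across the copies.
    """
    paths = list(paths)
    buckets = [paths[i::len(homes)] for i in range(len(homes))]

    def work(job):
        home, files = job
        for name in files:
            sign_detached(home, name)
        return len(files)

    with ThreadPoolExecutor(max_workers=len(homes)) as pool:
        return sum(pool.map(work, zip(homes, buckets)))
```

Remove the copies when the batch is done and stop their agents with `gpgconf --homedir DIR --kill gpg-agent`, otherwise one idle agent per copy stays around.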
Re: GPG Encryption/Decryption Failing
On Wed, 18 Nov 2020 11:51, Sirisha Gopigiri said:
> But after debugging a little we found that we are running into this
> issue only if we use gpg 2.2.4 version. We tested the same code with

You are really using a 3 year old version which was followed by 20 more releases. You also missed 2.2.8 which fixes CVE-2018-12020.

> gpg 1.4.20 version and it seems to work fine. I mean we ran the test

Same here. If you use 1.4 at all you need to use the latest version (1.4.23 from 2018)!

Isn't it a general advice to first try the latest version of a software if you run into a bug ;-)

Anyway, ppl here can in general better help you if you explain your problem in more detail and best show how it can be replicated. For example, I even don't know what this SOPS is and how it used gpg.

Salam-Shalom,

   Werner
Re: How to change the protect cipher algorithm and the digest algorithm of the secret key?
On Tue, 17 Nov 2020 02:28, Gao Xiaohui said:
> conf.conf". At present, the "--s2k-count" option can be used in both
> gpg.exe and gpg-agent.exe. Thank you.

In gpg.conf this is used for deriving a passphrase for symmetric encryption. In gpg-agent.conf it is used to override the calibrated iteration code for protecting keys in gpg-agent.

There is no need to change the algorithms. For interoperability and maintenance reasons we try to limit the number of user modifiable parameters. Eventually there will be a change to an AEAD algorithm, however interoperability is the main concern and not theoretical attacks.

Salam-Shalom,

   Werner
[Announce] GnuPG 2.2.24 released
ble to use an existing version of GnuPG, you have to verify the SHA-1 checksum. On Unix systems the command to do this is either "sha1sum" or "shasum". Assuming you downloaded the file gnupg-2.2.24.tar.bz2, you run the command like this:

     sha1sum gnupg-2.2.24.tar.bz2

   and check that the output matches the next line:

2e8e29fdc06710d1e7f6f4b87098b96e058797fe gnupg-2.2.24.tar.bz2
eeefbaaecc4d69a3b66e1ce333c4c5081501310a gnupg-w32-2.2.24_20201117.tar.xz
ab895bd9bc4319b88b1314ede3a816cd0a1cc677 gnupg-w32-2.2.24_20201117.exe

Internationalization
====================

This version of GnuPG has support for 26 languages with Chinese (traditional and simplified), Czech, French, German, Italian, Japanese, Norwegian, Polish, Russian, and Ukrainian being almost completely translated.

Documentation and Support
=========================

If you used GnuPG in the past you should read the description of changes and new features at doc/whats-new-in-2.1.txt or online at

  https://gnupg.org/faq/whats-new-in-2.1.html

The file gnupg.info has the complete reference manual of the system. Separate man pages are included as well but they miss some of the details available only in the manual. The manual is also available online at

  https://gnupg.org/documentation/manuals/gnupg/

or can be downloaded as PDF at

  https://gnupg.org/documentation/manuals/gnupg.pdf .

You may also want to search the GnuPG mailing list archives or ask on the gnupg-users mailing list for advice on how to solve problems. Most of the new features are around for several years and thus enough public experience is available. https://wiki.gnupg.org has user contributed information around GnuPG and related software.

In case of build problems specific to this release please first check https://dev.gnupg.org/T5052 for updated information.

Please consult the archive of the gnupg-users mailing list before reporting a bug: <https://gnupg.org/documentation/mailing-lists.html>. We suggest to send bug reports for a new release to this list in favor of filing a bug at <https://bugs.gnupg.org>. If you need commercial support go to <https://gnupg.com> or <https://gnupg.org/service.html>.

If you are a developer and you need a certain feature for your project, please do not hesitate to bring it to the gnupg-devel mailing list for discussion.

Thanks
======

Since 2001 maintenance and development of GnuPG is done by g10 Code GmbH and currently mostly financed by donations. Two full-time employed developers as well as two contractors exclusively work on GnuPG and closely related software like Libgcrypt, GPGME and Gpg4win.

We like to thank all the nice people who are helping the GnuPG project, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, or answering questions on the mailing lists.

Many thanks to our numerous financial supporters, both corporate and individuals. Without you it would not be possible to keep GnuPG in a good and secure shape and to address all the small and larger requests made by our users. Thanks.

Happy hacking,

   Your GnuPG hackers

p.s.
This is an announcement only mailing list. Please send replies only to the gnupg-users'at'gnupg.org mailing list.

p.p.s
List of Release Signing Keys:

To guarantee that a downloaded GnuPG version has not been tampered by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. Current releases are signed by one or more of these four keys:

  rsa2048 2011-01-12 [expires: 2021-12-31]
  Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
  Werner Koch (dist sig)

  rsa2048 2014-10-29 [expires: 2020-10-30]
  Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06
  NIIBE Yutaka (GnuPG Release Key)

  rsa3072 2017-03-17 [expires: 2027-03-15]
  Key fingerprint = 5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

  ed25519 2020-08-24 [expires: 2030-06-30]
  Key fingerprint = 6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA
  Werner Koch (dist signing 2020)

The keys are available at <https://gnupg.org/signature_key.html> and in any recently released GnuPG tarball in the file g10/distsigkey.gpg . Note that this mail has been signed by a different key.
Re: Major problems with gpg and scdaemon, help highly appriciated
On Sat, 14 Nov 2020 21:28, 22h39 said:
> The problem lies in Pinentry which for some reason can't handle ccid
> pin requests on the contactless interface, after this fix the

Which reader and which ccid driver are you using? I assume that you are running pcscd, right?

Salam-Shalom,

   Werner
Re: Major problems with gpg and scdaemon, help highly appriciated
On Sat, 14 Nov 2020 11:22, Juergen Bruckner said:
> As far as I know the OpenPGP function of the OpenPGP-Card cannot be
> used via NFC / RFID. You need to use the on card chip and a card

In fact GnuPG does not support secure messaging and thus using the contactless interface would be a security problem.

Shalom-Salam,

   Werner
Re: How to change the protect cipher algorithm and the digest algorithm of the secret key?
On Thu, 12 Nov 2020 09:27, A NiceBoy said:
> 1. The solution is also in this report. Just install gpg version 2.0.x,

Don't! 2.0 reached end-of-life 3 years ago - there are no security fixes etc. You shall not use that version anymore.

> Then you can see the algo changed to AES256 and digest changed to SHA512.

If you want to convey secret keys do not rely on the passphrase protection of OpenPGP but use a secure transport channel. Which may be just a gpg encrypted file. The problem with the passphrase is that you need to transport a secure passphrase via another secured medium and in this case you can also transport the secret key with a "weaker" passphrase.

Whether you use SHA256 or SHA512 does not matter. The iteration count matters more but in any case you can't create better security from a weak passphrase - the iteration count is a failstop thing but not a proper cryptographic replacement for a weak passphrase.

Shalom-Salam,

   Werner
Re: Avoid recipient-compatibility SHA1
On Fri, 30 Oct 2020 00:10, Phil Pennock said:
> I just sent a message to N recipients, and I think one of them probably
> has some preference algorithm in their key details, because this one
> mail was signed using SHA1, not my defaults.

Fixed:

  commit 15746d60d492f5792e4a179ab0a08801b4049695
  Author: Werner Koch
  Date:   Mon Nov 2 13:39:58 2020 +0100

      gpg: Do not use weak digest algos if selected by recipient prefs.

      * g10/misc.c (is_weak_digest): New.
      (print_digest_algo_note): Use it here.
      * g10/sig-check.c (check_signature_end_simple): Use it.
      * g10/sign.c (hash_for): Do not use recipient_digest_algo if it is
      in the list of weak digest algorithms.
      --

      If a message is signed and encrypted to several recipients, the to
      be used digest algorithm is deduced from the preferences of the
      recipient. This is so that all recipients are able to check the
      signature. However, if the sender has declared an algorithm as
      weak, that algorithm shall not be used - in this case we fallback
      to the standard way of selecting an algorithm.

      Note that a smarter way of selecting the algo is to check this
      while figuring out the algorithm - this needs more testing and thus
      we do it the simple way.

or in short if any of the preferences would lead to a weak algo the feature of selecting the digest algo from the preferences is disabled.

I intend to put this also in to 2.2.24.

> recipient. That's fine. I'd rather create pressure for people to fix
> their systems to use modern cryptography than cater to their brokenness
> with sensitive messages.

People won't update their keys - that just does not work. Ignoring the preferences is a better way here.

Salam-Shalom,

   Werner
Re: Seeking help.
On Wed, 21 Oct 2020 18:59, Mike said:
> I had to recover gnupg file from a corrupted os. The contents of the gnupg
> file are encrypted and are not in openpgp data. So when I try to import my
> keys from 'private-keys-v1.d' nothing happens. Output says no openpgp data
> found and 0 items processed.

You simply restore the files from private-keys-v1. These are internal to gnupg and it is not possible or needed to import them. The format of the private key files is well specified and we take care to keep them compatible with all GnuPG 2 versions.

To make the restored private keys actually work you also need the public keys. Ask someone else or a keyserver to send you your public key if you don't have a backup. With the private keys in place gpg will be able to list them and be able to decrypt or sign data.

Salam-Shalom,

   Werner
Re: Dealing with duplicate keys
On Wed, 21 Oct 2020 23:52, Ludovic Courtès said:
> For some reason (perhaps a bug in a previous version of GnuPG I used
> long ago?), my public key ring had come to contain my own public key
> twice, with the same fingerprint and all.

Should not happen because we use on Unix a copy-to-temp/update/rename strategy. There are bugs of course and so there is no guarantee that it does not happen.

Eventually this will go away because 2.3 will come with the optional keyboxd daemon which uses sqlite and keeps a unique index on the primary key's fingerprint. It will also make things faster and more robust related to changes when running several gpg processes. Drawback is that we have yet another format to store keys.

> To recover from it, I deleted my public key with ‘--delete-key’ twice,
> ‘--delete-secret-key’ once for the corresponding secret key, and then
> re-imported both the public key and the secret key, which I had
> previously exported. Now everything is back to normal.

That is a sound fix. I am not aware of other reports but ppl might not have considered this a bug.

  kbxutil --find-dups pubring.kbx

should print a list of duplicate records. Take care: kbxutil is more of a debugging aid than a real tool.

While you spoke about easypg: I often have problems with it and it would be nice if we could find a maintainer for it. With the Emacs' new FFI a move to GPGME might also be an idea.

Shalom-Salam,

   Werner
Re: Why is Blowfish's key size limited to 128 bits in RFC 4880?
On Sat, 10 Oct 2020 03:00, Dieter Frye said:
> I've been using Blowfish on older machines for years now without issue and
> I always wondered if this is one of those things that could possibly
> benefit from an update.

Nope. I used Blowfish back then because it was the only free and modern algorithm. PGP didn't support it. Later, in 1998 we added Twofish and had to do a clean room implementation (kudos to Matthew Skala) because it was not clear whether the implementation was in the PD or compatible with the GPL. I asked Bruce Schneier during this period several times on whether he would suggest to use Twofish for OpenPGP and his answer depended a bit on his current mood.

Anyway, all these cipher algorithm competition is moot since everyone has agreed to use AES; formerly known as Rijndael which may have even been preferred over Twofish because of its non-US origin.

Salam-Shalom,

   Werner
Re: No single-page manual on gnupg.org
On Mon, 27 Jul 2020 03:02, Dmitry Alexandrov said:
> it would really help those, who do not use Emacs (itʼs odd, but there
> are such people!), if there would be single-page version of the manual
> (makeinfo --html --no-split ...) — just like all software on gnu.org

Please use the PDF version instead. It is easy to search in PDF files.

Shalom-Salam,

   Werner
Re: gpg bug
On Sun, 4 Oct 2020 18:28, Werner Koch said:
> On Tue, 23 Jun 2020 14:21, Brian L. Matthews said:
>
>> $ ./configure --prefix=$HOME/gnu
>> $ make
>>
>> successfully. However, on make check I found that it doesn't work if I
>> have a space in PATH. I do because VMWare Fusion adds
>
> Sure. That can't work. You need to quote the envvar:
>
> ./configure --prefix="$HOME"/gnu

Oops. The problem was PATH and not HOME. Anyway this has been fixed in 2.2.23 with commit b2590f2e47fe8ab7352a9e3769b195ff9f398dd7 . (I need to port this fix to master, though.)

Salam-Shalom,

   Werner
Re: gpg bug
On Tue, 23 Jun 2020 14:21, Brian L. Matthews said:
> $ ./configure --prefix=$HOME/gnu
> $ make
>
> successfully. However, on make check I found that it doesn't work if I
> have a space in PATH. I do because VMWare Fusion adds

Sure. That can't work. You need to quote the envvar:

  ./configure --prefix="$HOME"/gnu

Salam-Shalom,

   Werner
Re: agent refused operation when using GnuPG key for ssh
On Mon, 28 Sep 2020 23:54, Pankaj Jangid said:
> debug3: sign_and_send_pubkey: signing using rsa-sha2-512
> sign_and_send_pubkey: signing failed: agent refused operation

Algorithm looks okay. You need to look at the gpg-agent log. Put

  log-file /somewhere/gpg-agent.log
  verbose

into ~/.gnupg/gpg-agent.conf and restart the agent ("gpgconf --reload gpg-agent" should be sufficient). Run ssh again, check the log and post it.

What version of GnuPG are you running? ("gpg-agent --version").

Salam-Shalom,

   Werner
Re: Recovering private keys in a friend's GPG installation
On Mon, 21 Sep 2020 12:58, Andrew Engelbrecht said:
> private keys, and were merely left behind. If there is a way to check
> the fingerprint of the keys they belong to, and to import them, that
> would be super helpful. Is there a way to do that?

Unfortunately this is not instantly possible because the creation time is part of the fingerprint computation. We don't have a tool yet to do this. Needs to be written.

GnuPG 2.3 will record the creation time to make things easier in the future. For now you need to guess the time (the "protected-at" value in the key file might give a hint) and well, write a little tool to compute the fingerprint.

Salam-Shalom,

   Werner
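
A sketch of the "little tool" suggested above, restricted to RSA keys; it is an added example, not code from the original message or from GnuPG. It computes the OpenPGP v4 fingerprint (RFC 4880, section 12.2) for candidate creation times around a hint and compares each against a fingerprint known from elsewhere. Assumptions: the RSA parameters n and e have already been read from the key file, and the protected-at value has the form YYYYMMDDTHHMMSS in UTC.

```python
import hashlib
import struct
from datetime import datetime, timezone

RSA = 1  # OpenPGP public-key algorithm id for RSA (encrypt or sign)


def mpi(value):
    """OpenPGP MPI: two-octet bit count followed by the big-endian magnitude."""
    nbits = value.bit_length()
    return struct.pack(">H", nbits) + value.to_bytes((nbits + 7) // 8, "big")


def v4_fingerprint(created, n, e):
    """SHA-1 over 0x99, a two-octet length and the v4 public-key packet body.

    The body is: version (4), creation time (4 octets), algorithm id and
    the key material, which is why the creation time changes the result.
    """
    body = bytes([4]) + struct.pack(">I", created) + bytes([RSA]) + mpi(n) + mpi(e)
    data = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(data).hexdigest().upper()


def parse_protected_at(stamp):
    """Convert a protected-at string (assumed YYYYMMDDTHHMMSS, UTC) to epoch seconds."""
    parsed = datetime.strptime(stamp, "%Y%m%dT%H%M%S")
    return int(parsed.replace(tzinfo=timezone.utc).timestamp())


def find_creation_time(target_fpr, n, e, hint, window=86400):
    """Try timestamps around `hint`, nearest first, until the fingerprint matches.

    `target_fpr` is a fingerprint known from elsewhere (a keyserver, an old
    signature, a business card); spaces and case are ignored. Returns the
    matching creation time or None if nothing within `window` seconds fits.
    """
    target = target_fpr.replace(" ", "").upper()
    for delta in range(window + 1):
        for ts in {hint - delta, hint + delta}:
            if 0 <= ts <= 0xFFFFFFFF and v4_fingerprint(ts, n, e) == target:
                return ts
    return None


if __name__ == "__main__":
    # Constructed numbers for demonstration only, not a real RSA key.
    n = (1 << 2047) | 0x1234567
    e = 65537
    hint = parse_protected_at("20200921T105800")
    wanted = v4_fingerprint(hint - 37, n, e)   # pretend this came from a keyserver
    print(find_creation_time(wanted, n, e, hint, window=3600))
```

The creation time is normally at or shortly before protected-at, unless the passphrase was changed later, in which case the window has to be widened considerably.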
Re: how to suppress new "insecure passphrase" warning
On Thu, 17 Sep 2020 11:27, Alan Bram said:
> configuration, there was an already-running agent that I had to kill first
> in order to get it to reread the config.

Just for the records:

  gpgconf --reload gpg-agent

would have been sufficient but "gpgconf --kill gpg-agent" works of course also.

Salam-Shalom,

   Werner
Re: how to suppress new "insecure passphrase" warning
On Wed, 16 Sep 2020 15:03, Alan Bram said:
> I have been using gnupg for a few years now, with no change in the way I
> invoke it. Recently (I guess my package manager updated to a new version:
> 2.2.23) it started injecting a warning about "insecure passphrase" and
> suggesting that I ought to include a digit or special character.

Please check your configuration in gpg-agent.conf. Is there a

  min-passphrase-nonalpha

option set? Note that some external software may have modified your configuration.

Shalom-Salam,

   Werner
Re: private-keys-v1.d and preserve-permissions
On Thu, 10 Sep 2020 10:34, Martin Pätzold said:
> the keys, therefore we had to extend the permissions for the
> "private-keys-v1.d" directory to group access.

I see. Just a hint: You may use the remote socket feature to run gpg-agent under a different account. It might take a bit of effort to get the details right and make the system robust enough.

Salam-Shalom,

   Werner
Re: private-keys-v1.d and preserve-permissions
On Wed, 9 Sep 2020 19:37, Werner Koch said:
> I looked at the history and the reason for the described behaviour is
> documented at https://dev.gnupg.org/T2312. I re-opened that bug.

Fixed in master and 2.2 see the ticket above for the patch.

Salam-Shalom,

   Werner
Re: private-keys-v1.d and preserve-permissions
Hi,

I looked at the history and the reason for the described behaviour is documented at https://dev.gnupg.org/T2312. I re-opened that bug.

Shalom-Salam,

   Werner
Re: private-keys-v1.d and preserve-permissions
On Wed, 9 Sep 2020 15:22, Martin Pätzold said:
> And if the setting is not what I need, how can I prevent the
> permissions for "private-keys-v1.d" from changing?

The --preserve-permissions is a gpg option and not one of gpg-agent. In fact gpg does not know anything about private-keys-v1.d. And well, the gpg option does nothing because gpg has no control over secret keys. I will update the documentation to clarify that this is a dummy option.

Is there a special reason that you need to give group access to those files?

Salam-Shalom,

   Werner
Re: How to migrate my key from card to file?
On Sun, 6 Sep 2020 01:24, Olav Seyfarth said:
> private_stub.gpg, pubkey.gpg and sk_xxx.gpg.

The pubkey and the sk_KEYID.gpg is all you need but unfortunately there is no tool support to create a file from it. It would require a little bit of hacking to do this with the current code base.

The feature I would propose here is a way to create a private-keys-v1.d/xxx.key file from a sk_KEYID.gpg file. It should not be too much work and I can imagine that this will go into 2.3.

Can you please do me a favor and open a feature request at dev.gnupg.org ?

Salam-Shalom,

   Werner
[Announce] [security fix] GnuPG 2.2.23 released
for information on the signing keys. * If you are not able to use an existing version of GnuPG, you have to verify the SHA-1 checksum. On Unix systems the command to do this is either "sha1sum" or "shasum". Assuming you downloaded the file gnupg-2.2.23.tar.bz2, you run the command like this: sha1sum gnupg-2.2.23.tar.bz2 and check that the output matches the next line: bd949b4af7426e4afc13667d678503063c6aa4b5 gnupg-2.2.23.tar.bz2 c4435707bef33a612d54114f53837b19fcea38f5 gnupg-w32-2.2.23_20200903.tar.xz 489bc6de0a078248086f3214ca298dd6145ec497 gnupg-w32-2.2.23_20200903.exe Internationalization This version of GnuPG has support for 26 languages with Chinese (traditional and simplified), Czech, French, German, Japanese, Norwegian, Polish, Russian, and Ukrainian being almost completely translated. Documentation and Support = If you used GnuPG in the past you should read the description of changes and new features at doc/whats-new-in-2.1.txt or online at https://gnupg.org/faq/whats-new-in-2.1.html The file gnupg.info has the complete reference manual of the system. Separate man pages are included as well but they miss some of the details available only in thee manual. The manual is also available online at https://gnupg.org/documentation/manuals/gnupg/ or can be downloaded as PDF at https://gnupg.org/documentation/manuals/gnupg.pdf . You may also want to search the GnuPG mailing list archives or ask on the gnupg-users mailing list for advise on how to solve problems. Most of the new features are around for several years and thus enough public experience is available. https://wiki.gnupg.org has user contributed information around GnuPG and relate software. In case of build problems specific to this release please first check https://dev.gnupg.org/T5045 for updated information. Please consult the archive of the gnupg-users mailing list before reporting a bug: <https://gnupg.org/documentation/mailing-lists.html>. 
We suggest to send bug reports for a new release to this list in favor of filing a bug at <https://bugs.gnupg.org>. If you need commercial support go to <https://gnupg.com> or <https://gnupg.org/service.html>.

If you are a developer and you need a certain feature for your project, please do not hesitate to bring it to the gnupg-devel mailing list for discussion.

Thanks
======

Since 2001 maintenance and development of GnuPG is done by g10 Code GmbH and currently mostly financed by donations. Two full-time employed developers as well as two contractors exclusively work on GnuPG and closely related software like Libgcrypt, GPGME and Gpg4win.

We like to thank all the nice people who are helping the GnuPG project, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, or answering questions on the mailing lists.

Many thanks to our numerous financial supporters, both corporate and individuals. Without you it would not be possible to keep GnuPG in a good and secure shape and to address all the small and larger requests made by our users. Thanks.

Special thanks to Andreas Stieger for reporting a bug and providing detailed information for us to track this down.

Happy hacking,

   Your GnuPG hackers

p.s.
This is an announcement only mailing list. Please send replies only to the gnupg-users'at'gnupg.org mailing list.

p.p.s
List of Release Signing Keys:

To guarantee that a downloaded GnuPG version has not been tampered by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners.
Current releases are signed by one or more of these four keys:

  rsa2048 2011-01-12 [expires: 2021-12-31]
  Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
  Werner Koch (dist sig)

  rsa2048 2014-10-29 [expires: 2020-10-30]
  Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06
  NIIBE Yutaka (GnuPG Release Key)

  rsa3072 2017-03-17 [expires: 2027-03-15]
  Key fingerprint = 5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

  ed25519 2020-08-24 [expires: 2030-06-30]
  Key fingerprint = 6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA
  Werner Koch (dist signing 2020)

The keys are available at <https://gnupg.org/signature_key.html> and in any recently released GnuPG tarball in the file g10/distsigkey.gpg . Note that this mail has been signed by a different key.
Re: gnupg --fetch-key problems
On Tue, 1 Sep 2020 14:27, Björn Jacke said:

> I talked with Wiktor about the http 1.0 issue in gpg and he also
> mentioned that a number of weird problems that people have reported with
> WKD in the past might be related to gpg talking http 1.0 only.

And what are with those servers which don't support 1.1? Will that be more than those 1.1 servers disabling 1.0 without any valid reasons? There is more HTTP infrastructure out there than the standard servers.

RFC-7230 explicitly describes the versioning scheme and how it shall be used. Dirmngr does not feature the required 1.1 parts and thus it is not okay to enable 1.1.

> You didn't mention the suggested libcurl yet - if you would use that you

We are glad that we could remove most of the duplicated code and library duplication from the GnuPG code base. Adding libcurl would pull in for example OpenSSL, GnuTLS, GMP, Hogweed/Nettle, Kerberos, P11 Kit, and libgcrypt. The latter might even be a different version than what GnuPG uses which is a very brittle thing and should be avoided.

Granted, the standard Dirmngr on Linux also pulls in libldap and a respective crypto lib which is not good either. Any hints on hooks in libldap to avoid this would be very appreciated. Maybe we may need to get back to a helper process for ldap.

> would not have to worry about the details of how to implement more
> modern http protocols in gpg.

We use only very basic HTTP features and won't follow any fashionable new things - there is just no need for it and will only break things.

Well, if people voluntarily break their HTTP infrastructure I would like to learn what reasons are given for that. Complexity is the worst enemy of security.

Shalom-Salam,

   Werner
Re: gnupg --fetch-key problems
On Mon, 31 Aug 2020 02:48, Ángel said:

> HTTP/1.1 would require support for things that currently may not be
> present, such as chunked transfer encodings, whereas HTTP/1.0 is

That is for the server site but not for the client. IIRC, the only mandatory request header a client has is "Host:". This is optional in 1.0 but we have always sent this.

I see no benefit for requiring 1.1 and also no reason why a site should block 1.0 - that would be a pretty lame DoS mitigation because bots could also send 1.1 without any problems but don't do so because it is not needed.

> I agree it should provide an User-Agent, though.

There is no User-Agent header to minimize the amount of identifiable information. You want a User-Agent header to make debugging requests easier?

Salam-Shalom,

   Werner
Re: [Announce] GnuPG 2.2.22 released
Hi!

As a workaround please run

  gpg --card-status

after plugging in a Gnuk token. We are working on a fix; see https://dev.gnupg.org/T5039

Shalom-Salam,

   Werner
Re: Brace yourself: User-friendly but broken OpenPGP is here
On Sun, 30 Aug 2020 00:50, Johan Wevers said:

> Sorry, I see from Vincent's mail that GnuPG already does this but it
> might be the keycard that is causing this.

Right, smartcards are pretty strict in what they accept as input. Thus you can't use certain keys on a smartcard for different purposes. In particular the signing key, which is in most cases also the primary key, allows only signing and even checks the padding.

I am not sure whether this works, but the OP could try

  gpg --try-all-secrets -vd

From the man page:

  --try-all-secrets

     Don't look at the key ID as stored in the message but try all secret keys in turn to find the right decryption key. This option forces the behaviour as used by anonymous recipients (created by using --throw-keyids or --hidden-recipient) and might come handy in case where an encrypted message contains a bogus key ID.

Shalom-Salam,

   Werner
Re: [Announce] GnuPG 2.2.22 released
On Fri, 28 Aug 2020 21:39, mlnl said:

> For Claws i had compiled and installed gpgme-1.12.1. I'm using a Yubikey
> for key storage & usage. Works flawless with GnuPG 2.2.21.

Please run this command:

  gpg-connect-agent 'scd getinfo version' /bye

and check that the returned version is 2.2.22. Also run the gpg command with option --verbose to get more diagnostics.

Salam-Shalom,

   Werner
[Announce] GnuPG 2.2.22 released
". Assuming you downloaded the file gnupg-2.2.22.tar.bz2, you run the command like this:

     sha1sum gnupg-2.2.22.tar.bz2

   and check that the output matches the next line:

6afc2f6b20d42f243d039a1f19abde6d55b7632e  gnupg-2.2.22.tar.bz2
849577288146cda3befc6a024ba8a4a225a8f070  gnupg-w32-2.2.22_20200827.tar.xz
4d080669656b108fb9f2d7be11043ca01d67a6e4  gnupg-w32-2.2.22_20200827.exe

Internationalization
====================

This version of GnuPG has support for 26 languages with Chinese (traditional and simplified), Czech, French, German, Japanese, Norwegian, Polish, Russian, and Ukrainian being almost completely translated.

Documentation and Support
=========================

If you used GnuPG in the past you should read the description of changes and new features at doc/whats-new-in-2.1.txt or online at

  https://gnupg.org/faq/whats-new-in-2.1.html

The file gnupg.info has the complete reference manual of the system. Separate man pages are included as well but they miss some of the details available only in the manual. The manual is also available online at

  https://gnupg.org/documentation/manuals/gnupg/

or can be downloaded as PDF at

  https://gnupg.org/documentation/manuals/gnupg.pdf .

You may also want to search the GnuPG mailing list archives or ask on the gnupg-users mailing list for advice on how to solve problems. Most of the new features are around for several years and thus enough public experience is available. https://wiki.gnupg.org has user contributed information around GnuPG and related software.

In case of build problems specific to this release please first check https://dev.gnupg.org/T5030 for updated information.

Please consult the archive of the gnupg-users mailing list before reporting a bug: <https://gnupg.org/documentation/mailing-lists.html>. We suggest to send bug reports for a new release to this list in favor of filing a bug at <https://bugs.gnupg.org>. If you need commercial support go to <https://gnupg.com> or <https://gnupg.org/service.html>.
If you are a developer and you need a certain feature for your project, please do not hesitate to bring it to the gnupg-devel mailing list for discussion.

Thanks
======

Since 2001 maintenance and development of GnuPG is done by g10 Code GmbH and currently mostly financed by donations. Two full-time employed developers as well as two contractors exclusively work on GnuPG and closely related software like Libgcrypt, GPGME and Gpg4win.

We like to thank all the nice people who are helping the GnuPG project, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, or answering questions on the mailing lists.

Many thanks to our numerous financial supporters, both corporate and individuals. Without you it would not be possible to keep GnuPG in a good and secure shape and to address all the small and larger requests made by our users. Thanks.

Happy hacking,

   Your GnuPG hackers

p.s.
This is an announcement only mailing list. Please send replies only to the gnupg-users'at'gnupg.org mailing list.

p.p.s
List of Release Signing Keys:

To guarantee that a downloaded GnuPG version has not been tampered by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners.
Current releases are signed by one or more of these four keys:

  rsa2048 2011-01-12 [expires: 2021-12-31]
  Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
  Werner Koch (dist sig)

  rsa2048 2014-10-29 [expires: 2020-10-30]
  Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06
  NIIBE Yutaka (GnuPG Release Key)

  rsa3072 2017-03-17 [expires: 2027-03-15]
  Key fingerprint = 5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

  ed25519 2020-08-24 [expires: 2030-06-30]
  Key fingerprint = 6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA
  Werner Koch (dist signing 2020)

The keys are available at <https://gnupg.org/signature_key.html> and in any recently released GnuPG tarball in the file g10/distsigkey.gpg . Note that this mail has been signed by a different key.
Re: Unknown key in gpg-agent
Hi!

it works for me:

  $ ~/b/gnupg-2.2/g10/gpg -k \&E9CAF66DDA858EE60D654C864BB8E12E41C78242
  gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
  gpg: It is only intended for test purposes and should NOT be
  gpg: used in a production environment or with production keys!
  pub   rsa4096 2011-05-16 [C] [expires: 2050-12-31]
        85D4CA42952C949B175362B379D0B06F4E20AF1C
  [...]

The difference is that you use the legacy pubring.gpg and I use the pubring.kbx. It is quite possible that keygrip based lookup does not work with the old format - I have not checked. Try this:

--8<---------------cut here---------------start------------->8---
cd ~/.gnupg
gpg --export-options backup --export >allkeys.gpg
mv pubring.gpg pubring.gpg-saved
gpg --import-options restore --import <allkeys.gpg
--8<---------------cut here---------------end--------------->8---

Salam-Shalom,

   Werner
Re: Why does gpg -k write to tofu.db?
On Tue, 11 Aug 2020 14:56, Brian Minton said:

> Why does gpg -k need to write to the tofu db? I should mention that gpg
> is running at 100% cpu in the R state. Before starting the gpg -k

I was not able to replicate it but I must say that I don't have a large useful tofu.db. AFAICS, gpg sometimes updates the tofu.db to track expired bindings. You can have a closer look at it by running

  gpg -k --debug trust

or to disable updates by using

  gpg -k --dry-run

I suspect that the TOFU database scheme is not well suited for large number of keys. In particular not if several gpg processes are running. I also don't like that it stores meta data of all signatures ever verified.

Revamping the tofu stuff is on my list but I have not yet found the time (as usual). The Tofu information should be stored along the key and not in a separate database with all its transaction overhead. The optional keyboxd we will provide in 2.3 may help to solve the problems.

Salam-Shalom,

   Werner
Re: Unknown key in gpg-agent
On Fri, 14 Aug 2020 14:31, Klaus Ethgen said:

> However, `gpg --list-keys --list-options show-unusable-subkeys
> --with-keygrip` does not display this keygrip.

You can also use

  gpg -k \&KEYGRIP

to list a key. And with gpgsm use

  gpgsm -k --with-ephemeral-keys \&KEYGRIP

to see whether there is such a key.

> Is there any possibility to export that key or get info about that key,
> find it whatever?

Make a backup of the key and if sometime in the future you run into decrypt problems (or trying to connect to some rarely used server) restore it.

> So, ssh-add does not show the key (as well as KEYINFO --ssh-list) and
> gpg doesn't show the key. What could have put that key there when it is
> none of that commands?

A canceled or crashed key generation or import might be the culprit.

> By the way, using '&KEYGRIP' does not work with gpg to select a key for
> listing by keygrip.

Just to be sure, you quoted the ampersand, right? It works for me and some GnuPG components are using it a lot. Just a quick test:

  $ ~/b/gnupg-2.2/g10/gpg -k \&1BFC2CF9BC9C265E6D3CC6B966C883722C5256C8
  gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
  gpg: It is only intended for test purposes and should NOT be
  gpg: used in a production environment or with production keys!
  pub   ed25519 2020-08-24 [SC] [expires: 2030-06-30]
        6DAA6E64A76D2840571B4902528897B826403ADA
  uid           [ultimate] Werner Koch (dist signing 2020)

using my development version of 2.2 but I can't remember that we ever had a regression. It is a bit slow on a larger keyring, though.

Shalom-Salam,

   Werner
Re: In case you use OpenPGP on a smartphone ...
On Thu, 20 Aug 2020 00:36, Johan Wevers said:

> You mean like the conspiracy myth that the NSA was eavesdropping on
> everyone, whether they were allowed to or not? Yes, that was not
> supported by facts (before the Snowden revelations) so it must have been

There have been technical facts around for a long time. Examples are the Interception Report 2000 to the European Parliament and later a testimony from an AT&T employee. Checkout cryptome.org ;-)

Snowden then provided internal NSA documents as final evidence.

Shalom-Salam,

   Werner
Re: gpg-agent support for GNUPGHOME and systemd
Hi!

On Wed, 19 Aug 2020 23:19, Ben Fiedler said:

> % gpgconf --dry-run --create-socketdir
> gpgconf: socketdir is '/run/user/1000/gnupg/d.6oynbz4mc38pz8n5gyedka7a'
> gpgconf: non-default homedir
>
> This is pretty unexpected to me, why is this the case? And is there a
> way to mitigate this behaviour?

It should be obvious that for a different homedirectory GnuPG also requires a different socket. Thus we hash the name of the homedir and append it to the standard directory for sockets.

The ~/.gnupg file name is pretty important and there is no way to change this to something different without breaking a lot of stuff. You can simply use a symlink, though. That is how I handle this with .gnupg being stored on a g13 encrypted partition.

Salam-Shalom,

   Werner
Re: Accidentally deleted ~/.gnupg/pubring.gpg
On Sun, 16 Aug 2020 04:33, renws said:

> And I don't have any backup of my public key, so I would like to know
> whether it's possible to decrypt my files (I've still got
> ~/.gnupg/private-keys-v1.d, which I think stores my private key?).

If you just want to decrypt your files, you can do this:

- Create a new key, best using the mail address you used in your lost key.

- Add a subkey so you can decrypt old data, for example

    $ gpg --expert --edit-key NEWKEYID
    Secret key is available.

    [Prints info about that key]

    gpg> addkey
    Please select what kind of key you want:
       (3) DSA (sign only)
       (4) RSA (sign only)
       (5) Elgamal (encrypt only)
       (6) RSA (encrypt only)
       (7) DSA (set your own capabilities)
       (8) RSA (set your own capabilities)
      (10) ECC (sign only)
      (11) ECC (set your own capabilities)
      (12) ECC (encrypt only)
      (13) Existing key
      (14) Existing key from card
    Your selection? 13
    Enter the keygrip:

  here you need to enter the keygrip of your lost key. That is the name of the file in private-keys-v1.d/ without the ".key" suffix. With your new key you should have 4 files in that directory, check the date to pick the right one; if it does not work, you picked the signing key and not the encryption key. Start over in this case.

  Enter "save" and you have a new encryption subkey which matches the old one mathematically.

- To decrypt with the new/old file you need to add the option: --try-all-secrets

The last point is an obvious drawback but it is the easiest way to get to your data.

Salam-Shalom,

   Werner
Re: WKD - .onion redirects mapping
On Mon, 27 Jul 2020 15:01, Phil Pennock said:

> My understanding is that for .onion hostname services they already have
> security equivalent to TLS providing privacy in their direct links onto

Yes, privacy. But that is just a welcome side-effect. What we need is that the domain is authenticated so that we can consider the key to be valid at a certain level. I see no way how you can do this via an anonymizer because the two goals are in contradiction.

Shalom-Salam,

   Werner
Re: WKD question
On Sun, 2 Aug 2020 07:38, Dmitry Alexandrov said:

> I dunno why @w...@gnupg.org did that, but whatever his reasons were, the
> fact that he was _able_ to do that, is exactly the key reason why

I have a post-it on my CA laptop to add a signing subkey to my new key, I should really do that soon. Because ed25519 was not in widespread use when I created the key in 2018 I decided to use it only for encryption for some time and add a signing key later.

> BTW, does anyone remember, how to command gpg(1) to print the above in
> a human-readable format? There was some incantation, IIRC, but GPGʼs

  gpg --locate-external-key -v f...@example.org

looks up f...@example.org even if a key with that user id already exists. It then imports the key and lists it with all existing user ids. The -v is there to get information on how f...@example.org was retrieved.

Salam-Shalom,

   Werner
Re: "skipped: Unusable public key"
On Mon, 27 Jul 2020 15:52, Ayoub Misherghi said:

> ayoub@vboxpwfl:~/testdir$ gpg -r sentry -e textfile
>
> gpg: sentry: skipped: Unusable public key
> gpg: textfile: encryption failed: Unusable public key

There is no key with a user id "sentry" which has a key capable of encryption ([E]). I agree that the diagnostic could be better.

Shalom-Salam,

   Werner
Re: question regarding using gpg to verify a file from a .sign file
On Fri, 24 Jul 2020 19:30, Semih Ozlem said:

> when I run the command
>
> gpg --verify SHAxSUM.sign SHAxSUM
>
> I get the following message
>
> gpgv: unknown type of key resource 'trustedkeys.kbx'

As you can see by the error message ("gpgv:...") you invoked the gpgv tool and not the gpg tool as you showed above.

Shalom-Salam,

   Werner
Re: Why is there no secret key?
On Sun, 26 Jul 2020 13:25, Ayoub Misherghi said:

> I am not asked for pass phrase.

Right; that is because:

> # Lines uncommented in $HOME/.gnupg/gpg-agent.conf
> log-file $HOME/gpg-log.txt
> # The same thing happens when I comment this line out
> allow-loopback-pinentry
>
> batch

of the "batch" option. This option should in general not be used for gpg-agent.

> # Lines uncommented in $HOME/.gnupg/gpg.conf
>
> batch

Do not put this option into the conf file. All kind of stuff won't work; --batch is used case-by-case on the command line.

Salam-Shalom,

   Werner
Re: Passphrase Pop up
On Mon, 27 Jul 2020 02:41, Dmitry Alexandrov said:

> GnuPG version 3 does not exist yet. The stable release is 2.2.21.

The OP probably meant Gpg4win 3.1.12 which is our Windows installer featuring GnuPG 2.2.21, Kleopatra, and our Outlook plugin.

Shalom-Salam,

   Werner
Re: Newbie question.
On Sun, 26 Jul 2020 12:59, Ayoub Misherghi said:

> The moderators on this list (I do not know who they are) have been
> tyrannical excluding some of my posts; I am not bitter or resentful. I

This mailing list is not moderated and thus your posts are not excluded by any moderator. The only automatic rejection we have are for too long posts.

In some very rare cases we set the moderation flag for a specific user but that is announced on the list. I just checked that it is not the case for you.

What our helpful moderators are mainly doing is to allow posts from non-subscribers.

Please calm down and don't spread unjustified accusations.

Salam-Shalom,

   Werner
Re: Is this supposed to happen?
On Fri, 17 Jul 2020 09:17, Ayoub Misherghi said:

> Is this supposed to happen?

Yes. As almost all Unix tools, gpg defaults to take input from stdin and writes output to stdout. Because you did not use --armor the output is binary and messes up your tty.

The reason why you already get some output despite that you have nothing typed in yet (stdin is per default the current tty) is due to buffering: gpg already outputs the OpenPGP header data (encrypted session key) and now waits for the actual data to show up at stdin.

Salam-Shalom,

   Werner
Re: Detached signature file.
On Thu, 16 Jul 2020 20:52, Ayoub Misherghi said:

> Is it possible to add content to a detached signature file?

You may add other detached signatures (for the same file) by simply concatenating them. See the attached script for an example.

In case you meant whether you can add meta data, see the option --set-notation.

Shalom-Salam,

   Werner

#!/bin/sh
# Append a signature to an existing detached signature.
# Copyright (C) 2016 g10 Code GmbH
#
# This file is free software; as a special exception the author gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

set -e

PGM="$(basename $0)"
GPGV=gpgv

# Prints usage information.
# NOTE: the usage text and the start of the option loop were lost in the
# archived copy; the lines from "cat" down to the first "usage 1" are a
# minimal reconstruction.
usage()
{
    cat <<EOF
Usage: $PGM [--verbose] TARBALL NEWSIG
Append the detached signature NEWSIG to TARBALL.sig.
EOF
    exit $1
}

verbose=""
while [ $# -gt 0 ]; do
    case "$1" in
        --verbose) verbose="--verbose" ;;
        --help) usage 0 ;;
        -*) usage 1 1>&2 ;;
        *) break; ;;
    esac
    shift
done
if [ $# -ne 2 ]; then
    usage 1 1>&2
fi

tarball="$1"
tarballsig="$1".sig
newsig="$2"
[ -n "$verbose" ] && echo "tarball: $tarball"
[ -n "$verbose" ] && echo "sig ...: $tarballsig"
[ -n "$verbose" ] && echo "newsig : $newsig"

if ! $GPGV --version >/dev/null 2>/dev/null ; then
    echo "${PGM}: Command \"gpgv\" is not installed" >&2
    exit 1
fi

# Locate the keyring with the release signing keys.
distsigkey="/usr/local/share/gnupg/distsigkey.gpg"
if [ ! -f "$distsigkey" ]; then
    distsigkey="/usr/share/gnupg/distsigkey.gpg"
fi
if [ ! -f "$distsigkey" ]; then
    echo "${PGM}: File \"$distsigkey\" is not installed" >&2
    exit 1
fi

# Both the existing and the new signature must verify on their own.
if ! $GPGV $verbose --keyring "$distsigkey" \
     -- "$tarballsig" "$tarball" 2>/dev/null ; then
    echo "${PGM}: Existing signature '$tarballsig' does not verify" >&2
    exit 1
fi

if ! $GPGV $verbose --keyring "$distsigkey" \
     -- "$newsig" "$tarball" 2>/dev/null; then
    echo "${PGM}: New signature '$newsig' does not verify" >&2
    exit 1
fi

# Concatenate, then verify the combined signature file.
cat "$newsig" >> "$tarballsig"

if ! $GPGV $verbose --keyring "$distsigkey" \
     -- "$tarballsig" "$tarball"; then
    echo "${PGM}: Update signature '$tarballsig' does not verify" >&2
    exit 1
fi
Re: Multiple UIDs or multiple master keys?
On Wed, 15 Jul 2020 11:03, Ingo Klöcker said:

> But it will create problems for people who want to send you encrypted
> messages
> because there's no way for them to know which of the encryption subkeys to
> use. You may work around this by making sure that the non-personal encryption

BTW, I was once considering to add notations to the subkeys and then let gpg select a subkey based on the "--sender me@mydomain" option. This would solve the problem. It will make things even more complex so it is unlikely that this will be implemented.

So indeed, I would also suggest to use different keys for different rules.

Shalom-Salam,

   Werner
Re: Accidentally deleted ~/.gnupg/pubring.gpg
On Sat, 11 Jul 2020 13:33, MFPA said:

> If the OP just wants to decrypt previously encrypted data, wouldn't
> the options --try-secret-key or --try-all-secrets work in this
> situation?

Yes, I think this should work. Have not looked into it, though.

Salam-Shalom,

   Werner
[Announce] GnuPG 2.2.21 released
1fc5e98f82b7288ad4e0716afa3a gnupg-w32-2.2.21_20200709.tar.xz
e707e54bc57f19704a5e302119ea4d509486892f  gnupg-w32-2.2.21_20200709.exe

Internationalization
====================

This version of GnuPG has support for 26 languages with Chinese (traditional and simplified), Czech, French, German, Japanese, Norwegian, Polish, Russian, and Ukrainian being almost completely translated.

Documentation and Support
=========================

If you used GnuPG in the past you should read the description of changes and new features at doc/whats-new-in-2.1.txt or online at

  https://gnupg.org/faq/whats-new-in-2.1.html

The file gnupg.info has the complete reference manual of the system. Separate man pages are included as well but they miss some of the details available only in the manual. The manual is also available online at

  https://gnupg.org/documentation/manuals/gnupg/

or can be downloaded as PDF at

  https://gnupg.org/documentation/manuals/gnupg.pdf .

You may also want to search the GnuPG mailing list archives or ask on the gnupg-users mailing list for advice on how to solve problems. Most of the new features are around for several years and thus enough public experience is available. https://wiki.gnupg.org has user contributed information around GnuPG and related software.

In case of build problems specific to this release please first check https://dev.gnupg.org/T4897 for updated information.

Please consult the archive of the gnupg-users mailing list before reporting a bug: <https://gnupg.org/documentation/mailing-lists.html>. We suggest to send bug reports for a new release to this list in favor of filing a bug at <https://bugs.gnupg.org>. If you need commercial support go to <https://gnupg.com> or <https://gnupg.org/service.html>.

If you are a developer and you need a certain feature for your project, please do not hesitate to bring it to the gnupg-devel mailing list for discussion.

Thanks
======

Maintenance and development of GnuPG is mostly financed by donations.
The GnuPG project currently employs two full-time developers and one contractor. They all work exclusively on GnuPG and closely related software like Libgcrypt, GPGME and Gpg4win.

We have to thank all the people who helped the GnuPG project, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, and answering questions on the mailing lists.

Many thanks to our numerous financial supporters, both corporate and individuals. Without you it would not be possible to keep GnuPG in a good and secure shape and to address all the small and larger requests made by our users. Thanks.

Happy hacking,

   Your GnuPG hackers

p.s.
This is an announcement only mailing list. Please send replies only to the gnupg-users'at'gnupg.org mailing list.

p.p.s
List of Release Signing Keys:

To guarantee that a downloaded GnuPG version has not been tampered by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. Current releases are signed by one or more of these three keys:

  rsa2048 2011-01-12 [expires: 2021-12-31]
  Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
  Werner Koch (dist sig)

  rsa2048 2014-10-29 [expires: 2020-10-30]
  Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06
  NIIBE Yutaka (GnuPG Release Key)

  rsa3072 2017-03-17 [expires: 2027-03-15]
  Key fingerprint = 5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

The keys are available at <https://gnupg.org/signature_key.html> and in any recently released GnuPG tarball in the file g10/distsigkey.gpg . Note that this mail has been signed by a different key.
Re: Decryption stalling after SIGINT
On Tue, 7 Jul 2020 18:05, Andrew Pennebaker said:

> I am seeing some strange behavior with gpg --decrypt . I had to
> lookup a password recently, and so naturally pressed Control+C to cancel
> the prompt. However, when gpg terminated, it did not fully cleanup the

This will terminate gpg and thus the connection to gpg-agent. However, depending on the type of the pinentry it may happen that the pinentry is still active and you did not notice that. It will eventually time out and a new pinentry can come up; a complete deadlock should not happen, even not on macOS.

Please run the gpg commands with option --verbose so you should be notified about active pinentries; for example:

  gpg: pinentry launched (5591 gtk2 1.1.1-beta29 /dev/pts/123 xterm [...]

If this does not reveal anything add --debug ipc to the gpg invocation and you will see the communication between gpg and gpg-agent and possibly with dirmngr (for network actions).

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: Accidentally deleted ~/.gnupg/pubring.gpg
On Tue, 7 Jul 2020 22:22, Stefan Claas said:

> Mmmhhh, I was under the impression when he still has the secret key that
> he exports his secret-key (makes a back-up, just in case) re-imports

The gpg-agent does not store the OpenPGP secret keyblock. In fact that is only created when you run a gpg --export-secret-key. The agent stored the bare numbers required for the crypto operations and nothing else - it is protocol agnostic.

Sure, you can create a new public or (with --export-secret-key) secret key from that but it won't have the same preference, creation date, expire date and so on. Even the fingerprint will be different because the creation date is part of the fingerprint computation. That latter is the reason why the OpenPGP card stored the creation date of the key, so that the fingerprint can be re-computed from the bare numbers.

If you know the fingerprint it is of course easy to find the creation date; that are at worst a mere 710 million hashes (from 1998 to now). It is just that we don't have the tooling.

To make things easier I will probably store the creation date as meta data along with the bare numbers in the forthcoming 2.3.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
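The creation-date search mentioned in the message above, as an added example that is not code from GnuPG or from the post: it computes an OpenPGP version 4 fingerprint as RFC 4880 defines it and walks a time window until the known fingerprint matches. The RSA numbers are constructed stand-ins (not a real key) and all function names are hypothetical.

```python
import hashlib
import struct
from datetime import datetime, timezone

RSA = 1  # OpenPGP public-key algorithm ID for RSA


def mpi(n):
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def v4_fingerprint(created, algo, material):
    """SHA-1 over 0x99, 2-byte length, then the public key packet body:
    version (4), 4-byte creation time, algorithm ID, algorithm-specific MPIs."""
    body = b"\x04" + struct.pack(">I", created) + bytes([algo]) + material
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


def recover_creation_time(fingerprint, algo, material, start, end):
    """Return the creation time in [start, end] (Unix seconds) that reproduces
    the fingerprint for the given bare numbers, or None if there is none."""
    target = bytes.fromhex(fingerprint.replace(" ", ""))
    body_len = 1 + 4 + 1 + len(material)
    # Only the 4 timestamp bytes vary, so the fixed header is hashed once.
    prefix = hashlib.sha1(b"\x99" + struct.pack(">H", body_len) + b"\x04")
    suffix = bytes([algo]) + material
    for t in range(start, end + 1):
        h = prefix.copy()
        h.update(struct.pack(">I", t) + suffix)
        if h.digest() == target:
            return t
    return None


# Constructed 2048-bit stand-in for the modulus n and the usual exponent e.
# These only play the role of the "bare numbers"; they are not a usable key.
CONSTRUCTED_N = int.from_bytes(
    hashlib.sha256(b"constructed modulus").digest() * 8, "big") | (1 << 2047) | 1
CONSTRUCTED_E = 65537
MATERIAL = mpi(CONSTRUCTED_N) + mpi(CONSTRUCTED_E)


def demo():
    """Derive a fingerprint for a known date, then find the date again from
    the fingerprint alone by searching one day on either side."""
    created = int(datetime(2020, 7, 1, 12, 0, tzinfo=timezone.utc).timestamp())
    fpr = v4_fingerprint(created, RSA, MATERIAL)
    day = 86400
    found = recover_creation_time(fpr, RSA, MATERIAL, created - day, created + day)
    return created, fpr, found


if __name__ == "__main__":
    created, fpr, found = demo()
    print(fpr, created, found)
```

Searching from 1998 onwards is the same loop over a wider range, one SHA-1 per candidate second.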
Re: gpg: keyserver refresh failed: No keyserver available
On Mon, 6 Jul 2020 09:11, Jerry said:

> gpg2 --refresh-keys
> gpg: enabled debug flags: memstat
> gpg: refreshing 168 keys from hkp://pool.sks-keyservers.net
> gpg: keyserver refresh failed: No keyserver available

Please add in the error case always the --verbose option which may yield more diagnostics. For network related problems, it is best to enable logging for dirmngr: Put

--8<---cut here---start->8---
log-file /foo/bar/dirmngr.log
verbose
debug ipc
--8<---cut here---end--->8---

into ~/.gnupg/dirmngr.conf and

  gpgconf --kill dirmngr

(see watchgnupg(1) for a consolidated debug output of all components)

If the output does not show anything helpful, add more debug options:

  debug ipc,network,dns

will give you a trace of all requests to dirmngr (ipc), Network connections and data (network), and DNS lookups (dns).

  dirmngr --debug help

gives a list of such debug options. Sometimes it is required to either add the option "disable-ipv4" or "disable-ipv6" to dirmngr.conf. After changing any dirmngr option better restart dirmngr as described above.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: Accidentally deleted ~/.gnupg/pubring.gpg
On Mon, 6 Jul 2020 09:58, renws said:

> Thanks for your reply. However I've never uploaded the public key to
> any keyservers, is it possible to recover the public key from the
> private key (I still have ~/.gnupg/private-keys-v1.d)?

If you really can't find a backup of the public key you can create a new key compatible to the old key. There is no instant way to do this and it requires quite some manual work now; for example you need to figure out the exact key creation time to get the same fingerprint. Decryption can be done simpler.

The upshot is that you better create a fresh new key and use the manual restore process only if you need to decrypt important data (but in that case you should have created a backup in the first place ;-).

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
[Announce] Libgcrypt 1.8.6 released
rate and individuals. Without you it would not be possible to keep GnuPG in a good shape and to address all the small and larger requests made by our users. Thanks.

Happy hacking,

   Your GnuPG hackers

p.s.
This is an announcement only mailing list. Please send replies only to the gcrypt-devel'at'gnupg.org mailing list.

p.p.s
List of Release Signing Keys:

To guarantee that a downloaded GnuPG version has not been tampered by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. Current releases are signed by one or more of these three keys:

  rsa2048 2011-01-12 [expires: 2021-12-31]
  Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
  Werner Koch (dist sig)

  rsa2048 2014-10-29 [expires: 2020-10-30]
  Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06
  NIIBE Yutaka (GnuPG Release Key)

  rsa3072 2017-03-17 [expires: 2027-03-15]
  Key fingerprint = 5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

The keys are available at <https://gnupg.org/signature_key.html> and in any recently released GnuPG tarball in the file g10/distsigkey.gpg . Note that this mail has been signed by a different key.

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: decrypt aes256 encrypted file without gpg-agent
On Tue, 30 Jun 2020 00:55, Johan Wevers said:

>> Do not use 1.4 unless you have to decrypt old non-MDC protected data or
>> data encrypted to a legacy v3 key.
>
> Do not break backwards compatibility if you want all people to upgrade.

Do not update so that the bad guys can exploit your legacy software ;-)

There are well documented reasons why we don't support MDC and PGP3 keys anymore - it was complex to support and virtually impossible to make sure that the message has not been tampered with. See the discussion around EFFail of MUAs using gpg in a brittle and insecure way.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: decrypt aes256 encrypted file without gpg-agent
On Mon, 29 Jun 2020 13:07, vedaal said:

> otherwise , just use GnuPG 1.4.x , and unless you ever need an

Do not use 1.4 unless you have to decrypt old non-MDC protected data or data encrypted to a legacy v3 key.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: decrypt aes256 encrypted file without gpg-agent
On Sun, 28 Jun 2020 16:24, Robert J. Hansen said:

> GnuPG sees the symmetrically encrypted message and knows it needs to
> recover/derive a key. It calls gpg-agent, which in turn calls pinentry.

In addition gpg-agent also takes care of caching passphrases which makes even symmetric encryption more convenient. It is also used to figure out a suitable number of hash iterations to make new symmetric passphrase encryption stronger - this can't be done by a plain command line tool.

In theory it is possible to pass a set of options to avoid the use of gpg-agent for plain symmetric encryption but as soon as any pubkey key is used as an alternative to the symmetric encryption the agent is required to check whether a private key exists. From engineering and security POVs it does not make sense to special case very rare use cases.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: decrypt aes256 encrypted file without gpg-agent
On Fri, 26 Jun 2020 09:33, Fourhundred Thecat said:

> How can I decrypt it without using gpg agent ?

You can't; the agent is a cornerstone of gpg and is thus required.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: GnuPG for Windows and key management files.
On Fri, 19 Jun 2020 13:43, Илья Пирогов said:

> I am interested in the question of where to find the files
> pubring.gpg, secring.gpg and randseed.bin in GnuPG for Windows.

Those files are not anymore used (see the other replies). However to figure out GnuPG's home directory you use the command

  gpgconf --list-dirs homedir

or leave out "homedir" and it lists all important file system locations. This command works on all platforms. "gpg --version" also prints the home directory right before the list of supported algorithms.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: Bug? Vulnerability? gpgme_op_verify_result() can be made to return a list of zero signatures
Hi!

On Mon, 15 Jun 2020 12:36, Justin Steven said:

> GPG_ERR_NO_ERROR but for gpgme_op_verify_result() to return a list of zero
> signatures. This feels like an erroneous condition to me, and with libgpgme

We already explained that this is a requirement for OpenPGP because OpenPGP allows to embed a signature in encrypted data (combined method in contrast to the rarely used MIME containers). Thus when calling the decrypt function you can't know in advance whether there will be a signature - not returning an error if there is no signature is proper behaviour.

More important: Checking the signature is one thing; its result is basically whether the data is corrupted. The more important step is to check whether you can trust the key used to generate a signature; this is basic crypto knowledge which can't be ignored even if you use "GnuPG Made Easy". GPGME has mechanisms to do this in a not too complicated way and of course it requires to loop over all signatures.

20 years ago when Debian started to sign packages it was figured that this is not a trivial task and together we developed gpgv which is a simple command line tool dedicated to check signatures against a fixed set of keys. There is no gpgme support for gpgv because calling gpgv is pretty straightforward.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
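A caller-side check for the situation discussed above, as an added example that is not part of the original post and not GnuPG or GPGME code: it parses the machine-readable status lines that gpg and gpgv write with --status-fd, rejects the "zero signatures" case explicitly, and accepts only signatures whose primary key fingerprint is in a pinned set. The function names, the pinned fingerprint and the sample status lines are constructed for illustration.

```python
import subprocess

# Status keywords that mean a signature was seen but must not be accepted,
# whatever other status lines accompany them.
FAILED = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def parse_status(text):
    """Yield (keyword, args) for every '[GNUPG:] KEYWORD args...' line."""
    for line in text.splitlines():
        if line.startswith("[GNUPG:] "):
            parts = line.split()
            if len(parts) >= 2:
                yield parts[1], parts[2:]


def check_signatures(status_text, trusted_fprs):
    """Return (accepted, reason). Fails closed: no signature is a rejection."""
    valid = []
    for keyword, args in parse_status(status_text):
        if keyword in FAILED:
            return False, keyword + " reported"
        if keyword == "VALIDSIG" and args:
            # Field 10 is the primary key fingerprint; fall back to field 1.
            valid.append(args[9] if len(args) >= 10 else args[0])
    if not valid:
        return False, "no valid signature present"
    for fpr in valid:  # loop over all signatures, not just the first
        if fpr.upper() not in trusted_fprs:
            return False, "signature by unpinned key " + fpr
    return True, str(len(valid)) + " signature(s) by pinned key(s)"


def verify_with_gpgv(keyring, sig_path, data_path, trusted_fprs):
    """Run gpgv against a fixed keyring and apply the policy above."""
    proc = subprocess.run(
        ["gpgv", "--keyring", keyring, "--status-fd", "1", sig_path, data_path],
        capture_output=True, text=True)
    if proc.returncode != 0:
        return False, "gpgv exited with status " + str(proc.returncode)
    return check_signatures(proc.stdout, trusted_fprs)


# Constructed sample data (not taken from a real key or message).
PINNED = {"0123456789ABCDEF0123456789ABCDEF01234567"}
GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2020-06-15 "
    "1592217360 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
)
NO_SIGNATURE = "[GNUPG:] DECRYPTION_OKAY\n[GNUPG:] END_DECRYPTION\n"
BAD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 89ABCDEF01234567 Constructed Signer <signer@example.org>\n"
)
UNPINNED = GOOD.replace("0123456789ABCDEF0123456789ABCDEF01234567", "F" * 40)

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("none", NO_SIGNATURE),
                         ("bad", BAD), ("unpinned", UNPINNED)]:
        print(name, check_signatures(sample, PINNED))
```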
On using --debug flags (was: gpg generate key is not finishing)
On Tue, 9 Jun 2020 09:47, Bernhard Reiter said:

> GNUPGHOME=~/dot-gnupg-test2/ gpg -vvv --debug-all --quick-generate-key

Pretty please do not use --debug-all. It is better to use dedicated debug flags to get useful logs and avoid leaking secrets. All GnuPG components support symbolic debug constants; use for example

  gpg --debug help

to view them. In many cases

  --debug ipc

is helpful and won't reveal any long term secrets.

The very first thing after a problem is to use --verbose which often is enough to see what's wrong. Only then try the debug constants.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: Standalone signature (0x02) ?
On Fri, 5 Jun 2020 14:14, Denis BEURIVE said:

> *Is it possible to generate this kind of signature with GPG ?*

No.

> *What is this signature used for ?*

I can't remember. I am pretty sure this has been discussed in the WG back in 1998 or so. If you are really interested you could dive into the archives or ask on the WG ML; maybe Jon Callas remembers for what it was intended.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: gpg generate key is not finishing
On Tue, 2 Jun 2020 13:59, Williams, Chad L said:

> [cid:image002.jpg@01D638BC.16B954A0]

[Which is a screenshot of the curses pinentry waiting for input.]

If you want the volunteers here to help you, it is important that you write a proper bug report. This includes telling us the version of GnuPG and of the OS, describing _exactly_ what you did, and providing logs.

You should be aware that a curses based panel disturbs the stderr diagnostics printed to the tty; thus you should redirect it to a log file.

BTW, there are commercial support service providers available [1] who will be able to talk you to a solution.

Shalom-Salam,

   Werner

[1] https://gnupg.org/service.html for a list. gnupg.com is my own service which also develops and maintains GnuPG and friends.

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: gpgAnon, draft 20150
On Fri, 29 May 2020 15:39, LisToFacTor said:

> vaguely as "group policies". Other than that, the only substantial
> change is the replacement of pgp 2.6.3ia-multi06 with gpg 1.4.10

You should not propose the use of 1.4 for any other use than decrypting old data. In particular not in a guide which is being read by people who risk high personal trouble and worse. Friends don't tell friends to use 1.4.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: gpg generate key is not finishing
On Sat, 30 May 2020 14:51, Williams, Chad L said:

> Attempting to generate a key on Solaris 10 server using the below command
>
> gpg --full-generate-key --pinentry-mode=loopback

Do not use loopback unless you know what you are doing. Adding --verbose should give you some insight what goes wrong.

On an old Solaris box you may want to run something like

  find /usr -type f | xargs cat >/dev/null

which is more effective than typing on the keyboard.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: Certified OpenPGP-encryption after release of Thunderbird 78
On Sun, 31 May 2020 12:35, Patrick Brunschwig said:

> Let's first define Standard users. The majority of users who use
> smartcards that *I* know are expert or power users. They can handle this.

I have a different experience here and we are actually promoting the use of smartcards because they better protect your private key and it is easy to explain why users need to take care of their card than of a bunch of files in the GnuPG home directory.

> The "Standard users" I have in mind don't use GnuPG for anything else
> than encrypting mails, and they don't use smartcards either. They won't
> have this issue in any way.

The standard user clicks right on a file icon, encrypts the file, and sends it as attachment using his MUA. That is an easy to teach and understand workflow and does not require any special MUA. Well, Outlook users are more and more using the well integrated support we provide in Gpg4win.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: Certified OpenPGP-encryption after release of Thunderbird 78
On Sun, 31 May 2020 11:10, David Flory said:

> How does one identify a v3 key?

By trying to import it with gpg; you should get a hint that v3 keys are not anymore supported.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: Certified OpenPGP-encryption after release of Thunderbird 78
On Fri, 29 May 2020 14:43, karel-v_g--- said:

> But it's a pity that Thunderbird developed its own solution because of
> licensing issues while we have a proven working solution with GnuPG...

For the records: There is no licensing issue; it is just a Mozilla policy issue not to use or depend on software which is not fully under their policy control. We have had long discussions with them more than 15 years ago with the result: no OpenPGP support and no improvements to their (back then) not very well working S/MIME code.

This decision forced us to implement S/MIME in GnuPG and is also one of the reasons why Patrick does not use GPGME as interface to GnuPG, despite that it is a well tested, maintained, and widely used (think Windows) interface to GnuPG.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: libgcrypt: random source via library on Linux?
On Fri, 29 May 2020 17:54, Steffen Nurpmeso said:

> Looking at the source it seems libgcrypt knows about the Linux
> getrandom systemcall. Yet it does not seem to know about glibc's
> getrandom library function.

Which was not available back then when I implemented support for getrandom. Further; there is no guarantee that getrandom(2) is supported on all machines. We care a lot about backward compatibility and can't simply demand a certain Linux kernel or glibc version.

> i would change, maybe with a new call-in to rndlinux.c which
> should be made responsible for Linux-only environmental detections

You don't change audited RNG code if there is not a very good reason for that.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: Certified OpenPGP-encryption after release of Thunderbird 78
On Tue, 26 May 2020 12:27, karel-v_g--- said:

> Because of this I have been using a combination of Thunderbird,
> Enigmail and Gpg4Win, as the latter one is certified by German BSI.

Well, it is not certified but approved to handle data at the EU RESTRICTED level (BSI-VSA-10400 and 10412). There are a lot of side conditions you have to meet to use that which are detailed in the SecOPs.

TB has not been approved to handle restricted data because it does not clearly show whether important conditions are met. GpgOL and KMail are able to meet these requirements for email; Kleopatra for file encryption.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: libgcrypt: random source via library on Linux?
On Thu, 28 May 2020 14:43, Steffen Nurpmeso said:

> ./configure \
> --prefix=/usr \
> --disable-padlock-support \
> --enable-static=yes
> make
> make DESTDIR=$PKG install

That is pretty standard except for the --disable-padlock-support - why do you use this? Padlock is only used on VIA CPUs and has an auditable design in contrast to RDRAND (which is used by Libgcrypt by default).

Are you running in FIPS mode? Can you run the Libgcrypt test suite? In particular

  $ libgcrypt/tests/version
  $ libgcrypt/tests/random --verbose --debug

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: libgcrypt: random source via library on Linux?
On Tue, 26 May 2020 15:35, Steffen Nurpmeso said:

> Fatal: no entropy gathering module detected

Which version of libgcrypt is that and what build options were used?

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: Comparison of RSA vs elliptical keys
On Fri, 22 May 2020 15:08, MFPA said:

> How would it be used only with ECC keys? The MUA doesn't know the
> flavour of key/subkey.

For sure the MUA knows your own key.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: keys require a user-id
On Wed, 20 May 2020 15:16, Mark said:

> It must be... With all the talk of "anonymous" keys I wanted to see if I
> could create one with Kleopatra, especially since it says optional for
> name.

The name should indeed be optional. If that has not been fixed in the latest version, please file a bug. GPG has always allowed to create a key with just a mail address:

--8<---cut here---start->8---
$ gpg --gen-key
Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name:
Email address: f...@example.org
You selected this USER-ID:
    "f...@example.org"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
--8<---cut here---end--->8---

Or with the not anymore new quick command:

--8<---cut here---start->8---
$ gpg --quick-gen-key f...@example.org
About to create a key for:
    "f...@example.org"

Continue? (Y/n)
--8<---cut here---end--->8---

Now, if you want to have the fingerprint as a User-ID, that needs a bit of extra work: First create a key with some arbitrary user-id, then use --edit-key to add a new User-ID containing the fingerprint, delete the original User-ID, save, and publish the key.

I do not suggest such user IDs because they would only confuse users.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: keys require a user-id
On Wed, 20 May 2020 19:11, Stefan Claas said:

> Curious as I am, did Mr Schönbohm never asked you why your public
> keyblock is not signed by Governikus?

I don't know a Mr. Schönbohm. I know Governikus and recently noticed that their software does not even support the recommended set of algorithm for ECC in S/MIME.

> https://keybase.io/stefan_claas

Mandating no user id and using a service which by design is quite the opposite of it ;-)

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: Comparison of RSA vs elliptical keys
On Wed, 20 May 2020 18:06, MFPA said:

> Does (or will) --include-key-block have an argument that can be set to
> tell it to only include ECC keyblocks, or to set a maximum keyblock

No, it is better to let the caller (e.g. the MUA) pass this option than to have it in a config file. (I initially used this too in my gpg.conf with the result that all my Git commits carried my key, which is useless).

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: FW: gpg-agent connection errors
On Fri, 22 May 2020 03:18, Ángel said:

> how this AF_UNIX socket is actually implemented on Gpg4win (as a named
> pipe, perhaps?), but your issues might be related to having it on a

It is a regular file with a nonce and a port. The server listens on localhost:THATPORT for connections and checks that the client provides the nonce in an initial handshake.

Now if some plain stupid firewall software (Symantec _used_ to be one) blocks connections from localhost to localhost things won't work. But that can't be the problem of the OP because it worked most of the times.

FWIW, Named pipes are not used because there is no mechanism on Windows to restrict them to the local machine.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: keys require a user-id
On Tue, 19 May 2020 10:29, Robert J. Hansen said:

> * PII-free UIDs are possible today

Well, according to European law this is not that easy because a public key is in most cases an attribute which identifies a natural person. This is the same as with phone numbers and mail addresses. In Germany even dynamically assigned IP addresses are attributes which can be used to identify a person and thus are subject to GDPR.

OTOH, the GDPR does not forbid the use of this data, there are just rules on how they can be used. WP describes the basic rules as:

  Unless a data subject has provided informed consent to data processing for one or more purposes, personal data may not be processed unless there is at least one legal basis to do so. Article 6 states the lawful purposes are:

  (a) If the data subject has given consent to the processing of his or her personal data;

  (b) To fulfill contractual obligations with a data subject, or for tasks at the request of a data subject who is in the process of entering into a contract;

  (c) To comply with a data controller's legal obligations;

  (d) To protect the vital interests of a data subject or another individual;

  (e) To perform a task in the public interest or in official authority;

  (f) For the legitimate interests of a data controller or a third party, unless these interests are overridden by interests of the data subject or her or his rights according to the Charter of Fundamental Rights (especially in the case of children).

IMHO, point d covers the case of distributing and using a public key for the purpose of securing the communication with the data subject. The key may of course not be used for any other purpose (i.e. tracking behaviour etc).

Hacker be aware, the law is not a machine, it works different than we tend to assume.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: keys require a user-id
On Mon, 18 May 2020 12:16, Robert J. Hansen said:

> Centralized key management schemes are sometimes very useful.

I fully agree and I personally know that this is a common use case. However, people requiring such a use case do not talk in the public about their specific infrastructure and are also not affected by the alleged privacy enhancements needs people are talking about.

The nice thing with OpenPGP is that you can implement any kind of PKI with it and you are not as restricted as with X.509/PKIX. And it is just one RFC and not several dozens RFCs and other documents you all need to read, analyze, and guess like we see in the PKIX world.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: Help setting gpgsm to do LDAP lookup
On Sat, 16 May 2020 23:24, John Scott said:

> Looking up recipients with both dirmngr-client and
> gpgsm --verbose --list-external-keys [recipient]
> are fruitless whether I drop the ads\ from my username or not. I've bumped
> the
> ldaptimeout to 25. Still both commands finish instantaneously—not unlike

I just did a quick test using

  ldap.pca.dfn.deo=DFN-Verein,c=DE:ldap

which works as expected. It has no username and password, though. To better debug this you should add

--8<---cut here---start->8---
verbose
log-file socket://
debug ipc,lookup,extprog
no-use-tor
--8<---cut here---end--->8---

(if you are not using watchgnupg, replace socket:// by a regular file name)

This gives more specific debug output. (BTW, "dirmngr --debug help" shows all debug options). Instead of using gpgsm it is often easier to use gpg-connect-agent:

  $ gpg-connect-agent --dirmngr
  > /hex
  > lookup Werner
  D[] 30 82 05 AF 30 82 04 97 A0 03 02 01 02 02 0C 1D 0...0...
  D[0010] B0 E4 78 EA 1D 5C 64 E5 03 8C 9E 30 25 30 44 06 ..x..\d0%0D.
  [...]
  END
  S TRUNCATED 3
  OK

Look at the log file while running these commands; hopefully you see an error message.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: Comparison of RSA vs elliptical keys
On Sun, 17 May 2020 04:33, Ángel said:

> In both cases, most of the signature space is taken by a hashed
> subpacket of type 38. This value is not assigned, but looking at

You are using --include-key-block; this is intended to be used by MUAs to send the encryption key along with a signature to allow for immediate encrypted reply. This is similar to what has been done in S/MIME for decades and a mitigation to the comedown of the keyservers.

MUAs may decide not to use this on mailing lists - if short mails are important. Or use it only with ECC keys.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: keys require a user-id
On Sun, 17 May 2020 10:48, Vincent Breitmoser said:

> 1. Without consent, we don't distribute email addresses.

And by that changing the distributed system of keyservers into a centralized key database like PGP tried this with their Universal Server. Which unavoidably will change OpenPGP to a centralized system. If you want that use X.509 or to get complete centralization use Signal.

> 2. We want to distribute revocations and subkey updates regardless.

Go read up on the failures and impracticalities of CRLs and OCSP.

> GnuPG upstream rejects such updates. Concretely, if you hand a primary
> key with only a revocation signature to GnuPG, it will parse the
> revocation, verify that it is cryptographically valid, and then throw

There is a simple reason for that: You don't want to type in an entire keyblock in the case you need to revoke your key and you only got the printout of the revocation certificate.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: keys require a user-id
On Fri, 15 May 2020 14:35, Ingo Klöcker said:

> UIDs. No UID -> invalid key. Why do you want to be able to import a key in
> GnuPG that would be utterly unusable?

FWIW, the expiration time of a key is also bound to the user-id as well as key preferences and all kinds of other possible gadgets. And no, a direct-key signature is no replacement for this.

Shalom-Salam,

   Werner
keys require a user-id (was: Comparison of RSA vs elliptical keys)
On Thu, 14 May 2020 23:01, Stefan Claas said:

> you would consider including it in GnuPG too and reflecting it in the
> respective RFC?

The User-IDs are an integral part of OpenPGP and at the core of its design. All kinds of important information is bound to the user ids and thus a key w/o a user ID is basically useless.

There is one exception for this: Derek Atkins (one of the original PGP authors) requested certain features to allow the use of a stripped down OpenPGP key by space and CPU constrained devices. We integrated this into the standard because it is better to use even a stripped down format than to come up with just another format. Direct key signatures were never intended to replace User-IDs and their self-signatures.

And no, it is not a privacy issue. If you don't want to put your name or mail address into the user ID, just don't do it but use a random string or even the key's fingerprint. For the majority of use cases a mail address is still the best way to identify and even lookup a key.

Salam-Shalom,

   Werner
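The packet layout the messages above argue about, as an added example that is not part of the original posts or of GnuPG's code: a minimal walker over RFC 4880 packet headers that reports whether a key block carries a User ID packet (tag 13) or is only a primary key plus a key revocation signature (type 0x20). The function names and the sample packets are constructed for illustration; the packet bodies are dummies, not real keys or signatures.

```python
TAG_SIGNATURE, TAG_USER_ID = 2, 13
SIG_KEY_REVOCATION = 0x20

def packets(data):
    """Yield (tag, body) for each OpenPGP packet (RFC 4880, section 4.2)."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        pos += 1
        if not hdr & 0x80:
            raise ValueError("bit 7 of a packet header must be set")
        if hdr & 0x40:                       # new-format header
            tag = hdr & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:                  # one-octet length
                length = first
            elif first < 224:                # two-octet length
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:               # five-octet length
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                                # old-format header
            tag = (hdr >> 2) & 0x0F
            ltype = hdr & 0x03
            if ltype == 3:                   # indeterminate: runs to end of input
                length = len(data) - pos
            else:
                n = 1 << ltype               # 1, 2 or 4 length octets
                length = int.from_bytes(data[pos:pos + n], "big")
                pos += n
        if pos + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[pos:pos + length]
        pos += length

def describe(keyblock):
    """Report which packets a key block carries and whether it is a bare revocation."""
    tags, sig_types = [], []
    for tag, body in packets(keyblock):
        tags.append(tag)
        if tag == TAG_SIGNATURE:
            # The signature type octet is at offset 2 in v3 and offset 1 in v4.
            sig_types.append(body[2] if body[0] == 3 else body[1])
    has_uid = TAG_USER_ID in tags
    return {"tags": tags, "has_user_id": has_uid, "sig_types": sig_types,
            "bare_revocation": not has_uid and sig_types == [SIG_KEY_REVOCATION]}

def _new(tag, body):
    """Constructed test data only: new-format packet with a one-octet length."""
    return bytes([0xC0 | tag, len(body)]) + body

KEY = b"\x04" + b"\x00" * 10                 # dummy body, not real key material
# Constructed: key, User ID, certification (0x13), subkey, subkey binding (0x18).
FULL = (_new(6, KEY) + _new(13, b"alice@example.org") + _new(2, b"\x04\x13\x16\x08")
        + _new(14, KEY) + _new(2, b"\x04\x18\x16\x08"))
# Constructed: old-format primary key followed only by a key revocation signature.
BARE = b"\x99\x00\x0b" + KEY + _new(2, b"\x04\x20\x16\x08")

if __name__ == "__main__":
    print(describe(FULL))
    print(describe(BARE))
```

The walker only reads packet framing and the signature type octet; it does not verify any signature.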
Re: Comparison of RSA vs elliptical keys
On Wed, 13 May 2020 15:09, Stefan Claas said:

> defaults to cv25519... (and does not need to generate a UID for privacy
> reasons, simply fantastic!)

And willfully violating the standard. Not requiring a user id was a bug in PGP 2 and fixed more than 25 years ago with PGP 2.6.3in.

Shalom-Salam,

   Werner
Re: Comparison of RSA vs elliptical keys
On Wed, 13 May 2020 10:54, Damien Goutte-Gattat said:

> Not yet. Officially, only the NIST P-256, P-384, and P-521 curves are
> part of the standard (since RFC 6637). The first mention of Curve

RFC-6637 allows for arbitrary curves because curves are specified using an ASN.1 OID. So for example the Brainpool curves can as well be used. The problem is similar to using RSA (which was optional in the old OpenPGP specs) or to use large RSA keys or even RSA keys with odd lengths on which some implementations choke.

For a public key algorithm we unfortunately can't use the preference system. The worst thing which can happen to a user is that they can't verify a signature or encrypt to a key. But there are no backward compatibility issues related to data etc.

> 25519 for OpenPGP was in a draft by Werner in 2014 [2]. The draft
> never made it to a RFC but the 25519 curve is now part of the draft

For Ed25519 we actually added a new algorithm id so that it is indeed not covered by RFC-6637.

Anyway, the two Curve25519 algorithms (ed25519 for signing, and cv25519 for encryption) are available in GnuPG as "future-default". Given that older GnuPG versions reached end-of-life 2.5 years ago I consider it okay to change the default and create new keys using ed25519/cv25519. GnuPG master, which will eventually be 2.3, uses them as default.

Salam-Shalom,

   Werner
Re: gpg-agent connection errors
On Tue, 5 May 2020 12:09, Kent A. Larsen said:

> needed). Does gpg-agent auto-terminate after a certain period of
> inactivity?

No. Further, gpg-agent and all other background processes are always started on demand.

Shalom-Salam,

   Werner
Re: Error running auto-key-locate wkd in Windows 10
On Thu, 26 Mar 2020 17:55, gus said:

> gpg: error retrieving 'torbrow...@torproject.org' via WKD: Ricevuto un
> messaggio di avviso fatale
> gpg: error reading key: Ricevuto un messaggio di avviso fatale

That is: "Fatal alert message received" which comes from the TLS layer. To see the actual cause you need to add

  log-file /some/file
  tls-debug 2

or a higher level to dirmngr.conf and "gpgconf --reload dirmngr". For me a

  gpg --locate-external-keys -v torbrow...@torproject.org

(--locate-external-key is easier to type than yours. It excludes the local keys and thus always goes out to the WKD) then gives:

  DBG: ntbtls(2): got an alert message, type: [2:40]
  DBG: ntbtls(1): is a fatal alert message (msg 40)
  DBG: ntbtls(1): (handshake failed)
  DBG: ntbtls(1): read_record returned: Fatal alert message received
  DBG: ntbtls(2): handshake ready
  TLS handshake failed: Fatal alert message received
  error connecting to 'https://openpgpkey.tor[...]

A reason for the failed handshake might be that no common parameters could be found. We would need to look at the server log or run tests with that server to see what it expects. I copy the full TLS log below. I have no GNUTLS based build currently available, if that works, its log could give also some conclusion. However, on Windows we always use NTBTLS.
Salam-Shalom,

   Werner

--8<---cut here---start->8---
DBG: ntbtls(2): handshake
DBG: ntbtls(2): client state: 0 (hello_request)
DBG: ntbtls(3): flush output
DBG: ntbtls(2): client state: 1 (client_hello)
DBG: ntbtls(3): flush output
DBG: ntbtls(2): write client_hello
DBG: ntbtls(3): client_hello, max version: [3:3]
DBG: ntbtls(3): client_hello, current time: 1585298512
DBG: client_hello, random bytes: 5e7dbc5008b76aa83d09c4393a4bdbe792ad9fee5198c6d9f88357ad16020156
DBG: ntbtls(3): client_hello, session id len.: 0
DBG: client_hello, session id:
DBG: ntbtls(5): client_hello, add ciphersuite: 49192 TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
DBG: ntbtls(5): client_hello, add ciphersuite: 107 TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite: 49172 TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite:57 TLS-DHE-RSA-WITH-AES-256-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite: 49271 TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384
DBG: ntbtls(5): client_hello, add ciphersuite: 196 TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite: 136 TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite: 49191 TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite: 103 TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite: 49171 TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite:51 TLS-DHE-RSA-WITH-AES-128-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite: 49270 TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite: 190 TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite:69 TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite: 49170 TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite:22 TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite: 49208 TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384
DBG: ntbtls(5): client_hello, add ciphersuite: 179 TLS-DHE-PSK-WITH-AES-256-CBC-SHA384
DBG: ntbtls(5): client_hello, add ciphersuite: 49206 TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite: 145 TLS-DHE-PSK-WITH-AES-256-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite: 49307 TLS-ECDHE-PSK-WITH-CAMELLIA-256-CBC-SHA384
DBG: ntbtls(5): client_hello, add ciphersuite: 49303 TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384
DBG: ntbtls(5): client_hello, add ciphersuite: 49207 TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite: 178 TLS-DHE-PSK-WITH-AES-128-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite: 49205 TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite: 144 TLS-DHE-PSK-WITH-AES-128-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite: 49302 TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite: 49306 TLS-ECDHE-PSK-WITH-CAMELLIA-128-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite: 49204 TLS-ECDHE-PSK-WITH-3DES-EDE-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite: 143 TLS-DHE-PSK-WITH-3DES-EDE-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite:61 TLS-RSA-WITH-AES-256-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite:53 TLS-RSA-WITH-AES-256-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite: 192 TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite: 132 TLS-
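Reading the NTBTLS debug lines from the message above, as an added example (not part of the original post or of dirmngr): the script decodes the alert pair with the RFC 5246 alert table and summarizes which cipher suites the client_hello offered, which is what to compare against the server's configuration when no common parameters are found. The function names are hypothetical, the sample lines are a subset copied from the log above, and reading [2:40] as level:description is an assumption backed by the "is a fatal alert message (msg 40)" line.

```python
import re

# TLS alert levels and a subset of alert descriptions (RFC 5246, section 7.2).
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 112: "unrecognized_name",
}

ALERT_RE = re.compile(r"got an alert message, type: \[(\d+):(\d+)\]")
# \s* because some lines in the log have no space after the colon.
SUITE_RE = re.compile(r"add ciphersuite:\s*(\d+)\s+(TLS-\S+)")

# Subset of the log lines shown in the message above; the last suite line is
# cut off in the archive and must be skipped rather than half-parsed.
SAMPLE_LOG = """\
DBG: ntbtls(5): client_hello, add ciphersuite: 49192 TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
DBG: ntbtls(5): client_hello, add ciphersuite:57 TLS-DHE-RSA-WITH-AES-256-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite: 49208 TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384
DBG: ntbtls(5): client_hello, add ciphersuite:61 TLS-RSA-WITH-AES-256-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite: 132 TLS-
DBG: ntbtls(2): got an alert message, type: [2:40]
DBG: ntbtls(1): is a fatal alert message (msg 40)
"""

def parse_suite(name):
    """Split 'TLS-<kex>-WITH-<cipher>-<mac>' into its parts."""
    kex, _, rest = name[len("TLS-"):].partition("-WITH-")
    cipher, _, mac = rest.rpartition("-")
    return {"kex": kex, "cipher": cipher, "mac": mac,
            "aead": cipher.endswith(("GCM", "CCM", "POLY1305"))}

def summarize(log_text):
    """Return the offered cipher suites and the last alert seen in the log."""
    suites, alert = [], None
    for line in log_text.splitlines():
        m = SUITE_RE.search(line)
        if m:
            suites.append((int(m.group(1)), parse_suite(m.group(2))))
            continue
        m = ALERT_RE.search(line)
        if m:
            level, desc = int(m.group(1)), int(m.group(2))
            alert = (ALERT_LEVELS.get(level, f"level {level}"),
                     ALERT_DESCRIPTIONS.get(desc, f"alert {desc}"))
    return {
        "alert": alert,
        "suite_ids": [sid for sid, _ in suites],
        "kex": sorted({s["kex"] for _, s in suites}),
        "aead_offered": any(s["aead"] for _, s in suites),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```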
Re: WKS server problems
On Mon, 23 Mar 2020 10:16, john doe said:

> Thank you Werner, I wrapped the above as an one liner:

This is even easier.

  $ mkdir -p /etc/gcrypt && echo only-urandom>/etc/gcrypt/random.conf

The '#' lines are merely comments to show which other options are available.

Shalom-Salam,

   Werner
Re: WKS server problems
On Sun, 22 Mar 2020 12:36, Andrew Gallagher said:

> On 22/03/2020 05:38, john doe wrote:
>> Do you have enough entropy on the VM?
>
> Argh, thank you. I thought I had enough entropy because monkeysphere
> created its trust root without issue, but installing haveged did fix the
> problem.

You might be better off using this:

--8<---cut here---start->8---
$ cat /etc/gcrypt/random.conf
# Options for the random generator

# We don't trust the Jitter based thing - do not use it.
#disable-jent

only-urandom
--8<---cut here---end--->8---

instead of the very brittle and CPU dependent haveged. On any decent Linux urandom is good enough. Right at some early boot stages and on a fresh or not properly shutdown system, it might have too little entropy. But if you have such concerns you should anyway use the latest Libgcrypt which does not only mix in RDRAND but also entropy from its own JitterRNG.

Shalom-Salam,

   Werner
[Announce] GnuPG 2.2.20 released
th Chinese (traditional and simplified), Czech, French, German, Japanese, Norwegian, Polish, Russian, and Ukrainian being almost completely translated.

Documentation and Support
=========================

If you used GnuPG in the past you should read the description of changes and new features at doc/whats-new-in-2.1.txt or online at https://gnupg.org/faq/whats-new-in-2.1.html

The file gnupg.info has the complete reference manual of the system. Separate man pages are included as well but they miss some of the details available only in the manual. The manual is also available online at https://gnupg.org/documentation/manuals/gnupg/ or can be downloaded as PDF at https://gnupg.org/documentation/manuals/gnupg.pdf .

You may also want to search the GnuPG mailing list archives or ask on the gnupg-users mailing list for advice on how to solve problems. Most of the new features are around for several years and thus enough public experience is available. https://wiki.gnupg.org has user contributed information around GnuPG and related software.

In case of build problems specific to this release please first check https://dev.gnupg.org/T4860 for updated information.

Please consult the archive of the gnupg-users mailing list before reporting a bug: <https://gnupg.org/documentation/mailing-lists.html>. We suggest to send bug reports for a new release to this list in favor of filing a bug at <https://bugs.gnupg.org>. If you need commercial support go to <https://gnupg.com> or <https://gnupg.org/service.html>.

If you are a developer and you need a certain feature for your project, please do not hesitate to bring it to the gnupg-devel mailing list for discussion.

Thanks
======

Maintenance and development of GnuPG is mostly financed by donations. The GnuPG project currently employs two full-time developers and one contractor. They all work exclusively on GnuPG and closely related software like Libgcrypt, GPGME and Gpg4win.
We have to thank all the people who helped the GnuPG project, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, and answering questions on the mailing lists.

Many thanks to our numerous financial supporters, both corporate and individuals. Without you it would not be possible to keep GnuPG in a good shape and to address all the small and larger requests made by our users. Thanks.

Happy hacking,

   Your GnuPG hackers

p.s.
This is an announcement only mailing list. Please send replies only to the gnupg-users'at'gnupg.org mailing list.

p.p.s
List of Release Signing Keys:
To guarantee that a downloaded GnuPG version has not been tampered by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. Current releases are signed by one or more of these three keys:

  rsa2048 2011-01-12 [expires: 2021-12-31]
  Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
  Werner Koch (dist sig)

  rsa2048 2014-10-29 [expires: 2020-10-30]
  Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06
  NIIBE Yutaka (GnuPG Release Key)

  rsa3072 2017-03-17 [expires: 2027-03-15]
  Key fingerprint = 5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

The keys are available at <https://gnupg.org/signature_key.html> and in any recently released GnuPG tarball in the file g10/distsigkey.gpg . Note that this mail has been signed by a different key.
Re: keys.openpgp.org not working on CentOS 7
On Fri, 20 Mar 2020 14:22, Andrew Gallagher said:

> Even for keys with verified user-ids?

I have no idea because I do not have such a key.

Salam-Shalom,

   Werner
Re: keys.openpgp.org not working on CentOS 7
On Fri, 20 Mar 2020 11:35, Andrew Gallagher said:

> CentOS 7* uses gnupg v2.022, and it appears to be unusable with Hagrid.
> Does anyone know what's going on here?

GnuPG 2.0.22 was released in fall 2013(!), has since then received 8 updates and reached end-of-life at the end of 2017. The question is why they are using such an old version and in particular on a network connected box.

Shalom-Salam,

   Werner

p.s.
And well, keys.openpgp.org does not send compliant keys back but strips off important parts of OpenPGP key blocks. It reminds me of the problems we had pre-2000 with the keyserver.net company.
Re: How to use reprepro (or anything really) over ssh?
On Wed, 11 Mar 2020 10:07, Andrew Gallagher said:

> The evidence would suggest that pinentry-gnome3 v1.1.0-2 on Debian
> blindly uses `:0` no matter what parameters are passed.

Oh pinentry-gnome - it is intertwined with the gnome-keyring stuff and does all kinds of surprising things. Indeed, the GTK and QT pinentries are easier to understand.

BTW: Running gpg with -v (aka --verbose) shows infos about the used pinentry.

Shalom-Salam,

   Werner
Re: ed448 support in gpg?
On Wed, 11 Mar 2020 13:30, Jonathan Cross said:

> How will older clients deal with a certification signature from this
> unrecognized algorithm?

They won't use them and print a '?' with --check-sigs.

> Yes, I intend to do this with the subkeys (Curve25519)
> Only the primary (certification key) would use ed448 which would
> rarely be used and only offline.

If the primary key can't be validated the subkeys can't be validated either. For migration you can use an ed448 subkey though. I did similar with my old key by having a Cv25519 subkey and an rsa subkey.

Salam-Shalom,

   Werner
Re: How to use reprepro (or anything really) over ssh?
On Tue, 10 Mar 2020 15:59, Andrew Gallagher said:

> reprepro uses gpgme, so it doesn't support `pinentry-mode loopback` (it
> crashes if I try). And since I am normally logged in to my home machine,

GPGME supports pinentry modes since 1.4.0 (released early 2013):

  7.4.7 Pinentry Mode
  -------------------

   -- Function: gpgme_error_t gpgme_set_pinentry_mode (gpgme_ctx_t CTX,
            gpgme_pinentry_mode_t MODE)

       SINCE: 1.4.0

       The function ‘gpgme_set_pinentry_mode’ specifies the pinentry mode
       to be used.

       For GnuPG >= 2.1 this option is required to be set to
       ‘GPGME_PINENTRY_MODE_LOOPBACK’ to enable the passphrase callback
       mechanism in GPGME through ‘gpgme_set_passphrase_cb’.

> Is pinentry ignoring its command line parameters? And how do I get it to
> behave? I can only manage this repository when I'm sitting at my home
> computer, which is not acceptable.

After having sshed into the other box run there:

  gpg-connect-agent updatestartuptty /bye

Salam-Shalom,

   Werner