Re: GPGME: disable S/MIME (signature verification)
That seems to work nicely. Thanks!

Ingo Klöcker:
> It shouldn't. OpenPGP is handled by gpg which has its own config file.
> gpgsm.conf is only used by gpgsm which deals with S/MIME.

-- ilf
If you upload your address book to "the cloud", I don't want to be in it.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPGME: disable S/MIME (signature verification)
Thanks. But those sound like they affect OpenPGP, too.

Sorry, I didn't make this explicit in my first mail: But I want to use OpenPGP with all features, including Dirmngr. I just don't want to use S/MIME.

Ingo Klöcker:
> Add disable-dirmngr to your gpgsm.conf. This won't disable S/MIME signature verification, but it disables expensive online checks.
>
> The alternative in GpgME is https://gnupg.org/documentation/manuals/gpgme/Offline-Mode.html#Offline-Mode

-- ilf

GPGME: disable S/MIME (signature verification)
Hi

How can I disable S/MIME or S/MIME signature verification in GPGME?

Many Mutt users use GPGME, but few verify S/MIME signatures. In these cases, the check is useless. It's also annoying, because it can take around 25 seconds to timeout and fail.

See the relevant thread over on mutt-users: http://lists.mutt.org/pipermail/mutt-users/Week-of-Mon-20230724/004259.html

Thanks

-- ilf

Re: how to recover secret key passphrase?
Markus Reichelt:
> > Over the years, I have used quite a number of keypairs. Unfortunately, I have forgotten the passphrase for some of them. But I do know potential parts of the passphrase.
>
> This is ancient, but may help you https://www.vanheusden.com/nasty/

Thanks. But my problem is not the actual brute-forcing part, john is perfect for that. My problem is getting a usable input for john from the current private-keys-v1.d/ gpg-agent private key store format.

-- ilf

how to recover secret key passphrase?
Over the years, I have used quite a number of keypairs. Unfortunately, I have forgotten the passphrase for some of them. But I do know potential parts of the passphrase.

What's the current recommended way to recover the passphrase of OpenPGP private keys?

The classic John the Ripper includes a tool "gpg2john" to convert ASCII-armored exported private keys to a format that john can work with: http://blog.atucom.net/2015/08/cracking-gpg-key-passwords-using-john.html

However, to export a private key from the current private-keys-v1.d/ gpg-agent key store, I need my passphrase. Which I can't remember.

I would welcome any hints on how to achieve this. According to Kerckhoffs's principle, this can be public knowledge, in contrast to "security through obscurity". But if you feel like this is sensible, feel free to answer me directly instead of the list.

Thanks!

-- ilf

Re: revoke last valid user ID
Wiktor Kwapisiewicz:
> I'd try adding one dummy User ID, revoke the rest, then delete that dummy User ID before it gets sent to the keyserver.

Thanks, that sounds possible.

But I wonder, if there is a reason GnuPG won't let me revoke it directly - and if so, if that reasoning is strong enough to not even have a way to override it.

Since I have keys with all user IDs revoked and I only ever used GnuPG, it seems I was able to do that once.

> I guess you don't want to revoke the entire key...

The keys I am trying to do that for *are* revoked or expired. That's why I want to remove the (immediate visibility of the) user IDs, even from the classic SKS keyserver network.

-- ilf

revoke last valid user ID
Doing more keyring housekeeping, I would like to revoke all user IDs of keypairs with revoked/expired certificates.

However, I am getting this error:

    gpg: Cannot revoke the last valid user ID.

This is also in the documentation:

    --quick-revoke-uid user-id user-id-to-revoke
    This command revokes a user ID on an existing key. It cannot be used to revoke the last user ID on key (some non-revoked user ID must remain) […]

https://www.gnupg.org/documentation/manuals/gnupg/OpenPGP-Key-Management.html

Why is this? I have keypairs with revoked/expired certificates keys in my keyring which have *all* user IDs revoked. And I am sure I want to do this.

Is there a way to override this limitation?

-- ilf

Re: I deleted 80 % of my keyring, but my keybox file isn't shrinking
Thanks, that explains it. And the faketime gpgsm command worked (after installing faketime).

But that's a hack, and users should not have to do this. Especially since GnuPG 2.1 defaults to keybox and more people recommend it with the recent flooding issues.

I opened an issue to track this: https://dev.gnupg.org/T4644

Werner Koch:
> Good catch. In gpg we have not implemented the compression run:
>
>     faketime -f +3 gpgsm -k foo >/dev/null

-- ilf

I deleted 80 % of my keyring, but my keybox file isn't shrinking
Over the years, my keyring grew and got rather big. So I did some cleaning and deleted some revoked and otherwise useless certificates. (If you wonder how, see this script - feedback welcome: https://github.com/ilf/gpg-maintenance/blob/master/gpg-delete-revoked-keys.sh)

This got my keyring down from 4.600 to 1.000 keys:

    % kbxutil --stats ~/.gnupg.bak/pubring.kbx | grep -e "Total" -e "openpgp"
    Total number of blobs: 4656
    openpgp: 4617

    % kbxutil --stats ~/.gnupg/pubring.kbx | grep -e "Total" -e "openpgp"
    Total number of blobs: 1041
    openpgp: 1002

But the keybox file didn't get any smaller:

    % du -h ~/.gnupg/pubring.kbx ~/.gnupg.bak/pubring.kbx
    99M ~/.gnupg/pubring.kbx
    99M ~/.gnupg.bak/pubring.kbx

Why is this? I really don't understand keybox well enough to answer this myself.

Thanks!

PS: This could probably be updated:

    Well, OpenPGP keys are not implemented, gpg still used the keyring file pubring.gpg.

https://www.gnupg.org/documentation/manuals/gnupg/kbxutil.html

-- ilf

Re: mutt message skipped: public key already present
Christian Aistleitner:
> http://lists.gnupg.org/pipermail/gnupg-devel/2012-December/027216.html
>
> ... or bribe someone with commit access to push it and wait for a new GnuPG release.

Thanks a lot! Werner pushed something like it (swapping --quiet and non --verbose) here: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=8325d616593187ff227853de0295e3269b96edcb

-- ilf
Over 80 million Germans don't use a console. Don't click yourself away!
-- An initiative of the Federal Office for Keyboard Usage

Re: mutt message skipped: public key already present
Christian Aistleitner:
> > skipped: public key already present
> > Press any key to continue.
> >
> > How can I disable having to press a key after this message or disable it completely?
>
> So if you set encrypt-to to your own key, and Cc to yourself, your key would be added twice to this list, and GnuPG warns against this.
>
> mutt in turn sees that pgp_encrypt_only_command resulted in some output on stderr and therefore pauses so you can read the output.
>
> IIRC, mutt does not allow to skip the waiting (as $wait_key does not apply here). pgpewrap does not allow to mangle stderr. GnuPG does not allow to turn this logging off.

Right. I would like to disable this warning in GnuPG.

Back in 2001, Werner Koch w...@gnupg.org said on this list:

    I should better output those messages only in verbose mode.

http://lists.gnupg.org/pipermail/gnupg-users/2001-May/008354.html

Has that ever happened? Does anyone know how to do that?

> Maybe mutt's fcc_clear covers your use case?

Thanks for that hint. But I prefer keeping mails sent encrypted also encrypted locally.

-- ilf

mutt message skipped: public key already present
I am using GnuPG (1.4.11) with mutt (1.5.21) and the following muttrc settings:

    set crypt_autosign
    set pgp_encrypt_only_command="/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust -- -r %r -- %f"

When encrypting a mail with myself in Cc:, I get the following:

    skipped: public key already present
    Press any key to continue.

How can I disable having to press a key after this message or disable it completely?

-- ilf