OT: Best way to send e-mails to a recipient that does not know encryption

2024-01-02 Thread john doe via Gnupg-users

Hi,

I need to send personal information to a recipient who has no idea what
encryption is nor is able to decrypt an encrypted e-mail.

I do not want to use Gmail to send that kind of information and I'm
contemplating using posteo.de.

Is this any better?

In other words, how do you use e-mails with a recipient that should be
able to open and reply to e-mails as usual?

Sorry for being OT.

--
John Doe

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users


OT: Re: 32768-bit key

2023-08-27 Thread john doe via Gnupg-users

On 8/27/23 08:42, isp_stream via Gnupg-users wrote:




I do not get the point of this thread, please stop.

--
John Doe




OT: Re: Does the PGP public key at https://www.washingtonpost.com/anonymous-news-tips/

2022-08-07 Thread john doe via Gnupg-users

Sorry for hijacking the thread but without the context I'm not sure that
my question would have been understandable.

On 8/7/2022 7:59 PM, Andrew Gallagher via Gnupg-users wrote:



On 7 Aug 2022, at 17:28, Jay Sulzberger via Gnupg-users  
wrote:

Andrew, do the sks keyservers work today?

I was able to find the key by going to

https://keyserver.ubuntu.com/

and putting

EC6C2905F0F93C0373946CA10642427A5FF780BE

into the search box.


Do you mean SKS the software (i.e. github.com/sks-keyserver) or SKS the 
protocol/network? The answer in both cases is “yes”, but for different values 
of “yes”. 🤓

What doesn’t work any more is the sks-keyservers.net pool, which had become a 
nightmare to manage. This has been taken by many to mean that the SKS network 
itself is down, but this is absolutely not the case.

sks-keyserver still works, but is IMO not suitable for use in production unless 
you are an expert willing to roll your own load balancing pool and recompile 
the code to update blacklists (there are still a few such brave souls left). 
This may change in the future — the software is maintained but hasn’t had a 
significant feature bump in some time.

The SKS network also still works, and depending on your choice of metric is 
probably more stable today than it has ever been. The reasons are twofold: many 
operators have migrated from sks-keyserver to hockeypuck, and most of the rest 
have shut down. This means that although there are fewer keyservers now than 
five years ago, the ones that do exist (including keyserver.ubuntu.com) are 
generally much more reliable.

Information about the SKS network can be found at https://spider.pgpkeys.eu



Why did you publish the key to the sks key servers?

I guess my question is about the reasoning behind using sks key server
instead of WKD or Hagrid.

--
John Doe



Re: question of verifying signatures

2022-06-11 Thread john doe via Gnupg-users

On 6/11/2022 4:24 PM, Linus Virtanen via Gnupg-users wrote:

Hi, I try to verify the GPG signature of multiple applications on Windows but I
failed. A friend of mine tried and failed. He said that you do not need to
verify the GPG signature. He says it is a waste of time. Is it really necessary
to verify the GPG signature? If it is necessary, would you tell me why? Thank
you.


It is up to you to decide if you want to verify a GPG signature.

To verify a signature it is required to import a public key, look for
instructions on the site from which you downloaded what is to be verified.

--
John Doe



Re: use text pinentry in the console

2022-02-22 Thread john doe via Gnupg-users

On 2/22/2022 5:28 PM, Fourhundred Thecat via Gnupg-users wrote:

Hello,

when I type a gpg command in the terminal, such as:

   gpg -c foo

the GUI pinentry dialog pops up to ask for a password (I guess it's
pinentry-gtk-2)

How can I configure it so that the ncurses (text based) dialog is used
instead?

I am using gpg 2.2.12 on Debian 10



On Debian you need to use:

$ update-alternatives --config pinentry

--
John Doe

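A per-user alternative to update-alternatives, as an added example that is not code from this thread: gpg-agent honours a `pinentry-program` line in gpg-agent.conf, which overrides the distribution's default pinentry for that user and needs no root. The Debian path /usr/bin/pinentry-curses and the file names below are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: choosing a text-mode pinentry.
# System-wide on Debian this is `update-alternatives --config pinentry`
# (root). The functions here do the per-user equivalent: gpg-agent reads a
# `pinentry-program` option from gpg-agent.conf, which wins over the
# alternatives symlink for that user. /usr/bin/pinentry-curses is Debian's
# path and an assumption.

# Replace any existing pinentry-program line in $1 with $2; every other
# option in the file is kept. Refuses a path that is not an executable.
set_pinentry_program() {
  conf=$1; prog=$2
  [ -x "$prog" ] || { echo "not an executable: $prog" >&2; return 1; }
  mkdir -p "$(dirname "$conf")" || return 1
  if [ -f "$conf" ]; then
    grep -v '^pinentry-program[[:space:]]' "$conf" > "$conf.tmp" || true
  else
    : > "$conf.tmp"
  fi
  printf 'pinentry-program %s\n' "$prog" >> "$conf.tmp" &&
  mv "$conf.tmp" "$conf"
}

# Print the pinentry configured in $1 (the last occurrence wins, as
# gpg-agent reads the file top to bottom); empty if none is set.
current_pinentry_program() {
  [ -f "$1" ] && awk '$1=="pinentry-program" {p=$2} END {print p}' "$1"
}

# Count the non-pinentry, non-blank option lines, to check nothing was lost.
other_option_lines() {
  grep -c -v -e '^pinentry-program[[:space:]]' -e '^[[:space:]]*$' "$1"
}

# Apply to the real agent: write the option, then make the running agent
# re-read its configuration so the change takes effect immediately.
use_curses_pinentry() {
  set_pinentry_program "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf" /usr/bin/pinentry-curses &&
  gpgconf --reload gpg-agent
}
```

`gpgconf --reload gpg-agent` is the supported way to make a running agent pick up the new option without killing it; if the agent is not running, gpg starts it with the new configuration on the next use.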


Re: Install gnupg on Linux machine ( For gpg encryption & decryption )

2022-01-04 Thread john doe via Gnupg-users

On 1/4/2022 4:17 AM, Rayapati Rama Rao (NCS) wrote:

Hi Team,

Good Morning!

Could you please let me know which gnupg software to download for a Linux machine to 
make use of gpg encryption & decryption.
Also, may I know if any packages are required to be installed on Linux prior to gnupg 
installation.
If possible could you please provide me the steps to install gnupg on a Linux 
machine.
Thanks in advance, have a wonderful day.



Can't you simply use the package manager of your distribution?

--
John Doe



Re: Issue when running in command in batch

2021-10-08 Thread john doe via Gnupg-users

On 10/8/2021 9:01 AM, luc.dedroog--- via Gnupg-users wrote:

Hi,

I have an issue with gnupg because I would like to run it in batch (to allow 
several users to maintain the keys) but I never succeeded in using the parameter 
'--command-fd n' or '--command-file file' as explained in the documentation for 
'edit-key'.
I run gnupg on an iSeries IBM machine.
Does the version I run (1.4.10) include this possibility?
Do you have some example for it?



Not really, without seeing the command that is failing for you and the
expected result.

Adding the URL that points to the documentation you are referring to
would be best.

--
John Doe



Re: A key doesn't get imported from one of the keyservers

2021-08-04 Thread john doe via Gnupg-users

On 8/4/2021 10:35 AM, Werner Koch via Gnupg-users wrote:

On Tue,  3 Aug 2021 11:19, Vincent Breitmoser said:


Unlike the other keyservers, keys.openpgp.org has a [privacy policy] that
doesn't permit distributing email addresses without consent. The key


It is not a privacy policy but a serious misconception much like what
keyserver.com and PGP Universal Server did a long time ago.

The OpenPGP spec requires a User ID for the on-wire format of a public
key.  Any implementation which violates this rule is not OpenPGP
compliant.

The privacy argument on a user id is a layman's idea of the GDPR.  In
fact the key itself is not different from an IP address or mail address
and is in fact stronger personal data of a natural person than the
latter.

Note that out of reasons of data minimization I would suggest to create
new keys only with a mail address and not with any other data.  For
example posteo.de has such a rule for keys used on their platform;


If I understand correctly, the 'real name' and 'comment' should be left out.

1)  https://posteo.de/en/help/policies-for-public-keys#names

--
John Doe



Re: gpg --delete-keys --yes asks for confirmation

2021-08-02 Thread john doe via Gnupg-users

On 8/2/2021 11:02 PM, Yuri Kanivetsky via Gnupg-users wrote:

Hi,

```
$ gpg --delete-keys --yes 7D2BAF1CF37B13E2069D6956105BD0E739499BDB
gpg (GnuPG) 2.2.29; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa4096/105BD0E739499BDB 2016-11-11 Piotr Kuczynski


Delete this key from the keyring? (y/N)
```

Is this a bug or a feature? If the latter, why? How do I delete a key
from a script?



By using the '--batch' option:

$ gpg --dry-run --batch --delete-keys --yes 7D2BAF1CF37B13E2069D6956105BD0E739499BDB


Note that this e-mail is folded by my mailer.

--
John Doe



Re: Call me crazy, but ...

2021-07-15 Thread john doe via Gnupg-users

On 7/15/2021 12:51 AM, Стефан Васильев via Gnupg-users wrote:

Brandon Anderson wrote:

Andrew Gallagher wrote:

On 14 Jul 2021, at 18:34, Стефан Васильев via Gnupg-users
 wrote:

Viktor wrote:


Is 'Стефан Васильев ' the same person that was
banned from this very list a few months back?

It looks like I'm seeing the same stuff as before.

--
John Doe


Re: Multiple Yubikeys/Smartcards and Thunderbird email client

2021-07-15 Thread john doe via Gnupg-users

On 7/15/2021 12:24 PM, Ingo Klöcker wrote:

On Donnerstag, 15. Juli 2021 03:22:47 CEST Brandon Anderson via Gnupg-users
wrote:

I have several Yubikeys and smartcards in my setup, each with its own
signing subkeys, and I use these, among other things, to sign email
messages. Whenever I want to send an email on thunderbird, it demands a
specific smartcard by serial number for email signing and will refuse to
use the smartcard/Yubikey plugged into the system.


Which version of gpg are you using? If you are not using 2.3, then please
retry with gpg 2.3.1. Support for multiple smartcards was significantly
improved in 2.3.



Is this still relevant with the built-in gpg stuff of TB?

--
John Doe



Re: Command line decryption/encryption

2021-06-24 Thread john doe via Gnupg-users

On 6/23/2021 3:31 PM, Terry Pierce wrote:

Hi,

Let me start off with I am totally new to GPG/Kleopatra.  We use different 
encryption tools here and one of our clients uses GPG.  I have already 
automated the processing of files using our tool and now have a need to build 
in a call to handle the decryption of these files.

Looking online, I get the basic usage:  gpg -d myfile.dat.gpg

Two questions:

* I don't see the GPG (GGP4win?) executable anywhere in the GPG4Win 
folders.  How do I generate it?



The executable is in the subdirectory 'bin' as 'gpg.exe'.


* Is there a way to pass any passphrase/key to it on the command line?



I would not do that but if I'm not mistaken you could use a file
descriptor instead of specifying a password on the command line.

A better idea is to use a file that contains the passphrase if you need
to automate en/decryption, or to use the agent.

--
John Doe

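The file-descriptor approach the answer points at, as an added example that is not code from this thread: `--batch` to suppress prompts, `--pinentry-mode loopback` so no dialog is needed, and `--passphrase-fd 3` with the passphrase coming from a private file attached to fd 3, so it never appears on the command line or in `ps`. It is exercised in a throwaway GNUPGHOME with constructed data; gpg >= 2.1 with `gpgconf` and all file names are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread): running gpg unattended without
# putting the passphrase on the command line. --batch suppresses all
# prompts, --pinentry-mode loopback makes gpg take the passphrase from
# the caller instead of a pinentry dialog, and --passphrase-fd 3 reads it
# from file descriptor 3, which the caller attaches to a mode-0600 file.
# Nothing secret appears in `ps` output or shell history that way.
# Assumptions: gpg >= 2.1 with gpgconf; every file name below is made up.

# Symmetrically encrypt $1 to $2; the passphrase is the first line of file $3.
gpg_encrypt_symmetric() {
  gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 3 \
      --symmetric --output "$2" "$1" 3< "$3"
}

# Decrypt $1 to $2 the same way. The exit status is gpg's own, so it is
# non-zero for a wrong passphrase or a corrupted file and callers can branch.
gpg_decrypt() {
  gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 3 \
      --decrypt --output "$2" "$1" 3< "$3"
}

# Round trip in a throwaway GNUPGHOME with constructed data. Returns 0 when
# the decrypted file equals the original AND a wrong passphrase is rejected.
batch_roundtrip_demo() {
  tmp=$(mktemp -d) || return 1
  GNUPGHOME="$tmp/home"; export GNUPGHOME
  mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
  printf 'constructed plaintext for the batch example\n' > "$tmp/plain.txt"
  # Constructed passphrase files; umask 077 keeps them private to this user.
  ( umask 077
    printf 'correct-passphrase\n' > "$tmp/pass.txt"
    printf 'wrong-passphrase\n' > "$tmp/wrong.txt" )
  rc=1
  if gpg_encrypt_symmetric "$tmp/plain.txt" "$tmp/plain.txt.gpg" "$tmp/pass.txt" &&
     gpg_decrypt "$tmp/plain.txt.gpg" "$tmp/out.txt" "$tmp/pass.txt" &&
     cmp -s "$tmp/plain.txt" "$tmp/out.txt" &&
     ! gpg_decrypt "$tmp/plain.txt.gpg" "$tmp/bad.txt" "$tmp/wrong.txt" 2>/dev/null
  then
    rc=0
  fi
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$tmp"
  return "$rc"
}

# Usage: . ./gpg-batch.sh && batch_roundtrip_demo && echo "round trip OK"
```

The same `--batch --pinentry-mode loopback --passphrase-fd` trio works for `--decrypt` of files encrypted to a key whose secret key the agent holds; for a fully unattended box the alternative the answer mentions, a running gpg-agent with the secret key already usable, avoids keeping a passphrase file on disk at all.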


Re: Follow-up on L'Affaire Stallman

2021-04-08 Thread john doe via Gnupg-users

On 4/8/2021 5:19 PM, Robert J. Hansen via Gnupg-users wrote:

If anyone in the community has strong feelings about the FAQ -- what
should go in, what should be left out, etc. -- now's the time.



The only thing that I can say is that I would rather see a FAQ that
reflects the current implementation of GPG than an out-of-date FAQ for
lack of user consensus (1).

EG:

Due to a lack of consensus, the FAQ was never updated to reflect that
'3072' is now the default in GPG.


That is to say, in my view a FAQ that explains clearly how to use
GPG is somewhat more important than community feedback.
A statement to that effect could be added at the top of the page,
describing why this way was chosen.


1)  https://lists.gnupg.org/pipermail/gnupg-users/2021-March/064974.html

--
John Doe



Re: We shall value email usage

2021-03-25 Thread john doe via Gnupg-users

On 3/25/2021 12:34 PM, Klaus Ethgen wrote:

Hi,

Am Do den 25. Mär 2021 um 11:51 schrieb Bernhard Reiter:

To me the protected headers implementation in Thunderbird is a step back,
as it leads to unnecessary data leaks (subject and cc) to other clients
which are OpenPGP/MIME compatible.


Well, there is other..

For example, if you start editing a mail with thunderbird and put it to
drafts. Then finishing the edit with mutt. This will leak the following
headers:
- user-agent
- x-mailer
- x-mozilla-draft-info
- x-enigmail-draft-status
- x-account-key
- x-identity-key
- fcc

Even when sending mails just from thunderbird, it leaks at least the
user-agent header.

Currently I have configured my MTA to remove those headers for outgoing mails.


You can disable the usage of the user-agent header in TB; one can only hope for
the others as well.

--
John Doe



Re: [EXT] Best practices for obtaining a new GPG certificate

2021-03-18 Thread john doe via Gnupg-users

On 3/18/2021 2:39 PM, Andreas K. Huettel wrote:

https://www.gentoo.org/glep/glep-0063.html
https://wiki.gentoo.org/wiki/Project:Infrastructure/Generating_GLEP_63_based_OpenPGP_keys



Reading the URLs given by the OP, I see that the GPG FAQ (1) talks about
a default of '2048' but in the latest (2.2.17) release of GPG it looks
like the default is now '3072':

gpg --expert --full-gen-key
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key
  (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072)


Am I missing something?


1)  https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096

--
John Doe



Re: [EXT] Best practices for obtaining a new GPG certificate

2021-03-18 Thread john doe via Gnupg-users

On 3/18/2021 10:21 AM, Andreas K. Huettel wrote:

Hi David,

when Gentoo switched to requiring gpg-signed git commits and pushes, we put
some thought into requirements and best practices. Minus the Gentoo-specific
parts, this is probably good reading:

https://www.gentoo.org/glep/glep-0063.html
https://wiki.gentoo.org/wiki/Project:Infrastructure/
Generating_GLEP_63_based_OpenPGP_keys

>

On the pages, I get 'There is currently no text in this page. You can
search for this page title in other pages, or ...'.
Am I missing something?

--
John Doe



Re: Verifying and checksumming new release is somewhat cumbersome

2020-12-02 Thread john doe via Gnupg-users

On 11/29/2020 12:53 PM, Werner Koch wrote:

On Sat, 28 Nov 2020 07:57, john doe said:


If I look at Debian (1) for example, the checksum file is gpg signed.
Assuming that I understand correctly, the Debian approach is not a safe
way to make the checksums available/propagated?


No, that is a safe way.

Having a separate file with checksums is sometimes better for the
signing workflow.  It also allows to sign/verify a bunch of files with
just one operation.  It also avoids the need to download and upload all
files to a dedicated signing box.  Only since GnuPG 2.2 the latter could
be handled using gpg-agent's remote feature.



Interesting, just to be sure, you are referring to the option below from (1)?:

"--extra-socket name"


Is the release workflow documented somewhere so a non-dev could look into
implementing this?


In other words, is it worth considering such a move?

1)
https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html#Agent-Options

--
John Doe



Re: Verifying and checksumming new release is somewhat cumbersome

2020-11-27 Thread john doe via Gnupg-users

On 11/26/2020 9:10 PM, Werner Koch wrote:

Hi,

and thanks for asking.



Thanks for this.

To be sure that I understand you correctly, I took the liberty of
rewording your answers.


On Thu, 26 Nov 2020 19:12, john doe said:


Is there a URL to download those sha1sums and those public keys as files?


The problem with sha1sums is that a single publication would be easy to
fake.  The only known countermeasure is to widely distribute them.  We
do have them on the website as you noticed, they are sent out by signed
mail to several thousand subscribers, and our and other mail archives
carry the release announcement with the checksums.



If I look at Debian (1) for example, the checksum file is gpg signed.
Assuming that I understand correctly, the Debian approach is not a safe
way to make the checksums available/propagated?


No, there is no single file with the checksums because that would be a
too easy target for an attacker.



Even if the file would be gpg signed?


and for the public key I could do something like:

$ wget 
$ gpg --import 
$ gpg --verify *.sig


And please check the printed fingerprint against copies of the
fingerprint distributed in the same way as the checksums.  The keys are
also quite well connected in the Web-of-Trust, which can also help to
validate them.



You mean by checking if the  fingerprint of the downloaded keys match
the one listed on the web site?


The advantage of the public keys and the fingerprints is that they do
not change and thus you only need to validate them once and sign
the keys so that you can trust them in the future.



Okay, if the fingerprints match I should sign the keys with mine.


I understand that for this last step I could also do:

$ gpg --keyserver-options auto-key-retrieve --verify *.sig


Don't.  For verification always use

gpg --verify file.sig file



Okay, won't do that anymore.


and check the output well.  If you need to automate this, use gpgv and
put all the trusted signing keys into a dedicated keyring.  For
automating this with gpg, I would suggest to write a gpgme based tool.



If I want to verify a new release:
- Manually: take advantage of gpgv
- Unattended: use a wrapper around gpgme


Your input is much appreciated.

1)  https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/

--
John Doe



Verifying and checksumming new release is somewhat cumbersome

2020-11-26 Thread john doe via Gnupg-users

Hello all,

I see that at (1) and (2) the public keys block and the sha1sums
respectively are listed on their corresponding page.

Is there a URL to download those sha1sums and those public keys as files?

That is for checksumming I could simply do:

$ wget 
$ sha1sum -c  --ignore-missing

and for the public key I could do something like:

$ wget 
$ gpg --import 
$ gpg --verify *.sig

I understand that for this last step I could also do:

$ gpg --keyserver-options auto-key-retrieve --verify *.sig


Any feedback is appreciated.

P.S.

If I can I'll be more than happy to help tweaking the release process in
that regard.


1)  https://gnupg.org/download/integrity_check.html
2)  https://gnupg.org/signature_key.html

--
John Doe

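The verification workflow Werner lays out in the replies to this question (a dedicated gpgv keyring holding only the release-signing keys, validated by fingerprint once, then the checksum file), as an added example that is not code from the thread or from the GnuPG project. It assumes gpg, gpgv and GNU coreutils on the path; the signing key, file names and release data are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the GnuPG project: the verification
# workflow Werner describes, in two steps. Step 1 checks the signature on
# the checksum file with gpgv against a dedicated keyring that holds only
# the release-signing keys (validated by fingerprint once). Step 2 checks
# the downloaded files against the now-trusted checksum file. File names,
# the keyring path and the demo key are assumptions; demo data is constructed.

# Step 1. gpgv treats every key in the given keyring as trusted, so the
# keyring must contain only keys whose fingerprints were verified out of
# band (e.g. against the fingerprint published on the project's website).
verify_checksum_signature() {
  # $1 = keyring file, $2 = detached signature, $3 = signed checksum file
  gpgv --quiet --keyring "$1" "$2" "$3" 2>/dev/null
}

# Step 2. --ignore-missing checks only the files actually present, but an
# altered file still fails, and GNU coreutils also fails when nothing at
# all was verified (a typo in the file name cannot pass silently).
check_sums() {
  # $1 = directory holding the files, $2 = checksum file, $3 = sha1sum|sha256sum
  ( cd "$1" && "$3" -c --ignore-missing --quiet "$2" ) >/dev/null 2>&1
}

# Full flow: do not even look at the checksums until their signature is good.
verify_release() {
  dir=$1; keyring=$2; sums=$3; tool=$4
  verify_checksum_signature "$keyring" "$dir/$sums.sig" "$dir/$sums" || return 2
  check_sums "$dir" "$sums" "$tool" || return 3
}

# Demo of step 2 alone with constructed files: a good tree passes, and the
# same tree fails after one byte of the tarball changes. Returns 0 if both hold.
check_sums_demo() {
  tmp=$(mktemp -d) || return 1
  printf 'constructed release bytes\n' > "$tmp/gnupg-0.0.tar.bz2"
  ( cd "$tmp" && sha1sum gnupg-0.0.tar.bz2 > SHA1SUMS )
  good=1; check_sums "$tmp" SHA1SUMS sha1sum || good=0
  printf 'x' >> "$tmp/gnupg-0.0.tar.bz2"
  caught=0; check_sums "$tmp" SHA1SUMS sha1sum || caught=1
  rm -rf "$tmp"
  [ "$good" = 1 ] && [ "$caught" = 1 ]
}

# Demo of the full flow: generate a throwaway signing key in a temporary
# GNUPGHOME, export it into a dedicated keyring, sign SHA1SUMS, verify with
# gpgv, and confirm a tampered SHA1SUMS is rejected. Needs gpg and gpgv.
signed_release_demo() {
  tmp=$(mktemp -d) || return 1
  GNUPGHOME="$tmp/home"; export GNUPGHOME
  mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
  uid='Release Signer (constructed) <release@example.invalid>'
  printf 'constructed release bytes\n' > "$tmp/gnupg-0.0.tar.bz2"
  ( cd "$tmp" && sha1sum gnupg-0.0.tar.bz2 > SHA1SUMS )
  rc=1
  if gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
         --quick-gen-key "$uid" default default never 2>/dev/null &&
     gpg --batch --quiet --export "$uid" > "$tmp/release-keyring.gpg" &&
     gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
         --detach-sign --output "$tmp/SHA1SUMS.sig" "$tmp/SHA1SUMS" 2>/dev/null &&
     verify_release "$tmp" "$tmp/release-keyring.gpg" SHA1SUMS sha1sum &&
     printf '\n' >> "$tmp/SHA1SUMS" &&
     ! verify_release "$tmp" "$tmp/release-keyring.gpg" SHA1SUMS sha1sum
  then
    rc=0
  fi
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$tmp"
  return "$rc"
}
```

The order matters: checking sums before the signature proves nothing, because an attacker who can swap the tarball can swap the unsigned SHA1SUMS next to it. Keeping the keyring separate from the personal keyring is what makes gpgv's "every key here is trusted" model safe.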


Re: cannot verify .sig

2020-11-08 Thread john doe via Gnupg-users

On 11/7/2020 6:55 PM, pavel hora via Gnupg-users wrote:

Hi,
I would like to use GPG to verify installation files (True Crypt this time to be
specific) that come with a signature .sig and PGP public key .asc.


You should use veracrypt instead.


I have installed GPG 4 Win 3.1.13.
I have imported the public key. I have tried to verify the .exe with .sig, but
Kleopatra tells me the public key is not certified, so I try to certify it
myself, but I need my own key pair for that. So I try to build it, only it ends
with error, because "No agent running".
Now I assume that these issues happen because I prevent Kleopatra or GPG from
accessing the net, but then again, why should it do so for the tasks specified
above? I have used PGP in the past, long time ago, and it was always offline.
So my question is - can I still use GPG to check the signature of the file, pls?
And perhaps, why does GPG so desire the net access for my tasks?


Does it work if you do:

$ gpg --verify <*.sig>

--
John Doe



Re: Five volunteers needed (EU only please)

2020-10-05 Thread john doe

On 10/5/2020 6:17 PM, Stefan Claas wrote:

Konstantin Ryabitsev wrote:


On Mon, Oct 05, 2020 at 05:37:57PM +0200, Stefan Claas wrote:


Why I came up with this idea? Well I thought of a way to send private content
digitally, without Internet usage, so that 3rd parties outside the EU have it
difficult to intercept such messages, in order to protect EU businesses and to
show the young generation that local postal services should be supported, in
favor of a globally surveilled Internet.


Wouldn't using NFC chips be counter to this goal? It's extremely easy to
identify the presence of NFC chips, such that an agency could easily
scan entire bags of mail to identify if there are any present.


Yes, it is possible. However we have in Germany for example additional postal
services (PIN AG) one could use locally and I doubt (while I do not know)
that TLAs or LEAs currently require them to collect such data.



You can't assume that this is also the case for other countries if you
are looking for EU contributors.


I must also say that I don't understand how this is related to this list.

--
John Doe



Re: Documentation.

2020-07-23 Thread john doe

On 7/23/2020 1:44 AM, Ayoub Misherghi via Gnupg-users wrote:

Hi,


I find documentation lacking, both free and commercial. Are there any efforts to
remedy this?

If I am wrong, can anybody please show me where I can get a good tutorial and
good reference material please?



What are you looking for that is not online?

--
John Doe



Re: WKS server problems

2020-03-23 Thread john doe
On 3/23/2020 5:21 PM, Andrew Gallagher wrote:
> On 23/03/2020 15:58, john doe wrote:
>> $ gpg --version
>> gpg (GnuPG) 2.1.18
>> libgcrypt 1.7.6-beta
>>
>> Is it not working because of a too old release?
>
> Yes, that's FAR too old. :-) You need to dist-upgrade to buster.
>

I'll go back to using haveged then as I need to generate a gpg key for
testing purposes on this VM.

I thought that 'only-urandom' could be used as a replacement for haveged
on this Stretch VM; looks like I misunderstood when to use this option.

--
John Doe



Re: WKS server problems

2020-03-23 Thread john doe
On 3/23/2020 1:01 PM, Werner Koch wrote:
> On Mon, 23 Mar 2020 10:16, john doe said:
>
>> Thank you Werner, I wrapped the above as an one liner:
>
> This is even easier.
>
> $ mkdir -p /etc/gcrypt && echo only-urandom>/etc/gcrypt/random.conf
>
> The '#' lines are merely comments to show which other options are
> available.
>
>
> Shalom-Salam,
>

Actually, I just reinstalled the Stretch VM in question to test the
above option and I'm back to square one.

$ gpg --version
gpg (GnuPG) 2.1.18
libgcrypt 1.7.6-beta


Is it not working because of a too old release?

--
John Doe



Re: WKS server problems

2020-03-23 Thread john doe
On 3/22/2020 8:55 PM, Werner Koch via Gnupg-users wrote:
> On Sun, 22 Mar 2020 12:36, Andrew Gallagher said:
>> On 22/03/2020 05:38, john doe wrote:
>>> Do you have enough entropy on the VM?
>>
>> Argh, thank you. I thought I had enough entropy because monkeysphere
>> created its trust root without issue, but installing haveged did fix the
>> problem.
>
> You might be better off using this:
>
> --8<---cut here---start->8---
> $ cat /etc/gcrypt/random.conf
> # Options for the random generator
>
> # We don't trust the Jitter based thing -  do not use it.
> #disable-jent
>
> only-urandom
>
> --8<---cut here---end--->8---
>
> instead of the very brittle and CPU dependent haveged.  On any decent
> Linux urandom is good enough.  Right at some early boot stages and on a
> fresh or not properly shutdown system, it might have too little entropy.
> But if you have such concerns you should anyway use the latest Libgcrypt
> which does not only mix in RDRAND but also entropy from its own
> JitterRNG.
>

Thank you Werner, I wrapped the above as a one-liner:

$ mkdir -p /etc/gcrypt && printf "# Options for the random generator\n#\n# https://lists.gnupg.org/pipermail/gnupg-users/2020-March/063372.html\n#\n# We don't trust the Jitter based thing -  do not use it.\n#disable-jent\n\nonly-urandom\n" > /etc/gcrypt/random.conf


Note that this e-mail is folded by my mailer.

--
John Doe



Re: monkeysign removal from bullseye

2020-03-22 Thread john doe
On 3/22/2020 5:42 PM, Andrew Gallagher wrote:
> On 22/03/2020 05:31, Michał Górny wrote:
>> Gentoo has removed it back in 2018.  It says:
>>
>> | Please use caff from app-crypt/signing-party instead.
>>
>> Maybe that's an option for you as well.
>
> Not really. Monkeysign is a caff replacement, not the other way around.
> And monkeysign's GUI, monkeyscan, is the real killer app. I know of
> nothing comparable.
>

I might be missing the point here but why don't you simply use a Buster
VM for monkeysign?

Also, monkeysign is convenient but you can do it yourself as well! :)

--
John Doe


Re: WKS server problems

2020-03-21 Thread john doe
On 3/22/2020 12:30 AM, Andrew Gallagher wrote:
> Hi, all.
>
> I'm trying to follow the WKS instructions from the wiki[1] on a remote
> VM, but it hangs at the key generation stage:
>
> ```
> key-submission@keys1:~$ gpg --passphrase '' --batch --quick-gen-key
> "$SUBMISSION_ADDRESS"
>
>
> ^C
> gpg: signal Interrupt caught ... exiting
> ```
>
> There are no rogue pinentry processes in the `ps` list. I've tried
> pinentry loopback just in case, but to no avail.
>
> Any idea what's going on?
>
> gpg (GnuPG) 2.2.4
>
> [1] https://wiki.gnupg.org/WKS
>


Do you have enough entropy on the VM?

In a Stretch VM, I had to install 'haveged' to have enough entropy
otherwise it would hang for ages.

--
John Doe



Re: ed448 support in gpg?

2020-03-11 Thread john doe
On 3/11/2020 8:49 PM, Robert J. Hansen wrote:
>> In this situation, I just want to avoid creating a new key-pair as
>> long as possible and ed448 is likely to survive just a bit longer from
>> what I understand.
>
> Why is it so important your keypair be as long-lived as possible, when
> there's very little likelihood of you going for that long a period
> without a key compromise event?
>

You could also "transition" to a new key.

--
John Doe



Re: How to use reprepro (or anything really) over ssh?

2020-03-11 Thread john doe
On 3/11/2020 11:47 AM, Andrew Gallagher wrote:
> On 11/03/2020 10:07, Andrew Gallagher wrote:
>>
>> The evidence would suggest that pinentry-gnome3 v1.1.0-2 on Debian
>> blindly uses `:0` no matter what parameters are passed.
>
> As suggested by the stackoverflow answer here:
>
> https://superuser.com/a/1327409/244202
>
> I used update-alternatives to change pinentry-gnome3 to pinentry-gtk-2
> and sane behaviour is now observed.
>
> The linked ticket in the above answer is still open and has seen no
> activity in three years:
>
> https://dev.gnupg.org/T2818
>
>

Is it the same with pinentry-tty?

--
John Doe



Re: Different key pair for e-mail and signing code

2020-01-05 Thread john doe
On 1/4/2020 10:10 AM, Robert J. Hansen wrote:
>> Following my thread at (1), unless I'm missing something, it became
>> apparent that Enigmail/Thunderbird does not fit the bill anymore.
>
> It should be noted that Enigmail hasn't changed how it does anything.
>

No argument there, Patrick is doing an outstanding job with Enigmail.
I should have said that enigmail does not fit the bill for my needs
anymore, sorry about that.


>> My goal is to sign code and sign/encrypt e-mail but I'm not sure what's
>> the best way forward:
>
> We don't know, either.  It's going to depend on your own personal risk
> profile.
>
>> - Am I missing something/better approach
>
> If you want to segregate your code signing from your email, the best way
> to do that is with a second certificate -- not adding subkeys to your
> current one.
>
> Ask yourself this: how often have you noticed that my signed messages
> bear *two* signatures from *two* subkeys belonging to the same
> certificate?  I've been doing this for years and nobody's ever noticed.
>  (Or at least, nobody's ever mentioned it to me to ask why I'm doing
> something so weird.)
>
> So if you're depending on people ascribing special semantic value to
> which subkey is used -- honestly, I doubt people will ever even notice
> which subkey you're using.  It's simply not a use case that comes up
> very often, if ever.
>

From the answer in this thread, it looks like having two key pairs (one
for signing and one for e-mailing) is somewhat more flexible but this
approach is more complicated for the web of trust.

I guess I'll go with separate key pairs.

Thanks Robert for your answer in all my threads! :)

I'd like to also thank (1) for his answer, and (2) for his answer in an
other thread (3).

1)  Wiktor Kwapisiewicz 
2)  Konstantin Ryabitsev 
3)  https://lists.gnupg.org/pipermail/gnupg-users/2020-January/063190.html


--
John Doe



Different key pair for e-mail and signing code

2020-01-04 Thread john doe
Hello all,

Following my thread at (1), unless I'm missing something, it became
apparent that Enigmail/Thunderbird does not fit the bill anymore.


My plan is to use something like the following:

-
sec   rsa4096 2020-01-03 [C] [expires: 2020-01-04]
  3C5CFD620005347A62052A6B596CB80D30E8829D
uid   [ultimate] Firstname Lastname 
ssb   rsa4096 2020-01-03 [S] [expires: 2020-01-04]
ssb   rsa4096 2020-01-03 [S] [expires: 2020-01-04]
ssb   rsa4096 2020-01-03 [E] [expires: 2020-01-04]

With maybe more signing subkeys.


My goal is to sign code and sign/encrypt e-mail but I'm not sure what's
the best way forward:
- One key pair for e-mail (sign/encrypt) and another key pair for
signing code
- Finding a way to do what I want with only one key pair (multiple
signing subkeys and one encryption subkey)
- Am I missing something/a better approach?

For now I'm considering notmuch/sup to get what I want, it looks like
Mutt uses 'ncurses' which is not an option for me.

Any input is welcome

1)
https://admin.hostpoint.ch/pipermail/enigmail-users_enigmail.net/2020-January/005562.html


P.S.

By key pair, I mean private/public key.

--
John Doe



master key certify capability

2020-01-03 Thread john doe
Hi,

I use the following command to test my new key setup:

$ gpg --batch --passphrase '' --yes --quick-gen 'Firstname Lastname ' rsa4096 cert 1d &&
  for u in sign sign encrypt; do
    gpg --batch --passphrase '' --yes --quick-add-key \
      "$(gpg --with-colons -k test | awk -F: 'NR==3{print substr($2,1,length($2)-1)}')" \
      rsa4096 "$u" 1d || exit $?
  done

which gives the following:

$ gpg -K

-
sec   rsa4096 2020-01-03 [C] [expires: 2020-01-04]
  3C5CFD620005347A62052A6B596CB80D30E8829D
uid   [ultimate] Firstname Lastname 
ssb   rsa4096 2020-01-03 [S] [expires: 2020-01-04]
ssb   rsa4096 2020-01-03 [S] [expires: 2020-01-04]
ssb   rsa4096 2020-01-03 [E] [expires: 2020-01-04]


Is there any downside to having my master key with the certify capability
only?


In other words, is it required for the master key to have the sign and
certify capabilities?

--
John Doe

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Best way to get fingerprint programmatically

2019-12-18 Thread john doe
On 12/18/2019 10:56 AM, Andrew Gallagher wrote:
> On 18/12/2019 09:32, Werner Koch via Gnupg-users wrote:
>> The  -F:: is an interesting hack but Andrew's or my variant works
>> with all AWK implementations:
>>
>>awk -F: '$1=="fpr" {print $10}' | head -1
>
> Aha, I forgot about handling multiple results. Note that you don't need
> head if you're already using awk:
>
>   awk -F: '$1=="fpr" {print $10; exit}'
>

Thanks to both of you, I'll go with the awk version; that way, I can
avoid an unneeded pipe redirection! :)


By any chance, could something like the following be implemented?:

$ gpg -K --print-fingerprint-only test


This would only print the fingerprint, to avoid the awk redirection
altogether.

--
John Doe

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Best way to get fingerprint programmatically

2019-12-18 Thread john doe
Hi,

I'm using the following command to get the fingerprint to quickly change
the expiration date on a key.

$ gpg --quick-set-expire $(gpg --with-colons -k test | awk -F:
'NR==3{print substr($2,1,length($2)-1)}') 1d


I'm just wondering if there isn't a better, programmatic way to go
about it?

In other words, why does '--quick-set-expire' require a fingerprint and
not accept a .


Any input is welcome.

--
John Doe

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Android

2019-10-16 Thread john doe
On 10/16/2019 3:45 PM, Michał Górny via Gnupg-users wrote:
> On Wed, 2019-10-16 at 13:02 +0200, Daniel Bossert wrote:
>> Hi
>>
>> Is anybody using pgp on Android? I did some years ago, would like to, but am
>> afraid for security reasons.
>>
>> I have saved my keys on my laptop only.
>>
>> How are you handling it in ages of mobiles?
>>
>
> Get yourself a hardware key, and use that.  I've been successfully using
> USB NitroKey with OpenKeychain (for mail) and TermBot, though I admit
> it's not the most convenient solution.  FWIH, NFC keys are more
> convenient; that is, if someone considers it safe to keep NFC enabled
> with Google Pay installed.
>

On Android I use k9mail with openkeychain and one subkey which has only
the sign capability.
Using a subkey makes it possible to revoke only that subkey in case of
loss or theft, without having to revoke your whole key.

--
John Doe

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: How to improve our GUIs (was: We have GOT TO make things simpler)

2019-10-07 Thread john doe
> Hi
>
>
> On Monday 7 October 2019 at 9:15:54 AM, in
> , john doe wrote:-
>
>
>> would it be possible to add the ability to
>> checksum the binaries?
>
> When a new GnuPG version is announced, there are checksums in the
> announcement. For example, see https://gnupg.org/index.html#sec-3-2.
>

To summarize:

- Checksumming a file ensures that the file has not been corrupted
- Verifying a file ensures that the file has not been tampered with

Ideally, both steps are to be done.


To download gnupg:

https://gnupg.org/download/index.html

To checksum gnupg files you will find the checksums in the announcement
e-mail, which can be found at:

https://gnupg.org/index.html#sec-3-2

For example, the checksums for 2.2.17 are to be found at:

https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html

To download gpg4win:

https://gpg4win.org/download.html


Thanks to "Werner Koch wk at gnupg.org" and "MFPA
<2017-r3sgs86x8e-lists-gro...@riseup.net>" for the help.

--
John Doe

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: How to improve our GUIs

2019-10-07 Thread john doe
On 10/7/2019 12:03 PM, Werner Koch wrote:
> On Mon,  7 Oct 2019 10:15, john doe said:
>
>> In the above link, only the cli version of the 1.4 release is available.
>> I got it from (1).
>
> Nope.   That is always the current 2.2.
>

Yes, it is there; somehow I missed it! :)

Maybe adding something like the following would avoid such confusion in
the future:

"A frontend for GPG is available in the 'gpg4win' executable; this is a
CLI-only release."

--
John Doe

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: How to improve our GUIs (was: We have GOT TO make things simpler)

2019-10-07 Thread john doe
Hi, thanks for your answer.

> Hi
>
>
> On Saturday 5 October 2019 at 7:05:55 PM, in
> , john doe wrote:-
>
>
>> In other words, how can I only install the command
>> line version of GPG on
>> Windows.
>
> At https://gnupg.org/download/index.html#sec-1-2 there's a link to
> download "Simple installer for the current GnuPG" (and a link to
> a signature file to check integrity of the installer file).
>
>

In the above link, only the cli version of the 1.4 release is available.
I got it from (1).

As far as I can tell, at (1) there is no way to checksum the downloaded
files; would it be possible to add the ability to checksum the binaries?
Ideally, all binaries would be checksummed in a file and that file would
also be gpg signed.


1)  https://gnupg.org/ftp/gcrypt/binary/

--
John Doe

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: How to improve our GUIs (was: We have GOT TO make things simpler)

2019-10-05 Thread john doe
On 10/5/2019 6:54 PM, Werner Koch via Gnupg-users wrote:
> On Mon, 30 Sep 2019 10:58, Roland Siemons said:
>
>> 4/ Here is my proposal:
>> 4.1/ Stimulate that people use a GUI like GPA or Kleopatra. Not Enigmail,
>
> Enigmail folks won't like that suggestion.  Users need to install a
> second tool which behaves different (because Enigmail implements parts
> of GnuPG on its own).
>
> I agree with you and, although I sometimes hack on GPA, I would suggest
> Kleopatra.  On Windows Kleopatra and the Explorer plugin do actually do
> what you suggest and we have LOTS of folks using Gpg4win.  Be it for plain
> file encryption or for its Outlook plugin.
>
>> 4.2/ Ensure that, when generating a keypair, GnuPG creates one directory
>> "Secretkeys", and one directory "Publickeys". Make GnuPG to store the public
>> part and the secret part separately in those directories. If GnuPG needs also
>> keypairs in a single file, store that under Secretkeys.
>
> Those are all internals of GnuPG (except for the revocations directory)
> and should not be touched by most users.  The problem is that there are
> so many howtos and tutorials floating around which suggest to modify
> this or that or to do that.  In most cases this is not appropriate.
> gpg --import and --export are the interfaces which users need to know
> about - iff they really want to use the gpg _tool_.  See your first point.
>
>> 4.3/ Get rid of the confusing menu/Exportkeys/ vs. menu/Exportsecretkey. etc.
>
> Exporting public keys is an important operation for everyone and thus it
> needs to be prominent.  Exporting secret keys should come with a strong
> warning or better be removed and replaced by a sync-with-other-device
> feature.
>
> If you have concrete suggestions for Kleopatra, I am sure Andre will
> listen to you.  For GPA it is unlikely that we put a lot of work into it -
> it is these days mostly a test bench for my changes to GPGME.
>

Given that, wouldn't it be better to remove GPA altogether from Gpg4win?


As an aside, I don't use Kleopatra at all; is there any way to install
Gpg4win without Kleopatra?

In other words, how can I install only the command line version of GPG on
Windows?

--
John Doe

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Info for GnuPG users which have a keybase account

2019-09-10 Thread john doe
On 9/10/2019 6:00 PM, Stefan Claas via Gnupg-users wrote:
> Hi all,
>
> slightly OT, but since some of you are on keybase I would
> like to inform you about a current promo from Stellar Network
> running on keybase.
>
> https://keybase.io/a/i/r/d/r/o/p/spacedrop2019
>
> I received yesterday my free Lumens, currently worth $21.29 USD :-)
>

Who are you, anything to disclose?


I don't think this is appropriate to advertise on this list.

--
John Doe

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Forward entire gnupg $HOME

2019-09-05 Thread john doe
On 9/4/2019 10:41 PM, Andre Klärner wrote:
> Hi all,
>
> is there a way to properly share the entire keyring and trust settings
> between two machines?
>
> My use case is the following:
>
> Mutt, my email client, runs on a containerized mailserver on another machine
> right under my desk.
>
> My GPG key is stored on a Yubikey attached to my workstation (another
> physical machine compared to the mailserver's host system)
>
> I usually use my workstation to do everything, but since I can't access my
> mailbox via NFS anymore (different story), I resorted to sshing into my
> email server, and doing all the mailing needs right there, locally.
>
> My Yubikey also is used as the SSH key for everything, and hence plugged
> into my workstation.
>
> After following https://wiki.gnupg.org/AgentForwarding and battling with
> the autostarting gpg-agent (fixed with no-autostart in the remote system's
> gpg.conf), masking all but the dirmngr systemd socket and service units, and
> struggling with the removal of /run/user/1000/gnupg on logout, I finally
> got it to work. (Nice how the last one doesn't matter, if dirmngr.socket is
> enabled.)
>
> Now I have another problem: my main machine knows all my internet friend's
> keys, my mailserver not. I can of course gpg --export, scp and gpg --import,
> but that is nothing scalable and needs to be repeated over and over again
> when anything changes.
>
> Do I expect too much, or is this simply and typically an invalid use case?
> Is there a simpler way to configure a remote GPG just for a session, so
> that it uses another socket to connect to the gpg-agent (I also sign git
> commits, sometimes with etckeeper even on remote machines).
>

The obvious solution would be to use mutt on your workstation! :)
I would also use one signing key per device on which you need to sign
commits/tags/...
That way, if one device is compromised, you simply revoke that subkey.

Sorry for not directly answering your question!

--
John Doe

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: "There's always light..........."

2019-08-16 Thread john doe
On 8/16/2019 10:53 AM, David wrote:
> Hi All,
>
> Many moons ago I added the line "there's always light at the end of the
> tunnel" in my postmaster key pair.
>
> But when creating my new keys - I'd completely forgotten how to do this.
> I read the GPG Manual and could find no reference to this.
>
> Am wondering now that I've created the keys - can I add a comment? If so
> what is the command??
>

Have a look here:

https://security.stackexchange.com/questions/67796/adding-a-comment-to-pgp-mail-signature-files


A better comment would be the URL where to download your public key.


If you are talking about the comment in your UID, you would need to
create a new UID to do that, but you are better off without the one that
you want to use, or without a comment altogether.

--
John Doe

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: new to GPG: "gpg: Fatal: zlib inflate problem: invalid code lengths set"

2019-07-24 Thread john doe
On 7/24/2019 6:38 PM, Lentes, Bernd wrote:
>
>
> - On Jul 24, 2019, at 5:58 PM, john doe johndoe65...@mail.com wrote:
>
>
>
>>>
>>
>> Quoting your original e-mail:
>>
>> "i'm new to GPG, so please excuse asking silly questions.
>> I managed to create my keys with "gpg2 --gen-key"
>> I wrote an e-Mail to ad...@gnupp.de with the subject "Mein öffentlicher
>> Schlüssel", which is german for "my public key".
>> Shortly thereafter i got an encrypted response which, i assume, i have to
>> decrypt with my private key.
>> I pasted the encrypted stuff into a file and then tried to decrypt:
>>
>> gpg2 -d nachricht.txt
>>
>> I've been asked for the passphrase for my private key which i entered,
>> but then
>> i got the following error:
>>
>> gpg: encrypted with 2048-bit RSA key, ID F742DB29, created 2019-07-23
>>  "Bernd Lentes (Helmholtz GPG Schluessel)
>> "
>> gpg: Fatal: zlib inflate problem: invalid code lengths set
>>
>> The file has a size of 68 KB, could that be the culprit ?"
>>
>> Now addressing what I think is the culprit:
>> You encrypt your e-mail with the public key of the recipient.
>> When you are the recipient of an encrypted e-mail, the sender needs your
>> public key to be able to encrypt the e-mail that will be sent to you.
>> You, the recipient, will use your private key to decrypt this e-mail.
>>
>
> That's exactly what i did.
> I sent my Public key to ad...@gnupp.de, which is a german project for GPG,
> and the server and adele are for practicing.
> Adele took my public key and sent me an e-Mail with some text and her public 
> key,
> so i should be able to decrypt that with my private key.
>
> I don't have a plugin for my e-Mail-program because i just use the 
> webinterface of the e-Mail-Server.
>
>

In addition to "Andrew Gallagher "'s answer:

Can't you use IMAP/POP3 to access your e-mail and SMTP to send your
e-mail (1, my German is not that great)?

1)
https://docplayer.org/2073295-Neue-e-mail-einstellungen-fuer-pop3-und-imap-benutzer.html

--
John Doe

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: new to GPG: "gpg: Fatal: zlib inflate problem: invalid code lengths set"

2019-07-24 Thread john doe
On 7/24/2019 5:20 PM, Lentes, Bernd wrote:
>
>
> - On Jul 24, 2019, at 12:15 PM, john doe johndoe65...@mail.com wrote:
>>> I sent a cleartext e-Mail with my public key to ad...@gnupp.de (which is an
>>> automated system for practicing encryption and decryption)
>>> and i got an answer which is encrypted. I think it's encrypted with my 
>>> public
>>> key so i should be able
>>> to decrypt it with my private key. That's what i tried. But i got the 
>>> message
>>> while decrypting:
>>>
>>> gpg: encrypted with 2048-bit RSA key, ID F742DB29, created 2019-07-23
>>>  "Bernd Lentes (Helmholtz GPG Schluessel) 
>>> "
>>> gpg: Fatal: zlib inflate problem: invalid code lengths set
>>>
>>> What does this message mean ?
>>>
>>>
>>
>> I might be wrong here, but I would use the built-in GPG capability in my
>> e-mail client to decrypt the encrypted e-mail.
>>
>>
>> Do you have the same error if you encrypt and decrypt a file?
>
> I just tried it and it worked like a charm with a file.
>

Quoting your original e-mail:

"i'm new to GPG, so please excuse asking silly questions.
I managed to create my keys with "gpg2 --gen-key"
I wrote an e-Mail to ad...@gnupp.de with the subject "Mein öffentlicher
Schlüssel", which is german for "my public key".
Shortly thereafter i got an encrypted response which, i assume, i have to
decrypt with my private key.
I pasted the encrypted stuff into a file and then tried to decrypt:

gpg2 -d nachricht.txt

I've been asked for the passphrase for my private key which i entered,
but then
i got the following error:

gpg: encrypted with 2048-bit RSA key, ID F742DB29, created 2019-07-23
  "Bernd Lentes (Helmholtz GPG Schluessel)
"
gpg: Fatal: zlib inflate problem: invalid code lengths set

The file has a size of 68 KB, could that be the culprit ?"

Now addressing what I think is the culprit:
You encrypt your e-mail with the public key of the recipient.
When you are the recipient of an encrypted e-mail, the sender needs your
public key to be able to encrypt the e-mail that will be sent to you.
You, the recipient, will use your private key to decrypt this e-mail.

That having been said, as far as I know, you need to configure your
e-mail client (TB/Enigmail, Mutt ...) to do that for you.


In other words, the encrypted stuff should not be pasted into the file
"nachricht.txt".

--
John Doe

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: new to GPG: "gpg: Fatal: zlib inflate problem: invalid code lengths set"

2019-07-24 Thread john doe
On 7/24/2019 11:52 AM, Lentes, Bernd wrote:
>
> - On Jul 24, 2019, at 2:56 AM, David da...@gbenet.com wrote:
>
>> Lentes, Bernd:
>>> Hi ML,
>>>
>>> i'm new to GPG, so please excuse asking silly questions.
>>> I managed to create my keys with "gpg2 --gen-key"
>>> I wrote an e-Mail to ad...@gnupp.de with the subject "Mein öffentlicher
>>> Schlüssel", which is german for "my public key".
>>> Shortly thereafter i got an encrypted response which, i assume, i have to
>>> decrypt with my private key.
>>> I pasted the encrypted stuff into a file and then tried to decrypt:
>>>
>>> gpg2 -d nachricht.txt
>>>
>>> I've been asked for the passphrase for my private key which i entered, but 
>>> then
>>> i got the following error:
>>>
>>> gpg: encrypted with 2048-bit RSA key, ID F742DB29, created 2019-07-23
>>>   "Bernd Lentes (Helmholtz GPG Schluessel) 
>>> "
>>> gpg: Fatal: zlib inflate problem: invalid code lengths set
>>>
>>> The file has a size of 68 KB, could that be the culprit ?
>>>
>>> Bernd
>>>
>>
>> The simple rules are as follows:
>>
>> (1) You encrypt to another person's public key
>> (2) You decrypt with your private key
>>
>
> Hi David,
> thanks for your response.
> I know these simple rules.
>
>> That's it!
>>
>> You can sign your emails - this means no one can tamper with them whilst
>> in transit - if it was tampered with then there's an error in the check
>> sum of the message.
>>
>
> I sent a cleartext e-Mail with my public key to ad...@gnupp.de (which is an 
> automated system for practicing encryption and decryption)
> and i got an answer which is encrypted. I think it's encrypted with my public 
> key so i should be able
> to decrypt it with my private key. That's what i tried. But i got the message 
> while decrypting:
>
> gpg: encrypted with 2048-bit RSA key, ID F742DB29, created 2019-07-23
>  "Bernd Lentes (Helmholtz GPG Schluessel) 
> "
> gpg: Fatal: zlib inflate problem: invalid code lengths set
>
> What does this message mean ?
>
>

I might be wrong here, but I would use the built-in GPG capability in my
e-mail client to decrypt the encrypted e-mail.


Do you have the same error if you encrypt and decrypt a file?

--
John Doe

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: gnupg installation and verification

2019-06-09 Thread john doe
On 6/7/2019 9:13 PM, Samir Zulfiquar wrote:
> Hello I just downloaded gnupg and tried to install and verify it.
> Unfortunately I hardly know how to do anything with a computer other than
> the basics, so maybe I just didn't interpret the instructions correctly. I
> downloaded the installer and the open pgp signature to verify it (I have no
> clue what a pgp signature even is). after I downloaded both I opened the
> pgp signature file which didn't seem to do much other than bring up text of
> some sort of code. I then installed gnupg, but I wasn't sure if I verified
> it correctly. so I decided to try again. I looked at the website again and
> tried right clicking on the gpg4win-3.1.8 file and went to "moreGpgEX
> options" and clicked verify. The computer tried to verify it with the pgp
> signature file but failed. I then went to the wiki page on integrity
> checks. Most of the things there were too technical for me to understand.
> the only thing I was able to do is check the file length, which was exactly
> what it was supposed to be. It does not seem like there were any download
> problems, but I highly doubt it could be an attacker like the website said
> (I downloaded both of the files from gnupg's own website and not some other
> place) Anyway could someone explain in layman's terms what to do? Sorry if
> the question sounds stupid.
>
>

If you don't have access to another instance of gpg, you don't have any
other choice than to first install gpg4win and 'verify' that the
downloaded executable has not been tampered with.
That is what you have already done.

You should familiarize yourself with 'checksum' and 'gpg signature
verification'; the below URL is a start:

https://security.stackexchange.com/questions/189000/how-to-verify-the-checksum-of-a-downloaded-file-pgp-sha-etc

--
John Doe

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Identifying one of multiple authentication subkeys

2019-03-16 Thread john doe
On 3/15/2019 11:28 PM, Brian Exelbierd wrote:
> Hi,
>
> I would like to eliminate my SSH keys and consolidate my existing keys into 
> my gpg key.  I can do this by either importing my existing keys (easier) or 
> creating new authentication subkeys.
>
> Either way, I am unsure how to identify which subkey is which SSH key.  I 
> created a test key, below, with two authentication subkeys.  I can't tell 
> which subkey matches each key.  How do you know?  Without this knowledge it 
> is hard to know which key goes with which server and which key is safe to 
> delete later.
>
> Any advice?  Thank you.
>
> regards,
>
> bex
>
> ---
>
> # gpg2 -K --with-keygrip
> /root/.gnupg/pubring.kbx
> 
> sec   rsa2048 2019-03-15 [SC] [expires: 2021-03-14]
>   84B9177ECD98386DACDA102DF80B5DDF8D55076A
>   Keygrip = 13C8D80A6B3A5A7CC4095A254A07AFC9F287CF16
> uid   [ultimate] keyname
> ssb   rsa2048 2019-03-15 [E] [expires: 2021-03-14]
>   Keygrip = 26FD3D7D54BEE12111354B9E968C23EEDC445A4E
> ssb   rsa2048 2019-03-15 [A]
>   Keygrip = A04EA628443B5C1C60411C15E1EC35C21186D405
> ssb   rsa2048 2019-03-15 [A]
>   Keygrip = 45F02D545B6B6ADC32FCB7BC64B943F23B35D3FF
>
> # ssh-add -l
> 2048 SHA256:T/SZUtqVEzoo4c4rmh5e4jrnCd5ewGNj1Nrsg3VYbCE (none) (RSA)
> 2048 SHA256:+Qbn7T5rQms4+bBfzc7D68H2TynS/8gyT0pjrMOaiQA (none) (RSA)
>
> # ssh-add -L
> ssh-rsa 
> B3NzaC1yc2EDAQABAAABAQC8vnk7hPdP9tWdw8DUV8rOYDTAlhbvSWPuEUwr0FdaveJoJtgYhceKVoyFnOYZnZ8QP0nAytHGeSAHkL/9Vw0Whyouu94awwoEERdkIzvl/KVRU3n0dBabbjbqlY6Dz+4zjIUo/KbyZ9PZHohCVQs/DzFUqnLsPoHzVVDBPvMHFkf0t2qSe0Pv2I7vLmI1UVBFMspjy80kmoijheFAmXebCGC3uzr23BKqzqfj2/HYv/DJAQufGiHsH+/I855U8Dckd4TQmHS4aRsIY0px1HA4of9nIiWWifvqxwshax2VSdJucJi1RB6YbSxbTIbjnl0YJbbIajV8xJjyloaOofph
>  (none)
> ssh-rsa 
> B3NzaC1yc2EDAQABAAABAQCnrIe/fe6i6AMA+evGzz3Gc56rSH5D3cJ9R/cMta2jHjtNlZZD/uJNdbuALsI4elB5m0Yxsbiz0j3UG2L/2nHfjD73oPQkwFIacvtkZT/hpp/BWPFDWQnGaWeWdFfsxlzu6gOMsfYJQDxNIPRjLbYkcIOL3Xw5EIFlS2xEr+/ZGsD2uNnReXj5XZnXh6FrxcX7vhnKpHHsVzDZG+xRs+xhErhiini8J1REZaQzZnVftD/WZGbAU8f3LSDfSCFQVxRTibXW5JMd6JfFe1zZXST+JfAEqg5LhucpzsQAbYWtNiqZ5McerI1HYPjYNUqoYhGzXsWvEuvPp3qugVjH3ZI5
>  (none)
>

My understanding is that one subkey is to be used for authentication.

--
John Doe

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
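
A shell example, added here and not taken from any of the posts, for the two "fingerprint programmatically" threads, the `--quick-add-key` one-liner in the "master key certify capability" post and the subkey question above: parse the `--with-colons` listing by record type and field instead of by line number, and list subkeys by capability together with their fingerprint and keygrip, the identifiers gpg and gpg-agent use for a subkey. The listing is a constructed sample modelled on the certify-only key in those posts; the subkey IDs, fingerprints and all keygrips are made up.

```sh
#!/bin/sh
# Added example (not from the list posts): parse `gpg --with-colons` output
# robustly instead of relying on a record's line number (the NR==3 hack).
# Field layout per gnupg doc/DETAILS: $1 record type, $5 key ID, $7 expiry,
# $10 fingerprint (fpr) / keygrip (grp), $12 key capabilities (pub/sub).

# Constructed sample listing modelled on the certify-only key shown in the
# "master key certify capability" thread: primary key [C] with two signing
# subkeys and one encryption subkey, as `gpg --with-colons --with-keygrip -k`
# would print it.  Subkey IDs, subkey fingerprints and all keygrips are made up.
SAMPLE_LISTING='tru::1:1578009600:1578096000:3:1:5
pub:u:4096:1:596CB80D30E8829D:1578009600:1578096000::u:::cESC::::::23::0:
fpr:::::::::3C5CFD620005347A62052A6B596CB80D30E8829D:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1578009600::0123456789ABCDEF0123456789ABCDEF01234567::Firstname Lastname::::::::::0:
sub:u:4096:1:AAAAAAAAAAAAAAAA:1578009600:1578096000:::::s::::::23:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
grp:::::::::2222222222222222222222222222222222222222:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1578009600:1578096000:::::s::::::23:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
grp:::::::::3333333333333333333333333333333333333333:
sub:u:4096:1:CCCCCCCCCCCCCCCC:1578009600:1578096000:::::e::::::23:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:
grp:::::::::4444444444444444444444444444444444444444:'

# Fingerprint of the primary key: the first "fpr" record, whatever precedes it
# (a "tru" line in public listings, nothing in secret listings, "grp" lines
# with --with-keygrip).  This is the form suggested in the thread.
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# One line per subkey whose capability field contains the requested letter
# (s = sign, e = encrypt, a = authenticate): "<caps> <fingerprint> <keygrip>".
# The fpr/grp records follow their sub record, so they are collected until the
# next key record (or end of input) and only then flushed.  The keygrip is the
# value gpg-agent identifies a key by (e.g. in sshcontrol).
subkeys_with_cap() {
    awk -F: -v want="$1" '
        function flush() {
            if (insub && index(cap, want)) print cap, fpr, grp
            insub = 0
        }
        $1 == "sub" || $1 == "ssb" { flush(); insub = 1; cap = $12; fpr = "-"; grp = "-"; next }
        $1 == "pub" || $1 == "sec" { flush(); next }
        insub && $1 == "fpr"       { fpr = $10; next }
        insub && $1 == "grp"       { grp = $10; next }
        END { flush() }
    '
}

# Stand-in for the line-number hack from the thread: take whatever is on
# line 3.  It only works for `gpg -k` because that listing starts with a
# "tru" record; drop that line (as `gpg -K` does) and it picks the wrong record.
fragile_fpr() {
    awk -F: 'NR == 3 { print $10 }'
}

# Stand-alone demo on the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | primary_fpr
printf '%s\n' "$SAMPLE_LISTING" | subkeys_with_cap s
printf '%s\n' "$SAMPLE_LISTING" | subkeys_with_cap e
# Without the "tru" line the hack yields the primary keygrip, not the fingerprint:
printf '%s\n' "$SAMPLE_LISTING" | sed 1d | fragile_fpr
```

The same functions work on a real listing by replacing the `printf` with `gpg --with-colons --with-keygrip -k "$uid"`; only `primary_fpr` is needed to feed `--quick-add-key` or `--quick-set-expire`.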


Re: Multiple dev one signing key

2019-03-11 Thread john doe
On 3/10/2019 8:29 PM, Werner Koch wrote:
> On Fri,  8 Mar 2019 20:05, johndoe65...@mail.com said:
>
>> What is the best way forward?
>> - One signing key accessible on the release system
>
> I'd say depends on the release system.  In most cases this is a
> networked box and I would hesitate to do this.  Using gpg --with a
> remote gpg-agent would be an option, though.
>

Looks like this approach is out of the question; we are scattered around
the world without knowing each other in real life! :)

>> - Each dev having a copy of the key to be able to sign a release
>
> That is what we do in GnuPG.  We have a few core developers which carry
> a key and that set of key is distributed with each gpg release and also
> via other channels.  We also demand that the keys are all smartcard based
> and thus a remote key compromise would need physical access.  Well, a
> developer could be tricked into signing a bad release but at least this
> would not compromise the widely distributed key.
>
> We often add a second signature to a release.  For example, I sign many
> of the releases and when Niibe-san then sends me his signature for the
> same tarball I then append that signature to mine [1].  This is also the
> reasons why you often notice changed signature files (you can simply
> concatenate detached signatures).  For a small group this works really
> well, but for a larger group the system Konstantin describes in his mail
> is better up to the task.
>

Just to be clear, you, Werner, will sign everything that needs to be
signed for a release with your personal key.
As an extra layer of security Niibe will also sign the release and send
you the detached signature.

Is that correct or what am I missing?


Thank you Werner for your input, along with Werner's input I'd also like
to thank the below two for their input:
Daniel Kahn Gillmor 
Konstantin Ryabitsev 

--
John Doe

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: user id question

2019-03-08 Thread john doe
On 3/8/2019 9:15 AM, Werner Koch wrote:
> On Sun, 24 Feb 2019 10:09, johndoe65...@mail.com said:
>
>> What I understand is that there is no clear convention.
>

'Consensus' and not 'convention'! :)

> Meanwhile I would suggest to only use the mail address, that is
>
>   j...@example.org
>
> and leave out all other parts.  There are even mail providers which
> demand this for data privacy reasons.  However if you prefer to have
> your mail in it, do it in the same way as it is common in your
> country/culture like
>
>   John Doe 
>
> If you plan to take part in that nerdy key signing game, some
> participants have the policy to check the real name against a passport;
> obviously you would need the latter form then.
>
> I used to include my real name in my keys but for my new ed25519 key I
> use only the mail addresses (I use 3 different mail addresses in my
> keys).
>

Thank you Werner for your answer.
If the former is acceptable to you, I might as well do that.

Looks like you are not keen on key signing parties, may I ask why?

--
John Doe

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Multiple dev one signing key

2019-03-08 Thread john doe
Hi,

I'm considering working on a project that, for now, has only a couple of
developers.
As part of that project everything that will be released will need to be
gpg signed.

What is the best way forward?
- One signing key accessible on the release system
- Each dev having a copy of the key to be able to sign a release
- Other suggestions

In other words: what is, if any, the best way to sign a file when the
same key is to be used by multiple persons?

Any help is appreciated.

--
John Doe

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: user id question

2019-02-24 Thread john doe
On 2/23/2019 4:34 PM, MFPA wrote:
> Hi
>
>
> On Saturday 23 February 2019 at 7:06:20 AM, in
> , john doe wrote:-
>
>
>> Is it acceptable to have multiple 'user ID's with the
>> same address e-mail?
>
> Yes. It might be simpler to have a single UID containing only the
> email address and with neither form of your name.
>
>

Thank you everyone for your answers.

What I understand is that there is no clear convention.

Let's say that my first name is 'abcdefgh' and my short name is 'abcd';
based on this thread I'll use something like:

abcdefgh abcd LAST-NAME 

Should I put the short name between '()' or quotes, or is the above
example the best way forward?

Thanks again for the help/input.

--
John Doe

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


user id question

2019-02-23 Thread john doe
Hi,

I'm in the process of creating a gpg key, I have one question though:
Sometimes I use the name x and sometimes I use a shorter form of that
name, but the e-mail address is the same.

EG:

first-name last-name 
short-name 

Is it acceptable to have multiple 'user ID's with the same e-mail address?

--
John Doe

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Setup encrypted email

2018-12-13 Thread john doe
On 12/12/2018 9:01 PM, Arthur Ulfeldt wrote:
> Yes! All the encryption happens on your computer (and or your phone) and
> you have complete control of the process.

True for the computer; by nature, phones are not secure.

> The flip side of this is you are responsible for the whole process. There
> are *many* ways to go about this for different
> people in different situations. Here is just one option.
> 
> * make yourself a key using gpg
> * put that key on the devices you want to use (I use a yubikey for this,
> and that costs $ which is totally optional)
> * setup your email, gpg4win is one popular option:
> https://www.gpg4win.org/about.html

Thunderbird with enigmail.
Obviously, the recipient would need to use gpg to be able to decrypt.

> * set it up on your phone. openkeychain is popular on android and has been
> solid for me for years.

I recommend only signing e-mails using your phone.
That is, one signing key per device and one encryption key on a computer.

> * setup facebook to send you encrypted notifications (optional and purely
> for fun)

Yes, Facebook rings more with security breach.

> * get comfortable with this process for a while then explore more complex
> and or customized options.
> 

TB and enigmail are a good place to start on Windows or Linux for that
matter.

-- 
John Doe

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: GPG on Android

2018-11-10 Thread john doe
On 11/9/2018 6:58 AM, Arthur Ulfeldt wrote:
> for years I've been using openkeychain and keeping a signing and encryption
> subkey on an nfc yubikey.  when I went to use encrypted email on the phone
> (which is basically only from Facebook) I tap the key to the back of the
> phone. if I want to read the same email on my laptop I plug out in there.
> it's been smooth and solid for years.
> 
> recently I got a yubikey 4 which i plug into the USB port on the phone. it
> works just as well. I slightly preferred the NFC version.
> 
> On Thu, Nov 8, 2018, 7:40 AM amuza  
>>
>>
>> john doe:
>>> On 11/4/2018 10:55 PM, Roland wrote:
>>>> Hello list,
>>>>
>>>> I share the wish for encrypted email on Android, but I am afraid of
>> storing a secret key on my android phone. (theft, hacking, loss, etc)
>>>
>>> In case of theft/lost using subkey is somewhat easier because you can
>>> revoke that subkey only.
>>>
>>
>> An encrypted Replicant phone [0] + K-9 Mail + Openkeychain using subkeys
>>
>> [0] https://replicant.us/
>>
>

When I said above that using a subkey is easier to manage, I was talking only
about signing subkeys, that is, one signing subkey per device.
That is based on the assumption that you can have only one encryption
subkey and multiple signing subkeys.

-- 
John Doe

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: GPG on Android

2018-11-04 Thread john doe
On 11/4/2018 10:55 PM, Roland wrote:
> Hello list,
> 
> I share the wish for encrypted email on Android, but I am afraid of storing a 
> secret key on my android phone. (theft, hacking, loss, etc) 

In case of theft/loss, using a subkey is somewhat easier because you can
revoke that subkey only.

-- 
John Doe



Re: dirmngr cygwin resolv.conf

2018-09-21 Thread john doe

On 7/5/2018 12:18 PM, john doe wrote:

On 7/4/2018 2:25 PM, Werner Koch wrote:

On Wed,  4 Jul 2018 09:11, gni...@fsij.org said:


The patch is: Don't try to look at the error code, but fall back to TOR_PORT2
always.


I don't like this patch because it is not specific enough.

If Cygwin really returns EPERM, then this is a bug in the Cygwin
emulation because all Unix systems (and actually all BSD sockets based
systems) return ECONNREFUSED.  We should not try to fix bugs for Cygwin
given that Cygwin is not officially supported.



What would it take to make Cygwin officially supported?



Thanks to the help on this mailing list I've been able to isolate the 
issue that was bugging me:


I was trying to use the cygwinized version of dirmngr while having 
gpg4win installed.
As soon as I removed gpg4win, Cygwin dirmngr is able to connect to TBB 
for Windows.


So Cygwin returns the proper error code and gnupg can connect to TBB for 
Windows without issue.


On Cygwin I use git and need to verify tags and commits using gpg but I 
also use enigmail with gpg4win to verify e-mail signatures.
When I need to use Cygwin dirmngr or gpg4win dirmngr, I do 'gpgconf 
--kill dirmngr' as a workaround.
Is this approach reasonable, or how can I ensure that gpg4win dirmngr 
won't interfere with Cygwin dirmngr?


As an aside, gpg4win dirmngr is running as a process.
I'd like dirmngr to use TBB for Windows instead of Windows's DNS; is 
'gpgconf --reload dirmngr' the correct way to reload dirmngr for it to 
use TBB?


Thanks again to NIIBE Yutaka  and Werner Koch for their help.

--
John Doe



Re: Gpg (GnuPG) 2.2.9 versus gpg (GnuPG) 1.4.23

2018-08-17 Thread john doe

On 8/17/2018 3:59 PM, Anna Kitces and Seth Fishman wrote:

Dear gpg users:

I am migrating to gpg 2.2

All my gpg 1.4 keys were migrated to 2.2 during the upgrade.

When I try to decrypt a document I am getting the following:


gpg: encrypted with 2048-bit RSA key, ID 2BDB2DD8782B904E, created 2017-03-15

   "mykey "

gpg: public key decryption failed: No pinentry

gpg: decryption failed: No secret key


I am thinking maybe there is a minimum version of pinentry required?


I am running on two platforms:  Linux, RHEL 7.3 (Maipo) and Unix, Solaris 11. 
The Solaris machine has pinentry 0.7.6 already provided and the Linux box has 
0.8.1. Is that the reason I am having this issue?


I have tried to upgrade pinentry going through the ./configure, gmake, gmake 
check, gmake install2 steps but I keep getting errors. So if I must upgrade 
pinentry, then if anyone has some pointers on this for either or both of these 
platforms, I'd be most appreciative.


Also, pinentry was not a factor before. Can I just get pinentry out of the 
equation altogether somehow or is that a bad idea.


Sorry for so many questions. Would appreciate any insight you can provide.

Regards,

Seth Fishman



From the ML archive:

https://lists.gnupg.org/pipermail/gnupg-users/2018-June/060688.html

HTH.

--
John Doe



Re: mute output of gpg2 -d

2018-07-13 Thread john doe

On 7/13/2018 11:13 AM, J. Tull wrote:

It seems the usual way to suppress the output of a command in linux is not
working for gpg2:

 $gpg2 -d my_file.gpg 2>/dev/null

still outputs some data through stderr. So could someone try to find out a
way to get rid of everything gpg2 is outputting but the decrypted output of
the gpg file?



It is working fine here, which version of gpg2 do you have and which 
distro are you using?


Output redirection is more a shell issue than a gpg2 problem.
Can you redirect STDERR of other commands to the null device?

--
John Doe



Re: dirmngr cygwin resolv.conf

2018-07-05 Thread john doe
; QT_IM_MODULE INSIDE_EMACS PINENTRY_USER_DATA(pinentry-user-data)
PASS: t-session-env.exe
standard ECC curve missing
FAIL: t-openpgp-oid.exe
t-ssh-utils.c:351: error getting fingerprint for sample key 0: Not 
operational

FAIL: t-ssh-utils.exe
PASS: t-mapstrings.exe
PASS: t-zb32.exe
PASS: t-mbox-util.exe
PASS: t-iobuf.exe
PASS: t-strlist.exe
PASS: t-name-value.exe
PASS: t-ccparray.exe
PASS: t-recsel.exe
PASS: t-exechelp.exe
error running '/bin/false': exit status 1
PASS: t-exectool.exe
===
2 of 20 tests failed
Please report to https://bugs.gnupg.org
===
make[3]: *** [Makefile:2701: check-TESTS] Error 1
make[3]: Leaving directory '/home/john/git/gnupg/common'
make[2]: *** [Makefile:2824: check-am] Error 2
make[2]: Leaving directory '/home/john/git/gnupg/common'
make[1]: *** [Makefile:2826: check] Error 2
make[1]: Leaving directory '/home/john/git/gnupg/common'
make: *** [Makefile:614: check-recursive] Error 1

I really appreciate any help.

--
John Doe



Re: dirmngr cygwin resolv.conf

2018-07-04 Thread john doe

On 7/4/2018 9:11 AM, NIIBE Yutaka wrote:

Hello,

john doe  wrote:

I'm willing to confirm that but I'm not sure how I would do that!?


I am considering a patch like the following.  If you can build GnuPG for
Cygwin, you can try.  Or, you can ask Cygwin's package maintainer for
GnuPG.

The patch is: Don't try to look at the error code, but fall back to TOR_PORT2
always.

==
diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
index ffac816f9..88a4fce5c 100644
--- a/dirmngr/dns-stuff.c
+++ b/dirmngr/dns-stuff.c
@@ -735,13 +735,12 @@ libdns_res_open (struct dns_resolver **r_res)
  static int
  libdns_switch_port_p (gpg_error_t err)
  {
-  if (tor_mode && gpg_err_code (err) == GPG_ERR_ECONNREFUSED
-  && libdns_tor_port == TOR_PORT)
+  if (tor_mode && libdns_tor_port == TOR_PORT)
  {
/* Switch port and try again.  */
if (opt_debug)
-log_debug ("dns: switching from SOCKS port %d to %d\n",
-   TOR_PORT, TOR_PORT2);
+log_debug ("dns: switching from SOCKS port %d to %d (%s)\n",
+   TOR_PORT, TOR_PORT2, gpg_strerror (err));
libdns_tor_port = TOR_PORT2;
libdns_reinit_pending = 1;
return 1;
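Review bot: dropping the GPG_ERR_ECONNREFUSED test in libdns_switch_port_p makes the fallback fire on any error while libdns_tor_port == TOR_PORT, including timeouts and resolver failures that have nothing to do with Tor not listening, so the retry on TOR_PORT2 will mask the original error. If the goal is to cover the EPERM that Cygwin is suspected of returning, widen the condition to the two codes instead of removing it, e.g. `if (tor_mode && libdns_tor_port == TOR_PORT && (gpg_err_code (err) == GPG_ERR_ECONNREFUSED || gpg_err_code (err) == GPG_ERR_EPERM))`. Adding gpg_strerror (err) to the debug message is worth keeping either way, since it shows which code actually triggered the switch.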



I have applied your patch on top of master in the gnupg repository.

I'm now in the process of building all the libraries required by 'gnupg' 
but I'm still missing the following libraries:


gcrypt
libiconv

How can I clone gcrypt and libiconv from git?

$ git clone git://git.gnupg.org/gcrypt.git
Cloning into 'gcrypt'...
fatal: remote error: access denied or repository not exported: /gcrypt.git

--
John Doe



Re: dirmngr cygwin resolv.conf

2018-07-03 Thread john doe

On 7/4/2018 4:05 AM, NIIBE Yutaka wrote:

Werner Koch  wrote:

... on Windows.  Actually I developed the fallback on Windows because
there it is easier to install the Tor browser.  Anyway, Gniibe probably
found and fixed the problem in our DNS resolver.  I suggest to wait for
the next release - probably next week.


That's not for Cygwin on Windows, but for GNU/Linux.

In dirmngr, the DNS resolver using Tor assumes that it returns
ECONNREFUSED when Tor doesn't run at 9050; then, it tries the port
9150.

There was a bug in the DNS resolver.  When there are multiple
"nameserver" entries in /etc/resolv.conf, it should try all.  It was fixed, but
this fix had a side effect on the ECONNREFUSED fallback mechanism for using
Tor.  This was fixed on Monday.


For the particular issue for Cygwin, it seems that connect(2) in Cygwin
environment may return EPERM instead of ECONNREFUSED.  I suspect this.



I'm willing to confirm that but I'm not sure how I would do that!?

--
John Doe



Re: dirmngr cygwin resolv.conf

2018-07-02 Thread john doe

On 7/2/2018 8:48 AM, Werner Koch wrote:

On Sat, 30 Jun 2018 21:26, johndoe65...@mail.com said:


How can I force dirmngr to use port "9150"?


So Tor ports are fixed. As Niibe-san already explained Dirmngr will
first try port 9050 and if it is not able to connect (ECONNREFUSED) it
will try port 9150.  This is implemented for Dirmngr in Libassuan.



On Debian Stretch I tried to do the same thing:

$ dirmngr --version
dirmngr (GnuPG) 2.1.18

Tor browser for linux (7.5.6) downloaded from the torproject.org site.
On linux it works out of the box! :)

Which brings me to two possible causes:
1)  Cygwin dirmngr can't be used in that way.
If I start "tor.exe" from the Tor Browser for windows bundle it works 
like a charm because Tor then listens on port 9050.

So I don't think this is the issue.

2)  Regression in dirmngr between version 2.1.18 and 2.2.8.
It looks like the code that is responsible for falling back to port 9150 
when port 5090 is not available is somehow failing.


I'm stuck here and would appreciate any help on finding a solution to 
this issue.


If anyone can test dirmngr 2.2.8 and Tor Browser for linux 7.5.6, 
can you let me know how it goes?


Beyond '-v' and '--debug-all', what can I do to further troubleshoot?

--
John Doe



Re: dirmngr cygwin resolv.conf

2018-06-30 Thread john doe

Hi Niibe,

On 6/29/2018 1:40 PM, NIIBE Yutaka wrote:

Hello,

Sorry, my explanation was not accurate.  In the Tor-mode of dirmngr, it
uses the port 9050 at first.  And there is some code to fallback to the
port 9150.  It's like:

 libdns_switch_port_p (gpg_error_t err)
 {
   if (tor_mode && gpg_err_code (err) == GPG_ERR_ECONNREFUSED
   && libdns_tor_port == TOR_PORT)
 {
   /* Switch port and try again.  */
   if (opt_debug)
 log_debug ("dns: switching from SOCKS port %d to %d\n",
TOR_PORT, TOR_PORT2);
   libdns_tor_port = TOR_PORT2;
   libdns_reinit_pending = 1;
   return 1;
 }
   return 0;
 }

I suspect the error detection is not working well.  If it works,
you should see the debug message of "dns: switching from SOCKS port...".

I tested with the port 9050, my dirmngr works fine.



Apologies for not answering sooner.

The issue is that in the case of "Tor Browser" it listens only for 
socks5 connections on port 9150:


https://lists.torproject.org/pipermail/tor-community-team/2018-June/000188.html

How can I force dirmngr to use port "9150"?

Sorry again for my late answer, I had overlooked your e-mail.

I really appreciate any help/input! :)

--
John Doe

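The fallback Niibe describes above (connect to 9050 first, retry on 9150 only when the error is ECONNREFUSED) and the EPERM suspicion raised in the 2018-07-03 post, worked through as an added stand-alone example. This is not dirmngr's code: next_tor_port mirrors the libdns_switch_port_p check quoted in this post, while try_connect, find_tor_port and the accept_eperm flag are constructions of this example; accept_eperm models the Cygwin behaviour the thread suspects, not anything GnuPG actually does.

```c
/* Added example, not GnuPG code: the Tor SOCKS port fallback as a
 * stand-alone probe.  9050 is a system Tor daemon, 9150 the Tor Browser
 * bundle, as in the thread.  accept_eperm is this example's own switch,
 * modelling a connect(2) that reports EPERM instead of ECONNREFUSED. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define TOR_PORT  9050
#define TOR_PORT2 9150

/* Decide whether a failed connect to current_port warrants a retry on the
 * other Tor port.  Returns the port to try next, or 0 when the error does
 * not mean "nothing is listening here" and must not be masked by a retry. */
static int next_tor_port(int current_port, int connect_errno, int accept_eperm)
{
    if (current_port != TOR_PORT)
        return 0;                  /* only one fallback step, like dirmngr */
    if (connect_errno == ECONNREFUSED)
        return TOR_PORT2;          /* the code dirmngr checks for */
    if (accept_eperm && connect_errno == EPERM)
        return TOR_PORT2;          /* tolerated only when explicitly enabled */
    return 0;                      /* timeouts and the rest stay visible */
}

/* Plain TCP connect to 127.0.0.1:port.  Returns 0 on success, otherwise
 * the errno that connect(2) produced. */
static int try_connect(int port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((uint16_t)port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int rc = connect(fd, (struct sockaddr *)&sa, sizeof sa);
    int saved = rc < 0 ? errno : 0;
    close(fd);
    return saved;
}

/* Walk the fallback chain.  Returns the port that accepted the connection,
 * or 0 with *last_errno set to the errno of the final failed attempt. */
static int find_tor_port(int accept_eperm, int *last_errno)
{
    int port = TOR_PORT;
    for (;;) {
        int e = try_connect(port);
        if (e == 0) {
            *last_errno = 0;
            return port;
        }
        int next = next_tor_port(port, e, accept_eperm);
        if (next == 0) {
            *last_errno = e;
            return 0;
        }
        /* Same message shape as dirmngr's debug output, with the reason. */
        printf("dns: switching from SOCKS port %d to %d (%s)\n",
               port, next, strerror(e));
        port = next;
    }
}

int main(void)
{
    int e;
    int port = find_tor_port(0, &e);
    if (port)
        printf("Tor reachable on port %d\n", port);
    else
        printf("no Tor on %d or %d: %s\n", TOR_PORT, TOR_PORT2, strerror(e));
    return port ? 0 : 1;
}
```

Run with no Tor listening and the probe prints the switch line once (9050 refused) and then reports the 9150 failure with its errno, which is exactly the trace that was missing on Cygwin: if the first attempt yields EPERM rather than ECONNREFUSED, the strict predicate returns 0 and 9150 is never tried.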


Re: dirmngr cygwin resolv.conf

2018-06-29 Thread john doe

On 6/29/2018 6:40 PM, john doe wrote:

On 6/29/2018 4:24 PM, Werner Koch wrote:

On Thu, 28 Jun 2018 17:05, johndoe65...@mail.com said:


dirmngr.conf:

use-tor
http-proxy socks5://localhost:9150


Nobody said that you should configure a proxy ;-)

Dirmngr has integrated Tor support which will be used automatically when
Tor or the Tor Browser is up and running.  --use-tor merely enforces the
use of Tor and inhibits any network access without going over Tor.



Ok, "proxy" is a red herring -- I used the option '--use-tor' to be sure 
tor will be used to further isolate the issue.


In an earlier e-mail:

https://lists.gnupg.org/pipermail/gnupg-users/2018-June/060740.html

As you can see no command proxy option is being used.

Somehow I'm stuck at DNS name resolving, if I'm not mistaken?

Any help is welcome.



Ok -- I think I got it:

If I start Tor Browser as usual by clicking on "Start Tor Browser" it 
does not work.

But if I start "Browser\TorBrowser\Tor\tor.exe" it works like a charm.

How can I socks5 dirmngr connections to "Tor Browser"?

--
John Doe



Re: dirmngr cygwin resolv.conf

2018-06-29 Thread john doe

On 6/29/2018 4:24 PM, Werner Koch wrote:

On Thu, 28 Jun 2018 17:05, johndoe65...@mail.com said:


dirmngr.conf:

use-tor
http-proxy socks5://localhost:9150


Nobody said that you should configure a proxy ;-)

Dirmngr has integrated Tor support which will be used automatically when
Tor or the Tor Browser is up and running.  --use-tor merely enforces the
use of Tor and inhibits any network access without going over Tor.



Ok, "proxy" is a red herring -- I used the option '--use-tor' to be sure 
tor will be used to further isolate the issue.


In an earlier e-mail:

https://lists.gnupg.org/pipermail/gnupg-users/2018-June/060740.html

As you can see no command proxy option is being used.

Somehow I'm stuck at DNS name resolving, if I'm not mistaken?

Any help is welcome.

--
John Doe



Re: dirmngr cygwin resolv.conf

2018-06-29 Thread john doe

On 6/29/2018 9:30 AM, NIIBE Yutaka wrote:

john doe  wrote:

Now, the next step is to configure dirmngr to do the same!:

dirmngr.conf:

use-tor
http-proxy socks5://localhost:9150


Only "use-tor" is needed, then, dirmngr connects to localhost:9150 for
Tor.



Looks like the issue is DNS name resolving:

$ dirmngr --homedir ~/try --use-tor -v --debug-all --server

OK Dirmngr 2.2.8-unknown at your service
KS_GET -- 0x6C6ACD6417B3ACB1
dirmngr[6496.0]: DBG: chan_3 <- KS_GET -- 0x6C6ACD6417B3ACB1
dirmngr[6496.0]: DBG: dns: libdns initialized (tor mode)
dirmngr[6496.0]: DBG: dns: 
getsrv(_pgpkey-https._tcp.hkps.pool.sks-keyservers.net): Server 
indicated a failure
dirmngr[6496.0]: command 'KS_GET' failed: Server indicated a failure 

dirmngr[6496.0]: DBG: chan_3 -> ERR 219 Server indicated a failure 


ERR 219 Server indicated a failure 

I'm not sure how to go about it?

Any hints/... are much appreciated.

--
John Doe



Re: dirmngr cygwin resolv.conf

2018-06-28 Thread john doe

On 6/28/2018 1:25 PM, Werner Koch wrote:

On Thu, 28 Jun 2018 11:54, johndoe65...@mail.com said:


Can you elaborate on how I would let "Cygwin dirmngr" use "Tor Browser
for Windows"?


I have not tested it but given that the Tor browser is listening on
localhost, TCP port 9150, I see no reason why a native Windows Tor
Browser can't work with the Cygwinized GnuPG.



For testing purposes I have configured Firefox to use socks5 proxy 
"localhost:9150", as you suggested, it is working.


Now, the next step is to configure dirmngr to do the same!:

dirmngr.conf:

use-tor
http-proxy socks5://localhost:9150

gives the following error:

ERR 219 Server indicated a failure 

How can I use socks5 with dirmngr?

--
John Doe



Re: dirmngr cygwin resolv.conf

2018-06-28 Thread john doe

Hi Werner, thanks for your answer.

On 6/27/2018 6:51 PM, Werner Koch wrote:

On Mon, 25 Jun 2018 10:50, johndoe65...@mail.com said:


On Cygwin '/etc/resolv.conf' is not needed; as illustrated by the
log below, dirmngr requires 'resolv.conf':


Cygwin is Unix emulation on Windows and thus GnuPG considers the
platform to be unix.  In turn /etc/resolv.conf is required.



Fair enough.


Could dirmngr use the DNS provided by windows or is there a way to
bypass the use of 'resolv.conf'?


Use the standard Windows GnuPG and you get Windows features.  Or, well,
use the Tor support which redirects all DNS over Tor.  Just install the
Tor Browser and GnuPG will use that.



Can you elaborate on how I would let "Cygwin dirmngr" use "Tor Browser 
for Windows"?


--
John Doe



Re: gpg2

2018-06-26 Thread john doe

On 6/27/2018 5:10 AM, Aaron Tovo wrote:

'gpg2 -k' gives me the following error:

 $ gpg2 -k
 gpg: invalid item 'BZIP2' in preference string
 gpg: invalid default preferences

But 'gpg -k' works fine. However, I want to use gpg2 in my
Thunderbird-with-Enigmail email client because I've read in a few places
that gpg2 is better for desktop purposes
<https://linux.die.net/man/1/gpg2>. Also, Enigmail rejects gpg because
/usr/bin/gpg is 'out of date' (meaning it's not gpg2, I think) and seems
to REALLY want gpg2.

The error message makes it sound like the problem is in my gpg2
configuration. I don't see any zip settings in .gnupg2/gpg.conf nor do I
see a 'preferences string'.

I'm not sure when this started happening because I've been going without
Enigmail for a while on this computer.

How can I correct the preference string?



Some hints:

1)  Do you have 'BZIP2' in .gnupg/gpg.conf in the preference string?

$ grep -n 'BZIP2' .gnupg/gpg.conf

If the above grep command prints something to the screen try removing 
'BZIP2' from the file.


2)  If you do:

$ gpg2 --version

look at the gpg.conf found in the directory specified by the line 'Home: 
...'.


3)  If you pass the option '--homedir' to gpg2 you should look in the 
gpg.conf found in that directory.


--
John Doe



dirmngr cygwin resolv.conf

2018-06-25 Thread john doe

Hi,

I'm using gpg2/dirmngr on Cygwin:

$ gpg2 --version
gpg (GnuPG) 2.2.8-unknown
libgcrypt 1.8.2

$ dirmngr --version
dirmngr (GnuPG) 2.2.8-unknown

On Cygwin '/etc/resolv.conf' is not needed; as illustrated by the log 
below, dirmngr requires 'resolv.conf':


I used the commands from:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854359

$ dirmngr --server --homedir $PWD -v
dirmngr[7576]: error opening 
'/home/john/try/dirmngr-test/dirmngr_ldapservers.conf': No such file or 
directory

dirmngr[7576.0]: permanently loaded certificates: 134
dirmngr[7576.0]: runtime cached certificates: 0
dirmngr[7576.0]:trusted certificates: 134 (133,0,0,1)
# Home: /home/john/try/dirmngr-test
# Config: [none]
OK Dirmngr 2.2.8-unknown at your service
KS_GET -- 0x6C6ACD6417B3ACB1
dirmngr[7576.0]: stat'ing '/etc/resolv.conf' failed: No such file or 
directory
dirmngr[7576.0]: stat'ing '/etc/resolv.conf' failed: No such file or 
directory
dirmngr[7576.0]: failed to load '/etc/resolv.conf': No such file or 
directory

dirmngr[7576.0]: command 'KS_GET' failed: No such file or directory
ERR 167805009 No such file or directory 

If I populate /etc/resolv.conf with my DNS nameserver it works.
This is not practical because every time my DNS changes I would need to 
modify that file manually.


Could dirmngr use the DNS provided by windows or is there a way to 
bypass the use of 'resolv.conf'?


--
John Doe
