Re: TOFU support in GnuPG 2.1

2016-09-02 Thread whitey666
On Thu, September 1, 2016 6:39 pm, w...@gnupg.org wrote:
> On Thu,  1 Sep 2016 18:27, whitey...@sigaint.org said:
>
>> 1) What must I do to include TOFU support?
>
> If you look through the config.log or your screen backlog, you will
> notice that GNUTLS is missing which you need for all kinds of https:
> access.  And you are missing SQLite3 which we require for TOFU.  You
> need the "-dev" packages.
>

sqlite3 was the problem.  Thanks to you and Damien for pointing it out. I
will probably be back with more questions once I begin testing TOFU in
earnest.

Still having issues with GNUTLS which doesn't completely install on my
Ubuntu-based distro leaving a broken package. But TOFU appears to
function, and that is a step forward.

Thanks again,
Whitey



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: TOFU support in GnuPG 2.1

2016-09-01 Thread Werner Koch
On Thu,  1 Sep 2016 18:27, whitey...@sigaint.org said:

> 1) What must I do to include TOFU support?

If you look through the config.log or your screen backlog, you will
notice that GNUTLS is missing which you need for all kinds of https:
access.  And you are missing SQLite3 which we require for TOFU.  You
need the "-dev" packages.

> 2) Based on the above output, am I missing anything else I should
>have included?

adns and readline are a good choice


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.
 /* Join us at OpenPGP.conf   */




Re: TOFU support in GnuPG 2.1

2016-09-01 Thread Damien Goutte-Gattat

On 09/01/2016 06:27 PM, whitey...@sigaint.org wrote:

> 1) What must I do to include TOFU support?


You're probably missing the development files of SQLite (depending on 
your distribution, they're probably in a package called sqlite-dev or 
similar).


To confirm, look at the output of the configure script for the following 
line:


  Building without SQLite support - TOFU disabled

Install the missing package and run the configure script again.


Damien
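
The check described in the replies above, as an added example that is not part of any poster's message: it reads the feature summary printed by ./configure and lists what was switched off. The function names and the sample text (rebuilt from the summary quoted in this thread) are assumptions of the example; the library hints are the ones named in the replies.

```shell
#!/bin/sh
# Added example (not from the thread): read the feature summary that GnuPG's
# ./configure prints and list every optional feature reported as "no".

# Constructed sample: the last block of the summary quoted in this thread.
sample_summary() {
    cat <<'EOF'
        Dirmngr auto start:  yes
        Readline support:    no
        LDAP support:        no
        DNS SRV support:     yes
        TLS support:         no
        TOFU support:        no
        Tor support:         only .onion
EOF
}

# stdin: configure output.  stdout: "<feature><TAB><what to install>".
disabled_features() {
    awk -F': *' '
        /support:[ \t]*no[ \t]*$/ {
            name = $1
            sub(/^[ \t]+/, "", name)      # drop indentation
            sub(/ support$/, "", name)    # "TOFU support" -> "TOFU"
            hint = "not named in the thread, check config.log"
            if (name == "TOFU")     hint = "SQLite3 development files"
            if (name == "TLS")      hint = "GnuTLS development files"
            if (name == "Readline") hint = "readline development files"
            printf "%s\t%s\n", name, hint
        }'
}

# stdin: configure output.  Prints enabled, disabled or unknown.
tofu_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eq 'TOFU support:[[:space:]]*yes'; then
        echo enabled
    elif printf '%s\n' "$out" | grep -Eq 'TOFU support:[[:space:]]*no|TOFU disabled'; then
        echo disabled
    else
        echo unknown
    fi
}

sample_summary | disabled_features
echo "TOFU: $(sample_summary | tofu_status)"
```

On a real build, save the configure output to a file and feed that file to both functions after installing the missing packages and re-running configure.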





TOFU support in GnuPG 2.1

2016-09-01 Thread whitey666
Hello,

I have been using GnuPG 2.1.15 for several weeks having compiled
it from source.  After seeing several references to TOFU I decided to
try it.  I added "trust-model tofu+pgp" and "tofu-default-policy ask"
to gpg.conf.  When I ran gpg2, it balked at both entries so I reran
./configure and learned that my GnuPG 2.1.15 was compiled without TOFU
support:

GnuPG v2.1.15 has been configured as follows:

Revision:  6bee88d  (27630)
Platform:  GNU/Linux (x86_64-pc-linux-gnu)

OpenPGP:   yes
S/MIME:    yes
Agent:     yes
Smartcard: yes (without internal CCID driver)
G13:       no
Dirmngr:   yes
Gpgtar:    yes
WKS tools: no

Protect tool:      (default)
LDAP wrapper:      (default)
Default agent:     (default)
Default pinentry:  (default)
Default scdaemon:  (default)
Default dirmngr:   (default)

Dirmngr auto start:  yes
Readline support:    no
LDAP support:        no
DNS SRV support:     yes
TLS support:         no
TOFU support:        no
Tor support:         only .onion

Two questions:
1) What must I do to include TOFU support?
2) Based on the above output, am I missing anything else I should
   have included?

Whitey






How to specify LDAP authentication details with dirmngr/GnuPG 2.1?

2016-04-20 Thread Philip Colmer
I'm trying to use GnuPG 2.1 and using an LDAP server as the keyserver.

From what I can tell, the keyserver configuration has moved from gpg
to dirmngr but I am really struggling to figure out how I should be
configuring GnuPG/dirmngr so that it knows how to authenticate with
the LDAP server.

I'm editing the dirmngr.conf file but I cannot come up with a
combination of settings that not only specifies the LDAP server as the
keyserver (that's the easy bit) but also specifies the username and
password to use with it.

I've tried separating with colons, I've tried using something like:

ldap://:password@server

I've tried:

keyserver ldap://server binddn="username" bindpw=password

Does anyone know the correct way to specify a username and password
for use with an LDAP keyserver, please?

Thanks.

Philip



Re: Where is /usr/local/gnupg-2.1?

2016-03-22 Thread Ben McGinnes
On Mon, Mar 21, 2016 at 11:31:56PM -0400, Robert J. Hansen wrote:
> > There are two other possible explanations: MacPorts (see macports.org)
> > and Home Brew.
> 
> And Fink, and... etc.  However, I'm omitting the ... let's call them
> "comprehensive" solutions that allow you to install all manner of
> things.  For standalone packages, it's either GPGTools or GPGOSX.

True enough, but at least this time I managed to resist the temptation
to answer the question with the facetious "it's in /usr/local"
response.  ;)


Regards,
Ben


 




Re: Where is /usr/local/gnupg-2.1?

2016-03-22 Thread Ben McGinnes
On Mon, Mar 21, 2016 at 06:39:33PM -0400, Robert J. Hansen wrote:
> Edgar reached out to me earlier, and I directed him here to this list in
> the hopes that someone with more clue than me would be able to help.
> 
> Edgar, I'm not particularly up on GPG for OS X.  However:
> 
> > So, I went to the GnuPG site and I was able to download GnuPG-2.1.11. I
> > received an “Installation successful” message, but
> > the Thunderbird/Enigmail Set-up Wizard cannot find the files
> > automatically.
> 
> GnuPG doesn't host an OS X build.  These are provided by either the
> GPGTools group (providing GnuPG 2.0) or Patrick Brunschwig (providing
> GnuPG 2.1).  I don't know which version of GnuPG you installed, but if
> you got it from the GnuPG site then I'm pretty sure it wasn't what you
> think it is.

There are two other possible explanations: MacPorts (see macports.org)
and Home Brew.  By default Mac Ports installs software to /opt/local
and users always have the option of compiling anything from source.
Ports tend to have a specific set of generic compilation or
configuration options so more often than not I'll use it to grab the
libraries and then do some serious customisation on the last two
packages (GPG and GPGME).

Home Brew, however, is an autocratic little pain in the butt, but
because it uses GitHub as an ad-hoc package manager it is very
popular.  The price of using home brew means that /usr/local is
off-limits for your own projects (a deal breaker for me), it won't run
if MacPorts is installed at all (another deal breaker), it doesn't
source its tarballs from their origin projects they're all separate
github repos with who knows what modifications or added.  Plus it
complains about any installation of Python other than the version each
version of OS X shipped with (yet another deal breaker for me since I
recompile Python each time there's a new OpenSSL release for
starters)

Anyway, there's a fair chance that that subdirectory from /usr/local
is a Homebrew thing.


Regards,
Ben


 




Re: Where is /usr/local/gnupg-2.1?

2016-03-21 Thread Robert J. Hansen
> There are two other possible explanations: MacPorts (see macports.org)
> and Home Brew.

And Fink, and... etc.  However, I'm omitting the ... let's call them
"comprehensive" solutions that allow you to install all manner of
things.  For standalone packages, it's either GPGTools or GPGOSX.



Re: Where is /usr/local/gnupg-2.1?

2016-03-21 Thread Robert J. Hansen
Edgar reached out to me earlier, and I directed him here to this list in
the hopes that someone with more clue than me would be able to help.

Edgar, I'm not particularly up on GPG for OS X.  However:

> So, I went to the GnuPG site and I was able to download GnuPG-2.1.11. I
> received an “Installation successful” message, but
> the Thunderbird/Enigmail Set-up Wizard cannot find the files
> automatically.

GnuPG doesn't host an OS X build.  These are provided by either the
GPGTools group (providing GnuPG 2.0) or Patrick Brunschwig (providing
GnuPG 2.1).  I don't know which version of GnuPG you installed, but if
you got it from the GnuPG site then I'm pretty sure it wasn't what you
think it is.

Try downloading GnuPG 2.1 for OS X from Sourceforge instead:

http://sourceforge.net/projects/gpgosx/files/GnuPG-2.1.11-002.dmg/download

Install that version of GnuPG.  Then open up a Terminal window (it's in
your Applications folder, in the Utilities subfolder, called Terminal).
 At a command prompt type:

ls /usr/local/gnupg-2.1

If you get back a listing of files in that directory, congratulations,
things are installed.  Try Enigmail again.  If that doesn't work, ask us
again and we'll keep on working the problem until it gets solved.  :)



Where is /usr/local/gnupg-2.1?

2016-03-21 Thread Edgar Suter
I am trying to configure Enigmail for Thunderbird on my Intel Core 2 Duo iMac 
running OSX 10.10.5. 

When attempting the autoinstallation, the Wizard hung up at the “downloading” 
popup. Time passed without any downloading as indicated on the screen shot from 
the Wikipage.



So, I went to the GnuPG site and I was able to download GnuPG-2.1.11. I 
received an “Installation successful” message, but the Thunderbird/Enigmail 
Set-up Wizard cannot find the files automatically. Too, I am unable to manually 
“Browse” to find the files. The website suggests: “The software will be 
installed to /usr/local/gnupg-2.1.”  However I search and look manually and am 
unable to find such a file location.

If you can help I would be most appreciative.

Ed




Re: GnuPG 2.1 how to delete card based secret key ?

2016-02-24 Thread Werner Koch
On Tue,  9 Feb 2016 11:38, pe...@digitalbrains.com said:

> I can delete the public key; then the secret key is not listed anymore

Right.

> either. When I re-import my public key, it will instantly remember the
> card as well, so it was there all along :). I do need to set my trust
> again (not a surprise).

You may delete the stub key in private-keys-v1.d which is where
gpg-agent remembers that it has seen the key.  We don't do this
automatically because the key may also be used by other protocols (ssh
or gpgsm).

That the ownertrust is remembered may be called a feature.  It has
always been the case and I guess it is best to leave that behavior as
is.



Shalom-Salam,

   Werner


-- 
Thoughts are free.  Exceptions are governed by a federal law.




Re: GnuPG 2.1 how to delete card based secret key ?

2016-02-09 Thread Peter Lebbing
On 05/02/16 19:51, Oleg Gurevich wrote:
> ... to delete key from the keyring

It doesn't work for me either. Your error message is a lot more
descriptive, though. I just get:

> $ gpg2 --delete-secret-keys de500b3e
> gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
> 
> gpg: key "de500b3e" not found
> gpg: de500b3e: delete key failed: Not found

I can delete the public key; then the secret key is not listed anymore
either. When I re-import my public key, it will instantly remember the
card as well, so it was there all along :). I do need to set my trust
again (not a surprise).

But anyway... it's usually harmless, since all it is, is a note that if
you need the secret key, it is located on card X. It will then prompt
you to insert card X. There is nothing secret on the disk of the
computer (unless you consider the fact you use a card and its serial
number as a secret).

So I'd suggest you let it be if you don't consider your card and serial
number a secret.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: GnuPG 2.1 how to delete card based secret key ?

2016-02-05 Thread Peter Lebbing
On 05/02/16 15:08, Oleg Gurevich wrote:
> with GnuPG modern (2.1) I can't delete anymore a secret key based on 
> smartcard. Is there a known workaround?

Do you want the key off your keyring or off your smartcard?

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: GnuPG 2.1 how to delete card based secret key ?

2016-02-05 Thread Oleg Gurevich
... to delete key from the keyring

mit freundlichen Grüßen/ с уважением/ sincerely yours

Oleg Gurevich


PGP fingerprint: 38A0 D0CC BD23 1707 B0AF  D158 E9D7 6E3F E74A 0B0C

> On 05 Feb 2016, at 19:36, Peter Lebbing  wrote:
> 
>> On 05/02/16 15:08, Oleg Gurevich wrote:
>> with GnuPG modern (2.1) I can't delete anymore a secret key based on 
>> smartcard. Is there a known workaround?
> 
> Do you want the key off your keyring or off your smartcard?
> 
> Peter.
> 
> -- 
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at 




GnuPG 2.1 how to delete card based secret key ?

2016-02-05 Thread Oleg Gurevich
Hi @all,

with GnuPG modern (2.1) I can't delete anymore a secret key based on smartcard. 
Is there a known workaround?

by calling of: gpg --delete-secret-key ABCDEF123
...
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
gpg: deleting secret key failed: Not possible with a card based key
gpg: deleting secret subkey failed: Not possible with a card based key
gpg: deleting secret subkey failed: Not possible with a card based key
gpg: ABCDEF123: delete key failed: Not possible with a card based key



Mit freundlichen Grüßen/ с Уважением/ best regards

Oleg Gurevich

PGP fingerprint: 38A0 D0CC BD23 1707 B0AF  D158 E9D7 6E3F E74A 0B0C


Re: Yubikey, GnuPG 2.1 Modern, and SSH on OS X

2016-01-15 Thread the2nd
I just want to point out that one may want to add the keygrip to the 
sshcontrol file along with the "confirm" option to get asked by pinentry 
each time ssh requests gpg-agent to sign an ssh challenge (e.g. a ssh 
login). This is at least a useful option if you login to a remote host 
with agent forwarding enabled. I know that there are more secure 
alternatives to agent forwarding but I guess it is still used because of 
its simplicity. I also use it from time to time *shame*

But that's the only reason I know why one would add it to sshcontrol.

Regards
the2nd

On 2016-01-16 00:47, Glenn Rempe wrote:

> Thanks Peter, I was not aware of that (and it certainly explains the
> double entry in ssh-add -l.
>
> btw, Werner was not writing that response to me. It was just pointed
> out to me, so yes it was probably not smart card specific I would
> guess. I'll update the blog post to reflect that we probably do not
> need to modify sshcontrol for use with Yubikey.
>
> Back to the main issue I am having. I followed the instructions to
> output a verbose scdaemon log which I was exercising this issue.
> Here is a gist with the commands I was running and the resulting
> logfile.
>
> https://gist.github.com/grempe/e143796b8f399f5fa391 [5]
>
> Perhaps NIIBE Yutaka or someone else more knowledgeable than I can
> take a look and get us closer to resolution. :-)
>
> Thanks for everyone who is helping.
>
> On Fri, Jan 15, 2016 at 3:08 PM Peter Lebbing wrote:
>
>> On 15/01/16 21:17, Glenn Rempe wrote:
>>> I added it at the suggestion of Werner in this post:
>>>
>>> https://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html [1]
>>>
>>> And these blog posts:
>>> http://incenp.org/notes/2015/gnupg-for-ssh-authentication.html [2]
>>> http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key [3]
>>>
>>> Is this suggestion outdated?
>>
>> No, but I'm fairly sure Werner did not realise you were using a
>> smartcard when he wrote that. Obviously, I can't look into the man's
>> mind, but that's my guess.
>>
>> For regular, on-disk keys, it is necessary to add the keygrip to
>> sshcontrol. For smartcards, it's automatically added when the
>> smartcard is inserted. I guess it fits with automatically added
>> secret key stubs when the smartcard is inserted (to use a smartcard
>> on a fresh PC, import your own public key, insert your smartcard,
>> and you're done).
>>
>> HTH,
>>
>> Peter.
>>
>> --
>> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
>> You can send me encrypted mail if you want some privacy.
>> My key is available at



Links:
--
[1] https://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html
[2] http://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
[3] http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key
[4] http://digitalbrains.com/2012/openpgp-key-peter
[5] https://gist.github.com/grempe/e143796b8f399f5fa391
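
An audit for the "confirm" option discussed in the message above, as an added example that is not part of the2nd's post: it lists the sshcontrol entries gpg-agent would use for ssh without a pinentry prompt. The function names and the sample file with placeholder keygrips are assumptions of the example; the entry layout is the one in the gpg-agent documentation.

```shell
#!/bin/sh
# Added example (not from the thread): list the sshcontrol entries that
# gpg-agent will use for ssh without asking for confirmation.
# Entry layout per the gpg-agent documentation:
#   [!]<keygrip: 40 hex digits> [<cache TTL in seconds> [<flags>]]

# Constructed sample; the keygrips are placeholders, not real keys.
write_sample_sshcontrol() {
    cat > "$1" <<'EOF'
# keys allowed for ssh
0123456789ABCDEF0123456789ABCDEF01234567 0 confirm
89ABCDEF0123456789ABCDEF0123456789ABCDEF
!FEDCBA9876543210FEDCBA9876543210FEDCBA98 0
1111111111222222222233333333334444444444 600
EOF
}

# $1: path to sshcontrol.  stdout: enabled keygrips without "confirm".
sshcontrol_without_confirm() {
    awk '
        /^[ \t]*#/ { next }                      # comment
        NF == 0    { next }                      # blank line
        substr($1, 1, 1) == "!" { next }         # entry disabled with "!"
        length($1) != 40 || $1 !~ /^[0-9A-Fa-f]+$/ {
            printf "line %d: not a keygrip, skipped\n", NR > "/dev/stderr"
            next
        }
        {
            # Conservative reading: the flag only counts when it follows a
            # numeric TTL field, the order the documentation gives.
            confirm = 0
            if ($2 ~ /^[0-9]+$/)
                for (i = 3; i <= NF; i++)
                    if ($i == "confirm") confirm = 1
            if (!confirm) print $1
        }' "$1"
}

tmp=$(mktemp)
write_sample_sshcontrol "$tmp"
sshcontrol_without_confirm "$tmp"
rm -f "$tmp"
```

As the quoted reply says, a smartcard key is offered to ssh without any sshcontrol entry, so a card key that is absent from the file is also used without a prompt.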



Re: Yubikey, GnuPG 2.1 Modern, and SSH on OS X

2016-01-15 Thread Glenn Rempe
Thanks Peter, I was not aware of that (and it certainly explains the double
entry in ssh-add -l.

btw, Werner was not writing that response to me. It was just pointed out to
me, so yes it was
probably not smart card specific I would guess. I'll update the blog post
to reflect that we
probably do not need to modify sshcontrol for use with Yubikey.

Back to the main issue I am having. I followed the instructions to output a
verbose scdaemon log
which I was exercising this issue.  Here is a gist with the commands I was
running and the resulting
logfile.

https://gist.github.com/grempe/e143796b8f399f5fa391

Perhaps NIIBE Yutaka or someone else more knowledgeable than I can take a
look and
get us closer to resolution. :-)

Thanks for everyone who is helping.


On Fri, Jan 15, 2016 at 3:08 PM Peter Lebbing 
wrote:

> On 15/01/16 21:17, Glenn Rempe wrote:
> > I added it at the suggestion of Werner in this post:
> >
> > https://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html
> >
> > And these blog posts:
> > http://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
> > http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key
> >
> > Is this suggestion outdated?
>
> No, but I'm fairly sure Werner did not realise you were using a smartcard
> when
> he wrote that. Obviously, I can't look into the man's mind, but that's my
> guess.
>
> For regular, on-disk keys, it is necessary to add the keygrip to
> sshcontrol. For
> smartcards, it's automatically added when the smartcard is inserted. I
> guess it
> fits with automatically added secret key stubs when the smartcard is
> inserted
> (to use a smartcard on a fresh PC, import your own public key, insert your
> smartcard, and you're done).
>
> HTH,
>
> Peter.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at 
>


Re: Yubikey, GnuPG 2.1 Modern, and SSH on OS X

2016-01-15 Thread Peter Lebbing
On 15/01/16 21:17, Glenn Rempe wrote:
> I added it at the suggestion of Werner in this post:
> 
> https://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html
> 
> And these blog posts:
> http://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
> http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key
> 
> Is this suggestion outdated?

No, but I'm fairly sure Werner did not realise you were using a smartcard when
he wrote that. Obviously, I can't look into the man's mind, but that's my guess.

For regular, on-disk keys, it is necessary to add the keygrip to sshcontrol. For
smartcards, it's automatically added when the smartcard is inserted. I guess it
fits with automatically added secret key stubs when the smartcard is inserted
(to use a smartcard on a fresh PC, import your own public key, insert your
smartcard, and you're done).

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: Yubikey, GnuPG 2.1 Modern, and SSH on OS X

2016-01-15 Thread Glenn Rempe
I'm not sure when the use of sshcontrol emerged. My impression was that it
is only used as part of GnuPG 'Modern' 2.1.x versions. That being said, if
I remove the keygrip entry from the sshcontrol file it appears to work
fine.  The only difference I've just noticed is in the output of 'ssh-add
-l':

with keygrip in sshcontrol:
~/.gnupg$ ssh-add -l
error fetching identities for protocol 1: agent refused operation
2048 SHA256:X3YiWulZ1xJlqGRFqeaQOmLuZvyfJV/r7Qwo/kmUgCg cardio:000MYCARDNUM
(RSA)
2048 SHA256:X3YiWulZ1xJlqGRFqeaQOmLuZvyfJV/r7Qwo/kmUgCg (none) (RSA)

without key grip in sshcontrol:
~/.gnupg$ ssh-add -l
error fetching identities for protocol 1: agent refused operation
2048 SHA256:X3YiWulZ1xJlqGRFqeaQOmLuZvyfJV/r7Qwo/kmUgCg cardno:000MYCARDNUM
(RSA)

Any ideas for also eliminating that error message, or understanding why it's
there, are appreciated.

As for the suggestion by the2nd at otpme.org regarding the scdaemon bug.
This sounded promising, but when I investigated a bit it seems that the
commit in that thread that indicated this issue might be fixed on master
(f42c50dbf00c2e6298ca6830cbe6d36805fa54a3) was committed on Dec 2, 2015,
and gnupg version 2.1.10 was tagged on Dec 4, 2015.  So that fix should
already be in the version of GnuPG I am using (2.1.10) and yet I am still
seeing a problem.

/tmp/gnupg (master ✔)$ git log f42c50dbf00c2e6298ca6830cbe6d36805fa54a3
commit f42c50dbf00c2e6298ca6830cbe6d36805fa54a3
Author: NIIBE Yutaka 
Date:   Thu Dec 3 11:26:24 2015 +0900

scd: Fix "Conflicting usage" bug.

* scd/apdu.c (apdu_close_reader): Call CLOSE_READER method even if we
  got an error from apdu_disconnect.
* scd/app-common.h (no_reuse): Remove.
* scd/app.c (application_notify_card_reset): Deallocate APP here.
(select_application, release_application): Don't use NO_REUSE.

--

Reproducible scenario: Invoke gpg --card-edit session from a terminal.
Invoke another gpg --card-edit session from another.  Remove a token.
Insert a token again.  Type RET on both terminals.  One of terminal
answers "Conflicting usage".

Perhaps, having NO_REUSE field was to avoid race conditions.  Now,
APP can be safely deallocated by application_notify_card_reset.

Thanks to the2nd.

I installed 2.1.10 from this homebrew recipe:

https://github.com/Homebrew/homebrew-versions/blob/master/gnupg21.rb

My SSH client is the one that comes with OS X 'El Capitan':

/tmp/gnupg (master ✔)$ ssh -V
OpenSSH_6.9p1, LibreSSL 2.1.8




On Fri, Jan 15, 2016 at 12:31 PM Simon Josefsson 
wrote:

> > > Why do you add the keygrip to the sshcontrol file?  I have never
> > > needed that step.  For me it uses the right key directly.  Is it
> > > because you have another (revoked) A subkey?  It sounds somewhat of
> > > sub-optimal behaviour for gpg-agent's SSH support to use a revoked
> > > key instead of the non-revoked key.
> >
> > I do have a revoked Authentication sub-key on my primary key, but I
> > no longer use it and that is also not why I added the keygrip entry to
> > sshcontrol file.  I added it at the suggestion of Werner in this post:
> >
> > https://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html
> >
> > And these blog posts:
> > http://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
> > http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key
> >
> > Is this suggestion outdated?
>
> I don't recall ever using it, and I've been using SSH with smartcards
> through gpg-agent for over 10 years.  What happens if you drop that
> part?  For me it has always selected the right subkey automatically.
>
> /Simon
>


Re: Yubikey, GnuPG 2.1 Modern, and SSH on OS X

2016-01-15 Thread Glenn Rempe
On Fri, Jan 15, 2016 at 10:29:13AM +0100, Simon Josefsson wrote:
> Glenn Rempe  writes:
> 
> > I recently setup my own Mac w/ gnupg 2.1.10, and I am using a Yubikey to
> > manage my gpg private keys and I am using that key for SSH auth.  I have it
> > all up and running but I ran into some issues as well so I wrote up a blog
> > post.  I'd appreciate any suggestions for improvement and especially for
> > any ideas for a better fix for the workaround I had to do that I documented
> > at the end of the post.  Maybe this will be of some use to those wanting to
> > use the latest gpg for SSH auth on a Mac with a Yubikey.
> >
> > https://www.rempe.us/blog/yubikey-gnupg-2-1-and-ssh/
> 
> Have you tried killing/restarting scdaemon only, not gpg-agent?
> 
> Try:
> 
> gpgconf --reload scdaemon
> 
> or
> 
> gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye

I am on OS X, and just so you know I have turned off the OS X system
scdaemon per this blog post (I did this before upgrading to GnuPG 2.1):

https://gpgtools.tenderapp.com/discussions/problems/28634-gpg-agent-stops-working-after-osx-upgrade-to-yosemite#comment_35808149

So I am using just the scdaemon embedded with GPG I believe.

I just tried your suggestion to reload the internal scdaemon with
'gpgconf --reload scdaemon' and that also worked just as well as killing
gpg-agent, and probably without some side effects, none of which I've
noticed yet. So that is a step in the right direction, but I still have to
run it every time I remove/reinsert the card and SSH to a remote host
or it fails with a 'Permission denied (publickey)' error. So this seems
like a step in the right direction, but I still have to use ControlPlane
to restart scdaemon on insert/remove events.

> 
> Why do you add the keygrip to the sshcontrol file?  I have never needed
> that step.  For me it uses the right key directly.  Is it because you
> have another (revoked) A subkey?  It sounds somewhat of sub-optimal
> behaviour for gpg-agent's SSH support to use a revoked key instead of
> the non-revoked key.

I do have a revoked Authentication sub-key on my primary key, but I
no longer use it and that is also not why I added the keygrip entry to
sshcontrol file.  I added it at the suggestion of Werner in this post:

https://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html

And these blog posts:
http://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key

Is this suggestion outdated?

> 
> /Simon



-- 
Glenn Rempe

email : gl...@rempe.us
voice : (415) 613-1653
twitter   : @grempe
gpg key id: 0xA4A288A3BECCAE17
gpg fingerprint   : 497A 6138 963D 6C47 202B  238B A4A2 88A3 BECC AE17




Re: Yubikey, GnuPG 2.1 Modern, and SSH on OS X

2016-01-15 Thread Simon Josefsson
> > Why do you add the keygrip to the sshcontrol file?  I have never
> > needed that step.  For me it uses the right key directly.  Is it
> > because you have another (revoked) A subkey?  It sounds somewhat of
> > sub-optimal behaviour for gpg-agent's SSH support to use a revoked
> > key instead of the non-revoked key.
> 
> I do have a revoked Authentication sub-key on my primary key, but I
> no longer use it and that is also not why I added the keygrip entry to
> sshcontrol file.  I added it at the suggestion of Werner in this post:
> 
> https://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html
> 
> And these blog posts:
> http://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
> http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key
> 
> Is this suggestion outdated?

I don't recall ever using it, and I've been using SSH with smartcards
through gpg-agent for over 10 years.  What happens if you drop that
part?  For me it has always selected the right subkey automatically.

/Simon




Re: Yubikey, GnuPG 2.1 Modern, and SSH on OS X

2016-01-15 Thread the2nd
You might hit this bug: 
http://lists.gnupg.org/pipermail/gnupg-users/2015-December/054756.html


On 2016-01-15 01:08, Glenn Rempe wrote:

> I recently setup my own Mac w/ gnupg 2.1.10, and I am using a Yubikey
> to manage my gpg private keys and I am using that key for SSH auth.
> I have it all up and running but I ran into some issues as well so I
> wrote up a blog post.  I'd appreciate any suggestions for improvement
> and especially for any ideas for a better fix for the workaround I had
> to do that I documented at the end of the post.  Maybe this will be
> of some use to those wanting to use the latest gpg for SSH auth on a
> Mac with a Yubikey.
>
> https://www.rempe.us/blog/yubikey-gnupg-2-1-and-ssh/ [1]
>
> Here is a discussion thread that describes *exactly* the issue I am
> still having (if I don't use my workaround to kill and restart
> gpg-agent on every yubikey insertion and deletion):
>
> https://lists.gnupg.org/pipermail/gnupg-users/2015-June/053796.html [2]
>
> Glenn



Links:
--
[1] https://www.rempe.us/blog/yubikey-gnupg-2-1-and-ssh/
[2] https://lists.gnupg.org/pipermail/gnupg-users/2015-June/053796.html



Re: Yubikey, GnuPG 2.1 Modern, and SSH on OS X

2016-01-15 Thread Simon Josefsson
Glenn Rempe  writes:

> I recently setup my own Mac w/ gnupg 2.1.10, and I am using a Yubikey to
> manage my gpg private keys and I am using that key for SSH auth.  I have it
> all up and running but I ran into some issues as well so I wrote up a blog
> post.  I'd appreciate any suggestions for improvement and especially for
> any ideas for a better fix for the workaround I had to do that I documented
> at the end of the post.  Maybe this will be of some use to those wanting to
> use the latest gpg for SSH auth on a Mac with a Yubikey.
>
> https://www.rempe.us/blog/yubikey-gnupg-2-1-and-ssh/

Have you tried killing/restarting scdaemon only, not gpg-agent?

Try:

gpgconf --reload scdaemon

or

gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye

Why do you add the keygrip to the sshcontrol file?  I have never needed
that step.  For me it uses the right key directly.  Is it because you
have another (revoked) A subkey?  It sounds somewhat of sub-optimal
behaviour for gpg-agent's SSH support to use a revoked key instead of
the non-revoked key.

/Simon




Yubikey, GnuPG 2.1 Modern, and SSH on OS X

2016-01-14 Thread Glenn Rempe
I recently setup my own Mac w/ gnupg 2.1.10, and I am using a Yubikey to
manage my gpg private keys and I am using that key for SSH auth.  I have it
all up and running but I ran into some issues as well so I wrote up a blog
post.  I'd appreciate any suggestions for improvement and especially for
any ideas for a better fix for the workaround I had to do that I documented
at the end of the post.  Maybe this will be of some use to those wanting to
use the latest gpg for SSH auth on a Mac with a Yubikey.

https://www.rempe.us/blog/yubikey-gnupg-2-1-and-ssh/

Here is a discussion thread that describes *exactly* the issue I am still
having (if I don't use my workaround to kill and restart gpg-agent on every
yubikey insertion and deletion):

https://lists.gnupg.org/pipermail/gnupg-users/2015-June/053796.html

Glenn


Re: GnuPG 2.1: --auto-key-locate dane

2015-11-29 Thread Daniel Baur
Hello,
On 27.11.2015 at 07:58, Werner Koch wrote:
>> The OpenPGPKey-DNS-entry for my mail address works, if you like to test gpg.
> Not for me:

sorry, this is a misunderstanding. I meant: My entry is correct in the
DNS, while Felix’ is not. I have no such recent version of gpg to test
if it is working there.

Sincerely,
DaB.







WG: GnuPG 2.1: --auto-key-locate dane

2015-11-27 Thread Felix Seip


-Original Message-
From: Felix Seip 
Sent: Friday, 27 November 2015 15:13
To: 'Werner Koch' 
Subject: AW: GnuPG 2.1: --auto-key-locate dane

I tried this once again using Werner Koch's key:
gpg --auto-key-locate dane -v --locate-key w...@gnupg.org

However, I didn't receive the answer that I was expecting. Here is what I got:
gpg: using PGP trust model
gpg: error retrieving 'w...@gnupg.org' via DANE: Not found
gpg: error reading key: Not found

I should have received a fingerprint with the corresponding key.

I also tried:
gpg --auto-key-locate pka -v --locate-key w...@gnupg.org

The response I received was:
gpg: using PGP trust model
gpg: auto-key-locate found fingerprint 80615870F5BAD690333686D0F2AD85AC1E42B367
gpg: error retrieving 'w...@gnupg.org' via PKA: No public key
gpg: key "w...@gnupg.org" not found: No public key

Best Regards,
Felix Seip




AW: GnuPG 2.1: --auto-key-locate dane

2015-11-26 Thread Felix Seip
Thank you for your responses!
I was receiving the unknown IPC command because I had the GnuPG 2.0 agent and 
the GnuPG 2.1.9 agent running at the same time.

Best Regards,
Felix Seip

-Original Message-
From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On Behalf Of Werner Koch
Sent: Friday, 27 November 2015 07:58
To: Daniel Baur 
Cc: gnupg-users@gnupg.org
Subject: Re: GnuPG 2.1: --auto-key-locate dane

On Thu, 26 Nov 2015 23:00, m...@dabpunkt.eu said:

> returns no key. So AFAIS the error is not at you or gpg, but at gmx.
>
> The OpenPGPKey-DNS-entry for my mail address works, if you like to test gpg.

Not for me:

  $ gpg --auto-key-locate clear,pka,dane,local -v --locate-key m...@dabpunkt.ue
  [...]
  gpg: error retrieving 'm...@dabpunkt.ue' via PKA: Not found
  gpg: error retrieving 'm...@dabpunkt.ue' via DANE: Not found
  gpg: can't handle public key algorithm 105
  gpg: error retrieving 'm...@dabpunkt.ue' via Local: No public key
  gpg: key "m...@dabpunkt.ue" not found: No public key
  
This is the current version but there are no changes related to DANE
since 2.1.9.  I redacted your address in the above transcript (eu->ue).
A likely reason for the problem is a change of the algorithm from
SHA-224 to a truncated SHA-256 in one of the last OpenPGP drafts.

Use "gpg --print-dane-records -k m...@dabpunkt.ue" to output a suitable
DANE record.

Here is a working example:

  $ gpg --auto-key-locate clear,dane,local -v --locate-key w...@gnupg.org
  [...]
  gpg: pub  dsa2048/F2AD85AC1E42B367 2007-12-31  Werner Koch 
  gpg: key F2AD85AC1E42B367: "Werner Koch " not changed
  gpg: Total number processed: 1
  gpg:  unchanged: 1
  gpg: auto-key-locate found fingerprint 80615870F5BAD690333686D0F2AD85AC1E42B367
  gpg: automatically retrieved 'w...@gnupg.org' via DANE
  [...]

Note that using --locate-key is better because it uses the same strategy
as used by -r.  In the second example I left out PKA because I also have
a PKA entry for my address. By using "clear" I override defaults set in
gpg.conf and "local" instructs gpg to check the local keyring after
"dane".  Another address for testing is my g10code address.



Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.



Re: GnuPG 2.1: --auto-key-locate dane

2015-11-26 Thread Werner Koch
On Thu, 26 Nov 2015 23:00, m...@dabpunkt.eu said:

> returns no key. So AFAIS the error is not at you or gpg, but at gmx.
>
> The OpenPGPKey-DNS-entry for my mail address works, if you like to test gpg.

Not for me:

  $ gpg --auto-key-locate clear,pka,dane,local -v --locate-key m...@dabpunkt.ue
  [...]
  gpg: error retrieving 'm...@dabpunkt.ue' via PKA: Not found
  gpg: error retrieving 'm...@dabpunkt.ue' via DANE: Not found
  gpg: can't handle public key algorithm 105
  gpg: error retrieving 'm...@dabpunkt.ue' via Local: No public key
  gpg: key "m...@dabpunkt.ue" not found: No public key
  
This is the current version but there are no changes related to DANE
since 2.1.9.  I redacted your address in the above transcript (eu->ue).
A likely reason for the problem is a change of the algorithm from
SHA-224 to a truncated SHA-256 in one of the last OpenPGP drafts.

Use "gpg --print-dane-records -k m...@dabpunkt.ue" to output a suitable
DANE record.

Here is a working example:

  $ gpg --auto-key-locate clear,dane,local -v --locate-key w...@gnupg.org
  [...]
  gpg: pub  dsa2048/F2AD85AC1E42B367 2007-12-31  Werner Koch 
  gpg: key F2AD85AC1E42B367: "Werner Koch " not changed
  gpg: Total number processed: 1
  gpg:  unchanged: 1
  gpg: auto-key-locate found fingerprint 80615870F5BAD690333686D0F2AD85AC1E42B367
  gpg: automatically retrieved 'w...@gnupg.org' via DANE
  [...]

Note that using --locate-key is better because it uses the same strategy
as used by -r.  In the second example I left out PKA because I also have
a PKA entry for my address. By using "clear" I override defaults set in
gpg.conf and "local" instructs gpg to check the local keyring after
"dane".  Another address for testing is my g10code address.



Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
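
Added example (not part of the thread and not GnuPG's code): the change from SHA-224 to a truncated SHA-256 mentioned above can be checked by deriving the OPENPGPKEY owner name both ways and comparing the result with the name that was actually queried, as in the dig query quoted in this thread. Both schemes give a 56-hex-digit label, so the label length alone does not show which one a zone was published under; `alice@example.org` and all function names are assumptions made for the illustration.

```python
import hashlib

# The two hashing schemes named in the thread.
SCHEMES = ("sha224", "sha256-trunc28")


def split_address(address):
    """Split a mailbox into (local-part, domain); only the domain is case-folded."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mailbox address: {address!r}")
    return local, domain.lower().rstrip(".")


def openpgpkey_label(local_part, scheme):
    """Left-most label of the OPENPGPKEY owner name under one scheme.

    The local-part is hashed exactly as given; no case folding is applied here.
    """
    data = local_part.encode("utf-8")
    if scheme == "sha224":
        # Earlier drafts: the full SHA-224 digest (28 octets).
        return hashlib.sha224(data).hexdigest()
    if scheme == "sha256-trunc28":
        # Later drafts and RFC 7929: SHA-256 truncated to 28 octets.
        return hashlib.sha256(data).digest()[:28].hex()
    raise ValueError(f"unknown scheme: {scheme!r}")


def owner_names(address):
    """Return {scheme: owner name} for every scheme, e.g. for use with dig."""
    local, domain = split_address(address)
    return {
        scheme: f"{openpgpkey_label(local, scheme)}._openpgpkey.{domain}"
        for scheme in SCHEMES
    }


def classify_query(qname, address):
    """Tell which scheme, if any, turns `address` into the queried name."""
    wanted = qname.strip().lower().rstrip(".")
    for scheme, name in owner_names(address).items():
        if name == wanted:
            return scheme
    return None


if __name__ == "__main__":
    # Constructed address, used only to show the two candidate names.
    for scheme, name in owner_names("alice@example.org").items():
        print(f"{scheme:15} dig type61 {name}")
```

A lookup that returns nothing for one name and a record for the other shows that the client and the zone follow different drafts.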




Re: GnuPG 2.1: --auto-key-locate dane

2015-11-26 Thread Daniel Baur
Hello,
On 26.11.2015 at 16:00, Felix Seip wrote:
> Clearly I am doing something wrong and was wondering if someone could
> help me with this problem.

dig type61
1ed6d5e274e32624065e36218dd952070defca5ad2618ec8d64511c6._openpgpkey.gmx.de

returns no key. So AFAIS the error is not at you or gpg, but at gmx.

The OpenPGPKey-DNS-entry for my mail address works, if you like to test gpg.

Sincerely,
DaB.






GnuPG 2.1: --auto-key-locate dane

2015-11-26 Thread Felix Seip
Hi,

The past week I have been trying to figure out how to receive a public key from 
a DNS domain through GnuPG 2.1.9. The way I have been attempting to do this is 
by executing:
gpg --auto-key-locate dane -ea -r felixs...@gmx.de

However, every time I get the following error message:
gpg: error retrieving 'felixs...@gmx.de' via PKA: Unknown IPC command
gpg: felixs...@gmx.de: skipped: Unknown IPC command
gpg: [stdin]: encryption failed: Unknown IPC command

Clearly I am doing something wrong and was wondering if someone could help me 
with this problem.

Thank you in advance,
Felix Seip



Re: "g13" tool in GnuPG 2.1

2015-09-16 Thread Peter Lebbing
On 16/09/15 17:39, Werner Koch wrote:
> For my own needs I am working on yet another dm-crypt wrapper which will
> be another backend for g13.

I'd much prefer dm-crypt as backend, so all the better! In fact, I think
LUKS might be better than plain dm-crypt; it seems to be getting the
most love from the devs.

Peter.

(PS: I accidentally addressed my reply wrong; it went to Werner instead
of the list, so this is a new copy)

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: "g13" tool in GnuPG 2.1

2015-09-16 Thread Werner Koch
On Thu,  2 Apr 2015 18:35, pe...@digitalbrains.com said:

> So is G13 ready for use?

Not really.  For example the management features are missing: Adding
another key, adding a symmetric key, removing a key, and so on.  And
well, encfs itself has shown some problems and I am not sure whether
encfs is still maintained.

For my own needs I am working on yet another dm-crypt wrapper which will
be another backend for g13.



>
> (note that the LUKS script written by me and modified by Jan also uses
> real public key cryptography; that remark in the quote refers to a
> different method of unlocking an encrypted drive using an OpenPGP card).
>
> Cheers,
>
> Peter.
>
> [1] http://lists.gnupg.org/pipermail/gnupg-users/2009-November/037599.html

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




unattended key deletion GnuPG 2.1

2015-07-31 Thread HW42
Hi,

I try to delete a public and its secret key via gpgme. The problem is
that it always pops a pinentry confirmation dialog. Since I want to do the
action unattended this is a problem.

By looking at the gpg-agent code it seems that there is currently no way
to do this. But maybe I missed something.

There are two possible workarounds I have thought of

1) use a fake pinentry which always says yes.
2) delete the key in private-keys-v1.d

but those are obviously crude hacks.

Thank you.





Re: GnuPG 2.1

2015-07-22 Thread MFPA



On Wednesday 22 July 2015 at 3:48:15 PM, in
, Werner Koch wrote:


> Nope, you won't see changes here - at least not for the
> standard NIST or Brainpool curves.

Is the format for encryption keys using Curve 25519
finalised/implemented yet?



- --
Best regards

MFPA  

Ballerinas are always on their toes.  We need taller ballerinas!


Re: GnuPG 2.1

2015-07-22 Thread Werner Koch
On Tue, 21 Jul 2015 19:31, r...@sixdemonbag.org said:

> Right now, I wouldn't recommend ECC for production use.  We're still
> getting the kinks worked out of it, and it isn't beyond the realm of
> possibility to think we might see significant changes by GnuPG 2.2.

Nope, you won't see changes here - at least not for the standard NIST or
Brainpool curves.  The problem with ECC is that the software supporting
ECC is not yet widely deployed and thus people either can't verify
your messages or not send you encrypted messages.  This is also the
reason why ECC requires the --expert option.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: GnuPG 2.1

2015-07-21 Thread Robert J. Hansen
> Please feel free to laugh out loud if I'm missing something stupidly 
> obvious - I did tell you I was old :-)

Nonsense: good questions deserve good answers.  :)

> I'm not sure whether I should be asking in here or in the Enigmail 
> group, so I'm trying here first - please refer me to the other group
> if it is more appropriate.

It's a little of both, actually.  You may want to ask again on Enigmail,
although you'll likely get a lot of the same answers from a lot of the
same people (myself included).

> I've just changed over to GnuPG 2.1.x and have been trying out an
> ECC key too.

Right now, I wouldn't recommend ECC for production use.  We're still
getting the kinks worked out of it, and it isn't beyond the realm of
possibility to think we might see significant changes by GnuPG 2.2.
That said, if your purpose is edification and education, go for it! :)

> The first problem is trivial - if I send an HTML message, the
> signature verifies correctly, but the body of the message vanishes
> without trace - nothing at all shows up when trying to read the
> received message. There's an easy answer, I know - don't use HTML.

The easy answer is also the wrong one.  This appears to be a serious
usability bug, and we very much want to fix those!

Could you please do the following?

1.  Write a short message in HTML.  (Just "Hello, world!"
will do.)
2.  Send it to me, *off-list*.
3.  Write the exact same short message in a new email.
4.  Sign it using PGP/MIME and send it to me *off-list*.

I'll take a look at it.  If I can't see the problem, I'll kick it over
to Patrick and Nicolai for some in-depth debugging.

> Above, and as part of, the message text, appear two of the message
> headers:-

This is a known issue.  Enigmail expects GnuPG to behave in a certain
way, and since 2.1 GnuPG acts just slightly different than what we
expect.  Getting this fixed is on our to-do list.  :)



GnuPG 2.1

2015-07-21 Thread Bob Henson
I'm not sure whether I should be asking in here or in the Enigmail
group, so I'm trying here first - please refer me to the other group if
it is more appropriate.

I've just changed over to GnuPG 2.1.x and have been trying out an ECC
key too. By and large, it all seems to work well (signatures verify, and
encryption/unencryption works fine too) , but whilst sending test
messages back and forth to myself using new and old keys for signing and
encryption I noticed a couple of odd things, and it would be useful to
know if they are related to GnuPG 2.1.x, or Enigmail (or even the ECC
key - although that isn't likely). I'm using PGP/MIME for all messages.

The first problem is trivial - if I send an HTML message, the signature
verifies correctly, but the body of the message vanishes without trace -
nothing at all shows up when trying to read the received message.
There's an easy answer, I know - don't use HTML. I'm quite happy to do
that, but I'm old and I forget :-(

The second is a bit of a problem and will look odd if it happens when I
send mail to others. Signing a message with either my old key or the new
ECC key, and sending it to myself encrypted to both keys results in no
problems with the signature or decryption, and the message appears OK.
Above, and as part of, the message text, appear two of the message headers:-

Content-Type: text/plain; charset=windows-1252

Content-Transfer-Encoding: quoted-printable

This would look a bit odd to another recipient - albeit they don't
prevent the rest of the message from being read.

Why am I asking in here - well it didn't happen with the same versions
of Thunderbird/Enigmail and GnuPG 2.0.x . That doesn't mean it isn't an
Enigmail thing, of course, and I'm hoping you'll be able to tell me
which it is.

Please feel free to laugh out loud if I'm missing something stupidly
obvious - I did tell you I was old :-)

Regards,

Bob






"g13" tool in GnuPG 2.1 (was: decrypt luks with gnupg Card: determine if cardreader has pinpad)

2015-04-02 Thread Peter Lebbing
On 31/03/15 13:25, Jan Kowalsky wrote:
> I wrote a howto (in german) in addition to the one from Peter Lebbing
> (thanks a lot!):
> https://wiki.datenkollektiv.net/public/gnupg/luks_gnupg_card

... in which the following message by Werner from 2009 is linked: [1]

From which I will quote:
> Another option would be to wait a while and use the new g13 tool which
> is part of the new development branch of GnuPG.  It is fully integrated
> into GnuPG and provides a platform independent replacement for LUKS.
> For now only Encfs is supported but the system is designed to support
> all kinds of backends (Even one on top of LUKS is possible).  The
> advantage of G13 is that you use real public key cryptography and thus
> your actual private key never leaves the card - it is only used to
> encrypt the bulk encryption key(s). 

So is G13 ready for use?

(note that the LUKS script written by me and modified by Jan also uses
real public key cryptography; that remark in the quote refers to a
different method of unlocking an encrypted drive using an OpenPGP card).

Cheers,

Peter.

[1] http://lists.gnupg.org/pipermail/gnupg-users/2009-November/037599.html

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: SKS Keyserver, HKPS and GnuPG 2.1

2015-03-19 Thread Werner Koch
On Wed, 18 Mar 2015 22:52, david.j.woo...@gmail.com said:

> I debugged this issue a few days ago. I've posted a patch for testing and
> hopefully incorporation into a future GnuPG 2.1 build at

It is on my shortlist.

Thanks,

  Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




SKS Keyserver, HKPS and GnuPG 2.1

2015-03-18 Thread David Wood
Dear all,

Apologies for the thread break - I was reading via the archives and have
only just subscribed.

I debugged this issue a few days ago. I've posted a patch for testing and
hopefully incorporation into a future GnuPG 2.1 build at
https://bugs.g10code.com/gnupg/issue1792

With this patch, hkps://hkps.pool.sks-keyservers.net works correctly for me.


David
-- 
David Wood
david.j.woo...@gmail.com


Re: SKS Keyserver, HKPS, and GnuPG 2.1

2015-03-18 Thread Samir Nassar
On Wednesday, March 18, 2015 06:18:53 PM Daniel Kahn Gillmor wrote:
> It looks to me like you're using the server's certificate as the CA
> certificate.  I don't think that's going to work.  Maybe you want to use
> the Addtrust root cert (attached here)

Ahem. You are so very right. Somehow it escaped me that what I want for the 
setup is the CA cert, this despite dirmngr.conf having the line: hkp-cacert

> and then point hkp-cacert to that?

Now things work. I feel a bit foolish, but it's just wounded ego.

David Wood wrote me off-list and pointed out 
https://bugs.g10code.com/gnupg/issue1792 fixes access to my keyserver so I am 
writing for clarification.

Thank you Kristian and Daniel and David for your help.

Samir




Re: SKS Keyserver, HKPS, and GnuPG 2.1

2015-03-18 Thread Daniel Kahn Gillmor
On Wed 2015-03-18 18:03:11 -0400, Samir Nassar wrote:
> On Wednesday, March 18, 2015 10:40:57 PM Kristian Fiskerstrand wrote:
>> try renaming  /home/snassar/.gnupg/myriapolis.net.crt to
>> /home/snassar/.gnupg/myriapolis.net.pem
>
> Done.

It looks to me like you're using the server's certificate as the CA
certificate.  I don't think that's going to work.  Maybe you want to use
the Addtrust root cert (attached here)

and then point hkp-cacert to that?

--dkg



Re: SKS Keyserver, HKPS, and GnuPG 2.1

2015-03-18 Thread Samir Nassar
On Wednesday, March 18, 2015 10:40:57 PM Kristian Fiskerstrand wrote:
> try renaming  /home/snassar/.gnupg/myriapolis.net.crt to
> /home/snassar/.gnupg/myriapolis.net.pem

Done.

> if that doesn't help , can you increase debug verbosity in
> dirmngr.conf and set the logfile?
> $ cat dirmngr.conf
> verbose
> debug 4096
> debug-level 4096
> debug-all
> log-file /tmp/dirmngr.log

Results:

2015-03-18 22:57:20 dirmngr[23026.0] listening on socket 
'/home/snassar/.gnupg/S.dirmngr'
2015-03-18 22:57:20 dirmngr[23027.0] permanently loaded certificates: 0
2015-03-18 22:57:20 dirmngr[23027.0] runtime cached certificates: 0
2015-03-18 22:57:21 dirmngr[23027.0] handler for fd 0 started
2015-03-18 22:57:21 dirmngr[23027.0] DBG: chan_0 -> # Home: 
/home/snassar/.gnupg
2015-03-18 22:57:21 dirmngr[23027.0] DBG: chan_0 -> # Config: 
/home/snassar/.gnupg/dirmngr.conf
2015-03-18 22:57:21 dirmngr[23027.0] DBG: chan_0 -> OK Dirmngr 2.1.2 at your 
service
2015-03-18 22:57:21 dirmngr[23027.0] connection from process 23024 (1000:1000)
2015-03-18 22:57:21 dirmngr[23027.0] DBG: chan_0 <- KEYSERVER --clear 
hkps://keyserver.myriapolis.net
2015-03-18 22:57:21 dirmngr[23027.0] DBG: chan_0 -> OK
2015-03-18 22:57:21 dirmngr[23027.0] DBG: chan_0 <- KS_SEARCH -- 
sa...@samirnassar.com
2015-03-18 22:57:21 dirmngr[23027.0] getnameinfo returned for 
'keyserver.myriapolis.net': 'keyserver.myriapolis.net' [already known]
2015-03-18 22:57:22 dirmngr[23027.0] TLS verification of peer failed: 
status=0x0042
2015-03-18 22:57:22 dirmngr[23027.0] TLS verification of peer failed: The 
certificate is NOT trusted. The certificate issuer is unknown. 
2015-03-18 22:57:22 dirmngr[23027.0] DBG: expected hostname: 
keyserver.myriapolis.net
2015-03-18 22:57:22 dirmngr[23027.0] DBG: BEGIN Certificate 'server[0]':
2015-03-18 22:57:22 dirmngr[23027.0] DBG:  serial: 
4BC6878D433B6F5CA74E0142C8C2CA6B
2015-03-18 22:57:22 dirmngr[23027.0] DBG:   notBefore: 2013-12-11 00:00:00
2015-03-18 22:57:22 dirmngr[23027.0] DBG:notAfter: 2015-12-11 23:59:59
2015-03-18 22:57:22 dirmngr[23027.0] DBG:  issuer: CN=COMODO RSA Domain 
Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater 
Manchester,C=GB
2015-03-18 22:57:22 dirmngr[23027.0] DBG: subject: 
CN=*.myriapolis.net,OU=EssentialSSL Wildcard,OU=Domain Control Validated
2015-03-18 22:57:22 dirmngr[23027.0] DBG:   hash algo: 1.2.840.113549.1.1.11
2015-03-18 22:57:22 dirmngr[23027.0] DBG:   SHA1 fingerprint: 
47D0B4CAA99B5D3F9EA9C2E2F26B380CD60129C7
2015-03-18 22:57:22 dirmngr[23027.0] DBG: END Certificate
2015-03-18 22:57:22 dirmngr[23027.0] DBG: BEGIN Certificate 'server[1]':
2015-03-18 22:57:22 dirmngr[23027.0] DBG:  serial: 
2B2E6EEAD975366C148A6EDBA37C8C07
2015-03-18 22:57:22 dirmngr[23027.0] DBG:   notBefore: 2014-02-12 00:00:00
2015-03-18 22:57:22 dirmngr[23027.0] DBG:notAfter: 2029-02-11 23:59:59
2015-03-18 22:57:22 dirmngr[23027.0] DBG:  issuer: CN=COMODO RSA 
Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater 
Manchester,C=GB
2015-03-18 22:57:22 dirmngr[23027.0] DBG: subject: CN=COMODO RSA Domain 
Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater 
Manchester,C=GB
2015-03-18 22:57:22 dirmngr[23027.0] DBG:   hash algo: 1.2.840.113549.1.1.12
2015-03-18 22:57:22 dirmngr[23027.0] DBG:   SHA1 fingerprint: 
339CDD57CFD5B141169B615FF31428782D1DA639
2015-03-18 22:57:22 dirmngr[23027.0] DBG: END Certificate
2015-03-18 22:57:22 dirmngr[23027.0] DBG: BEGIN Certificate 'server[2]':
2015-03-18 22:57:22 dirmngr[23027.0] DBG:  serial: 
2766EE56EB49F38EABD770A2FC84DE22
2015-03-18 22:57:22 dirmngr[23027.0] DBG:   notBefore: 2000-05-30 10:48:38
2015-03-18 22:57:22 dirmngr[23027.0] DBG:notAfter: 2020-05-30 10:48:38
2015-03-18 22:57:22 dirmngr[23027.0] DBG:  issuer: CN=AddTrust External CA 
Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
2015-03-18 22:57:22 dirmngr[23027.0] DBG: subject: CN=COMODO RSA 
Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater 
Manchester,C=GB
2015-03-18 22:57:22 dirmngr[23027.0] DBG:   hash algo: 1.2.840.113549.1.1.12
2015-03-18 22:57:22 dirmngr[23027.0] DBG:   SHA1 fingerprint: 
F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
2015-03-18 22:57:22 dirmngr[23027.0] DBG: END Certificate
2015-03-18 22:57:22 dirmngr[23027.0] DBG: BEGIN Certificate 'server[3]':
2015-03-18 22:57:22 dirmngr[23027.0] DBG:  serial: 01
2015-03-18 22:57:22 dirmngr[23027.0] DBG:   notBefore: 2000-05-30 10:48:38
2015-03-18 22:57:22 dirmngr[23027.0] DBG:notAfter: 2020-05-30 10:48:38
2015-03-18 22:57:22 dirmngr[23027.0] DBG:  issuer: CN=AddTrust External CA 
Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
2015-03-18 22:57:22 dirmngr[23027.0] DBG: subject: CN=AddTrust External CA 
Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
2015-03-18 22:57:22 dirmngr[23027.0] DBG:   hash algo: 1.2.840.113549.1.1.5
2015-03-18 22:57:22 dirmngr[23027.0] DBG:   SHA1 fingerprint: 
02FAF3E291435468607857694DF5E45B68
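
Added example (not part of the thread and not dirmngr's code): the diagnosis given in the reply to this log, that the server's own certificate had been configured as hkp-cacert instead of a CA certificate, can be read off the BEGIN/END Certificate blocks. The sketch rebuilds the chain from the issuer and subject lines, checks that each issuer matches the next subject, and names the self-signed root. The sample log is constructed from the DNs quoted above with the line wrapping undone; that the configured file carried the leaf's subject is an assumption, as are all function names.

```python
import re

# DNs as they appear in the dirmngr log quoted in this thread.
LEAF_DN = "CN=*.myriapolis.net,OU=EssentialSSL Wildcard,OU=Domain Control Validated"
DV_CA_DN = ("CN=COMODO RSA Domain Validation Secure Server CA,"
            "O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB")
RSA_CA_DN = ("CN=COMODO RSA Certification Authority,"
             "O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB")
ROOT_DN = ("CN=AddTrust External CA Root,OU=AddTrust External TTP Network,"
           "O=AddTrust AB,C=SE")

PREFIX = "2015-03-18 22:57:22 dirmngr[23027.0] "


def _sample_log():
    """Constructed sample holding only the lines the parser needs.

    The last block has no END line, like the truncated log in the thread.
    """
    pairs = [(DV_CA_DN, LEAF_DN), (RSA_CA_DN, DV_CA_DN),
             (ROOT_DN, RSA_CA_DN), (ROOT_DN, ROOT_DN)]
    lines = [PREFIX + "TLS verification of peer failed: The certificate is "
             "NOT trusted. The certificate issuer is unknown."]
    for i, (issuer, subject) in enumerate(pairs):
        lines.append(f"{PREFIX}DBG: BEGIN Certificate 'server[{i}]':")
        lines.append(f"{PREFIX}DBG:  issuer: {issuer}")
        lines.append(f"{PREFIX}DBG: subject: {subject}")
        if i < len(pairs) - 1:
            lines.append(f"{PREFIX}DBG: END Certificate")
    return "\n".join(lines)


SAMPLE_LOG = _sample_log()

BEGIN_RE = re.compile(r"DBG:\s*BEGIN Certificate '([^']+)':")
FIELD_RE = re.compile(r"DBG:\s*(issuer|subject):\s*(.*\S)")
END_RE = re.compile(r"DBG:\s*END Certificate")


def parse_chain(log_text):
    """Return the presented chain as a list of {name, issuer, subject} dicts."""
    chain, cur = [], None
    for line in log_text.splitlines():
        begin = BEGIN_RE.search(line)
        if begin:
            cur = {"name": begin.group(1), "issuer": None, "subject": None}
            continue
        if cur is None:
            continue
        field = FIELD_RE.search(line)
        if field:
            cur[field.group(1)] = field.group(2)
        elif END_RE.search(line):
            chain.append(cur)
            cur = None
    # Keep a final block that was cut off before its END line.
    if cur and cur["issuer"] and cur["subject"]:
        chain.append(cur)
    return chain


def check_cacert(chain, configured_subject):
    """Compare the subject of the configured hkp-cacert file with the chain."""
    if not chain:
        raise ValueError("no certificate blocks found in the log")
    broken = [(a["name"], b["name"])
              for a, b in zip(chain, chain[1:]) if a["issuer"] != b["subject"]]
    roots = [c for c in chain if c["issuer"] == c["subject"]]
    return {
        # True when the configured file is the server's own certificate.
        "leaf_used_as_ca": configured_subject == chain[0]["subject"],
        # True when every issuer matches the subject of the next certificate.
        "links_ok": not broken,
        # Subject of the self-signed certificate that ends the chain, if any.
        "anchor": roots[-1]["subject"] if roots else None,
    }


if __name__ == "__main__":
    report = check_cacert(parse_chain(SAMPLE_LOG), LEAF_DN)
    print(report)
```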

Re: SKS Keyserver, HKPS, and GnuPG 2.1

2015-03-18 Thread Kristian Fiskerstrand

On 03/18/2015 10:33 PM, Samir Nassar wrote:
> On Wednesday, March 18, 2015 10:14:53 PM Kristian Fiskerstrand wrote:
>> gpg-connect-agent --dirmngr 'KEYSERVER --help' /bye
>> S # Known schemata:
>> S #   hkp
>> S #   hkps
>> S #   http
>> S #   finger
>> S #   kdns
> 
> Same.
> 
> When I set the keyserver to: hkp://keyserver.myriapolis.net
> everything works.
> 
> When I set the keyserver to: hkps://keyserver.myriapolis.net it
> stops working.
> 
> To test whether it is a general hkps problem or not, I tried: 
> hkps://keys.niif.hu with the same issue.
> 
> Is it possible that dirmngr isn't reading the cert I have for
> myriapolis.net properly?

try renaming  /home/snassar/.gnupg/myriapolis.net.crt to
/home/snassar/.gnupg/myriapolis.net.pem

if that doesn't help , can you increase debug verbosity in
dirmngr.conf and set the logfile?
$ cat dirmngr.conf
verbose
debug 4096
debug-level 4096
debug-all
log-file /tmp/dirmngr.log

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
"A committee is a group that keeps minutes and loses hours."
(Milton Berle)


Re: SKS Keyserver, HKPS, and GnuPG 2.1

2015-03-18 Thread Samir Nassar
On Wednesday, March 18, 2015 10:14:53 PM Kristian Fiskerstrand wrote:
> gpg-connect-agent --dirmngr 'KEYSERVER --help' /bye
> S # Known schemata:
> S #   hkp
> S #   hkps
> S #   http
> S #   finger
> S #   kdns

Same.
 
When I set the keyserver to: hkp://keyserver.myriapolis.net everything works.

When I set the keyserver to: hkps://keyserver.myriapolis.net it stops working.

To test whether it is a general hkps problem or not, I tried: 
hkps://keys.niif.hu with the same issue.

Is it possible that dirmngr isn't reading the cert I have for myriapolis.net 
properly?

Samir



Re: SKS Keyserver, HKPS, and GnuPG 2.1

2015-03-18 Thread Kristian Fiskerstrand

On 03/18/2015 10:08 PM, Samir Nassar wrote:
> On Wednesday, March 18, 2015 09:21:08 PM Kristian Fiskerstrand
> wrote:
>> 11371 is expected to be for HKP, so requiring this to be TLS is
>> bad practice.
> 

...

> gpg: DBG: chan_4 <- ERR 1 General error
> gpg: error searching keyserver: General error
> gpg: keyserver search failed: General error
> gpg: DBG: chan_4 -> BYE
> gpg: DBG: [not enabled in the source] stop
> gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
>   outmix=0 getlvl1=0/0 getlvl2=0/0
> gpg: secmem usage: 0/32768 bytes in 0 blocks

Are you only experiencing issues with your own server or with HKPS in
general? Is dirmngr compiled with gnutls support?

gpg-connect-agent --dirmngr 'KEYSERVER --help' /bye
S # Known schemata:
S #   hkp
S #   hkps
S #   http
S #   finger
S #   kdns

or ldd /usr/bin/dirmngr|grep gnutls


- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
"Statistics are like a bikini. What they reveal is suggestive, but
what they conceal is vital."
(Aaron Levenstein)


Re: SKS Keyserver, HKPS, and GnuPG 2.1

2015-03-18 Thread Samir Nassar
On Wednesday, March 18, 2015 09:21:08 PM Kristian Fiskerstrand wrote:
> 11371 is expected to be for HKP, so requiring this to be TLS is bad
> practice.

Oh oops. Fixed now.
 
> > gpg-connect-agent --verbose --dirmngr 'keyserver
> > hkps://keyserver.myriapolis.net:11371' 'ks_get 1e42b367' /bye
> > 
> > gpg-connect-agent --verbose --dirmngr 'keyserver
> > hkps://holdfast.myriapolis.net:11371' 'ks_get 1e42b367' /bye
> 
> What if you just update the keyserver in gpg.conf and kill the dirmngr
> (it will auto-restart)?

Done

> increase verbosity, e.g. gpg --debug-level guru --search
> b...@invaliddomain.com , alternatively specify debug / debug-level in
> dirmngr.conf along with a log-file

$ gpg --debug-level guru --search sa...@samirnassar.com
gpg: enabled debug flags: packet mpi cipher filter iobuf memory cache memstat 
trust hashing extprog cardio assuan clock
gpg: DBG: [not enabled in the source] start
gpg: DBG: chan_3 <- # Home: /home//.gnupg
gpg: DBG: chan_3 <- # Config: /home//.gnupg/dirmngr.conf
gpg: DBG: chan_3 <- OK Dirmngr 2.1.2 at your service
gpg: DBG: chan_4 <- # Home: /home//.gnupg
gpg: DBG: chan_4 <- # Config: /home//.gnupg/dirmngr.conf
gpg: DBG: chan_4 <- OK Dirmngr 2.1.2 at your service
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_4 -> KEYSERVER --clear hkps://keyserver.myriapolis.net
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> KS_SEARCH -- sa...@samirnassar.com
gpg: DBG: chan_4 <- ERR 1 General error 
gpg: error searching keyserver: General error
gpg: keyserver search failed: General error
gpg: DBG: chan_4 -> BYE
gpg: DBG: [not enabled in the source] stop
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
  outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: secmem usage: 0/32768 bytes in 0 blocks




Re: SKS Keyserver, HKPS, and GnuPG 2.1

2015-03-18 Thread Kristian Fiskerstrand

On 03/18/2015 09:13 PM, Samir Nassar wrote:
> On Wednesday, March 18, 2015 08:54:47 PM Kristian Fiskerstrand 
> wrote:
>> Hmm, I didn't notice that it was a wildcard cert, that should 
>> also support holdfast.myriapolis.net in the cert matching, 
>> however it results a redirect and 404 for [0]. If you add this 
>> as a vhost I suspect it will work in your configuration.
> 
> I configured nginx to also serve up holdfast.myriapolis.net on 
> port 11371

11371 is expected to be for HKP, so requiring this to be TLS is bad
practice.

> 
> testing with:
> 
> gpg-connect-agent --verbose --dirmngr 'keyserver 
> https://keyserver.myriapolis.net:11371' 'ks_get 1e42b367' /bye
> 
> gpg-connect-agent --verbose --dirmngr 'keyserver 
> https://holdfast.myriapolis.net:11371' 'ks_get 1e42b367' /bye

https shouldn't work in this regard, it requires the API from HKP protocol

> 
> and with:
> 
> gpg-connect-agent --verbose --dirmngr 'keyserver 
> hkps://keyserver.myriapolis.net:11371' 'ks_get 1e42b367' /bye
> 
> gpg-connect-agent --verbose --dirmngr 'keyserver 
> hkps://holdfast.myriapolis.net:11371' 'ks_get 1e42b367' /bye
> 

What if you just update the keyserver in gpg.conf and kill the dirmngr
(it will auto-restart)?


> Gives this result:
> 
> OK ERR 1 General error  gpg-connect-agent: 
> closing connection to agent

increase verbosity, e.g. gpg --debug-level guru --search
b...@invaliddomain.com , alternatively specify debug / debug-level in
dirmngr.conf along with a log-file

> 
> Samir


-- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Testis unus, testis nullus
A single witness is no witness
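The checks suggested in this reply and in the follow-up that lists dirmngr's known schemata, combined into one script as an added example that is not part of the original thread. Function names and verdict words are hypothetical, the sample listings are constructed from the output quoted in the thread, and the listing for a build without TLS support is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# check_keyserver_url URL
# Prints a one-word verdict and returns 0 only for an hkps:// URL that is
# not on port 11371 (the port the thread says is expected to be plain HKP).
check_keyserver_url() {
    url=$1
    scheme=${url%%://*}
    if [ "$scheme" = "$url" ]; then
        echo "no-scheme"; return 1
    fi
    rest=${url#*://}
    hostport=${rest%%/*}
    case $hostport in
        *:*) port=${hostport##*:} ;;
        *)   port= ;;
    esac
    case $scheme in
        # "https shouldn't work in this regard": the HKP API needs hkps://
        https)    echo "https-not-hkps"; return 1 ;;
        # works, but the lookup is not protected by TLS
        http|hkp) echo "plaintext"; return 1 ;;
        hkps)
            if [ "$port" = 11371 ]; then
                echo "tls-on-hkp-port"; return 1
            fi
            echo "ok"; return 0 ;;
        *)        echo "unknown-scheme"; return 1 ;;
    esac
}

# dirmngr_has_schema SCHEMA
# Reads the output of
#   gpg-connect-agent --dirmngr 'KEYSERVER --help' /bye
# on stdin and succeeds if SCHEMA appears in the "Known schemata" list.
dirmngr_has_schema() {
    awk -v want="$1" '
        $1 == "S" && $2 == "#" && NF == 3 && $3 == want { found = 1 }
        END { exit !found }
    '
}

# diagnose URL   (schemata listing on stdin)
# An hkps:// URL cannot work if dirmngr itself has no hkps support, so that
# is reported first; otherwise the URL verdict is printed.
diagnose() {
    durl=$1
    listing=$(cat)
    case $durl in
        hkps://*)
            if ! printf '%s\n' "$listing" | dirmngr_has_schema hkps; then
                echo "dirmngr-lacks-hkps"; return 1
            fi ;;
    esac
    check_keyserver_url "$durl"
}

# Constructed sample: the listing quoted in the thread (hkps available).
SAMPLE_WITH_TLS='S # Known schemata:
S #   hkp
S #   hkps
S #   http
S #   finger
S #   kdns
OK'

# Constructed sample (assumption): a dirmngr built without TLS support.
SAMPLE_NO_TLS='S # Known schemata:
S #   hkp
S #   http
S #   finger
S #   kdns
OK'

# Demo over keyserver URLs that appear in the thread.
for u in 'https://keyserver.myriapolis.net:11371' \
         'hkps://keyserver.myriapolis.net:11371' \
         'hkps://keyserver.myriapolis.net'; do
    printf '%-42s %s\n' "$u" \
        "$(printf '%s\n' "$SAMPLE_WITH_TLS" | diagnose "$u")"
done
```

Against a live dirmngr, pipe the real listing in instead of the sample: `gpg-connect-agent --dirmngr 'KEYSERVER --help' /bye | diagnose URL`.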


Re: SKS Keyserver, HKPS, and GnuPG 2.1

2015-03-18 Thread Samir Nassar
On Wednesday, March 18, 2015 08:54:47 PM Kristian Fiskerstrand wrote:
> Hmm, I didn't notice that it was a wildcard cert, that should also
> support holdfast.myriapolis.net in the cert matching, however it
> results a redirect and 404 for [0]. If you add this as a vhost I
> suspect it will work in your configuration.

I configured nginx to also serve up holdfast.myriapolis.net on port 11371

testing with:

gpg-connect-agent --verbose --dirmngr 'keyserver 
https://keyserver.myriapolis.net:11371' 'ks_get 1e42b367' /bye

gpg-connect-agent --verbose --dirmngr 'keyserver 
https://holdfast.myriapolis.net:11371' 'ks_get 1e42b367' /bye

and with:

gpg-connect-agent --verbose --dirmngr 'keyserver 
hkps://keyserver.myriapolis.net:11371' 'ks_get 1e42b367' /bye

gpg-connect-agent --verbose --dirmngr 'keyserver 
hkps://holdfast.myriapolis.net:11371' 'ks_get 1e42b367' /bye

Gives this result:

OK
ERR 1 General error 
gpg-connect-agent: closing connection to agent
 
Samir




Re: SKS Keyserver, HKPS, and GnuPG 2.1

2015-03-18 Thread Kristian Fiskerstrand

On 03/18/2015 08:39 PM, Samir Nassar wrote:
> On Wednesday, March 18, 2015 07:28:31 PM Kristian Fiskerstrand
> wrote:
>> Likely related to the PTR issues[0, 1], it's already in the
>> roadmap[2]
> 
> Thank you Kristian,
> 
> So I understand this better. When using non-encrypted connections
> GnuPG doesn't have a problem, but when I am using a wildcard
> certificate GPG 2.1 has a problem?
> 
> Is there anything I can do to mitigate for now?

Hmm, I didn't notice that it was a wildcard cert, that should also
support holdfast.myriapolis.net in the cert matching, however it
results a redirect and 404 for [0]. If you add this as a vhost I
suspect it will work in your configuration.

References:
[0] https://holdfast.myriapolis.net/pks/lookup?op=stats

-- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Acta est fabula
So ends the story


Re: SKS Keyserver, HKPS, and GnuPG 2.1

2015-03-18 Thread Samir Nassar
On Wednesday, March 18, 2015 07:28:31 PM Kristian Fiskerstrand wrote:
> Likely related to the PTR issues[0, 1], it's already in the roadmap[2]

Thank you Kristian,

So I understand this better. When using non-encrypted connections GnuPG 
doesn't have a problem, but when I am using a wildcard certificate GPG 2.1 has 
a problem?

Is there anything I can do to mitigate for now?
 
Samir



Re: SKS Keyserver, HKPS, and GnuPG 2.1

2015-03-18 Thread Kristian Fiskerstrand

On 03/18/2015 03:54 PM, Samir Nassar wrote:
> Hello,
> 
> I originally posted this on the sks-devel mailing list, but after
> thinking about it, I believe this might be something I am doing
> wrong on the GnuPG side:
> 
> I set up a keyserver at keyserver.myriapolis.net.
> 


...

> 
> I get the following error: ERR 1 General error  source>
> 

Likely related to the PTR issues[0, 1], it's already in the roadmap[2]

References:
[0] http://lists.gnupg.org/pipermail/gnupg-devel/2015-February/029491.html
[1] http://lists.gnupg.org/pipermail/gnupg-devel/2014-May/028458.html
[2] https://gnupg.org/roadmap.html

-- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Nihil lacrima citius arescit
Nothing dries more quickly than a tear


SKS Keyserver, HKPS, and GnuPG 2.1

2015-03-18 Thread Samir Nassar
Hello,

I originally posted this on the sks-devel mailing list, but after thinking 
about it, I believe this might be something I am doing wrong on the GnuPG 
side:

I set up a keyserver at keyserver.myriapolis.net.

What I have done so far:

Installed sks (1.1.5) from wheezy-backports

SKS is behind a nginx reverse proxy using the instructions from: 
https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering

I can access SKS on the web through:
https://keyserver.myriapolis.net:11371/
https://keyserver.myriapolis.net:443/
http://keyserver.myriapolis.net:80/

When I access the keyserver through:

gpg-connect-agent --verbose --dirmngr 'keyserver 
http://keyserver.myriapolis.net' 'ks_get 1e42b367' /bye things work.

When I try the following:

gpg-connect-agent --verbose --dirmngr 'keyserver 
https://keyserver.myriapolis.net' 'ks_get 1e42b367' /bye

gpg-connect-agent --verbose --dirmngr 'keyserver 
https://keyserver.myriapolis.net:11371' 'ks_get 1e42b367' /bye

gpg-connect-agent --verbose --dirmngr 'keyserver 
hkps://keyserver.myriapolis.net:11371' 'ks_get 1e42b367' /bye

I get the following error: ERR 1 General error 

dirmngr.conf contains:

hkp-cacert /home/snassar/.gnupg/myriapolis.net.crt

Any pointers would be lovely.

Samir
PGP Fingerprint: 19AE 0BC4 7DA8 4683 3AB6 9A53 69A7 5542 488B 4A1A



Re: GnuPG 2.1 and Mailpile (LWN comments) about GPGME

2014-11-13 Thread Robert J. Hansen
On 11/13/2014 12:17 PM, Werner Koch wrote:
> Did you want to test a beta installer?

Sure, I'm up for that.

> Any volunteer to maintain one?

Can't.  I'm a forensics researcher who's received some USG funding; in
the eyes of a lot of people, especially post-Dual_EC_DRBG, I'd be
suspect.  It's best for the overall trustworthiness of GnuPG if I stay
away from development tasks.

I wish it was otherwise, but ... there you have it.







Re: GnuPG 2.1 and Mailpile (LWN comments) about GPGME

2014-11-13 Thread Werner Koch
On Thu, 13 Nov 2014 16:02, r...@sixdemonbag.org said:

> Not to beat a broken drum, but making it easier to use GPGME from a
> Microsoft environment would also be nice.  MSVC++ needs a .lib file for
> each DLL you're going to link against, and GPGME/Win32 doesn't ship with

Looking at the Gpg4win source I see

  SetOutPath "$INSTDIR\lib"
  File /oname=libgpgme.imp "${prefix}/lib/libgpgme.dll.a"
  File /oname=libgpgme-glib.imp "${prefix}/lib/libgpgme-glib.dll.a"

which means that an import file for the DLL is installed.  No library
for static linking but a DLL is anyway better.  Actually I added this on
your request:

commit c5404abb7cc8c284c2a8184a529fb0fdb82d8b50
Author: Werner Koch 
Date:   Wed Dec 5 10:18:43 2012 +0100

Install development files for the GnuPG related libraries.

* src/inst-gpgme.nsi: Install gpgme import lib and header file,
* src/inst-libassuan.nsi: Likewise.
* src/inst-libgcrypt.nsi: Likewise.
* src/inst-libgpg-error.nsi: Likewise.
* src/inst-libksba.nsi: Likewise.
* src/uninst-gpg4win.nsi: Remove the new files.
* src/uninst-gpgme.nsi: Ditto.
* src/uninst-libassuan.nsi: Ditto.
* src/uninst-libgcrypt.nsi: Ditto.
* src/uninst-libgpg-error.nsi: Ditto.
* src/uninst-libksba.nsi: Ditto.

> ideological purity, MS should be avoided; if our goal is to provide
> privacy tools to the most people possible, we need to consider MS
> environments to be a high priority.

It is and that is why I consider to separate GnuPG proper from Gpg4win
and provide a core installer with just the core.  This has not yet
happened because building a side-by-side assembly needs some more
experimenting or help.

The next installer for 2.1 should fix the major flaws from the first try
and be usable.  I will add the dev file too.  However, it still carries
the Pinentry and GPA which should be removed from the core installer.

Did you want to test a beta installer?

> Given the announcement yesterday from MS about how they're opening up
> the .NET server stack, I think we might see a resurgence of C# in the
> UNIX space.  I have to say, it'd be really nice to see C# bindings for
> GPGME.  There's already one set of them, gpgme-sharp, but I believe
> they're unmaintained.

Any volunteer to maintain one?


Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: GnuPG 2.1 and Mailpile (LWN comments) about GPGME

2014-11-13 Thread Robert J. Hansen

> A good step forward would be the integration of language bindings
> into the gpgme package.


Not to beat a broken drum, but making it easier to use GPGME from a
Microsoft environment would also be nice.  MSVC++ needs a .lib file for
each DLL you're going to link against, and GPGME/Win32 doesn't ship with
one.  Although workarounds exist (making your own .lib file, dynamically
opening the DLL, etc.), it would be nice if GPGME could be released with
a .lib file.

I'm not particularly keen on Microsoft environments for a lot of
reasons.  However, they do have 85%-90% marketshare.  If our goal is
ideological purity, MS should be avoided; if our goal is to provide
privacy tools to the most people possible, we need to consider MS
environments to be a high priority.


> That should make it easier to use it from languages other than C, C++
> (, and CL).  However, someone needs to feel responsible for such a
> language binding and try to keep it up to date.


Given the announcement yesterday from MS about how they're opening up
the .NET server stack, I think we might see a resurgence of C# in the
UNIX space.  I have to say, it'd be really nice to see C# bindings for
GPGME.  There's already one set of them, gpgme-sharp, but I believe
they're unmaintained.



Re: GnuPG 2.1 and Mailpile (LWN comments) about GPGME

2014-11-13 Thread Bernhard Reiter
On Thursday 13 November 2014 at 11:54:57, Werner Koch wrote:
> A good step forward would be the integration of language bindings into
> the gpgme package.  That should make it easier to use it from languages
> other than C, C++ (, and CL).  

Because of possible dependencies, they should end up in different Debian 
packages. You are talking about the source package I guess?

http://wiki.gnupg.org/APIs starts to have an overview about language bindings,
help appreciated to complete and maintain the list and possible links
to tutorials.

> However, someone needs to feel responsible 
> for such a language binding and try to keep it up to date.

Pyme has a debian package. pygpgme has an Ubuntu package.
And there are more.

Mostly we need more packagers. :)

Bernhard

-- 
www.intevation.de/~bernhard (CEO)     www.fsfe.org (Founding GA Member)
Intevation GmbH, Osnabrück, Germany; Amtsgericht Osnabrück, HRB 18998
Owned and run by Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner




Re: GnuPG 2.1 and Mailpile (LWN comments) about GPGME

2014-11-13 Thread Werner Koch
On Thu, 13 Nov 2014 10:08, bernh...@intevation.de said:

> job there.  Gpgme needs to get more popular, probably improved along the way,
> but it also would help to make the crypto-experience with GnuPG a lot better 
> for developers and users alike.

Actually I see 88 Debian projects depending on libgpgme11.

A good step forward would be the integration of language bindings into
the gpgme package.  That should make it easier to use it from languages
other than C, C++ (, and CL).  However, someone needs to feel responsible
for such a language binding and try to keep it up to date.


Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: GnuPG 2.1 and Mailpile (LWN comments) about GPGME

2014-11-13 Thread Bernhard Reiter
On Wednesday 12 November 2014 at 21:55:10, Nicholas Cole wrote:
>  The --with-colons
> --command-fd --status-fd interface has been remarkably stable.

True, Werner went a long way to keep it stable.

> The stability and utility of this interface is one of my favourite
> aspects of the gnupg project, and I really admire Werner for his work
> here.

Still it is a bit of a pain to keep it this way and a better interface is 
called for anyway, because this has limitations to build good interface. 
This is why we have gpgme for more than 10 years, Werner also did a very good 
job there.  Gpgme needs to get more popular, probably improved along the way,
but it also would help to make the crypto-experience with GnuPG a lot better 
for developers and users alike.



-- 
www.intevation.de/~bernhard (CEO)     www.fsfe.org (Founding GA Member)
Intevation GmbH, Osnabrück, Germany; Amtsgericht Osnabrück, HRB 18998
Owned and run by Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner




Re: GnuPG 2.1 and Mailpile (LWN comments) about GPGME

2014-11-12 Thread Nicholas Cole
On Tue, Nov 11, 2014 at 2:21 PM, Bernhard Reiter  wrote:
> In https://www.mailpile.is/blog/2014-10-07_Some_Thoughts_on_GnuPG.html
> the Mailpile developers would like to replace GnuPG with something better
> and for the short term propose to extend GnuPG with a command line JSON
> interface in the short term.
>
> I've commented the article under the LWN news about GnuPG 2.1.0 release
> https://lwn.net/Articles/619337/ as following:

I actually disagree with the assumption here.  The --with-colons
--command-fd --status-fd interface has been remarkably stable.  The
last major incompatible change was in 1.4.9 and 2.0.11 when the order
in which subkey algorithms were presented was changed.  Other than
that, it is an incredibly well-designed and easy to parse interface.
The only way in which it can trip you up is that you need to keep a
careful watch on whether you are expecting further data from gpg or
not.

The stability and utility of this interface is one of my favourite
aspects of the gnupg project, and I really admire Werner for his work
here.

Nicholas



Re: GnuPG 2.1 and Mailpile (LWN comments) about GPGME

2014-11-11 Thread Werner Koch
On Tue, 11 Nov 2014 15:21, bernh...@intevation.de said:
> In https://www.mailpile.is/blog/2014-10-07_Some_Thoughts_on_GnuPG.html
> the Mailpile developers would like to replace GnuPG with something better
> and for the short term propose to extend GnuPG with a command line JSON 

I have a reply in the works but there are more important tasks right
now.

JSON seems to be the new standard of the year (it is actually far easier
to work with - the C parser/builder I use has a mere 1300 lines).  I
don't like to play catch-up with the current whatever data presentation
standard.  But if someone likes to do that: it is pretty easy to add a
JSON interface to gpgme-tool as an alternative to the XML output.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




GnuPG 2.1 and Mailpile (LWN comments) about GPGME

2014-11-11 Thread Bernhard Reiter
In https://www.mailpile.is/blog/2014-10-07_Some_Thoughts_on_GnuPG.html
the Mailpile developers would like to replace GnuPG with something better
and for the short term propose to extend GnuPG with a command line JSON 
interface in the short term.

I've commented the article under the LWN news about GnuPG 2.1.0 release
https://lwn.net/Articles/619337/ as following:

"If Smári's thoughts on GnuPG reveal something, it is that we need to spread 
more knowledge about how GnuPG works. In the post, the supported API of 
GnuPG, GPGME is misspelled and the current python libraries for interacting 
with it were not identified. http://wiki.gnupg.org/APIs shows that pyme has 
moved to a new location with 0.9 published on May 2014 and the alternative 
pygpgme's 0.3 is from 2012. There is example code which is nice to work with.

Of course the command line interface is not the best stable interface to 
program GnuPG, it is because it is used as an interface to humans using the 
command line. GPGME is much better, of course it can be improved further.

Yes, Werner and his company g10code need your support, see 
http://g10code.com/index.html#sec-1-1 . (Full disclosure: My company 
Intevation is a business partner of g10code.)"

Bernhard


-- 
www.intevation.de/~bernhard (CEO)     www.fsfe.org (Founding GA Member)
Intevation GmbH, Osnabrück, Germany; Amtsgericht Osnabrück, HRB 18998
Owned and run by Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner




Re: GnuPG 2.1 Unattended EC Generation

2014-11-11 Thread Nicholas Cole
I'm so sorry, Werner. I thought I'd checked the manual. Huge apologies.

On Tuesday, 11 November 2014, Werner Koch  wrote:

> On Tue, 11 Nov 2014 12:56, nicholas.c...@gmail.com  said:
>
> > Is that still possible?  In version 2.1, if no password is specified,
> > gpg2 tries to call pin-entry and ask for a passphrase.
>
> A quick look into the manual (for me the source, but you may want to use
> the online version) gives:
>
>   @item %no-protection
>   Since GnuPG version 2.1 it is not anymore possible to specify a
>   passphrase for unattended key generation.  The passphrase command is
>   simply ignored and @samp{%ask-passpharse} is thus implicitly enabled.
>   Using this option allows the creation of keys without any passphrase
>   protection.  This option is mainly intended for regression tests.
>
> Thus by adding
>
>  %no-protection
>
> to the parameter files you can create a key without a passphrase.
>
> > The second problem is that if gpg is called with a non-standard
> > --homedir the whole thing fails with:
> >
> > gpg: agent_genkey failed: No pinentry
>
> Install a pinentry.  I guess you usually have a
> "pinentry-program" line in your gpg-agent.conf.  With a different home
> directory the gpg-agent.conf of that home directory is used.  I suggest
> to install a symlink to pinentry into the installation dir of gnupg and
> not to use "pinentry-program".
>
>
> Shalom-Salam,
>
>Werner
>
> --
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
>
>


Re: GnuPG 2.1 Unattended EC Generation

2014-11-11 Thread Werner Koch
On Tue, 11 Nov 2014 12:56, nicholas.c...@gmail.com said:

> Is that still possible?  In version 2.1, if no password is specified,
> gpg2 tries to call pin-entry and ask for a passphrase.

A quick look into the manual (for me the source, but you may want to use
the online version) gives:

  @item %no-protection
  Since GnuPG version 2.1 it is not anymore possible to specify a
  passphrase for unattended key generation.  The passphrase command is
  simply ignored and @samp{%ask-passpharse} is thus implicitly enabled.
  Using this option allows the creation of keys without any passphrase
  protection.  This option is mainly intended for regression tests.

Thus by adding 

 %no-protection

to the parameter files you can create a key without a passphrase.

> The second problem is that if gpg is called with a non-standard
> --homedir the whole thing fails with:
>
> gpg: agent_genkey failed: No pinentry

Install a pinentry.  I guess you usually have a 
"pinentry-program" line in your gpg-agent.conf.  With a different home
directory the gpg-agent.conf of that home directory is used.  I suggest
to install a symlink to pinentry into the installation dir of gnupg and
not to use "pinentry-program".


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: GnuPG 2.1 Unattended EC Generation

2014-11-11 Thread Nicholas Cole
On Mon, Nov 10, 2014 at 4:41 PM, Werner Koch  wrote:
> On Mon, 10 Nov 2014 12:52, nicholas.c...@gmail.com said:
>
>> How does unattended generation of elliptic curve keys work? As far as
>> I can see, that section of the manual has not been updated for the new
>> EC options, but I presume that it has to work slightly differently.
>> Am I right that key-length is now a no-op?  And how do you specify the
>
> Right, you need to use "Key-Curve" or "Subkey-Curve".  Curve names are
> as supported by Libgcrypt, for example: "nistp256" or "ed25519".

Thanks Werner!

Two smaller problems.

Under previous versions, failing to provide a

Passphrase:

would create a key without a passphrase.  This was useful for testing purposes.

Is that still possible?  In version 2.1, if no password is specified,
gpg2 tries to call pin-entry and ask for a passphrase.

The second problem is that if gpg is called with a non-standard
--homedir the whole thing fails with:

gpg: agent_genkey failed: No pinentry
gpg: key generation failed: No pinentry

I'm sure this means that I'm invoking the new gpg2 and gpg-agent
combination incorrectly.

Sorry for all the flood of questions.  gpg2 "modern" is very exciting,
but getting all the pieces to work as they used to (and making changes
for the new system) is going to take a bit of time!

Best wishes,

N



Re: GnuPG 2.1 Unattended EC Generation

2014-11-10 Thread Werner Koch
On Mon, 10 Nov 2014 12:52, nicholas.c...@gmail.com said:

> How does unattended generation of elliptic curve keys work? As far as
> I can see, that section of the manual has not been updated for the new
> EC options, but I presume that it has to work slightly differently.
> Am I right that key-length is now a no-op?  And how do you specify the

Right, you need to use "Key-Curve" or "Subkey-Curve".  Curve names are
as supported by Libgcrypt, for example: "nistp256" or "ed25519".


Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


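The two answers in this thread ("Key-Curve"/"Subkey-Curve" in place of a key length, and `%no-protection` for a key without a passphrase) put together as an added example that is not part of the original messages. Function names, the user ID and the throwaway home directory are assumptions; the curve list is limited to curves named on this page, and the resulting key is unprotected and meant for testing only.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# write_ec_params FILE CURVE NAME EMAIL
# Writes a parameter file for unattended (--batch) key generation with an
# elliptic curve key. Key-Length is left out: for ECC the curve name
# replaces it. Returns 2 for a curve this example does not know.
write_ec_params() {
    file=$1 curve=$2 name=$3 email=$4
    case $curve in
        ed25519)
            # Sign-only key: no encryption subkey is requested for this curve.
            keytype=EDDSA subtype= ;;
        nistp256|brainpoolP512r1)
            keytype=ECDSA subtype=ECDH ;;
        *)
            echo "unsupported curve: $curve" >&2
            return 2 ;;
    esac
    (
        umask 077
        {
            echo "Key-Type: $keytype"
            echo "Key-Curve: $curve"
            echo "Key-Usage: sign"
            if [ -n "$subtype" ]; then
                echo "Subkey-Type: $subtype"
                echo "Subkey-Curve: $curve"
                echo "Subkey-Usage: encrypt"
            fi
            echo "Name-Real: $name"
            echo "Name-Email: $email"
            echo "Expire-Date: 0"
            # No passphrase is requested for the new key (test keys only).
            echo "%no-protection"
            echo "%commit"
        } > "$file"
    )
}

# generate_test_key CURVE
# Creates a throwaway home directory, writes the parameter file into it and
# runs gpg on it. Set GPG=gpg2 where the 2.1 binary is installed as gpg2.
generate_test_key() {
    gcurve=$1
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    write_ec_params "$home/params" "$gcurve" 'Test Key' 'test@example.org' || return
    "${GPG:-gpg}" --homedir "$home" --batch --gen-key "$home/params" || return
    "${GPG:-gpg}" --homedir "$home" --list-keys
    echo "home directory kept at $home" >&2
}

# Nothing is generated unless the script is called with --run [CURVE].
if [ "${1:-}" = "--run" ]; then
    generate_test_key "${2:-nistp256}"
fi
```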


GnuPG 2.1 Unattended EC Generation

2014-11-10 Thread Nicholas Cole
Dear List,

How does unattended generation of elliptic curve keys work? As far as
I can see, that section of the manual has not been updated for the new
EC options, but I presume that it has to work slightly differently.
Am I right that key-length is now a no-op?  And how do you specify the
curve?

Best wishes,

N.



Re: GnuPG 2.1 pinentry copy/paste on windows system

2014-11-07 Thread Werner Koch
Hi,

actually the delivered pinentry should be able to do that.  It works on
Unix but I just figured that it does not work on Windows.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




GnuPG 2.1 pinentry copy/paste on windows system

2014-11-07 Thread Mustrum

If you need to be able to paste your 'very strong passphrase' (may be from 
keepass) you can use the old pinentry provided with gpg4win 2.2, without 
installing it.

Open the installer with 7z and copy all the dll and pinentry exec onto a new 
directory.

Edit your gpg-agent.conf to add the option:
Pinentry-program "your own pinentry full path"

Restart your gpg-agent..

Works on my xp and win7..

Regards.


Re: [Announce] The maybe final Beta for GnuPG 2.1

2014-10-31 Thread Pete Stephenson
On Fri, Oct 3, 2014 at 4:35 PM, Werner Koch  wrote:
> Hello!
>
> I just released another *beta* version of GnuPG *2.1*.  It has been
> released to give you the opportunity to check out new features and to
> help fixing bugs.

Hi all,

I had a few minor issues/questions with GnuPG 2.1 beta895 that I
thought would be good to report/ask here:

1. Default key prefs[1] don't seem to permit encrypting+signing a
message to a brainpoolP512r1 key. Evidently that curve requires SHA512
only for signatures, and all other algorithms will fail. Since SHA256
and SHA384 are prioritized over SHA512 by default in the key prefs, an
error occurs.

Here's an excerpt of the terminal output, where AF25682B is a primary
test key using brainpoolP512r1 while D74B165F is a test encryption
subkey using the same curve:

=
pete@kaylee:~/gpg/gnupg-2.1.0-beta895/PLAY/inst/bin$ ./gpg2 --homedir
~/gnupg/ --encrypt --armor --sign -r AF25682B
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
Hello world!
gpg: ECDSA key D74B165F requires a 512 bit or larger hash (hash is SHA256)
gpg: checking created signature failed: General error
gpg: signing failed: General error
-BEGIN PGP MESSAGE-
Version: GnuPG v2

hL4DWouX3RbM7L4SBAMEbW91unR/0/0QZ9fxeeIo9StkO2c90E9RQT9Cxy4yM7pI
dz3siYcAgzEtohdCcpy8BWCPRscqyUcD9iX/QDcxpj3CGG3RHJWdq8ezXVg2m460
ONeb1SnkQGxKsU7oDOo5lu6qQ+pAsvEqhKooyBxlIXPu/qqrtkx3DTvmCudld+Aw
od3AWiOPPQOSAzkRDSfk12/FhrWsZUz/q7mq0W/DlYem+B0OvOD+n1dcPDuAJAXR
gpg: [stdin]: sign+encrypt failed: General error
=

Is it normal/desired for 512-bit curves to only work with SHA512? If
so, shouldn't a newly-minted key have default prefs appropriate for
that key so it will work as expected?

If a 512-bit digest is required for a 512-bit ECC key, shouldn't the
signing system know that and be able to override the key prefs that
might specify a non-512-bit digest?

Similarly, brainpoolP512r1 curves seem unable to make a signature
using digest algorithms other than SHA512. For example, if a
brainpoolP512r1 key is encrypting+signing a message to another key
with the default prefs, it uses SHA512. Is this intended?

Signing/clearsigning a message with a brainpoolP512r1 curve also uses
SHA512, even if one tries to override it. In this example, I try to
override it by using SHA1 instead of SHA512:

pete@kaylee:~/gpg/gnupg-2.1.0-beta895/PLAY/inst/bin$ ./gpg2 --homedir
~/gnupg/ --armor --clearsign -u AF25682B --personal-digest-preferences
SHA1
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
Test.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Test.
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iJ4EARMKAAYFAlRTekYACgkQRgJQM68laCuoDwH+KNKsSm01h6lJ659FDEGDoorM
/TpWvaVyVbvRa4+8Xya6+c73jt6jSDAeJZMEFBBQYIx3tJy7T6eowYgx3P2eUAIA
gvlSuuFVLqiV2Iujd0oa46PEnZZnxIz8Di6vUWqDq/WhhASDuQiidqc1zQ2VexP8
ET23riihBSBDTdTTR8Dp2Q==
=sUNG
-END PGP SIGNATURE-

2. While Curve25519-based keys can be used for signing using Ed25519,
there doesn't seem to be any way to use Curve25519 for encryption.
While one could use non-Curve25519 subkeys for encryption, that seems
a little sub-optimal. I assume this is known already and will be
resolved prior to the production release.

3. Curve25519 has a security level of 128-bits. In addition to the
Brainpool curves, are there any plans to add other curves with higher
security levels like Curve41417 (>200-bits)? I ask simply because
having various components (e.g. the symmetric, asymmetric, and hash
algorithms) at similar security levels is logical: it wouldn't make
sense to, for example, use 1024-bit RSA with SHA512 due to the wide
difference in security levels, but using a 3072-bit RSA key with
SHA256 would be logical.

4. Are there any plans to add user-specified arbitrary curves in
addition to "baked-in" curves like the NIST, Brainpool, and Curve25519
curves? I realize that using arbitrary curves is something that is not
for the faint of heart, but having options is nice.

5. Why are so many key-generating options hidden behind the
"--full-gen-key" flag? The regular "--gen-key" flag makes a 2048-bit
RSA key, which is fine. I understand hiding the ECC options, as
support is not widespread, but why hide "traditional" algorithms like
DSA/ELG?

Cheers!
-Pete

[1] Cipher: AES256, AES192, AES, 3DES
 Digest: SHA256, SHA384, SHA512, SHA224, SHA1
 Compression: ZLIB, ZIP, Uncompressed
 Features: MDC, Keyserver no-modify

-- 
Pete Stephenson
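
Added example (not part of the original post, and not GnuPG's own code): a shell illustration of the size-aware digest selection that point 1 asks about, where the first preference long enough for the signing key's curve is used instead of the first preference outright. The function names, the curve table and the 512-bit cap for nistp521 are assumptions of the example.

```shell
#!/bin/sh
# Size-aware digest selection for ECDSA signing keys (illustration only).

# digest_bits NAME: output length in bits of the digests named in the key prefs.
digest_bits() {
    case "$1" in
        SHA1)   echo 160 ;;
        SHA224) echo 224 ;;
        SHA256) echo 256 ;;
        SHA384) echo 384 ;;
        SHA512) echo 512 ;;
        *) return 1 ;;
    esac
}

# required_hash_bits CURVE: shortest digest accepted for an ECDSA key on CURVE.
required_hash_bits() {
    case "$1" in
        nistp256|brainpoolP256r1) echo 256 ;;
        nistp384|brainpoolP384r1) echo 384 ;;
        brainpoolP512r1)          echo 512 ;;
        nistp521)                 echo 512 ;;  # assumption: capped at the longest digest listed
        *) return 1 ;;
    esac
}

# digest_ok CURVE DIGEST: succeeds when DIGEST is long enough for CURVE.
# Returns 2 for an unknown curve or digest name.
digest_ok() {
    dk_need=$(required_hash_bits "$1") || return 2
    dk_have=$(digest_bits "$2") || return 2
    [ "$dk_have" -ge "$dk_need" ]
}

# pick_digest CURVE PREF...: first preference that fits the curve; if none of
# the preferences fits, fall back to the shortest digest that does.
pick_digest() {
    pd_curve=$1; shift
    for pd_d in "$@" SHA256 SHA384 SHA512; do
        if digest_ok "$pd_curve" "$pd_d"; then
            echo "$pd_d"
            return 0
        fi
    done
    return 1
}

# Default digest prefs as listed in footnote [1] of the post.
PREFS="SHA256 SHA384 SHA512 SHA224 SHA1"
set -- $PREFS
echo "first preference outright:        $1"
if ! digest_ok brainpoolP512r1 "$1"; then
    echo "  -> too short for brainpoolP512r1, signing would be refused"
fi
echo "size-aware choice from the prefs: $(pick_digest brainpoolP512r1 $PREFS)"
echo "with only SHA1 preferred:         $(pick_digest brainpoolP512r1 SHA1)"
```

The last line corresponds to the clearsign run in the post, where SHA1 was requested and the output still carried "Hash: SHA512".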



Re: [Announce] The maybe final Beta for GnuPG 2.1

2014-10-26 Thread Pete Stephenson
On Sun, Oct 26, 2014 at 7:56 PM, Murphy  wrote:
> Problem solved.  The error in finding the shared libraries was
> resolved with a single command after the successful speedo install
> using the INSTALL_PREFIX=/usr/local option on my ubuntu 14.04 machine:
>
> sudo ldconfig

My apologies for not responding earlier.

I used the same method, only I used "sudo ldconfig
/path/to/PLAY/inst/lib/" rather than installing the beta to
/usr/local.

Cheers!
-Pete

-- 
Pete Stephenson



Re: [Announce] The maybe final Beta for GnuPG 2.1

2014-10-26 Thread Murphy
Problem solved.  The error in finding the shared libraries was
resolved with a single command after the successful speedo install
using the INSTALL_PREFIX=/usr/local option on my ubuntu 14.04 machine:

sudo ldconfig

To summarize the following worked for me on a fresh installation of
ubuntu 14.04

sudo apt-get install libldap2-dev, gtk+-2.0
install pinentry-0.8.4
unpack then cd gnupg-2.1.0-beta864
sudo make -f build-aux/speedo.mk native INSTALL_PREFIX=/usr/local
sudo ldconfig

Now we await the stable version!
Thanks
Murphy


Re: [Announce] The maybe final Beta for GnuPG 2.1

2014-10-26 Thread Murphy
> On Wed, Oct 15, 2014 at 1:00 PM, Peter Lebbing  wrote:

> Success! Installing the libldap2-dev package resolves the issue
> and the build process completes with no other errors.

> When I add PLAY/inst/bin/ to my path and PLAY/inst/lib/ to the list
> of shared libraries, everything works as expected.

> Many thanks for your help and patience.

> Cheers! -Pete

Hey Pete I am just at the point of success also using your methods
except I don't know how to put PLAY/inst/lib/ to the list of shared
libraries in my ubuntu 14.04 machine.  Speedo compiles perfectly yet
when I run

gpg2 --version
gpg2: error while loading shared libraries: libcrypt.so.20: cannot
open shared object file: No such file or directory

Can you share for us non-unix gurus how you added the list of shared
libraries?
Thanks for your patience.

-Murphy


Re: GnuPG 2.1: make LDAP optional

2014-10-15 Thread Claus Assmann
On Wed, Oct 15, 2014, Werner Koch wrote:

> FWIW, I am considering making LDAP an optional feature.  Most users are

Yes, please!



Re: [Announce] The maybe final Beta for GnuPG 2.1

2014-10-15 Thread Werner Koch
Hi Pete,

thanks for looking at this case.

FWIW, I am considering making LDAP an optional feature.  Most users are
likely interested in OpenPGP and thus keyserver access and don't need
the former main feature of Dirmngr (LDAP based X.509 certificate
lookup).


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: [Announce] The maybe final Beta for GnuPG 2.1

2014-10-15 Thread Pete Stephenson
On Wed, Oct 15, 2014 at 1:00 PM, Peter Lebbing  wrote:
> On 04/10/14 00:28, Pete Stephenson wrote:
>> To my untrained, non-developer[1] eye, there appears to be several
>> things that failed though I'm not sure how to interpret things
>> correctly. The full config log is ~250kB. I've posted it to a Pastebin
>> at http://pastebin.com/xZjzsZju if that would help.
>
> Wow, that is one verbose log. I started reading from the top, but
> switched to reading from the bottom up, which is more useful for
> configure logs. I didn't expect it to be quite that long at first.

Indeed.

> Near the end, there's this bit:
>
> ---8<>8---
> ***
> *** The Dirmngr part requires an LDAP library
> *** Check out
> ***http://www.openldap.org
> *** for a suitable implementation.
> ***
> configure:16877: error:
> ***
> *** Required libraries not found. Please consult the above messages
> *** and install them before running configure again.
> ***
> ---8<>8---
>
> Note how it says to consult the above messages. You should not interpret
> this as all lines up to that bit, but rather the bits that immediately
> precede that final message.
>
> I don't see any other showstoppers. It is normal that a lot of tests
> "fail". For instance, it's not really realistic to expect the file
> ac_nonexistent.h to exist; it's all just part of the tests.
>
> The format of the message above made me look for three consecutive stars
> in the output, which only turned up the one you mentioned:

Thanks!

Success! Installing the libldap2-dev package resolves the issue and
the build process completes with no other errors.

When I add PLAY/inst/bin/ to my path and PLAY/inst/lib/ to the list of
shared libraries, everything works as expected.

Many thanks for your help and patience.

Cheers!
-Pete

-- 
Pete Stephenson



Re: [Announce] The maybe final Beta for GnuPG 2.1

2014-10-15 Thread Peter Lebbing
On 04/10/14 00:28, Pete Stephenson wrote:
> To my untrained, non-developer[1] eye, there appears to be several
> things that failed though I'm not sure how to interpret things
> correctly. The full config log is ~250kB. I've posted it to a Pastebin
> at http://pastebin.com/xZjzsZju if that would help.

Wow, that is one verbose log. I started reading from the top, but
switched to reading from the bottom up, which is more useful for
configure logs. I didn't expect it to be quite that long at first.

Near the end, there's this bit:

---8<>8---
***
*** The Dirmngr part requires an LDAP library
*** Check out
***http://www.openldap.org
*** for a suitable implementation.
***
configure:16877: error:
***
*** Required libraries not found. Please consult the above messages
*** and install them before running configure again.
***
---8<>8---

Note how it says to consult the above messages. You should not interpret
this as all lines up to that bit, but rather the bits that immediately
precede that final message.

I don't see any other showstoppers. It is normal that a lot of tests
"fail". For instance, it's not really realistic to expect the file
ac_nonexistent.h to exist; it's all just part of the tests.

The format of the message above made me look for three consecutive stars
in the output, which only turned up the one you mentioned:

---8<>8---
***
*** Building without NTBTLS and GNUTLS - no TLS access to keyservers.
***
*** Requested 'gnutls >= 3.0' but version of GnuTLS is 2.12.23
*** You may find new versions of GnuTLS at
http://www.gnu.org/software/gnutls/
***
---8<>8---

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 
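
Added example (not part of the original post): the method described above, looking for the "***" banners and reading the ones directly in front of the fatal one, as a shell function. The sample log is constructed from the excerpts quoted in this thread (line numbers other than 16877 and the filler lines are made up), and the function names are hypothetical.

```shell
#!/bin/sh
# Pull the "***" banners out of configure output (screen backlog or config.log)
# and show which banner(s) sit directly in front of the fatal one.

# scan_banners MODE FILE   (hypothetical helper, not part of GnuPG)
#   MODE=all   -> one line per banner, prefixed "note: " or "ERROR: "
#   MODE=cause -> only the banners that immediately precede the first fatal one
scan_banners() {
    awk -v mode="$1" '
        function emit() {
            if (text == "") { fatal = 0; return }
            if (fatal) {
                if (mode == "cause") {
                    for (i = 1; i <= n; i++) print pending[i]
                    found = 1
                } else print "ERROR: " text
            } else {
                if (mode == "all") print "note: " text
                pending[++n] = text
            }
            text = ""; fatal = 0
        }
        found { exit }
        /^\*\*\*/ {                        # banner line: drop the stars, keep the text
            line = $0
            sub(/^\*\*\*[ \t]*/, "", line)
            if (line != "") text = (text == "" ? line : text " " line)
            next
        }
        /^configure(:[0-9]+)?: error:/ {   # whatever follows is the fatal message
            emit()
            msg = $0
            sub(/^configure(:[0-9]+)?: error:[ \t]*/, "", msg)
            fatal = 1
            if (msg != "") { text = msg; emit() }
            next
        }
        # a line carrying only the configure prefix does not separate banners
        /^configure(:[0-9]+)?:[ \t]*(WARNING:)?[ \t]*$/ { emit(); next }
        { emit(); n = 0 }                  # any other log line breaks adjacency
        END { emit() }
    ' "$2"
}

# Constructed sample: banners copied from the excerpts in this thread, with
# made-up surrounding lines standing in for the rest of a ~250kB config.log.
write_sample_log() {
    cat > "$1" <<'EOF'
configure:5530: checking how to run the C preprocessor
conftest.c:11:28: fatal error: ac_nonexistent.h: No such file or directory
configure:16700: WARNING:
***
*** Building without NTBTLS and GNUTLS - no TLS access to keyservers.
***
*** Requested 'gnutls >= 3.0' but version of GnuTLS is 2.12.23
***
configure:16800: checking for a constructed filler test
***
*** The Dirmngr part requires an LDAP library
*** Check out
***    http://www.openldap.org
*** for a suitable implementation.
***
configure:16877: error:
***
*** Required libraries not found. Please consult the above messages
*** and install them before running configure again.
***
EOF
}

sample=$(mktemp) && write_sample_log "$sample"
scan_banners all "$sample"
echo "--- banner(s) directly before the fatal one:"
scan_banners cause "$sample"
rm -f "$sample"
```

On the sample, the GnuTLS banner is listed as a note but is not reported as the cause, because other log lines separate it from the fatal banner.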



Re: [Announce] The maybe final Beta for GnuPG 2.1

2014-10-12 Thread Ludwig Hügelschäfer
On 12.10.14 12:36, Ben McGinnes wrote:

> (...) /usr/include/inttypes.h:235:8: error: unknown type name
> 'intmax_t' extern intmax_t ^ /usr/include/inttypes.h:236:9: error:
> unknown type name 'intmax_t' imaxabs(intmax_t j); ^ 
> /usr/include/inttypes.h:240:2: error: unknown type name 'intmax_t' 
> intmax_t quot; ^ /usr/include/inttypes.h:241:2: error: unknown type
> name 'intmax_t' intmax_t rem; ^ /usr/include/inttypes.h:246:9:
> error: unknown type name 'intmax_t' imaxdiv(intmax_t __numer,
> intmax_t __denom); ^ /usr/include/inttypes.h:246:27: error: unknown
> type name 'intmax_t' imaxdiv(intmax_t __numer, intmax_t __denom); 
> ^ /usr/include/inttypes.h:250:8: error: unknown type name
> 'intmax_t' extern intmax_t ^ /usr/include/inttypes.h:256:8: error:
> unknown type name 'uintmax_t'; did you mean 'uintptr_t'? extern
> uintmax_t ^ /usr/include/sys/_types/_uintptr_t.h:30:24: note:
> 'uintptr_t' declared here typedef unsigned long
> uintptr_t; ^ In file included from allocsa.c:21: In file included
> from ./allocsa.h:23: In file included from
> /usr/include/stdlib.h:65: In file included from
> /usr/include/sys/wait.h:110: In file included from
> /usr/include/sys/resource.h:72: In file included from
> ./stdint.h:76: /usr/include/inttypes.h:263:8: error: unknown type
> name 'intmax_t' extern intmax_t ^ /usr/include/inttypes.h:269:8:
> error: unknown type name 'uintmax_t'; did you mean 'uintptr_t'? 
> extern uintmax_t ^ /usr/include/sys/_types/_uintptr_t.h:30:24:
> note: 'uintptr_t' declared here typedef unsigned long
> uintptr_t; ^ 10 errors generated. make[3]: *** [allocsa.o] Error 1 
> make[2]: *** [all] Error 2 make[1]: *** [all-recursive] Error 1 
> make: *** [all] Error 2

Ben, does

export gl_cv_absolute_stdint_h=/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.9.sdk/usr/include/stdint.h
(or wherever your used SDK is located)

help your case?

Ludwig






Re: [Announce] The maybe final Beta for GnuPG 2.1

2014-10-12 Thread Ben McGinnes
On 9/10/2014 12:48 am, Werner Koch wrote:
> On Sun,  5 Oct 2014 09:13, b...@adversary.org said:
> 
>> Now since the configure script for pinentry is about 13,000 lines
> 
> That is generated.  The actual configure.ac script is 565 lines.
> 
> I do not understand your remarks about libc++ - is that required for the
> Qt version of Pinentry?  The other pinentries do not use any C++ code.
> 
> You may build a ncurses only pinentry by disabling all other
> pinentries.  See ./configure --help.

Okay, restricting the pinentry config to ncurses did indeed do the
job.  Unfortunately OS X still hates GPG 2.1 (standard configure
options except for installing to /opt/local so it doesn't break
anything in /usr/local):

GnuPG v2.1.0-beta864 has been configured as follows:

Revision:  0943c7c  (2371)
Platform:  Darwin (x86_64-apple-darwin13.4.0)

OpenPGP:   yes
S/MIME:    yes
Agent:     yes
Smartcard: yes (without internal CCID driver)
G13:       yes
Dirmngr:   yes
Gpgtar:    yes

Protect tool:      (default)
LDAP wrapper:      (default)
Default agent:     (default)
Default pinentry:  (default)
Default scdaemon:  (default)
Default dirmngr:   (default)

Dirmngr auto start:  yes
Readline support:    yes
DNS SRV support:     no
TLS support:         gnutls

bash-4.3# make
/Applications/Xcode.app/Contents/Developer/usr/bin/make  all-recursive
Making all in m4
make[2]: Nothing to be done for `all'.
Making all in gl
{ echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */'; \
  cat ./alloca_.h; \
} > alloca.h-t
mv -f alloca.h-t alloca.h
rm -f stdint.h-t stdint.h
{ echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */'; \
  sed -e 's/@''HAVE_WCHAR_H''@/1/g' \
  -e 's/@''HAVE_STDINT_H''@/1/g' \
  -e
's|@''ABSOLUTE_STDINT_H''@|"///Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../lib/clang/6.0/include/stdint.h"|g'
\
  -e 's/@''HAVE_SYS_TYPES_H''@/1/g' \
  -e 's/@''HAVE_INTTYPES_H''@/1/g' \
  -e 's/@''HAVE_SYS_INTTYPES_H''@/0/g' \
  -e 's/@''HAVE_SYS_BITYPES_H''@/0/g' \
  -e 's/@''HAVE_LONG_LONG_INT''@/1/g' \
  -e 's/@''HAVE_UNSIGNED_LONG_LONG_INT''@/1/g' \
  -e 's/@''BITSIZEOF_PTRDIFF_T''@/64/g' \
  -e 's/@''PTRDIFF_T_SUFFIX''@/l/g' \
  -e 's/@''BITSIZEOF_SIG_ATOMIC_T''@/32/g' \
  -e 's/@''HAVE_SIGNED_SIG_ATOMIC_T''@/1/g' \
  -e 's/@''SIG_ATOMIC_T_SUFFIX''@//g' \
  -e 's/@''BITSIZEOF_SIZE_T''@/64/g' \
  -e 's/@''SIZE_T_SUFFIX''@/ul/g' \
  -e 's/@''BITSIZEOF_WCHAR_T''@/32/g' \
  -e 's/@''HAVE_SIGNED_WCHAR_T''@/1/g' \
  -e 's/@''WCHAR_T_SUFFIX''@//g' \
  -e 's/@''BITSIZEOF_WINT_T''@/32/g' \
  -e 's/@''HAVE_SIGNED_WINT_T''@/1/g' \
  -e 's/@''WINT_T_SUFFIX''@//g' \
  < ./stdint_.h; \
} > stdint.h-t
mv stdint.h-t stdint.h
/Applications/Xcode.app/Contents/Developer/usr/bin/make  all-am
gcc -DHAVE_CONFIG_H -I. -I..   -I/opt/local/include  -g -O2 -Wall
-Wno-pointer-sign -Wpointer-arith -MT allocsa.o -MD -MP -MF
.deps/allocsa.Tpo -c -o allocsa.o allocsa.c
In file included from allocsa.c:21:
In file included from ./allocsa.h:23:
In file included from /usr/include/stdlib.h:65:
In file included from /usr/include/sys/wait.h:110:
In file included from /usr/include/sys/resource.h:72:
In file included from ./stdint.h:76:
/usr/include/inttypes.h:235:8: error: unknown type name 'intmax_t'
extern intmax_t
   ^
/usr/include/inttypes.h:236:9: error: unknown type name 'intmax_t'
imaxabs(intmax_t j);
^
/usr/include/inttypes.h:240:2: error: unknown type name 'intmax_t'
intmax_t quot;
^
/usr/include/inttypes.h:241:2: error: unknown type name 'intmax_t'
intmax_t rem;
^
/usr/include/inttypes.h:246:9: error: unknown type name 'intmax_t'
imaxdiv(intmax_t __numer, intmax_t __denom);
^
/usr/include/inttypes.h:246:27: error: unknown type name 'intmax_t'
imaxdiv(intmax_t __numer, intmax_t __denom);
  ^
/usr/include/inttypes.h:250:8: error: unknown type name 'intmax_t'
extern intmax_t
   ^
/usr/include/inttypes.h:256:8: error: unknown type name 'uintmax_t'; did you
  mean 'uintptr_t'?
extern uintmax_t
   ^
/usr/include/sys/_types/_uintptr_t.h:30:24: note: 'uintptr_t' declared here
typedef unsigned long   uintptr_t;
^
In file included from allocsa.c:21:
In file included from ./allocsa.h:23:
In file included from /usr/include/stdlib.h:65:
In file included from /usr/include/sys/wait.h:110:
In file included from /usr/include/sys/resource.h:72:
In file included from ./stdint.h:76:
/usr/include/inttypes.h:263:8: error: unknown type name 'intmax_t'
extern intmax_t
   

Re: [Announce] The maybe final Beta for GnuPG 2.1

2014-10-08 Thread Ben McGinnes
On 9/10/2014 12:48 am, Werner Koch wrote:
> On Sun,  5 Oct 2014 09:13, b...@adversary.org said:
> 
>> Now since the configure script for pinentry is about 13,000 lines
> 
> That is generated.  The actual configure.ac script is 565 lines.
> 
> I do not understand your remarks about libc++ - is that required for the
> Qt version of Pinentry?  The other pinentries do not use any C++ code.

After a standard configure (no extra flags) the result of make is:

nefarious:pinentry-0.8.4 ben$ make
/Applications/Xcode.app/Contents/Developer/usr/bin/make  all-recursive
Making all in assuan
/Applications/Xcode.app/Contents/Developer/usr/bin/make  all-am
make[3]: Nothing to be done for `all-am'.
Making all in secmem
make[2]: Nothing to be done for `all'.
Making all in pinentry
make[2]: Nothing to be done for `all'.
Making all in curses
make[2]: Nothing to be done for `all'.
Making all in gtk+-2
gcc  -g -O2 -Wall -Wcast-align -Wshadow -Wstrict-prototypes
-Wno-pointer-sign   -o pinentry-gtk-2 pinentry-gtk-2.o gtksecentry.o
../pinentry/libpinentry.a ../assuan/libassuan.a ../secmem/libsecmem.a
-L/opt/local/lib -lgtk-x11-2.0 -lgdk-x11-2.0 -lpangocairo-1.0 -lgio-2.0
-lXrender -lXinerama -lXi -lXrandr -lXcursor -lXcomposite -lXdamage
-lXfixes -lX11 -lXext -latk-1.0 -lcairo -lgdk_pixbuf-2.0 -lgio-2.0
-lpangoft2-1.0 -lpango-1.0 -lm -lgobject-2.0 -lglib-2.0 -lintl
-lfontconfig -lfreetype  ../pinentry/libpinentry-curses.a -lncurses -liconv
Undefined symbols for architecture x86_64:
  "_iconv", referenced from:
  _pinentry_utf8_to_local in libpinentry.a(pinentry.o)
  _pinentry_local_to_utf8 in libpinentry.a(pinentry.o)
  "_iconv_close", referenced from:
  _pinentry_utf8_to_local in libpinentry.a(pinentry.o)
  _pinentry_local_to_utf8 in libpinentry.a(pinentry.o)
  "_iconv_open", referenced from:
  _pinentry_utf8_to_local in libpinentry.a(pinentry.o)
  _pinentry_local_to_utf8 in libpinentry.a(pinentry.o)
ld: symbol(s) not found for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see
invocation)
make[2]: *** [pinentry-gtk-2] Error 1
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2
nefarious:pinentry-0.8.4 ben$

I went looking for an explanation for the ld and clang errors and
found a rather large amount of grief on StackOverflow where people had
discovered the libstdc++ vs libc++ issue.  Clearly here it's tied to
gtk2 stuff, whereas Qt should be able to be handled by installing the
Qt libs directly.

Anyway, if it is the C++ thing, then in theory pointing things to
/usr/lib/libstdc++* instead of /usr/lib/libc++* should do the trick.
It's just that none of the options I tried to pass to LDFLAGS seemed
to do anything.  Plus the view that Apple deliberately broke something
seems pretty much typical of them.

> You may build a ncurses only pinentry by disabling all other
> pinentries.  See ./configure --help.

I'll try that later.  At least this time it's getting a lot further
than the last beta I took a swing at (I can't remember which, it was a
while ago).


Regards,
Ben





Re: [Announce] The maybe final Beta for GnuPG 2.1

2014-10-08 Thread Werner Koch
On Sat,  4 Oct 2014 23:19, joh...@vulcan.xs4all.nl said:

> 2.1.0 final? Shouldn't that be 2.2.0, or did GnuPG stop with the old
> version numbering system of the Linux kernel?

Good question.  From my experience only a few people look at development
versions/beta/whatever-you call it.  Those who are really interested in
the development are building directly from GIT.  Thus I doubt that a
pure development branch makes much sense.

My plan is to offer 2.1 as the new feature branch of GnuPG which may
actually be used but might not be as stable as the, well, stable branch.
As soon as this has stabilized the version will be bumped up to 2.2 and
earmarked as the new stable branch (LTS in modern parlance).  At that
time an end-of-life date will be announced for 2.0.

The question is on how long it will take until we can do that.  Maybe we
can look at the number of ECC keys on the keyservers to decide whether
ECC and thus 2.2 can go mainstream.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: [Announce] The maybe final Beta for GnuPG 2.1

2014-10-08 Thread Werner Koch
On Sun,  5 Oct 2014 09:13, b...@adversary.org said:

> Now since the configure script for pinentry is about 13,000 lines

That is generated.  The actual configure.ac script is 565 lines.

I do not understand your remarks about libc++ - is that required for the
Qt version of Pinentry?  The other pinentries do not use any C++ code.

You may build a ncurses only pinentry by disabling all other
pinentries.  See ./configure --help.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: [Announce] The maybe final Beta for GnuPG 2.1

2014-10-08 Thread Werner Koch
On Sat,  4 Oct 2014 00:28, p...@heypete.com said:

> That said, if I did want to compile the latest version of GnuTLS from
> source, where should one place the compiled results so that the GnuPG
> build process would know about it?

That depends on your system.  It is hard to put this all into the Speedo
script because we will run into too many dependency problems.  This is one
of the reasons why I am working on a stripped down TLS library which
utilizes Libgcrypt and Libksba - which we need anyway.

> correctly. The full config log is ~250kB. I've posted it to a Pastebin
> at http://pastebin.com/xZjzsZju if that would help.

I am sorry, I can't help right now.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: [Announce] The maybe final Beta for GnuPG 2.1

2014-10-05 Thread Ben McGinnes
On 4/10/2014 12:35 am, Werner Koch wrote:
> Hello!
> 
> I just released another *beta* version of GnuPG *2.1*.  It has been
> released to give you the opportunity to check out new features and to
> help fixing bugs.

I'm most of the way through a test compile (in /opt/local) on OS X
10.9 (64-bit) here and it's mostly okay, save for pinentry.  This is
where I encounter what is likely to be a *big* deal in the not too
distant future.

Specifically with OS X Apple have moved from using libstdc++ as the
default to libc++ as the default and they're not binary compatible.
Since Apple's decision apparently relates to the license, there's a
lot of speculation that libstdc++ will be dropped entirely in a future
release of OS X.

Now since the configure script for pinentry is about 13,000 lines
long, I'd appreciate some pointers regarding which bit I need to
change to tell it to use libstdc++ and behave itself (obviously
getting the code to work with libc++ is a much bigger job).


Regards,
Ben





Re: [Announce] The maybe final Beta for GnuPG 2.1

2014-10-04 Thread Johan Wevers
On 3-10-2014 19:15, Robert J. Hansen wrote:

> Ministerium fuer Staatsicherheit[*], commonly known as Stasi, practiced
> surveillance of its own citizens on a scale that's hard to imagine.

Is this a solicitation for remarks about the NSA, FBI, DEA, etc. etc.? :-)

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html




Re: [Announce] The maybe final Beta for GnuPG 2.1

2014-10-04 Thread Johan Wevers
On 3-10-2014 16:35, Werner Koch wrote:

> This version is marked as BETA and as such it should in general not be
> used for real work.  However, the functionality is solid enough and thus
> this may actually be the last beta before we release 2.1.0 some time
> this year.

2.1.0 final? Shouldn't that be 2.2.0, or did GnuPG stop with the old
version numbering system of the Linux kernel?

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html




Re: [Announce] The maybe final Beta for GnuPG 2.1

2014-10-03 Thread Pete Stephenson
On Fri, Oct 3, 2014 at 6:39 PM, Werner Koch  wrote:
> On Fri,  3 Oct 2014 17:40, p...@heypete.com said:
>
>> make -f build-aux/speedo.mk native
>>
>> it does quite a bit, but always seems to spit out the following errors
>> and fails to complete. The bit about gnutls is non-critical for me,
>> but it'd be nice to resolve it. The "required libraries not found"
>
> That is easy: Install the libgnutls-dev package.

Now I get "Requested 'gnutls >= 3.0' but version of GnuTLS is 2.12.23"
-- again, this isn't a big deal. I'm just trying to do a test build,
and I'm not worried about TLS connectivity to keyservers.

That said, if I did want to compile the latest version of GnuTLS from
source, where should one place the compiled results so that the GnuPG
build process would know about it?

>> error seems to be a showstopper, though.
>
>> configure: error:
>> ***
>> *** Required libraries not found. Please consult the above messages
>> *** and install them before running configure again.
>> ***
>
> You should see other warning messages in the config log which tells you
> which library is missing.  You should find the full config log in
> PLAY/build/gnupg/config.log.  My guess is that there is some problem
> with libiconv which is expected to exist. It is usually part of glibc
> but you need to install the development package.

To my untrained, non-developer[1] eye, there appears to be several
things that failed though I'm not sure how to interpret things
correctly. The full config log is ~250kB. I've posted it to a Pastebin
at http://pastebin.com/xZjzsZju if that would help.

[1] I've written and compiled a few ad-hoc C programs for my research,
but I'm very much a beginner at this sort of thing. I apologize for my
lack of knowledge in this regard. Thank you (and others) for your
patience and help.

Cheers!
-Pete



-- 
Pete Stephenson



Re: [Announce] The maybe final Beta for GnuPG 2.1

2014-10-03 Thread Murphy
Pete - beta 864 compiled perfectly for me in Ubuntu 14.04 LTS.  I
suspect you need to use super user powers here.  If you want a
practice version in a safe directory try:

sudo make -f build-aux/speedo.mk native

otherwise if you want it installed on your machine ready to go use

sudo make -f build-aux/speedo.mk native INSTALL_PREFIX=/usr/local

and Thanks Werner for putting in the INSTALL_PREFIX=/usr/local to make
it work instantly, for us non-unix gurus :)  I am now using gpg2.1 as
my main version 2.  If there is anything truly mission critical I can
always use version 1.x until the stable version of 2.1 comes out.

Cheers!


Re: [Announce] The maybe final Beta for GnuPG 2.1

2014-10-03 Thread Peter Lebbing
> I am getting the same problem.   I already have that package installed.

Please try to get the relevant part of the error message that actually tells
what it didn't find, because the log posted by Pete is cut down too far to
actually tell. You could also include the whole log, I think. Or would that hit
some size limit, either technical or social?

If so, would sharing it as a gist on github be an acceptable way? I've never
seen it suggested on this mailing list, but I encountered it while doing bug
reports, and it seems like a reasonable way to share a big make log...

Peter.

PS: Please don't top-quote. The usual way to explain it is:
A: Because it messes up the reading order
Q: Why is it annoying?
A: Top-posting
Q: What is the wrong way to quote?
But while remembering this, I'm suddenly reminded of Time-Reversed Owls and I
like that one better now: http://www.smbc-comics.com/?id=2684

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: [Announce] The maybe final Beta for GnuPG 2.1

2014-10-03 Thread David Schraeder
I am getting the same problem.   I already have that package installed.


On 10/3/2014 11:39 AM, Werner Koch wrote:
> On Fri,  3 Oct 2014 17:40, p...@heypete.com said:
>
>> make -f build-aux/speedo.mk native
>>
>> it does quite a bit, but always seems to spit out the following errors
>> and fails to complete. The bit about gnutls is non-critical for me,
>> but it'd be nice to resolve it. The "required libraries not found"
> That is easy: Install the libgnutls-dev package.
>
>> error seems to be a showstopper, though.
>> configure: error:
>> ***
>> *** Required libraries not found. Please consult the above messages
>> *** and install them before running configure again.
>> ***
> You should see other warning messages in the config log which tells you
> which library is missing.  You should find the full config log in
> PLAY/build/gnupg/config.log.  My guess is that there is some problem
> with libiconv which is expected to exist. It is usually part of glibc
> but you need to install the development package.
>
>
> Shalom-Salam,
>
>Werner
>

-- 



David Schraeder
Russell Regional Hospital
Direct Dial: 785-483-0890
Direct Fax:  785-483-0891
dav...@russellhospital.org







Re: [Announce] The maybe final Beta for GnuPG 2.1

2014-10-03 Thread Ludwig Hügelschäfer

On 03.10.14 19:47, Peter Lebbing wrote:

> It is most definitely Staatssicherheit as in "die Sicherheit des 
> Staat(e)s". It's a genitive, just like it's People's Republic of
> China and not People Republic of China.

Perfect explanation!

> In my mind, I pronounce the two esses.

A German news speaker would do it so, but you wouldn't notice it in
everyday German.

Ludwig




Re: [Announce] The maybe final Beta for GnuPG 2.1

2014-10-03 Thread Robert J. Hansen
> Disclaimer: I'm not Werner, and I'm Dutch.

These are forgivable character flaws.  :)

> It is most definitely Staatssicherheit as in "die Sicherheit des
> Staat(e)s". It's a genitive, just like it's People's Republic of China
> and not People Republic of China.

Ah, that explains my difficulty.  My usual grammatical rule of thumb for
German is "imagine 18th-century English," which works fine most of the
time but breaks for the genitive case (on account of English not having
one -- the way we structure possessives is a remnant of the Saxon
genitive, but it does not represent an actual grammatical case).

Thanks.  :)



Re: [Announce] The maybe final Beta for GnuPG 2.1

2014-10-03 Thread Peter Lebbing
On 03/10/14 19:15, Robert J. Hansen wrote:
> [*] Werner, Wikipedia lists it as Staatssicherheit, but for some reason
> that just doesn't look right to me.  Is it?

Disclaimer: I'm not Werner, and I'm Dutch.

It is most definitely Staatssicherheit as in "die Sicherheit des
Staat(e)s". It's a genitive, just like it's People's Republic of China
and not People Republic of China.

In my mind, I pronounce the two esses. Not sure how much you would
notice that, though.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: [Announce] The maybe final Beta for GnuPG 2.1

2014-10-03 Thread Robert J. Hansen
>> Maintaining and improving GnuPG is costly.  For more than a decade,
>> g10 Code GmbH, a German company owned and headed by GnuPG's principal
>> author Werner Koch, is bearing the majority of these costs.  To help
>> them carry on this work, they need your support.  See
>>
>>   https://gnupg.org/donate/
> 
> Thanks for the reminder.

Indeed.  Today's also Tag der Deutschen Einheit ("German Unity Day"),
which celebrates the end of the GDR -- whose secret police service, the
Ministerium fuer Staatsicherheit[*], commonly known as Stasi, practiced
surveillance of its own citizens on a scale that's hard to imagine.  So,
celebrate your privacy by donating to GnuPG and sitting down with the
movie _Das Leben der Anderen_, released in English-speaking countries as
_The Lives of Others_.  It's a remarkable film and worth seeing.


[*] Werner, Wikipedia lists it as Staatssicherheit, but for some reason
that just doesn't look right to me.  Is it?



Re: [Announce] The maybe final Beta for GnuPG 2.1

2014-10-03 Thread Werner Koch
On Fri,  3 Oct 2014 17:40, p...@heypete.com said:

> make -f build-aux/speedo.mk native
>
> it does quite a bit, but always seems to spit out the following errors
> and fails to complete. The bit about gnutls is non-critical for me,
> but it'd be nice to resolve it. The "required libraries not found"

That is easy: Install the libgnutls-dev package.

> error seems to be a showstopper, though.

> configure: error:
> ***
> *** Required libraries not found. Please consult the above messages
> *** and install them before running configure again.
> ***

You should see other warning messages in the config log which tell you
which library is missing.  You should find the full config log in
PLAY/build/gnupg/config.log.  My guess is that there is some problem
with libiconv which is expected to exist. It is usually part of glibc
but you need to install the development package.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: [Announce] The maybe final Beta for GnuPG 2.1

2014-10-03 Thread Pete Stephenson
On Fri, Oct 3, 2014 at 4:35 PM, Werner Koch  wrote:
> Hello!
>
> I just released another *beta* version of GnuPG *2.1*.  It has been
> released to give you the opportunity to check out new features and to
> help fixing bugs.

Excellent!

[snip]

> GnuPG requires a couple of extra libraries, which need to be built and
> installed before GnuPG.  The configure script will tell you about the
> requirements.
>
> You may try the Speedo system as an alternative build method:
>
>   make -f build-aux/speedo.mk native INSTALL_PREFIX=/usr/local

When I run

make -f build-aux/speedo.mk native

it does quite a bit, but always seems to spit out the following errors
and fails to complete. The bit about gnutls is non-critical for me,
but it'd be nice to resolve it. The "required libraries not found"
error seems to be a showstopper, though.

I'm doing the build on a stock Ubuntu Server 14.04 32-bit system. I've
installed the "build-essential" package from the repo, so I have gcc,
make, etc.

configure: WARNING:
***
*** Building without NTBTLS and GNUTLS - no TLS access to keyservers.
***
*** No package 'gnutls' found
***
configure: error:
***
*** Required libraries not found. Please consult the above messages
*** and install them before running configure again.
***
make[1]: *** 
[/home/pete/gpg/gnupg-2.1.0-beta864/PLAY/stamps/stamp-gnupg-01-configure]
Error 1
make[1]: Leaving directory `/home/pete/gpg/gnupg-2.1.0-beta864'
make: *** [native] Error 2

Any ideas?

> Maintaining and improving GnuPG is costly.  For more than a decade,
> g10 Code GmbH, a German company owned and headed by GnuPG's principal
> author Werner Koch, is bearing the majority of these costs.  To help
> them carry on this work, they need your support.  See
>
>   https://gnupg.org/donate/

Thanks for the reminder.

Cheers!
-Pete

-- 
Pete Stephenson



[Announce] The maybe final Beta for GnuPG 2.1

2014-10-03 Thread Werner Koch
Hello!

I just released another *beta* version of GnuPG *2.1*.  It has been
released to give you the opportunity to check out new features and to
help fixing bugs.

  If you need a stable and fully maintained version of GnuPG,
  you should use version 2.0.26 or 1.4.18.

This version is marked as BETA and as such it should in general not be
used for real work.  However, the functionality is solid enough and thus
this may actually be the last beta before we release 2.1.0 some time
this year.


What's new in 2.1.0-beta864 since beta784
=========================================

 * gpg: Removed the GPG_AGENT_INFO related code.  GnuPG does now only
   use a fixed socket name in its home directory.

 * gpg: Renamed --gen-key to --full-gen-key and re-added a --gen-key
   command using less prompts.

 * gpg: Use SHA-256 for all signature types also on RSA keys.

 * gpg: Default keyring is now created with a .kbx suffix.

 * gpg: Add a shortcut to the key capabilities menu (e.g. "=e" sets the
   encryption capabilities).

 * gpg: Fixed obsolete options parsing.

 * speedo: Improved the quick build system.

 Already released with beta834:

 * gpg: Improved passphrase caching.

 * gpg: Switched to algorithm number 22 for EdDSA.

 * gpg: Removed CAST5 from the default preferences.

 * gpg: Order SHA-1 last in the hash preferences.

 * gpg: Changed default cipher for --symmetric to AES-128.

 * gpg: Fixed export of ECC keys and import of EdDSA keys.

 * dirmngr: Fixed the KS_FETCH command.

 * speedo: Downloads related packages and works for non-Windows.


Getting the Software
====================

GnuPG 2.1.0-beta864 is available at

 ftp://ftp.gnupg.org/gcrypt/gnupg/unstable/gnupg-2.1.0-beta864.tar.bz2
 ftp://ftp.gnupg.org/gcrypt/gnupg/unstable/gnupg-2.1.0-beta864.tar.bz2.sig

and soon on all mirrors <http://www.gnupg.org/mirrors.html>.

Please read the README file !


Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a trusted version of GnuPG installed, you
   can simply check the supplied signature.  For example to check the
   signature of the file gnupg-2.1.0-beta864.tar.bz2 you would use
   this command:

     gpg --verify gnupg-2.1.0-beta864.tar.bz2.sig

   Depending on your installation you may use "gpg2" instead of "gpg".
   This checks whether the signature file matches the source file.  You
   should see a message indicating that the signature is good and made
   by that signing key.  Make sure that you have the right key, either
   by checking the fingerprint of that key with other sources or by
   checking that the key has been signed by a trustworthy other key.
   Note, that you can retrieve the signing key using the command

     finger wk ,at' g10code.com

   or using a keyserver like

     gpg --keyserver keys.gnupg.net --recv-key 4F25E3B6

   The distribution key 4F25E3B6 is signed by the well known key:

     pub   dsa2048/1E42B367 2007-12-31 [expires: 2018-12-31]
     Key fingerprint = 8061 5870 F5BA D690 3336  86D0 F2AD 85AC 1E42 B367
     uid  Werner Koch 

   Never use a GnuPG version you just downloaded to check the
   integrity of the source - use an existing GnuPG installation!


Building
========

GnuPG requires a couple of extra libraries, which need to be built and
installed before GnuPG.  The configure script will tell you about the
requirements.

You may try the Speedo system as an alternative build method:

  make -f build-aux/speedo.mk native INSTALL_PREFIX=/usr/local

This method downloads all required libraries and does a native build of
GnuPG to "/usr/local" (or to "PLAY/inst/" if you do not specify the
INSTALL_PREFIX).  Note that you need installation privileges on the
install directory, GNU make, and a decent Unix system.  Building for
Windows is in theory possible but has not been tested for this release.


Documentation
=============

The file gnupg.info has the complete user manual of the system.
Separate man pages are included as well; however they have not all the
details available in the manual.  It is also possible to read the
complete manual online in HTML format at

  https://www.gnupg.org/documentation/manuals/gnupg-devel/

The chapters on gpg-agent, gpg and gpgsm include information on how
to set up the whole thing.  You may also want to search the GnuPG mailing
list archives or ask on the gnupg-users mailing lists for advice on
how to solve problems.  Many of the new features are around for
several years and thus enough public knowledge is already available.

Almost all mail clients support GnuPG-2.  Mutt users may want to use
the configure option "--enable-gpgme" during build time and put a "set
use_crypt_gpgme" in ~/.muttrc to enable S/MIME support along with the
reworked OpenPGP support

Re: [Announce] The sixth Beta for GnuPG 2.1 is now available for testing

2014-08-18 Thread Jerry
On Mon, 18 Aug 2014 07:14:53 +, KA IT User stated:

> Again, we request to remove us from the mailing list.

And again, have you checked the email headers?

List-Unsubscribe: ,
 

-- 
Jerry



Re: AW: [Announce] The sixth Beta for GnuPG 2.1 is now available for testing

2014-08-18 Thread Kristian Fiskerstrand

On 08/18/2014 09:14 AM, KA IT User wrote:
> Again, we request to remove us from the mailing list.

See the list-unsubscribe header or the bottom of every mail for how to
unsubscribe.

-- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Ne nuntium necare
Don't kill the messenger



AW: [Announce] The sixth Beta for GnuPG 2.1 is now available for testing

2014-08-18 Thread KA IT User
Again, we request to remove us from the mailing list.

Kind regards
__
Ing. Roman Höller, MSc
Information Technology
Kommunalkredit Austria AG
1092 Wien, Türkenstraße 9
Tel.: +43 (0) 1/31631 519, Fax: -99519
Mobile: +43 (0) 664/80 31631 519
r.hoel...@kommunalkredit.at
www.kommunalkredit.at

-----Original Message-----
From: Gnupg-announce [mailto:gnupg-announce-boun...@gnupg.org] On Behalf Of
Werner Koch
Sent: Thursday, 14 August 2014 18:07
To: gnupg-annou...@gnupg.org
Subject: [Announce] The sixth Beta for GnuPG 2.1 is now available for testing

Hello!

I just released the sixth *beta* version of GnuPG *2.1*.  It has been released 
to give you the opportunity to check out new features and to help fixing bugs.

  If you need a stable and fully maintained version of GnuPG,
  you should use version 2.0.26 or 1.4.18.

This version is marked as BETA and as such it should in general not be used 
for real work.  However, the core functionality is solid enough for a long time 
and I am using this code base for a couple of years now.


What's new in 2.1.0-beta783 since beta751
=========================================

 * gpg: Add command --quick-gen-key.

 * gpg: Make --quick-sign-key promote local key signatures.

 * gpg: Added "show-usage" sub-option to --list-options.

 * gpg: Screen keyserver responses to avoid importing unwanted keys
   from rogue servers.

 * gpg: Removed the option --pgp2 and --rfc1991 and the ability to
   create PGP-2 compatible messages.

 * gpg: Removed options --compress-keys and --compress-sigs.

 * gpg: Cap attribute packets at 16MB.

 * gpg: Improved output of --list-packets.

 * gpg: Make with-colons output of --search-keys work again.

 * gpgsm: Auto-create the ".gnupg" directory like gpg does.

 * agent: Fold new passphrase warning prompts into one.

 * scdaemon: Add support for the Smartcard-HSM card.

 * scdaemon: Remove the use of the pcsc-wrapper.



Getting the Software
====================

GnuPG 2.1.0-beta783 is available at

 ftp://ftp.gnupg.org/gcrypt/gnupg/unstable/gnupg-2.1.0-beta783.tar.bz2
 ftp://ftp.gnupg.org/gcrypt/gnupg/unstable/gnupg-2.1.0-beta783.tar.bz2.sig

and soon on all mirrors <http://www.gnupg.org/mirrors.html>.

Please read the README file !


Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to install is 
an original and unmodified one, you can do it in one of the following ways:

 * If you already have a trusted version of GnuPG installed, you
   can simply check the supplied signature.  For example to check the
   signature of the file gnupg-2.1.0-beta783.tar.bz2 you would use
   this command:

     gpg --verify gnupg-2.1.0-beta783.tar.bz2.sig

   Depending on your installation you may use "gpg2" instead of "gpg".
   This checks whether the signature file matches the source file.  You
   should see a message indicating that the signature is good and made
   by that signing key.  Make sure that you have the right key, either
   by checking the fingerprint of that key with other sources or by
   checking that the key has been signed by a trustworthy other key.
   Note, that you can retrieve the signing key using the command

     finger wk ,at' g10code.com

   or using a keyserver like

     gpg --keyserver keys.gnupg.net --recv-key 4F25E3B6

   The distribution key 4F25E3B6 is signed by the well known key
   1E42B367.

   NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE
   INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION!


Documentation
=============

The file gnupg.info has the complete user manual of the system.
Separate man pages are included as well; however they have not all the details 
available in the manual.  It is also possible to read the complete manual 
online in HTML format at

  https://www.gnupg.org/documentation/manuals/gnupg-devel/

The chapters on gpg-agent, gpg and gpgsm include information on how to set up 
the whole thing.  You may also want to search the GnuPG mailing list archives or 
ask on the gnupg-users mailing lists for advice on how to solve problems.  Many 
of the new features are around for several years and thus enough public 
knowledge is already available.

Almost all mail clients support GnuPG-2.  Mutt users may want to use the 
configure option "--enable-gpgme" during build time and put a "set 
use_crypt_gpgme" in ~/.muttrc to enable S/MIME support along with the reworked 
OpenPGP support.


Support
=======

Please consult the archive of the gnupg-users mailing list before reporting a 
bug <https://gnupg.org/documentation/mailing-lists.html>.
We suggest to send bug reports for a new release to this list in favor of 
filing a bug at <https://bugs.gnupg.org>.  We also have a dedicated service 
directory at:

  https://www.gnupg.org/service.html

Maintaining
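
The "Checking the Integrity" steps in both announcements above, as an added shell example (not part of the announcements and not GnuPG project code): it runs gpg --verify with machine-readable status output and accepts the file only if a valid signature comes from a key whose full fingerprint was pinned from a second source. The function names, the GPG variable and the script name verify.sh are assumptions of this example; the page gives only the short ID 4F25E3B6 for the distribution key, so the full fingerprint has to be supplied by the reader.

```shell
#!/bin/sh
# Added example (not from the announcement): accept a release tarball only
# if its detached signature is valid AND was made by a key whose full
# fingerprint was pinned beforehand from an independent source.

# Normalise "8061 5870 ..." style input: drop blanks, upper-case hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'abcdef' 'ABCDEF'
}

# status_signed_by_pinned PIN
# Reads "gpg --status-fd" lines on stdin.  Returns 0 only if a VALIDSIG line
# names PIN as signing key or as primary key and no signature is reported
# bad, unverifiable, or made by an expired or revoked key.  Returns 2 if PIN
# is not a full 40-digit fingerprint (short IDs like 4F25E3B6 can collide).
status_signed_by_pinned() {
    pin=$(normalize_fpr "$1")
    case "$pin" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#pin}" -eq 40 ] || return 2
    awk -v pin="$pin" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG"       { bad = 1 }
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing (sub)key fingerprint; the last
        # field is the primary key fingerprint when gpg reports it.
        $2 == "VALIDSIG" && (toupper($3) == pin || toupper($NF) == pin) { good = 1 }
        END { exit ((good && !bad) ? 0 : 1) }
    '
}

# verify_release PIN SIGFILE DATAFILE
# GPG may be set to "gpg2"; it must be an already trusted installation.
verify_release() {
    "${GPG:-gpg}" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
        status_signed_by_pinned "$1"
}

# Command-line use: sh verify.sh <40-hex-fingerprint> file.sig file
if [ "$#" -eq 3 ]; then
    if verify_release "$1" "$2" "$3"; then
        echo "OK: valid signature from pinned key"
    else
        echo "FAIL: do not install this file" >&2
        exit 1
    fi
fi
```

Checking the VALIDSIG fingerprint rather than the exit code alone matters because gpg --verify also succeeds for a good signature made by any other key that happens to be in the keyring.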
