Re: Sign key with externalized master key
On Wed 2015-02-11 17:31:42 -0500, Xavier Maillard wrote: Daniel Kahn Gillmor d...@fifthhorseman.net writes: The fact that you're using a FAT volume is the root cause here; FAT filesystems do not have ownership or permissions, so when a modern OS mounts them, it has to fake permissions for these files. Thank you for this precision. Are you aware of some portable and well supported by the 3-major OSes filesystem type ? FAT, alas, is the portable filesystem that you're looking for. UDF, mentioned elsewhere in this thread, is a read-only filesystem, and i think it doesn't have ownership or permissions either. I see two approaches: a) figure out how to get each operating system to mount the volume with tighter permissions b) convince gpg that looser permissions on fat32 filesystems are acceptable I think (b) is the wrong way to go -- gpg is pointing out, rightly, that your sensitive data is exposed. So that leaves (a), which probably needs to be fixed anyway. Your operating system is exposing sensitive data from your USB stick (which is supposed to be only yours, since you plugged it in while you were in control of the machine) to any other user account on the computer. Reporting this bug to your OS vendor would be a good thing, because it would help other users of the same OS. --dkg ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Sign key with externalized master key
FAT, alas, is the portable filesystem that you're looking for. NTFS also works. Linux can read/write NTFS through NTFS-3G and FUSE, and a port exists for OS X as well. And yes, the stack is 100% libre. :) smime.p7s Description: S/MIME Cryptographic Signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Sign key with externalized master key
The wikipedia article on UDF mentions write support in all major OSes. It also supports POSIX permissions. On Fri, Feb 13, 2015 at 9:49 PM, Robert J. Hansen r...@sixdemonbag.org wrote: FAT, alas, is the portable filesystem that you're looking for. NTFS also works. Linux can read/write NTFS through NTFS-3G and FUSE, and a port exists for OS X as well. And yes, the stack is 100% libre. :) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Sign key with externalized master key
On Wed 2015-02-11 00:41:18 -0500, Xavier Maillard wrote: May I ask how one would sign public keys when a master key is stored onto an USB stick ? I followed instructions from [1]. Now I am in the process of announcing my key transition to all old signers *but*, as a last test, I just tested public signature with my master key and this is where troubles occur: LANG=C gpg --home /Volumes/FSF/.gnupg --recv-keys A KEYID gpg: WARNING: unsafe permissions on homedir `/Volumes/FSF/.gnupg' gpg: external program calls are disabled due to unsafe options file permissions gpg: keyserver communications error: General error gpg: keyserver receive failed: General error So what ? My USB stick is formated using extFat so permissions are something unknown. The fact that you're using a FAT volume is the root cause here; FAT filesystems do not have ownership or permissions, so when a modern OS mounts them, it has to fake permissions for these files. If you mount the filesystem manually, you can usually specify tighter permissions. I don't know the exact syntax for OS X, but on GNU/Linux systems, that would be: mount -t vfat -ouid=$USERNAME,umask=077 /dev/sdx1 /Volumes/FSF umask is the relevant option here to set the default permissions. Alternately, if your umask is set properly before mounting the filesystem, i think mount(8) will just default to it. hth, --dkg ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Sign key with externalized master key
Daniel Kahn Gillmor d...@fifthhorseman.net writes: On Wed 2015-02-11 00:41:18 -0500, Xavier Maillard wrote: May I ask how one would sign public keys when a master key is stored onto an USB stick ? I followed instructions from [1]. Now I am in the process of announcing my key transition to all old signers *but*, as a last test, I just tested public signature with my master key and this is where troubles occur: LANG=C gpg --home /Volumes/FSF/.gnupg --recv-keys A KEYID gpg: WARNING: unsafe permissions on homedir `/Volumes/FSF/.gnupg' gpg: external program calls are disabled due to unsafe options file permissions gpg: keyserver communications error: General error gpg: keyserver receive failed: General error So what ? My USB stick is formated using extFat so permissions are something unknown. The fact that you're using a FAT volume is the root cause here; FAT filesystems do not have ownership or permissions, so when a modern OS mounts them, it has to fake permissions for these files. Thank you for this precision. Are you aware of some portable and well supported by the 3-major OSes filesystem type ? Regards -- Xavier signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Sign key with externalized master key
Xavier Maillard: Daniel Kahn Gillmor d...@fifthhorseman.net writes: On Wed 2015-02-11 00:41:18 -0500, Xavier Maillard wrote: May I ask how one would sign public keys when a master key is stored onto an USB stick ? I followed instructions from [1]. Now I am in the process of announcing my key transition to all old signers *but*, as a last test, I just tested public signature with my master key and this is where troubles occur: LANG=C gpg --home /Volumes/FSF/.gnupg --recv-keys A KEYID gpg: WARNING: unsafe permissions on homedir `/Volumes/FSF/.gnupg' gpg: external program calls are disabled due to unsafe options file permissions gpg: keyserver communications error: General error gpg: keyserver receive failed: General error So what ? My USB stick is formated using extFat so permissions are something unknown. The fact that you're using a FAT volume is the root cause here; FAT filesystems do not have ownership or permissions, so when a modern OS mounts them, it has to fake permissions for these files. Thank you for this precision. Are you aware of some portable and well supported by the 3-major OSes filesystem type ? Since your issue only affects signing of other keys - which normally is not a daily scenario - what about using a GNU/Linux live system/CD/USB for that purpose? That way you can use a normal GNU/Linux supported filesystem and don't have to worry whether to trust your normal OS or which filesystem is compatible with all OSses you intend to use. ~flapflap ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Sign key with externalized master key
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Wed, Feb 11, 2015, 5:33 PM Xavier Maillard xav...@maillard.im wrote: Thank you for this precision. Are you aware of some portable and well supported by the 3-major OSes filesystem type ? Just UDF -BEGIN PGP SIGNATURE- Version: OpenKeychain v3.1.2 iIAEAREIACghHEJyaWFuIE1pbnRvbiA8YnJpYW5AbWludG9uLm5hbWU+BQJU3BNJ AAoJEGuOs6Blz7qpz9MA/0MioB8VjrF/4+6UnN4RP9E+PNWzumMPpYsfkEXej8tW AP95+irR2/yR6Rbv7WXGsV3GSftc/iYaiykwGB1VdIHmMQ== =aHkI -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Sign key with externalized master key
flapflap flapf...@riseup.net writes: Xavier Maillard: Daniel Kahn Gillmor d...@fifthhorseman.net writes: On Wed 2015-02-11 00:41:18 -0500, Xavier Maillard wrote: May I ask how one would sign public keys when a master key is stored onto an USB stick ? So what ? My USB stick is formated using extFat so permissions are something unknown. The fact that you're using a FAT volume is the root cause here; FAT filesystems do not have ownership or permissions, so when a modern OS mounts them, it has to fake permissions for these files. Thank you for this precision. Are you aware of some portable and well supported by the 3-major OSes filesystem type ? Since your issue only affects signing of other keys - which normally is not a daily scenario - what about using a GNU/Linux live system/CD/USB for that purpose? That way you can use a normal GNU/Linux supported filesystem and don't have to worry whether to trust your normal OS or which filesystem is compatible with all OSses you intend to use. Good catch. I did something close: refurbished and updated my old slackware GNU/linux system with FUSE exfat support. That does the job ! Thank you for your help. -- Xavier ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Sign key with externalized master key
Hello,
May I ask how one would sign public keys when a master key is
stored onto an USB stick ?
I followed instructions from [1]. Now I am in the process of
announcing my key transition to all old signers *but*, as a last
test, I just tested public signature with my master key and this is
where troubles occur:
LANG=C gpg --home /Volumes/FSF/.gnupg --recv-keys A KEYID
gpg: WARNING: unsafe permissions on homedir `/Volumes/FSF/.gnupg'
gpg: external program calls are disabled due to unsafe options file permissions
gpg: keyserver communications error: General error
gpg: keyserver receive failed: General error
So what ? My USB stick is formated using extFat so permissions are
something unknown.
Do you have any way to workaround that ? Or better, USB stick storage
best practice ? My environment is very hetereogenous but I may only
sign from my OS X machine so there can be a better choice than extFat
I presume.
I did something odd as a very short temporary workaround:
umask 077; mkdir /tmp/_gpg-to-sign
gpg --home /tmp/_gnupg-to-sign --import
/Volumes/FSF/2015-02-09/{public+private}.gpg
then did my keysigning.
Thank you very much.
Footnotes:
[1] https://alexcabal.com/creating-the-perfect-gpg-keypair/
--
Sent with my mu4e
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
