Re: Insecure memory message on PC-BSD

[Robert J. Hansen]

> Hey Everyone,

Hey, Anthony.  Sorry for the long-delayed response: I'm just now
crawling out from beneath my backlog.

> I'm using PC-BSD 10.2 and I get the message "using insecure memory!"
> when I type gpg2 at the terminal. Is this a major issue or is it
> something I can (usually) ignore? Is there a way to use "secure" memory?

Some operating systems allow GnuPG more low-level control over memory.
Others don't, and these other systems get the insecure memory warning.
However, it's  pretty hard  to exploit
insecure memory without root privileges -- and if your attacker has root
privileges on your machine then it's all over anyway.

In my own environment, I don't care about this.  It's a nonissue.  You
can disable the warning by putting no-secmem-warning in your gpg.conf file.



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Malware detected

[Robert J. Hansen]

> I downloaded gpupg for windows, during the installation Webroot Endpoint
> Protection reported that GSPAWN-WIN32-HELPER.EXE was infected with
> W32.Malware.Gen and was blocked.. has the source code been infected or
> is this some kind of false detection?

I'd be happy to look into this for you, but I'm going to need to know
specifically which version of GnuPG for Windows you downloaded and where
you downloaded it from (a link would be best).




signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: New FAQ items

[Kristian Fiskerstrand]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 12/01/2015 09:47 PM, Robert J. Hansen wrote:
> 1.  A new user contacted me via email to point out there was no
> FAQ entry about whether there's anything to be done about a lost 
> passphrase.  I added a FAQ entry for this, with text that
> basically amounted to "if you truly can't remember your passphrase
> then we can't help you, revoke your certificate with a pre-made
> revocation certificate and start anew."  If anyone has better
> suggestions (that don't amount to "well, have you tried all
> permutations of what you think the passphrase was?"), please let me
> know.  :)

Would a reference to nasty[0] or other tools to aid such brute-force
attacks be useful in this context?

Reference:
[0] http://freecode.com/projects/nasty

- -- 
- 
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Donec eris sospes, multos numerabis amicos.
Tempora si fuerint nubila, solus eris.
As long as you are wealthy,you will have many friends.
When the tough times come, you will be left alone
-BEGIN PGP SIGNATURE-

iQEcBAEBCgAGBQJWXghhAAoJECULev7WN52F5+AH/iHpwr7O6VveZkU7qEolvoIh
LtN04Z0DHr9vrjwylhiqjKx0q9GeUy9nMoFXV6Aaz6b6SvLgqjTmeHVrCg6URA8C
5DAxgQdwmYvvPLbZbH+Ttg4MQpeHGopC9NsVKv0qcwwgybKJsINLMUlxbIqYtRlb
rtOofFZVZa7eDf/PhxM5OOasyFGU08MX/cE8IcBuM+k2OmbrKgn9/En0A2Eh3vzx
NABXhKVBuGD35lFeAzSQTRHhNNczQVlBEQ5Ezk4w8RdWF7UhhrNeKKfX6hvE7pKv
s4nS4pmsQ/jb2wjp+pFV9GU8wVw9HM6VV27p8RLJhe0pYwZ9hI+0M6nw5z8DSkw=
=Vjs4
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: New FAQ items

[Kristian Fiskerstrand]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 12/01/2015 10:01 PM, Robert J. Hansen wrote:
>> Would a reference to nasty[0] or other tools to aid such
>> brute-force attacks be useful in this context?
> 
> I thought about it but decided against it.  I've never heard of
> someone successfully using nasty to recover their passphrase.  I
> hate to recommend a tool where I can't point to a single user who's
> had a good experience with it.

I've hard of a few users with good experiences using it, but it has
always been in the context of rotation of several known password
string using separators and number paddings etc so they have been able
to build a good pattern to base it on


- -- 
- 
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Donec eris sospes, multos numerabis amicos.
Tempora si fuerint nubila, solus eris.
As long as you are wealthy,you will have many friends.
When the tough times come, you will be left alone
-BEGIN PGP SIGNATURE-

iQEcBAEBCgAGBQJWXgpoAAoJECULev7WN52FX4wH/0yE7XgBLbF4TKWBBxYR0Gv6
mgYtqSq7/3cmXWkUmw2Oz5me63T9NKyA/j+KeTdWoOskryCDvU46X5I3OVf26lkV
4hFQl0rS5qMT3vtyK7wu8W53Ry6JcBIOhbjk2nQ3zCcVhMYEZBlxPCVcCI0KDorD
7H8C+tBpmsqLhHHP3RzDWQWkdNfFsSbJda+0Gvemt9hE52COCKEp0HqM42c4Grwp
t2UOqq2yL4Wq6bWtKZbp3OS6+NCrkYyOA5lb5UOFVypCTIkj7isskhSPSufzoe6L
Hf+YnJM8hKbv/r+4B/yRts/Uf64uKEgq3czkO9NEof9RxUbXhoN7CBkKjfdnjIU=
=nozz
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: New FAQ items

[Robert J. Hansen]

> Would a reference to nasty[0] or other tools to aid such brute-force
> attacks be useful in this context?

I thought about it but decided against it.  I've never heard of someone
successfully using nasty to recover their passphrase.  I hate to
recommend a tool where I can't point to a single user who's had a good
experience with it.

I'm not saying they don't exist.  Just that if they do exist, I don't
know about them, and for that reason I feel I can't recommend the tool.




signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: New FAQ items

[Robert J. Hansen]

> I've hard of a few users with good experiences using it...

Good enough for me.  I'll adjust the language and submit a revision to
the list for review.



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

New FAQ items

[Robert J. Hansen]

1.  A new user contacted me via email to point out there was no FAQ
entry about whether there's anything to be done about a lost
passphrase.  I added a FAQ entry for this, with text that basically
amounted to "if you truly can't remember your passphrase then we
can't help you, revoke your certificate with a pre-made revocation
certificate and start anew."  If anyone has better suggestions (that
don't amount to "well, have you tried all permutations of what you
think the passphrase was?"), please let me know.  :)

2.  GNU contacted me via email asking for a FAQ entry about how to use
GnuPG to verify downloaded software.  This was present in a prior
iteration of the FAQ but not this re-written one, so I figured it
was an unobjectionable addition.

I would normally present things on the list before pushing to Git, but
GNU's keen on a fast turnaround on #2.  If you're interested in the FAQ,
give it a day or so for the HTML version of it to get generated and
check out the new entries.



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Provide user PIN to gpg-agent?

[NIIBE Yutaka]

On 12/01/2015 10:50 PM, Harbord Jonathan-EURITEC wrote:
> Is it possible to pass the user PIN of a smartcard to gpg-agent in a command?
> 
> I'd like to stop the pinentry program appearing for an automated system.

Please note that I don't have any experience like that, and I don't
generally recommend such a usage.

In general, we can provide a special application specific pinentry
program for such a special purpose.

In GnuPG 2.1.x, there is allow-loopback-pinentry option.  When enabled
it by .gnupg/gpg-agent.conf or as an argument invoking gpg-agent, we
can do something like:

gpg-connect-agent \
"OPTION pinentry-mode=loopback"
'/definqfile PASSPHRASE /tmp/passphrase-for-smartcard' \
"SCD CHECKPIN " /bye


having a file /tmp/passphrase-for-smartcard, where  is the one
in the output of 'gpg --card-status' like:

Application ID ...: D276000124010200F5170001

Substitute  by D276000124010200F5170001.

Please try.
-- 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: problems decrypting ASCII-armored file

[Andrew Gallagher]

>> On 11/30/15 5:41 PM, Andrew Gallagher wrote:
>> That's a Unicode byte order mark. Strictly, it should only be used in
>> UTF-16 documents but in the real world it's commonly used to mark any
>> Unicode file
> 
> It's a UTF-16BE BOM, you mean.  The UTF-8 BOM is 0xEF 0xBB 0xBF.
> 
> It's a little weird.  You don't see much UTF-16BE out there.

It's the same thing. One is just a different encoding of the other. The OP's 
software is obviously Unicode-capable as it displayed the unknown character as 
a U+ code point. The underlying code point is identical no matter which 
encoding is being used. The only time you would see the raw utf-8 bytes would 
be if the software was Unicode-incapable or if the locale was set incorrectly, 
leading it to be interpreted as a sequence of bytes.

Andrew
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: problems decrypting ASCII-armored file

[Ryan Hoffman]

That worked! Deleting that one character made the difference. Thanks!
Ryan

On Mon, Nov 30, 2015 at 2:41 PM, Andrew Gallagher 
wrote:

> >
> > Here's the file's header as viewed with "less" (the starting
> non-printing character is suspicious):
> > -BEGIN PGP MESSAGE-
>
> That's a Unicode byte order mark. Strictly, it should only be used in
> UTF-16 documents but in the real world it's commonly used to mark any
> Unicode file. I'm assuming this is a UTF-8 file? If so, you should just be
> able to delete the character using vim or similar and try again.
>
> Andrew.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Why gpg 2.1.9 cannot export secret key without passphrase?

[Peter Lebbing]

On 30/11/15 23:54, Andrey Utkin wrote:
> Could you please direct me to exact S2K-stuff modes for exporting it 
> which would be compliant with earlier GnuPG branches 1.4 and 2.0?
> [...]
> But for unattended processing cases, I'd like a mode that makes utils
> skip all passphrase entry prompts. I guess the no-encryption case
> ("trivially cracked by anyone") is needed here. Which of the
> mentioned modes was used in 1.4 and 2.0 for exporting without
> passphrase?

"Trivially cracked" implies that there is something to crack. That would
be the silly case with the empty string as the password. Instead, the
first octet in the secret part of the secret key packet indicates
whether to use an S2K or not:

>From [1]:
>  - One octet indicating string-to-key usage conventions.  Zero
>indicates that the secret-key data is not encrypted.  255 or 254
>indicates that a string-to-key specifier is being given.  Any
>other value is a symmetric-key encryption algorithm identifier.

The "any other" stuff is ancient legacy stuff, and MUST NOT be produced
by a conforming implementation. This byte is zero when there is no
encryption, and the following bytes are just the plaintext version of
the secret parts:

>  - Plain or encrypted multiprecision integers comprising the secret
>key data.  These algorithm-specific fields are as described
>below.

In this case, read it as "plain multiprecision integers ...".

HTH,

Peter.

[1] http://tools.ietf.org/html/rfc4880#section-5.5.3

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: scdaemon lockup with Yubikey NEO

[the2nd]

There is just one gpg-agent + scdaemon. Do you keep the first SSH 
session open when re-plugging the yubikey? If i close the first session 
do problem does not occur.


On 2015-12-01 05:16, NIIBE Yutaka wrote:

On 12/01/2015 08:19 AM, the...@otpme.org wrote:

So are any devs reading on this list? The problem is reproducible
and i am willing to help debugging and whatever is needed to fix the
issue. :)


Yes.

It is not reproducible for me.  I'm using OpenSSH 6.9p1.


i've done some more testing and found out that the problem starts to
exist with openssh version 6.8p1. With 6.7p1 everything works 
perfect.

I downloaded the openssh tarballs one by one, compiled with
./configure;make and just copied the "ssh" binary.

I was able to reproduce the problem with the following steps:

1. Start gpg-agent: eval $(gpg-agent --daemon --enable-ssh-support
--log-file ~/.gnupg/gpg-agent.log)
2. Login to any host with your SSH key and keep the session open: ssh
-l root localhost
3. Plug your yubikey out/in
4. Try to login with your SSH key to any other host


Do you have multiple gpg-agent when you encounter failure?  Or
multiple scdaemon?


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Malware detected

[Jay Barker]

I would suggest you check the SHA1 or SHA256 checksum for the exe you
downloaded, the checksums are provided in this release note from the
developers:

http://lists.wald.intevation.org/pipermail/gpg4win-announce/2015-November/67.html

On 30 November 2015 at 22:34, Dale Sander  wrote:

> I downloaded gpupg for windows, during the installation Webroot Endpoint
> Protection reported that GSPAWN-WIN32-HELPER.EXE was infected with
> W32.Malware.Gen and was blocked.. has the source code been infected or is
> this some kind of false detection?
>
> Thank you,
>
> Dale
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: problems decrypting ASCII-armored file

[Werner Koch]

On Tue,  1 Dec 2015 09:41, andr...@andrewg.com said:

> point is identical no matter which encoding is being used. The only
> time you would see the raw utf-8 bytes would be if the software was
> Unicode-incapable or if the locale was set incorrectly, leading it to
> be interpreted as a sequence of bytes.

Would it be worth to detect this corner case and ignore the BOM? 


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

gpg-agent protocol

[Dubravszky József]

Hello,

Before I do any coding or trials I would like to clear some GPG4Win
questions. 

Atsuhiko Yamanaka made an excellent Eclipse SSH agent plugin
(https://github.com/ymnk/jsch-agent-proxy) to proxy SSH agents to Eclipse
subsystems. Currently it supports ssh-agent on Linux and Pageant on Windows.
As of GPG4Win 2.2 the gpg-agent.exe can function as an SSH agent for Putty.
It would be just awesome to be able to use gpg-agent.exe in Eclipse. For
that, a connector needs to be developed but first I would like to get
information on how could I "talk to" the gpg-agent.exe? The Pageant
connector uses Win32 shared memory operations. My question might sound
silly, but is there anything that would prevent me writing a connector that
uses the same Win32 shared memory operations based protocol? 
I also recognized that on Windows an S.gpg-agent.ssh file is created in the
users roaming AppData
(C:\Users\USERNAME\AppData\Roaming\gnupg\S.gpg-agent.ssh), that pretty much
resembles a Unix socket. As far as I know there is no such compatible domain
socket on Windows, but what is this file then?

Thank you for your help.


BR,

joe


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: problems decrypting ASCII-armored file

[Andrew Gallagher]

On 01/12/15 12:09, Werner Koch wrote:
> On Tue,  1 Dec 2015 09:41, andr...@andrewg.com said:
> 
>> point is identical no matter which encoding is being used. The only
>> time you would see the raw utf-8 bytes would be if the software was
>> Unicode-incapable or if the locale was set incorrectly, leading it to
>> be interpreted as a sequence of bytes.
> 
> Would it be worth to detect this corner case and ignore the BOM? 

I think so. The use of BOM as a UTF-8 marker is not going to go away any
time soon...

Andrew.



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: problems decrypting ASCII-armored file

[Robert J. Hansen]

> It's the same thing. One is just a different encoding of the other.

Ah, I read it as being straight-up hex, not a code point.  Thank you.  :)

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Provide user PIN to gpg-agent?

[Harbord Jonathan-EURITEC]

Is it possible to pass the user PIN of a smartcard to gpg-agent in a command?

I'd like to stop the pinentry program appearing for an automated system.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users