Re: New keyserver at keys.openpgp.org - what's your take?

2019-07-03 Thread Phil Pennock via Gnupg-users
On 2019-07-02 at 11:56 +0200, Wiktor Kwapisiewicz via Gnupg-users wrote: > On 01.07.2019 14:36, Andrew Gallagher wrote: > > OpenPGP already has the "keyserver" field which is rarely used. It is > > supposedly a hint to clients to tell them to prefer a particular > > keyserver, but it could also be

Re: Testing WKD setup?

2019-07-08 Thread Phil Pennock via Gnupg-users
On 2019-07-07 at 20:48 +0200, Wolfgang Traylor via Gnupg-users wrote: > > is there a service or similar where I can check if this email address is > > properly WKD-enabled? > > https://metacode.biz/openpgp/web-key-directory It's nice, but it also checks stuff which isn't per the spec, so gives

Re: Infinite loop?

2019-06-25 Thread Phil Pennock via Gnupg-users
On 2019-06-25 at 18:47 -0400, Daniel Kahn Gillmor via Gnupg-users wrote: > Interesting! my pubring.kbx is 147MiB, but GnuPG still should not run > forever when doing --list-keys. It takes 17s to complete the listing of > my pubring.kbx, as measured by "time gpg --list-keys > /dev/null" With

Re: New keyserver at keys.openpgp.org - what's your take?

2019-07-03 Thread Phil Pennock via Gnupg-users
On 2019-07-03 at 09:17 +0100, Andrew Gallagher wrote: > I didn't even know it supported finger URLs - handy to know! Opening a > finger port may be a step too far for the security-conscious though... Depends upon the implementation. I'm biased here, I wrote my own in Go back in 2016:

Re: How to create an authinfo.gpg encrypted file with a GitHub token

2020-02-26 Thread Phil Pennock via Gnupg-users
On 2020-02-26 at 00:18 +, John Stevenson wrote: > I would like to store a GitHub personal access token in a file called > ~/.authinfo.gpg so that the token is not stored unencrypted on my > computer. This file would be used by Emacs to talk to GitHub via its API. > > I have never used GnuPGP

Re: Help me on this

2020-03-01 Thread Phil Pennock via Gnupg-users
On 2020-02-28 at 22:31 +, Gubba, Srikanth (HNI Corp) via Gnupg-users wrote: > When I want to decrypt the encrypted file I am getting the below error > message: > gpg: using subkey 7E5B6A6AB3392A8D instead of primary key 1CC8C8AD84BF7E76 > gpg: encrypted with 2048-bit ELG key, ID

Re: Re: Help me on this

2020-03-02 Thread Phil Pennock via Gnupg-users
On 2020-03-02 at 14:23 +, Gubba, Srikanth (HNI Corp) wrote: > Thank you for your response, please see this screenshot, it has both keys. > I have imported the secret key but am still getting the same error message, can you > please help on this. Oh, I didn't look closely enough at the error in the

Re: swdb.lst problem

2020-02-10 Thread Phil Pennock via Gnupg-users
On 2020-02-09 at 16:44 -0500, murphy via Gnupg-users wrote: > With a new version of raspbian out for the raspberry pi I'm having > trouble with a speedo compile of gnupg-2.2.19 with error messages: > Also when I try to download swdb.lst directly it fails with: > >

Re-sign subkey binding with changed digest?

2020-01-08 Thread Phil Pennock via Gnupg-users
So, this SHA-1 mess is "fun". To get a fresh self-sig user ID signature on the main key, I can do this: `gpg --expert --cert-digest-algo SHA256 --sign-key ${KEYID:?}` The `--expert` overrides the "already signed" safety check, letting you confirm that yes you really want this. Alas, it seems

Re: Reason string revocation

2019-12-27 Thread Phil Pennock via Gnupg-users
On 2019-12-26 at 23:06 +0100, Dirk-Willem van Gulik wrote: > Is there a flag that shows you the 'reason/explanation' string and cause > when examining a revocation msg with gpg2 ? > > It seems that both --import and a simple 'gpg2 revoc.asc' show you the key - > but not the rest of the info ? $

Re: WKS server problems

2020-03-21 Thread Phil Pennock via Gnupg-users
On 2020-03-21 at 23:30 +, Andrew Gallagher wrote: > I'm trying to follow the WKS instructions from the wiki[1] on a remote > VM, but it hangs at the key generation stage: [...] > gpg (GnuPG) 2.2.4 Is this a newly created VM? Can you not use the opportunity of "nothing else on the system

Re: gpg-agent is older than us

2020-08-21 Thread Phil Pennock via Gnupg-users
On 2020-08-21 at 19:00 +, Ajax via Gnupg-users wrote: > On a Debian box, 'gpg -K' gives "server 'gpg-agent' is older than us > (2.2.12 < 2.2.21)". 2.2.21 was built using speedo in my home > directory populating ~/bin which appears at the head of $PATH. The > commands 'which gpg' and 'which

Re: Which keyserver

2020-09-18 Thread Phil Pennock via Gnupg-users
On 2020-09-18 at 15:04 +0200, accounts-gn...@holbrook.no wrote: > Is it possible to define multiple sources of keys with WKD, for example > with a dns TXT record? The use-case would be if the main server is down, > alternative places to get it. The SRV record approach had to be dropped because

Re: Which keyserver

2020-09-17 Thread Phil Pennock via Gnupg-users
On 2020-09-17 at 22:57 +0200, Martin wrote: > Which keyserver do you recommend these days? For what purpose? For receiving updates to previously known keys, of people who care enough about their keys to distribute their keys across multiple keyservers instead of just going "I pushed it to the

Re: Which keyserver

2020-09-19 Thread Phil Pennock via Gnupg-users
On 2020-09-19 at 11:44 +0100, MFPA via Gnupg-users wrote: > On Friday 18 September 2020 at 4:32:55 PM, in > , Phil > Pennock via Gnupg-users wrote:- > > > > keys.gnupg.net is a CNAME for > > hkps.pool.sks-keyservers.net -- which is > > now returning zero re

Re: how to suppress new "insecure passphrase" warning

2020-09-17 Thread Phil Pennock via Gnupg-users
On 2020-09-16 at 15:03 -0700, Alan Bram via Gnupg-users wrote: > I have been using gnupg for a few years now, with no change in the way I > invoke it. Recently (I guess my package manager updated to a new version: > 2.2.23) it started injecting a warning about "insecure passphrase" and >

Re: Which keyserver

2020-09-18 Thread Phil Pennock via Gnupg-users
On 2020-09-18 at 08:06 -0700, Mark wrote: > I use GPG4Win and I've noticed that "hkp://keys.gnupg.net" is not > working right. I was not getting any hits back when searching with > Kleopatra and then I tried to ping that server which returned host not > found. So I'm also interested if there is a

Re: Which keyserver

2020-09-18 Thread Phil Pennock via Gnupg-users
On 2020-09-18 at 10:08 +0200, Franck Routier (perso) wrote: > Le jeudi 17 septembre 2020 à 18:13 -0400, Phil Pennock via Gnupg-users > a écrit : > > If publishing keys, I do recommend setting up WKD for your > > domain, which helps a little. > > What

Re: WKD - .onion redirects mapping

2020-08-04 Thread Phil Pennock via Gnupg-users
On 2020-08-04 at 16:46 +0200, Werner Koch via Gnupg-users wrote: > Yes, privacy. But that is just a welcome side-effect. What we need is > that the domain is authenticated so that we can consider the key to be > valid at a certain level. I see no way how you can do this via an > anonymizer

Re: Multiple UIDs or multiple master keys?

2020-07-14 Thread Phil Pennock via Gnupg-users
On 2020-07-14 at 00:48 +, Philihp Busby via Gnupg-users wrote: > 2: What benefits are there to having separate master keys for >personal and professional use? Outside of not wanting the >identities linked, because I am not yet famous enough for that. When the day comes that I

WKD - .onion redirects mapping

2020-07-27 Thread Phil Pennock via Gnupg-users
Folks, Is there any facility in GnuPG, or any neat hacks which can be applied to current releases, to be able to remap WKD queries to go to specified .onion hosts? Eg, lists: openpgpkey.debian.org: http://habaivdfcyamjhkk.onion/ and indeed if I use `gpg

Re: Avoid recipient-compatibility SHA1

2020-11-18 Thread Phil Pennock via Gnupg-users
On 2020-11-17 at 22:18 -0700, Mark wrote: > Not to ask a stupid question but how can you tell which algorithm your > keys are using and if using SHA1 update them to a more secure one? I have a better answer than my previous one, because the very next mailing-list I read has a post today from the

Re: Avoid recipient-compatibility SHA1

2020-11-18 Thread Phil Pennock via Gnupg-users
On 2020-11-17 at 22:18 -0700, Mark wrote: > Not to ask a stupid question but how can you tell which algorithm your > keys are using and if using SHA1 update them to a more secure one? With GnuPG, `gpg --list-packets` shows a lot of fine detail, but unless you're familiar with the standards it can

Re: Avoid recipient-compatibility SHA1

2020-11-17 Thread Phil Pennock via Gnupg-users
On 2020-11-17 at 15:47 +, Stefan Claas wrote: >} Since 2005, SHA-1 has not been considered secure against well-funded >} opponents;[4] as of 2010 many organizations have recommended its >} replacement.[5][6][7] NIST formally deprecated use of SHA-1 in 2011 >} and disallowed its use for digital

Avoid recipient-compatibility SHA1

2020-10-29 Thread Phil Pennock via Gnupg-users
Folks, Normally everything I do with GnuPG is using SHA256 digests, and I normally keep "weak-digest SHA1" in my gpg.conf file. I just sent a message to N recipients, and I think one of them probably has some preference algorithm in their key details, because this one mail was signed using SHA1,

Re: Avoid recipient-compatibility SHA1

2020-11-02 Thread Phil Pennock via Gnupg-users
On 2020-11-02 at 13:49 +0100, Werner Koch via Gnupg-users wrote: > On Fri, 30 Oct 2020 00:10, Phil Pennock said: > > recipient. That's fine. I'd rather create pressure for people to fix > > their systems to use modern cryptography than cater to their brokenness > > with sensitive messages. > >

Re: RSS/Atom for the GnuPG blog?

2021-01-22 Thread Phil Pennock via Gnupg-users
On 2021-01-21 at 11:46 +0100, jman wrote: > There's no direct RSS/Atom feed (afaics). However the blog is a git > repository [0] with a RSS/Atom feed (there's a link at the bottom of the > page). As a workaround you subscribe to that feed (I didn't test it). I have tested it: I use Slack with the

Re: RSS/Atom for the GnuPG blog?

2021-01-22 Thread Phil Pennock via Gnupg-users
On 2021-01-22 at 18:10 +0100, Werner Koch via Gnupg-users wrote: > BTW, if you are just interested in updates to our software you can check > also https://versions.gnupg.org/swdb.lst for updates. Or watch the > source of this list, which is in the gnupg-doc repo as swdb.mac. > > The tool

Re: Why is --auto-key-locate only for encrypting?

2021-09-01 Thread Phil Pennock via Gnupg-users
On 2021-09-01 at 13:50 +0200, Ingo Klöcker wrote: > On Mittwoch, 1. September 2021 07:55:21 CEST raf via Gnupg-users wrote: > > Why is the --auto-key-locate only for encrypting (says > > the gpg(1) manpage)? Wouldn't it also be useful when > > receiving emails and verifying signatures? > >

Re: WKD docs on the wiki, restructuring. Feedback on forUsers page

2021-09-30 Thread Phil Pennock via Gnupg-users
On 2021-09-30 at 12:17 +, ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users wrote: > Hmm, this is odd. I set up WKD as detailed on the > https://wiki.gnupg.org/WKDHosting (using the openpgpkey subdomain), currently > only for one address on my domain (s...@chiraag.me). Opening the file > directly in a web

trust-model and federated lookups

2021-10-22 Thread Phil Pennock via Gnupg-users
Folks, When evaluating the trust we have in the identity attached to a key, I often see "WARNING: We have NO indication whether the key belongs to the person named as shown above"; at the same time, `--with-key-origin` for the very same key will show "origin=wkd". GnuPG uses the trust-model

Re: --auto-key-retrieve fails for some keys

2021-11-02 Thread Phil Pennock via Gnupg-users
On 2021-11-02 at 16:05 +0100, Tadeus Prastowo via Gnupg-users wrote: > The signature on a Linux kernel can be verified successfully using > `--auto-key-retrieve', but the signature on an Emacs cannot be > verified in the same manner because gpg is unable to retrieve the > needed public key

Re: trust-model and federated lookups

2021-10-25 Thread Phil Pennock via Gnupg-users
On 2021-10-25 at 15:12 +0200, Neal H. Walfield wrote: > This absolutely makes sense. One way to model this in the web of > trust is to imagine that you have a "WKD key," which you consider a > partially trusted introducer, and which certifies keys that you > retrieve via WKD. Practically, it's a

Re: WKD: conveying intent of encrypt-by-default?

2022-10-13 Thread Phil Pennock via Gnupg-users
On 2022-10-04 at 20:00 -0400, Daniel Kahn Gillmor wrote: > Autocrypt's focus is ubiquitous deployment of keying material (in the > form of OpenPGP certificates) so that people *can* encrypt when sending > mail. We found that one of the big risks is that a peer might > *automatically* encrypt when

WKD: conveying intent of encrypt-by-default?

2022-10-03 Thread Phil Pennock via Gnupg-users
Folks, I set up WKD for work a while back, to publish the PGP keys for those who had them. Then in November I removed the first key because it was causing Protonmail users to keep sending encrypted to the recipient and a lot of his communications turned out to be with Protonmail users. Now we've