Re: --export-options export-reset-subkey-passwd
Regarding my Devuan forums topic: Safe GnuPG setup (with offlined master secret key)
https://dev1galaxy.org/viewtopic.php?id=1929
I've only found this email recently on the Gnupg Users ML that actually helped me a lot to get my hands-on tentative/tutorial right. This email that I'm replying to, but vaguely, below.

On 180128-17:37-0700, Daniele Nicolodi wrote:
> On 23/08/2017 23:59, Werner Koch wrote:
> > On Sun, 13 Aug 2017 08:17, dani...@grinta.net said:
> >
> >> Digging a bit more, it seems that the functionality got dropped because
> >> with GnuPG 2.x all key manipulations go through gpg-agent and it does
> >> not (yet?) support password reset on export.
> >
> > Unfortunately this is still an open bug:
> >
> > https://dev.gnupg.org/T1753
> >
> > we won't be able to fix it for 2.2.0 but given that it is marked as a
> > bug it can and should be fixed in the soon to be released 2.2 series.
>
> As a work around I came up with this simple script, which has the sole
> problem of asking the secret subkey passphrase a few times too much, and
> of requiring one to explicitly enter an empty passphrase.
>
> Let me know if it is excessively dummy or if there is a better way.
>
> Cheers,
> Daniele
>
>
> #!/bin/sh
> set -e
>
> KEY="$1"
> shift
>
> # make sure to have a "!" at the end of the key fingerprint to export
> # exclusively the corresponding subkey and not the primary key
> # (POSIX test(1) compares strings with "=", not "=="; dash rejects "==")
> if [ "$KEY" = "${KEY%\!}" ]
> then
>     KEY="$KEY"\!
> fi
>
> # private scratch home directory, removed on exit together with the
> # gpg-agent that gpg starts for it (the agent would otherwise outlive
> # the script while still caching the subkey passphrase)
> umask 0077
> TMPDIR=$(mktemp -d)
> trap 'gpgconf --homedir "$TMPDIR" --kill gpg-agent 2>/dev/null || true; rm -rf "$TMPDIR"; exit' 0 1 2 3 15
>
> # import only the subkey into the scratch home, reset its passphrase
> # there, then export the result; the real primary secret key never
> # leaves the normal keyring
> gpg --export-secret-subkey "$KEY" | gpg --homedir "$TMPDIR" --import
> gpg --homedir "$TMPDIR" --change-passphrase "$KEY"
> gpg --homedir "$TMPDIR" --armor "$@" --export-secret-subkey "$KEY"
>
I only now, on umpteenth read, much better understand this script. Too late to include it in my already mostly finished tentative/tutorial.
In this post:
https://dev1galaxy.org/viewtopic.php?id=1929#p7915
I linked to the web location of this email:
https://lists.gnupg.org/pipermail/gnupg-users/2018-January/059887.html
(that I'm replying to from my mailbox).

I think my setup (and I had longed for a couple of years to accomplish it!; I'm a slow learner) works fine for me already, I believe, and is safe [1]. And I hoped I'd mostly just thank the developers for this really great tool in the first place.

OTOH, the FAQ entry where I found some tips at the onset of this days-long GnuPG setup rework of mine should, I believe, be updated:

8.20. How can I use GnuPG in an automated environment?
https://gnupg.org/faq/gnupg-faq.html#automated_use

I'd help, but firstly, I had already stolen too much time from other work of mine, and secondly, my understanding is not sufficiently clear on these matters at this time.

Best regards!

---
[1] I set up a good password for both my subkeys, and will probably mostly go offline, and try to quickly ascertain my system status (logs are almost always "tail -f"-ed on top in real time for me), and will often go offline, physically disconnecting from the internet, for just the time to type the password to do the encryption/signing.

So maybe a question to advanced users/devs. Any tips on protection from the dangers to my subkeys (and subkeys of those who will come along from my tutorial pages) from the bad place called internet? On defence from keyloggers, from Meltdown/Spectre exploits, big or small users (ah, I know; kernel with all the mitigations and updated microcode, but maybe the gentle readers can tell more yet), and such?

-- 
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: --export-options export-reset-subkey-passwd
On 23/08/2017 23:59, Werner Koch wrote:
> On Sun, 13 Aug 2017 08:17, dani...@grinta.net said:
>
>> Digging a bit more, it seems that the functionality got dropped because
>> with GnuPG 2.x all key manipulations go through gpg-agent and it does
>> not (yet?) support password reset on export.
>
> Unfortunately this is still an open bug:
>
> https://dev.gnupg.org/T1753
>
> we won't be able to fix it for 2.2.0 but given that it is marked as a
> bug it can and should be fixed in the soon to be released 2.2 series.

As a work around I came up with this simple script, which has the sole
problem of asking the secret subkey passphrase a few times too much, and
of requiring one to explicitly enter an empty passphrase.

Let me know if it is excessively dummy or if there is a better way.

Cheers,
Daniele


#!/bin/sh
set -e

KEY="$1"
shift

# make sure to have a "!" at the end of the key fingerprint to export
# exclusively the corresponding subkey and not the primary key
# (POSIX test(1) compares strings with "=", not "=="; dash rejects "==")
if [ "$KEY" = "${KEY%\!}" ]
then
    KEY="$KEY"\!
fi

# private scratch home directory, removed on exit together with the
# gpg-agent that gpg starts for it (the agent would otherwise outlive
# the script while still caching the subkey passphrase)
umask 0077
TMPDIR=$(mktemp -d)
trap 'gpgconf --homedir "$TMPDIR" --kill gpg-agent 2>/dev/null || true; rm -rf "$TMPDIR"; exit' 0 1 2 3 15

# import only the subkey into the scratch home, reset its passphrase
# there, then export the result; the real primary secret key never
# leaves the normal keyring
gpg --export-secret-subkey "$KEY" | gpg --homedir "$TMPDIR" --import
gpg --homedir "$TMPDIR" --change-passphrase "$KEY"
gpg --homedir "$TMPDIR" --armor "$@" --export-secret-subkey "$KEY"
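Before the export produced by a script like the one above is copied to the unattended signing host, it is worth checking that it really contains only what was intended: the primary secret key reduced to a GnuPG stub (GnuPG's `--export-secret-subkeys` keeps a tag-5 packet but replaces its secret part with the "GNU" S2K extension) and a subkey whose S2K usage octet is 0, i.e. no passphrase left. The following inspector is an added example for this thread, not GnuPG code and not part of the posted script. It assumes binary input (pipe `--armor` output through `gpg --dearmor` first), follows the v4 key packet layout of RFC 4880 and the GNU stub layout from GnuPG's doc/DETAILS, and the sample packets at the bottom are constructed with dummy MPIs rather than real key material.

```python
"""Inspect a GnuPG secret-subkey export before shipping it to a signing
host: which secret key packets it carries and whether each one is
passphrase-protected, a GNU stub, or unprotected.  Added example for this
thread; not GnuPG code and not part of the posted script.  Layout per
RFC 4880 (4.2, 5.5.1.3, 5.5.3) and GnuPG's S2K extension 101 ("GNU")."""

# Public-key algorithm IDs decide how many MPIs the public part carries.
RSA, ELGAMAL, DSA, ECDH, ECDSA, EDDSA = {1, 2, 3}, 16, 17, 18, 19, 22


def _skip_mpi(buf, pos):
    """An MPI is a 2-byte bit count followed by ceil(bits/8) bytes."""
    bits = int.from_bytes(buf[pos:pos + 2], "big")
    return pos + 2 + (bits + 7) // 8


def _packet_header(buf, pos):
    """Return (tag, body_start, body_end); handles old and new headers."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("no packet at offset %d" % pos)
    if ctb & 0x40:                          # new-format header
        tag, first = ctb & 0x3F, buf[pos + 1]
        if first < 192:
            length, hdr = first, 2
        elif first < 224:
            length, hdr = ((first - 192) << 8) + buf[pos + 2] + 192, 3
        elif first == 255:
            length, hdr = int.from_bytes(buf[pos + 2:pos + 6], "big"), 6
        else:
            raise ValueError("partial body length not supported")
    else:                                   # old-format header
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        hdr = 1 + (1 << ltype)
        length = int.from_bytes(buf[pos + 1:pos + hdr], "big")
    return tag, pos + hdr, pos + hdr + length


def protection(body):
    """Classify the secret part of a v4 tag-5 / tag-7 packet body."""
    if body[0] != 4:
        raise ValueError("only version 4 keys handled")
    algo, pos = body[5], 6                  # after version + 4-byte timestamp
    if algo in (ECDH, ECDSA, EDDSA):
        pos += 1 + body[pos]                # curve OID: 1-byte length + OID
    n_mpi = {DSA: 4, ELGAMAL: 3, ECDH: 1, ECDSA: 1, EDDSA: 1}.get(
        algo, 2 if algo in RSA else None)
    if n_mpi is None:
        raise ValueError("unknown public-key algorithm %d" % algo)
    for _ in range(n_mpi):
        pos = _skip_mpi(body, pos)
    if algo == ECDH:
        pos += 1 + body[pos]                # KDF params: 1-byte length + fields
    usage = body[pos]                       # S2K usage octet
    if usage == 0:
        return "unprotected"                # secret MPIs stored in the clear
    if usage in (254, 255):
        # usage, cipher algo, S2K specifier, hash algo, then "GNU" + mode
        if body[pos + 2] == 101 and body[pos + 4:pos + 7] == b"GNU":
            return {1: "stub", 2: "smartcard"}.get(body[pos + 7], "gnu-ext")
        return "protected"
    return "legacy"                         # old style: usage is a cipher ID


def inspect_secret_export(blob):
    """List (kind, protection) for every secret key packet in a binary export."""
    found, pos = [], 0
    while pos < len(blob):
        tag, start, end = _packet_header(blob, pos)
        if tag in (5, 7):
            kind = "primary" if tag == 5 else "subkey"
            found.append((kind, protection(blob[start:end])))
        pos = end
    return found


def safe_for_unattended_host(blob):
    """The thread's goal: no usable primary secret key, at least one subkey
    with its passphrase removed, and nothing still passphrase-protected."""
    found = inspect_secret_export(blob)
    primary_ok = all(p == "stub" for k, p in found if k == "primary")
    subkeys = [p for k, p in found if k == "subkey"]
    return primary_ok and "unprotected" in subkeys and \
        all(p in ("unprotected", "stub") for p in subkeys)


# --- constructed sample input: dummy MPIs, not real key material ----------
def _rsa_packet(tag, secret_part):
    public = b"\x04" + b"\x00" * 4 + b"\x01"          # v4, timestamp 0, RSA
    public += b"\x00\x10\xc0\x01" + b"\x00\x02\x03"   # n (16 bits), e = 3
    body = public + secret_part
    return bytes([0xC0 | tag, len(body)]) + body      # new-format header

STUB = b"\xff\x00\x65\x00GNU\x01"                     # usage 255, S2K 101, mode 1
CLEAR = b"\x00" + b"\x00\x02\x03" * 4 + b"\x00\x14"   # usage 0, d p q u, checksum
LOCKED = b"\xfe\x09\x03\x08" + b"\x5a" * 8 + b"\x60" + b"\x00" * 16 + b"\x11" * 16
USERID = b"\xcd\x13" + b"alice (constructed)"         # tag 13, 19-byte body

GOOD_EXPORT = _rsa_packet(5, STUB) + USERID + _rsa_packet(7, CLEAR)
BAD_EXPORT = _rsa_packet(5, CLEAR) + USERID + _rsa_packet(7, LOCKED)

if __name__ == "__main__":
    for name, blob in (("good", GOOD_EXPORT), ("bad", BAD_EXPORT)):
        print(name, inspect_secret_export(blob), safe_for_unattended_host(blob))
```

`gpg --list-packets` on the exported file shows the same facts by hand (the stub's GNU S2K and the subkey's S2K usage); the parser only makes the policy checkable in a deploy step, so a subkey that still carries a passphrase, or an export that accidentally includes real primary key material, is rejected before it reaches the signing host.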
Re: --export-options export-reset-subkey-passwd
Hello Werner,

On 8/23/17 11:59 PM, Werner Koch wrote:
> On Sun, 13 Aug 2017 08:17, dani...@grinta.net said:
>
>> Digging a bit more, it seems that the functionality got dropped because
>> with GnuPG 2.x all key manipulations go through gpg-agent and it does
>> not (yet?) support password reset on export.
>
> Unfortunately this is still an open bug:
>
> https://dev.gnupg.org/T1753
>
> we won't be able to fix it for 2.2.0 but given that it is marked as a
> bug it can and should be fixed in the soon to be released 2.2 series.

I would like to help get this fixed. What is the plan to implement it?

Thanks.

Cheers,
Daniele
Re: --export-options export-reset-subkey-passwd
On Sun, 13 Aug 2017 08:17, dani...@grinta.net said:

> Digging a bit more, it seems that the functionality got dropped because
> with GnuPG 2.x all key manipulations go through gpg-agent and it does
> not (yet?) support password reset on export.

Unfortunately this is still an open bug:

  https://dev.gnupg.org/T1753

we won't be able to fix it for 2.2.0 but given that it is marked as a
bug it can and should be fixed in the soon to be released 2.2 series.


Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are governed by a federal law.
Re: --export-options export-reset-subkey-passwd
On 12/08/17 20:15, Daniele Nicolodi wrote:
> Hello,
>
> I have a workflow where I use this option to reset the subkey passphrase
> during export to a remote system where the subkey is used for unattended
> signing. This option has been removed in GnuPG 2.1, and I haven't found
> a way to obtain the same result.

Digging a bit more, it seems that the functionality got dropped because
with GnuPG 2.x all key manipulations go through gpg-agent and it does
not (yet?) support password reset on export.

Is there any plan to bring back this functionality? I'm willing to
contribute code, but I would need guidance on the foreseen way to
implement this.

Cheers,
Daniele
--export-options export-reset-subkey-passwd
Hello,

I have a workflow where I use this option to reset the subkey passphrase
during export to a remote system where the subkey is used for unattended
signing. This option has been removed in GnuPG 2.1, and I haven't found
a way to obtain the same result.

Does anyone have any tip?

Thanks!

Cheers,
Daniele