Changing passphrase parameters (s2k options)

2017-01-23 Thread John Lane
I've been reading about symmetric encryption of the private key. When I tried to experiment with the `--s2k` options, attempting to change the passphrase on my key, I found that they were ignored. A brief search identified issue 1800 [1] on the bug tracker which was last updated in 2015, some 20

Re: Changing passphrase parameters (s2k options)

2017-01-23 Thread John Lane
On 23/01/17 12:34, Peter Lebbing wrote: > On 23/01/17 12:54, John Lane wrote: >> Ok, so - if I understand you correctly - when I *export* the secret key >> I can choose which algorithms are applied to the exported copy ? > > No, I meant that the bug report (turned feat

Re: Changing passphrase parameters (s2k options)

2017-01-23 Thread John Lane
On 23/01/17 11:22, Peter Lebbing wrote: > It's close to what you're talking about, but not exactly. That is > specifically about *exporting* an OpenPGP secret key, not how it is > *stored* in your keyring. The protection on private-keys-v1.d is > implemented differently than the protection of the

Re: Trust signature domain

2017-01-17 Thread John Lane
>> I'm trying to experiment with trust signatures but I can't work out how >> the 'domain' question is used ? >> the only thing I've been able to find is this regular expression |<[^>]+@example.net>$|

Re: Trust signature domain

2017-01-17 Thread John Lane
On 17/01/17 19:51, Peter Lebbing wrote: > Seems like an extended regexp with a mistake. The dot would actually match any > character, it needs to be quoted: > Quite right, but it would match a dot too! I did try it with and without an escape without success. There seems to be very little
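A worked illustration of the point exchanged above, added here as an example and not code from the thread or from GnuPG: the Regular Expression subpacket on a trust signature (RFC 4880, section 5.2.3.14) restricts which user IDs the trusted introducer's certifications count for, and an unquoted `.` in the domain part matches any character, so `examplexnet` would slip through. The quoted form `<[^>]+@example.net>$` is the one from the thread; the helper names, the `include_subdomains` switch (the `[@.]` form RFC 4880 uses in its own example) and the sample user IDs are constructed for this example, and GnuPG's own regexp construction is not reproduced here.

```python
import re


def build_domain_regexp(domain: str, quote_dots: bool = True,
                        include_subdomains: bool = False) -> str:
    """Build the user-ID restriction for a trust signature limited to `domain`.

    quote_dots=True escapes the literal dots, so 'example.net' matches only
    'example.net'.  quote_dots=False reproduces the flawed form quoted in the
    thread, where the unquoted '.' matches any character.  include_subdomains=True
    uses the '[@.]' separator that RFC 4880 shows in its example, so a user ID at
    'sub.example.net' is accepted as well.
    """
    body = re.escape(domain) if quote_dots else domain
    separator = "[@.]" if include_subdomains else "@"
    return "<[^>]+" + separator + body + ">$"


def uid_matches(regexp: str, uid: str) -> bool:
    """Does the introducer's regexp accept this user ID?

    The '$' anchor is part of the regexp, as in the thread; re.search lets the
    name part before '<' be anything.
    """
    return re.search(regexp, uid) is not None


def effective_certifications(regexp: str, certified_uids) -> dict:
    """For each user ID the introducer certified, say whether the
    domain-restricted trust signature lets that certification count."""
    return {uid: uid_matches(regexp, uid) for uid in certified_uids}


# Constructed sample user IDs for this example (not the thread's real keys).
SAMPLE_UIDS = [
    "Bob <bob@example.net>",
    "Carol <carol@example.org>",
    "Mallory <mallory@examplexnet>",  # one character off; only an unquoted dot accepts it
    "Dave <dave@sub.example.net>",    # subdomain; only the [@.] form accepts it
]

if __name__ == "__main__":
    for quote, sub in ((False, False), (True, False), (True, True)):
        regexp = build_domain_regexp("example.net", quote_dots=quote, include_subdomains=sub)
        print(regexp)
        for uid, ok in effective_certifications(regexp, SAMPLE_UIDS).items():
            print(f"  {'accept' if ok else 'reject'}  {uid}")
```

Run it and compare the three passes: only the unquoted form accepts Mallory's look-alike address, and only the `[@.]` form accepts the subdomain, which is the difference between "matches a dot" and "matches any character" that the reply above is about.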

Re: Trust signature domain

2017-01-18 Thread John Lane
On 18/01/17 15:39, Damien Goutte-Gattat wrote: > > I believe there's a bug in the handling of the regular expression > associated with a trust signature. I've just submitted a patch to fix it > [1]. With that patch applied, I get the expected result for step 10 > (Blake's key is fully valid, not

Re: Trust signature domain

2017-01-18 Thread John Lane
On 18/01/17 03:03, David Shaw wrote: > > Can you post the actual user IDs of the keys you are testing with (or a > similar example.com set) so I can try them as well? Hi David, I have written a test shell script to experiment with trust signatures. The script is at https://git.io/vMXMQ There

Trust signature domain

2017-01-16 Thread John Lane
I'm trying to experiment with trust signatures but I can't work out how the 'domain' question is used ? I think I understand what it is for, but I can't enter a value and get it to work. I have a key A that has signed b...@example.com and c...@example.org If I tsign A at level 2 with the domain

Re: Terminology - certificate or key ?

2016-09-30 Thread John Lane
> I have to admit to being extremely annoyed with the state of the language we > use. OpenPGP is hard enough to learn without having to be confused by > multiple names for the same algorithms, confusing usage of "certificate", > "key", and "Key", and every other bit of linguistic tomfoolery we

Re: Terminology - certificate or key ?

2016-09-30 Thread John Lane
> [1] http://www.ietf.org/mail-archive/web/openpgp/current/msg07712.html > > [2] ftp://ftp.pgpi.org/pub/pgp/6.5/docs/english/IntroToCrypto.pdf > Great link [1], very interesting. I think the language used hasn't helped the uptake of this technology. The other thing mentioned in there is trust

Re: Listing signatures in edit mode?

2016-10-06 Thread John Lane
On 06/10/16 08:11, Werner Koch wrote: > On Wed, 5 Oct 2016 17:26, gn...@jelmail.com said: >> I know how to list signatures with "gpg --list-sigs" but is it possible >> to do so whilst in "gpg --edit-key" mode ? > > There is a "check" command which does the same as --check-sigs. > However, I just

Re: Listing signatures in edit mode?

2016-10-06 Thread John Lane
On 06/10/16 19:41, Peter Lebbing wrote: > On 06/10/16 21:10, John Lane wrote: >> Would I not expect to see sigs by FC91A390 and 63AB1D1A on E8BB8D0 ? > No, the cross-certification signature is part of the signature of > 1E8BB8D0 on 63AB1D1A. This cross-certification signatur

Re: using with su/sudo

2016-10-07 Thread John Lane
> One possible way is invoking gpg with an option > --pinentry-mode=loopback. Yes, just tried this. It works but you lose the pinentry dialog. > I created a ticket at the bug tracker. > > https://bugs.gnupg.org/gnupg/issue2739 > thanks for creating the ticket. > With the situation of

using with su/sudo

2016-10-06 Thread John Lane
The requirement for tty ownership for commands where pinentry is required causes problems for shells opened with sudo or su, where such commands generally result in a "permission denied" kind of error: $ gpg -d /tmp/encrypted.asc gpg: public key decryption failed: Permission denied I can

Terminology - certificate or key ?

2016-09-29 Thread John Lane
I was reading the FAQ and noticed that it uses the word 'certificate' to describe what I think people commonly refer to as their 'key' (ref gnupg-faq.html section 7.4 and 7.5) that they would upload to a 'key server'. * A certificate is a large data structure that contains one or more /keys/, and

Private key export for SSH

2016-10-10 Thread John Lane
I've been trying out the SSH compatibility. Everything working as per the documentation, except I have one question. How can I extract the SSH PRIVATE key ? I am using "gpg --export-ssh-key alice > ssh_key.pub" for the public key but I can't find an equivalent for the private key. The reason

Re: SSH public key comment field and gpg-agent

2016-10-17 Thread John Lane
> > Agreed, that would be useful. Feel free to open a bug report. > raised https://bugs.gnupg.org/gnupg/issue2760 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Private key export for SSH

2016-10-11 Thread John Lane
> I don't know if you can do private key export; perhaps with monkeysphere? I have Monkeysphere on my radar but I haven't got around to trying it out. I had hoped for a gpg solution without resorting to third party... > How about you just create a separate key for the machine where you don't >

Re: Private key export for SSH

2016-10-11 Thread John Lane
>> >> I think I vaguely remember Monkeysphere supporting it. > > fwiw, monkeysphere doesn't explicitly support exporting OpenPGP secret > key material to arbitrary formats. > Ok, I have done it using "openpgp2ssh" from monkeysphere (I just installed 0.39 just to get that tool). The key has to

Re: using with su/sudo

2016-10-12 Thread John Lane
> > I created a ticket at the bug tracker. > > https://bugs.gnupg.org/gnupg/issue2739 > > > With the situation of gpg-agent's allow-loopback-pinentry is default > now, perhaps, it would be the best (from the user's viewpoint) that > gpg-agent automatically fallbacks to loopback mode. > >

Re: Private key export for SSH

2016-10-12 Thread John Lane
This is just an observation. I thought that perhaps, if I had an extracted private key, that I could use "ssh-add" to add it and remove the need to manually edit "sshcontrol". I tried: $ ssh-add alice.key Identity added: alice.key (alice.key) Looking good. However... $ ssh-add -l The agent has

Re: Private key export for SSH

2016-10-13 Thread John Lane
> > John, can you please tell us which version of GnuPG you are using, and > just to be sure, also check that > > gpg-connect-agent 'getinfo version' /bye > > prints the expected version number? > > $ gpg --version gpg (GnuPG) 2.1.14 libgcrypt 1.7.2 $ gpg-agent --version gpg-agent

Re: Private key export for SSH

2016-10-11 Thread John Lane
On 10/10/16 21:12, Mauricio Tavares wrote: > Would > > gpg --export-secret-keys -a C00FFEE > secret > > do the trick? No, because that exports a gpg keyring and not an ssh private key. One might imply the below is possible, but the error would indicate that it isn't: $ gpg

SSH public key comment field and gpg-agent

2016-10-15 Thread John Lane
The SSH public key format contains a comment field (RFC4716, s3.3.2): The comment header contains a user-specified comment. u...@example.com From "man sshd": Public keys consist of the following space-separated fields: options, keytype, base64-encoded key, comment. The

Re: Private key export for SSH

2016-10-15 Thread John Lane
> > Thanks. That bug is fixed in GnuPG 2.1.15. > > Justus > Thanks Justus. I have just updated my system and now have 2.1.15 and I can confirm that it works as one would expect.

Re: using with su/sudo

2016-10-15 Thread John Lane
> > Then, the command "updatestartuptty" can fix the situation. > I tried this and it worked, in a su/sudo I had to do this: $ script -q -c '(gpg-connect-agent updatestartuptty /bye; ssh-add alice.subkey)'

GPG homedir path length limit

2017-01-14 Thread John Lane
Just experimenting in a sandbox homedir, I noticed that the homedir path needs to be below a certain size. $ pwd /home/user/a////eee/fff/ggg $ mkdir -m 700 alice.gpg $ gpg --homedir alice.gpg --gen-key gpg: can't connect to
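The observation above is consistent with the size limit on Unix-domain socket paths; that is my reading of the failure, not something the post states. GnuPG 2.1 of that period placed the agent socket (S.gpg-agent) inside the home directory, and the kernel's sockaddr_un.sun_path holds at most 108 bytes on Linux (104 on macOS and the BSDs), terminator included, so a deep enough --homedir makes the socket impossible to bind or connect to. The following Python, added as an example and not code from the thread or from GnuPG, predicts from the path length whether such a socket can exist and then checks the prediction by binding real sockets in increasingly deep temporary directories. The socket name, the limit constant and the directory layout are assumptions of the example.

```python
import os
import socket
import sys
import tempfile

# Size of sockaddr_un.sun_path: 108 bytes on Linux, 104 on macOS and the BSDs.
# Assumption of this example: the classic kernel limit, not a GnuPG constant.
SUN_PATH_MAX = 108 if sys.platform.startswith("linux") else 104

# Assumed name of the agent socket inside the GnuPG home directory.
AGENT_SOCKET_NAME = "S.gpg-agent"


def agent_socket_path(homedir: str) -> str:
    """Where a homedir-local agent socket would have to live."""
    return os.path.join(os.path.abspath(homedir), AGENT_SOCKET_NAME)


def fits_in_sun_path(path: str) -> bool:
    """Predict whether `path` plus its NUL terminator fits in sun_path."""
    return len(os.fsencode(path)) + 1 <= SUN_PATH_MAX


def can_bind_unix_socket(path: str) -> tuple:
    """Try to bind an AF_UNIX socket at `path`; return (ok, error_text).

    The socket file is removed again so the directory stays clean.
    """
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        sock.bind(path)
        return True, ""
    except OSError as exc:
        return False, str(exc)
    finally:
        sock.close()
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass


def probe_homedir_depths(depth: int = 15, segment: str = "sandbox1") -> list:
    """Nest `segment` deeper and deeper below a temporary directory and,
    at each level, record (socket_path_bytes, predicted_ok, observed_ok).

    Prediction and observation agree at every level; once the socket path
    passes the sun_path limit, bind() fails with 'AF_UNIX path too long',
    which is the condition a homedir-local gpg-agent cannot recover from.
    """
    results = []
    with tempfile.TemporaryDirectory() as base:
        homedir = base
        for _ in range(depth):
            homedir = os.path.join(homedir, segment)
            os.makedirs(homedir, mode=0o700, exist_ok=True)
            path = agent_socket_path(homedir)
            predicted = fits_in_sun_path(path)
            observed, _err = can_bind_unix_socket(path)
            results.append((len(os.fsencode(path)), predicted, observed))
    return results


if __name__ == "__main__":
    for length, predicted, observed in probe_homedir_depths():
        print(f"socket path {length:3d} bytes: predicted "
              f"{'ok' if predicted else 'too long'}, "
              f"bind {'succeeded' if observed else 'failed'}")
```

The practical check before creating a sandbox homedir is therefore the length of `<homedir>/S.gpg-agent` in bytes against the platform's sun_path size, not the length of the directory name alone; a deliberately deep or long temporary path is the usual way to trip it.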

Prompting on concurrent invocations of gpg

2021-03-16 Thread John Lane
Hello, I have a scenario where gpg is prompting for a passphrase when I don't think it should because it is cached in the agent. It seems to be triggered by concurrent use. Here is an example. First, create some encrypted data: $ echo test | gpg --encrypt -o test.gpg -r Then decrypt it a

Re: Prompting on concurrent invocations of gpg

2021-03-16 Thread John Lane
> > Probably the easiest way to avoid this is to seed the cache of gpg-agent with > the needed passphrases before starting the concurrent invocations. See > man gpg-preset-passphrase > for details. > I just tried that to see if it would help. It doesn't make any difference because the

Re: Prompting on concurrent invocations of gpg

2021-03-19 Thread John Lane
On 16/03/2021 11:19, John Lane wrote: > Hello, I have a scenario where gpg is prompting for a passphrase when I > don't think it should because it is cached in the agent. It seems to be > triggered by concurrent use. Here is an example. > I've asked someone else to try this and the