Hi @Brian Minton and @Doug Barton, thanks for the info. I use the GPG Suite (https://gpgtools.org/), which has the really useful GPG Keychain GUI for managing keys. So I don’t need to use the command line, but I want to learn how to do so, hence my question, which was really about the behaviour of gpg (I am using version 2.0.26).
I think it would be nice to have gpg (on the command line) show an auto-completion list of the short IDs of all keys associated with a particular email when the user does $ gpg --edit-key <email>, simply because it is easier to remember an email than a key ID, no matter how short. Users think in terms of emails, not key IDs (maybe this would be different for a regular user of encryption tools). At the moment what this does is launch gpg and point it to a revoked key. This seems wrong, even if the command is ambiguous. I can always do $ gpg --edit-key <short key ID> to edit a specific key, but I’m making a point about having gpg be neater on the command line. I don’t know whether this is an issue with other users, but I thought I would bring it to the forum’s attention.

I’m still relatively new to GnuPG (and using encryption) but I think what confuses (or overwhelms) a lot of people about encryption tools is the amount of work involved in key management - for example, what is the actual difference in practice between a revoked key and an expired key? Do most people here think that it is OK to delete a revoked key only a sufficient passage of time,

Sandeep Murthy
s.mur...@mykolab.com

> On 29 Dec 2014, at 15:28, gnupg-users-requ...@gnupg.org wrote:
>
> Send Gnupg-users mailing list submissions to
> gnupg-users@gnupg.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
> or, via email, send a message with subject or body 'help' to
> gnupg-users-requ...@gnupg.org
>
> You can reach the person managing the list at
> gnupg-users-ow...@gnupg.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Gnupg-users digest..."
>
> Today's Topics:
>
> 1. Re: [Gnupg-users] (Brian Minton)
> 2. Using a GPG key as ssh key: ssh socket & coments on "rsa" keys. (Pablo Olmos de Aguilera C.)
> 3. Re: [Gnupg-users] (MFPA)
> 4. Re: Key selection (MFPA)
> 5. RE: Unable to encrypt file with private/public key (Haritwal, Dhiraj)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 27 Dec 2014 18:12:57 -0500
> From: Brian Minton <br...@minton.name>
> To: Sandeep Murthy <s.mur...@mykolab.com>
> Cc: GnuPG Users <gnupg-users@gnupg.org>
> Subject: Re: [Gnupg-users]
> Message-ID: <canyoob3prm7tb5kr8rb7jp8z717wxpmrsv2p0c_cbxjpcoj...@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> I would just backup the expired and revoked keys, then delete them. I personally never have used my revoked keys. I mean maybe once in a very great while, I come across a file encrypted with my old key on my hard drive, but that's happened maybe twice in the last ten years.
>
> On Dec 27, 2014 1:54 PM, "Sandeep Murthy" <s.mur...@mykolab.com> wrote:
> >
> > Hi
> >
> > I have GnuPG/MacGPG2 (v. 2.0.26) on my system (OS X 10.10.1), installed via GPG Tools Suite.
> >
> > I have four keypairs associated with my main email, two of which are revoked and one expired. But if I try to edit the main key associated with email by
> >
> > $ gpg --edit-key <email>
> >
> > then it invokes gpg and points to one of the revoked keys rather than the active key. I have to explicitly give the short ID of the active key to edit that key and get its fingerprint.
> >
> > Is there a way to change this, or am I doing something wrong?
> >
> > Sandeep Murthy
> > s.mur...@mykolab.com
> >
> > _______________________________________________
> > Gnupg-users mailing list
> > Gnupg-users@gnupg.org
> > http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
> ------------------------------
>
> Message: 2
> Date: Sat, 27 Dec 2014 02:22:46 -0300
> From: "Pablo Olmos de Aguilera C." <pa...@odac.co>
> To: gnupg-users@gnupg.org
> Subject: Using a GPG key as ssh key: ssh socket & coments on "rsa" keys.
> Message-ID: <1419657766.1420258.207045969.3abb8...@webmail.messagingengine.com>
> Content-Type: text/plain
>
> I've read about using a GPG key as SSH key, but somehow I can't implement it correctly; I have been following the steps outlined in this post from 2012[1].
>
> Here are the steps I have been following:
>
> 1. Create a new subkey with authentication capabilities:
>
> sub rsa4096/989A8388
> created: 2014-12-19 expires: 2015-12-19 usage: A
>
> 2. Find keygrip:
>
> $ gpg --with-keygrip -k pablo
> sub rsa4096/989A8388 2014-12-19 [expires: 2015-12-19]
> Keygrip = 5541F31ADF830A61126C8F0167A506F9ABF2D324
>
> 3. Add the keygrip to sshcontrol
>
> echo '5541F31ADF830A61126C8F0167A506F9ABF2D324 0' >> .config/gnupg/sshcontrol
>
> This works okay, though, sometimes the SSH_AUTH_LOCK is lost. As a workaround I'm exporting the default location:
>
> export SSH_AUTH_SOCK=/home/pablo/.config/gnupg/S.gpg-agent.ssh
>
> But I guess something is happening.
>
> Also, when listing keys, with ssh-add -l:
>
> 4096 11:22:33:44:55:66:77:88:99..... (none) (RSA)
>
> The keys (obviously?) don't have any comment, which makes it a bit hard to manage (when I copy them with ssh-add -L to the desired host, I write a comment in the `.ssh/authorized_keys` file), but I imagine there should be a more straightforward way.
>
> [1]: http://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html
>
> PS.- Please cc me, since I'm not subscribed to the list.
>
> Regards
> --
> Pablo Olmos de Aguilera C.
>
> ------------------------------
>
> Message: 3
> Date: Mon, 29 Dec 2014 00:11:07 +0000
> From: MFPA <2014-667rhzu3dc-lists-gro...@riseup.net>
> To: "Sandeep Murthy on GnuPG-Users" <gnupg-users@gnupg.org>
> Subject: Re: [Gnupg-users]
> Message-ID: <229257575.20141229001107@my_localhost>
> Content-Type: text/plain; charset=utf-8
>
> On Saturday 27 December 2014 at 5:36:25 PM, in <mid:57c2f421-f088-44a5-8007-f4f6b3623...@mykolab.com>, Sandeep Murthy wrote:
>
> > I have four keypairs associated with my main email, two of which are revoked and one expired. But if I try to edit the main key associated with email by
> >
> > $ gpg --edit-key <email>
> >
> > then it invokes gpg and points to one of the revoked keys rather than the active key. I have to explicitly give the short ID of the active key to edit that key and get its fingerprint.
>
> To just view the fingerprints, you could try:-
>
> gpg --list-keys <email>
>
> The listing should indicate which keys are revoked or expired.
>
> --
> Best regards
>
> MFPA mailto:2014-667rhzu3dc-lists-gro...@riseup.net
>
> A closed door is an invitation to knock
>
> ------------------------------
>
> Message: 4
> Date: Mon, 29 Dec 2014 01:14:46 +0000
> From: MFPA <2014-667rhzu3dc-lists-gro...@riseup.net>
> To: "Doug Barton on GnuPG-Users" <gnupg-users@gnupg.org>
> Subject: Re: Key selection
> Message-ID: <1314470459.20141229011446@my_localhost>
> Content-Type: text/plain; charset=utf-8
>
> On Saturday 27 December 2014 at 7:41:41 PM, in <mid:549F0B75.1070203@dougbarton.email>, Doug Barton wrote:
>
> > If you have multiple keys that match a pattern (such as your e-mail address) then gpg is going to take its best guess as to which one you mean.
>
> If several signing keys match the "From" email address, my email client manages to get GnuPG to return a list so that I can choose which key to use for signing. Conversely, if I sign a file from the commandline using the --local-user option with a string that matches several signing keys, I am not presented with this choice.
>
> If several encryption keys match the "To" address of an email, there is no such choice of keys offered by my MUA and GnuPG picks one to use for encryption. GnuPG also picks the key itself when I encrypt from the commandline and use a non-unique pattern.
>
> --
> Best regards
>
> MFPA mailto:2014-667rhzu3dc-lists-gro...@riseup.net
>
> Wise men learn many things from their enemies.
>
> ------------------------------
>
> Message: 5
> Date: Mon, 29 Dec 2014 14:57:18 +0000
> From: "Haritwal, Dhiraj" <dhiraj.harit...@ap.sony.com>
> To: Pete Stephenson <p...@heypete.com>
> Cc: "gnupg-users@gnupg.org" <gnupg-users@gnupg.org>
> Subject: RE: Unable to encrypt file with private/public key
> Message-ID: <bb9b5a6872d97741bfa9070540661288018d5...@apsinxms07.ap.sony.com>
> Content-Type: text/plain; charset="utf-8"
>
> Almost done now. After I signed partner's public key, that warning has gone.
>
> I am using below command to encrypt file with my private key & partner's public key & partner is using my private key & their public key to decrypt it but it's getting fail. Am I using anything wrong here?
>
> ./gpg --local-user 'MY USER' --recipient partner_pubkey --encrypt --armor /tmp/test/data1.CSV
>
> Tried to use --sign which is asking passphrase which don't want to use. Can we sign without passphrase & only with public/private key?
>
> Dhiraj
>
> From: Pete Stephenson [mailto:p...@heypete.com]
> Sent: 23 December 2014 11:24
> To: Haritwal, Dhiraj
> Cc: gnupg-users@gnupg.org
> Subject: RE: Unable to encrypt file with private/public key
>
> On Dec 22, 2014 7:30 AM, "Haritwal, Dhiraj" <dhiraj.harit...@ap.sony.com> wrote:
> >
> > Thank you very much for all the explanation/links. Now things are bit clear.
> >
> > Now I have to encrypt file with partner's Public Key. I tried with below command which is still showing warning message (gpg: 89709B71: There is no assurance this key belongs to the named user) whereas if I am checking partner_pubkey, it's showing full trust. How can I remove this message? Even I have added partner's public key as trusted.
> >
> > ./gpg --encrypt --recipient partner_pubkey --armor /tmp/test/data.CSV
>
> I'm glad things are working better.
>
> To resolve the issue with the assurance message, manually verify that the key belongs to the recipient (e.g. meet in person or call them and verify the fingerprint of their key) and then sign the key using GnuPG. (gpg --sign-key 0xKEYID)
>
> In GnuPG you vouch that a particular public key belongs to a person (or organization) by signing their public key. This signature can be local or published publicly.
>
> "Trust" in GnuPG is different, and reflects how much you trust the other key to correctly vouch for the identity of others. If you set their key as fully trusted, keys that are signed by that key are treated by your copy of GnuPG with the same level of assurance as if you signed them yourself. Typically this should only be reserved for people you know to always check the identity of other people thoroughly and correctly before signing their keys. The default is for trust to be set to "marginal".
>
> By combining signatures and trust, one forms a "web of trust": https://en.wikipedia.org/wiki/Web_of_trust
>
> Cheers!
> -Pete
>
> ------------------------------
>
> End of Gnupg-users Digest, Vol 135, Issue 42
> ********************************************
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
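The ambiguity Sandeep describes (several keys match one email, and gpg --edit-key <email> lands on a revoked one) can be sidestepped by resolving the email to a single usable fingerprint first and handing that to --edit-key. Added example, not code from the thread or from GnuPG: it parses the colon-delimited output of `gpg --with-colons --fingerprint --list-keys <email>`, assumed to have been captured beforehand; the listing, key IDs and email address below are constructed.

```python
# Added example (not from the thread): pick the one usable key for an email
# from `gpg --with-colons --fingerprint --list-keys <email>` output, so that
# --edit-key can be given a full fingerprint instead of an ambiguous email.
# Record layout per GnuPG doc/DETAILS: field 1 = record type, field 2 =
# validity (r revoked, e expired, ...), field 5 = key ID, field 10 = user ID
# on 'uid' records and the fingerprint on 'fpr' records.

# Constructed listing: four keys for one email, two revoked, one expired, one valid.
SAMPLE_LISTING = """\
pub:r:4096:1:1111111111111111:1400000000:::-:::sca:
fpr:::::::::1111111111111111111111111111111111111111:
uid:r::::1400000000::HASH1::Sandeep Murthy <sandeep@example.org>:
pub:e:4096:1:3333333333333333:1380000000:1411000000::-:::sca:
fpr:::::::::3333333333333333333333333333333333333333:
uid:e::::1380000000::HASH3::Sandeep Murthy <sandeep@example.org>:
pub:u:4096:1:4444444444444444:1418000000:1449000000::u:::scaESCA:
fpr:::::::::4444444444444444444444444444444444444444:
uid:u::::1418000000::HASH4::Sandeep Murthy <sandeep@example.org>:
sub:u:4096:1:5555555555555555:1418000000:1449000000:::::e:
pub:r:2048:1:6666666666666666:1300000000:::-:::sca:
fpr:::::::::6666666666666666666666666666666666666666:
uid:r::::1300000000::HASH6::Sandeep Murthy <sandeep@example.org>:
"""

UNUSABLE = {"r", "e", "i", "d", "n"}  # revoked, expired, invalid, disabled, never

def parse_keys(listing):
    """Group the listing into primary keys: key ID, validity, fingerprint, UIDs."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "validity": f[1], "fpr": None, "uids": []})
        elif f[0] == "fpr" and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]  # first fpr after pub belongs to the primary key
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append((f[1], f[9]))  # (uid validity, user ID string)
    return keys

def select_key(listing, email):
    """Fingerprint of the single usable key carrying a non-revoked UID for email."""
    needle = "<%s>" % email.lower()
    hits = [k for k in parse_keys(listing)
            if k["validity"] not in UNUSABLE
            and any(needle in uid.lower() and v != "r" for v, uid in k["uids"])]
    if len(hits) != 1:  # zero or several: refuse to guess, unlike --edit-key <email>
        raise LookupError("%d usable keys for %s" % (len(hits), email))
    return hits[0]["fpr"]

if __name__ == "__main__":
    print("gpg --edit-key " + select_key(SAMPLE_LISTING, "sandeep@example.org"))
```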