Re: dns cert support
On Tue, 04 Apr 2006, David Shaw wrote:
> > Also, is there a tool that produces a snippet which is ready for
> > inclusion into a zone file anywhere? Something similar to ssh-keygen
> > for SSHFP RRs:
> > [EMAIL PROTECTED]:~$ ssh-keygen -r galaxy -f /etc/ssh/ssh_host_rsa_key -g
> > galaxy IN TYPE44 \# 22 01 01 40cc5559546421d15fe9c1064713636a02373ad2
> > [EMAIL PROTECTED]:~$ ssh-keygen -r galaxy -f /etc/ssh/ssh_host_rsa_key
> > galaxy IN SSHFP 1 1 40cc5559546421d15fe9c1064713636a02373ad2
>
> Good idea. I just checked one in to the GnuPG SVN.
It seems it considers whitespace part of the fpr when creating IPGP
data.
For instance:
| [EMAIL PROTECTED]:~/local/src/gnupg/gnupg14/tools$ ./make-dns-cert -f '5B00
C96D 5D54 AEE1 206B AF84 DE7A AF6E 94C0 9C7F' -n foo
| foo TYPE37 \# 31 0006 00 19 5B00 C96D 5D54 AEE1 206B AF84 DE7A
AF6E 94C0 9C7F
^^
| [EMAIL PROTECTED]:~/local/src/gnupg/gnupg14/tools$ ./make-dns-cert -f '5B00
C96D 5D54 AEE1 206B AF84 DE7A AF6E94C09C7F' -n foo
| foo TYPE37 \# 30 0006 00 18 5B00 C96D 5D54 AEE1 206B AF84 DE7A
AF6E94C09C7F
^^
It should just ignore whitespace when counting fingerprint length.
| ./make-dns-cert -f '5B00 C96D 5D54 AEE1 206B AF84 DE7A AF6E94C09C7F' -n foo
| foo TYPE37 \# 26 0006 00 14 5B00 C96D 5D54 AEE1 206B AF84 DE7A
AF6E94C09C7F
This should fix it:
Index: make-dns-cert.c
===
--- make-dns-cert.c (revision 4091)
+++ make-dns-cert.c (working copy)
@@ -24,6 +24,7 @@
#ifdef HAVE_GETOPT_H
#include
#endif
+#include
#include
#include
#include
@@ -97,7 +98,20 @@
if(fpr)
{
- fprlen=strlen(fpr);
+ const char *tmp = fpr;
+ while (*tmp)
+ {
+ if (isxdigit(*tmp))
+ {
+ fprlen++;
+ }
+ else if (!isspace(*tmp))
+ {
+ printf("Fingerprint must consist of only hex digits (and
whitespace)\n");
+ return 1;
+ }
+ tmp++;
+ }
if(fprlen%2)
{
printf("Fingerprint must be an even number of characters\n");
And a second patch that uses stderr for errors on top of this one:
--- make-dns-cert.c.orig2006-04-05 09:57:48.725050937 +0200
+++ make-dns-cert.c 2006-04-05 10:00:23.675749478 +0200
@@ -45,20 +45,20 @@
fd=open(keyfile,O_RDONLY);
if(fd==-1)
{
- printf("Cannot open key file %s: %s\n",keyfile,strerror(errno));
+ fprintf(stderr, "Cannot open key file %s: %s\n",keyfile,strerror(errno));
return 1;
}
err=fstat(fd,&statbuf);
if(err==-1)
{
- printf("Unable to stat key file %s: %s\n",keyfile,strerror(errno));
+ fprintf(stderr, "Unable to stat key file %s:
%s\n",keyfile,strerror(errno));
goto fail;
}
if(statbuf.st_size>32768)
{
- printf("Key %s too large for CERT encoding\n",keyfile);
+ fprintf(stderr, "Key %s too large for CERT encoding\n",keyfile);
goto fail;
}
@@ -73,7 +73,7 @@
err=read(fd,buffer,1024);
if(err==-1)
{
- printf("Unable to read key file %s: %s\n",keyfile,strerror(errno));
+ fprintf(stderr, "Unable to read key file %s:
%s\n",keyfile,strerror(errno));
goto fail;
}
@@ -107,14 +107,14 @@
}
else if (!isspace(*tmp))
{
- printf("Fingerprint must consist of only hex digits (and
whitespace)\n");
+ fprintf(stderr, "Fingerprint must consist of only hex digits (and
whitespace)\n");
return 1;
}
tmp++;
}
if(fprlen%2)
{
- printf("Fingerprint must be an even number of characters\n");
+ fprintf(stderr, "Fingerprint must be an even number of characters\n");
return 1;
}
@@ -127,7 +127,7 @@
if(!fpr && !url)
{
- printf("Cannot generate a CERT without either a fingerprint or URL\n");
+ fprintf(stderr, "Cannot generate a CERT without either a fingerprint or
URL\n");
return 1;
}
@@ -150,13 +150,13 @@
}
static void
-usage(void)
+usage(FILE *f)
{
- printf("make-dns-cert\n");
- printf("\t-f\tfingerprint\n");
- printf("\t-u\tURL\n");
- printf("\t-k\tkey file\n");
- printf("\t-n\tDNS name\n");
+ fprintf(f, "make-dns-cert\n");
+ fprintf(f, "\t-f\tfingerprint\n");
+ fprintf(f, "\t-u\tURL\n");
+ fprintf(f, "\t-k\tkey file\n");
+ fprintf(f, "\t-n\tDNS name\n");
}
int
@@ -167,7 +167,7 @@
if(argc==1)
{
- usage();
+ usage(stderr);
return 0;
}
else if(argc>1 && strcmp(argv[1],"--version")==0)
@@ -177,7 +177,7 @@
}
else if(argc>1 && strcmp(argv[1],"--help")==0)
{
- usage();
+ usage(stdout);
return 0;
}
@@ -186,7 +186,7 @@
{
default:
case 'h':
- usage();
+ usage(stdout);
Re: gpg-zip?
On Tue, 4 Apr 2006 23:47:35 -0700 (PDT), Bjørk said: > I've searched the manual and the installation path for gnupg for > Windows and I can't find the program or find it mentioned in the > manual. Why isn't it included in the Windows version? Because it won't work with Windows. It requires a Bourne shell and the tar tool - this is not available under Windows. Shalom-Salam, Werner ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: dns cert support
On Wed, 5 Apr 2006 10:02:28 +0200, Peter Palfrader said:
> + const char *tmp = fpr;
> + while (*tmp)
> + {
> + if (isxdigit(*tmp))
Will segv on many non-glibc systems if you pass non-ascii characters
to it. Never ever use isfoo functions without additional checks.
Salam-Shalom,
Werner
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: dns cert support
On Wed, 05 Apr 2006, Werner Koch wrote:
> On Wed, 5 Apr 2006 10:02:28 +0200, Peter Palfrader said:
>
> > + const char *tmp = fpr;
> > + while (*tmp)
> > + {
> > + if (isxdigit(*tmp))
>
> Will segv on many non-glibc systems if you pass non-ascii characters
> to it. Never ever use isfoo functions without additional checks.
ick.
Index: make-dns-cert.c
===
--- make-dns-cert.c (revision 4091)
+++ make-dns-cert.c (working copy)
@@ -97,7 +97,22 @@
if(fpr)
{
- fprlen=strlen(fpr);
+ const char *tmp = fpr;
+ while (*tmp)
+ {
+ if ((*tmp >= 'A' && *tmp <= 'F') ||
+ (*tmp >= 'a' && *tmp <= 'f') ||
+ (*tmp >= '0' && *tmp <= '9'))
+ {
+ fprlen++;
+ }
+ else if (*tmp != ' ' && *tmp != '\t')
+ {
+ printf("Fingerprint must consist of only hex digits (and
whitespace)\n");
+ return 1;
+ }
+ tmp++;
+ }
if(fprlen%2)
{
printf("Fingerprint must be an even number of characters\n");
--
PGP signed and encrypted | .''`. ** Debian GNU/Linux **
messages preferred.| : :' : The universal
| `. `' Operating System
http://www.palfrader.org/ | `-http://www.debian.org/
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg-zip?
Werner Koch wrote: > On Tue, 4 Apr 2006 23:47:35 -0700 (PDT), Bjørk said: > >> I've searched the manual and the installation path for gnupg for >> Windows and I can't find the program or find it mentioned in the >> manual. Why isn't it included in the Windows version? > > Because it won't work with Windows. It requires a Bourne shell and > the tar tool - this is not available under Windows. > Unless you have Cygwin or MSYS. -- Alphax Message composed: 2006-04-05T19:54:29+09:30 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: dns cert support
On Tue, 04 Apr 2006, Peter Palfrader wrote: > On Mon, 03 Apr 2006, Werner Koch wrote: > > > * New auto-key-locate option that takes an ordered list of methods > > to locate a key if it is not available at encryption time (-r or > > --recipient). Possible methods include "cert" (use DNS CERT as > > per RFC2538bis, "pka" (use DNS PKA), "ldap" (consult the LDAP > > server for the domain in question), "keyserver" (use the > > currently defined keyserver), as well as arbitrary keyserver > > URIs that will be contacted for the key. > > > > * Able to retrieve keys using DNS CERT records as per RFC-2538bis > > (currently in draft): http://www.josefsson.org/rfc2538bis > > How would I try to retrieve the key for [EMAIL PROTECTED] from DNS[1] > using GnuPG's command line, other than simulating an encryption (like in > gpg --auto-key-locate cert --recipient [EMAIL PROTECTED] --encrypt) > to the user in question? I notice that if I have both, a IPGP and a PGP CERT RR that GnuPG fails to import the key some of the time: | [EMAIL PROTECTED]:~/tmp/g$ echo fo | gpg --auto-key-locate cert --recipient [EMAIL PROTECTED] --encrypt | gpg: [EMAIL PROTECTED]: skipped: public key not found | gpg: [stdin]: encryption failed: public key not found | [EMAIL PROTECTED]:~/tmp/g$ echo fo | gpg --auto-key-locate cert --recipient [EMAIL PROTECTED] --encrypt | gpg: [EMAIL PROTECTED]: skipped: public key not found | gpg: [stdin]: encryption failed: public key not found | [EMAIL PROTECTED]:~/tmp/g$ echo fo | gpg --auto-key-locate cert --recipient [EMAIL PROTECTED] --encrypt | gpg: ./trustdb.gpg: trustdb created | gpg: key 94C09C7F: public key "Peter Palfrader" imported } ;; ANSWER SECTION: } peter.palfrader.org.43200 IN CERT6 0 0 FFsAyW1dVK7hIGuvhN56r26UwJx/ } peter.palfrader.org.43200 IN CERTPGP 0 0 mQGiBDgp0YcRBACN9s8EycXRsu9ym3Sjou1N. Is having them both not supported or is there a bug somewhere? Cheers, Peter -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred.| : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `-http://www.debian.org/ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: dns cert support
On Wed, Apr 05, 2006 at 12:30:42PM +0200, Peter Palfrader wrote: > I notice that if I have both, a IPGP and a PGP CERT RR that GnuPG fails > to import the key some of the time: [..] > } ;; ANSWER SECTION: > } peter.palfrader.org.43200 IN CERT6 0 0 > FFsAyW1dVK7hIGuvhN56r26UwJx/ > } peter.palfrader.org.43200 IN CERTPGP 0 0 > mQGiBDgp0YcRBACN9s8EycXRsu9ym3Sjou1N. > > Is having them both not supported or is there a bug somewhere? At the moment, GnuPG will take whichever it sees first (the PGP or the IPGP, but not both). So given round robining, if you have both, it will seem to flip back and forth between the two. I'm thinking about having GPG favor one or the other in these cases (probably PGP since if it has already fetched the whole key, it may as well import it rather than go to a web page or keyserver somewhere). The reason it is not fetching from the IPGP record you have there is there is only a fingerprint, and you must have a --keyserver defined for it to fetch the fingerprint from in that case. Do you have a --keyserver defined? David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: dns cert support
On Wed, 05 Apr 2006, David Shaw wrote: > On Wed, Apr 05, 2006 at 12:30:42PM +0200, Peter Palfrader wrote: > > > I notice that if I have both, a IPGP and a PGP CERT RR that GnuPG fails > > to import the key some of the time: > > [..] > > > } ;; ANSWER SECTION: > > } peter.palfrader.org.43200 IN CERT6 0 0 > > FFsAyW1dVK7hIGuvhN56r26UwJx/ > > } peter.palfrader.org.43200 IN CERTPGP 0 0 > > mQGiBDgp0YcRBACN9s8EycXRsu9ym3Sjou1N. > > > > Is having them both not supported or is there a bug somewhere? > > At the moment, GnuPG will take whichever it sees first (the PGP or the > IPGP, but not both). So given round robining, if you have both, it > will seem to flip back and forth between the two. I'm thinking about > having GPG favor one or the other in these cases (probably PGP since > if it has already fetched the whole key, it may as well import it > rather than go to a web page or keyserver somewhere). On the other hand the key that is fetched via DNS has serious size constraints - DNS limits the RDATA to 64k and I think GnuPG further limits this to 16k. In my case I have significantly stripped down my key in order to store it in DNS, so maybe going to the keyserver or the location specified in IPGP might be a good idea. > The reason it is not fetching from the IPGP record you have there is > there is only a fingerprint, and you must have a --keyserver defined > for it to fetch the fingerprint from in that case. Do you have a > --keyserver defined? Ah, now that I do it works nicely. Thanks! Maybe gpg should say that it wants to have a keyserver in this case? Cheers, Peter -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred.| : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `-http://www.debian.org/ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg-zip
On Wed, 05 Apr 2006 05:23:40 -0400 [EMAIL PROTECTED] wrote: >Send Gnupg-users mailing list submissions to > gnupg-users@gnupg.org > >Message: 6 >Date: Tue, 4 Apr 2006 23:47:35 -0700 (PDT) >From: Arild "Bjørk" <[EMAIL PROTECTED]> >Subject: gpg-zip? >* Added "gpg-zip", a program to create encrypted archives >that can interoperate with PGP Zip. > >I've searched the manual and the installation path for gnupg for >Windows and I can't find the program or find it mentioned in the >manual. Why isn't it included in the Windows version? >Message: 8 >Date: Wed, 05 Apr 2006 11:11:07 +0200 >From: Werner Koch <[EMAIL PROTECTED]> >Subject: Re: gpg-zip? >Because it won't work with Windows. It requires a Bourne shell >and >the tar tool - this is not available under Windows. but it is easily available in a front end for windows, and works from file manager in winpt (for .zip files, for comaptibility with common windows unzip programs ) but could just as easily be made to work with .rar or other format vedaal Concerned about your privacy? Instantly send FREE secure email, no account required http://www.hushmail.com/send?l=480 Get the best prices on SSL certificates from Hushmail https://www.hushssl.com?l=485 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
pka-lookups
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Throughout the 'snapshot' phase of 1.4.3 this ability was turned OFF by default. With the release of 1.4.3 stable and the availability of cross-certification and pka-lookup now widely available, will the features once defaulted to off be defaulted to ON for the 1.4.4 'snapshot' releases? Also, in gpg.man the reference is "see require-cross-certification" but I have been unable so far to find that particular option in the Manual. When I do, what will I "see"? JOHN :) Timestamp: Wednesday 05 Apr 2006, 10:55 --400 (Eastern Daylight Time) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.4-4092cvs: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust (US26): http://www.gswot.org Comment: Homepage: http://tinyurl.com/9ubue Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJEM9qGAAoJEBCGy9eAtCsP8/YH/js/PyBQGhcSrHxUXZMCC+PJ CmuQdEBJHfQ4zEda0D5f+crQO+7A20AvH7FD10AkEspMuXoWgImAdqVhSkj7LiQ/ /VA6CynAIlt4/GhhgdWYiE96PRJf1T0DBmGypOMOxBlPUl0mAsclbDUinEn1P5c3 kTQS4G5H7uljt5k1o0l20jG1gQb2TdSKxsaBGB3ZIuGFGqpV/bStFxxYJ5R9SpXQ KyK1aMyJgWUr0eHWX82Nn2Q6cYFoOW5tllRYngRETMvJqC/rzR6hpJGsIoqY5TtN M2iFR8GGEsxvWMByBMN6M9ZZligjcRFB15nPXh+6BjSnykbx8FHQlmFoRn+P92I= =RzxT -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
GnuPG - where is the .exe file???
I am trying to set up secure email encryption using Thunderbird, Enigmail and GnuPG. I have everything in place bar GnuPG. I downloaded it and extracted it. I then have to add the GnuPG executable path in Enigmail so that they work together. My problem is finding GnuPG.exe. It doesn't seem to be in my GnuPG folder. Any ideas where I am going wrong? -- View this message in context: http://www.nabble.com/GnuPG---where-is-the-.exe-file--t1399921.html#a3765831 Sent from the GnuPG - User forum at Nabble.com. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: dns cert support
On Wed, Apr 05, 2006 at 03:18:31PM +0200, Peter Palfrader wrote: > On Wed, 05 Apr 2006, David Shaw wrote: > > > On Wed, Apr 05, 2006 at 12:30:42PM +0200, Peter Palfrader wrote: > > > > > I notice that if I have both, a IPGP and a PGP CERT RR that GnuPG fails > > > to import the key some of the time: > > > > [..] > > > > > } ;; ANSWER SECTION: > > > } peter.palfrader.org.43200 IN CERT6 0 0 > > > FFsAyW1dVK7hIGuvhN56r26UwJx/ > > > } peter.palfrader.org.43200 IN CERTPGP 0 0 > > > mQGiBDgp0YcRBACN9s8EycXRsu9ym3Sjou1N. > > > > > > Is having them both not supported or is there a bug somewhere? > > > > At the moment, GnuPG will take whichever it sees first (the PGP or the > > IPGP, but not both). So given round robining, if you have both, it > > will seem to flip back and forth between the two. I'm thinking about > > having GPG favor one or the other in these cases (probably PGP since > > if it has already fetched the whole key, it may as well import it > > rather than go to a web page or keyserver somewhere). > > On the other hand the key that is fetched via DNS has serious size > constraints - DNS limits the RDATA to 64k and I think GnuPG further > limits this to 16k. In my case I have significantly stripped down my > key in order to store it in DNS, so maybe going to the keyserver or the > location specified in IPGP might be a good idea. Certainly the CERT PGP type has size restrictions, but I think that's fine: I don't really see the CERT PGP type as a repository for whole keys with dozens of signatures like on a keyserver. Rather, it's a place to store minimal (via export-minimal) keys. Once this "seed" key is gotten via CERT PGP, it can be fleshed out via a keyserver or preferred keyserver subpacket on the key itself. The GnuPG 16k max-cert-size is changeable, by the way: --keyserver-options max-cert-size=65536 16k was a bit of a guess as to a good value since CERT is so new. Whether to favor CERT PGP or CERT IPGP is one of those things where a reasonable case can be made for either path. It depends on what you're using CERT for: if you were using CERT in a PKA-like scheme, you'd want CERT PGP to get the answer as fast as possible, while if you were using CERT as a automatic key locater you'd probably want CERT IPGP to get all the signatures. > > The reason it is not fetching from the IPGP record you have there is > > there is only a fingerprint, and you must have a --keyserver defined > > for it to fetch the fingerprint from in that case. Do you have a > > --keyserver defined? > > Ah, now that I do it works nicely. Thanks! Maybe gpg should say that > it wants to have a keyserver in this case? Yes, I think it should. Note that you could make your IPGP contain both a fingerprint and a URL - that way you get to specify where the user will fetch your key from (it may not exist in the manner you desire on their particular keyserver). David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
OpenPGP card: What RSA problems? Why not for key signing?
I consider creating a new master key: My old one wasn't stored securely
in the past and it has been rarely used. This new key I want to
generate on a system with a temporary fresh LINUX install and upload it
to two Smartcards (one is for backup). Now, the only thing that's
preventing me from doing this are the following paragraphs that I found
in The GnuPG Smartcard HOWTO ("How to use the Fellowship Smartcard"):
The card does not support DSA keys. Even if you are using a RSA key
you might encounter problems. The cards available at the moment only
support 1024 bit keys.
The suggestion is to use the key on the card only for signing and
decrypting but NOT for key signing.
This calls for some questions:
* What are those problems that one may encounter with RSA?
* Why should the key on the card not be used for key signing?
* Is there any advantage in using a DSA master key (not supported by the
OpenPGP card, I know) instead of an RSA master key?
* What's the best tool for generating the 1024 bit RSA key? Should I
simply use plain "gpg --gen-key --no-random-seed-file" or should the
key be generated on card, or does it not really matter?
PS: Of course, I will use a subkey with limited lifetime for everyday
use, and I'll store this key on a third card.
--
Felix E. Klee
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GnuPG - where is the .exe file???
Forgot to say I am using Windows. And it helps to download the Windows version . . . -- View this message in context: http://www.nabble.com/GnuPG---where-is-the-.exe-file--t1399921.html#a3768339 Sent from the GnuPG - User forum at Nabble.com. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GnuPG - where is the .exe file???
I found my problem - I did not download Windows version! I am an idiot. You are a great person for helping a stranger. On 5 Apr 2006 at 9:30, Ramprasad B wrote: > > [EMAIL PROTECTED] wrote: > > > Did you download GnuPG 1.4.3 from > > http://www.gnupg.org/(en)/download/index.html? > > yep. > > > Even searching my computer does not find that .exe file. > > Please try to uninstall and install again. > or try to find gpg.exe in program files folder. > probably u tried to search gnupg.exe > > -- > Ramprasad B > > New Yahoo! Messenger with Voice. Call regular phones from your PC and save > big. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GnuPG - where is the .exe file???
--- joeking <[EMAIL PROTECTED]> wrote: > I then have to add the GnuPG executable path in Enigmail so that they work > together. > My problem is finding GnuPG.exe. It doesn't seem to be in my GnuPG folder. I downloaded today and installed gnupg. The gpg.exe guy was at -> C:\Program Files\GNU\GnuPG\gpg.exe -- Ramprasad B __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GnuPG - where is the .exe file???
Thanks for your help! Did you download GnuPG 1.4.3 from http://www.gnupg.org/(en)/download/index.html? Even searching my computer does not find that .exe file. On 5 Apr 2006 at 8:07, Ramprasad B wrote: > --- joeking <[EMAIL PROTECTED]> wrote: > > > I then have to add the GnuPG executable path in Enigmail so that they work > > together. > > > My problem is finding GnuPG.exe. It doesn't seem to be in my GnuPG folder. > > I downloaded today and installed gnupg. > The gpg.exe guy was at -> C:\Program Files\GNU\GnuPG\gpg.exe > > -- > Ramprasad B > > __ > Do You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam protection around > http://mail.yahoo.com > > > ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GnuPG - where is the .exe file???
--- joeking <[EMAIL PROTECTED]> wrote: > I then have to add the GnuPG executable path in Enigmail so that they work > together. > My problem is finding GnuPG.exe. It doesn't seem to be in my GnuPG folder. I downloaded today and installed gnupg. The gpg.exe guy was at -> C:\Program Files\GNU\GnuPG\gpg.exe -- Ramprasad B __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GnuPG - where is the .exe file???
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 [EMAIL PROTECTED] wrote: > Thanks for your help! > > Did you download GnuPG 1.4.3 from > http://www.gnupg.org/(en)/download/index.html? > > Even searching my computer does not find that .exe file. Perhaps you might look under C:\GnuPG You could always click on the Start Key and then use Search to look for gpg.exe JOHN ;) Timestamp: Wednesday 05 Apr 2006, 14:33 --400 (Eastern Daylight Time) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.4-4092cvs: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust (US26): http://www.gswot.org Comment: Homepage: http://tinyurl.com/9ubue Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJENA12AAoJEBCGy9eAtCsPirgIAJtlbWZiyIAdg4jwSE6SM/Tz 71Sh64LTu//WrUVEuEdibtXuPXldz1AguWJQn33/MhLTs+1jtDpDmLGVyrc6jxAp oXJJBxi3UTf1rQzGQUefI5QsZfocBsckrsiC+Dd3VgcSb8yp8Yzqf+biXv9m7tEO fCHvzDjyWqS0574zzvnyUHD/x+cf5SnAo0Fzk/cuBR1DsTtrpcGF85g/9nLBZgxA bhZK0+36C+P/38S4LqOIB8zdKAzEThfa1VHx9UCxSB9NG5oa+kqhgTKHvAMkFTS0 CtRj1VFVuA1ghRoKe8Pa3wbKAwXOyMu9jHxjaYhT+FYq2rHp/3VvdOqxzO9RgiE= =HQmT -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
1.4.3 // proper syntax for --edit-key cross-certify ?
what is the syntax needed to use the cross-certify to have a signing subkey sign the master? i tried cross-certify with --edit-key and got no response (not even the polite customary error message ;-) ) here is the command and gpg output: $ gpg --edit-key 0x6A589A97 gpg (GnuPG) 1.4.3; Copyright (C) 2006 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. gpg: using PGP trust model gpg: key 6A589A97: accepted as trusted key Secret key is available. pub 4096R/6A589A97 created: 2001-04-26 expires: neverusage: SCEA trust: ultimate validity: ultimate sub 4096R/04ADEE20 created: 2001-04-26 expires: neverusage: SCEA [ultimate] (1). vedaal nistar (preferred e-mail address) <[EMAIL PROTECTED]> [ultimate] (2) vedaal nistar (preferred key) <[EMAIL PROTECTED]> [ultimate] (3) vedaal nistar <[EMAIL PROTECTED]> Command> cross-certify Command> gnupg just returns the command prompt (the same happens after a uid is selected, and then cross-certify entered at the command prompt) the same thing also happens with the following variations: Command> cross-certify Command> Command> cross-certify sub 4096R/04ADEE20 Command> Command> cross-certify pub 4096R/6A589A97 Command> Command> cross-certify 6A589A97 Command> Command> cross-certify 04ADEE20 Command> what should the proper syntax be ? tia, vedaal Concerned about your privacy? Instantly send FREE secure email, no account required http://www.hushmail.com/send?l=480 Get the best prices on SSL certificates from Hushmail https://www.hushssl.com?l=485 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: 1.4.3 // proper syntax for --edit-key cross-certify ?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 [EMAIL PROTECTED] wrote the following on 4/5/06 3:50 PM: > what is the syntax needed to use the cross-certify > to have a signing subkey sign the master? > > i tried cross-certify with --edit-key > and got no response > (not even the polite customary error message ;-) ) When I tried that, I was prompted to enter my passphrase after a row showing that my signing subkey was selected: - - Charly-Avitals-PBG4:~ shavital$ gpg --edit-key C91B085E gpg (GnuPG) 1.4.3; Copyright (C) 2006 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Secret key is available. pub 1024D/C91B085E created: 2002-05-11 expires: never usage: SCA trust: ultimate validity: ultimate sub 2048g/084539C7 created: 2002-05-11 expires: never usage: E sub 4096R/727327CF created: 2005-02-17 expires: never usage: S [ultimate] (1). Charly Avital (1.0.7) <[EMAIL PROTECTED]> [ultimate] (2) Charly Avital (1.0.7) <[EMAIL PROTECTED]> [ revoked] (3) Charly Avital (1.0.7) <[EMAIL PROTECTED]> Command> cross-certify You need a passphrase to unlock the secret key for user: "Charly Avital (1.0.7) <[EMAIL PROTECTED]>" 4096-bit RSA key, ID 727327CF, created 2005-02-17 Enter passphrase: - - After I enter the passphrase, I get the same output as above: - - pub 1024D/C91B085E created: 2002-05-11 expires: never usage: SCA trust: ultimate validity: ultimate sub 2048g/084539C7 created: 2002-05-11 expires: never usage: E sub 4096R/727327CF created: 2005-02-17 expires: never usage: S [ultimate] (1). Charly Avital (1.0.7) <[EMAIL PROTECTED]> [ultimate] (2) Charly Avital (1.0.7) <[EMAIL PROTECTED]> [ revoked] (3) Charly Avital (1.0.7) <[EMAIL PROTECTED]> = But when I Quit, I am prompted to save changes: - -- Command> quit Save changes? (y/N) n Quit without saving? (y/N) y - -- I have chosen to quit without saving any changes, because the truth is I do not fully understand what the change is, and what it would do to my key and/or to my signing subkey. [...] > (the same happens after a uid is selected, and then cross-certify > entered at the command prompt) When you select a uid, can you select the signing subkey itself? I can't. I can only select one of the existing uids (1,2 or 3). >[...] > what should the proper syntax be ? > I hope you get more significant feedback from the list. I just wanted to let you know that cross-certify provokes, in my system, a certain response and output that can be saved in the key. Charly -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.3 (Darwin) Comment: GnuPG for Privacy Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQIVAwUBRDQ/kG69XHxycyfPAQgg7BAAqXTx45ETj04X0OK4ILPZ8BXINE4mP37n J+AVdrFApncNnXOx/jQ2rOvZyN/f17accOlLCef6dtpOIHGqSoXTxHFZq9yncwPQ s1/OfERI384qFgs21YbJCE70cE2wlmJiRO06uHUFQ/QUgaP3W7uNTX4iYXHFBNQJ VcS4bjGKEN0t5yV3M39J4wBU1yCd43TN6YYQaK0xNvvPfKm6V3HWGARQ0PhhsdyH YX9HifwcE0BHslU9SXZIfDE9GhZJeT7VEj3Pu3CDYh5GVPnv6a5LFFZh3Wv1R3Eh nrc0GTbUULg/oeAMkuwLZ6ZO6CLoJP8jot1BIAhX9FxlsxASgxSWlnhr7qioSiNe nSZTklyXTdKXMJVL4+7OkxKACQqx/cWNWUJPKQogDkkAkVabcB3JB9g6jPMPIV1s 7tJezG8/LvQmOZfzlxGkARdESE0fROTmqL8Lax7xmybN5OsSNNzbWfDR4j0558Dm FKAGEoNSZq1g8VwXCTuDTsH5ycpqjeDYYLjwecOvEyKAB6wt/vOGufei5hFmzFVC COg+8fgF7XmqqT3ojTDTKmCJkU5xJosHLXvnY6fUia2Ik9oGiic47eN+OCMVW8Ww 0+hHtcXZlooHwcZr5QSTv2PspLiDHO/0RUqWL5nkrEMhbibS8lMQD2w/BLQTv2xq qV9bFqDPZGU= =bq6u -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Automated Decryption via Script Running Setuid
Searched the archives back through Oct. '05 and didn't see a solution to
my problem...
Bottom line to problem: If a script running setuid as userA but called
by userB contains a GPG command, GPG responds with userB information
instead of userA.
I have a perl script 'parseMail_andSubmit_toDB.pl' that is being routed
information from a C-wrapper that runs as userA.
-rwsr-sr-x userA pass_STDIN_to_parseMail_andSubmit_toDB.exe
The info contained in STDIN is an emailed message with an attached file
(encrypted with userA's public key). In parseMail_andSubmit_toDB.pl, I
save the attachment to a file and call a second perl script
'decrypt_file.pl'. This script contains userA's passphrase which I am
attempting to use to decrypt the file ala:
"cd $dir_containing_file; echo \'${passphrase}\' |
/usr/local/share/bin/gpg --passphrase-fd 0 --output
${file_to_decrypt}_cleartext$$ --decrypt $file_to_decrypt".
However GPG responds with:
"cp: cannot create /.gnupg/gpg.conf: Permission denied
gpg: fatal: can't create directory `~/.gnupg': No such file or directory
secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768"
It is as-if GPG knows that userB originated the call (in this case the
email daemon which probably doesn't have a /home/daemon and certainly
doesn't have GPG keys). So I setup a second test where jchurch (as
userB) called the c-wrapper and changed the GPG command in
decrypt_file.pl to 'echo \'Calling whoami\'; /usr/ucb/whoami;
/usr/local/share/bin/gpg --list-keys' and I received the key info for
userB instead of userA. See below.
pub 1024D/63A468CF 2006-03-23
uid John Church (Second Key working with Joel)
<[EMAIL PROTECTED]>
sub 2048g/2D0142AB 2006-03-23
pub 1024D/F3D3D15D 2006-04-03
uid razoradm (Razor Administrator) <[EMAIL PROTECTED]>
sub 2048g/B73F17B6 2006-04-03
The key info for userA should have been returned.
Does anyone have any clue as to whether GPG is this smart? I admit to
being a newbie to GPG so perhaps I'm doing something stupid. Any
suggestions would be appreciated.
Thanks-in-advance,
John_inDenver
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
keytocard doesn't move key
Hi, using an SCR335 card reader with gnupg 1.4.3 under debian-sarge AMD64 i can do gpg --card-edit > generate > list which generates new keys on the smartcard fine and puts them also into file secring.gpg. But then trying to move the secret key to the smartcard by gpg --edit-key Befehl> toggle Befehl> keytocard does _not_ work: The newly generated secret key persists in secring.gpg. E. g. i can do --export-secret-key without smartcard. Gpg tells: Really move the primary key? (y/N) y ... Wählen Sie den Speicherort für den Schlüssel: (1) Unterschriften-Schlüssel (3) Authentisierungs-Schlüssel Ihre Auswahl? 1 gpg: WARNING: such a key has already been stored on the card! Vorhandenen Schlüssel ersetzen? (j/N) j gpg: geheimer Schlüssel ist bereits auf einer Karte gespeichert When i delete the secret key manually from secring.gpg, the secret key on the card won't be found, probably as the "stub" is missing in secring.gpg. So the question is: How can i get the secret key away from the secring.gpg and still have the stub so that the secret key is requested then from the smartcard? Thanks a lot for any hints. Regards, Hartmut___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: 1.4.3 // proper syntax for --edit-key cross-certify ?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Charly Avital wrote: > But when I Quit, I am prompted to save changes: > -- > Command> quit > Save changes? (y/N) n > Quit without saving? (y/N) y > -- > > I have chosen to quit without saving any changes, because the truth is I > do not fully understand what the change is, and what it would do to my > key and/or to my signing subkey. Knee-jerk response is to say "It does Nothing to you Key/sub-Key" but that is not /exactly/ true. What occurs is that your Key & sub-Key are inextricably linked. This is prevent a very remote & arcane possibility of your signing sub_key being hijacked. Real World effect.with 'require-cross-certification' active in my gpg.conf File your message Opened with a yellow stripe across the top of my Enigmail Screen and a 'Red' Pen in the lower right corner. Clicking on the pen gives me a verbose text indicating that you have *not* back signed the sub-Key. When I comment out the gpg.conf entry I Open the message to the familiar Green Line indicating 'Good Signature from Trusted Key'. Had you chosen to 'save' the changes it would have appeared Green when I first Opened this Post. My suggestion would be to go ahead and 'save' the changes and rest comfortably that it will have no negative effect whatsoever. Others will surely disagree with me and should appear here shortly. JOHN ;) Timestamp: Wednesday 05 Apr 2006, 19:11 --400 (Eastern Daylight Time) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.4-4092cvs: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust (US26): http://www.gswot.org Comment: Homepage: http://tinyurl.com/9ubue Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJENE7sAAoJEBCGy9eAtCsPFZEH/j0T49h7lh3ugrZE2WN3KB3S cQre6aVgJ0ectjc1aam0nfu2oZJMMbrvFbpgrKHsUYZF/BBEtyvRIZ8ABwK8Wqo8 BO+JVu4egZQ4mxHOR3X/LDc956kuCOq5/DOj0oTc07dTb5OToLL/bi1GTKXx9WWn LMgKLnU18RYCuCoJie/t9zyz/XmepQDQ5/6Lb6sjKfyQsylC+KWbIeASSjxJuphn jQZJOvQpEZ/wA3MVByuK4oibWlLJIECldRH7uB+inD+nNpdW1hHklb721hQnAcH0 C06qsXhbDjnLmm6zeqLyWGNtCB03+0mAeulaXkwzRV5POKd+bEAUURVFm0JGFr8= =Uz8J -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
1.4.3 // proper syntax for --edit-key cross-certify ?
Charly Avital shavital at mac.com wrote on Thu Apr 6 00:07:18 CEST 2006 : >When I tried that, I was prompted to enter my passphrase after a row showing that my signing subkey was selected: >But when I Quit, I am prompted to save changes: hmmm, ok, tried this again, same result as before, then generated a new dh/dsa key and a new rsa subkey and tried it with the new key, and it worked, with the same result that you got, *but* only for new or recent keys, the key i originally wrote in about, is an older (but still v4) rsa key and rsa signing subkey and i couldn't get it to cross-certify can others try this out on any older PGP-generated keys they might have, and see if it works or not, tia, vedaal Concerned about your privacy? Instantly send FREE secure email, no account required http://www.hushmail.com/send?l=480 Get the best prices on SSL certificates from Hushmail https://www.hushssl.com?l=485 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: 1.4.3 // proper syntax for --edit-key cross-certify ?
On Wed, Apr 05, 2006 at 06:07:18PM -0400, Charly Avital wrote: > I have chosen to quit without saving any changes, because the truth is I > do not fully understand what the change is, and what it would do to my > key and/or to my signing subkey. http://www.gnupg.org/faq/subkey-cross-certify.html You should do it. David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: pka-lookups
On Wed, Apr 05, 2006 at 10:56:13AM -0400, John W. Moore III wrote: > Throughout the 'snapshot' phase of 1.4.3 this ability was turned OFF by > default. With the release of 1.4.3 stable and the availability of > cross-certification and pka-lookup now widely available, will the > features once defaulted to off be defaulted to ON for the 1.4.4 > 'snapshot' releases? It depends on the feature. Certainly require-cross-certification will not be turned on by default in 1.4.4. Too soon. > Also, in gpg.man the reference is "see require-cross-certification" but > I have been unable so far to find that particular option in the Manual. > When I do, what will I "see"? It's there. It says: When verifying a signature made from a subkey, ensure that the cross certification "back signature" on the subkey is present and valid. This protects against a subtle attack against subkeys that can sign. Currently defaults to --no-require-cross-certification, but will be changed to --require-cross-certification in the future. David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: 1.4.3 // proper syntax for --edit-key cross-certify ?
On Wed, Apr 05, 2006 at 07:47:12PM -0400, [EMAIL PROTECTED] wrote: > the key i originally wrote in about, > is an older (but still v4) rsa key and rsa signing subkey > and i couldn't get it to cross-certify > > can others try this out on any older PGP-generated keys they might > have, > and see if it works or not, PGP does not generate signing subkeys. You generated a RSA encryption key that happened to be without key flags (I guess that version of PGP didn't use them yet), and so it appears as a RSA sign+encrypt key in GnuPG. Bottom line is, this does not work on PGP generated keys. David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: 1.4.3 // proper syntax for --edit-key cross-certify ?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 John W. Moore III wrote the following on 4/5/06 7:13 PM: [...] > Had you chosen to 'save' the changes it would have appeared Green when I > first Opened this Post. My suggestion would be to go ahead and 'save' > the changes and rest comfortably that it will have no negative effect > whatsoever. Thank you for the clarification. I have just done that and saved the change. > > Others will surely disagree with me and should appear here shortly. Well, not really, since David Shaw concurs: David Shaw wrote the following on 4/5/06 9:38 PM: > On Wed, Apr 05, 2006 at 06:07:18PM -0400, Charly Avital wrote: > >> I have chosen to quit without saving any changes, because the truth is I >> do not fully understand what the change is, and what it would do to my >> key and/or to my signing subkey. > > http://www.gnupg.org/faq/subkey-cross-certify.html > > You should do it. > > David I have also uploaded the 'corrected' key to a keyserver. Thanks to all. Charly -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.3 (Darwin) Comment: GnuPG for Privacy Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQIVAwUBRDSZPG69XHxycyfPAQhwOQ/+IS4ZVVWFsxLA+J3wS9z3omySCQprvNXA 86YCjBHTTHFXebvWSMsxSXc4hnj2ewlte3/gAy6i7qCYxNv7iw3TwK2WfH7R0TPe J+WLmqu0NCOABMqEXU3Dqrh8FXQ6rT4inL4ZYrAF3Qo7do91/uQbgkhWni0IobJq 29wKR0FS35M/RKzC398ses8YDlCWsbZifycBrGTXgW0faJoiobwQK62vXAaxlkCA 8PJgtgufG+bcbD158TYZBW48tm0oJNavQYxmVx/g4V7U6no5Ag483C8oD09n17pv DXMvYbBhvdr6j/zEHe0Aw6UGMw7vQ28d3oXRV+b3yYwm9c+5Khvt5XhZKpqdghvM CHTqJLXO9d4w6yG4o8HLjQTbRYz3ffCuRabWtZcorwFXUTKrK/RrhkmIvrr8m1eZ S8cDEBFogQpieCVm8o9UWhSfP2cYgQfc+UUfYB6kwoaPIYp8CSGUCvLc3+GlRona GuIAkzCW8ZhWDdjzCIHW8Xdza8nIdiP/y5zioYt5GhVXxiIUP4MJKKGh85pyHv0t +zVBLR1pk+HRnJR/8AvGyvpYp56D+ZJuTR4wmNzvH3CjF+KAkxeegTs2uWne7Idc qGFyWr/YnJMxAFhRjojkAjMu8diIbfTNcmmViY9yWHh526O2hmVXDpURyz3z56i2 KoKLghFgEGk= =uNwC -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
