Re: Automated processes

2006-04-07 Thread Raphaël Poss

jkaye wrote:

Hi all,

I'm new to GnuPG, and have been getting some help
from a kind soul.  I seem to have all the knowledge 
that I need with one single, but important, exception.


When I decrypt, it asks for my passphrase.  No problem
there except for the fact that I want to have an automated
script on a unix server perform the decryption of this file.
Of course, if it needs a passphrase, it's going to hang
and I can't have that.

I know that for PGP, there's an environment setting that
can be used to prevent this.  Is there a similar thing for
GnuPG, or do I have to jump through some hoops?  


You can:

- use gpg-agent, or

- echo passphrase | gpg --batch --passphrase-fd 0

Of course the latter provides little to no security.

Regards,

--
Raphaël



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Date and time format

2006-04-07 Thread lusfert
John W. Moore III wrote on 07.04.2006 2:37:
> David Shaw wrote:
> 
>>> OS setting via LC_TIME, according to Microsoft, though I have no idea
>>> how to set it on win32.
> 
> Right Click on the Clock, Select Setting Time/Date.
> 
http://i10.photobucket.com/albums/a142/someuser00/right_click_on_clock.png
Where is "Setting Time/Date"?

Then I clicked Adjust Date/Time:
http://i10.photobucket.com/albums/a142/someuser00/date_and_time_settings.png


Where can I set date format (via LC_TIME)?

-- 
Regards
OpenPGP Key ID: 0x9E353B56500B8987
Encrypted e-mail preferred.






Re: Date and time format

2006-04-07 Thread John Clizbe
lusfert wrote:
> John W. Moore III wrote on 07.04.2006 2:37:
>> David Shaw wrote:
>> 
>>> OS setting via LC_TIME, according to Microsoft, though I have no idea
>>> how to set it on win32.
> 
> Where can I set date format (via LC_TIME)?

Via LC_TIME? I suppose you could specify an environment variable.

The native Windows way is:

Control Panel --> Regional and Language Options. Select the language you wish to
use, then click 'Customize'. On the Date tab you may specify short and long date
format strings; eg, '-MM-dd' and ',  dd, '.

-- 
John P. Clizbe   Inet:   JPClizbe(a)comcast DOT nyet
Golden Bear Networks PGP/GPG KeyID: 0x608D2A10
"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"





Cygwin and 1.9 branch

2006-04-07 Thread Ismael Valladolid Torres
Anybody compiled successfully current 1.9 CVS branch using Cygwin on
Windows?

I'd give it a try but I'd like to know before if I'm bound to try
something impossible given the current status of the source, or if
somebody knows it's perfectly possible.

I'm sure that using Cygwin I won't be able to get smartcard support
and I guess I can live with that unless also somebody tells me that
smartcard support is the only reason for trying 1.9 branch.

Any comments welcome.

Cordially, Ismael
-- 
Need medicine? All here!

  http://lamediahostia.blogspot.com/
  http://www.flickr.com/photos/ivalladt/



[Announce] Gpg4win 1.0.0 released

2006-04-07 Thread Werner Koch
Hi!

After struggling for 6 months with Windows peculiarities, we are finally
pleased to announce the *first stable release of Gpg4win*, version 1.0.0!

The gpg4win project aims at updating the gpg4win Windows installation
package with the GnuPG encryption tool, associated applications and
documentation on a regular basis.  Especially the documentation
(handbooks "Einsteiger" and "Durchblicker") is directly maintained as
part of the gpg4win project.

It is an international project. Due to the origin of the project the
German language is fully supported.  As of now the handbooks are
only available in German.  People helping with translations are very
welcome!

The main difference compared to all other similar approaches (mainly
GnuPP, GnuPT, Windows Privacy Tools and GnuPG-Basics) is that the
first thing developed was the *gpg4win-Builder*. This builder makes it
easy to create new gpg4win.exe installers with updated components.

The builder runs on any decent Unix system, preferably Debian
GNU/Linux.  Almost all products are automatically cross-compiled for
integration into the installer.

With this concept it is hoped to *prevent quick aging of the*
*installer package*. This is due to easier updating and less
dependency on single developers.

For installation instructions, please visit http://www.gpg4win.org or
read on.

Developers who want to *build an installer* need to get the following
files from http://wald.intevation.org/projects/gpg4win/ :

  gpg4win-1.0.0.tar.bz2 (4.0M)
  gpg4win-1.0.0.tar.bz2.sig

The second file is a digital signature of the first file.  Either
check that this signature is fine or compare with the checksums given
below.  (see also http://www.gnupg.org/download/integrity_check.html)

The *ready to use installer* is available at:

  http://ftp.gpg4win.org/gpg4win-1.0.0.exe  (6.8M)
  http://ftp.gpg4win.org/gpg4win-1.0.0.exe.sig

Or using the ftp protocol at:

  ftp://ftp.gpg4win.org/gpg4win/gpg4win-1.0.0.exe  (6.8M)
  ftp://ftp.gpg4win.org/gpg4win/gpg4win-1.0.0.exe.sig

SHA1 and MD5 checksums for these files are given below.

A separate installer with the sources used to build the above
installer is available at:

  ftp://ftp.gpg4win.org/gpg4win/gpg4win-src-1.0.0.exe  (40M)
  ftp://ftp.gpg4win.org/gpg4win/gpg4win-src-1.0.0.exe.sig

Most people don't need this source installer; it is merely stored on
that server to satisfy the conditions of the GPL.  In general it is
better to get the gpg4win builder tarball (see above) and follow the
instructions in the README to build new installers; building the
installer is not possible on Windows machines and works best on
current Debian GNU/Linux systems (we use the mingw32 package from
Sid).

SHA1 checksums are:

9525bb4947c02a764948cfe8d78f5400e39afc14  gpg4win-1.0.0.tar.bz2
c0ccd90c9aec23447bcd883cfd0602712967cfc6  gpg4win-1.0.0.exe
9c0bac7627a91ccbddd4dbdab522020b5ac91fe9  gpg4win-src-1.0.0.exe

MD5 checksums are:

73d5f8e8c7e805fbf43075c6c6c09901  gpg4win-1.0.0.tar.bz2
299fa8567a484ea32706b11d318dbe9a  gpg4win-1.0.0.exe
99f941d5d07b7c6e6860e490a081d1e7  gpg4win-src-1.0.0.exe


We like to thank the authors of the included packages, the NSIS
authors, all other contributors and first of all, those folks who
stayed with us and tested the early releases of gpg4win.


Happy hacking,

  Jan, Marcus, Timo and  Werner


-- 
Werner Koch  <[EMAIL PROTECTED]>
The GnuPG Expertshttp://g10code.com
Free Software Foundation Europe  http://fsfeurope.org
Join the Fellowship and protect your Freedom!http://www.fsfe.org




Re: Automated processes

2006-04-07 Thread John W. Moore III

Raphaël Poss wrote:

> You can:
> 
> - use gpg-agent, or
> 
> - echo passphrase | gpg --batch --passphrase-fd 0
> 
> Of course the latter provides little to no security.

There is another option.  Since you are using Outlook (presumably for
Corporate compliance) you should consider GPGrelay.  This would allow
you automatic decryption & even the ability to store decrypted email for
later searching. (again, not very secure)

JOHN ;)




fetching DE415B0E from sks ([don't know]: invalid packet (ctb=2d))

2006-04-07 Thread Peter Palfrader
Hi,

running 1.4.4-cvs, when I try to download DE415B0E I get the following
error:

| [EMAIL PROTECTED]:~$ gpg --keyserver random.sks.penguin.de --recv 94c09c7f DE415B0E
| gpg: requesting key DE415B0E from hkp server random.sks.penguin.de
| gpg: requesting key 94C09C7F from hkp server random.sks.penguin.de
| gpg: key DE415B0E: public key "Susumu OSAWA <[EMAIL PROTECTED]>" imported
| gpg: [don't know]: invalid packet (ctb=2d)
| gpg: read_block: read error: invalid packet
| gpg: Total number processed: 1
| gpg:   imported: 1

While it imports the key in question, it breaks the current download
action, not fetching additional keys given on the command line.

It also aborts any --refresh-keys in mid-action.

Peter
-- 
 PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
messages preferred.| : :' :  The  universal
   | `. `'  Operating System
 http://www.palfrader.org/ |   `-http://www.debian.org/



Re: Automated processes

2006-04-07 Thread John M Church
I think it's simplistic to just brush-off this request as a user who 
wants convenience.  There are very valid reasons for automated 
decryption.  I'm working a similar project (and have my own issue - see 
"Automated Decryption via Script Running Setuid" written 4/5/06).  Seems 
to me if you protect your script and you are behind a firewall you're 
not 'trading security for convenience'.  You can even encrypt the 
passphrase in your script if you're afraid someone with sudo or root 
privileges could open your script.


John_inDenver

John W. Moore III wrote:

> jkaye wrote:
>
>> I know that for PGP, there's an environment setting that
>> can be used to prevent this.  Is there a similar thing for
>> GnuPG, or do I have to jump through some hoops?
>
> Hmm.  Let me see if I've understood you.  You desire to use GPG for
> security 'Point to Point' then swap security for convenience on your end?
>
> My suggestion would be to either switch to Thunderbird w/Enigmail as
> your MUA.  You can set Enigmail to 'remember' your passphrase for a
> specified length of time or until you Close the program.
>
> JOHN ;)
> Timestamp: Thursday 06 Apr 2006, 19:42  --400 (Eastern Daylight Time)


Re: fetching DE415B0E from sks ([don't know]: invalid packet (ctb=2d))

2006-04-07 Thread David Shaw
On Fri, Apr 07, 2006 at 03:40:43PM +0200, Peter Palfrader wrote:
> Hi,
> 
> running 1.4.4-cvs, when I try to download DE415B0E I get the following
> error:
> 
> | [EMAIL PROTECTED]:~$ gpg --keyserver random.sks.penguin.de --recv 94c09c7f DE415B0E
> | gpg: requesting key DE415B0E from hkp server random.sks.penguin.de
> | gpg: requesting key 94C09C7F from hkp server random.sks.penguin.de
> | gpg: key DE415B0E: public key "Susumu OSAWA <[EMAIL PROTECTED]>" imported
> | gpg: [don't know]: invalid packet (ctb=2d)
> | gpg: read_block: read error: invalid packet
> | gpg: Total number processed: 1
> | gpg:   imported: 1
> 
> While it imports the key in question, it breaks the current download
> action, not fetching additional keys given on the command line.

This is a feature, believe it or not.  During an import (and a
keyserver --recv-keys or --refresh-keys is really just an import), GPG
reads packets off the input stream.  Once any of those packets prove
invalid (a packet starting with 2D is invalid), there is no way to
know where it is in the stream - how many bytes should it jump ahead
to get back on the track.

David



Re: Date and time format

2006-04-07 Thread lusfert
John Clizbe wrote on 07.04.2006 15:13:
> lusfert wrote:
>> John W. Moore III wrote on 07.04.2006 2:37:
>>> David Shaw wrote:
>>>
>>>> OS setting via LC_TIME, according to Microsoft, though I have no idea
>>>> how to set it on win32.
>> Where can I set date format (via LC_TIME)?
> 
> Via LC_TIME? I suppose you could specify an environment variable.
> 
> The native Windows way is:
> 
> Control Panel --> Regional and Language Options. Select the language you wish to
> use, then click 'Customize'. On the Date tab you may specify short and long date
> format strings; eg, '-MM-dd' and ',  dd, '.
> 
I have already done that.
See http://lists.gnupg.org/pipermail/gnupg-users/2006-April/028353.html

GnuPG still uses mm/dd/yy date format:
http://i10.photobucket.com/albums/a142/someuser00/gnupg_and_pgpdump_date_format.png
As you can see PGPdump output date format is much better.

Enigmail uses right format, specified in Windows XP system settings:
http://i10.photobucket.com/albums/a142/someuser00/enigmail_date_format.png
07.04.2006 15:14 - dd.mm. H:mm (24 hour)

-- 
Regards
OpenPGP Key ID: 0x9E353B56500B8987
Encrypted e-mail preferred.






Re: fetching DE415B0E from sks ([don't know]: invalid packet (ctb=2d))

2006-04-07 Thread Peter Palfrader
On Fri, 07 Apr 2006, David Shaw wrote:

> This is a feature, believe it or not.  During an import (and a
> keyserver --recv-keys or --refresh-keys is really just an import), GPG
> reads packets off the input stream.  Once any of those packets prove
> invalid (a packet starting with 2D is invalid), there is no way to
> know where it is in the stream - how many bytes should it jump ahead
> to get back on the track.

I don't believe it's a feature - yet :)

I think a --refresh should always try to refresh all keys.  As it is in
this case - with a key with "evil" packets on the keyserver - I'm stuck
in a situation where "gpg --refresh-keys" only updates half of my
keyring.

I can see a point in aborting in the case of gpg --recv, but it's
confusing that it starts fetching keys starting with the last.  Maybe
that could be turned around.

Cheers,
Peter
-- 
 PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
messages preferred.| : :' :  The  universal
   | `. `'  Operating System
 http://www.palfrader.org/ |   `-http://www.debian.org/



Re: Howto setup an OpenLDAP PGP keyserver

2006-04-07 Thread Walter Haidinger
On Thu, 23 Feb 2006, Walter Haidinger wrote:

> Attached is a tarball with the files for OpenLDAP configuration,
> which will be referred to below. I hope this doesn't violate
> the rules of this list but the attachment is very small anyways.

I've uploaded the tarball to my webspace too:

http://members.kstp.at/wh/pgp/openldap_pgp_keyserver.tar.gz

Regards, Walter

-- 
Walter Haidinger <[EMAIL PROTECTED]>
PGP public key: http://haidinger.webhop.org/pgp/5802B67C.asc




Re: Date and time format

2006-04-07 Thread Mica Mijatovic

Was Fri, 07 Apr 2006, at 13:55:47 +0400,
when lusfert wrote:

> John W. Moore III wrote on 07.04.2006 2:37:
>> David Shaw wrote:
>>
>>> OS setting via LC_TIME, according to Microsoft, though I have no idea
>>> how to set it on win32.
>>
>> Right Click on the Clock, Select Setting Time/Date.
>>
> http://i10.photobucket.com/albums/a142/someuser00/right_click_on_clock.png
> Where is "Setting Time/Date"?

> Then I clicked Adjust Date/Time:
> http://i10.photobucket.com/albums/a142/someuser00/date_and_time_settings.png

> Where can I set date format (via LC_TIME)?

Since you use XP, then...

Control Panel | Regional and Language Options | Regional Options |
Customize... | Time.

The next tab is for the Date format.

Clicking on the Clock (squatting in the tray) makes you able just to
"wind up" the clock and to set the Time Zone.

  ***

These settings are automatically accepted then by the "command line"
environment in XP as well, and thus should be accepted by all programs
working in this/such environment.

  ***

In Windows 98 SE for instance, the time/date format in DOS is set in a
different way(s). One of them is to define a permanent environment
variable via Config.sys file where you enter the "country code", which
defines time/date format.

It looks like this...

country=038,,c:\Windows\command\country.sys

...and this one gives format like this...

-mm-dd HH:mm:ss

...where the capitalized "HH" gives 24 hours time format while the lower
case "hh" gives 12 hour AM/PM format.

  ***

Now, some previous versions of GnuPG are, with the US time format,
displaying verbosely (the local) Time Zone as well, which is a bit
better anyway, whilst the newer 1.4x versions are displaying only the US
format giving no data about Time Zone.

For instance, in version 1.2.3-nr1 it displays this...

gpg: Signature made 04/07/06 11:55:58 Central Europe Daylight Time using
DSA key ID 500B8987

...whilst in versions 1.4x it is like this...

gpg: Signature made 04/07/06 11:55:58 using DSA key ID 500B8987.

  ***

The inconsistency in the, for instance, US date format (although it can
be found in some other countries as well), might be elegantly corrected
by using the so called "universal" or "astronomical" (or "military")
date/time format which makes such sort of orientation much clearer,
faster and better. It gives consistent values going from the higher to
lower ones, that is yy|yy, mm, dd, HH, mm, ss (century|year, month, day,
24hour information, minute, second), which makes it excellent for
computing/administration (and with minimum data; no PM, AM and similar).

I don't know how to solve this in GnuPG, or in some programs/parts of
the very OS. Notepad itself in XP for instance gives anyway a messed
format (via F5) displaying firstly time and then date...

14:38 06-04-07

...which makes it useless for the ".LOG" function, whilst EDXOR (and
some other programs like KeyNote, Treepad Lite etc.) gives it exactly as
it is set on the OS level...

06-04-07 14:38:44

...which shows that such a response of a program to the OS is possible.

I am not sure for EDXOR and Treepad Lite, but KeyNote is of open source
so analyzing the related parts of the code maybe might help.

--
Mica
PGP keys nestled at: http://blueness.port5.com/pgpkeys/
~~~ For personal mail please use my address as it is *exactly* given
 in my "From|Reply To" field(s). ~~~
Don't put a cat on your head, it hurts real bad!


Re: Automated processes

2006-04-07 Thread John M Church
I wasn't thinking of encrypting the passphrase with gpg. I have on 
occasion embedded a password in a perl script and then encrypted that 
portion of the script via Perl module Filter::CBC. The script upon 
execution decrypts on-the-fly w/o the need for a passphrase. A user can 
never decrypt it though so you have to keep a nonencrypted backup of 
your script (w/o the password of course).


John_inDenver

Benjamin Mord wrote:

> (Don't encrypt the passphrase - if you do, then you still need a
> passphrase to decrypt the passphrase, etc... etc...)
>
> Asymmetric cryptography can be extremely handy for automated
> encryption/decryption scenarios. For example, I sometimes have a
> somewhat vulnerable general-purpose machine encrypt data using only a
> public key, and write it somewhere shared. Then I'll have a tightly
> secured single-purpose machine later read and decrypt that data for some
> purpose. This is analogous to a one-way mail drop, where you trust the
> mailman more than the general public. I use this technique in scenarios
> where although both machines are somewhat trusted, one machine is
> more trusted than the other. This way the machine that does the
> encryption has no knowledge of how to decrypt, so that if compromised,
> only the data that it processes from point of compromise going forward
> is in any kind of danger. (At this point you've reduced the security
> problem to one of monitoring or periodic cleaning, e.g. periodic reboots
> while running off read-only media.) The second machine is entrusted with
> knowledge of how to decrypt, but in exchange it is tightly secured and
> specialized for a single task.
>
> Ben


Re: Automated processes

2006-04-07 Thread John M Church

Qed,
Not sure if "mask the passphrase in a non-obvious way" does justice to 
encrypting it with a filter and strong algorithm - ref. 
.  Were you 
thinking I was only hiding it in clear text? 

In any event, I agree with you - access to my script should be extremely 
limited both from a permissions standpoint and location (firewall).


John_inDenver

Qed wrote:


> ???
> If you encrypt the passphrase in your script you still need a secure way
> to provide the key to decrypt it, same problem as providing the passphrase.
> Instead, if you meant "mask the passphrase in a non-obvious way",
> this solution offers no additional security, since that could be easily
> reversed having access to the script.


Re: Automated processes

2006-04-07 Thread Qed

On 04/07/2006 09:56 PM, John M Church wrote:
> Not sure if "mask the passphrase in a non-obvious way" does justice to
> encrypting it with a filter and strong algorithm - ref.
> .  Were you
> thinking I was only hiding it in clear text?
Simply, I don't know anything about this Perl module, but where would the
key to decrypt the passphrase be stored? If such a safe place exists,
why not use it directly for the gpg passphrase?
--

  Q.E.D.

ICQ UIN: 301825501
OpenPGP key ID: 0x58D14EB3
Key fingerprint: 00B9 3E17 630F F2A7 FF96  DA6B AEE0 EC27 58D1 4EB3
Check fingerprints before trusting a key!




Re: Automated processes

2006-04-07 Thread John M Church

Qed/Ryan et al,
Yes you have to pass the filter a seed to run the encryption but I have 
to admit I don't know how it decrypts the code automagically.  Ben Mord 
and I took this offline and he likened the resulting block to a fancy 
lock with the key in it b/c the seed I passed to start the encryption 
has to be available to Perl when it interprets my code.  I suspect you 
would agree.  Ben has a similar need for automated decryption as I do 
but does the decryption via a specialized computer dedicated to the task 
whose access and config is tightly controlled - see his response.


Do either of you guys do automated decryption?  This doesn't seem to be 
addressed in the FAQ - just automated signing.  I'm open to suggestions.


btw - am I screwing up my responses?  There seem to be mult. threads 
being generated.  I'm just hitting reply.


John

Qed wrote:


> Simply, I don't know anything about this Perl module, but where would the
> key to decrypt the passphrase be stored? If such a safe place exists,
> why not use it directly for the gpg passphrase?


Re: fetching DE415B0E from sks ([don't know]: invalid packet (ctb=2d))

2006-04-07 Thread Werner Koch
On Fri, 7 Apr 2006 17:53:43 +0200, Peter Palfrader said:

> I think a --refresh should always try to refresh all keys.  As it is in
> this case - with a key with "evil" packets on the keyserver - I'm stuck
> in a situation where "gpg --refresh-keys" only updates half of my

Actually, keyservers should never accept such a key in the first
place.

> I can see a point in aborting in the case of gpg --recv, but it's
> confusing that it starts fetching keys starting with the last.  Maybe
> that could be turned around.

I think we can do that. 


Salam-Shalom,

   Werner





Re: fetching DE415B0E from sks ([don't know]: invalid packet (ctb=2d))

2006-04-07 Thread David Shaw
On Fri, Apr 07, 2006 at 05:53:43PM +0200, Peter Palfrader wrote:
> I don't believe it's a feature - yet :)
> 
> I think a --refresh should always try to refresh all keys.  As it is in
> this case - with a key with "evil" packets on the keyserver - I'm stuck
> in a situation where "gpg --refresh-keys" only updates half of my
> keyring.

--import (and therefore --refresh) does try to handle all keys in the
stream.  It just can't continue once there is a stream error as there
is no way to reestablish its place in the stream.  The stream coding
more or less says stuff like "here's a signature and it's 40 bytes
long (40 bytes here)".  GPG reads that and keeps going.  If GPG sees
"here's garbage and it's garbage bytes long", it can't read it because
it's garbage, and it can't skip it because it doesn't know how many
(garbage) bytes to skip over.  The only thing it can do at that point
is stop.

Keyserver operations result in multiple streams (one per key).  If one
errors out, it might be possible to jump to the next BEGIN header, but
that would be a pretty nontrivial undertaking given how the code
currently works.

All that said, though, I'm not convinced that the armored stream you
got from the keyserver is invalid.  I think there may be a problem in
GPG's armor parser (hard to imagine after this many years, but..)  It
seems that the bad key is the right length (exactly 8192 bytes) to
trigger a problem.

> I can see a point in aborting in the case of gpg --recv, but it's
> confusing that it starts fetching keys starting with the last.  Maybe
> that could be turned around.

That's easy.  I'll do that.

David

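The packet-stream behaviour David describes in his two replies above (a header says "here's a signature and it's 40 bytes long"; an invalid CTB leaves no length field to skip by), shown as an added Python example that is not part of the thread or of GnuPG: it decodes OpenPGP packet headers (old- and new-format lengths; partial-body and indeterminate lengths are rejected for brevity) over a constructed stream and stops at a byte 0x2D, which is ASCII '-', the way gpg's import does.

```python
"""Walk an OpenPGP packet stream the way gpg's import does."""
import struct

# Packet tags that show up in a key block (RFC 4880, section 4.3).
TAG_NAMES = {2: "signature", 6: "public key", 13: "user ID", 14: "public subkey"}


class InvalidPacket(Exception):
    """Raised when a packet header cannot be interpreted."""


def parse_header(buf, off):
    """Decode the packet header at buf[off].

    Returns (tag, body_offset, body_length).  Partial-body and
    indeterminate lengths are rejected to keep the walk simple.
    """
    ctb = buf[off]
    if not ctb & 0x80:
        # Bit 7 must always be set; anything else is not a packet header,
        # and without a header there is no length field to skip by.
        raise InvalidPacket(f"invalid packet (ctb={ctb:02x}) at offset {off}")
    if ctb & 0x40:
        # New format: tag in the low six bits, self-describing length.
        tag = ctb & 0x3F
        first = buf[off + 1]
        if first < 192:
            return tag, off + 2, first
        if first < 224:
            return tag, off + 3, ((first - 192) << 8) + buf[off + 2] + 192
        if first == 255:
            return tag, off + 6, struct.unpack(">I", buf[off + 2:off + 6])[0]
        raise InvalidPacket(f"partial body length at offset {off} not supported")
    # Old format: tag in bits 5-2, length type in bits 1-0.
    tag = (ctb >> 2) & 0x0F
    ltype = ctb & 0x03
    if ltype == 0:
        return tag, off + 2, buf[off + 1]
    if ltype == 1:
        return tag, off + 3, struct.unpack(">H", buf[off + 1:off + 3])[0]
    if ltype == 2:
        return tag, off + 5, struct.unpack(">I", buf[off + 1:off + 5])[0]
    raise InvalidPacket(f"indeterminate length at offset {off} not supported")


def walk(buf):
    """Read packets until the stream ends or a header cannot be trusted.

    Returns (packets, error): packets is a list of (tag name, body length)
    for everything read before the problem; error is None on a clean stream.
    """
    packets, off = [], 0
    while off < len(buf):
        try:
            tag, body, length = parse_header(buf, off)
        except InvalidPacket as exc:
            return packets, str(exc)  # no way to resynchronise: stop here
        if body + length > len(buf):
            return packets, f"truncated packet at offset {off}"
        packets.append((TAG_NAMES.get(tag, f"tag {tag}"), length))
        off = body + length
    return packets, None


# Constructed sample stream (not real key material): two well-formed packets,
# then armor text ("-----END ...") that leaked into the binary stream, then
# one more well-formed packet that the walk never reaches.
SAMPLE = (
    bytes([0xB4, 5]) + b"alice"       # old-format user ID packet, 5-byte body
    + bytes([0xC2, 40]) + bytes(40)   # new-format signature packet, 40-byte body
    + b"-----END PGP"                 # 0x2D: bit 7 clear, so not a packet header
    + bytes([0xB4, 3]) + b"bob"       # never read
)

if __name__ == "__main__":
    packets, error = walk(SAMPLE)
    for name, length in packets:
        print(f"read {name} packet, {length} bytes")
    print(error or "stream OK")
```

Run against a real key block, the same walk would stop at the first "-----END" line a mis-armored stream let through, which is why gpg cannot simply skip ahead to the next key.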