Re: Separate OpenPGP cards for master key and sub-keys

2013-06-05 Thread Peter Lebbing
On 03/06/13 20:10, Mustrum wrote:
> Note that there is NO valid choice.

Stick it in signature, that works.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Separate OpenPGP cards for master key and sub-keys

2013-06-05 Thread Peter Lebbing
On 03/06/13 14:41, Branko Majic wrote:
> Does anyone utilise this kind of schema?

I do this as well. The primary key is on a different card than the subkeys.

Unlike Pete, I had to resort to some key splitting and recombination tricks to
get GnuPG to recognise the situation. Perhaps this has since improved and is no
longer needed.

The thing is that when I stuck one smartcard in the computer and ran
--card-status, it would create a stub private key which only referred to the
card I had inserted. So far, this is obvious and correct. However, once I gave
it the other smartcard, I could not get GnuPG to update the private key stub to
refer to that smartcard as well.

Generating two stubs, one for each smartcard, 'gpgsplit'ting the secret key
stubs and recombining them to have stubs for both smartcards in one key, fixed
the situation for me.

If this happens to you as well, I can give detailed instructions.

Good luck,

Peter.



Re: Separate OpenPGP cards for master key and sub-keys

2013-06-05 Thread Mustrum

Peter Lebbing wrote:

>On 03/06/13 20:10, Mustrum wrote:
>> Note that there is NO valid choice.
>
>Stick it in signature, that works.
>
>Peter.


But I can't.

The keytocard command displays the 3 slots, but none of them are listed as a
valid choice.
I have to choose from an empty list.
I need a ctrl-c to exit gpg.

Regards.


Re: Separate OpenPGP cards for master key and sub-keys

2013-06-05 Thread Peter Lebbing
On 05/06/13 12:55, Mustrum wrote:
> The keytocard command displays the 3 slots, but none of them are listed as
> a valid choice. I have to choose from an empty list.

Ah. I hadn't noticed that. I believe the problem is that the "Key attributes"
(displayed on --card-edit) force a specific keylength and keytocard only works
for that keylength. I think I remember the solution was to create a key on
card of the desired length, and then overwrite that one with keytocard.

Peter.



Re: Separate OpenPGP cards for master key and sub-keys

2013-06-05 Thread Mustrum

On 05/06/2013 14:50, Peter Lebbing wrote:
> On 05/06/13 12:55, Mustrum wrote:
>> The keytocard command displays the 3 slots, but none of them are
>> listed as a valid choice. I have to choose from an empty list.
> 
> Ah. I hadn't noticed that. I believe the problem is that the "Key
> attributes" (displayed on --card-edit) force a specific keylength
> and keytocard only works for that keylength. I think I remember the
> solution was to create a key on card of the desired length, and
> then overwrite that one with keytocard.
> 
> Peter.
> 

I moved a 4096/rsa signature key to the card, with success, and tried
to overwrite it with my real primary key:

gpg> keytocard
Really move the primary key? (y/N) y
Signature key : A41C 227F C1EB BA5C 3CFE  776D C011 169C 983F E396
Encryption key: [none]
Authentication key: [none]

Please select where to store the key:
Your selection? 1
Invalid selection.
Your selection? 2
Invalid selection.
Your selection? 3
Invalid selection.
Your selection? 0
Invalid selection.
Your selection? 4
Invalid selection.
Your selection? 42
Invalid selection.
Your selection?

Same issue, no valid selection available.

I'm quite sure the root cause is the "certification only" capacity of
my key:

usage: C  <-primary

usage: S  <-subkey
usage: E  <-subkey

All keys with the S or E flags are fine.
All my real and test keys with only the C flag can't be moved to my card.

Regards.




Re: Separate OpenPGP cards for master key and sub-keys

2013-06-05 Thread Peter Lebbing
On 05/06/13 19:37, Mustrum wrote:
> I'm quite sure the root cause is the "certification only" capacity of my
> key:

I'm quite sure I never had data signature capability on my primary key. And I
moved it to an OpenPGP v2 card, so it worked for me. I did use a 2048-bit key,
but I don't see why that should make a difference.

You could try to temporarily add data signature capability to your primary
key, and see if it accepts it then. Then remove it afterwards. But I can't
come up with something better right now, sorry.

Good luck,

Peter.



Read --status-fd with Expect

2013-06-05 Thread Jack Bates
I am working on non-interactively creating a new subkey, with Expect and 
--status-fd, but I haven't figured out how to read from --status-fd with 
Expect:

$ expect -c '
spawn gpg --status-fd 3 --edit-key 
CF11451A9BF0C50DA6B17B5926FB09F7C0D5639E addkey;
interact'
spawn gpg --status-fd 3 --edit-key 
CF11451A9BF0C50DA6B17B5926FB09F7C0D5639E addkey
gpg: fatal: can't open fd 3 for status output: Bad file descriptor
secmem usage: 0/0 bytes in 0/0 blocks of pool 0/0
$

Has anyone else figured out how to read from --status-fd with Expect?

Thanks!



Re: Separate OpenPGP cards for master key and sub-keys

2013-06-05 Thread Mustrum

On 05/06/2013 20:20, Peter Lebbing wrote:
> On 05/06/13 19:37, Mustrum wrote:
>> I'm quite sure the root cause is the "certification only" capacity
>> of my key:
> 
> I'm quite sure I never had data signature capability on my primary
> key. And I moved it to an OpenPGP v2 card, so it worked for me. I
> did use a 2048-bit key, but I don't see why that should make a
> difference.
> 
> You could try to temporarily add data signature capability to your
> primary key, and see if it accepts it then. Then remove it
> afterwards. But I can't come up with something better right now,
> sorry.
> 
> Good luck,
> 
> Peter.
> 

How can we change a key capability?




Re: Read --status-fd with Expect

2013-06-05 Thread Fraser Tweedale
Hi Jack,

The argument to --status-fd must be an open file descriptor.  Not
sure of a way to open a raw file descriptor in expect, but you could
use mkfifo(1) and the --status-file argument instead, I think.

Regards,

Fraser

On Wed, Jun 05, 2013 at 11:14:27AM -0700, Jack Bates wrote:
> I am working on non-interactively creating a new subkey, with Expect and 
> --status-fd, but I haven't figured out how to read from --status-fd with 
> Expect:
> 
> $ expect -c '
> spawn gpg --status-fd 3 --edit-key 
> CF11451A9BF0C50DA6B17B5926FB09F7C0D5639E addkey;
> interact'
> spawn gpg --status-fd 3 --edit-key 
> CF11451A9BF0C50DA6B17B5926FB09F7C0D5639E addkey
> gpg: fatal: can't open fd 3 for status output: Bad file descriptor
> secmem usage: 0/0 bytes in 0/0 blocks of pool 0/0
> $
> 
> Has anyone else figured out how to read from --status-fd with Expect?
> 
> Thanks!
> 

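The requirement Fraser points at, that the fd named in --status-fd must already be open in the process gpg is spawned from, shown as an added Python example (not from the thread, and not Expect): the parent creates a pipe, keeps its write end across exec with pass_fds, substitutes the real fd number into the command line, and parses the "[GNUPG:] KEYWORD args" lines it reads back. The child here is a constructed stand-in that only writes two status lines; FAKE_GPG, run_with_status_fd and parse_status_lines are names chosen for this example, and the fingerprint is the one from Jack's message.

```python
import os
import subprocess
import sys

STATUS_PREFIX = "[GNUPG:] "


def parse_status_lines(lines):
    """Turn '[GNUPG:] KEYWORD arg...' lines into (keyword, [args]); skip other output."""
    parsed = []
    for line in lines:
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if fields:
            parsed.append((fields[0], fields[1:]))
    return parsed


def run_with_status_fd(argv_template):
    """Spawn argv with a pipe passed as its status fd; "{fd}" in argv becomes the fd number."""
    read_end, write_end = os.pipe()
    argv = [arg.replace("{fd}", str(write_end)) for arg in argv_template]
    # pass_fds keeps write_end open across exec(). Without it the child finds the
    # fd closed, which is exactly the "Bad file descriptor" failure in the thread.
    proc = subprocess.Popen(argv, pass_fds=(write_end,),
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    os.close(write_end)  # parent's copy; EOF on read_end arrives when the child exits
    with os.fdopen(read_end, "r") as status:
        lines = status.read().splitlines()
    proc.wait()
    return parse_status_lines(lines)


# Constructed stand-in for gpg: writes two plausible status lines to the inherited fd.
# For the real tool use ["gpg", "--status-fd", "{fd}", "--edit-key", FPR, "addkey"].
FAKE_GPG = [sys.executable, "-c",
            "import os, sys\n"
            "fd = int(sys.argv[1])\n"
            "os.write(fd, b'[GNUPG:] GET_LINE keyedit.prompt\\n')\n"
            "os.write(fd, b'[GNUPG:] KEY_CREATED S "
            "CF11451A9BF0C50DA6B17B5926FB09F7C0D5639E\\n')\n",
            "{fd}"]


def demo():
    return run_with_status_fd(FAKE_GPG)


if __name__ == "__main__":
    for keyword, args in demo():
        print(keyword, args)
```

With real gpg the GET_LINE status means it is waiting on stdin, so a driver would answer the prompt before reading further; the stand-in above does not block.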