Re: Detached signature ambiguity

2014-11-11 Thread Werner Koch
On Mon, 10 Nov 2014 12:59, pe...@digitalbrains.com said:

> If GnuPG encounters this situation, but file.ext.sig is not a detached
> signature, it could display a big fat warning:
>
> WARNING: file.ext.sig is NOT a detached signature; the file file.ext is
> NOT VERIFIED!

I think this is what I will implement.  In addition verifying a detached
signature in --batch mode will require that both files are given and
fail otherwise.  After all the mode where gpg figures out the data file
is a convenience feature which is indicated by

 gpg: assuming signed data in 'FILE'

in --verbose mode.  This will break scripts using the abbreviated
command line version but it is better they break for a valid signature
than accepting faked signatures.  Note that this bug also affects gpgv.

> This does create some related issues:
>
> gnupg_2.1.0.tar.bz2
> gnupg-2.1.0.tar.bz2.sig

That is an entirely different thing and not a problem of gpg.  You have
the very same problem with all tools and URLs.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Clang with GnuPG 2.1.0

2014-11-11 Thread Werner Koch
On Fri,  7 Nov 2014 19:53, r...@sixdemonbag.org said:

> In file included from /usr/include/netinet/in.h:22:
> In file included from ../gl/stdint.h:83:

That file is the cause of a lot of evil.  gnulib is simply too complex to
use only a small part of it and neglect to update it with each release.
Not updating the gnulib code is actually on purpose because it has been
the cause of many regressions.

I have meanwhile removed the gnulib code but need to add two or three
specific replacement functions which are the only reason gnulib was
used.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: [Announce] GnuPG 2.1.0 "modern" released

2014-11-11 Thread Werner Koch
Hi,

On Thu,  6 Nov 2014 15:22, mailing-li...@asatiifm.net said:

  >> gcc -I/usr/local/Cellar/libgcrypt/1.6.2/include
! >> -I/usr/local/Cellar/libgpg-error/1.13/include
  >> -I/usr/local/Cellar/libassuan/2.1.2/include
! >> -I/usr/local/Cellar/libgpg-error/1.13/include
  >> -I/usr/local/Cellar/libksba/1.3.1/include
! >> -I/usr/local/Cellar/libgpg-error/1.16/include -g -O2 -Wall
  >> -Wno-pointer-sign -Wpointer-arith -o t-sexputil t-sexputil.o
  >> libcommon.a ../gl/libgnu.a -L/usr/local/Cellar/libgcrypt/1.6.2/lib
! >> -lgcrypt -L/usr/local/Cellar/libgpg-error/1.13/lib -lgpg-error
  >> -L/usr/local/Cellar/libassuan/2.1.2/lib -lassuan
! >> -L/usr/local/Cellar/libgpg-error/1.13/lib -lgpg-error
! >> -L/usr/local/Cellar/libgpg-error/1.17/lib -lgpg-error -liconv

I do not know your build setup, but how did you manage to include 2
different versions of libgpg-error - something must be broken in your
setup. Custom CFLAGS set?  A messed up stow(1) tree?


Shalom-Salam,

   Werner



-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: Detached signature ambiguity

2014-11-11 Thread Peter Lebbing
On 11/11/14 09:52, Werner Koch wrote:
> I think this is what I will implement.

How would the warning be triggered? By the extension of the signature
file or by existence of a file without the .sig extension, or even some
other way?

> That is an entire different thing and not a problem of gpg.

If the warning is triggered by existence of a file without the .sig
extension, it does suggest to me that people should not rely on the
warning and thus always specify both the signature file and the signed
file on the command line. Because they might infer by absence of the
warning that the misnamed file has been verified, when the warning is
absent because GnuPG never noticed the misnamed file.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: Detached signature ambiguity

2014-11-11 Thread Werner Koch
On Tue, 11 Nov 2014 11:00, pe...@digitalbrains.com said:

> How would the warning be triggered? By the extension of the signature
> file or by existence of a file without the .sig extension, or even some
> other way?

Using an extension is in general not a good idea but in this case we use
it anyway to determine the matching data file.  Thus we will use both.

> If the warning is triggered by existence of a file without the .sig
> extension, it does suggest to me that people should not rely on the
> warning and thus always specify both the signature file and the signed
> file on the command line. Because they might infer by absence of the

Indeed, this should always be done.  I will also make the 

  gpgv: assuming signed data in 'xzy'

show up always and not just in verbose mode.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
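The practice Werner and Peter settle on above, always naming both files and never letting gpg guess the data file, as an added example that is not part of this thread or of GnuPG itself. It goes slightly beyond the thread by also pinning the signer's fingerprint taken from the VALIDSIG status line; the sample status lines are constructed, and gpg is only needed by verify_detached.

```shell
#!/bin/sh
# Added example (not from the thread or from GnuPG): verify a detached
# signature the explicit way, naming both files, and decide on the
# machine-readable --status-fd output rather than on human-readable text.

# status_ok STATUS_TEXT [EXPECTED_FPR]
# Returns 0 only if a VALIDSIG line is present, no failure line is
# present, and (if given) the signing key fingerprint matches.
status_ok() {
    st=$1
    want=$2
    # Field 3 of the VALIDSIG line is the fingerprint of the signing key.
    fpr=$(printf '%s\n' "$st" | awk '/^\[GNUPG:] VALIDSIG /{print $3; exit}')
    [ -n "$fpr" ] || return 1
    # Any of these means the data must not be trusted, whatever else is printed.
    if printf '%s\n' "$st" | grep -Eq '^\[GNUPG:] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NODATA|NO_PUBKEY)'; then
        return 1
    fi
    [ -z "$want" ] || [ "$fpr" = "$want" ]
}

# verify_detached SIGFILE DATAFILE [EXPECTED_FPR]
# Refuses to run unless both files are named explicitly, so gpg never
# has to "assume signed data in" a file chosen by its name alone.
verify_detached() {
    sig=$1
    data=$2
    if [ -z "$sig" ] || [ -z "$data" ]; then
        echo "usage: verify_detached SIGFILE DATAFILE [FINGERPRINT]" >&2
        return 2
    fi
    [ -f "$sig" ] && [ -f "$data" ] || return 2
    # --status-fd 1 sends the status lines to stdout; all other output goes to stderr.
    st=$(gpg --batch --no-tty --status-fd 1 --verify "$sig" "$data" 2>/dev/null)
    status_ok "$st" "$3"
}

# Constructed status output resembling a good detached signature (not real output).
sample_good() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>' \
        '[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF01234567 2014-11-11 1415700000 0 4 0 1 10 00 00112233445566778899AABBCCDDEEFF01234567'
}

# Constructed status output for a signature that does not match the data.
sample_bad() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>'
}
```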




Re: GnuPG 2.1 Unattended EC Generation

2014-11-11 Thread Nicholas Cole
On Mon, Nov 10, 2014 at 4:41 PM, Werner Koch  wrote:
> On Mon, 10 Nov 2014 12:52, nicholas.c...@gmail.com said:
>
>> How does unattended generation of elliptic curve keys work? As far as
>> I can see, that section of the manual has not been updated for the new
>> EC options, but I presume that it has to work slightly differently.
>> Am I right that key-length is now a no-op?  And how do you specify the
>
> Right, you need to use "Key-Curve" or "Subkey-Curve".  Curve names are
> as supported by Libgcrypt, for example: "nistp256" or "ed25519".

Thanks Werner!

Two smaller problems.

Under previous versions, failing to provide a

Passphrase:

would create a key without a passphrase.  This was useful for testing purposes.

Is that still possible?  In version 2.1, if no password is specified,
gpg2 tries to call pin-entry and ask for a passphrase.

The second problem is that if gpg is called with a non-standard
--homedir the whole thing fails with:

gpg: agent_genkey failed: No pinentry
gpg: key generation failed: No pinentry

I'm sure this means that I'm invoking the new gpg2 and gpg-agent
combination incorrectly.

Sorry for all the flood of questions.  gpg2 "modern" is very exciting,
but getting all the pieces to work as they used to (and making changes
for the new system) is going to take a bit of time!

Best wishes,

N



Re: GnuPG 2.1 Unattended EC Generation

2014-11-11 Thread Werner Koch
On Tue, 11 Nov 2014 12:56, nicholas.c...@gmail.com said:

> Is that still possible?  In version 2.1, if no password is specified,
> gpg2 tries to call pin-entry and ask for a passphrase.

A quick look into the manual (for me the source, but you may want to use
the online version) gives:

  @item %no-protection
  Since GnuPG version 2.1 it is no longer possible to specify a
  passphrase for unattended key generation.  The passphrase command is
  simply ignored and @samp{%ask-passphrase} is thus implicitly enabled.
  Using this option allows the creation of keys without any passphrase
  protection.  This option is mainly intended for regression tests.

Thus by adding 

 %no-protection

to the parameter files you can create a key without a passphrase.

> The second problem is that if gpg is called with a non-standard
> --homedir the whole thing fails with:
>
> gpg: agent_genkey failed: No pinentry

Install a pinentry.  I guess you usually have a 
"pinentry-program" line in your gpg-agent.conf.  With a different home
directory the gpg-agent.conf of that home directory is used.  I suggest
installing a symlink to pinentry into the installation dir of gnupg and
not using "pinentry-program".


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
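The parameter file Werner points to, as an added example that is not from the thread or from GnuPG: unattended ECC key generation with %no-protection and an explicit --homedir, using the nistp256 curve he named. It assumes a gpg 2.1 on PATH with a pinentry installed; the name and e-mail are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from GnuPG): unattended ECC key
# generation for a test suite.  Key-Length is ignored for ECC; the curve is
# chosen with Key-Curve / Subkey-Curve, and %no-protection replaces the
# Passphrase: line that older versions honoured.

# gen_params NAME EMAIL  -> prints a --gen-key parameter file on stdout
gen_params() {
    cat <<EOF
%echo Generating an unprotected ECC test key
Key-Type: ECDSA
Key-Curve: nistp256
Key-Usage: sign
Subkey-Type: ECDH
Subkey-Curve: nistp256
Subkey-Usage: encrypt
Name-Real: $1
Name-Email: $2
Expire-Date: 0
%no-protection
%commit
%echo done
EOF
}

# gen_testkey HOMEDIR NAME EMAIL
# Uses a private home directory so the test never touches the real keyring.
# The gpg-agent started for that directory reads its own gpg-agent.conf, so
# a pinentry must be installed where gpg finds it, not only configured in ~/.gnupg.
gen_testkey() {
    homedir=$1
    mkdir -p "$homedir" && chmod 700 "$homedir"
    gen_params "$2" "$3" > "$homedir/keyparams"
    gpg --batch --homedir "$homedir" --gen-key "$homedir/keyparams" || return 1
    # Show the keygrips so the caller can locate the new key material later
    gpg --batch --homedir "$homedir" --list-secret-keys --with-keygrip
}
```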




Re: GnuPG 2.1 Unattended EC Generation

2014-11-11 Thread Nicholas Cole
I'm so sorry, Werner. I thought I'd checked the manual. Huge apologies.

On Tuesday, 11 November 2014, Werner Koch  wrote:

> On Tue, 11 Nov 2014 12:56, nicholas.c...@gmail.com  said:
>
> > Is that still possible?  In version 2.1, if no password is specified,
> > gpg2 tries to call pin-entry and ask for a passphrase.
>
> A quick look into the manual (for me the source, but you may want to use
> the online version) gives:
>
>   @item %no-protection
>   Since GnuPG version 2.1 it is no longer possible to specify a
>   passphrase for unattended key generation.  The passphrase command is
>   simply ignored and @samp{%ask-passphrase} is thus implicitly enabled.
>   Using this option allows the creation of keys without any passphrase
>   protection.  This option is mainly intended for regression tests.
>
> Thus by adding
>
>  %no-protection
>
> to the parameter files you can create a key without a passphrase.
>
> > The second problem is that if gpg is called with a non-standard
> > --homedir the whole thing fails with:
> >
> > gpg: agent_genkey failed: No pinentry
>
> Install a pinentry.  I guess you usually have a
> "pinentry-program" line in your gpg-agent.conf.  With a different home
> directory the gpg-agent.conf of that home directory is used.  I suggest
> installing a symlink to pinentry into the installation dir of gnupg and
> not using "pinentry-program".
>
>
> Shalom-Salam,
>
>Werner
>
> --
> Thoughts are free.  Exceptions are regulated by a federal law.
>
>


GnuPG 2.1 and Mailpile (LWN comments) about GPGME

2014-11-11 Thread Bernhard Reiter
In https://www.mailpile.is/blog/2014-10-07_Some_Thoughts_on_GnuPG.html
the Mailpile developers would like to replace GnuPG with something better
and for the short term propose to extend GnuPG with a command line JSON
interface.

I've commented on the article under the LWN news about the GnuPG 2.1.0 release
https://lwn.net/Articles/619337/ as follows:

"If Smári's thoughts on GnuPG reveal something, it is that we need to spread 
more knowledge about how GnuPG works. In the post, the supported API of 
GnuPG, GPGME is misspelled and the current python libraries for interacting 
with it were not identified. http://wiki.gnupg.org/APIs shows that pyme has 
moved to a new location with 0.9 published in May 2014 and the alternative 
pygpgme's 0.3 is from 2012. There is example code which is nice to work with.

Of course the command line interface is not the best stable interface to 
program GnuPG, it is because it is used as an interface to humans using the 
command line. GPGME is much better, of course it can be improved further.

Yes, Werner and his company g10code need your support, see 
http://g10code.com/index.html#sec-1-1 . (Full disclosure: My company 
Intevation is a business partner of g10code.)"

Bernhard


-- 
www.intevation.de/~bernhard (CEO)    www.fsfe.org (Founding GA Member)
Intevation GmbH, Osnabrück, Germany; Amtsgericht Osnabrück, HRB 18998
Owned and run by Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner




Re: [Announce] GnuPG 2.1.0 "modern" released

2014-11-11 Thread Ville Määttä
Hi,

That’s somehow just the result of running ./configure. Running a fresh (fresh 
untarred source, no speedo runs) configure reported this for me:

…
configure: checking for libraries
checking for gpg-error-config... /usr/local/bin/gpg-error-config
checking for GPG Error - version >= 1.15... yes (1.17)
checking for libgcrypt-config...
…

That’s a homebrew installed /usr/local/Cellar/libgpg-error/1.17.

I don’t have CFLAGS set to anything. Mac OS X 10.9 and using homebrew for most 
things. The only thing I do is run ./configure && make in the untarred 
gnupg-2.1.0. I wouldn’t be surprised if there’s something special in the system 
but I’m not consciously doing anything other than the usual make routine.

I also just did a fresh run of speedo.mk and in that case got the same error as 
Nicholas originally reported (“_default_errsource”).

-- 
Ville

On 11 Nov 2014, at 11:28, Werner Koch  wrote:

> Hi,
> 
> On Thu,  6 Nov 2014 15:22, mailing-li...@asatiifm.net said:
> 
>>> gcc -I/usr/local/Cellar/libgcrypt/1.6.2/include
> ! >> -I/usr/local/Cellar/libgpg-error/1.13/include
>>> -I/usr/local/Cellar/libassuan/2.1.2/include
> ! >> -I/usr/local/Cellar/libgpg-error/1.13/include
>>> -I/usr/local/Cellar/libksba/1.3.1/include
> ! >> -I/usr/local/Cellar/libgpg-error/1.16/include -g -O2 -Wall
>>> -Wno-pointer-sign -Wpointer-arith -o t-sexputil t-sexputil.o
>>> libcommon.a ../gl/libgnu.a -L/usr/local/Cellar/libgcrypt/1.6.2/lib
> ! >> -lgcrypt -L/usr/local/Cellar/libgpg-error/1.13/lib -lgpg-error
>>> -L/usr/local/Cellar/libassuan/2.1.2/lib -lassuan
> ! >> -L/usr/local/Cellar/libgpg-error/1.13/lib -lgpg-error
> ! >> -L/usr/local/Cellar/libgpg-error/1.17/lib -lgpg-error -liconv
> 
> I do not know your build setup, but how did you manage to include 2
> different versions of libgpg-error - something must be broken in your
> setup. Custom CFLAGS set?  A messed up stow(1) tree?
> 
> 
> Shalom-Salam,
> 
>   Werner
> 
> 
> 
> -- 
> Thoughts are free.  Exceptions are regulated by a federal law.
> 





SSH generic socket forwarding for gpg-agent

2014-11-11 Thread Matthew Monaco
Does anyone have gpg-agent forwarding working with SSH's recent generic socket
forwarding? Does it still require socat on one end, because I've only been able
to specify a socket path on the left-hand side of the forwarding specification.





GnuPG 2.1.0 Merging secret key

2014-11-11 Thread Mustrum
Hi all,

I'm merging one of my 'old' sub-keys into another key-pair.
It kept the same keygrip but got a new ID/fingerprint.

How can I use that new subkey to decrypt something encrypted to my 'old'
subkey?

Regards




Re: [Announce] GnuPG 2.1.0 "modern" released

2014-11-11 Thread Werner Koch
On Tue, 11 Nov 2014 15:59, mailing-li...@asatiifm.net said:

> I don’t have CFLAGS set to anything. Mac OS X 10.9 and using homebrew
> for most things. The only thing I do is run ./configure && make in the
> untarred gnupg-2.1.0. I wouldn’t be surprised if there’s something

I don't know any details about homebrew but it seems to install software
in versioned directories. I guess it is missing a dependency tracker and
thus when installing Libgcrypt an older (but sufficient) version of
libgpg-error gets installed alongside.  GnuPG does not pick up that one
but a different installation of libgpg-error and thus you run into these
problems.

May someone with more OS X experience look at the problem?


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: GnuPG 2.1 and Mailpile (LWN comments) about GPGME

2014-11-11 Thread Werner Koch
On Tue, 11 Nov 2014 15:21, bernh...@intevation.de said:
> In https://www.mailpile.is/blog/2014-10-07_Some_Thoughts_on_GnuPG.html
> the Mailpile developers would like to replace GnuPG with something better
> and for the short term propose to extend GnuPG with a command line JSON 

I have a reply in the works but there are more important tasks right
now.

JSON seems to be the new standard of the year (it is actually far easier
to work with - the C parser/builder I use has a mere 1300 lines).  I
don't like to play catch-up with the current whatever data presentation
standard.  But if someone likes to do that: it is pretty easy to add a
JSON interface to gpgme-tool as an alternative to the XML output.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: [Announce] GnuPG 2.1.0 "modern" released

2014-11-11 Thread Ville Määttä
No worries on my part.

> it seems to install software in versioned directories.

Exactly, under /usr/local… and without messing with the system installed 
binaries or libraries. Some things, like openssl libraries, it will not link 
automatically to avoid some issues with system provided libraries, but most 
things are then symlinked to the usual places to provide the brew installed 
binaries, etc.

> I guess it is missing a dependency tracker and
> thus when installing Libgcrypt an older (but sufficient) version of
> libgpg-error gets installed alongside.

It actually tracks dependencies very well… for anything installed and built 
with Homebrew. It’s a bit like speedo.mk for everything, or the missing apt-get 
for Mac, some things are “bottled” binaries, some things it’ll build for you, 
in any case pulling any dependencies as needed.

In this case when trying to build a tarred source brew is not in the picture at 
all and all dependency handling is manual / left for the source configure 
scripts. And things don’t quite work although the configure script gives an OK 
on the pre-make checklist.

I really have no rush with this. Just debugging for others and happily using 
the stable branch.

I can dig into this myself at some point. It’s also possible whoever is 
maintaining the homebrew repo for gnupg might solve the issue and push an 
update there.

-- 
Ville

On 11 Nov 2014, at 21:04, Werner Koch  wrote:

> On Tue, 11 Nov 2014 15:59, mailing-li...@asatiifm.net said:
> 
>> I don’t have CFLAGS set to anything. Mac OS X 10.9 and using homebrew
>> for most things. The only thing I do is run ./configure && make in the
>> untarred gnupg-2.1.0. I wouldn’t be surprised if there’s something
> 
> I don't know any details about homebrew but it seems to install software
> in versioned directories. I guess it is missing a dependency tracker and
> thus when installing Libgcrypt an older (but sufficient) version of
> libgpg-error gets installed alongside.  GnuPG does not pick up that one
> but a different installation of libgpg-error and thus you run into these
> problems.
> 
> May someone with more OS X experience look at the problem?
> 
> 
> Salam-Shalom,
> 
>   Werner
> 
> -- 
> Thoughts are free.  Exceptions are regulated by a federal law.
> 





Re: GPG 2.1.0/Win32: keyserver lookup problems

2014-11-11 Thread MichaelQuigley
"Gnupg-users"  
wrote on 11/08/2014 12:54:30 PM:
> - Message from Werner Koch  on Fri, 07 Nov 2014 
> 17:32:49 +0100 -
> 
> To:
> 
> "Robert J. Hansen" 
> 
> cc:
> 
> gnupg-users@gnupg.org
> 
> Subject:
> 
> Re: GPG 2.1.0/Win32: keyserver lookup problems
> 
> On Thu,  6 Nov 2014 20:09, r...@sixdemonbag.org said:
> 
> > getting all different kinds of weird errors, from the keyserver helper
> > not being able to communicate with the outside world, to GnuPG
> 
> Well, there are no more keyserver helpers.  All is done by dirmngr.
> 
> > swearing it's created output but no output file being created (!!), to
> 
> Hmmm, I can't see that.
> 

If your system is trying to write to the Program Files directory, look in 
the VirtualStore. This can be found at 

C:\Users\{YourUserID}\AppData\Local\VirtualStore

I've been bitten by several applications where files end up there instead of 
the original location. I forget, but I think this feature was introduced 
in Vista--don't hold me to that.

> > (The "GnuPG insists it's created output, but none exists" -- this one
> > was so surreal that I was seriously considering whether I was
> 
> Sorry, I can't replicate that.  Well, with the fixed version but I
> didn't touch anything relevant in gpg.exe.
> 

Again, check for the results in VirtualStore.

> > So I repeated the same command line.  This time, GnuPG told me the
> > file foo.asc already existed, and did I want to overwrite it?
> 
> Is that some weird Windows symlink setup?
> 



Re: Tweeting for GnuPG

2014-11-11 Thread Aaron Toponce
On Wed, Nov 05, 2014 at 09:21:14PM +0100, Werner Koch wrote:
> I am looking for one or two people who would like to fill the @gnupg
> Twitter account with some life.
> 
> I am not one of those short message people but Twitter seems to be a big
> deal these days.  Thus if someone would be interested to post short
> stuff there on a regular base we can arrange for it.  We have 1400
> followers right now.  Anyone?

If there is still need for this, I don't mind stepping in. Most of my personal
tweets belong in the crypto topic. So long as guidelines and expectations are
established on what should be tweeted and when, I could probably fill this
role.

FYI.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




GnuPG 2.1.0: --refresh-keys regression

2014-11-11 Thread Luis Ressel
Hello,

One of the changes introduced with GnuPG 2.1 -- namely, using dirmngr
for key retrieval -- has caused some problems for me. First of all, I'm
not able to use gpg --refresh-keys anymore, as dirmngr requests all of
the keys from the keyserver at once, instead of one-by-one as GnuPG 2.0
did.

For keyrings with more than approx. 70 keys, the keyserver
(sks-keyservers.net) denies the request, thereby causing the error
gpg: keyserver refresh failed: Too many objects
and failure to receive any key updates.

I assume keymngr should handle this in a better way (or is it wrong for
the keyservers to deny such requests?)

dirmngr also seems to have problems with hkps certificate checking for
keyserver addresses with round-robin DNS, but I need to examine this
further before I can provide details.


Regards,
Luis Ressel

-- 
Luis Ressel 
GPG fpr: F08D 2AF6 655E 25DE 52BC  E53D 08F5 7F90 3029 B5BD
