Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-19 Thread Werner Koch
On Wed, 18 Feb 2015 20:24, d...@fifthhorseman.net said:

>> as did a few other maintainers. However there was not only not a 
>> consensus to do this more generally, there was active opposition to 
>> doing it at all.
>
> that's a bummer :( 

I guess that is a GPL issue.  They don't want any GPLed stuff for the
core.  However, there are other implementations and in particular a
signature verification tool is pretty simple.  It might even make sense
to write one stripped down for the Ed25519 signature verification.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Help need to use truecryt + openpgp applet.

2015-02-19 Thread Pete Stephenson
On Thu, Feb 19, 2015 at 5:53 AM, Ranjini H.K  wrote:
> Hi all,
>
> Am trying to implement disk encryption/decryption using truecrypt with
> security token support. I have a java card with openPGP applet loaded on to
> it. In spite of configuring truecrypt to use the security token, it's not
> finding it and notifying me with an error saying: security token error
> "FUNCTION NOT SUPPORTED ".

Considering the way it was abandoned by its developers, TrueCrypt is
probably not the best choice going forward.

That said, TrueCrypt only supports smartcards that use PKCS #11
libraries. Does the JavaCard you're using support PKCS #11? Does the
OpenPGP applet?

-- 
Pete Stephenson



Re: Help need to use truecryt + openpgp applet.

2015-02-19 Thread Ranjini H.K
Thanks Pete Stephenson.
Yes my java card supports PKCS#11. Am not so sure about OpenPGP applet.
What should I do otherwise to make my OpenPGP applet support PKCS#11?

Ranjini HK

Software Engineer - Tyfone, Inc.

Bangalore
www.tyfone.com

Mobile: +91-9886262192

On Thu, Feb 19, 2015 at 1:46 PM, Pete Stephenson  wrote:

> On Thu, Feb 19, 2015 at 5:53 AM, Ranjini H.K  wrote:
> > Hi all,
> >
> > Am trying to implement disk encryption/decryption using truecrypt with
> > security token support. I have a java card with openPGP applet loaded on to
> > it. In spite of configuring truecrypt to use the security token, it's not
> > finding it and notifying me with an error saying: security token error
> > "FUNCTION NOT SUPPORTED ".
>
> Considering the way it was abandoned by its developers, TrueCrypt is
> probably not the best choice going forward.
>
> That said, TrueCrypt only supports smartcards that use PKCS #11
> libraries. Does the JavaCard you're using support PKCS #11? Does the
> OpenPGP applet?
>
> --
> Pete Stephenson
>


Re: 2.1.2: keyserver route failure

2015-02-19 Thread Werner Koch
On Wed, 18 Feb 2015 20:13, d...@fifthhorseman.net said:

> Reasonable IPv6 stacks should return an ENETUNREACH (Network is
> unreachable) error message when trying to connect() to an address for
> which there is no route, which should already cause dirmngr to failover

The error handler after a connect does this:

  switch (gpg_err_code (err))
    {
    case GPG_ERR_ECONNREFUSED:
    case GPG_ERR_ENETUNREACH:
    case GPG_ERR_UNKNOWN_HOST:
    case GPG_ERR_NETWORK:
      if (mark_host_dead (request) && *tries_left)
        retry = 1;
      break;
 
By setting RETRY the connect will be retried after selecting another
random host.  However there is a retry limit of 3.  Thus if we happen to
select 3 v6 hosts the keyserver action will fail but the next time it
should work.

Need to replicate the problem and check that we really receive the right
error code.

> Should gnupg also try to detect whether the IPv4 networking
> configuration is actually correct?  That seems like an operating system

Better error reporting would be useful, though.

> level task.  I certainly don't want all of my client software to always
> try to second-guess my networking stack, that sounds like a recipe for

dirmngr is a bit special in that it does its own host selection from the
DNS pool instead of leaving it to the usual round-robin scheme.  We want
that to recover from host failures without waiting for the resolver
cache to expire.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
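
The retry behaviour described in the message above, as an added example that is not part of the original message and is not dirmngr's code. It models a constructed pool of three IPv6 and two IPv4 hosts on a machine without an IPv6 route; all names (`sample_pool`, `select_host`, `handle_connect_error`, `keyserver_action`), the addresses, the deterministic selection used in place of the random one, and the reading of the limit as three connect attempts are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_TRIES 3   /* assumption: "retry limit of 3" = three connect attempts */

enum conn_result {
    CONN_OK, CONN_ECONNREFUSED, CONN_ENETUNREACH, CONN_UNKNOWN_HOST,
    CONN_NETWORK, CONN_OTHER  /* CONN_OTHER: any error outside the four listed */
};

struct host {
    const char *addr;         /* constructed documentation-range address */
    enum conn_result result;  /* what a connect to this host yields here */
    int dead;                 /* set on failure; persists across actions */
};

struct action_report {
    int success;
    int attempts;
    const char *served_by;    /* NULL unless success */
    enum conn_result last_error;
};

/* Constructed pool as seen from a machine without an IPv6 route. */
struct host sample_pool[] = {
    { "2001:db8::1", CONN_ENETUNREACH, 0 },
    { "2001:db8::2", CONN_ENETUNREACH, 0 },
    { "2001:db8::3", CONN_ENETUNREACH, 0 },
    { "192.0.2.10",  CONN_OK,          0 },
    { "192.0.2.11",  CONN_OK,          0 },
};
#define SAMPLE_N (sizeof sample_pool / sizeof sample_pool[0])

/* Stand-in for the random choice: first live host at or after `start`. */
struct host *select_host(struct host *pool, size_t n, size_t start)
{
    for (size_t k = 0; k < n; k++) {
        struct host *h = &pool[(start + k) % n];
        if (!h->dead)
            return h;
    }
    return NULL;              /* no live host left */
}

/* Same shape as the switch in the message: mark dead, retry while tries remain. */
int handle_connect_error(struct host *h, enum conn_result err, int tries_left)
{
    switch (err) {
    case CONN_ECONNREFUSED:
    case CONN_ENETUNREACH:
    case CONN_UNKNOWN_HOST:
    case CONN_NETWORK:
        h->dead = 1;
        return tries_left > 0;
    default:
        return 0;             /* host stays live, no reselection */
    }
}

/* One keyserver action: select, connect, reselect on a retryable error. */
struct action_report keyserver_action(struct host *pool, size_t n, size_t start)
{
    struct action_report rep = { 0, 0, NULL, CONN_OK };
    int tries_left = MAX_TRIES;
    struct host *h;
    while ((h = select_host(pool, n, start)) != NULL) {
        rep.attempts++;
        tries_left--;
        rep.last_error = h->result;
        if (h->result == CONN_OK) {
            rep.success = 1;
            rep.served_by = h->addr;
            break;
        }
        if (!handle_connect_error(h, h->result, tries_left))
            break;
    }
    return rep;
}

size_t count_dead(const struct host *pool, size_t n)
{
    size_t dead = 0;
    for (size_t i = 0; i < n; i++)
        dead += pool[i].dead != 0;
    return dead;
}

int main(void)
{
    for (int run = 1; run <= 2; run++) {
        struct action_report r = keyserver_action(sample_pool, SAMPLE_N, 0);
        printf("action %d: %s after %d attempt(s), %zu host(s) marked dead\n",
               run, r.success ? r.served_by : "failed", r.attempts,
               count_dead(sample_pool, SAMPLE_N));
    }
    return 0;
}
```

The first action fails after three attempts with the three IPv6 hosts marked dead; the second action, run against the same pool state, succeeds on its first attempt.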




Re: GNUPG 2.* and AIX - questions

2015-02-19 Thread Werner Koch
On Sun, 15 Feb 2015 12:16, aixto...@gmail.com said:

> I took the hint and tried to package gnu/nth but make fails - immediately -
> with this message.

You might find something about this in bugs.gnupg.org.  I have not tried
gnupg 2.0.x on AIX for many years thus it is quite possible that you run
into problems, possibly due to newer AIX versions.

However, GnuPG 2.1 builds and works fine on AIX.  I even test it from
time to time.  Thus instead of settling on 2.0 you may want to jump
directly from 1.4 to 2.1.  2.0 will be maintained for some time
but probably not more than two years from now.

> p.s. please forgive the cross post to @devel - not sure which is the best
> list for this question.

Both make sense ;-)


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: Compiled binaries execute but exit with "Abort"

2015-02-19 Thread Errol Casey
Thanks. Now to figure out why make check fails but make works without
error. Are there dependencies besides pth for libgpg-error?

make  check-TESTS
bash: line 5: 11699 Abort   (core dumped) ${dir}$tst
FAIL: t-version
Unspecified source: Success
gcrypt: Invalid length specifier in S-expression
GnuPG: Unknown packet
GpgSM: Certificate too young
GPG Agent: Bad CA certificate
Pinentry: Operation cancelled
SCD: Card removed
GPGME: Bad secret key
Keybox: Unknown error code
bash: line 5: 11708 Abort   (core dumped) ${dir}$tst
FAIL: t-strerror
bash: line 5: 11714 Abort   (core dumped) ${dir}$tst
FAIL: t-syserror
bash: line 5: 11719 Abort   (core dumped) ${dir}$tst
FAIL: t-lock
bash: line 5: 11724 Abort   (core dumped) ${dir}$tst
FAIL: t-printf
==
5 of 5 tests failed
Please report to http://bugs.gnupg.org
==
*** Error code 1


On Wed, Feb 18, 2015 at 9:46 AM, Werner Koch  wrote:

> On Wed, 18 Feb 2015 14:18, er...@askerrol.org said:
>
> > #0  0xfedc28a4 in abort () from /lib/libc.so.1
> > #1  0xff15367c in get_lock_object (lockhd=0xff16e3b0) at posix-lock.c:111
>
> That is an assert() checking that the used library matches the one used
> for building.  This is all in libgpg-error - please build libgpg-error
> and check that "make check" works.
>
>
> Shalom-Salam,
>
>Werner
>
> --
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
>
>


-- 
Errol Casey
er...@askerrol.org


Re: Help need to use truecryt + openpgp applet.

2015-02-19 Thread Richard Ulrich
Hi Ranjini,

Does it have to be truecrypt?
LUKS works very well with OpenPGP SmartCards or JavaApplets implementing
it (e.g. YubiKey NEO).
Just follow the steps in this blog post:
https://blog.kumina.nl/2010/07/two-factor-luks-using-ubuntu

Rgds
Richard

On Thursday, 19.02.2015, 13:53 +0530, Ranjini H.K wrote:
> Thanks Pete Stephenson.
> Yes my java card supports PKCS#11. Am not so sure about OpenPGP applet.
> What should I do otherwise to make my OpenPGP applet support PKCS#11?
> 
> Ranjini HK
> 
> Software Engineer - Tyfone, Inc.
> 
> Bangalore
> www.tyfone.com
> 
> Mobile: +91-9886262192
> 
> On Thu, Feb 19, 2015 at 1:46 PM, Pete Stephenson  wrote:
> 
> > On Thu, Feb 19, 2015 at 5:53 AM, Ranjini H.K  wrote:
> > > Hi all,
> > >
> > > Am trying to implement disk encryption/decryption using truecrypt with
> > > security token support. I have a java card with openPGP applet loaded on to
> > > it. In spite of configuring truecrypt to use the security token, it's not
> > > finding it and notifying me with an error saying: security token error
> > > "FUNCTION NOT SUPPORTED ".
> >
> > Considering the way it was abandoned by its developers, TrueCrypt is
> > probably not the best choice going forward.
> >
> > That said, TrueCrypt only supports smartcards that use PKCS #11
> > libraries. Does the JavaCard you're using support PKCS #11? Does the
> > OpenPGP applet?
> >
> > --
> > Pete Stephenson
> >
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users





Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-19 Thread Jonathan Schleifer
On 18.02.2015 at 15:57, Werner Koch wrote:

>> git commit -S 
>> 
>> You can just create an alias for that, I for example use git ci.
> 
> I know that but I would like to have a different key for tag and commit.
> Requiring an option is just too cumbersome.

I don't really see how that is cumbersome if you have an alias for tag and for 
commit that each specify the key you want?

As an aside, what's the reason for not signing the commits with the key on the 
card? I sign all my commits with the key stored on my Gnuk. What is kinda 
annoying though is if you set commit.gpgsign = true, as it will then even sign 
git stash etc. and ask you to enter the PIN all the time. Which is why I have 
an alias git ci for git commit -S, as I only want to sign commits, not 
temporary state.

--
Jonathan




Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-19 Thread Jonathan Schleifer
On 18.02.2015 at 16:05, Werner Koch wrote:

> I also do this often to avoid cluttering the screen.  No need to assume
> a backdoor.  It is for a Mac and Mac users want a clean tty ;-)

I also like @ to hide useless output, but is downloading *and executing* from a 
remote location really something you should hide? Especially if everything else 
isn't hidden?

--
Jonathan




Re: Help need to use truecryt + openpgp applet.

2015-02-19 Thread Matthias-Christian Ott
On 2015-02-19 09:23, Ranjini H.K wrote:
> Yes my java card supports PKCS#11. Am not so sure about OpenPGP applet.
> What should I do otherwise to make my OpenPGP applet support PKCS#11?

Your Java Card does probably not support PKCS #11. An applet on the card
might implement it. To make it work, you need a PKCS #11 middleware and
tell TrueCrypt about it (Settings > Security Tokens... > PKCS #11
Library Path). If you are using an applet that is supported by OpenSC,
you can use OpenSC. Otherwise you have to resort to the proprietary
middleware supplied by the vendor. OpenPGP cards should be supported by
OpenSC and should be usable with TrueCrypt [1]. There is also a
proprietary PKCS #11 library that should provide a PKCS #11 interface
for OpenPGP cards [2]. Otherwise you can try Scute [3].

That said, it is probably better to ask on the OpenSC mailing list [4]
about PKCS #11.

The Java Card OpenPGP applet seems to be maintained by Yubico at the
moment [5].

Regards,
Matthias-Christian

[1] https://github.com/OpenSC/OpenSC/issues/125
[2] http://smartcard-auth.de/download-de.html
[3] http://www.scute.org/
[4] http://sourceforge.net/p/opensc/mailman/
[5] https://github.com/Yubico/ykneo-openpgp



Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-19 Thread Peter Lebbing

On 2015-02-19 18:16, Jonathan Schleifer wrote:

> I also like @ to hide useless output, but is downloading *and
> executing* from a remote location really something you should hide?
> Especially if everything else isn't hidden?


I can understand you're pretty darn pissed off that they executed 
untrusted remote code on your computer, which, I think, explains why 
you're "lashing out" so strongly. And I also think that it was truly 
poorly designed. But I find your quest for bad faith on their part a bit 
far fetched... Never attribute to malice that which is adequately 
explained by stupidity.[1][2]


By now, you should probably cool down a bit. I'd say you've made your 
point.


Peter.

[1] https://en.wikipedia.org/wiki/Hanlon%27s_razor ; apparently after 
Robert J. Hanlon, not Hansen ;P
[2] Although with security software, a bit of healthy paranoia can be 
warranted, IMHO.


--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-19 Thread Ville Määttä
On 17.02.15 23:32, Lukas Pitschl wrote:
> The best way to reach us is either our support platform at 
> https://gpgtools.tenderapp.com or t...@gpgtools.org.

Ok, that link explains the certificate and it makes more sense. I can
see you've already changed at least the first link to the support site
on the front page. Great.

-- 
Ville





Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-19 Thread Ville Määttä
On 18.02.15 07:21, Werner Koch wrote:
>> command line tools. *I think there is no more reason to develop
>> MacGPG*, i.e. a port, anymore. Let the port die.
> Can you briefly explain how Patrick's new installer [1] is related to that?
> Would it be an option to use that as the core for gpgtools?
> 
> [1] https://sourceforge.net/p/gpgosx/docu/Download/
> 

I haven't tried Patrick's installer but it should be a fine option as
the core. The Mail plug-in should work just fine with 2.1 like it works
with upstream 2.0.* builds. I'm not aware of any specific need for
MacGPG in that regard. Same goes for the other little helpers.

The things that would require a little changing are the launchd
templates that are used to start gpg-agent et al. I've been using my own
templates already before and with 2.1 it's even simpler as per the
changes to related gpg-agent. This sort of a script is not even
necessary unless one needs SSH support which I do. I've attached my new
template here.

I know, that's a lot of /shoulds/ :). There is an existing ticket [1]
for MacGPG upgrade to 2.1 and it links to a couple of their support
requests [2] [3], one of them mentions the need to /"first have to adapt
our library which is responsible for communicating with the gnupg
binary"/. Lukas, maybe you could comment on the other tools'
dependencies with MacGPG, if any.

[1]:
https://gpgtools.lighthouseapp.com/projects/66001/tickets/142-update-to-gnupg-21
[2]:
https://gpgtools.tenderapp.com/discussions/problems/29108-gnupg-21-ecc-is-now-in-stable
[3]:
https://gpgtools.tenderapp.com/discussions/suggestions/150-gnupg-21-modern-for-mac

-- 
Ville

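<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.ruriat.gpgagent</string>
	<key>ProgramArguments</key>
	<array>
		<string>/usr/local/gpg21/bin/gpgconf</string>
		<string>--launch</string>
		<string>gpg-agent</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
	<key>StandardErrorPath</key>
	<string>/dev/null</string>
	<key>StandardOutPath</key>
	<string>/dev/null</string>
	<key>ServiceDescription</key>
	<string>Run gpg-agent at login.</string>
</dict>
</plist>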





Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-19 Thread Ville Määttä
On 18.02.15 07:21, Werner Koch wrote:
>> wrappers or fixes upstream. Case in point: Has the fix for gpg-agent /
>> scdaemon hang been discussed upstream at all [4], [5]? In MacGPG there
>> is still ../libexec/gnupg-pcsc-wrapper which has been modified in
>> commit f4c3e1bb to fix the issues of scdaemon hanging in Yosemite
>> [6]. GnuPG proper has removed it in bc6b45 [7]. How would one go about
> I just tried to figure out what this is about.  The problem description
> is pretty clear but I can't easily find a description of the solution.
> I don't think this has been discussed upstream.
>
> Right, in 2.1 there is no more need for the pcsc-wrapper because we
> switched from Pth to native threads (wrapped by the nPth library).
> 

Yep, unfortunately it would appear the same or identical issue does
occur with a speedo build of 2.1.2. The issue is essentially that
smartcard works for the first time but once some-indeterminate-time has
passed, gpg just hangs. No pinentry, nothing just happens. /Will need to
troubleshoot this further on 2.1.2 to try to find out more./

>> fixing this issue for upstream? Has GPGTools contributed anything
>> regarding this other than the initial discussion[8] about the issue?
> 
> There was no followup on my answer.  As we all know mailing lists are a
> primary source to evaluate problems and thus it is usually a good idea
> to post the found or not-found solution.

I think we might want to move some of this discussion to gnupg-devel
side at some point.

-- 
Ville





Re: Help need to use truecryt + openpgp applet.

2015-02-19 Thread Werner Koch
On Thu, 19 Feb 2015 18:22, o...@mirix.org said:

> Your Java Card does probably not support PKCS #11. An applet on the card
> might implement it. To make it work, you need a PKCS #11 middleware and

PKCS#11 is an API between two applications.  It is not directly related
to smartcards.  However, it is very common that the smart card driver
software (on the host) provides a PKCS#11 interface towards
applications.  (Scute can be considered a smartcard card driver
software.)

PKCS#15 is a standard which some cards implement and what OpenSC is
mostly about.  PKCS#15 is for cards what FHS (Filesystem Hierarchy
Standard) is for Linux.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-19 Thread Werner Koch
On Thu, 19 Feb 2015 18:15, js-gnupg-us...@webkeks.org said:

> I don't really see how that is cumbersome if you have an alias for tag
> and for commit that each specify the key you want?

Because it is too easy to forget about it.  And I would need to teach
Magit.  I started to use a new key for commits.  Let's hope that I don't
forget to tag the releases with the other key.

> As an aside, what's the reason for not signing the commits with the
> key on the card? I sign all my commits with the key stored on my

Because I have to enter the PIN every time (right, I do this on purpose),
the RSA signatures are long, and I do not keep my signing key card
inserted all the time.  In fact I have to walk out of the office to pick
it up.

Using an on-disk key for commits is okay because it only serves the purpose
to assert that the commit was done on one of my machines.  If that
machine has been compromised all kinds of things can be manipulated and
thus the extra protection a smartcard gives is not useful.


Shalom-Salam,

   Werner


ps. Here is the key I started to use for commits.

pub   ed25519/E3FDFF218E45B72B 2015-02-18 [expires: 2025-02-15]
  Key fingerprint = C1D3 4B69 219E 4AEE C0BA  1C21 E3FD FF21 8E45 B72B
uid   [ unknown] Werner Koch (wheatstone commit signing)


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-19 Thread Werner Koch
On Thu, 19 Feb 2015 18:16, js-gnupg-us...@webkeks.org said:

> I also like @ to hide useless output, but is downloading *and
> executing* from a remote location really something you should hide?
> Especially if everything else isn't hidden?

Okay, someone please write a noscript extension for the loader ;-)


Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-19 Thread Ville Määttä
On 18.02.15 13:05, Jonathan Schleifer wrote:
>> > Upstream still does have the issue which now seems to have been fixed in 
>> > the fork but in a binary removed from upstream…
> I really can not confirm this. I am running vanilla GnuPG 2.1.2 (built from 
> source) on Yosemite (10.10.2 to be exact) with a Gnuk without any problems.

Previously I was running brewed 2.0.26. And now I've experienced the
similar issue with a speedo build of 2.1.2. There's still definitely
something going awry but I'll need to do some more testing to find out more.

I'm using the FSFE card and the issue is a hang when it should be asking
for PIN.

> I suppose it might be a good idea to have a Qt GUI.

I kinda had that in mind :). QT 4 is going out of support very soon,
i.e. sometime this year. Surely someone from the KDE / larger community
using pinentry-qt4 has been working on a QT 5 version of pinentry?

-- 
Ville





Re: Compiled binaries execute but exit with "Abort"

2015-02-19 Thread Werner Koch
On Thu, 19 Feb 2015 12:01, er...@askerrol.org said:
> Thanks. Now to figure out why make check fails but make works without
> error. Are there dependencies besides pth for libgpg-error?

Are you using a recent Pth version?  I recall that older Pth versions
had problems when used by programs which also make use of pthreads.
That was actually the reason for the pcsc-wrapper used by scdaemon.

My tests indicated that there was no more problem - on Linux.  However,
this might be because glibc implements mutex directly and not in
libpthread.  Thus we may have the same conflict as we had with older
glibc versions.

A solution for you might be to go back to libgpg-error 1.12 which has no
mutexes and thus no need for pthreads.

I doubt that we can do a real fix for that.  I dropped Pth support for a
reason ;-).  The only thing I can imagine is an environment variable
forcing libgpg-error to entirely disable the mutex support.


Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-19 Thread Jonathan Schleifer
On 19.02.2015 at 20:08, Werner Koch wrote:

> Because I have to enter the PIN every time (right, I do this on purpose),
> the RSA signatures are long, and I do not keep my signing key card
> inserted all the time.  In fact I have to walk out of the office to pick
> it up.

Another approach is to not sign them when working on it and only signing them 
before pushing using git rebase. I do agree that it's sometimes annoying to 
always plug it in and out again.

> ps. Here is the key I started to use for commits.
> 
> pub   ed25519/E3FDFF218E45B72B 2015-02-18 [expires: 2025-02-15]
>  Key fingerprint = C1D3 4B69 219E 4AEE C0BA  1C21 E3FD FF21 8E45 B72B
> uid   [ unknown] Werner Koch (wheatstone commit signing)

+1 for choosing Ed25519! (I did the same because I didn't want commits to be 
huge).

As most keyservers still don't support Ed25519 keys, I guess it's worth 
pointing out that you can get the key with --keyserver keyserver.mattrude.com.

Btw, does this mean that basically Ed25519 keys are stable enough now and won't 
change anymore?

--
Jonathan


Re: Help need to use truecryt + openpgp applet.

2015-02-19 Thread Thomas Harning Jr.
On Thu Feb 19 2015 at 12:23:34 PM Matthias-Christian Ott 
wrote:

> On 2015-02-19 09:23, Ranjini H.K wrote:
> > Yes my java card supports PKCS#11. Am not so sure about OpenPGP applet.
> > What should I do otherwise to make my OpenPGP applet support PKCS#11?
>
> Your Java Card does probably not support PKCS #11. An applet on the card
> might implement it. To make it work, you need a PKCS #11 middleware and
> tell TrueCrypt about it (Settings > Security Tokens... > PKCS #11
> Library Path). If you are using an applet that is supported by OpenSC,
> you can use OpenSC. Otherwise you have to resort to the proprietary
> middleware supplied by the vendor. OpenPGP cards should be supported by
> OpenSC and should be usable with TrueCrypt [1]. There is also a
> proprietary PKCS #11 library that should provide a PKCS #11 interface
> for OpenPGP cards [2]. Otherwise you can try Scute [3].
>
> That said, it is probably better to ask on the OpenSC mailing list [4]
> about PKCS #11.
>
> The Java Card OpenPGP applet seems to be maintained by Yubico at the
> moment [5].
>
> Regards,
> Matthias-Christian
>
> [1] https://github.com/OpenSC/OpenSC/issues/125
> [2] http://smartcard-auth.de/download-de.html
> [3] http://www.scute.org/
> [4] http://sourceforge.net/p/opensc/mailman/
> [5] https://github.com/Yubico/ykneo-openpgp
>
The main issue is that TrueCrypt does not generate a key on-card, but
instead it stores pin-protected data which it reads out when it needs to
unlock the disk.

OpenPGP cards, if I recall right, have no capability to store arbitrary
data.

Perhaps you can file a feature-request against VeraCrypt (the "current"
TrueCrypt project) to implement a mechanism where the master key (or subkey
of sorts) is encrypted with a key stored on-card.


Re: Help need to use truecryt + openpgp applet.

2015-02-19 Thread Matthias-Christian Ott
On 2015-02-19 19:50, Thomas Harning Jr. wrote:
> On Thu Feb 19 2015 at 12:23:34 PM Matthias-Christian Ott 
> wrote:
> 
>> On 2015-02-19 09:23, Ranjini H.K wrote:
>>> Yes my java card supports PKCS#11. Am not so sure about OpenPGP applet.
>>> What should I do otherwise to make my OpenPGP applet support PKCS#11?
>>
>> Your Java Card does probably not support PKCS #11. An applet on the card
>> might implement it. To make it work, you need a PKCS #11 middleware and
>> tell TrueCrypt about it (Settings > Security Tokens... > PKCS #11
>> Library Path). If you are using an applet that is supported by OpenSC,
>> you can use OpenSC. Otherwise you have to resort to the proprietary
>> middleware supplied by the vendor. OpenPGP cards should be supported by
>> OpenSC and should be usable with TrueCrypt [1]. There is also a
>> proprietary PKCS #11 library that should provide a PKCS #11 interface
>> for OpenPGP cards [2]. Otherwise you can try Scute [3].
>>
>> That said, it is probably better to ask on the OpenSC mailing list [4]
>> about PKCS #11.
>>
>> The Java Card OpenPGP applet seems to be maintained by Yubico at the
>> moment [5].
>>
>> Regards,
>> Matthias-Christian
>>
>> [1] https://github.com/OpenSC/OpenSC/issues/125
>> [2] http://smartcard-auth.de/download-de.html
>> [3] http://www.scute.org/
>> [4] http://sourceforge.net/p/opensc/mailman/
>> [5] https://github.com/Yubico/ykneo-openpgp
>>
> The main issue is that TrueCrypt does not generate a key on-card, but
> instead it stores pin-protected data which it reads out when it needs to
> unlock the disk.
> 
> OpenPGP cards, if I recall right, have no capability to store arbitrary
> data.

You could store it in the private use data objects (0103, 0104). I looked
at both TrueCrypt's and OpenSC's source code. TrueCrypt uses PKCS #11 to
find all private objects with a matching label. OpenSC's PKCS #11
implementation in turn uses its PKCS #15 implementation to store
objects. OpenSC's PKCS #15 driver for OpenPGP cards in turn does not
handle data objects even if the card could store them. It doesn't look
too difficult to implement this feature. Perhaps somebody will do it for
you if you ask on the OpenSC mailing list.

Scute supports certificates only as well.

> Perhaps you can file a feature-request against VeraCrypt (the "current"
> TrueCrypt project) to implement a mechanism where the master key (or subkey
> of sorts) is encrypted with a key stored on-card.

I think this is impossible. TrueCrypt derives keys from the password and
then decrypts the header of the volume. There is no space to store
encrypted key material.

Regards,
Matthias-Christian



Re: Help need to use truecryt + openpgp applet.

2015-02-19 Thread Matthias-Christian Ott
On 2015-02-19 20:00, Werner Koch wrote:
> On Thu, 19 Feb 2015 18:22, o...@mirix.org said:
> 
>> Your Java Card does probably not support PKCS #11. An applet on the card
>> might implement it. To make it work, you need a PKCS #11 middleware and
> 
> PKCS#11 is an API between two applications.  It is not directly related
> to smartcards.  However, it is very common that the smart card driver
> software (on the host) provides a PKCS#11 interface towards
> applications.  (Scute can be considered a smartcard card driver
> software.)
>
> PKCS#15 is a standard which some cards implement and what OpenSC is
> mostly about.  PKCS#15 is for cards what FHS (Filesystem Hierarchy
> Standard) is for Linux.

I'm well aware of this. That's why I wrote "middleware" instead of
"driver". SoftHSM is a good example of a PKCS #11 middleware that is not
a smartcard.

Regards,
Matthias-Christian




Re: gpg-agent does not authenticate ssh connections

2015-02-19 Thread Rainer Keller
> Gpg-agent uses the smartcard key which is identified by the $AUTHKEYID
> attribute:
> 
>   $ gpg-connect-agent 'scd getattr $AUTHKEYID' /bye
>   S $AUTHKEYID OPENPGP.3
>   OK
I get the same output for my card.

> Thus only the keys listed in ~/.gnupg/sshcontrol will be used.
The keygrip from the card is listed in sshcontrol.

> of course you need to make sure that the key is capable of signing.
I created the key with authentication flag set. It has no other flags set.

Just a general note, I did not do anything special. I just used "keytocard" to
move the key over. But unfortunately it does not work out of the box
afterwards.

gpg --card-status
Application ID ...:
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....:
Name of cardholder: Rainer Keller
Language prefs ...: de
Sex ..............: male
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 4096R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: XXX
      created ....: XXX
General key info..: pub  4096R/A7 2014 Rainer Keller 
sec#  4096R/D8  created: 2005  expires: never 
ssb   2048R/4C  created: 2008  expires: 2010
ssb   2048R/CC  created: 2008  expires: 2010
ssb   2048R/26  created: 2010  expires: 2012
ssb   2048R/B0  created: 2010  expires: 2012
ssb   2048R/A5  created: 2012  expires: 2014
ssb   2048R/09  created: 2012  expires: 2014
ssb   4096R/A9  created: 2014  expires: 2016 usage: S
ssb   4096R/6F  created: 2014  expires: 2016 usage: E
ssb>  4096R/A7  created: 2014  expires: 2016 usage: A
  card-no: XXX

Regards
Rainer
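
Added example (not part of any post in this thread, and not GnuPG's own code): a shell function that reports how an sshcontrol file treats a given keygrip, following the entry format in the gpg-agent documentation (keygrip as 40 hex digits, a leading "!" disabling the entry, "#" starting a comment). The file contents and keygrips are constructed, and the function names and the choice to report the first matching entry are assumptions of this example.

```shell
#!/bin/sh
# Added example: how does an sshcontrol file treat a given keygrip?

# make_sample: write a constructed sshcontrol file and print its path.
make_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample entries, not real keys
0123456789ABCDEF0123456789ABCDEF01234567 0
  !89abcdef0123456789abcdef0123456789abcdef 600 confirm
not-a-keygrip
EOF
    printf '%s\n' "$f"
}

# sshcontrol_status FILE KEYGRIP: print "enabled", "disabled" or "absent".
sshcontrol_status() {
    awk -v want="$(printf '%s' "$2" | tr 'a-f' 'A-F')" '
        /^[ \t]*(#|$)/ { next }          # comments and blank lines
        {
            grip = toupper($1)           # $1 has leading whitespace removed
            off = 0
            if (substr(grip, 1, 1) == "!") { off = 1; grip = substr(grip, 2) }
            # Ignore anything that is not exactly 40 hex digits.
            if (length(grip) != 40 || grip ~ /[^0-9A-F]/) next
            # First matching entry decides (assumption of this example).
            if (grip == want && state == "") state = off ? "disabled" : "enabled"
        }
        END { print (state == "" ? "absent" : state) }
    ' "$1"
}

# Demo on the constructed file; on a real system FILE is ~/.gnupg/sshcontrol.
sample=$(make_sample)
sshcontrol_status "$sample" 0123456789abcdef0123456789abcdef01234567
sshcontrol_status "$sample" 89ABCDEF0123456789ABCDEF0123456789ABCDEF
rm -f "$sample"
```

An "absent" result for a card key is not by itself an error, since a later reply in this thread notes that the smartcard key does not need to be added to sshcontrol manually.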



Re: GnuPG 2.0.27 "stable" released

2015-02-19 Thread Richard Stallman
[[[ To any NSA and FBI agents reading my email: please consider]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

Congratulations on the new release.

-- 
Dr Richard Stallman
President, Free Software Foundation
51 Franklin St
Boston MA 02110
USA
www.fsf.org  www.gnu.org
Skype: No way! See stallman.org/skype.html.




Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-19 Thread Ville Määttä
On 19.02.15 21:18, Ville Määttä wrote:
> Surely someone from the KDE / larger community
> using pinentry-qt4 has been working on a QT 5 version of pinentry?

Ok, found it :). Issue #1806 [1].

[1]: https://bugs.g10code.com/gnupg/issue1806

-- 
Ville





Re: gpg-agent does not authenticate ssh connections

2015-02-19 Thread NIIBE Yutaka
On 02/09/2015 02:41 AM, Rainer Keller wrote:
> In .gnupg/sshcontrol I have added the correct keygrip and "ssh-add -l" shows 
> the right key:
> 
>> 4096 XX:XX:XX cardno: (RSA)

Well, you don't need to add this manually, for your smartcard.

>> gpg-agent smartcard signing failed: Bad PIN
> 
> It sounds like the PIN entered was wrong, but I am sure it is correct.
> The PIN retry counters are still at 3.

One possibility is that it's gpg-agent which says "Bad PIN".  The
gpg-agent does its own check for PIN length.  OpenPGP card
specification requires minimum length of user's PIN to be 6.
gpg-agent checks if it's at least 6.  If not, it returns "Bad PIN"
error.

It is not possible for OpenPGP card to have user's PIN with length of
less than 6.  Your user's PIN would be the factory default still.
-- 



Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-19 Thread Robert J. Hansen
> [1] https://en.wikipedia.org/wiki/Hanlon%27s_razor ; apparently
> after Robert J. Hanlon, not Hansen ;P

There are at least four guys in the security world named Robert Hansen;
to make matters worse, some of us have spoken at the same conferences.
My middle initial is only to distinguish me from the others; my friends
just call me Rob.  :)



Re: Help need to use truecryt + openpgp applet.

2015-02-19 Thread Ranjini H.K
Yes, I used Scute. No success with it. I'd better ask the OpenSC mailing list
for help, asking for support for handling data objects even if the card
could store them.

Ranjini HK

Software Engineer - Tyfone, Inc.

Bangalore
www.tyfone.com

Mobile: +91-9886262192

On Fri, Feb 20, 2015 at 1:50 AM, Matthias-Christian Ott 
wrote:

> On 2015-02-19 20:00, Werner Koch wrote:
> > On Thu, 19 Feb 2015 18:22, o...@mirix.org said:
> >
> >> Your Java Card does probably not support PKCS #11. An applet on the card
> >> might implement it. To make it work, you need a PKCS #11 middleware and
> >
> > PKCS#11 is an API between two applications.  It is not directly related
> > to smartcards.  However, it is very common that the smart card driver
> > software (on the host) provides an PKCS#11 interface towards
> > applications.  (Scute can be considered a smartcard card driver
> > software.)
> >
> > PKCS#15 is a standard which some cards implement and what OpenSC is
> > mostly about.  PKCS#15 is for cards what FHS (Filesystem Hierarchy
> > Standard) is for Linux.
>
> I'm well aware of this. That's why I wrote "middleware" instead of
> "driver". SoftHSM is a good example of a PKCS #11 middleware that is not
> a smartcard.
>
> Regards,
> Matthias-Christian


Re: Help need to use truecryt + openpgp applet.

2015-02-19 Thread Doug Barton

On 2/19/15 12:16 AM, Pete Stephenson wrote:

> Considering the way it was abandoned by its developers, TrueCrypt is
> probably not the best choice going forward.

We don't know the whole story about what happened there, so I would be 
hesitant to attribute malice. For some of us who need to have the same 
data accessible on multiple platforms there is not a better option.


Doug




Re: Help need to use truecryt + openpgp applet.

2015-02-19 Thread Antony Prince
On February 20, 2015 1:00:52 AM EST, Doug Barton  wrote:
>On 2/19/15 12:16 AM, Pete Stephenson wrote:
>
>> Considering the way it was abandoned by its developers, TrueCrypt is
>> probably not the best choice going forward.
>
>We don't know the whole story about what happened there, so I would be
>hesitant to attribute malice. For some of us who need to have the same
>data accessible on multiple platforms there is not a better option.
>
>Doug

I wasn't aware TrueCrypt had been abandoned. I also haven't visited their site 
for some time. That's a shame though. It's a useful piece of software. I hope 
someone continues in their footsteps.
-- 

Antony Prince

Key ID: 0x4F040744
Fingerprint: FE96 5B7F A708 18D3 B74B 959F A6E1 6242 4F04 0744
URL: 
https://hkps.pool.sks-keyservers.net/pks/lookup?op=get&search=0xA6E162424F040744

