Re: how to disable pinentry

2015-02-25 Thread Damien Goutte-Gattat

On 02/25/2015 02:01 AM, Smith, Cathy wrote:
> Can someone tell me how to disable pinentry?  I'd like to be able to run gpg
> --edit-key, or to open a password encrypted file without a GUI.

You could use a console-only pinentry, such as pinentry-curses or
pinentry-tty. Add the following line in your ~/.gnupg/gpg-agent.conf:

  pinentry-program /usr/bin/pinentry-tty

> I have gpg 2.0.14 on CentOS 6.6 and RHEL6U6.
>
> I've tried to disable pinentry, without success, with the following
>   1. comment out use-agent in ~/.gnupg/gpg.conf

You cannot avoid using GnuPG Agent with gpg 2. As stated in the man
page, gpg 2 always requires the agent, and the use-agent option has no
effect.



Damien



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: GNU-divert-to-card S2K format

2015-02-25 Thread Peter Lebbing
Oops, I realised I made a mistake.

On 24/02/15 19:49, Peter Lebbing wrote:
>>  - [Optional] If string-to-key usage octet was 255 or 254, a
>>string-to-key specifier.  The length of the string-to-key
>>specifier is implied by its type, as described above.
> 
> specifier 110
> hash algo 0
> 3 bytes prefix GNU
> (together 5 bytes)

As is apparent from the part of doc/DETAILS Werner quoted from, this is missing
something. It should be:

S2K specifier 110
hash algo 0
3 bytes prefix GNU
GNU protection mode specifier 2 (for mode 1002)
Serial number length 16
(together 7 bytes)

If the specified serial number length (16 for OpenPGP cards) is greater than 16,
only 16 bytes of serial number are read regardless.

Obviously, I could have made more mistakes.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: Unattended signing

2015-02-25 Thread Peter Lebbing
On 25/02/15 06:49, NdK wrote:
> Use a smartcard and generate on-card a new key that replaces the expired
> one.

While I agree this could be a neat setup for OP, it might be overkill or even
impractical given the signing speed of a smartcard. I don't know what volume of
signatures will be issued.

Anyway, I said "destroy backups". I would arrange for backups not to include the
signing key in the first place. If the system needs to be restored from backup
(which would be very seldom), just issue a new signing key.

Still, you might have forgotten to exclude it on a one-off backup you made at
one time or another.

And the point was that it is not /needed/ to destroy the key, so I'll stop
focussing on destroying the key... heh... :S

HTH,

Peter.



Re: Can't Encrypt in Freebsd 10.1

2015-02-25 Thread Antoine Michard
Hi,

Still not working :(
Got no idea why...

#gpg -r 6349E5E0 -e test.txt
Abort

I've deleted my ~/.gnupg directory and generated another key

# gpg --list-keys
/root/.gnupg/pubring.gpg

pub   4096R/F2E7CBA5 2015-02-25 [expires: 2015-04-26]
uid   [ultimate] FreeBSD 
sub   4096R/BD0398E3 2015-02-25 [expires: 2015-04-26]

And then tried to encrypt a file:
# gpg -r F2E7CBA5 -e test.txt
Abort



2014-12-09 16:50 GMT+01:00 Antoine Michard :

> For the GPG Version
> gpg (GnuPG) 2.0.26
> libgcrypt 1.6.1
> Copyright (C) 2013 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Home: ~/.gnupg
> Supported algorithms:
> Pubkey: RSA, ELG, DSA
> Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
> CAMELLIA128, CAMELLIA192, CAMELLIA256
> Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
> Compression: Uncompressed, ZIP, ZLIB, BZIP2
>
> And the output of pkg info:
> Name   : libgpg-error
> Version: 1.17
> Installed on   : Mon Dec  8 15:32:57 CET 2014
>
> Install is from port up-to-date and I reinstalled later with recompile of all
> dependencies
>
> Thanks for helping me
>
> 2014-12-09 15:32 GMT+01:00 Werner Koch :
>
>> On Mon,  8 Dec 2014 17:34, michard.anto...@gmail.com said:
>>
>> > I've installed it from ports, everything was fine but when I wanna try to
>> > encrypt, it says Abort !
>>
>> Which GnuPG version is that? ("gpg --version").
>> What version of libgpg-error do you use?
>>
>>
>> Shalom-Salam,
>>
>>Werner
>>
>> --
>> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
>>
>>
>
>
> --
> Antoine Michard
>



-- 
Antoine Michard


RE: how to disable pinentry

2015-02-25 Thread Smith, Cathy
Damien

Adding this line didn't work:
pinentry-program /usr/bin/pinentry-tty

The message was invalid option
gpg: /home/foo/.gunpg/gpg.conf:242:  invalid option

The CentOS6 and RHEL6 distributions don't provide a /usr/bin/pinentry-tty.

One of my goals of this is to be able to set a passphrase on a key in batch 
processing.  Perhaps, there is another way to accomplish that?


Thank you

Cathy
---
Cathy L. Smith
IT Engineer

Pacific Northwest National Laboratory
Operated by Battelle for the
U.S. Department of Energy

Phone:  509.375.2687
Fax:    509.375.2330
Email:  cathy.sm...@pnnl.gov



7. RE: how to disable pinentry (Smith, Cathy)

2015-02-25 Thread Rob Fries
Hi Cathy,

We use /usr/libexec/gpg-preset-passphrase to set our passphrase.

  /usr/libexec/gpg-preset-passphrase -cP "$passphrase" $keygrip

You would need to add this to your .gpg-agent.conf:

  allow-preset-passphrase

You will need to get the KEYGRIP. The easiest way I found is:

  gpg2 --fingerprint --fingerprint --list-secret-keys | grep "fingerprint" | cut -d= -f2 | tr -d ' '

Make sure you get the correct one for the correct key (note the above command
shows double the number of keygrips for what you need).

And you may want to adjust your max-cache-ttl in gpg-agent.conf too.  If you want
to forget a passphrase before the ttl is up, you can use gpg-preset-passphrase
to forget it.

Rel6 does provide a pinentry-curses program:

/usr/bin/pinentry-curses


Hope that helps!

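The steps Rob lays out (allow-preset-passphrase in gpg-agent.conf, finding the keygrip, presetting the passphrase with a running agent), collected into shell functions as an added example; this is not code from the thread or from the GnuPG project. It assumes GnuPG 2.1 or later for `gpg --with-colons --with-keygrip` and `gpgconf`, which the 2.0.14 in this thread may not provide, and a constructed key listing stands in for a real keyring.

```shell
#!/bin/sh
# Added example (not from the thread or the GnuPG project): the steps Rob
# outlines, as functions. Assumes GnuPG 2.1 or later, whose
# `gpg --with-colons --with-keygrip` prints a grp: record per key; on the
# 2.0.14 in this thread that option may be unavailable.

# Constructed sample of `gpg --with-colons --with-keygrip --list-secret-keys`.
# sec/ssb: field 5 = key id, field 12 = capabilities; fpr/grp: field 10 = value.
SAMPLE_LISTING='sec:u:4096:1:0123456789ABCDEF:1424822400:1429920000::u:::scESC:::+:::23::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1424822400::DEADBEEF::Batch Signer <batch@example.invalid>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1424822400:1429920000:::::e:::+:::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
grp:::::::::2222222222222222222222222222222222222222:
ssb:u:4096:1:1122334455667788:1424822400:1429920000:::::s:::+:::23:
fpr:::::::::76543210FEDCBA9876543210FEDCBA9876543210:
grp:::::::::3333333333333333333333333333333333333333:'

# keygrips_with_capability CAP   (colon listing on stdin)
# Prints "type keyid keygrip" for each sec/ssb record whose capability field
# contains CAP (s sign, e encrypt, a auth, c certify). One line per key, so
# there is no double count as with the --fingerprint --fingerprint trick.
keygrips_with_capability() {
    awk -F: -v cap="$1" '
        $1 == "sec" || $1 == "ssb" { type = $1; keyid = $5; want = index($12, cap) > 0; next }
        $1 == "grp" && want       { print type, keyid, $10; want = 0 }
    '
}

# ensure_agent_option CONF OPTION
# Appends OPTION to CONF unless an identical line is already present.
# Prints "added" or "present"; after "added" the agent must be reloaded.
ensure_agent_option() {
    conf=$1; opt=$2
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    if grep -qx "$opt" "$conf"; then
        echo present
    else
        printf '%s\n' "$opt" >> "$conf"
        echo added
    fi
}

# preset_passphrase KEYGRIP   (passphrase on stdin)
# Refuses to run when no agent socket exists, which is the error Cathy hit.
# Reading the passphrase from stdin instead of -P keeps it out of `ps` output.
preset_passphrase() {
    grip=$1
    sock=$(gpgconf --list-dirs 2>/dev/null | sed -n 's/^agent-socket://p')
    [ -n "$sock" ] || sock="${GNUPGHOME:-$HOME/.gnupg}/S.gpg-agent"
    if [ ! -S "$sock" ]; then
        echo "no gpg-agent socket at $sock; start gpg-agent first" >&2
        return 1
    fi
    "${GPG_PRESET_PASSPHRASE:-/usr/libexec/gpg-preset-passphrase}" --preset "$grip"
}

# Typical use against a real keyring (not executed here):
#   ensure_agent_option "$HOME/.gnupg/gpg-agent.conf" allow-preset-passphrase
#   gpgconf --reload gpg-agent
#   grip=$(gpg --with-colons --with-keygrip --list-secret-keys \
#          | keygrips_with_capability s | awk '{ print $3 }' | head -n 1)
#   printf '%s\n' "$PASSPHRASE" | preset_passphrase "$grip"
```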


disconnected binding of sub and master keys

2015-02-25 Thread Matthew Monaco
I think we should easily be able to create subkeys on our day-to-day machine,
while maintaining an air-gapped master, without transferring secret material
back and forth. This seems possible [1][2] using gpgsplit and possibly some hand
editing of hex files. By operating an offline master setup, we are agreeing to
more complexity and knowledge about openpgp details, but I think the leap from
basic to offline master is a lot smaller than from offline master to "merging"
subkeys.

So, is there a technical reason why this isn't straightforward? Is it a
"patches welcome =)" type of thing? Or maybe you want to argue that I'm wasting
my time trying to avoid writing secret data to a cd/sdcard/etc to bridge my
airgap.

The workflow that makes sense to me is for addkey to work even when "Secret
parts of primary key are not available" (possibly with --expert flag), resulting
in a file such as -bind-request.asc. On the master, --import
-bind-request.asc should do the trick, but a dedicated command would be
fine too. After this, an --export > .pub should be able to communicate the
binding back to the active machine; however a -bind-ack.asc might be nice
so the ultra-paranoid can inspect as little data as possible.

This is for discussion. I'm not complaining that this hasn't been implemented or
that someone needs to get to work!

[1] http://atom.smasher.org/gpg/gpg-migrate.txt
[2] https://lists.gnupg.org/pipermail/gnupg-users/2010-August/039307.html

-Matt



RE: 7. RE: how to disable pinentry (Smith, Cathy)

2015-02-25 Thread Smith, Cathy
Rob

Thanks.  I got an error when trying to do this.  I created the gpg-agent.conf 
file in my home directory and added the directive:

[cathy@foo ~]$ cat gpg-agent.conf 
allow-preset-passphrase
[cathy@foo ~]$ 


[cathy@foo ~]$ /usr/libexec/gpg-preset-passphrase -cP"cry123" "4611 E023 7B7A 
31FE 1388  0FAC 491E FBE6 302B 7D2D"
gpg-preset-passphrase: can't connect to `/home/cathy/.gnupg/S.gpg-agent': No 
such file or directory
gpg-preset-passphrase: caching passphrase failed: Input/output error



Cathy


RE: 7. RE: how to disable pinentry (Smith, Cathy)

2015-02-25 Thread Rob Fries
Hey Cathy,

You need gpg-agent running with this setup.

Per the error message, it cannot connect to a running gpg-agent to enter the
passphrase.

Your gpg-agent.conf also needs to be with your other gpg configs under .gnupg.

-Rob


RE: 7. RE: how to disable pinentry (Smith, Cathy)

2015-02-25 Thread Smith, Cathy
Rob

I'm not familiar with running gpg-agent.  I've started with the man page. I
don't see a process running.


Cathy


Re: disconnected binding of sub and master keys

2015-02-25 Thread NIIBE Yutaka
On 02/26/2015 03:22 AM, Matthew Monaco wrote:
> I think we should easily be able to create subkeys on our day-to-day machine,

I'd understand your point.  IIUC, you don't want to export "secret"
from an air-gapped machine by any chance.

The practice of having an air-gapped master key is because of the risk of
attacks.  In that practice, it is considered OK to have the subkey on your
day-to-day machine.  But your proposal goes further: creating the subkey
on a day-to-day machine.  It worries me a bit.

There would be some cases (or troubles) where an air-gapped machine
wouldn't have enough entropy (like using a LiveCD or an embedded system).  But
this particular issue should be fixed in that specific environment.
Other than this point, it is highly recommended, in general, to create
a key (master or subkey) in an air-gapped environment (if that's your
practice).


RE: 7. RE: how to disable pinentry (Smith, Cathy)

2015-02-25 Thread Smith, Cathy
Rob 

Apparently gpg-agent doesn't start automatically by default on CentOS6.  I've 
read some different recommendations for how to configure that.  Do you have any 
recommendations?

Thanks


Cathy


Re: how to disable pinentry

2015-02-25 Thread Stephan Beck
Hi, Cathy,

On 25.02.2015 at 17:51, Smith, Cathy wrote:

> One of my goals of this is to be able to set a passphrase on a key in batch
> processing.  Perhaps, there is another way to accomplish that?

I am not sure if that's the solution to your problem, but according to the
*Unattended Key Generation* chapter in the DETAILS doc in
/usr/share/doc/gnupg2/DETAILS, you can use the "passphrase " parameter
as part of the parameter file.

Hope that helps

Stephan




