Re: Multiple Smartcards - Signing
On 05/01/2015 08:36 PM, Daniel Kahn Gillmor wrote:
> On Thu 2015-04-30 17:49:28 -0400, Matthew Monaco wrote:
>> Why isn't gpg smarter about selecting only from the /available/ keys
>> at the time of signing? BTW, I'm using 2.1.3
>
> I think this is the crux of your issue. It sounds like a bug to me.
>
> I've opened a bug report about it:
>
> https://bugs.gnupg.org/gnupg/issue1967
>
> hth,
>
> --dkg

Ah, thanks! I ended up moving forward with separate signing keys on each smartcard, filtering gpg.conf from rsync, and adding -u !.

Conversely, I am using the same auth key on both smartcards. For me, managing multiple SSH keys is more trouble than it's worth. Most notably, OpenStack will only seed one key to a new instance and I don't want to deal with having to keep track of which smartcard I'm using.

So this would be related, but maybe I'll file a second bug report to request that the shadow copy of a key is automatically updated if it's seen on a new smartcard. This doesn't appear to be the case; however, I may have broken it by getting fancy: I moved my .key files to -CAPS-8charkeyid-comment (e.g. rsa2048-E-DDEC74FE-revoked) and then symlinked .key. This is because sometimes I lose track of fingerprint <-> keygrip. It would be nice if --list-packets .key or some such listed info about the key...

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
--with-sig-check silently ignored when used with --import and --recv-keys
Howdy all,

I've been playing around with key signatures and ran across an interesting situation. For some reason, --with-sig-check is silently ignored when used with --import and --recv-keys. Is this something I should file a bug on?

==Summary==

I have set up a public key for Alice that has one valid signature from Bob and one invalid signature from Mallory.

http://p80.pool.sks-keyservers.net/pks/lookup?op=vindex&search=0xA5452207

When you import Alice's public key via gpg --import or --recv-keys, GnuPG does not verify the signatures on Alice's public key, even if I have Bob and/or Mallory's public keys already in my keyring.

==Steps To Reproduce==

1. Request Bob and Mallory's public keys from the keyserver.

> $ gpg2 --recv-keys --with-sig-check 65B57FDF B8062D4C
> gpg: requesting key 65B57FDF from hkp server keys.gnupg.net
> gpg: requesting key B8062D4C from hkp server keys.gnupg.net
> gpg: key 65B57FDF: public key "Bob User (Good Signature)" imported
> gpg: key B8062D4C: public key "Mallory User (Bad Signature)" imported
> gpg: Total number processed: 2
> gpg: imported: 2 (RSA: 2)

2. Request Alice's public keys from the keyserver.

> $ gpg2 --recv-keys --with-sig-check A5452207
> gpg: requesting key A5452207 from hkp server keys.gnupg.net
> gpg: key A5452207: public key "Alice User (Signature Test)" imported
> gpg: no ultimately trusted keys found
> gpg: Total number processed: 1
> gpg: imported: 1 (RSA: 1)

3. Checking signatures shows that Mallory's signature is bad.

> $ gpg2 --check-sigs
> /home/user/testring/pubring.gpg
> --
> pub   2048R/65B57FDF 2015-04-01
> uid                  Bob User (Good Signature)
> sig!3        65B57FDF 2015-04-01  Bob User (Good Signature)
> sub   2048R/83518D34 2015-04-01
> sig!         65B57FDF 2015-04-01  Bob User (Good Signature)
>
> pub   2048R/B8062D4C 2015-04-01
> uid                  Mallory User (Bad Signature)
> sig!3        B8062D4C 2015-04-01  Mallory User (Bad Signature)
> sub   2048R/FDE6C57B 2015-04-01
> sig!         B8062D4C 2015-04-01  Mallory User (Bad Signature)
>
> pub   2048R/A5452207 2015-04-01
> uid                  Alice User (Signature Test)
> sig!3        A5452207 2015-04-01  Alice User (Signature Test)
> sig!         65B57FDF 2015-04-01  Bob User (Good Signature)
> sig-         B8062D4C 2015-04-01  Mallory User (Bad Signature)
> sub   2048R/0BE64ECE 2015-04-01
> sig!         A5452207 2015-04-01  Alice User (Signature Test)
>
> 1 bad signature

==What Should Happen==

When importing public keys, --with-sig-check should not get silently ignored when added to --import or --recv-keys. Alternatively, the --with-sig-check flag should throw an error if included with --import or --recv-keys, since silently ignoring it might make a user assume that all signatures were valid.

Thanks!
Daniel Roesler
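Because --with-sig-check is not honoured during --import or --recv-keys, the practical mitigation is to run `gpg2 --check-sigs` right after importing and treat any certification that is not marked good as a finding. The following is an added example, not code from the report or from GnuPG: it parses the human-readable `--check-sigs` layout quoted above into per-key findings. The sample output is constructed from the report (e-mail addresses omitted), and the `0123ABCD` signer is an invented key ID used to show the "signer key not present" case.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the human-readable layout of `gpg2 --check-sigs`, modelled
# on the report above (e-mail addresses omitted; the "sig?" line with the invented
# key 0123ABCD is added here to show a certification whose signer is not in the keyring).
SAMPLE_CHECK_SIGS = """\
pub   2048R/65B57FDF 2015-04-01
uid                  Bob User (Good Signature)
sig!3        65B57FDF 2015-04-01  Bob User (Good Signature)

pub   2048R/A5452207 2015-04-01
uid                  Alice User (Signature Test)
sig!3        A5452207 2015-04-01  Alice User (Signature Test)
sig!         65B57FDF 2015-04-01  Bob User (Good Signature)
sig-         B8062D4C 2015-04-01  Mallory User (Bad Signature)
sig?         0123ABCD 2015-04-01  [User ID not found]
sub   2048R/0BE64ECE 2015-04-01
sig!         A5452207 2015-04-01  Alice User (Signature Test)
"""

PUB_RE = re.compile(r"^pub\s+\S+/([0-9A-F]{8,40})\b")
# sig/rev, status flag (! good, - bad, ? signer key missing, % error), an optional
# certification-level digit, then the signer's key ID and the signature date.
SIG_RE = re.compile(r"^(sig|rev)([!\-?%])\s*(?:\d(?=\s))?\s*([0-9A-F]{8,40})\s+\d{4}-\d{2}-\d{2}")
STATUS = {"!": "good", "-": "bad", "?": "no-key", "%": "error"}

def parse_check_sigs(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (key, signer, kind, status) per sig/rev line, attributed to the preceding pub."""
    records, current = [], None
    for line in text.splitlines():
        pub = PUB_RE.match(line)
        if pub:
            current = pub.group(1)   # signatures under a later `sub` line still belong to this key
            continue
        sig = SIG_RE.match(line)
        if sig and current:
            kind, flag, signer = sig.groups()
            records.append((current, signer, kind, STATUS[flag]))
    return records

def keys_needing_attention(text: str) -> Dict[str, List[str]]:
    """Map each key to the certifications on it that did not verify as good."""
    flagged: Dict[str, List[str]] = {}
    for key, signer, kind, status in parse_check_sigs(text):
        if status != "good":
            flagged.setdefault(key, []).append(f"{kind} by {signer}: {status}")
    return flagged
```

For scripting against a real keyring, prefer `gpg2 --check-sigs --with-colons`, whose `sig` records carry the same validity flags in a fixed field instead of the column layout parsed here.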
Re: Is Open PGP or GnuPG or GPG possible on a Mac?
Wow, thank you for your search engine skills and all this great information! I will put it to use on getting GPG/GnuPG stuff running on my Mac.

I'm trying to start a code, cipher, invisible ink/steganography club for kids; adults can be in it too, but kids like the mystical powers of a secret cipher "code" that's not too hard to write to a friend with. I found that siblings and cousins do this more often than not. I think kids grow out of it maybe, and there were periods where it waned for years, but I always came back to them for fun.

A psych thought I had Obsessive Compulsive Disorder (OCD), but in the 2000's I found it was Asperger's, but I don't mind being an Aspie. My sister has it too. Lots of nephews with it too. If I could find an Aspie club maybe I could recruit there, lol. :-))

Elwin

On Friday, May 1, 2015, Martin Behrendt wrote:
> It should be possible but it might require high technical skills in
> the operation of a search engine of your choice.
>
> Let's try your topic:
>
> https://startpage.com/do/search?q=Is+Open+PGP+or+GnuPG+or+GPG+possible+on+a+Mac
>
> Looks like some usable answers turn up. But let's try something shorter
> and more specific:
>
> https://startpage.com/do/search?q=gnupg+on+mac
>
> Looks also good. Maybe we can see if people asked about this on the
> mailing list before? Let's try:
>
> https://www.google.de/search?&q=gnupg%20on%20mac%20site%3Agnupg.org&ie=iso-8859-1&q=mac+installer++site:lists.gnupg.org%2Fpipermail%2Fgnupg-users%2F2014
>
> Looks also interesting for 2014. Maybe there will also be some results
> for 2015? Hope that gets you somewhere.
>
> Greetings
> Martin
Re: Is Open PGP or GnuPG or GPG possible on a Mac?
Your information is most valuable. I went over the EFF link and I'm a proud member of EFF. Why didn't I think to look there! Thank you, Thank you, Thank you for this link.

I went to an EFF meeting in SF and some guy said he had a special database manipulation program and dazzled me with terms that were way above my pay grade, or a bunch of dazzling bull. He acted so smart and superior, then walked out. I don't trust people like that. I tried to follow him to ask more questions but he disappeared.

I had a systems manager from Google that told me PGP used weakened math to let someone with superior computing power like the NSA break it, but offered no proof. Snowden said certain encryption can be broken in real time, but Snowden uses the over 4000 (4096?) keys all the time. I found some of his keys at the MIT key server.

I used to use PGP in the 90's (2 or 3 point something's for my Mac IIsi, but platforms changed). I wrote a former Scientology leader from Sweden once with it. We traded some interesting information about the ownership that was behind the scenes.

I got into politics, met some top politicians and was forced out because I was honest. As they say, the scum rises to the top of the pond. The higher you go the dirtier it gets. Want to meet big criminals? Get into politics and you'll meet a few. I found some honest people mixed in there too, but their success at the top was short lived.

Elwin

On Friday, May 1, 2015, Samir Nassar wrote:
> On Thursday 30 April 2015 23:47:42 Mercury Rising wrote:
> > I will take the answer on the list and at mercuryrisin...@gmail.com. I
> > upgraded to Mavericks on the Mac. I am looking for a whole package of open
> > source PGP-like programs that will let me encrypt to other keys and manage
> > other keys and my own. It is for private correspondence. I was sending
> > messages from my iPhone to the list but don't see them posted. Perhaps
> > directly from my Mac will help this time.
>
> Yes, it is possible to use OpenPGP with GnuPG on OS X:
>
> https://ssd.eff.org/en/module/how-use-pgp-mac-os-x
>
> The best (most stable, best supported, easiest overall) results tend to
> involve:
>
> GPG Suite: https://gpgtools.org/
> Mozilla Thunderbird: https://www.mozilla.org/en-US/thunderbird/
> Enigmail: https://www.enigmail.net/home/index.php
>
> Keep in mind that the parties you want to communicate with also have to
> understand how to handle OpenPGP.
>
> If it matters to you to be more secure in communication, I would strongly
> suggest making sure your computer is using full disk encryption. In the
> case of OS X on a Mac, this means enabling FileVault.
>
> Samir