Re: [Announce] GnuPG 2.1.10 released

2015-12-07 Thread Neal H. Walfield
On Mon, 07 Dec 2015 01:05:51 +0100,
MFPA wrote:
> >  * gpg: New trust models "tofu" and "tofu+pgp".
> 
> >  * gpg: New command --tofu-policy.  New options
> >  --tofu-default-policy   and --tofu-db-format.
> 
> Should these be available in the Windows version? I get:-
> 
> gpg: unknown trust model 'tofu+pgp'
> gpg: unknown TOFU policy 'ask'

TOFU depends on libsqlite, which you are probably missing.  If GnuPG
doesn't find it, then it disables TOFU.  Can you check whether this is
the case?

Thanks!

:) Neal


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: [Announce] GnuPG 2.1.10 released

2015-12-07 Thread Werner Koch
On Mon,  7 Dec 2015 01:05, 2014-667rhzu3dc-lists-gro...@riseup.net said:

> Should these be available in the Windows version? I get:-
>
> gpg: unknown trust model 'tofu+pgp'
> gpg: unknown TOFU policy 'ask'

Have a look into the announcement:

  The source used to build the Windows installer can be found in the same
  directory with a ".tar.xz" suffix.  This Windows installer is missing
  translations, it has no TOFU support and no HKPS support.  However, it
   ^^^
  fully supports Tor and the Tor browser.
  
The reason for the missing Tofu support is that we need to package
Sqlite in a way to make it easy to cross-compile for Windows.  It is
just a bit of work but other things have higher priority for now than
Windows.

HKPS support is missing because our NTBTLS library is not yet ready.  We
want to use that small footprint library to avoid the huge overhead of
installing GNUTLS with all its dependencies on Windows which duplicates
most of our crypto code since GNUTLS switched to another crypto library.
However, installing Tor and using an .onion keyserver is anyway a better
option for OpenPGP keys.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: GPA - unsupported certificate

2015-12-07 Thread Peter Lebbing
On 07/12/15 01:24, da...@gbenet.com wrote:
> Every Linux distro has gnupg installed - so at a terminal just type gpg -
> this will create ALL the folders and files needed (.gnupg) it's pointless
> installing GPA without running gpg first - I think it's pretty silly.

Eh? I don't find it silly at all. Why would someone, unprompted, fire up a
terminal to initialise the GUI program they installed because they'd rather
use a GUI program than a terminal program? That's like saying you should fire
up Vim before you can use XFCE's Mousepad editor. Well, not really, but it's
still silly to suggest that it is silly to expect a GUI program to do what it
is supposed to do: pretty much replace the command line alternative. Wow, long
complicated sentence. Better end with sentence fragments to compensate.

Anyway, a quick glance at the open bugs for GPA in Jessie[1] shows that it is a
problem for people, but developers have difficulty reproducing it. In fact,
those bugs are still open in Sid.

That is, apart from the well-known issue: GNOME Keyring hijacks the agent
connection, which causes all sorts of problems. Up until recently, they were
unwilling to stop breaking GnuPG this way; but recently, they've finally
agreed to provide their functionality in a different way that actually agrees
with the GnuPG architecture.

GPA will get very confused when GNOME Keyring hijacks the agent connection.
For me, Debian Jessie x86_64 with XFCE, I'm pretty sure I fixed it with
"Settings -> Session and Startup", "Application Autostart", uncheck the box
next to "GPG Password Agent (GNOME Keyring: GPG Agent)". But a search on the
web for disabling GNOME Keyring's GPG Agent should provide more information.

HTH,

Peter.

[1] https://bugs.debian.org/cgi-bin/pkgreport.cgi?package=gpa;dist=stable

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: GPA - unsupported certificate

2015-12-07 Thread Daniel Kahn Gillmor
On Mon 2015-12-07 01:24:55 +0100, "da...@gbenet.com"  wrote:
> The first thing to say is - when installing any Linux distro you need
> to ensure that the distro has installed every software update every
> security fix first. This is important when installing GPA Kleopatra
> and KGPG.
>
> Every Linux distro has gnupg installed - so at a terminal just type
> gpg - this will create ALL the folders and files needed (.gnupg) it's
> pointless installing GPA without running gpg first - I think it's
> pretty silly.

hm, i'd say that if gpa knows that gpg needs to be run first, and it
hasn't been run, it should run it on the user's behalf instead of
expecting that they know this bit of esoterica.

Dark Penguin, if you're experiencing problems with GPA integration with
the rest of the OS, I encourage you to report a bug to debian.

On a debian system, you might use the "reportbug" utility to do this.

> Then you may wish to install gpgv2 via the package manager. Only then
> install GPA Kleopatra or KGPG. And only after installing all the
> updates and security fixes.

If these packages must be installed in a certain order, the package
manager should know about that order.  if it does not, this is a bug in
the stated dependencies of the packages in question.

For example, if gpa won't work without the gnupg2 package installed,
but it doesn't state that it explicitly depends on gnupg2, that would be
a bug in gpa.

Regards,

--dkg



Re: Cannot revoke a certificate

2015-12-07 Thread Daniel Kahn Gillmor
On Wed 2015-12-02 18:18:46 -0500, David wrote:
> I am trying to revoke a very old certificate that may be compromised.  I
> generated a revocation certificate using the following gpg command with
> no errors.  I did get a warning about MD5 being deprecated.
>
> C:\Users\David> gpg --output kill7827.asc --gen-revoke 80942C8D
>  
> However, I cannot use it.  Here is the output:
>
> C:\Users\David> gpg --import .\kill7827.asc
> gpg: Note: signatures using the MD5 algorithm are rejected
> gpg: key 80942C8D: invalid revocation certificate: Invalid digest
> algorithm - rejected
> gpg: error reading `.\\kill7827.asc': Invalid digest algorithm
> gpg: import from `.\\kill7827.asc' failed: Invalid digest algorithm
> gpg: Total number processed: 0
> C:\Users\David>

You should try adding "--cert-digest-algo sha1" arguments before the
--gen-revoke command to make a SHA1-based certificate revocation.

 --dkg
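
One way to confirm which digest a generated revocation certificate actually uses before importing it, as an added example that is not part of the original post: it parses `gpg --list-packets` output and flags MD5, the algorithm the import above rejects. The sample packet text and its key ID are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the digest algorithm of every key-revocation
# signature (sigclass 0x20) in `gpg --list-packets` output read on stdin.

digest_name() {   # OpenPGP hash algorithm IDs from RFC 4880, section 9.4
    case "$1" in
        1) echo MD5 ;;
        2) echo SHA1 ;;
        3) echo RIPEMD160 ;;
        8) echo SHA256 ;;
        9) echo SHA384 ;;
        10) echo SHA512 ;;
        11) echo SHA224 ;;
        *) echo "unknown($1)" ;;
    esac
}

revocation_digests() {   # prints "<keyid> <digest> <rejected|not-md5>"
    awk '
        /^:/                  { sigclass = ""; keyid = "" }  # new packet
        /^:signature packet:/ { keyid = $NF }
        /sigclass/            { sigclass = $NF }
        /digest algo/ && sigclass == "0x20" {
            algo = $3; sub(/,$/, "", algo); print keyid, algo
        }
    ' | while read -r keyid algo; do
        name=$(digest_name "$algo")
        # Only MD5 is judged here, mirroring the gpg note quoted above.
        if [ "$name" = MD5 ]; then verdict=rejected; else verdict=not-md5; fi
        echo "$keyid $name $verdict"
    done
}

sample_packets() {   # constructed input; $1 = digest algorithm ID
    cat <<EOF
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1449098326, md5len 0, sigclass 0x20
    digest algo $1, begin of digest 3f a2
    data: [1024 bits]
EOF
}

# On a real file: gpg --list-packets kill7827.asc | revocation_digests
sample_packets 1 | revocation_digests   # 0123456789ABCDEF MD5 rejected
sample_packets 2 | revocation_digests   # 0123456789ABCDEF SHA1 not-md5
```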



Re: [Announce] GnuPG 2.1.10 released

2015-12-07 Thread MFPA

Hi


On Monday 7 December 2015 at 10:06:49 AM, in
, Werner Koch wrote:



> Have a look into the announcement:

>   The source used to build the Windows installer can be
>   found in the same directory with a ".tar.xz" suffix.
>   This Windows installer is missing translations, it
>   has no TOFU support and no HKPS support.  However, it
>   ^^^ fully supports
>   Tor and the Tor browser.


Oops! I missed that bit. Sorry.



> The reason for the missing Tofu support is that we need
> to package Sqlite in a way to make it easy to
> cross-compile for Windows.  It is just a bit of work
> but other things have higher priority for now than
> Windows.

Thanks for the explanation.

-- 
Best regards

MFPA  

Colourless green ideas sleep furiously (Noam Chomsky)


Error message "gpg: Can't check signature: Broken public key"

2015-12-07 Thread MFPA



What does the error message "gpg: Can't check signature: Broken public
key" mean?

One of the members of PGPNET reports getting that error
message when verifying the signatures on my signed and encrypted
messages to the group. He gets it for the signatures from my EDDSA subkey
0x1712BC461AF778E4, and says he uses GnuPG 2.1.8.


The only references I can find (eg [0]) say:-

  592 GPG_ERR_BROKEN_PUBKEY Broken public key
  593
  594 The public key was mathematically not correctly generated.



[0]



-- 
Best regards

MFPA  

Why is the universe here? Well, where else would it be?