Re: BAD signatures for GnuPG Stable

2016-01-26 Thread Werner Koch
On Tue, 26 Jan 2016 05:41, aaront...@gmail.com said:

> $ gpg --verify libgpg-error-1.21.tar.bz2.sig libgpg-error-1.21.tar.bz2
> gpg: Signature made Sat 12 Dec 2015 06:03:30 AM CST using RSA key ID
> 4F25E3B6
> gpg: BAD signature from "Werner Koch (dist sig)"

Please check the length of the file to make sure you downloaded it
completely.

The size of libgpg-error-1.21.tar.bz2 is 763186 bytes.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Problems with 4096 keys on 2.1 card

2016-01-26 Thread Werner Koch
On Tue, 26 Jan 2016 02:06, gni...@fsij.org said:

> Looking the device info, both of SCR335 and SCR3500 work with TPDU
> level exchange.  Thus, I believe that both works well for RSA-4096
> keys.

Older SCR335 (version < 5.14) have a bug in the USB stack - they do not
work reliably with PCSCD but they work with GnuPG's internal driver (I
developed the smartcard and driver code using such old SCR335 and added
a workaround).


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Key generation with GPGME and GnuPG hangs at gpgme_op_genkey

2016-01-26 Thread Sandra Schreiner
Hello,

This is my first message to an e-mail list ever. I don't even know if this is
the right e-mail list for me, please forgive me if I'm wrong, but unfortunately
I didn't find a GPGME e-mail list.
Currently I'm trying to use GPGME in my C++ application with GnuPG for
key-management and encryption. Sadly I'm not able to create a new key, because
my code hangs at gpgme_op_genkey. I have gpg 1.4.18 and gpg2 2.0.26 and GPGME
1.5.1 available on my 64 bit Debian VM system (version Jessie). This is how I
initialize the library:

gpgme_engine_info_t info;
gpgme_error_t  error;
const char * CONFIG_DIR = "/";

// Initializes gpgme
gpgme_check_version(NULL);

// Initialize the locale environment.
setlocale(LC_ALL, "");
gpgme_set_locale(NULL, LC_CTYPE, setlocale(LC_CTYPE, NULL));
#ifdef LC_MESSAGES
gpgme_set_locale(NULL, LC_MESSAGES, setlocale(LC_MESSAGES, NULL));
#endif
error = gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP, NULL,
                              CONFIG_DIR);
if(error)
    return false;
error = gpgme_new(&mContext);
if(error)
    return false;
// Check OpenPGP
error = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
if(error)
    return false;
// load engine info
error = gpgme_get_engine_info(&info);
if(error)
    return false;
while(info && info->protocol != gpgme_get_protocol(mContext)) {
    info = info->next;
}
// set path to our config file
error = gpgme_ctx_set_engine_info(mContext, GPGME_PROTOCOL_OpenPGP, NULL,
                                  CONFIG_DIR);
if(error)
    return false;

-
Here I try to create the key:

 std::string def = " \n"
  " Key-Type: default \n"
  " Subkey-Type: default \n"
  " Name-Real: Joe Tester3 \n"
  " Name-Comment: with stupid passphrase \n"
  " Name-Email: j...@foo.bar \n"
  " Expire-Date: 0 \n"
  " Passphrase: abc \n"
  "  \n";

gpgme_error_t error = gpgme_op_genkey(mContext, def.c_str(), NULL, NULL);

if(GPG_ERR_INV_VALUE  == gpgme_err_code(error)){
    std::cout << "Value error";
}
if(GPG_ERR_NOT_SUPPORTED == gpgme_err_code(error)){
    std::cout << "Not supported error";
}
if(GPG_ERR_GENERAL  ==  gpgme_err_code(error)){
    std::cout << "general error";
}
if(error == gpgme_err_code(GPG_ERR_NO_ERROR)){
    gpgme_genkey_result_t res = gpgme_op_genkey_result(mContext);
    if(res->primary && res->sub){
        result = true;
    }
}

There is no error while initialising the library, so I don't know why it stops
at gpgme_op_genkey. Maybe GnuPG is trying to collect entropy? If I generate a
key using the GnuPG command line it takes a very long time to collect entropy.
But after ~15 minutes the key generation completes successfully (I didn't
notice that my program finished so far, even after 15 minutes+). I already
tried to remove the \n in each line, but I received a general error in this
case. Am I doing something wrong? Any help or hint is highly appreciated.

Best regards,
Sandra


Re: Key generation with GPGME and GnuPG hangs at gpgme_op_genkey

2016-01-26 Thread Robert J. Hansen
> This is my first message to an e-mail list ever. I don't even know if
> this is the right e-mail list for me, please forgive me if I'm wrong,
> but unfortunately I didn't find a GPGME e-mail list.

Welcome!  You're in the right place, and we'll be happy to help you out.
 You may wish to switch from HTML email to plain-text; that's the
standard for this list.

> There is no error while initialising the library, so I don't know why it
> stops at gpgme_op_genkey. Maybe GnuPG is trying to collect entropy? If
> I generate a key using the GnuPG command line it takes a very long time
> to collect entropy. But after ~15 minutes the key generation completes
> successfully (I didn't notice that my program finished so far, even
> after 15 minutes+).

If it's taking your GnuPG setup ~15 minutes to generate a new
certificate, that indicates to me your GnuPG installation has a problem.
Let's tackle that one first before we start looking at your code.

Are you getting periodic messages about "Not enough random bytes
available.  Please do some other work to give the OS a chance to
collect more entropy! (Need 167 more bytes)" or something like that?




AW: Key generation with GPGME and GnuPG hangs at gpgme_op_genkey

2016-01-26 Thread Sandra Schreiner


From: Gnupg-users [gnupg-users-boun...@gnupg.org] on behalf of
Robert J. Hansen [r...@sixdemonbag.org]
Sent: Tuesday, 26 January 2016 11:43
To: gnupg-users@gnupg.org
Subject: Re: Key generation with GPGME and GnuPG hangs at gpgme_op_genkey


> Are you getting periodic messages about "Not enough random bytes
> available.  Please do some other work to give the OS a chance to
> collect more entropy! (Need 167 more bytes)" or something like that?

Yes. You are right. These messages appear often.

Moreover I noticed that GPGME 1.5 may be outdated. I saw that e.g. the mode
GPGME_EXPORT_MODE_SECRET is missing for exporting private keys. Therefore I
would like to update GnuPG and GPGME together. Sadly there is no new version
of them available in the Debian package manager. How can I manage to update
them? I found the tarball of GPGME 1.6 but don't know which version of GnuPG
would match this GPGME version.


Re: 2.1.10 with libgcrypt 1.7.0-beta300

2016-01-26 Thread Fulano Diego Perez


NIIBE Yutaka:
> On 01/23/2016 10:11 PM, Fulano Diego Perez wrote:
>> NIIBE Yutaka:
>>> Please note that you need to invoke gpg-agent with LD_LIBRARY_PATH, too.
>>
>> can explain how you mean to invoke ?
> 
> Well, it seems terminology issue.  I mean, to start, to kick the service,
> and to run the service.
> 
> In general, there are multiple ways.  In my case on Debian, I have a
> startup script, /etc/X11/Xsession.d/90gpg-agent, which invokes
> gpg-agent.
> 
>> i export library path for gpg2 and shows expected libgcrypt version
> 
> Exporting library path is also needed for gpg-agent.
> 
>> i can clearsign with ed25519 EDDSA subkey
> 
> This can be done with libgcrypt 1.6.4.
> 
>> i have problem testing encryption with cv25519 subkey
>>
>>
>> tried to test with $ fortune | gpg2 --sign --encrypt -u abc --recipient
>> 123 --recipient 456 | gpg2 --decrypt
>>
>> gpg: ecdh failed in gcry_cipher_decrypt: Checksum error
>> gpg: ecdh failed in gcry_cipher_decrypt: Checksum error
>> gpg: encrypted with 256-bit ECDH key, ID test, created 2016
>>   "test"
>> gpg: public key decryption failed: Checksum error
>> gpg: encrypted with 256-bit ECDH key, ID test, created 2016
>>   test2
>> gpg: public key decryption failed: Checksum error
>> gpg: decryption failed: No secret key
>>
>> i have secret key
> 
> I know.  The problem is the version of libgcrypt of gpg-agent.
> 
> Public key handling is the role of gpg frontend, while secret key
> handling is done by gpg-agent.  With no newer libgcrypt, gpg-agent
> can't handle CV25519 keys.
> 
>> tried list-packets & -vvv - nothing more on errors
> 
> Yes.
> 
>> maybe this is conflict with persistent gpg-agent and ssh-agent
>>  they are listed in htop with PID but no RAM use
>>
>> how can to figure this out ?
> 
> If you can check the process's memory maps of gpg-agent, you can see
> the maps to libgcrypt.  In my case, I can see the entries in
> /proc//maps like:
> 
> b7617000-b76d5000 r-xp  08:01 35743  
> /usr/local/lib/libgcrypt.so.20.1.0
> b76d5000-b76d9000 rw-p 000bd000 08:01 35743  
> /usr/local/lib/libgcrypt.so.20.1.0
> b76e7000-b76ef000 rw-p  00:00 0
> 

$ cat /proc/PID-of-local-[gpg-ssh]agent/maps

nada

$ /builds/gpg21x/bin/gpg-agent --daemon

$ cat /proc/PID/maps

55fb967f7000-55fb96849000 r-xp  fc:02 2098759
 /builds/gpg21x/bin/gpg-agent
55fb96a48000-55fb96a4a000 r--p 00051000 fc:02 2098759
 /builds/gpg21x/bin/gpg-agent
55fb96a4a000-55fb96a4b000 rw-p 00053000 fc:02 2098759
 /builds/gpg21x/bin/gpg-agent
55fb96a4b000-55fb96a4c000 rw-p  00:00 0
55fb9822-55fb98241000 rw-p  00:00 0
 [heap]
7f714b7e4000-7f714b97e000 r-xp  fc:02 2229058
 /lib/x86_64-linux-gnu/libc-2.21.so
7f714b97e000-7f714bb7e000 ---p 0019a000 fc:02 2229058
 /lib/x86_64-linux-gnu/libc-2.21.so
7f714bb7e000-7f714bb82000 r--p 0019a000 fc:02 2229058
 /lib/x86_64-linux-gnu/libc-2.21.so
7f714bb82000-7f714bb84000 rw-p 0019e000 fc:02 2229058
 /lib/x86_64-linux-gnu/libc-2.21.so
7f714bb84000-7f714bb88000 rw-p  00:00 0
7f714bb88000-7f714bba r-xp  fc:02 2229034
 /lib/x86_64-linux-gnu/libpthread-2.21.so
7f714bba-7f714bd9f000 ---p 00018000 fc:02 2229034
 /lib/x86_64-linux-gnu/libpthread-2.21.so
7f714bd9f000-7f714bda r--p 00017000 fc:02 2229034
 /lib/x86_64-linux-gnu/libpthread-2.21.so
7f714bda-7f714bda1000 rw-p 00018000 fc:02 2229034
 /lib/x86_64-linux-gnu/libpthread-2.21.so
7f714bda1000-7f714bda5000 rw-p  00:00 0
7f714bda5000-7f714bda8000 r-xp  fc:02 271554
 /usr/lib/x86_64-linux-gnu/libnpth.so.0.0.5
7f714bda8000-7f714bfa8000 ---p 3000 fc:02 271554
 /usr/lib/x86_64-linux-gnu/libnpth.so.0.0.5
7f714bfa8000-7f714bfa9000 r--p 3000 fc:02 271554
 /usr/lib/x86_64-linux-gnu/libnpth.so.0.0.5
7f714bfa9000-7f714bfaa000 rw-p 4000 fc:02 271554
 /usr/lib/x86_64-linux-gnu/libnpth.so.0.0.5
7f714bfaa000-7f714bfbc000 r-xp  fc:02 269865
 /usr/lib/x86_64-linux-gnu/libassuan.so.0.7.2
7f714bfbc000-7f714c1bb000 ---p 00012000 fc:02 269865
 /usr/lib/x86_64-linux-gnu/libassuan.so.0.7.2
7f714c1bb000-7f714c1bc000 r--p 00011000 fc:02 269865
 /usr/lib/x86_64-linux-gnu/libassuan.so.0.7.2
7f714c1bc000-7f714c1bd000 rw-p 00012000 fc:02 269865
 /usr/lib/x86_64-linux-gnu/libassuan.so.0.7.2
7f714c1bd000-7f714c1cf000 r-xp  fc:02 225
 /lib/x86_64-linux-gnu/libgpg-error.so.0.17.0
7f714c1cf000-7f714c3cf000 ---p 00012000 fc:02 225
 /lib/x86_64-linux-gnu/libgpg-error.so.0.17.0
7f714c3cf000-7f714c3d r--p 00012000 fc:02 225
 /lib/x86_64-linux-gnu/libgpg-error.so.0.17.0
7f714c3d-7f714c3d1000 rw-p 00013000 fc:02 225
 /lib/x86_64-linux-gnu/libgpg-error.so.0.17.0
7f714c3d1000-7f714c4ce000 r-xp  fc:02 2098729
 /builds/libgcrypt/lib/libgcrypt.so.20.1.0
7f714c4ce000-7f714c6ce000 ---p 000fd000 fc:02 2098729
 /builds/libgcrypt/lib/libgcrypt.so.20.1.0
7f714c6ce000-7f714c6d r--p 000fd000 fc:02 2098729
 /builds/libgcrypt/lib/libgcrypt.so.20.1.0
7f714c6d-7f714c6d6000 rw-p 000ff0
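
The /proc/PID/maps check discussed in this message, as an added example that is not part of the original post: it lists the libgcrypt objects a process has mapped and says whether they come from the directory you expect. The function names, the sample maps lines and the old library version in them are constructed for illustration.

```shell
#!/bin/sh
# Added example: which libgcrypt does a running gpg-agent really use?
# Usage against a live process:  sh this-script PID /builds/libgcrypt/lib

# Print each distinct libgcrypt path found in a maps file.
# A maps line is: address perms offset dev inode pathname
# A trailing " (deleted)" means the file was replaced on disk after the
# process started, so the process is still running the old code.
mapped_libgcrypt() {
    sed -n 's|^[0-9a-f]*-[0-9a-f]* [^ ]* [0-9a-f]* [^ ]* [0-9]* *\(/.*libgcrypt\.so.*\)$|\1|p' "$1" | sort -u
}

# check_agent_lib MAPS_FILE EXPECTED_DIR
# Prints one verdict:
#   ok        every mapped libgcrypt lives under EXPECTED_DIR
#   mismatch  a libgcrypt from another directory is mapped
#   stale     a mapped libgcrypt was deleted or replaced; restart the agent
#   none      no libgcrypt mapping found (wrong PID or unreadable file)
check_agent_lib() {
    cal_want=${2%/}
    cal_libs=$(mapped_libgcrypt "$1")
    if [ -z "$cal_libs" ]; then
        echo none
        return 0
    fi
    cal_verdict=ok
    while IFS= read -r cal_lib; do
        case $cal_lib in
            *" (deleted)") cal_verdict=stale ;;
            "$cal_want"/*) ;;
            *) [ "$cal_verdict" = stale ] || cal_verdict=mismatch ;;
        esac
    done <<EOF
$cal_libs
EOF
    echo "$cal_verdict"
}

# Constructed sample input (addresses, inodes and the 20.0.3 version are made up).
sample_maps() {
    echo "55d0c0a00000-55d0c0a52000 r-xp 00000000 fc:02 2098759    /builds/gpg21x/bin/gpg-agent"
    case $1 in
        new)
            echo "7f00aa000000-7f00aa0fd000 r-xp 00000000 fc:02 2098729    /builds/libgcrypt/lib/libgcrypt.so.20.1.0"
            echo "7f00aa2fd000-7f00aa303000 rw-p 000fd000 fc:02 2098729    /builds/libgcrypt/lib/libgcrypt.so.20.1.0"
            ;;
        old)
            echo "7f00aa000000-7f00aa0c0000 r-xp 00000000 fc:02 2229100    /lib/x86_64-linux-gnu/libgcrypt.so.20.0.3"
            ;;
        stale)
            echo "7f00aa000000-7f00aa0fd000 r-xp 00000000 fc:02 2098729    /builds/libgcrypt/lib/libgcrypt.so.20.1.0 (deleted)"
            ;;
    esac
    echo "7f00aa303000-7f00aa305000 rw-p 00000000 00:00 0"
}

# Run against a live process only when a PID and a directory are given.
if [ "$#" -eq 2 ]; then
    check_agent_lib "/proc/$1/maps" "$2"
fi
```

A "mismatch" or "stale" verdict for the agent, while gpg2 itself shows the new library, matches the situation described in the quoted reply: the frontend and the agent are separate processes and each needs the library path set when it is started.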

Cross Compiling libgpg-error-1.21 for rsyslog-8.15.0: unrecognized option '--64'.

2016-01-26 Thread Girish Kumar

Dear All,

I am compiling libgpg-error-1.21, which is a dependency library for
libgcrypt-1.6.4. This is for the armv7 platform.
Found some info on cross compilation, but was not able to understand.

I am getting "unrecognized option '--64'" when compiling libgpg-error-1.21.
Could you please help me with this?


gawk -f 
/home/gkuma020/PERFORCE/7.X.X.R01-gkuma020-new/engr/sw/tps/libgpg-error-1.21/src/mkerrnos.awk
 
/home/gkuma020/PERFORCE/7.X.X.R01-gkuma020-new/engr/sw/tps/libgpg-error-1.21/src/errnos.in
 >code-to-errno.h
gawk -f 
/home/gkuma020/PERFORCE/7.X.X.R01-gkuma020-new/engr/sw/tps/libgpg-error-1.21/src/mkerrcodes1.awk
 
/home/gkuma020/PERFORCE/7.X.X.R01-gkuma020-new/engr/sw/tps/libgpg-error-1.21/src/errnos.in
 >_mkerrcodes.h
arm-unknown-linux-gnueabi-gcc -E -mcpu=cortex-a9 -mabi=aapcs-linux -msoft-float 
-O -fno-omit-frame-pointer -mapcs-frame -mno-sched-prolog  
-I/soft/gnu/cross/linux_64/13/arm/sysroot/usr/include 
-I/home/gkuma020/PERFORCE/7.X.X.R01-gkuma020-new/engr/sw/tps/built/46/7.X.X.R01/armv7/include
   -P _mkerrcodes.h | grep GPG_ERR_ | \
   gawk -f 
/home/gkuma020/PERFORCE/7.X.X.R01-gkuma020-new/engr/sw/tps/libgpg-error-1.21/src/mkerrcodes.awk
 >mkerrcodes.h
rm _mkerrcodes.h
cc -I. 
-I/home/gkuma020/PERFORCE/7.X.X.R01-gkuma020-new/engr/sw/tps/libgpg-error-1.21/src
 -o mkerrcodes 
/home/gkuma020/PERFORCE/7.X.X.R01-gkuma020-new/engr/sw/tps/libgpg-error-1.21/src/mkerrcodes.c
as: unrecognized option '--64'
make[4]: *** [mkerrcodes] Error 1
make[4]: Leaving directory 
`/home/gkuma020/PERFORCE/7.X.X.R01-gkuma020-new/engr/sw/tps/objs/46/7.X.X.R01/armv7/libgpg-error/src'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory 
`/home/gkuma020/PERFORCE/7.X.X.R01-gkuma020-new/engr/sw/tps/objs/46/7.X.X.R01/armv7/libgpg-error'
make[2]: *** [all] Error 2
make[2]: Leaving directory 
`/home/gkuma020/PERFORCE/7.X.X.R01-gkuma020-new/engr/sw/tps/objs/46/7.X.X.R01/armv7/libgpg-error'
make[2]: Entering directory 
`/home/gkuma020/PERFORCE/7.X.X.R01-gkuma020-new/engr/sw/tps/objs/46/7.X.X.R01/armv7/libgpg-error'
Making install in m4
make[3]: Entering directory 
`/home/gkuma020/PERFORCE/7.X.X.R01-gkuma020-new/engr/sw/tps/objs/46/7.X.X.R01/armv7/libgpg-error/m4'
make[4]: Entering directory 
`/home/gkuma020/PERFORCE/7.X.X.R01-gkuma020-new/engr/sw/tps/objs/46/7.X.X.R01/armv7/libgpg-error/m4'
make[4]: Nothing to be done for `install-exec-am'.
make[4]: Nothing to be done for `install-data-am'.
make[4]: Leaving directory 
`/home/gkuma020/PERFORCE/7.X.X.R01-gkuma020-new/engr/sw/tps/objs/46/7.X.X.R01/armv7/libgpg-error/m4'
make[3]: Leaving directory 
`/home/gkuma020/PERFORCE/7.X.X.R01-gkuma020-new/engr/sw/tps/objs/46/7.X.X.R01/armv7/libgpg-error/m4'
Making install in src
make[3]: Entering directory 
`/home/gkuma020/PERFORCE/7.X.X.R01-gkuma020-new/engr/sw/tps/objs/46/7.X.X.R01/armv7/libgpg-error/src'
cc -I. 
-I/home/gkuma020/PERFORCE/7.X.X.R01-gkuma020-new/engr/sw/tps/libgpg-error-1.21/src
 -o mkerrcodes 
/home/gkuma020/PERFORCE/7.X.X.R01-gkuma020-new/engr/sw/tps/libgpg-error-1.21/src/mkerrcodes.c
as: unrecognized option '--64'
make[3]: *** [mkerrcodes] Error 1
make[3]: Leaving directory 
`/home/gkuma020/PERFORCE/7.X.X.R01-gkuma020-new/engr/sw/tps/objs/46/7.X.X.R01/armv7/libgpg-error/src'
make[2]: *** [install-recursive] Error 1
make[2]: Leaving directory 
`/home/gkuma020/PERFORCE/7.X.X.R01-gkuma020-new/engr/sw/tps/objs/46/7.X.X.R01/armv7/libgpg-error'
make[1]: *** 
[/home/gkuma020/PERFORCE/7.X.X.R01-gkuma020-new/engr/sw/tps/installed/46/7.X.X.R01/armv7/ramdisk/lib/libgpg-error.so]
 Error 2
make[1]: Leaving directory 
`/home/gkuma020/PERFORCE/7.X.X.R01-gkuma020-new/engr/sw/tps'
make: *** [tps-build] Error 2
+ set +x


Regards,
Girish



Re: AW: Key generation with GPGME and GnuPG hangs at gpgme_op_genkey

2016-01-26 Thread Daniel Kahn Gillmor
On Tue 2016-01-26 06:02:09 -0500, Sandra Schreiner wrote:
 [ Robert J. Hansen wrote: ] 
>> Are you getting periodic messages about "Not enough random bytes
>> available.  Please do some other work to give the OS a chance to
>> collect more entropy! (Need 167 more bytes)" or something like that?
>
> Yes. You are right. These messages appear often.

You said that you are running in a Jessie VM.  Depending on the type of
VM, it's possible that there are few events that are feeding the
kernel's entropy pool (no virtualized hardware or software or anything
similar).  GnuPG relies on the kernel's entropy to initialize the key
generation process, and it consumes rather a lot of it.

I don't know what kind of virtualization you're using, so i have no
concrete suggestions for how you could increase the entropy in the VM
you're using, other than the usual tricks of typing into keyboard and
wiggling the mouse.

you can see the state of the Linux kernel's entropy by looking at the
contents of the file /proc/sys/kernel/random/entropy_avail -- if that is
staying close to 0, it's likely that this is the problem.

For testing purposes only, you might be interested in using the
--debug-quick-random flag, which would avoid waiting on the kernel's
blocking RNG.


I note that you're passing the root of the filesystem as your preferred
CONFIG_DIR:

  const char * CONFIG_DIR = "/";

This might be a mistake, because it's unlikely that a normal user can
write to the root directory, and you almost certainly don't *want* to
use the root directory as your gpg config dir.

gpgme_set_engine_info() accepts NULL as the HOME_DIR parameter, which
asks for the engine's default homedir to be used.

> Moreover I noticed that GPGME 1.5 may be outdated. I saw that e.g. the
> mode GPGME_EXPORT_MODE_SECRET is missing for exporting private
> keys. Therefore I would like to update GnuPG and GPGME together. Sadly
> there is no new version of them available in the debian package
> manager. How can I manage to update them? I found the tarball of GPGME
> 1.6 but don't know which version of GnuPG would match this GPGME
> version.

gpgme and gnupg are not intentionally tightly coupled.  I wouldn't try
to update them until you've figured out what's going on here.

If the delay is still happening for you even with a system with entropy
available, you might also try looking at the process table to see what
is going on -- if there's a backgrounded gpg or gpg2 process, you could
try attaching to it with strace ("strace -p $PID", where $PID is the
process ID of the gpg process) to see what it's doing.

hth,

--dkg
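
The two checks suggested in this reply (watching entropy_avail and not using "/" as the GnuPG home directory), as an added shell example that is not part of the original message. The function names and the 128-bit threshold are assumptions made for illustration; the permission test mirrors GnuPG's own warning about unsafe permissions on the homedir.

```shell
#!/bin/sh
# Added example: pre-flight checks before starting key generation.
# Usage on a live system:  sh this-script --check

# entropy_watch [FILE] [SAMPLES] [INTERVAL] [MIN_BITS]
# Reads the kernel's entropy estimate SAMPLES times, INTERVAL seconds apart.
# Prints "starved" if the estimate never reaches MIN_BITS (it is "staying
# close to 0"), "ok" if it does, "unknown" if the file cannot be read.
# MIN_BITS defaults to 128, an assumed threshold.
entropy_watch() {
    ew_file=${1:-/proc/sys/kernel/random/entropy_avail}
    ew_samples=${2:-5}
    ew_interval=${3:-1}
    ew_min=${4:-128}
    ew_max=0
    ew_i=0
    while [ "$ew_i" -lt "$ew_samples" ]; do
        [ -r "$ew_file" ] || { echo unknown; return 0; }
        ew_bits=$(tr -cd '0-9' < "$ew_file")
        [ -n "$ew_bits" ] || { echo unknown; return 0; }
        [ "$ew_bits" -le "$ew_max" ] || ew_max=$ew_bits
        ew_i=$((ew_i + 1))
        [ "$ew_i" -ge "$ew_samples" ] || sleep "$ew_interval"
    done
    if [ "$ew_max" -lt "$ew_min" ]; then echo starved; else echo ok; fi
}

# homedir_state DIR
# Prints "missing", "not-writable", "unsafe-perms" (group or others have any
# access) or "ok" for a directory intended as the GnuPG home directory.
homedir_state() {
    hs_dir=$1
    [ -d "$hs_dir" ] || { echo missing; return 0; }
    [ -w "$hs_dir" ] || { echo not-writable; return 0; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    hs_mode=$(ls -ld -- "$hs_dir" | cut -c5-10)
    [ "$hs_mode" = "------" ] || { echo unsafe-perms; return 0; }
    echo ok
}

if [ "${1:-}" = "--check" ]; then
    echo "entropy: $(entropy_watch)"
    echo "homedir: $(homedir_state "${GNUPGHOME:-$HOME/.gnupg}")"
fi
```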



Re: Problems with 4096 keys on 2.1 card

2016-01-26 Thread Jorgen Ottosson
Thanks to you both for commenting on this, I do remember the 335 being one
of the most original readers to work without much hassle.


> Please note that GnuPG 1.4 supports up to 3072-bit.  This is because
> of internal library limitation.
>
> I believe that "gpg" in Ubuntu is GnuPG 1.4.  It is "gpg2" when we
> want to use GnuPG 2.0.

Ok, well I thought it kinda used the 2 branch anyway when doing stuff with
cards, I may have misunderstood that - see commands further down though,
switching to "gpg2" does not work.


> Besides, generating a key with off-card backup is actually done by two
> steps:
>
>   * generating a key on host PC
>   * importing that key to card

I know, that was just for showing generate command bailing.


> Unfortunately, I don't have specific information (if card reader works
> with RSA-4096 or not), either.  I maintain this list for internal
> driver.
>
> https://wiki.debian.org/GnuPG/CCID_Driver

Nice link.


> According to this list, SCR3500 works well with the internal driver of
> GnuPG.

That's weird. Dead here without additional drivers, used it on another
installation, also Ubuntu but installed some kind of driver so guess I
didn't use the internal then either.


> In general, the list by PCSC-lite helps.
>
> https://pcsclite.alioth.debian.org/ccid/supported.html
>
> Looking the device info, both of SCR335 and SCR3500 work with TPDU
> level exchange.  Thus, I believe that both works well for RSA-4096
> keys.

Then I should be able to do some things differently..


Some misc. commands:

$ gpg --version
gpg (GnuPG) 1.4.16
..


$ gpg2 --version
gpg (GnuPG) 2.0.22
..


$ gpg --list-keys

-> works

$ gpg2 --list-keys

also works

However:

$ gpg --card-status

-> works

whereas gpg2 does NOT. (should it really? - but it is listed in help
output though)

$ gpg2 --card-status
gpg: selecting openpgp failed: Unsupported certificate
gpg: OpenPGP card not available: Unsupported certificate


NOTE: v2.1 card inserted in attached SCR335 reader all the time above.


Not sure if there's something here confusing me or I need to buy (yet)
another reader or what..
Maybe I can turn on debugging somewhere to solve this, really need to use
a couple of 4096 subkeys so this is kinda bugging me.


TIA,






[Announce] GnuPG 2.1.11 released

2016-01-26 Thread Werner Koch
Hello!

The GnuPG team is pleased to announce the availability of a new release
of GnuPG modern: Version 2.1.11.  See below for new features and bug
fixes.

The GNU Privacy Guard (GnuPG) is a complete and free implementation
of the OpenPGP standard which is commonly abbreviated as PGP.

GnuPG allows to encrypt and sign data and communication, features a
versatile key management system as well as access modules for public key
directories.  GnuPG itself is a command line tool with features for easy
integration with other applications.  A wealth of frontend applications
and libraries making use of GnuPG are available.  Since version 2 GnuPG
provides support for S/MIME and Secure Shell in addition to OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom). It can
be freely used, modified and distributed under the terms of the GNU
General Public License.

Three different branches of GnuPG are actively maintained:

- GnuPG "modern" (2.1) is the latest development with a lot of new
  features.  This announcement is about this branch.

- GnuPG "stable" (2.0) is the current stable version for general use.
  This is what most users are currently using.

- GnuPG "classic" (1.4) is the old standalone version which is most
  suitable for older or embedded platforms.

You may not install "modern" (2.1) and "stable" (2.0) at the same
time.  However, it is possible to install "classic" (1.4) along with
any of the other versions.


Noteworthy changes in version 2.1.11
====================================

 * gpg: New command --export-ssh-key to replace the gpgkey2ssh tool.

 * gpg: Allow to generate mail address only keys with --gen-key.

 * gpg: "--list-options show-usage" is now the default.

 * gpg: Make lookup of DNS CERT records holding an URL work.

 * gpg: Emit PROGRESS status lines during key generation.

 * gpg: Don't check for ambiguous or non-matching key specification in
   the config file or given to --encrypt-to.  This feature will return
   in 2.3.x.

 * gpg: Lock keybox files while updating them.

 * gpg: Solve rare error on Windows during keyring and Keybox updates.

 * gpg: Fix possible keyring corruption. (bug#2193)

 * gpg: Fix regression of "bkuptocard" sub-command in --edit-key and
   remove "checkbkupkey" sub-command introduced with 2.1.  (bug#2169)

 * gpg: Fix internal error in gpgv when using default keyid-format.

 * gpg: Fix --auto-key-retrieve to work with dirmngr.conf configured
   keyservers. (bug#2147).

 * agent: New option --pinentry-timeout.

 * scd: Improve unplugging of USB readers under Windows.

 * scd: Fix regression for generating RSA keys on card.

 * dirmngr: All configured keyservers are now searched.

 * dirmngr: Install CA certificate for hkps.pool.sks-keyservers.net.
   Use this certificate even if --hkp-cacert is not used.

 * gpgtar: Add actual encryption code.  gpgtar does now fully replace
   gpg-zip.

 * gpgtar: Fix filename encoding problem on Windows.

 * Print a warning if a GnuPG component is using an older version of
   gpg-agent, dirmngr, or scdaemon.

A detailed description of the changes found in the 2.1 branch can be
found at .

Please be aware that there are still known bugs which we are working on.
Check https://bugs.gnupg.org, https://wiki.gnupg.org, and the mailing
list archives for known problems and workarounds.


Getting the Software
====================

Please follow the instructions found at  or
read on:

GnuPG 2.1.11 may be downloaded from one of the GnuPG mirror sites or
direct from its primary FTP server.  The list of mirrors can be found at
.  Note that GnuPG is not
available at ftp.gnu.org.

The GnuPG source code compressed using BZIP2 and its OpenPGP signature
are available here:

 ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.11.tar.bz2  (5102k)
 ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.11.tar.bz2.sig

or here:

 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.1.11.tar.bz2  (5102k)
 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.1.11.tar.bz2.sig

An installer for Windows without any graphical frontend except for a
basic Pinentry tool is available here:

 ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.11_20160126.exe  (2630k)
 ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.11_20160126.exe.sig

or here

 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.1.11_20160126.exe  (2630k)
 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.1.11_20160126.exe.sig

The source used to build the Windows installer can be found in the same
directory with a ".tar.xz" suffix.  This Windows installer is missing
translations, it has no TOFU support, and no HKPS support.  However, it
fully supports Tor and the Tor browser.


Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a vers

NSA Civil Liberties & Privacy Report

2016-01-26 Thread Robert J. Hansen
The United States National Security Agency was required by Congress to
assemble a report on how they conduct electronic surveillance and the
measures taken to preserve the privacy of U.S. citizens.  It was
released last Friday, but I've yet to see it in the press.  It's very
dry reading, but there are some interesting nuggets within.

https://www.nsa.gov/civil_liberties/_files/UFA_Civil_Liberties_and_Privacy_Report.pdf




Re: Problems with 4096 keys on 2.1 card

2016-01-26 Thread NIIBE Yutaka
On 01/27/2016 07:59 AM, Jorgen Ottosson wrote:
> $ gpg --card-status
> 
> -> works

Yes.  GnuPG 1.4 works here, but it doesn't work for RSA-4096 keys.
I guess that you don't configure GnuPG 1.4 to use gpg-agent.
In that setting, gpg tries to connect your reader directly.

> $ gpg2 --card-status
> gpg: selecting openpgp failed: Unsupported certificate
> gpg: OpenPGP card not available: Unsupported certificate

This is a different thing.  It is the problem of smartcard, not specific
to RSA-4096.

I think you are using GNOME keyring.  Old versions of GNOME keyring
had a feature to try to replace a part of functionality of gpg-agent,
it was a kind of emulation of gpg-agent.  And it doesn't support
any commands for smartcard, and it resulted in mysterious errors like
above.

It had been difficult to configure GNOME keyring (to stop the feature
of gpg-agent) properly.  Here is some info:

http://www.gniibe.org/memo/notebook/gnome3-gpg-settings.html

In the days of GNOME 2.x, it was gconftool-2.  In the days of GNOME
3.0, it was gnome-session-properties.  For GNOME 3.1 or later, we
need to change the way how to invoke gnome-keyring.

Fortunately, I've heard that gnome-keyring is fixed now.  I, for
myself, gave up with GNOME and am currently using XFCE4.  However, I
encountered another:

https://bugs.debian.org/791378
-- 



Migrating to Gmail. Recommendations?

2016-01-26 Thread Bob (Robert) Cavanaugh

Hi All,
My company is merging with another and the new corporate e-mail will use Gmail. 
Is there a group consensus as to which client uses GPG most 
efficiently/securely? What about the UI?

Thanks,
Bob Cavanaugh



Cross Compiling libgpg-error-1.21 for rsyslog-8.15.0: unrecognized option '--64'.

2016-01-26 Thread Girish Kumar
Hi All,

I found the following in the README doc. Could you please explain what I
should do for armv7?

Cross-Compiling
---------------

Libgpg-error needs to figure out some platform specific properties.
These are used to build the platform specific gpg-error.h file.  The
detection is done during build time but can't be done when
cross-compiling.  Thus if you run into an error during building you
need to figure out these values.  You may use these commands:

  build="$(build-aux/config.guess)"
  ./configure --prefix=TARGETDIR --host=TARGET --build=$build
  cd src
  make gen-posix-lock-obj
  scp gen-posix-lock-obj TARGET:
  ssh TARGET ./gen-posix-lock-obj >tmp.h
  mv tmp.h "syscfg/$(awk 'NR==1 {print $2}' tmp.h)"

If you are using a VPATH build adjust accordingly.  If this all works
for you (make sure to run the test programs on the target platform),
please send the generated file to the gnupg-devel mailing list so that
we can include it in the next release.  Note that in addition to the
aliasing done by config.sub the src/mkheader build tool does some
extra aliasing to avoid having too much identical syscfg files.

Regards,
Girish

From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On Behalf Of Girish 
Kumar
Sent: Tuesday, January 26, 2016 8:36 PM
To: gnupg-users@gnupg.org
Subject: Cross Compiling libgpg-error-1.21 for rsyslog-8.15.0: unrecognized 
option '--64'.


as: unrecognized option '--64'
make[3]: *** [mkerrcodes] Error 1
make[3]: Leaving directory 
`/home/gkuma020/PERFORCE/7.X.X.R01-gkuma020-new/engr/sw/tps/objs/46/7.X.X.R01/armv7/libgpg-error/src'
make[2]: *** [install-recursive] Error 1
make[2]: Leaving directory 
`/home/gkuma020/PERFORCE/7.X.X.R01-gkuma020-new/engr/sw/tps/objs/46/7.X.X.R01/armv7/libgpg-error'
make[1]: *** 
[/home/gkuma020/PERFORCE/7.X.X.R01-gkuma020-new/engr/sw/tps/installed/46/7.X.X.R01/armv7/ramdisk/lib/libgpg-error.so]
 Error 2
make[1]: Leaving directory 
`/home/gkuma020/PERFORCE/

Re: Migrating to Gmail. Recommendations?

2016-01-26 Thread F Rafi
If IMAP or ActiveSync are enabled for that Gmail ("Gmail for Work")
account, you may continue using whatever client you're using today.

-Farhab

On Tuesday, January 26, 2016, Bob (Robert) Cavanaugh 
wrote:

> Hi All,
>
> My company is merging with another and the new corporate e-mail will use
> Gmail. Is there a group consensus as to which client uses GPG most
> efficiently/securely? What about the UI?
>
>
>
> Thanks,
>
> Bob Cavanaugh
>
>
>


Re: BAD signatures for GnuPG Stable

2016-01-26 Thread Aaron Tovo
Interesting. The file I downloaded is actually larger than what it
should be!

-rw-rw-r--  1 aaron aaron  855815 Jan 25 21:44 libgpg-error-1.21.tar.bz2


On 01/26/2016 03:26 AM, Werner Koch wrote:
> On Tue, 26 Jan 2016 05:41, aaront...@gmail.com said:
>
>> $ gpg --verify libgpg-error-1.21.tar.bz2.sig libgpg-error-1.21.tar.bz2
>> gpg: Signature made Sat 12 Dec 2015 06:03:30 AM CST using RSA key ID
>> 4F25E3B6
>> gpg: BAD signature from "Werner Koch (dist sig)"
> Please check the length of the file to make sure you downloaded it
> completely.
>
> The size of libgpg-error-1.21.tar.bz2 is 763186 bytes.
>
>
> Shalom-Salam,
>
>Werner
>


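The check discussed in this thread (compare the downloaded file's length with the published one, then verify the detached signature), as an added example that is not part of the original messages. The function names are hypothetical; the size test only explains a failed download, and the verdict always comes from gpg's machine-readable `--status-fd` lines.

```shell
#!/bin/sh
# Added example: pre-check a download's size, then classify gpg's status output.

# file_size FILE: print the size in bytes (tr strips the padding some wc emit).
file_size() {
    wc -c < "$1" | tr -d ' '
}

# size_matches FILE EXPECTED_BYTES: exit 0 only when the sizes are equal.
size_matches() {
    [ "$(file_size "$1")" -eq "$2" ]
}

# classify_status: read `gpg --status-fd` lines on stdin and print one verdict.
# A single BADSIG wins over everything else; an expired or revoked key
# downgrades an otherwise valid signature; no status lines means no proof.
classify_status() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG"   { bad = 1 }
        $2 == "ERRSIG" || $2 == "NO_PUBKEY" { err = 1 }
        $2 == "EXPSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { weak = 1 }
        $2 == "VALIDSIG" { valid = 1 }
        END {
            if (bad)        print "bad"
            else if (err)   print "unverifiable"
            else if (weak)  print "untrusted"
            else if (valid) print "good"
            else            print "unverifiable"
        }'
}

# verify_download FILE SIG EXPECTED_BYTES
# Returns 0 for a good signature, 2 for a size mismatch, 1 otherwise.
verify_download() {
    if ! size_matches "$1" "$3"; then
        echo "size mismatch: got $(file_size "$1") bytes, expected $3" >&2
        return 2
    fi
    verdict=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | classify_status)
    echo "signature verdict: $verdict" >&2
    [ "$verdict" = "good" ]
}
```

For the file in this thread the call would be `verify_download libgpg-error-1.21.tar.bz2 libgpg-error-1.21.tar.bz2.sig 763186`.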