Re: Unattended/batch key signing

2016-03-20 Thread Peter Lebbing
On 14/03/16 16:51, Tobias Mueller wrote:
> The reason is that I don't necessarily want my regular keyring to carry
> the signature just yet. From what I understand of the currently
> believed best practices, I would want to send the signature to the
> email address first to verify that the person does indeed have access
> to the mailbox.
> 
> Currently, this seems to require a rather artistic dance of [...]

For this, you can use external tools, like caff, which is available in
the signing-party package on Debian, and is also available for other
distributions. It will do all the work in its own homedir, so you can
keep your certifications separate.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


win32 gpgme passphrase callback FD issues

2016-03-20 Thread Tony Caduto
Hi,
I have looked back in the list archives and did find some info about this
but no resolutions.

I am using FPC (free pascal) and have gpgme.dll working (currently using
older versions that don't require the pinentry support)

The problem I am having is with the passphrase callback. Basically the win32
WriteFile function does not work. I did see in the docs that an internal
function called gpgme_io_writen is available in newer versions; the problem
is I can't find a version that has that function exposed except the very
newest, which have that pinentry. I need to use this on a server, and a
dialog popping up to ask for the passphrase is not good.

I have tried this with version 1.1.8 through 1.3.0 and they all fail.
What happens is it just goes into a loop, calling back over and over that
the password was bad.
The only way I can get it to not hang is to close the file handle, but then
on the next callback it fails because the file handle is gone.

Does anyone know what is the newest version of gpgme.dll that still
supports the passphrase call back function?



Here is my FPC callback function:
(it gets called back and all params are populated, but it just hangs after
returning 0.)

function gpgme_passphrase_cb(handle: pointer; uid_hint: pchar; passphrase_info: pchar;
  prev_was_bad: integer; fd: integer): Tgpgme_error; cdecl;
var
  password: pchar;
  ret: dword;
  filehandle: windows.HANDLE;
  newline: pchar = #10;
begin
  filehandle := windows.HANDLE(fd);
  password := 'coutweha';
  windows.WriteFile(filehandle, password, Length(password), ret, nil);
  windows.WriteFile(filehandle, newline, Length(newline), ret, nil);
  // windows.FlushFileBuffers(filehandle);  // Tried this to see if it was not fully writing to handle.
  windows.CloseHandle(filehandle);  // Loops forever if you don't close handle, errors out on second try because handle is closed.

  result.errorcode := GPG_ERR_NO_ERROR;
  result.error := GPG_ERR_NO_ERROR;
  result.errorsource := 0;
end;


Re: SHA-1 checksums to be replaced with something better at https://gnupg.org/download/integrity_check.html ?

2016-03-20 Thread Daniel Kahn Gillmor
On Fri 2016-03-18 03:21:30 -0400, Werner Koch wrote:
> Most people are actually not able to check even the SHA-1 checksums
> because they are missing a tool to do so (e.g. Windows) and have not the
> knowledge to install or compile and audit a shaXsum tool.

On any modern Windows installation (since Vista at least, i think) there
is "certutil.exe"

  https://technet.microsoft.com/en-us/library/cc732443.aspx#BKMK_hashfile

the syntax is:
 
  certutil -hashfile FileToHash.ext sha256

Looks like there's an older version available even for Windows XP (not
that i recommend anyone use that) via something called "Windows Server
2003 Administration Pack":

 https://support.microsoft.com/en-us/kb/934576?spid=12925&sid=1569
 (appears to require javascript, sorry)

> Further, in my experience many users do not check the entire SHA-1 sum
> but just a few of the first and last digits.  With the longer and
> harder to read SHA-256 checksums this will only get worse (“oh yes,
> the checksum is longer and thus safer and thus I need to compare less
> digits” :-().

Right, but surely you wouldn't advocate only displaying the first and
last few digits of the SHA1 digest just because most people aren't going
to look at anything else.  Right?

At any rate, checking the first and last X digits of SHA-256 is probably
better than checking the first and last X digits of SHA-1, for any value
of X.  SHA-1 has worse cryptographic properties than SHA-256 (and about
a decade more of intense analysis that reveals flaws).  Likewise, i'm
glad that we at least offer SHA-1, even though it's longer and harder to
read than MD5, which itself is longer and harder to read than CRC32 :P

We cannot force anyone to compare anything, but we can choose whether we
give them the information that is capable of strong comparison. (while
understanding that it's not meaningful in the face of webserver
compromise)

--dkg

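The full-digest check the exchange above argues for, as an added example that is not part of the thread or of the GnuPG download page: a small Python verifier that accepts the digest as printed by either certutil (hex byte pairs separated by spaces, sometimes upper case) or sha256sum, normalizes it, and reports a match only when the complete digest agrees, so a first-and-last-digits comparison or a "..."-elided value can never pass. The certutil and sha256sum transcripts inside it are constructed samples and sample.tar.bz2 is a placeholder file name.

```python
"""Verify a download against a published SHA-256 digest by comparing the
whole digest, whatever tool printed it.  Added example; sample transcripts
below are constructed, not captured from a real run."""
import hashlib
import hmac
import re

HEX_RE = re.compile(r"^[0-9a-f]+$")


def normalize_digest(text: str) -> str:
    """Drop certutil's byte separators and case so both tools compare equal."""
    digest = re.sub(r"[\s:]", "", text.strip()).lower()
    if not HEX_RE.match(digest):
        raise ValueError(f"not a hex digest: {text!r}")
    return digest


def digest_from_certutil(output: str) -> str:
    """Pull the digest line out of `certutil -hashfile FILE sha256` output.

    Shape (constructed sample):
        SHA256 hash of file sample.tar.bz2:
        61 a5 ... 8c
        CertUtil: -hashfile command completed successfully.
    """
    lines = [l for l in output.splitlines() if l.strip()]
    for line in lines[1:]:          # lines[0] is the "SHA256 hash of ..." header
        if line.startswith("CertUtil:"):
            break
        return normalize_digest(line)
    raise ValueError("no digest line found in certutil output")


def digest_from_sha256sum(output: str, filename: str) -> str:
    """Find FILENAME's digest in a sha256sum listing (`<hex>  <name>` or `<hex> *<name>`)."""
    for line in output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].lstrip("*") == filename:
            return normalize_digest(parts[0])
    raise KeyError(filename)


def matches(published: str, observed: str, algo: str = "sha256") -> bool:
    """Full-length, constant-time comparison.  Abbreviated or elided digests
    (a prefix, a suffix, 'ab12...f9') are rejected rather than partially matched."""
    expected_len = hashlib.new(algo).digest_size * 2
    try:
        p, o = normalize_digest(published), normalize_digest(observed)
    except ValueError:
        return False
    if len(p) != expected_len or len(o) != expected_len:
        return False
    return hmac.compare_digest(p, o)


def verify_bytes(data: bytes, published: str, algo: str = "sha256") -> bool:
    """Hash the downloaded bytes locally and compare against the published value."""
    return matches(published, hashlib.new(algo, data).hexdigest(), algo)


# Constructed sample download and the two tool transcripts it would produce.
SAMPLE = b"constructed sample download, not a real GnuPG tarball\n"
SAMPLE_HEX = hashlib.sha256(SAMPLE).hexdigest()
CERTUTIL_OUTPUT = (
    "SHA256 hash of file sample.tar.bz2:\n"
    + " ".join(SAMPLE_HEX[i:i + 2] for i in range(0, 64, 2)).upper() + "\n"
    + "CertUtil: -hashfile command completed successfully.\n"
)
SHA256SUM_OUTPUT = f"{SAMPLE_HEX}  sample.tar.bz2\n"

if __name__ == "__main__":
    print("certutil  :", verify_bytes(SAMPLE, digest_from_certutil(CERTUTIL_OUTPUT)))
    print("sha256sum :", verify_bytes(SAMPLE, digest_from_sha256sum(SHA256SUM_OUTPUT, "sample.tar.bz2")))
    print("abbreviated:", matches(SAMPLE_HEX[:6] + "..." + SAMPLE_HEX[-6:], SAMPLE_HEX))
```

The point of `matches` refusing anything shorter than the algorithm's full hex length is exactly the behaviour a human eyeballing "first and last few digits" lacks: a partial comparison is not reported as a weaker pass, it is reported as no verification at all. As dkg notes, none of this helps if the web server publishing the digest is itself compromised; that case needs the signature check, not a checksum.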


testing installation for the new modern version 2.1.11

2016-03-20 Thread amr
Hi, everyone.
I have just installed gpg2 version 2.1.11 from a previous version 2.0.29
(without removing the old version) with some difficulties, and I managed to
create new keys, but I need to make sure that it has been installed
properly. How can I run a self test for all the components and programs
conforming to this new version? Sorry for any redundancy that might occur
and for my English.
Thanks and Best Regards
Amr Kamal



testing installation for the new modern version 2.1.11

2016-03-20 Thread amr

Hi, everyone.
I have just installed gpg2 version 2.1.11 from the previous version 2.0.29
(without removing the old version) with some difficulties, and I managed to
create new keys, but I need to make sure that it has been installed
properly. How can I run a self test for all the components and programs
conforming to this new version? Sorry for the redundancy and for my
English.
Thanks and Best Regards
Amr Kamal



Re: using master key from usb

2016-03-20 Thread Me Self
Hi Damien and Dashamir

Those are all great solutions, tnx :)


On Sat, Mar 19, 2016 at 7:26 PM, Damien Goutte-Gattat <dgouttegat...@incenp.org> wrote:

> On 03/19/2016 01:24 PM, Me Self wrote:
>
>> I can use the master key with:
>> gpg --homedir /media/myusb/gnupg ...
>>
>> Now I want to --sign-keys a key that is imported in the keyring on the
>> harddrive.
>>
>
> You can use the --keyring option to add your normal public keyring
> (containing the key you want to sign):
>
>   $ gpg --homedir /media/myusb/gnupg --keyring ~/.gnupg/pubring.gpg ...
>
>
>> Is there an easier way to use the master key?
>>
>
> If you’re using GnuPG 2.1, an easy and (IMHO) elegant way is to create a
> symlink pointing to your master key on the USB stick:
>
>   $ ln -s /media/myusb/gnupg/private-keys-v1.d/XXX.key
> ~/.gnupg/private-keys-v1.d/XX.key
>
> (where XX is the *keygrip* of your master key, which you can learn
> with the --with-keygrip option when listing keys).
>
> You can then call gpg as usual, without needing to change its home
> directory. When you are done, just remove the symlink and unmount your USB
> stick.
>
>
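The symlink approach Damien describes above, wrapped so that the master key is exposed to the local gpg only for the duration of one operation and the link is removed again even if that operation fails. This is an added Python example, not code from the thread or from GnuPG; the keygrip form (40 hex digits, which is the file name gpg uses under private-keys-v1.d) and the --homedir/--keyring variant are as stated in the reply, while the USB and home paths are placeholders and the key file and directories in demo() are constructed temporaries, never a real key.

```python
"""Expose a master key kept on a USB stick to gpg through a temporary symlink
in the local private-keys-v1.d, and remove it again afterwards.  Added
example; paths and the dummy key in demo() are constructed."""
import contextlib
import os
import re
import tempfile

# gpg names private key files after the keygrip: 40 upper-case hex digits.
KEYGRIP_RE = re.compile(r"^[0-9A-F]{40}$")


def key_path(gnupg_home: str, keygrip: str) -> str:
    """Path of the private key file gpg expects for KEYGRIP under GNUPG_HOME."""
    keygrip = keygrip.strip().upper()
    if not KEYGRIP_RE.match(keygrip):
        raise ValueError(f"not a keygrip (40 hex digits expected): {keygrip!r}")
    return os.path.join(gnupg_home, "private-keys-v1.d", keygrip + ".key")


@contextlib.contextmanager
def master_key_linked(usb_home: str, local_home: str, keygrip: str):
    """Link the master key from USB_HOME into LOCAL_HOME for the block's duration.

    Yields the symlink path and always removes the link on exit.  Refuses to
    clobber an existing entry so a real key on the local disk is never replaced.
    """
    src = key_path(usb_home, keygrip)
    dst = key_path(local_home, keygrip)
    if not os.path.isfile(src):
        raise FileNotFoundError(f"master key not on the USB stick: {src}")
    if os.path.lexists(dst):
        raise FileExistsError(f"refusing to overwrite {dst}")
    os.makedirs(os.path.dirname(dst), mode=0o700, exist_ok=True)
    os.symlink(src, dst)
    try:
        yield dst
    finally:
        # Remove only the link we created; never follow it to the USB file.
        if os.path.islink(dst):
            os.unlink(dst)


def gpg_argv_with_usb_home(usb_home: str, local_home: str, *args: str) -> list:
    """The --homedir/--keyring form from the same reply, as an argv list for subprocess."""
    return ["gpg", "--homedir", usb_home,
            "--keyring", os.path.join(local_home, "pubring.gpg"), *args]


def demo() -> dict:
    """Exercise the link/unlink cycle against temp dirs with a dummy key file."""
    grip = "0123456789ABCDEF0123456789ABCDEF01234567"   # constructed keygrip
    with tempfile.TemporaryDirectory() as usb, tempfile.TemporaryDirectory() as home:
        os.makedirs(os.path.join(usb, "private-keys-v1.d"))
        with open(key_path(usb, grip), "wb") as f:
            f.write(b"(dummy placeholder, not a key)\n")   # constructed
        with master_key_linked(usb, home, grip) as link:
            # Inside the block gpg on HOME would see the master key ...
            during = os.path.islink(link) and os.path.samefile(link, key_path(usb, grip))
        # ... and after it the link is gone again.
        after = os.path.lexists(link)
    return {"linked_during": during, "present_after": after}


if __name__ == "__main__":
    print(demo())
```

In real use the gpg invocation (for example `subprocess.run(["gpg", "--sign-key", ...])`, or the argv from `gpg_argv_with_usb_home` if you prefer the --homedir/--keyring route) goes inside the `with` block; the link disappears as soon as the block ends, whether or not the signing succeeded, which keeps the window in which the master key is reachable from the normal home directory as short as possible.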


Re: using master key from usb

2016-03-20 Thread Dashamir Hoxha
Solutions explained by Damien are better than mine. I was not aware of
them. I would recommend one of them.

On Sun, Mar 20, 2016 at 9:51 PM, Me Self  wrote:

> Hi Damien and Dashamir
>
> Those are all great solutions, tnx :)
>
>
> On Sat, Mar 19, 2016 at 7:26 PM, Damien Goutte-Gattat <
> dgouttegat...@incenp.org> wrote:
>
>> On 03/19/2016 01:24 PM, Me Self wrote:
>>
>>> I can use the master key with:
>>> gpg --homedir /media/myusb/gnupg ...
>>>
>>> Now I want to --sign-keys a key that is imported in the keyring on the
>>> harddrive.
>>>
>>
>> You can use the --keyring option to add your normal public keyring
>> (containing the key you want to sign):
>>
>>   $ gpg --homedir /media/myusb/gnupg --keyring ~/.gnupg/pubring.gpg ...
>>
>>
>>> Is there an easier way to use the master key?
>>>
>>
>> If you’re using GnuPG 2.1, an easy and (IMHO) elegant way is to create a
>> symlink pointing to your master key on the USB stick:
>>
>>   $ ln -s /media/myusb/gnupg/private-keys-v1.d/XXX.key
>> ~/.gnupg/private-keys-v1.d/XX.key
>>
>> (where XX is the *keygrip* of your master key, which you can learn
>> with the --with-keygrip option when listing keys).
>>
>> You can then call gpg as usual, without needing to change its home
>> directory. When you are done, just remove the symlink and unmount your USB
>> stick.
>>
>>
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>