Automating the generation of master keys

2016-06-01 Thread Aurélien Vallée
Hello,

I would like to automate the generation of GPG master keys (I have hundreds
of smartcards to configure for employees). I'm using the default GPG from
CentOS 7 (gnupg 2.0.22).

Ideally, I would like to have:
- 1 masterkey with only the "certify" usage, stored offline.
- 1 subkey with only "encryption" usage, backed up offline, imported on the
smartcard.
- 1 subkey with only "authenticate" usage, generated on the smartcard.
- 1 subkey with only "sign" usage, generated on the smartcard.

I guess this is a rather regular setup.

Now my users are not super tech-savvy, so ideally I would like to generate
the initial keys and configure the smart card before giving them.

I first tried to generate the master keys using the batch mode, but I can't
find a way to generate master keys with only "certify" usage.

Quoting the documentation:

> Key-Usage: usage-list
>
> Space or comma delimited list of key usages. Allowed values are ‘encrypt’,
> ‘sign’, and ‘auth’.
>
> This is used to generate the key flags. Please make sure that the algorithm
> is capable of this usage. Note that OpenPGP requires that all primary keys
> are capable of certification, so no matter what usage is given here, the
> ‘cert’ flag will be on. If no ‘Key-Usage’ is specified and the ‘Key-Type’
> is not ‘default’, all allowed usages for that particular algorithm are
> used; if it is not given but ‘default’ is used the usage will be ‘sign’.


So "cert" is a default for primary-keys. If I do not provide any
"Key-Usage", all usages will be set. If I do provide a "Key-Usage", then my
master key is not "certify only" anymore.

Is there something I missed here?

Currently, I fall back to writing an expect script to automate the key
generation. The handling of passphrase input with possibly different
pinentry programs makes the expect script insane to read and fragile in
practice.

Any help or advice greatly appreciated!

Cheers,
Aurelien
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
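As an added example (not from the post or from GnuPG), a Python check for the layout described above: it parses `gpg --with-colons` key listings and reports whether the primary key carries only the certify flag and whether there is exactly one encrypt-, authenticate- and sign-only subkey. The two colon listings are constructed samples with placeholder key ids; the second one shows the "sc" primary that a `Key-Usage: sign` batch file produces.

```python
"""Verify that a GnuPG key matches the layout asked for in the post:
a certify-only primary key plus one subkey each for encrypt,
authenticate and sign.  Parses `gpg --with-colons` output, where field
12 of pub/sec/sub/ssb records holds the key capabilities (lowercase =
this key's own usage flags, uppercase = usage of the whole key).
"""
import subprocess
from collections import Counter


def parse_colon_listing(text):
    """Return (primary_caps, [subkey_caps, ...]) for the first key in a
    `gpg --with-colons --list-keys` / `--list-secret-keys` listing.
    Only the lowercase, per-key flags are kept, sorted for comparison."""
    primary, subkeys = None, []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 12:
            continue  # tru/fpr/... records without a capability field
        caps = "".join(sorted(c for c in fields[11] if c in "esca"))
        if fields[0] in ("pub", "sec"):
            if primary is not None:
                break  # a second key block starts; inspect only the first
            primary = caps
        elif fields[0] in ("sub", "ssb") and primary is not None:
            subkeys.append(caps)
    return primary, subkeys


def check_layout(primary, subkeys):
    """Return a list of findings; an empty list means the key matches the
    cert-only primary / single-purpose e, a, s subkey design."""
    if primary is None:
        return ["no primary key found in listing"]
    findings = []
    if primary != "c":
        findings.append(f"primary key usage is '{primary}', expected 'c' only")
    have = Counter(subkeys)
    for want in "eas":
        if have[want] != 1:
            findings.append(
                f"expected exactly one '{want}'-only subkey, found {have[want]}")
    for caps in subkeys:
        if len(caps) != 1:
            findings.append(f"subkey with combined usage '{caps}'")
    return findings


def check_key(keyid, gpg="gpg"):
    """Run gpg against a real keyring and check that key (needs gpg)."""
    out = subprocess.run([gpg, "--with-colons", "--list-keys", keyid],
                         check=True, capture_output=True, text=True).stdout
    return check_layout(*parse_colon_listing(out))


# Constructed listing (placeholder key ids and fingerprints) in colon format.
GOOD_LISTING = """\
tru::1:1464776000:0:3:1:5
pub:u:4096:1:0000000000000001:1464776000:::u:::cESCA::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1464776000::0000000000000000000000000000000000000002::Alice (constructed) <alice@example.com>::::::::::0:
sub:u:4096:1:0000000000000002:1464776000::::::e::::::23:
sub:u:4096:1:0000000000000003:1464776000::::::a::::::23:
sub:u:4096:1:0000000000000004:1464776000::::::s::::::23:
"""

# What `Key-Usage: sign` in a batch parameter file yields: the primary is "sc".
SIGNING_PRIMARY_LISTING = GOOD_LISTING.replace(":cESCA:", ":scESCA:")


if __name__ == "__main__":
    for name, listing in (("cert-only primary", GOOD_LISTING),
                          ("sign+cert primary", SIGNING_PRIMARY_LISTING)):
        print(name, check_layout(*parse_colon_listing(listing)) or "OK")
```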


Re: Automating the generation of master keys

2016-06-01 Thread Dashamir Hoxha
On Wed, Jun 1, 2016 at 10:56 AM, Aurélien Vallée wrote:
>
> So "cert" is a default for primary-keys. If I do not provide any
> "Key-Usage", all usages will be set. If I do provide a "Key-Usage", then my
> master key is not "certify only" anymore.
>

I think that certify and sign are very similar, so it doesn't hurt if the
primary key is both "cert" and "sign".
I do it in batch mode like this:
 - https://github.com/dashohoxha/egpg/blob/gnupg-2.0/src/cmd/key/gen.sh#L42

Anyway, I generate a sign-only subkey later, and gnupg-2.0 picks by default
the latest sign subkey, when it comes to signing, so the primary key
normally will not be used for signing (which is what you want).


> Currently, I fall back to writing an expect script to automate the key
> generation. The handling of passphrase input with possibly different
> pinentry programs makes the expect script insane to read and fragile in
> practice.
>

I use the script above for automatic (batch) key generation.
If you don't mind, can you share your expect script?

Regards,
Dashamir


Keyserver lookup failure

2016-06-01 Thread MFPA


I am running GnuPG 2.1.2 on Windows 10, using the pre-compiled
binaries. Keyserver lookup keeps failing for me as follows:-

>gpg -v --keyserver hkp://pool.sks-keyservers.net --recv-key 0x251BCCEB547B7194
gpg: using character set 'utf-8'
gpg: keyserver receive failed: No keyserver available



>gpg-connect-agent --dirmngr "keyserver --hosttable" /bye
S # hosttable (idx, ipv6, ipv4, dead, name, time):
S #   0 d pool.sks-keyservers.net  (14m50s)
OK




I tried pinging pool.sks-keyservers.net:-

>ping -6 pool.sks-keyservers.net

Pinging pool.sks-keyservers.net [2001:67c:2e80:40:21e:67ff:fe14:69f4] with 32 
bytes of data:
Reply from 2001:67c:2e80:40:21e:67ff:fe14:69f4: time=22ms
Reply from 2001:67c:2e80:40:21e:67ff:fe14:69f4: time=21ms
Reply from 2001:67c:2e80:40:21e:67ff:fe14:69f4: time=22ms
Reply from 2001:67c:2e80:40:21e:67ff:fe14:69f4: time=21ms

Ping statistics for 2001:67c:2e80:40:21e:67ff:fe14:69f4:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 21ms, Maximum = 22ms, Average = 21ms



>ping -4 pool.sks-keyservers.net

Pinging pool.sks-keyservers.net [176.241.243.15] with 32 bytes of data:
Reply from 176.241.243.15: bytes=32 time=45ms TTL=50
Reply from 176.241.243.15: bytes=32 time=45ms TTL=50
Reply from 176.241.243.15: bytes=32 time=44ms TTL=50
Reply from 176.241.243.15: bytes=32 time=44ms TTL=50

Ping statistics for 176.241.243.15:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 44ms, Maximum = 45ms, Average = 44ms


Any ideas how to proceed?


-- 
Best regards

MFPA  

Alcohol and Calculus don't mix. Never drink and derive.




Re: Keyserver lookup failure

2016-06-01 Thread Brian Minton

That was a known bug in that version.
Try the most recent release, 2.1.12.


Re: Keyserver lookup failure

2016-06-01 Thread MFPA



On Wednesday 1 June 2016 at 1:34:15 PM, Brian Minton wrote:



> That was a known bug in that version.
> Try the most recent release, 2.1.12.


Oops. That was a typo; I am using version  2.1.12.


-- 
Best regards

MFPA  

All generalisations are dangerous, even this one.




Re: Keyserver lookup failure

2016-06-01 Thread Kristian Fiskerstrand
On 06/01/2016 01:39 PM, MFPA wrote:
> 
> I am running GnuPG 2.1.2 on Windows 10, using the pre-compiled
> binaries. Keyserver lookup keeps failing for me as follows:-
> 
>> gpg -v --keyserver hkp://pool.sks-keyservers.net --recv-key 
>> 0x251BCCEB547B7194
> gpg: using character set 'utf-8'
> gpg: keyserver receive failed: No keyserver available

what is the dig +trace output and any firewall blocking port 11371 anywhere?

-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP certificate at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

"Excellence is not a singular act but a habit. You are what you do
repeatedly."
(Shaquille O'Neal)





Re: Automating the generation of master keys

2016-06-01 Thread Werner Koch
On Wed,  1 Jun 2016 12:47, dashoho...@gmail.com said:

> I do it in batch mode like this:
>  - https://github.com/dashohoxha/egpg/blob/gnupg-2.0/src/cmd/key/gen.sh#L42

Take care:

--8<---cut here---start->8---
  local commands="addkey|4|4096|1m|addkey|6|4096|1m|save"
  commands=$(echo "$commands" | tr '|' "\n")
  script -c "gpg --batch --command-fd=0 --edit-key $GPG_KEY <<< \"$commands\"" /dev/null >/dev/null
  while [[ -n $(ps ax | grep -e '--edit-key' | grep -v grep) ]]; do sleep 0.5; done
--8<---cut here---end--->8---

You can't use gpg this way - it only works with a certain version
and build of GnuPG.  Canned commands are too fragile to use - you need to
process the output of --status-fd and act accordingly.

  ps ax | grep -e '--edit-key' | grep -v grep

does not work either because you assume that there is only one gpg
command running (actually any process with a string '--edit-key').

BTW, Unix people use this trick to avoid the inverse grep:

  grep -e '--edit-ke[y]'



Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
/* EFH in Erkrath: https://alt-hochdahl.de/haus */




Re: Automating the generation of master keys

2016-06-01 Thread Aurélien Vallée
Okay, so I did try to add the sign usage to the master-key. That works well
and avoids the use of expect for generating the keys.

But the problem of pinentry still kind of happens everywhere: --passphrase
is now ignored when not in batch mode in gpg2, which means there is no way
to provide a passphrase programmatically when using --edit-key ...

On Wed, Jun 1, 2016 at 7:46 PM, Werner Koch  wrote:

> On Wed,  1 Jun 2016 12:47, dashoho...@gmail.com said:
>
> > I do it in batch mode like this:
> >  -
> https://github.com/dashohoxha/egpg/blob/gnupg-2.0/src/cmd/key/gen.sh#L42
>
> Take care:
>
> --8<---cut here---start->8---
>   local commands="addkey|4|4096|1m|addkey|6|4096|1m|save"
>   commands=$(echo "$commands" | tr '|' "\n")
>   script -c "gpg --batch --command-fd=0 --edit-key $GPG_KEY <<<
> \"$commands\"" /dev/null >/dev/null
>   while [[ -n $(ps ax | grep -e '--edit-key' | grep -v grep) ]]; do sleep
> 0.5; done
> --8<---cut here---end--->8---
>
> You can't use gpg this way - it only works with a certain version
> and build of GnuPG.  Canned commands are too fragile to use - you need to
> process the output of --status-fd and act accordingly.
>
>   ps ax | grep -e '--edit-key' | grep -v grep
>
> does not work either because you assume that there is only one gpg
> command running (actually any process with a string '--edit-key').
>
> BTW, Unix people use this trick to avoid the inverse grep:
>
>   grep -e '--edit-ke[y]'
>
>
>
> Shalom-Salam,
>
>Werner
>
> --
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
> /* EFH in Erkrath: https://alt-hochdahl.de/haus */
>
>


-- 
Aurélien Vallée
Phone +33 9 77 19 85 61


Re: Automating the generation of master keys

2016-06-01 Thread Peter Lebbing
On 01/06/16 19:46, Werner Koch wrote:
>   ps ax | grep -e '--edit-key' | grep -v grep
> 
> does not work either because you assume that there is only one gpg
> command running (actually any process with a string '--edit-key').

... from any user. That seems odd? Why's the 'a' part of the ps
invocation? Do you perhaps have the same affliction as I, in that when
my fingers type "ps " they invariably append "fax" and press Enter
before I have a chance to think whether I want my processes only? :-)

Anyway, apart from the in this case entirely useful BSD-style ps
behaviour of by default listing only processes from the owner, pgrep
seems to be the even more compact option here. The only thing is that
pgrep does not provide an option to say "the owner" other than naming
the user. Something like:

while pgrep -cfxu "$USER" "gpg --batch --command-fd=0 --edit-key $GPG_KEY" >/dev/null; do sleep 0.5; done

seems a more logical choice. I couldn't test it though, as I couldn't
reproduce the gpg process outliving the invocation. By the time it gets
to the wait loop, it has already finished. I did use GnuPG 2.1.11 for
it, but it still puzzles me why 2.0 would outlive the invocation.

Do note it is all academic because Werner just said "you can't use gpg
this way", which kind of defeats the purpose of the pgrep altogether.

Oh, when I say pgrep is more compact, that's because the equivalent of
the ps ax | ... etcetera invocation seems to be:

while pgrep -c -- --edit-key >/dev/null; do

It is a pity pgrep doesn't provide an option for silence.

> BTW, Unix people use this trick to avoid the inverse grep:
> 
>   grep -e '--edit-ke[y]'

A very useful little trick, but pgrep does it automatically, so in the
cases where pgrep is the more logical choice than grep, it is not needed.

HTH,

Peter.

PS: Talking about never learning about command-line invocation of a
tool... ps, sheesh... I think I just know three:

$ ps fax
$ ps fx
$ ps -fp 1 `pgrep blah`

(the latter has the init process in there because I don't like it
erroring out when pgrep turns up empty-handed)

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Configuration hints for using gnupg (2.0.x) interchangeably with graphical frontend and in the terminal

2016-06-01 Thread Bjoern Kahl

 Dear All,

 I am looking for hints or best practices to seamlessly mix use of
 GnuPG in the terminal and with frontends, in my case Enigmail in
 Thunderbird.

 I am on MacOS X (10.9.5 "Mavericks") with GnuPG installed through
 MacPorts as my main machine and also quite often logged into other
 Macs and other Linux boxes using SSH, coming from that main Mac.


 Problem:

 I quite often use gpg through Enigmail and also regularly use it in
 the terminal or when remotely logged into a box using ssh.

 Currently, whenever Enigmail needs a passphrase, it throws up a popup
 window (actually, it runs gpg, which runs the agent, which runs
 pinentry-mac, which throws up the window) _somewhere_: sometimes on
 the screen I am looking at, sometimes on another physical screen,
 sometimes hidden behind other windows, sometimes in the front.

 When using gpg in the terminal originally the same happened: Some
 random window popping up at some random spot on some random monitor.

 Even worse, when logging in through SSH, it throws up a pin entry
 window on the locked graphical session idling on the remote machine
 instead of in the terminal I am working in.


 Partial solution tried:

 I created a second gpg-agent.conf named "gpg-agent-term.conf" and
 configured the first to run pinentry-mac and the latter to run
 pinentry-curses.

 _Usually_ Enigmail/Thunderbird picks the first one and pops up its
 passphrase dialogue on one of my physical screens (I have no idea how
 it decides which one).

 If (and only if) I remember to explicitly start an agent with the
 second configuration, then gpg running in the terminal asks for my
 passphrase in that terminal.  But *only* in that terminal.  If I run
 gpg in another terminal, I either get the pinentry-mac (i.e. I forgot
 to set GPG_AGENT_INFO to the running "terminal-config" agent), or it
 asks me in that other terminal.  On an average day, I have about 10
 shells running in parallel, partly in terminal windows, partly in
 "screen" sessions in a single terminal window.  Searching through
 all my shells for where the passphrase dialogue appeared is annoying.

 However, when I start an agent with the second configuration before
 starting Thunderbird, then Enigmail asks me for a passphrase in the
 terminal where I started that agent.


 Questions:

 How can I configure gpg and the agent such that:

 - Whenever I run gpg in a terminal, it will ask me for my passphrase
   in exactly that terminal where I am interacting with it and expect
   the prompt?  I.e. on that TTY that is the controlling TTY of the
   gpg process I am interacting with?

 - Is there a way to have a single agent (with a single config file,
   so I can start it at first login and have it available in all
   terminals/shells and programs (e.g. Thunderbird) started from there)
   but still a graphical passphrase in programs which (no longer) have
   StdIn connected to a terminal or don't have a controlling TTY; and
   have a plain prompt in the terminal for programs that run in a
   terminal?


 I seriously doubt that there is any way to get back the just perfect
 behaviour of the old GnuPG 1.x where Enigmail would show a blocking
 dialogue attached to exactly that Thunderbird window where I was
 signing or decrypting a message.  But I hope there is at least a way
 to get the terminal version to prompt for the passphrase in the one
 spot where it makes sense: the TTY it is running in.


 Sorry for the long mail, and thanks for reading all this.  I tried to
 be precise about what my problem is and failed to be concise at the same
 time.


 Best regards

Björn

-- 
| Bjoern Kahl   +++   Siegburg   +++Germany |
| "mls@-my-domain-"   +++www.bjoern-kahl.de |
| Languages: German, English, Ancient Latin (a bit :-)) |



Re: Automating the generation of master keys

2016-06-01 Thread Peter Lebbing
On 01/06/16 21:20, Aurélien Vallée wrote:
> Okay, so I did try to add the sign usage to the master-key. That works
> well and avoids the use of expect for generating the keys.

I think it's still an odd limitation of the Key-Usage: option that you
cannot generate a master key without optional usages. Either "none" or
"certify" would be a good option to have, where I regard "certify"
definitely the prettier way to phrase it.

Then

Key-Usage: sign

would do Sign, Certify for a primary key, implicitly adding certify.

And

Key-Usage: certify

would do just Certify for a primary key.

> But the problem of pinentry still kind of happens everywhere:
> --passphrase is now ignored when not in batch mode in gpg2, which means
> there is no way to provide a passphrase programmatically when using
> --edit-key ...

Disclaimer: I know very little of programmatic use of GnuPG.

Is it an option to upgrade your GnuPG to 2.1? I think it provides for a
less bumpy ride with the pinentry loopback.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: Automating the generation of master keys

2016-06-01 Thread Dashamir Hoxha
On Wed, Jun 1, 2016 at 9:40 PM, Peter Lebbing wrote:
>
> Is it an option to upgrade your GnuPG to 2.1? I think it provides for a
> less bumpy ride with the pinentry loopback.
>

I couldn't make "pinentry loopback" work in 2.1.11, so, to be sure, try to
upgrade to 2.1.12 where it may work better.


secret key not available

2016-06-01 Thread DODDI ANTHONY BALARAJU cs15d008
 Hi,


I'm new to this GPG usage. I don't need any internals. I am running a shell
script in which the following line causes an error:

gpg --yes --sign message.txt

It shows the following error:

gpg: no default secret key: secret key not available
gpg: signing failed: secret key not available

How can I solve this error, without modifying the command? (do I need to
change any settings). I am using gpg version (GnuPG) 1.4.16

>which gpg

is giving the output

/usr/bin/gpg

I Tried with --default-key 

Still it didn't work!!

Any suggestion to get past this error will be greatly helpful.

Thank you


Re: Automating the generation of master keys

2016-06-01 Thread Dashamir Hoxha
On Wed, Jun 1, 2016 at 7:46 PM, Werner Koch  wrote:
>
> --8<---cut here---start->8---
>   local commands="addkey|4|4096|1m|addkey|6|4096|1m|save"
>   commands=$(echo "$commands" | tr '|' "\n")
>   script -c "gpg --batch --command-fd=0 --edit-key $GPG_KEY <<<
> \"$commands\"" /dev/null >/dev/null
>   while [[ -n $(ps ax | grep -e '--edit-key' | grep -v grep) ]]; do sleep
> 0.5; done
> --8<---cut here---end--->8---
>
> You can't use gpg this way - it does only work with a certain version
>

You are right, it only works with gnupg-2.0. For gnupg-2.1.11 the tricks
above do not work and I had to change the script:
 - https://github.com/dashohoxha/egpg/blob/gnupg-2.1/src/cmd/key/gen.sh

I don't remember exactly why they didn't work, but I think that in gnupg-2.1
the pinentry is used more frequently and I couldn't find any way to send
data to it from stdin.

I wish that the batch mode was more pervasive in gpg2, so that my scripts
could do the interaction with the user and then just use gpg2 in batch mode
to get the job done.


> and build if GnuPG.  Canned commands too fragile to use - you need to
> process the output of --status-fd and act accordingly.
>

I couldn't find out how to use --status-fd properly, and maybe using it
would make the logic of the scripts more complex, because my script would
have to take care of all the possible outputs of --status-fd, in all the
possible cases.


>   ps ax | grep -e '--edit-key' | grep -v grep
>
> does not work either because you assume that there is only one gpg
> command running (actually any process with a string '--edit-key').
>

I agree, this is a stupid trick.

Dashamir


Re: secret key not available

2016-06-01 Thread Daniel Kahn Gillmor
On Wed 2016-06-01 11:44:16 -0400, DODDI ANTHONY BALARAJU cs15d008 wrote:

> 
> I'm new to this GPG usage. I dont need any internals. I am running a shell
> script in which following line causes error :
>
> gpg --yes --sign message.txt
>
> It shows the following error:
>
> gpg: no default secret key: secret key not available
> gpg: signing failed: secret key not available
>
> How can I solve this error, without modifying the command? (do I need to
> change any settings). I am using gpg version (GnuPG) 1.4.16
>
>>which gpg
>
> is giving the output
>
> /usr/bin/gpg
>
> I Tried with --default-key 
>
> Still it dint work!!
>
> Any suggestion to get past this error will be greatly helpful.

You don't mention whether you have any secret keys available.  What
do you get by running:


 gpg --list-options show-usage --list-secret-keys


Are there any signing-capable secret keys listed?

--dkg



Re: secret key not available

2016-06-01 Thread Juan Miguel Navarro Martínez
What's the output of `gpg -K`?

El 01/06/16 a las 17:44, DODDI ANTHONY BALARAJU cs15d008 escribió:
> hI,
> 
> 
> 
> I'm new to this GPG usage. I dont need any internals. I am running a
> shell script in which following line causes error :
> 
> |gpg --yes --sign message.txt |
> 
> It shows the following error:
> 
> |gpg: no default secret key: secret key not available gpg: signing
> failed: secret key not available |
> 
> How can I solve this error, without modifying the command? (do I need to
> change any settings). I am using gpg version (GnuPG) 1.4.16
> 
> |>which gpg |
> 
> is giving the output
> 
> |/usr/bin/gpg
> 
> |
> 
> |I Tried with --default-key 
> |
> 
> |Still it dint work!!
> 
> |
> 
> Any suggestion to get past this error will be greatly helpful.
> 
> Thank you
> 
> 
> 
> 

-- 
Juan Miguel Navarro Martínez

GPG Keyfingerprint:
5A91 90D4 CF27 9D52 D62A
BC58 88E2 947F 9BC6 B3CF



Re: secret key not available

2016-06-01 Thread Jonas Hedman
On 16-06-01 21:14:16, DODDI ANTHONY BALARAJU cs15d008 wrote:
>  hI,
> 
> 
> I'm new to this GPG usage. I dont need any internals. I am running a shell
> script in which following line causes error :
> 
> gpg --yes --sign message.txt
> 
> It shows the following error:
> 
> gpg: no default secret key: secret key not available
> gpg: signing failed: secret key not available
> 
> How can I solve this error, without modifying the command? (do I need to
> change any settings). I am using gpg version (GnuPG) 1.4.16
> 
> >which gpg
> 
> is giving the output
> 
> /usr/bin/gpg
> 
> I Tried with --default-key 
> 
> Still it dint work!!
> 
> Any suggestion to get past this error will be greatly helpful.
> 
> Thank you

Did you generate a key? (gpg --gen-key) 

-- 
Jonas Hedman 

XMPP:n...@nstr.se
PGP Key: 0x5c3989e0616bb08c
Fingerprint: 8F72 C5BE AAFA B4BA 8F46  9185 5C39 89E0 616B B08C




Re: Keyserver lookup failure

2016-06-01 Thread MFPA
Hi


On Wednesday 1 June 2016 at 5:31:30 PM, in
,
Kristian Fiskerstrand wrote:



> what is the dig +trace output and any firewall
> blocking port 11371 anywhere?  

Thanks for replying. Port 11371 is not blocked:- 

 I can reach a keyserver's web interface in my browser at 
 .

 I can connect to . 

 The gpg --recv-key command works if I use GnuPG version 1.4.18,
 and one of the lines of output is "gpgkeys: HTTP URL is`http:/
 /pool.sks-keyservers.net:11371/pks/lookup?op=get&options=mr&
 search=0x251BCCEB547B7194'".






As for dig +trace, I am using Windows and don't have it. The dig web 
interface at 

gives me:-

pool.sks-keyservers.net@8.8.4.4 (Default):
dig A +noadditional +noquestion +nocomments +nocmd +nostats +trace 
pool.sks-keyservers.net. @8.8.4.4

.   4154IN  NS  a.root-servers.net.
.   4154IN  NS  b.root-servers.net.
.   4154IN  NS  c.root-servers.net.
.   4154IN  NS  d.root-servers.net.
.   4154IN  NS  e.root-servers.net.
.   4154IN  NS  f.root-servers.net.
.   4154IN  NS  g.root-servers.net.
.   4154IN  NS  h.root-servers.net.
.   4154IN  NS  i.root-servers.net.
.   4154IN  NS  j.root-servers.net.
.   4154IN  NS  k.root-servers.net.
.   4154IN  NS  l.root-servers.net.
.   4154IN  NS  m.root-servers.net.
;; Received 228 bytes from 8.8.4.4#53(8.8.4.4) in 37 ms

net.172800  IN  NS  a.gtld-servers.net.
net.172800  IN  NS  b.gtld-servers.net.
net.172800  IN  NS  c.gtld-servers.net.
net.172800  IN  NS  d.gtld-servers.net.
net.172800  IN  NS  e.gtld-servers.net.
net.172800  IN  NS  f.gtld-servers.net.
net.172800  IN  NS  g.gtld-servers.net.
net.172800  IN  NS  h.gtld-servers.net.
net.172800  IN  NS  i.gtld-servers.net.
net.172800  IN  NS  j.gtld-servers.net.
net.172800  IN  NS  k.gtld-servers.net.
net.172800  IN  NS  l.gtld-servers.net.
net.172800  IN  NS  m.gtld-servers.net.
;; Received 510 bytes from 199.7.83.42#53(199.7.83.42) in 25 ms

sks-keyservers.net. 172800  IN  NS  ns2.kfwebs.net.
sks-keyservers.net. 172800  IN  NS  ns2.sks-keyservers.net.
sks-keyservers.net. 172800  IN  NS  ns6.sks-keyservers.net.
sks-keyservers.net. 172800  IN  NS  ns9.sks-keyservers.net.
sks-keyservers.net. 172800  IN  NS  ns13.sks-keyservers.net.
;; Received 359 bytes from 192.42.93.30#53(192.42.93.30) in 450 ms

pool.sks-keyservers.net. 60 IN  A   46.4.212.178
pool.sks-keyservers.net. 60 IN  A   78.47.176.74
pool.sks-keyservers.net. 60 IN  A   84.200.66.125
pool.sks-keyservers.net. 60 IN  A   95.89.12.215
pool.sks-keyservers.net. 60 IN  A   104.131.30.118
pool.sks-keyservers.net. 60 IN  A   188.40.206.8
pool.sks-keyservers.net. 60 IN  A   206.176.170.195
pool.sks-keyservers.net. 60 IN  A   5.135.158.148
pool.sks-keyservers.net. 60 IN  A   37.59.213.225
pool.sks-keyservers.net. 60 IN  A   37.97.129.189
sks-keyservers.net. 60  IN  NS  ns13.sks-keyservers.net.
sks-keyservers.net. 60  IN  NS  ns7.sks-keyservers.net.
sks-keyservers.net. 60  IN  NS  ns2.sks-keyservers.net.
sks-keyservers.net. 60  IN  NS  ns9.sks-keyservers.net.
sks-keyservers.net. 60  IN  NS  ns6.sks-keyservers.net.
sks-keyservers.net. 60  IN  NS  ns12.sks-keyservers.net.
sks-keyservers.net. 60  IN  NS  ns1.kfwebs.net.
sks-keyservers.net. 60  IN  NS  ns2.kfwebs.net.
sks-keyservers.net. 60  IN  NS  ns10.sks-keyservers.net.
;; Received 493 bytes from 199.74.220.4#53(199.74.220.4) in 22 ms





"nslookup pool.sks-keyservers.net" gives me:-

Non-authoritative answer:
Name:pool.sks-keyservers.net
Addresses:  2a01:4f8:150:7142::2
  87.106.9.235
  2001:980:53c0:1:46a:efff:fecf:701b
  2001:41d0:2:3979:4f56:862a:d056:11c9
  2001:41d0:2:a8b4::10
  2001:41d0:8:d894::1
  2604:a8

Re: Automating the generation of master keys

2016-06-01 Thread Werner Koch
On Wed,  1 Jun 2016 21:48, dashoho...@gmail.com said:

> I don't remember exactly why they didn't work, but I think that in gnupg-2.1

Because gpg inserts other prompts depending on version and options.

> make the logic of the scripts more complex, because my script would have
> to take care of all the possible outputs of --status-fd, in all the
> possible cases.

You need to write a FSM.  See gpa/src/gpgmeedit.c for examples.  Agreed,
this is a bit complex.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
/* EFH in Erkrath: https://alt-hochdahl.de/haus */


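Werner's advice to drive --edit-key from a state machine over the --status-fd output, as an added example in Python (not GnuPG's, gpa's or any poster's code): replies are chosen by the prompt name gpg reports, an unknown prompt aborts the run instead of being answered blindly, and the offline replay runs against a constructed transcript. The prompt names (keyedit.prompt, keygen.algo, keygen.size, keygen.valid, keygen.valid.okay) and the addkey menu numbers are assumptions to check against the gpg version in use; passphrase entry still goes through the agent and pinentry, which this driver does not change.

```python
"""Table-driven state machine for `gpg --command-fd 0 --status-fd 1
--edit-key`: every reply is chosen by the prompt name gpg announces in a
GET_LINE/GET_BOOL/GET_HIDDEN status line, not by position in a canned
here-string.  Prompt names are assumed to match those used by gpgme/gpa;
menu numbers (e.g. algorithm "4") vary between gpg versions.
"""
import subprocess

INPUT_REQUESTS = ("GET_LINE", "GET_BOOL", "GET_HIDDEN")


class EditKeyDriver:
    def __init__(self, commands, answers):
        self.commands = list(commands)  # replies for keyedit.prompt, in order
        self.answers = dict(answers)    # replies for every other prompt name
        self.transcript = []            # (prompt, reply) pairs, for auditing

    def reply_for(self, line):
        """Return the reply for one line of gpg output, or None when gpg is
        not asking for input (GOT_IT, KEY_CREATED, ordinary text, ...)."""
        if not line.startswith("[GNUPG:] "):
            return None
        parts = line.split()
        if len(parts) < 3 or parts[1] not in INPUT_REQUESTS:
            return None
        prompt = parts[2]
        if prompt == "keyedit.prompt":
            if not self.commands:
                raise RuntimeError("gpg wants another command but none are left")
            reply = self.commands.pop(0)
        elif prompt in self.answers:
            reply = self.answers[prompt]
        else:
            # Fail closed: a prompt the table does not know (a newer gpg
            # asking one more question) must not receive a guessed answer,
            # which is exactly what a fixed answer list would feed it.
            raise RuntimeError(f"unhandled prompt: {prompt}")
        self.transcript.append((prompt, reply))
        return reply

    def run_offline(self, lines):
        """Drive the machine over a captured or constructed transcript."""
        return [r for r in map(self.reply_for, lines) if r is not None]

    def run(self, keyid, gpg="gpg"):
        """Drive a real gpg process and return its exit status (needs gpg)."""
        proc = subprocess.Popen(
            [gpg, "--command-fd", "0", "--status-fd", "1", "--edit-key", keyid],
            stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True, bufsize=1)
        for line in proc.stdout:
            reply = self.reply_for(line.rstrip("\n"))
            if reply is not None:
                proc.stdin.write(reply + "\n")
                proc.stdin.flush()
        proc.stdin.close()
        return proc.wait()


# Constructed --status-fd transcript for "addkey" (RSA sign-only, 4096 bit,
# valid 1 month) followed by "save"; the fingerprint is a placeholder.
CONSTRUCTED_STATUS = [
    "[GNUPG:] GET_LINE keyedit.prompt",
    "[GNUPG:] GOT_IT",
    "[GNUPG:] GET_LINE keygen.algo",
    "[GNUPG:] GOT_IT",
    "[GNUPG:] GET_LINE keygen.size",
    "[GNUPG:] GOT_IT",
    "[GNUPG:] GET_LINE keygen.valid",
    "[GNUPG:] GOT_IT",
    "[GNUPG:] GET_BOOL keygen.valid.okay",
    "[GNUPG:] GOT_IT",
    "[GNUPG:] KEY_CREATED S 0000000000000000000000000000000000000001",
    "[GNUPG:] GET_LINE keyedit.prompt",
    "[GNUPG:] GOT_IT",
]

ADDKEY_ANSWERS = {"keygen.algo": "4", "keygen.size": "4096",
                  "keygen.valid": "1m", "keygen.valid.okay": "y"}


def add_signing_subkey_offline():
    """Replay the constructed transcript; returns the replies in order."""
    driver = EditKeyDriver(["addkey", "save"], ADDKEY_ANSWERS)
    return driver.run_offline(CONSTRUCTED_STATUS)


def unknown_prompt_is_rejected():
    """With an empty answer table the first keygen prompt stops the run."""
    try:
        EditKeyDriver(["addkey"], {}).run_offline(CONSTRUCTED_STATUS)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(add_signing_subkey_offline())
```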