pubring.kbx, no secring?
Hello,

I was using GnuPG v1.x mostly to cipher some private files, i.e. not for mail and information exchange with others. I will now create a new key to use for mail and move to GnuPG v2.x. I have a short question. I created the key (until now only for testing) like this:

$ gpg2 --version
gpg (GnuPG) 2.1.6
libgcrypt 1.6.3
...
$ gpg2 --full-gen-key
$ gpg2 --armor --output revoke.asc --gen-revoke guru

The key listings show:

$ gpg2 --list-secret-keys
/home/guru/.gnupg/pubring.kbx
                   ^^^
-----------------------------
sec   dsa2048/FFEE762B922A6CBB 2015-12-22
uid         [ultimate] Matthias Apitz (GnuPGv2)
ssb   elg2048/6C7E963A56E2D675 2015-12-22

$ gpg2 --list-public-keys
/home/guru/.gnupg/pubring.kbx
-----------------------------
pub   dsa2048/FFEE762B922A6CBB 2015-12-22
uid         [ultimate] Matthias Apitz (GnuPGv2)
sub   elg2048/6C7E963A56E2D675 2015-12-22

and I have the following files:

$ find .gnupg
.gnupg
.gnupg/gpg.conf
.gnupg/trustdb.gpg
.gnupg/pubring.kbx~
.gnupg/private-keys-v1.d
.gnupg/private-keys-v1.d/EF8AE0E0D3D7EBBFA6A0230CD105E0DFC04D9DE1.key
.gnupg/private-keys-v1.d/8FB0DD8249EC4A24E2A73B4721098FCDE815FEBB.key
.gnupg/pubring.kbx
.gnupg/openpgp-revocs.d
.gnupg/openpgp-revocs.d/812E69DC246DB739AE84473BFFEE762B922A6CBB.rev
.gnupg/S.gpg-agent
.gnupg/revoke.asc

Question: Why do I not have a file .gnupg/secring.kbx (as I had with v1.x)? And why are the keys stored in .gnupg/private-keys-v1.d?

Thanks

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, 🌐 http://www.unixarea.de/ ☎ +49-176-38902045
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: pubring.kbx, no secring?
On Tuesday, December 22, 2015 at 02:41:24PM +0100, Neal H. Walfield wrote:
> Hi Matthias,
>
> On Tue, 22 Dec 2015 13:28:28 +0100,
> Matthias Apitz wrote:
> > Question: Why do I not have a file .gnupg/secring.kbx (as I had
> > with v1.x)? And why are the keys stored in .gnupg/private-keys-v1.d?
>
> The short answer is that we are using a new format.
>
> Note: GnuPG 2 will automatically migrate keys from secring.kbx to
> .gnupg/private-keys-v1.d the first time it is run.

Hi Neal,

Just to make sure: there have been no v1.x keys (I moved the old .gnupg dir away), so why are the new v2 keys in a dir named .gnupg/private-keys-v1.d?

Thx

matthias
Re: pubring.kbx, no secring?
On Tuesday, December 22, 2015 at 03:03:39PM +0100, Neal H. Walfield wrote:
> > Just to make sure: there have been no v1.x keys (I moved the old
> > .gnupg dir away), so why are the new v2 keys in a dir named
> > .gnupg/private-keys-v1.d?
>
> I don't really understand your question, but I'll try to answer what I
> think you are asking:
>
> secring is the old format; private-keys-v1.d is the new format. GnuPG
> 1 doesn't know about the new format; GnuPG 2 only uses the new format,
> but the first time it is run it will migrate any existing keys from
> the old format to the new format.

I understand the migration of the old v1 keys to a new form/directory; but why are the new keys of v2 stored in a dir private-keys-v1.d and not in a dir named, for example, private-keys-v2.d? Don't you think that such a name *v1.d* confuses people (like me)?

matthias
keysearch fails
.4.1.7.0.5.1.0.8.f.4.0.1.0.a.2.ip6.arpa. (90)
09:15:58.173415 IP 10.42.0.1.53 > 10.42.0.152.32030: 45608 1/0/0 PTR alita.karotte.org. (121)
09:15:58.173779 IP 10.42.0.152.48813 > 10.42.0.1.53: 38867+ PTR? 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.e.4.2.1.8.f.6.0.1.0.0.2.ip6.arpa. (90)
09:15:59.037424 IP 10.42.0.1.53 > 10.42.0.152.48813: 38867 FormErr 0/0/0 (90)
09:15:59.037986 IP 10.42.0.152.57139 > 10.42.0.1.53: 19220+ PTR? 0.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.7.d.1.9.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa. (90)
09:15:59.043902 IP 10.42.0.1.53 > 10.42.0.152.57139: 19220 NXDomain 0/0/0 (90)
09:15:59.044301 IP 10.42.0.152.52403 > 10.42.0.1.53: 1040+ PTR? 6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.a.7.0.1.0.a.2.ip6.arpa. (90)
09:15:59.053424 IP 10.42.0.1.53 > 10.42.0.152.52403: 1040 1/0/0 PTR key.ip6.li. (114)
09:15:59.053950 IP 10.42.0.152.25246 > 10.42.0.1.53: 33858+ PTR? 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.e.2.0.2.6.0.0.0.0.0.0.4.3.0.a.2.ip6.arpa. (90)
09:15:59.056508 IP 10.42.0.1.53 > 10.42.0.152.25246: 33858 1/0/0 PTR metalgamer.eu. (117)
09:15:59.057051 IP 10.42.0.152.28425 > 10.42.0.1.53: 31847+ PTR? 1.0.0.b.d.0.6.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.8.0.0.8.8.a.4.0.6.2.ip6.arpa. (90)
09:15:59.058008 IP 10.42.0.1.53 > 10.42.0.152.28425: 31847 1/0/0 PTR openpgp.us. (114)
Re: keysearch fails
On Wednesday, December 23, 2015 at 09:23:12AM +0100, Matthias Apitz wrote:
> Hello,
>
> I can not manage to get a keysearch via dirmngr to work; when I use:
>
> $ gpg2 --keyserver pool.sks-keyservers.net --debug 1024 --search x...@freebsd.org
> gpg: reading options from '/home/guru/.gnupg/gpg.conf'
> gpg: enabled debug flags: ipc
> gpg: DBG: chan_3 <- # Home: /home/guru/.gnupg
> gpg: DBG: chan_3 <- # Config: /home/guru/.gnupg/dirmngr.conf
> gpg: DBG: chan_3 <- OK Dirmngr 2.1.6 at your service
> gpg: DBG: connection to the dirmngr established
> gpg: DBG: chan_3 -> KEYSERVER --clear hkp://pool.sks-keyservers.net
> gpg: DBG: chan_3 <- OK
> gpg: DBG: chan_3 -> KS_SEARCH -- x...@freebsd.org
> gpg: DBG: chan_3 <- [eof]
> gpg: error searching keyserver: End of file
> gpg: búsqueda del servidor de claves fallida: End of file
> gpg: DBG: chan_3 -> BYE
> gpg: secmem usage: 0/32768 bytes in 0 blocks

Seems to be a known bug:

$ dirmngr
# Home: ~/.gnupg
# Config: /home/guru/.gnupg/dirmngr.conf
OK Dirmngr 2.1.6 at your service
KEYSERVER hkps://hkps.pool.sks-keyservers.net
OK
KS_SEARCH matt...@freebsd.org
Assertion failed: (a >= 0 && a < hosttable_size), function sort_hostpool, file ks-engine-hkp.c, line 179.
Abort trap (core dumped)

https://bugs.gnupg.org/gnupg/issue2107

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, 🌐 http://www.unixarea.de/ ☎ +49-176-38902045
"(on the GDR) ... And this lack (of socialism) alone, and nothing else, led to its death. And whoever does not mourn has no heart, and whoever does not start anew does not deserve one either." junge Welt, 3 October 2015, p. 11
signing mails with MUA mutt fails
Hello,

To sign mails one configures in the MUA the command in the following form:

gpg2 --batch --output - --passphrase-fd 0 --armor --sign --detach-sign --textmode -u %a %f

where %a is the actual user and %f the mail attachment to be signed; it does not work and I dug into this. This works as it should:

$ gpg2 --output - --armor --sign --detach-sign -u guru msg.asc
Please enter the passphrase to unlock the OpenPGP secret key:
"Matthias Apitz (GnuPGv2) "
2048-bit DSA key, ID FFEE762B922A6CBB,
created 2015-12-22.

Passphrase:
-----BEGIN PGP SIGNATURE-----

iF4EABEIAAYFAlZ63U8ACgkQ/+52K5IqbLuC+wD/RnSo6soMzg0wxTdAFEbD2ykB
Yc15kIv7SPBXDoKohvcA/jUN2FNNEhlrrh5B/gAldFyYsJ7ruD5ktPa3b/DfpEP3
=DXMS
-----END PGP SIGNATURE-----

while this gives an error:

$ killall gpg-agent
$ echo | gpg2 --batch --output - --passphrase-fd 0 --armor --sign --detach-sign --textmode -u guru msg.asc
gpg: signing failed: gpg: signing failed: Invalid IPC response
gpg: signing failed: Invalid IPC response

Running with --debug gives some kind of error in the communication with the agent:

$ killall gpg-agent
$ echo | gpg2 --debug 1024 --batch --output - --passphrase-fd 0 --armor --sign --detach-sign --textmode -u guru msg.asc
gpg: reading options from '/home/guru/.gnupg/gpg.conf'
gpg: enabled debug flags: ipc
gpg: DBG: chan_7 <- OK Pleased to meet you
gpg: DBG: connection to agent established
gpg: DBG: chan_7 -> RESET
gpg: DBG: chan_7 <- OK
gpg: DBG: chan_7 -> OPTION ttytype=rxvt
gpg: DBG: chan_7 <- OK
gpg: DBG: chan_7 -> OPTION display=:0
gpg: DBG: chan_7 <- OK
gpg: DBG: chan_7 -> OPTION xauthority=/tmp/kde-guru/xauth-1001-_0
gpg: DBG: chan_7 <- OK
gpg: DBG: chan_7 -> OPTION putenv=DBUS_SESSION_BUS_ADDRESS=unix:path=/tmp/dbus-O4oooGN9t0,guid=4cf4542b4bf772f2892b2ac3567aaf2d
gpg: DBG: chan_7 <- OK
gpg: DBG: chan_7 -> OPTION allow-pinentry-notify
gpg: DBG: chan_7 <- OK
gpg: DBG: chan_7 -> OPTION agent-awareness=2.1.0
gpg: DBG: chan_7 <- OK
gpg: DBG: chan_7 -> AGENT_ID
gpg: DBG: chan_7 <- ERR 67109139 Unknown IPC command
gpg: DBG: chan_7 -> HAVEKEY EF8AE0E0D3D7EBBFA6A0230CD105E0DFC04D9DE1 8FB0DD8249EC4A24E2A73B4721098FCDE815FEBB
gpg: DBG: chan_7 <- OK
gpg: DBG: chan_7 -> RESET
gpg: DBG: chan_7 <- OK
gpg: DBG: chan_7 -> SIGKEY EF8AE0E0D3D7EBBFA6A0230CD105E0DFC04D9DE1
gpg: DBG: chan_7 <- OK
gpg: DBG: chan_7 -> SETKEYDESC Please+enter+the+passphrase+to+unlock+the+OpenPGP+secret+key:%0A%22Matthias+Apitz+(GnuPGv2)+%22%0A2048-bit+DSA+key,+ID+FFEE762B922A6CBB,%0Acreated+2015-12-22.%0A
gpg: DBG: chan_7 <- OK
gpg: DBG: chan_7 -> SETHASH 8 B0E553EDE7C732CA26D96C45C32E6143AB642BF28E03217400C893CCB0F14B62
gpg: DBG: chan_7 <- OK
gpg: DBG: chan_7 -> PKSIGN
gpg: DBG: chan_7 <- INQUIRE PINENTRY_LAUNCHED 4886
gpg: DBG: chan_7 -> END
gpg: DBG: chan_7 <- ERR 83886340 Invalid IPC response
gpg: signing failed: Invalid IPC response
gpg: signing failed: Invalid IPC response
gpg: secmem usage: 1568/32768 bytes in 3 blocks

What do I miss or do wrong?

matthias
Re: signing mails with MUA mutt fails
On Wednesday, December 23, 2015 at 08:40:24PM +0100, Werner Koch wrote:
> On Wed, 23 Dec 2015 18:54, g...@unixarea.de said:
>
> > To sign mails one configures in the MUA the command in the following
> > form:
>
> You should put
>
>   set crypt_use_gpgme

Thanks for that hint! I had to re-compile the mutt port (on FreeBSD) to get this option to work, but it now works nicely.

matthias
Re: signing mails with MUA mutt fails
On Wednesday, December 23, 2015 at 08:40:24PM +0100, Werner Koch wrote:
> On Wed, 23 Dec 2015 18:54, g...@unixarea.de said:
>
> > To sign mails one configures in the MUA the command in the following
> > form:
>
> You should put
>
>   set crypt_use_gpgme
>
> into your ~/.muttrc to use the modern (i.e. from ~2003) version of Mutt's
> crypto layer. It works much better than the bunch of configured commands.
>
> > gpg2 --batch --output - --passphrase-fd 0 --armor --sign --detach-sign
> > --textmode -u %a %f
>
>   --passphrase-fd 0
>
> does not work with gpg2 (since 2.1) because the gpg-agent is responsible
> for the private keys and the passphrase to protect them. If you are
> using an xterm the GUI Pinentry pops up from the background (controlled
> by the existence of the DISPLAY envvar). If you are using a plain tty,
> either the curses pinentry or the dumb tty-only pinentry can be used.
> The curses pinentry is part of the GUI pinentry and used if DISPLAY
> is not set. Take care to set the GPG_TTY envvar (man gpg-agent).
> ...

As I said, it works very well; only pinentry is not popping up as an X application (which I do not want either); a ps shows:

$ ps ax | egrep 'gnu|pin|mutt'
2374  -  Ss    0:00,01 gpg-agent --homedir /home/guru/.gnupg --use-standard-socket --daemon
2392  -  S     0:00,03 pinentry --display :0 (pinentry-tty)
2394  1  S+    0:00,00 egrep gnu|pin|mutt
2354  3  S+    0:00,23 mutt

and of course, I have DISPLAY=:0 in my env; I only wanted to mention this for the records; for me it is fine.

matthias
about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'
Hello,

I do not fully understand why some 4 random words like

  Correct, horse! Battery staple!

are a better passphrase than, for example,

  Und allein dieser Mangel und nichts anderes führte zum Tod.

i.e. some phrase which could be memorized better?

matthias
self signing the pub key
Hello,

I read that I should self-sign my pub key, but when I do this after creation, it says:

$ LANG=C gpg2 --sign-key Matthias

pub  rsa2048/AA1EF4741F9046D4
     created: 2015-12-25  expires: never       usage: SC
     trust: ultimate      validity: ultimate
sub  rsa2048/D6AD2EFF41863FE4
     created: 2015-12-25  expires: never       usage: E
[ultimate] (1). Matthias Apitz (GnuPG v2)

"Matthias Apitz (GnuPG v2) " was already signed by key AA1EF4741F9046D4
Nothing to sign with key AA1EF4741F9046D4

Key not changed so no update needed.

What am I doing wrong?

matthias
Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'
On Friday, December 25, 2015 at 06:50:07PM +0100, Ingo Klöcker wrote:
> > Und allein dieser Mangel und nichts anderes führte zum Tod.
> >
> > i.e. some phrase which could be memorized better?
>
> The second sentence is found by search engines (2 hits in DuckDuckGo). Don't
> use it or any other phrase that has been published on the internet. A phrase
> of 4 random words has a high probability that it has not been published on the
> internet (or anywhere else). The tricky part is that you must never put your
> 4-random-words phrase into a search engine to check this.
>
> Instead of using a 4-random-words phrase you can use a proper sentence with
> equivalent entropy provided that you do not use a sentence that has been
> published anywhere. Come up with your own sentence. Ideally come up with a
> sentence that doesn't make any sense like "The horse was correct. You cannot
> staple batteries." This phrase might be easier to remember and has a similar
> entropy as the above mentioned 4-random-words phrase.

Of course, I would not have used this phrase, which is part of my signature :-) This was only an example. I'd have used something from a book or poem which was written before Internet times and perhaps never published afterwards.

Thanks for all the hints in this thread.

matthias
Re: Documentation format
On Saturday, 6 February 2016 13:14:37 CET, Lachlan Gunn wrote:
> ...
> Does anyone have any particular preferences?

What about Markdown and gitbook? Here you have a living example:

https://www.gitbook.com/book/gurucubano/bq-aquaris-e-4-5-ubuntu-phone/details

matthias

--
Sent from my Ubuntu phone
http://www.unixarea.de/
Re: What am I missing?
On Wednesday, March 30, 2016 at 01:26:23PM -0400, Mauricio Tavares wrote:
> On Wed, Mar 30, 2016 at 1:13 PM, Peter Lebbing wrote:
> > (I think this is too far off-topic actually, but hey)
> >
> > On 30/03/16 15:46, Robert J. Hansen wrote:
> >> I try not to get involved in conspiracy theories, but this one's just...
> >> outrageous.
> >
> > Can I ask why the conspiracy theory is "outrageous"? Can't you imagine that the
> > FBI, or at least part of it, would like to have a backdoor? They even got the US
> > ...

Hello,

The thread in general has little or nothing to do with GnuPG, but I understand the interest in the technical background, the tools used, etc. But we should not discuss here opinions about the politics of the "bad", whoever could be named with this word. This would be really off-topic and should be discussed elsewhere.

Just my 0.02 pesos cubanos

matthias
Re: Top-posting
On Thursday, April 28, 2016 at 11:02:30AM +0200, Paolo Bolzoni wrote:
> I think this text (or variants) is as old as email itself and actually,
> while funny, makes little sense.
>
> When you follow an email thread you do not read everything, you just
> read the new email and it makes little difference if it is at the top.
> Besides most email clients actually put an indentation in the quoted
> text so it should look like:

I have the feeling (and could even prove this with examples) that top posters do not even read what they are posting on top of. They just want to say something, sometimes useless, because it is already said/answered a few lines down.

Speaking more technically, the problem is that 'modern' MUAs, like OutLook crap, thunderbird or other browser-like MUAs, do not invite you to post and quote correctly. They put the cursor above the first line (sometimes you can not even configure this, and also not the correct citation with '> ') and they do not provide the required tools/commands to trim the old text, i.e. for example delete 150 lines by just saying '150dd' or '.,$-20d' or others. In these 'modern' MUAs you must carefully place the cursor with the mouse, highlight even more carefully the text you want to delete, and doing this with the limitations of a smartphone is really a PITA. That's why I do prefer 'mutt' and 'vim'.

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
My Lord, give us back the problems of yesterday, those we had in the GDR.
Re: Top-posting
On Thursday, April 28, 2016 at 02:28:56PM +0200, Guan Xin wrote:
> Your feeling is basically wrong.

Here comes the example of proof you asked for:

https://lists.launchpad.net/ubuntu-phone/msg20309.html

Someone put on top of some mails a question which has nothing to do with the problems the other posters have faced.

HIH

matthias
Re: Top-posting
On Friday, April 29, 2016 at 03:25:10PM +1000, Ben McGinnes wrote:
> I don't have an answer for all smartphone and tablet users (other than
> the sensible ones who will SSH from their phone into another system
> and use Mutt or some other CLI MUA), but for the iPhone and iPad users
> I did find this solution from John Gruber (the guy who invented
> Markdown):

I have mutt+vim on my Ubuntu mobile phone:

https://www.gitbook.com/book/gurucubano/bq-aquaris-e-4-5-ubuntu-phone/details

matthias
Re: Top-posting
On Friday, April 29, 2016 at 04:35:40PM +0200, Guan Xin wrote:
> This post is just another example to show that your feeling is wrong
> because I read your example of a hijacked thread.
> Now you need one more example to show top posters not reading before
> replying.

You may look for more examples yourself; just open your eyes and you will find them any day.

matthias
Re: Top-posting
On Saturday, April 30, 2016 at 01:24:23AM +0200, Guan Xin wrote:
> A mailing list may recommend bottom posting, and users had better follow it.
> This is perfectly fine.

Fine, that we agree on something. If you sign some contract, you do it below the text after reading it, and your signature *below* is an expression of "yes, I have read it". If you sign (post) above, someone could think he/she has not read it. To avoid such thinking, it's better not to top post.

> ...
> This is my concluding remark of this thread.

Mine too.

matthias
Using a GnuPG CCID card in another computer
Hello,

I have a GnuPG smart card OMNIKEY 6121 Mobile USB and configured its use in my FreeBSD 12-CURRENT netbook, generated keys and I'm able to use it to login with SSH into other servers (after moving the pub key to the server into ~/.ssh/authorized_keys); the only tricky part was to figure out how to enter the PIN behind 'ssh' --> 'gpg-agent' --> /usr/local/bin/pinentry

So far so good.

Now I wanted the same SIM in another FreeBSD workstation (at work), but when I use it there, for example with 'gpg2 --card-status', there is no key in the card and also 'gpg2 --export-ssh-key guru' does not know how to export the key due to the missing pub key.

Should I move the full content of ~/.gnupg as well to the 2nd computer? And if so, why? I was thinking that all the key material (apart from the backup) is on the SIM and I only need its PIN...

Thanks

matthias
Re: Using a GnuPG CCID card in another computer (follow-up)
On Monday, May 15, 2017 at 07:25:12 p.m. +0200, Matthias Apitz wrote:
>
> Hello,
>
> I have a GnuPG smart card OMNIKEY 6121 Mobile USB and configured its
> use in my FreeBSD 12-CURRENT netbook, generated keys and I'm able to use
> it to login with SSH into other servers (after moving the pub key to
> the server into ~/.ssh/authorized_keys); the only tricky part was to figure
> out how to enter the PIN behind 'ssh' --> 'gpg-agent' -->
> /usr/local/bin/pinentry
>
> So far so good.
>
> Now I wanted the same SIM in another FreeBSD workstation (at work), but when
> I use it there, for example with 'gpg2 --card-status', there is no key in the
> card and also 'gpg2 --export-ssh-key guru' does not know how to
> export the key due to the missing pub key.
>
> Should I move the full content of ~/.gnupg as well to the 2nd computer?
> And if so, why? I was thinking that all the key material (apart from the
> backup) is on the SIM and I only need its PIN...

Follow-up. I have now copied all the files below to the other workstation and now all is fine there too, i.e. I can export the pub key with 'gpg2 --export-ssh-key guru' and use it for SSH, being asked for the PIN of the card. The files are:

$ ls -lR .gnupg
total 52
-rw-------  1 guru  wheel  2649 12 may. 22:41 dirmngr.conf
-rw-r--r--  1 guru  wheel    19 15 may. 11:41 gpg-agent.conf
-rw-------  1 guru  wheel  5191 12 may. 22:41 gpg.conf
drwx------  2 guru  wheel   512 14 may. 20:30 openpgp-revocs.d
drwx------  2 guru  wheel   512 14 may. 20:29 private-keys-v1.d
-rw-r--r--  1 guru  wheel  3573 14 may. 20:30 pubring.kbx
-rw-------  1 guru  wheel    32 12 may. 22:41 pubring.kbx~
-rw-------  1 guru  wheel   600 15 may. 09:58 random_seed
-rw-r--r--  1 guru  wheel     7 15 may. 15:21 reader_0.status
-rw-------  1 guru  wheel  1865 14 may. 20:29 sk_61F1ECB625C9A6C3.gpg
-rw-r-----  1 guru  wheel   676 15 may. 11:45 sshcontrol
-rw-------  1 guru  wheel  1280 15 may. 09:23 trustdb.gpg

.gnupg/openpgp-revocs.d:
total 4
-rw-------  1 guru  wheel  1799 14 may. 20:30 5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11.rev

.gnupg/private-keys-v1.d:
total 24
-rw-------  1 guru  wheel  1873 14 may. 20:17 147F71A678B411855B4BCCC48FAEC8689B5E1C23.key
-rw-------  1 guru  wheel   615 14 may. 20:29 314DE72F03D41683E06A504769970A1643825B38.key
-rw-------  1 guru  wheel   617 14 may. 20:09 45BDBABA30A3511D507B8A08A28D425F7CD417C6.key
-rw-------  1 guru  wheel   615 14 may. 20:29 7E22A904DB3BE5A98F98AFDEED61DF1364DD949B.key
-rw-------  1 guru  wheel   615 14 may. 20:29 937BA1F6A95F68222EC2C6F9573100E17EE9522E.key
-rw-------  1 guru  wheel   617 14 may. 20:17 B0E0BFC22F116B541848DF6593B418BBB63C0CC0.key

When I generated the keys on the card (gpg2 --card-edit --> admin --> generate) on May 14, I had to do this twice because I was logged out from the card due to thinking too long about the passphrase for the backup of the key to the file sk_61F1ECB625C9A6C3.gpg; one can see this in the times of the files below .gnupg/private-keys-v1.d; the 2nd run started around 20:20 and was successful at 20:29.

The question remains: Why do I have to move the files below .gnupg/ to the other workstation? And what exactly are the files below .gnupg/private-keys-v1.d?

Thanks

matthias
Re: Using a GnuPG CCID card in another computer (follow-up)
On Tuesday, May 16, 2017 at 11:12:18 a.m. +0200, Peter Lebbing wrote:
> On 16/05/17 07:55, Matthias Apitz wrote:
> > The question remains: Why do I have to move the files below .gnupg/ to
> > the other workstation?
>
> The card only holds the basic cryptographic material. But a certificate
> ("public key") holds much more information: your name, the relations
> between the cryptographic keys and how they are used, your preferences
> with regard to algorithms, how long the key is valid, and certifications
> by other users who have signed your key, to name some important ones.
>
> So before you can use the smartcard, you need to import your
> certificate/public key. You could publish this to the keyserver network,
> or put it on the web. If the latter, you /can/ enter the URL in a data
> field on the smartcard, enabling you to use the "fetch" command of
> --card-edit.

Thanks for the two tips re/ the pub key; I did so and now it works:

I exported the pub key with:

$ gpg2 --export --armor > ccid--export-key-guru.pub

placed it on my webserver and configured its URL with the card's url command as

URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub

On the 2nd workstation I moved the GNUPGHOME away:

$ env | grep GNU
GNUPGHOME=/home/guru/.gnupg-ccid
$ mv .gnupg-ccid .gnupg-ccid-saved

gpg2 is unwilling to start due to the missing dir and I had to create it with mkdir:

$ gpg2 --card-status
gpg: keyblock resource '/home/guru/.gnupg-ccid/pubring.kbx': No such file or directory
gpg: failed to create temporary file '/home/guru/.gnupg-ccid/.#lk0x000802616210.r314251-amd64.65213': No such file or directory
gpg: can't connect to the agent: No such file or directory
gpg: OpenPGP card not available: No agent running
$ mkdir /home/guru/.gnupg-ccid
$ chmod 0700 /home/guru/.gnupg-ccid

As you can see, the keys are completely missing in the card's status:

$ gpg2 --card-status
gpg: keybox '/home/guru/.gnupg-ccid/pubring.kbx' created
Reader ...........: HID Global OMNIKEY 6121 Smart Card Reader 00 00
Application ID ...: D2760001240102010005532B
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 532B
Name of cardholder: Matthias Apitz
Language prefs ...: en
Sex ..............: unspecified
URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 4
Signature key ....: 5E69 FBAC 1618 562C B3CB FBC1  47CC F7E4 76FE 9D11
      created ....: 2017-05-14 18:20:07
Encryption key....: EB62 00DA 13A1 9E80 679B 1A13  61F1 ECB6 25C9 A6C3
      created ....: 2017-05-14 18:20:07
Authentication key: E51D D2D6 C727 35D6 651D EA4B  6AA5 C5C4 51A1 CD1C
      created ....: 2017-05-14 18:20:07
General key info..: [none]

but after fetching the pub key, all is fine:

[guru@r314251-amd64 ~]$ gpg2 --card-edit

Reader ...........: HID Global OMNIKEY 6121 Smart Card Reader 00 00
Application ID ...: D2760001240102010005532B
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 532B
Name of cardholder: Matthias Apitz
Language prefs ...: en
Sex ..............: unspecified
URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 4
Signature key ....: 5E69 FBAC 1618 562C B3CB FBC1  47CC F7E4 76FE 9D11
      created ....: 2017-05-14 18:20:07
Encryption key....: EB62 00DA 13A1 9E80 679B 1A13  61F1 ECB6 25C9 A6C3
      created ....: 2017-05-14 18:20:07
Authentication key: E51D D2D6 C727 35D6 651D EA4B  6AA5 C5C4 51A1 CD1C
      created ....: 2017-05-14 18:20:07
General key info..: [none]

gpg/card> fetch
gpg: requesting key from 'http://www.unixarea.de/ccid--export-key-guru.pub'
gpg: /home/guru/.gnupg-ccid/trustdb.gpg: trustdb created
gpg: key 47CCF7E476FE9D11: public key "Matthias Apitz (GnuPG CCID) " imported
gpg: Total number processed: 1
gpg:               imported: 1

gpg/card> list

Reader ...........: HID Global OMNIKEY 6121 Smart Card Reader 00 00
Application ID ...: D2760001240102010005532B
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 532B
Name of cardholder: Matthias Apitz
Language prefs ...: en
Sex ..............: unspecified
URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 4
Signature key ....: 5E69 FBAC 1618 562C B3CB FBC1  47CC F7E4 76FE 9D11
      created ....: 2017-05-14 18:20:07
Re: Unknown key type
On Monday, May 22, 2017 at 02:06:56 p.m. -0400, Brian Minton wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On Mon, May 22, 2017 at 12:07 PM, David Vallier wrote:
> > Can someone please explain why I am getting a yellow bar on a LOT of
> > signed msgs saying that the key type is unknown??
> >
> > the exact msg is "Part of the message signed with unknown key; the key
> > type is not supported by your version of GnuPG"
> >
> > I am running GnuPG 2.0.30 (Gpg4Win 2.3.3) on a win 7 box.
>
> If I had to guess, I'd say the sender of those messages is using ECC keys.
> They are only supported in GnuPG 2.1. In fact, I'm using such a key to
> sign this message (but my key also has a DSA subkey, so gpg 2.0 should
> still verify the signature). So, you may see the warning on this message.
> -----BEGIN PGP SIGNATURE-----
>
> iHUEARYIAB0WIQTu0BWAE9wubW4AHqQ3uVB6z/IBbgUCWSMoqQAKCRA3uVB6z/IB
> bphCAQDgR8N3EWlJX5sfzfXCVHFi3rWpXfinGtRbl8tlVxEm8AEA7gwKWQ5f3Z5s
> F20WPXhNIxnHF+UnIY4T829pSim4TQiIdQQBEQgAHRYhBPnEu3YOeD8N7BCmimuO
> s6Blz7qpBQJZIyipAAoJEGuOs6Blz7qpeN0A/R8IwSrOQreTFVB4gga79xz6XIKA
> MdBvmMhXY8LSuUhNAP0Z8bv/rQWSOtf7dGPTEDYPKRCs1kYguHULVlhs/Bcc3Q==
> =MOy5
> -----END PGP SIGNATURE-----

Piping the above mail to gpg2 (2.1.19) gives:

If I had to guess, I'd say the sender of those messages is using ECC keys.
They are only supported in GnuPG 2.1. In fact, I'm using such a key to
sign this message (but my key also has a DSA subkey, so gpg 2.0 should
still verify the signature). So, you may see the warning on this message.
gpg: Signature made Mon May 22 20:06:33 2017 CEST
gpg:                using EDDSA key EED0158013DC2E6D6E001EA437B9507ACFF2016E
gpg: Can't check signature: No public key
gpg: Signature made Mon May 22 20:06:33 2017 CEST
gpg:                using DSA key F9C4BB760E783F0DEC10A68A6B8EB3A065CFBAA9
gpg: Can't check signature: No public key

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May 8, 1945: Who does not celebrate lost the War.
about how the MUA mutt signs mails
Hello,

When I send signed mails to myself with the MUA mutt (just for test) the received mail is verified fine in mutt, i.e. it says in mutt:

[-- Begin signature information --]
Good signature from: Matthias Apitz (GnuPG CCID)
            created: Wed May 31 21:40:19 2017
[-- End signature information --]

[-- The following data is signed --]
hello
[-- End of signed data --]

but when I save the signature part into a file 'signature.asc' and the ASCII content of the mail as a file 'data' from the menu in mutt:

q:Exit  s:Save  |:Pipe  p:Print  ?:Help
I 1                [text/plain, 7bit, utf-8, 0.1K]
I 2 signature.asc  [applica/pgp-signat, 7bit, 0.8K]

and run:

$ gpg2 --verify signature.asc data
gpg: Signature made Wed May 31 21:40:19 2017 CEST
gpg:                using RSA key 5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11
gpg: BAD signature from "Matthias Apitz (GnuPG CCID) " [ultimate]

it says 'BAD signature'. Why does the file 'data' have a BAD signature? The file 'data' after saving from mutt from the above menu just contains:

$ cat data
hello

$ od -c data
0000000   h   e   l   l   o  \n  \n
0000007

I dug into this by trussing the mutt-gpg2 process chain and it turned out that the net data which mutt verifies is:

$ od -c data.asc
0000000   C   o   n   t   e   n   t   -   T   y   p   e   :       t   e
0000020   x   t   /   p   l   a   i   n   ;       c   h   a   r   s   e
0000040   t   =   u   t   f   -   8  \r  \n   C   o   n   t   e   n   t
0000060   -   D   i   s   p   o   s   i   t   i   o   n   :       i   n
0000100   l   i   n   e  \r  \n  \r  \n   h   e   l   l   o  \r  \n  \r
0000120  \n
0000121

i.e. it contains as well some mail header lines about the content and charset and esp. as well \r\n line terminators. If I modify the file to this it is fine:

$ gpg2 --verify signature.asc data.asc
gpg: Signature made Wed May 31 21:40:19 2017 CEST
gpg:                using RSA key 5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11
gpg: Good signature from "Matthias Apitz (GnuPG CCID) " [ultimate]

Is this the correct way for mutt to sign such mail bodies?

matthias
Re: about how the MUA mutt signs mails
On Thursday, June 01, 2017 at 10:00:12 AM +0100, Darac Marjal wrote:

> > Is this correct how mutt signs such mail bodies?
>
> This is "PGP-MIME" format, as refined in
> <https://tools.ietf.org/html/rfc3156>. Section 5 of that clearly states:
>
> ...

Darac,

Thank you very much for your enlightening explanation and ...

> --
> For more information, please reread.

... and for your nice signature.

matthias
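The two posts above (the BAD signature on the body mutt saves, and Darac's pointer to RFC 3156) come down to one fact: a PGP/MIME signature covers the whole MIME part, its Content-* headers included, with CRLF line endings. The POSIX shell script below is an added example, not mutt's or GnuPG's code. The function names are mine, and the two header lines it prepends (Content-Type with charset utf-8, Content-Disposition: inline, as seen in the od output above) are assumptions: they must match byte for byte what the MUA actually put into the signed part, otherwise the signature still comes out BAD.

```shell
#!/bin/sh
# Added example (not mutt's or GnuPG's code): rebuild the PGP/MIME signed
# entity from the body mutt saves with 's:Save', so that a detached
# signature can be checked with gpg2 --verify.
#
# RFC 3156 signs the whole MIME body part: its Content-* headers, a blank
# line and the body, every line terminated by CRLF. The header values
# below are assumptions taken from the od output in the post; adjust them
# to whatever the MUA emitted for the part you are checking.

# pgpmime_canonicalize BODYFILE [CHARSET]
# Prints the canonical signed entity: part headers + blank line + body,
# with CRLF line endings throughout.
pgpmime_canonicalize() {
    body=$1
    charset=${2:-utf-8}
    printf 'Content-Type: text/plain; charset=%s\r\n' "$charset"
    printf 'Content-Disposition: inline\r\n'
    printf '\r\n'
    # awk rather than sed: a \r in a sed replacement is not portable (BSD sed).
    awk '{ printf "%s\r\n", $0 }' "$body"
}

# pgpmime_verify SIGFILE BODYFILE [CHARSET]
# Writes the canonical entity to a temporary file and runs gpg2 --verify
# on it, returning gpg2's exit status.
pgpmime_verify() {
    tmp=$(mktemp) || return 1
    pgpmime_canonicalize "$2" "${3:-utf-8}" > "$tmp"
    gpg2 --verify "$1" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

With the files from the post, `pgpmime_verify signature.asc data` reproduces the "Good signature" result, because the rebuilt entity is exactly the 81-byte data.asc shown in the od dump; a different charset can be passed as the third argument when the part header says so.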
setting GnuPG card to 'not forces' does not let sign
Hello,

I was tired of always having to enter the PIN when sending mails to sign them and switched the card to 'not forced':

Signature PIN : not forced

After this (without withdrawing the card, i.e. the PIN was already entered around 10 times and the card unlocked), the signing says:

$ echo bla > test.doc
$ LANG=C
$ gpg2 --armor --output test.doc.signed --sign test.doc
gpg: signing failed: Bad PIN
gpg: signing failed: Bad PIN

The bad PIN counter in the card is not decremented. Switching the card back to 'forced' makes signing with PIN work again.

What am I doing wrong?

matthias
Fwd: RE: setting GnuPG card to 'not forces' does not let sign
Every time I write to gnupg-users@gnupg.org I get this crap from a robot or from Sarah about dating. Can someone do anything so that he/she/it is not triggered?

Sarah, I have no intention to click on the URL and much less to click on you. Crap.

matthias

----- Forwarded message from Sarah -----

Date: Thu, 8 Jun 2017 06:41:21 -0400
From: Sarah
To: g...@unixarea.de
Subject: RE: setting GnuPG card to 'not forces' does not let sign
X-Mailer: JAS STD

Have you finally got my pix? Let's meet tomorrow! Write me only here: http://free-new-dating.online/?&s=35&:uni:2g-17&Profile=Sarah212

On Jun 08, 2017, at 10:29 AM, Matthias Apitz wrote:

> Hello,
>
> I was tired of having always enter the PIN when sending mails to sign them
> and switched the card to 'not forces':
>
> ...

----- End forwarded message -----
Re: Fwd: RE: setting GnuPG card to 'not forces' does not let sign
On Thursday, June 08, 2017 at 01:18:35 PM +0200, Peter Lebbing wrote:

> On 08/06/17 12:48, Matthias Apitz wrote:
> > Every time I write to gnupg-users@gnupg.org I get this crap from a robot
> > or from Sarah about dating. Can someone do anything that he/she/it is not
> > triggered.
>
> Yes, same here. I thought it was rather funny that she told me:
>
> > Hello again! My boyfriend can read my email!
> > It is not secure.
>
> and later:
>
> > Honey, I've told you, email is not secure enough!
>
> How a spambot can be oddly on-topic for this mailing list...

Perhaps, when the spambot sees part of its first message in the incoming mail, it reacts to this. I have it blacklisted now in my spamassassin config.

matthias
Re: Fwd: RE: setting GnuPG card to 'not forces' does not let sign
On Friday, June 09, 2017 at 08:06:50 AM +0200, Werner Koch wrote:

> On Thu, 8 Jun 2017 12:48, g...@unixarea.de said:
> > Every time I write to gnupg-users@gnupg.org I get this crap from a robot
> > or from Sarah about dating. Can someone do anything that he/she/it is not
>
> That bot is subscribed. I enabled the moderation flag and disabled
> delivery.

Thanks for this.

Re/ the issue itself, it seems that a complete restart of the chain gpg-agent -- scdaemon -- /usr/local/sbin/pcscd fixed the issue. It now asks once for the PIN for signing and then not again until reboot.

Thanks as well for the nice hint about the X-message-flag: header line. The warning looks really nice in the crappy MS Outlook.

matthias
Re: setting GnuPG card to 'not forces' does not let sign
On Friday, June 09, 2017 at 08:09:12 AM +0200, Werner Koch wrote:

> > The bad PIN counter in the card is not decremented. Switching the card
> > back to 'forced' makes signing with PIN working again.
>
> Interesting. Did you also try to reset the card (i.e. re-insert) with
> non-forced set?

As I wrote in the last mail, it now works like it should, and for signing as for SSH I only have to enter the PIN once.

I have one last remaining issue with this GnuPG card and/or my USB device HID Global OMNIKEY 6121 Smart Card Reader and/or FreeBSD, i.e. it's totally unclear at the moment what is causing it: Sometimes (let's say in 50% of the cases) the USB device is not seen by the FreeBSD kernel on power-on boot, even if the OMNIKEY is already inserted before power-on. When it is not seen on boot, it is not seen on withdraw and re-insert. When it is seen, it is always seen, i.e. one can re-insert as much as you want, it always works. Sometimes not even a re-boot helps; it takes 2-3 re-boots to get the OMNIKEY seen.

I know, this is not a GnuPG issue, but I wanted to mention it here to ask if others have similar experiences, even on Linux or other OS, or if it is worth getting a new OMNIKEY device or even another device.

Comments? Thanks

matthias
changing the passphrase of the secret key stored in the GnuPG card
How could I change the passphrase I have entered while generating the keys on the GnuPG card? I tried with no success:

$ LANG=C gpg2 --edit-key Matthias passwd
gpg (GnuPG) 2.1.19; Copyright (C) 2017 Free Software Foundation, Inc.
...
Secret key is available.

sec  rsa4096/47CCF7E476FE9D11
     created: 2017-05-14  expires: never       usage: SC
     card-no: 0005 532B
     trust: ultimate      validity: ultimate
ssb  rsa4096/6AA5C5C451A1CD1C
     created: 2017-05-14  expires: never       usage: A
     card-no: 0005 532B
ssb  rsa4096/61F1ECB625C9A6C3
     created: 2017-05-14  expires: never       usage: E
     card-no: 0005 532B
[ultimate] (1). Matthias Apitz (GnuPG CCID)

Key has only stub or on-card key items - no passphrase to change.

gpg>

Thanks

matthias
Re: changing the passphrase of the secret key stored in the GnuPG card
On Sunday, June 11, 2017 at 08:51:58 PM +0200, Werner Koch wrote:

> On Sun, 11 Jun 2017 20:07, g...@unixarea.de said:
> > How could I change the passphrase I have entered while generating the
> > keys on the GnuPG card? I tried with no success:
>
> To change the PINs on the card you need to use
>
>   gpg --card-edit

I know, but I want to change the passphrase, not the PIN.

matthias
Re: changing the passphrase of the secret key stored in the GnuPG card
On Sunday, June 11, 2017 at 09:37:51 PM +0200, Peter Lebbing wrote:

> On 11/06/17 21:05, Matthias Apitz wrote:
> > I know, but I want to change the passphrase, not the PIN.
>
> They are the same thing, it's just a choice of terminology. Since user
> authentication to a smartcard is traditionally done using numerics only
> and card readers with PINpads also usually only use numerics, the term
> PIN has become commonly used (Personal Identification Number[1]). But
> under GnuPG, you can use alphanumerics and symbols, and it is more
> correct to call it a passphrase.

I have the feeling we are talking about different things. When I generated the keys on the card, the following part of the dialog appeared in my recording:

...
This key (or subkey) is not protected with a passphrase. Please enter a new passphrase to export it.
Passphrase:
Repeat:
gpg: Note: backup of card key saved to '/home/guru/.gnupg/sk_61F1ECB625C9A6C3.gpg'
gpg: /home/guru/.gnupg/trustdb.gpg: trustdb created
gpg: key 47CCF7E476FE9D11 marked as ultimately trusted
gpg: directory '/home/guru/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/guru/.gnupg/openpgp-revocs.d/5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11.rev'
public and secret key created and signed.
...

My question remains: How can I change (or verify) the above passphrase I have used?

matthias
Re: changing the passphrase of the secret key stored in the GnuPG card
On Sunday, June 11, 2017 at 10:00:00 PM +0200, Peter Lebbing wrote:

> On 11/06/17 21:48, Matthias Apitz wrote:
> > My question remains: How can I change (or verify) the above Passphrase I
> > have used?
>
> Ah! That's the encryption of the backup key, not of the secret key
> stored in the smart card. Well, it's ultimately the same key, but it's
> not the copy of it stored in the smart card but rather the copy stored
> in the backup file.
>
> That's actually a difficult question, since AFAIK, the backups are not
> complete OpenPGP messages but just the relevant parts of an OpenPGP
> secret key message. I actually can't think of the answer to your
> question. I'd know how to use packet surgery to reconstruct a normal
> on-disk secret key from that partial message, and subsequently change
> the passphrase on that key. I could also subsequently extract the
> fragment again. But this is all not normal use of GnuPG, it's "Look, I
> can make it do this as well!". Hopefully somebody else can answer if it
> is possible, and how.

Now we are on track with my question. The background is/was: what exactly do I have to do with this backup key, for example in case the GnuPG card gets lost or stolen? How can I simulate this and check if the passphrase works correctly?

Thx

matthias
Re: setting GnuPG card to 'not forces' does not let sign
On Sunday, June 11, 2017 at 08:59:37 PM +0200, Werner Koch wrote:

> On Fri, 9 Jun 2017 08:39, g...@unixarea.de said:
>
> > I know, this is not a GnuPG issue, but I wanted to mention it here to
> > ask if others have similar experiences, even on Linux or other OS, or if
> > it is worth getting a new OMNIKEY device or even another device.
>
> You better avoid everything with an Omnikey chip in it. I had only
> trouble with it and they never responded to questions. Well, it works
> on Windows because they fix their hardware with their Windows driver.

Do you know of any other CCID reader for ID-000 size cards?

matthias
Re: changing the passphrase of the secret key stored in the GnuPG card
On Monday, June 12, 2017 at 01:28:28 PM +0200, Damien Goutte-Gattat wrote:

> On 06/12/2017 07:31 AM, Matthias Apitz wrote:
> > Now we are on track with my question. The background is/was: what
> > exactly do I have to do with this backup key, for example in case the GnuPG
> > card gets lost or stolen?
>
> You would have to import your backup key into your private keyring using
> gpg's --import command.
>
> First, remove the private key stubs:
>
>   $ rm ~/.gnupg/private-keys-v1.d/*.key
>
> Then, import your backup:
>
>   $ gpg2 --import backup.gpg
>
> You will then be prompted for the passphrase you chose when the backup
> was created.

I did what you suggested, but:

$ pwd
/home/guru/.gnupg-test
$ rm -f private-keys-v1.d/*.key
$ GNUPGHOME=/home/guru/.gnupg-test export GNUPGHOME
$ gpg2 --import sk_61F1ECB625C9A6C3.gpg
gpg: key 61F1ECB625C9A6C3: no user ID
gpg: Total number processed: 1
gpg:       secret keys read: 1
$ ls -l sk_61F1ECB625C9A6C3.gpg
-r--------  1 guru  wheel  1865 May 14 20:29 sk_61F1ECB625C9A6C3.gpg

The file is what was written as backup on May 14. Any idea what I do wrong?

matthias
GnuPG card && using the backup secret key
Please note: I have changed the Subject: of the thread to better match the real problem.

During generating the keys on the GnuPG card, one can (and should) create some backup of the secret key into a file. It is totally unclear to me how to make something useful out of this file, for example import it into a "normal" secret keyring to use it in case the GnuPG card gets lost. I followed some hints of Damien Goutte-Gattat (thanks) and did:

> > First, remove the private key stubs:
> >
> >   $ rm ~/.gnupg/private-keys-v1.d/*.key
> >
> > Then, import your backup:
> >
> >   $ gpg2 --import backup.gpg
> >
> > You will then be prompted for the passphrase you chose when the backup
> > was created.
>
> I did what you suggested, but:
>
> $ pwd
> /home/guru/.gnupg-test
> $ rm -f private-keys-v1.d/*.key
> $ GNUPGHOME=/home/guru/.gnupg-test export GNUPGHOME
> $ gpg2 --import sk_61F1ECB625C9A6C3.gpg
> gpg: key 61F1ECB625C9A6C3: no user ID
> gpg: Total number processed: 1
> gpg:       secret keys read: 1
> $ ls -l sk_61F1ECB625C9A6C3.gpg
> -r--------  1 guru  wheel  1865 May 14 20:29 sk_61F1ECB625C9A6C3.gpg
>
> The file is what was written as backup on May 14.

With Don Google I found this older thread in this mailing list here:

https://lists.gt.net/gnupg/users/40851

where Werner said after some (today outdated) hints:

«...
Put a "disable-scdaemon" into gpg-agent.conf, give gpg-agent a HUP and check that no scdaemon is running anymore (you may just kill it). Then use "gpg --no-use-agent --edit-key". The command "bkuptocard" may then be used to store a backup key on a card.

Yes, we really need a howto on recovering smartcard keys.
...»

Was such a howto ever written?

Thanks

matthias
Re: GnuPG card && using the backup secret key
On Tuesday, June 13, 2017 at 11:52:46 AM +0200, Thomas Jarosch wrote:

> > Please note: I have changed the Subject: of the thread to better match
> > the real problem.
> >
> > During generating the keys on the GnuPG card, one can (and should)
> > create some backup of the secret key into a file. It is totally unclear
> > to me how to make something useful out of this file, for example import
> > it into a "normal" secret keyring to use it in case the GnuPG card
> > gets lost.
>
> AFAIK the "backup process" during key creation for the OpenPGP smartcard
> is a bit different: There is no interface / function on the card to
> export a key. Therefore, if you decide to create a backup, a key is
> first created on the host and *then* transferred onto the card.
> At least that's my understanding of it.

Hi Thomas,

Thanks for your posting, but now I'm really confused. The howto about the card in https://gnupg.org/howtos/card-howto/en/smartcard-howto-single.html says:

...
3.3.2. Generating keys

To generate a key on the card enter generate. You will be asked if you would like to make an off-card copy of the encryption key. It is useful to say yes here.

Note
Without a backup you will not be able to access any data you encrypted with the card if it gets lost or damaged.
...

and as well in the dialog of the key creation on the card it said:

...
Please enter a new passphrase to export it.
Frase contraseña:
Repeat:
gpg: Note: backup of card key saved to '/home/guru/.gnupg/sk_61F1ECB625C9A6C3.gpg'
gpg: /home/guru/.gnupg/trustdb.gpg: trustdb created
gpg: key 47CCF7E476FE9D11 marked as ultimately trusted
gpg: directory '/home/guru/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/guru/.gnupg/openpgp-revocs.d/5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11.rev'
public and secret key created and signed.

gpg/card> quit
...

> When we developed the paper backup tool
> (https://github.com/intra2net/paperbackup/blob/master/README.md)
> we created several keys on the host machine, transferred the key
> to the card and created a backup on paper.

I will have a look into the paper backup tool; sounds handy.

Thx

matthias
Re: GnuPG card && using the backup secret key
On Tuesday, June 13, 2017 at 11:58:51 AM +0200, Werner Koch wrote:

> On Mon, 12 Jun 2017 20:12, g...@unixarea.de said:
>
> > create some backup of the secret key into a file. It is totally unclear
> > to me how to make something useful out of this file, for example import
> > it into a "normal" secret keyring to use it in case the GnuPG card
>
> To try it you best insert a new or scratch card. Make sure your
> _public key_ exists. Then run
>
>   gpg --edit-key YOURKEY
>
> and at the prompt enter
>
>   bkuptocard FILENAME
>
> the FILENAME is the sk_foo file. You will then be asked where to store
> the key on the card (Signing, encryption, or authentication key).

I tried (~/.gnupg-test is a copy of my normal GNUPGHOME):

$ cd .gnupg-test/
$ GNUPGHOME=`pwd`
$ env | grep GNU
GNUPGHOME=/home/guru/.gnupg-test
$ ls -l sk_61F1ECB625C9A6C3.gpg
-r--------  1 guru  wheel  1865 May 14 20:29 sk_61F1ECB625C9A6C3.gpg
$ gpg2 --edit-key sk_61F1ECB625C9A6C3.gpg
gpg (GnuPG) 2.1.19; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: key "sk_61F1ECB625C9A6C3.gpg" not found: No public key
$ gpg2 --import ../GnuPG/ccid--export-key-guru.pub
gpg: key 47CCF7E476FE9D11: "Matthias Apitz (GnuPG CCID) " not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

The file "ccid--export-key-guru.pub" was created from the card with:

$ gpg2 --export --armor > ccid--export-key-guru.pub

matthias
Re: GnuPG card && using the backup secret key
On Tuesday, June 13, 2017 at 02:30:05 PM +0300, Teemu Likonen wrote:

> Matthias Apitz [2017-06-13 12:51:01+02] wrote:
>
> > $ gpg2 --edit-key sk_61F1ECB625C9A6C3.gpg
>
> Command --edit-key edits a key in your keyring. I'd guess that you want

I did 1:1 what Werner suggested;

> to import keys:
>
>   gpg2 --import sk_61F1ECB625C9A6C3.gpg

This is not working, as I said yesterday:

$ gpg2 --import sk_61F1ECB625C9A6C3.gpg
gpg: key 61F1ECB625C9A6C3: no user ID
gpg: Total number processed: 1
gpg:       secret keys read: 1

Btw: the public key is there:

$ gpg2 --list-keys
/home/guru/.gnupg-test/pubring.kbx
----------------------------------
pub   rsa4096 2017-05-14 [SC]
      5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11
uid           [ultimate] Matthias Apitz (GnuPG CCID)
sub   rsa4096 2017-05-14 [A]
sub   rsa4096 2017-05-14 [E]
...
Re: setting GnuPG card to 'not forces' does not let sign
On Monday, June 12, 2017 at 12:58:23 PM +0200, Werner Koch wrote:

> On Mon, 12 Jun 2017 12:38, g...@unixarea.de said:
>
> > Do you know of any other CCID reader for ID-000 size cards?
>
> I have a sample of the Gemalto Shell Token here. It has been around for
> quite some time and the kernelconcept folks that it works nicely. See
>
>   https://www.floss-shop.de/en/security-privacy/
>
> On that page you also find the a bit more expensive uTrust token which
> would be my preferred choice. I used it for many years until it broke due
> to my fault. In fact I recycled the case for my gnuk token.

I bought the uTrust token in the above mentioned FLOSS-shop and it arrived today. It shows in my netbook the same problem as the other one from Omnikey: it is not always detected at power-on boot. In the boot at 14:17:02 it is seen, while later it takes three boots to be seen by the kernel:

Jun 16 14:17:02 c720-r314251 syslogd: kernel boot file is /boot/kernel/kernel
Jun 16 14:17:02 c720-r314251 kernel: ugen0.2: at usbus0
Jun 16 20:20:48 c720-r314251 syslogd: kernel boot file is /boot/kernel/kernel
Jun 16 20:23:28 c720-r314251 syslogd: kernel boot file is /boot/kernel/kernel
Jun 16 20:25:49 c720-r314251 syslogd: kernel boot file is /boot/kernel/kernel
Jun 16 20:25:49 c720-r314251 kernel: ugen0.4: at usbus0

Perhaps it is more a netbook's (Acer C720) or FreeBSD issue.

matthias
about CCID USB readers (Re: setting GnuPG card to 'not forces' does not let sign)
On Monday, June 12, 2017 at 12:58:23 PM +0200, Werner Koch wrote:

> On Mon, 12 Jun 2017 12:38, g...@unixarea.de said:
>
> > Do you know of any other CCID reader for ID-000 size cards?
>
> I have a sample of the Gemalto Shell Token here. It has been around for
> quite some time and the kernelconcept folks that it works nicely. See
>
>   https://www.floss-shop.de/en/security-privacy/
>
> On that page you also find the a bit more expensive uTrust token which
> would be my preferred choice. I used it for many years until it broke due
> to my fault. In fact I recycled the case for my gnuk token.

Some days ago I acquired this uTrust token. And surprise, surprise, it showed the same symptoms as the other one, the HID Global OMNIKEY 6121 Smart Card Reader: my operating system does not always recognise the USB device, not even when plugged in before power-on. This smells somehow like a hardware issue in the Acer C720 or in the kernel of FreeBSD (and I do run CURRENT on it, i.e. compiled directly from SVN). Here is the bug issue I filed against our beloved FreeBSD:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220127

Only if someone has similar experiences. I tested a lot with this issue and now have some trick which seems to make it at least fail less often: I insert the uTrust token before power-on, start the laptop but hold the boot at the moment when you can modify certain boot options, i.e. the device is powered on but awaiting a keyboard input to continue loading the kernel. Only a few seconds. Then the booting kernel sees the device as:

ugen0.2: at usbus0

Is there something in the card's firmware which needs some time to come up?

matthias
Re: about CCID USB readers (Re: setting GnuPG card to 'not forces' does not let sign)
On Thursday, June 22, 2017 at 08:28:57 AM +0200, Matthias Apitz wrote:

> Some days ago I acquired this uTrust token. And surprise, surprise, it
> showed the same symptoms as the other one, the HID Global OMNIKEY 6121
> Smart Card Reader: my operating system does not always recognise the
> USB device, not even when plugged in before power-on. This smells
> somehow like a hardware issue in the Acer C720 or in the kernel of
> FreeBSD (and I do run CURRENT on it, i.e. compiled directly from SVN).
> Here is the bug issue I filed against our beloved FreeBSD:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220127
> Only if someone has similar experiences.
>
> ...

At the end of the day it turned out that this was an issue in the FreeBSD drivers and/or some race conditions or electrical problem. I removed some of the drivers which were searching the USB bus for devices and now have only the XHCI driver in the kernel (disabled UHCI, OHCI and EHCI), and with this the detection of both cards (uTrust and Omnikey) is fine.

matthias
using GnuPG card for Firefox master password
Hi,

I have a bunch of saved logins in Firefox, protected by some so-called master password. Is there a way to use the GnuPG card as the master password, maybe some plug-in for FF?

Thanks

matthias
scdaemon does not "see" card insertion
Hello,

I have now the GnuPG card working fine for signing mails, SSH access and even for using GnuPG crypted credentials in Firefox. The last issue I'm struggling with is the use of card removal and card insert via the 'scd-event' to lock and unlock the KDE desktop.

The script 'scd-event' is only invoked on card removal (I do just an echo of the args):

    scd-event --reader-port 0 --old-code 0x0007 --new-code 0x --status NOCARD

A card insert is only seen *after* some agent requires something, for example the SSH client needs access to the secret key on the card; then it says:

    scd-event --reader-port 0 --old-code 0x --new-code 0x0007 --status USABLE

On the UNIX system level the card insert triggers via devd(8) the start of /usr/local/sbin/pcscd and the card removal triggers a 'killall pcscd'. This is working fine, i.e. an inserted card is usable immediately, requesting the PIN entry.

I created a file scdaemon.conf to get debug information, here is the resulting log:

    ...
    2017-07-04 11:33:51 scdaemon[4945.802016000] DBG: enter: apdu_get_status: slot=0 hang=0
    2017-07-04 11:33:51 scdaemon[4945.802016000] DBG: leave: apdu_get_status => sw=0x0 status=7
    2017-07-04 11:33:52 scdaemon[4945.802016000] DBG: enter: apdu_get_status: slot=0 hang=0

now the card is removed and /usr/local/sbin/pcscd is killed

    2017-07-04 11:33:52 scdaemon[4945.802016000] pcsc_get_status_change failed: no service (0x8010001d)
    2017-07-04 11:33:52 scdaemon[4945.802016000] DBG: leave: apdu_get_status => sw=0x1000c status=0
    2017-07-04 11:33:52 scdaemon[4945.802016000] DBG: Removal of a card: 0
    2017-07-04 11:33:52 scdaemon[4945.802016000] DBG: enter: apdu_close_reader: slot=0
    2017-07-04 11:33:52 scdaemon[4945.802016000] DBG: enter: apdu_disconnect: slot=0
    2017-07-04 11:33:52 scdaemon[4945.802016000] pcsc_disconnect failed: no service (0x8010001d)
    2017-07-04 11:33:52 scdaemon[4945.802016000] DBG: leave: apdu_disconnect => sw=0x1000a
    2017-07-04 11:33:52 scdaemon[4945.802016000] DBG: apdu_close_reader => 0x1000a (apdu_disconnect)
    2017-07-04 11:33:52 scdaemon[4945.802016000] DBG: leave: apdu_close_reader => 0x0 (close_reader)

now scdaemon sits there, the card was already inserted again, nothing happens

now SSH needs the key, this awakes scdaemon again and it sees the card:

    2017-07-04 11:34:28 scdaemon[4945.802017900] DBG: chan_7 <- SERIALNO
    2017-07-04 11:34:28 scdaemon[4945.802017900] DBG: enter: apdu_open_reader: portstr=(null)
    2017-07-04 11:34:28 scdaemon[4945.802017900] detected reader 'Identiv uTrust 3512 SAM slot Token (55511514602745) 00 00'
    2017-07-04 11:34:28 scdaemon[4945.802017900] detected reader ''
    2017-07-04 11:34:28 scdaemon[4945.802017900] reader slot 0: not connected
    2017-07-04 11:34:28 scdaemon[4945.802017900] DBG: leave: apdu_open_reader => slot=0 [pc/sc]
    2017-07-04 11:34:28 scdaemon[4945.802017900] DBG: enter: apdu_connect: slot=0
    2017-07-04 11:34:28 scdaemon[4945.802017900] DBG: feature: code=12, len=4, v=42330012
    2017-07-04 11:34:28 scdaemon[4945.802017900] DBG: TLV properties: tag=01, len=2, v=
    2017-07-04 11:34:28 scdaemon[4945.802017900] DBG: TLV properties: tag=03, len=1, v=

What should be changed to let scdaemon see the card insertion?

Thanks

matthias
Re: scdaemon does not "see" card insertion
On Wednesday, July 05, 2017 at 09:23:06 AM +0900, NIIBE Yutaka wrote:

> Hello,
>
> Matthias Apitz wrote:
> > The script 'scd-event' is only invoked on card removal (I do just an
> > echo of the args):
> [...]
> > A card insert is only seen *after* some agent requires something, for
> > example the SSH client needs access to the secret key on the card;
>
> Right. Scdaemon only watches the event of card removal and card reader
> removal.
>
> ...

Hello,

Thanks for all explanations. For now I implemented the scd-event script as:

    ...
    DISPLAY=:0
    export DISPLAY

    if [ x$status = xNOCARD ]; then
        nohup /usr/local/lib/kde4/libexec/kscreenlocker_greet --immediateLock &
        while true; do
            # Signature key : 5E69 FBAC ...
            gpg2 --card-status | grep '5E69 FBAC' >> /tmp/scd-event.log && {
                killall kscreenlocker_greet
                break
            }
            sleep 1
        done
    fi

which works nicely: on card removal it locks the screen and on card insert it unlocks it fine.

> > On the UNIX system level the card insert triggers via devd(8) the start
> > of /usr/local/sbin/pcscd and the card removal triggers a 'killall pcscd'.
> > This is working fine, i.e. an inserted card is usable immediately,
> > requesting the PIN entry.
>
> IIUC, system level service like devd can only handle the event of card
> reader insertion, not card insertion. I may be wrong here.

No, you are correct, I was imprecise.

matthias
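An added example (not the poster's scd-event script and not GnuPG's own code) of the same lock/unlock handler with two defensive changes: the returning card is identified by the full signature-key fingerprint from 'gpg2 --card-status --with-colons' rather than a grep on the human-readable output, and the wait for re-insertion is bounded instead of endless. The 'fpr:' record layout (signature, encryption, authentication fingerprints) is assumed from GnuPG's --with-colons format; the fingerprint and the card-status sample are constructed placeholders.

```shell
#!/bin/sh
# scd-event handler: lock the desktop on card removal, unlock it only when
# the card carrying the expected signature key is inserted again.
# Added example, not the original poster's script. POSIX sh.

# Constructed placeholder: 40-hex-digit fingerprint of the card's signature
# key, as printed in the 'fpr:' record of 'gpg2 --card-status --with-colons'.
EXPECTED_SIG_FPR="5E69FBAC00000000000000000000000000000000"

LOCK_CMD="${LOCK_CMD:-/usr/local/lib/kde4/libexec/kscreenlocker_greet --immediateLock}"
UNLOCK_CMD="${UNLOCK_CMD:-killall kscreenlocker_greet}"
MAX_WAIT_SECS="${MAX_WAIT_SECS:-600}"   # stop polling after this; unlock manually

# Constructed sample of 'gpg2 --card-status --with-colons' output, used by demo().
SAMPLE_CARD_STATUS='reader:Identiv uTrust 3512 SAM slot Token (55511514602745) 00 00:::
version:0201:
sigcount:12:::
fpr:5E69FBAC00000000000000000000000000000000:1111111111111111111111111111111111111111:2222222222222222222222222222222222222222:
fprtime:1500000000:1500000000:1500000000:'

# Print the value following --status in the argument list scdaemon passes,
# e.g. "--reader-port 0 --old-code 0x0007 --new-code 0x --status NOCARD".
# Returns 1 when no --status value is present.
scd_parse_status() {
    while [ $# -gt 0 ]; do
        case "$1" in
            --status)
                [ -n "$2" ] || return 1
                printf '%s\n' "$2"
                return 0
                ;;
            --reader-port|--old-code|--new-code)
                [ $# -ge 2 ] && shift   # skip the option's value as well
                ;;
        esac
        shift
    done
    return 1
}

# Read --with-colons card status on stdin; print the signature-key
# fingerprint (2nd field of the 'fpr:' record), nothing if absent.
card_sig_fpr() {
    awk -F: '$1 == "fpr" { print $2; exit }'
}

# Succeed only if the card status on stdin carries the expected signature key.
card_is_trusted() {
    fpr=$(card_sig_fpr)
    [ -n "$fpr" ] && [ "$fpr" = "$1" ]
}

# Poll the card (through gpg2/scdaemon) until the trusted card is back or
# the time limit is reached. 0 = trusted card seen, 1 = timed out.
wait_for_trusted_card() {
    expected=$1; limit=$2; waited=0
    while [ "$waited" -lt "$limit" ]; do
        if gpg2 --card-status --with-colons 2>/dev/null | card_is_trusted "$expected"; then
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# Entry point used when scdaemon runs this file as scd-event.
scd_event_main() {
    status=$(scd_parse_status "$@") || return 2
    case "$status" in
        NOCARD)
            export DISPLAY="${DISPLAY:-:0}"
            nohup $LOCK_CMD >/dev/null 2>&1 &
            if wait_for_trusted_card "$EXPECTED_SIG_FPR" "$MAX_WAIT_SECS"; then
                $UNLOCK_CMD
            fi
            ;;
        *) ;;   # USABLE etc.: nothing to do, insertion is handled by the loop above
    esac
}

# Offline demonstration on the constructed sample: prints trusted/untrusted.
demo() {
    if printf '%s\n' "$SAMPLE_CARD_STATUS" | card_is_trusted "$EXPECTED_SIG_FPR"; then
        echo trusted
    else
        echo untrusted
    fi
}

# Only act as the handler when installed under the scd-event name.
case "$0" in
    *scd-event*) scd_event_main "$@" ;;
esac
```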
storing PINs of credit / EC cards with GnuPG
Hello,

This question is perhaps only for German users of GnuPG. In the past German banks and credit institutes prohibited the storing of PIN numbers etc. on personal computer systems, even claiming that in the case of storing they would not have been responsible anymore for the abuse of stolen credit cards. What is the current situation about this issue in German law if such PIN numbers are stored ciphered with GnuPG?

Thanks

matthias
Re: Changing PINs of German bank card
On Monday, July 10, 2017 at 11:42:12 PM +0800, Guan Xin wrote:

> This is probably a general question --
>
> I have never seen a German bank that allows changing the PIN of a card.
> So I wonder if it is because using a fixed (non-changeable) 4-digit PIN
> mailed in clear text really safer than using a 4 to 6 digit variable length
> PIN that never explicitly appears anywhere.

Nowadays some German banks allow changing the PIN in the teller machines. I saw it today in an ATM of the Sparkasse. Amex allows (or allowed) requesting a new personal PIN by fax.

matthias
Re: Changing PINs of German bank card
On Tuesday, July 11, 2017 at 07:38:08 PM +0100, MFPA wrote:

> On Tuesday 11 July 2017 at 8:44:48 AM, in
> , Binarus wrote:-
>
> > I am not sure if this is an intentional limitation of the cards (to
> > prevent users from choosing idiotic pins like 1234 or their birthday).
>
> Surely things like 1234 can be prevented by software.

Why is 1234 an idiotic PIN? What are idiotic PINs? Of course, any PIN for which you carry hints in your pocket (like a sticker attached, or your birthday) is idiotic. But remember, you normally have 3 tries only to test all "idiotic" PINs. 1234 is as idiotic as 2345 or as 3456 or .... or as , or , or ...

matthias
use policy of the GnuPG-card
Hello,

I'm using the GnuPG card for signing, SSH, password-store (Firefox web passwords) and locking/unlocking the KDE desktop on card insert or withdrawal. After resolving some technical (FreeBSD) issues, I now have it in daily usage on my netbook and my workstation in the office.

One problem obviously comes to mind: someone with priv access to your workstation, for example IT personnel, could relatively easily steal your passwords, just by setting your environment and waiting for the moment that you have unlocked the card with the PIN; then he/she could run as root:

    # GNUPGHOME=/home/guru/.gnupg-ccid
    # export GNUPGHOME
    # PASSWORD_STORE_DIR=/home/guru/.password-store
    # export PASSWORD_STORE_DIR
    # pass Business/cheese-whiz-factory
    gpg: WARNING: unsafe ownership on homedir '/home/guru/.gnupg-ccid'
    cheese

It would also not help to just withdraw the card after any short usage, for example to fire up an SSH session. The attacker could just sit in the background waiting for this short moment, which is long enough to copy all your passwords in clear and send them away.

How is this supposed to be managed?

matthias
Re: Changing PINs of German bank card
On Saturday, 15 July 2017 11:17:18 CEST, Andy Ruddock wrote:

> Just as a point of interest
>
> > I am not sure if this is an intentional limitation of the cards (to
> > prevent users from choosing idiotic pins like 1234 or their birthday).
>
> I know of somebody who had 1234 issued as their PIN for a UK bank account
> (it IS as random a selection as any other 4-digit number).

One of every 10,000 will get this number; you need only luck to get to know someone, as you had.

matthias

--
Sent from my Ubuntu phone
http://www.unixarea.de/
Re: use policy of the GnuPG-card
On Thursday, July 13, 2017 at 03:57:47 PM +0200, Werner Koch wrote:

> ...
>
> For the signing key we have a signature counter and if you can memorize
> the count and the number of signatures you did, you have a way to detect
> malicious use of that key. Better malware could of course also present
> you a different count - checking on a clean machine would detect that,
> though.

Why do we only have a counter for the signing key?

matthias
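Werner's suggestion, turned into an added example (not GnuPG's own tooling): keep the last known signature counter of the card in a state file and compare it with the 'sigcount:' record of 'gpg2 --card-status --with-colons' on each check, so that signatures you did not make show up as a positive delta. The record layout is assumed from GnuPG's --with-colons format; the sample output, counts and state-file path are constructed.

```shell
#!/bin/sh
# Detect unexpected use of the card's signing key by tracking its signature
# counter. Added example, not part of GnuPG. POSIX sh.
# Caveat from the thread: malware on the host can show a false count, so a
# check from a known-clean machine is the one that really counts.

STATE_FILE="${STATE_FILE:-$HOME/.gnupg/card-sigcount}"   # assumed path

# Constructed sample of 'gpg2 --card-status --with-colons' output.
SAMPLE_CARD_STATUS='reader:Identiv uTrust 3512 SAM slot Token (55511514602745) 00 00:::
version:0201:
sigcount:12:::
fpr:5E69FBAC00000000000000000000000000000000:1111111111111111111111111111111111111111:2222222222222222222222222222222222222222:'

# Read card status on stdin; print the signature counter (2nd field of the
# 'sigcount:' record). Returns 1 if the record is missing or not a number.
card_sigcount() {
    n=$(awk -F: '$1 == "sigcount" { print $2; exit }')
    case "$n" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$n"
}

# Signatures made since the stored count: actual - stored.
sigcount_delta() {
    echo $(( $2 - $1 ))
}

# Classify actual ($2) against stored ($1): prints one of
#   unchanged  - no signature since the last check
#   advanced   - signatures were made (yours, or not)
#   backwards  - card reset/replaced, or a lying scdaemon
sigcount_verify() {
    if [ "$2" -eq "$1" ]; then echo unchanged
    elif [ "$2" -gt "$1" ]; then echo advanced
    else echo backwards
    fi
}

# Verify the live card against the state file; prints a one-line verdict.
# Exit code: 0 unchanged, 1 advanced, 2 backwards, 3 no card/counter.
check_card() {
    actual=$(gpg2 --card-status --with-colons 2>/dev/null | card_sigcount) || {
        echo "no signature counter readable (card not inserted?)"; return 3; }
    if [ ! -f "$STATE_FILE" ]; then
        printf '%s\n' "$actual" > "$STATE_FILE"
        echo "recorded initial signature count $actual"; return 0
    fi
    stored=$(cat "$STATE_FILE")
    case $(sigcount_verify "$stored" "$actual") in
        unchanged) echo "ok: signature count unchanged ($actual)"; return 0 ;;
        advanced)  echo "WARNING: $(sigcount_delta "$stored" "$actual") signature(s) since last check ($stored -> $actual)"; return 1 ;;
        backwards) echo "WARNING: counter went backwards ($stored -> $actual)"; return 2 ;;
    esac
}

# After signing yourself, accept the current count as the new baseline.
record_card() {
    actual=$(gpg2 --card-status --with-colons 2>/dev/null | card_sigcount) || return 3
    printf '%s\n' "$actual" > "$STATE_FILE"
}

# Offline demonstration: verdict for a stored count ($1) against the sample.
demo() {
    stored=$1
    actual=$(printf '%s\n' "$SAMPLE_CARD_STATUS" | card_sigcount) || { echo unreadable; return 0; }
    verdict=$(sigcount_verify "$stored" "$actual")
    if [ "$verdict" = advanced ]; then
        echo "advanced by $(sigcount_delta "$stored" "$actual")"
    else
        echo "$verdict"
    fi
}
```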
Re: Extraction of decryption session key without copying complete encrypted file
On Friday, August 04, 2017 at 01:59:57 PM +0200, Werner Koch wrote:

> On Wed, 2 Aug 2017 15:52, roman.fied...@ait.ac.at said:
>
> > How to decrypt large files, e.g. gpg-encrypted backups, without copying
> > them to the machine with the GPG private key?
>
> With GnuPG 2.1 this is easy: You use ssh's socket forwarding feature to
> forward gpg-agent's restricted remote socket, for example
>
> /run/user/1000/gnupg/S.gpg-agent.extra
>
> to the host and there you run gpg which will then connect back to the
> agent on your desktop. For details see
>
> https://wiki.gnupg.org/AgentForwarding

But this implies that everyone with priv access on the remote host could abuse your secret key on your localhost, especially when a GnuPG-card is used and you entered the PIN to unlock the secret key. Am I wrong?

matthias
Re: OT: Which smartphone would you use
On Monday, 18 September 2017 17:32:51 CEST, Thomas Hejze wrote:

> Hello everyone,
>
> I know this is off-topic, but since it is related to IT security and
> therefore more or less to GNUPG, I hope that I get some helping answers,
> though.
>
> Having been objecting to smartphones for a long time I fear that the time
> has come that I get one for myself. The question is which one. IPhone is
> not an option, Android probably not, due to security considerations.
> ...

I have been using for more than two years an Ubuntu phone BQ E4.5. The project was driven by Canonical and BQ as the hardware OEM. The project died in March of this year, but is now moved to a community of OpenSource enthusiasts. The software nowadays is mostly Ubuntu 15.04, with some Android blobs in the kernel for the hardware access. Check https://forums.ubports.com/

matthias
Re: OT: Which smartphone would you use
On Monday, 18 September 2017 20:07:38 CEST, Mauricio Tavares wrote:

> > I have been using for more than two years an Ubuntu phone BQ E4.5. The
> > project was driven by Canonical and BQ as the hardware OEM. The project
> > died in March of this year, but is now moved to a community of OpenSource
> > enthusiasts. The software nowadays is mostly Ubuntu 15.04, with some
> > Android blobs in the kernel for the hardware access.
>
> Wasn't there also at least one company in Europe selling the Ubuntu phones?

Yes, as I said BQ.com
Re: OT: Which smartphone would you use
On Thursday, September 21, 2017 at 07:09:01 PM +0200, Thomas Hejze wrote:

> On Monday, 18 September 2017, 20:13:14 CEST, Matthias Apitz wrote:
> > > > I have been using for more than two years an Ubuntu phone BQ E4.5.
> > > > The project was driven by Canonical and BQ as the hardware OEM. The
> > > > project died in March of this year, but is now moved to a community
> > > > of OpenSource enthusiasts.
> > >
> > > Wasn't there also at least one company in Europe selling the
> > > Ubuntu phones?
> >
> > Yes, as I said BQ.com
>
> Unfortunately their hardware does not seem to support Ubuntu any more. I
> found the "Ubuntu Edition" under "obsolete models", even a cyanogen
> edition, but all their current models run on Android. The rest of their
> homepage is all marketing gibberish as it is the use, nowadays.

Look for second-hand devices of the BQ "Ubuntu Edition" (BQ does not produce nor sell them anymore). Such devices you could reflash to the software available at ubports.com

matthias
Re: OT: Which smartphone would you use
On Thursday, September 21, 2017 at 06:54:43 PM +0200, Thomas Hejze wrote:

> Hi Dotan,
>
> On Monday, 18 September 2017, 19:55:49 CEST, Dotan Cohen wrote:
> > The answer pretty much depends on what smartphone features you are
> > looking for. Do you need to run a web browser? Email integration?
>
> well first of all I would like to make phone calls.
>
> I use kdepim for contacts, calendar and email, so kdepim should run on it or
> at least be syncable.
>
> And gnupg should run on it. And yes, a secure browser, too.

I have ported gpg2 and the password storage manager 'pass' to my Ubuntu phone BQ E4.5. I'm still working on the pcscd daemon to get the GnuPG-card working in the phone. The tricky part is that you normally can not install or compile additional software in the root file system of the device (because it's mounted, for good reasons, read-only). You must set up an additional complete system and chroot to it. If you later want to run such compiled/installed software from outside the chroot, you must set LD_LIBRARY_PATH (...) so the software can find its stuff, for example in a small shell wrapper script:

    $ cat gpg2.sh
    #!/bin/sh
    LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/home/phablet/myRoot/usr/lib/arm-linux-gnueabihf
    export LD_LIBRARY_PATH
    /home/phablet/myRoot/usr/bin/gpg-agent --homedir /home/phablet/.gnupg \
        --use-standard-socket --daemon \
        --pinentry-program /home/phablet/myRoot/usr/bin/pinentry-curses
    /home/phablet/myRoot/usr/bin/gpg-connect-agent /bye
    PATH=$PATH:myRoot/usr/bin
    export PATH
    /home/phablet/myRoot/usr/bin/gpg2 $*

This way I have gpg2 and pass working.
I can SSH into the phone (or do the same in the terminal app) and run:

    $ ssh phablet@ubphone
    Welcome to Ubuntu 15.04 (GNU/Linux 3.4.67 armv7l)
    phablet@ubuntu-phablet-bq:~$
    phablet@ubuntu-phablet-bq:~$ ls -l .password-store/web/bla.gpg
    -rw------- 1 phablet phablet 356 Sep 20 12:58 .password-store/web/bla.gpg
    phablet@ubuntu-phablet-bq:~$
    phablet@ubuntu-phablet-bq:~$ ./pass.sh web/bla
    ┌───────────────────────────────────────────────────────────────────────────────────┐
    │ Please enter the passphrase to unlock the secret key for the OpenPGP certificate: │
    │ "Matthias Apitz "                                                                 │
    │ 2048-bit RSA key, ID 76254069,                                                    │
    │ created 2017-09-20 (main key ID CBE83911).                                        │
    │                                                                                   │
    │ Passphrase ___                                                                    │
    │                                                                                   │
    └───────────────────────────────────────────────────────────────────────────────────┘
    abc123
    Username: g...@unixarea.de
gpg 2.1.19 fails to generate key pair
    2017-09-22 16:51:22 gpg-agent[15166] DBG: storing private key
    2017-09-22 16:51:25 gpg-agent[15166] S2K calibration: 2466816 -> 100ms
    2017-09-22 16:51:25 gpg-agent[15166] DBG: agent_put_cache '72C072DF8E8A7E956E83631D' (mode 5) requested ttl=900
    2017-09-22 16:51:25 gpg-agent[15166] DBG: chan_9 -> S CACHE_NONCE 72C072DF8E8A7E956E83631D
    2017-09-22 16:51:25 gpg-agent[15166] DBG: returning public key
    2017-09-22 16:51:25 gpg-agent[15166] DBG: chan_9 -> [ 44 20 28 31 30 3a 70 75 62 6c 69 63 2d 6b 65 79 ...(286 byte(s) skipped) ]
    2017-09-22 16:51:25 gpg-agent[15166] DBG: chan_9 -> OK
    2017-09-22 16:51:25 gpg-agent[15166] DBG: chan_9 <- RESET
    2017-09-22 16:51:25 gpg-agent[15166] DBG: chan_9 -> OK
    2017-09-22 16:51:25 gpg-agent[15166] DBG: chan_9 <- SIGKEY 7A4385DA9EB9353BB10B23B473A005546A5DAE36
    2017-09-22 16:51:25 gpg-agent[15166] DBG: chan_9 -> OK
    2017-09-22 16:51:25 gpg-agent[15166] DBG: chan_9 <- SETKEYDESC Please+enter+the+passphrase+to+unlock+the+OpenPGP+secret+key:%0A%22[User+ID+not+found]%22%0A2048-bit+RSA+key,+ID+E63AE41B03128A87,%0Acreated+2017-09-22.%0A
    2017-09-22 16:51:25 gpg-agent[15166] DBG: chan_9 -> OK
    2017-09-22 16:51:25 gpg-agent[15166] DBG: chan_9 <- SETHASH 8 C32083165BB1A88A814A1BB2F62984D2B521AEAB1210B9B32648E0FAEC28F206
    2017-09-22 16:51:25 gpg-agent[15166] DBG: chan_9 -> OK
    2017-09-22 16:51:25 gpg-agent[15166] DBG: chan_9 <- PKSIGN -- 72C072DF8E8A7E956E83631D
    2017-09-22 16:51:25 gpg-agent[15166] DBG: agent_get_cache '72C072DF8E8A7E956E83631D' (mode 5) ...
    2017-09-22 16:51:25 gpg-agent[15166] DBG: ... hit
Re: gpg 2.1.19 fails to generate key pair
On Friday, September 22, 2017 at 08:19:14 PM +0200, Werner Koch wrote:

> On Fri, 22 Sep 2017 17:24, g...@unixarea.de said:
>
> > I instructed via gpg-agent.conf the gpg-agent to do a debug log which
> > follows. The proc gpg-agent crashes with SIG_BUS.
>
> That is why you see an EOF error from gpg.

I can imagine. That's why I attached the log of the gpg-agent.

> We did a few more release after 2.1.19, which was released on March 1.
> Not all fixed bugs are noted in the NEWS and it is also possible that
> the SIGBUS comes from Libgcrypt. (run gpg-agent --version to see the
> version of Libgcrypt).
>
> Please first try to build with a recent version (2.2.1 is current but
> 2.1.23 should be okay) and the latest version of the respective
> Libgcrypt branch. That would be easier for us than to try to figure out
> a bug we might have already fixed.

Ok. I will update to the most recent version. Btw: libcrypt is 1.7.0.

> What OS and which platform are you using? I assume it is a BSD (or
> Plan-9 ;-).

No, wrong guess in this case. It is:

    phablet@ubuntu-phablet-bq:~$ uname -a
    Linux ubuntu-phablet 3.4.67 #1 SMP PREEMPT Mon Jun 6 12:04:40 UTC 2016 b75400e armv7l armv7l armv7l GNU/Linux

an Ubuntu based smartphone.

matthias
Re: gpg 2.1.19 fails to generate key pair
it works with:

    phablet@ubuntu-phablet-bq:~$ ./gpg2.sh --version
    gpg-agent[28499]: enabled debug flags: mpi crypto memory cache memstat hashing ipc
    gpg-agent: a gpg-agent is already running - not starting a new one
    gpg-agent: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
                  outmix=0 getlvl1=0/0 getlvl2=0/0
    gpg-agent: secmem usage: 0/32768 bytes in 0 blocks
    gpg (GnuPG) 2.2.1
    libgcrypt 1.8.1
    ...
    phablet@ubuntu-phablet-bq:~$ ~/gpg2.sh --full-generate-key
    ...
    ┌─────────────────────────────────┐
    │ Please re-enter this passphrase │
    │                                 │
    │ Passphrase: ***_                │
    │                                 │
    │                                 │
    └─────────────────────────────────┘
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    gpg: /home/phablet/.gnupg/trustdb.gpg: trustdb created
    gpg: key 3FECB79DDDA409E4 marked as ultimately trusted
    gpg: directory '/home/phablet/.gnupg/openpgp-revocs.d' created
    gpg: revocation certificate stored as '/home/phablet/.gnupg/openpgp-revocs.d/41E0B3688FDD76C9337ECD873FECB79DDDA409E4.rev'
    public and secret key created and signed.

    pub   rsa2048 2017-09-22 [SC]
          41E0B3688FDD76C9337ECD873FECB79DDDA409E4
    uid                      Matthias Apitz (test)
    sub   rsa2048 2017-09-22 [E]
GnuPG-card works in the Ubuntu smartphone
I have the GnuPG-card working in the Ubuntu smartphone BQ E4.5, details here:

https://forums.ubports.com/topic/554/support-for-gnupg-smartcard/3

I could post a small how-to to some place because, due to the nature of the phone (read-only mounted root file system), the installation needs some tricks.

matthias
Re: GnuPG-card works in the Ubuntu smartphone
On Sunday, September 24, 2017 at 08:56:56 AM +0200, Werner Koch wrote:

> On Sat, 23 Sep 2017 10:47, g...@unixarea.de said:
> > I have the GnuPG-card working in the Ubuntu smartphone BQ E4.5, details
> > here: https://forums.ubports.com/topic/554/support-for-gnupg-smartcard/3
>
> Cool.
>
> > I could post a small how-to to some place because due to the nature of
>
> Would you like to write a blog entry for gnupg.org? Needs to be done in
> org-mode format but I can offer to copyedit it for you. One or two
> picture would also be nice.

I would be happy to write something in this blog, but I never wrote something in 'org-mode' format, any pointer to some guide? I'm attaching below a text version of the write-up. A photo is here: http://www.unixarea.de/UbuntuPhone-GnuPG-card.jpg If it should be of better quality, I have to look for some equipment.

For the connection between the USB token and the phone, I used some OTG (USB On-The-Go) cable. I own as well a small connector receiving on one end the token and to be plugged into the phone's port, but this connection is very unstable; with the cable it's fine.

matthias


Using GnuPG-card in the UbuntuPhone BQ E4.5:

    phablet@ubuntu-phablet-bq:~$
    phablet@ubuntu-phablet-bq:~$ sudo chroot myRoot/
    ...
    root@ubuntu-phablet:/# apt-get install pinentry-curses
    root@ubuntu-phablet:/# apt-get install pass
    root@ubuntu-phablet:/# apt-get install libudev-dev

Installing GnuPG 2.2.1 into the 'myRoot' system

compile in ~phablet (in myRoot) the following pieces:

    libassuan-2.4.3
    libgpg-error-1.27
    libksba-1.3.5
    npth-1.5
    libgcrypt-1.8.1
    gnupg-2.2.1

always with ./configure && make && sudo make install; the software ends up below /usr/local (i.e. /home/phablet/myRoot/usr/local when one looks from outside the chroot'ed phone system); note: 'gpg2' is /usr/local/bin/gpg

Now from the phone system configure:

    $ mkdir ~/.gnupg

    $ cat .gnupg/gpg.conf
    # agent-program /home/phablet/myRoot/usr/local/bin/gpg-agent

    $ cat .gnupg/gpg-agent.conf
    pinentry-program /home/phablet/myRoot/usr/bin/pinentry-curses
    scdaemon-program /home/phablet/myRoot/usr/local/libexec/scdaemon
    log-file /home/phablet/gpg-agent.log
    log-file /dev/null
    debug-level guru

Due to the nature of the installation in the chrooted system we need small wrapper scripts to set PATH, LD_LIBRARY_PATH, ... and other stuff;

    $ cat ~/gpg.sh
    #!/bin/sh
    LD_LIBRARY_PATH=/home/phablet/myRoot/usr/local/lib
    export LD_LIBRARY_PATH
    PATH=/home/phablet/myRoot/usr/local/bin:$PATH
    export PATH
    GNUPGHOME=/home/phablet/.gnupg
    export GNUPGHOME
    GPG_TTY=$(tty)
    export GPG_TTY
    /home/phablet/myRoot/usr/local/bin/gpg-agent \
        --homedir /home/phablet/.gnupg \
        --daemon \
        --pinentry-program /home/phablet/myRoot/usr/bin/pinentry-curses
    /home/phablet/myRoot/usr/local/bin/gpg-connect-agent /bye
    /home/phablet/myRoot/usr/local/bin/gpg $*

run and create for test a keypair (later we want to use the GnuPG-card for this)

    $ ~/gpg.sh --full-generate-key
    gpg-agent[2973]: enabled debug flags: mpi crypto memory cache memstat hashing ipc
    gpg (GnuPG) 2.2.1; Copyright (C) 2017 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Please select what kind of key you want:
       (1) RSA and RSA (default)
       (2) DSA and Elgamal
       (3) DSA (sign only)
       (4) RSA (sign only)
    Your selection?
    ...

This starts the gpg-agent as:

    $ ps ax | grep gpg-a
     2974 ?        Ss     0:00 /home/phablet/myRoot/usr/local/bin/gpg-agent --homedir /home/phablet/.gnupg --daemon --pinentry-program /home/phablet/myRoot/usr/bin/pinentry-curses

Now we can use the 'pass' command we installed in the chroot'ed system with

    $ cat pass.sh
    #!/bin/sh
    LD_LIBRARY_PATH=/home/phablet/myRoot/usr/local/lib
    export LD_LIBRARY_PATH
    PATH=/home/phablet/myRoot/usr/local/bin:$PATH
    export PATH
    GNUPGHOME=/home/phablet/.gnupg
    export GNUPGHOME
    GPG_TTY=$(tty)
    export GPG_TTY
    unset GPG_AGENT_INFO
    /home/phablet/myRoot/usr/bin/pass $*

Init the pass storage as:

    $ ./pass.sh init Matthias
    ┌───────────────────────────────────────────────────────────────┐
    │ Please enter the passphrase to unlock the OpenPGP secret key: │
    │ "Matthias Apitz (test) "                                      │
    │ 2048-bit RSA key, ID 93A6FBF52FA76DB0,                        │
    │ created 2017-09-22 (main key ID 3FECB79DDDA409E4).            │
    │
Re: GnuPG-card works in the Ubuntu smartphone
On Sunday, September 24, 2017 at 05:31:56 PM +0200, Werner Koch wrote:

> On Sun, 24 Sep 2017 10:59, g...@unixarea.de said:
>
> > I would be happy to write something in this blog, but I never wrote
> > something in 'org-mode' format, any pointer to some guide? I'm attaching
>
> If you are on Emacs it is already included and part of Emacs help
> system. Its website is org-mode.org. The markup is easy:

I'm not on Emacs, but vim. But, with the example you gave and looking at some sources in the blog at gnupg.org I think I can do it. Groff was more challenging in the past :-) I will look for some slot next week. I will have to send it to you as I don't see a way to create an account in the blog...

matthias
Re: Smartcard not seen when reinserted
On Sunday, October 01, 2017 at 06:37:46 PM +0200, Franck Routier wrote:

> Hi,
>
> I have a problem where my OpenPGP smartcard is not recognized when I
> remove it from the reader and reinsert it.
>
> Moreover I like to remove the card and reinsert it when needed, as when
> used for authentication with Poldi, I'm only asked for the PIN once, and
> then the PIN is cached (at the smartcard level if I am to believe this
> https://security.stackexchange.com/questions/147267/gpg-agent-keeps-saving-pin-for-a-smartcard/168312)
>
> ...

I'm using a GnuPG-card for SSH and signing. I do not think that it would be a good idea that the secret on the card remains unlocked after withdrawal (power reset) of the card, and mine does not cache it. It works like this:

card insert
ssh server            --> PIN requested
ssh server            --> no PIN requested
gpg2 ... --sign ...   --> no PIN requested
gpg2 ... --decrypt    --> no PIN requested
card remove
card insert
gpg2 ... --sign ...   --> PIN requested
ssh server            --> PIN requested
ssh server            --> no PIN requested

i.e. it seems that unlocking the SSH key unlocks the signing key as well, but not the other way around.

Imagine you pull out the card in your office/restaurant, lose the card, someone finds it before you notice the loss and inserts the card in your system... No, a card that "survives" a withdrawal unlocked is not a good idea.

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May 8, 1945: Who does not celebrate lost the War.
Re: Smartcard not seen when reinserted
On Monday, October 02, 2017 at 01:35:16 PM +0200, Franck Routier wrote:

> My problem, in addition to the pin being cached "forever" (as long as
> the card is inserted, with no time limit), is that when I remove and
> reinsert the card, it is not recognized unless I restart gpg-agent.
>
> So here is what happens:
>
> card inserted
> pam_poldi.so called (sudo) --> PIN requested
> pam_poldi.so called (sudo) --> no PIN requested
> pam_poldi.so called (sudo) --> no PIN requested
> card removed (I don't like to let my card inserted, with no PIN
> validation needed !)
> card inserted --> card not seen (card error, OpenPGP card unavailable)
> gpgconf --kill gpg-agent --> card seen
> pam_poldi.so called (sudo) --> PIN requested
> pam_poldi.so called (sudo) --> no PIN requested
> etc...
>
> Hence my questions:
> 1) can I force PIN for authentication each time I use it (it seems that
> the forcesig option is for signature only, not for authentication)
> 2) what can I do to have my card recognized on reinsert, without
> resorting to killing gpg-agent
> --> probably with some scd-event magic that's beyond my know-how for
> now...

I'm using the attached 'scd-event' script to lock my display on card removal and to unlock it on card insert. The real work in the script is at line 107++. Maybe it can serve you a bit.

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May 8, 1945: Who does not celebrate lost the War.
#!/bin/sh
#
# this script must be placed into the GNUPGHOME dir and named 'scd-event';
# it is triggered by the scdaemon on card removal with the arg 'NOCARD';
# it will also run delayed after card insertion and *after* the first access to the card
#
# we use this to lock the KDE screen on card removal and run a loop of
# 'gpg2 --card-status' to unlock the screen after card insertion
#
# g...@unxarea.de, July 2017

echo $0 $* >> /tmp/scd-event.log

PGM=scd-event

# values passed by scdaemon: --reader-port N --old-code HEX --new-code HEX --status STATUS
reader_port=
old_code=0x
new_code=0x
status=

tick='`'
prev=
while [ $# -gt 0 ]; do
  arg="$1"
  case $arg in
      -*=*) optarg=$(echo "X$arg" | sed -e '1s/^X//' -e 's/[-_a-zA-Z0-9]*=//') ;;
      *) optarg= ;;
  esac
  if [ -n "$prev" ]; then
    eval "$prev=\$arg"
    prev=
    shift
    continue
  fi
  case $arg in
      --help|-h)
          # usage text reconstructed from the option names; the original text was lost in the archive
          cat <<EOF
Usage: $PGM [--reader-port N] [--old-code HEX] [--new-code HEX] [--status STATUS]
EOF
          exit 0
          ;;
      --reader-port)    prev=reader_port ;;
      --reader-port=*)  reader_port="$optarg" ;;
      --old-code)       prev=old_code ;;
      --old-code=*)     old_code="$optarg" ;;
      --new-code)       prev=new_code ;;
      --new-code=*)     new_code="$optarg" ;;
      --status)         prev=status ;;
      --status=*)       status="$optarg" ;;
      -*)
          echo "$PGM: unknown option $tick$arg'" >&2
          exit 1
          ;;
      *) break ;;
  esac
  shift
done
if [ -n "$prev" ]; then
  echo "$PGM: argument missing for option $tick$prev'" >&2
  exit 1
fi

cat <<EOF >> /tmp/scd-event.log
port: $reader_port
old-code: $old_code
new-code: $new_code
status: $status
EOF

DISPLAY=:0
export DISPLAY

if [ x$status = xNOCARD ]; then
  echo DISPLAY: $DISPLAY >> /tmp/scd-event.log
  echo /usr/local/lib/kde4/libexec/kscreenlocker_greet --immediateLock >> /tmp/scd-event.log
  nohup /usr/local/lib/kde4/libexec/kscreenlocker_greet --immediateLock &
  pid=$!
  echo ${pid} > /tmp/scd-event.pid
  echo locked by PID ${pid} >> /tmp/scd-event.log
  echo killing fetchmail >> /tmp/scd-event.log
  fetchmail -q
  while true; do
    # is the kscreenlocker_greet still running? the user might have unlocked it with PAM
    /bin/kill -0 ${pid} || {
      echo kscreenlocker_greet ${pid} disappeared >> /tmp/scd-event.log
      break
    }
    # gpg2 --card-status >> /tmp/scd-event.log 2>> /tmp/scd-event.log
    # Signature key : 5E69 FBAC 1618 562C B3CB FBC1 47CC F7E4 76FE 9D11
    gpg2 --card-status | grep '5E69 FBAC 1618 562C B3CB FBC1 47CC F7E4 76FE 9D11' >> /tmp/scd-event.log && {
      # OK, key is fine, unlocking the movies
      echo OK, key is fine unlocking the movies, killall kscreenlocker_greet >> /tmp/scd-event.log
      killall kscreenlocker_greet
      fetchmail
      break
    }
    sleep 1
  done
fi
Is there some writeable memory on the OpenPGP-card
Hello,

I often switch at work with my OpenPGP-card among the workstations I'm using. Some of them do not have (for security reasons) any network connection between them, and it would be nice to transfer some small files together with the USB OpenPGP-card. Is there some memory for read/write on them, maybe with some commands of the card daemon?

Thanks

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May 8, 1945: Who does not celebrate lost the War.
Re: OT: FAQ and GNU
On Friday, October 13, 2017 at 09:05:52 AM -0500, Mario Castelán Castro wrote:

> Your argument is unsound, because the inference is unjustified. The
> possibilities that a language is regulated by an official body or
> defined by majority usage are not exhaustive.
>
> ...

Could you please discuss this off-list. Thanks.

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May 8, 1945: Who does not celebrate lost the War.
Re: 20171005-gnupg-ccid-card-daemon-UbuntuPhone
On Friday, October 13, 2017 at 12:44:01 PM -0400, Daniel Villarreal wrote:

> re:
> https://www.gnupg.org/blog/20171005-gnupg-ccid-card-daemon-UbuntuPhone.html
>
> Matthias, I appreciate your doing this tutorial. You put a lot of
> effort into it. I'm wanting to make some suggestions. Please forgive
> me if I'm misunderstanding anything.
>
> Cheers,
> Daniel Villarreal

Daniel,

Thanks for your comments and the suggested changes. I can't change the blog page due to missing write access there. The suggested changes are fine with me if someone is in the position to do them.

Re/ your question:

> Now we can use the 'pass' command we installed in the chroot'es system
> with
>
> could be perhaps...
>
> Now we can use the 'pass' command we installed in the chrooted system
> with
>
> Question: Why is there an asterisk after the prompt at the end of
> pass.sh ?

The '$' sign there is not a prompt. 'pass.sh' is a small shell script and in this the expression '$*' passes all arguments given to 'pass.sh' to the called command.

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
Using the OpenPGP Card on Unix && Win7
Hello,

I'm using the OpenPGP Card on Unix (FreeBSD) and on my Ubuntu mobile phone (see https://gnupg.org/blog/20171005-gnupg-ccid-card-daemon-UbuntuPhone.html), mostly for storing credentials with the password manager 'pass' and using them from the browser, and as well for signing mails.

At work I have to use a Win7 desktop and OutLook for the company mails, and FreeBSD with GnuPG must run in a Vbox, which works fine with the OpenPGP Card too.

I'd like to use the same Card with OutLook (please don't blame me :-)) and have already installed gpg4win-3.0.0.exe which seems to work together with OutLook.

Before digging into all the details on my own, and esp. because in Windows I'm only a DAU(*), is there some step by step guide to configure the OpenPGP Card in Windows and to use the files from the GNUPGHOME on FreeBSD in Windows?

Thanks

matthias

DAU(*): This is German, short for "Dümmster Anzunehmender User" (the most stupid imaginable user)

--
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
Re: Using the OpenPGP Card on Unix && Win7
On Wednesday, November 15, 2017 at 12:19:30 PM +0100, Werner Koch wrote:

> On Wed, 15 Nov 2017 09:06, g...@unixarea.de said:
>
> > Before digging into all the details on my own and esp. because in Windows
> > I'm only a
> > DAU(*), is there some step by step guide to configure the OpenPGP Card in
> > Windows and using the files from the GNUPGHOME on FreeBSD in Windows?
>
> Actually you could copy the entire GNUPGHOME to the respective Windows
> directory. The name of the lock files and some temporary files are
> different but that does matter. "gpg --version" (or "gpgconf
> --list-dirs") shows you the standard home directory on Windows.
>
> If you only want to copy some keys, you can use the same procedure you
> would use between Unix boxes.
>
> Kleopatra's card manager is pretty basic. If you don't like it you can
> use the one in gpa (which can optionally be installed), or just resort
> to the command line.

I copied over GNUPGHOME, and gpa and OutLook can see/use the pub key. To get access to the Card, I need some driver in Win7. Do you know any reliable place to fetch it from?

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
Re: Using the OpenPGP Card on Unix && Win7
On Thursday, November 16, 2017 at 07:23:03 PM +0100, Werner Koch wrote:

> Usually the Windows hardware detection (a menu item like "Install new
> hardware", or a small icon in the taskbar) can locate all common reader
> types and their drivers. If not, you need to check the website of the
> reader's vendor.

Hi,

It seems that the USB token is fine, but the Card is not (see http://www.unixarea.de/SnipToolPlusImg.jpg ). I installed some driver and after this the problem symbol (!) is gone, but neither GPA nor Kleopatra can use the Card.

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
Re: Using the OpenPGP Card on Unix && Win7
On Thursday, November 16, 2017 at 07:23:03 PM +0100, Werner Koch wrote:

> Usually the Windows hardware detection (a menu item like "Install new
> hardware", or a small icon in the taskbar) can locate all common reader
> types and their drivers. If not, you need to check the website of the
> reader's vendor.

Hi,

It seems that the USB token is fine, but the Card is not (see attachment). I installed some driver and after this the problem symbol is gone, but neither GPA nor Kleopatra can use the Card.

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
Re: Using the OpenPGP Card on Unix && Win7
On Sunday, November 19, 2017 at 03:20:16 PM +0100, Peter Lebbing wrote:

> On 17/11/17 16:09, Matthias Apitz wrote:
> > It seems that the USB token is fine, but the Card is not (see
> > attachment).
>
> I don't use Windows myself, but AFAIK, this is normal and not a problem.
>
> AFAIK, the exclamation mark triangle on the smartcard means that the OS
> has no driver to work with that specific smartcard. But GnuPG
> communicates directly with the smartcard; the "driver" so to speak is
> inside GnuPG. In fact, if you found another OS-level driver that is
> happy to work with your smartcard, you are probably /creating/ an issue
> since it will keep a lock on the smartcard so GnuPG no longer can get
> access to it. While shared access to a smartcard is not impossible per
> se, often you'll find that programs want exclusive access, and you can't
> use two programs with the same smartcard at the same time.
>
> An exclamation mark triangle on the /reader/ would probably indicate an
> issue, but an exclamation mark triangle on the /smartcard/ is probably
> for the best.
>
> Still, I've only used different types of smartcards on Windows, and only
> very sporadically, so I don't think I can be of much further help.

Hello,

Thanks for your feedback, Peter. I killed a running SmartCard Service on Win7 and tested GnuPG on a Cygwin command line. It says:

$ uname -a
CYGWIN_NT-6.1 APITZM-LTOH 2.7.0(0.306/5/3) 2017-02-12 13:18 x86_64 Cygwin

$ gpg --version
gpg (GnuPG) 2.2.1
libgcrypt 1.8.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: C:/Users/apitzm/AppData/Roaming/gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

$ gpg --card-status --debug-all --debug-level guru
gpg: reading options from 'C:/Users/apitzm/AppData/Roaming/gnupg/gpg.conf'
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog
gpg: DBG: [not enabled in the source] start
gpg: DBG: chan_0x00d8 <- OK Pleased to meet you
gpg: DBG: connection to agent established
gpg: DBG: chan_0x00d8 -> RESET
gpg: DBG: chan_0x00d8 <- OK
gpg: DBG: chan_0x00d8 -> OPTION ttytype=xterm
gpg: DBG: chan_0x00d8 <- OK
gpg: DBG: chan_0x00d8 -> GETINFO version
gpg: DBG: chan_0x00d8 <- D 2.2.1
gpg: DBG: chan_0x00d8 <- OK
gpg: DBG: chan_0x00d8 -> OPTION allow-pinentry-notify
gpg: DBG: chan_0x00d8 <- OK
gpg: DBG: chan_0x00d8 -> OPTION agent-awareness=2.1.0
gpg: DBG: chan_0x00d8 <- OK
gpg: DBG: chan_0x00d8 -> SCD GETINFO version
gpg: DBG: chan_0x00d8 <- D 2.2.1
gpg: DBG: chan_0x00d8 <- OK
gpg: DBG: chan_0x00d8 -> SCD SERIALNO openpgp
gpg: DBG: chan_0x00d8 <- ERR 100696144 No such device
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device
gpg: DBG: [not enabled in the source] stop
gpg: keydb: handles=0 locks=0 parse=0 get=0
gpg:        build=0 update=0 insert=0 delete=0
gpg:        reset=0 found=0 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=0 cached=0 good=0 bad=0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x calls=0 bytes=0
gpg: secmem usage: 0/32768 bytes in 0 blocks

It does not make any difference if I also start the scdaemon with

$ scdaemon --daemon &

or not.

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
Re: Using the OpenPGP Card on Unix && Win7
On Monday, November 20, 2017 at 03:07:44 PM +0100, Peter Lebbing wrote:

> On 20/11/17 08:56, Matthias Apitz wrote:
> > I killed a running SmartCard Service on Win7 and tested GnuPG on a
> > Cygwin command line.
>
> Involving Cygwin is yet another non-trivial hurdle to take. I think it's
> best if you get it working on Windows first, and only then try to
> involve another layer in the form of Cygwin.
>
> You can see what happens when you use gpg.exe from the Windows command
> prompt. If that works out, see what happens in the GUI manager(s)
> included with gpg4win-3.0.0.exe. Assuming it does include GUI software :-).

This gives the same output as from Cygwin:

C:\Users\apitzm\vb\GnuPG\bin>gpg.exe --card-status --debug-all --debug-level guru
gpg: Optionen werden aus 'C:/Users/apitzm/AppData/Roaming/gnupg/gpg.conf' gelesen
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog
gpg: DBG: [not enabled in the source] start
gpg: DBG: chan_0x00d0 <- OK Pleased to meet you
gpg: DBG: connection to agent established
gpg: DBG: chan_0x00d0 -> RESET
gpg: DBG: chan_0x00d0 <- OK
gpg: DBG: chan_0x00d0 -> GETINFO version
gpg: DBG: chan_0x00d0 <- D 2.2.1
gpg: DBG: chan_0x00d0 <- OK
gpg: DBG: chan_0x00d0 -> OPTION allow-pinentry-notify
gpg: DBG: chan_0x00d0 <- OK
gpg: DBG: chan_0x00d0 -> OPTION agent-awareness=2.1.0
gpg: DBG: chan_0x00d0 <- OK
gpg: DBG: chan_0x00d0 -> SCD GETINFO version
gpg: DBG: chan_0x00d0 <- D 2.2.1
gpg: DBG: chan_0x00d0 <- OK
gpg: DBG: chan_0x00d0 -> SCD SERIALNO openpgp
gpg: DBG: chan_0x00d0 <- ERR 100696144 No such device
gpg: selecting openpgp failed: No such device
gpg: OpenPGP Karte ist nicht vorhanden: No such device
gpg: DBG: [not enabled in the source] stop
gpg: keydb: handles=0 locks=0 parse=0 get=0
gpg:        build=0 update=0 insert=0 delete=0
gpg:        reset=0 found=0 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=0 cached=0 good=0 bad=0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x calls=0 bytes=0
gpg: secmem usage: 0/32768 bytes in 0 blocks

C:\Users\apitzm\vb\GnuPG\bin>

I saw the next mail from Werner, and will try to follow this.

Thanks

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
Re: Using the OpenPGP Card on Unix && Win7
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x00b0 -> OK
2017-11-21 08:27:09 scdaemon[3868.2] DBG: chan_0x00b0 <- restart
2017-11-21 08:27:09 scdaemon[3868.2] DBG: chan_0x00b0 -> OK
2017-11-21 08:28:18 scdaemon[3868.2] DBG: chan_0x00b0 <- RESTART
2017-11-21 08:28:18 scdaemon[3868.2] DBG: chan_0x00b0 -> OK
2017-11-21 08:29:15 scdaemon[3868.2] DBG: chan_0x00b0 <- serialno
2017-11-21 08:29:15 scdaemon[3868.2] DBG: enter: apdu_open_reader: portstr=(null)
2017-11-21 08:29:15 scdaemon[3868.2] detected reader 'Broadcom Corp Contacted SmartCard 0'
2017-11-21 08:29:15 scdaemon[3868.2] detected reader 'Broadcom Corp Contactless SmartCard 0'
2017-11-21 08:29:15 scdaemon[3868.2] detected reader 'BROADCOM NFC Smartcard Reader 1'
2017-11-21 08:29:15 scdaemon[3868.2] detected reader 'Identiv uTrust 3512 SAM slot Token 0'
2017-11-21 08:29:15 scdaemon[3868.2] detected reader ''
2017-11-21 08:29:15 scdaemon[3868.2] reader slot 0: not connected
2017-11-21 08:29:15 scdaemon[3868.2] DBG: leave: apdu_open_reader => slot=0 [pc/sc]
2017-11-21 08:29:15 scdaemon[3868.2] DBG: enter: apdu_connect: slot=0
2017-11-21 08:29:15 scdaemon[3868.2] pcsc_connect failed: removed card (0x80100069)
2017-11-21 08:29:15 scdaemon[3868.2] reader slot 0: not connected
2017-11-21 08:29:15 scdaemon[3868.2] DBG: leave: apdu_connect => sw=0x10008
2017-11-21 08:29:15 scdaemon[3868.2] DBG: enter: apdu_close_reader: slot=0
2017-11-21 08:29:15 scdaemon[3868.2] DBG: enter: apdu_disconnect: slot=0
2017-11-21 08:29:15 scdaemon[3868.2] DBG: leave: apdu_disconnect => sw=0x0
2017-11-21 08:29:15 scdaemon[3868.2] DBG: leave: apdu_close_reader => 0x0 (close_reader)
2017-11-21 08:29:15 scdaemon[3868.2] DBG: chan_0x00b0 -> ERR 100696144 No such device

--
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May 8, 1945: Who does not celebrate lost the War.
Re: Using the OpenPGP Card on Unix && Win7
On Tuesday, November 21, 2017 at 06:50:18 PM +0900, NIIBE Yutaka wrote:

> Matthias Apitz wrote:
> > The produced log is:
> >
> > $ cat ../AppData/Local/VirtualStore/Windows/SysWOW64/scdaemon.log
> [...]
> > 2017-11-21 08:24:04 scdaemon[3868.2] DBG: enter: apdu_open_reader:
> > portstr=(null)
> > 2017-11-21 08:24:04 scdaemon[3868.2] detected reader 'Broadcom Corp
> > Contacted SmartCard 0'
> > 2017-11-21 08:24:04 scdaemon[3868.2] detected reader 'Broadcom Corp
> > Contactless SmartCard 0'
> > 2017-11-21 08:24:04 scdaemon[3868.2] detected reader 'BROADCOM NFC
> > Smartcard Reader 1'
> > 2017-11-21 08:24:04 scdaemon[3868.2] detected reader 'Identiv uTrust 3512
> > SAM slot Token 0'
> > 2017-11-21 08:24:04 scdaemon[3868.2] detected reader ''
> > 2017-11-21 08:24:04 scdaemon[3868.2] reader slot 0: not connected
>
> You have five card readers (the last one looks strange, though).
>
> GnuPG's scdaemon selects the first one as default. IIUC, you want to use
> 'Identiv uTrust 3512 SAM slot Token 0'.
>
> In .gnupg/scdaemon.conf, you should have something like:
> ===
> reader-port "Identiv uTrust 3512 SAM slot Token"
> ===
>
> ... to select the token.

Thanks! Adding the above line to GNUPGHOME/scdaemon.conf makes it all work, even the GPA and other GUI tools.

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
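As an added example that is not part of the thread (the function names are my own), the following POSIX sh helpers do by script what NIIBE did by eye on the scdaemon log above: list the readers scdaemon detected, say why the default slot failed, and print the reader-port line for the reader you actually want. The log lines are a constructed sample copied from the log quoted in the thread.

```shell
#!/bin/sh
# Helpers for reading an scdaemon log (written with "log-file" and
# "debug-level guru") and deriving the reader-port line for scdaemon.conf.
# Function names are this example's own; the log below is a constructed
# sample taken from the lines quoted in the thread.

sample_log() {
cat <<'EOF'
2017-11-21 08:29:15 scdaemon[3868.2] DBG: chan_0x00b0 <- serialno
2017-11-21 08:29:15 scdaemon[3868.2] DBG: enter: apdu_open_reader: portstr=(null)
2017-11-21 08:29:15 scdaemon[3868.2] detected reader 'Broadcom Corp Contacted SmartCard 0'
2017-11-21 08:29:15 scdaemon[3868.2] detected reader 'Broadcom Corp Contactless SmartCard 0'
2017-11-21 08:29:15 scdaemon[3868.2] detected reader 'BROADCOM NFC Smartcard Reader 1'
2017-11-21 08:29:15 scdaemon[3868.2] detected reader 'Identiv uTrust 3512 SAM slot Token 0'
2017-11-21 08:29:15 scdaemon[3868.2] detected reader ''
2017-11-21 08:29:15 scdaemon[3868.2] reader slot 0: not connected
2017-11-21 08:29:15 scdaemon[3868.2] DBG: leave: apdu_open_reader => slot=0 [pc/sc]
2017-11-21 08:29:15 scdaemon[3868.2] DBG: enter: apdu_connect: slot=0
2017-11-21 08:29:15 scdaemon[3868.2] pcsc_connect failed: removed card (0x80100069)
2017-11-21 08:29:15 scdaemon[3868.2] DBG: chan_0x00b0 -> ERR 100696144 No such device
EOF
}

# Print the reader names scdaemon detected, one per line, in the order it
# saw them (the first one is slot 0, the default). The empty "phantom"
# reader name from the thread is dropped.
scd_readers() {
    sed -n "s/^.*detected reader '\([^']*\)'.*$/\1/p" | grep -v '^$'
}

# "portstr=(null)" means no reader-port was configured, so scdaemon took
# the first reader it found. Print the value scdaemon logged.
scd_portstr() {
    sed -n 's/^.*apdu_open_reader: portstr=\(.*\)$/\1/p' | head -n 1
}

# One-line diagnosis of why "SERIALNO openpgp" failed, from the log on stdin.
scd_diagnose() {
    log=$(cat)
    portstr=$(printf '%s\n' "$log" | scd_portstr)
    first=$(printf '%s\n' "$log" | scd_readers | head -n 1)
    if printf '%s\n' "$log" | grep -q 'pcsc_connect failed: removed card'; then
        printf 'no card in default reader "%s" (reader-port=%s)\n' "$first" "$portstr"
    elif printf '%s\n' "$log" | grep -q 'No such device'; then
        printf 'no usable reader (reader-port=%s)\n' "$portstr"
    else
        printf 'no reader failure in log\n'
    fi
}

# Print the scdaemon.conf line selecting the reader whose name contains $1.
# As in the line NIIBE gave, the trailing slot index is dropped from the
# name. Returns 1 when no detected reader matches.
scd_reader_port_line() {
    name=$(scd_readers | grep -F -- "$1" | head -n 1)
    [ -n "$name" ] || return 1
    name=$(printf '%s\n' "$name" | sed 's/ [0-9][0-9]*$//')
    printf 'reader-port "%s"\n' "$name"
}

# Demo on the constructed sample: diagnosis, then the config line to add.
sample_log | scd_diagnose
sample_log | scd_reader_port_line 'uTrust'
```

On a real system, replace sample_log with `cat "$GNUPGHOME/scdaemon.log"` (or wherever log-file points) and append the printed line to scdaemon.conf.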
Re: Using the OpenPGP Card on Unix && Win7
One last question on this.

The gpg4win-3.0.0.exe installs among others an OutLook plugin (GpgOl DLL) which lets you encrypt and sign mails in OutLook. Ofc, the keypair I'm using with the OpenPGP Card was built for 'Matthias Apitz ' and not for my company mail addr matthias.ap...@oclc.org; on signing, this always brings up a window of Kleopatra like this http://www.unixarea.de/kleo3.jpg because it cannot choose the correct certificate on its own. Is there a way to configure this within Kleopatra or GpgOl?

Thanks

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
Re: SHA1 collision found
On Saturday, 25 November 2017 14:24:29 CET, Jerry wrote:
> On Fri, 24 Nov 2017 00:10:44 -0800, Brent Small stated:
> > What’s up up ADVERB
> ...

Maybe the OP wanted to send this to What's Ape.

matthias

--
Sent from my Ubuntu phone
http://www.unixarea.de/
pinentry fails with gpg-agent for ssh, but works for gpg
Hello,

A bit triggered by the last thread "Why exactly does pinentry fails with gpg-agent and ssh support?", I want to report a similar issue which I do not understand.

I have the 'pinentry' in /usr/local/bin/pinentry as a sym-link to the qt5 version:

$ ls -l /usr/local/bin/pinentry
lrwxr-xr-x  1 root  wheel  27 15 may.  2017 /usr/local/bin/pinentry -> /usr/local/bin/pinentry-qt5

Most of the time I work within the KDE desktop and when the PIN is required to unlock the keys on the OpenPGP card, it pops up a small Qt5 window asking for it.

Sometimes I work in the alpha console where `tty` gives /dev/ttyv0 (and the GPG_TTY env var is set to this). What I do not understand is:

$ gpg2 -d file

pops up some curses window asking for the PIN, i.e. /usr/local/bin/pinentry-qt5 falls back to this in the end because it has no DISPLAY to connect to.

$ ssh some-host

fails to ask for the PIN. Why, or what could I do?

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ 📱 +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
Re: Etoken pro windows 10
On Monday, January 29, 2018 at 01:45:24 PM, kip papa via Gnupg-users wrote:

> Hi, everybody has anyone been able to use etoken pro gpg with windows 10. Is
> there any guide about it;
> gpg: selecting openpgp failed: No such device
> gpg: OpenPGP card not available: No such device
> thank you.

Hi,

Check the thread 'Using the OpenPGP Card on Unix && Win7' in the list's archives. I have had a similar issue and had to configure which of the devices should be used.

HIH

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ 📱 +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
OpenPGP card && exporting secret keys
Hello,

I'm using an OpenPGP card and gnupg 2.1.19 on my FreeBSD workstations and my Ubuntu mobile device to store encrypted passwords (tool: password-store), to lock/unlock desktop sessions and to sign emails. This is all working fine and without any hiccups.

What makes me worry is that single point of failure: the OpenPGP card. While I do backups of all the encrypted password files, they would all be useless in case of loss/theft of the token or a hardware fault of the SIM card.

What I do at the moment is something like:

$ find ~/.password-store -name '*.gpg' -exec printf "%s:\n" {} \; -and -exec gpg2 -d {} 2> /dev/null \; -and -exec echo \; > /tmp/clear-password-store.txt
$ GNUPGHOME=...
$ gpg -ea /tmp/clear-password-store.txt
$ mv /tmp/clear-password-store.txt.asc $GNUPGHOME
$ rm -P /tmp/clear-password-store.txt

where the other GNUPGHOME contains secret and pub-keys created for this special purpose and living outside (i.e. without) the OpenPGP card. And in case of loss/theft of the token I could recover at least all passwords again...

Is there any way to export the secret keys from the OpenPGP card to use them directly (with a passphrase) and without the OpenPGP card?

Thanks

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ 📱 +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
Thanks to the Soviet Army for the Victory in Stalingrad! -- Victory in the Battle of Stalingrad!
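The procedure above parks the decrypted store in /tmp and relies on rm -P to scrub it, so every cleartext password touches the disk once. As an added example (not the author's commands), the same export can be streamed straight into gpg for the backup key so the cleartext only ever exists in a pipe; the function names, BACKUP_KEY and the PASS_DECRYPT/PASS_ENCRYPT variables are assumptions of this example, and the demo store at the end is constructed so the functions can run with cat in place of gpg.

```shell
#!/bin/sh
# Export every entry of a password-store and encrypt the export to a backup
# key without writing cleartext to disk. Names (export_store, backup_store,
# PASS_DECRYPT, PASS_ENCRYPT, BACKUP_KEY) are this example's own.

# Key living outside the OpenPGP card that the backup is encrypted to
# (placeholder: set it to the key id or user id of the backup keypair).
: "${BACKUP_KEY:=backup-key-id-here}"
# Command that decrypts one store file (given as its argument) to stdout,
# and command that encrypts stdin to stdout. Both can be overridden, which
# is how the demo and the test run without gpg or a card.
: "${PASS_DECRYPT:=gpg2 --quiet --batch -d}"
: "${PASS_ENCRYPT:=gpg2 --quiet --batch -ea -r $BACKUP_KEY}"

# Write "<entry>:", the cleartext and a blank line for every .gpg file below
# $1 to stdout, in sorted order: the same shape as the find/printf loop in
# the mail, but with no intermediate file. Entry names are printed relative
# to the store and without the .gpg suffix, as 'pass' lists them.
export_store() {
    store=$1
    find "$store" -type f -name '*.gpg' | LC_ALL=C sort | while IFS= read -r f; do
        entry=${f#"$store"/}
        entry=${entry%.gpg}
        printf '%s:\n' "$entry"
        $PASS_DECRYPT "$f" || printf '(decrypt failed)\n'
        printf '\n'
    done
}

# Encrypt the export of store $1 to the backup key; ciphertext goes to
# stdout, to be redirected into the backup GNUPGHOME (or wherever the
# backup lives) without the cleartext ever being written out.
backup_store() {
    export_store "$1" | $PASS_ENCRYPT
}

# Build a throwaway "store" with constructed plaintext entries so the
# functions can be exercised without gpg (the demo uses cat for both steps).
make_demo_store() {
    dir=$1
    mkdir -p "$dir/mail" "$dir/web"
    printf 'hunter2\n' > "$dir/mail/imap.gpg"
    printf 'correct horse\nusername: guru\n' > "$dir/web/example.gpg"
    printf 'not-an-entry\n' > "$dir/.gpg-id"
}

demo_store=$(mktemp -d)
make_demo_store "$demo_store"
( PASS_DECRYPT=cat; PASS_ENCRYPT=cat; backup_store "$demo_store" )
rm -r "$demo_store"
```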
problems sending to the list
Hello,

Sometimes I SSH into my server at my ISP and send email to the list from there. This always fails with the message below. Can some list admin please check why?

Thanks

matthias

- Forwarded message from Mail Delivery System -

Date: Fri, 09 Feb 2018 11:14:13 +0100
From: Mail Delivery System
To: ftp51246-2575...@sh4-5.1blu.de
Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  gnupg-users@gnupg.org
    host kerckhoffs.g10code.com [217.69.77.222]
    SMTP error from remote mail server after RCPT TO::
    451 Could not complete sender verify callout: retry timeout exceeded

Reporting-MTA: dns; sh4-5.1blu.de

Action: failed
Final-Recipient: rfc822;gnupg-users@gnupg.org
Status: 5.0.0
Remote-MTA: dns; kerckhoffs.g10code.com
Diagnostic-Code: smtp; 451 Could not complete sender verify callout: retry timeout exceeded

Date: Mon, 5 Feb 2018 11:12:12 +0100
From: Matthias Apitz
To: gnupg-users@gnupg.org
Subject: OpenPGP card && exporting secret keys

Hello,

I'm using an OpenPGP card and gnupg 2.1.19 on my FreeBSD workstations and my Ubuntu mobile device to store encrypted passwords (tool: password-store), to lock/unlock desktop sessions and to sign emails. This is all working fine and without any hiccups.

What makes me worry is that single point of failure: the OpenPGP card. While I do backups of all the encrypted password files, they would all be useless in case of loss/theft of the token or a hardware fault of the SIM card.

What I do at the moment is something like:

$ find ~/.password-store -name '*.gpg' -exec printf "%s:\n" {} \; -and -exec gpg2 -d {} 2> /dev/null \; -and -exec echo \; > /tmp/clear-password-store.txt
$ GNUPGHOME=...
$ gpg -ea /tmp/clear-password-store.txt
$ mv /tmp/clear-password-store.txt.asc $GNUPGHOME
$ rm -P /tmp/clear-password-store.txt

where the other GNUPGHOME contains secret and pub-keys created for this special purpose and living outside (i.e. without) the OpenPGP card. And in case of loss/theft of the token I could recover at least all passwords again...

Is there any way to export the secret keys from the OpenPGP card to use them directly (with a passphrase) and without the OpenPGP card?

Thanks

matthias

- End forwarded message -

--
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ 📱 +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
Thanks to the Soviet Army for the Victory in Stalingrad! -- Victory in the Battle of Stalingrad!
Re: problems sending to the list
On Sunday, February 11, 2018 at 12:56:40 PM +0100, Peter Lebbing wrote:
> I think you're not setting the "envelope from" correctly. While the
> e-mail itself has your normal e-mail address, the bounce is going to the
> address I quoted above, so apparently that is the envelope sender.

Yes. This was the issue. The MUA in question is mutt, which uses sendmail to send the mail. The -f ... was missing (I don't know why).

matthias

-- Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ 📱 +49-176-38902045 Public GnuPG key: http://www.unixarea.de/key.pub
Re: Fwd: gnupg SmartCard V3.3
On Thursday, March 01, 2018 at 09:14:15AM +0900, NIIBE Yutaka wrote:
> Hello,
>
> Werner Koch wrote:
> > @gniibe: Do you have any more up to date information on macOS and
> > smartcard readers?
>
> If possible, I recommend to use GnuPG's in-stock driver to access
> smartcard. It is direct access by libusb, not using PC/SC service.
>
> For GNU/Linux, if you don't have any other use of PC/SC service, please
> uninstall it, or disable the service, and try again with GnuPG's
> in-stock driver.
>
> For the driver, I maintain this list:
>
> https://wiki.debian.org/GnuPG/CCID_Driver
>
> For macOS, I think that it still uses old PC/SC and libccid library.
> I'm afraid that new readers (with new features like pinpad support)
> don't work well, or don't work at all.

Hello,

I do use the following USB token on FreeBSD-12 CURRENT, and 'pcscd' is configured to be started by devd on device attach:

Mar 1 08:00:56 r314251-amd64 kernel: ugen0.2: at usbus0
Mar 1 08:00:56 r314251-amd64 root: CCID uTrust, type: ATTACH, system: USB, subsystem: INTERFACE
Mar 1 08:00:56 r314251-amd64 root: /usr/local/sbin/pcscd
Mar 1 08:00:56 r314251-amd64 root: Unknown USB device: vendor 0x04e6 product 0x5816 bus uhub0

The OpenPGP card works fine:

$ gpg2 --card-status
Reader ...: Identiv uTrust 3512 SAM slot Token (55511514602745) 00 00
Application ID ...: D2760001240102010005532B0000
Version ..: 2.1
Manufacturer .: ZeitControl
Serial number : 532B
Name of cardholder: Matthias Apitz
...

Do I have any chance to use the USB token and the card directly, without 'pcscd'?

Thanks

matthias

-- Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ 📱 +49-176-38902045 Public GnuPG key: http://www.unixarea.de/key.pub
using the SSH secret key fails sometimes
Hello,

This is on FreeBSD with:

$ gpg2 --version
gpg (GnuPG) 2.1.19
libgcrypt 1.7.6

$ ps ax | egrep 'gnu|pcs'
1034 - Ss 0:00,59 gpg-agent --homedir /home/guru/.gnupg-ccid --use-standard-socket
1036 - S 0:02,24 scdaemon --multi-server --homedir /home/guru/.gnupg-ccid
3844 - S 0:01,04 /usr/local/sbin/pcscd

From time to time (let's say 1-2 times a day) the access to the SSH secret key on the OpenPGP card fails. The card is already unlocked at that moment, because unlocking the KDE desktop has asked for the PIN. Initiating an SSH session produces the attached error in scdaemon's log file. It helps to withdraw the card and insert it again (which starts a new process /usr/local/sbin/pcscd).

Any idea where to look?

Thanks

matthias

2018-03-05 10:53:40 scdaemon[1036.802017e00] handler for fd 13 started
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> OK GNU Privacy Guard's Smartcard server ready
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 <- SERIALNO
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> S SERIALNO D2760001240102010005532B
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> OK
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 <- GETINFO card_list
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> S SERIALNO D2760001240102010005532B
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> OK
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 <- SERIALNO --demand=D2760001240102010005532B
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> S SERIALNO D2760001240102010005532B
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> OK
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 <- GETATTR $AUTHKEYID
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> S $AUTHKEYID OPENPGP.3
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> OK
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 <- GETATTR SERIALNO
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> S SERIALNO D2760001240102010005532B
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> OK
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 <- READKEY OPENPGP.3
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> [ 44 20 28 31 30 3a 70 75 62 6c 69 63 2d 6b 65 79 ...(548 byte(s) skipped) ]
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> OK
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 <- GETATTR $DISPSERIALNO
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> S $DISPSERIALNO 0005532B
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> OK
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 <- SERIALNO --demand=D2760001240102010005532B
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> S SERIALNO D2760001240102010005532B
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> OK
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 <- SETDATA 3021300906052B0E03021A05000414579704ECB5FC67E700FAD99C8080277E86DCAD94
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> OK
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 <- PKAUTH OPENPGP.3
2018-03-05 10:53:40 scdaemon[1036.802017e00] pcsc_transmit failed: not transacted (0x80100016)
2018-03-05 10:53:40 scdaemon[1036.802017e00] apdu_send_simple(0) failed: general error
2018-03-05 10:53:40 scdaemon[1036.802017e00] operation auth result: General error
2018-03-05 10:53:40 scdaemon[1036.802017e00] app_auth failed: General error
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> ERR 100663297 General error
2018-03-05 10:54:04 scdaemon[1036.802017e00] DBG: chan_13 <- BYE
2018-03-05 10:54:04 scdaemon[1036.802017e00] DBG: chan_13 -> OK closing connection
2018-03-05 10:54:04 scdaemon[1036.802017e00] handler for fd 13 terminated

-- Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ 📱 +49-176-38902045 Public GnuPG key: http://www.unixarea.de/key.pub
OpenPGP card bricked
c:379:IFDHGetCapabilities() tag: 0xFB1, usb:04e6/5816:libusb-1.0:0:2:0 (lun: 0)
0012 ifdhandler.c:379:IFDHGetCapabilities() tag: 0xFB2, usb:04e6/5816:libusb-1.0:0:2:0 (lun: 0)
0011 eventhandler.c:201:EHDestroyEventHandler() Request stopping of polling thread
0011 ifdhandler.c:344:IFDHStopPolling() usb:04e6/5816:libusb-1.0:0:2:0 (lun: 0)
00401709 eventhandler.c:502:EHStatusHandlerThread() Die
0177 eventhandler.c:216:EHDestroyEventHandler() Thread stomped.
0019 readerfactory.c:1130:RFUnInitializeReader() Attempting shutdown of Identiv uTrust 3512 SAM slot Token (55511514602745) 00 00.
0025 ifdhandler.c:282:IFDHCloseChannel() usb:04e6/5816:libusb-1.0:0:2:0 (lun: 0)
9467 ccid_usb.c:189:close_libusb_if_needed() libusb_exit
0089 readerfactory.c:991:RFUnloadReader() Unloading reader driver.
0133 winscard_svc.c:152:ContextsDeinitialize() remaining threads: 0
0059 pcscdaemon.c:781:at_exit() cleaning /var/run/pcscd

-- Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ 📱 +49-176-38902045 Public GnuPG key: http://www.unixarea.de/key.pub
Re: OpenPGP card bricked
On Tuesday, March 13, 2018 at 06:54:25 PM +0900, NIIBE Yutaka wrote:
> > > What can I do?
> [...]
> > > Identiv uTrust 3512 SAM slot Token
>
> I believe that GnuPG's in-stock driver just works fine with this reader,
> because it runs at TPDU level exchange.
>
> Please try without PC/SC-lite, and see how it goes.
>
> With following ~/.gnupg/scdaemon.conf, you can get debug log.
>
> ~/.gnupg/scdaemon.conf
> verbose
> verbose
> debug-level guru
> debug-all
> debug-ccid-driver
> log-file /some/where/scdaemon-debug.log

I moved /usr/local/sbin/pcscd out of the way. The scdaemon writes the following log:

2018-03-13 15:28:10 scdaemon[2508.802016000] listening on socket '/home/guru/.gnupg-ccid/S.scdaemon'
2018-03-13 15:28:10 scdaemon[2508.802017900] handler for fd -1 started
2018-03-13 15:28:10 scdaemon[2508.802017900] DBG: chan_7 -> OK GNU Privacy Guard's Smartcard server ready
2018-03-13 15:28:10 scdaemon[2508.802017900] DBG: chan_7 <- GETINFO socket_name
2018-03-13 15:28:10 scdaemon[2508.802017900] DBG: chan_7 -> D /home/guru/.gnupg-ccid/S.scdaemon
2018-03-13 15:28:10 scdaemon[2508.802017900] DBG: chan_7 -> OK
2018-03-13 15:28:10 scdaemon[2508.802017900] DBG: chan_7 <- OPTION event-signal=31
2018-03-13 15:28:10 scdaemon[2508.802017900] DBG: chan_7 -> OK
2018-03-13 15:28:10 scdaemon[2508.802017900] DBG: chan_7 <- SERIALNO
2018-03-13 15:28:10 scdaemon[2508.802017900] DBG: enter: apdu_open_reader: portstr=(null)
2018-03-13 15:28:10 scdaemon[2508.802017900] pcsc_establish_context failed: no service (0x8010001d)
2018-03-13 15:28:10 scdaemon[2508.802017900] DBG: leave: apdu_open_reader => slot=-1 [pc/sc]
2018-03-13 15:28:10 scdaemon[2508.802017900] DBG: chan_7 -> ERR 100696144 Operation not supported by device
2018-03-13 15:28:10 scdaemon[2508.802017900] DBG: chan_7 <- RESTART
2018-03-13 15:28:10 scdaemon[2508.802017900] DBG: chan_7 -> OK

Is there some config missing so that scdaemon opens the reader directly?
What does 'pcsc_establish_context failed' mean?

Thanks for your help

matthias

-- Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ 📱 +49-176-38902045
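Both scdaemon logs in this thread (the failed PKAUTH in "using the SSH secret key fails sometimes" and the failed reader open just above) end with a `-> ERR <number> <text>` line whose number is a raw libgpg-error value. The following is an added example, written for this page and not part of GnuPG, that pulls those lines out of a log, decodes the number into its source and code fields, and attaches the reader-level failure logged just before it, including the PC/SC return code in parentheses. `SAMPLE_LOG` is constructed from the lines posted in the thread. The authoritative decoding of any such number is `gpg-error <number>` from the libgpg-error package; the field layout used here (source in bits 24..30, code in the low 16 bits, bit 15 flagging a mapped errno) is the one libgpg-error documents.

```python
"""Triage an scdaemon debug log: find the ERR replies on the Assuan channel,
decode the libgpg-error number, and attach the reader-level failure logged
just before it.  Added example, not code from GnuPG; SAMPLE_LOG is
constructed from the log lines posted in the thread."""
import re

# gpg_error_t layout (libgpg-error): source in bits 24..30, code in bits 0..15;
# bit 15 of the code means "this code carries a mapped OS errno".
GPG_ERR_SOURCE_SHIFT = 24
GPG_ERR_SOURCE_MASK = 127
GPG_ERR_CODE_MASK = (1 << 16) - 1
GPG_ERR_SYSTEM_ERROR = 1 << 15
SOURCES = {2: "GPG_ERR_SOURCE_GPG", 4: "GPG_ERR_SOURCE_GPGAGENT",
           6: "GPG_ERR_SOURCE_SCD", 10: "GPG_ERR_SOURCE_DIRMNGR"}
# PC/SC return codes (winscard.h) that appear in the thread's logs.
PCSC_CODES = {0x80100016: "SCARD_E_NOT_TRANSACTED",
              0x8010001D: "SCARD_E_NO_SERVICE"}

ERR_RE = re.compile(r"scdaemon\[[^\]]+\] DBG: (?P<chan>chan_\d+) -> ERR (?P<num>\d+) (?P<msg>.*)$")
FAIL_RE = re.compile(r"scdaemon\[[^\]]+\] (?P<what>\S+ failed: .*)$")
PCSC_RE = re.compile(r"\((0x8010[0-9a-fA-F]{4})\)")


def decode_gpg_error(num):
    """Return (source, code, is_system_errno) for a raw gpg_error_t value.
    For system errors the returned code has the flag bit cleared, leaving
    libgpg-error's errno index; the message text is the OS's own strerror."""
    source = (num >> GPG_ERR_SOURCE_SHIFT) & GPG_ERR_SOURCE_MASK
    code = num & GPG_ERR_CODE_MASK
    is_system = bool(code & GPG_ERR_SYSTEM_ERROR)
    return source, code & 0x7FFF, is_system


def triage(lines):
    """Walk the log once; every ERR reply becomes a finding that carries the
    '... failed: ...' lines seen since the previous ERR and any PC/SC codes
    found in them."""
    findings, pending = [], []
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            pending.append(m.group("what"))
            continue
        m = ERR_RE.search(line)
        if not m:
            continue
        num = int(m.group("num"))
        source, code, is_system = decode_gpg_error(num)
        pcsc = [PCSC_CODES.get(int(h, 16), h)
                for f in pending for h in PCSC_RE.findall(f)]
        findings.append({
            "chan": m.group("chan"), "num": num,
            "source": SOURCES.get(source, str(source)),
            "code": code, "system_errno": is_system,
            "msg": m.group("msg"), "failures": pending, "pcsc": pcsc,
        })
        pending = []
    return findings


# Constructed from the two logs posted in this thread (trimmed).
SAMPLE_LOG = """\
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 <- PKAUTH OPENPGP.3
2018-03-05 10:53:40 scdaemon[1036.802017e00] pcsc_transmit failed: not transacted (0x80100016)
2018-03-05 10:53:40 scdaemon[1036.802017e00] apdu_send_simple(0) failed: general error
2018-03-05 10:53:40 scdaemon[1036.802017e00] operation auth result: General error
2018-03-05 10:53:40 scdaemon[1036.802017e00] app_auth failed: General error
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> ERR 100663297 General error
2018-03-13 15:28:10 scdaemon[2508.802017900] DBG: chan_7 <- SERIALNO
2018-03-13 15:28:10 scdaemon[2508.802017900] pcsc_establish_context failed: no service (0x8010001d)
2018-03-13 15:28:10 scdaemon[2508.802017900] DBG: leave: apdu_open_reader => slot=-1 [pc/sc]
2018-03-13 15:28:10 scdaemon[2508.802017900] DBG: chan_7 -> ERR 100696144 Operation not supported by device
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["chan"], f["num"], f["source"], f["code"],
              "errno" if f["system_errno"] else "", f["pcsc"], "<-", f["failures"][0])
```

Read against the thread: 100663297 decodes to source 6 (scdaemon) and code 1 (GPG_ERR_GENERAL), the generic wrapper scdaemon puts around a PC/SC transmit that returned SCARD_E_NOT_TRANSACTED; 100696144 has the errno flag set and SCARD_E_NO_SERVICE before it, which is simply "no pcscd is running", the expected state after moving pcscd away and, as the next message shows, not the real problem, which was the permissions on the USB device node.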
Re: OpenPGP card bricked
On Tuesday, March 13, 2018 at 04:00:04 PM +0100, Peter Lebbing wrote:
> On 13/03/18 15:34, Matthias Apitz wrote:
> > Is there some config missing so that scdaemon opens directly the reader?
> > What does 'pcsc_establish_context failed' mean?
>
> A notable difference between the built-in CCID driver and pcscd is probably the
> user credentials that open the USB device. Make sure you have write access to
> the character device in /dev/bus/usb that corresponds to your smartcard:

Please note, this is not Linux but FreeBSD. But you pointed in the correct direction: missing rw perms on the /dev/usb/* device files. I'm in the group operator, but they had only 0600 perms; I fixed this to:

# ls -l /dev/usb
total 0
crw-rw----  1 root  operator  0x2c 13 mar. 15:17 0.1.0
crw-rw----  1 root  operator  0x3d 13 mar. 15:17 0.1.1
crw-rw----  1 root  operator  0x40 13 mar. 15:17 0.2.0
crw-rw----  1 root  operator  0x42 13 mar. 15:17 0.2.1
crw-rw----  1 root  operator  0x43 13 mar. 15:17 0.2.7
crw-rw----  1 root  operator  0x44 13 mar. 15:17 0.3.0
crw-rw----  1 root  operator  0x46 13 mar. 15:17 0.3.1
crw-rw----  1 root  operator  0x47 13 mar. 15:17 0.3.2
crw-rw----  1 root  operator  0x48 13 mar. 15:17 0.3.3
crw-rw----  1 root  operator  0x7e 13 mar. 15:26 0.4.0
crw-rw----  1 root  operator  0x80 13 mar. 15:26 0.4.1
crw-rw----  1 root  operator  0x81 13 mar. 15:26 0.4.2
crw-rw----  1 root  operator  0x82 13 mar. 15:26 0.4.3

and this gives more log; see below.

> Also, if I were you, I'd clean the smartcard contacts with isopropyl alcohol.
> I'm not sure what other cleaning agents would work well, I just use that one.
>
> It could be that your card has just died. Smartcards are not the most robust
> devices, and they are subjected to stress usually.

Thanks for this hint too.

2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: chan_7 <- GETINFO version
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: chan_7 -> D 2.1.19
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: chan_7 -> OK
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: chan_7 <- SERIALNO openpgp
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: apdu_open_reader: BAI=400
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: apdu_open_reader: new device=400
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: using CCID reader 0 (ID=04E6:5816:55511514602745:0)
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: idVendor: 04E6 idProduct: 5816 bcdDevice: 0202
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: ChipCard Interface Descriptor:
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: bLength 54
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: bDescriptorType 33
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: bcdCCID 1.10 (Warning: Only accurate for version 1.0)
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: nMaxSlotIndex 0
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: bVoltageSupport 7 ?
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: dwProtocols 3 T=0 T=1
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: dwDefaultClock 4800
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: dwMaxiumumClock 16000
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: bNumClockSupported 0
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: dwDataRate 12903 bps
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: dwMaxDataRate 60 bps
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: bNumDataRatesSupp. 0
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: dwMaxIFSD 252
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: dwSyncProtocols
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: dwMechanical
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: dwFeatures 000100BA
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: Auto configuration based on ATR (assumes auto voltage)
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: Auto voltage selection
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: Auto clock change
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: Auto baud rate change
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: Auto PPS made by CCID
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: TPDU level exchange
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: dwMaxCCIDMsgLen 271
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: bClassGetResponse echo
2018-03-13 16:23:16 scdaemon[
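A chmod on /dev/usb/* as done in the message above does not survive a reboot or a re-attach of the token, because devfs creates the nodes fresh each time. The persistent form on FreeBSD is a devfs ruleset applied at boot; the fragment below is an added configuration example for this page, not something from the thread or from GnuPG, and the ruleset name and number `localrules=10` are arbitrary assumptions. It keeps the nodes owned by root and only lets members of `operator` (the group the poster is already in) open them, which is what scdaemon's in-stock CCID driver needs to reach the reader through libusb.

```ini
# /etc/devfs.rules  (added example; ruleset name/number are assumptions)
[localrules=10]
add path 'usb/*' mode 0660 group operator

# /etc/rc.conf  (select the ruleset above as the system ruleset)
devfs_system_ruleset="localrules"
```

After editing both files, `service devfs restart` applies the ruleset to the already-present nodes. Keep the group to `operator` or a dedicated group rather than opening the nodes to everyone: whoever can write to the reader's node can talk to the card, and, with the PIN cached in scdaemon, use its keys.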
Re: OpenPGP card bricked
o_PC_DataBlock:
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: dwLength ..: 0
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: bSlot .: 0
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: bSeq ..: 4
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: bStatus ...: 65
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: bError : 254
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: CCID command failed: CCID timed out while talking to the ICC
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: leave: apdu_reset => sw=0x10009
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: leave: apdu_connect => sw=0x10009
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: enter: apdu_close_reader: slot=0
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: enter: apdu_disconnect: slot=0
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: leave: apdu_disconnect => sw=0x0
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: PC_to_RDR_IccPowerOff:
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: dwLength ..: 0
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: bSlot .: 0
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: bSeq ..: 5
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: [0007] 00 00 00
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: RDR_to_PC_SlotStatus:
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: dwLength ..: 0
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: bSlot .: 0
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: bSeq ..: 5
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: bStatus ...: 1
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: bClockStatus ..: 0x01 (stopped-L)
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: libusb_cancel_transfer
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: libusb_handle_events_completed
2018-03-14 16:33:10 scdaemon[2735.802280a00] DBG: ccid-driver: CCID: interrupt callback 3
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: leave: apdu_close_reader => 0x0 (close_reader)
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: enter: apdu_open_reader: portstr=(null)
2018-03-14 16:33:10 scdaemon[2735.802017900] pcsc_establish_context failed: no service (0x8010001d)
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: leave: apdu_open_reader => slot=-1 [pc/sc]
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: chan_7 -> ERR 100696144 Operation not supported by device
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: chan_7 <- RESTART
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: chan_7 -> OK

-- Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ 📱 +49-176-38902045
Re: WKD planned for Purism's laptops and Librem 5 phone
On Thursday, March 15, 2018 at 10:27:04AM +0100, Bernhard Reiter wrote:
> https://puri.sm/posts/purism-collaboration-with-cryptography-expert-werner-koch/
>
> have joined forces with leading cryptography pioneer, Werner Koch, to
> integrate hardware encryption into the company's Librem laptops and
> forthcoming Librem 5 phone.
> ..
> to include encryption by default into its hardware, software, and services.
> ..
> by default into communications such as email and messaging
> through a new process called Web Key Directory
>
> ...

I ordered one of these Librem 5 phones (~600 Euro) in the crowdfunding on October 7, 2017, and I'm keen to get my hands on it in spring next year.

matthias

-- Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ 📱 +49-176-38902045
Re: Vulnerable clients (was: US-CERT now issuing a warning for OpenPGP-SMIME-Mail-Client-Vulnerabilities)
On Tuesday, May 15, 2018 at 10:44:16AM +0200, Werner Koch wrote:
> On Tue, 15 May 2018 03:31, je...@seibercom.net said:
> > NCCIC encourages users and administrators to review CERT/CC's Vulnerability
> > Note VU #122919.
>
> Doesn't CERT read the paper before producing a report? The table of
> vulnerable MUAs is easy enough to read. To better see what we are
> discussing, here is the table in plain text format with the check marks
> replaced by yes and no.
>
> --8<---cut here---start->8---
> TABLE OF VULNERABLE MAIL CLIENTS
>
> | OS      | Client          | S/MIME | PGP -MDC | PGP +MDC | PGP SE |
> |---------|-----------------|--------|----------|----------|--------|
> | Windows | Outlook 2007    | yes    | yes      | yes      | no     |
> |         | Outlook 2010    | yes    | no       | no       | no     |
> |         | Outlook 2013    | user   | no       | no       | no     |
> |         | Outlook 2016    | user   | no       | no       | no     |
> |         | Win. 10 Mail    | yes    | –        | –        | –      |
> |         | Win. Live Mail  | yes    | –        | –        | –      |
> |         | The Bat!        | user   | no       | no       | no     |
> |         | Postbox         | yes    | yes      | yes      | yes    |
> |         | eM Client       | yes    | no       | yes      | no     |
> |         | IBM Notes       | yes    | –        | –        | –      |
> | Linux   | Thunderbird     | yes    | yes      | yes      | yes    |
> |         | Evolution       | yes    | no       | no       | no     |
> |         | Trojitá         | yes    | no       | no       | no     |
> |         | KMail           | user   | no       | no       | no     |
> |         | Claws           | no     | no       | no       | no     |
> |         | Mutt            | no     | no       | no       | no     |
> | macOS   | Apple Mail      | yes    | yes      | yes      | yes    |
> |         | MailMate        | yes    | no       | no       | no     |
> |         | Airmail         | yes    | yes      | yes      | yes    |
> | iOS     | Mail App        | yes    | –        | –        | –      |
> |         | Canary Mail     | –      | no       | no       | no     |
> | Android | K-9 Mail        | –      | no       | no       | no     |
> |         | R2Mail2         | yes    | no       | yes      | no     |
> |         | MailDroid       | yes    | no       | yes      | no     |
> |         | Nine            | yes    | –        | –        | –      |
> | Webmail | United Internet | –      | no       | no       | no     |
> |         | Mailbox.org     | –      | no       | no       | no     |
> |         | ProtonMail      | –      | no       | no       | no     |
> |         | Mailfence       | –      | no       | no       | no     |
> |         | GMail           | yes    | –        | –        | –      |
> | Webapp  | Roundcube       | –      | no       | no       | yes    |
> |         | Horde IMP       | user   | no       | yes      | yes    |
> |         | AfterLogic      | –      | no       | no       | no     |
> |         | Rainloop        | –      | no       | no       | no     |
> |         | Mailpile        | –      | no       | no       | no     |
>
> –    = Encryption not supported
> no   = Not vulnerable
> yes  = Vulnerable
> user = Vulnerable after user consent
>
> -MDC = with stripped MDC, +MDC = with wrong MDC, SE = SE packets
> --8<---cut here---end--->8---
>
> My conclusion is that S/MIME is vulnerable in most clients with the
> exception of The Bat!, Kmail, Claws, Mutt and Horde IMP. I take the
> requirement for a user consent as non-vulnerable. Most of the
> non-vulnerable clients use GnuPG as their engine.

Werner, my conclusion in addition is that the table is incorrect. Most (if not all) of the MUAs listed for Linux also run on nearly any other UNIX flavor, FreeBSD, OpenBSD, ... and mutt in addition runs on Canonical Ubuntu for smartphones/tablets and on UBports devices.

matthias

-- Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ 📱 +49-176-38902045 Public GnuPG key: http://www.unixarea.de/key.pub
Using gnupg to crypt credentials used by application to access a database server
Hello,

We have large application servers (written in C and C++), but also Perl and Java applications, which all contact a Sybase database server over the network to do their work. They have to present USER and PASSWORD information to connect to the Sybase ASE listening on some port.

As USER and PASSWORD are not entered by humans, at least not at the moment the application makes the connection, they are stored in clear text in files in the UNIX (Linux, SunOS) file system. They are entered once, when the software is installed, or modified with a text editor when the credentials have to be changed for whatever reason.

Of course, storing them in clear text was always a bad idea. Any person with access to the server and a bit of knowledge could read and misuse them, even to drop the complete database or manipulate accounting data.

We are looking for a way to change this situation, and one of the options or ideas I have is to encrypt the credentials with GnuPG in some file. Each application would have to decrypt this file on the fly (perhaps with a shell command) to get USER and PASSWORD into its environment variables or internal variables, use them to connect to the database server, and forget the credentials again as soon as possible.

Decrypting with GnuPG needs a passphrase, normally read from /dev/tty, which cannot be done in this case. My idea here is to write a special 'pinentry' program which provides the passphrase, which is itself encrypted with Blowfish inside the 'pinentry' program, and the 'pinentry' will only work if the process calling GnuPG sends some information over a socket or a file to authorize the access to this special 'pinentry'.

Any other and better ideas for this? Thanks in advance.

matthias

-- Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ 📱 +49-176-38902045 Public GnuPG key: http://www.unixarea.de/key.pub
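For an unattended service the GnuPG layer proposed above only moves the secret: whatever process decrypts the file must itself hold the passphrase (or the authorization token for the special pinentry), and an attacker who can run code as that user gets it the same way the service does. What actually bounds who can read the credentials is the operating-system boundary: a dedicated service uid, an owner-only file, and a loader that refuses anything weaker. The following is an added example written for this page, not code from the poster, from GnuPG or from any of the mentioned applications; the file name, the `KEY=VALUE` format and the `InsecureCredentialFile` exception are assumptions.

```python
"""Read a service's database credentials from an owner-only file, refusing
anything weaker.  Added example; the file name, KEY=VALUE format and the
InsecureCredentialFile class are assumptions, not code from the post or from
GnuPG."""
import os
import stat


class InsecureCredentialFile(Exception):
    """The file exists but its ownership or permissions are not safe."""


def load_credentials(path, expected_uid=None):
    """Return {'USER': ..., 'PASSWORD': ...} parsed from `path`.

    All checks run on the open descriptor (fstat), never on the path name, so
    the file cannot be swapped between the check and the read.  O_NOFOLLOW
    refuses a symlink planted at the path; the mode check refuses any
    group/other bit, which is the "readable by anyone with access to the
    server" situation the post describes."""
    uid = os.geteuid() if expected_uid is None else expected_uid
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise InsecureCredentialFile(f"{path}: not a regular file")
        if st.st_uid != uid:
            raise InsecureCredentialFile(
                f"{path}: owned by uid {st.st_uid}, expected {uid}")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise InsecureCredentialFile(
                f"{path}: mode {oct(st.st_mode & 0o777)} grants group/other access")
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "r", encoding="utf-8") as f:
        text = f.read()

    creds = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"{path}:{lineno}: expected KEY=VALUE")
        creds[key.strip()] = value.strip()
    missing = {"USER", "PASSWORD"} - creds.keys()
    if missing:
        raise ValueError(f"{path}: missing {sorted(missing)}")
    return creds


if __name__ == "__main__":
    # Assumed location; create it with: umask 077; editor /etc/myapp/db.cred
    print(load_credentials("/etc/myapp/db.cred")["USER"])
```

Pair this with a service account that has no interactive shell and owns nothing else, and pass the values to the database client in-process rather than through environment variables or the command line, both of which are visible to other processes on many systems. The same checks are worth adding in front of any GnuPG-based variant too, because the encrypted file, the GNUPGHOME with the decryption key, and the pinentry's authorization secret all need exactly this protection.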
Re: Using gnupg to crypt credentials used by application to access a database server
On Monday, July 16, 2018 at 09:06:58AM +0200, Michael Kesper wrote:
> Hi all,
>
> On Saturday, 14.07.2018, 15:15 +0200, Matthias Apitz wrote:
> > We are looking for a way to change this situation and one of the
> > options
> > or ideas I have, is crypt the credentials with GnuPG in some file.
>
> I use pass [0] for this.
> It uses gnupg under the hood and also has ansible integration.
> Adding and removing users is a bit of hassle but it integrates much
> better with git than e.g. keepass or the like.

Hi Michael,

I use pass too for all my Firefox credentials for access to web pages and services, i.e. I know how this works. I use GnuPG for this together with an OpenPGP card, and to unlock the password storage I have to provide the 6-digit PIN of the card. The storage remains unlocked until card removal. This all works fine.

But I do not see how this could fit into the scenario I described. When an application server starts on the UNIX host, it needs the database access credentials and there is no human to key in any PIN, for example when the server starts at boot time... How do you think pass could fit? Maybe I am overlooking something...

Thanks

matthias

-- Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ 📱 +49-176-38902045 Public GnuPG key: http://www.unixarea.de/key.pub
OpenPGP card: how to lock the card again so that PIN is required
Hello,

This is with gnupg-2.2.12 and pcsc-lite-1.8.23. After an update of the system (FreeBSD CURRENT), /usr/local/sbin/pcscd does not work anymore with the OpenPGP card (HID Global OMNIKEY 6121 Smart Card Reader) after withdrawal and re-insertion. It works fine after boot; I have to enter the PIN to unlock the card and all tested functions are working. I have to investigate this further or change 'scdaemon' to let it access the OpenPGP card directly, bypassing 'pcscd' (comments on this are welcome).

How can I meanwhile 'reset' the OpenPGP card so that on the next request for the secrets (decrypt, signing, ssh) the PIN is requested?

Thanks

matthias

-- Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045 Public GnuPG key: http://www.unixarea.de/key.pub October, 7 -- The GDR was different: Peace instead of Bundeswehr and wars, Druschba instead of Nazis, to live instead of to survive.
Re: OpenPGP card: how to lock the card again so that PIN is required
On Tuesday, January 01, 2019 at 06:40:56 PM +0100, Dirk Gottschalk wrote:
> Hello Matthias.
>
> On Tuesday, 01.01.2019, 08:36 +0100, Matthias Apitz wrote:
> > Hello,
> >
> > This is with gnupg-2.2.12 and pcsc-lite-1.8.23. After an update of
> > the System (FreeBSD CURRENT) the /usr/local/sbin/pcscd does no work
> > anymore with the OpenPGP card (HID Global OMNIKEY 6121 Smart Card
> > Reader) after withdraw and re-insert. It works fine after boot, I
> > have to enter the PIN to unlock the card and all tested functions are
> > working.
>
> Did you check the config for pcscd? Probably it was overwritten by the
> update process.

There is no config file for pcscd, only for serial devices. Interestingly, the pcscd started via devd at boot time works fine:

$ ps ax | grep pc
536 v0- S 0:00,98 /usr/local/sbin/pcscd --debug --foreground

When I disable this start at boot time and start the same command as root from the shell (to investigate/debug), it just hangs. System USB commands, like 'usbconfig list', show the same problem. It looks like something in the boot process after the start of the above PID damages the USB stack.

> > I have to investigate this further or change the 'scdaemon' to let it
> > directly access the OpenPGP bypassing the 'pcscd' (comments on this
> > are welcome).
>
> You can use the internal ccid-reader of scdaemon. This should work with
> the OmniKey readers, AFAIK. You have to disable PC/SC, otherwise this
> won't work.

I did so; it shows (when started after boot) the same problem.

> > How can I meanwhile 'reset' the OpenPGP card so that on next request
> > for the secrets (decrypt, signing, ssh) the PIN is requested?
>
> For the signature PIN just enable the forcepin option as admin with
> --card-edit. For the other functions you need to power cycle the
> card, easiest done by removal and re-insertion.

Yes, this was what I did before the update :-) Thanks for your reply anyway.

matthias

-- Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045 Public GnuPG key: http://www.unixarea.de/key.pub
Re: OpenPGP card: how to lock the card again so that PIN is required
On Wednesday, January 02, 2019 at 11:36:54 AM +0100, Werner Koch wrote:
> On Tue, 1 Jan 2019 08:36, g...@unixarea.de said:
>
> > with the OpenPGP card (HID Global OMNIKEY 6121 Smart Card Reader) after
>
> Take care: Usual Omnikey problems with creating and using large keys
> apply.

Thanks. But I have been using this card and reader for a long time. And the same problem occurs with the uTrust reader.

> > How can I meanwhile 'reset' the OpenPGP card so that on next request for
> > the secrets (decrypt, signing, ssh) the PIN is requested?
>
> gpgconf --reload scdaemon
>
> is the easiest way. You can also use --kill as it is the same for
> scdaemon.

THANKS!!! This works, and now I can at least disable the card when I go away from the laptop.

BTW: The CCID and the readers come with no manual on how, i.e. in which direction, one has to insert the CCID. Yesterday I took pictures to have this clear now :-)

matthias

-- Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045 Public GnuPG key: http://www.unixarea.de/key.pub
Re: OpenPGP card: how to lock the card again so that PIN is required
On Tuesday, January 01, 2019 at 06:40:56 PM +0100, Dirk Gottschalk wrote:
> Hello Matthias.
>
> On Tuesday, 01.01.2019, 08:36 +0100, Matthias Apitz wrote:
> > Hello,
> >
> > This is with gnupg-2.2.12 and pcsc-lite-1.8.23. After an update of
> > the System (FreeBSD CURRENT) the /usr/local/sbin/pcscd does no work
> > anymore with the OpenPGP card (HID Global OMNIKEY 6121 Smart Card
> > Reader) after withdraw and re-insert. It works fine after boot, I
> > have to enter the PIN to unlock the card and all tested functions are
> > working.
>
> Did you check the config for pcscd? Probably it was overwritten by the
> update process.

To close this thread: it turned out to be an issue with the USB chips in my laptop, which were not correctly handled by the USB driver in the kernel. It has been fixed since yesterday with this commit:

https://svnweb.freebsd.org/changeset/base/342778

matthias

-- Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045 Public GnuPG key: http://www.unixarea.de/key.pub
GnuPG: Bad Passphrase (try 2 of 3)
Hello,

I've GnuPG 2.1.12 on my mobile device (without any OpenPGP card) and generated there a new secret key to encrypt credentials I'm using on this device. I was a bit surprised reading (after entering a bad passphrase for testing):

    Please enter the passphrase to unlock the OpenPGP secret key:
    "Matthias Apitz (BQ E4.5 key) "
    4096-bit RSA key, ID FA46903FD2B8E5E9,
    created 2019-01-07 (main key ID 8F3E3E3C247AB779).

    Bad Passphrase (try 2 of 3)

    Passphrase: __

Note: This is not with the PIN of an OpenPGP-card. What would happen exactly after the 3rd bad value? Destruction of the key or of my device? :-)

Thanks

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
October, 7 -- The GDR was different: Peace instead of Bundeswehr and wars, Druschba instead of Nazis, to live instead of to survive.
OpenPGP card: reader with 2 USB connectors
Hello,

I'm using an OpenPGP card in my FreeBSD laptop and my Ubuntu mobile phone (see photo http://www.unixarea.de/UbuntuPhone-GnuPG-card2.jpg ). The reader is an Identiv uTrust 3512 SAM slot Token which works just fine (after solving an issue in the FreeBSD USB driver). To connect it to the mobile device one needs a small adapter or a cable. See the photo.

All this is not very stable, esp. the connector in the mobile device. Are there any readers with two USB connectors like some USB memory sticks have?

Thanks

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
October, 7 -- The GDR was different: Peace instead of Bundeswehr and wars, Druschba instead of Nazis, to live instead of to survive.
Re: Please start a new thread
On Tuesday, March 26, 2019 at 05:00:33PM +0530, Shweta Tyagi wrote:

> Hi Peter,
> How can I start a new thread? Please advise.
> If you have any solution for this please help me find out the solution.
>

Hi,

This depends on your Mail User Agent. It means "start a new mail with a new Subject" to the addr gnupg-users@gnupg.org. DO NOT reply to another thread when you have a new issue/problem/question. And, DO NOT top post, btw.

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
October, 7 -- The GDR was different: Peace instead of Bundeswehr and wars, Druschba instead of Nazis, to live instead of to survive.
Re: ProtonMail and Anonymity
On Monday, May 06, 2019 at 07:15:06 a.m. +0200, Stefan Claas wrote:

> > > https://protonmail.com/
> > >
> >
> > I suppose like anything else it all comes down to whether you believe
> > them or not. I do.
>
> [snip]
>
> Well, I just asked myself ...
>
> What is the purpose behind an unlinked hash.
>

Well, I'm asking myself: What does all this thread have to do with GnuPG?

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May, 9: Спаси́бо освободители! Thank you very much, Russian liberators!