Hi,
first, a happy new year 2025 to everybody!
On 02.10.24 09:19, Werner Koch wrote:
[snip]
Thus libksba does not see the actual signature but only the
certificates. The data is handled as a kind of certs-only message but
that's of course wrong. I'll get back to you as soon as I have had
Hi!
On Tue, 1 Oct 2024 17:40, Albrecht Dreß said:
> and Thunderbird is also able to verify the message and to display the
> signature info.
Running it with --audit-log FILE puts this info into FILE:
* Data verification succeeded: No
* Data available: Yes
* Signature availab
Hi all,
I stumbled over a S/MIME signed message where gpgsm seems to be unable to
extract the signers and to verify the signature. Using the attached signature
blob and a dummy “message” part, gpgsm says just
$ gpgsm --debug-level basic --verify SIG.bin dummy.txt
gpgsm: enabled debug flags
>>> "EB" == Eva Bolten writes:
Hi
> Hi,
> try the following:
> Export the certificate from firefox or chrome into a new file and try
> to import the certificate from that file with gpgsm.
Thanks.
Meanwhile I found out the culprit might have been a someho
Hi
I upgraded yesterday from Ubuntu 16 to 24 and have now gpgsm 2.4.4 installed.
I imported an official p12 certificate without any problems into firefox and
google chrome
However when I run
,----
| gpgsm --import Brauer.p12
`----
Type the password, I receive
--8<---
Hi
updating libksba is not enough. You also need to update gpgsm. Maybe
you can try GnuPG 2.5.0 which we released on Friday.
Salam-Shalom,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
Hello!
This is related to:
https://lists.gnupg.org/pipermail/gnupg-users/2024-June/067180.html
https://dev.gnupg.org/T7171
When I try to send mail via Claws Mail, I get the following error
messages in kwatchgnupg:
4 - 2024-07-02 11:46:32 gpgsm[7782]: DBG: adding certificates at level -8
4
Hi,
On 2023-12-14 19:43, Werner Koch wrote:
On Thu, 14 Dec 2023 16:19, Jakob Bohm said:
zcat ${infl} |
faketime "${DSTAMP}" gpgsm --verify --validation-model shell
--assume-binary --status-fd 3 --output - - 3>${wrkdir}/sigdec.status
|| :
gpgsm: ksba_cms_parse f
Hi!
On Thu, 14 Dec 2023 16:19, Jakob Bohm said:
> zcat ${infl} |
> faketime "${DSTAMP}" gpgsm --verify --validation-model shell
> --assume-binary --status-fd 3 --output - - 3>${wrkdir}/sigdec.status
> || :
> gpgsm: ksba_cms_parse failed: Broken pipe
gpgs
Dear list,
I am using gpgsm in a script for its ability to efficiently process CMS
format messages larger than available memory. However after a recent
script change, it now fails every time on previously accepted data with
error messages that are essentially gpg implementation internals
Hi Simon,
On Tuesday, 11 April 2023 15:13:12, Simon Josefsson via Gnupg-users wrote:
> >> Are there well-maintained debian packages for GnuPG 2.4 anywhere?
> >> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022702#10
> only took an hour or so to build bullseye packages for 2.2.40 and 2.4.0
vuori writes:
> On Tue, Apr 11, 2023 at 10:50:39AM +0200, Simon Josefsson via Gnupg-users
> wrote:
>> Are there well-maintained debian packages for GnuPG 2.4 anywhere? I
>> recently ran into yet another bug that has been fixed in later versions
>> that Debian/Trisquel doesn't ship, so wondered
On Tue, Apr 11, 2023 at 10:50:39AM +0200, Simon Josefsson via Gnupg-users wrote:
> Are there well-maintained debian packages for GnuPG 2.4 anywhere? I
> recently ran into yet another bug that has been fixed in later versions
> that Debian/Trisquel doesn't ship, so wondered this recently as well.
>
Werner Koch via Gnupg-users writes:
> I am sorry, for the Debian troubles - we actually had 2.3 in Sid already
> 2 years ago. AFAICS the problem is that the Debian maintainer seems to
> be in a conflict between being Sequoia contributor and maintainer,
> OpenPGP WG Chair and also long time GnuPG
On Sun, 9 Apr 2023 19:13, John Scott said:
> You're a genius! I actually had a hard time getting Scute 1.7.0 to
> compile, so I built it from Git instead and everything worked
> flawlessly! I was even able to sign a PDF :)
FWIW, we are even working on Poppler to integrate GnuPG without the need
On Sunday, 9 April 2023 20:13:46 BST John Scott via Gnupg-users wrote:
> You're a genius!
Hardly. :D
> I actually had a hard time getting Scute 1.7.0 to compile, so I built it from
> Git instead
If you have some time to spare I’d be interested to know which problem(s) you
ran into when trying
On Sun, 2023-04-09 at 12:09 +0100, Damien Goutte-Gattat wrote:
> If you don’t mind compiling and installing GnuPG ≥ 2.3 yourself you should
> also try installing Scute 1.7.0.
You're a genius! I actually had a hard time getting Scute 1.7.0 to compile, so
I built it from Git instead and everything
Hi,
On Sunday, 9 April 2023 03:35:18 BST John Scott via Gnupg-users wrote:
> Note that GnuPG 2.3 is not available in Debian, not even in Debian
> experimental yet, but as soon as the packagers provide it I will give it a
> try. Perhaps I'll install GnuPG 2.3 myself in /usr/local
Note also that
Hi,
I'm using Debian Bookworm (Testing) with GnuPG, gpgsm, and Scute. My motivation
for using this trio of tools is a little elaborate, so allow me to explain. For
just the technical stuff, skip to the end.
I use OpenPGP for a variety of reasons, including for my own email securit
nodes -out /tmp/temp.pem
>
> In the PEM file, I can see four certificates (my own and the
> chain) and the private key. But importing the .p12 file into
> gpgsm fails:
With GnuPG 2.2.36, this problem is indeed gone. Thank you!
Regards,
Torsten Bronger.
--
Torsten Bronger
sm
Jacob Bachmeyer wrote:
> Gilberto F da Silva via Gnupg-users wrote:
>> Slackware64 15
>>
>> slack15@darkstar:~/.config$ gpg --version
>> gpg (GnuPG) 1.4.23
>> [...]
>
>
> I may be misunderstanding, but I do not think that GPG 1.4.x ever even
> supported X.509 at all. Maybe you also have a gpg2
On Tue, 14 Jun 2022 08:38, Torsten Bronger said:
> Hi there!
>
> Werner Koch writes:
>
>> please let us know your GnuPG versions and your OS.
>
> gpgsm (GnuPG) 2.2.27
Please update to 2.2.35 which
* gpgsm: Fix parsing of certain PKCS#12 files. [T5793]
See https://d
Hi there!
Werner Koch writes:
> please let us know your GnuPG versions and your OS.
gpgsm (GnuPG) 2.2.27
libgcrypt 1.9.4
libksba 1.6.0-unknown
…
Supported algorithms:
Cipher: 3DES, AES128, AES192, AES256, SERPENT128, SERPENT192, SERPENT256, SEED,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Pub
Hi there!
ckeader via Gnupg-users writes:
> [...]
>
>> How can I successfully import the certificates and the key into
>> gpgsm?
>
> FWIW, I've never been able to import the S/MIME cert from $WORK
> into gnupg/gpgsm straight. I've had to go via thunderbird
Gilberto F da Silva via Gnupg-users wrote:
Slackware64 15
slack15@darkstar:~/.config$ gpg --version
gpg (GnuPG) 1.4.23
[...]
I may be misunderstanding, but I do not think that GPG 1.4.x ever even
supported X.509 at all. Maybe you also have a gpg2 command? Maybe
there is another gpg so
Hi!
please let us know your GnuPG versions and your OS.
Shalom-Salam,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
___
Gnupg-users mai
> One source said that gpg and gpgsm share the same database at least
> for private keys. But I get an import error trying to import the
> PEM file with only the key into gpg.
>
> How can I successfully import the certificates and the key into
> gpgsm?
FWIW, I've never
four certificates (my own and the chain)
and the private key. But importing the .p12 file into gpgsm fails:
$ gpgsm --import TorstenBronger.p12
gpgsm: data error at "data.objectidentifier", offset 67
gpgsm: error at "bag-sequence", offset 49
gpgsm: error parsi
On Sunday, 6 February 2022 08:07:21 CET Borden via Gnupg-users wrote:
> According to dev.gnupg.org <https://dev.gnupg.org/T4092>, EC support has
> been in gpgsm for a while now. However, I cannot import an EC
> certificate/key pair (generated by CPanel via COMODO) into gpgsm . Thi
Good morning,
According to dev.gnupg.org <https://dev.gnupg.org/T4092>, EC support has been
in gpgsm for a while now. However, I cannot import an EC certificate/key pair
(generated by CPanel via COMODO) into gpgsm . This is a bummer because
Kleopatra is basically a gpgsm frontend.
The
>>> "UBvG" == Uwe Brauer via Gnupg-users writes:
> Hi
> I am on Ubuntu 16.04 running
> gpgsm (GnuPG) 2.1.11
> libgcrypt 1.6.5
> libksba 1.3.3-unknown
> I am also a die hard user of emacs and use it for encrypting and
> decrypting my mails.
>
On Sun, 26 Dec 2021 09:20, Uwe Brauer said:
> gpgsm (GnuPG) 2.1.11
Please get a decent version. The LTS branch is currently at 2.2.33.
Your version is 5 years old!
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
Hi
I am on Ubuntu 16.04 running
gpgsm (GnuPG) 2.1.11
libgcrypt 1.6.5
libksba 1.3.3-unknown
I am also a die hard user of emacs and use it for encrypting and
decrypting my mails.
I received a smime message from a colleague (with his public key
embedded of course).
When I tried to send him a
Hi,
On Mon, Nov 08, 2021 at 02:45:53PM +1000, Stuart Longland via Gnupg-users wrote:
The HTTP request I need to perform is this one:
https://www.vaultproject.io/docs/auth/cert#via-the-api
I tried using Firefox, it can see the certificate presented by `scute`,
but it seems Vault isn't designed t
Hi all,
I'm trying to get 2FA HTTP client authentication working with a YubiKey
5 hardware token at my workplace.
I currently already have the YubiKey working successfully with GnuPG
2.2 in OpenPGP mode for two-factor SSH authentication and git code
signing. Aside from a few niggles (like not be
Hi
My main machine is a X1 running Ubuntu 16.04. I have to use a macbook as
well for which I currently installed fink.
I mostly signing and encrypting with smime and emacs+gpgsm work nicely
on my Ubuntu machine.
Does anybody know, whether I can install gpgsm on fink or ports? (Or
homebrew as
On Monday, May 18, 2020 2:53:55 AM EDT Werner Koch wrote:
> On Sat, 16 May 2020 23:24, John Scott said:
>> Looking up recipients with both dirmngr-client and
>> gpgsm --verbose --list-external-keys [recipient]
>> are fruitless whether I drop the ads\ from my username or no
On Sat, 16 May 2020 23:24, John Scott said:
> Looking up recipients with both dirmngr-client and
> gpgsm --verbose --list-external-keys [recipient]
> are fruitless whether I drop the ads\ from my username or not. I've bumped
> the
> ldaptimeout to 25. Still
Hi,
I'm stumped getting gpgsm to lookup S/MIME certificates in my organization.
I've got a temporary working solution with ldapsearch after logging into my
VPN with NetworkManager+OpenConnect:
ldapsearch -Wt -b OU=Accounts,DC=ads,DC=foo,DC=com -D
CN=jscott,OU=Accounts,DC=ads,DC=
Dear Werner,
Thank you for your prompt reaction.
I did a test and despite the error I see indeed the file is correctly decrypted.
So the conclusion is that when a file is encrypted with two recipients - when
the file is received by the second recipient it is sufficient that he has the
correspond
On Thu, 28 Nov 2019 10:57, Yves T said:
> 1. is B able to decrypt the file if he has not the secret key from A
Yes. As long as the secret key (aka private key) is available
Quick test:
$ fortune | gpgsm -ev -r 0xE297583E -r 0xCA89261C >/tmp/testenc
The first -r is for s/n 1A
Sender A:
To recapitulate : sender A uses gpgsm with 2 recipients:
gpgsm --recipient --recipient --encrypt file.txt >
encryptedfile.gpg
Receiver B:
The receiving end B has his own correct secret key available but not the secret
key from B and gets an error when decrypting the file:
gp
On 2019-11-26 at 17:51 +, Yves T via Gnupg-users wrote:
> Dears,
>
> A client uses gpgsm with multiple recipient options. The first option
> refers to his own certificate, the second option to the recipients
> certificate.
> The receiving end has trouble decrypting the fil
Dears,
A client uses gpgsm with multiple recipient options. The first option refers to
his own certificate, the second option to the recipients certificate.
The receiving end has trouble decrypting the file. Output mentions
gpgsm: error decrypting session key: No secret key
gpgsm: decrypting
On Tue, 30 Jul 2019 13:28:32 +0200,
"Dr. Thomas Orgis" wrote:
> And even with it present, is it
> correct behaviour for gpgsm to consider the chain invalid instead of
> just the cross-signature? It _does_ trust the new root cert already …
> no need for any further signatur
to this situation? I now simply deleted the
offending cross-certificate via
gpgsm --delete-key 0x61A8CF44
and now gpgsm happily accepts the new root cert. So, removal of an
expired signature makes the chain valid.
Shouldn't gnupg then just ignore the expired signature?
I went furthe
On Sat, 20 Jul 2019 20:07:37 +0200,
"Dr. Thomas Orgis" wrote:
> The issue I see is that
> these certs are not even supposed to be in the chain!
> the presence of the old certificates stirs things up. When I create a
> fresh user and import the new key with its certs
erein Certification Authority 2 signed by T-TeleSec GlobalRoot Class 2
> 1. T-TeleSec GlobalRoot Class 2 signed by T-TeleSec GlobalRoot Class 2 (root)
>
> Compared to what gpgsm sees/shows:
>
> 4. Thomas Orgis (me) signed by DFN-Verein Global Issuing CA
> 3. DFN-Verein G
Hi,
thanks for looking at this …
On Sat, 20 Jul 2019 11:01:49 +0200,
Dirk Gottschalk wrote:
> This is the issue here. These two certs of DTAG (Telekom) are expired
> and that's the reason why gpgsm is complaining correctly.
Please check again my original post, though. The issue I
sche Telekom AG/C=DE
> Subject: /CN=Deutsche Telekom Root CA 2/OU=T-TeleSec Trust
> Center/O=Deutsche Telekom AG/C=DE
> validity: 1999-07-09 12:11:00 through 2019-07-09 23:59:00
> chain length: 5
This is the issue here. These two certs of DTAG (Telekom) are expired
and that
Hi,
I'm trying to switch to my third S/MIME cert after two earlier expired
ones in gpgsm. The private key and the certificate are valid into the
year 2022, but gpgsm (version 2.2.15) tells me this:
shell$ LANG=C gpgsm --sign -u 0x310C60AF
[…]
gpgsm: certificate is good
gpgsm: interme
opt/libgcrypt/include/ -L/opt/readline/lib/
> -L/opt/libiconv/lib/ -L/opt/libgcrypt/lib/ -L/opt/readline//lib -o asschk
> asschk.o
> srcdir=. GNUPGHOME=`/bin/pwd` GPG_AGENT_INFO= LC_ALL=C GPGSM=../sm/gpgsm
> ./runtest ./inittests
> ../sm/gpgsm: error while loading shared libra
See also https://bugs.debian.org/888025 for a mutt+gpgsm example of this
kind of frustration. (i'm cc'ing that bug report since it has seen no
decisive action; perhaps this discussion will help move things along
there)
The current behavior is:
The user sees "do you ultimately trus
;s tedious.
Therefore I would like to integrate certificates provided by
debians ca-certificates package with gpgsm, but the only way I
found to do so, would be to manually import all those
certificates.
Isn't there an option to read in those certs from /etc/ssl... at
start-up
rtifcates for the same email address. In
>thunderbird I can import them both and select which I want to use.
>
>I hesitate to import the second one to gpgsm since it is not clear to
>me
>which will then be chosen by gnus/emacs/epa.
>
>I will also ask in the emacs mailin
Hi
I now possess 2 valid X509 certificates for the same email address. In
thunderbird I can import them both and select which I want to use.
I hesitate to import the second one to gpgsm since it is not clear to me
which will then be chosen by gnus/emacs/epa.
I will also ask in the emacs mailing
On 02.05.18 at 07:35, Werner Koch wrote:
On Tue, 1 May 2018 10:55, stefan.cl...@posteo.de said:
openssl cms -verify -in original.eml > message.txt && \
openssl cms -cmsout -in original.eml | \
sed "1,4d" | base64 -d > file.sig && \
gpgsm --verify file.sig mess
Hi,
On 2 May 2018 at 07:29 +0200, Werner Koch wrote:
> Dirmngr (the network access component of GnuPG) got an DNS error; that
> is it can't find the IP of the requested server with the CRL.
Ah, thanks. That's something I can work with.
> As a possible workaround you can try to add
>
> s
On 02.05.18 at 07:35, Werner Koch wrote:
On Tue, 1 May 2018 10:55, stefan.cl...@posteo.de said:
openssl cms -verify -in original.eml > message.txt && \
openssl cms -cmsout -in original.eml | \
sed "1,4d" | base64 -d > file.sig && \
gpgsm --verify file.sig mess
On Tue, 1 May 2018 10:55, stefan.cl...@posteo.de said:
> openssl cms -verify -in original.eml > message.txt && \
> openssl cms -cmsout -in original.eml | \
> sed "1,4d" | base64 -d > file.sig && \
> gpgsm --verify file.sig message.txt
Adding --
On Sun, 29 Apr 2018 22:27, m-guel...@phoenixmail.de said:
> gpgsm: checking the CRL failed: Server indicated a failure
> gpgsm: error creating signature: Server indicated a failure
Dirmngr (the network access component of GnuPG) got an DNS error; that
is it can't find th
On 23.04.18 at 08:50, Stefan Claas wrote:
On 23.04.18 at 08:36, Werner Koch wrote:
On Sun, 22 Apr 2018 20:26, stefan.cl...@posteo.de said:
i was wondering when receiving an S/MIME
message created with Thunderbird, how do
i properly verify the message with gpgsm?
You need to de-compose the
make valid
certificates so that it's really my bank or fsfe.org. Somebody chose
that trust for us because we normal people can't judge.
So I thought that gpgsm would be the same: some root CA's would be
automatically valid and trusted to certify others and gpgsm would just
work like
On 2018-04-28, Teemu Likonen wrote:
> When verifying an S/MIME message gpgsm (I think) asks whether I
> ultimately trust some certificate authority to certify others and then
> asks me to verify that a displayed fingerprint belongs to the authority.
> How do I know? (So far I have
Hi everyone,
I'm trying to set up S/MIME signing with mutt using gpgsm on Debian
Stable (Stretch). I've successfully imported the PKCS#12
certificate/private key bundle into gpgsm, but it won't let me sign
anything. It fails with an error message as shown below:
$ gpgsm --
I read email with Gnus (Emacs) and from time to time someone has signed
his mail with S/MIME (X.509) system. My Gnus tries to verify signatures
automatically and it works nicely with PGP/MIME but S/MIME is more
difficult.
When verifying an S/MIME message gpgsm (I think) asks whether I
ultimately
Hi,
I'm using GnuPG to sign 'swupdate' update images. They are verified on the
target using openssl:
gpgsm -o sw-description.sig -sb sw-description
swupdate links against the openssl, but the equivalent cmd line is:
openssl cms -verify -in sw-description.sig -inform
On 23.04.18 at 08:36, Werner Koch wrote:
On Sun, 22 Apr 2018 20:26, stefan.cl...@posteo.de said:
i was wondering when receiving an S/MIME
message created with Thunderbird, how do
i properly verify the message with gpgsm?
You need to de-compose the S/MIME message to get the CMS objects
On Sun, 22 Apr 2018 20:26, stefan.cl...@posteo.de said:
> i was wondering when receiving an S/MIME
> message created with Thunderbird, how do
> i properly verify the message with gpgsm?
You need to de-compose the S/MIME message to get the CMS objects.
Despite the name, gpgsm does not kn
On 22.04.18 at 20:26, Stefan Claas wrote:
Hi all,
i was wondering when receiving an S/MIME
message created with Thunderbird, how do
i properly verify the message with gpgsm?
As an example i sign now this message
and would appreciate any tips!
P.S. when i do a verify on a Thunderbird
S/MIME
Hi all,
i was wondering when receiving an S/MIME
message created with Thunderbird, how do
i properly verify the message with gpgsm?
As an example i sign now this message
and would appreciate any tips!
P.S. when i do a verify on a Thunderbird
S/MIME message i always get:
gpgsm: enabled debug
On 28/02/18 20:59, Werner Koch wrote:
> But that is about gpg and not about gpgsm.
Currently, it's not that easy to get the keygrip for an OpenPGP
smartcard key.
For keys for which the public part is available, it's:
$ gpg --card-status
Note desired KEYID
$ gpg --with-keygrip -k $K
On Wed, 28 Feb 2018 18:57, andr...@andrewg.com said:
> Is there any support for using gpgsm as a certificate authority?
There is some basic support to create certificates:
The format of the parameter file is described in the manual under
"Unattended Usage".
[...]
T
On 2018-02-28 15:35, Werner Koch wrote:
On Fri, 23 Feb 2018 19:21, j...@netbsd.org said:
ATM (with gpgsm (GnuPG) 2.2.4) , due to [1], gpgsm cannot sign
certificate for which a public key has been imported but without an
associated private key to it (disregarding the self-signing
What you
> Hi, all.
>
> Is there any support for using gpgsm as a certificate authority?
Hi,
FWIW I have put up a guide recently on how I achieved this with gpgsm +
an OpenPGP card for private key handling. You can drop the card thing if
you don't intend using and keep the private key i
On Wed, 28 Feb 2018 16:30, thomas.jaro...@intra2net.com said:
> what do you think about Peter's idea:
>
> $ gpg --with-keygrip --card-status
If you use that with --with-colons you can also script this.
But that is about gpg and not about gpgsm. gpgsm has no external card
interfa
Hi, all.
Is there any support for using gpgsm as a certificate authority?
--
Andrew Gallagher
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg
On Wednesday, 28 February 2018 14:50:39 CET Werner Koch wrote:
> If you need this information a small tool to present an enhanced menu
> could be written. That tool would then utilize gpgsm and gpg. GPA
> might be a candidate to implement this.
what do you think about Peter'
On Fri, 23 Feb 2018 19:21, j...@netbsd.org said:
> ATM (with gpgsm (GnuPG) 2.2.4) , due to [1], gpgsm cannot sign
> certificate for which a public key has been imported but without an
> associated private key to it (disregarding the self-signing
What you here is to create CSR (Ce
On Wed, 28 Feb 2018 10:56, thomas.jaro...@intra2net.com said:
> When using a smartcard, what about showing the openpgp key IDs
> in the "Available keys" menu?
gpgsm does and shall not know anything about OpenPGP. Thus it can't
display OpenPGP information. In theory
On 28/02/18 10:56, Thomas Jarosch wrote:
> When using a smartcard, what about showing the openpgp key IDs
> in the "Available keys" menu?
I don't think that's possible: keygrips are "protocol" agnostic, but key
IDs are not. So while the keygrip is the same for S/MIME and OpenPGP,
key ID's are inhe
Hi.
On Wednesday, 28.02.2018, 10:56 +0100, Thomas Jarosch wrote:
> To me it seems it shows the 'keygrip' instead of the smartcard key
> IDs?
Yes, that's correct.
> When using a smartcard, what about showing the openpgp key IDs
> in the "Available keys" menu?
I think this is not necessary,
Hello together,
gpgsm can be used to create X.509 certificates
for existing secret keys on an openpgp smartcard.
"gpg2 --card-status" looks like this:
*
..
Signature key : E642 8DAC 275A 3247 5B59 A16F A3E9 1268 663A 9918
created
Hi everyone,
(please CC on reply, as I am not yet subscribed)
I am currently using gpgsm as some kind of PKI CA. It allows me to keep
the CA private key stored on a smartcard, and create/sign different
X.509 end-entity certs through the --gen-key --batch mode.
ATM (with gpgsm (GnuPG) 2.2.4
;> ..’.
>
> Thanks for the suggestion. However there is a bug in gpgsm which does
> not print the keygrip in --with-colon mode as described. A workaround
> is to use --with-key-data but that may eventually print even more
> stuff. I just fixed it for the next release.
Lovely -
On Sun, 30 Jul 2017 14:52, di...@webweaving.org said:
> Replying to my own question — the man page of gpg-preset-passphrase
> should perhaps suggest to use ‘gpg --with-keygrip ..’ or ‘gpg --with-colons ..’.
Thanks for the suggestion. However there is a bug in gpgsm which does
not pri
> On 30 Jul 2017, at 12:39, Dirk-Willem van Gulik wrote:
>
> Tools such as
>
> gpg-preset-passphrase
>
> require the 40 character keygrip. The manpage of gpg-preset-passphrase(1)
> suggests that this is best extracted from
>
> gpgsm
>
> and
Tools such as
gpg-preset-passphrase
require the 40 character keygrip. The manpage of gpg-preset-passphrase(1)
suggests that this is best extracted from
gpgsm
and that works nicely
gpgsm --dump-secret-key | grep keygrip:
keygrip
On Fri, 9 Jun 2017 14:17:24 +0200,
"Dr. Thomas Orgis" wrote:
> But after that, claws-mail as well as gpgsm complain about
> the keys being ambiguous. Clearly, the call
No takers? I am the only one getting a fresh S/MIME cert? I now
modified claws-mail to add preferences to e
Hi,
I recently got into trouble with S/MIME signing and encryption in
claws-mail, which uses gpgme. My old (first) S/MIME certificate is
about to expire, so I got a new one. I added the new one to gpgsm's
keystore. But after that, claws-mail as well as gpgsm complain about
the keys
Hi,
I would like to use gpgsm to create x509 certificates for HTTPS client
authentication.
Currently I follow these steps:
1. create RSA key
$ gpgsm --gen-key --batch <<EOF
> Key-Type: RSA
> Key-Length: 2048
> Name-DN: CN=temporary to create key
> EOF
2. determine keygrip
Love gnupg.
Recently discovered it can create X.509 certificates.
However, I’m running into difficulties.
>gpgsm --generate-key --batch cert.gpgsm
gpgsm: line 2: error getting signing key by keygrip '(null)': IPC parameter
error
gpgsm: error creating certificate request: IPC pa
Hello!
On 22. 11. 2016 08:06, Werner Koch wrote:
> That is unfortunate because all modern implementations use the
> indirect signing method (using the attribute 1.2.840.113549.1.9.4).
> GPGSM is able to verify the old direct signing method but it can't
> create such an old
Hi,
Jernej Kos:
> Hello!
>
> Not sure about what you mean with the OpenPGP card not supporting
> signing? I have set gpgsm to use the signing key on the OpenPGP card (in
> key slot 1) for generating X509 certificates and CMS (S/MIME) signatures
> by doing:
>
> gpgs
t signing method (using the attribute 1.2.840.113549.1.9.4).
GPGSM is able to verify the old direct signing method but it can't
create such an old signature.
To change this we need to extend libksba, which I believe can be done
without updating the API. Also we need to add an option to gp
Hello!
Not sure about what you mean with the OpenPGP card not supporting
signing? I have set gpgsm to use the signing key on the OpenPGP card (in
key slot 1) for generating X509 certificates and CMS (S/MIME) signatures
by doing:
gpgsm --learn-card
gpgsm --gen-key
And selecting an existing
Hi,
I forgot to include the links to the docs.
[1] http://g10code.com/docs/openpgp-card-2.1.pdf
[2] http://g10code.com/docs/openpgp-card-3.0.pdf
Stephan Beck:
> Hi Jerney,
>
> Jernej Kos:
>> Hello!
>>
>> I would like to use GPGSM to sign a Linux kernel module with a
Hi Jerney,
Jernej Kos:
> Hello!
>
> I would like to use GPGSM to sign a Linux kernel module with a private
> key stored on an OpenPGP smartcard.
As to the OpenPGP card 2.1 [1] specification, you can store the private
key of an X.509 certificate on card (Data Object Cardholder Cert
Hello!
I would like to use GPGSM to sign a Linux kernel module with a private
key stored on an OpenPGP smartcard.
The original signing tool uses OpenSSL to sign the kernel module using a
detached CMS signature. The kernel requires that the CMS does not
contain any authenticated attributes and it
On Tue, 18 Oct 2016 15:09, meno.ab...@adviser.com said:
> # gpgsm --batch --gen-key < gpgsm-keygen | gpgsm --verify
gpgsm creates a certificate signing request (CSR) but "gpgsm --verify"
verifies CMS signed data - these are entirely different things. The CSR
must be given to a CA so
1 - 100 of 311 matches