Werner Koch writes:
> I appreciated the opportunity to meet the GPG Tools developers, who
> are very dedicated to making GnuPG work well on OS X. I stressed the
> importance of actively participating on the GnuPG mailing list to keep
> information in sync. One example may illustrate this
"Neal H. Walfield" writes:
> Hi Simon,
>
> We've documented the problem at http://wiki.gnupg.org/GnomeKeyring .
Thanks -- another workaround, alas.
> The solution is to fix Gnome Keyring :). I've spoken with Stef, the
> main developer of GKR, and he confirmed that the only reason GKR MITMs
> G
I want to set up a secur...@example.com contact email address that should
accept OpenPGP encrypted emails. The purpose is to notify us of
security incidents. The decryption key needs to be shared by several
people who are authorized to read and reply to such emails. Naturally I
don't want soft ke
Daniel Kahn Gillmor writes:
> Hi Simon--
>
> Thanks for the interesting use case.
>
> On Tue 2015-06-09 09:21:08 -0400, Simon Josefsson wrote:
>> My current idea is to generate a secur...@example.com master PGP key and
>> keep that offline, and to generate one decryp
NIIBE Yutaka writes:
> Gpg frontend certainly works well for --sign, --decrypt after you
> remove your token and insert it again. Please try:
>
> (1) Insert token
> (2) Run "gpg --card-status"
> (3) Remove token
> (4) Run "gpg --sign" or "gpg --decrypt"
>
> SSH authentication also works well aft
"Lance R. Vick" writes:
> I only ever tried this on 2.0.0 as far as older versions go, and that was
> similarly broken. I didn't bother documenting as I saw there were some
> smartcard updates in 2.1.4 so I upgraded.
>
> Just now had another variation (on 2.1.4):
>
> 1. start gpg-agent
> 2. popul
Dongsheng Song writes:
> Hi all,
>
> When I create a new master/sub key, of the following 2 choices, I'm
> wondering which is better?
>
> 1) master key has SCEA capabilities
>
> sec rsa4096/A19676A1
> created: 2015-08-20 expires: never usage: SCEA
> trust: ultimate validity:
Glenn Rempe writes:
> I recently set up my own Mac w/ gnupg 2.1.10, and I am using a Yubikey to
> manage my gpg private keys and I am using that key for SSH auth. I have it
> all up and running but I ran into some issues as well so I wrote up a blog
> post. I'd appreciate any suggestions for imp
> > Why do you add the keygrip to the sshcontrol file? I have never
> > needed that step. For me it uses the right key directly. Is it
> > because you have another (revoked) A subkey? It sounds somewhat of
> > sub-optimal behaviour for gpg-agent's SSH support to use a revoked
> > key instead of
Werner Koch writes:
> On Tue, 29 Sep 2009 09:46, si...@josefsson.org said:
>> Hi! Before I spend time testing it, can the OpenPGP card support
>> RSA-SHA2 signatures?
>
> The v2 cards support any hash algorithm as long as they fit into pkcs#1.
When I attempt to generate a new key on the card wit
Has anyone managed to get this combination working?
There is a Putty extension but it appears to be non-free:
http://smartcard-auth.de/ssh-en.html
There is a free smartcard-enabled Putty:
http://www.joebar.ch/puttysc/
But it requires a PKCS#11 module -- I see on scute.org that
it is possible to b
Werner Koch writes:
> On Mon, 5 Oct 2009 15:54, si...@josefsson.org said:
>
>> But it requires a PKCS#11 module -- I see on scute.org that
>> it is possible to build for Windows, but are there any
>> pre-compiled binaries available?
>
> Scute is part of gpg4win 2.0.
Great.
I'm trying to use it
Dmitri Minaev writes:
> On Thu, Jan 7, 2010 at 9:08 PM, Mario Castelán Castro
> wrote:
>
>> I think the WoT and in general the cryptography is not widely used
>> because few people really care about their privacy.
>
> IMHO, there's another problem, an entry barrier to the WoT. The
> practice o
I've installed GPG4Win and it recognizes my OpenPGP smartcards without
problem (via a gpg-agent process which appears to be auto-started
somehow?). However, I'd like to enable SSH agent support in gpg-agent
too, so that Cygwin ssh can make use of it. Is this possible, if so
how?
/Simon
Werner Koch writes:
> On Fri, 29 Jan 2010 14:03, si...@josefsson.org said:
>
>> I've installed GPG4Win and it recognizes my OpenPGP smartcards without
>> problem (via a gpg-agent process which appears to be auto-started
>> somehow?). However, I'd like to enable SSH agent support in gpg-agent
>
>
Werner Koch writes:
> On Fri, 29 Jan 2010 01:22, jcr...@gmail.com said:
>
>> $ killall -u scdaemon #usually has to be entered 2-3x to
>> kill it
>
> FWIW,
>
> gpgconf --reload scdaemon
>
> does the same in a well defined manner.
The --reload parameter doesn't appear to be documented. Is
Hauke Laging writes:
> Hello,
>
> I am surprised that gpg asks for the smartcard PIN via the keyboard
> when it is to be changed. Do I misunderstand anything? Can I make gpg
> use the card reader keypad for that instead? IMHO an important part of
> smartcard security is that the PC does NOT know
Hauke Laging writes:
> Am Montag 07 Juni 2010 08:22:07 schrieb Simon Josefsson:
>
>> I'm using the keyboard on my smartcard reader to enter the PIN and it
>> works fine with GnuPG. I'm using a SCM SPR-532. Maybe your reader
>> isn't supported?
>
> I
Paul Richard Ramer writes:
> Hi,
>
> I am using an OpenPGP v2 card with an SCM SPR-532 smartcard reader, and
> I can't get GPG to take a PIN from the pinpad instead of the keyboard.
> When I run "gpg --card-edit" followed by any command that requires a PIN
> or Admin PIN, I get a password dialog
Aaron Toponce writes:
> I've added it with "my_hdr OpenPGP id=${pgp_sign_as}\;url=...". The only
> question remaining, for me, is whether or not it should be "X-OpenPGP" or
> "OpenPGP" as the header field name. I've heard various positions on this,
> but nothing definitive.
No X-OpenPGP please.
Olav Seyfarth writes:
> Hi list,
>
> I use my OpenPGP SmartCard in my laptop (W7+Linux) with a PCMCIA reader.
>
> I think about buying a new laptop. Unfortunately, new models often only
> ExpressCard/54 slot is available today (if at all).
>
> After having had trouble with built-in SmartCard read
"Roberts, David M [ITSYS]" writes:
> I've got a batch script that signs and encrypts files using GnuPG1.2.6
> running on a RHEL4 system. We are upgrading the system to RHEL6 which
> comes with Gnupg2.0.14 and the scripts no longer run correctly.
>
> gpg -u "signing-key" -r "receiving_pub-key" -s
Guillaume Lanquepin-Chesnais writes:
> Hello,
>
> I've just bought a Gemalto USB Shell Token V2 and openGPG smartcard. I
> successfully get it work on Ubuntu 12.04 (gnupgp 2.0.17) without any
> problem. However, I
> can't store a x509 certificate on the smartcard.
I thought OpenPGP cards didn't
Hi. I want to use ed25519/curve25519, but right now I have an offline
master RSA key with three subkeys. Does it work well to add new subkeys
for Ed25519/Curve25519? What is the user experience in various
applications? I'm thinking MUAs, SSH, git, gpg itself, and also more
exotic approaches lik
Guilhem Moulin writes:
> Hi Simon,
>
> On Mon, 01 Jan 2018 at 14:28:34 +0100, Simon Josefsson wrote:
>> I want to use ed25519/curve25519, but right now I have an offline
>> master RSA key with three subkeys. Does it work well to add new
>> subkeys for Ed25519/Cu
Werner Koch <[EMAIL PROTECTED]> writes:
> On Mon, 8 Aug 2005 09:37:10 +0200, Bernd Jendrissek said:
>
>> Do these TXT records support having multiple keys associated with the
>> same email address? For example, I use D7CBA633 for "everyday" signing
>> and encryption, and 24EEB426 for tin foil hat
et key for
user: “Simon Josefsson <[EMAIL PROTECTED]>”
1280-bit RSA key, ID B565716F, created 2002-05-05
gpg: can't put notation data into v3 (PGP 2.x style) signatures
[EMAIL PROTECTED]:~$
Is my key unusable with this scheme?
___
Gnupg-user
ad of primary key B565716F
gpg: writing to stdout
gpg: using subkey AABB1F7B instead of primary key B565716F
gpg: RSA/SHA1 signature from: "AABB1F7B Simon Josefsson <[EMAIL PROTECTED]>"
-BEGIN PGP MESSAGE-
Version: GnuP
t the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N)
Btw, DNS CERT retrieval work fine, see:
[EMAIL PROTECTED]:~$ gpg -a -e -r [EMAIL PROTECTED]
gpg: key B565716F: public key "Si
Alphax <[EMAIL PROTECTED]> writes:
>> gpg: [EMAIL PROTECTED]: skipped: unusable public key
>> gpg: [stdin]: encryption failed: unusable public key
>> [EMAIL PROTECTED]:~/src/gnupg$ gpg -a -e -r [EMAIL PROTECTED]
>> gpg: 1643B926: There is no assurance this key belongs to the named user
>>
>> pub
Werner Koch <[EMAIL PROTECTED]> writes:
> On Mon, 7 Aug 2006 04:39, Rubis Paul said:
>
>> a. Is there any function in Libgcrypt or Libksba to generate certificates ?
>
> Not yet. We don't have a need for it right now. For CA software you
> need more than just the ability to create a certificate.
Hi! I'm trying to get Scute working in Mozilla (as a first step
towards making GnuTLS also use it as a PKCS#11 module). I imported my
newly generated certificate into gpgsm as follows:
[EMAIL PROTECTED]:~$ gpgsm --import .gnupg/test-key.pem
gpgsm: issuer certificate {E93C1CFBAD926EE606A4562CA2E1
Werner Koch <[EMAIL PROTECTED]> writes:
> Thus we have an extra NULL and that is the reason that it does not
> verify. I am too tired to read pkcs#1 now; will do that tomorrow.
> Anyway it is the first case that I noticed such a pkcs#1 encoding.
Ah, I see. Whether the parameters should be NULL
Werner Koch <[EMAIL PROTECTED]> writes:
>> Although it may be argued that RFC 4055 only applies to RSA-PSS,
>> although this particular section is not clear that it only applies to
>> RSA-PSS.
>
> The problem is that allowing for different encodings will require a
> complete DER (or well for some
Werner Koch <[EMAIL PROTECTED]> writes:
> On Wed, 18 Apr 2007 14:11, [EMAIL PROTECTED] said:
>
>> It is possible to avoid a DER/BER decoder if you generate two
>> structures, one with NULL parameters and one with absent parameters,
>> and compare both against what's in the decrypted signatures.
>
Alternatively, how can I tell gpgsm/dirmngr to not check any CRL?
Thanks,
Simon
[EMAIL PROTECTED]:~$ gpgsm -K
/home/jas/.gnupg/pubring.kbx
Serial number: 4628A165
Issuer: /CN=GnuTLS test CA
Subject: /CN=Test Key/O=Simon Josefsson
aka: (dn
Simon Josefsson <[EMAIL PROTECTED]> writes:
> I'm trying to sign something using gpgsm and a smartcard, but here is
> what happens:
...
> Where do I put the CRL that will be checked?
>
> Alternatively, how can I tell gpgsm/dirmngr to not check any CRL?
I solved this m
Werner Koch <[EMAIL PROTECTED]> writes:
> On Fri, 20 Apr 2007 14:03, [EMAIL PROTECTED] said:
>
>> Use --disable-crl-checks to disable CRL checks. Also, you must put
>> the CA fingerprint in your trustlist.txt:
>
> Or use --allow-mark-trusted in gpg-agent.conf so that the agent will ask
> you whet
Does this command work? I see that Scute does not use gpg-agent or
scdaemon to get the certificates, but it invokes 'gpgsm --server' and
uses DUMPKEYS. That works, but I'd rather talk to only gpg-agent and
not also gpgsm in GnuTLS.
This is what I tried:
[EMAIL PROTECTED]:~$ gpg-connect-agent
SC
"Robert J. Hansen" <[EMAIL PROTECTED]> writes:
>> What prevents the keylogger in your first example to snarf the PIN
>> code
>> for the OpenPGP card and send decryption requests to the OpenPGP card,
>> using the PIN code, in the background, possibly remotely controlled
>> over
>> the network?
"Robert J. Hansen" <[EMAIL PROTECTED]> writes:
>> I've been considering getting an OpenPGP Card, but there are three
>> reasons I'm reluctant to. The main one is that I want something that
>> will only do one signature or decryption at a time. That way if my
>> machine is compromised, I'll only su
"Steven E. Harris" <[EMAIL PROTECTED]> writes:
> Werner Koch <[EMAIL PROTECTED]> writes:
>
>> Well, the X prefix is not anymore required for user defined headers.
>
> Was there some change in this prescription? If so, from where? I hadn't
> heard about "X-" falling from use.
In RFC 822 there was
"Vlad \"SATtva\" Miller" <[EMAIL PROTECTED]> writes:
> While I understand that this place isn't the best for PKS bug reports,
> I'm still not sure of what's happening (except it's quite weird). My key
> 0x8443620A consists of a main certification key and two subkeys: one for
> encryption and one f
Hi.
When I SSH with gpg-agent's ssh-agent emulation, this happens:
jas@kaka ~$ ssh root@192.168.10.186
sign_and_send_pubkey: signing failed for ED25519 "cardno:FFFE 42315277" from
agent: agent refused operation
root@192.168.10.186: Permission denied (publickey).
jas@kaka ~$
Tracking it down, i
Never mind -- I realized this was a duplicate of this bug report:
https://dev.gnupg.org/T5935
I will try to work on getting a newer GnuPG into Guix as a solution.
/Simon
Werner Koch via Gnupg-users writes:
> I am sorry, for the Debian troubles - we actually had 2.3 in Sid already
> 2 years ago. AFAICS the problem is that the Debian maintainer seems to
> be in a conflict between being Sequoia contributor and maintainer,
> OpenPGP WG Chair and also long time GnuPG
vuori writes:
> On Tue, Apr 11, 2023 at 10:50:39AM +0200, Simon Josefsson via Gnupg-users
> wrote:
>> Are there well-maintained debian packages for GnuPG 2.4 anywhere? I
>> recently ran into yet another bug that has been fixed in later versions
>> that Debian/Trisquel d
Werner Koch via Gnupg-users writes:
> Hi!
>
> while talking about gpgv, let me remind you about the new
> --assert-signer option which can be used as a replacement for gpgv.
>
> --assert-signer fpr_or_file
>
> This option checks whether at least one valid signature on file has
> be
Werner Koch via Gnupg-users writes:
> If you are interested in smartcard support I would suggest to use a
> smartcard with an ECC algorithm and an on-disk Kyber key. GnuPG 2.5.5
> already supports this by allowing to specify the keys used for a new
> OpenPGP certificate using two keygrips: At th
Damien Goutte-Gattat via Gnupg-users writes:
> On Tuesday, 13 May 2025 09:10:35 BST Werner Koch via Gnupg-users wrote:
>> On Thu, 8 May 2025 10:43, Simon Josefsson said:
>> > Oh! Is there a step-by-step instruction how to create a key like
>> > this?
>>
50 matches