Mailing List Archive

Markus Gruber <Markus.Gruber@ilo.baynet.de> writes:

> 1) gpg-pgp5 interoperation.
> - I generated a "DSA and ElGamal (default)" key, which is the PGP5 compatzible
> one (am I right?). GPG uses this key for all actions (encrypt, encrypt-sign

Yes, but ...

PGP Inc will not support the new algorithm identifier 20 for ElGamal
keys which maybe used for signing too. PGP 5.x is a properitary
product so it is up to them - and now that I know the fee you have to
pay for PGP 5.x, I understand why they don't want any compatibility
with other products - we will see ;-)

The next version of GNUPG will use algorithm identifier 16 to overcome
this problem. What you can do, is to delete your ElGamal subkey (Is it
yet possible?) and add a new one (--add-key) and select encryption
only key.

> Key ring: 'hugo.pgp'
> Type Bits KeyID Created Expires Algorithm Use
> pub 1024 0xA0643A55 1998-07-22 ---------- DSS Sign only <--
> sub 1024 0xA268D25C 1998-07-22 ---------- Diffie-Hellman
> uid Markus Gruber (This is me) <markus.gruber@ilo.baynet.de>

I wonder why PGP knows that this is a Diffie-Hellman key (and they
should chnage this to read ElGamal!). If they don't know about
algorithm 20 , tsss. Which version is it?

> markus@poro:/opt/home/markus > pgpe -r 0xA0643A55 test
> No encryption keys found for: 0xA0643A55

Okay PGP does not know how to locate this key.

> When I sign the test file with "gpg --sign -a test", and pass it thru pgp5, I
>
> ---------------------------------------------------------
> markus@poro:/opt/home/markus > pgpv test.asc
> Opening file "/dev/null" type text.
> ---------------------------------------------------------

For now use "-z 0" to sign. Two reasons:

- PGP 5 does not know how to handle compress algorithm 2
- May be it is not valid to pack all stuff in a compressed packet at
all (I have to check this)

> Am I doing something wrong?
> How need things to be setup to get full interoperation (encrypt, encrypt-sign,

As soon as we have preferences work it should be much easier.
You may add "--compress-algo 1" to your ~/.gnupg/options

> I hope I haven't bored you with this potentially stupid question.

No. I need these bug reports. Thanks.

> 2) A passphrase argument
> It would be nice, if the passphrase can be passed to gpg as a commandline
> argument in batchmode (like pgps ... -z <passphrase>).
> I did not found the possibility yet. It would be easier then to integrate gpg
> into a mailer like exmh.

NO! Try this:

ps -aw

and everyone can see the passphrase.

I suggest you do this:

echo "Secret and geheime Passphrase" | pgp --passphrase-fd 0 ...




Werner

Werner Koch wrote:
> NO! Try this:
>
> ps -aw
>
> and everyone can see the passphrase.
>
> I suggest you do this:
>
> echo "Secret and geheime Passphrase" | pgp --passphrase-fd 0 ...

Thanks for all the answers and the suggestion with the passphrase. Thats the
way I would like with pgp5 too, because I integrated pgp5 into exmh and used
the -z. It's some sort of security hole, I was too naive to think about it.

That's not a gpg question, sorry, but is there a way to securely pass a
passphrase to pgp5 in batchmode?

Thanks,
Markus

Markus Gruber <Markus.Gruber@ilo.baynet.de> writes:

> That's not a gpg question, sorry, but is there a way to securely pass a
> passphrase to pgp5 in batchmode?

Yes. Mutt does it this way:

PGPPASSFD=0; export PGPPASSFD; \
cat - name_of_input_file | pgps +batchmode -f

and pipe the passphrase in



Werner

Hi,
Pardon, I forgot answering your question

> I wonder why PGP knows that this is a Diffie-Hellman key (and they
> should chnage this to read ElGamal!). If they don't know about
> algorithm 20 , tsss. Which version is it?

It's PGP 5.0i for UNIX , which is distributed by www.pgpi.com as C-source.

> PGPPASSFD=0; export PGPPASSFD; \
> cat - name_of_input_file | pgps +batchmode -f

Ahh, thanks

Bye,
Markus

"Werner Koch" wrote:
> > 2) A passphrase argument
> > It would be nice, if the passphrase can be passed to gpg as a commandline
> > argument in batchmode (like pgps ... -z <passphrase>).
> > I did not found the possibility yet. It would be easier then to integrate gpg
> > into a mailer like exmh.
>
> NO! Try this:
>
> ps -aw
>
> and everyone can see the passphrase.
>
> I suggest you do this:
>
> echo "Secret and geheime Passphrase" | pgp --passphrase-fd 0 ...

This exposes the passphrase as well (as long as the echo process is
running), I'm afraid. Better put the passphrase into a sufficiently
well-protected(*) file and 'cat filename | gpg --passphrase-fd 0 ...'.

(*) whatever that means ... you won't protect anything against root;
command arguments, however, are visible to anybody who's logged in.

Detlef

lannert@uni-duesseldorf.de writes:

> > echo "Secret and geheime Passphrase" | pgp --passphrase-fd 0 ...
>
> This exposes the passphrase as well (as long as the echo process is

Ah yes, sure. I wrote this to demonstrate that feature. Most shells
have "echo" build in so it is not a different process and the
commandline history is another source of unsecurity ;-). Mutt does it
correct by writing the password to a pipe - A better solution is a
kind of password agent like the ssh-agent which can provide the
passphrase in a shared locked memory page. I'll do this kind of stuff
to integrate gnupg with GnomePGP.


Werner

Hi,

I now tried key generation as you described it and it worked (identifier 16
instead of 20).
I put my gpg public key on pgp5's public key ring and vice versa.
I signed and encrypted a message with pgp5 to gpg and gpg was able to read
and verify it.

Then I signed a message with gpg to pgp5 following your suggestion...

> For now use "-z 0" to sign. Two reasons:
>
> - PGP 5 does not know how to handle compress algorithm 2
> - May be it is not valid to pack all stuff in a compressed packet at
> all (I have to check this)

Pgp5 was not able to read it.

----------------------------------------------------
markus@poro:/opt/home/markus > gpg -z 0 -sa testfile
gpg (GNUPG) 0.3.2; Copyright (C) 1998 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: Warning: using insecure memory!

You need a passphrase to unlock the secret key for
user: "Markus Gruber (This is me) <markus.gruber@ilo.baynet.de>"
(1024-bit DSA key, ID 9B8F1000, created 1998-07-23)

markus@poro:/opt/home/markus > pgpv testfile.asc
Opening file "/dev/null" type text.
markus@poro:/opt/home/markus > [This information en mass means pgpv failed]
-----------------------------------------------------

> As soon as we have preferences work it should be much easier.
> You may add "--compress-algo 1" to your ~/.gnupg/options

Has gpg compress-algo 1 (ZIP) implemented yet or does is there only ZLIB?

I also tried the following:
gpg --compress-algo 1 -eat testfile

The same ascetic fault message with pgpv as above.

Another thing I did: I signed the pgp5 public key on the gpg-keyring. The
signature got added, as I could see with gpgm --list-sigs, but the key didn't
get trusted. What can I do to have gpg trust the key by default?

Bye,
Markus

On Thu, 23 Jul 1998, Markus Gruber wrote:

> Another thing I did: I signed the pgp5 public key on the gpg-keyring. The
> signature got added, as I could see with gpgm --list-sigs, but the key didn't
> get trusted. What can I do to have gpg trust the key by default?

Once before I had a problem where after signing a key it didn't get
trusted. I've done it a dozen times in the past three days with test keys
as I experiment with gpg and only once did I have this problem. A comment
made by someone earlier that gpg re-computes the trust every time made me
think to try simply deleting the trustdb.gpg file (well, renaming it
actually) and that seemed to work. I don't know if this is a bad
thing(tm) as I was only working with a keyring containing those two keys.

C=)

--------------------------------------------------------------------------
"Wish not to seem, but to be, the best." -- Aeschylus
--------------------------------------------------------------------------
Caskey <caskey*technocage.com> /// pager.818.698.2306
TechnoCage Inc. ///| PGP Key ID:0x7BBD08DC
--------------------------------------------------------------------------
Maybe everyone's driving a minivan with ego in the front seat,
inadequacy fighting in the back seat and nobody really paying
attention to the road. -- Bradt

Markus Gruber <Markus.Gruber@ilo.baynet.de> writes:

> Has gpg compress-algo 1 (ZIP) implemented yet or does is there only ZLIB?

That should work.

> I also tried the following:
> gpg --compress-algo 1 -eat testfile
>
> The same ascetic fault message with pgpv as above.

Did you try "--no-comment" ? There was so mnuch trouble with
the commet packets: Reuse of an other packet, got another id
assigned, has been removed completly and the current situation is that
I use a packet id which is resevered for experimentation.
--no-comment disables comment packets.



Werner

"Caskey L. Dickson" <caskey@technocage.com> writes:

> Once before I had a problem where after signing a key it didn't get
> trusted. I've done it a dozen times in the past three days with test keys
> as I experiment with gpg and only once did I have this problem. A comment

Interesting.

> actually) and that seemed to work. I don't know if this is a bad
> thing(tm) as I was only working with a keyring containing those two keys.

You can do so but you will loose the assigned owner trust values; next
version will have a backup system for this. The trustdb stores lists
of valid key signatures because the verification process is very time
consuming.



Werner

If I already sent this, I apologise for the duplicate, I found it in my
outbox but thought I had finished it.

On Thu, 23 Jul 1998, Werner Koch wrote:
> "Caskey L. Dickson" <caskey@technocage.com> writes:
> > Once before I had a problem where after signing a key it didn't get
> > trusted. I've done it a dozen times in the past three days with test keys
> > as I experiment with gpg and only once did I have this problem. A comment
>
> Interesting.

It happened the second time I went about creating a set of keys. It
happened to be the time I was documenting my process and so my page on it
has the messages pasted in before and after.

> > actually) and that seemed to work. I don't know if this is a bad
> > thing(tm) as I was only working with a keyring containing those two keys.
>
> You can do so but you will loose the assigned owner trust values; next
> version will have a backup system for this. The trustdb stores lists
> of valid key signatures because the verification process is very time
> consuming.

My experiments have just reached the point where they include 3 keys and I
discovered the need to assign trust levels for indirectly known keys. It
would definately be a loss if you had to revert to deleting your trust
database.

I'm not skillful enough to do anything with it, but I still have my copy
of the trust database that wouldn't work (i.e. existed immediately after
signing) and the one that did work when I moved the non-functional one
away. If anyone wants them to dissect you're welcome to them. Here's the
results of swapping them back and forth...

1) encrypt with working trust database --> works
2) swap trust database with broken one
3) encrypt with old, broken trust database --> fails
4) remove signature from key with --edit-key
5) attempt encryption again --> fails (like it should)
6) sign key
7) attempt encryption again --> fails (???)
8) delete trust database
9) attempt encryption again --> FDF99707.5: inserted into trustdb

*************************************************************************

[caskey@polo sender]$ echo hi | gpg --homedir . --encrypt --armor -r
recipient --no-greeting
*works*
[caskey@polo sender]$ cp trustdb.gpg.broken trustdb.gpg
[caskey@polo sender]$ echo hi | gpg --homedir . --encrypt --armor -r
recipient --no-greeting
Could not find a valid trust path to the key. Let's see whether we
can assign some missing owner trust values.

No ownertrust values changed.
[caskey@polo sender]$ gpg --homedir . --edit-key recipient
Remove this signature? y
Do you really want to remove the selected signatures? y
[caskey@polo sender]$ echo hi | gpg --homedir . --encrypt --armor -r
recipient --no-greeting
Could not find a valid trust path to the key. Let's see whether we
can assign some missing owner trust values.

No ownertrust values changed.
[caskey@polo sender]$ gpg --homedir . --sign-key recipient
Are you really sure that you want to sign this key:
Sign this key? y
[caskey@polo sender]$ echo hi | gpg --homedir . --encrypt --armor -r
recipient --no-greeting
Could not find a valid trust path to the key. Let's see whether we
can assign some missing owner trust values.

No ownertrust values changed.
[caskey@polo sender]$ rm trustdb.gpg
[caskey@polo sender]$ echo hi | gpg --homedir . --encrypt --armor -r
recipient --no-greeting
gpg: key FDF99707.5: inserted into trustdb
(encrypted output)
**************************************************************************

--------------------------------------------------------------------------
"Wish not to seem, but to be, the best." -- Aeschylus
--------------------------------------------------------------------------
Caskey <caskey*technocage.com> /// pager.818.698.2306
TechnoCage Inc. ///| gpg: 1024D/7BBB1485
--------------------------------------------------------------------------
Maybe everyone's driving a minivan with ego in the front seat,
inadequacy fighting in the back seat and nobody really paying
attention to the road. -- Bradt

> > I also tried the following:
> > gpg --compress-algo 1 -eat testfile
> >
> > The same ascetic fault message with pgpv as above.
>
> Did you try "--no-comment" ? There was so mnuch trouble with
> the commet packets: Reuse of an other packet, got another id
> assigned, has been removed completly and the current situation is that
> I use a packet id which is resevered for experimentation.
> --no-comment disables comment packets.

I tried it:
gpg --compress-algo 1 --no-comment -eat testfile

The same with pgpv. I tried to increase verbosity of pgpv:

markus@poro:/opt/home/markus > pgpv +VERBOSE=1 testfile.asc
Opening file "/dev/null" type text.
markus@poro:/opt/home/markus > pgpv +VERBOSE=2 testfile.asc
Reading secret keyring "/home/markus/.pgp/secring.skr"
Reading public keyring "/home/markus/.pgp/pubring.pkr"
Opening file "/dev/null" type text.
markus@poro:/opt/home/markus > pgpv +VERBOSE=100 testfile.asc
Reading secret keyring "/home/markus/.pgp/secring.skr"
Reading public keyring "/home/markus/.pgp/pubring.pkr"
Opening file "/dev/null" type text.
markus@poro:/opt/home/markus >

That's all the info to get out of pgpv.

Bye,
Markus