Mailing List Archive

Setting up wks/ error parsing submission email
Hi,

I’m setting up (or trying to) wks on my email server, which is Ubuntu 18.04 using postfix / dovecot with procmail. I think I’m close but keep getting an error in my procmail output when I test it from another machine using the command line client test noted in the GnuPG docs. The 2nd machine is also Ubuntu but using its stock gpg (older rev as you can see in the log output below). The email server has been setup with the current gpg as noted in the instructions:
 
gpg-wks-server: gpg: public key is 79080E479BBBDB96
gpg-wks-server: gpg: WARNING: server 'gpg-agent' is older than us (2.2.4 < 2.2.9)
gpg-wks-server: gpg: Note: Outdated servers may lack important security fixes.
gpg-wks-server: gpg: Note: Use the command "gpgconf --kill all" to restart them.
gpg-wks-server: gpg: using subkey 79080E479BBBDB96 instead of primary key 2FEB4BBFE6F2B8FD
gpg-wks-server: gpg: public key is FAD6496868B818DD
gpg-wks-server: gpg: encrypted with RSA key, ID FAD6496868B818DD
gpg-wks-server: gpg: using subkey 79080E479BBBDB96 instead of primary key 2FEB4BBFE6F2B8FD
gpg-wks-server: gpg: encrypted with 3072-bit RSA key, ID 79080E479BBBDB96, created 2018-12-14
gpg-wks-server: gpg:       "key-submission@deviltracks.net"
gpg-wks-server: gpg: AES256 encrypted data
gpg-wks-server: gpg: uncompressing failed: Unknown compression algorithm
gpg-wks-server: error running '/home/webkey/bin/gpg': exit status 2
gpg-wks-server: decryption failed: General error
gpg-wks-server: draft version 2 requested
gpg-wks-server: parsing decrypted message
gpg-wks-server: no suitable data found in the message
gpg-wks-server: command failed: No data

I followed the GnuPG wikis / doc webpages for this setup. I can’t get past this last error. Any ideas? Thanks.

- Fabian S.
 
Re: Setting up wks/ error parsing submission email [ In reply to ]
On Sat 2018-12-15 16:18:30 -0500, fsantiago@deviltracks.net wrote:

> I’m setting up (or trying to) wks on my email server, which is Ubuntu
> 18.04 using postfix / dovecot with procmail. I think I’m close but
> keep getting an error in my procmail output when I test it from
> another machine using the command line client test noted in the GnuPG
> docs. The 2nd machine is also Ubuntu but using its stock gpg (older
> rev as you can see in the log output below). The email server has been
> setup with the current gpg as noted in the instructions:

It looks to me like you're mixing versions of gpg -- one is the stock
version shipping in ubuntu, and the other is some slightly-more-recent
(but not fully current) locally-built copy (the one in
/home/webkey/bin/gpg).

have you tried just installing the gpg-wks-server package directly in
ubuntu, rather than trying to build your own local copy?

> gpg-wks-server: gpg: uncompressing failed: Unknown compression algorithm
> gpg-wks-server: error running '/home/webkey/bin/gpg': exit status 2

this looks like your self-built copy of gpg doesn't enable the expected
compression algorithm.

can you compare the output of:

gpg --version | grep ^Compression:

against:

/home/webkey/bin/gpg --version | grep ^Compression:

?

that might help to understand some of what's going on at least.

--dkg
Re: Setting up wks/ error parsing submission email [ In reply to ]
On Mon, 17 Dec 2018 20:56, dkg@fifthhorseman.net said:

> this looks like your self-built copy of gpg doesn't enable the expected
> compression algorithm.

Indeed. We can easily make this more robust by disabling compression -
the data is anyway small. Different compression algorithms are pretty
common because these are implemented by external libraries - in contrast
to the cipher algos which are from Libgcrypt and that library is always
required.


Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
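To make Werner's point concrete, here is an added model (not code from GnuPG or from anyone in the thread) of how a compression mismatch between two gpg builds produces the "Unknown compression algorithm" failure: the sender compresses with the first algorithm from the recipient key's compression preferences that it supports, and the recipient build must be able to undo that choice. The two "Compression:" lines are the ones posted in the thread; the key preference lists are assumptions.

```python
"""Model of why a GnuPG build without zlib/bzip2 chokes on a WKS submission.

Added example for this thread; it is not code from GnuPG or from the posters.
It models the OpenPGP rule that the sender compresses with the first entry of
the recipient key's compression preferences that the sender itself supports
(Uncompressed is always acceptable), then asks whether the recipient's build
can decompress the result. The key preference lists are assumptions.
"""

# Constructed from the two `gpg --version | grep ^Compression:` results in the thread.
STOCK_GPG_VERSION = """gpg (GnuPG) 2.2.4
Supported algorithms:
Compression: Uncompressed, ZIP, ZLIB, BZIP2
"""
SELFBUILT_GPG_VERSION = """gpg (GnuPG) 2.2.9
Supported algorithms:
Compression: Uncompressed
"""

# Assumed preference lists: a build with all four algorithms writes its full
# list into new keys; a build lacking zlib and bzip2 can only advertise
# Uncompressed, which is the "create a new key" fix Werner describes.
FULL_BUILD_KEY_PREFS = ["ZLIB", "BZIP2", "ZIP", "Uncompressed"]
NO_COMPRESSION_KEY_PREFS = ["Uncompressed"]


def parse_compression_line(version_output):
    """Return the algorithm names on the 'Compression:' line of `gpg --version`."""
    for line in version_output.splitlines():
        if line.startswith("Compression:"):
            names = line.split(":", 1)[1].split(",")
            return [n.strip() for n in names if n.strip()]
    raise ValueError("no 'Compression:' line in gpg --version output")


def choose_compression(recipient_prefs, sender_supported):
    """Sender side: first algorithm the recipient prefers that the sender can produce."""
    for algo in recipient_prefs:
        if algo in sender_supported:
            return algo
    return "Uncompressed"  # always allowed, even if the key does not list it


def can_decompress(algo, recipient_supported):
    """Recipient side: 'Unknown compression algorithm' when this is False."""
    return algo == "Uncompressed" or algo in recipient_supported


def simulate(recipient_key_prefs, sender_version_output, recipient_version_output):
    """Return (algorithm the sender picks, whether the recipient can decrypt)."""
    sender = parse_compression_line(sender_version_output)
    recipient = parse_compression_line(recipient_version_output)
    chosen = choose_compression(recipient_key_prefs, sender)
    return chosen, can_decompress(chosen, recipient)


if __name__ == "__main__":
    cases = [
        ("server key from full build, server runs self-built gpg",
         FULL_BUILD_KEY_PREFS, STOCK_GPG_VERSION, SELFBUILT_GPG_VERSION),
        ("fix 1: new server key created by the no-compression build",
         NO_COMPRESSION_KEY_PREFS, STOCK_GPG_VERSION, SELFBUILT_GPG_VERSION),
        ("fix 2: server rebuilt with zlib1g-dev and libbz2-dev installed",
         FULL_BUILD_KEY_PREFS, STOCK_GPG_VERSION, STOCK_GPG_VERSION),
    ]
    for label, prefs, sender, recipient in cases:
        chosen, ok = simulate(prefs, sender, recipient)
        print(f"{label}: sender picks {chosen}; recipient {'decrypts' if ok else 'fails'}")
```

The first case reproduces the failure in the original log; the other two correspond to the two fixes Werner suggests.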
Re: Setting up wks/ error parsing submission email [ In reply to ]
On 2018-12-17 14:56, Daniel Kahn Gillmor wrote:
> On Sat 2018-12-15 16:18:30 -0500, fsantiago@deviltracks.net wrote:
>
>> I’m setting up (or trying to) wks on my email server, which is Ubuntu
>> 18.04 using postfix / dovecot with procmail. I think I’m close but
>> keep getting an error in my procmail output when I test it from
>> another machine using the command line client test noted in the GnuPG
>> docs. The 2nd machine is also Ubuntu but using its stock gpg (older
>> rev as you can see in the log output below). The email server has been
>> setup with the current gpg as noted in the instructions:
>
> It looks to me like you're mixing versions of gpg -- one is the stock
> version shipping in ubuntu, and the other is some slightly-more-recent
> (but not fully current) locally-built copy (the one in
> /home/webkey/bin/gpg).
>
> have you tried just installing the gpg-wks-server package directly in
> ubuntu, rather than trying to build your own local copy?
>
>> gpg-wks-server: gpg: uncompressing failed: Unknown compression algorithm
>> gpg-wks-server: error running '/home/webkey/bin/gpg': exit status 2
>
> this looks like your self-built copy of gpg doesn't enable the expected
> compression algorithm.
>
> can you compare the output of:
>
> gpg --version | grep ^Compression:
>
> against:
>
> /home/webkey/bin/gpg --version | grep ^Compression:
>
> ?
>
> that might help to understand some of what's going on at least.
>
> --dkg

that's probably it:

root@mail:~# gpg --version | grep ^Compression:
Compression: Uncompressed, ZIP, ZLIB, BZIP2
root@mail:~# /home/webkey/bin/gpg --version | grep ^Compression:
Compression: Uncompressed


so this was produced following the online instructions for setting up
WKS (as far as building your own current gpg). should i not do that? or
what can i do to enable or disable compression? Thanks for your help.

--

Thanks,

Fabian S.

OpenPGP: 0xE05BF5EEFDD6549DAD3EDF64AE4E3D03B4F2DF29

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-devel
Re: Setting up wks/ error parsing submission email [ In reply to ]
On Tue, 18 Dec 2018 23:38, fsantiago@deviltracks.net said:

> so this was produced following the online instructions for setting up
> WKS (as far as building your own current gpg). should i not do that?
> or what can i do to enable or disable compression? Thanks for your

The configure script detects whether the required libs are available and
depending on this includes support for these compression algorithms. If
you created the encryption key for the server using that very version
everything should be fine. It might be easiest to simply create a new
key using the version w/o the compression support.

Or you build again but first install the packages /zlib1g-dev/ and
/libbz2-dev/. If you build using the speedo Makefile, copies of those
libraries should have been downloaded and used during the speedo build
process.


Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: Setting up wks/ error parsing submission email [ In reply to ]
On 2018-12-19 03:40, Werner Koch wrote:
> On Tue, 18 Dec 2018 23:38, fsantiago@deviltracks.net said:
>
>> so this was produced following the online instructions for setting up
>> WKS (as far as building your own current gpg). should i not do that?
>> or what can i do to enable or disable compression? Thanks for your
>
> The configure script detects whether the required libs are available and
> depending on this includes support for these compression algorithms. If
> you created the encryption key for the server using that very version
> everything should be fine. It might be easiest to simply create a new
> key using the version w/o the compression support.
>
> Or you build again but first install the packages /zlib1g-dev/ and
> /libbz2-dev/. If you build using the speedo Makefile, copies of those
> libraries should have been downloaded and used during the speedo build
> process.
>
>
> Salam-Shalom,
>
> Werner

i did use speedo....so?


--

Thanks,

Fabian S.

OpenPGP: 0xE05BF5EEFDD6549DAD3EDF64AE4E3D03B4F2DF29

Re: Setting up wks/ error parsing submission email [ In reply to ]
On 2018-12-19 08:49, Fabian A. Santiago wrote:
> On 2018-12-19 03:40, Werner Koch wrote:
>> On Tue, 18 Dec 2018 23:38, fsantiago@deviltracks.net said:
>>
>>> so this was produced following the online instructions for setting up
>>> WKS (as far as building your own current gpg). should i not do that?
>>> or what can i do to enable or disable compression? Thanks for your
>>
>> The configure script detects whether the required libs are available and
>> depending on this includes support for these compression algorithms. If
>> you created the encryption key for the server using that very version
>> everything should be fine. It might be easiest to simply create a new
>> key using the version w/o the compression support.
>>
>> Or you build again but first install the packages /zlib1g-dev/ and
>> /libbz2-dev/. If you build using the speedo Makefile, copies of those
>> libraries should have been downloaded and used during the speedo build
>> process.
>>
>>
>> Salam-Shalom,
>>
>> Werner
>
> i did use speedo....so?

ok, so i edited my procmailrc file to use the system's own version of
gpg-wks-server and now it parses the test email but is awaiting a
confirmation and since i tested it from the command line and with an
invalid address I'm not sure how to give it the confirmation it seeks. i
did receive its confirmation email to my catchall inbox but unsure
where to go from here to continue testing it without simply using a
legitimate key and email client. how do i pass it the confirmation it
seeks via command line? Thanks.
--

Thanks,

Fabian S.

OpenPGP: 0xE05BF5EEFDD6549DAD3EDF64AE4E3D03B4F2DF29

Re: Setting up wks/ error parsing submission email [ In reply to ]
On 2018-12-19 10:29, Fabian A. Santiago wrote:
> On 2018-12-19 08:49, Fabian A. Santiago wrote:
>> On 2018-12-19 03:40, Werner Koch wrote:
>>> On Tue, 18 Dec 2018 23:38, fsantiago@deviltracks.net said:
>>>
>>>> so this was produced following the online instructions for setting up
>>>> WKS (as far as building your own current gpg). should i not do that?
>>>> or what can i do to enable or disable compression? Thanks for your
>>>
>>> The configure script detects whether the required libs are available and
>>> depending on this includes support for these compression algorithms. If
>>> you created the encryption key for the server using that very version
>>> everything should be fine. It might be easiest to simply create a new
>>> key using the version w/o the compression support.
>>>
>>> Or you build again but first install the packages /zlib1g-dev/ and
>>> /libbz2-dev/. If you build using the speedo Makefile, copies of those
>>> libraries should have been downloaded and used during the speedo build
>>> process.
>>>
>>>
>>> Salam-Shalom,
>>>
>>> Werner
>>
>> i did use speedo....so?
>
> ok, so i edited my procmailrc file to use the system's own version of
> gpg-wks-server and now it parses the test email but is awaiting a
> confirmation and since i tested it from the command line and with an
> invalid address I'm not sure how to give it the confirmation it seeks.
> i did receive its confirmation email to my catchall inbox but unsure
> where to go from here to continue testing it without simply using a
> legitimate key and email client. how do i pass it the confirmation it
> seeks via command line? Thanks.

so i've switched to using the gnupg built into my system and can get as
far as receiving the confirmation email as previously stated. when i use
the command line client to process this confirmation (I think, unless
i've misunderstood something), i get:

root@deviltracks:~# /usr/lib/gnupg/gpg-wks-client --receive --send < sample2.txt
gpg-wks-client: t2body for level 0
gpg-wks-client: t2body for level 1
gpg-wks-client: t2body for level 2
gpg-wks-client: t2body for level 2
gpg-wks-client: new 'application/vnd.gnupg.wks' message part
gpg-wks-client: t2body for level 1
gpg-wks-client: gpg: Signature made Wed Dec 19 14:52:36 2018 EST
gpg-wks-client: gpg: using RSA key A6E176009FC6EBE8537D4FB72FEB4BBFE6F2B8FD
gpg-wks-client: gpg: issuer "key-submission@deviltracks.net"
gpg-wks-client: gpg: Good signature from "key-submission@deviltracks.net" [unknown]
gpg-wks-client: gpg: WARNING: Using untrusted key!
gpg-wks-client: DBG: Fixme: Verification result is not used
gpg-wks-client: wkd data found
gpg-wks-client: draft version 2 requested
gpg-wks-client: gpg: decryption failed: No secret key
gpg-wks-client: error running '/usr/bin/gpg': exit status 2
gpg-wks-client: decryption failed: General error
gpg-wks-client: decryption failed: General error
gpg-wks-client: processing mail failed: General error

I feel like i must likely be doing something wrong but i'm unsure where
to go from here. thanks for your help everyone.

--

Thanks,

Fabian S.

OpenPGP: 0xE05BF5EEFDD6549DAD3EDF64AE4E3D03B4F2DF29

Re: Setting up wks/ error parsing submission email [ In reply to ]
On Tue 2018-12-18 17:38:12 -0500, Fabian A. Santiago wrote:
> so this was produced following the online instructions for setting up
> WKS (as far as building your own current gpg). should i not do that? or
> what can i do to enable or disable compression? Thanks for your help.

unless you have a plan in place for maintaining and upgrading your own
GnuPG installation, i recommend sticking with your distro's version of
GnuPG. it is a non-trivial amount of work. (full disclaimer, i'm one
of the people who works on maintaining GnuPG in debian)

--dkg

Re: Setting up wks/ error parsing submission email [ In reply to ]
On 2018-12-19 18:29, Daniel Kahn Gillmor wrote:
> On Tue 2018-12-18 17:38:12 -0500, Fabian A. Santiago wrote:
>> so this was produced following the online instructions for setting up
>> WKS (as far as building your own current gpg). should i not do that? or
>> what can i do to enable or disable compression? Thanks for your help.
>
> unless you have a plan in place for maintaining and upgrading your own
> GnuPG installation, i recommend sticking with your distro's version of
> GnuPG. it is a non-trivial amount of work. (full disclaimer, i'm one
> of the people who works on maintaining GnuPG in debian)
>
> --dkg

alright, so as i think i stated before, i'm currently stuck here:

/usr/lib/gnupg/gpg-wks-client --receive --send < sample2.txt
gpg-wks-client: t2body for level 0
gpg-wks-client: t2body for level 1
gpg-wks-client: t2body for level 2
gpg-wks-client: t2body for level 2
gpg-wks-client: new 'application/vnd.gnupg.wks' message part
gpg-wks-client: t2body for level 1
gpg-wks-client: gpg: Signature made Thu Dec 20 09:41:21 2018 EST
gpg-wks-client: gpg: using RSA key 672DC8471CEA6025761161FE05C53C82C753F2B6
gpg-wks-client: gpg: issuer "key-submission@deviltracks.net"
gpg-wks-client: gpg: Good signature from "key-submission@deviltracks.net" [unknown]
gpg-wks-client: gpg: WARNING: Using untrusted key!
gpg-wks-client: DBG: Fixme: Verification result is not used
gpg-wks-client: wkd data found
gpg-wks-client: draft version 2 requested
gpg-wks-client: gpg: decryption failed: No secret key
gpg-wks-client: error running '/usr/bin/gpg': exit status 2
gpg-wks-client: decryption failed: General error
gpg-wks-client: decryption failed: General error
gpg-wks-client: processing mail failed: General error

this is me trying to feed in the email confirmation via command line to
the client. no secret key? and I've now since reverted to using my
distro's default gpg version. thanks.

--

Thanks,

Fabian S.

OpenPGP: 0xE05BF5EEFDD6549DAD3EDF64AE4E3D03B4F2DF29

Re: Setting up wks/ error parsing submission email [ In reply to ]
On Thu 2018-12-20 09:47:30 -0500, Fabian A. Santiago wrote:
> /usr/lib/gnupg/gpg-wks-client --receive --send < sample2.txt
> gpg-wks-client: t2body for level 0
> gpg-wks-client: t2body for level 1
> gpg-wks-client: t2body for level 2
> gpg-wks-client: t2body for level 2
> gpg-wks-client: new 'application/vnd.gnupg.wks' message part
> gpg-wks-client: t2body for level 1
> gpg-wks-client: gpg: Signature made Thu Dec 20 09:41:21 2018 EST
> gpg-wks-client: gpg: using RSA key 672DC8471CEA6025761161FE05C53C82C753F2B6
> gpg-wks-client: gpg: issuer "key-submission@deviltracks.net"
> gpg-wks-client: gpg: Good signature from "key-submission@deviltracks.net" [unknown]
> gpg-wks-client: gpg: WARNING: Using untrusted key!
> gpg-wks-client: DBG: Fixme: Verification result is not used
> gpg-wks-client: wkd data found
> gpg-wks-client: draft version 2 requested
> gpg-wks-client: gpg: decryption failed: No secret key
> gpg-wks-client: error running '/usr/bin/gpg': exit status 2
> gpg-wks-client: decryption failed: General error
> gpg-wks-client: decryption failed: General error
> gpg-wks-client: processing mail failed: General error
>
> this is me trying to feed in the email confirmation via command line to
> the client. no secret key? and I've now since reverted to using my
> distro's default gpg version. thanks.

Can you report more info about sample2.txt, or share it here? I would
want to know what its internal structure looks like, if possible, and to
know whether the key(s?) that its inner part is encrypted to are keys
that you have listed when you run gpg --list-secret-keys .

Also, what version is your local gpg where you're running
gpg-wks-client? Is it possible that you're mixing gpg 2.1.x and gpg
1.4.x on your local system?

--dkg
Re: Setting up wks/ error parsing submission email [ In reply to ]
On 2018-12-20 14:36, Daniel Kahn Gillmor wrote:
> On Thu 2018-12-20 09:47:30 -0500, Fabian A. Santiago wrote:
>> /usr/lib/gnupg/gpg-wks-client --receive --send < sample2.txt
>> gpg-wks-client: t2body for level 0
>> gpg-wks-client: t2body for level 1
>> gpg-wks-client: t2body for level 2
>> gpg-wks-client: t2body for level 2
>> gpg-wks-client: new 'application/vnd.gnupg.wks' message part
>> gpg-wks-client: t2body for level 1
>> gpg-wks-client: gpg: Signature made Thu Dec 20 09:41:21 2018 EST
>> gpg-wks-client: gpg: using RSA key 672DC8471CEA6025761161FE05C53C82C753F2B6
>> gpg-wks-client: gpg: issuer "key-submission@deviltracks.net"
>> gpg-wks-client: gpg: Good signature from "key-submission@deviltracks.net" [unknown]
>> gpg-wks-client: gpg: WARNING: Using untrusted key!
>> gpg-wks-client: DBG: Fixme: Verification result is not used
>> gpg-wks-client: wkd data found
>> gpg-wks-client: draft version 2 requested
>> gpg-wks-client: gpg: decryption failed: No secret key
>> gpg-wks-client: error running '/usr/bin/gpg': exit status 2
>> gpg-wks-client: decryption failed: General error
>> gpg-wks-client: decryption failed: General error
>> gpg-wks-client: processing mail failed: General error
>>
>> this is me trying to feed in the email confirmation via command line to
>> the client. no secret key? and I've now since reverted to using my
>> distro's default gpg version. thanks.
>
> Can you report more info about sample2.txt, or share it here? I would
> want to know what its internal structure looks like, if possible, and to
> know whether the key(s?) that its inner part is encrypted to are keys
> that you have listed when you run gpg --list-secret-keys .
>
> Also, what version is your local gpg where you're running
> gpg-wks-client? Is it possible that you're mixing gpg 2.1.x and gpg
> 1.4.x on your local system?
>
> --dkg

sure,

gpg --version:

gpg (GnuPG) 2.2.4
libgcrypt 1.8.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /root/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

***

root@mail:~# /usr/lib/gnupg/gpg-wks-client --version
gpg-wks-client (GnuPG) 2.2.4
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

***

and see my attached sample.txt (which is the confirmation email received
when submitting a new key).
--

Thanks,

Fabian S.

OpenPGP: 0xE05BF5EEFDD6549DAD3EDF64AE4E3D03B4F2DF29
Re: Setting up wks/ error parsing submission email [ In reply to ]
On Thu 2018-12-20 14:58:33 -0500, Fabian A. Santiago wrote:
> gpg --version:
>
> gpg (GnuPG) 2.2.4
[…]
>
> Home: /root/.gnupg

This looks like you're running it as root.

> root@mail:~# /usr/lib/gnupg/gpg-wks-client --version
> gpg-wks-client (GnuPG) 2.2.4
> Copyright (C) 2017 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> ***
>
> and see my attached sample.txt (which is the confirmation email received
> when submitting a new key).

thanks! that shows that the message is encrypted to the public key with
keyid 0xFAD6496868B818DD. are you running gpg-wks-client as root as
well? does root control the secret key for this e-mail address
test123@deviltracks.net?

what is the output of:

gpg --list-secret-keys 0xFAD6496868B818DD

--dkg
Re: Setting up wks/ error parsing submission email [ In reply to ]
On 2018-12-20 15:08, Daniel Kahn Gillmor wrote:
> On Thu 2018-12-20 14:58:33 -0500, Fabian A. Santiago wrote:
>> gpg --version:
>>
>> gpg (GnuPG) 2.2.4
> […]
>>
>> Home: /root/.gnupg
>
> This looks like you're running it as root.
>
>> root@mail:~# /usr/lib/gnupg/gpg-wks-client --version
>> gpg-wks-client (GnuPG) 2.2.4
>> Copyright (C) 2017 Free Software Foundation, Inc.
>> License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
>> This is free software: you are free to change and redistribute it.
>> There is NO WARRANTY, to the extent permitted by law.
>>
>> ***
>>
>> and see my attached sample.txt (which is the confirmation email received
>> when submitting a new key).
>
> thanks! that shows that the message is encrypted to the public key with
> keyid 0xFAD6496868B818DD. are you running gpg-wks-client as root as
> well? does root control the secret key for this e-mail address
> test123@deviltracks.net?
>
> what is the output of:
>
> gpg --list-secret-keys 0xFAD6496868B818DD
>
> --dkg

output of your requested command:

sec rsa3072 2018-12-14 [SC] [expires: 2020-12-13]
89CFCD21743DBDD5EB5ABC973879E79EC3420092
uid [ultimate] test123 <test123@deviltracks.net>
ssb rsa3072 2018-12-14 [E] [expires: 2020-12-13]


yes i am (running as root). this is from the "client" PC submitting the
key itself. on the email server side this is all being processed as a
local user / not root.

--

Thanks,

Fabian S.

OpenPGP: 0xE05BF5EEFDD6549DAD3EDF64AE4E3D03B4F2DF29

Re: Setting up wks/ error parsing submission email [ In reply to ]
On Thu 2018-12-20 15:38:04 -0500, Fabian A. Santiago wrote:
> On 2018-12-20 15:08, Daniel Kahn Gillmor wrote:
>> what is the output of:
>>
>> gpg --list-secret-keys 0xFAD6496868B818DD
>
> output of your requested command:
>
> sec rsa3072 2018-12-14 [SC] [expires: 2020-12-13]
> 89CFCD21743DBDD5EB5ABC973879E79EC3420092
> uid [ultimate] test123 <test123@deviltracks.net>
> ssb rsa3072 2018-12-14 [E] [expires: 2020-12-13]
>
>
> yes i am (running as root). this is from the "client" PC submitting the
> key itself. on the email server side this is all being processed as a
> local user / not root.

It's a little bit odd for the root user to be running a local e-mail
account. i'm fine to continue debugging like this, but i would
generally advise you to only check (and interact with) mail from a
non-root account.

I'm perplexed. I don't know how to square that with your earlier report
of:

/usr/lib/gnupg/gpg-wks-client --receive --send < sample2.txt
gpg-wks-client: t2body for level 0
gpg-wks-client: t2body for level 1
gpg-wks-client: t2body for level 2
gpg-wks-client: t2body for level 2
gpg-wks-client: new 'application/vnd.gnupg.wks' message part
gpg-wks-client: t2body for level 1
gpg-wks-client: gpg: Signature made Thu Dec 20 09:41:21 2018 EST
gpg-wks-client: gpg: using RSA key 672DC8471CEA6025761161FE05C53C82C753F2B6
gpg-wks-client: gpg: issuer "key-submission@deviltracks.net"
gpg-wks-client: gpg: Good signature from "key-submission@deviltracks.net" [unknown]
gpg-wks-client: gpg: WARNING: Using untrusted key!
gpg-wks-client: DBG: Fixme: Verification result is not used
gpg-wks-client: wkd data found
gpg-wks-client: draft version 2 requested
gpg-wks-client: gpg: decryption failed: No secret key
gpg-wks-client: error running '/usr/bin/gpg': exit status 2
gpg-wks-client: decryption failed: General error
gpg-wks-client: decryption failed: General error
gpg-wks-client: processing mail failed: General error

Can you try to extract text from the application/vnd.gnupg.wks part of
sample2.txt -- starting at the "BEGIN PGP MESSAGE" line and going
through the "END PGP MESSAGE" line (inclusive!) -- and save it to a file
ciphertext.wks ? Then do:

gpg --output cleartext.wks --decrypt ciphertext.wks

does that work? If not, are there specific errors? full transcripts
(including the commands run, shell prompts, error messages, etc) are
always helpful.

Sorry to not have any clearer answers for you immediately.

If you're up for giving me an account on the system i can try to
replicate the problem you're describing and see whether i can make it
happen myself. Feel free to mail me offlist about credentials if that's
the case.

--dkg
Re: Setting up wks/ error parsing submission email [ In reply to ]
On 2018-12-20 16:19, Daniel Kahn Gillmor wrote:
> On Thu 2018-12-20 15:38:04 -0500, Fabian A. Santiago wrote:
>> On 2018-12-20 15:08, Daniel Kahn Gillmor wrote:
>>> what is the output of:
>>>
>>> gpg --list-secret-keys 0xFAD6496868B818DD
>>
>> output of your requested command:
>>
>> sec rsa3072 2018-12-14 [SC] [expires: 2020-12-13]
>> 89CFCD21743DBDD5EB5ABC973879E79EC3420092
>> uid [ultimate] test123 <test123@deviltracks.net>
>> ssb rsa3072 2018-12-14 [E] [expires: 2020-12-13]
>>
>>
>> yes i am (running as root). this is from the "client" PC submitting the
>> key itself. on the email server side this is all being processed as a
>> local user / not root.
>
> It's a little bit odd for the root user to be running a local e-mail
> account. i'm fine to continue debugging like this, but i would
> generally advise you to only check (and interact with) mail from a
> non-root account.
>
> I'm perplexed. I don't know how to square that with your earlier report
> of:
>
> /usr/lib/gnupg/gpg-wks-client --receive --send < sample2.txt
> gpg-wks-client: t2body for level 0
> gpg-wks-client: t2body for level 1
> gpg-wks-client: t2body for level 2
> gpg-wks-client: t2body for level 2
> gpg-wks-client: new 'application/vnd.gnupg.wks' message part
> gpg-wks-client: t2body for level 1
> gpg-wks-client: gpg: Signature made Thu Dec 20 09:41:21 2018 EST
> gpg-wks-client: gpg: using RSA key 672DC8471CEA6025761161FE05C53C82C753F2B6
> gpg-wks-client: gpg: issuer "key-submission@deviltracks.net"
> gpg-wks-client: gpg: Good signature from "key-submission@deviltracks.net" [unknown]
> gpg-wks-client: gpg: WARNING: Using untrusted key!
> gpg-wks-client: DBG: Fixme: Verification result is not used
> gpg-wks-client: wkd data found
> gpg-wks-client: draft version 2 requested
> gpg-wks-client: gpg: decryption failed: No secret key
> gpg-wks-client: error running '/usr/bin/gpg': exit status 2
> gpg-wks-client: decryption failed: General error
> gpg-wks-client: decryption failed: General error
> gpg-wks-client: processing mail failed: General error
>
> Can you try to extract text from the application/vnd.gnupg.wks part of
> sample2.txt -- starting at the "BEGIN PGP MESSAGE" line and going
> through the "END PGP MESSAGE" line (inclusive!) -- and save it to a file
> ciphertext.wks ? Then do:
>
> gpg --output cleartext.wks --decrypt ciphertext.wks
>
> does that work? If not, are there specific errors? full transcripts
> (including the commands run, shell prompts, error messages, etc) are
> always helpful.
>
> Sorry to not have any clearer answers for you immediately.
>
> If you're up for giving me an account on the system i can try to
> replicate the problem you're describing and see whether i can make it
> happen myself. Feel free to mail me offlist about credentials if that's
> the case.
>
> --dkg

here you go:

root@deviltracks:~# /usr/lib/gnupg/gpg-wks-client --receive --send < pgp_snippet.txt
gpg-wks-client: t2body for level 0
gpg-wks-client: processing mail failed: Unexpected message


that doesn't seem to work when i cut out just the pgp message portion.
also see attached snippet file.

i understand about the root thing. in production root isn't used.

as for you having an account, would you be needing it on the test
"client", email server, or both? i will contact you later after i'm off
my day job and we can set something up if you wish. i should also state
this is by no means critical. i'm just experimenting for my own personal
use. so any help is greatly appreciated and i don't really mind how long
it takes.

--

Thanks,

Fabian S.

OpenPGP: 0xE05BF5EEFDD6549DAD3EDF64AE4E3D03B4F2DF29
Re: Setting up wks/ error parsing submission email [ In reply to ]
On Thu 2018-12-20 16:35:43 -0500, Fabian A. Santiago wrote:
> On 2018-12-20 16:19, Daniel Kahn Gillmor wrote:
>> save it to a file ciphertext.wks ? Then do:
>>
>> gpg --output cleartext.wks --decrypt ciphertext.wks
[…]
> here you go:
>
> root@deviltracks:~# /usr/lib/gnupg/gpg-wks-client --receive --send < pgp_snippet.txt
> gpg-wks-client: t2body for level 0
> gpg-wks-client: processing mail failed: Unexpected message

this isn't the command i was trying to ask you to run. can you try the
original suggestion?

> as for you having an account, would you be needing it on the test
> "client", email server, or both? i will contact you later after i'm off
> my day job and we can set something up if you wish. i should also state
> this is by no means critical. i'm just experimenting for my own personal
> use. so any help is greatly appreciated and i don't really mind how long
> it takes.

It would just be an e-mail account on that mailserver. if you've gotten
the gpg-wks-server side of things sorted, then i ought to be able to use
the tools from my side to register a key.

your work in debugging this publicly will likely help other people who
stumble into whatever this problem is in the future and end up reading
the archives. so thanks for your persistence!

--dkg
Re: Setting up wks/ error parsing submission email [ In reply to ]
On 2018-12-20 16:42, Daniel Kahn Gillmor wrote:
> On Thu 2018-12-20 16:35:43 -0500, Fabian A. Santiago wrote:
>> On 2018-12-20 16:19, Daniel Kahn Gillmor wrote:
>>> save it to a file ciphertext.wks ? Then do:
>>>
>>> gpg --output cleartext.wks --decrypt ciphertext.wks
> […]
>> here you go:
>>
>> root@deviltracks:~# /usr/lib/gnupg/gpg-wks-client --receive --send <
>> pgp_snippet.txt
>> gpg-wks-client: t2body for level 0
>> gpg-wks-client: processing mail failed: Unexpected message
>
> this isn't the command i was trying to ask you to run. can you try the
> original suggestion?
>
>> as for you having an account, would you be needing it on the test
>> "client", email server, or both? i will contact you later after i'm
>> off
>> my day job and we can set something up if you wish. i should also
>> state
>> this is by no means critical. i'm just experimenting for my own
>> personal
>> use. so any help is greatly appreciated and i don't really mind how
>> long
>> it takes.
>
> It would just be an e-mail account on that mailserver. if you've
> gotten
> the gpg-wks-server side of things sorted, then i ought to be able to
> use
> the tools from my side to register a key.
>
> your work in debugging this publicly will likely help other people who
> stumble into whatever this problem is in the future and end up reading
> the archives. so thanks for your persistence!
>
> --dkg
my apologies, i can be a bit of a tool sometimes. here you are:

root@deviltracks:~# gpg --output clear_snippet.txt --decrypt
pgp_snippet.txt
gpg: encrypted with 3072-bit RSA key, ID FAD6496868B818DD, created
2018-12-14
"test123 <test123@deviltracks.net>"

and the clear text is:

root@deviltracks:~# cat clear_snippet.txt
type: confirmation-request
sender: key-submission@deviltracks.net
address: test123@deviltracks.net
fingerprint: 89CFCD21743DBDD5EB5ABC973879E79EC3420092
nonce: <redacted>

--

Thanks,

Fabian S.

OpenPGP: 0xE05BF5EEFDD6549DAD3EDF64AE4E3D03B4F2DF29

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-devel
Re: Setting up wks/ error parsing submission email
On Thu 2018-12-20 16:47:46 -0500, Fabian A. Santiago wrote:
> root@deviltracks:~# gpg --output clear_snippet.txt --decrypt pgp_snippet.txt
> gpg: encrypted with 3072-bit RSA key, ID FAD6496868B818DD, created 2018-12-14
> "test123 <test123@deviltracks.net>"
>
> and the clear text is:
>
> root@deviltracks:~# cat clear_snippet.txt
> type: confirmation-request
> sender: key-submission@deviltracks.net
> address: test123@deviltracks.net
> fingerprint: 89CFCD21743DBDD5EB5ABC973879E79EC3420092
> nonce: <redacted>

OK, so gpg is working fine, and the relevant secret key is available.
that's good!

But (i think) it narrows down the problem to your implementation of
gpg-wks-client.

Perhaps Werner or someone more well-versed in WKD can weigh in here?
Without access to an environment to replicate the problem, i'm at a bit
of a dead end.

--dkg
Re: Setting up wks/ error parsing submission email
On Thu, 20 Dec 2018 15:47, fsantiago@deviltracks.net said:

> /usr/lib/gnupg/gpg-wks-client --receive --send < sample2.txt

> gpg-wks-client: draft version 2 requested
> gpg-wks-client: gpg: decryption failed: No secret key
> gpg-wks-client: error running '/usr/bin/gpg': exit status 2
> gpg-wks-client: decryption failed: General error

Can you please add

--verbose --debug crypto

to the invocation. This shows diagnostics from gpg and is better than
the General Error.


Shalom-Salam,

Werner


--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: Setting up wks/ error parsing submission email
On 2018-12-21 08:23, Werner Koch wrote:
> On Thu, 20 Dec 2018 15:47, fsantiago@deviltracks.net said:
>
>> /usr/lib/gnupg/gpg-wks-client --receive --send < sample2.txt
>
>> gpg-wks-client: draft version 2 requested
>> gpg-wks-client: gpg: decryption failed: No secret key
>> gpg-wks-client: error running '/usr/bin/gpg': exit status 2
>> gpg-wks-client: decryption failed: General error
>
> Can you please add
>
> --verbose --debug crypto
>
> to the invocation. This shows diagnostics from gpg and is better than
> the General Error.
>
>
> Shalom-Salam,
>
> Werner

ok,

here is your requested debug output:

webkey@mail:/var/vmail/procmail$ /usr/lib/gnupg/gpg-wks-client --verbose
--debug crypto --receive --send < sample2.txt
gpg-wks-client: t2body for level 0
gpg-wks-client: t2body for level 1
gpg-wks-client: t2body for level 2
gpg-wks-client: t2body for level 2
gpg-wks-client: new 'application/vnd.gnupg.wks' message part
gpg-wks-client: t2body for level 1
gpg-wks-client: DBG: gpg status: NEWSIG key-submission@deviltracks.net
gpg-wks-client: gpg: Signature made Thu Dec 20 09:41:21 2018 EST
gpg-wks-client: gpg: using RSA key
672DC8471CEA6025761161FE05C53C82C753F2B6
gpg-wks-client: gpg: issuer
"key-submission@deviltracks.net"
gpg-wks-client: DBG: gpg status: KEY_CONSIDERED
672DC8471CEA6025761161FE05C53C82C753F2B6 0
gpg-wks-client: DBG: gpg status: SIG_ID ofQS0AUZIFSt31WutH8lEdQ75Yk
2018-12-20 1545316881
gpg-wks-client: DBG: gpg status: KEY_CONSIDERED
672DC8471CEA6025761161FE05C53C82C753F2B6 0
gpg-wks-client: DBG: gpg status: GOODSIG 05C53C82C753F2B6
key-submission@deviltracks.net
gpg-wks-client: gpg: Good signature from
"key-submission@deviltracks.net" [unknown]
gpg-wks-client: DBG: gpg status: VALIDSIG
672DC8471CEA6025761161FE05C53C82C753F2B6 2018-12-20 1545316881 0 4 0 1
10 00 672DC8471CEA6025761161FE05C53C82C753F2B6
gpg-wks-client: gpg: WARNING: Using untrusted key!
gpg-wks-client: gpg: binary signature, digest algorithm SHA512, key
algorithm rsa3072
gpg-wks-client: DBG: gpg status: VERIFICATION_COMPLIANCE_MODE 23
gpg-wks-client: DBG: Fixme: Verification result is not used
gpg-wks-client: wkd data found
gpg-wks-client: draft version 2 requested
gpg-wks-client: DBG: gpg status: ENC_TO FAD6496868B818DD 1 0
gpg-wks-client: gpg: encrypted with RSA key, ID FAD6496868B818DD
gpg-wks-client: DBG: gpg status: NO_SECKEY FAD6496868B818DD
gpg-wks-client: DBG: gpg status: BEGIN_DECRYPTION
gpg-wks-client: DBG: gpg status: DECRYPTION_FAILED
gpg-wks-client: gpg: decryption failed: No secret key
gpg-wks-client: DBG: gpg status: END_DECRYPTION
gpg-wks-client: error running '/usr/bin/gpg': exit status 2
gpg-wks-client: decryption failed: General error
gpg-wks-client: decryption failed: General error
gpg-wks-client: processing mail failed: General error


that key id mentioned as missing, "FAD6496868B818DD", is that of my
test123 address from my client testbed. i would have assumed it would be
encrypted to the key-submission address' key. am i wrong? is it so that
i could also read the message in my sent folder so it's encrypted to
both of us? i'm just thinking aloud. let me know what you think. thanks.
--

Thanks,

Fabian S.

OpenPGP: 0xE05BF5EEFDD6549DAD3EDF64AE4E3D03B4F2DF29

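As an added illustration (not code from the thread or from GnuPG): a small Python triage of the `--verbose --debug crypto` status lines above, run over constructed sample lines copied from this post, that separates the server's signature result (NEWSIG/GOODSIG/VALIDSIG) from the challenge's recipients (ENC_TO/NO_SECKEY) and reports the missing secret key; the verdict strings are this example's own.

```python
import re

# Constructed sample: the status lines from the failing run in this thread
# (key ids are the thread's own). The signature lines belong to the server's
# signature on the request, ENC_TO/NO_SECKEY to the encrypted challenge.
SAMPLE_LOG = """\
gpg-wks-client: DBG: gpg status: NEWSIG key-submission@deviltracks.net
gpg-wks-client: DBG: gpg status: GOODSIG 05C53C82C753F2B6 key-submission@deviltracks.net
gpg-wks-client: DBG: gpg status: VALIDSIG 672DC8471CEA6025761161FE05C53C82C753F2B6 2018-12-20 1545316881 0 4 0 1 10 00 672DC8471CEA6025761161FE05C53C82C753F2B6
gpg-wks-client: wkd data found
gpg-wks-client: DBG: gpg status: ENC_TO FAD6496868B818DD 1 0
gpg-wks-client: DBG: gpg status: NO_SECKEY FAD6496868B818DD
gpg-wks-client: DBG: gpg status: DECRYPTION_FAILED
"""

STATUS_RE = re.compile(r"gpg status: (\S+)(?:\s+(.*))?$")


def parse_status(log):
    """Return [(keyword, [args...])] for every 'DBG: gpg status:' line."""
    found = []
    for line in log.splitlines():
        m = STATUS_RE.search(line)
        if m:
            found.append((m.group(1), (m.group(2) or "").split()))
    return found


def diagnose(log):
    """Turn the status lines into a short verdict on why --receive failed."""
    rep = {"server_sig": None, "sig_valid": False, "enc_to": [], "no_seckey": []}
    for kw, args in parse_status(log):
        if kw == "GOODSIG" and args:
            rep["server_sig"] = args[0]        # key id that signed the request
        elif kw == "VALIDSIG":
            rep["sig_valid"] = True
        elif kw == "ENC_TO" and args:
            rep["enc_to"].append(args[0])      # recipients of the challenge
        elif kw == "NO_SECKEY" and args:
            rep["no_seckey"].append(args[0])   # recipients we cannot decrypt for
    if not rep["sig_valid"]:
        rep["verdict"] = "server signature missing or invalid: do not answer"
    elif rep["enc_to"] and set(rep["enc_to"]) <= set(rep["no_seckey"]):
        rep["verdict"] = ("no secret key for %s: the challenge is encrypted to "
                          "the key being published, so its secret key must be "
                          "in this client's keyring" % ", ".join(rep["no_seckey"]))
    else:
        rep["verdict"] = "signature and decryption keys look consistent"
    return rep
```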
Re: Setting up wks/ error parsing submission email
On Fri, 21 Dec 2018 15:18, fsantiago@deviltracks.net said:

> webkey@mail:/var/vmail/procmail$ /usr/lib/gnupg/gpg-wks-client
> --verbose --debug crypto --receive --send < sample2.txt

> gpg-wks-client: gpg: Good signature from
> "key-submission@deviltracks.net" [unknown]

The signature from the server. The server signs the confirmation
request to allow the client to detect malicious requests before annoying
the user with a request to decrypt the challenge. All good here.

> gpg-wks-client: DBG: gpg status: ENC_TO FAD6496868B818DD 1 0
> gpg-wks-client: gpg: encrypted with RSA key, ID FAD6496868B818DD

The encrypted challenge. The client must be able to decrypt this to
confirm the publication requests he sent.

> gpg-wks-client: DBG: gpg status: NO_SECKEY FAD6496868B818DD

But for whatever reason the client does not own that private key.

> gpg-wks-client: error running '/usr/bin/gpg': exit status 2

Sure that this is the same gpg version you used to create the challenge?

> that key id mentioned as missing, "FAD6496868B818DD", is that of my
> test123 address from my client testbed. i would have assumed it would
> be encrypted to the key-submission address' key. am i wrong? is it so

No. You encrypt your publication request to the submission address
key. This is not required for the protocol but we want to encrypt as much
traffic as possible.

The server then encrypts to the key you want to have published.

> that i could also read the message in my sent folder so it's encrypted
> to both of us? i'm just thinking aloud. let me know what you

The server does not need to decrypt its own challenge again.


Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
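Added example, not code from the thread or from GnuPG: a parser for the "name: value" text carried in the application/vnd.gnupg.wks part, plus the checks a client should make on a decrypted confirmation request before answering it (the request must name the submission address it wrote to, the mailbox and the fingerprint it asked to publish, and carry a nonce). The sample mirrors the decrypted request shown earlier in the thread with a placeholder nonce; the 16-character nonce floor is this example's own choice.

```python
# Constructed sample in the application/vnd.gnupg.wks text format, mirroring
# the decrypted confirmation request shown earlier in this thread (the nonce
# is a placeholder; the thread redacted the real one).
REQUEST = """\
type: confirmation-request
sender: key-submission@deviltracks.net
address: test123@deviltracks.net
fingerprint: 89CFCD21743DBDD5EB5ABC973879E79EC3420092
nonce: 0123456789abcdef0123456789abcdef
"""


def parse_wks(body):
    """Parse 'name: value' lines; blank and '#' lines are skipped, duplicates rejected."""
    fields = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed line: %r" % raw)
        name = name.strip().lower()
        if name in fields:
            raise ValueError("duplicate field: %s" % name)
        fields[name] = value.strip()
    return fields


def check_request(fields, my_address, my_fingerprint, submission_address):
    """Client-side checks before answering a challenge; returns the problems found."""
    problems = []
    if fields.get("type") != "confirmation-request":
        problems.append("type is not confirmation-request")
    if fields.get("sender", "").lower() != submission_address.lower():
        problems.append("sender is not the submission address we wrote to")
    if fields.get("address", "").lower() != my_address.lower():
        problems.append("address is not the mailbox we asked to publish")
    fpr = fields.get("fingerprint", "").upper().replace(" ", "")
    if fpr != my_fingerprint.upper().replace(" ", ""):
        problems.append("fingerprint is not the key we submitted")
    if len(fields.get("nonce", "")) < 16:   # floor chosen for this example
        problems.append("nonce missing or too short")
    return problems
```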
Re: Setting up wks/ error parsing submission email
On 2018-12-23 05:59, Werner Koch wrote:
> On Fri, 21 Dec 2018 15:18, fsantiago@deviltracks.net said:
>
>> webkey@mail:/var/vmail/procmail$ /usr/lib/gnupg/gpg-wks-client
>> --verbose --debug crypto --receive --send < sample2.txt
>
>> gpg-wks-client: gpg: Good signature from
>> "key-submission@deviltracks.net" [unknown]
>
> The signature from the server. The server signs the confirmation
> request to allow the client to detect malicious requests before
> annoying
> the user with a request to decrypt the challenge. All good here.
>
>> gpg-wks-client: DBG: gpg status: ENC_TO FAD6496868B818DD 1 0
>> gpg-wks-client: gpg: encrypted with RSA key, ID FAD6496868B818DD
>
> The encrypted challenge. The client must be able to decrypt this to
> confirm the publication requests he sent.
>
>> gpg-wks-client: DBG: gpg status: NO_SECKEY FAD6496868B818DD
>
> But for whatever reason the client does not own that private key.
>
>> gpg-wks-client: error running '/usr/bin/gpg': exit status 2
>
> Sure that this is the same gpg version you used to create the
> challenge?
>
>> that key id mentioned as missing, "FAD6496868B818DD", is that of my
>> test123 address from my client testbed. i would have assumed it would
>> be encrypted to the key-submission address' key. am i wrong? is it so
>
> No. You encrypt your publication request to the submission address
> key. This is not required for the protocol but we want to encrypt as
> much
> traffic as possible.
>
> The server then encrypts to the key you want to have published.
>
>> that i could also read the message in my sent folder so it's encrypted
>> to both of us? i'm just thinking aloud. let me know what you
>
> The server does not need to decrypt its own challenge again.
>
>
> Shalom-Salam,
>
> Werner

yes, confirmed same gpg version between both ends. thanks for the
explanation.

--

Thanks,

Fabian S.

OpenPGP: 0xE05BF5EEFDD6549DAD3EDF64AE4E3D03B4F2DF29
