Mailing List Archive

Hi!

On 10/07/2020 23:47, Ayoub Misherghi via Gnupg-users wrote:
> ayoub@vboxpwfl:~/testdir$ gpg --list-secret-keys

Could you do

$ gpg --with-subkey-fingerprint --list-secret-keys

and

$ gpg --version

please?

And do you get a popup asking for your passphrase or is what you post
all the interaction that you get? If that is where the problem lies,
it's good to know your operating system/distribution, your desktop
environment, and stuff like that.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

Hi,


On 7/11/2020 3:34 AM, Peter Lebbing wrote:

Hi! On 10/07/2020 23:47, Ayoub Misherghi via Gnupg-users wrote:

ayoub@vboxpwfl:~/testdir$ gpg --list-secret-keys

Could you do $ gpg --with-subkey-fingerprint --list-secret-keys

ayoub@vboxpwfl:$ gpg --with-subkey-fingerprint --list-secret-keys
/home/ayoub/.gnupg/pubring.kbx
------------------------------
sec   ed25519 2020-07-09 [SC] [expires: 2020-07-19]
      3C5B212A55B966881E2D2718A45398B520BEE91E
uid           [ultimate] sentry
ssb   cv25519 2020-07-09 [E] [expires: 2020-07-19]
      F2A76096E857E2AF607DD144D17AA44F49BB5A08

sec   ed25519 2020-07-09 [SC] [expires: 2021-07-09]
      7A675D7F52BC905C22F8249091556BC29D4C595E
uid           [ultimate] develop1
ssb   cv25519 2020-07-09 [E] [expires: 2021-07-09]
      BFF08DC8259E2E9FBAF92AC1367BD2210D4E904D

and $ gpg --version

ayoub@vboxpwfl:~/sentry/trunk$ gpg --version
gpg (GnuPG) 2.2.19
libgcrypt 1.8.5
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later https://gnu.org/licenses/gpl.html"]<https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/ayoub/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

please? And do you get a popup asking for your passphrase or is what you post all the interaction that you get? If that is where the problem lies, it's good to know your operating system/distribution, your desktop environment, and stuff like that. HTH, Peter.

ayoub@vboxpwfl:~/sentry/trunk$ uname -a
Linux vboxpwfl 5.4.0-40-generic #44-Ubuntu SMP Tue Jun 23 00:01:04 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux





Ubuntu 19.04 running inside VirtualBox on Windows 10








This lists gpg.conf (I have removed all commented lines except two that I show)


ayoub@vboxpwfl:~/sentry/trunk$ cat ~/.gnupg/gpg.conf
batch
pinentry-mode loopback
require-secmem
no-greeting
expert
#--passphrase-file file
#passphrase-file /home/ayoub/.gnupg/output.png




I am not asked for pass phrase even though I have the "passphrase-file" in the gpg.conf commented out.




Thanks

Hi,

On 11/07/2020 19:58, Ayoub Misherghi wrote:
> ayoub@vboxpwfl:~/sentry/trunk$ cat ~/.gnupg/gpg.conf
> batch
> pinentry-mode loopback

Ah yes. Those two options have no place in your gpg.conf. They are
options that you might want to specify as part of the command line on
occasion, but unless you have a very unusual setup they should not be
there. You should remove both. The pinentry-mode is probably what is
preventing you being asked for the passphrase.

> expert

I'd recommend dropping this as well.

> #--passphrase-file file
> #passphrase-file /home/ayoub/.gnupg/output.png

These commented out lines are probably why the pinentry-mode line was
there in the first place. Do you know why these lines, both the
uncommented and the commented ones, are in your gpg.conf?

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

On 12/07/2020 17:45, Ayoub Misherghi wrote:
> Sorry for going off list and messing everybody up. Now I disserve
> punishment.

Heh :-). It's just that if I reply off-list, it only helps you, but if
it is on-list, other people can find it in a search engine when they're
facing something similar.

On 11/07/2020 21:07, Ayoub Misherghi wrote:
> My current intended usage is in non-interactive mode, completely.
> I can remove them from the gpg.conf but I would have to issue them
> every time. My understanding is that non-interactive mode requires
> those commands.

Well, in that case, you should supply --no-batch when you're using it
interactively; I'll show why further down.

My personal choice would be to have my scripts and programs supply the
--batch on invocation rather than put it in the config file, because you
only need to write that command invocation in the script once (as you're
writing the script), whereas you'll be writing the --no-batch every time
you /do/ use it from an interactive shell.

> I selected "expert" mode because I am using ED2599 incrpytion that is
> available only in this mode (I know, I am newbie)

You only need the --expert on commands creating or adding keys for that.
Once you have the key, you no longer need --expert to just use it.

> All the config lines I showed are in my user config.
> A few days ago, my set up, which is still in development phase,
> worked until my short lived gpg keys expired. I fell in deep ***** when
> I created new keys. It all worked, with the passphrase-file option and
> without, before I fell. Can you pull this dumb newbie out?

I think the combination that worked might have been

--8<---------------cut here---------------start------------->8---
pinentry-mode loopback
passphrase-file /home/ayoub/.gnupg/output.png
--8<---------------cut here---------------end--------------->8---

but once you commented out the passphrase-file entry, GnuPG had no way
to get the passphrase. Normally you should use the pinentry (so comment
out the pinentry-mode line as well), but you force it to use the
loopback pinentry-mode. gpg _could_ ask for your passphrase that way.
But, you also specify --batch. --batch tells GnuPG that the human is
currently unavailable and it needn't bother trying to interact with it.
So it has no way to get the passphrase and gives up.

It will ask you for the passphrase when you comment out --batch, but I
recommend also commenting out the --pinentry-mode line so it'll just
launch a pinentry like it wants to do.

Now about this configuration:

--8<---------------cut here---------------start------------->8---
pinentry-mode loopback
passphrase-file /home/ayoub/.gnupg/output.png
--8<---------------cut here---------------end--------------->8---

If this file is stored with the same access conditions as
~/.gnupg/private-keys-v1.d/, it serves no good purpose. You should then
just use a key without a passphrase. With a key without a passphrase, an
attacker would just need the file

~/.gnupg/private-keys-v1.d/[...].key

and they're good to go. With your passphrase-file, they need two files:

~/.gnupg/private-keys-v1.d/[...].key
~/.gnupg/output.png

and once again they're good to go, they have your private key. Why would
it be more difficult to get a hold of two files rather than one? Just
drop the passphrase, and all your problems magically disappear :-).

But given its name, I suppose output.png is generated by some unlocking
process. Suppose you did it like this before:

$ my-unlocker >~/.gnupg/output.png

You can actually unlock keys the way GnuPG intends to do that with:

$ my-unlocker | /usr/lib/gnupg/gpg-preset-passphrase --preset <keygrip>

You can find the keygrip for your keys with:

$ gpg --with-keygrip --list-secret-keys

You do need it for every subkey you want to use like this separately,
and also, it does not verify whether the passphrase was correct. Also,
put

allow-preset-passphrase
max-cache-ttl <seconds>

in ~/.gnupg/gpg-agent.conf

and issue

$ gpgconf --kill gpg-agent

to reload. <seconds> is how long you want the passphrase to stay
available after gpg-preset-passphrase, and it defaults to a mere 2
hours. You could set it to 4294967295 to specify a lifetime of 136
years, i.e., infinitely for all practical purposes.

Watch out that my-unlocker doesn't leak the passphrase in any way. I
thought it was unhelfpul that you can't use the pinentry with
gpg-preset-passphrase and I proposed a hack more than two years ago:

https://lists.gnupg.org/pipermail/gnupg-users/2018-February/059917.html

It's pretty hacky, but it does seem to work.

You could actually just unlock your key by using it once when you start
up your system, and then use the caching feature to keep it available
for non-interactive use for the rest of the time. Then you don't use
gpg-preset-passphrase, but put, e.g., this in your gpg-agent.conf

default-cache-ttl 4294967295
max-cache-ttl 4294967295

and unlock your key by doing one decryption:

$ echo Open Sesame | gpg -r develop1 -e | gpg -d

This will pop up a pinentry for your passphrase, and since you set the
cache-ttl to infinity, it will never popup a pinentry again on
decryptions until you restart gpg-agent. It's a pretty good workflow
that uses all parts as they were intended.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

Thanks. This exposes to me how little I know and it will take me time to
absorb it. None of this information is in anything I read. Nothing comes
close. I will not come to grips with it with the kind of reading
material I have. Can you please suggest some good tutorial and reference
material preferably free (probably mutually exclusive requirements) that
will bring me up to your level or close to it please.


The material I come across is just like silly preschool stuff with 1/4
truth which keeps you ill informed and miss informed and throws you off
track. They over simplify and drain education out of you making you zombie.


Thanks,


Ayoub


On 7/12/2020 9:15 AM, Peter Lebbing wrote:
> On 12/07/2020 17:45, Ayoub Misherghi wrote:
>> Sorry for going off list and messing everybody up. Now I disserve
>> punishment.
> Heh :-). It's just that if I reply off-list, it only helps you, but if
> it is on-list, other people can find it in a search engine when they're
> facing something similar.
>
> On 11/07/2020 21:07, Ayoub Misherghi wrote:
>> My current intended usage is in non-interactive mode, completely.
>> I can remove them from the gpg.conf but I would have to issue them
>> every time. My understanding is that non-interactive mode requires
>> those commands.
> Well, in that case, you should supply --no-batch when you're using it
> interactively; I'll show why further down.
>
> My personal choice would be to have my scripts and programs supply the
> --batch on invocation rather than put it in the config file, because you
> only need to write that command invocation in the script once (as you're
> writing the script), whereas you'll be writing the --no-batch every time
> you /do/ use it from an interactive shell.
>
>> I selected "expert" mode because I am using ED2599 incrpytion that is
>> available only in this mode (I know, I am newbie)
> You only need the --expert on commands creating or adding keys for that.
> Once you have the key, you no longer need --expert to just use it.
>
>> All the config lines I showed are in my user config.
>> A few days ago, my set up, which is still in development phase,
>> worked until my short lived gpg keys expired. I fell in deep ***** when
>> I created new keys. It all worked, with the passphrase-file option and
>> without, before I fell. Can you pull this dumb newbie out?
> I think the combination that worked might have been
>
> --8<---------------cut here---------------start------------->8---
> pinentry-mode loopback
> passphrase-file /home/ayoub/.gnupg/output.png
> --8<---------------cut here---------------end--------------->8---
>
> but once you commented out the passphrase-file entry, GnuPG had no way
> to get the passphrase. Normally you should use the pinentry (so comment
> out the pinentry-mode line as well), but you force it to use the
> loopback pinentry-mode. gpg _could_ ask for your passphrase that way.
> But, you also specify --batch. --batch tells GnuPG that the human is
> currently unavailable and it needn't bother trying to interact with it.
> So it has no way to get the passphrase and gives up.
>
> It will ask you for the passphrase when you comment out --batch, but I
> recommend also commenting out the --pinentry-mode line so it'll just
> launch a pinentry like it wants to do.
>
> Now about this configuration:
>
> --8<---------------cut here---------------start------------->8---
> pinentry-mode loopback
> passphrase-file /home/ayoub/.gnupg/output.png
> --8<---------------cut here---------------end--------------->8---
>
> If this file is stored with the same access conditions as
> ~/.gnupg/private-keys-v1.d/, it serves no good purpose. You should then
> just use a key without a passphrase. With a key without a passphrase, an
> attacker would just need the file
>
> ~/.gnupg/private-keys-v1.d/[...].key
>
> and they're good to go. With your passphrase-file, they need two files:
>
> ~/.gnupg/private-keys-v1.d/[...].key
> ~/.gnupg/output.png
>
> and once again they're good to go, they have your private key. Why would
> it be more difficult to get a hold of two files rather than one? Just
> drop the passphrase, and all your problems magically disappear :-).
>
> But given its name, I suppose output.png is generated by some unlocking
> process. Suppose you did it like this before:
>
> $ my-unlocker >~/.gnupg/output.png
>
> You can actually unlock keys the way GnuPG intends to do that with:
>
> $ my-unlocker | /usr/lib/gnupg/gpg-preset-passphrase --preset <keygrip>
>
> You can find the keygrip for your keys with:
>
> $ gpg --with-keygrip --list-secret-keys
>
> You do need it for every subkey you want to use like this separately,
> and also, it does not verify whether the passphrase was correct. Also,
> put
>
> allow-preset-passphrase
> max-cache-ttl <seconds>
>
> in ~/.gnupg/gpg-agent.conf
>
> and issue
>
> $ gpgconf --kill gpg-agent
>
> to reload. <seconds> is how long you want the passphrase to stay
> available after gpg-preset-passphrase, and it defaults to a mere 2
> hours. You could set it to 4294967295 to specify a lifetime of 136
> years, i.e., infinitely for all practical purposes.
>
> Watch out that my-unlocker doesn't leak the passphrase in any way. I
> thought it was unhelfpul that you can't use the pinentry with
> gpg-preset-passphrase and I proposed a hack more than two years ago:
>
> https://lists.gnupg.org/pipermail/gnupg-users/2018-February/059917.html
>
> It's pretty hacky, but it does seem to work.
>
> You could actually just unlock your key by using it once when you start
> up your system, and then use the caching feature to keep it available
> for non-interactive use for the rest of the time. Then you don't use
> gpg-preset-passphrase, but put, e.g., this in your gpg-agent.conf
>
> default-cache-ttl 4294967295
> max-cache-ttl 4294967295
>
> and unlock your key by doing one decryption:
>
> $ echo Open Sesame | gpg -r develop1 -e | gpg -d
>
> This will pop up a pinentry for your passphrase, and since you set the
> cache-ttl to infinity, it will never popup a pinentry again on
> decryptions until you restart gpg-agent. It's a pretty good workflow
> that uses all parts as they were intended.
>
> HTH,
>
> Peter.
>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Sorry for splitting Peter and Philihp  into two threads.





I have probably put my gpg environment/program in a state it cannot come out of. I want to do what cowards do. I want to uninstall gpg and start all over again, escaping from the mess I put my self into somehow. With the advice you gave me I should do better next the time, and hopefully  stay out of trouble.





I have not given anybody any of the IDs yet. And besides, the intended application is non interactive and also does not communicate anything. It hides everything and itself from ever body and ever thing, let alone the keys (or at least that is the intention if a manage to keep me out of trouble. I am a ASIC hardware guy venturing to do what I should not; obviously.)





How do I ensure I uninstall without leaving any history or state that could affect a new install please? Sorry for the head ache I am giving you. If I manage to make money and not go bankrupt I will remember my friends.





On 7/12/2020 11:01 AM, Ayoub Misherghi wrote:

Thanks. This exposes to me how little I know and it will take me time to absorb it. None of this information is in anything I read. Nothing comes close. I will not come to grips with it with the kind of reading material I have. Can you please suggest some good tutorial and reference material preferably free (probably mutually exclusive requirements) that will bring me up to your level or close to it please.


The material I come across is just like silly preschool stuff with 1/4 truth which keeps you ill informed and miss informed and throws you off track. They over simplify and drain education out of you making you zombie.


Thanks,


Ayoub


On 7/12/2020 9:15 AM, Peter Lebbing wrote:

On 12/07/2020 17:45, Ayoub Misherghi wrote:

Sorry for going off list and messing everybody up. Now I disserve
punishment.

Heh :-). It's just that if I reply off-list, it only helps you, but if
it is on-list, other people can find it in a search engine when they're
facing something similar.

On 11/07/2020 21:07, Ayoub Misherghi wrote:

My current intended usage is in non-interactive mode, completely.
I can remove them from the gpg.conf but I would have to issue them
every time. My understanding is that non-interactive mode requires
those commands.

Well, in that case, you should supply --no-batch when you're using it
interactively; I'll show why further down.

My personal choice would be to have my scripts and programs supply the
--batch on invocation rather than put it in the config file, because you
only need to write that command invocation in the script once (as you're
writing the script), whereas you'll be writing the --no-batch every time
you /do/ use it from an interactive shell.

I selected "expert" mode because I am using ED2599 incrpytion that is
available only in this mode (I know, I am newbie)

You only need the --expert on commands creating or adding keys for that.
Once you have the key, you no longer need --expert to just use it.

All the config lines I showed are in my user config.
A few days ago, my set up, which is still in development phase,
worked until my short lived gpg keys expired. I fell in deep ***** when
I created new keys. It all worked, with the passphrase-file option and
without, before I fell. Can you pull this dumb newbie out?

I think the combination that worked might have been

--8<---------------cut here---------------start------------->8---
pinentry-mode loopback
passphrase-file /home/ayoub/.gnupg/output.png
--8<---------------cut here---------------end--------------->8---

but once you commented out the passphrase-file entry, GnuPG had no way
to get the passphrase. Normally you should use the pinentry (so comment
out the pinentry-mode line as well), but you force it to use the
loopback pinentry-mode. gpg _could_ ask for your passphrase that way.
But, you also specify --batch. --batch tells GnuPG that the human is
currently unavailable and it needn't bother trying to interact with it.
So it has no way to get the passphrase and gives up.

It will ask you for the passphrase when you comment out --batch, but I
recommend also commenting out the --pinentry-mode line so it'll just
launch a pinentry like it wants to do.

Now about this configuration:

--8<---------------cut here---------------start------------->8---
pinentry-mode loopback
passphrase-file /home/ayoub/.gnupg/output.png
--8<---------------cut here---------------end--------------->8---

If this file is stored with the same access conditions as
~/.gnupg/private-keys-v1.d/, it serves no good purpose. You should then
just use a key without a passphrase. With a key without a passphrase, an
attacker would just need the file

~/.gnupg/private-keys-v1.d/[..].key

and they're good to go. With your passphrase-file, they need two files:

~/.gnupg/private-keys-v1.d/[..].key
~/.gnupg/output.png

and once again they're good to go, they have your private key. Why would
it be more difficult to get a hold of two files rather than one? Just
drop the passphrase, and all your problems magically disappear :-).

But given its name, I suppose output.png is generated by some unlocking
process. Suppose you did it like this before:

$ my-unlocker >~/.gnupg/output.png

You can actually unlock keys the way GnuPG intends to do that with:

$ my-unlocker | /usr/lib/gnupg/gpg-preset-passphrase --preset <keygrip>

You can find the keygrip for your keys with:

$ gpg --with-keygrip --list-secret-keys

You do need it for every subkey you want to use like this separately,
and also, it does not verify whether the passphrase was correct. Also,
put

allow-preset-passphrase
max-cache-ttl <seconds>

in ~/.gnupg/gpg-agent.conf

and issue

$ gpgconf --kill gpg-agent

to reload. <seconds> is how long you want the passphrase to stay
available after gpg-preset-passphrase, and it defaults to a mere 2
hours. You could set it to 4294967295 to specify a lifetime of 136
years, i.e., infinitely for all practical purposes.

Watch out that my-unlocker doesn't leak the passphrase in any way. I
thought it was unhelfpul that you can't use the pinentry with
gpg-preset-passphrase and I proposed a hack more than two years ago:

https://lists.gnupg.org/pipermail/gnupg-users/2018-February/059917.html"]https://lists.gnupg.org/pipermail/gnupg-users/2018-February/059917.html

It's pretty hacky, but it does seem to work.

You could actually just unlock your key by using it once when you start
up your system, and then use the caching feature to keep it available
for non-interactive use for the rest of the time. Then you don't use
gpg-preset-passphrase, but put, e.g., this in your gpg-agent.conf

default-cache-ttl 4294967295
max-cache-ttl 4294967295

and unlock your key by doing one decryption:

$ echo Open Sesame | gpg -r develop1 -e | gpg -d

This will pop up a pinentry for your passphrase, and since you set the
cache-ttl to infinity, it will never popup a pinentry again on
decryptions until you restart gpg-agent. It's a pretty good workflow
that uses all parts as they were intended.

HTH,

Peter.

I am re-sending this text only. I made the mistake of sending it html
previously.

--------------------------------------------------------

Sorry for splitting Peter and Philihp  into two threads.


I have probably put my gpg environment/program in a state it cannot come
out of. I want to do what cowards do. I want to uninstall gpg and start
all over again, escaping from the mess I put my self into somehow. With
the advice you gave me I should do better next the time, and hopefully 
stay out of trouble.


I have not given anybody any of the IDs yet. And besides, the intended
application is non interactive and also does not communicate anything.
It hides everything and itself from ever body and ever thing, let alone
the keys (or at least that is the intention if a manage to keep me out
of trouble. I am a ASIC hardware guy venturing to do what I should not;
obviously.)


How do I ensure I uninstall without leaving any history or state that
could affect a new install please? Sorry for the head ache I am giving
you. If I manage to make money and not go bankrupt I will remember my
friends.


On 7/12/2020 11:01 AM, Ayoub Misherghi wrote:
>
> Thanks. This exposes to me how little I know and it will take me time
> to absorb it. None of this information is in anything I read. Nothing
> comes close. I will not come to grips with it with the kind of reading
> material I have. Can you please suggest some good tutorial and
> reference material preferably free (probably mutually exclusive
> requirements) that will bring me up to your level or close to it please.
>
>
> The material I come across is just like silly preschool stuff with 1/4
> truth which keeps you ill informed and miss informed and throws you
> off track. They over simplify and drain education out of you making
> you zombie.
>
>
> Thanks,
>
>
> Ayoub
>
>
> On 7/12/2020 9:15 AM, Peter Lebbing wrote:
>> On 12/07/2020 17:45, Ayoub Misherghi wrote:
>>> Sorry for going off list and messing everybody up. Now I disserve
>>> punishment.
>> Heh :-). It's just that if I reply off-list, it only helps you, but if
>> it is on-list, other people can find it in a search engine when they're
>> facing something similar.
>>
>> On 11/07/2020 21:07, Ayoub Misherghi wrote:
>>> My current intended usage is in non-interactive mode, completely.
>>> I can remove them from the gpg.conf but I would have to issue them
>>> every time. My understanding is that non-interactive mode requires
>>> those commands.
>> Well, in that case, you should supply --no-batch when you're using it
>> interactively; I'll show why further down.
>>
>> My personal choice would be to have my scripts and programs supply the
>> --batch on invocation rather than put it in the config file, because you
>> only need to write that command invocation in the script once (as you're
>> writing the script), whereas you'll be writing the --no-batch every time
>> you /do/ use it from an interactive shell.
>>
>>> I selected "expert" mode because I am using ED2599 incrpytion that is
>>> available only in this mode (I know, I am newbie)
>> You only need the --expert on commands creating or adding keys for that.
>> Once you have the key, you no longer need --expert to just use it.
>>
>>> All the config lines I showed are in my user config.
>>> A few days ago, my set up, which is still in development phase,
>>> worked until my short lived gpg keys expired. I fell in deep ***** when
>>> I created new keys. It all worked, with the passphrase-file option and
>>> without, before I fell. Can you pull this dumb newbie out?
>> I think the combination that worked might have been
>>
>> --8<---------------cut here---------------start------------->8---
>> pinentry-mode loopback
>> passphrase-file /home/ayoub/.gnupg/output.png
>> --8<---------------cut here---------------end--------------->8---
>>
>> but once you commented out the passphrase-file entry, GnuPG had no way
>> to get the passphrase. Normally you should use the pinentry (so comment
>> out the pinentry-mode line as well), but you force it to use the
>> loopback pinentry-mode. gpg _could_ ask for your passphrase that way.
>> But, you also specify --batch. --batch tells GnuPG that the human is
>> currently unavailable and it needn't bother trying to interact with it.
>> So it has no way to get the passphrase and gives up.
>>
>> It will ask you for the passphrase when you comment out --batch, but I
>> recommend also commenting out the --pinentry-mode line so it'll just
>> launch a pinentry like it wants to do.
>>
>> Now about this configuration:
>>
>> --8<---------------cut here---------------start------------->8---
>> pinentry-mode loopback
>> passphrase-file /home/ayoub/.gnupg/output.png
>> --8<---------------cut here---------------end--------------->8---
>>
>> If this file is stored with the same access conditions as
>> ~/.gnupg/private-keys-v1.d/, it serves no good purpose. You should then
>> just use a key without a passphrase. With a key without a passphrase, an
>> attacker would just need the file
>>
>> ~/.gnupg/private-keys-v1.d/[...].key
>>
>> and they're good to go. With your passphrase-file, they need two files:
>>
>> ~/.gnupg/private-keys-v1.d/[...].key
>> ~/.gnupg/output.png
>>
>> and once again they're good to go, they have your private key. Why would
>> it be more difficult to get a hold of two files rather than one? Just
>> drop the passphrase, and all your problems magically disappear :-).
>>
>> But given its name, I suppose output.png is generated by some unlocking
>> process. Suppose you did it like this before:
>>
>> $ my-unlocker >~/.gnupg/output.png
>>
>> You can actually unlock keys the way GnuPG intends to do that with:
>>
>> $ my-unlocker | /usr/lib/gnupg/gpg-preset-passphrase --preset <keygrip>
>>
>> You can find the keygrip for your keys with:
>>
>> $ gpg --with-keygrip --list-secret-keys
>>
>> You do need it for every subkey you want to use like this separately,
>> and also, it does not verify whether the passphrase was correct. Also,
>> put
>>
>> allow-preset-passphrase
>> max-cache-ttl <seconds>
>>
>> in ~/.gnupg/gpg-agent.conf
>>
>> and issue
>>
>> $ gpgconf --kill gpg-agent
>>
>> to reload. <seconds> is how long you want the passphrase to stay
>> available after gpg-preset-passphrase, and it defaults to a mere 2
>> hours. You could set it to 4294967295 to specify a lifetime of 136
>> years, i.e., infinitely for all practical purposes.
>>
>> Watch out that my-unlocker doesn't leak the passphrase in any way. I
>> thought it was unhelfpul that you can't use the pinentry with
>> gpg-preset-passphrase and I proposed a hack more than two years ago:
>>
>> https://lists.gnupg.org/pipermail/gnupg-users/2018-February/059917.html
>>
>> It's pretty hacky, but it does seem to work.
>>
>> You could actually just unlock your key by using it once when you start
>> up your system, and then use the caching feature to keep it available
>> for non-interactive use for the rest of the time. Then you don't use
>> gpg-preset-passphrase, but put, e.g., this in your gpg-agent.conf
>>
>> default-cache-ttl 4294967295
>> max-cache-ttl 4294967295
>>
>> and unlock your key by doing one decryption:
>>
>> $ echo Open Sesame | gpg -r develop1 -e | gpg -d
>>
>> This will pop up a pinentry for your passphrase, and since you set the
>> cache-ttl to infinity, it will never popup a pinentry again on
>> decryptions until you restart gpg-agent. It's a pretty good workflow
>> that uses all parts as they were intended.
>>
>> HTH,
>>
>> Peter.
>>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

It is working now. The problem was in gpg-agent.conf that I forgot about. I did not do a re-install.


I learned from this list. Thanks.

On 12/07/2020 20:01, Ayoub Misherghi wrote:
> Can you please suggest some good tutorial and reference material
> preferably free (probably mutually exclusive requirements) that will
> bring me up to your level or close to it please.

No, I think the available documentation is lacking in quality. And
on the other hand there's a lot of bad advice on websites. It's an
unfortunate situation, but few people enjoy writing good documentation.
It is a very laborious process.

Sorry I can't be of better assistance.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

How about collective and cooperative effort in a wiki, or cloud funding
pledges or donations? Those who contribute (money or effort) get
privilege of some kind.


On 7/26/2020 2:48 AM, Peter Lebbing wrote:
> On 12/07/2020 20:01, Ayoub Misherghi wrote:
>> Can you please suggest some good tutorial and reference material
>> preferably free (probably mutually exclusive requirements) that will
>> bring me up to your level or close to it please.
> No, I think the available documentation is lacking in quality. And
> on the other hand there's a lot of bad advice on websites. It's an
> unfortunate situation, but few people enjoy writing good documentation.
> It is a very laborious process.
>
> Sorry I can't be of better assistance.
>
> Peter.
>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

> How about collective and cooperative effort in a wiki, or cloud funding
> pledges or donations? Those who contribute (money or effort) get
> privilege of some kind.

I am very pessimistic about the idea of collective effort. What
experience has taught me from working on the FAQ is that a small number
of people with extreme ideas speak up the loudest, and the vast majority
of users who are calm and reasonable speak up barely at all.


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

I understand it can be frustrating, especially if nobody has a deciding
vote or Vito power or moderator power. Someone should have have veto
power and anybody with other ideas can always fork and do his own thing.
That way it may probably work. A tyrant can stay on course and others
fork and be their own tyrant and are free to produce something better.


The moderators on this list (I do not know who they are) have been
tyrannical excluding some of my posts; I am not bitter or resentful. I
have to live up to standard and my posts have to be kind and gentle so
as not to burden those trying to help me for free; and amenable to
support by helping whoever is helping me. If there was no tyrant I could
have caused nuisance. Documentation needs a tyrant too.


On 7/26/2020 12:01 PM, Robert J. Hansen wrote:
>> How about collective and cooperative effort in a wiki, or cloud funding
>> pledges or donations? Those who contribute (money or effort) get
>> privilege of some kind.
> I am very pessimistic about the idea of collective effort. What
> experience has taught me from working on the FAQ is that a small number
> of people with extreme ideas speak up the loudest, and the vast majority
> of users who are calm and reasonable speak up barely at all.
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

On Sun, 26 Jul 2020 12:59, Ayoub Misherghi said:

> The moderators on this list (I do not know who they are) have been
> tyrannical excluding some of my posts; I am not bitter or resentful. I

This mailing list is not moderated and thus your post are not excluded
by any moderated. The only automatic rejection we have are for too long
posts. In some very rare cases we set the moderation flag for a
specific user but that is announced on the list. I just checked that
it is not the case for you.

What our helpful moderators are mainly doing is to allow posts from
non-subscribers.

Please calm down and don't spread unjustified accusations.


Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

Sorry for seeming to be "spreading unjustified accusations". What I said
was meant to encourage that sort of "benign tyranny", I was not
complaining; or at least that was not my intention.


Thank you for explaining how the list works.


Ayoub


On 7/27/2020 2:08 AM, Werner Koch wrote:
> On Sun, 26 Jul 2020 12:59, Ayoub Misherghi said:
>
>> The moderators on this list (I do not know who they are) have been
>> tyrannical excluding some of my posts; I am not bitter or resentful. I
> This mailing list is not moderated and thus your post are not excluded
> by any moderated. The only automatic rejection we have are for too long
> posts. In some very rare cases we set the moderation flag for a
> specific user but that is announced on the list. I just checked that
> it is not the case for you.
>
> What our helpful moderators are mainly doing is to allow posts from
> non-subscribers.
>
> Please calm down and don't spread unjustified accusations.
>
>
> Salam-Shalom,
>
> Werner
>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

* Ayoub Misherghi via Gnupg-users:

> How about collective and cooperative effort in a wiki, or cloud
> funding pledges or donations? Those who contribute (money or effort)
> get privilege of some kind.

From what I observed over the years, a majority of Wikis only really
work within closely knit groups of people where contributions are
limited to a select few who genuinely know what they are writing about.

I do not want amateurs, be it well-meaning or malicious, write about
security related subjects in a Wiki, because that might (in the eyes of
casual visitors and search-engines) cause their scribblings to be
confused with facts. The amount of BS that can be found on Wikipedia is
case in point.

A Wiki about encryption with write access limited to people who
demonstrably understand the math sounds like a good thing to me, but a
"Community Wiki" does not. Community usually (and sadly) means too many
loud-mouthed, attention-seeking bozos.

-Ralph

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

On 28-07-2020 14:42, Ralph Seichter via Gnupg-users wrote:

> confused with facts. The amount of BS that can be found on Wikipedia is
> case in point.

Do you have examples of this for security related subjects? I know there
are issues with politically sensitive subjects but that has usually
other reasons.

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

* Johan Wevers:

> Do you have examples of this for security related subjects?

I try not to rely on Wikipedia, in particular when searching for
sensitive subjects. Besides, if that was unclear, I mentioned Wikipedia
as a general example of the good concept of a Wiki colliding with
humanity, not for any particular subject matter. Too many cooks, and
some without training or taste buds.

Used to be that compiling an encyclopedia took a huge number of
competent researchers and authors. No wonder the things were so damn
expensive.

-Ralph

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users