
WKD question
Hi all,

I must admit I am a bit out of the loop when it comes to GnuPG
configuration.

For testing my new Nitrokey I have just installed Enigmail for
Thunderbird on a fresh Ubuntu system, and when clicking on
a signed message from a friend, who has properly set up
WKD, Thunderbird/Enigmail cannot fetch the pub key. :-(

I also tried under Windows, with gpg4win, and also no luck.

What do I have to do so that this works? I thought that GnuPG
and Enigmail nowadays default to WKD too.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: WKD question
Stefan Claas <sac@300baud.de> wrote:
> Enigmail for Thunderbird on a fresh Ubuntu system
> when clicking on a signed message from a friend, who has properly set up WKD, Thunderbird/Enigmail cannot fetch the pub key. :-(

Unfortunately, ‘can not’ is not a very informative description. Does it return any error? How do you know that it even tries?

> What do I have to do so that this works? I thought that GnuPG and Enigmail nowadays default to WKD too.

You mean that you expect GPG to silently fetch absent keys when checking signatures out of the box? No, it does not do that:

| '--auto-key-retrieve'
| '--no-auto-key-retrieve'
| These options enable or disable the automatic retrieving of keys
| from a keyserver when verifying signatures made by keys that are
| not on the local keyring. The default is '--no-auto-key-retrieve'.
|
| If the method "wkd" is included in the list of methods given to
| 'auto-key-locate', the signer's user ID is part of the signature,
| and the option '--disable-signer-uid' is not used, the "wkd" method
| may also be used to retrieve a key.
|
| Note that this option makes a "web bug" like behavior possible.
| Keyserver or Web Key Directory operators can see which keys you
| request, so by sending you a message signed by a brand new key
| (which you naturally will not have on your local keyring), the
| operator can tell both your IP address and the time when you
| verified the signature.
— (info "(gnupg) GPG Configuration Options")
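The options quoted from the manual live in gpg.conf. As an added example (not GnuPG's code and not from any poster in this thread), the Python below parses a gpg.conf the way I understand GnuPG reads it and reports what the effective key-retrieval settings imply for the "web bug" the manual warns about. The two sample configurations are constructed, and the parsing rules (comment lines starting with '#', later on/off options overriding earlier ones, comma-separated auto-key-locate methods accumulating unless 'clear' resets them) are assumptions stated in the code.

```python
"""Audit a gpg.conf for the key-retrieval options discussed in the thread.

Added example, not GnuPG's own code. Parsing rules are assumptions about
gpg.conf: one option per line, lines starting with '#' are comments, a
leading '--' is tolerated, a later on/off option overrides an earlier one,
and 'auto-key-locate' values accumulate as a comma list unless 'clear'
appears.
"""
from __future__ import annotations

# Constructed sample configs (not from the thread): the state before Stefan
# changed anything, and the state he ends up with after enabling retrieval.
CONF_DEFAULT = """\
# nothing about key retrieval set: gpg behaves as --no-auto-key-retrieve
keyserver hkps://keys.openpgp.org
"""

CONF_ENABLED = """\
auto-key-locate local,wkd
# fetch missing keys while verifying signatures (the web-bug trade-off)
auto-key-retrieve
keyserver hkps://keys.openpgp.org
"""


def parse_gpg_conf(text: str) -> dict:
    """Return the effective settings: 'auto_key_retrieve' (bool),
    'auto_key_locate' (ordered list of methods) and 'keyserver' (str or None)."""
    state = {"auto_key_retrieve": False, "auto_key_locate": [], "keyserver": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.lstrip("-").split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if name == "auto-key-retrieve":
            state["auto_key_retrieve"] = True
        elif name == "no-auto-key-retrieve":
            state["auto_key_retrieve"] = False
        elif name == "auto-key-locate":
            for method in (m.strip().lower() for m in value.split(",")):
                if method == "clear":
                    state["auto_key_locate"] = []
                elif method and method not in state["auto_key_locate"]:
                    state["auto_key_locate"].append(method)
        elif name == "keyserver":
            state["keyserver"] = value or None
    return state


def audit(state: dict) -> list[str]:
    """Findings a defender would want, derived from the manual text quoted above."""
    findings = []
    if not state["auto_key_retrieve"]:
        findings.append("auto-key-retrieve is off: signatures by unknown keys stay "
                        "unverified until the key is imported by hand")
        return findings
    # With retrieval on, whoever serves the key learns the verifier's IP and the
    # time of verification; WKD is consulted only if listed in auto-key-locate.
    observers = []
    if "wkd" in state["auto_key_locate"]:
        observers.append("WKD operator of the signer's domain")
    observers.append("keyserver %s" % state["keyserver"] if state["keyserver"]
                     else "gpg's default keyserver")
    findings.append("auto-key-retrieve is on: verifying a signature may reveal your IP "
                    "and the time of verification to: " + "; ".join(observers))
    return findings
```

Run `audit(parse_gpg_conf(open(path).read()))` on a real gpg.conf to see which parties a signature verification would contact; the function deliberately does not resolve GnuPG's built-in default keyserver, since that depends on the installed version.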
Re: WKD question
Dmitry Alexandrov wrote:

> Stefan Claas <sac@300baud.de> wrote:
> > Enigmail for Thunderbird on a fresh Ubuntu system
> > when clicking on a signed message from a friend, who has properly set up WKD, Thunderbird/Enigmail cannot fetch the pub
> > key. :-(
>
> Unfortunately, ‘can not’ is not a very informative description. Does it return any error? How do you know that it even tries?

Sorry for the bad description. When having a signed message in Enigmail
and you do not have the pub key in your key ring, it shows a yellow bar and
asks if you would like to decrypt the message. When clicking on the decrypt button
it searches key servers and not WKD.

> > What do I have to do so that this works? I thought that GnuPG and Enigmail nowadays default to WKD too.
>
> You mean that you expect GPG to silently fetch absent keys when checking signatures out of the box? No, it does not
> do that:

[...]

Thanks, with auto-key-retrieve and auto-key-locate WKD etc. it works when
clicking on the decrypt button in Enigmail or the lock button in Claws-Mail.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: WKD question
On Mon, Jul 27, 2020 at 10:00:07PM +0200, Stefan Claas wrote:
>For testing my new Nitrokey I have just installed Enigmail for
>Thunderbird on a fresh Ubuntu system, and when clicking on
>a signed message from a friend, who has properly set up
>WKD, Thunderbird/Enigmail cannot fetch the pub key. :-(

Unless I missed something, I believe Enigmail will only attempt to
automatically fetch a key from a Web Key Directory when *composing* a
message (if there’s no key for the recipient in the local keyring), and
*not* when checking a signature on a received message.

See this excerpt from the Enigmail 2.0 changelog [1]:

> Support for Web Key Directory (WKD) is implemented. Enigmail will try
> to download unavailable keys during message composition from WKD.


You can force GnuPG to try to fetch a missing key when verifying a
signature by enabling the --auto-key-retrieve option (please read the
note about the “web bug” in gpg’s man page before doing so—that option
is disabled by default for a reason.)


Regards,

- Damien


[1] https://enigmail.net/index.php/en/download/changelog
Re: WKD question
Damien Goutte-Gattat wrote:

> On Mon, Jul 27, 2020 at 10:00:07PM +0200, Stefan Claas wrote:
> >For testing my new Nitrokey I have just installed Enigmail for
> >Thunderbird on a fresh Ubuntu system, and when clicking on
> >a signed message from a friend, who has properly set up
> >WKD, Thunderbird/Enigmail cannot fetch the pub key. :-(
>
> Unless I missed something, I believe Enigmail will only attempt to
> automatically fetch a key from a Web Key Directory when *composing* a
> message (if there’s no key for the recipient in the local keyring), and
> *not* when checking a signature on a received message.
>
> See that excerpt from Enigmail 2.0 changelog [1]:
>
> > Support for Web Key Directory (WKD) is implemented. Enigmail will try
> > to download unavailable keys during message composition from WKD.

Ah, ok, thanks. I thought it would also fetch automatically when checking
signatures.

> You can force GnuPG to try to fetch a missing key when verifying a
> signature by enabling the --auto-key-retrieve option (please read the
> note about the “web bug” in gpg’s man page before doing so—that option
> is disabled by default for a reason.)

I enabled it now and it works. :-)

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: WKD question
Stefan Claas wrote:

> Damien Goutte-Gattat wrote:
>
> > On Mon, Jul 27, 2020 at 10:00:07PM +0200, Stefan Claas wrote:
> > >For testing my new Nitrokey I have just installed Enigmail for
> > >Thunderbird on a fresh Ubuntu system, and when clicking on
> > >a signed message from a friend, who has properly set up
> > >WKD, Thunderbird/Enigmail cannot fetch the pub key. :-(
> >
> > Unless I missed something, I believe Enigmail will only attempt to
> > automatically fetch a key from a Web Key Directory when *composing* a
> > message (if there’s no key for the recipient in the local keyring), and
> > *not* when checking a signature on a received message.
> >
> > See that excerpt from Enigmail 2.0 changelog [1]:
> >
> > > Support for Web Key Directory (WKD) is implemented. Enigmail will try
> > > to download unavailable keys during message composition from WKD.
>
> Ah, ok, thanks. I thought it would also fetch automatically when checking
> signatures.
>
> > You can force GnuPG to try to fetch a missing key when verifying a
> > signature by enabling the --auto-key-retrieve option (please read the
> > note about the “web bug” in gpg’s man page before doing so—that option
> > is disabled by default for a reason.)
>
> I enabled it now and it works. :-)

One more question: I tried to verify Werner's signature from postings here
on the ML, but his signature could not be verified, due to a missing pub key
(0xFF80AE9D1DEC358D). But when looking at Wiktor's WKD checker a key is present,
but with a different fingerprint.

https://metacode.biz/openpgp/web-key-directory

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion
Re: WKD question
Stefan Claas <sac@300baud.de> wrote:
> One more question: I tried to verify Werner's signature from postings here on the ML, but his signature could not be verified, due to a missing pub key (0xFF80AE9D1DEC358D). But when looking at Wiktor's WKD checker a key is present, but with a different fingerprint.
>
> https://metacode.biz/openpgp/web-key-directory

Well, that seems to be true:

$ wget -qO - "$(/usr/lib/gnupg/gpg-wks-client --print-wkd-url wk@gnupg.org)" | gpg --with-colons
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub:-:256:22:63113AE866587D0A:1538149415:1801393200::-:
uid:::::::::wk@gnupg.org:
sub:-:256:18:3CD7B3A055039224:1538149415:1643626805:::

I dunno why @wk@gnupg.org did that, but whatever his reasons were, the fact that he was _able_ to do that is exactly the key reason why proper (write-only) keyserver networks (SKS- or Hockeypuck-based) are indispensable.

Use them, not WKD or proprietary keyserver services, when you want to get a key by a given fingerprint. In other words, when enabling --auto-key-retrieve, make sure that --keyserver is set to something like hkps://keyserver.ubuntu.com. IIUC, there is, unfortunately, still no way to configure multiple keyservers for retrieval (contrary to locating).


BTW, does anyone remember how to command gpg(1) to print the above in a human-readable format? There was some incantation, IIRC, but GPG's options are so tangled that I have failed to find it.
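Dmitry's one-liner asks gpg-wks-client for the WKD URL of an address. As an added example that is not GnuPG's code, the Python below derives that URL itself from the Web Key Directory draft (draft-koch-openpgp-webkey-service): the hashed local part is z-base-32 of the SHA-1 of the lowercased local part, placed under the "advanced" (openpgpkey.<domain>) or the "direct" (<domain>) well-known path, with the original local part in the `l=` query parameter. Which of the two forms a client tries first is left to the caller here; the test vector Joe.Doe@Example.ORG is the one given in the draft.

```python
"""Compute Web Key Directory URLs for a mail address.

Added example, not GnuPG's code: it reproduces the URL construction that
gpg-wks-client --print-wkd-url performs, following the WKD draft. The
local part is lowercased before hashing, the domain is lowercased in the
path, and the hash is the z-base-32 encoding of SHA-1 (160 bits, which is
exactly 32 five-bit symbols, so no padding is ever needed here).
"""
import hashlib

ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """z-base-32: most significant bit first, no padding characters; a
    partial trailing group is zero-filled on the right."""
    nbits = len(data) * 8
    padded = -(-nbits // 5) * 5                     # round up to whole 5-bit groups
    bits = int.from_bytes(data, "big") << (padded - nbits)
    return "".join(ZBASE32_ALPHABET[(bits >> shift) & 0x1F]
                   for shift in range(padded - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """Hashed local part: z-base-32(SHA-1(lowercase(local part)))."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Return both URL forms the draft defines for the address."""
    local_part, sep, domain = address.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError("not a mail address: %r" % address)
    domain = domain.lower()
    h = wkd_hash(local_part)
    # The draft's examples pass the local part through unchanged in ?l=,
    # so no percent-encoding is applied here.
    return {
        "advanced": "https://openpgpkey.%s/.well-known/openpgpkey/%s/hu/%s?l=%s"
                    % (domain, domain, h, local_part),
        "direct": "https://%s/.well-known/openpgpkey/hu/%s?l=%s"
                  % (domain, h, local_part),
    }


if __name__ == "__main__":
    for form, url in wkd_urls("wk@gnupg.org").items():
        print(form, url)
```

Fetching the URL with wget or curl and piping the result through `gpg --show-key`, as the thread does, then shows which key the domain actually publishes for that address; the hash identifies the mailbox, so a WKD operator serving it learns which address the client asked about.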
Re: WKD question
On Sunday, 2 August 2020 06:38:21 CEST Dmitry Alexandrov wrote:
> $ wget -qO - "$(/usr/lib/gnupg/gpg-wks-client --print-wkd-url wk@gnupg.org)" | gpg --with-colons
> gpg: WARNING: no command supplied. Trying to guess what you mean ...
> pub:-:256:22:63113AE866587D0A:1538149415:1801393200::-:
> uid:::::::::wk@gnupg.org:
> sub:-:256:18:3CD7B3A055039224:1538149415:1643626805:::
>
[snip]
>
> BTW, does anyone remember how to command gpg(1) to print the above in a
> human-readable format? There was some incantation, IIRC, but GPG's options
> are so tangled that I have failed to find it.

Do you mean "gpg --show-key" or "gpg --show-key --with-subkey-fingerprint"?

Regards,
Ingo
Re: WKD question
Dmitry Alexandrov wrote:

> Stefan Claas <sac@300baud.de> wrote:
> > One more question: I tried to verify Werner's signature from postings here on the ML, but his signature could not be
> > verified, due to a missing pub key (0xFF80AE9D1DEC358D). But when looking at Wiktor's WKD checker a key is present, but
> > with a different fingerprint.
> >
> > https://metacode.biz/openpgp/web-key-directory
>
> Well, that seems to be true:
>
> $ wget -qO - "$(/usr/lib/gnupg/gpg-wks-client --print-wkd-url wk@gnupg.org)" | gpg --with-colons
> gpg: WARNING: no command supplied. Trying to guess what you mean ...
> pub:-:256:22:63113AE866587D0A:1538149415:1801393200::-:
> uid:::::::::wk@gnupg.org:
> sub:-:256:18:3CD7B3A055039224:1538149415:1643626805:::
>
> I dunno why @wk@gnupg.org did that, but whatever his reasons were, the fact that he was _able_ to do that is exactly the key
> reason why proper (write-only) keyserver networks (SKS- or Hockeypuck-based) are indispensable.

Hopefully he can tell us.

> Use them, not WKD or proprietary keyserver services, when you want to get a key by a given fingerprint. In other words, when
> enabling --auto-key-retrieve, make sure that --keyserver is set to something like hkps://keyserver.ubuntu.com. IIUC, there
> is, unfortunately, still no way to configure multiple keyservers for retrieval (contrary to locating).

I have keys.openpgp.org as key server in my config, besides WKD, and when I switched it to the Ubuntu key server Claws-Mail said
"key for verification of this signature not available".

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: WKD question
Ingo Klöcker <kloecker@kde.org> wrote:
> On Sunday, 2 August 2020 06:38:21 CEST Dmitry Alexandrov wrote:
>>
>> $ wget -qO - "$(/usr/lib/gnupg/gpg-wks-client --print-wkd-url wk@gnupg.org)" | gpg --with-colons
>> gpg: WARNING: no command supplied. Trying to guess what you mean ...
>> pub:-:256:22:63113AE866587D0A:1538149415:1801393200::-:
>> uid:::::::::wk@gnupg.org:
>> sub:-:256:18:3CD7B3A055039224:1538149415:1643626805:::
>
>> BTW, does anyone remember how to command gpg(1) to print the above in a human-readable format? There was some incantation, IIRC, but GPG's options are so tangled that I have failed to find it.
>
> Do you mean "gpg --show-key" or "gpg --show-key --with-subkey-fingerprint"?

Yes, exactly. Indeed, in contrast with --with-colons, --with-subkey-fingerprint alone does nothing:

$ wget -qO - ‹…› | gpg
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub ed25519 2018-09-28 [SC] [expires: 2027-01-31]
AEA84EDCF01AD86C4701C85C63113AE866587D0A
uid wk@gnupg.org
sub cv25519 2018-09-28 [E] [expires: 2022-01-31]

$ wget -qO - ‹…› | gpg --with-subkey-fingerprint
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub ed25519 2018-09-28 [SC] [expires: 2027-01-31]
AEA84EDCF01AD86C4701C85C63113AE866587D0A
uid wk@gnupg.org
sub cv25519 2018-09-28 [E] [expires: 2022-01-31]

$ wget -qO - ‹…› | gpg --show-key --with-subkey-fingerprint
pub ed25519 2018-09-28 [SC] [expires: 2027-01-31]
AEA84EDCF01AD86C4701C85C63113AE866587D0A
uid wk@gnupg.org
sub cv25519 2018-09-28 [E] [expires: 2022-01-31]
E05BA20ED4F17768613B03C53CD7B3A055039224

Thank you.
Re: WKD question
On Sun, 2 Aug 2020 07:38, Dmitry Alexandrov said:

> I dunno why @wk@gnupg.org did that, but whatever his reasons were, the
> fact that he was _able_ to do that, is exactly the key reason why

I have a post-it on my CA laptop to add a signing subkey to my new key,
I should really do that soon.

Because ed25519 was not in widespread use when I created the key in 2018
I decided to use it only for encryption for some time and add a signing
key later.

> BTW, does anyone remember how to command gpg(1) to print the above in
> a human-readable format? There was some incantation, IIRC, but GPG's

gpg --locate-external-key -v foo@example.org

looks up foo@example.org even if a key with that user id already exists.
It then imports the key and lists it with all existing user ids. The
-v is there to get information on how foo@example.org was retrieved.


Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: WKD question
Werner Koch via Gnupg-users <gnupg-users@gnupg.org> wrote:
> On Sun, 2 Aug 2020 07:38, Dmitry Alexandrov said:
>> I dunno why @wk@gnupg.org did that
>
> I have a post-it on my CA laptop to add a signing subkey to my new key, I should really do that soon.

Maybe you would like to update an expired key in DNS as well?

By the way, it would be nice if GPG did not interpret locating an expired key as success, but continued with the next method instead:

$ gpg --auto-key-locate dane,wkd --locate-key wk@gnupg.org
gpg: key F2AD85AC1E42B367: public key "Werner Koch <wk@gnupg.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
pub dsa2048 2007-12-31 [SC] [expired: 2018-12-31]
80615870F5BAD690333686D0F2AD85AC1E42B367
uid [ expired] Werner Koch <wk@gnupg.org>


>> BTW, does anyone remember how to command gpg(1) to print the above in a human-readable format? There was some incantation, IIRC, but GPG's
>
> gpg --locate-external-key -v foo@example.org
>
> looks up foo@example.org even if a key with that user id already exists.

No thanks, that's not what I forgot. I was nonplussed by the fact that --with-subkey-fingerprint has no effect when --show-key is implied, while --with-colons has [<eeop6k9l.dag@gnui.org>].

@kloecker@kde.org had resolved [<1803396.a0EWGg1j7a@breq>] my confusion already.
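An added example, not GnuPG's code, that serves both Dmitry's --with-colons listing earlier in the thread and his point just above about an expired key being counted as a successful lookup. It parses pub/sub/uid records from colon-format output, checks whether the key ID a signature needs (Stefan's 0xFF80AE9D1DEC358D) appears among the primary key or its subkeys, and treats a lookup that yields only expired keys as a failure, which is the behaviour Dmitry asks for. The records for wk@gnupg.org are the ones Dmitry posted; the expired DSA pub/uid records, their timestamps and the "now" value are constructed to match the dates shown in the thread.

```python
"""Parse gpg --with-colons key listings and judge whether a located key is usable.

Added example, not GnuPG's code. Field positions follow GnuPG's DETAILS
document for pub/sub/uid records: field 5 is the long key ID, 6 the
creation time and 7 the expiry time (seconds since the epoch, empty when
the key does not expire), and field 10 carries the user ID on uid records.
"""

ALGO_NAMES = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

# Lines 1-3: Dmitry's listing for wk@gnupg.org. Lines 4-5: constructed records
# for the expired DSA key his DANE lookup found (dates from the thread, exact
# timestamps made up to match them).
SAMPLE = """\
pub:-:256:22:63113AE866587D0A:1538149415:1801393200::-:
uid:::::::::wk@gnupg.org:
sub:-:256:18:3CD7B3A055039224:1538149415:1643626805:::
pub:e:2048:17:F2AD85AC1E42B367:1199059200:1546214400::-:
uid:e::::::::Werner Koch <wk@gnupg.org>:
"""

THREAD_TIME = 1596326400  # constructed: 2020-08-02T00:00:00Z, when the thread ran
WANTED_KEYID = "FF80AE9D1DEC358D"  # the key ID Stefan's signature check asked for


def _key_record(fields):
    """Decode the shared pub/sub layout into a dict."""
    def ts(s):
        return int(s) if s.isdigit() else None
    algo = ALGO_NAMES.get(int(fields[3]), fields[3]) if fields[3].isdigit() else fields[3]
    return {
        "type": fields[0],
        "validity": fields[1],
        "bits": int(fields[2]) if fields[2].isdigit() else None,
        "algo": algo,
        "keyid": fields[4].upper(),
        "created": ts(fields[5]),
        "expires": ts(fields[6]),
    }


def parse_colons(text):
    """Group pub/sub/uid records into one dict per primary key."""
    keys, current = [], None
    for line in text.splitlines():
        fields = line.split(":")
        kind = fields[0]
        if kind == "pub":
            current = {"primary": _key_record(fields), "uids": [], "subkeys": []}
            keys.append(current)
        elif current is None:
            continue  # records before the first pub (e.g. 'tru') are ignored
        elif kind == "sub":
            current["subkeys"].append(_key_record(fields))
        elif kind == "uid" and len(fields) > 9:
            current["uids"].append(fields[9])
    return keys


def is_expired(record, now):
    return record["expires"] is not None and record["expires"] <= now


def find_keyid(keys, keyid):
    """Return (key, record) for a primary or subkey with that long key ID, else None."""
    keyid = keyid.upper()
    for key in keys:
        for rec in [key["primary"], *key["subkeys"]]:
            if rec["keyid"] == keyid:
                return key, rec
    return None


def locate_verdict(keys, now):
    """'usable' if some primary key is unexpired, 'expired' if every one is
    (the case Dmitry wants treated as a miss), 'none' if nothing was found."""
    if not keys:
        return "none"
    return "usable" if any(not is_expired(k["primary"], now) for k in keys) else "expired"


if __name__ == "__main__":
    keys = parse_colons(SAMPLE)
    print("verdict:", locate_verdict(keys, THREAD_TIME))
    print("signing key present:", find_keyid(keys, WANTED_KEYID) is not None)
```

Running it shows the mismatch Stefan hit: the WKD key is usable, but neither its primary key nor its subkey carries the key ID his mailer needed, so a WKD fetch could never have satisfied that particular verification.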
Re: WKD question
On Tuesday 04 August 2020 18:17:56 Dmitry Alexandrov wrote:
> it would be nice, if GPG were not interpreting locating an
> expired key as success, but continued with the next method instead:

This is related to
https://dev.gnupg.org/T5028
(gpg --locate-key should refetch via wkd, if configured and no good pubkey
found)

Bernhard

--
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner