Mailing List Archive

GnuPG 2.2.36 released
Hi!

This is a quick announcement that a new GnuPG release for 2.2 is
available. We will also prepare a 2.3 release in the next few days, but due
to summer holidays things are a bit delayed.

See also https://dev.gnupg.org/T5949


Shalom-Salam,

Werner


Noteworthy changes in version 2.2.36 (2022-07-06)
-------------------------------------------------

* g10: Fix possibly garbled status messages in NOTATION_DATA. This
bug could trick GPGME and other parsers to accept faked status
lines. [T6027, CVE-2022-34903]

* gpg: Handle leading zeroes in Ed25519 private keys and reverse
change regarding Ed25519 SOS encoding as introduced with 2.2.34.
[T5120]

* gpg: Allow Unicode file names for iobuf_cancel under Windows.

* gpgsm: Improve pkcs#12 import. [T6037,T5793,T4921,T4757]

* scd,p15: Fix reading certificates w/o length info.

* scd,p15: Improve the displayed S/N for Technology Nexus cards.

* scd,openpgp: Add workaround for ECC attribute on Yubikey. [T5963]

* scd: Fix use of SCardListReaders for PC/SC. [T5979]

* gpgconf: New short options -X and -V.

* Make sure to always set CONFIDENTIAL flag in Assuan. [T5977]

Release-info: https://dev.gnupg.org/T5949


--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
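The first changelog entry above (T6027, CVE-2022-34903) concerns the --status-fd protocol that GPGME and similar front ends read line by line. Notation data is part of a signature, so its value is chosen by whoever made the signature; if gpg writes that value into a NOTATION_DATA line without escaping, anything after an embedded line break is read by the consumer as a further status line. The Python below is an added example, not code from GnuPG or GPGME: it models a minimal producer and consumer of status lines and contrasts raw emission with the %XX escaping the status protocol uses for such values. The notation value, the keyword borrowed for the forged line (TRUST_ULTIMATE, with made-up arguments) and the stream itself are constructed for the demonstration, and the model deliberately leaves out everything else gpg puts on the status channel.

```python
import re

STATUS_PREFIX = b"[GNUPG:] "          # every gpg status line starts with this
HEX2 = re.compile(rb"%([0-9A-Fa-f]{2})")


def percent_escape(value: bytes) -> bytes:
    """Producer side: '%', CR, LF and other control bytes become %XX, so a
    value can never terminate its own status line.  GnuPG's exact escape set
    is documented in doc/DETAILS; the invariant modelled here is that CR, LF
    and '%' never reach the stream raw."""
    out = bytearray()
    for byte in value:
        if byte == 0x25 or byte < 0x20 or byte == 0x7F:
            out += b"%%%02X" % byte
        else:
            out.append(byte)
    return bytes(out)


def percent_unescape(value: bytes) -> bytes:
    """Consumer side: reverse percent_escape; a '%' not followed by two hex
    digits passes through unchanged."""
    return HEX2.sub(lambda m: bytes([int(m.group(1), 16)]), value)


def status_line(keyword: str, args: bytes) -> bytes:
    return STATUS_PREFIX + keyword.encode() + b" " + args + b"\n"


def emit_notation_data(value: bytes, escape: bool) -> bytes:
    """Model of the producer: a notation value taken from a signature becomes
    one NOTATION_DATA line, with or without escaping."""
    return status_line("NOTATION_DATA", percent_escape(value) if escape else value)


def parse_status(stream: bytes):
    """Model of the consumer (what a status-fd reader does in spirit): split
    on LF, keep lines carrying the prefix, return (keyword, raw args) pairs."""
    records = []
    for line in stream.split(b"\n"):
        if not line.startswith(STATUS_PREFIX):
            continue                                  # non-status output is ignored
        keyword, _, args = line[len(STATUS_PREFIX):].partition(b" ")
        records.append((keyword.decode("ascii"), args))
    return records


def notation_values(stream: bytes):
    """Decoded NOTATION_DATA values as a consumer should recover them."""
    return [percent_unescape(args) for kw, args in parse_status(stream) if kw == "NOTATION_DATA"]


# Constructed attacker-chosen notation value: harmless-looking data, a line
# break, then text shaped like a second status line (TRUST_ULTIMATE is a real
# status keyword; the arguments are made up for the demonstration).
FORGED_NOTATION = b"release=2.2.36\n" + STATUS_PREFIX + b"TRUST_ULTIMATE 0 pgp"


def demo():
    """Keywords a consumer sees from an unescaping vs. an escaping producer."""
    raw = [kw for kw, _ in parse_status(emit_notation_data(FORGED_NOTATION, escape=False))]
    safe = [kw for kw, _ in parse_status(emit_notation_data(FORGED_NOTATION, escape=True))]
    return raw, safe


if __name__ == "__main__":
    raw, safe = demo()
    print("unescaped producer ->", raw)     # the forged TRUST_ULTIMATE shows up as a record
    print("escaped producer   ->", safe)    # a single NOTATION_DATA record
    print("value recovered    ->", notation_values(emit_notation_data(FORGED_NOTATION, True)))
```

Nothing on the consumer side can undo the damage once the line break has been written raw: by the time a front end reads the stream the forged line is indistinguishable from a genuine one. The fix has to live in the producer, which is why this entry matters to every program that drives gpg through --status-fd and not only to gpg itself.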

Re: GnuPG 2.2.36 released
* Werner Koch via Gnupg-users:

> This is a quick announcement that a new GnuPG release for 2.2 is
> available.

GnuPG for OS X / macOS version 2.2.36 is now available via the URL
https://sourceforge.net/projects/gpgosx/files/ .

This is the first release since Patrick Brunschwig passed stewardship of
the project to me, so please note the following changes:

1.) Starting today, disk images (*.dmg) are signed with a new ed25519
key (EAB0FE4FF793D9E7028EC8E2FD56297D9833FF7F). This key has been
uploaded to pgp.mit.edu today, but the site is once again very sluggish
and it might take a while to sync the key to other pool members. For
this reason, I'll include the public key here:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEYsY2JRYJKwYBBAHaRw8BAQdAHRCBW5+Dhmt7pdtksvpIkk3/SY8oULxLR6hs
xg0yT/+0K1JhbHBoIFNlaWNodGVyIChHbnVQRyBmb3IgT1MgWCBzaWduaW5nIGtl
eSmIlgQTFgoAPhYhBOqw/k/3k9nnAo7I4v1WKX2YM/9/BQJixjYlAhsDBQkJZgGA
BQsJCAcDBRUKCQgLBRYDAgEAAh4FAheAAAoJEP1WKX2YM/9/HN8BAOcfzou/g9KI
YRXA4ePZlVGSZrKCwfE4LL23YfikJr5jAQDKQRW4IQnYPHvlyHAHpcxDD/U/c1VO
MylkSvfkkSBmBw==
=MgmS
-----END PGP PUBLIC KEY BLOCK-----

2.) The Install.pkg file included in the disk image is unsigned, because
I have not subscribed to Apple's developer program. I am not sure yet if
I will do so in the future. Thus, it might be necessary to right-click
on Install.pkg and use the popup menu instead of double-clicking,
depending on the version of macOS you are using.

Should you wish to contact me off-list regarding the GnuPG for OS X
project, please send mail to "gpgosx ~AT~ seichter ~DOT~ de".

-Ralph

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
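Ralph's announcement carries both the key block and its fingerprint in the same message, which lets a reader confirm that the two are consistent with each other but not that either is authentic; that second step needs a fingerprint obtained over a different channel. The consistency check itself can be done without trusting a gpg installation. The Python below is an added example, not part of the original post or of the gpgosx project: it dearmors the key block quoted above, verifies the armor CRC-24, walks the OpenPGP packets and recomputes the v4 fingerprint (SHA-1 over 0x99, a two-byte length and the public-key packet body, RFC 4880 section 12.2) to compare with the announced value. Assumptions: the small curve-OID table is mine, only old-format packet headers and v4 keys are handled (which is what this block uses), and new-format headers are rejected rather than parsed.

```python
import base64
import hashlib

# The key block exactly as posted in the message above.
ARMORED_KEY = """-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEYsY2JRYJKwYBBAHaRw8BAQdAHRCBW5+Dhmt7pdtksvpIkk3/SY8oULxLR6hs
xg0yT/+0K1JhbHBoIFNlaWNodGVyIChHbnVQRyBmb3IgT1MgWCBzaWduaW5nIGtl
eSmIlgQTFgoAPhYhBOqw/k/3k9nnAo7I4v1WKX2YM/9/BQJixjYlAhsDBQkJZgGA
BQsJCAcDBRUKCQgLBRYDAgEAAh4FAheAAAoJEP1WKX2YM/9/HN8BAOcfzou/g9KI
YRXA4ePZlVGSZrKCwfE4LL23YfikJr5jAQDKQRW4IQnYPHvlyHAHpcxDD/U/c1VO
MylkSvfkkSBmBw==
=MgmS
-----END PGP PUBLIC KEY BLOCK-----
"""
ANNOUNCED_FPR = "EAB0FE4FF793D9E7028EC8E2FD56297D9833FF7F"   # from the same message

# Curve OIDs (RFC 6637 / RFC 9580) to the names gpg prints; enough for this thread.
CURVE_OIDS = {
    bytes.fromhex("2b06010401da470f01"): "ed25519",
    bytes.fromhex("2b060104019755010501"): "cv25519",
    bytes.fromhex("2a8648ce3d030107"): "nistp256",
    bytes.fromhex("2b2403030208010107"): "brainpoolP256r1",
}


def crc24(data: bytes) -> int:
    """Armor checksum, RFC 4880 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: str):
    """Return (payload, crc_ok) for one ASCII-armored block."""
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an armored block")
    body = lines[1:-1]
    if "" in body:                                   # skip armor headers
        body = body[body.index("") + 1:]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body), validate=True)
    crc_ok = crc_line is not None and base64.b64decode(crc_line[1:]) == crc24(data).to_bytes(3, "big")
    return data, crc_ok


def parse_packets(data: bytes):
    """Yield (tag, body) for old-format packet headers, RFC 4880 section 4.2."""
    pos = 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if not ctb & 0x80:
            raise ValueError("bad packet header")
        if ctb & 0x40:
            raise ValueError("new-format packet headers are not handled in this example")
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        n = (1, 2, 4)[ltype]
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        pos += length
        yield tag, body


def v4_fingerprint(key_body: bytes) -> str:
    """SHA-1 over 0x99 || two-byte length || key packet body, RFC 4880 section 12.2."""
    if key_body[0] != 4:
        raise ValueError("only v4 keys are handled")
    return hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body).hexdigest().upper()


def inspect_key_block(armored: str) -> dict:
    """Fingerprint, algorithm, curve, user IDs and signature count of a key block."""
    data, crc_ok = dearmor(armored)
    info = {"crc_ok": crc_ok, "fingerprint": None, "algo": None, "curve": None,
            "uids": [], "signatures": 0}
    for tag, body in parse_packets(data):
        if tag == 6 and info["fingerprint"] is None:  # primary public key
            info["fingerprint"] = v4_fingerprint(body)
            info["algo"] = body[5]                    # after version(1) + creation time(4)
            if info["algo"] in (18, 19, 22):          # ECDH/ECDSA/EdDSA carry a curve OID
                oid = body[7:7 + body[6]]
                info["curve"] = CURVE_OIDS.get(oid, "oid:" + oid.hex())
        elif tag == 13:                               # user ID
            info["uids"].append(body.decode("utf-8"))
        elif tag == 2:                                # signature
            info["signatures"] += 1
    return info


if __name__ == "__main__":
    info = inspect_key_block(ARMORED_KEY)
    print(info)
    print("matches announced fingerprint:", info["fingerprint"] == ANNOUNCED_FPR)
```

`gpg --show-keys` gives the same fingerprint with far less code; doing it by hand shows exactly which bytes the fingerprint commits to, and that the OID in the key packet (1.3.6.1.4.1.11591.15.1) is what makes this the "ed25519 key" the post describes. The same walker counts signature packets, which here is just the self-signature. A fingerprint that comes from the same e-mail as the key proves consistency only; compare it against a copy from an independent source before trusting the key for .dmg verification.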

Re: GnuPG 2.2.36 released
> On 7 Jul 2022, at 04:47, Ralph Seichter via Gnupg-users <gnupg-users@gnupg.org> wrote:
>
> 1.) Starting today, disk images (*.dmg) are signed with a new ed25519
> key (EAB0FE4FF793D9E7028EC8E2FD56297D9833FF7F). This key has been
> uploaded to pgp.mit.edu today, but the site is once again very sluggish
> and it might take a while to sync the key to other pool members. For
> this reason, I'll include the public key here:

As of 2130Z today this key still had not reached pgpkeys.eu, so I have just uploaded it there by hand; most other syncing servers should have it within the hour. I can see it is also available on keys.openpgp.org.

Sadly, I would recommend against the use of pgp.mit.edu, as it is one of the most consistently unreliable keyservers. The graphs at https://spider.pgpkeys.eu/graphs now show a crude “N nines” reliability estimate for each available keyserver - this is based on an hourly poll and is only capable of resolving up to three nines, but it should give you a rough guide to which keyservers have a track record of responsiveness.

A

Re: GnuPG 2.2.36 released
* Andrew Gallagher:

> As of 2130Z today this key still had not reached pgpkeys.eu, so I have
> just uploaded it there by hand; most other syncing servers should have
> it within the hour.

Thanks, Andrew. For possible future key uploads, I'll keep in mind that
pgp.mit.edu is not the most viable choice these days. Using it has been
my habit for so many years that I forgot the server pool has changed
considerably.

-Ralph


Re: GnuPG 2.2.36 released
On Wed, Jul 06, 2022 at 08:38:04PM +0200, Werner Koch via Gnupg-users wrote:
> Hi!
>
> This is a quick announcement that a new GnuPG release for 2.2 is
> available. We will also prepare a 2.3 release in the next days but due
> to summer holidays things are a bit delayed.

Hello:

I'm trying to verify swdb.lst.sig, but I can't:

$ gpg --verify swdb.lst.sig
gpg: assuming signed data in 'swdb.lst'
gpg: Signature made Wed 06 Jul 2022 02:26:07 PM EDT
gpg: using ECDSA key 02F38DFF731FF97CB039A1DA549E695E905BA208
gpg: Can't check signature: No public key

That key doesn't appear to be provided via https://gnupg.org/signature_key.asc.

-K


Re: GnuPG 2.2.36 released
On Friday, 8 July 2022 22:55:07 CEST Konstantin Ryabitsev via Gnupg-users wrote:
> I'm trying to verify swdb.lst.sig, but I can't:
>
> $ gpg --verify swdb.lst.sig
> gpg: assuming signed data in 'swdb.lst'
> gpg: Signature made Wed 06 Jul 2022 02:26:07 PM EDT
> gpg: using ECDSA key 02F38DFF731FF97CB039A1DA549E695E905BA208
> gpg: Can't check signature: No public key
>
> That key doesn't appear to be provided via
> https://gnupg.org/signature_key.asc.

Yes, it is.

```
$ curl https://gnupg.org/signature_key.asc | gpg --import
[...]
gpg: key 549E695E905BA208: 1 signature not checked due to a missing key
gpg: key 549E695E905BA208: public key "GnuPG.com (Release Signing Key 2021)"
imported
gpg: Total number processed: 4
gpg: imported: 4

$ gpg -k 02F38DFF731FF97CB039A1DA549E695E905BA208
pub brainpoolP256r1/549E695E905BA208 2021-10-15 [SC] [expires: 2029-12-31]
02F38DFF731FF97CB039A1DA549E695E905BA208
uid [ unknown] GnuPG.com (Release Signing Key 2021)
```

See https://dev.gnupg.org/T5949#159890 for why it doesn't work for you.

Regards,
Ingo

Re: GnuPG 2.2.36 released
On Fri, Jul 08, 2022 at 11:07:36PM +0200, Ingo Klöcker wrote:
> > That key doesn't appear to be provided via
> > https://gnupg.org/signature_key.asc.
>
> Yes, it is.
>
> ```
> $ curl https://gnupg.org/signature_key.asc | gpg --import
> [...]
> gpg: key 549E695E905BA208: 1 signature not checked due to a missing key
> gpg: key 549E695E905BA208: public key "GnuPG.com (Release Signing Key 2021)"
> imported
> gpg: Total number processed: 4
> gpg: imported: 4
>
> $ gpg -k 02F38DFF731FF97CB039A1DA549E695E905BA208
> pub brainpoolP256r1/549E695E905BA208 2021-10-15 [SC] [expires: 2029-12-31]
> 02F38DFF731FF97CB039A1DA549E695E905BA208
> uid [ unknown] GnuPG.com (Release Signing Key 2021)
> ```
>
> See https://dev.gnupg.org/T5949#159890 for why it doesn't work for you.

Ah, okay, that's unfortunate. I guess I'll skip this release, since I can't
verify it without building gnupg from scratch (without verifying it first).

-K


Re: GnuPG 2.2.36 released
On Monday 11 July 2022 14:50:24 Konstantin Ryabitsev via Gnupg-users wrote:
> > See https://dev.gnupg.org/T5949#159890 for why it doesn't work for you.
>
> Ah, okay, that's unfortunate. I guess I'll skip this release, since I can't
> verify it without building gnupg from scratch (without verifying it first).

Maybe it helps to report the problem of missing crypto algorithms to your
GNU/Linux distribution.


--
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter

Re: GnuPG 2.2.36 released
Hi Ralph,

On Thursday 07 July 2022 05:35:57 Ralph Seichter via Gnupg-users wrote:
> GnuPG for OS X / macOS version 2.2.36 is now available via the URL
> https://sourceforge.net/projects/gpgosx/files/ .
>
> This is the first release since Patrick Brunschwig passed stewardship of
> the project to me,

thanks for maintaining the package!

(And many thanks to Patrick for having done so before!)

Best Regards,
Bernhard

--
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter

Re: GnuPG 2.2.36 released
Bernhard Reiter wrote:
> On Monday 11 July 2022 14:50:24 Konstantin Ryabitsev via Gnupg-users wrote:
>>> See https://dev.gnupg.org/T5949#159890 for why it doesn't work for you.
>>
>> Ah, okay, that's unfortunate. I guess I'll skip this release, since I can't
>> verify it without building gnupg from scratch (without verifying it first).
>
> Maybe it helps to report the problem of missing crypto algorithms to your
> GNU/Linux distribution.

They aren't really missing but rather intentionally removed
due to legal issues on Fedora/Red Hat. This came up not so
long ago:

https://lists.gnupg.org/pipermail/gnupg-users/2022-May/066054.html

With the current Fedora (36), it's possible to enable these
ciphers via '--with brainpool' when building the libgcrypt
srpm.

Hopefully the legal issues will be cleared sometime soon and
Fedora will stop stripping brainpool.

It's frustrating that the releases are signed with a cipher
that cannot be verified on a reasonably popular distro.

--
Todd

Re: GnuPG 2.2.36 released
Todd Zullinger via Gnupg-users <gnupg-users@gnupg.org> wrote:
> It's frustrating that the releases are signed with a cipher that cannot
> be verified on a reasonably popular distro.

At least, multiple signatures could be made.

--
Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide

Re: GnuPG 2.2.36 released
On Wed, Jul 13, 2022 at 09:22:36AM -0400, Todd Zullinger via Gnupg-users wrote:
> > Maybe it helps to report the problem of missing crypto algorithms to your
> > GNU/Linux distribution.
>
> They aren't really missing but rather intentionally removed
> due to legal issues on Fedora/Red Hat. This came up not so
> long ago:
>
> https://lists.gnupg.org/pipermail/gnupg-users/2022-May/066054.html

Correct. RH considers Brainpool curves potentially patent-encumbered.

> With the current Fedora (36), it's possible to enable these
> ciphers via '--with brainpool' when building the libgcrypt
> srpm.
>
> Hopefully the legal issues will be cleared sometime soon and
> Fedora will stop stripping brainpool.
>
> It's frustrating that the releases are signed with a cipher
> that cannot be verified on a reasonably popular distro.

Indeed! For now, I worked around by verifying the signature on the swdb.lst
file on a system where I have gnupg22-static installed, so I was able to build
updated packages for my copr repos.

Thanks,
-Konstantin
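Ingo's listing shows why the verification in Konstantin's earlier post fails, and Todd names the cause: the release signing key lives on brainpoolP256r1, and a gpg whose libgcrypt was built without the Brainpool curves cannot use it, which surfaces as the "No public key" seen above rather than as an explicit curve error. Anyone who scripts release verification wants to detect that mismatch before downloading anything. The Python below is an added example, not code from GnuPG or from any distribution: it reads the curve list that `gpg --with-colons --list-config curve` prints and compares it with the curve field (field 17) of a --with-colons key listing. The colon-format records in the block are constructed from the human-readable listing above (key ID, fingerprint, curve, creation and expiry dates; the expiry timestamp and empty hash fields are placeholders) and from what list-config prints on a typical build; in practice you feed it the output of your own gpg.

```python
import shutil
import subprocess

# Constructed sample of `gpg --with-colons --list-keys` output for the release
# signing key, built from the human-readable listing Ingo posted.  Field 17 of
# a "pub"/"sub" record is the curve name (doc/DETAILS, "Format of colon
# listings"); the expiry timestamp and the empty uid hash are placeholders.
RELEASE_KEY_LISTING = (
    "pub:-:256:19:549E695E905BA208:1634256000:1893455999::-:::scSC:::::brainpoolP256r1:::0:\n"
    "fpr:::::::::02F38DFF731FF97CB039A1DA549E695E905BA208:\n"
    "uid:-::::1634256000::::GnuPG.com (Release Signing Key 2021)::::::::::0:\n"
)

# Constructed samples of `gpg --with-colons --list-config curve`: a build with
# the full libgcrypt curve set versus one with Brainpool removed, as Todd
# describes for Fedora.  The real list depends on how libgcrypt was built.
CFG_FULL = ("cfg:curve:cv25519;ed25519;nistp256;nistp384;nistp521;"
            "brainpoolP256r1;brainpoolP384r1;brainpoolP512r1;secp256k1\n")
CFG_NO_BRAINPOOL = "cfg:curve:cv25519;ed25519;nistp256;nistp384;nistp521;secp256k1\n"


def parse_config_curves(cfg_output: str) -> set:
    """Curve names from a 'cfg:curve:a;b;c' record."""
    for line in cfg_output.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[0] == "cfg" and fields[1] == "curve":
            return {name for name in fields[2].split(";") if name}
    return set()


def key_curves(listing: str) -> dict:
    """Map key IDs of ECC primary keys and subkeys to their curve names."""
    curves = {}
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub") and len(fields) >= 17 and fields[16]:
            curves[fields[4]] = fields[16]
    return curves


def unsupported_keys(listing: str, cfg_output: str) -> dict:
    """Keys in the listing whose curve the gpg build described by cfg_output lacks."""
    supported = parse_config_curves(cfg_output)
    return {kid: curve for kid, curve in key_curves(listing).items()
            if curve not in supported}


def local_config_curves() -> str:
    """Ask the installed gpg for its curve list; '' when gpg is not on PATH."""
    if shutil.which("gpg") is None:
        return ""
    return subprocess.run(["gpg", "--with-colons", "--list-config", "curve"],
                          capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    cfg = local_config_curves()
    if not cfg:
        print("gpg not found; comparing against the constructed Fedora-like sample instead")
        cfg = CFG_NO_BRAINPOOL
    missing = unsupported_keys(RELEASE_KEY_LISTING, cfg)
    for kid, curve in missing.items():
        print(f"key {kid} uses {curve}, which this gpg/libgcrypt build does not support")
    if not missing:
        print("every curve in the listing is supported by this build")
```

On a build that does support Brainpool you can replace RELEASE_KEY_LISTING with the real output of `gpg --with-colons --list-keys 02F38DFF731FF97CB039A1DA549E695E905BA208` after importing signature_key.asc; on a build that lacks it the import itself is what fails, so the listing has to come from elsewhere, which is exactly the chicken-and-egg problem Konstantin ran into.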