Search
Items tagged with: GnuPG
that look small at first sight, but can be decisive
if you have the use case. Like one additional NFC reader (ACR-122U)
and one ECC card from D-Trust are supported. Or getting pubkeys
from behind a proxy is fixed. Details: https://dev.gnupg.org/T6960
MacOS build: https://lists.gnupg.org/pipermail/gnupg-users/2024-March/066993.html
#endtoendcrypto #FreeSoftware
#Gpg4win v4.3.0 <- freshly announced.
New is that encrypted files with email structure from disk can be shown.
Kleopatra and the Outlook Add-in gain features and resilience for less common situations (like Apple mail attachments or unreliable S/MIME CRLs).
Includes #GnuPG v2.4.4 and its many improvements.
https://lists.wald.intevation.org/pipermail/gpg4win-announce/2024/000104.html
https://lists.gnupg.org/pipermail/gnupg-devel/2024-January/035480.html
https://lists.gnupg.org/pipermail/gnupg-announce/2024q1/000481.html (Which links the #Gpg4win v4.3.0 download before the webside does. đ )
Coming to fosdem this year? Do you use #gnupg? Want to #sign your key? Good news, I'm organizing a key signing party (https://en.wikipedia.org/wiki/Key_signing_party).
details are at https://ludovic.hirlimann.net/2024/01/key-signing-party-at-fosdem-2024.html
please boost or share, so people come and attend.
Folks who created a #Smartcard or #Yubikey on the command line with #GnuPG 2.4.2, 2.4.3, or 2.2.42 please read:
https://gnupg.org/blog/20240125-smartcard-backup-key.html
Smartcard key generation keeps an unprotected backup key on disk
GnuPG is a free implementation of OpenPGPThe People of the GnuPG Project
Iâm not really new here since my first message on the #Fediverse was in⊠2011 (!), but in more than 10 years I never actually introduced myself properly, so as many new people are joining these days, it seems like a good time for an #introduction.
Professionally, I am a #biologist. I was for a long time a wet lab scientist, but I have left the bench and am now a #Drosophila #biocurator and #ontology engineer. I work for the University of Cambridge (UK), where I am one of the biocurators behind the FlyBase.org website. (Usual disclaimer: Views expressed here are my own, not those of FlyBase or of the University of Cambridge, etc.)
Personally, some would say I am a geek, and I probably cannot deny it. Iâve been using #Linux #Slackware for the past 20 years or so, I have contributed to several #freesoftware projects and I develop a few of my own. I care about digital #privacy, am a contributor to the #GnuPG project and an #OpenPGP evangelist, and before the Covid pandemic was a regular speaker at London #CryptoParties.
I am also the proud dad of the most beautiful cat of the Fediverse, according to all the users of my (mono-user) #Friendica instance. Also, I like to believe I am funny, even though I am most likely not.
GnuPG 2.3 is coming.
Modern GnuPG on Slackware-14.2
Unfortunately, the latest stable release of #Slackware (14.2), which was released in 2016, still comes with GnuPG 2.0.x. Patrick Volkerding switched to GnuPG 2.2.x in the -current branch (the future Slackware 15.0), but not in the 14.2 release, which is thus stuck with GnuPG 2.0.31.
For Slackers who would want to switch to GnuPG 2.2.x (and benefit from the new features of modern GnuPG, such as support for ECC keys) without switching to the -current branch, I maintain #SlackBuilds to build GnuPG 2.2.x (currently 2.2.23) and its associated dependencies for Slackware-14.2. I also provide pre-built binary packages (but only for the x86_64 architecture).
GnuPG 2.2 is intended to be a stable, long-term support branch, while new development will occur on the 2.3 branch. I will probably follow the development branch (so the next version provided by my SlackBuild will be GnuPG 2.3.0, not GnuPG 2.2.1).
This is a bugfix release (sort of), the only change from 0.4.3 is that the newly introduced helper script for #GnuPG now recognizes gpg binaries with a version of 2.1 or higher (instead of recognizing only 2.1). This is to make sure the script is ready for the upcoming release of #GnuPG 2.2.0.
Here is the tarball of the 0.4.4 release, and the corresponding signature.
A helper script to facilitate the splitting of a #GnuPG private primary key is also bundled with this release.
Here is the tarball of the 0.4.3 release, and the corresponding signature.
Scute 1.5.0 released
The first release since 2010, Scute 1.5.0 brings support for 4096-bit RSA keys, TLS 1.2 client authentication, S/MIME signing, and works with the latest GnuPG versions from the 2.1 âmodernâ branch.
Download the release tarball and the corresponding signature. The latest source code is also available in a Git repository at git://git.gnupg.org/scute.git and may be browsed on the GnuPG projectâs Git Viewer.
LĂ , jâai quand mĂȘme un «âŻcrypto-terroriste auto-radicalisĂ©âŻÂ» qui me dit sans rire quâil prĂ©fĂšre compliquer la tĂąche de tous les nouveaux utilisateurs aujourdâhui (en leur demandant de faire des rĂ©glages totalement inutiles pour quiconque utilise une version pas trop vieille de GnuPG) pour le cas trĂšs hypothĂ©tique oĂč il y aurait dans lâassistance une personne utilisant encore une version de GnuPG sortie avant 2010.
Avec des amis comme ça, GnuPG nâa pas besoin dâennemisâŠ
Que ce soit clair : quelquâun qui en 2017 prĂ©tend que les paramĂštres par dĂ©faut de GnuPG doivent impĂ©rativement ĂȘtre modifiĂ©s par lâutilisateur, ou qui parle encore de GnuPG 1.4, nâest pas crĂ©dible pour conseiller des dĂ©butants.
Un dĂ©butant, je lui dis dâinstaller GnuPG 2.1 et de faire gpg --quick-gen-key alice@example.org. Ăa nâa aucune raison dâĂȘtre plus compliquĂ© que ça. Il est plus important de leur expliquer comment bien utiliser GnuPG que de vouloir les impressionner en leur prĂ©sentant une procĂ©dure de gĂ©nĂ©ration de clefs en 23 Ă©tapes.
Il est grand temps de passer ĂÂ GnuPG 2.1
GnuPG 2.1.0 est sorti en novembre 2014, on en est aujourdâhui Ă GnuPG 2.1.16. Il est grand temps de mettre tant les distributions que les tutos Ă jour, les gensâŠ
- Useless warning about SHA-1, which is not the preferred hashing algorithm in any version of GnuPG published since 2009.
- Systematic use of the biggest key sizes available.
- Suggestion to create a revocation certificate, even though recent GnuPG versions do that already (either the author is not aware of that, or he uses an obsolete versionâeither way, itâs bad).
- Reckless advice to delete the master private key, without any discussion of the pros and cons.
Please, do not send beginners to tutorials like this. It may be fine for experienced users, but not for first-timers.
âOpenPGP Best Practicesâ Considered Harmful
GnuPG versions
While the document recommends to âkeep [the software] up to dateâ, it actually says nothing about the version of GnuPG to use. This is, in my opinion, the single most important advice: use the latest GnuPG version. This means: use GnuPG 2.1. At the very least, if your distribution does not provide GnuPG 2.1 yet, use the latest version from the 2.0 branch. But you should not use GnuPG 1.x anymore.
Seriously: the 1.x branch is deprecated on a modern desktop. The developers maintain it only for some old systems on which the 2.x branch cannot be built, or for those who need to handle messages and/or keys generated sometimes in the ĂąâŹâą90s. All the interesting new features (including: elliptic curve cryptography, the TOFU trust model, DANE and TOR support, etc) are only added to the 2.1 branch.
On keyservers
The document recommends to âuse the sks keyserver pool instead of one specific serverâ. While it is a sound advice, it should be noted that the keyserver proposed by default, keys.gnupg.net, is not a âsingle serverâ, but actually⊠an alias for the very same sks keyserver pool. It also recommends to download the poolâs root certificate, something that is not needed anymore since this certificate is now bundled and automatically used by GnuPG.
Another unneeded advice is the suggestion to use the no-honor-keyserver-url option, to always use the configured key server instead of the key server specified in the key to refresh. This is already the default behavior, one has to use the honor-key-server option instead to overcome it.
The advice to use Parcimonie to refresh keys through the Tor network is doubly obsolete: the provided link to the tool is dead, and GnuPG can now use Tor directly, no third-party tool is required.
One last note: all options regarding key servers should go in ~/.gnupg/dirmngr.conf (the configuration file for the dirmngr daemon) instead of ~/.gnupg/gpg.conf.
On keys and key generation
All the advices regarding key generation are only useful for users who have generated their keys a long time ago. New users, or long-time users wishing to generate a new keypair, can safely ignore them, as GnuPG already does The Right Thingâą.
Specifically, you do not have to
- generate a revocation certificate: GnuPG automatically creates one in ~/.gnupg/openpgp-revocs.d;
- generate a separate subkey for encryption: this has been the default setup for a long time now;
- âmake sure the key is OpenPGPv4â: no current version of GnuPG will ever generate a v3 key;
- check that self-signatures do not use the MD5 hash algorithm: seriously, this is 2016, you have nothing to do to prevent GnuPG from using MD5, it will never do that;
- check that self-signatures do not use the SHA-1 hash algorithm: although many people seem unaware of that, GnuPG uses the SHA-256 algorithm for self-signatures since version 2.0.13, back in 2009.
For key generation, the document refers to another howto, which is also obsolete (for example, it explains how to manually create an encryption subkey, ignoring that GnuPG already does that).
Like many other similar pages, the âbest practicesâ also suggest to tweak the default preferred algorithms⊠completely ignoring what the current defaults are. Their proposed list is actually almost the same as the GnuPG default, except that GnuPG prioritizes SHA-256 over SHA-512 (which should be fine with everybodyâthere is no weakness in SHA-256). Consequently, all the steps regarding the default preferences are completely unneeded and can be skipped.
Conclusion
Any âbest practiceâ document can only be useful if it is kept up to date. At the very least, the date of the last revision should always appear, so that the reader may know he is reading an old document.
New users should not be directed toward this kind of tutorials. Long lists of unneeded steps and warnings about obsolete algorithms that are not used anymore in the default configuration can only confuse the beginner and let him think that GnuPG is more complicated than it already is.
The two most important advices I would give to new users are: â use the âmodernâ branch of GnuPG (2.1), ⥠stick to the default settings, they were selected as the defaults for a good reason.
RĂ©capitulatif de mes Ă©crits sur OpenPGP/GnuPG
- PrĂ©sentation de la carte OpenPGP (version PDF et source DocBook â aussi publiĂ© sur LinuxFR.org)
- Utilisation de GnuPG pour lâauthentification SSH (en anglais)
- Mettre sa clef privée primaire OpenPGP hors-ligne (en anglais)
- Quelques remarques sur la gestion des clefs OpenPGP, sur LinuxFR.org
- Quelques brĂšves sur OpenPGP, sur LinuxFR.org