DISCLAIMER: GPG Noob
I just sent my master key and two of my three subkeys to a Yubikey without knowing they would be removed from my keyring and replaced by a stub.
After that I tried to get my subkeys back in case they were still around.
I can see my key and subkeys in GPG Keychain OSX app.
When listing with gpg -k and gpg -K, I get all the public keys associated with my master and subkeys but only the secrets for my master key and one of the subkeys (the one I didnt exported to the yubikey).
Trying to debug more, I decided to use a newer version of gpg to merge keys and so on hoping I can get the secrets back (I guess at this point it was already impossible but I kept trying)
Using gpg (GnuPG/MacGPG2) 2.0.30, it tells me I have one master secret key and two secret subkeys.
gpg -K
/Users/john/.gnupg/secring.gpg
------------------------------------
sec 4096R/XXXXXXXX 2016-07-07 [expires: 2020-07-07]
uid John Doe <john#doe.com>
ssb 4096R/YYYYYYYY 2016-12-28
ssb 4096R/ZZZZZZZZ 2017-09-16
Using gpg (GnuPG) 2.1.20 in a container with the same keyring (mounted as a volume), it tells me I have one master secret and three secret subkeys.
gpg -K
/root/.gnupg/pubring.gpg
------------------------
sec rsa4096 2016-07-07 [SC] [expires: 2020-07-07]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
uid [ultimate] John Doe <john#doe.com>
ssb rsa4096 2016-07-07 [E] [expires: 2020-07-07]
ssb rsa4096 2016-12-28 [S] [expires: 2020-07-07]
ssb rsa4096 2017-09-16 [A] [expires: 2020-07-06]
If I export my secret keys from the second, remove the secret keys from my keyring and import the exported secret keys (hoping to get the missing secret subkey), all I got are ?stubs?
If I open and split the exported secret keys, I can see some key files are 1.8K and others just 0.5K which seems they dont really contain a secret.
Why the second and newer version of GPG does not tell me all it has are stubs?
Why the secrets are not listed as stubs while exporting+importing does?
Is there a way of recovering my secrets? (I guess no)
Why the second and newer version of GPG does not tell me all it has are stubs? Why the secrets are not listed as stubs while exporting+importing does?
You're using gpg 2.0. I have gpg 2.1 and here's what my gpg -K output looks like (uppercase K, i.e. --list-secret-keys):
sec# rsa4096/0xB1349B0B4B8B7600 2017-10-20 [SC] [expires: 2018-10-20]
Key fingerprint = 0F4C 3317 9224 ACA4 C601 A8FB B134 9B0B 4B8B 7600
uid [ultimate] Rouben Tchakhmakhtchian <rouben#rouben.net>
uid [ultimate] Rouben Tchakhmakhtchian <rouben#rouben.ca>
uid [ultimate] Rouben Tchakhmakhtchian <rouben.tchakhmakhtchian#utoronto.ca>
ssb> rsa4096/0x8032EA4BFC7DEEC0 2017-10-20 [S] [expires: 2018-10-20]
ssb> rsa4096/0xEE1E4539902F8149 2017-10-20 [E] [expires: 2018-10-20]
ssb> rsa4096/0x9812857C9C2436E1 2017-10-20 [A] [expires: 2018-10-20]
Is there a way of recovering my secrets? (I guess no)
Check ~/.gnupg/private-keys-v1.d hopefully your secret keys will be there... if anything, if you set up your key like I did (only my subkeys are on the YubiKey, the master key is on an offline encrypted backup medium), you can still use the master key to edit the keys (master and subkeys) as you see fit.
Related
I want to download and verify TortoiseGit-2.8.0.0-64bit.msi
I use gnupg2 (in Cygwin)
The TortoiseGit download page provides these files:
TortoiseGit-2.8.0.0-64bit.msi
TortoiseGit-2.8.0.0-64bit.msi.rsa.asc
I did the below to verify a download (but got: No public key):
$ gpg2 --auto-key-locate keyserver --keyserver-options auto-key-retrieve --
verify TortoiseGit-2.8.0.0-64bit.msi.rsa.asc TortoiseGit-2.8.0.0-64bit.msi
gpg: Signature made Thu, Feb 28, 2019 4:34:13 PM EST
gpg: using RSA key 74A21AE301B3CA5BD8072F5EF7F17B3F9DD9539E
gpg: requesting key F7F17B3F9DD9539E from hkp server keys.gnupg.net
gpg: Can't check signature: No public key
Since I don't have a .sig I tried and got:
$ gpg2 --import TortoiseGit-2.8.0.0-64bit.msi.rsa.asc
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
I can't understand how then to properly verify this download -- if anyone can show the correct method it would be greatly appreciated!
Thank you!
The key is available here: https://download.tortoisegit.org/keys.
As the MSI files are also signed using AuthentiCode, there is no real need for the GPG signatures for end users. - The GPG signatures are used by the auto-updater in order to verify the integrity of the update packages (despite the fact that those are also downloaded using HTTPs).
If you need another trust root, you can call TortoiseGitProc.exe /command:pgpfp in order to display the GPG fingerprint.
wget https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.3.tar.xz
wget https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.3.tar.sign
wget https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/sha256sums.asc
shasum verified: ok
gpg --verify cryptsetup-1.7.3.tar.sign cryptsetup-1.7.3.tar.xz
the output is bad :
gpg: Signature made Sun 30 Oct 2016 01:56:01 PM UTC using RSA key ID D93E98FC
gpg: BAD signature from "Milan Broz <gmazyland#gmail.com>"
then
wget https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/v1.7.3-ReleaseNotes
wget https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/v1.7.3-ReleaseNotes.sign
gpg --verify v1.7.3-ReleaseNotes.sign v1.7.3-ReleaseNotes
this is good (although the warning):
gpg: Signature made Sun 30 Oct 2016 01:56:09 PM UTC using RSA key ID D93E98FC
gpg: Good signature from "Milan Broz <gmazyland#gmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2A29 1824 3FDE 4664 8D06 86F9 D9B0 577B D93E 98FC
I make another test on another website:
wget https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.0.30.tar.bz2
wget https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.0.30.tar.bz2.sig
and everything is good as well.
Then I go to the author's blog (Milan Broz's blog), but the download link leads to the same website.
I tried some previous packages and had the same issue:
cryptsetup-1.7.1.tar.sign with cryptsetup-1.7.1.tar.gz & cryptsetup-1.7.1.tar.xz
cryptsetup-1.7.2.tar.sign with cryptsetup-1.7.2.tar.gz & cryptsetup-1.7.2.tar.xz
If I miss something here, plz tell me what.
otherwise, is there a place where I can have a correctly signed version of this software?
thanx folks.
is there a place where I can have a correctly signed version of this software?
Try from the official website: https://gitlab.com/cryptsetup/cryptsetup (now -- Nov. 2017, 9 months later, in 1.7.5 or 2.0-rc1)
this is good (although the warning):
The warning is expected. See "Check PGP Signature and Install Veracrypt 1.17":
The "WARNING: This key is not certified with a trusted signature! There is no indication that the signature belongs to the owner." means that the Veracrypt public key is not signed by you or by anybody whose key you have signed, so there is no direct line of trust between you and the Veracrypt developers.
This is as expected.
I'm tring to create certificate via Visual Studio Command Prompt to meet the following requirements :
• A valid, (not expired), X.509 signing certifi cate must be used (e-mail certifi cate).
• RSA public key (signature) algorithms using key lengths of 1024 bits (or larger).
• Message Digest Algorithm must be SHA1-RSA.
• Encryption algorithm is DES3 (triple DES).
• Key usage must include digital signature (for signing fi les) and key encipherment (for encrypting
the fi les).
• Certifi cate (Public Key Only) should be exported in the following format
» .p7c (* PKCS7 cryptographic message syntax standard certifi cate)
» .cer (DER encoded binary X.509 Certifi cate)
» .cer (Base64 encoded X.509 Certifi cate)
I have tried as :
makecert.exe -sv TestCert.pvk -n “Test Cert” -a sha1 -len 1024 -sky 2 -eku 1.6.6.9.2.8.0.3.9 TestCert.cer -r
pvk2pfx.exe -pvk TestCert.pvk -spc TestCert.cer -pfx TestCert.pfx -po Test123$
I also am reading from https://msdn.microsoft.com/en-us/library/bfsktky3(v=vs.100).aspx
but so far I have no luck. I have done someting valid one while ago but don't seem to remember how. Can someone give me some tips or example will be great.
Thanks in advance.
The algorithm is named 3DES, not DES3.
The encryption algorithm can be applied at the stage of writing the private key to the disk in some format (like PEM or PFX). It's not a part of the certificate. This is why you can't find any option to do this.
I am new to cryptography in general, I have a question about the primary key fingerprint:
I have downloaded Apache Maven and, as they say in the download page, have verified the signature of the public key, using gpg:
user$ gpg --verify apache-maven-3.2.3-bin.tar.gz.asc apache-maven-3.2.3-bin.tar.gz
gpg: Signature made Tue Aug 12 00:59:35 2014 MSK using DSA key ID BB617866
gpg: Good signature from "Someone <email#maven.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: FB11 D4BB 7B24 4678 337A AD8B C7BF 26D0 BB61 7866
Now, I read from http://www.apache.org/dev/release-signing#fingerprint that the primary key fingerprint is a digest of the key, easier to read and compare, but my question is:
How should I compare it? I mean, where should I found the counterpart against whom I should compare the fingerprint "FB11 D4BB 7B24 4678 337A AD8B C7BF 26D0 BB61 7866"?
The public keys of the Maven developers are linked on top of the download page.
It only contains the short IDs, which are not sufficient to verify keys, but help you at looking up which key was used. To do so, delete this key (it probably already was fetched from the key servers during verifying the signature):
gpg --delete-keys [keyid]
Now prepare importing this key, by copying the public key block matching to the key ID given above to a file of your choice. This file should afterwards contain:
-----BEGIN PGP PUBLIC KEY BLOCK-----
[snip]
-----END PGP PUBLIC KEY BLOCK-----
Now import using gpg --import [file]. Now run gpg --fingerprint [keyid], it should print the same fingerprint given in the output of the signature verification.
When I download GCC, it also has a .sig file, and I think it is provided to verify downloaded file.
(I downloaded GCC from here).
But I can't figure out how should I use it. I tried gpg, but it complains about public key.
[root#localhost src]# gpg --verify gcc-4.7.2.tar.gz.sig gcc-4.7.2.tar.gz
gpg: Signature made Thu 20 Sep 2012 07:30:44 PM KST using DSA key ID C3C45C06
gpg: Can't check signature: No public key
[root#localhost src]#
How can I verify downloaded file with .sig file?
You need to import public key: C3C45C06
Can be done in three steps.
find public key ID:
$ gpg gcc-4.7.2.tar.gz.sig
gpg: Signature made Čt 20. září 2012, 12:30:44 CEST using DSA key ID C3C45C06
gpg: Can't check signature: No public key
import the public key from key server. It's usually not needed to choose key server, but it can be done with --keyserver <server>. Keyserver examples.
$ gpg --recv-key C3C45C06
gpg: requesting key C3C45C06 from hkp server keys.gnupg.net
gpg: key C3C45C06: public key "Jakub Jelinek jakub#redhat.com" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
If the command error's out with a timeout, you may be behind a firewall that is blocking the default gpg port. Try using the `--keyserver' option with port 80 (almost all firewalls allow port 80 b/c of web browsing):
$ gpg --keyserver hkp://${HOSTNAME}:80 --recv-keys ${KEY_ID}
verify signature:
$ gpg gcc-4.7.2.tar.gz.sig
gpg: Signature made Čt 20. září 2012, 12:30:44 CEST using DSA key ID C3C45C06
gpg: Good signature from "Jakub Jelinek jakub#redhat.com" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 33C2 35A3 4C46 AA3F FB29 3709 A328 C3A2 C3C4 5C06
The output should say "Good signature".
gpg: WARNING: This key is not certified with a trusted signature!
Is for another question ;)
This other avenue is particularly useful for verifying GNU projects (e.g. Octave) since the key requested by their signature may not be found in any key server.
From https://ftp.gnu.org/README
There are also .sig files, which contain detached GPG signatures of
the above files, automatically signed by the same script that
generates them.
You can verify the signatures for gnu project files with the keyring
file from:
https://ftp.gnu.org/gnu/gnu-keyring.gpg
In a directory with the keyring file, the source file to verify and
the signature file, the command to use is:
$ gpg --verify --keyring ./gnu-keyring.gpg foo.tar.xz.sig
You have to search the public keyservers for the given key id: in your case ID C3C45C06
Import the found key in your local keystore and after this the verification should be OK.
I use Ubuntu 12.04 and it comes with Seahorse key management software. Before the key import I was seeing this:
~/Downloads$ gpg --verify --keyring ./gnu-keyring.gpg icecat-31.5.0.en-US.linux-x86_64.tar.bz2.sig icecat-31.5.0.en-US.linux-x86_64.tar.bz2
gpg: Signature made 9.03.2015 (пн) 22,35,52 EET using RSA key ID D7E04784
gpg: Can't check signature: public key not found
After the key import I was seeing this:
~/Downloads$ gpg --verify --keyring ./gnu-keyring.gpg icecat-31.5.0.en-US.linux-x86_64.tar.bz2.sig icecat-31.5.0.en-US.linux-x86_64.tar.bz2
gpg: Signature made 9.03.2015 (пн) 22,35,52 EET using RSA key ID D7E04784
gpg: Good signature from "Ruben Rodriguez (GNU IceCat releases key) <ruben#gnu.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: A573 69A8 BABC 2542 B5A0 368C 3C76 EED7 D7E0 4784
according to this http://gcc.gnu.org/mirrors.html that should be Jakub Jelinek and valid. i don't know where you would get his public key though.