--export-options export-reset-subkey-passwd


Daniele Nicolodi
Hello,

I have a workflow where I use this option to reset the subkey passphrase
during export to a remote system where the subkey is used for unattended
signing.  This option has been removed in GnuPG 2.1, and I haven't found
a way to obtain the same result.

Does anyone have any tip?

Thanks! Cheers,
Daniele

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: --export-options export-reset-subkey-passwd

Daniele Nicolodi
On 12/08/17 20:15, Daniele Nicolodi wrote:
> Hello,
>
> I have a workflow where I use this option to reset the subkey passphrase
> during export to a remote system where the subkey is used for unattended
> signing.  This option has been removed in GnuPG 2.1, and I haven't found
> a way to obtain the same result.

Digging a bit more, it seems that the functionality got dropped because
with GnuPG 2.x all key manipulations go through gpg-agent and it does
not (yet?) support password reset on export.

Is there any plan to bring back this functionality?  I'm willing to
contribute code, but I would need guidance on the foreseen way to
implement this.

Cheers,
Daniele

Re: --export-options export-reset-subkey-passwd

Werner Koch
On Sun, 13 Aug 2017 08:17, [hidden email] said:

> Digging a bit more, it seems that the functionality got dropped because
> with GnuPG 2.x all key manipulations go through gpg-agent and it does
> not (yet?) support password reset on export.

Unfortunately this is still an open bug:

  https://dev.gnupg.org/T1753

We won't be able to fix it for 2.2.0, but given that it is marked as a
bug it can and should be fixed in the soon-to-be-released 2.2 series.


Shalom-Salam,

   Werner


--
Thoughts are free.  Exceptions are regulated by a federal law.

Re: --export-options export-reset-subkey-passwd

Daniele Nicolodi
Hello Werner,

On 8/23/17 11:59 PM, Werner Koch wrote:

> On Sun, 13 Aug 2017 08:17, [hidden email] said:
>
>> Digging a bit more, it seems that the functionality got dropped because
>> with GnuPG 2.x all key manipulations go through gpg-agent and it does
>> not (yet?) support password reset on export.
>
> Unfortunately this is still an open bug:
>
>   https://dev.gnupg.org/T1753
>
> We won't be able to fix it for 2.2.0, but given that it is marked as a
> bug it can and should be fixed in the soon-to-be-released 2.2 series.

I would like to help get this fixed. What is the plan to implement it?

Thanks. Cheers,
Daniele



Re: --export-options export-reset-subkey-passwd

Daniele Nicolodi
In reply to this post by Werner Koch
On 23/08/2017 23:59, Werner Koch wrote:

> On Sun, 13 Aug 2017 08:17, [hidden email] said:
>
>> Digging a bit more, it seems that the functionality got dropped because
>> with GnuPG 2.x all key manipulations go through gpg-agent and it does
>> not (yet?) support password reset on export.
>
> Unfortunately this is still an open bug:
>
>   https://dev.gnupg.org/T1753
>
> We won't be able to fix it for 2.2.0, but given that it is marked as a
> bug it can and should be fixed in the soon-to-be-released 2.2 series.

As a workaround I came up with this simple script, which has the sole
problem of asking for the secret subkey passphrase a few times too many, and
of requiring an empty passphrase to be entered explicitly.

Let me know if it is excessively dumb or if there is a better way.

Cheers,
Daniele


#!/bin/sh

set -eu

KEY="$1"
shift

# make sure to have a "!" at the end of the key fingerprint to export
# exclusively the corresponding subkey and not the primary key
# (plain "=" here: /bin/sh may be dash, which rejects "==")
if [ "$KEY" = "${KEY%!}" ]
then
    KEY="$KEY!"
fi

umask 0077
WORKDIR=$(mktemp -d)
# also stop the gpg-agent that gpg starts for the scratch homedir, so that
# no agent is left running once the directory is gone
trap 'gpgconf --homedir "$WORKDIR" --kill gpg-agent 2>/dev/null; rm -rf "$WORKDIR"; exit' 0 1 2 3 15

gpg --export-secret-subkeys "$KEY" | gpg --homedir "$WORKDIR" --import
gpg --homedir "$WORKDIR" --change-passphrase "$KEY"
gpg --homedir "$WORKDIR" --armor "$@" --export-secret-subkeys "$KEY"


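The same export / scratch homedir / change passphrase / export workaround, run without any pinentry and checked end to end. This is an added example, not Daniele's script and not GnuPG code. It assumes gpg 2.1 or later and gpgconf on PATH; the function names, the user id "Export Test <export-test@example.invalid>", the passphrase and the signed file contents are constructed test data, and every key is a throwaway generated into a temporary homedir, so ~/.gnupg is never touched. Three loopback behaviours carry the procedure: --passphrase answers every prompt of one gpg run with the same string, --command-fd lets --change-passphrase read the old and the new passphrase as two separate lines (an empty second line means "no passphrase"), and an empty --passphrase at export time answers the "enter a new passphrase to export it" prompt with "none". The result is verified the way an unattended signer would use it: the reset subkey is imported into a second scratch homedir and used to sign with --pinentry-mode error, so any remaining passphrase prompt fails the run instead of hanging it.

```shell
#!/bin/sh
# Added example (not Daniele's script, not GnuPG code): non-interactive
# subkey passphrase reset plus an unattended-signing check. All keys and
# files are constructed throwaway data. Needs gpg 2.1+ and gpgconf on PATH.
set -eu

# gpgb HOMEDIR ARGS...: run gpg non-interactively against a private homedir
gpgb() {
    _home="$1"; shift
    gpg --homedir "$_home" --batch --no-tty --quiet "$@"
}

# cleanup_home HOMEDIR: stop the gpg-agent gpg auto-started for it, then delete it
cleanup_home() {
    gpgconf --homedir "$1" --kill gpg-agent 2>/dev/null || true
    rm -rf "$1"
}

# make_test_key HOMEDIR PASSPHRASE: constructed cert-only primary plus signing
# subkey, both protected with PASSPHRASE; prints the subkey's fingerprint
make_test_key() {
    gpgb "$1" --pinentry-mode loopback --passphrase "$2" \
        --quick-generate-key "Export Test <export-test@example.invalid>" ed25519 cert never
    _primary=$(gpgb "$1" --with-colons --list-secret-keys \
        | awk -F: '$1 == "fpr" { print $10; exit }')
    gpgb "$1" --pinentry-mode loopback --passphrase "$2" \
        --quick-add-key "$_primary" ed25519 sign never
    # the fpr record that follows the ssb record is the subkey's fingerprint
    gpgb "$1" --with-colons --list-secret-keys \
        | awk -F: '$1 == "ssb" { s = 1 } s && $1 == "fpr" { print $10; exit }'
}

# reset_subkey_passphrase SRCHOME SUBFPR PASSPHRASE: prints the subkey, armored
# and with no passphrase, ready to be shipped to the unattended signer
reset_subkey_passphrase() {
    _work=$(mktemp -d)
    # 1+2: export only that subkey (trailing "!"), still protected, and import it
    # into the scratch homedir; its gpg-agent needs the passphrase to convert it
    gpgb "$1" --pinentry-mode loopback --passphrase "$3" --export-secret-subkeys "$2!" \
        | gpgb "$_work" --pinentry-mode loopback --passphrase "$3" --import
    # 3: change the passphrase; with --command-fd the old and the new passphrase
    # are read as two lines and an empty new one means "unprotected". gpg also
    # tries, and fails on, the stubbed primary key, so its exit status is not
    # trusted here: step 4 and the signing check in demo prove the change took.
    printf '%s\n\n' "$3" \
        | gpgb "$_work" --pinentry-mode loopback --command-fd 0 --change-passphrase "$2!" \
        || true
    # 4: export again; the empty --passphrase answers the "enter a new passphrase
    # to export it" prompt, so the subkey leaves with no protection at all
    gpgb "$_work" --pinentry-mode loopback --passphrase '' --armor --export-secret-subkeys "$2!"
    cleanup_home "$_work"
}

# needs_passphrase HOMEDIR SUBFPR FILE: true when signing with the subkey would
# need a pinentry, which --pinentry-mode error turns into a hard failure
needs_passphrase() {
    ! gpgb "$1" --pinentry-mode error --local-user "$2!" --detach-sign --output - "$3" \
        >/dev/null 2>&1
}

# sign_unattended SERVERHOME KEYFILE SUBFPR FILE: import the reset subkey, then
# make and verify a detached signature with no pinentry possible at any point
sign_unattended() {
    gpgb "$1" --pinentry-mode error --import "$2"
    gpgb "$1" --pinentry-mode error --local-user "$3!" --detach-sign --output - "$4" > "$4.sig"
    gpgb "$1" --verify "$4.sig" "$4"
}

# demo: run the whole flow on a throwaway key; prints the subkey fingerprint on success
demo() {
    _pass='correct horse battery staple'        # constructed test passphrase
    _src=$(mktemp -d); _server=$(mktemp -d); _msg=$(mktemp)
    trap 'cleanup_home "$_src"; cleanup_home "$_server"; rm -f "$_msg" "$_msg.sig" "$_msg.key"' EXIT
    printf 'release artefact to sign\n' > "$_msg"
    _sub=$(make_test_key "$_src" "$_pass")
    reset_subkey_passphrase "$_src" "$_sub" "$_pass" > "$_msg.key"
    # the original copy must still be protected; flush the agent's passphrase
    # cache first so a cached entry cannot mask a key that is really unprotected
    gpgconf --homedir "$_src" --kill gpg-agent
    needs_passphrase "$_src" "$_sub" "$_msg" || { echo "source subkey is not protected" >&2; return 1; }
    sign_unattended "$_server" "$_msg.key" "$_sub" "$_msg"
    echo "$_sub"
}

# usage: sh reset-subkey-demo.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh reset-subkey-demo.sh demo`; on success it prints the fingerprint of the subkey that was reset and leaves nothing behind (every scratch homedir has its gpg-agent killed before it is removed). In a real deployment only reset_subkey_passphrase is needed, with SRCHOME replaced by the homedir that holds the protected subkey. The unprotected file it prints is exactly as sensitive as the signing capability itself, so treat the transport and the remote homedir accordingly; keeping the passphrase and supplying it on the remote side from a root-only file via --passphrase-file is the alternative when an unprotected key at rest is not acceptable.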
Re: --export-options export-reset-subkey-passwd

Miroslav Rovis
Regarding my Devuan forums topic:
Safe GnuPG setup (with offlined master secret key)
https://dev1galaxy.org/viewtopic.php?id=1929
I've only recently found this email on the Gnupg Users ML, which actually helped me a
lot to get my hands-on tentative/tutorial right.

This email that I'm replying to, but vaguely, below.

On 180128-17:37-0700, Daniele Nicolodi wrote:

> On 23/08/2017 23:59, Werner Koch wrote:
> > On Sun, 13 Aug 2017 08:17, [hidden email] said:
> >
> >> Digging a bit more, it seems that the functionality got dropped because
> >> with GnuPG 2.x all key manipulations go through gpg-agent and it does
> >> not (yet?) support password reset on export.
> >
> > Unfortunately this is still an open bug:
> >
> >   https://dev.gnupg.org/T1753
> >
> > We won't be able to fix it for 2.2.0, but given that it is marked as a
> > bug it can and should be fixed in the soon-to-be-released 2.2 series.
>
> As a workaround I came up with this simple script, which has the sole
> problem of asking for the secret subkey passphrase a few times too many, and
> of requiring an empty passphrase to be entered explicitly.
>
> Let me know if it is excessively dumb or if there is a better way.
>
> Cheers,
> Daniele
>
>
> #!/bin/sh
>
> set -eu
>
> KEY="$1"
> shift
>
> # make sure to have a "!" at the end of the key fingerprint to export
> # exclusively the corresponding subkey and not the primary key
> # (plain "=" here: /bin/sh may be dash, which rejects "==")
> if [ "$KEY" = "${KEY%!}" ]
> then
>     KEY="$KEY!"
> fi
>
> umask 0077
> WORKDIR=$(mktemp -d)
> # also stop the gpg-agent that gpg starts for the scratch homedir, so that
> # no agent is left running once the directory is gone
> trap 'gpgconf --homedir "$WORKDIR" --kill gpg-agent 2>/dev/null; rm -rf "$WORKDIR"; exit' 0 1 2 3 15
>
> gpg --export-secret-subkeys "$KEY" | gpg --homedir "$WORKDIR" --import
> gpg --homedir "$WORKDIR" --change-passphrase "$KEY"
> gpg --homedir "$WORKDIR" --armor "$@" --export-secret-subkeys "$KEY"
>
I only now, on the umpteenth read, understand this script much better. Too late to
include it in my already mostly finished tentative/tutorial.

In this post:
https://dev1galaxy.org/viewtopic.php?id=1929#p7915
I linked to the web-location of this email:
https://lists.gnupg.org/pipermail/gnupg-users/2018-January/059887.html
(that I'm replying to from my mailbox).

I think my setup (and I had longed for a couple of years to accomplish it!; I'm
a slow learner) works fine for me already, I believe, and is safe [1].

And I hoped I'd mostly just thank the developers for this really great tool in
the first place.

OTOH, the FAQ entry in which I found some tips at the onset of this days-long GnuPG
setup rework of mine should, I believe, be updated:

8.20. How can I use GnuPG in an automated environment?
https://gnupg.org/faq/gnupg-faq.html#automated_use

I'd help, but firstly, I had already stolen too much time from other work of
mine, and secondly, my understanding is not sufficiently clear on these matters
at this time.

Best regards!

---
[1] I set up a good password for both my subkeys, and will probably mostly go
offline, and try to quickly ascertain my system status (logs are almost always
"tail -f"-ed on top in real time for me), and will often go offline, physically
disconnecting from the internet, for just the time to type the password to do
the encryption/signing.

So maybe a question to advanced users/devs. Any tips on protection from the
dangers to my subkeys (and subkeys of those who will come along from my
tutorial pages) from the bad place called internet? On defence from keyloggers,
from meltdown/spectre exploits big or small users (ah, I know; kernel with all
the mitigations and updated microcode, but maybe the gentle readers can tell
more yet), and such?
--
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr
