Comments on: GnuPG Up And Close

By: Anonymous

Anonymous — Wed, 21 Nov 2012 17:29:00 +0000

So helpful, thank you.

By: hhhobbit

hhhobbit — Wed, 26 May 2010 06:36:12 +0000

Matt: Precisely what do you mean by a clear-sign of a file? Do you mean the –clearsign or a –detach-sign (-b)? I am assuming the first. In cases where GnuPG can not determine who the recipient is (use of the clear-sign without using either –recipient or –default-recipient) it defaults to the lowest common denominator. When the recipient is known (you are specifying the recipient key) then it follows their list of preferences until it finds one your software can do. Example. I do detached sigs on the files distributed on my web-site. I don’t know who is going to use those detached sig files in advance. Here is my digest list (and at one time I had SHA1 first to avoid problems but I REALLY did not like it!):

SHA512, SHA384, SHA256, SHA1

Okay, let me sign the gpg2.1 man page (formatted so I can find things):
I actually have scripts to do a lot of this so here is the actual command in the script:

${GPG} –default-key ${KEYID} –output ${FILE}.sig –detach-sign $FILE

Here are the scripts:

http://www.SecureMecca.com/public/GnuPG-Scripts.7z
http://www.SecureMecca.com/public/GnuPG-Scripts.zip

The scripts saves on typing. Okay, what HASH did I use? Since the default is I am using MY key I don’t care what somebody else can handle (nobody has complained but in reality for a long time I have had it as SHA1 first just to avoid the complaints):

$ gpg2 -v –verify gpg2.1.sig
gpg: assuming signed data in `gpg2.1′
gpg: Signature made Wed 26 May 2010 06:15:36 AM UTC using RSA key ID 954D820D
gpg: using PGP trust model
gpg: Good signature from “Henry Hertz Hobbit ”
gpg: aka “Henry Hertz Hobbit ”
gpg: aka “Henry Hertz Hobbit ”
gpg: binary signature, digest algorithm SHA512

It is done this way in the example you gave because when you are signing a message sent to you it follows what you asked for. You want SHA-512 first so that is what it gave you. You can over-ride it with an explicit –digest-algo but I would not do it because it violates the OpenPGP standard. Give the actual command you use to clear-sign a file and people (others, not me) will better be able to help you. I assume you already answered this for yourself by now.

By: Matt

Matt — Sat, 08 May 2010 05:17:43 +0000

Thanks for this post. It’s been helpful. However, I cannot determine why SHA1 is used when I clear-sign a file even though SHA1 is listed last in my preferences. What’s even stranger is that when I send a signed email, SHA512 is used as expected. What am I missing? My pasted my preferences below. Thanks!

default-preference-list TWOFISH AES256 AES192 AES BLOWFISH 3DES SHA512 SHA384 SHA256 SHA224 SHA1 BZIP2 ZLIB ZIP Uncompressed
personal-cipher-preferences TWOFISH AES256 AES192 AES BLOWFISH 3DES
personal-digest-preferences SHA512 SHA384 SHA256 SHA224 SHA1
personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
cert-digest-algo SHA512

showpref
Cipher: TWOFISH, AES256, AES192, AES, BLOWFISH, 3DES
Digest: SHA512, SHA384, SHA256, SHA224, SHA1
Compression: BZIP2, ZLIB, ZIP, Uncompressed
Features: MDC, Keyserver no-modify

By: maryanna

maryanna — Wed, 19 Aug 2009 20:42:17 +0000

Aaron, now that I’ve actually been able to peruse the site, I can see it is very well done and quite informative. Also, your prompt and thorough response to my comment is appreciated.

I didn’t consider the virus/malware possibility and didn’t have the time for more than a cursory glance at the source at the point when it occurred.

This popup is new to me, and it only appears on your site (thus far), although I’ve heard that Silverlight sites produce similar notifications. You’d think Microsoft wouldn’t link to everyone else’s browsers, though, if they were the source. The screenshot is available, since it is IE 6 we’re running, just tell me where you want it sent.

Thank you for the details on Chrome, I’ll credit you when I send the request.

By: Aaron

Aaron — Tue, 18 Aug 2009 20:02:45 +0000

@maryanna I don’t have any popups for any browser that comes to my site. Check the source, and you’ll find that the only JavaScript running on my site is for community polls in posts (no popups), UserAgent string detection for comments (no popups) and StatCounter for tracking visitors (again, no popups). If you’re using IE, and getting popups, I’m afraid you might have a virus or some other form of malware that is hijacking your browser. Maybe you could provide a screenshot of the popup message you’re experiencing while browsing my site? I can’t produce it with IE 7 or IE 8. Unfortunately, I don’t have access to an IE 6 install.

Further, while I strive for standards as much as possible with this site, I make no guarantees that it will work in any browser, including text-based. However, just pulling up links2 in my terminal, and browsing the site, it seems to render rather well, and is quite readable and navigational.

Lastly, Chrome is using the rendering agent from Safari, namely KHTML. The UserAgent string identifies itself as Safari running on a Macintosh, not Google Chrome running on Windows. If this bothers you, I would suggest getting in touch with the Google Chrome development team, and submit a feature request for getting the UserAgent string changed.

By: maryanna

maryanna — Tue, 18 Aug 2009 19:39:51 +0000

FYI, not everyone that visits your site is concerned with the “best” experience, so you might want to offer a way to get past that extremely annoying popup with the download links. I happened to be at work, where there are policies regarding which versions are used, when I got to your site from a search on gpg. I took the time to get to another environment to comment because I really wanted to see the information, but was quite irritated by not being able to get past the admonishing message while using IE. Not to mention that there might be folks interested in the content that are using, GASP!, text-based browsers. Oh, and, P.S.: this was generated using Chrome 2.0.172 on WinXP, not Safari 530.5 on Mac OS X.

By: TSn

TSn — Wed, 01 Jul 2009 13:43:08 +0000

Thank you for sharing! Even as a beginner in GnuPG this tutorial helped me much more than others.

By: KevDog

KevDog — Tue, 23 Jun 2009 04:57:06 +0000

Great info. However I think you should explain that the value set for default-preference-list is actually only used in the creation for new keys — it sets the defaults for any new keys created with the gpg –gen-key command. The topic of key creation was really covered in this blog, so I think to reference this command without explaining its use is a little misleading.

Beyond that the blog was really good.

I think however gpg recently changed the way they decide on what cipher and hash to use. I think actually the personal-cipher-preference and personal-hash-preference are given priority over the recipients preferences embedded in their keys. (Please note I believe the old style way was to give priority to the preferences contained in the keys and then cross-reference the priorities with personal preferences when available.) Also note this process is much more complicated than described above, particularly if you are sending mail for example to 3 recipients each with different algorithms specified in their keys. You may actually want to discuss how this conundrum is handled since I find it interesting (however it might bore many users).

By: shahryar ghazi

shahryar ghazi — Tue, 09 Jun 2009 12:25:34 +0000

thanks for sharing