
kme : gpg   43

SKS Keyservers: Overview of the pools
p80.pool.sks-keyservers.net

This is a pool containing only servers available on port 80 (needs to be used as hkp://p80.pool.sks-keyservers.net:80).

hkps.pool.sks-keyservers.net

This is a pool containing only servers available using hkps. Regular A and AAAA and SRV records are included for port 443 servers, and a lookup is performed for _pgpkey-https._tcp on the individual servers to determine if a hkps enabled service is listening on another port. At this point, however, servers not running on port 443 are not included.

This pool only includes servers that have been certified by the sks-keyservers.net CA, of which the certificate can be found at https://sks-keyservers.net/sks-keyservers.netCA.pem [OpenPGP signature] [CRL].

For GnuPG 1.4 and 2.0 installations this can be used by using the following parameters in gpg.conf:
<code class="language-ini"># ~/.gnupg/gpg.conf:
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=/path/to/CA/sks-keyservers.netCA.pem
</code>

GnuPG 2.1 users prior to version 2.1.11 (starting with this version the certificate is enabled by default for this pool) want to add the following in dirmngr.conf:
<code class="language-ini"># ~/.gnupg/dirmngr.conf:
hkp-cacert /path/to/CA/sks-keyservers.netCA.pem
</code>

Keyserver operators wanting to be included in this pool will have to send an OpenPGP signed message containing a CSR to a UserID of 0x94CBAFDD30345109561835AA0B7F8B60E3EDFAE3.
gpg  keyserver  maybesolution  reference 
december 2019 by kme
OpenPGP Keyserver
Provided as a "public service." Okay?
keyserver  gpg  pgp  searchengine 
november 2019 by kme
The Monkeysphere Project | http://web.monkeysphere.info/
Frequent users of ssh are familiar with the prompt given the first time you log in to a new server, asking if you want to trust the server's key by verifying the key fingerprint. Unfortunately, unless you have access to the server's key fingerprint through a secure out-of-band channel, there is no way to verify that the fingerprint you are presented with is in fact that of the server you're really trying to connect to.
pki  gpg  ssh  cacert  security  crypto 
february 2019 by kme
How to sign a file on Linux with GPG - TechRepublic | https://www.techrepublic.com/
You might be asking yourself this question, "What's to stop anyone from generating a gpg key with my information and then sending bogus data to a client?" Truth is, not much. However, I do have one very easy "work around" for this. What I do is create a new signing key that lasts only a day, and then in the comment section during the creation, enter a unique phrase. When I send the file to the recipient, I will have them verify the file and have them repeat the comment. If the comment is correct, I will give them the go-ahead to decrypt and use the file. If the comment isn't correct, they have a bogus file on their hands.
gpg  crypto  security  howto  newbie  tipsandtricks 
january 2018 by kme
How to install gpg keys from behind a firewall? - Server Fault | https://serverfault.com/
Some key servers answer to port 80 as well. You probably want to use the "port 80" pool as your default keyserver, which can be set in ~/.gnupg/gpg.conf (keyserver pool.sks-keyservers.net:80).

<code class="language-bash">
gpg --keyserver wwwkeys.de.pgp.net:80 --recv-keys 0A5174AF
</code>

And since hkp relies on http, you should be able to use it through a web proxy too.
gpg  pgp  keyserver  firewall  httpproxy  solution 
january 2018 by kme
gpg - What happens when you verify a detached signature? - Unix & Linux Stack Exchange | https://unix.stackexchange.com/
This will give you the full length key, because it seems nowadays I can't fetch keys with just the abbreviated one anymore (the one that 'gpg --verify' shows you if you don't have it in your ring).
You can use the --list-packets option to get a dump of what's in a gpg file. The description of the file format is RFC 4880 (OpenPGP standard).
gpg  keyverification  crypto  solution 
october 2017 by kme
encryption - Can't check signature: public key not found - Stack Overflow
You get that error because you don't have the public key of the person who signed the message.

gpg should have given you a message containing the ID of the key that was used to sign it. Obtain the public key from the person who encrypted the file or from a public key server and import it into your keyring; you should be able to verify the signature after that.
gpg  pgp  errormessage  dammitbrain  solution 
march 2016 by kme
apt - How do I fix the GPG error "NO_PUBKEY"? - Ask Ubuntu
Update your software list and install Y-PPA-Manager:

<code class="language-bash">sudo apt-get update
sudo apt-get install y-ppa-manager
</code>

Run y-ppa-manager (i.e. type y-ppa-manager then press enter key).

When the main y-ppa-manager window appears, click on "Advanced."

From the list of advanced tasks, select "Try to import all missing GPG keys" and click OK.
gpg  apt-get  packagemanagement  ubuntu  errormessage  annoyance  maybesolution 
october 2015 by kme
Making and verifying signatures
<code>gpg -v --keyserver pgp.mit.edu --recv-keys KEYHEXID
gpg --verify doc.sig doc</code>
This is true of Git releases as well (https://mirrors.edge.kernel.org/pub/software/scm/git/), except the "detached signature" has a '.sign' extension, and the uncompressed tarball is signed, rather than the .tar.gz and .tar.xz separately, which seems like an unnecessary "optimization" (lazy).
Both the document and detached signature are needed to verify the signature. The --verify option can be used to check the signature.
<code>blake% gpg --verify doc.sig doc
gpg: Signature made Fri Jun 4 12:38:46 1999 CDT using DSA key ID BB7576AC
gpg: Good signature from "Alice (Judge) <alice@cyb.org>"</code>

Another common problem: the signature is just distributed as a .asc file without the usual "wrapper" that helps you download the original signing key. You can fix that with this bit of magic (sourced from https://help.ubuntu.com/community/VerifyIsoHowto)
<code>gpg -v --keyserver pgp.mit.edu --recv-keys 0xKEYHEXID</code>

Where KEYHEXID is what 'gpg --verify' will spit out for you if you try to verify a signed file without having the public key in your keyring. After obtaining the public key from the MIT PGP server (or another public keyserver), you can repeat the 'gpg --verify' step and it will still work (with the warning about "no ultimately trusted signer" or some such thing).
dammitbrain  gpg  signature  sysadmin  security  solution  crypto 
october 2015 by kme
GnuPG Commands - Examples
<code>gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.</code>

Solution: the example we're looking at, though, has a "good signature." The problem with this signature is that it was produced with a key that is not "trusted."

Another common problem: the signature is just distributed as a .asc file without the usual "wrapper" that helps you download the original signing key. You can fix that with this bit of magic (sourced from https://help.ubuntu.com/community/VerifyIsoHowto)
<code>gpg -v --keyserver pgp.mit.edu --recv-keys 0xKEYHEXID</code>


Where KEYHEXID is what 'gpg --verify' will spit out for you if you try to verify a signed file without having the public key in your keyring.
solution  pgp  gpg  cryptography  encryption  security  reference  quickref 
june 2012 by kme
