asciilifeform: currently max query output is wired to 10k, e.g. http://phuctor.nosuchlabs.com/search?q=GPG
asciilifeform: iirc 'macports' at least has option of gpg.
asciilifeform: 'The security researcher also recommended we consider using GPG signing for Homebrew/homebrew-core. The Homebrew project leadership committee took a vote on this and it was rejected non-unanimously due to workflow concerns.'
asciilifeform: mircea_popescu: i'll do it, plox to gpg.
asciilifeform: jurov: any gpg bug , even in the sad 2.x , is potentially very interesting. i'd like to learn what happened .
asciilifeform: jurov: what do you get if you try and verify by hand with that same gpg ? ( and incidentally, which gpg is it )
mircea_popescu: possibly have a file with all the stuff you want to send people (because this process of -- think of it -- do something about it! has a lot of merit to it). but if you just >> alf.txt and then once a day or once a week or w/e >> gpg -aer alf and >> p.bvulpes.com then you get it all.
asciilifeform: ( all of the older vtrons, mine, mod6's , pass the .sig straight to gpg, which doesn't care whether uuencoded )
asciilifeform: cat asciilifeform_aggressive_pushgetblocks.vpatch.asciilifeform.sig.sad | gpg --enarmor | sed 's|ARMORED FILE|SIGNATURE|' > asciilifeform_aggressive_pushgetblocks.vpatch.asciilifeform.sig
mircea_popescu: as we're contemplating an eulora client rewrite, i am contemplating the following code release paradigm : client author a) releases code encrypted to l1, signed and deeded (so basically, gpg -aer asciilifeform -r ave1 -r etc) ; b) releases precompiled binaries for allcomers.
asciilifeform: ( for all i know, they're already in, dressed up as gpg keys by somebody or other... )
asciilifeform: phf: indeed there were a great many ports without even a heathen gpg sig
asciilifeform: ( the gpg-derived coad -- will. but as for the rest, i do not know )
mircea_popescu: you know, EXACTLY HOW KOCH GPG WORKS ?
asciilifeform: gpg bit that apple when it went along with the rfc2440 crapola
mircea_popescu: "extension scripts", fancy that wonder. koch put ethereum in gpg before ethereum was even "a thing"
asciilifeform: in other lulz, 'The signature verification routine in Enigmail 2.0.6.1, GPGTools 2018.2, and python-gnupg 0.4.2 parse the output of GnuPG 2.2.6 with a “--status-fd 2” option, which allows remote attackers to spoof arbitrary signatures via the embedded “filename” parameter in OpenPGP literal data packets, if the user has the verbose option set in their gpg.conf file.'
asciilifeform: lol maybe he read our mega-thread re how gpg expiration is bogus
asciilifeform: this doesn't do anything for us. but do consider !!register'ing a gpg key.
asciilifeform: nor will anyone attempt to communicate in confidence with you, without gpg pubkey.
asciilifeform: you do not have to use your meatspace name, or anything of the kind. simply need gpg key, one that you won't lose.
asciilifeform: swiftgeek: if you register a gpg key with deedbot, you will be able to voice yourself
asciilifeform: |\n: ideally, you go and register gpg key with deedbot. then , let's say i rate you, and then you can speak whenever you have something to say.
asciilifeform: and then get yerself a proper nick, and register gpg key with deedbot , and become a person
asciilifeform: ( $nooseitem is not a gcrypt 0day, but gpg particular )
asciilifeform: right but eucrypt is not a gpg-riding proggy.
asciilifeform: iirc errybody's gpg-using items, callout.
asciilifeform: status messages are parsed by programs to get information from gpg about the validity of a signature and an other parameters. Status messages are created with the option "--status-fd N" where N is a file descriptor. Now if N is 2 the status messages and the regular diagnostic messages share the stderr output channel. By using a made up file name in the message it is possible to fake status messages.'
asciilifeform: 'The OpenPGP protocol allows to include the file name of the original input file into a signed or encrypted message. During decryption and verification the GPG tool can display a notice with that file name. The displayed file name is not sanitized and as such may include line feeds or other control characters. This can be used inject terminal control sequences into the out and, worse, to fake the so-called status messages. These
asciilifeform: !Q later tell trinque might be worth testing whether koch's latest lul affects deedbot's gpg hose
asciilifeform: the interesting bit is that he could not have used stock gpg ( which won't crank out anything bigger than 8kbit )
mircea_popescu: what gpg tried to do is somehow kludge a whole working republic into their early prototype key "ecosystem". it didn't work in practice, but that aside, it's not actually useful.
asciilifeform: also the term 'self signature' as used in kochiana/rfc2440/4880 world , is misleading : if all that were signed were a modulus, one could trivially produce 'self sig' for any modulus/exponent that satisfy the rsa equation, incl. ones generated on the spot. 'self sig' in gpg world is simply attempt to tie commentstrings to keys.
mircea_popescu: ~possibly~ the solution is to take gpg-only submissions via webform and any-key submissions via an eventual #trilema bot.
asciilifeform: http://btcbase.org/log/2018-05-11#1812141 << phuctor was written very tightly around indexing pgp keys, and demands that all keys be indexable in the same ways ( by e.g. gpg-compat fingerprint ) . additionally , it demands that all keys have a human-readable legend, and ssh key format does not give any field for such.
mircea_popescu: asciilifeform, btw, can the form accept ssh format besides gpg format ?
mircea_popescu: in other lulz, phuctor acts as a de facto ssh to gpg bridge now, can download the gpg style keys.
asciilifeform: but really, mircea_popescu , if i find , let's say, a set of breakable pubkeys that with reasonable certainty came from gpg 1.4.10, this will not be a more interesting find than debianized ssh set ?
mircea_popescu: anyway, honestly nfi what's so magical about gpg in your mind. they're just as rsa keys as the ssh set ; and just as debian, and etcetera.
mircea_popescu: asciilifeform, so the standard here is, "a key from the sks system which my gpg at home eats and which is nevertheless not prime and excepting A50591247C8E37A64117B74F78AB527059E13694 / B01584E9F6CB9E76DEA61E2A73786CA0F4EACC4F because reasons and with a special review clause for later on left blank atm" ?
mircea_popescu: afaik this exact discussion ended in 2015 with the showing of how gpg will eat.
asciilifeform: and yes it is conceivable that the proggy that produced'em, was given name of 'gpg', somewhere, somehow.
asciilifeform: there is no known version of gpg that shits or even eats mirrorolade, it can only come out of a purpose-built mutilator, OR one of the various js pgptrons that dun check or produce selfsigs
asciilifeform: mircea_popescu: the standard is ~could have come out of a pc pgptron, e.g. gpg~
mircea_popescu: asciilifeform, i was discussing the dozen gpg generated, sks vintage keys that weren't divisible by 5.
asciilifeform: these, from 16010944 submissions ( i.e. gpg keys ) of which 12284842 were Framedragger-generated.
asciilifeform: since the debian incident, enemy stepped up the 'NOBUS' crapola; no noar '32768 possible keys, total', instead things moar in the spirit of http://qntra.net/2016/08/rng-whitening-bug-weakened-all-versions-of-gpg
asciilifeform: jurov: the way it works is, every time /rss pg is generated , we go select mods from factors order by whenfound desc limit N ( n is 20 currently ) ; call this M, it is a list of moduli affected by that factor being known. afterwards , ~each~ of these lists is tested against the set of ~gpg keys~ , in the shape of select * from gpgkeys where [the list from earlier] && mods , and this yields up a list of most-recently-popped ~keys~, w
mircea_popescu: douchebag, aite, so do a hundred or so, gpg me the links when done, and we can talk about how to franchise it after ?
mircea_popescu: http://btcbase.org/log/2018-04-24#1805245 << if it's something i can gift to newbies and it'll allow them to gpg ; and not very expensive ; probably.
asciilifeform: incidentally , knob won't 'break errything that isn't proper', troo champions of idiocy like gpg , will chug along without a working /dev/random ( iirc -- silently )
asciilifeform: ave1: but yes if you have updated addr plz gpg, it will go out mon or tues
asciilifeform: hey BingoBoingo , possibly i already asked this a while back and then lost -- but plox to gpg me a postage addr where you can get mail. i want to try experiment.
mircea_popescu: and that "good enough"... anyone reading through teh discussion of gpg in eucrypt comments, or in channel for that matter can readily grok just how fucking uselessly broken gpg is. yet "good enough" for everyone else.
mircea_popescu: we will evidently have a ffa-based, canonical gpg replacement. EVENTUALLY. until such an eventually, i don't feel so great recommending anyone gpg (or, heavens help us, http://btcbase.org/log/2018-01-22#1774477 -- just as i had to do, and recently). so a drop-in, eucrypt-based, "good enough" item is more than useful.
mircea_popescu: ave1 you should ; also read through the eucrypt thing, ima (for instance) need someone to package it into a cmd line gpg replacement as soon as next week.
mircea_popescu: joecool im sure it is. gpg -aer bingo and p.bvulpes.com
asciilifeform: no fewer than 3 times submitted 'updated' gpg pub with new date ( finally got tired of this, put in a null date )
mircea_popescu: the sizes note the message size, which is to say how many bits to lop off the end. this has specific benefits over the (deeply inept) scheme gpg currently uses ; they'll be discussed in the usual diana_coman post on the topic.
asciilifeform: sometimes, trivial fix. ( koch's gpg had at least 1 case, iirc ) but doesn't generalize to a mechanical fixer.
asciilifeform: and i gotta wonder how he came up with it. afaik gpg , for instance, does not default to it.
asciilifeform: (i.e. an item that can be moved over the net, gpg-signed)
asciilifeform: hey laplinker , get a gpg key regged ?
asciilifeform: hey BingoBoingo , let's test fedex. gpg me an addr you can get mail at.
mircea_popescu: BingoBoingo aite ; the one thing missing from your enumeration there, is "gpgram me the story of bbisp fiat holdings ab origine." ; what this means is, i want a list showing "hey, i got $8500 (or w/e the fuck it was) and i spent x, y, z, k, l, leaving me with q". you wrote me a story, as a literary exercise, i want a numeric thing. gpg & send.
mircea_popescu: which explains why gpg 1 has but gpg2 has not : by the time gpg2 came out, there was an absolute lower bound firmly in place, and well... TOO BIG. "people could never handle this!"
mircea_popescu: gpg doesn't "allow" the exporting of your own damned primes because IT DOES NOT KNOW HOW TO NOTATE THEM.
asciilifeform: but yes gpg is retarded and no there isn't an easy workaround afaik other than to feed it what it wants
asciilifeform: and probably anybody else's that verifies with gpg callout
asciilifeform: cat sad.sig | gpg --enarmor | sed 's|ARMORED FILE|SIGNATURE|' | awk '!/Comment/' > happy.sig
mircea_popescu: asciilifeform cuz there's no evident link from trinque to michael trinque for idiots who don't understand what gpg is, too lazy to click to your blog or read enough log to see stanislav, there's ~nothing "interesting" on mircea popescu besides a bunch of butthurt idiots complaining of ~same nonsense, and so on.
asciilifeform: bitcoin, gpg, show every symptom of authorship by programmertards, rather than academitards -- quite different types of 'shambling walker', as far apart as typhoids and lepers
asciilifeform: hey, recall how asciilifeform tried to resurrect gpg, cut out the 'good part'...
asciilifeform: esthlos: how many instances of 'i wish i had a gui for gpg' did you count in the logs ?
asciilifeform: rather than a 'i dun fee like working on actual problems, so i'm make a microshit outlook for gpg' ??
asciilifeform: ( then can dispose of gpg for this, entirely ! )
asciilifeform: btw if somebody wants to write a py or pl scriptoid that'll generate the gpg-matching 1ffffff...blah turdoid for a given file , he will get honourable-mention in the next chapter.
asciilifeform: hey mircea_popescu , do you remember whether gpg 1.4 ( virginal ) can be forced to dump hashpayload when verifying sigs ?
asciilifeform: in fact, if we weren't planning to take gpg behind the shed and shoot it, i'd publish my keyring-abolition patch ( gpg then DEMANDS pubkey FILE on cmdline for any op that uses one. ditto privates. )
asciilifeform: see, asciilifeform's orig trick with tmp was ~specifically~ to abolish the gpg keyring nonsense
asciilifeform: for so long as vtron uses gpg shell-out, it's stuck with the tmp dir crapola
asciilifeform: mod6: imho a good debugism would be a flag that forces the printing to stderr of all external proggy (gpg, gnupatch) invocations , and their args
mircea_popescu: which is why the whole "with mine owne eyes" screams were all about re previous pass of this, gpg-plaintext.
asciilifeform: right, oughta have similar for gpg
mircea_popescu: http://btcbase.org/log/2017-12-23#1757314 << the principal fucking problem with the rank nonsense we're using is that idiocy of "subkey". consider mine : if you encrypt to 2FB7B452 which ~is~ my key, gpg will nevertheless encrypt to 16B8E32E. because gpg will use the master as sign-only and create a "decryption" key "automatically".
asciilifeform: http://btcbase.org/log/2017-12-23#1757275 << iirc gpg actually defaults to generating 2 moduli, sign-only an' decrypt-only
asciilifeform: ( i cut out 10 pounds for each 1 remaining, but naturally could not cut into the living meat , principle was 'what is actually called in gpg' )
mircea_popescu: gpg: decryption failed: secret key not available << ahem
asciilifeform: afaik 2.x gpg uses wholly unrelated crapola
asciilifeform: esp. spicy considering that it is taken straight from mircea_popescu ( and prolly just about everybody else's ) gpg
mircea_popescu: the thus reconstructed p and q should be tested for whether they indeed have no true witness of compositeness as low as gpg tests.
asciilifeform: and we don't know how the shit-dust comes back together to form what gpg thought was primes
mircea_popescu: was it ever checked whether it would appear prime to koch-gpg ?
asciilifeform: so from that pov i have no access to the original p,q that gpg may have generated, for any of the keys
mircea_popescu: ie gpg is wasting its time with "oh, let's see if 2 is a witness".
asciilifeform: walk the known prime-divisors and see how many pass gpg-1.4.10's litmus
mircea_popescu: asciilifeform tell you what, m-r as found in gpg, with its "12" that are really 11 witnesses is worthlessly useless.
asciilifeform: meanwhile, on the hannoboeck planet, https://neopg.io << usg tool marcus brinkmann proclaims 'clean rewrite of gpg' , with fanfare, spamola ( e.g. http://www.openwall.com/lists/oss-security/2017/12/08/1 ) , 'modernisms', the full shebang.
asciilifeform: meanwhile in heathendom : http://www.openwall.com/lists/oss-security/2017/12/07/1 >> '...Debian switch from gpg1 to gpg2... After getting gpg and agent running, I noticed, that not reliably stopping the gpg-agent on initrd would introduce a private key data leak via /proc from early boot process to running system when stopping fails...' and,
mircea_popescu: asciilifeform you shouldn't put gpg clearsigned bits in a patch in the first place.