gnupg: How to revoke a GPG key and upload it to the GPG key server?

As far as I know, if the key is compromised, then I can revoke the key using the revocation certificate.

Yes, but as long as you have the real private key (if it is compromised but not destroyed), you can always use it to revoke it. That is, you can always generate new revocation certificates "on the fly".

Instead, the pregenerated revocation certificate exists for situations where the private key is completely lost, not only compromised. It is something to store on a USB stick in a friend's house.

(Of course, you should always keep a private key backup offsite as well. But the big difference is that a private key backup is much more sensitive, since if it is stolen it can be used to make anything under his name, while the 'revocation certificate' can only be used to do a very specific thing).

Can anyone suggest how to revoke my key with the revocation certificate?

It should be enough to import the revocation certificate into your PGP keychain: it is essentially a key signature ("self-certification" in GnuPG) that is attached to your primary public key in the same way that you can have other people sign your key and import those signatures.

As soon as it is imported, the program should show the key as revoked and you should publish the updated public key in standard locations (key server, etc.).

Also, one more doubt: after revoking the keys, should I upload them to any GPG key server?

Yes, you should. The publication of keys (and key updates) is what the key servers are for.

If no upload to the key server is required, how can my client verify whether the key is revoked or not?

You can manually (re-)export the revoked key to a file and give it to them directly (or publish it on Keybase or on your website, if you expect the customer to recheck it daily …). But they certainly will not magically know what happens inside your computer. That is why there are key servers.
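
The steps this answer describes (import the certificate, confirm the key shows as revoked, then publish it or hand over an export), as an added shell example that is not part of the original answer. The fingerprint, the file names and the key server URL `hkps://keys.example.org` are placeholders, and the sample listing is constructed.

```sh
#!/bin/sh
# Added example, not from the original answer.

# Reads `gpg --with-colons --list-keys` output on stdin. Succeeds only when the
# primary key whose fingerprint is $1 has validity "r" (revoked) in field 2.
is_revoked() {
    awk -F: -v want="$1" '
        $1 == "pub" { state = $2; primary = 1 }
        $1 == "fpr" && primary { primary = 0
                                 if ($10 == want && state == "r") found = 1 }
        END { exit !found }'
}

# Usage: revoke_and_publish FINGERPRINT revoke.asc [KEYSERVER]
revoke_and_publish() {
    fpr=$1; cert=$2
    server=${3:-hkps://keys.example.org}     # placeholder key server
    gpg --batch --import "$cert" || return 1
    # Publish only if the local keyring now really shows the key as revoked.
    if gpg --batch --with-colons --list-keys "$fpr" | is_revoked "$fpr"; then
        gpg --keyserver "$server" --send-keys "$fpr"
        # Armored copy for people who get the key from you directly.
        gpg --armor --export "$fpr" > "revoked-$fpr.asc"
    else
        echo "key $fpr is not revoked locally; nothing published" >&2
        return 1
    fi
}

# Constructed listing of a revoked key (placeholder fingerprint).
sample_revoked() {
    cat <<'EOF'
pub:r:2048:1:89ABCDEF01234567:1500000000:::-:::sc:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:r::::1500000000::::Example User <user@example.org>:
sub:r:2048:1:1111111111111111:1500000000::::::e:
fpr:::::::::1111111111111111111111111111111111111111:
EOF
}
```

The same `is_revoked` check can be run by the person receiving the exported file, after importing it into their own keyring.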

encryption: why does GPG only choose one (arbitrary) key for a recipient with identical names, instead of all?

I have a recipient with four hardware keys (HK) that they use interchangeably. These HK contain different GPG keys that all have been generated inside and have never left the HK, which results in four different public keys belonging to the same person.

The keys are labeled so that the name, email and identification strings match exactly. Something similar to:

      97E85C8F5ABDC912F2FF8D25EB4D503782686E20
uid           (  full  ) Reci Pient (Comment) 
...
      57CFDEB0ABB5809023F7A37FDF5EB221E3D9D8E5
uid           (  full  ) Reci Pient (Comment) 
...
      B107855A39FA59C7D8FF37617A8F30918D67D1BE
uid           (  full  ) Reci Pient (Comment) 
...
      E97A982270E2090E25393D82DED36993F1DD52A3
uid           (  full  ) Reci Pient (Comment) 

Now comes the time when I need to communicate safely with Reci Pient, perhaps to tell them that the food is ready and that they should go down.

To encrypt the message to Reci, one would write something like:

echo Food! | gpg --encrypt --armor --recipient "reci.pient@domain.tld" > secret.gpg

or even

echo Food! | gpg --encrypt --armor --recipient "Reci Pient" > secret.gpg

Now you might think that this encrypts the message to ALL of Reci's keys, which means that Reci can use ANY of those keys to decrypt the message.

This is not the case. GPG seems to choose an arbitrary key and use it to encrypt the message. We can see this by doing:

%~ cat secret.gpg | gpg -v  
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: encrypted with 2048-bit RSA key, ID 89FEABD93D8E9286, created 2019-12-12
      "Reci Pient (Comment) "

Imagine the scenario in which Reci just stepped on one of his HKs and broke it in half. They should be able to use their other HKs to decrypt messages intended for Reci Pient or reci.pient@domain.tld.
Now, it is entirely possible for Reci to destroy one of their HKs and lose access to "some" of their encrypted messages, whichever key is arbitrarily chosen for the senders by this command.

The "correct" way to do this in GPG would seem to be to explicitly set Reci's keys as the recipient's keys:

echo Food! | gpg --encrypt --armor \
                 --recipient "97E85C8F5ABDC912F2FF8D25EB4D503782686E20" \
                 --recipient "57CFDEB0ABB5809023F7A37FDF5EB221E3D9D8E5" \
                 --recipient "B107855A39FA59C7D8FF37617A8F30918D67D1BE" \
                 --recipient "E97A982270E2090E25393D82DED36993F1DD52A3" \
             > secret.gpg

Looking at the encryption, we see all the keys we would expect.

%~ cat secret.gpg | gpg -v
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: encrypted with 2048-bit RSA key, ID 89FEABD93D8E9286, created 2019-12-12
      "Reci Pient (Comment) "
gpg: encrypted with 2048-bit RSA key, ID B420F45883152A53, created 2019-12-12
      "Reci Pient (Comment) "
gpg: encrypted with 2048-bit RSA key, ID 251885E708C55D81, created 2019-12-12
      "Reci Pient (Comment) "
gpg: encrypted with 2048-bit RSA key, ID 6138956F73CF0ACB, created 2019-12-12
      "Reci Pient (Comment) "

But this seems terribly inconvenient for anyone who wants to send a message to Reci; after all, why would they care about the possibility of Reci stepping on his HK when they just want to send a message?

Even ignoring the inconvenience, when encrypting to reci.pient@domain.tld, why does GPG not complain about multiple keys, but instead choose a seemingly arbitrary key (which is not always the first)? This seems confusing and most of the time it is not what people would want to do. Why would GPG not encrypt to all the public keys that match reci.pient@domain.tld? Is it a security concern to encrypt the message to the wrong reci.pient@domain.tld in some way?

Maybe I'm misinterpreting the way GPG wants to work here (it wouldn't be the first time), or maybe Reci Pient is doing something wrong with the multiple public keys of his hardware keys (they spent a small fortune on that). I would be very grateful if some light could be shed on what is going wrong and how this is supposed to be done.
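
The explicit-recipient approach from this question, automated as an added shell example (not part of the original post): it expands one e-mail address into a `--recipient` option for every usable key. The function names are hypothetical, and the sample listing is constructed from two of the fingerprints above plus a made-up revoked key.

```sh
#!/bin/sh
# Added example, not from the original post.

# Reads `gpg --with-colons --list-keys` output on stdin and prints the primary
# fingerprint of every key that is not revoked/expired/disabled/invalid, has
# encryption capability ("E" in field 12) and carries a valid user ID
# containing <email>.
usable_fingerprints() {
    awk -F: -v want="<$1>" '
        function emit() { if (ok && hit) print fpr; ok = hit = 0; fpr = "" }
        $1 == "pub" { emit(); primary = 1
                      ok = ($2 !~ /^[redin]/ && $12 ~ /E/ && $12 !~ /D/) }
        $1 == "sub" { primary = 0 }              # ignore subkey fingerprints
        $1 == "fpr" && primary && fpr == "" { fpr = $10 }
        $1 == "uid" && $2 !~ /^[re]/ && index($10, want) { hit = 1 }
        END { emit() }'
}

# Usage: echo Food! | encrypt_to_all reci.pient@domain.tld > secret.gpg
# Needs gpg and the recipient's public keys in the local keyring.
encrypt_to_all() {
    fprs=$(gpg --batch --with-colons --list-keys "<$1>" | usable_fingerprints "$1")
    [ -n "$fprs" ] || { echo "no usable key for $1" >&2; return 1; }
    set --
    for f in $fprs; do set -- "$@" --recipient "$f"; done
    gpg --encrypt --armor "$@"
}

# Constructed, trimmed listing: two keys from the page and one revoked key.
sample_listing() {
    cat <<'EOF'
pub:u:2048:1:EB4D503782686E20:1576108800:::u:::scESC:
fpr:::::::::97E85C8F5ABDC912F2FF8D25EB4D503782686E20:
uid:u::::1576108800::::Reci Pient (Comment) <reci.pient@domain.tld>:
sub:u:2048:1:89FEABD93D8E9286:1576108800::::::e:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC89FEABD93D8E9286:
pub:u:2048:1:DF5EB221E3D9D8E5:1576108800:::u:::scESC:
fpr:::::::::57CFDEB0ABB5809023F7A37FDF5EB221E3D9D8E5:
uid:u::::1576108800::::Reci Pient (Comment) <reci.pient@domain.tld>:
pub:r:2048:1:AAAAAAAAAAAAAAAA:1576108800:::-:::sc:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:r::::1576108800::::Reci Pient (Comment) <reci.pient@domain.tld>:
EOF
}
```

Matching on the e-mail address alone selects every key in the local keyring that claims that address, so the sender should only have imported keys whose fingerprints were checked with the recipient.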

gnupg: How to move a legacy git repository to GitLab, which requires GPG signing?

Currently, the company I am working for has a legacy git repository that is hosted elsewhere, and none of the commits are GPG signed. The project is getting bigger and there are more people working on the same project, so it moved to GitLab and now it will need all commits to be GPG signed.

The problem is that the legacy project received some commits made by a former employee. After they left the company, even the company email they used in the commits disappeared. There is no way to apply the correct GPG signature to those commits. An easy solution would be to copy the current code to a new folder and make a new initial commit. However, if I do not want to discard the previous commit history, is there any way to GPG sign those commits that I have not made? (Or is there another solution? I am not the administrator, but I can ask the administrator to make the changes if the instructions are clear.)

passwords – gpg: what defaults can be improved, when performance is not a problem?

gpg has some default settings, which I assume were selected as a compromise between speed and security. I understand that these are good enough for most people.

But, in a situation where speed / performance was not a problem, what defaults could be modified to make gpg use stronger parameters and even stronger encryption?

For example, I have read discussions saying that the default s2k-count value is not enough. I really don't care if my gpg operation takes 50 milliseconds or 200 milliseconds. I prefer to err on the side of security, even if it is excessive.

Specifically, I would like to use the strongest possible values for:

1) password hashing iterations
2) asymmetric key size
3) algorithm for symmetric key

What else can be changed from the default values to make gpg safer?

I'm using gpg (GnuPG) 2.2.12 in Debian Buster.

What guarantees does GPG offer by signing a git commit?

It is quite clear that the GPG signature and the ssh keys of GitHub have different purposes.

But what good is GPG-signing commits? Is it just that you know that commit abcd1234 was signed by Alice's key? Is there anything else for which GPG-signing a commit is useful?

key management: why the GPG signature is not considered to be made by a trusted key

When I verify the signature of a file, the following warning appears:

$ gpg --verify file.sig
gpg: Signature made So 01 Dez 2019 10:08:27 CET
gpg:                using RSA key 
gpg: Good signature from "Pierre " (unknown)
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 

I signed Pierre's key (with a certificate level verification 1):

$ gpg --list-signatures pierre@example.com | grep andrew
sig 1        5E091391A98EBD4E 2019-10-22  Andrew 'raindev' Barchuk 

And my own key is marked as ultimately trusted:

$ gpg --list-keys 5E091391A98EBD4E
pub   rsa2048 2017-10-19 (SC) (expires: 2021-10-21)
      0954F96BC41612E2299383945E091391A98EBD4E
      uid           (ultimate) Andrew 'raindev' Barchuk 
      sub   rsa2048 2017-10-19 (E) (expires: 2021-10-21)
      sub   rsa2048 2017-10-19 (S) (expires: 2021-10-21)

As I understand it, it is safe to trust the signature, since it is made with a key that I have signed. Why do I get the warning and how do I get rid of it?

passwords – GPG – Synchronization between the machine and the problem "No secret key"

I am running "pass: the standard unix password manager" v1.7.3 in Fedora 31.

I create a password for "mysite" through

$ pass generate mysite

It creates an entry in my .password-store folder: mysite.gpg, which is the encrypted password.

But somehow, I can't decrypt this file:

$ pass mysite

gpg: decryption failed: No secret key

or

$ gpg -d mysite.gpg

gpg: encrypted with 2048-bit RSA key, ID 4B***********AD, created 2019-10-08
      "User1 "
gpg: decryption failed: No secret key

Here is more information:

$ gpg --list-secret-keys

/home/user/.gnupg/pubring.kbx
--------------------------------
sec   rsa2048 2019-11-29 [SC]
      DF2*************************************B3D
uid           [ultimate] User2 
ssb   rsa2048 2019-11-29 [E]

$ gpg --list-keys

/home/user/.gnupg/pubring.kbx
--------------------------------
pub   rsa2048 2019-11-29 [SC]
      DF2***************************************B3D
uid           [ultimate] User2 
sub   rsa2048 2019-11-29 [E]

pub   rsa2048 2019-08-17 [SC]
      6A2***************************************18D
uid           [ultimate] User3 
sub   rsa2048 2019-08-17 [E]

pub   rsa2048 2019-10-08 [SC] [expires: 2021-10-07]
      759***************************************6C0
uid           [ultimate] User1 
sub   rsa2048 2019-10-08 [E] [expires: 2021-10-07]

In addition, the .password-store folder was initially created on another machine. I simply type "pass generate mysite" and "no secret keys" on my current machine.

I read here
https://stackoverflow.com/questions/28321712/gpg-decryption-fails-with-no-secret-key-error
that I should import some secret keys, but I don't know which ones and on which machine.

Any help to debug this problem?

Note that the command:

$ pass generate essai2

still works, but

$ pass essai2

produces the same error: "No secret key".

ps: I really need the password stored in "mysite.gpg", is it possible that the clear password is lost?

gnupg: on MacOS, gpg shows the error "the random seed file is empty" after I run out of space for an encryption process.

I tried to encrypt a file on MacOS with gpg, and it turned out that I didn't have enough hard disk space to do it. Then it exited with an error:

gpg: can't write '/Users/myname/.gnupg/random_seed': No space left on device

Then, I created enough space for the encrypted file. However, every time I run gpg I receive the message:

gpg: note: random_seed file is empty

BUT, the file can be created.

It seems that perhaps running out of space rewrote the random_seed file and left it in limbo. Am I facing a security issue here? Thank you.

gnupg – Information on setting up gpg on MacOS

In Mac OS Mojave

▶ gpg --list-keys
Warning: Failed to set locale category LC_NUMERIC to en_GR.
Warning: Failed to set locale category LC_TIME to en_GR.
Warning: Failed to set locale category LC_COLLATE to en_GR.
Warning: Failed to set locale category LC_MONETARY to en_GR.
Warning: Failed to set locale category LC_MESSAGES to en_GR.
/Users/pkaramol/.gnupg/pubring.kbx
----------------------------------------------
pub   rsa2048 2019-07-04 [SC] [expires: 2021-07-03]
      1DA2A2434A38D1192A3EA4523FEF5E3944A2F025
uid           [ultimate] pkaramol 
sub   rsa2048 2019-07-04 [E] [expires: 2021-07-03]


~/Desktop
▶ ls ~/.gnupg
openpgp-revocs.d  private-keys-v1.d pubring.kbx       pubring.kbx~      trustdb.gpg

From what I understand, the public key is: /Users/pkaramol/.gnupg/pubring.kbx

How can I find out what the corresponding private key is?