Those are stub keys, which contain no secret data. The stubs are only a map to tell gpg where to find the actual keys.
https://www.gnupg.org/documentation/manuals/gnupg/OpenPGP-Key-Management.html
keytocard
Transfer the selected secret subkey (or the primary key if no subkey has been selected) to a smartcard. The secret key in the keyring will be replaced by a stub if the key could be stored successfully on the card and you use the save command later. Only certain key types may be transferred to the card. A sub menu allows you to select on what card to store the key. Note that it is not possible to get that key back from the card - if the card gets broken your secret key will be lost unless you have a backup somewhere.
I've always thought to myself that at some point a critical mass of posted keys will accumulate and popular mail clients will start integrating with GPG, but the track record is looking pretty poor. Keybase might breathe some fresh air into the effort by integrating with social media.
Facebook's encrypted mail feature is another change that gives me a ghost of hope.
OpenKeychain, as posted by /u/hpka, integrates quite well with K9 for email.
If you specifically want that key to work with Text Apps, I think you will have to copy/paste from OpenKeychain.
Otherwise, use an encrypted Text App like WhatsApp
I would not create a key on an android device. I would create it on an offline air-gapped machine. I would create a master key pair that will never be on an online device and create sub-keys for every day usage. That subkey can be revoked if it ever gets lost or compromised, in order to do that you also need to create a revocation certificate. That way you don't lose all your trust / signatures on your main key just because a sub-key was lost / compromised.
You can then just copy one of your everyday sub-keys to your android device.
Here is a tutorial: https://www.whonix.org/wiki/Air_Gapped_OpenPGP_Key
A direct link if anyone would like to donate.
Another project which had run into similar problems is OpenSSH, one of the most unsexy yet crucial applications I use on a daily basis.
>Why does GPA ask for a name and email when I create a password?
It's just a convention. Depending on what you are using the PGP key for, you may want to use a fake name and fake email address.
>when I should set up a secure email specifically for this purpose?
Depending on what you plan to use PGP encryption for, you might want to set up a darknet email account using a fake name first and then use that fake name and real darknet email address on the PGP key.
SIGAINT offers free webmail accounts:
http://sigaintevyh2rzvw.onion/
You will need to download and install the Tor Browser Bundle to access onion sites:
Not totally sure. This question suggests that GPG should be able to decrypt.
GPG is free, so before I spent money on PGP I would certainly give it a try; you have nothing to lose but a few minutes of time.
My preference:
I really do know all the gpg command line stuff, but it's so much easier using thunderbird :)
Screenshots and guide: https://www.enigmail.net/documentation/screenshots.php
Ultimately you will want to understand the straightforward underlying OpenPGP message format which can be found in RFC-4880[1]. When using GnuPG from another program you would want to use GPGME[2]
The thing you will have to learn is practical cryptography as applied to public key cryptography and cryptographic signatures. There are many books devoted to that/those subject(s).
can you expand a little on what you did prior to attempting to verify? also, may want to re-download the installer and the signature and try again.
$ gpg --verify npp.7.7.1.Installer.x64.exe.sig npp.7.7.1.Installer.x64.exe
gpg: Signature made Wed 19 Jun 2019 05:47:38 PM MDT
gpg: using RSA key 14BCE4362749B2B51F8C71226C429F1D8D84F46E
gpg: Good signature from "Notepad++ <>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 14BC E436 2749 B2B5 1F8C 7122 6C42 9F1D 8D84 F46E
As for the Marginals, that is a level of trust that you would assign to the key "Notepad++ <[email protected]>". Levels of trust are Unknown (-), ? (q), None (n), Marginal (m), Full (f), Ultimate (u). (I can't find a source for the q level of trust.) Ultimate is reserved for keys you personally control.
In your case, since you have not signed or assigned trust to the NP++ key, it has a [unknown] trust level. That will have no effect on actually verifying the .sig on the .exe, and GPG is just letting you know that you have not yet verified and signed the NP++ key.
Thank you all for your replies.
Taking your feedback, I've decided I want to start double encrypting my files like so:
File -> GPG (Serpent256 + SHA512 + Symmetric) -> GPGFile1 | GPGFile1 -> GPG (AES256 + SHA512 + Symmetric) -> GPGFile2
My only question is, how do I start using Serpent. On the page of Available Ciphers it says that Serpent256 is an option, but when I go and try to use: gpg -c --cipher-algo SERPENT256 it returns that that isn't a option.
Thank you all again for your feedback.
I would guess that they would be somewhat less safe in Mailvelope, because some sort of browser exploit might be able to get to the unencrypted keys in memory.
Some security reviews of Mailvelope:
You already solved it, but:
you don't --import fingerprints or key ids. You import the entire key. Either from a file, shell direction, or running gpg --import and pasting it onto the terminal and ending with Ctrl+D.
On the last box, you could have just followed the instructions to "Enter number(s)" and it will basically --recv-keys the key for you.
Of course, for people you don't really know like free software developers, you'll want to search the fingerprint from gpg --fingerprint online to see what comes up like:
>"2D3D 2D03 910C 6504 C121 0C65 EE60 C0C8 EE72 56A8"
That's the master key from https://geti2p.net/en/get-involved/develop/release-signing-key. But you should not rely on one source, but cross-verify the fingerprint from multiple sources. Ideally you would use the web of trust to verify the key, or an in-person meeting or phone call, but that's not always reasonable for developers you don't know.
There's no harm in importing keys. If you're interested in historical proofs of keys that build over time, you might want to check out https://keybase.io. (This isn't the same thing as actually verifying a key, though! I would use keybase.io to find a key for someone I have no connection with, but I wouldn't sign that person's key based on keybase.io.) I have invites; if you're interested send me a PM with your email.
My expectation is that ownertrust is never set until I have verified the key with the person through an offline verification. For example, getting a key from a "pretty reputable source" is not the same as verifying with Alice that the key is actually hers. Given the interception and deception capabilities of law enforcement and intelligence agencies, I would never sign a key based on its source online. The biggest reason I consider this best practice is that doing otherwise undermines the web of trust. By setting owner trust on a key you haven't verified, you're effectively trusting anonymous sources to vouch for other keys. Obviously a bad idea.
If you want to separate your personas, you must use completely separate keys, not just identities on one key. I think /u/sostratus covered this pretty well.
Try adding a new line after "-----BEGIN PGP MESSAGE-----" and before "-----END PGP MESSAGE-----" (better: copy it with new lines intact, if possible).
Additionally, I'd suggest using K-9 as your email app and Thunderbird with Enigmail on your Windows machine as they both support PGP/Inline and should simplify the process of decrypting considerably.
Edit: And while you're switching apps, have a look at OpenKeychain, an APG fork.
I am not sure how trustworthy the random number generation is on an Android device.
With that said, you can also try OpenKeychain. It supports up to 8192 bits.
https://f-droid.org/repository/browse/?fdfilter=gpg&fdid=org.sufficientlysecure.keychain
No worry about asking for more details, I am here to learn too.
You are in the right direction with that latest copy of the NIST Guide which shows, beside 256-bit ECC, that a 512 bit ECC is indeed comparable to RSA-15360. ECC have different curves which you can choose from, e.g. in GnuPG, you can choose NIST P-521 which will be even stronger than RSA-16384.
You can also refer to GnuPG's site that "elliptical-curve cryptography.. bring a level of safety comparable to RSA-16384."
> The key has been used to verify several uids and I'm not sure how this will influence the web of trust
Just a guess, but I doubt these keys are still taken into account in the WoT. According to GPG 2.1 release notes, they require the use of md5, which is totally insecure, which makes me think no client (should) trust these signatures anyway. But that's just a guess.
Looks like an interesting tool. At first I thought its like an EtherPad, but with e2e encryption. Would make a good project, too :D
I saw that you directly call gpg2 from the console; you should consider using the official gpg API, GPGME: https://www.gnupg.org/%28es%29/related_software/gpgme/index.html - Using the API ensures that the program is working with every version of gpg available.
Thank you for the detailed response. I'm probably frustrating you at this point, or at least I am now, cause it's not working. The -vv thing just created a pubring and secring, and after that it won't do anything. The --list-packets just gives me a spoopy message saying "Go ahead and type your message..."
It doesn't matter if I typed the location to the file or put it in the same folder as the exe. I don't know what I'm doing wrong.
CryptSync uses these commands (I can't change them without recompiling the source):
--batch --yes -c -a --passphrase
Then -o and the destination
I put these commands in gpg.conf:
compress-algo BZIP2
bzip2-compress-level 9
no-emit-version
s2k-digest-algo SHA512
s2k-mode 3
s2k-count 65011712
s2k-cipher-algo AES256
digest-algo SHA512
Will that cover everything? Or do I need to put cipher-algo AES256 as well on my end? Do I need to remove digest-algo SHA512?
I've read around here, here, and some other sites, and the explanations vary a bit, so that's why I'm not sure if I'm even doing anything right. I'm just not experienced enough to be able to determine what is out of date or inaccurate.
I just need to encrypt these files properly. I've spent days and days reading about this stuff, and I'm posting here just trying to be sure that I'm doing everything right, so that 5 years later I don't hate myself.
I'm fine with -a, it might take up a little more space, but these are personal documents, pictures, and audio files. The most they'd increase by seems to be around 10%, and plus I've realised I can actually print out the files and then use OCR to convert it back to text LOL. I'm not sure if it will be reliable, but it's working so far, just something fun and not how I intend to store the files.
so for gpg4win i have the exe and the sig file, and when i try to verify it says "can't check signature: no public key" does that mean i need the public key of the gpg developers? b/c i do : https://www.gnupg.org/signature_key.html
Thank you for your reply. This has been turning out to be rather stressful. So I think it's working, but I don't know how to test the file... I tried to use -vv while decrypting, but I don't even know how to decrypt properly from the command prompt... it just keeps telling me "usage: gpg [options] -decrypt [filename]"
From what you're saying, I need to include both digest commands? Like this:
compress-algo BZIP2
bzip2-compress-level 9
no-emit-version
s2k-digest-algo SHA512
s2k-mode 3
s2k-count 65011712
s2k-cipher-algo AES256
digest-algo SHA512
I left the count at the maximum and it seems to only slow the job by a couple seconds per file, so I guess I'll just leave it maxed. I used SHA512 instead of SHA256, because some people told me that SHA512 slows down GPU attacks a little bit.
I'm only doing file encryption right now, so these commands only need to work for file encryption right now (I don't think I'm ready yet to do email properly). I'm using CryptSync to save time, as it handles all the other commands for me, except I don't really want -a, but I don't want to mess with the source code and mess it up to remove that part out. Some people have told me that leaving armor on means a little more work for an attacker, but that's probably not true? At least it means I can store stuff as text if needed.
Anyway, I need to know some way I can see how it was encrypted as I decrypt it. Is this possible? I thought -vv would do the trick
Thank you for your time.
You can try GnuPG for Windows -- http://www.gpg4win.org/
The UX probably isn't as clean as PGP Desktop, but it's free and actively developed.
You might try installing GPA from the gpg4win and then importing your secret key from gpg4usb into GPA.
I just tested it and the keys are compatible between the two clients. I was able to successfully use a key with a password that I generated with gpg4win on GPA.
There's no way to strip or reset the password from a key. The private key is encrypted with the password.
Your only other option is to try cracking it using something like this software:
http://www.openwall.com/passwords/pgp-secret-keys-disks-archives
I think this depends on the "novelty" of your MacBook. Old AirPort cards are most likely supported, newer ones not. You can use the built-in bug reporting tool to report that WiFi isn't working in your setup, and eventually support will come in following versions: https://tails.boum.org/doc/first_steps/bug_reporting/index.en.html
Linux is one of those things you learn bit by bit, as you run into problems like the one you just did.
However, all that stuff I just wrote, is definitely necessary for you to understand since a whole lot of problems can and will arise from bad file permissions.
This looks pretty good:
https://www.digitalocean.com/community/tutorials/an-introduction-to-linux-permissions
Once you understand this, by the way, it's trivial (it looks a lot more complicated than it is.)
-rw------- 1 ralf ralf 102235 Mar 21 11:02 pubring.gpg
That looks good; that's how it should look.
I don't know if that's a standard feature; afaik the Banner option in sshd_config that you mentioned is set on the server to display a message on the client machine, and it should work the same way regardless of whether the client is using ssh-agent or gpg to manage their keys.
But if you want to display a standard warning pre-connection attempt, regardless of which server you're connecting to, I think that's harder and I don't know if there's a real way to do it universally. With git specifically you might be able to do something with client-side hooks (maybe pre-push?), and I guess you could potentially do something like this for ssh:
alias ssh="echo Please insert Yubikey >&2; while ! ykinfo -s &>/dev/null; do sleep 1; done && ssh"
But doing it that way seems pretty janky, to say the least. Maybe there's a better way I just don't know about.
>Do I have to use persistence
Not necessarily. You could export the secret key to an encrypted volume on a separate device:
https://tails.boum.org/doc/encryption_and_privacy/encrypted_volumes/index.en.html
>do I only check the GnuPG button?
Yes, if you only need your PGP keys to be persisted.
You should leave "Personal Data" enabled as well, so that you have a general area to save other files to the persistent volume.
>Persistence also says that it will take effect after restarting tails, so does that mean the key I made before I enabled persistence will not be saved?
Correct, unless you export it to another device before rebooting.
>So you want me to give you all of my banking information?
No. We use Stripe to process card payments, and we store only last four digits of the card number, name on the card, exp date, and country.
What about signing your commit instead? (https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work) .
Also, proving date-of-publication is somewhat handled by the gist date -- you don't have control of that system so it can be reasonably relied upon to be accurate.
>Did I fuck up by deleting everything in kleopatra?
A little bit.
If the Tails signing key is not listed in the main window, then you will need to re-download it, re-import it and re-sign it with your own key:
https://tails.boum.org/tails-signing.key
Go through this procedure again to make the signing key trusted:
https://www.reddit.com/r/GnuPG/comments/3lekqf/gpg_installation_issues_with_windows/cv6f9od
Try downloading the ISO file via torrent. That will usually overcome any networking problems that are causing your file download to be truncated:
https://tails.boum.org/torrents/files/tails-i386-1.5.1.torrent
What size are you getting for the file?
Firstly, welcome to the world of GPG :)
Next, don't be discouraged, frustrated, or annoyed. In regards to Tails, you probably already have, but take the time to really read their Getting started section. Take it slow, for me, verifying Tails was a small hassle, but not a massive hurdle. Once you're on Tails and still having issues there you might want to check out /r/Tails.
I'm still new to this as well, but I have a strong feeling you'll get good answers here or on /r/Tails depending where the issue is stemming from. In my mind I would start a whole new subreddit dedicated to GPG on Tails...if that's already a thing then somebody let us know!
You don't import that file. You import the Tor project's key then use that signature to verify the exe you've just downloaded.
You can't import that as a key, because it isn't a key, it's just a signature.
I tried both GPA and GPG4USB and they both gave the error "No Keys Were Found" when I tried to import the .asc file. Can you try to import it and see if it works? It can be found here. Thx.
Yeah, it should play nice as Mailvelope also supports reading keys from Autocrypt headers.
Mailvelope can be a little bit tricky because it works by accessing the page directly. You can try https://flowcrypt.com/ as this is similar but uses Gmail API (instead of hijacking the page).
By selecting that option in pinentry then your password is probably stored in your user keyring that is encrypted with your user login password*. You can use Seahorse to view stored passwords.
* It is possible to create a keyring that has no password and no crypto but that is not default.
>If someone gets my secring.gpg do they have all my private keys?
Yes, if they crack the password you used when you created the keys.
If you used the password "password1", they will be able to instantly crack your private key and decrypt any messages they have that were encrypted to you.
I have no clue, but if I had to guess, make sure your whole ~/.gnupg directory is owned by you/your local user. A lot of times people will install gnupg or packages with sudo, and the whole directory's permissions are not correct.
see if this helps. https://www.gnupg.org/documentation/manuals/gnupg/Dirmngr-Configuration.html
The assumption is that your local machine should be safe.
You can change the gpg-agent cache timeout in the config file (~/.gpg/gpg.conf). If you set the ttl to 0, that should disable the cache.
https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html
> --default-cache-ttl n
>
> Set the time a cache entry is valid to n seconds. The default is 600 seconds. Each time a cache entry is accessed, the entry’s timer is reset. To set an entry’s maximum lifetime, use max-cache-ttl. Note that a cached passphrase may not be evicted immediately from memory if no client requests a cache operation. This is due to an internal housekeeping function which is only run every few seconds.
>
> --max-cache-ttl n
>
> Set the maximum time a cache entry is valid to n seconds. After this time a cache entry will be expired even if it has been accessed recently or has been set using gpg-preset-passphrase. The default is 2 hours (7200 seconds).
Quickly adding UID is possible with --quick-add-uid (see: https://www.gnupg.org/documentation/manuals/gnupg/OpenPGP-Key-Management.html) but there is no quick remove (you could achieve that with copying the key and editing a copy).
$ gpg --symmetric --armor --output test.asc temp.txt
Produces this message... Password is testing
$ cat test.asc
-----BEGIN PGP MESSAGE-----

jA0ECQMCYMN1GGadRnbw0ncBXOWSchwfmVY6N9o99WstXkoWTKcWVpEQLzDqnIWw
XmKW2AkVFMpV5I5CkEaXuuOWlmVQRlqN8ujc+EXhckLzKiabhKu/hSHZyu0A4XfQ
66BaCCQn9ea6eXHf+TxxPDX8qT6Wbt6s5MJFbJm+jIciHaghM1UPrA==
=r9Fp
-----END PGP MESSAGE-----
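What gpg put into the message above can be read from the armor itself using the RFC 4880 packet layout. The following Python is an added example, not part of the original comment; it embeds that message as its input, handles only fixed-length packet headers, and does not check the CRC24 line.

```python
import base64

# Input: the armored message from the comment above, copied verbatim.
ARMORED = """-----BEGIN PGP MESSAGE-----

jA0ECQMCYMN1GGadRnbw0ncBXOWSchwfmVY6N9o99WstXkoWTKcWVpEQLzDqnIWw
XmKW2AkVFMpV5I5CkEaXuuOWlmVQRlqN8ujc+EXhckLzKiabhKu/hSHZyu0A4XfQ
66BaCCQn9ea6eXHf+TxxPDX8qT6Wbt6s5MJFbJm+jIciHaghM1UPrA==
=r9Fp
-----END PGP MESSAGE-----
"""

# Algorithm identifiers from RFC 4880 sections 9.2 and 9.4, S2K types from 3.7.1.
CIPHERS = {2: "3DES", 3: "CAST5", 4: "Blowfish", 7: "AES128",
           8: "AES192", 9: "AES256", 10: "Twofish"}
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
          9: "SHA384", 10: "SHA512", 11: "SHA224"}
S2K_MODES = {0: "simple", 1: "salted", 3: "iterated+salted"}


def dearmor(text):
    """Return the binary packets inside an ASCII-armored block."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    begin = next(i for i, ln in enumerate(lines) if ln.startswith("-----BEGIN PGP"))
    end = next(i for i, ln in enumerate(lines) if ln.startswith("-----END PGP"))
    inner = lines[begin + 1:end]
    # Armor headers ("Version: ...") end at a mandatory blank line; pasted
    # messages that lost it are the usual reason a client refuses to decrypt.
    if "" not in inner:
        raise ValueError("no blank line after the armor header")
    body = inner[inner.index("") + 1:]
    # The line starting with '=' is the CRC24 checksum, not message data.
    return base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))


def packets(data):
    """Yield (tag, body) per packet, old and new header formats (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not a packet header at offset %d" % i)
        i += 1
        if hdr & 0x40:                       # new-format header
            tag, first = hdr & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                                # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:                   # indeterminate: runs to end of input
                length = len(data) - i
            else:
                n = 1 << ltype               # 1, 2 or 4 length octets
                length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length


def s2k_count(coded):
    """Expand the one-octet iteration count (RFC 4880 section 3.7.1.3)."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def describe_symkey(body):
    """Decode a version 4 Symmetric-Key Encrypted Session Key packet (tag 3)."""
    version, cipher, mode, digest = body[0], body[1], body[2], body[3]
    if version != 4:
        raise ValueError("unexpected packet version %d" % version)
    info = {"cipher": CIPHERS.get(cipher, cipher),
            "s2k": S2K_MODES.get(mode, mode),
            "hash": HASHES.get(digest, digest)}
    if mode in (1, 3):
        info["salt"] = body[4:12].hex()
    if mode == 3:
        info["count"] = s2k_count(body[12])
    return info


def summarize(text):
    """List what each packet in an armored message is."""
    out = []
    for tag, body in packets(dearmor(text)):
        if tag == 3:
            out.append(("symkey-esk", describe_symkey(body)))
        elif tag == 18:
            out.append(("encrypted+mdc", len(body)))
        elif tag == 9:
            out.append(("encrypted-no-mdc", len(body)))
        else:
            out.append((tag, len(body)))
    return out


if __name__ == "__main__":
    for item in summarize(ARMORED):
        print(item)
```

The `hash` and `count` fields are the ones the `s2k-digest-algo` and `s2k-count` settings control; the count 65011712 quoted elsewhere on this page corresponds to the coded octet 255.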
Aaaahhh I see, yes that's confusing if you're not familiar with it. TL;DR: if the ending matches then you're good.
Slightly longer explanation:
There are several ways to identify a key. A super short ID is usually used locally when looking up keys you've already added to your system. They look like this: 234567C4 or like 0x234567C4
I don't know for certain, but I believe the 0x is basically just saying "hey the following code is in hex". Either way it's not actually part of the ID and should be left out when searching for keys.
The "normal" short form of a key ID looks like 234AABBCC34567C4 or 0x234AABBCC34567C4
The full form of a key is probably what you were looking for and looks like 0E12343434343434343434EAB3484343434343434 or 0x0E12343434343434343434EAB3484343434343434
I've basically just summarised what's in the gpg manual, but you can read it here: https://www.gnupg.org/gph/de/manual/r1023.html#AEN1789
> I would like to encrypt files using AES-256 with a program that is open source
https://www.gnupg.org/gph/en/manual/x110.html
gpg --output doc.gpg --symmetric doc
doc is the file to be encrypted. doc.gpg is the output encrypted file to be created.
The --symmetric option makes it so no public key cryptography like RSA is used at all.
> --enable-large-rsa --disable-large-rsa With --generate-key and --batch, enable the creation of RSA secret keys as large as 8192 bit. Note: 8192 bit is more than is generally recommended. These large keys don't significantly improve security, but they are more expensive to use, and their signatures and certifications are larger. This option is only available if the binary was build with large-secmem support.
I can't see these words in this (https://www.gnupg.org/documentation/manpage.html) webpage.
Thank you - I was sure it was something simple and conceptual.
Is there a better page spelling out the commands better than the one I used: https://www.gnupg.org/documentation/manpage.en.html ?
That page implies "--with-fingerprint" is a command and I don't see the "-d" you mentioned.
And thanks.
That would work, but you are doing a lot of extra work to make the hashes, and then to verify them on the other end. GPG will do that for you.
A gpg signature provides the same data verification that the hashes provide, so when you hash, then sign the hash, it is redundant. Plus, a disadvantage to your script is the encryption is not signed. Did you do the encryption, or someone else? Yes, you did sign the hashes, but not the whole blob.
If you take out the find ... and the gpg line immediately after, you can reduce your steps to only the last two (tar then gpg), and make your use case a bit more secure/verifiable.
Make sure you add the --sign option to your last line, also:
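# =================================
# GPG Sign + Encrypt multiple files
# =================================

FOLDER=~/Documents/
RECIPIENT=John

# stop if the folder is missing, so nothing is archived from the wrong place
cd "$FOLDER" || exit 1

# pack the files into one archive (no separate sha512sum step; the signature covers the whole archive)
tar -cf zipped.tar -- *

# sign and encrypt the archive into a .gpg file
# --local-user selects the signing key; replace [YOUR KEY] with your key ID
gpg --output zipped.tar.gpg --recipient "$RECIPIENT" --local-user "[YOUR KEY]" --sign --encrypt zipped.tar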
So, I found this. It's really (too) short, but it means that the following regex (here in Emacs rx format):
(rx line-start "[GNUPG:] GOODSIG " (group (one-or-more hex-digit)) " " (group (one-or-more any)) line-end)
should not produce false positives.
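The same status-line check extended to pin the signer: an added Python example, not code from the original post, that goes beyond the GOODSIG regex by also requiring a VALIDSIG line whose primary-key fingerprint equals a pinned value. The sample status output is constructed (the first fingerprint is the Notepad++ one quoted earlier on this page; the second fingerprint and the timestamps are made up).

```python
import re

# Fingerprint quoted earlier on this page in the Notepad++ verification output.
FPR = "14BCE4362749B2B51F8C71226C429F1D8D84F46E"

# Constructed samples of `gpg --status-fd 1 --verify ...` output.
GOOD = """\
gpg: Signature made Wed 19 Jun 2019 05:47:38 PM MDT
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 6C429F1D8D84F46E Notepad++ <>
[GNUPG:] VALIDSIG 14BCE4362749B2B51F8C71226C429F1D8D84F46E 2019-06-19 1560988058 0 4 0 1 10 00 14BCE4362749B2B51F8C71226C429F1D8D84F46E
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 6C429F1D8D84F46E Notepad++ <>
"""

# A good signature, but from a different key that carries the same user ID text.
OTHER_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Notepad++ <>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2019-06-19 1560988058 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
"""

# Anchored at the start of the line, like the rx form above.
STATUS = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def normalize_fpr(text):
    """Accept '14BC E436 ...' or '0x14BC...' and return 40 upper-case hex digits."""
    fpr = re.sub(r"\s+", "", text).upper()
    if fpr.startswith("0X"):
        fpr = fpr[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("pin a full 40-digit fingerprint, not a key ID")
    return fpr


def verify_status(status_text, pinned_fpr):
    """Return (ok, reason) for one signature checked against one pinned key."""
    pinned = normalize_fpr(pinned_fpr)
    good, primaries = [], []
    for line in status_text.splitlines():
        m = STATUS.match(line)
        if not m:
            continue                      # human-readable gpg output is ignored
        keyword, args = m.group(1), (m.group(2) or "").split(" ")
        if keyword in FAILURES:
            return False, keyword
        if keyword == "GOODSIG":
            good.append(args[0])
        elif keyword == "VALIDSIG":
            # Argument 10 is the primary key fingerprint when gpg supplies it;
            # otherwise fall back to the signing key fingerprint (argument 1).
            primaries.append((args[9] if len(args) >= 10 else args[0]).upper())
    if len(good) != 1 or len(primaries) != 1:
        return False, "expected exactly one good signature"
    if primaries[0] != pinned:
        return False, "signed by unexpected key " + primaries[0]
    return True, "good signature from pinned key"


if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD), ("OTHER_KEY", OTHER_KEY)):
        print(name, verify_status(sample, FPR))
```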
Best thing would be to decrease the time asking between two pinentries in the GnuPGAgent.
To do so, decrease the value "default-cache-ttl" in your "~/.gnupg/gpg-agent.conf" to something like 10. This means, if you entered your password correctly, it will be only cached for 10 seconds.
But please keep in mind to restart your agent after you have made the change. The change has no direct effect on your setup.
You can also check the documentation for this feature: https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html
But this helps only in case you didn't want anyone to sign and encrypt stuff for you, after you left your computer unlocked. There is no easy way or built-in way to make a pinentry when you enter "gpg -k". In addition, that's not how the Web of Trust works; which is, until now, the broadly supported way to use OpenPGP encryption. (And one of the big points of criticism, because it shows a social graph).
The quick batch generation option does work in the current GPG v1.4.18 but only up to 8192 bit RSA keys with the stock version. No source code modifications are needed.
For more details about the commands, see https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html. Note this only generates the primary key, so you will want to edit it and create subkeys and set up a password as well.
Make a plain text file with the following:
Key-Type: RSA
Key-Length: 8192
Name-Real: First Last Name
Name-Email:
Expire-Date: 1y
Preferences: SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES TWOFISH CAST5 BZIP2 ZLIB ZIP Uncompressed
Then run gpg with
gpg --gen-key --batch --enable-large-rsa <filename you created above>
That generates a 8192-bit key in about a minute. Larger sizes don't work.
Both tools are closed source. Threema is also expensive. There are great open source alternatives out there:
Lastpass alternatives: https://www.privacytools.io/#pw
Threema alternatives: https://www.privacytools.io/#im
Thanks, that worked, but not well: it's still guessing what I want, and it guessed right. Here's the session result:
$ gpg /home/<myname>/VeraCrypt_PGP_public_key.asc
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub rsa4096 2014-06-27 [SCE]
993B7D7E8E413809828F0F29EB559C7C54DDD393
uid VeraCrypt Team <>
That is the fingerprint from: https://www.veracrypt.fr/en/Home.html
You can skip all the cruft and just do GPG on the command line on Windows if you want. Look for the "simple installer" for Windows here:
You could try Mailvelope with or without GnuPG which, for better or worse, runs in the browser.
Well, the idea behind keybase.io is:
You publish evidence of your key ownership on websites and social media accounts using a special "proof" that's machine readable.
Others can then use the keybase tools to automate the process of verifying that the key mentioned on your website, Twitter, GitHub, etc. all match the proof you published on those sites.
Other people can also "track" you, which builds a historical record testifying that at the time they started tracking you, your proofs online were valid.
The net result is that people who have been tracked by a large number of users for a long time have a substantial history of their online identity being tied to that key. It also provides a way to identify when an impersonation attack started (roughly) because you can see when through history their proofs were valid (i.e. before someone started impersonating them).
They have a page that explains it in more detail if you're interested. https://keybase.io/docs/tracking
My key is available on Keybase. And by the way, when you post your key, you should make sure that the formatting doesn’t mess it up (in the case of Reddit, put it in a code block).
It's awesome to see someone else using clearsigning for comments finally :) https://keybase.io/scuba323
Weird. I tried the exact same test and it worked fine for me. I just tested it with a pdf document and it worked without problem.
There must be some option that we have set differently.
Do you have GPA installed from the Gpg4win package?
You should be able to decrypt the file and save it using GPA.
Make sure you select GPA during the installation. It's not selected by default.
Maybe it's that particular keyserver having a problem? I get this error when I tried to send my own key:
baltakatei@mycomputer:~$ gpg --keyserver pgp.mit.edu --send-keys a0a295abdc3469c9
gpg: sending key 0xA0A295ABDC3469C9 to hkp://pgp.mit.edu
gpg: keyserver send failed: No data
gpg: keyserver send failed: No data
But this command completed with no error:
$ gpg --keyserver hkps://hkps.pool.sks-keyservers.net --send-keys a0a295abdc3469c9
I have had this following line in my gpg.conf file and it seems to make sure I can send to a keyserver without specifying it with the --keyserver option:
keyserver hkps://pool.sks-keyservers.net
This is part of a gpg.conf file that I copied from https://riseup.net/en/security/message-security/openpgp/best-practices#putting-it-all-together
https://www.reddit.com/r/ProtonVPN/comments/oju5qs/trouble_with_gpg_verify_proton_deb_package/
Maybe you can help me with this question. Thanks! I think I need another key from protonvpn.
I guess it works like this.
gpg --import [public_key.asc]
gpg --verify [detached_signed_key.asc] [document.whatever]
Then I get the output I got with the GnuPG package. THANKS!
I found GPG4usb a bit simpler and easier to use than gpg4win. Also check out OpenKeychain: Easy PGP for android.
You can also use OpenKeychain which allows you to write to and encrypt the clipboard and then auto open the contents in an email. It works with either K-9 or the native android email client.
I would suggest using a different private key for the device as phones can be compromised, or lost.