
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

1 votes
1 answers
50 views
why won't pass allow entries to be added or edited?
I have been using pass (cli pw manager) for a couple of years now, and I just started using yubikeys. I have (2) YKs which I configured as duplicates of each other, transferring the same gpg subkeys (S, E, and A) to each one. I added the YK gpg-key id to my ~/.password-store/.gpg-id file, and re-initialized the store to re-encrypt the entries using the new key. I can now use pass with either of my YKs to open a password-store entry using pass, however, when I try either to edit an existing entry or to add a new one, I am met with:
$pass add test
Enter password for test: 
Retype password for test: 
gpg: B7C0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1BB7: skipped: No public key
gpg: [stdin]: encryption failed: No public key
Password encryption aborted.
A check on the key returns:
$gpg -K YUBI
sec#  rsa4096/289xxxxxxxxxx8B5 2024-11-01 [SC] [expires: 2034-10-30]
      Key fingerprint = 8C6B xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx 58B5
      Keygrip = E7608xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx37AFD
uid                 [ultimate] Fname Lname (YUBIKEY) 
ssb>  rsa4096/130xxxxxxxxxxA7D 2024-11-01 [S] [expires: 2034-10-30]
      Keygrip = 18DD9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1599B
ssb>  rsa4096/A39xxxxxxxxxxEBD 2024-11-01 [E] [expires: 2034-10-30]
      Keygrip = 5BD06xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx8B9FD
ssb>  rsa4096/779xxxxxxxxxxBAA 2024-11-01 [A] [expires: 2034-10-30]
      Keygrip = 0A10BxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxAFA2F
and
gpg -k YUBI
pub   rsa4096/289xxxxxxxxxx8B5 2024-11-01 [SC] [expires: 2034-10-30]
      Key fingerprint = 8C6B xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx 58B5
      Keygrip = E7608xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx37AFD
uid                 [ultimate] Fname Lname (YUBIKEY) 
ssb>  rsa4096/130xxxxxxxxxxA7D 2024-11-01 [S] [expires: 2034-10-30]
      Keygrip = 18DD9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1599B
ssb>  rsa4096/A39xxxxxxxxxxEBD 2024-11-01 [E] [expires: 2034-10-30]
      Keygrip = 5BD06xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx8B9FD
ssb>  rsa4096/779xxxxxxxxxxBAA 2024-11-01 [A] [expires: 2034-10-30]
      Keygrip = 0A10BxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxAFA2F
Trying to re-import the **pub** made no changes, as expected. Encrypting a file like `$ gpg -r YUBIKEY -e file` and then decrypting it with `$ gpg -d file.gpg` works as expected: I am prompted for the passphrase and the file contents are listed afterward. Now I am confused and unsure what the issue is. If anyone has any suggestions or advice I would sure appreciate it. Thanks.
naphelge (43 rep)
Nov 1, 2024, 11:40 PM • Last activity: Nov 2, 2024, 03:33 PM
0 votes
1 answers
81 views
Why am I seeing output on `gpg --export-secret-key` when my secrets are on my smartcard?
I have a Yubikey with my GPG private keys on it, and public keys in my gpg keyring. I made sure that private keys are not present on my system by running `gpg --export-secret-key -a`, which returned nothing, but `gpg --export -a` printed my public key. Next, after setting up my ` ` for signing, I noticed that I still get a private key printed on `--export-secret-key` after unlocking my card and using it to sign something. This baffled me because I wasn't expecting anything to be printed on `--export-secret-key`, so I am curious what this key is. To be sure I have also tried deleting this private key with `--delete-secret-keys`, but using the smartcard again populates the private key for this ` `.
Weezy (679 rep)
Oct 17, 2024, 04:49 PM • Last activity: Oct 18, 2024, 06:45 AM
0 votes
1 answers
151 views
GPG: find secret-keyfile that matches my public-key
When I create a keypair with gpg, it stores the secret key inside ~/.gnupg/private-keys-v1.d. It stores the public key inside a keyring file; I can name it or it uses the default location. If I have a look (*--list-public-keys* and *--list-secret-keys*) at my public and secret keys I can see what pair matches. The 40-character string/hash in the output is the same for both. The file of the secret key is different to this string. It is also 40 chars long, but different. How do I find out what secret-key file matches my public key? Using gpg 2.2.40 on Debian 12.
chris01 (869 rep)
Apr 9, 2024, 01:57 PM • Last activity: Apr 9, 2024, 06:53 PM
276 votes
4 answers
485081 views
How to export a GPG private key and public key to a file
I have generated keys using GPG, by executing the following command gpg --gen-key Now I need to export the key pair to a file; i.e., private and public keys to `private.pgp` and `public.pgp`, respectively.  How do I do it?
rocky (2863 rep)
Nov 15, 2018, 01:36 PM • Last activity: Feb 15, 2024, 11:39 PM
0 votes
2 answers
1720 views
Bash script for sending passphrase to unlock OpenPGP secret key
Ubuntu 22.04.1 LTS
When I do a `git push REMOTE` after a reboot, after a few seconds it comes up with a dialog box:
+---------------------------------------------------------------+
| Please enter the passphrase to unlock the OpenPGP secret key: |
| "user"                                                        |
| 3072-bit RSA key, ID FF3B0094D97228,                          |
| created 2023-09-22 (main key ID 9BD967C9E4EC49).              |
|                                                               |
|                                                               |
| Passphrase: _________________________________________________ |
|                                                               |
|                                                   |
+---------------------------------------------------------------+
How can I automate entering this passphrase via a script so I do not have to do it manually? I tried this which does not work:
git push REMOTE 
sleep 10  # Waits 10 seconds.
KEY
Thanks!
Strider (1 rep)
Nov 28, 2023, 10:53 AM • Last activity: Dec 30, 2023, 05:00 PM
0 votes
1 answers
410 views
apt-get update prevented by signature failure
I am trying to `apt update` on my WSL (`sudo apt-get update`) but getting this error.
Err:6 https://linux.qmk.fm  focal InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B748CC185DF5DA1
I tried out the command below as this post suggests, and tried different URLs for `--keyserver`: `gpg --recv-keys --keyserver hkp://pgp.mit.edu 8B748CC185DF5DA1`. I also looked up the key on https://keys.openpgp.org/search?q=8B748CC185DF5DA1 but no luck there. Is this something you can help me with please? Should I raise this as a qmk_firmware issue?
Sanjid (3 rep)
Dec 18, 2023, 02:44 AM • Last activity: Dec 18, 2023, 12:01 PM
0 votes
0 answers
2992 views
Export GPG Private Key WITHOUT knowning the passphrase
So I spent many hours on this now and I hope someone can give me any useful input. I want to export an encrypted secret key from GPG (which lies in `~/.gnupg/private-keys-v1.d`) but I do not have the passphrase. So the normal `gpg --armor --export-secret-keys` does not work for me. My goal is to get that encrypted private key into the armored OpenPGP format (while still being encrypted). Just a change of format without any decryption happening. So I dove into the RFC 4880 standard to understand how the packet structure works but that doesn't lead me anywhere. I hope this is understandable. Is it even possible to do this manually or is the key decrypted and re-encrypted a different way during gpg's export function?
xyzabc123 (1 rep)
Apr 5, 2022, 08:42 PM
36 votes
2 answers
25829 views
GPG Hangs When Private Keys are Accessed
I like to sign my git commits with my PGP key, so I was quite alarmed when I went to `git commit -S` but instead of prompting for my PGP key passphrase, git just started hanging. I haven't made a change to my GPG setup in several months and have made many commits since then with no problem. Additionally, when I attempt to view my private keys with `gpg -K`, gpg hangs. However, when I run `gpg -k` to view my public keys, it returns the list like normal. Hopefully someone will have some idea of what is causing this problem and how to fix it.
John Leuenhagen (1197 rep)
Jul 28, 2017, 02:50 AM • Last activity: Mar 10, 2022, 09:52 AM
-1 votes
2 answers
7275 views
gpg: no valid OpenPGP data found. in kali linux add-apt-repository
When I try to add any repository I have this error:
root@Hacknonimous:~# sudo add-apt-repository ppa:agornostal/ulauncher  
 Application launcher for Linux
 More info: https://launchpad.net/~agornostal/+archive/ubuntu/ulauncher 
Press [ENTER] to continue or ctrl-c to cancel adding it

gpg: keybox '/tmp/tmpb55cnwbo/pubring.gpg' created  
gpg: /tmp/tmpb55cnwbo/trustdb.gpg: trustdb created  
gpg: key FAF1020699503176: public key "Launchpad PPA for Aleksandr Gornostal" imported  
gpg: Total number processed: 1  
gpg:               imported: 1  
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).  
**gpg: no valid OpenPGP data found**.
root@Hacknonimous:~# apt update  
Hit:1 http://packages.microsoft.com/repos/vscode  stable InRelease  
Ign:2 http://ppa.launchpad.net/agornostal/ulauncher/ubuntu  hirsute InRelease                                                                 
Hit:4 http://ftp.debian.org/debian  stable InRelease                                                          
Hit:3 http://kali.cs.nctu.edu.tw/kali  kali-rolling InRelease               
Err:6 http://ppa.launchpad.net/agornostal/ulauncher/ubuntu  hirsute Release  
  404  Not Found [IP: 91.189.95.85 80]  
Hit:5 http://kali.cs.nctu.edu.tw/kali  kali-last-snapshot InRelease    
Hit:7 http://kali.cs.nctu.edu.tw/kali  kali-experimental InRelease  
Reading package lists... Done  
**E**: The repository 'http://ppa.launchpad.net/agornostal/ulauncher/ubuntu  hirsute Release' does not have a Release file.  
**N**: Updating from such a repository can't be done securely, and is therefore disabled by default.  
**N**: See apt-secure(8) manpage for repository creation and user configuration details.  
**W**: Target Packages (non-free/binary-amd64/Packages) is configured multiple times in /etc/apt/sources.list:1 and /etc/apt/sources.list:3  
**W**: Target Packages (non-free/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:1 and /etc/apt/sources.list:3  
**W**: Target Translations (non-free/i18n/Translation-en_US) is configured multiple times in /etc/apt/sources.list:1 and /etc/apt/sources.list:3  
**W**: Target Translations (non-free/i18n/Translation-en) is configured multiple times in /etc/apt/sources.list:1 and /etc/apt/sources.list:3  
**W**: Target DEP-11 (non-free/dep11/Components-amd64.yml) is configured multiple times in /etc/apt/sources.list:1 and /etc/apt/sources.list:3  
**W**: Target DEP-11 (non-free/dep11/Components-all.yml) is configured multiple times in /etc/apt/sources.list:1 and /etc/apt/sources.list:3  
**W**: Target DEP-11-icons-small (non-free/dep11/icons-48x48.tar) is configured multiple times in /etc/apt/sources.list:1 and /etc/apt/sources.list:3  
**W**: Target DEP-11-icons (non-free/dep11/icons-64x64.tar) is configured multiple times in /etc/apt/sources.list:1 and /etc/apt/sources.list:3  
**W**: Target Packages (non-free/binary-amd64/Packages) is configured multiple times in /etc/apt/sources.list:1 and /etc/apt/sources.list:3  
**W**: Target Packages (non-free/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:1 and /etc/apt/sources.list:3  
**W**: Target Translations (non-free/i18n/Translation-en_US) is configured multiple times in /etc/apt/sources.list:1 and /etc/apt/sources.list:3  
**W**: Target Translations (non-free/i18n/Translation-en) is configured multiple times in /etc/apt/sources.list:1 and /etc/apt/sources.list:3  
**W**: Target DEP-11 (non-free/dep11/Components-amd64.yml) is configured multiple times in /etc/apt/sources.list:1 and /etc/apt/sources.list:3  
**W**: Target DEP-11 (non-free/dep11/Components-all.yml) is configured multiple times in /etc/apt/sources.list:1 and /etc/apt/sources.list:3  
**W**: Target DEP-11-icons-small (non-free/dep11/icons-48x48.tar) is configured multiple times in /etc/apt/sources.list:1 and /etc/apt/sources.list:3  
**W**: Target DEP-11-icons (non-free/dep11/icons-64x64.tar) is configured multiple times in /etc/apt/sources.list:1 and /etc/apt/sources.list:3
Mohammed Nihap (19 rep)
Jan 3, 2021, 06:38 AM • Last activity: Nov 26, 2021, 11:06 AM
-1 votes
1 answers
446 views
Error installing provider "aws": openpgp: signature made by unknown entity
My provider code in `init.tf` is as below:
provider "aws" {
  shared_credentials_file = "~/.aws/credentials"
  region                  = "us-east-1"
}
Terraform version I am using is: `0.11.14`
I am getting the error below while doing `terraform init`:
Error installing provider "aws": openpgp: signature made by unknown entity.
Terraform analyses the configuration and state and automatically downloads plugins for the providers used. However, when attempting to download this plugin an unexpected error occured. This may be caused if for some reason Terraform is unable to reach the plugin repository. The repository may be unreachable if access is blocked by a firewall. If automatic installation is not possible or desirable in your environment, you may alternatively manually install plugins by downloading a suitable distribution package and placing the plugin's executable file in the following directory: terraform.d/plugins/windows_amd64
Santosh Garole (386 rep)
Oct 8, 2021, 08:09 AM • Last activity: Oct 10, 2021, 01:46 AM
3 votes
1 answers
6701 views
How to know with which key a repository is signed by (and vice versa)?
I want to use the `signed-by` option on all the repositories of my /etc/apt/sources.list.d/debian.sources, pointing to the keys in /usr/share/keyrings instead of /etc/apt/trusted.gpg.d before disabling this directory, as I have understood that this old way of doing it is insecure. I don't know if this only applies to third-party repositories but better be safe than sorry. However, when adding the signed-by option, I found myself unable to know which key to link to which repo, seeing that the keys' names don't match the repos:
> debian-archive-bullseye-automatic.gpg
> debian-archive-bullseye-security-automatic.gpg
> debian-archive-bullseye-stable.gpg
> debian-archive-buster-automatic.gpg
> debian-archive-buster-security-automatic.gpg
> debian-archive-buster-stable.gpg
> debian-archive-keyring.gpg
> debian-archive-removed-keys.gpg
> debian-archive-stretch-automatic.gpg
> debian-archive-stretch-security-automatic.gpg
> debian-archive-stretch-stable.gpg
My /etc/apt/sources.list.d/debian.sources looks like this:
> Types: deb
> URIs: https://deb.debian.org/debian/
> Suites: buster
> Components: main
> Signed-By: /usr/share/keyrings/debian-archive-buster-stable.gpg
>
> Types: deb-src
> URIs: https://deb.debian.org/debian/
> Suites: buster
> Components: main
> Signed-By: /usr/share/keyrings/debian-archive-buster-stable.gpg
>
> Types: deb
> URIs: https://security.debian.org/debian-security
> Suites: buster/updates
> Components: main
> Signed-By: /usr/share/keyrings/debian-archive-buster-security-automatic.gpg
>
> Types: deb-src
> URIs: https://security.debian.org/debian-security
> Suites: buster/updates
> Components: main
> Signed-By: /usr/share/keyrings/debian-archive-buster-security-automatic.gpg
>
> Types: deb
> URIs: https://deb.debian.org/debian/
> Suites: buster-updates
> Components: main
> Signed-By: /usr/share/keyrings/debian-archive-buster-automatic.gpg
>
> Types: deb-src
> URIs: https://deb.debian.org/debian/
> Suites: buster-updates
> Components: main
> Signed-By: /usr/share/keyrings/debian-archive-buster-automatic.gpg
>
> Types: deb
> URIs: https://deb.debian.org/debian
> Suites: buster-backports
> Components: main
> Signed-By: /usr/share/keyrings/debian-archive-buster-automatic.gpg
This doesn't throw me any error when doing apt update and I can install software, but I would like to know a method to know for sure which key I should append to the signed-by option for each repo, without having to do guesswork and be left with doubts. I know of apt-key list but the information is pretty much the same; how is "Debian Security Archive Automatic Signing Key" supposed to tell us that it signs buster-updates AND buster-backports? Is it normal that one key can sign multiple suites? I would have expected one key per suite. Also, the opposite: how do I know what a key signs? How do I know I don't have useless keys in /usr/share/keyrings or that they are signing malicious repositories?
Some_user (63 rep)
Jun 7, 2021, 08:38 PM • Last activity: Jun 11, 2021, 01:07 PM
2 votes
4 answers
11936 views
GPG error when I want to apt update
I just installed Kali NetHunter and I'm trying to do a simple apt update but it looks like a public key is missing
 
root@kali:~# apt-get update
 0% [Waiting for headers] [Connected to packages.microsoft.com (13.8Get:2 https://packages.microsoft.com/repos/microsoft-debian-stretch-prod  stretch InRelease [3232 B]
 Hit:1 http://kali.download/kali  kali-rolling InRelease
 Err:2 https://packages.microsoft.com/repos/microsoft-debian-stretch-prod  stretch InRelease
   The following signatures couldn't be verified because the public key is not available: NO_PUBKEY EB3E94ADBE1229CF
 Reading package lists... Done
 W: GPG error: https://packages.microsoft.com/repos/microsoft-debian-stretch-prod  stretch InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY EB3E94ADBE1229CF
 E: The repository 'https://packages.microsoft.com/repos/microsoft-debian-stretch-prod  stretch InRelease' is not signed.
 N: Updating from such a repository can't be done securely, and is therefore disabled by default.
 N: See apt-secure(8) manpage for repository creation and user configuration details.
I tried
curl -s https://packages.microsoft.com/repos/microsoft-debian-stretch-prod/dists/stretch/Release.gpg  | apt-key add -
and
wget --no-check-certificate https://packages.microsoft.com/repos/microsoft-debian-stretch-prod/dists/stretch/Release.gpg  | apt-key add -
And the result was gpg: no valid OpenPGP data found for both
Yox (131 rep)
May 31, 2019, 09:43 PM • Last activity: Mar 2, 2021, 02:19 PM
2 votes
1 answers
825 views
PGP key export is very long - how to shorten?
I recently needed to publish my PGP key. However the export is veeery long:
$ gpg2 --list-secret-keys --keyid-format LONG
/home/user/.gnupg/pubring.kbx
-----------------------------
sec   rsa4096/51DAE9B7C1AE9161 2015-06-17 [SCA] [expires: 2023-04-21]
      97312D5EB9D7AE7D0BD4307351DAE9B7C1AE9161
uid                 [ultimate] NicoHood 
uid                 [ultimate] N 
uid                 [ultimate] NNNNN 
uid                 [ultimate] NNNNN 
uid                 [ultimate] _____ 
uid                 [ultimate] NicoHood 
uid                 [ultimate] NicoHood 
uid                 [ultimate] _____ 
uid                 [ultimate] _____ 
uid                 [ultimate] NNNNN 
uid                 [ultimate] NicoHood 
uid                 [ultimate] NicoHood 
uid                 [ultimate] NicoHood 
ssb   rsa4096/E441069FE948D07A 2015-06-17 [E] [expires: 2023-04-21]

$ gpg2 --armor --export 97312D5EB9D7AE7D0BD4307351DAE9B7C1AE9161 | wc -l
583
* Is there an option to only output the key with one identity?
* Is it possible to shorten the output to less than those ~500 lines? (maybe with or without the idea above)
* How can I fix those ugly names?
NicoHood (131 rep)
Oct 28, 2020, 07:38 PM • Last activity: Oct 28, 2020, 10:28 PM
2 votes
1 answers
3733 views
Correct way to verify PGP signature in BASH script (pinning exact long fingerprint)
I have:
1. A file
2. A detached PGP signature of that file in ASCII armor format and
3. A 40-character (long-format) fingerprint identifying the one key that must have a valid signature
What is the correct way to write a BASH script to verify that the given signature is valid (only for the given fingerprint) for the given file using the gpg command on *nix?
> Note: The solution ideally would not just parse STDOUT from gpg, so that the BASH script in the solution provided wouldn't break if the words or format of the output are slightly changed in the future.
>
> And, especially important, detached signatures can be signed by multiple keys. So this solution should fail if, for example, an attacker took the file and its detached signature and edited the file while adding their own signature to the detached signature. Note that, with this attack, there would be a BAD signature present from the key whose fingerprint we're pinning in our script and a GOOD signature from the attacker's key, which is irrelevant. In this case, the solution must fail.
For example, consider the following:
1. https://files.pythonhosted.org/packages/cb/85/8a1588a04172e0853352ecfe214264c65a62ab35374d9ad9c569cf94c2a3/python_gnupg-0.4.6-py2.py3-none-any.whl
2. https://files.pythonhosted.org/packages/cb/85/8a1588a04172e0853352ecfe214264c65a62ab35374d9ad9c569cf94c2a3/python_gnupg-0.4.6-py2.py3-none-any.whl.asc
3. CA749061914EAC138E66EADB9147B477339A9B86
Currently I have the following in my BASH script:
#!/bin/bash

ONLY_TRUST_THIS_FINGERPRINT='CA749061914EAC138E66EADB9147B477339A9B86'

tmpDir="$(mktemp -d)" || exit 1
pushd "${tmpDir}"

wget https://files.pythonhosted.org/packages/cb/85/8a1588a04172e0853352ecfe214264c65a62ab35374d9ad9c569cf94c2a3/python_gnupg-0.4.6-py2.py3-none-any.whl 
wget https://files.pythonhosted.org/packages/cb/85/8a1588a04172e0853352ecfe214264c65a62ab35374d9ad9c569cf94c2a3/python_gnupg-0.4.6-py2.py3-none-any.whl.asc 
wget https://keys.openpgp.org/vks/v1/by-fingerprint/CA749061914EAC138E66EADB9147B477339A9B86 

mkdir gnupg
gpg --homedir "${tmpDir}/gnupg" --import CA749061914EAC138E66EADB9147B477339A9B86
What command(s) should follow in the script above to safely confirm that the file has a valid signature from the private key matching our pinned fingerprint? EDIT: Here's an example output of a simple gpg --verify ... that has a GOOD signature by an attacker and a BAD signature from the actual developer; it should fail.
user@disp2952:/tmp/tmp.nUmxfwbwfK$ gpg --homedir gnupg/ --verify python_gnupg-0.4.6-py2.py3-none-any.whl.asc
gpg: WARNING: unsafe permissions on homedir '/tmp/tmp.nUmxfwbwfK/gnupg'
gpg: assuming signed data in 'python_gnupg-0.4.6-py2.py3-none-any.whl'
gpg: Signature made Sat 29 Aug 2020 10:04:03 PM +0545
gpg:                using RSA key 2DA3BAD0DB41087CA7E5E4C1F93C17B957F73F5A
gpg: Good signature from "Mallory " [unknown]
gpg: Signature made Fri 17 Apr 2020 07:54:23 PM +0545
gpg:                using RSA key 9147B477339A9B86
gpg: BAD signature from "Vinay Sajip (CODE SIGNING KEY) " [unknown]
user@disp2952:/tmp/tmp.nUmxfwbwfK$ echo $?
1
user@disp2952:/tmp/tmp.nUmxfwbwfK$
Michael Altfield (382 rep)
Aug 29, 2020, 04:03 PM • Last activity: Aug 29, 2020, 05:53 PM
5 votes
2 answers
5436 views
How to correctly change the passphrase of GPG's secret key?
I'm trying to change the passphrase of my GPG secret key. I actually changed it using seahorse (also tried gpg --edit-keys and passwd), but when I tried to export my private key it asks me for two passphrases now (both the new and the old one) and uses the old one for the secret subkey. Now I have to remember two complicated passwords! What is the correct way to change the passphrase of GPG's secret key?
FooBar (183 rep)
Mar 24, 2019, 11:14 AM • Last activity: Feb 5, 2020, 05:42 PM
1 votes
0 answers
632 views
Mutt asks "Enter keyID", does not accept any IDs
I am trying to use Mutt with GPG to encrypt emails. Whenever I try to encrypt, I am asked to "Enter keyID for user@domain". No matter what I enter, it asks me to enter the value. I definitely have the key in my keystore. I have entered the full key ID, the 32-bit ID, prefixed it with 0x, added the email, etc, but nothing works. I can also confirm that I definitely have relevant keys in my local store. I do not see an error message. My ~/.muttrc at this point just has the standard gpg.rc that comes with Ubuntu. Am I doing something wrong? Or is this a bug in Mutt? Thanks
Farhan Yusufzai (211 rep)
Mar 17, 2019, 08:50 PM • Last activity: Mar 17, 2019, 10:20 PM
0 votes
2 answers
1195 views
Is it possible to reuse a GnuPG key in another installation?
I have a GPG key which I use to sign and submit packages to Launchpad. Is it possible to reuse that key in another installation, or do I always have to create a new key for the new installation of a GNU/Linux operating system?
Archisman Panigrahi (471 rep)
Feb 8, 2019, 09:05 AM • Last activity: Feb 8, 2019, 09:13 AM
3 votes
1 answers
834 views
Is there a standard XDG location for user secrets?
XDG defines `~/.config`, `~/.cache` and other shell-agnostic locations for user configuration files. Some applications define their own locations for user secrets, like `~/.ssh` and `~/.gpg`. Is there an XDG-defined location for user secrets? For example, `~/.secret`?
lofidevops (3349 rep)
Jul 22, 2018, 05:22 PM • Last activity: Jul 22, 2018, 09:40 PM
2 votes
1 answers
226 views
GPG seems to alter imported keys
So I've never used gpg (2.0.14) before this week and I'm no cryptography pro, but the results I've been getting with gpg seem odd. When I import keys (e.g. gpg --import public.key) that were generated by OpenPGP, gpg seems to process them successfully and reports no errors. However, when I then export those keys and compare with the originals, they are ***not*** the same. I assume this is why gpg fails to decrypt messages created [elsewhere] with the original public key. Steps to reproduce: use a tool like https://sela.io/pgp/ to generate a key set, import into gpg, export from gpg, compare. Incompatibility? Missed a step? Software gods continuing to plot against me with a series of minor nuisances?
EricZ (21 rep)
May 31, 2018, 09:15 PM • Last activity: Jun 2, 2018, 11:14 AM
1 votes
1 answers
2550 views
How to use NFC-Only smartcard with GnuPG?
I'm trying to use an Android smartcard emulator (to see if a smartcard can fit into my workflow) with GnuPG on Debian Sid. I have libNFC configured with a pn532 breakout that can see the applet on the phone. I have spent a literal hour googling this and turned up no relevant results other than "Android supports NFC OpenPGP smartcards!" and "Yubikey NEO supports NFC!"
BaconWaifu (111 rep)
Jul 7, 2017, 11:36 PM • Last activity: Jul 8, 2017, 07:46 AM