software recommendation – Starting with gpg under macOS

I’m a Linux/Windows user but in the near future, I might have to support users running macOS on questions related to file encryption/decryption using GPG. I have to provide support without having my own macOS to try… I don’t need to know the details, but I would appreciate it if someone could throw a few program names to help me get started on my reading. Of course, Google returned some options, but I can’t tell based on a web page if that is “the” most common way for macOS users.

My understanding so far is that within macOS’ terminal, I can run the gpg command which is part of OpenPGP. Is this standard on any “recent” Mac or does a specific software package have to be installed?

I came across the GPG Suite which is commercial with a 30-day trial. It seems that this is gpg with a GUI interface, GPG keychain, etc. How is this option? Is it common? It seems equivalent in functionality to the Gpg4win for Windows.

So far, these are the two options for users that I have found. Have I missed anything? And would these be the recommended options for GPG under macOS or am I completely off? Thank you!

key management – How can I store and manage my GPG key pair securely?

I’ve taken measures and given thought to how to securely store and manage my key pair. In the process, a few questions arose which I’m not yet able to answer. My key pair will be used to encrypt passwords and documents from banks and insurance companies, invoices, photos and the like. None of this data is publicly available. It is stored in a cloud with password-restricted access. I’m evaluating right now which one fits best.

This is how I set up my key pair:

# Generated a key pair in the past, following general tutorials
gpg> list
sec rsa2048/9AB628FC04C23871
    created: 2019-02-29 expires: 2022-02-29 usage: SC
    trust: ultimate    validity: ultimate
ssb rsa2048/17832C40CF826BA9
    created: 2019-02-29 expires: 2022-02-29 usage: E
( ultimate ) (1). Thomas Kelly <Tkelly@ua-corp.com>

> gpg --list-keys --with-fingerprint Tkelly@ua-corp.com
pub    rsa2048 2019-02-29 (SC) (expires: 2022-02-29)
       B69A 8371 FC28 402C C204 82CF 7138 A96B B8F4 C87A
uid         ( ultimate ) Thomas Kelly <Tkelly@ua-corp.com>
sub    rsa2048 2019-02-29 (E) (expires: 2022-02-29)

> fdisk /dev/sdb # n, 2048, +2G, w
> cryptsetup open --type plain -d /dev/urandom /dev/sdb1 data
> dd if=/dev/zero of=/dev/mapper/data status=progress bs=1M
> cryptsetup close data
> cryptsetup luksFormat /dev/sdb1 # pw ...
> sudo cryptsetup open /dev/sdb1 data
> mkfs.ext4 /dev/mapper/data

Then I went on and exported my keys to this device I’ve created. After I got used to the fact that private keys are always a little bit different from one another and that you can’t export your sub-public key, the following questions remained:

  1. Are both of the following commands returning the ssb key (17832C40CF826BA9)?
gpg --export-secret-keys 17832C40CF826BA9
gpg --export-secret-subkeys 9AB628FC04C23871
  2. Is it fine to remove the key 9AB628FC04C23871 from my system after I have backed it up on the drive created above?

  3. Should I save a revocation certificate with it?

  4. This key pair once expired and I changed the expiry date. I can’t remember correctly, but I’ve found two additional certificates lying around that seem to be these old expired certificates. I’ve read that the process of changing the expiry value creates new certificates. Can you confirm this?

  5. I want to have two certificate stores like this in different locations. I’d renew the key on a yearly basis. Should I use paperkey or the same digital method above?

gpg – pinentry-mac: disable Keychain storage

I’m using pinentry-mac with openfortivpn, to prompt for passwords and tokens. I installed both using Homebrew.

However, there’s a button in the pinentry dialog to save to the keychain, and it’s checked by default. I’d like to disable this, or at least make it unchecked by default.

Based on this and this and the source, I’ve tried both of these:

defaults write org.gpgtools.common DisableKeychain -bool yes
defaults write org.gpgtools.common UseKeychain false

But neither had any effect. Anything else I can do?

digital signature – gnu gcc source archives signed with expired GPG key?

The pedantic answer to your question is: when gcc-9.3.0 was released, the key was not yet expired:

$ gpg --verify gcc-9.3.0.tar.gz.sig gcc-9.3.0.tar.gz
gpg: Signature made Thu 12 Mar 2020 07:32:47 AM EDT
gpg:                using DSA key A328C3A2C3C45C06 

The signature was made in March 2020, but the key expired in September 2020:

gpg --list-keys A328C3A2C3C45C06
pub   dsa1024/A328C3A2C3C45C06 2004-04-21 [SC] [expired: 2020-09-10]
      33C235A34C46AA3FFB293709A328C3A2C3C45C06

So, the fact that it’s expired now is not a cause for concern.

What is the cause for concern is that it’s a 1024/DSA key, which is probably not considered sufficiently strong these days. However, I can also see that the author has a newer key created in May, 2020:

pub   rsa4096/6C35B99309B5FA62 2020-05-28 [SC]
      D3A93CAD751C2AF4F8C7AD516C35B99309B5FA62

So, perhaps the next release of gcc will be signed with this key instead.
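
The comparison made in the answer above (signature time against key expiry), as an added example that is not part of the original answer. It reads the machine-readable lines that `gpg --status-fd` and `gpg --with-colons` emit; the sample lines are constructed from the dates quoted above, and the times of day, user ID and algorithm fields are assumptions.

```python
from datetime import datetime, timezone

def _ts(value):
    # Times are epoch seconds; an ISO 8601 form (YYYYMMDDTHHMMSS) is also accepted.
    if "T" in value:
        return datetime.strptime(value, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(value), tz=timezone.utc)

def signature_time(status_lines):
    """Return (fingerprint, signature time) from the VALIDSIG status line."""
    for line in status_lines:
        parts = line.split()
        if len(parts) >= 5 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return parts[2], _ts(parts[4])
    raise ValueError("no VALIDSIG line: the signature did not verify")

def key_expiry(colon_lines, fingerprint):
    """Expiry of the key or subkey with this fingerprint (None = never expires)."""
    expiry = None
    for line in colon_lines:
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            expiry = _ts(f[6]) if f[6] else None      # field 7: expiration date
        elif f[0] == "fpr" and f[9] == fingerprint:   # field 10: fingerprint
            return expiry
    raise LookupError("key not present in the listing")

def classify(status_lines, colon_lines):
    fpr, signed_at = signature_time(status_lines)
    expires = key_expiry(colon_lines, fpr)
    if expires is None or signed_at < expires:
        return "signed before key expiry"
    return "signed after key expiry"

# Constructed sample built from the dates quoted in the answer; times of day,
# the user ID and the algorithm fields are assumptions.
FPR = "33C235A34C46AA3FFB293709A328C3A2C3C45C06"
SIGNED = int(datetime(2020, 3, 12, 11, 32, 47, tzinfo=timezone.utc).timestamp())
CREATED = int(datetime(2004, 4, 21, tzinfo=timezone.utc).timestamp())
EXPIRED = int(datetime(2020, 9, 10, tzinfo=timezone.utc).timestamp())
STATUS = [
    "[GNUPG:] EXPKEYSIG A328C3A2C3C45C06 Constructed Signer <signer@example.org>",
    f"[GNUPG:] VALIDSIG {FPR} 2020-03-12 {SIGNED} 0 4 0 17 2 00 {FPR}",
]
LISTING = [
    f"pub:e:1024:17:A328C3A2C3C45C06:{CREATED}:{EXPIRED}::-:::sc:",
    f"fpr:::::::::{FPR}:",
]

if __name__ == "__main__":
    print(classify(STATUS, LISTING))
```

The signature time is a value the signer wrote into the signature, so this check confirms what the signature claims; it cannot by itself rule out a backdated signature made with a compromised key.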

development – How to cryptographically verify the authenticity and integrity of Android Studio releases (with gpg?)

For a given Android Studio release published by Google, how can I cryptographically verify the authenticity and integrity of the .tar.gz file that I downloaded before I copy it onto a USB drive and attempt to install it on my laptop?

Today I wanted to download Android Studio, but the download page said nothing about how to cryptographically verify the integrity and authenticity of their release after download.

https://developer.android.com/studio#downloads

I expected to see a message on the download page telling me:

  1. The fingerprint of their PGP release signing key,
  2. A link to further documentation, and
  3. Links to (a) a manifest file (eg SHA256SUMS) and (b) a detached signature of that manifest file (eg SHA256SUMS.asc, SHA256SUMS.sig, SHA256SUMS.gpg, etc)

Unfortunately, the only information I found on the download page was how to verify the integrity of the tarball using a SHA-256 checksum found in a table on the same page. Obviously, this checks integrity but not authenticity. And it provides no security because it’s not out-of-band from the .tar.gz itself.

How can I perform cryptographic integrity and authenticity verification with Google’s Android Studio releases?
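
The manifest half of the workflow this question expects, as an added example that is not part of the original post: it checks a download against a `SHA256SUMS`-style manifest and shows why a checksum taken from the same channel as the file says nothing about authenticity. The detached-signature check on the manifest has to succeed first and is not reproduced here; the file names and contents are constructed.

```python
import hashlib, hmac, os, re, tempfile

LINE = re.compile(r"([0-9a-fA-F]{64}) [ *](.+)")

def parse_manifest(text):
    """Parse sha256sum-style lines: '<64 hex>  <name>' or '<64 hex> *<name>'."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE.fullmatch(line)
        if m is None:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries

def check_file(path, manifest_text):
    """True only if the file's basename is listed and its SHA-256 matches."""
    expected = parse_manifest(manifest_text).get(os.path.basename(path))
    if expected is None:
        return False  # an unlisted file must fail, not pass silently
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)

def demo():
    """Constructed files: results for (intact, altered, altered + same-channel manifest)."""
    name = "release-constructed.tar.gz"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        with open(path, "wb") as fh:
            fh.write(b"original release bytes")
        manifest = f"{hashlib.sha256(b'original release bytes').hexdigest()}  {name}\n"
        intact = check_file(path, manifest)
        with open(path, "wb") as fh:
            fh.write(b"altered release bytes")
        altered = check_file(path, manifest)
        # A checksum served from the same page as the download can change
        # along with it, so a match says nothing about who produced the file.
        same_channel = f"{hashlib.sha256(b'altered release bytes').hexdigest()} *{name}\n"
        return intact, altered, check_file(path, same_channel)

if __name__ == "__main__":
    print(demo())
```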

encryption – Copy private key from OpenKeyChain to tails GPG?

I have a private PGP key on OpenKeyChain that I’d like to move to tails.

There only seems to be one way to export from OpenKeyChain – choose to make the encrypted backup file? But I can’t get the process to work.

  • I made a backup from Android, “backup.sec.pgp” (Noting the passphrase of hyphenated numbers)
  • Transferred it to tails
  • Ran ‘gpg --decrypt backup.sec.pgp | gpg --import backup.sec.pgp’

It returns:

gpg: unknown armor header: Passphrase-Format: numeric9x4
gpg: unknown armor header: Passphrase-Begin: 96
gpg: AES256 encrypted data
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

Then I enter in the long hyphenated numerical passphrase and it spits out:

gpg: encrypted with 1 passphrase
gpg: decryption failed: Bad session key

Advice would be hugely appreciated

gnupg – pinentry-mac completely disables prompt for GPG passphrase

This is weird. I am using pass and pinentry-mac to unlock my passwords. My gpg-agent.conf uses pinentry-mac as its pinentry-program.

I’m not sure if I updated some dependency recently, but suddenly decrypting passwords is possible without being asked for the passphrase, which I find a serious problem. This is not a problem with pass: if I use gpg directly to decrypt my encrypted files in a terminal session, it’s the same.

If I disable pinentry-mac then it starts working and I’m asked to enter my passphrase every time. Any idea what the cause could be? I have tried restarting / killing gpg-agent and logging out of my user account (even restarting the machine) but the result is the same.

command line – How to get the gpg key for a repository?

When adding a repository through add-apt-repository, a new gpg key will be added.

e.g.:

sudo add-apt-repository ppa:some-ppa

You will be asked to press Enter to import the gpg key. I need to get the gpg key for ppa:some-ppa without executing add-apt-repository.

Is it possible to get the gpg key before adding the repository (before executing add-apt-repository) from the command line?

encryption – gpg stopped decrypting a symmetrically encrypted file

Just yesterday I decrypted this same file using a key that I have written down, but today every time I try the same key gpg returns:

gpg: decryption failed: Bad session key

I suspect that either I was typing something wrong every time I decrypted this file and didn’t notice or there’s something wrong with the characters that are being entered by my keyboard.

I used gpg -c <file_name>

Also, gpg says it is AES256.CFB encrypted data. I don’t remember seeing this CFB any time I decrypted something on this computer, although I might be mistaken, and I did not set this option when encrypting.

I am using Manjaro 20.2.1 and gpg 2.2.25 with libgcrypt 1.8.7

Can anyone help me?