oct-git focuses exclusively on ergonomic use with OpenPGP card-based signing keys
It is designed to be easy to set up, standalone (no long running processes), and entirely hands-off to use (no repeated PIN entry required, by default). It comes with desktop notifications for touch confirmation (if required)
I just released version 0.3.1 of https://crates.io/crates/rsop, a stateless #OpenPGP ("sop") card tool based on #rPGP.
rsop natively supports OpenPGP card (hardware cryptography) devices
rsop is featured in the "OpenPGP interoperability test suite" at https://tests.sequoia-pgp.org/ (under "rpgpie", which is rsop's high level OpenPGP library).
I spent a lot of time today trying to figure out #GNUPG / #GPG to encrypt and sign backups. I've used it occasionally for literally decades, but still struggle with it. I know if I used it more, I would get used to it and feel more comfortable, but I don't have the time or the need to use it more.
Is there another good open source program to symmetrically encrypt a file? But, for signing, you would still need to use key pairs, right?
This release adds the "oct admin signing-pin-validity" subcommand, to configure if a card requires User PIN presentation for each signature operation, or if User PIN presentation is valid for the full duration of a connection to the card.
Proton Mail automatically encrypts/decrypts messages between Proton Mail accounts via OpenPGP/PGP.
Proton Mail supports automatically encrypting/decrypting messages between Proton Mail accounts and external email accounts that support OpenPGP/PGP or GnuPG/GPG.
I moved to a Thinkpad w541 with coreboot so I needed to set up my email encryption on Thunderbird again.
It took me more time to reconfigure it again - as usual - so I decided to take notes this time and create a blog post about it. As this might be useful for somebody else … or me in the future :-)
This version comes with substantial updates to the openpgp-card-state dependency (which handles User PIN storage for OpenPGP card devices, see https://codeberg.org/openpgp-card/state).
It now supports selecting different PIN storage backends, including one to store the User PIN directly in the config file.
PIN verification error cases are now handled more defensively
Sie rufen von deinem e-Perso den Namen ab, du lädst deinen Public Key hoch, wählst eine der User-IDs des Keys aus (wenn du mehrere hast), und wenn der Name der UID mit dem Namen auf dem Perso übereinstimmt, bekommst du an die Mailadresse in der UID eine Signatur von 0xA4BF43D7 "Governikus OpenPGP Signaturservice (Neuer Personalausweis)".
I think it's telling that #GitHub, #GitLab, and even #Forgejo all don't have a workflow for "renew an #OpenPGP key", i.e. extend its validity before (or after) expiry. On all of them, you have to delete and re-add the key. It's as if nobody is following OpenPGP best practices and everyone is using keys without an expiry date.
This crate paves the way for convenient handling of #OpenPGP card User PINs, for users whose threat model allows persisting the PIN locally on the host computer.
If a User PIN is stored, applications can obtain it via this crate, and perform cryptographic operations without prompting the user for PIN entry.
Currently org.freedesktop.Secret is supported for storage.
What the hell happened when #GnuPG changed their disk format? Nothing works anymore without using a bunch of options (like --keyring).
Is this Debian's fault? GnuPG's? There's no date on the 2.1 release announcement, and the manpage claims it "silently migrates" keys, which is clearly not the case....
Recently released #GnuPG version (2.4.4) finally fixes #Emacs’ bug related to saving encrypted files (no more hanging on save, thus no more workarounds like falling back to previous GnuPG versions or sketchy settings leading to data loss).
Just migrated my #offline#gnupg and #ssh key setup to a new #smartcard. This only took about 8 hours whereas when I last did this in 2015, it took much longer. I guess this is a sign of process! But these things are still too painful. At least now, the software just works right out of #Debian.