Julien,
At the moment I'm testing my scripts; I've successfully configured GnuPG
(at least I think so).
I've added some small improvements in version 1.9 of 'signcontrol':
106c106
< # $use_or_add{'Oranization'} = 'YOUR_ORGANIZATION';
---
# $use_or_add{'Organization'} = 'YOUR_ORGANIZATION';
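Review bot: the new-side line of this hunk has lost its `>` marker (it reads as a bare `# $use_or_add{'Organization'} = 'YOUR_ORGANIZATION';`), so the diff as pasted will not apply with patch; re-send it with the marker intact. Note also that both sides are commented-out template lines, so the 'Oranization' -> 'Organization' fix changes no runtime behaviour; it is still worth taking, since a user who uncomments the line would otherwise carry the misspelled hash key into their configuration.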
150c150
< # set to match only hierarchies you will use it on
---
# set to match only hierarchies you will use it on.
Apart from that, I used: my $id_host = `cat ~/mailname`; in my configuration.
Also, I've been playing around with signcontrol-1.9, configuring it some more,
but was unsuccessful in getting it to work:
Most probably there was a need for me to add a variable "$pgphomedir" to point
to the correct directory with the secret key, else I would get:
gpg: skipped "nl.newsgroups": No secret key
This is what I've added:
my $pgp = "/usr/bin/gpg";
# From the directory where signcontrol is called we need to find the secret key
# if that key isn't situated in the homedirectory of the caller.
my $pgphomedir = ".gnupg"; # absolute path or directory relative to current one
However, this wasn't enough. My 'gpg' on Fedora 40, gnupg2-2.4.4-1.fc40.x86_64,
doesn't accept the "--pgp2" parameter: gpg: invalid option "--pgp2"
Furthermore, I'm getting: gpg: signing failed: Inappropriate ioctl for device
So, this is what I have now in my version of the code of 'signcontrol':
} elsif ($pgpstyle eq 'GPG') {
    if ($pgphomedir) {
        # we need a way to add some extra arguments
        @command = ($pgp, qw/--detach-sign --armor --textmode -u/, $keyid,
                    qw/--debug-level advanced/,
                    qw/--homedir/, $pgphomedir,
                    qw/--force-v3-sigs/);
    } else {
        @command = ($pgp, qw/--detach-sign --armor --textmode -u/, $keyid,
                    qw/--force-v3-sigs --pgp2/);
    }
} else {
When I run "./checkgroups -t nl | head" I get:
Newsgroups: nl.newsgroups
Subject: cmsg checkgroups
Control: checkgroups
nl.actueel Discussie over nieuws met grote maatschappelijke impact.
(etc.)
This is fine for now, but when I run "./checkgroups -t nl | head |./signcontrol"
I get:
gpg: enabled debug flags: memstat trust extprog
gpg: enabled compatibility flags:
gpg: no running gpg-agent - starting '/usr/bin/gpg-agent'
gpg: waiting for the agent to come up ... (5s)
gpg: connection to the agent established
gpg: writing to stdout
gpg: pinentry launched (1480141 gnome3:curses 1.3.0-unknown - xterm-256color :0.0 - 9/13 0)
gpg: signing failed: Inappropriate ioctl for device
gpg: signing failed: Inappropriate ioctl for device
gpg: keydb: handles=1 locks=0 parse=1 get=1
gpg: build=0 update=0 insert=0 delete=0
gpg: reset=0 found=1 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=2 cached=0 good=0 bad=0
gpg: objcache: keys=2/2/0 chains=381,1..1 buckets=383/20 attic=254
gpg: objcache: uids=1/1/0 chains=106,1..1 buckets=107/20
gpg: random usage: poolsize=600 mixed=1 polls=0/3 added=18/720
outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: secmem usage: 1568/65536 bytes in 3 blocks
/usr/bin/gpg returned exit status 512
signcontrol: could not generate signature
According to https://github.com/keybase/keybase-issues/issues/2798, inserting
"export GPG_TTY=$(tty)" is the solution, but when I do that I get 'not a tty':
$ ./checkgroups -t nl | head | GPG_TTY=$(tty) ./signcontrol
gpg: enabled debug flags: memstat trust extprog
gpg: enabled compatibility flags:
gpg: writing to stdout
gpg: pinentry launched (1519899 gnome3:curses 1.3.0-unknown not a tty xterm-256color :0.0 ? 9/13 0)
gpg: signing failed: No such file or directory
gpg: signing failed: No such file or directory
gpg: keydb: handles=1 locks=0 parse=1 get=1
gpg: build=0 update=0 insert=0 delete=0
gpg: reset=0 found=1 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=2 cached=0 good=0 bad=0
gpg: objcache: keys=2/2/0 chains=381,1..1 buckets=383/20 attic=254
gpg: objcache: uids=1/1/0 chains=106,1..1 buckets=107/20
gpg: random usage: poolsize=600 mixed=1 polls=0/3 added=18/720
outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: secmem usage: 1568/65536 bytes in 3 blocks
/usr/bin/gpg returned exit status 512
signcontrol: could not generate signature
In my configuration, signcontrol needs to be run from crontab at night;
I don't do that by hand.
Another solution from https://github.com/keybase/keybase-issues/issues/2798
points to https://d.sb/2016/11/gpg-inappropriate-ioctl-for-device-errors:
| To solve the problem, you need to enable loopback pinentry mode. Add this to ~/.gnupg/gpg.conf:
|
| use-agent
| pinentry-mode loopback
|
| And add this to ~/.gnupg/gpg-agent.conf, creating the file if it doesn't already exist:
|
| allow-loopback-pinentry
|
| Then restart the agent with echo RELOADAGENT | gpg-connect-agent and you should be good to go!
In my case I needed to restart the agent with:
echo RELOADAGENT | gpg-connect-agent --homedir [full_path_to_directory/.gnupg]
Now there is a little bit of a big success!
$ ./checkgroups -t nl | head | ./signcontrol
Use of uninitialized value $version in pattern match (m//) at ./signcontrol line 552.
Use of uninitialized value $version in concatenation (.) or string at ./signcontrol line 556.
Path: bounce-back
From: nl-admin@stack.nl
Newsgroups: nl.newsgroups
Subject: cmsg checkgroups
Control: checkgroups
Approved: nl-admin@stack.nl
Message-ID: <1714299176.1522958@a3.nl.invalid>
Date: Sun, 28 Apr 2024 10:12:56 -0000
Lines: 6
X-Info: https://ftp.isc.org/pub/pgpcontrol/README.html https://ftp.isc.org/pub/pgpcontrol/README
X-PGP-Sig: Subject,Control,Message-ID,Date,From,Sender
nl.actueel Discussie over nieuws met grote maatschappelijke impact.
nl.announce Aankondigingen conferenties, cursussen, enz. (Moderated)
nl.auto Aankondigingen, modellen, techniek, tips en discussie.
nl.burgerrechten Informatiemaatschappij en burgerbelangen.
nl.comp.3d-printen Alles over 3D-printen.
nl.comp.dvd-branden Over het maken en branden van dvd's.
In this part, $version doesn't get assigned GnuPG's version:
while ($signature[0] ne "\n" && @signature) {
    $version = $1 if ((shift @signature) =~ /^Version:\s+(.*?)\s*$/);
}
But 'gpg' does report its version. Here is some of my output if that helps:
$ gpg --version
gpg (GnuPG) 2.4.4
libgcrypt 1.10.3-unknown
Copyright (C) 2024 g10 Code GmbH
To get rid of the 'uninitialized value' I used a stub: my $version = "0.stub";
Unless someone has a (better) fix for this ...
To finish, I've changed the part where $pgphomedir is studied, using #DEBUG#,
and also omitted --pgp2:
if ($pgphomedir) {
    # we need a way to add some extra arguments
    @command = ($pgp, qw/--detach-sign --armor --textmode -u/, $keyid,
                ##DEBUG## qw/--debug-level advanced/,
                qw/--homedir/, $pgphomedir,
                qw/--force-v3-sigs/);
} else {
> About the registration of the new key in PGPKEYS at
> <https://ftp.isc.org/pub/pgpcontrol/> so that the subsequent control
> articles are taken into account in the ftp.isc.org active and newsgroups
> file at <https://ftp.isc.org/pub/usenet/CONFIG/>, just advertising it
> here will be enough. Russ will do the necessary stuff to integrate it
> into the software which generates the ftp.isc.org files.
As I haven't advertised it yet, I'm gonna go ahead right now:
$ gpg --homedir .gnupg --dry-run --list-keys
.../news/.gnupg/pubring.kbx
------------------------------------
pub rsa4096 2024-04-27 [SC]
66FBE84C80E372D4547FE921D2F2595DDA5AC504
uid [ultimate] nl.newsgroups
sub rsa4096 2024-04-27 [E]
$ gpg --homedir .gnupg --dry-run --list-keys --fingerprint
.../news/.gnupg/pubring.kbx
------------------------------------
pub rsa4096 2024-04-27 [SC]
66FB E84C 80E3 72D4 547F E921 D2F2 595D DA5A C504
uid [ultimate] nl.newsgroups
sub rsa4096 2024-04-27 [E]
$ gpg --homedir .gnupg --dry-run --send-keys 66FBE84C80E372D4547FE921D2F2595DDA5AC504
gpg: sending key D2F2595DDA5AC504 to hkps://keyserver.ubuntu.com
$ gpg --homedir .gnupg --send-keys 66FBE84C80E372D4547FE921D2F2595DDA5AC504
gpg: sending key D2F2595DDA5AC504 to hkps://keyserver.ubuntu.com
Did I do this correctly?
> It is also time to ask for an update, if needed, of the control.ctl
> information (contact, URL) related to your hierarchy:
> http://usenet.trigofacile.com/hierarchies/nl.html
The URL-part isn't correct yet; this is what I have now in my control.ctl:
## NL (Netherlands)
# Contact: nl-admin@stack.nl
# URL: http://nl.news-admin.org/info/nladmin.html
# Admin group: nl.newsgroups
# Key fingerprint: 45 20 0B D5 A1 21 EA 7C EF B2 95 6C 25 75 4D 27
# *PGP* See comment at top of file.
newgroup:*:nl.*:drop
rmgroup:*:nl.*:drop
checkgroups:nl-admin@stack.nl:nl.*:verify-nl.newsgroups
newgroup:nl-admin@stack.nl:nl.*:verify-nl.newsgroups
rmgroup:nl-admin@stack.nl:nl.*:verify-nl.newsgroups
BTW, I'm running C News. :-)
> After having generated the private and public keys, you should export
> your PUBLIC key and make it available from the web site of your
> hierarchy, and also announce it in news.admin.hierarchies.
Hopefully I've done all this correctly.
Thank you very much for helping me out so far, Julien!
Adri
PS NOTE: the Contact address nl-admin@stack.nl doesn't work yet.
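An added example, not code from signcontrol or from this message, covering the two changes discussed above: building the GnuPG 2.x signing command without --pgp2 so it works from cron, and recovering the version for the X-PGP-Sig header when the armor carries no Version: line (GnuPG 2.1 and later omit it by default). The paths, $keyid and the armor sample are constructed placeholders.

```perl
#!/usr/bin/perl
# Added example (not signcontrol's own code): build a cron-friendly gpg
# command and recover the GnuPG version signcontrol puts in X-PGP-Sig.
# GnuPG 2.1+ no longer writes a "Version:" armor header by default, so
# the loop in signcontrol leaves $version unset; fall back to the first
# line of `gpg --version` instead of a "0.stub" placeholder.
use strict;
use warnings;

# Assumed values for illustration only.
my $pgp        = '/usr/bin/gpg';
my $pgphomedir = '.gnupg';
my $keyid      = 'nl.newsgroups';

# GnuPG 2.x command: --homedir for a key outside ~/.gnupg; loopback
# pinentry plus --batch so a cron job never needs a tty (assumes the
# signing key has no passphrase or gets one via --passphrase-file).
sub gpg_sign_command {
    my ($pgp, $homedir, $keyid) = @_;
    my @cmd = ($pgp, qw/--batch --pinentry-mode loopback/);
    push @cmd, '--homedir', $homedir if defined $homedir && length $homedir;
    push @cmd, qw/--detach-sign --armor --textmode -u/, $keyid;
    return @cmd;
}

# Version from the armor header lines (those before the first blank line),
# as signcontrol does; returns undef when GnuPG omitted the header.
sub version_from_armor {
    my @lines = @_;
    shift @lines if @lines && $lines[0] =~ /^-----BEGIN PGP SIGNATURE-----/;
    while (@lines && $lines[0] ne "\n") {
        my $line = shift @lines;
        return $1 if $line =~ /^Version:\s+(.*?)\s*$/;
    }
    return undef;
}

# Fallback: first line "gpg (GnuPG) 2.4.4" -> "2.4.4".
sub version_from_gpg {
    my ($pgp) = @_;
    my $first = (`$pgp --version`)[0] // '';
    return $first =~ /^gpg \(GnuPG\) (\S+)/ ? $1 : undef;
}

# Constructed GnuPG 2.x armor: no Version: line at all.
my @signature = ("-----BEGIN PGP SIGNATURE-----\n", "\n",
                 "iQIzBAABCAAdFiEE...\n", "=abcd\n",
                 "-----END PGP SIGNATURE-----\n");
my $version = version_from_armor(@signature) // version_from_gpg($pgp) // 'unknown';
print join(' ', gpg_sign_command($pgp, $pgphomedir, $keyid)), "\n";
print "X-PGP-Sig: $version Subject,Control,Message-ID,Date,From,Sender\n";
```

Running it without gpg installed prints the command line and "unknown" for the version; with GnuPG 2.4.4 present the second line carries "2.4.4".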