Subject: Re: Upgrading/changing from PGP to GnuPG for nl.*
From: a3 (at) *nospam* a3.nl.invalid (Adri Verhoef)
Newsgroups: news.admin.hierarchies
Date: 21. May 2024, 18:30:12
Organization: A3, The Netherlands
Message-ID: <sDuJAC.1oJ2o@a3.nl.invalid>
References: 1 2 3 4
User-Agent: trn 4.0-test77 (Sep 1, 2010)
Julien:
Looking at the flags used by signcontrol.py, it also has:
--emit-version --no-comments --no-escape-from-lines --no-throw-keyids
>
You may wish to also use them. At least the first one (--emit-version)
solves one of your subsequent questions.
This works indeed, thanks. No "0.stub" needed anymore. :-)
| To solve the problem, you need to enable loopback pinentry mode.
>
Indeed, this is a necessary setup if you run the script
non-interactively. Maybe you'll also need:
--no-tty --passphrase "xxx"
>
Matija Nalis, the former administrator of hr.* (Croatia), once asked for
these flags. I don't know whether they are still required by current
GnuPG versions.
Thanks, it worked without these flags. :-)
X-Info: https://ftp.isc.org/pub/pgpcontrol/README.html
https://ftp.isc.org/pub/pgpcontrol/README
>
You may want to keep one, and replace the other one with the URL of the
website of the hierarchy.
Once 'our' website is reinstated, of course. :-)
The URL-part isn't correct yet; this is what I have now in my control.ctl:
## NL (Netherlands)
# Contact: nl-admin@stack.nl
# URL: http://nl.news-admin.org/info/nladmin.html
# Admin group: nl.newsgroups
# Key fingerprint: 45 20 0B D5 A1 21 EA 7C EF B2 95 6C 25 75 4D 27
# *PGP* See comment at top of file.
newgroup:*:nl.*:drop
rmgroup:*:nl.*:drop
checkgroups:nl-admin@stack.nl:nl.*:verify-nl.newsgroups
newgroup:nl-admin@stack.nl:nl.*:verify-nl.newsgroups
rmgroup:nl-admin@stack.nl:nl.*:verify-nl.newsgroups
>
The official control.ctl entry will then need to be updated with this
new information (stack.nl instead of nic.surfnet.nl).
Also, the new key fingerprint is:
66FB E84C 80E3 72D4 547F E921 D2F2 595D DA5A C504
I have updated this new key fingerprint in my local control.ctl.
BTW, I'm running C News. :-)
>
For C News, from what I heard, it uses a file named controlperm. Does
it also handle the control.ctl syntax? Do you confirm a valid syntax
for controlperm would now be:
>
nl any n nq
nl any r nq
nl nl-admin@stack.nl c pv nl.newsgroups
nl nl-admin@stack.nl n pv nl.newsgroups
nl nl-admin@stack.nl r pv nl.newsgroups
It is correct that it uses a file named controlperm.
I have only one line in controlperm:
nl nl-admin@stack.nl nrc p nl.newsgroups
Regarding this,
this is what I found in /var/news/bin/ctl/{checkgroups,{new,rm}group}:
# subject to $NEWSCTL/controlperm: four fields per line, first
# a newsgroup pattern, second an author name (or "any"), third a set of
# operations ("n" newgroup, "r" rmgroup, "c" checkgroups), and fourth a set of
# flags ("p" do it iff poster's identity is pgpverified,
# "y" do it, "n" don't, "q" don't report at all, "v" include
# entire control message in report) (default "yv"); the "p" and "n" flags may
# be followed by the ID of the person permitted to pgpverify;
# the pgpverify program (not supplied) is presumed to be in $NEWSBIN
In the meantime, I've downloaded the latest version of pgpverify (1.30) from
https://ftp.isc.org/pub/pgpcontrol/pgpverify, but the version that goes with
my operating system (Fedora 40), /usr/libexec/news/pgpverify from INN-2.7.1,
says it is version 1.31. So what is going on here?
They are dated:
# Version 1.30, 2018-01-21
# Version 1.31, 2022-06-12
# Changes from 1.30 -> 1.31
# -- Add a $gpg_has_allow_weak_digest_algos_flag variable to specify whether
# gpg supports the --allow-weak-digest-algos flag. This variable will
# be overriden by INN::Config, if used. GnuPG 1.4.20 and 2.0.23 introduced
# this flag, necessary to verify the signatures of old PGP keys still in
# use for some hierarchies.
# -- Using at least GnuPG 1.4.20 or 2.1.0 is no longer required; this version
# of pgpverify will still work with previous versions of GnuPG. However,
# only GnuPG 1.x and 2.0.x will be able to validate signatures made with
# old PGP keys.
Adri
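
Added example, not part of the original post and not C News code: a small Python linter for controlperm lines, built only from the field and flag description in the comment quoted in the post, and run over the lines discussed there. The function name, the "at most one of p, y, n" rule and the "an ID requires p or n" rule are assumptions of this example; it does not model how C News matches patterns or chooses among lines.

```python
OPS = set("nrc")      # n newgroup, r rmgroup, c checkgroups
FLAGS = set("pynqv")  # flag letters listed in the quoted comment
ACTIONS = set("pyn")  # assumption of this example: at most one of these per line

def lint_controlperm(text):
    """Parse controlperm text; return (entries, problems)."""
    entries, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) not in (4, 5):
            problems.append((lineno, "expected 4 fields plus optional ID, got %d" % len(fields)))
            continue
        pattern, author, ops, flags = fields[:4]
        signer = fields[4] if len(fields) == 5 else None
        before = len(problems)
        if set(ops) - OPS:
            problems.append((lineno, "unknown operation in %r" % ops))
        if set(flags) - FLAGS:
            problems.append((lineno, "unknown flag in %r" % flags))
        if len(set(flags) & ACTIONS) > 1:
            problems.append((lineno, "conflicting action flags in %r" % flags))
        if signer and not set(flags) & set("pn"):
            problems.append((lineno, "ID given but flags lack p or n"))
        if len(problems) == before:
            entries.append({"pattern": pattern, "author": author,
                            "ops": set(ops), "flags": flags, "signer": signer})
    return entries, problems

# The five-line form asked about in the post.
JULIEN = """\
nl any n nq
nl any r nq
nl nl-admin@stack.nl c pv nl.newsgroups
nl nl-admin@stack.nl n pv nl.newsgroups
nl nl-admin@stack.nl r pv nl.newsgroups
"""
# The single-line form from the post.
ADRI = "nl nl-admin@stack.nl nrc p nl.newsgroups\n"
# Constructed input: the same line accidentally broken in two.
SPLIT = "nl\nnl-admin@stack.nl nrc p nl.newsgroups\n"

if __name__ == "__main__":
    for name, text in (("JULIEN", JULIEN), ("ADRI", ADRI), ("SPLIT", SPLIT)):
        entries, problems = lint_controlperm(text)
        print(name, len(entries), "valid entries;", problems or "no problems")
```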