(10 replies, posted in Bugs & problems)

I've gotten this behavior before also.  I don't know what causes it.  I just restarted Firefox and it started working again for me, but obviously there is a bug somewhere now that someone else has confirmed this behavior.

Why do you want a clearsigned attachment?

I must stress I am addressing the situation where sign is the only option chosen -- not sign+encrypt.  If I choose sign only (no encryption), shouldn't it default to clearsign?

As I read the man page:

Sign = Letter signature which may contain binary code
Sign + Ascii = Letter Signature which is purely ascii armored
Clearsign = Append the Signature to the Original letter but keep the contents of the letter legible

So if I just wanted to sign a letter -- but not encrypt it, wouldn't I want to just clearsign the letter?  This would keep the letter readable by those who did not use gpg/pgp.  If I'm not mistaken I believe enigmail works this way by clearsigning the document.  I'm asking only for the situation where sign is chosen, not sign+encrypted.  But wouldn't it be possible to clearsign and encrypt too, although I guess it really wouldn't matter in this case.

From the gpg man pages:
Commands to select the type of operation


     -s     Make a signature. This command may be  combined  with  --encrypt
            (for  a signed and encrypted message), --symmetric (for a signed
            and symmetrically encrypted message), or --encrypt and --symmet-
            ric  together  (for a signed message that may be decrypted via a
            secret key or a passphrase).

     --clearsign
            Make a clear text signature. The content in a clear text  signa-
            ture  is readable without any special software. OpenPGP software
            is only needed to verify the signature.  Clear  text  signatures
            may  modify end-of-line whitespace for platform independence and
            are not intended to be reversible.


     -b     Make a detached signature.

Wouldn't clear sign be the default preference because in this case only OpenPGP is needed to verify the signature if sign is only chosen as an option?

Can you explain the three parts of the letter specifically with the mechanism currently in place?
The contents of the letter represent = ?
Noname = ?
Encrypted.asc = ?

Should all these parts be appended if I just elect to use sign?

I'll report this as a bug.  Thanks for the link

So does Firegpg ignore the possible value of personal-digest-preferences if included in the gpg.conf file?

With the way gmail is set up to store conversations, why does firegpg try to continuously decrypt email sent by me to a recipient if I click on that particular letter?  I keep continuously getting a popup box showing that the decryption failed.  My response to that is that it's always going to fail since I don't have the recipient's private key.  Isn't there a way for firegpg to detect if I sent the message and somehow avoid trying to automatically decrypt the message if it originated from me?

Ok a long discussion has been had on the gnupg mailing list about what preferences are used and what order.  Does firegpg at all make use of the sections personal-cipher-preferences and personal-digest-preferences as contained in the gpg.conf file?

Reading more up on the subject - I actually prefer clearsign to sign, however that may just be me.  Is there a way an option can be added to firegpg, to differentiate what sign means?  Meaning either generating a totally binary output or ascii output (if the -a option is used -- which I assume is the default behavior), or an option which generates a clear signature where the data is left to be human readable and the signature is appended in ascii format.


(7 replies, posted in Misc)

Probably a valid point on most modern computers, however I'm just saying if you are using a DSA key or DSA2 key there needs to be a distinction.  Only DSA keys can use RIPEMD-160 or SHA1.  DSA2 keys can use all combinations, however you are not gaining anything with SHA512 since the resultant is rounded to 256 bits.  Only RSA keys can take full advantage of SHA512.  This may bother some users however is there really an advantage today of using SHA512 vs SHA256?  Not in my opinion as it stands today.

Excuse my ignorance, but things are not working the way I expect them to.

Using the new gmail interface, I select sign and encrypt.

After sending the mail, I see the ciphertext, but also two attachments at the bottom called:


I suppose this isn't the exact behavior I was looking for.  What I was expecting was for the document to be clearsigned, and then encrypted leaving a result letter with no attachments.  Am I wrong about this?  And isn't the default action of sign supposed to be clearsign in the first place?


(7 replies, posted in Misc)

The only negative facts about using SHA512 are that it takes longer to create the hashes (more than twice as long), and with DSA2 3092 bit keys (the longest keys you can make currently) - the 256 leftmost bits of the 512 bit hash product are taken to end up with a resultant 256 bit hash.  So hence you wasted processing time to end up with a 256 bit hash when simply computing a 256 bit hash would have been faster and ended up with a resultant that would be just as "secure" to collision.

Again if using RSA signing, you can use SHA512 as well as SHA256 and respectively get 512 and 256 bit hashes.

A little off topic, but when SHA3 is named in 2010 or 2011, this entire topic will be a moot point, since the algorithm will be completely different than the classic SHA "family".
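The truncation described in the post above, as an added example that is not part of the original post: DSA signs only the leftmost min(N, hash length) bits of the digest, where N is the bit length of q. The function names are hypothetical, the (L, N) pairs are the FIPS 186-3 sizes, and the message is constructed.

```python
import hashlib

# (L, N) pairs from FIPS 186-3: L = bits in modulus p, N = bits in subgroup order q.
FIPS_186_3_SIZES = [(1024, 160), (2048, 224), (2048, 256), (3072, 256)]


def dsa_hash_input(message: bytes, hash_name: str, q_bits: int) -> bytes:
    """Return the bytes DSA actually signs: the leftmost min(N, outlen) bits of the hash."""
    digest = hashlib.new(hash_name, message).digest()
    keep_bits = min(q_bits, len(digest) * 8)
    return digest[: keep_bits // 8]  # every N above is a multiple of 8


def effective_bits(hash_name: str, q_bits: int) -> int:
    """Number of hash bits that influence a DSA signature for this hash and q size."""
    return min(q_bits, hashlib.new(hash_name).digest_size * 8)


def survey(message: bytes, hashes=("sha1", "sha256", "sha512")):
    """Rows of (L, N, hash, bits signed, log2 of the generic birthday bound)."""
    rows = []
    for l_bits, n_bits in FIPS_186_3_SIZES:
        for name in hashes:
            used = len(dsa_hash_input(message, name, n_bits)) * 8
            rows.append((l_bits, n_bits, name, used, used // 2))
    return rows


if __name__ == "__main__":
    msg = b"constructed sample message"  # constructed input, not from the page
    for row in survey(msg):
        print("L=%d N=%d %-6s -> %3d bits signed, ~2^%d collision work" % row)
```

With N = 256, SHA-512 and SHA-256 both leave 256 signed bits; only the digest values differ.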


(5 replies, posted in Requests)

Any reason you want to use GnuPG 2.0?  The differences between 1.0.x and 2.0.x are that the 2.0.x libraries are compiled as dll files whereas in the 1.0.x they are compiled statically.  In terms of functionality, the 2.0.x product offers no difference at this time compared to the 1.0.x product.  1.0.x is more universally used.


(7 replies, posted in Misc)

Due to the way signatures are created, and the signing algorithm used (either RSA or DSA), SHA512 may not be better than SHA256.  Let me explain:

To use any algorithm above SHA1 (which is a 160 bits hash), you need to have a DSA2 or RSA signing key generated.  Old DSA style keys will always default to SHA1.

Due to the FIPS specification, even DSA2 keys are limited to 256 bit hashes.

I've tried to explain some of the misconceptions here in this unfinished work.


Although this work could be updated now that RSA is preferred over DSA, the principles discussed in this work still hold.  I encourage everyone seriously using GnuPG to take a look at this work.  It took me days to find and confirm this information with the GnuPG mailing list.  I wanted to take principles and examples I had seen vaguely discussed and distill them down to a level which everyone could understand.

Where do I download and install the Console debugging application?


(19 replies, posted in Requests)

I have tried this solution but it does run at the command prompt in XP


This evals to the current directory.

So say you had a subdirectory in the current directory:

cd %0\..\<subdirectory>

Another way to do it with xp in a bat file would be to do this

set Current_Drive=%~d0
set Current_Path=%~dp0

echo Current Drive=%Current_Drive%
echo Current Path=%Current_Path%

Not sure if this helps you at all?


(2 replies, posted in Bugs & problems)

Have you tried saving it to a file and then using gpg to decrypt it on the command line?

gpg -v -d <filename>

Good idea -- I didn't think of this option, however at least someone was thinking


(2 replies, posted in Requests)

I set the path and everything is working -- Just curious because this is now affecting people on all platforms (Win/MAC/linux).  There used to be no problems with this feature in the past!


(2 replies, posted in Requests)

Just upgraded to 0.6.1 revision 469.  SVN version no longer displayed in GUI as it once was.

Also I do not have FireFTP installed but had to manually specify path to GPG executable (WinXP).  It worked after I did this, but I haven't had to do this in prior versions.


(4 replies, posted in Bugs & problems)

What OS are you running?  Can you list the output of your environment variables?  set at the command line if it's Windows.


(2 replies, posted in Requests)

I believe the preferred algorithm for gnupg to use is contained in the gpg.conf file.  Usually the preferred cipher and digest (signature) algorithms are chosen via the personal-cipher-preferences and personal-digest-preferences as explained below:

--personal-cipher-preferences string
    Set the list of personal cipher preferences to string. Use gpg2 --version to get a list of available algorithms, and use none to set no preference at all. This allows the user to factor in their own preferred algorithms when algorithms are chosen via recipient key preferences. The most highly ranked cipher in this list is also used for the --symmetric encryption command.
--personal-digest-preferences string
    Set the list of personal digest preferences to string. Use gpg2 --version to get a list of available algorithms, and use none to set no preference at all. This allows the user to factor in their own preferred algorithms when algorithms are chosen via recipient key preferences. The most highly ranked digest algorithm in this list is also used when signing without encryption (e.g. --clearsign or --sign). The default value is SHA-1.

With each of these choices the string is a comma separated list using either the Sx or Hx notation as specified below (note you can generate this list with your own gpg version by typing at the command line gpg -v --version):

Cipher: IDEA (S1), 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7), AES192 (S8),
        AES256 (S9), TWOFISH (S10), CAMELLIA128 (S11), CAMELLIA192 (S12),
        CAMELLIA256 (S13)
Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9),
      SHA512 (H10), SHA224 (H11)

So for example to set the cipher preferences I would add the following within the gpg.conf file:
--personal-cipher-preferences S9,S8,S7,S10,S4,S1,S2

Always include 3DES -> This is considered the default cipher

SHA1 is considered the default hash

Please note the Camellia ciphers are considered experimental, and unless you have compiled your gpg version from source, neither the IDEA nor Camellia ciphers will be available in the "stock" installation.  Camellia ciphers are likely to be added to the "stock" installation, once Camellia is officially recognized by the OpenPGP committee (unsure on the time-table of this decision).


(2 replies, posted in Bugs & problems)

Thanks -- that worked :)


(2 replies, posted in Bugs & problems)

Recently my profile folder was corrupted using Firefox so I had to delete the entire folder.  Now for some reason I can't get Firegpg svn to work.  Mozilla simply will not start.

Windows Vista
FireGpg svn revision 453

SVN files located:

Vista Profile Located: C:\Users\klal\AppData\Roaming\Mozilla\Firefox\Profiles\jp7szq9u.default

Made file called firegpg@firegpg.team

Inside the named file there is one line:

Placed the firegpg@firegpg.team file here:

Restarted Mozilla:
Mozilla never starts, meaning it's shown in the process list but the actual GUI never starts.

Is there something I am missing??

Currently you offer a radio box that states Display FireGPG website address in the GPG comment field -- The option is basically yes or no.  Can you make this easier by allowing a selection whereby you could manually edit the field?  (Yes I understand I could do this by altering the svn source, however I'm just trying to make it easier)!

Sorry for bothering you once again -- just wanted to pass along some info and ask some questions

Using SVN version 414, cygwin gpg, windows vista

1. SVN version being displayed in menu is 413, although within svn from command line firegpg svn version is 414

2. Buttons Being Displayed that are not selected
I have the following buttons within Gmail (Sign, Sign and Send, Encrypt, Encrypt and Send, Sign and Encrypt), although within the GUI I only have the following options checked under the Gmail Heading: Gmail Support, Buttons to Show: Sign, Encrypt, Sign and Encrypt.

3. By selecting integrate with Gmail from the Gmail Submenu -- is the autosave feature disabled?  This would be what I would want by default.  If for example half of the letter I am composing is saved prior to encryption,  what is the point??? Really any letter I would like to encrypt I don't want unencrypted copies stored on Gmail servers.