Path: ...!news.nobody.at!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: a3@a3.nl.invalid (Adri Verhoef)
Newsgroups: news.admin.hierarchies
Subject: Re: Upgrading/changing from PGP to GnuPG for nl.*
Date: Tue, 21 May 2024 17:30:12 GMT
Organization: A3, The Netherlands
Lines: 102
Message-ID: <sDuJAC.1oJ2o@a3.nl.invalid>
References: <sCIsAw.qvz0@a3.nl.invalid> <v0fv1o$62di$1@news.trigofacile.com> <sCnK64.wwA3@a3.nl.invalid> <v0o2j7$bvvl$1@news.trigofacile.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Injection-Date: Tue, 21 May 2024 20:09:02 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="12dd47c2e7b7bb45222c169aab032764";
	logging-data="762815"; mail-complaints-to="abuse@eternal-september.org";	posting-account="U2FsdGVkX18kCYJUcNpfxgQm1/yBOfBAbTUPTPpckM4="
Cancel-Lock: sha1:HXAVVg4gGK9h7tAyi2HrNQJ0FVk=
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
X-Editor: Vim
Bytes: 5184

Julien:

>Looking at the flags used by signcontrol.py, it also has:
>   --emit-version --no-comments --no-escape-from-lines --no-throw-keyids
>
>You may wish to also use them.  At least the first one (--emit-version)
>solves one of your subsequent questions.

This works indeed, thanks.  No "0.stub" needed anymore. :-)

>> | To solve the problem, you need to enable loopback pinentry mode.
>
>Indeed, this is a necessary setup if you run the script
>non-interactively.  Maybe you'll also need:
>   --no-tty --passphrase "xxx"
>
>Matija Nalis, the former administrator of hr.* (Croatia), once asked for 
>these flags.  I don't know whether they are still required by current 
>GnuPG versions.

Thanks, it worked without these flags. :-)

>> X-Info: https://ftp.isc.org/pub/pgpcontrol/README.html
>> 	https://ftp.isc.org/pub/pgpcontrol/README
>
>You may want to keep one, and replace the other one with the URL of the 
>website of the hierarchy.

Once 'our' website is reinstated, of course. :-)

>> The URL-part isn't correct yet; this is what I have now in my control.ctl:
>> 
>> ## NL (Netherlands)
>> # Contact: nl-admin@stack.nl
>> # URL: http://nl.news-admin.org/info/nladmin.html
>> # Admin group: nl.newsgroups
>> # Key fingerprint: 45 20 0B D5 A1 21 EA 7C  EF B2 95 6C 25 75 4D 27
>> # *PGP*   See comment at top of file.
>> newgroup:*:nl.*:drop
>> rmgroup:*:nl.*:drop
>> checkgroups:nl-admin@stack.nl:nl.*:verify-nl.newsgroups
>> newgroup:nl-admin@stack.nl:nl.*:verify-nl.newsgroups
>> rmgroup:nl-admin@stack.nl:nl.*:verify-nl.newsgroups
>
>The official control.ctl entry will then need to be updated with this
>new information (stack.nl instead of nic.surfnet.nl).
>Also, the new key fingerprint is:
>   66FB E84C 80E3 72D4 547F  E921 D2F2 595D DA5A C504

I have updated this new key fingerprint in my local control.ctl.

>> BTW, I'm running C News. :-)
>
>For C News, from what I heard, it uses a file named controlperm.  Does 
>it also handle the control.ctl syntax?  Do you confirm a valid syntax 
>for controlperm would now be:
>
>nl any n nq
>nl any r nq
>nl nl-admin@stack.nl c pv nl.newsgroups
>nl nl-admin@stack.nl n pv nl.newsgroups
>nl nl-admin@stack.nl r pv nl.newsgroups

It is correct that it uses a file named controlperm.

I have only one line in controlperm:

nl		nl-admin@stack.nl		nrc	p	nl.newsgroups

Regarding this,
this is what I found in /var/news/bin/ctl/{checkgroups,{new,rm}group}:

# subject to $NEWSCTL/controlperm:  four fields per line, first
# a newsgroup pattern, second an author name (or "any"), third a set of
# operations ("n" newgroup, "r" rmgroup, "c" checkgroups), and fourth a set of
# flags ("p" do it iff poster's identity is pgpverified, 
# "y" do it, "n" don't, "q" don't report at all, "v" include
# entire control message in report) (default "yv"); the "p" and "n" flags may
# be followed by the ID of the person permitted to pgpverify;
# the pgpverify program (not supplied) is presumed to be in $NEWSBIN

In the meantime, I've downloaded the latest version of pgpverify (1.30) from
https://ftp.isc.org/pub/pgpcontrol/pgpverify, but the version that goes with
my operating system (Fedora 40), /usr/libexec/news/pgpverify from INN-2.7.1,
says it is version 1.31.  So what is going on here?

They are dated:
# Version 1.30, 2018-01-21
# Version 1.31, 2022-06-12

# Changes from 1.30 -> 1.31
# -- Add a $gpg_has_allow_weak_digest_algos_flag variable to specify whether
#    gpg supports the --allow-weak-digest-algos flag.  This variable will
#    be overriden by INN::Config, if used.  GnuPG 1.4.20 and 2.0.23 introduced
#    this flag, necessary to verify the signatures of old PGP keys still in
#    use for some hierarchies.
# -- Using at least GnuPG 1.4.20 or 2.1.0 is no longer required; this version
#    of pgpverify will still work with previous versions of GnuPG.  However,
#    only GnuPG 1.x and 2.0.x will be able to validate signatures made with
#    old PGP keys.

Adri
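
Added example (not part of the post and not C News code): the following Python parses controlperm lines using only the field layout from the comment quoted above, and shows that the five-line form Julien asked about and Adri's single line grant the same PGP-verified operations. Skipping `#` lines, requiring exactly one of `p`/`y`/`n` in an explicit flags field, and the `WEAK` sample line are assumptions made here; pattern matching and line precedence in C News are not modelled.

```python
from typing import NamedTuple, Optional

OPS = {"n": "newgroup", "r": "rmgroup", "c": "checkgroups"}

class Rule(NamedTuple):
    pattern: str
    author: str
    op: str                 # newgroup / rmgroup / checkgroups
    action: str             # "p" only if pgpverified, "y" do it, "n" don't
    pgp_id: Optional[str]   # ID permitted to pgpverify, if given

def parse_controlperm(text):
    """Expand each controlperm line into one Rule per operation letter."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):  # assumption: skipped
            continue
        if not 3 <= len(fields) <= 5:
            raise ValueError(f"line {lineno}: expected 3 to 5 fields")
        pattern, author, ops = fields[:3]
        flags = fields[3] if len(fields) > 3 else "yv"  # documented default
        pgp_id = fields[4] if len(fields) > 4 else None
        if set(ops) - set(OPS) or set(flags) - set("pynqv"):
            raise ValueError(f"line {lineno}: unknown operation or flag")
        actions = [f for f in flags if f in "pyn"]
        if len(actions) != 1:                        # assumption: exactly one
            raise ValueError(f"line {lineno}: need exactly one of p, y, n")
        rules.extend(Rule(pattern, author, OPS[o], actions[0], pgp_id) for o in ops)
    return rules

def audit(rules):
    """Return (rule, reason) pairs for rules that deserve a second look."""
    out = [(r, "executed without PGP verification") for r in rules if r.action == "y"]
    out += [(r, "p flag without a signer ID") for r in rules
            if r.action == "p" and not r.pgp_id]
    return out

def verified_ops(rules):
    """Set of (operation, signer ID) pairs that require pgpverify."""
    return {(r.op, r.pgp_id) for r in rules if r.action == "p"}

JULIEN = ("nl any n nq\nnl any r nq\n"
          "nl nl-admin@stack.nl c pv nl.newsgroups\n"
          "nl nl-admin@stack.nl n pv nl.newsgroups\n"
          "nl nl-admin@stack.nl r pv nl.newsgroups\n")
ADRI = "nl\t\tnl-admin@stack.nl\t\tnrc\tp\tnl.newsgroups\n"
WEAK = "nl any nrc y\n"  # constructed counter-example, not from the post
```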