(http://img24.imageshack.us/img24/4981/r9br.jpg)
I hate, hate, hate Linux to the point of rage due to it being an example of not learning from history. Normally I would say learn from the Unix Wars, but it is too late for that. History has once again repeated itself due to willful ignorance. (http://homepage.cs.uri.edu/~thenry/resources/unix_art/ch17s02.html) This is a problem because in order to have a fair comparison of GPG I have to use multiple versions of Linux.
For example, GPG (Gpg4win, version 2.1.1 (2013-05-28)) is crap because:
You have to fuck around with root certificates in the year 2013.
(To use S/MIME certificates for sign and encrypt, you have to define the trustability of X.509 root certificates.)
A root certificate (root CA) is used to check the validity of all child certificates. If you trust the root certificate, you thereby also trust all underlying certificates.
To avoid each user having to search for and install the required root certificates, and also having to check and authenticate their trustworthiness, it is useful to install a system-wide default set of the most important root certificates:
1. Store the root certificates
Copy root certificate file to:
[Windows XP]:
C:\Documents and settings\All Users\Application data\GNU\etc\dirmngr\trusted-certs\
[Windows Vista/7]:
C:\ProgramData\GNU\etc\dirmngr\trusted-certs
The corresponding root certificates must be available as files in DER format in the above file folder, with the file extension .crt or .der.
You get the root certificates from the respective CA administrators. CA operators often provide their root certificates also on websites for download.
If the above folder is not visible, please read the note on view options [1].
2. Set ultimate trusted
a) Open the following file with a text editor:
[Windows XP]:
C:\Documents and settings\All Users\Application data\GNU\etc\gnupg\trustlist.txt
[Windows Vista/7]:
C:\ProgramData\GNU\etc\gnupg\trustlist.txt
b) Create a new line per root certificate with the corresponding fingerprint, such as:
<FINGERPRINT> S
You get the fingerprint from the CA operators (often available from the website where you can download the root certificate). Alternatively, you can also obtain the fingerprint via the command line tool "sha1sum" from the binary root certificate file (those files usually have a suffix of ".crt", ".bin", ".cert" or ".cer"):
sha1sum < <ROOT-CERTIFICATE-FILE>
A row that begins with # will be treated as a comment and ignored. The end of the file must be followed by an empty row.
Example of two entries with comments:
# CN=Wurzel ZS 3,O=Intevation GmbH,C=DE
A6935DD34EF3087973C706FC311AA2CCF733765B S
# CN=PCA-1-Verwaltung-02/O=PKI-1-Verwaltung/C=DE
DC:BD:69:25:48:BD:BB:7E:31:6E:BB:80:D3:00:80:35:D4:F8:A6:CD S
In some cases it is useful to relax the criteria for checking the root certificate. To do this, you can set an additional flag "relax" after the S:
<FINGERPRINT> S relax
3. Complete Gpg4win installation and restart computer
a) Enable the option "Root certificate defined or skip configuration".
b) Complete the Gpg4win installation wizard as usual.
c) Restart your computer! (Required because DirMngr has to read your root certificates from step (1).)
Now, you have finished your S/MIME configuration successfully.
4. Review later in Kleopatra: Import and check certificate chains
Open Kleopatra and import your X.509 certificate chains. The imported certificate chains should appear under the tab "Trusted Certificates". Gpg4win recognizes your imported root certificates as trusted.
Problems? Kleopatra doesn't show your root certificate as trusted? Solutions:
* Click on the "Redisplay" button in Kleopatra to update the certificate view.
* Add "relax" after the relevant root certificate in the trustlist.txt - see step (2).
--
You will find this S/MIME configuration instruction in the Gpg4win start menu "Documentation".
For more information, see the Gpg4win Compendium, chapter 22:
http://gpg4win.org/doc/en/gpg4win-compendium_28.html
[1] Note on view options in Windows Explorer:
Ensure that you have enabled the folder option "Show hidden files and folders". You find this option under:
[Windows XP]: Tools > Folder Options > View
[Windows Vista/7]: Organize > Folder and Search Options > View
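The trustlist.txt procedure above boils down to two mechanical things: computing the SHA-1 fingerprint of the DER file (what `sha1sum` prints) and writing a `<FINGERPRINT> S [relax]` line that GnuPG will accept. The following Python is an added example, not code from the Gpg4win documentation or the GnuPG project: it computes the fingerprint in both spellings shown above (with and without colons), emits an entry, and parses an existing trustlist.txt to catch the mistakes that make a root silently stay untrusted (a malformed line, or a file that does not end with a newline). `SAMPLE_DER` is a constructed placeholder standing in for the bytes of a real .crt/.der file; the two fingerprints in `SAMPLE_TRUSTLIST` are the ones from the example entries above.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Constructed stand-in for the bytes of a DER-encoded root certificate.
# In practice this is the .crt/.der file you copied into trusted-certs.
SAMPLE_DER = b"abc"

# Constructed trustlist.txt content: the two entries shown on the page,
# one of them relaxed, plus one deliberately malformed line.
SAMPLE_TRUSTLIST = (
    "# CN=Wurzel ZS 3,O=Intevation GmbH,C=DE\n"
    "A6935DD34EF3087973C706FC311AA2CCF733765B S\n"
    "# CN=PCA-1-Verwaltung-02/O=PKI-1-Verwaltung/C=DE\n"
    "DC:BD:69:25:48:BD:BB:7E:31:6E:BB:80:D3:00:80:35:D4:F8:A6:CD S relax\n"
    "this is not a fingerprint line\n"
)


def sha1_fingerprint(der_bytes: bytes, colons: bool = True) -> str:
    """SHA-1 of the raw DER blob, uppercase; the same digest that
    `sha1sum < ROOT-CERTIFICATE-FILE` prints, optionally colon-separated."""
    hexdigest = hashlib.sha1(der_bytes).hexdigest().upper()
    if not colons:
        return hexdigest
    return ":".join(hexdigest[i:i + 2] for i in range(0, 40, 2))


def trustlist_entry(der_bytes: bytes, comment: str, relax: bool = False) -> str:
    """Comment line plus '<FINGERPRINT> S [relax]' line for one root certificate,
    newline-terminated so the file keeps its required trailing empty row."""
    flags = "S relax" if relax else "S"
    return f"# {comment}\n{sha1_fingerprint(der_bytes)} {flags}\n"


@dataclass
class TrustEntry:
    fingerprint: str   # normalised: 40 uppercase hex chars, no colons
    relax: bool
    line_no: int


# 20 hex octets, each optionally preceded by ':', then the S flag and optional relax.
_ENTRY_RE = re.compile(r"^([0-9A-Fa-f]{2}(?::?[0-9A-Fa-f]{2}){19})\s+S(\s+relax)?\s*$")


def parse_trustlist(text: str) -> tuple[list[TrustEntry], list[str]]:
    """Parse trustlist.txt content into entries plus a list of problems.

    '#' lines are comments; both fingerprint spellings from the page are accepted.
    Lines that do not match the entry format are reported rather than guessed at,
    and a missing final newline is reported because the page requires one."""
    entries: list[TrustEntry] = []
    problems: list[str] = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            problems.append(f"line {no}: not '<FINGERPRINT> S [relax]': {raw!r}")
            continue
        fpr = m.group(1).replace(":", "").upper()
        entries.append(TrustEntry(fpr, relax=bool(m.group(2)), line_no=no))
    if text and not text.endswith("\n"):
        problems.append("file does not end with a newline (an empty row must follow the last entry)")
    return entries, problems


def is_trusted(text: str, der_bytes: bytes) -> bool:
    """Would a root with these DER bytes be marked trusted ('S') by this trustlist?"""
    entries, _ = parse_trustlist(text)
    fpr = sha1_fingerprint(der_bytes, colons=False)
    return any(e.fingerprint == fpr for e in entries)


if __name__ == "__main__":
    # Audit the sample file, then append an entry for the placeholder root.
    entries, problems = parse_trustlist(SAMPLE_TRUSTLIST)
    for e in entries:
        print(f"line {e.line_no}: {e.fingerprint} relax={e.relax}")
    for p in problems:
        print("PROBLEM:", p)
    updated = SAMPLE_TRUSTLIST + trustlist_entry(SAMPLE_DER, "CN=Placeholder Root (constructed)")
    print("placeholder root trusted after append:", is_trusted(updated, SAMPLE_DER))
```

Running it against your real trustlist.txt is a matter of `parse_trustlist(open(path).read())`; an entry that fails the regex is the usual reason Kleopatra keeps showing a root as untrusted even though "the fingerprint is in the file".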
64 bit incompatibility in the year 2013
- Using GpgEX with 64 bit versions Windows:
* In some cases sign/encrypt or decrypt/verify via GpgEX doesn't work correctly (Kleopatra freezes). Then you should kill Kleopatra via the task manager and run the file crypto operation directly in Kleopatra (see the file menu).
* Problems with Windows x64:
GpgEX is a (32bit) plugin for the (32bit) Windows Explorer and it does _not_ run in a 64bit Explorer (= default for a Windows 64bit system).
Workaround: Run the 32bit Explorer to use GpgEX.
Click "Start" -> "Run", type the following in the box, and then click OK:
C:\windows\syswow64\explorer.exe /separate
Note: Adjust the path to your x64-based version of Windows if necessary.
This 'separate' command seems to be currently broken in Windows7/64bit.
Alternatively you can use the file crypto operations of GpgEX directly via the file menu of Kleopatra.
But wait it gets worse!
GPG 2.X is unable to generate 4096 bit RSA keys, 3072 is the limit.
Signature strength capped at SHA-2 256.
The possibility that GPG was better on Linux existed and I needed to test it for the sake of fairness. Multiple Linux operating systems were installed as VMWare virtual machines. VMWare is used because effort is enacted to try and support Linux broadly, my deepest sympathies for those unfortunate bastards. Unsurprisingly, all those problems seen in the Windows version of GPG exist and are worse on Linux too! Examples:
openSUSE12.3 64bit
Segfault, generated key lost. Aaawwww I wanted to see what horror was spawned from my attempt to generate 4096 DSS/DH key :(. Because that is an option despite DSS/DH not working that way. Of course any attempt to generate any key causes a segfault.
http://www.youtube.com/watch?v=Z-6YuLbbvms
Linux Mint 15 "Olivia" Cinnamon 64bit
Same as above. (http://img834.imageshack.us/img834/2627/ivhp.png)
I tried Ubuntu 13.04 Desktop (64-bit), the fucking comedy option, but it would not install and boot properly.
http://www.youtube.com/watch?v=qVaWniu1w1U