User loginFollow & Connect With Us     What is a portable app?
Find out on the What is a portable app? page.
Sponsored Links |
portable GnuPG and GPG Shelljps - December 27, 2007 - 4:43pm
The thunderbird and enigmail bundle is nice. But there are some function limitations. You can`t download files from the internet and then check if the signature matches the downloaded file. For non portable use gpg4win works fine. But there is no portable version and making portable is hard. Many frontends are out. Any that could be used portable? ( categories: )
|
Silence. No one using
Silence.
No one using pgp?
No portable gui at all?
Nope
Don't use PGP or any other file encryption anymore. If I did need to use encryption, 256-bit AES in 7-Zip is all I would probably need anyways.
Cancer Survivors -- Remember the fight, celebrate the victory!
Help control the rugrat population -- have yourself spayed or neutered!
I also prefer 7-Zip or
I also prefer 7-Zip or TrueCrypt for file encryption.
But many people sign their files with OpenPGP. I need some portable gui to verify the integrity of the file.
Due to the lack of response
Due to the lack of response to this thread, sounds like you need to learn NSIS scripting to make a GUI portable yourself. Good luck!
Cancer Survivors -- Remember the fight, celebrate the victory!
Help control the rugrat population -- have yourself spayed or neutered!
The solution. Portable GPG.
PGP is a commercial program and, AFAIK, is not (lawfully) available as a portable app. Gnu Privacy Guard (GPG) is the free open source alternative and the requirements for a portable GPG app for Windows are well known. These are:
From an installed version of GnuPG 1.49 or 1.4.10 (http://www.gnupg.org/download/) extract to a folder the (minimum required) files gpg.exe and iconv.dll. Add to these files an (optional) options file gpg.conf and (optional) manual gpg.man renamed to gpgman.txt. Add keyrings secring.gpg pubring.gpg and trustdb.gpg.
USE: (winXP) Add a batch file called local.bat
setlocal
set GNUPGHOME=.
cmd.exe
endlocal
Run the local.bat file. It will use the local files and keyrings. "gpg --version" command and "gpg --list-keys" may be used to test the install.
WARNING0: Think about what you are doing. You want to use someone else's Windows computer to encrypt and decrypt sensitive information? Are you crazy??? Just food for thought. If the FBI, CIA, NSA, or KGB or Chinese government aren't after you, well I suppose you might chance it. Human rights workers in hostile territory, God bless and please be careful.
WARNING1. The loss of a usb presumptively compromises for all purposes all private keys in secring.gpg (mainly because everyone uses ludicrously insecure passwords). Thus, it is unwise to keep high value private keys on a portable device. If you simply MUST.. symmetric encrypt them with "gpg -c filename" using a
STRONG password. Then decrypt when needed. Alternatively use (thoughtfully) a throwaway usbkey. Note that you may encrypt to others, even to yourself, using only public keys, which are not secret (the ids might still be confidential). Still, maybe that's all you need in a portable app.
WARNING2. GPGShell is a nifty program (gpg4win is also coming along nicely), but is designed for an installation. I've tried to make it portable, because it is quite nifty. But it automatically resets config settings and doesn't always use the local files. Sorry. You should also beware those who glibly tell you it works portably. You can still do what you need from the command line.
==common commands (use the local.bat first)
gpg --version (check version)
gpg --list-keys (list keys on keyrings)
gpg -c --cipher-algo S7 filename (symmetric encrypt filename using AES)
gpg - e filename (rem public key encrypt file to key (request key))
gpg -o outfile -d filename (decrypt filename to outfile)
salute
Additional comment
GPG is opensource (GPL) and may be freely used for all purposes. PGP has a freeware version of their program for personal use, but any commercial use requires a license. PGP is a registered trademark of PGP Corporation, located in California USA. Misuse and unauthorized appropriation of trademarks can have serious consequences.
The earlier mentioned portable GPG is a minimum configuration for Windows which may be run from any portable USB device, with or without administrative privileges It uses the command line. Additional GPG files may be added if desired. GPG v2 from gpg4win may also be used as portable, but requires additional files from the distro to be installed on the USB.
Please don't add confusion
PGP is asymmetric encryption. AES, DES, 3DES etc are symmetric encryption.
http://www.suse.de/~garloff/Writings/mutt_gpg/node3.html
They serve 2 needs for encryption.
winpt
winpt portable is on my stick , I think search here in forum might give you some result.
The lates version of winpt works nice as portable.
Otherwise gpg4win works too.
Nice is also portable pgp (search here or google). This is nice java app which is also prepared so that it will work with the java exported in common files in portable apps.
all those work fine.
And for pure mail, enigma adon for thunderbird is useful too.
Otto Sykora
Basel, Switzerland
thank you.
I am a longtime user of WinPT. However, the developer Timo Schulz has recently discontinued the project ( http://winpt.gnupt.de/int/?p=200 ), and the project has been dropped from gpg4win. But please be good to post your method of making the WinPT program portable. Include where to get WinPT and any configuration. Test it on a machine that does not have GPG already installed. Thank you.
Portable PGP is a java program under early development. It also appears to be using its own encryption code. Impressive, but... does it work reliably and is it crypto safe to use? (Its name might also draw some legal criticism.)
I am also a longtime user of enigmail. The portable enigmail/thunderbird combination provides a specific GPG distribution http://portableapps.com/support/thunderbird_portable#encryption . If you are using that on a USB, and trust the distro, you can also use that GPG as a portable app in the manner I earlier described.
GPG v2 is still relatively new and under development. However the project gpg4win develops it and has the requisite expertise, so I regard these as usable. To use GPG v2 portably from the command line use GPG v2 files from the gpg4win distribution, and include all distro flles on the usb. Not all are needed but many are. Just copy them all. These provide roughly the same functionality as ver 1.
People have had ten years or more to develop a simple, easy to use GUI front end for GPG. There have been several successes (GPGShell, WinPT, GPA) but getting them to work reliably and securely as portable apps on Windows has been problematic. My advice is if you have only occasional need, the command line with a short text cheat (help) sheet of commands, is keeping it simple. KISS.
portable pgp first
ok, for the name I have no idea, but the name pgp alone is used widely since beginning, so I dont hink it is real problem.
Then to the encryption. Yes it is fully compatible to open pgp standard. (yes you see also this is called pgp)
I did many tests personally before the first release, discovered some incompatibilities and the authors did clear those very fast.
Some small incompatibilities with let say old pgp263 remained, but those are also within the open pgp standard so.
It is not an early beta, it is developed long time ago and works portably very well. Since pure java, you can runit under linux or macos on sun workstation if you like.
The encryption libs the guys did use are nothing exotic, they are generic parts and the guys built with it also other more commercial things like smart card apps and similar.
I am not able to review the functions and security of the libs, but it is all open source and used for other things as well.
The compatibility is given in the current release, any opene pgp compatible software like gnupg is also compatible with this.
I dont know where the paf compatible launcher get lost from the portable pgp site on SF, I will ask the authors to place it somewhere so all can get it.
Otherwise if you want just try get it from my archive:
http://www.box.net/shared/402l6p4lml
Otto Sykora
Basel, Switzerland
now winpt
ok, initially I got pafed one from here :
http://portableapps.com/node/11404
then downloaded the latest version from timo schulz and copied it into the the paf structure, I think made few corrections in in may be, dont remamber so much. But it works very fine this way, could not discover any incompatibility with it , running gpg either in thunderbird folder or in in common files on my pa stick, both works well. Have also IDEA algo enabled in gpg, all works with it as well.
And no gpg installed on any of my machines, all runs from stick. Simply install gpg portable, or you can use also enigma plugin to your thunderbird and point winpt to use that executables and conf files of gpg. (gpg.exe and gpg.conf and key rings)
and because there was not much work done for some time does not mean all is dead.
http://winpt.gnupt.de/int/?p=137
will tell you that some new versions are underway.
Otto Sykora
Basel, Switzerland
thank you for your replys
"portable pgp" is interesting. Thank you for bringing it to my attention.
Initially I thought you were one of the developers.
To be usable the program should be (1) available, (2) easy to install (3) kind to the user's machine, and above all (4) accepted by the crypto community. It seems far enough along that it would be nice to see a few experts review what has been done so far.
A different name might also be considered for the program.
PGP is a registered trademark of PGP Corporation. PGP Corp has long been a strong supporter of Open Source development of encryption software based on PGP. We might still doubt that their generosity extends to an appropriation of their product name and trademark.
Portable WinPT, regretfully, has various problems too numerous to mention. For me it did not accept GPG 1.4.7 installed with thunderbird and required an upgrade to version 1.4.9. This dependency on GPG version is both inconvenient and concerning. Even more seriously, its method of acquiring its working preferences (locations) is seriously flawed, actually dangerous. It specifically failed to encrypt to keys in the selected preference location and instead picked up a keyring from another location and tried to use that.. while still pointing at the original selected location. We can't have that. It also kept wanting to pick up my machine gpg install, a further serious concern for portable users. Closing and re-running WinPT or a change in disk assignment for the USB starts the whole selection problem anew. Other bugs. I cannot recommend portable WinPT for the serious user while it is in this condition. No disrespect intended to Timo.
GPG 1 was intended as a command line program, period. It is magnificent for what it is and does. The GPG4Win crew has now taken things in another direction to accommodate GUI development and incorporation in small devices. It is hard to know whether to cheer their vision of a brave new world, or fear it, but it appears the inevitable future.
ok my notes
>Initially I thought you were one of the developers.<
no, I am not, I was just doing lot of testing , mainly usability and compatibility tests, simply tried to screw the thing up if possible. We spent some heavy work nights and the guys cleared all problems I did found.
>To be usable the program should be (1) available, <
well it is avaiable, on sourceforge, only somehow the launcher made almost compatible to paf is somehow missing at present, will ask the authors to place it next to the pure file.
>(2) easy to install<
ok, it should have paf installer today, it has not, it is just a copy/paste version.
>(3) kind to the user's machine, and above all <
this is, it will use java where ever found, actually the launcher version will take jave from the common files folder when present before looking for other places.
>(4) accepted by the crypto community. It seems far enough along that it would be nice to see a few experts review what has been done so far.<
this is getting more and more difficult now. It was simple when original pgp 2.62 was around, single exe, everybody could study it.
Today this is getting more complex, graphical interfaces are getting part of all and reviews probably more complex.
So later pgp versions were also not reviewed the same way as it used to be earlier.
>A different name might also be considered for the program.
PGP is a registered trademark of PGP Corporation. PGP Corp has long been a strong supporter of Open Source development of encryption software based on PGP.<
this is not big deal, there is something called 'open pgp standard' and this is a standard and is widely known and accepted, have never heard of any disputes with current pgp.com
>Portable WinPT, regretfully, has various problems too numerous to mention. For me it did not accept GPG 1.4.7 installed with thunderbird and required an upgrade to version 1.4.9. <
Strange, I was using it with 147 and found no problems. Only problems found were on some mixed up interpretation of charsets when using the capture feature, but this was some years ago. I have reported it to Timo, and he clearad it very fast. I was , and I am using winpt portable on my stick, never found problems you are describing.
In fact when using winpt in portable way, it is assumed the gpg is also portable and settings can be done stright in the gpg.conf for most relevant things.
I think I have still some sticks around with gpg147 on it, others 149 and later with 1.4.10, and all still works.
> Closing and re-running WinPT or a change in disk assignment for the USB starts the whole selection problem anew. <
But, do you use the launcher or do you try to run winpt as it comes?
You can also try the GPA, well the known GUI used for gpg in Linux. Exists for win too and is also portable, or the portable version of gpg4win, I think they call it gpg4usb, so it says on my stick at least.
>GPG 1 was intended as a command line program, period. <
yes, but so where is the problem? it reads strings, it delivers others. Not much more different as original pgp was. I have still dozens of GUI for it, under w3.x there was no other solution. And all was fine then too.
I have for example still pgp2.6.3 on my old Psion. It is just recompiled exe and suitable GUI operating it. It would be very helpful, if we had one universal, rather simple to review source for the engine and this could be the ported to almost any system (mobile gadgets for example) and just get the proper GUI there depending on the system.
Otto Sykora
Basel, Switzerland
thanks for the information
Just to clear up a few things,
A) I'm not a developer or beta tester.
I also do not recommend programs with serious flaws, inadequate documentation, difficult to install or chaotic in response, or which fail to meet basic requirements for programs of their type. Acceptance by the crypto community is a particularly critical requirement for any crypto software, and to be adequately reviewed it will normally need to be open source.
gpg4usb however appears quite interesting. It is not adequately described at their site but its a zip with no install and appears to provide a front end for GPG. I substituted my GNU distribution GPG 1.4.9 (described above) and it seemed to work fine, thus eliminating security objections about gpg sourcing. It is 10 MB, which seem large for its function. Why? It emphasizes text encryption, which is easy to do and useful, and will do files (one at a time, asc armored only). I consider the file encryption options inadequate. Key management (minimum capabilities) is present. All features are limited, web description inadequate, claims to be GP but source code has not been made available for download. Conclusion: This program might be a limited version of a commercial project. Just an opinion, for what its worth. Text encryption seems to work ok. I mainly do file encryption, so.. I'll personally pass on it. Others may wish to consider it.
B) I'm familiar with US Trademark and Copyright law in the US and I am aware Switzerland has similar laws. It appears from your statements you are not fully familiar with either of these laws. Therefore, I offer the gentle suggestion, for the third time, that your associates doing "portable pgp" get some legal advice before proceeding with that project name.
C) I know of no program called "java pgp". There is a "java openpgp library" for java programmers. Please provide a url for the "java pgp".
keep calm
>I also do not recommend programs with serious flaws, inadequate documentation, difficult to install or chaotic in response, or which fail to meet basic requirements for programs of their type.<
well why not to recommend something what works and does the job? So far I could not find any serious flaws.
And well all the things we discussed here are open source, so where is the problem?
gpg4usb however appears quite interesting.
well it is side product of the gpg4win, just adapted for the portability
But yes, the functionality is very basic, that is why I rather use the winpt if needed.
>B) I'm familiar with US Trademark and Copyright law in the US and I am aware Switzerland has similar laws. It appears from your statements you are not fully familiar with either of these laws. Therefore, I offer the gentle suggestion, for the third time, that your associates doing "portable pgp" get some legal advice before proceeding with that project name.<
Yes I thing you are little bit exadurating too many things. I said there is a standard named open pgp and this is nothing the current pgp.com has property of. This is open standard and after all everybody has to know what we are talking about , so when we talk about certain encryption standard, we talk about pgp encryption, so dont search for worms where it is not necessary.
>C) I know of no program called "java pgp". There is a "java openpgp library" for java programmers. <
)
(BTW, you see how they call it?
What I mean when I talk abt java pgp is this portable pgp, which is a java application, thus works very portable, even on systems where no java is present, it can carry its own java in its own folder or installed on stick etc.
Therefore it is a nice attempt to find a portable solution for encryption.
Otto Sykora
Basel, Switzerland
Summing up. The 10% solution.
Ah, so there is no "java pgp", you just made that up in order to bolster a different mistake? OK. So now you explain, as near as I can interpret, that you were really talking about programs based on the "Java OpenPGP Library", that some folks are working on. Excellent, well that's great news.
Anyway, returning to the subject at hand, I'll do the sum up for us.
THE TEN PERCENT SOLUTION
To paraphrase Ted Sturgeon: Ninety percent of cryptography programs are crap. Of course, some love to wallow in crap, while others seek the elusive ten percent. Still others are merely trying to stay alive in a dangerous world. To each his own.
At present, having reviewed the current field 2009, I have no recommendations for PORTABLE front ends for GPG. A competent advocate might alter my view, but alas, Sturgeon's Law.
For Windows desktops I do recommend and use PGP (commercial), GPG4Win (GPL), and Axcrypt (GPL). For portable apps I use the minimal GPG (1.4.10) (see above "The solution. Portable GPG") and Axcrypt2go. These work and won't break the host machine.
Axcrypt - http://www.axantum.com/AxCrypt/
GPG4Win - http://www.gpg4win.org/
Once the above functionality is provided some additional features and various PORTABLE front-ends may be considered for the portable GPG. If you are serious about what you do, build from a solid core, and test carefully.
Good luck.
i di d not make it up
>
Ah, so there is no "java pgp", you just made that up in order to bolster a different mistake? OK. So now you explain, as near as I can interpret, that you were really talking about programs based on the "Java OpenPGP Library", that some folks are working on. Excellent, well that's great news.<
The portable pgp, in fact called ppgp, = java pgp or how can I explain more?
Did you get it and test it? It is available for long time for download on sourceforge.net, so I don't know what is the problem?
I think you might test it yourself , just for the sake of testing it, as you say, in the crypto things, the more people test and try to find bugs, the better. If you find something not clear , don't hesitate and report to the authors, they will be very pleased to check or correct what ever you find. It is java app and works therefore very portable, since you can use the same app on win, linux, and any other os , since it will use java on stick if provided, if not it will use the local installed java. It is compatible with open pgp standard.
Yes there were some problems initially, but those were of same nature as with GUI for gpg. Some strings were not rad correctly, sometimes few things got mixed up when strange task sequencies were asked etc. One advantage it has however in my oppinion: when something goes wrong, it simply not produce any output, it will simply refuse to do anything instead of doing something wrong.
you can get it from:
http://ppgp.sourceforge.net/
>For Windows desktops I do recommend and use PGP (commercial),<
yes, and here you see the problem already: it is not possible to review such software completely, only parts of the sources are published, so how can teh crypto comunity tell anything abt it. While it was ver well possible earlier, with older simple dos versions to do so, it is not possble to day any more. Therefore you would have to place this also under 'unreliable' or 'unknown status ' or what ever.
>Once the above functionality is provided some additional features and various PORTABLE front-ends may be considered for the portable GPG. If you are serious about what you do, build from a solid core, and test carefully.<
Yes, sure, but the aim of it can not be that all available only to small comunity. To became some kind of standard, you have to provide it to average computer user. Yes I know, many linux users will tell you that any kind of GUI is nonsense. But then leave the field to MS and keep hiding with all the command line things. But when it comes to spreading something to become a kind of standard, then you have to have standard self-explanatory GUI for it otherwise you 'can not sell it'.
That is why so many people want have some 'plugin' or what ever for their mail client, they simply dont want to be bothered with some complex text commands, needing to remamber this and that. Look where the pgp.com arrived now. Installing full mail proxy on users PC, this is doing all the crypto job so the user does even not notice that some crypto is taking part.
So to make people use it, you have to give them a tool they can use without long phase of memorising commands. That is why GUI frontends are here, thought some of them have limited functionality. But this limited functionality can be an advantage here, since again, the average user wants install it and run it and if he can not do so, he will delete the thing and tell you crypto is BS.
So if you have time , get this java pgp and test it, let me or the authors, (Primiano is the main guy for this) .
The fuctions are also very basic, but there is key management, you can work with text or files, sign or encrypt, will use the main algos.
OK it will not use the idea algo for example, thus not be compatible to let say pgp2.6.3, but this is also not a requirement by open pgp standard.
Otto Sykora
Basel, Switzerland
java pgp
well this is also a thing used for commercial purposes, for smart cards, some cash machines or so. Here it is just packed to a gui to enable us human to use it in a way on the screen etc.
It is not an invetion of the authors as whole, those are standard cryptographic libs used for thousands other things worldwide. Nothing proprietary behind that.
It is now full compatible to open pgp standards, few things can be made full compatible, but those are not used any more today.
I mean, when you want produce some software using let say 3DES, you will also not find out how the 3DES work in detail, just pick the generic well known source from place like coders net and make your software around it. No need to discover the wheel again and again.
Otto Sykora
Basel, Switzerland
You can give look at this
You can give look at this :
http://www.gnupt.de/wp/index.php?lang=en
and it's completely portable !