Monday, January 18, 2016

Fix for Unable to verify GPG Signatures

I've used GPG in some capacity for many years, but not enough to ever really be comfortable with it at the command line. Recently, I've had a rough time getting trust configured properly so I could verify some file signatures, and found the solution to an issue that has haunted me for some time.

After moving to a new PC and importing my existing keys, even after verifying fingerprints, trusting, and signing the public key I needed to verify a signature with, GPG just would not verify signatures. Below I'm trying to verify the signature of the latest PuTTY release as of this post:

C:\test>gpg --verify
gpg: Signature made 11/07/15 05:28:00 Eastern Standard Time using RSA key ID B43434E4
gpg: Good signature from "PuTTY Releases " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0054 DDAA 8ADA 15D2 768A  6DE7 9DFE 2648 B434 34E4

But I trust it! I signed it! I tediously verified the fingerprint from multiple sources! Why do you still not know it belongs to them?!

A look at gpg --list-keys has the answer:

C:\test>gpg --list-keys
pub   2048R/D34D1337 2011-09-21 [expires: 2018-06-13]
uid       [ unknown] Joshua McKinnon

pub   4096R/29C17558 2013-12-29
uid       [ unknown] Steffen Land (Apache Lounge)
sub   4096R/BC11F6FE 2013-12-29

pub   2048R/B43434E4 2015-08-31 [expires: 2018-08-30]
uid       [ unknown] PuTTY Releases

That's not right! My own key is unknown, even though it's the first key I imported, has a matching private key and everything. I was so focused on the other certs I wanted to trust, I didn't see that GPG didn't even trust my _OWN_ cert. The chain of unknown -> something else stays unknown. Now, I don't know why this happened (aside from a possible BUG), but the circumstances have occurred on 2 or more computers. I manage and import my certificates with Kleopatra on Windows, so it's possible that when you re-import your existing private key on a new computer, it does not set trust even though it should - it certainly appears this way, but I have not tried to reproduce this again yet. Creating a new key does set trust of that key to ultimate, as expected. (If you don't trust yourself, you've got bigger problems ;)

Let's fix it:

C:\test>gpg --edit-key
gpg (GnuPG) 2.0.26; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  2048R/D34D1337 created: 2011-09-21  expires: 2018-06-13  usage: SCE
                     trust: unknown       validity: unknown
[ unknown] (1). Joshua McKinnon

gpg> trust
pub  2048R/D34D1337 created: 2011-09-21  expires: 2018-06-13  usage: SCE
                     trust: unknown       validity: unknown
[ unknown] (1). Joshua McKinnon

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

Now let's look at it again:

C:\test>gpg --verify
gpg: Signature made 11/07/15 05:28:00 Eastern Standard Time using RSA key ID B43434E4
gpg: Good signature from "PuTTY Releases " [full]

That's more like it. Now that my own key is trusted, the chain of trust from me verifying and signing other certificates is properly passed down. Now I can extract and begin using this version of PuTTY.

This could also be fixed in the Kleopatra GUI, and in fact, if you right click your own Certificate and choose "Change Owner Trust", in the situation I found myself in, _nothing_ was selected, despite the only valid option being "This is my certificate". That's what I noticed before I saw the "unknown" in my own cert at the command line, which I had glazed over initially. This probably re-affirms that this is a bug.
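The check I now wish I had run first, as an added example that is not part of the original post: parse the machine-readable output of gpg --list-keys --with-colons and gpg --list-secret-keys --with-colons, flag any key whose secret key is present but whose ownertrust is not ultimate (the exact state shown above), and emit the lines gpg --import-ownertrust accepts to fix it. The sample listings are constructed; the long key ID and fingerprint for my own key are placeholders, the PuTTY fingerprint is the one printed above.

```python
"""Flag keys we hold the secret key for whose ownertrust is not ultimate,
and produce the `gpg --import-ownertrust` lines that set it. Added example;
sample listings are constructed with placeholder IDs for the author's key."""

ULTIMATE = "6"  # --export/--import-ownertrust values: 2 undefined, 3 never, 4 marginal, 5 full, 6 ultimate

def parse_colon_listing(text):
    """One dict per primary key (pub/sec record): keyid, validity, ownertrust, fingerprint, uids."""
    keys, cur = [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sec"):  # field 2 = validity, field 5 = key ID, field 9 = ownertrust
            cur = {"keyid": f[4], "validity": f[1], "ownertrust": f[8], "fingerprint": None, "uids": []}
            keys.append(cur)
        elif f[0] == "fpr" and cur and cur["fingerprint"] is None:
            cur["fingerprint"] = f[9]  # first fpr record after pub/sec belongs to the primary key
        elif f[0] == "uid" and cur:
            cur["uids"].append(f[9])  # field 10 = user ID string
    return keys

def untrusted_own_keys(public_listing, secret_listing):
    """Keys present in the secret keyring whose ownertrust is anything except ultimate ('u')."""
    secret_ids = {k["keyid"] for k in parse_colon_listing(secret_listing)}
    return [k for k in parse_colon_listing(public_listing)
            if k["keyid"] in secret_ids and k["ownertrust"] != "u"]

def ownertrust_fix_lines(keys):
    """Lines in `gpg --import-ownertrust` format: <fingerprint>:6: means ultimate trust."""
    return [f"{k['fingerprint']}:{ULTIMATE}:" for k in keys]

# Constructed sample mirroring the post's keyring: the author's key (placeholder long ID and
# fingerprint) has ownertrust '-' (not set); the PuTTY key's fingerprint is the one the post prints.
SAMPLE_PUBLIC = """\
pub:-:2048:1:ABCDEF01D34D1337:1316563200:1528848000::-:::scESC:
fpr:::::::::111122223333444455556666ABCDEF01D34D1337:
uid:-::::1316563200::0000::Joshua McKinnon:
pub:-:2048:1:9DFE2648B43434E4:1440979200:1535587200::-:::scESC:
fpr:::::::::0054DDAA8ADA15D2768A6DE79DFE2648B43434E4:
uid:-::::1440979200::0000::PuTTY Releases:
"""
SAMPLE_SECRET = """\
sec:-:2048:1:ABCDEF01D34D1337:1316563200:1528848000::-:::scESC:
fpr:::::::::111122223333444455556666ABCDEF01D34D1337:
uid:-::::1316563200::0000::Joshua McKinnon:
"""

if __name__ == "__main__":
    for line in ownertrust_fix_lines(untrusted_own_keys(SAMPLE_PUBLIC, SAMPLE_SECRET)):
        print(line)  # pipe this output into: gpg --import-ownertrust
```

On GnuPG 2.0.x (the version in the transcript above) add --with-fingerprint to both list commands so the fpr records are emitted; 2.1 and later include them with --with-colons by default.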

Hopefully this post helps at least 1 person figure out how to properly verify a GPG signature...even if that person is a just a future version of me.

Tuesday, March 4, 2014

Enabling Remote Volume Management with PowerShell

I run a build server that's fully virtualized using Microsoft Hyper-V Server 2012 Standalone, and I'm in the process of upgrading to Hyper-V 2012 R2.

One step I've always had to do is to enable Remote Volume Management. I could probably do this in AD, but old habits die hard.

I went into "netsh advfirewall" on the new server and it gave me a message:

In future versions of Windows, Microsoft might remove the Netsh functionality
for Windows Firewall with Advanced Security.

Microsoft recommends that you transition to Windows PowerShell if you currently
use netsh to configure and manage Windows Firewall with Advanced Security.

Type Get-Command -Module NetSecurity at the Windows PowerShell prompt to view
a list of commands to manage Windows Firewall with Advanced Security.

Visit for additional information
about PowerShell commands for Windows Firewall with Advanced Security.

Certainly, there must be a way to do this with PowerShell.

My translation of the trusty:
netsh advfirewall firewall set rule group="Remote Volume Management" new enable=yes

Is the following:

Get-NetFirewallRule -DisplayGroup "Remote Volume Management" | Set-NetFirewallRule -Enabled True

Wednesday, November 6, 2013

PowerShell script for finding iOS 6.1 devices using ActiveSync your Exchange server

NOTE: I originally wrote but never finished this entry back in February, when iOS 6.1 came out.

iOS 6.1, released earlier this month (in February) (and also 6.1.1), had a fairly severe bug in how it interacts with Exchange 2010 SP1 and later. This is documented by both Apple and Microsoft. This caused Exchange logs to grow very quickly, as well as additional CPU load and memory use.

My Exchange deployment is fairly small, 75 users. Even still, I took a look and was surprised just how fast our logs were growing. About 1/2 GB per hour with only 10-15 devices on iOS 6.1, and I'm not even sure all of them were causing the problem.

I decided to take this opportunity to see if I could use PowerShell to find a list of users with iOS devices running version 6.1. A quick search, and some simple filtering, and here's a one-liner that can be run from the Exchange Management Shell (EMS) in Exchange 2010. Note this cmdlet will not work in Exchange 2007.

Get-ActiveSyncDevice | Where-Object -FilterScript {$_.DeviceUserAgent -like "Apple*" -and $_.DeviceOS -like "iOS 6.1 *"} | Sort-Object UserDisplayName | Format-Table DeviceType,DeviceOS,FriendlyName,UserDisplayName -AutoSize

I chose to sort by UserDisplayName, the best user-identifying field I could find on an Object returned by Get-ActiveSyncDevice, since some users have an iPad and iPhone. I'm sure someone with better PowerShell-fu could pipe this to something that would spit out a list of email addresses, or maybe even send out an email to upgrade.

This allowed me to inform only those users causing the problem, rather than the whole company. It also enabled me to easily verify once everyone had updated.

PowerShell rocks. Haven't used it? I strongly suggest checking out the following on Microsoft Virtual Academy:
- Getting Started With PowerShell 3.0 Jump Start
- Advanced Tools Scripting with PowerShell 3.0 Jump Start

The first series starts off a little slow for experienced command shell users, but these videos are well worth your time (as is learning PowerShell).

Tuesday, March 27, 2012

A quick openvpn "oops" moment

I learned a quick, silly lesson today. I run some servers that tunnel using openvpn to facilitate our single sign on. I've migrated one before, and at the time, I foolishly did not create a new certificate/key pair for the new server and re-used the old one. During the point of the migration where I had both servers online at once, the two openvpn clients kept fighting - one connected, the other disconnected, and so forth, until I figured it out.

This time - I did things right - I generated a new certificate. HOWEVER, the subjects of the certificates were still the same, so they were being assigned the same IP address. This caused basically the same situation. Fortunately this time I was a bit quicker to realize. Make sure you differentiate your subject names when using openvpn. In general, you would already be doing this, but in the case of moving a server hosting a given domain from one box to another, since the domain name being served is the same there is an inclination to just type the same domain name in...don't do it. Make sure it's unique. Thanks for the forum post which led to my answer, Jan Just Keijser!

I'm not sure if just the OU or CN must be different, or if both should be different. I erred on the side of caution and made sure both were distinct. I falsely assumed only the certificate itself had to be unique, but that's not the case.

This is a self-reminder blog post / post of shame. DOH!

Tuesday, March 20, 2012

World Time Buddy - an awesome timezone website

As the company I work for grows and has more users in remote areas of the globe, knowing what time it is for everyone gets tricky. We're in the US on the East Coast, but have employees in California, Hawaii, Germany, France, India, Ukraine, and other locations. A very simple site I found that does the best job I've seen is - hands down.

Here is a sample of one I configured in around a minute and then bookmarked and shared:

I couldn't get a larger image to work well in this theme so to see this for yourself use this link.

It may not have the fanciest name or super sleek graphics, but its display of information is amazing. Above we see that:
  • It displays current times clearly for all timezones I care about in an easy to read/compare way.
    • Everything is vertically aligned with readable values for easy comparison
    • I see whole-hour times for a 24 hour period
    • I see current exact times
    • I see offsets (+4, -6, etc) from my home time zone
    • It shows the current date in each time zone in an easy to follow way
    • It shows business hours, night hours, and late night hours in different colors
  • It alerts me to upcoming time changes - in this case, Europe's daylight savings equivalent happens 4 days from now
  • I can remove a timezone I no longer need with one mouseclick
  • I can change my home timezone with one mouseclick
  • Not visible in the above screenshot, but visible with the mouse cursor is the ability to drag and drop re-order timezones in any way I choose. I put mine in ascending order, but that isn't enforced, it was my preference.
  • I can click link icon in the top right corner to get a link to the site containing my customizations, easily bookmarkable and shareable with coworkers.
  • New timezones can be added by using an autocompletable field (just start typing a city or country name)
I love the simple yet useful way it displays the timezones. If there is one area for improvement it would be a customized interface for mobile devices - you get the same, full webpage from a mobile device. It's still usable but the hover-able timeline does not work. Since it displays all of the hours it isn't strictly necessary, as you can still see the same information; it just doesn't give it that extra focus if you want to pick a time for a meeting for people in vastly different timezones.

If you deal with multiple time zones a lot, definitely check out World Time Buddy.

Thursday, January 26, 2012

How to Ruin a Perfectly Good Evening

Open your brand new SSD (Samsung 830 series 128GB)

Marvel with excitement at the iPhone-like packaging and eagerly image your old drive (Intel 80GB G1 SSD) onto the new one with Clonezilla - 15 mins and booted into Windows 7 on the new SSD. This is where I should have stopped - oh what a fool I was to continue.

Side-track to find out why PC basically hangs for 1-2 mins after login and discover it is Microsoft Security Essentials misbehaving - story for another day - 20 mins ...

Everything has gone smoothly so far - run AS SSD and ogle the new benchmark numbers. Uh oh. offset 31K bad? Great. I recall that I never fixed this on my Intel SSD and that is why, so I foolishly decide to try and fix it. I find an answer at lifehacker.

Download GParted and install on my trusty multiboot USB drive - I actually already had a GParted livecd on there but decided to throw Parted Magic on there to see what that was like.

Create a Windows 7 Repair Disc (directly from my copy of Windows 7 Home Premium I'm running at home). Wait, no, side-track and test out lightscribe to make a fun label for it first.

Discover that lightscribe software service needs to update. Do that. Find a label maker software - oh, already had one in some software suite - great. Hmm, it won't let me select my CDRW as my lightscribe will apparently only accept the lowest lettered optical disc drive. Wow. That's good engineering (Cyberlink LabelPrint). Re-map drive names so DVDRW drive comes first. Burn lightscribe label - remember why I haven't burned a lightscribe label in 6 years - because it takes way too long. Finally, let Windows create/burn a windows 7 repair disc.

Boot into Parted Magic and shift my partition forward a few MB, wait 15 mins, then shift back 1 MB, per Lifehacker instructions. Success - now, Windows will no longer boot because it's confused. (This is expected)

Boot up my freshly burned Windows 7 repair disc. I'm greeted with the following:

The windows recovery disc I burned from the copy of windows I am trying to repair is incompatible with itself. Yes, that's right - incompatible with itself.

Do some quick searches and come up short. Decide screw it - I'll just reinstall Windows 7 on my SSD. Insert my Windows 7 Upgrade DVD (Family Pack - likely the source of all my pain!) Format the drive, select it - realize that Windows 7 RTM does not create "100MB" partition which has possible side-effect of aligning partition properly (same issue w/ original SSD install I think...). Decide to try and manually create partitions back in GParted and then let Windows 7 try to install.

Nope - Windows 7 will not install on it. Error 80300024. Excellent. No real useful info found.

Remove fancy new SSD and put back in old Intel one. Admit defeat for now.

4 hours after I started - blog about it, back at square one.

Thursday, November 3, 2011

20 Years of VIM

VIM has now been out for 20 years. Ars has a nice article on it. It is my editor of choice on *nix based systems, but things weren't always that way. I remember when I first used vim (it may have even been an earlier clone, but probably not vi itself), I hated it - it didn't make any sense. I was in high school at the time, probably 14 years old. At the time I used pico since it was similar to MSDOS' EDIT.

It wasn't until I was in college that I truly got an appreciation for vim. I saw one of my professors using it to write code, and he was so incredibly fast it amazed me. It got me interested in how to use vim. Once you take the time to learn a few things about how it works, it's very useful. I still am a vim novice: I know enough to "miss" certain features when I am not using vim, but not enough to be a jedi master of vim (I'm a long ways away from that).

I'm going to take this anniversary as an opportunity to learn some new tricks in VIM. I wouldn't be surprised if I sum up some of the most frequent commands I use in a future post.

While I don't think software should generally have a steep learning curve, in the context of an editor for highly technical users, it makes sense to invest your time really learning an editor. The Pragmatic Programmer tells us to Use A Single Editor Well for a reason - there are real productivity benefits. I'm curious how many users take the time to learn an advanced editor like vim, emacs, or the ins and outs of something like Textmate.

I think being under active development after 20 years is a pretty awesome accomplishment in software. How many projects have that kind of life span these days? A toast to you, VIM! To another 20 years of active development!