• Upgrading/changing from PGP to GnuPG for nl.*

    From Adri Verhoef@21:1/5 to All on Thu Apr 25 22:40:08 2024
    Hi, Julien invited me to join news.admin.hierarchies.

    As administrator for nl.* I'm still using PGP-2 and that doesn't seem to
    do its work anymore on a modern Fedora 40 system without 32-bit libraries.
    $ file /usr/local/bin/pgp
    /usr/local/bin/pgp: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, stripped
    $ readelf -a /usr/local/bin/pgp | grep NEEDED
    0x00000001 (NEEDED) Shared library: [libc.so.6]
    $ rpm -qa | grep i686 | wc -l
    0
    $ dnf provides /lib/libc.so.6 | grep x86_64
    glibc32-2.39-8.fc40.x86_64 : The GNU libc libraries (32-bit)

    In the past I've compiled PGP-2.6.3is myself and configured 'signcontrol' for the nl-hierarchy. It doesn't compile anymore, not necessarily a disaster, as we will see.

    Now I could go ahead and install the necessary compatible libraries for PGP, but there's also the option of moving to a more modern approach and the use of GnuPG:
    $ rpm -q gnupg2
    gnupg2-2.4.4-1.fc40.x86_64

    Before I can use GPG in the Usenet-hierarchy 'nl' I need to register its key and this is probably the first thing that I should do. Where do I do that? Before registering I also need to generate the new key. How do I do that?

    A step-by-step-approach works best for me as I don't want to make any fatal mistakes.

    The next thing to do is probably configuring a new 'signcontrol' (Perl) and getting that new 'signcontrol' to work. Julien already pointed me to https://ftp.isc.org/pub/pgpcontrol/signcontrol and there's much resemblance
    to my version from 1998. I've made some local changes there to accommodate
    a few particular needs for nl.* (in 2002). The version from 1998 is v1.6.

    From 1.9: "# -- Fix error reporting around lock files with PGP." - was that
    the error that I fixed in 2002? :-) [variable $lock vs. $pgplock]

    Adri

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Julien ÉLIE@21:1/5 to All on Fri Apr 26 12:44:59 2024
    Adding to my previous message:

    > When asked by GnuPG during the generation of the key, put the e-mail
    > address from which you will send control articles in the key ID (the
    > real name field)

    Hmm, as your current PGP-2 key uses "nl.newsgroups" as key ID, and it is
    also your current control.ctl entry ("verify-nl.newsgroups"), just keep
    that for your new key and do not use an e-mail address.

    I said that because some other control.ctl entries use an e-mail, but
    that's not the case for nl.*.

    --
    Julien ÉLIE

    « – What was your most beautiful day?
    – A night. » (Brigitte Bardot)

  • From Julien ÉLIE@21:1/5 to All on Fri Apr 26 12:18:31 2024
    Hi Adri,

    > Now I could go ahead and install the necessary compatible libraries for
    > PGP, but there's also the option of moving to a more modern approach and
    > the use of GnuPG:
    > $ rpm -q gnupg2
    > gnupg2-2.4.4-1.fc40.x86_64

    The last control article sent with your PGP-2 key dates back to 2017
    (changing the description of nl.scientology).

    I also reckon that moving to a more modern approach is the right thing
    to do, in a long-term perspective.
    It implies a change of key. As it seems that you won't be sending
    control articles in double (signed with both the old PGP-2 key and the
    new one), the drawback is that only the news servers that have imported
    your new public key will honour your control articles from now on.
    It's not critical as it may well happen that the current PGP-2 key is
    already not recognized by some (not saying most) servers carrying nl.*!



    > Before I can use GPG in the Usenet-hierarchy 'nl' I need to register its
    > key and this is probably the first thing that I should do. Where do I do
    > that? Before registering I also need to generate the new key. How do I
    > do that?
    >
    > A step-by-step-approach works best for me as I don't want to make any
    > fatal mistakes.

    About the registration of the new key in PGPKEYS at <https://ftp.isc.org/pub/pgpcontrol/> so that the subsequent control
    articles are taken into account in the ftp.isc.org active and newsgroups
    file at <https://ftp.isc.org/pub/usenet/CONFIG/>, just advertising it
    here will be enough. Russ will do the necessary stuff to integrate it
    into the software which generates the ftp.isc.org files.

    It is also time to ask for an update, if needed, of the control.ctl
    information (contact, URL) related to your hierarchy:
    http://usenet.trigofacile.com/hierarchies/nl.html


    About the generation of the new key, I would suggest a 3072-bit or
    4096-bit RSA key which *never expires*.
    (RSA is widely supported by GnuPG versions in the wild, contrary to ECDSA
    which may not be recognized by somewhat older versions.)

    When asked by GnuPG during the generation of the key, put the e-mail
    address from which you will send control articles in the key ID (the
    real name field), and leave the other fields blank, for better
    compatibility with Usenet software.

    The command I used to generate the key for fr.* is "gpg
    --full-generate-key --allow-freeform-uid", and then answer the questions
    with the above recommendations in mind.

    After having generated the private and public keys, you should export
    your PUBLIC key and make it available from the web site of your
    hierarchy, and also announce it in news.admin.hierarchies.



    > The next thing to do is probably configuring a new 'signcontrol' (Perl)
    > and getting that new 'signcontrol' to work. Julien already pointed me to
    > https://ftp.isc.org/pub/pgpcontrol/signcontrol and there's much
    > resemblance to my version from 1998.

    Sure, feel free to use this Perl version of signcontrol :)

    --
    Julien ÉLIE

    « I am neither for nor against, quite the contrary! » (Coluche)

  • From Adri Verhoef@21:1/5 to All on Fri Apr 26 17:37:34 2024
    Julien, thanks for answering. After reading your response, I spotted:

    > After having generated the private and public keys, you should export
    > your PUBLIC key and make it available from the web site of your
    > hierarchy, and also announce it in news.admin.hierarchies.

    There's a small problem: the website that we used (http://nl.news-admin.org/) exists, but it is out of date and, as far as I can tell, nobody has the keys. I also don't know what happened to it, since I'm wondering what "ausadmin" and a proposal for "aus.radio.amateur.dstar" are doing there, and when you click that last proposal you get:

    "Software error:
    Expected /home/ausadmin/vote/aus.radio.amateur.dstar/vote_start.cfg at
    /home/ausadmin/perllib/Vote.pm line 125.
    For help, please send mail to the webmaster ([no address given]), giving this
                                                 ^^^^^^^^^^^^^^^^^^
    error message and the time and date of the error."

    To give you an idea why the list of newsgroups there is somewhat out of date: "nl.actueel" is missing (created in 2015), nl.erotiek.* was removed in 2009.

    At some point in time (2011) we decided to create e-mail addresses at stack.nl instead of nic.surfnet.nl, to administrate the nl-hierarchy, but they seem to be revoked ("<nl-admin@stack.nl>: Recipient address rejected: User unknown").

    At this moment I guess we (the administrators of nl.*) don't have an official e-mail address, that is what can be concluded. The administrative role, named nl-admin, has consisted of two persons since 2007, Adri Verhoef (= me) & Johan van Selst; later on, a council was added called 'nl-raad', that consisted of five persons, including nl-admin. This was reduced to four persons in early 2022, when Bart Dinnissen stepped down for health reasons; he died later that year. Johan has an e-mail address at stack.nl, obviously he was involved in the creation of the administrative e-mail addresses at stack.nl, amongst them nl-admin and nl-raad, see http://lists.stack.nl/hyperkitty/ - deselect 'Hide inactive'
    - they are archived.

    UPDATE: Right now I am in contact with Johan again!

  • From Adri Verhoef@21:1/5 to All on Sun Apr 28 12:32:28 2024
    Julien,

    At the moment I'm testing my scripts; I've successfully configured GnuPG
    (at least I think so).

    I've added some small improvements in version 1.9 of 'signcontrol':

    106c106
    < # $use_or_add{'Oranization'} = 'YOUR_ORGANIZATION';
    ---
    # $use_or_add{'Organization'} = 'YOUR_ORGANIZATION';
    150c150
    < # set to match only hierarchies you will use it on
    ---
    # set to match only hierarchies you will use it on.

    Apart from that, I used: my $id_host = `cat ~/mailname`; in my configuration. Also, I've been playing around with signcontrol-1.9, configuring it some more, then was unsuccessful getting it to work:

    Most probably there was a need for me to add a variable "$pgphomedir" to point to the correct directory with the secret key, else I would get:
    gpg: skipped "nl.newsgroups": No secret key

    This is what I've added:

    my $pgp = "/usr/bin/gpg";
    # From the directory where signcontrol is called we need to find the secret key
    # if that key isn't situated in the homedirectory of the caller.
    my $pgphomedir = ".gnupg"; # absolute path or directory relative to current one


    However, this wasn't enough. My 'gpg' on Fedora 40, gnupg2-2.4.4-1.fc40.x86_64,
    doesn't accept the "--pgp2" parameter: gpg: invalid option "--pgp2"
  • From Julien ÉLIE@21:1/5 to All on Mon Apr 29 14:08:07 2024
    Hi Adri,

    > I've added some small improvements in version 1.9 of 'signcontrol':

    That sounds good. Hopefully it will be helpful to other news admins
    who will set it up in the future.


    > So, this is what I have now in my version of the code of 'signcontrol':
    >
    >     } elsif ($pgpstyle eq 'GPG') {
    >         if ($pgphomedir) {
    >             # we need a way to add some extra arguments
    >             @command = ($pgp, qw/--detach-sign --armor --textmode -u/, $keyid,
    >                         qw/--debug-level advanced/,
    >                         qw/--homedir/, $pgphomedir,
    >                         qw/--force-v3-sigs/);
    >         } else {
    >             @command = ($pgp, qw/--detach-sign --armor --textmode -u/, $keyid,
    >                         qw/--force-v3-sigs --pgp2/);
    >         }
    >     } else {

    Looking at the flags used by signcontrol.py, it also has:
    --emit-version --no-comments --no-escape-from-lines --no-throw-keyids

    You may wish to also use them. At least the first one (--emit-version)
    solves one of your subsequent questions.


    > | To solve the problem, you need to enable loopback pinentry mode. Add this to ~/.gnupg/gpg.conf:
    > |
    > | use-agent
    > | pinentry-mode loopback
    > |
    > | And add this to ~/.gnupg/gpg-agent.conf, creating the file if it doesn't already exist:
    > |
    > | allow-loopback-pinentry
    > |
    > | Then restart the agent with echo RELOADAGENT | gpg-connect-agent and you should be good to go!

    Indeed, this is a necessary setup if you run the script non
    interactively. Maybe you'll also need:
    --no-tty --passphrase "xxx"

    Matija Nalis, the former administrator of hr.* (Croatia), once asked for
    these flags. I don't know whether they are still required by current
    GnuPG versions.


    > X-Info: https://ftp.isc.org/pub/pgpcontrol/README.html
    > https://ftp.isc.org/pub/pgpcontrol/README

    You may want to keep one, and replace the other one with the URL of the
    website of the hierarchy.


    > Did I do this correctly?

    I think so.


    > The URL-part isn't correct yet; this is what I have now in my control.ctl:
    >
    > ## NL (Netherlands)
    > # Contact: nl-admin@stack.nl
    > # URL: http://nl.news-admin.org/info/nladmin.html
    > # Admin group: nl.newsgroups
    > # Key fingerprint: 45 20 0B D5 A1 21 EA 7C EF B2 95 6C 25 75 4D 27
    > # *PGP* See comment at top of file.
    > newgroup:*:nl.*:drop
    > rmgroup:*:nl.*:drop
    > checkgroups:nl-admin@stack.nl:nl.*:verify-nl.newsgroups
    > newgroup:nl-admin@stack.nl:nl.*:verify-nl.newsgroups
    > rmgroup:nl-admin@stack.nl:nl.*:verify-nl.newsgroups

    The official control.ctl entry will then need to be updated with this
    new information (stack.nl instead of nic.surfnet.nl).
    Also, the new key fingerprint is:
    66FB E84C 80E3 72D4 547F E921 D2F2 595D DA5A C504


    > BTW, I'm running C News. :-)

    For C News, from what I heard, it uses a file named controlperm. Does
    it also handle the control.ctl syntax? Do you confirm a valid syntax
    for controlperm would now be:

    nl any n nq
    nl any r nq
    nl nl-admin@stack.nl c pv nl.newsgroups
    nl nl-admin@stack.nl n pv nl.newsgroups
    nl nl-admin@stack.nl r pv nl.newsgroups


    > Hopefully I've done all this correctly.
    The technical part is now done.
    What will now take (a long) time is the update of the configuration of
    news servers carrying nl.*. It may be worthwhile contacting the news
    admins of the most used servers for article postings in the nl.* hierarchy.
    It is what we did for the fr.* hierarchy, after having done some stats
    about that (from the Path header fields of posts in fr.*).

    --
    Julien ÉLIE

    « Love conquers all; let us too yield to Love. » (Virgil)

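To tie together Julien's key-generation advice (RSA, never expires, a user ID that is exactly "nl.newsgroups", then export and publish the public key) and the loopback-pinentry set-up needed to sign without a terminal, here is an added example; it is not code from this thread, from signcontrol or from INN. It drives gpg from Python the way signcontrol drives it from Perl, and assumes GnuPG 2.1 or later is installed as gpg. The key ID is the one from the thread; the passphrase and the checkgroups-style text it signs are constructed for the demo. The signing flags are the ones named in the thread (--detach-sign --armor --textmode -u, plus --emit-version --no-comments --no-escape-from-lines --no-throw-keyids from signcontrol.py); --pgp2, which Adri's gpg rejects, and --force-v3-sigs, a no-op since GnuPG 2.1, are left out.

```python
"""Added example (not from the thread, signcontrol or INN): generate the
hierarchy key, export it, read its fingerprint, then sign and verify a
detached signature non-interactively.  Assumes GnuPG 2.1+ as "gpg";
PASSPHRASE and SAMPLE_ARTICLE are constructed for the demo."""
import os
import shutil
import subprocess
import tempfile

GPG = shutil.which("gpg")            # None when GnuPG is not installed
KEYID = "nl.newsgroups"              # the hierarchy's key ID, as in control.ctl
PASSPHRASE = "nl-control-demo"       # constructed; read from a file in real use
SAMPLE_ARTICLE = (                   # constructed checkgroups-style body
    "nl.newsgroups\tDiscussion about the nl.* hierarchy\n"
    "nl.actueel\tCurrent affairs in the Netherlands\n"
)


def run_gpg(args, stdin=None):
    """Run gpg; return (exit status, stdout, stderr)."""
    proc = subprocess.run([GPG, *args], input=stdin, capture_output=True)
    return proc.returncode, proc.stdout, proc.stderr


def generate_control_key(homedir):
    """Unattended generation via gpg's parameter-file format: RSA 3072,
    sign-only, never expires, UID exactly KEYID (no e-mail, no comment)."""
    params = ("Key-Type: RSA\nKey-Length: 3072\nKey-Usage: sign\n"
              f"Name-Real: {KEYID}\nExpire-Date: 0\n"
              f"Passphrase: {PASSPHRASE}\n%commit\n")
    rc, _, err = run_gpg(["--homedir", homedir, "--batch", "--quiet",
                          "--allow-freeform-uid", "--pinentry-mode", "loopback",
                          "--generate-key"], stdin=params.encode())
    if rc != 0:
        raise RuntimeError("key generation failed: " + err.decode(errors="replace"))


def export_public_key(homedir):
    """ASCII-armoured public key: the thing to publish and announce."""
    rc, out, err = run_gpg(["--homedir", homedir, "--batch", "--armor",
                            "--export", KEYID])
    if rc != 0:
        raise RuntimeError(err.decode(errors="replace"))
    return out.decode()


def key_fingerprint(homedir):
    """Primary-key fingerprint from the machine-readable (--with-colons) listing."""
    _, out, _ = run_gpg(["--homedir", homedir, "--batch", "--with-colons",
                         "--fingerprint", KEYID])
    for line in out.decode().splitlines():
        fields = line.split(":")
        if fields[0] == "fpr":           # fingerprint is the 10th field
            return fields[9]
    raise RuntimeError("no fingerprint record for " + KEYID)


def sign_detached(homedir, data):
    """Armoured detached signature made like signcontrol does, with the
    passphrase on fd 0 through loopback pinentry so no tty is needed."""
    article = os.path.join(homedir, "article")
    with open(article, "wb") as fh:
        fh.write(data)
    rc, out, err = run_gpg(
        ["--homedir", homedir, "--batch", "--yes", "--quiet",
         "--pinentry-mode", "loopback", "--passphrase-fd", "0",
         "--emit-version", "--no-comments", "--no-escape-from-lines",
         "--no-throw-keyids",
         "--detach-sign", "--armor", "--textmode", "-u", KEYID,
         "--output", "-", article],
        stdin=(PASSPHRASE + "\n").encode())
    if rc != 0:
        raise RuntimeError("signing failed: " + err.decode(errors="replace"))
    return out


def verify_detached(homedir, sig, data, expected_fpr):
    """True only for a GOOD signature made by the key with EXPECTED_FPR.
    The fingerprint comes from gpg's VALIDSIG status line; the UID is not
    trusted, since anyone can create a key whose UID says "nl.newsgroups"."""
    sigfile, datafile = os.path.join(homedir, "check.asc"), os.path.join(homedir, "check.txt")
    with open(sigfile, "wb") as fh:
        fh.write(sig)
    with open(datafile, "wb") as fh:
        fh.write(data)
    rc, out, _ = run_gpg(["--homedir", homedir, "--batch", "--status-fd", "1",
                          "--verify", sigfile, datafile])
    if rc != 0:                          # BADSIG, NO_PUBKEY, ...
        return False
    for line in out.decode().splitlines():
        parts = line.split()
        if len(parts) > 2 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return parts[2] == expected_fpr
    return False


def demo():
    """Whole cycle in a throw-away homedir; returns the checks as a dict."""
    homedir = tempfile.mkdtemp(prefix="nlkey.")
    try:
        generate_control_key(homedir)
        pub, fpr = export_public_key(homedir), key_fingerprint(homedir)
        data = SAMPLE_ARTICLE.encode()
        sig = sign_detached(homedir, data)
        return {
            "pubkey_armoured": pub.startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----"),
            "fingerprint": fpr,
            "good": verify_detached(homedir, sig, data, fpr),
            "tampered": verify_detached(homedir, sig, data + b"nl.spam\tnot ours\n", fpr),
            "wrong_key": verify_detached(homedir, sig, data, "0" * 40),
        }
    finally:
        try:                             # stop the agent started for this homedir
            subprocess.run(["gpgconf", "--homedir", homedir, "--kill", "gpg-agent"],
                           capture_output=True)
        except OSError:
            pass
        shutil.rmtree(homedir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Two things are worth keeping when adapting this. The key is referred to everywhere by its user ID, but verification compares the fingerprint reported by gpg's VALIDSIG line with the one you published, because a user ID is free text; a news server running pgpverify is in the same position and only the public key it actually imported counts. And both a modified article and a signature from a different key come back False, which is the outcome a server must see before it acts on a control message. The hard-coded passphrase is for the demo only; in a real deployment read it from a protected file or let gpg-agent hold it.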
  • From Adri Verhoef@21:1/5 to All on Mon Apr 29 19:52:50 2024
    Thanks for answering, Julien.
    For now, things have to wait.
    Last weekend was a busy one and I will be away for about a week or two.
    See you later! Thanks again.
    I have to catch my train. :-)

    Adri

  • From Adri Verhoef@21:1/5 to All on Tue May 21 15:33:39 2024
    Last month I wrote:

    > At some point in time (2011) we decided to create e-mail addresses at stack.nl
    > instead of nic.surfnet.nl, to administrate the nl-hierarchy, but they seem to
    > be revoked ("<nl-admin@stack.nl>: Recipient address rejected: User unknown").

    The official e-mail address has been reinstated, thanks to Johan van Selst (co-nl-admin, the administrative role of nl.*).

    Adri

    PS
    Sometimes it takes a few weeks before I can read news.admin.hierarchies again.

  • From Adri Verhoef@21:1/5 to All on Tue May 21 17:30:12 2024
    Julien:

    > Looking at the flags used by signcontrol.py, it also has:
    > --emit-version --no-comments --no-escape-from-lines --no-throw-keyids
    >
    > You may wish to also use them. At least the first one (--emit-version)
    > solves one of your subsequent questions.

    This works indeed, thanks. No "0.stub" needed anymore. :-)

    >> | To solve the problem, you need to enable loopback pinentry mode.

    > Indeed, this is a necessary setup if you run the script non
    > interactively. Maybe you'll also need:
    > --no-tty --passphrase "xxx"
    >
    > Matija Nalis, the former administrator of hr.* (Croatia), once asked for
    > these flags. I don't know whether they are still required by current
    > GnuPG versions.

    Thanks, it worked without these flags. :-)

    >> X-Info: https://ftp.isc.org/pub/pgpcontrol/README.html
    >> https://ftp.isc.org/pub/pgpcontrol/README
    >
    > You may want to keep one, and replace the other one with the URL of the
    > website of the hierarchy.

    Once 'our' website is reinstated, of course. :-)

    >> The URL-part isn't correct yet; this is what I have now in my control.ctl:
    >>
    >> ## NL (Netherlands)
    >> # Contact: nl-admin@stack.nl
    >> # URL: http://nl.news-admin.org/info/nladmin.html
    >> # Admin group: nl.newsgroups
    >> # Key fingerprint: 45 20 0B D5 A1 21 EA 7C EF B2 95 6C 25 75 4D 27
    >> # *PGP* See comment at top of file.
    >> newgroup:*:nl.*:drop
    >> rmgroup:*:nl.*:drop
    >> checkgroups:nl-admin@stack.nl:nl.*:verify-nl.newsgroups
    >> newgroup:nl-admin@stack.nl:nl.*:verify-nl.newsgroups
    >> rmgroup:nl-admin@stack.nl:nl.*:verify-nl.newsgroups
    >
    > The official control.ctl entry will then need to be updated with this
    > new information (stack.nl instead of nic.surfnet.nl).
    > Also, the new key fingerprint is:
    > 66FB E84C 80E3 72D4 547F E921 D2F2 595D DA5A C504

    I have updated this new key fingerprint in my local control.ctl.

    >> BTW, I'm running C News. :-)

    > For C News, from what I heard, it uses a file named controlperm. Does
    > it also handle the control.ctl syntax? Do you confirm a valid syntax
    > for controlperm would now be:
    >
    > nl any n nq
    > nl any r nq
    > nl nl-admin@stack.nl c pv nl.newsgroups
    > nl nl-admin@stack.nl n pv nl.newsgroups
    > nl nl-admin@stack.nl r pv nl.newsgroups

    It is correct that it uses a file named controlperm.

    I have only one line in controlperm:

    nl nl-admin@stack.nl nrc p nl.newsgroups

    Regarding this,
    this is what I found in /var/news/bin/ctl/{checkgroups,{new,rm}group}:

    # subject to $NEWSCTL/controlperm: four fields per line, first
    # a newsgroup pattern, second an author name (or "any"), third a set of
    # operations ("n" newgroup, "r" rmgroup, "c" checkgroups), and fourth a set of
    # flags ("p" do it iff poster's identity is pgpverified,
    # "y" do it, "n" don't, "q" don't report at all, "v" include
    # entire control message in report) (default "yv"); the "p" and "n" flags may
    # be followed by the ID of the person permitted to pgpverify;
    # the pgpverify program (not supplied) is presumed to be in $NEWSBIN

    In the meantime, I've downloaded the latest version of pgpverify (1.30) from https://ftp.isc.org/pub/pgpcontrol/pgpverify, but the version that goes with
    my operating system (Fedora 40), /usr/libexec/news/pgpverify from INN-2.7.1, says it is version 1.31. So what is going on here?

    They are dated:
    # Version 1.30, 2018-01-21
    # Version 1.31, 2022-06-12

    # Changes from 1.30 -> 1.31
    # -- Add a $gpg_has_allow_weak_digest_algos_flag variable to specify whether
    # gpg supports the --allow-weak-digest-algos flag. This variable will
    # be overriden by INN::Config, if used. GnuPG 1.4.20 and 2.0.23 introduced
    # this flag, necessary to verify the signatures of old PGP keys still in
    # use for some hierarchies.
    # -- Using at least GnuPG 1.4.20 or 2.1.0 is no longer required; this version
    # of pgpverify will still work with previous versions of GnuPG. However,
    # only GnuPG 1.x and 2.0.x will be able to validate signatures made with
    # old PGP keys.

    Adri

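The control.ctl entry quoted in this post (and the C News controlperm line with its "p nl.newsgroups" flag, which expresses the same rule in a different syntax) decides what a news server does with a control message for nl.*. Here is an added example, not code from the thread or from INN, that evaluates that entry so the effect of line order and of the "verify-" action is visible. Facts relied on about INN's control.ctl format: each line is message:from-pattern:newsgroups-pattern:action, the patterns are wildmats, and the last matching line wins. Approximations, labelled as such in the code: wildmats are handled with fnmatch (enough for "*" and "nl.*"), the From address is compared case-insensitively, and only the actions appearing on this page (drop, doit, verify-<keyid>) are modelled. The control messages it runs are constructed; the two fingerprints are the ones quoted in the thread.

```python
"""Added example (not from the thread or INN): evaluate the nl.* control.ctl
entry.  Approximations: fnmatch for wildmat, case-insensitive From match,
only drop/doit/verify- actions.  Sample messages are constructed."""
import fnmatch

# The nl.* entry as posted, trimmed to the lines the evaluator needs.
CONTROL_CTL = """\
## NL (Netherlands)
# Contact: nl-admin@stack.nl
# Admin group: nl.newsgroups
newgroup:*:nl.*:drop
rmgroup:*:nl.*:drop
checkgroups:nl-admin@stack.nl:nl.*:verify-nl.newsgroups
newgroup:nl-admin@stack.nl:nl.*:verify-nl.newsgroups
rmgroup:nl-admin@stack.nl:nl.*:verify-nl.newsgroups
"""


def parse_control_ctl(text):
    """Return entries as (message, from_pat, groups_pat, action), in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"control.ctl line {lineno}: expected 4 fields, got {raw!r}")
        rules.append(tuple(fields))
    return rules


def select_action(rules, message, sender, newsgroup):
    """Action of the LAST matching entry, or None when nothing matches.

    sender is the From address (compared case-insensitively here), newsgroup
    the group the message applies to.  Because the last match wins, the
    catch-all 'drop' lines have to come BEFORE the 'verify-' lines."""
    chosen = None
    for msg, from_pat, groups_pat, action in rules:
        if (msg == message
                and fnmatch.fnmatchcase(sender.lower(), from_pat.lower())
                and fnmatch.fnmatchcase(newsgroup, groups_pat)):
            chosen = action
    return chosen


def honour(action, signer_keyid=None):
    """Whether the server performs the control message.

    signer_keyid is the key ID pgpverify reported for a GOOD signature, or
    None if the message was unsigned or its signature did not verify.  A
    'verify-X' entry is honoured only when X signed it: the From address the
    pattern matched is trivially forged and proves nothing by itself."""
    if action is None or action == "drop":
        return False
    if action == "doit":
        return True
    if action.startswith("verify-"):
        return signer_keyid is not None and signer_keyid == action[len("verify-"):]
    raise ValueError(f"action not modelled in this example: {action!r}")


def fingerprint_kind(fpr):
    """Classify a fingerprint as written in the control.ctl comments: 32 hex
    digits (16 bytes) is a PGP 2 / v3 MD5 fingerprint, 40 hex digits (20
    bytes) a v4 SHA-1 fingerprint.  Returns (kind, normalised hex)."""
    hexstr = "".join(fpr.split()).upper()
    int(hexstr, 16)                      # ValueError on non-hex input
    kinds = {32: "v3", 40: "v4"}
    if len(hexstr) not in kinds:
        raise ValueError(f"unexpected fingerprint length {len(hexstr)}")
    return kinds[len(hexstr)], hexstr


RULES = parse_control_ctl(CONTROL_CTL)


def demo():
    """Constructed control messages run against the nl.* entry."""
    nl_key = "nl.newsgroups"             # key ID pgpverify would report
    admin = "nl-admin@stack.nl"
    return {
        # From does not match the verify- line, so only the drop line applies
        "stranger_newgroup": honour(select_action(RULES, "newgroup", "someone@example.invalid", "nl.actueel"), nl_key),
        # right From, no valid signature: verify- is not satisfied
        "unsigned_newgroup": honour(select_action(RULES, "newgroup", admin, "nl.actueel"), None),
        # right From (case differs) and signed by the hierarchy key
        "signed_newgroup": honour(select_action(RULES, "newgroup", "NL-Admin@stack.nl", "nl.actueel"), nl_key),
        # right From, signed by some other key (constructed ID)
        "other_key_newgroup": honour(select_action(RULES, "newgroup", admin, "nl.actueel"), "some.other.key"),
        # not in nl.*: this entry says nothing about it
        "outside_hierarchy": select_action(RULES, "newgroup", admin, "de.test"),
        "signed_checkgroups": honour(select_action(RULES, "checkgroups", admin, "nl.newsgroups"), nl_key),
        # the same lines in the opposite order: the drop lines would win
        "drop_lines_last": honour(select_action(list(reversed(RULES)), "newgroup", admin, "nl.actueel"), nl_key),
        "old_fingerprint": fingerprint_kind("45 20 0B D5 A1 21 EA 7C EF B2 95 6C 25 75 4D 27")[0],
        "new_fingerprint": fingerprint_kind("66FB E84C 80E3 72D4 547F E921 D2F2 595D DA5A C504")[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "drop_lines_last" case is the one to remember when editing a control.ctl by hand: the two drop lines and the three verify- lines match the same messages, so swapping their order silently disables nl-admin's control messages. The fingerprint helper only tells the two formats apart; the 16-byte one in the old comment is the PGP 2 key being retired, the 20-byte one is the new GnuPG key, and a server that still lists the old one will not recognise the new key until its control.ctl and keyring are updated, which is the slow part Julien describes.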
  • From Julien ÉLIE@21:1/5 to All on Wed May 22 18:07:30 2024
    Hi Adri,

    >> For C News, from what I heard, it uses a file named controlperm.
    >> Do you confirm a valid syntax for controlperm would now be:
    >>
    >> nl nl-admin@stack.nl c pv nl.newsgroups
    >> nl nl-admin@stack.nl n pv nl.newsgroups
    >> nl nl-admin@stack.nl r pv nl.newsgroups

    > I have only one line in controlperm:
    >
    > nl nl-admin@stack.nl nrc p nl.newsgroups

    > Regarding this,
    > this is what I found in /var/news/bin/ctl/{checkgroups,{new,rm}group}:
    >
    > # subject to $NEWSCTL/controlperm: four fields per line, first
    > # a newsgroup pattern, second an author name (or "any"), third a set of
    > # operations ("n" newgroup, "r" rmgroup, "c" checkgroups), and fourth a set of
    > # flags ("p" do it iff poster's identity is pgpverified,
    > # "y" do it, "n" don't, "q" don't report at all, "v" include
    > # entire control message in report) (default "yv"); the "p" and "n" flags may
    > # be followed by the ID of the person permitted to pgpverify;
    > # the pgpverify program (not supplied) is presumed to be in $NEWSBIN

    Thanks for this valuable information.



    > In the meantime, I've downloaded the latest version of pgpverify (1.30) from
    > https://ftp.isc.org/pub/pgpcontrol/pgpverify, but the version that goes with
    > my operating system (Fedora 40), /usr/libexec/news/pgpverify from INN-2.7.1,
    > says it is version 1.31. So what is going on here?
    >
    > They are dated:
    > # Version 1.30, 2018-01-21
    > # Version 1.31, 2022-06-12
    >
    > # Changes from 1.30 -> 1.31
    > # -- Add a $gpg_has_allow_weak_digest_algos_flag variable to specify whether
    > # gpg supports the --allow-weak-digest-algos flag. This variable will
    > # be overriden by INN::Config, if used. GnuPG 1.4.20 and 2.0.23 introduced
    > # this flag, necessary to verify the signatures of old PGP keys still in
    > # use for some hierarchies.
    > # -- Using at least GnuPG 1.4.20 or 2.1.0 is no longer required; this version
    > # of pgpverify will still work with previous versions of GnuPG. However,
    > # only GnuPG 1.x and 2.0.x will be able to validate signatures made with
    > # old PGP keys.

    Version 1.31 included in INN 2.7.0 and 2.7.1 is the latest one. It just
    had not been reflected upstream yet. It will probably be done along
    with the next update of ftp.isc.org stuff with your new key for nl.* :)

    --
    Julien ÉLIE

    « Have you noticed that, at the table, the dishes you are served put
    words in your mouth? » (Raymond Devos)
