Hi,

I recently determined that I should resume issuing regular checkgroup
control messages for eternal-september.* and also give signcontrol.py
a try, so I downloaded signcontrol.py V 1.5.1 and create a signcontrol.conf
for the Eternal-September environment. Unfortunately, signcontrol.py complained about being unable to find the secret key for ID "=[email protected]",
which was correct as the actual ID contained in secring.gpg and configured in signcontrol.conf is "[email protected]" (without the equal sign).

In signcontrol.py, I found the origin of the stray "=" prepended to the key ID:

| if passphrase:
| os.system(
| config["PROGRAM_GPG"]
| + " --emit-version --no-comments --no-escape-from-lines"
| ' --no-throw-keyids --armor --detach-sign --local-user "='
| + config["ID"] ^^^^^^^^^^^^^^^^
| + '" --no-tty --passphrase "'
| + passphrase
| + '" --output '
| + file_message
| + ".pgp "
| + flag
| + " "
| + file_message
| + ".txt"
| )
| else:
| os.system(
| config["PROGRAM_GPG"]
| + " --emit-version --no-comments --no-escape-from-lines"
| ' --no-throw-keyids --armor --detach-sign --local-user "='
| + config["ID"] ^^^^^^^^^^^^^^^^
| + '" --output '
| + file_message
| + ".pgp "
| + flag
| + " "
| + file_message
| + ".txt"
| )

The same problem exists in signcontrol,py V 1.5.0

I checked the man pages for all versions of GnuPG that exist on the Eternal-September and --local-user is documented as an option in all
of them, i.e. "--local-user [email protected]".

Is there actually a version of GnuPG that understands "--local-user=[email protected]"
or is this just a typo that went unnoticed until now?

Are there any other users of signcontrol.py except Julien Èlie for fr.*
and what PGP/GPG versions do you use?

TIA

--
Пу́тін — хуйло́
https://www.eternal-september.org

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Op 16-7-2025 om 19:28 schreef Ray Banana:

Are there any other users of signcontrol.py except Julien Èlie for fr.*
and what PGP/GPG versions do you use?

TIA

Just tested it and here signcontrol.py works fine.

ctjacobs@AcervanChris:~$ gpg --version
gpg (GnuPG) 2.4.4
libgcrypt 1.10.3
Copyright (C) 2024 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/ctjacobs/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Ray Banana <[email protected]> writes:

In signcontrol.py, I found the origin of the stray "=" prepended to the key ID:

| if passphrase:
| os.system(
| config["PROGRAM_GPG"]
| + " --emit-version --no-comments --no-escape-from-lines"
| ' --no-throw-keyids --armor --detach-sign --local-user "='
| + config["ID"] ^^^^^^^^^^^^^^^^
| + '" --no-tty --passphrase "'
| + passphrase
| + '" --output '
| + file_message
| + ".pgp "
| + flag
| + " "
| + file_message
| + ".txt"
| )
| else:
| os.system(
| config["PROGRAM_GPG"]
| + " --emit-version --no-comments --no-escape-from-lines"
| ' --no-throw-keyids --armor --detach-sign --local-user "='
| + config["ID"] ^^^^^^^^^^^^^^^^
| + '" --output '
| + file_message
| + ".pgp "
| + flag
| + " "
| + file_message
| + ".txt"
| )

The same problem exists in signcontrol,py V 1.5.0

I checked the man pages for all versions of GnuPG that exist on the Eternal-September and --local-user is documented as an option in all
of them, i.e. "--local-user [email protected]".

Is there actually a version of GnuPG that understands "--local-user=[email protected]"
or is this just a typo that went unnoticed until now?

The problem is the combination of ‘=’ and ‘ ‘. Either will work, but not
both.

The bug was introduced in commit d59c843f3259. The change was from
‘-u ID’ to ‘--local-user =ID’, when it should be either ‘--local=user=ID’ or ‘--local-user ID’.

--
https://www.greenend.org.uk/rjk/

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Ray,

I recently determined that I should resume issuing regular checkgroup
control messages for eternal-september.* and also give signcontrol.py
a try, so I downloaded signcontrol.py V 1.5.1 and create a signcontrol.conf for the Eternal-September environment. Unfortunately, signcontrol.py complained
about being unable to find the secret key for ID "=[email protected]",
which was correct as the actual ID contained in secring.gpg and configured in signcontrol.conf is "[email protected]" (without the equal sign).

Are you sure the ID is [email protected] and not [email protected] as mentioned in https://www.eternal-september.org/control/pgpkey.txt?

control.ctl entries also use [email protected]:

newgroup:*:eternal-september.*:drop
rmgroup:*:eternal-september.*:drop checkgroups:[email protected]:eternal-september.*:[email protected]
newgroup:[email protected]:eternal-september.*:[email protected]
rmgroup:[email protected]:eternal-september.*:[email protected]

In signcontrol.py, I found the origin of the stray "=" prepended to the key ID

Yes, that's normal. See my response to Richard.

Are there any other users of signcontrol.py except Julien Èlie for fr.*
and what PGP/GPG versions do you use?

I know that rocksolid.* used to use it, as well as dictator.*,
grisbi.*., hispagatos.*, hr.*, openwatcom.*, triangle.* and redatomik.*.
Most of them are no longer active...

--
Julien ÉLIE

« I had some words with my wife, and she had some paragraphs with me. »
(Sigmund Freud)

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

* Julien ÉLIE wrote:

Are you sure the ID is [email protected] and not [email protected] as mentioned in https://www.eternal-september.org/control/pgpkey.txt?

_________________________________________________________
/
| Type Bits/KeyID Date User ID
| pub 1024/E7AF34AD 2010/01/02 [email protected]
|
| -----BEGIN PGP PUBLIC KEY BLOCK-----
| Version: 2.6.3ia
\________________________________________________________

I wasn't aware of this old file :-(

control.ctl entries also use [email protected]:

newgroup:*:eternal-september.*:drop
rmgroup:*:eternal-september.*:drop checkgroups:[email protected]:eternal-september.*:[email protected]
newgroup:[email protected]:eternal-september.*:[email protected]
rmgroup:[email protected]:eternal-september.*:[email protected]

Where did you get the link to the key and the control.ctl entry from?
The new PGP keys use GnuPG 2.x and there are separate keys for different purposes
(NoCem, control messages).

Thanks to your detailed explanations in your reply to Richard I was able to sort things out and now signcontrol works as expected.

--
Пу́тін — хуйло́
https://www.eternal-september.org

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Wolfgang,

Where did you get the link to the key and the control.ctl entry from?
The new PGP keys use GnuPG 2.x and there are separate keys for different purposes
(NoCem, control messages).

It was added in January 2010:

https://github.com/rra/control-archive/commit/4781fd1587147bea2a22bf7bfdd4b7fe63de298f


Looking at what happened near that time in news.admin.hierarchies, I
found out:
https://groups.google.com/g/news.admin.hierarchies/c/hCFUMgU4s3M

There's a message from you on January, 2nd in that thread :-)



Should your new key be declared in control.ctl and PGPKEYS?

https://www.eternal-september.org/control-eternal-september.asc

pub rsa4096 2025-07-16 [SC]
17A7E98E3038BE35428F30E4F53C21EEF3D2EA49
uid [ inconnue] Control <[email protected]>

Thanks to your detailed explanations in your reply to Richard I was able to sort things out and now signcontrol works as expected.

Looks like the expected flag was "=Control <[email protected]>".

Beware that modern versions of INN cope with UIDs containing spaces but
other legacy news servers may not.
Rationale in Section 3 of:
https://www.eyrie.org/~eagle/faqs/usenet-hier.html

--
Julien ÉLIE

« Love is blind but marriage is an eye-opener. »

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, 17 Jul 2025 20:23:57 +0200, Julien �LIE <[email protected]d> wrote:

Hi Wolfgang,

Where did you get the link to the key and the control.ctl entry from?
The new PGP keys use GnuPG 2.x and there are separate keys for different purposes
(NoCem, control messages).

It was added in January 2010: >https://github.com/rra/control-archive/commit/4781fd1587147bea2a22bf7bfdd4b7fe63de298f
Looking at what happened near that time in news.admin.hierarchies, I
found out:
https://groups.google.com/g/news.admin.hierarchies/c/hCFUMgU4s3M
There's a message from you on January, 2nd in that thread :-)

<[email protected]> (for those who prefer using nntp servers)

nothing to do with your technical discussion, but since this is an unmoderated usenet newsgroup where anyone could be reading, i was only browsing this group out of curiosity (most groups tend to be either fairly quiet, or troll-flooded, or both, many are for trolls-only)...but i did notice this recent announcement:

From: Colin Macleod <[email protected]d>
Newsgroups: rocksolid.nodes.help,news.admin.peering
Subject: Re: ** ANNOUNCEMENT: First go-pugleaf Node Online **
Date: Wed, 16 Jul 2025 16:32:55 GMT
Message-ID: <[email protected]>
...
You might like to know that I'm currently working on improving the archive >search facility of my newsgrouper.org site so that you will be able to
send links to articles/threads found via search to other people. These
will be viewable without registration.

don't know, but maybe something like the "howardknight" message id look-up?

https://al.howardknight.net/ http://al.howardknight.net/?STYPE=msgid&MSGI=<[email protected]>

too old for h.k.? but blueworld goes back ~21 years, so newsgrouper has it:

https://newsgrouper.org/
https://newsgrouper.org/msgid

From: Ray Banana <[email protected]>
Newsgroups: news.admin.hierarchies
Subject: Re: control-archive 1.2.0 released
Date: Sat, 02 Jan 2010 11:47:10 +0100

hopefully, newsgrouper (which works great, by the way) will enable this direct-link style for message id reference ("google" was a comic strip)

also, could this new "pugleaf.net" become more like the old "rocksolid",
but maybe even better, with expanded newsgroups, and more functionality?

http://al.howardknight.net/?STYPE=msgid&MSGI=<[email protected]>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Thus spake Julien ÉLIE <[email protected]d>

[...]

Should your new key be declared in control.ctl and PGPKEYS?

https://www.eternal-september.org/control-eternal-september.asc

pub rsa4096 2025-07-16 [SC]
17A7E98E3038BE35428F30E4F53C21EEF3D2EA49
uid [ inconnue] Control <[email protected]>

Yes, please.

Thanks to your detailed explanations in your reply to Richard I was able to >> sort things out and now signcontrol works as expected.

Looks like the expected flag was "=Control <[email protected]>".

What confused me was the unexpected "=" strict match indicator that is
always added by signcontrol.py ;-)

Beware that modern versions of INN cope with UIDs containing spaces
but other legacy news servers may not.
Rationale in Section 3 of:
https://www.eyrie.org/~eagle/faqs/usenet-hier.html

The most noteworthy information in this FAQ should also be included in
the signcontrol README:

"If you're using GnuPG, in order to not get any spaces into the user ID,
you need to use gpg --gen-key --allow-freeform-uid, enter the desired
^^^^^^^^^^^^^^^^^
user ID as the name, and then press Enter when asked for an e-mail ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
address or comment. The recommended user ID is the e-mail address of the ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ sender, but it has to be entered as the name or GnuPG will not generate ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
the right user ID. A later version of pgpverify will hopefully make this ^^^^^^^^^^^^^^^^^^
unnecessary, but older versions will be around for quite some time."

This caveat also applies to signcontrol.py's

"Manage my PGP keys (generate/import/export/remove/revoke)"

function.

--
Пу́тін — хуйло́
https://www.eternal-september.org

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Wolfgang,

Should your new key be declared in control.ctl and PGPKEYS?

https://www.eternal-september.org/control-eternal-september.asc

pub rsa4096 2025-07-16 [SC]
17A7E98E3038BE35428F30E4F53C21EEF3D2EA49
uid [ inconnue] Control <[email protected]>

Yes, please.

The information will normally be updated in the next control-archive
release by Russ. I have opened a issue to remember that:
https://github.com/rra/control-archive/issues/9

Looks like the expected flag was "=Control <[email protected]>".

What confused me was the unexpected "=" strict match indicator that is
always added by signcontrol.py ;-)

You're right, I'll add a comment in the code about that equal sign.

"If you're using GnuPG, in order to not get any spaces into the user ID,
you need to use gpg --gen-key --allow-freeform-uid, enter the desired
^^^^^^^^^^^^^^^^^
user ID as the name, and then press Enter when asked for an e-mail ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
address or comment. The recommended user ID is the e-mail address of the ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ sender, but it has to be entered as the name or GnuPG will not generate ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
the right user ID. A later version of pgpverify will hopefully make this ^^^^^^^^^^^^^^^^^^
unnecessary, but older versions will be around for quite some time."

This caveat also applies to signcontrol.py's

"Manage my PGP keys (generate/import/export/remove/revoke)"

Isn't the current wording when running that function enough? I do not
see more information to add, unless I am mistaken?


What do you want to do?
-----------------------
1. See the current installed keys
2. Generate a new pair of secret/public keys
3. Export a public key
4. Export a secret key
5. Import a secret key
6. Remove a pair of secret/public keys
7. Revoke a secret key
8. Quit

Your choice (1-8): 2


-----------------------------------------------------------------------
Please put the e-mail address from which you will send control articles
in the key ID (the real name field). And leave the other fields blank,
for better compatibility with Usenet software.
Choose a 3072-bit or 4096-bit RSA key which *never expires*.
You should also provide a strong passphrase, for security reasons.
There is no need to edit the key after it has been generated.

Please note that the key generation may not finish if it is launched
on a remote server, owing to a lack of enough entropy. Use your own
computer instead and import the key on the remote one afterwards. -----------------------------------------------------------------------





There's no more fields to complete as far as I see:


gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Sélectionnez le type de clef désiré :
(1) RSA et RSA (par défaut)
(2) DSA et Elgamal
(3) DSA (signature seule)
(4) RSA (signature seule)
(14) Existing key from card
Quel est votre choix ? 1
les clefs RSA peuvent faire une taille comprise entre 1024 et 4096 bits. Quelle taille de clef désirez-vous ? (3072)
La taille demandée est 3072 bits
Veuillez indiquer le temps pendant lequel cette clef devrait être valable.
0 = la clef n'expire pas
<n> = la clef expire dans n jours
<n>w = la clef expire dans n semaines
<n>m = la clef expire dans n mois
<n>y = la clef expire dans n ans
Pendant combien de temps la clef est-elle valable ? (0)
La clef n'expire pas du tout
Est-ce correct ? (o/N) o

GnuPG doit construire une identité pour identifier la clef.

Nom réel : [email protected]
Adresse électronique :
Commentaire :
Vous avez sélectionné cette identité :
« [email protected] »

Changer le (N)om, le (C)ommentaire, l'(A)dresse électronique
ou (O)ui/(Q)uitter ? o
De nombreux octets aléatoires doivent être générés. Vous devriez faire autre chose (taper au clavier, déplacer la souris, utiliser les disques) pendant la génération de nombres premiers ; cela donne au générateur de nombres aléatoires une meilleure chance d'obtenir suffisamment d'entropie. gpg: revocation certificate stored as '/home/news/.gnupg/openpgp-revocs.d/40AF678E1D6B09E8B8A58C1E70C80795F8821D07.rev'
les clefs publique et secrète ont été créées et signées.

pub rsa3072 2025-07-18 [SC]
40AF678E1D6B09E8B8A58C1E70C80795F8821D07
uid [email protected]
sub rsa3072 2025-07-18 [E]


After having generated these keys, you should export your PUBLIC key
and make it public (in the web site of your hierarchy, along with
a current checkgroups, and also announce it in news.admin.hierarchies).
You can also export your PRIVATE key for backup only.

--
Julien ÉLIE

« Love is blind but marriage is an eye-opener. »

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Thus spake Julien ÉLIE <[email protected]d>

Should your new key be declared in control.ctl and PGPKEYS?
https://www.eternal-september.org/control-eternal-september.asc
pub rsa4096 2025-07-16 [SC]
17A7E98E3038BE35428F30E4F53C21EEF3D2EA49
uid [ inconnue] Control <[email protected]>

Yes, please.

The information will normally be updated in the next control-archive
release by Russ. I have opened a issue to remember that:
https://github.com/rra/control-archive/issues/9

Thanks very much.

[...]

Isn't the current wording when running that function enough? I do not
see more information to add, unless I am mistaken?

[...]

----------------------------------------------------------------------- Please put the e-mail address from which you will send control articles
in the key ID (the real name field). And leave the other fields blank,
for better compatibility with Usenet software.
Choose a 3072-bit or 4096-bit RSA key which *never expires*.
You should also provide a strong passphrase, for security reasons.
There is no need to edit the key after it has been generated.

Please note that the key generation may not finish if it is launched
on a remote server, owing to a lack of enough entropy. Use your own
computer instead and import the key on the remote one afterwards. -----------------------------------------------------------------------

After changing the background color of my xterm I have to agree with
you.

My bad. I rest my case.

--
Пу́тін — хуйло́
https://www.eternal-september.org

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)