Hmm, as your current PGP-2 key uses "nl.newsgroups" as key ID, and it is
also your current control.ctl entry ("verify-nl.newsgroups"), just keep
that for your new key and do not use an e-mail adress.

I said that because some other control.ctl entries use an e-mail, but
that's not the case for nl.*.

There's a small problem, the website that we used (http://nl.news-admin.org/)
exists, but it is out of date and I think there is nobody who has the keys as
far as I can tell, also I don't know what happened to it, since I'm wondering
what "ausadmin" and a proposal for "aus.radio.amateur.dstar" is doing there,
and when you click that last proposal you'll get: "Software error:
Expected /home/ausadmin/vote/aus.radio.amateur.dstar/vote_start.cfg at
/home/ausadmin/perllib/Vote.pm line 125.
For help, please send mail to the webmaster ([no address given]), giving this
^^^^^^^^^^^^^^^^^^
error message and the time and date of the error."

To give you an idea why the list of newsgroups there is somewhat out of date:
"nl.actueel" is missing (created in 2015), nl.erotiek.* was removed in 2009.

At some point in time (2011) we decided to create e-mailaddresses at stack.nl
instead of nic.surfnet.nl, to administrate the nl-hierarchy, but they seem to
be revoked ("<nl-***@stack.nl>: Recipient address rejected: User unknown").

At this moment I guess we (the administrators of nl.*) don't have an official
e-mailaddress, that is what can be concluded. The administrative role, named
nl-admin, consisted of two persons since 2007, Adri Verhoef (=me) & Johan van
Selst; later on, a council was added called 'nl-raad', that consisted of five
persons, including nl-admin. This was reduced to four persons in early 2022,
when Bart Dinnissen stepped down for health reasons; he died later that year.
Johan has an e-mailaddress at stack.nl, obviously he was involved in creation
of the administrative e-mailaddresses at stack.nl, amongst them were nl-admin
and nl-raad, see http://lists.stack.nl/hyperkitty/ - deselect 'Hide inactive'
- they are archived.

UPDATE: Right now I am in contact with Johan again!

Julien,

At the moment I'm testing my scripts; I've successfully configured GnuPG
(at least I think so).

I've added some small improvements in version 1.9 of 'signcontrol':

106c106
< # $use_or_add{'Oranization'} = 'YOUR_ORGANIZATION';
---
150c150
< # set to match only hierarchies you will use it on
---
Apart from that, I used: my $id_host = `cat ~/mailname`; in my configuration.
Also, I've been playing around with signcontrol-1.9, configuring it some more,
then was unsuccessful getting it to work:

Most probably there was a need for me to add a variable "$pgphomedir" to point
to the correct directory with the secret key, else I would get:
gpg: skipped "nl.newsgroups": No secret key

This is what I've added:

my $pgp = "/usr/bin/gpg";
# From the directory where signcontrol is called we need to find the secret key
# if that key isn't situated in the homedirectory of the caller.
my $pgphomedir = ".gnupg"; # absolute path or directory relative to current one


However, this wasn't enough. My 'gpg' on Fedora 40, gnupg2-2.4.4-1.fc40.x86_64,
doesn't accept the "--pgp2" parameter: gpg: invalid option "--pgp2"

Furthermore, I'm getting: gpg: signing failed: Inappropriate ioctl for device

So, this is what I have now in my version of the code of 'signcontrol':

} elsif ($pgpstyle eq 'GPG') {
if ($pgphomedir) {
# we need a way to add some extra arguments
@command = ($pgp, qw/--detach-sign --armor --textmode -u/, $keyid,
qw/--debug-level advanced/,
qw/--homedir/, $pgphomedir,
qw/--force-v3-sigs/);
} else {
@command = ($pgp, qw/--detach-sign --armor --textmode -u/, $keyid,
qw/--force-v3-sigs --pgp2/);
}
} else {


When I run "./checkgroups -t nl | head" I get:

Newsgroups: nl.newsgroups
Subject: cmsg checkgroups
Control: checkgroups

nl.actueel Discussie over nieuws met grote maatschappelijke impact.
(etc.)

This is fine for now, but when I run "./checkgroups -t nl | head |./signcontrol"
I get:

gpg: enabled debug flags: memstat trust extprog
gpg: enabled compatibility flags:
gpg: no running gpg-agent - starting '/usr/bin/gpg-agent'
gpg: waiting for the agent to come up ... (5s)
gpg: connection to the agent established
gpg: writing to stdout
gpg: pinentry launched (1480141 gnome3:curses 1.3.0-unknown - xterm-256color :0.0 - 9/13 0)
gpg: signing failed: Inappropriate ioctl for device
gpg: signing failed: Inappropriate ioctl for device
gpg: keydb: handles=1 locks=0 parse=1 get=1
gpg: build=0 update=0 insert=0 delete=0
gpg: reset=0 found=1 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=2 cached=0 good=0 bad=0
gpg: objcache: keys=2/2/0 chains=381,1..1 buckets=383/20 attic=254
gpg: objcache: uids=1/1/0 chains=106,1..1 buckets=107/20
gpg: random usage: poolsize=600 mixed=1 polls=0/3 added=18/720
outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: secmem usage: 1568/65536 bytes in 3 blocks
/usr/bin/gpg returned exit status 512

signcontrol: could not generate signature


According to https://github.com/keybase/keybase-issues/issues/2798 inserting
"export GPG_TTY=$(tty)" is the solution, but when I do that I get 'not a tty':

$ ./checkgroups -t nl | head | GPG_TTY=$(tty) ./signcontrol
gpg: enabled debug flags: memstat trust extprog
gpg: enabled compatibility flags:
gpg: writing to stdout
gpg: pinentry launched (1519899 gnome3:curses 1.3.0-unknown not a tty xterm-256color :0.0 ? 9/13 0)
gpg: signing failed: No such file or directory
gpg: signing failed: No such file or directory
gpg: keydb: handles=1 locks=0 parse=1 get=1
gpg: build=0 update=0 insert=0 delete=0
gpg: reset=0 found=1 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=2 cached=0 good=0 bad=0
gpg: objcache: keys=2/2/0 chains=381,1..1 buckets=383/20 attic=254
gpg: objcache: uids=1/1/0 chains=106,1..1 buckets=107/20
gpg: random usage: poolsize=600 mixed=1 polls=0/3 added=18/720
outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: secmem usage: 1568/65536 bytes in 3 blocks
/usr/bin/gpg returned exit status 512

signcontrol: could not generate signature


In my configuration, signcontrol needs to be run from crontab in the night,
I don't do that by hand.

Another solution from https://github.com/keybase/keybase-issues/issues/2798 is
pointing to https://d.sb/2016/11/gpg-inappropriate-ioctl-for-device-errors:

| To solve the problem, you need to enable loopback pinentry mode. Add this to ~/.gnupg/gpg.conf:
|
| use-agent
| pinentry-mode loopback
|
| And add this to ~/.gnupg/gpg-agent.conf, creating the file if it doesn't already exist:
|
| allow-loopback-pinentry
|
| Then restart the agent with echo RELOADAGENT | gpg-connect-agent and you should be good to go!

In my case I needed to restart the agent with:
echo RELOADAGENT | gpg-connect-agent --homedir [full_path_to_directory/.gnupg]

Now there is a little bit of a big success!

$ ./checkgroups -t nl | head | ./signcontrol
Use of uninitialized value $version in pattern match (m//) at ./signcontrol line 552.
Use of uninitialized value $version in concatenation (.) or string at ./signcontrol line 556.
Path: bounce-back
From: nl-***@stack.nl
Newsgroups: nl.newsgroups
Subject: cmsg checkgroups
Control: checkgroups
Approved: nl-***@stack.nl
Message-ID: <***@a3.nl.invalid>
Date: Sun, 28 Apr 2024 10:12:56 -0000
Lines: 6
X-Info: https://ftp.isc.org/pub/pgpcontrol/README.html
https://ftp.isc.org/pub/pgpcontrol/README
X-PGP-Sig: Subject,Control,Message-ID,Date,From,Sender
iQIzBAEBCAAdFiEEZvvoTIDjctRUf+kh0vJZXdpaxQQFAmYuISgACgkQ0vJZXdpa
xQT5mRAAlpYTP6ZUSqnojH/kJmhdc+9EGprF/D56XFQ/zB9IRyHvFPPCyso/TAhm
5RyeGlz/9JKyQLXEKeE+Qko5SXA03jcMBsTKqa6XpP5DFhy+1aqJIyhYpiLXklaf
SJc5wV75lQ4Aub6BRJJj4wh2ZjCF8EpaKWl1B4rkeV4A1ffIWDSP/q0uEExGiFkS
EXbP48Mi5nEqSn+pJryD+POHhe+GKvQ+B/oSS9d9bcMe8+/wy+VlMyVGVLnwgr3e
bvAHAtFADDjTiXiTSloM/uQYxyMabo0O2pCH11iG7Ggb7u1VHexMZhbL37CDn3or
Z/PUHcTBef6QMrMu6UY7Vosz7DAcjjSBtPHf2SsiBhaDTZG0kD2Z46NPeSBjS11/
FxtHJmCWsrXqabMYgxmNMAgiZbGTARJAPVCz/32dtQb9rm0jBVJSImKUXnhwgs76
JaFB9xZyF2C2RW6TMXEN1Eg44+BnBJrkzcNSneLiXX5WoaO/rVCbbB6Nzn3hnAhV
oji7+avuCloUi8nwVtL8o9a54usYF4Ej4omDovK5+RJM+/olpJdMfJCh6sZwYYwe
Of4yEsvqeTe6ArRlsR1eN29QacQoDGWuJgEQ0ANm/sapD6d8gr1tu7RuDVhwdgUZ
KyUaveIgyaoWntgL9fYVG/ODtNq/k+xKA+pIIx2MEIhTuKZ2sf0=
=u+UU

nl.actueel Discussie over nieuws met grote maatschappelijke impact.
nl.announce Aankondigingen conferenties, cursussen, enz. (Moderated)
nl.auto Aankondigingen, modellen, techniek, tips en discussie.
nl.burgerrechten Informatiemaatschappij en burgerbelangen.
nl.comp.3d-printen Alles over 3D-printen.
nl.comp.dvd-branden Over het maken en branden van dvd's.


In this part, $version doesn't get assigned with GnuPG's version:

while ($signature[0] ne "\n" && @signature) {
$version = $1 if ((shift @signature) =~ /^Version:\s+(.*?)\s*$/);
}


But 'gpg' does report its version. Here is some of my output if that helps:

$ gpg --version
gpg (GnuPG) 2.4.4
libgcrypt 1.10.3-unknown
Copyright (C) 2024 g10 Code GmbH


To get rid of the 'uninitialized value' I used a stub: my $version = "0.stub";
Unless someone has a (better) fix for this ...


In finishing, I've changed the part where $pgphomedir is studied, using #DEBUG#,
and also omitted --pgp2:

if ($pgphomedir) {
# we need a way to add some extra arguments
@command = ($pgp, qw/--detach-sign --armor --textmode -u/, $keyid,
##DEBUG## qw/--debug-level advanced/,
qw/--homedir/, $pgphomedir,
qw/--force-v3-sigs/);
} else {
As I haven't advertised it yet, I'm gonna go ahead right now:

$ gpg --homedir .gnupg --dry-run --list-keys
.../news/.gnupg/pubring.kbx
------------------------------------
pub rsa4096 2024-04-27 [SC]
66FBE84C80E372D4547FE921D2F2595DDA5AC504
uid [ultimate] nl.newsgroups
sub rsa4096 2024-04-27 [E]

$ gpg --homedir .gnupg --dry-run --list-keys --fingerprint
.../news/.gnupg/pubring.kbx
------------------------------------
pub rsa4096 2024-04-27 [SC]
66FB E84C 80E3 72D4 547F E921 D2F2 595D DA5A C504
uid [ultimate] nl.newsgroups
sub rsa4096 2024-04-27 [E]

$ gpg --homedir .gnupg --dry-run --send-keys 66FBE84C80E372D4547FE921D2F2595DDA5AC504
gpg: sending key D2F2595DDA5AC504 to hkps://keyserver.ubuntu.com
$ gpg --homedir .gnupg --send-keys 66FBE84C80E372D4547FE921D2F2595DDA5AC504
gpg: sending key D2F2595DDA5AC504 to hkps://keyserver.ubuntu.com


Did I do this correctly?
The URL-part isn't correct yet; this is what I have now in my control.ctl:

## NL (Netherlands)
# Contact: nl-***@stack.nl
# URL: http://nl.news-admin.org/info/nladmin.html
# Admin group: nl.newsgroups
# Key fingerprint: 45 20 0B D5 A1 21 EA 7C EF B2 95 6C 25 75 4D 27
# *PGP* See comment at top of file.
newgroup:*:nl.*:drop
rmgroup:*:nl.*:drop
checkgroups:nl-***@stack.nl:nl.*:verify-nl.newsgroups
newgroup:nl-***@stack.nl:nl.*:verify-nl.newsgroups
rmgroup:nl-***@stack.nl:nl.*:verify-nl.newsgroups


BTW, I'm running C News. :-)
Hopefully I've done all this correctly.

Thank you very much for helping me out so far, Julien!

Adri
PS NOTE: the Contact address nl-***@stack.nl doesn't work yet.