Problems with gpgsm/dirmngr in gnupg-2.1.0-beta751

Jens Lechtenboerger lechten at wi.uni-muenster.de
Tue Jul 8 19:41:09 CEST 2014


Hi there,

I'm failing to use gpgsm in gnupg-2.1.0-beta751.  (I'm able to use
gpgsm-2.0.14 as part of my distribution.)
 
To make sure that my configuration is OK I renamed ~/.gnupg and
killed gpg-agent (which uses a socket under ~/.gnupg).

Importing certificates failed then:
gpgsm: Die "Keybox" `/home/lechten/.gnupg/pubring.kbx' konnte nicht erstellt werden: Datei oder Verzeichnis nicht gefunden

That message could be more helpful by stating that the directory is
missing; maybe the directory could even be created automatically.
Anyways, I created ~/.gnupg (/etc/gnupg is empty as well).
Import of my certificate chain succeeded then.

However, encryption to my certificate fails:
$ gpgsm -vv --encrypt --recipient F7:A5:12:A2:56:F0:12:AA:59:E9:96:62:A2:B4:51:CF:3A:4E:47:E7 test.txt > test.gpgsm
gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION!
gpgsm: It is only intended for test purposes and should NOT be
gpgsm: used in a production environment or with production keys!
gpgsm: certificate's policy list: 1.3.6.1.4.1.22177.300.1.1.4.3.1:N:
1.3.6.1.4.1.22177.300.2.1.4.3.1:N:
gpgsm: Datei `/home/lechten/.gnupg/policies.txt' kann nicht geöffnet werden: Datei oder Verzeichnis nicht gefunden
gpgsm: Notiz: Die unkritische Zertifikatsrichtlinie ist nicht erlaubt
gpgsm: asking dirmngr about F7:A5:12:A2:56:F0:12:AA:59:E9:96:62:A2:B4:51:CF:3A:4E:47:E7
gpgsm: response of dirmngr: Dateiende
gpgsm: certificate #16EC9481CC8496/1.2.840.113549.1.9.1=#636140756E692D6D75656E737465722E6465,CN=Zertifizierungsstelle Universitaet Muenster - G02,O=Universitaet Muenster,C=DE
gpgsm: Die CRL konnte nicht geprüft werden: Dateiende
gpgsm: Benutztes Gültigkeitsmodell: Schale
gpgsm: can't encrypt to 'F7:A5:12:A2:56:F0:12:AA:59:E9:96:62:A2:B4:51:CF:3A:4E:47:E7': Dateiende

I retried the previous command with ~/.gnupg/dirmngr.conf as
follows:
log-file /tmp/dirmngr.log
debug-all
debug-level guru

The resulting logfile contains:
2014-07-08 18:15:12 dirmngr[7432.0] Es wird auf Socket `/home/lechten/.gnupg/S.dirmngr' gehört
2014-07-08 18:15:12 dirmngr[7433.0] Fehler beim Zugriff auf das Verzeichnis `/home/lechten/.gnupg/trusted-certs': Datei oder Verzeichnis nicht gefunden
2014-07-08 18:15:12 dirmngr[7433.0] Fehler beim Zugriff auf das Verzeichnis `/home/lechten/.gnupg/extra-certs': Datei oder Verzeichnis nicht gefunden
2014-07-08 18:15:12 dirmngr[7433.0]    dauerhaft geladene Zertifikate: 0
2014-07-08 18:15:12 dirmngr[7433.0] zur Laufzeit zwischengespeicherte Zertifikate: 0
2014-07-08 18:15:13 dirmngr[7433.0] Handhabungsroutine für fd 0 gestartet
2014-07-08 18:15:13 dirmngr[7433.0] DBG: chan_0 -> # Home: /home/lechten/.gnupg
2014-07-08 18:15:13 dirmngr[7433.0] DBG: chan_0 -> # Config: /home/lechten/.gnupg/dirmngr.conf
2014-07-08 18:15:13 dirmngr[7433.0] DBG: chan_0 -> OK Dirmngr 2.1.0-beta751 at your service
2014-07-08 18:15:13 dirmngr[7433.0] connection from process 7430 (1000:1000)
2014-07-08 18:15:13 dirmngr[7433.0] DBG: chan_0 <- OPTION audit-events=1
2014-07-08 18:15:13 dirmngr[7433.0] DBG: chan_0 -> OK
2014-07-08 18:15:13 dirmngr[7433.0] DBG: chan_0 <- ISVALID A52EFAEFBC86EF98C5E9AA92B3ECEC4101080F0A.16EC9481CC8496
2014-07-08 18:15:13 dirmngr[7433.0] Es ist keine CRL für den Issuer mit der ID A52EFAEFBC86EF98C5E9AA92B3ECEC4101080F0A vorhanden
2014-07-08 18:15:13 dirmngr[7433.0] DBG: chan_0 -> INQUIRE SENDCERT
2014-07-08 18:15:13 dirmngr[7433.0] DBG: chan_0 <- [ 44 20 30 82 05 e6 30 82 04 ce a0 03 02 01 02 02 ...(982 byte(s) skipped) ]
2014-07-08 18:15:13 dirmngr[7433.0] DBG: chan_0 <- [ 44 20 55 1d 1f 04 74 30 72 30 37 a0 35 a0 33 86 ...(544 byte(s) skipped) ]
2014-07-08 18:15:13 dirmngr[7433.0] DBG: chan_0 <- END
2014-07-08 18:15:13 dirmngr[7433.0] checking distribution points
2014-07-08 18:15:13 dirmngr[7433.0] fetching CRL from 'http://cdp1.pca.dfn.de/wwu-ca/pub/crl/g_cacrl.crl'

I don't see any network traffic on my machine, which I find
surprising in view of the final log line.  So I downloaded that CRL
and tried to import it:
$ dirmngr-client --load-crl g_cacrl.crl 
dirmngr-client: Verbindung zum Dirmngr nicht möglich: IPC "connect" Aufruf fehlgeschlagen

strace shows ECONNREFUSED (Connection refused) on
~/.gnupg/S.dirmngr, which appears to be a leftover from one of the
previous commands.  Removing that socket and invoking dirmngr-client
again then leads to ENOENT (No such file or directory) on
~/.gnupg/S.dirmngr.
(The man page of dirmngr-client suggests that dirmngr should be
started automatically if it is not running.  This does not seem to
be the case; at least no messages appear in /tmp/dirmngr.log.)

Now I'm stuck.

Any hints?

Best wishes
Jens
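
The two connect errors reported above (ECONNREFUSED on a leftover socket file, ENOENT once it has been removed) can be told apart from a running daemon with a small probe. This is an added example, not part of the original post and not GnuPG code; `probe_socket` and `demo` are hypothetical names, and the sockets are constructed in a temporary directory.

```python
import errno
import os
import socket
import tempfile
import threading

def probe_socket(path, timeout=2.0):
    """Classify a Unix socket path as 'missing', 'stale', 'error' or 'live'.
    Detail is the errno name, or for 'live' the first non-comment reply line."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(path)
        except OSError as e:
            states = {errno.ENOENT: "missing",      # no socket file at all
                      errno.ECONNREFUSED: "stale"}  # file left behind, no listener
            return states.get(e.errno, "error"), errno.errorcode.get(e.errno, "?")
        try:
            with s.makefile("rb") as reply:
                for line in reply:
                    if not line.startswith(b"#"):   # skip "# Home:" style comments
                        return "live", line.decode("ascii", "replace").strip()
        except OSError:                             # timed out or reset mid-read
            pass
        return "live", ""

def demo():
    """Build all three cases in a temp dir (constructed, not a real GnuPG home)."""
    d = tempfile.mkdtemp()
    results = {"missing": probe_socket(os.path.join(d, "S.dirmngr"))}
    stale = os.path.join(d, "S.stale")
    left = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    left.bind(stale)
    left.close()          # the socket file stays on disk, as after a dead daemon
    results["stale"] = probe_socket(stale)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(os.path.join(d, "S.live"))
    srv.listen(1)
    def serve():          # constructed stand-in server, not dirmngr
        conn, _ = srv.accept()
        conn.sendall(b"# Home: /constructed\nOK constructed test server\n")
        conn.close()
    t = threading.Thread(target=serve, daemon=True)
    t.start()
    results["live"] = probe_socket(os.path.join(d, "S.live"))
    t.join()
    srv.close()
    return results
if __name__ == "__main__":
    print(demo())
```

Against a real setup the same function can be pointed at the socket path from the post, for example `probe_socket(os.path.expanduser("~/.gnupg/S.dirmngr"))`.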


