Failure to import home-brewn public key file
dshaw at jabberwocky.com
Mon Feb 1 21:59:08 CET 2016
On Feb 1, 2016, at 11:38 AM, Rick van Rein <rick at openfortress.nl> wrote:
> I'm trying to generate public keys from PKCS #11 private keys using
> The public key files look good, but they don't import into GnuPG 1.4.12.
> I've compared the file syntax with a freshly created key, and it looks
> very similar. I've double-checked the data that feeds into the
> signature, and it seems to conform to RFC 4880. Do you have any
> suggestions on how to resolve this?
> Below is output on what I've tried. Just let me know if you'd like to
> see a generated public key.
> Thanks for any suggestions!
> The signed subpacket data in the UserID-signature contained:
> 05 02 56 af 26 f6 (timestamp)
> 02 1b 21 (key flags)
> while the User ID packet looks like
> 00000110 cd 2f 4f 70 65 6e 50 47 50 20 54 65 73 74 20 43 | OpenPGP
> Test C|
> 00000120 6c 69 65 6e 74 20 3c 74 65 73 74 63 6c 69 40 74 |lient
> <testcli at t|
> 00000130 6c 73 70 6f 6f 6c 2e 61 72 70 61 32 2e 6c 61 62
> 00000140 3e
> |> |
> GnuPG is ignoring the self-made key, stating:
> gpg: key 3257A80C: no valid user IDs
> gpg: this may be caused by a missing self-signature
> gpg: Total number processed: 1
> gpg: w/o user IDs: 1
GnuPG requires each user ID to have a self-signature to prove that the user ID wasn't added by someone other than the key owner (the self-signature also carries some useful information like cipher choices). The user ID on this key doesn't have a self-signature - there's a signature there on the user ID, but it's not issued by the key itself:
:public key packet:
version 4, algo 1, created 1454319350, expires 0
pkey: [2048 bits]
pkey: [0 bits]
:user ID packet: "OpenPGP Test Client <testcli at tlspool.arpa2.lab>"
:signature packet: algo 1, keyid 56EA25ACD215439F
version 4, created 1454319350, md5len 0, sigclass 0x10
digest algo 8, begin of digest cd d9
hashed subpkt 2 len 4 (sig created 2016-02-01)
hashed subpkt 27 len 1 (key flags: 21)
subpkt 16 len 8 (issuer key ID 56EA25ACD215439F)
data: [2048 bits]
So the key is F25CA9043257A80C, but the signature was made by 56EA25ACD215439F.
You can override the self-signature check (---allow-non-selfsigned-uid) but this is not recommended as such a user ID is easy to forge.
More information about the Gnupg-devel