Failure to import home-brewed public key file
David Shaw
dshaw at jabberwocky.com
Mon Feb 1 21:59:08 CET 2016
On Feb 1, 2016, at 11:38 AM, Rick van Rein <rick at openfortress.nl> wrote:
>
> Hello,
>
> I'm trying to generate public keys from PKCS #11 private keys using
> https://github.com/arpa2/tlspool/blob/master/tool/pgp11_genkey.c
>
> The public key files look good, but they don't import into GnuPG 1.4.12.
>
> I've compared the file syntax with a freshly created key, and it looks
> very similar. I've double-checked the data that feeds into the
> signature, and it seems to conform to RFC 4880. Do you have any
> suggestions on how to resolve this?
>
> Below is output on what I've tried. Just let me know if you'd like to
> see a generated public key.
>
>
> Thanks for any suggestions!
>
> -Rick
>
>
> The signed subpacket data in the UserID-signature contained:
>
> 05 02 56 af 26 f6 (timestamp)
> 02 1b 21 (key flags)
>
> while the User ID packet looks like
>
> 00000110 cd 2f 4f 70 65 6e 50 47 50 20 54 65 73 74 20 43 |OpenPGP Test C|
> 00000120 6c 69 65 6e 74 20 3c 74 65 73 74 63 6c 69 40 74 |lient <testcli at t|
> 00000130 6c 73 70 6f 6f 6c 2e 61 72 70 61 32 2e 6c 61 62 |lspool.arpa2.lab|
> 00000140 3e                                              |>|
>
>
> GnuPG is ignoring the self-made key, stating:
>
> gpg: key 3257A80C: no valid user IDs
> gpg: this may be caused by a missing self-signature
> gpg: Total number processed: 1
> gpg: w/o user IDs: 1
GnuPG requires each user ID to have a self-signature to prove that the user ID wasn't added by someone other than the key owner (the self-signature also carries some useful information like cipher choices). The user ID on this key doesn't have a self-signature - there's a signature there on the user ID, but it's not issued by the key itself:
:public key packet:
	version 4, algo 1, created 1454319350, expires 0
	pkey[0]: [2048 bits]
	pkey[1]: [0 bits]
	keyid: F25CA9043257A80C
:user ID packet: "OpenPGP Test Client <testcli at tlspool.arpa2.lab>"
:signature packet: algo 1, keyid 56EA25ACD215439F
	version 4, created 1454319350, md5len 0, sigclass 0x10
	digest algo 8, begin of digest cd d9
	hashed subpkt 2 len 4 (sig created 2016-02-01)
	hashed subpkt 27 len 1 (key flags: 21)
	subpkt 16 len 8 (issuer key ID 56EA25ACD215439F)
	data: [2048 bits]
So the key is F25CA9043257A80C, but the signature was made by 56EA25ACD215439F.
You can override the self-signature check (--allow-non-selfsigned-uid), but this is not recommended, as such a user ID is easy to forge.
David
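The check David describes, as an added example that is not part of the thread and not GnuPG's code: walk the RFC 4880 packets of a public key block, derive the primary key's key ID (low 64 bits of the SHA-1 fingerprint over 0x99, a two-byte length and the key packet body), and for every user ID look at the issuer subpacket (type 16) of each certification signature (sigclass 0x10 through 0x13). A user ID counts as self-signed only if some certification's issuer equals the primary key ID; a signature from any other key, as in Rick's dump, leaves the user ID invalid. The sample key is constructed inline with dummy 2048-bit MPIs, so it is not a usable key, and signatures are not verified (only issuer IDs are compared, which is the step that fails here). The foreign issuer ID 56EA25ACD215439F and the user ID string are taken from the thread; the function names are my own.

```python
"""Report, per user ID in an OpenPGP public key block, whether a self-signature
exists: a certification (sigclass 0x10-0x13) whose issuer key ID equals the
primary key's key ID. Added example, not GnuPG code; sample key is constructed."""
import hashlib
import struct

TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID = 2, 6, 13
SUBPKT_SIG_CREATED, SUBPKT_ISSUER, SUBPKT_KEY_FLAGS = 2, 16, 27
CERTIFICATION_CLASSES = {0x10, 0x11, 0x12, 0x13}


def _read_len(data, pos):
    """New-format length (RFC 4880 4.2.2); subpacket lengths use the same encoding."""
    b0 = data[pos]
    if b0 < 192:
        return b0, pos + 1
    if b0 < 224:
        return ((b0 - 192) << 8) + data[pos + 1] + 192, pos + 2
    if b0 == 255:
        return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5
    raise ValueError("partial body lengths not supported")


def parse_packets(data):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % pos)
        if ctb & 0x40:                                  # new format: tag in low 6 bits
            tag = ctb & 0x3F
            length, pos = _read_len(data, pos + 1)
        else:                                           # old format: tag in bits 5..2
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
            pos += 1 + size
        yield tag, data[pos:pos + length]
        pos += length


def key_id(pubkey_body):
    """v4 key ID: low 64 bits of SHA-1(0x99 || 2-byte length || key packet body)."""
    if pubkey_body[0] != 4:
        raise ValueError("only v4 keys handled")
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body)
    return fpr.digest()[-8:].hex().upper()


def signature_issuer(sig_body):
    """Return (sigclass, issuer key ID) from a v4 signature's hashed and unhashed subpackets."""
    if sig_body[0] != 4:
        raise ValueError("only v4 signatures handled")
    sigclass, pos, issuer = sig_body[1], 4, None        # skip version, class, pk algo, hash algo
    for _ in range(2):                                  # hashed area, then unhashed area
        count = struct.unpack(">H", sig_body[pos:pos + 2])[0]
        area, pos = sig_body[pos + 2:pos + 2 + count], pos + 2 + count
        spos = 0
        while spos < len(area):
            slen, spos = _read_len(area, spos)          # slen covers type octet + data
            if area[spos] & 0x7F == SUBPKT_ISSUER and issuer is None:
                issuer = area[spos + 1:spos + slen].hex().upper()
            spos += slen
    return sigclass, issuer


def check_self_signatures(data):
    """Map each user ID to its certification issuers and whether one is the key itself."""
    primary, uid, report = None, None, {}
    for tag, body in parse_packets(data):
        if tag == TAG_PUBLIC_KEY:
            primary = key_id(body)
        elif tag == TAG_USER_ID:
            uid = body.decode("utf-8")
            report[uid] = {"issuers": [], "self_signed": False}
        elif tag == TAG_SIGNATURE and uid is not None:
            sigclass, issuer = signature_issuer(body)
            if sigclass in CERTIFICATION_CLASSES:
                report[uid]["issuers"].append(issuer)
                if issuer == primary:                   # the check gpg is making
                    report[uid]["self_signed"] = True
    return primary, report


# --- constructed sample key: dummy 2048-bit MPIs, not a usable key ---------------
DUMMY_N, DUMMY_SIG = (1 << 2047) | 0x10001, (1 << 2047) | 0xBEEF
FOREIGN_ISSUER = "56EA25ACD215439F"                     # the stray issuer from the thread
SAMPLE_UID = "OpenPGP Test Client <testcli@tlspool.arpa2.lab>"


def _mpi(value):
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def _packet(tag, body):                                 # new-format header, body < 8384 bytes
    n = len(body)
    hdr = bytes([0xC0 | tag, n]) if n < 192 else bytes([0xC0 | tag, 192 + ((n - 192) >> 8), (n - 192) & 0xFF])
    return hdr + body


def _subpkt(stype, data):
    return bytes([len(data) + 1, stype]) + data


def build_sample_key(self_signed, created=1454319350):
    """RSA v4 public key + user ID + one 0x10 certification, issued by itself or by FOREIGN_ISSUER."""
    pub = bytes([4]) + struct.pack(">I", created) + bytes([1]) + _mpi(DUMMY_N) + _mpi(65537)
    issuer = key_id(pub) if self_signed else FOREIGN_ISSUER
    hashed = _subpkt(SUBPKT_SIG_CREATED, struct.pack(">I", created)) + _subpkt(SUBPKT_KEY_FLAGS, b"\x21")
    unhashed = _subpkt(SUBPKT_ISSUER, bytes.fromhex(issuer))
    sig = (bytes([4, 0x10, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
           + struct.pack(">H", len(unhashed)) + unhashed + b"\xcd\xd9" + _mpi(DUMMY_SIG))
    return _packet(TAG_PUBLIC_KEY, pub) + _packet(TAG_USER_ID, SAMPLE_UID.encode()) + _packet(TAG_SIGNATURE, sig)


if __name__ == "__main__":
    for self_signed in (False, True):
        primary, report = check_self_signatures(build_sample_key(self_signed))
        print("key %s: %s" % (primary, report))
```

Run it and the first key reproduces the situation in the thread (one certification, issuer not equal to the primary key ID, so self_signed is False), while the second shows what gpg expects. A generator like Rick's must put the primary key's own ID in the issuer subpacket and compute the signature with that key; fixing the packet layout alone does not help if the signing key and the key being certified differ.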