Problems importing public key
Neil Williams
linux at codehelp.co.uk
Wed Apr 14 22:16:42 CEST 2004
On Wednesday 14 Apr 2004 7:15, Graeme Nichols wrote:
> Hello Folks,
>
> I was sent a public key by a fellow so that I could encrypt a file to
> him. The name of the file, for what it is worth is: 0xF94BBB03.asc which
You might be able to trust this file, but why should GnuPG? You've just
imported a public key that has no relation to your own key; there is nothing
for GnuPG to use to work out whether to trust the key. You comment that this
is for sensitive data yet you seem prepared to take the key at face value.
> happens to be the DSA key ID of his key used to sign his emails. It
So all you really know about this key is that the email address matches the
keyID. Is that enough? Can't be particularly sensitive data for encryption!
> imports OK into my gnupg V1.2.3 but when I click on the lock icon in
> Evolution (so I can test the public key) I get the following error:
>
> gpg: armor header: Version: GnuPG v1.2.4 (GNU/Linux)
> gpg: Signature made Sat 03 Apr 2004 09:54:31 EST using DSA key ID
> F94BBB03
> gpg: BAD signature from "Benoit Grégoire (Serveur télématique des
Oops. You've got the right key but something is wrong with the email.
> étudiants de Polytechnique) <bock at step.polymtl.ca>"
> gpg: textmode signature, digest algorithm SHA1
>
> What have I done wrong?
Nothing, necessarily. There may be something wrong with the signed email
though.
> I have another public key that I imported from a keyserver that works OK
If you import a new copy of the same key, it'll simply overwrite the old one.
The only differences that will make any odds here are things like extra
subkeys, extra signatures, extra UIDs. If GnuPG accepts these two keys as
the same, the public key in both copies is the same.
> if I click the lock icon on Evolution yet if I fire up seahorse and
> click on the Key Manager icon to list the keys I have under the 'trust'
> column both the public keys I have imported show 'ERROR'. Mine naturally
> shows 'ultimate'
This is the separate trust issue. GnuPG cannot trust this key because you
haven't verified the key. You would need to follow the keysigning procedure
and then sign the key for GnuPG to be able to trust this key.
> I really need to find out if I have done something wrong so I can
No, just that there is something that you haven't yet done.
> rectify the problem as Benoit is waiting for the file he needs me to
> send him and I am not going to send it if something is wrong as the file
> has some very private data in it and I don't want it to fall into the
> wrong hands.
Then you MUST verify the key properly. Usually, this involves meeting
face-to-face to exchange GnuPG fingerprints and verify proof of photo ID AS
WELL as verifying that the email address in the key is the right destination.
GnuPG cannot be expected to encrypt sensitive data if there is no way of knowing
if you are encrypting to the right person.
--
Neil Williams
=============
http://www.codehelp.co.uk/
http://www.dclug.org.uk/
http://www.isbn.org.uk/
http://sourceforge.net/projects/isbnsearch/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
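The steps Neil describes (check the signature on the mail, read the imported key's fingerprint, compare it with the fingerprint obtained face to face, and only then sign the key so GnuPG's trust calculation accepts it) as a small set of POSIX sh functions around the gpg command line. This is an added example, not code from the thread or from GnuPG's own documentation: the key ID 0xF94BBB03 is the one mentioned in the thread, the fingerprint strings in the comments are constructed placeholders rather than anyone's real fingerprint, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the original mailing-list thread).
# Fingerprint values here are constructed placeholders.

# Normalise a fingerprint as printed by gpg or read out over the phone:
# drop spaces, upper-case the hex digits, and require exactly 40 hex
# characters (a v4 key fingerprint). Prints the normalised form on stdout.
normalize_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$fpr" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# Compare the fingerprint gpg shows for the imported key with the one
# obtained out of band (face to face, business card, phone).
# Returns 0 only on an exact match after normalisation; a key ID alone
# (8 or 16 hex digits) is rejected because it is not a fingerprint.
fingerprints_match() {
    a=$(normalize_fpr "$1") || return 1
    b=$(normalize_fpr "$2") || return 1
    [ "$a" = "$b" ]
}

# Show the fingerprint of an imported key so it can be read out and compared,
# e.g. show_fingerprint 0xF94BBB03
show_fingerprint() {
    gpg --fingerprint "$1"
}

# Check the signature on a saved signed message (the "BAD signature" case
# in the thread shows up as a non-zero exit status here).
verify_signed_mail() {
    gpg --verify "$1"
}

# After the fingerprint matched AND the name/email in the UID were checked,
# certify the key locally (non-exportable) so GnuPG will trust it:
#   sign_verified_key 0xF94BBB03
sign_verified_key() {
    gpg --lsign-key "$1"
}

# Typical flow (run by hand; each step needs gpg and the key material):
#   verify_signed_mail benoit-signed.eml
#   show_fingerprint 0xF94BBB03
#   fingerprints_match "$(gpg --with-colons --fingerprint 0xF94BBB03 \
#       | awk -F: '$1=="fpr"{print $10; exit}')" "<fingerprint read face to face>" \
#       && sign_verified_key 0xF94BBB03
```

The important design point is that `fingerprints_match` only ever succeeds on a full 40-digit fingerprint: the 8-digit key ID in the filename (0xF94BBB03) is what GnuPG uses to look the key up, not evidence of who owns it, so the comparison refuses to accept it.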