Problems importing public key
linux at codehelp.co.uk
Wed Apr 14 22:16:42 CEST 2004
On Wednesday 14 Apr 2004 7:15, Graeme Nichols wrote:
> Hello Folks,
> I was sent a public key by a fellow so that I could encrypt a file to
> him. The name of the file, for what it is worth is: 0xF94BBB03.asc which
You might be able to trust this file, but why should GnuPG? You've just
imported a public key that has no relation to your own key, there is nothing
for GnuPG to use to work out whether to trust the key. You comment that this
is for sensitive data yet you seem prepared to take the key at face value.
> happens to be the DSA key ID of his key used to sign his emails. It
So all you really know about this key is that the email address matches the
keyID. Is that enough? Can't be particularly sensitive data for encryption!
> imports OK into my gnupg V1.2.3 but when I click on the lock icon in
> Evolution (so I can test the public key) I get the following error:
> gpg: armor header: Version: GnuPG v1.2.4 (GNU/Linux)
> gpg: Signature made Sat 03 Apr 2004 09:54:31 EST using DSA key ID
> gpg: BAD signature from "Benoit Grégoire (Serveur télématique des
Oops. You've got the right key but something is wrong with the email.
> étudiants de Polytechnique) <bock at step.polymtl.ca>"
> gpg: textmode signature, digest algorithm SHA1
> What have I done wrong?
Nothing, necessarily. There may be something wrong with the signed email
> I have another public key that I imported from a keyserver that works OK
If you import a new copy of the same key, it'll simply overwrite the old one.
The only differences that will make any odds here are things like extra
subkeys, extra signatures, extra UID's. If GnuPG accepts these two keys as
the same, the public key in both copies is the same.
> if I click the lock icon on Evolution yet if I fire up seahorse and
> click on the Key Manager icon to list the keys I have under the 'trust'
> column both the public keys I have imported show 'ERROR'. Mine naturally
> shows 'ultimate'
This is the separate trust issue. GnuPG cannot trust this key because you
haven't verified the key. You would need to follow the keysigning procedure
and then sign the key for GnuPG to be able to trust this key.
> I really need to find out if I have done something wrong so I can
No, just that there is something that you haven't yet done.
> rectify the problem as Benoit is waiting for the file he needs me to
> send him and I am not going to send it if something is wrong as the file
> has some very private data in it and I don't want it to fall into the
> wrong hands.
Then you MUST verify the key properly. Usually, this involves meeting
face-to-face to exchange GnuPG fingerprints and verify proof of photo ID AS
WELL as verifying that the email address in the key is the right destination.
GnuPG cannot be expected to encrypt sensitive data if there no way of knowing
if you are encrypting to the right person.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Url : /pipermail/attachments/20040414/f7a54b06/attachment.bin
More information about the Gnupg-users