Problems importing public key

Graeme Nichols gnichols at
Fri Apr 16 08:59:23 CEST 2004

On Thu, 2004-04-15 at 06:16, Neil Williams wrote:
> On Wednesday 14 Apr 2004 7:15, Graeme Nichols wrote:
> > Hello Folks,
> >
> > I was sent a public key by a fellow so that I could encrypt a file to
> > him. The name of the file, for what it is worth is: 0xF94BBB03.asc which
> You might be able to trust this file, but why should GnuPG? You've just 
> imported a public key that has no relation to your own key, there is nothing 
> for GnuPG to use to work out whether to trust the key. You comment that this 
> is for sensitive data yet you seem prepared to take the key at face value. 
> > happens to be the DSA key ID of his key used to sign his emails. It
> So all you really know about this key is that the email address matches the 
> keyID. Is that enough? Can't be particularly sensitive data for encryption!
> > imports OK into my gnupg V1.2.3 but when I click on the lock icon in
> > Evolution (so I can test the public key) I get the following error:
> >
> > gpg: armor header: Version: GnuPG v1.2.4 (GNU/Linux)
> > gpg: Signature made Sat 03 Apr 2004 09:54:31 EST using DSA key ID
> > F94BBB03
> > gpg: BAD signature from "Benoit Grégoire (Serveur télématique des
> Oops. You've got the right key but something is wrong with the email.
> > étudiants de Polytechnique) <bock at>"
> > gpg: textmode signature, digest algorithm SHA1
> >
> > What have I done wrong?
> Nothing, necessarily. There may be something wrong with the signed email 
> though.
> > I have another public key that I imported from a keyserver that works OK
> If you import a new copy of the same key, it'll simply overwrite the old one. 
> The only differences that will make any odds here are things like extra 
> subkeys, extra signatures, extra UIDs. If GnuPG accepts these two keys as 
> the same, the public key in both copies is the same.
> > if I click the lock icon on Evolution yet if I fire up seahorse and
> > click on the Key Manager icon to list the keys I have under the 'trust'
> > column both the public keys I have imported show 'ERROR'. Mine naturally
> > shows 'ultimate'
> This is the separate trust issue. GnuPG cannot trust this key because you 
> haven't verified the key. You would need to follow the keysigning procedure 
> and then sign the key for GnuPG to be able to trust this key.
> > I really need to find out if I have done something wrong so I can
> No, just that there is something that you haven't yet done.
> > rectify the problem as Benoit is waiting for the file he needs me to
> > send him and I am not going to send it if something is wrong as the file
> > has some very private data in it and I don't want it to fall into the
> > wrong hands.
> Then you MUST verify the key properly. Usually, this involves meeting 
> face-to-face to exchange GnuPG fingerprints and verify proof of photo ID AS 
> WELL as verifying that the email address in the key is the right destination.
> GnuPG cannot be expected to encrypt sensitive data if there is no way of knowing 
> if you are encrypting to the right person.

Thanks for the info Neil. I can encrypt the sensitive data file OK using
the public key provided, but, as you say, I have no idea whether I can
trust this key. I have never met the gentleman in question (who is as
honest as the day is long, I'm sure) but I have no way of knowing if
someone is impersonating him, thus my concern when ALL his signed emails
fail to authenticate properly with the key he provided.

As I am no expert on this topic can you tell me how I could attempt to
download his public key from a keyserver? The only public key I have
downloaded so far had foolproof instructions in the form of a url in the
comment field and then foolproof instructions when one connected to that
url. It was the key for Dennis Patrick Lamb Jr., very cleverly done.


Kind regards,

Graeme Nichols

Politics, as a practice, whatever its professions, has always been the
systematic organisation of hatreds.
		-- Henry Adams, "The Education of Henry Adams"

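An added example, not part of the original message: the advice quoted above is to compare fingerprints obtained directly from the key owner rather than rely on a key ID matching an email address. This Python code parses `gpg --with-colons --fingerprint` output and accepts a key only when its full primary-key fingerprint equals the one received out of band. The sample output, the fingerprints and the function names are constructed for illustration, and 40-hex-digit (v4) fingerprints are assumed.

```python
import re

# Constructed sample of `gpg --with-colons --fingerprint` output (not a real key).
SAMPLE_COLONS = """\
tru::1:1082098763:0:3:1:5
pub:-:1024:17:89ABCDEF01234567:1049234400:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1049234400::::Example User <user@example.org>:
sub:-:2048:16:0000111122223333:1049234400::::::e:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
"""


def primary_fingerprints(colons: str) -> list[str]:
    """Return the fingerprint of each primary key (the fpr record that follows pub)."""
    found, after_pub = [], False
    for line in colons.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            after_pub = True
        elif fields[0] == "fpr" and after_pub and len(fields) > 9:
            found.append(fields[9].upper())  # field 10 carries the fingerprint
            after_pub = False
        elif fields[0] in ("sub", "sec", "ssb"):
            after_pub = False  # fpr records after these belong to other keys
    return found


def normalize(fingerprint: str) -> str:
    """Strip whitespace and an optional 0x prefix from a fingerprint as a person reads it out."""
    text = re.sub(r"\s+", "", fingerprint).upper()
    return text[2:] if text.startswith("0X") else text


def key_matches(colons: str, out_of_band: str) -> bool:
    """True only if the out-of-band fingerprint equals a primary key fingerprint."""
    expected = normalize(out_of_band)
    # An 8- or 16-digit key ID is only a suffix of the fingerprint, so reject it.
    if not re.fullmatch(r"[0-9A-F]{40}", expected):
        raise ValueError("need a full 40-hex-digit fingerprint, not a key ID")
    return expected in primary_fingerprints(colons)


if __name__ == "__main__":
    spoken = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"  # constructed
    print("fingerprint matches:", key_matches(SAMPLE_COLONS, spoken))
```
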
