Failure to sign with gpgsm
Pedro Pessoa
pessoa at angulosolido.pt
Mon Nov 20 00:47:42 CET 2006
Fixed. Details ahead.
On Thursday 16 November 2006 07:27, Werner Koch wrote:
> On Thu, 16 Nov 2006 01:15, pessoa at angulosolido.pt said:
> > Nope, still the same error:
> > gpgsm: error creating signature: No value <KSBA>
>
> It would be helpful to see the actual output. If you don't want that
> to appear on a public list, send it me by private mail.
After showing the certification chain to Werner, the error source was
identified (gpgsm --dump-chain YOUR_KEY_ID).
The root CA I'm using is bogus because it's missing a basic constraint:
chainLength: [none]
However this did not show up on gpgsm --dump-cert --with-validation. I said
certificate was good.
The workaround is to look up the fingerprint (sha1_fpr) of the offending key.
In the case of /CN=GTE CyberTrust Global Root/OU=GTE CyberTrust Solutions,
Inc./O=GTE Corporation/C=US the fingerprint is
97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
And then making sure that ~/.gnupg/trustlist.txt contains this line:
97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74 S relax
which tells it to ignore the fact that chainLength is not a number nor
"unlimited" like it should.
BTW, this does not work with gnupg <= 1.9.16. In fact, I went through to
version 2.0.0. There it works!
Just a side note, I had to use just one character for my passphrase that
protects the imported certificate, because anything longer would fail the
check afterwards during retrieval. I didn't give it too much attention yet...
Werner, thanks a lot for your help!
Pedro
--
Angulo Sólido - Tecnologias de Informação
http://angulosolido.pt
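
Added example, not part of the original post or of GnuPG: a small audit of trustlist.txt that lists which trusted roots carry the relax flag used in the workaround above, since that flag loosens the checks applied to the root. The function names and all sample entries except the GTE CyberTrust fingerprint are constructed; the parser assumes the usual trustlist.txt layout ("#" comments, optional "!" prefix for a root that is not trusted, flags after the S separated by spaces or commas).

```python
import re

# Constructed sample of ~/.gnupg/trustlist.txt; only the first fingerprint
# comes from the post, the other two entries are made up for illustration.
SAMPLE_TRUSTLIST = """\
# GTE CyberTrust Global Root (fingerprint quoted in the post)
97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74 S relax
# constructed entry: trusted, no flags
00112233445566778899AABBCCDDEEFF00112233 S
# constructed entry: "!" prefix marks the root as explicitly not trusted
!FFEEDDCCBBAA99887766554433221100FFEEDDCC S relax
"""

def normalize_fpr(fpr):
    """Return a SHA-1 fingerprint as 40 upper-case hex digits, or None."""
    cleaned = fpr.replace(":", "").upper()
    return cleaned if re.fullmatch(r"[0-9A-F]{40}", cleaned) else None

def parse_trustlist(text):
    """Map fingerprint -> {'trusted': bool, 'flags': set} for each entry."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        disabled = line.startswith("!")
        fields = line.lstrip("!").split(None, 2)
        fpr = normalize_fpr(fields[0]) if fields else None
        if fpr is None or len(fields) < 2:
            continue  # not a fingerprint line, or the S column is missing
        flags = set(re.split(r"[,\s]+", fields[2].strip())) if len(fields) > 2 else set()
        flags.discard("")
        entries[fpr] = {"trusted": not disabled, "flags": flags}
    return entries

def relaxed_roots(text):
    """Fingerprints of trusted roots whose checks are loosened by 'relax'."""
    return sorted(f for f, e in parse_trustlist(text).items()
                  if e["trusted"] and "relax" in e["flags"])

if __name__ == "__main__":
    for fpr in relaxed_roots(SAMPLE_TRUSTLIST):
        print("relax set on trusted root:", fpr)
```

To check a real file, pass the contents of ~/.gnupg/trustlist.txt to relaxed_roots() and compare each reported fingerprint against the roots you meant to relax.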