Failure to sign with gpgsm

Pedro Pessoa pessoa at
Mon Nov 20 00:47:42 CET 2006

Fixed. Details ahead.

On Thursday 16 November 2006 07:27, Werner Koch wrote:
> On Thu, 16 Nov 2006 01:15, pessoa at said:
> > Nope, still the same error:
> > gpgsm: error creating signature: No value <KSBA>
> It would be helpfukl to see the actual output.  If you don't want that
> to appear on a public list, send it me by private mail.

After showing the certification chain to Werner, the error source was 
identified (gpgsm --dump-chain YOUR_KEY_ID).

The root CA I'm using is bogus because its missing a basic contraint:
  chainLength: [none]
However this did not showed up on gpgsm --dump-cert --with-validation. I said 
certificate was good.

The workaround is to look up the fingerprint (sha1_fpr) of the offending key.
In the case of /CN=GTE CyberTrust Global Root/OU=GTE CyberTrust Solutions, 
Inc./O=GTE Corporation/C=US the fingerprint is 

And the making sure that ~/.gnupg/trustlist.txt contains this line:
97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74 S relax
which tells to ignore the fact that chainLength is not a number nor 
"unlimited" like it should.

BTW, this does not work with gnupg <= 1.9.16. In fact, I went through to 
version 2.0.0. There it works!

Just a side note, I had to use just one character for my passphrase that 
protects the imported certificate, because anything longer would fail the 
check afterwards during retrieval. I didn't gave it too much attention yet...

Werner, thanks a lot for your help!


Angulo Sólido - Tecnologias de Informação

More information about the Gnupg-users mailing list