gpgsm doesn't recognize certs are related to secret keys)
Peter S. May
me at psmay.com
Wed Mar 14 14:52:52 CET 2007
On the one hand, yes, it was a gpg-agent problem. It turned out that
seahorse-daemon was running and screwing up the whole thing.
--list-secret-keys started working once I unset GPG_AGENT_INFO. It
still complained that there was no gpg-agent running, though. Does
gpgsm require a gpg-agent running? I don't recall gpg2 requiring it.
Anyway, I got a gpg-agent up and running and tried again. This is what
happened:
$ gpgsm --sign somefile
dirmngr[4522]: error opening `/home/psmay/.gnupg/dirmngr_ldapservers.conf': No such file or directory
dirmngr[4522]: permanently loaded certificates: 0
dirmngr[4522]: runtime cached certificates: 0
dirmngr[4522]: no CRL available for issuer id <clipped>
dirmngr[4522]: crl_fetch via issuer failed: Configuration error
dirmngr[4522]: command ISVALID failed: Configuration error
gpgsm: certificate #<clipped>/CN=Thawte Personal Freemail Issuing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA
gpgsm: checking the CRL failed: Configuration error
gpgsm: error creating signature: Configuration error <Dirmngr>
I figured that this was a sign that I should disable some checking--it's
my own private key, so there shouldn't be any trust issues, right? So I
tried this:
$ gpgsm --verbose --disable-crl-checks --disable-ocsp --sign somefile
gpgsm: no key usage specified - assuming all usages
gpgsm: no key usage specified - assuming all usages
gpgsm: certificate is good
gpgsm: certificate is good
gpgsm: checking the trust list failed: No such file or directory
gpgsm: error creating signature: No such file or directory <GPG Agent>
The agent log says this:
2007-03-14 09:21:28 gpg-agent[5376] handler 0x808c820 for fd 7 started
gpg-agent[5376.7] DBG: -> OK Pleased to meet you
gpg-agent[5376.7] DBG: <- RESET
gpg-agent[5376.7] DBG: -> OK
gpg-agent[5376.7] DBG: <- OPTION display=:0.0
gpg-agent[5376.7] DBG: -> OK
gpg-agent[5376.7] DBG: <- OPTION ttyname=/dev/pts/0
gpg-agent[5376.7] DBG: -> OK
gpg-agent[5376.7] DBG: <- OPTION ttytype=xterm
gpg-agent[5376.7] DBG: -> OK
gpg-agent[5376.7] DBG: <- OPTION lc-ctype=en_US.UTF-8
gpg-agent[5376.7] DBG: -> OK
gpg-agent[5376.7] DBG: <- OPTION lc-messages=en_US.UTF-8
gpg-agent[5376.7] DBG: -> OK
gpg-agent[5376.7] DBG: <- HAVEKEY <clipped>
gpg-agent[5376.7] DBG: -> OK
gpg-agent[5376.7] DBG: <- ISTRUSTED <clipped>
2007-03-14 09:21:28 gpg-agent[5376] error opening `/usr/local/etc/gnupg/trustlist.txt': No such file or directory
2007-03-14 09:21:28 gpg-agent[5376] error reading list of trusted root certificates
2007-03-14 09:21:28 gpg-agent[5376] command is_trusted failed: No such file or directory
gpg-agent[5376.7] DBG: -> ERR 67141713 No such file or directory <GPG Agent>
gpg-agent[5376.7] DBG: <- [EOF]
2007-03-14 09:21:28 gpg-agent[5376] handler 0x808c820 for fd 7 terminated
Not knowing what to put in trustlist.txt, I gave it a touch just to see
what would happen.
$ gpgsm --verbose --disable-crl-checks --disable-ocsp --sign somefile
gpgsm: no key usage specified - assuming all usages
gpgsm: no key usage specified - assuming all usages
gpgsm: certificate is good
gpgsm: certificate is good
gpgsm: root certificate is not marked trusted
gpgsm: fingerprint=20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85
gpgsm: DBG: BEGIN Certificate `issuer':
gpgsm: DBG: serial: 00
gpgsm: DBG: notBefore: 1996-01-01 00:00:00
gpgsm: DBG: notAfter: 2020-12-31 23:59:59
gpgsm: DBG: issuer: 1.2.840.113549.1.9.1=#<clipped>,CN=Thawte Personal Freemail CA,OU=Certification Services Division,O=Thawte Consulting,L=Cape Town,ST=Western Cape,C=ZA
gpgsm: DBG: subject: 1.2.840.113549.1.9.1=#<clipped>,CN=Thawte Personal Freemail CA,OU=Certification Services Division,O=Thawte Consulting,L=Cape Town,ST=Western Cape,C=ZA
gpgsm: DBG: hash algo: 1.2.840.113549.1.1.4
gpgsm: DBG: SHA1 Fingerprint: 20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85
gpgsm: DBG: END Certificate
gpgsm: after checking the fingerprint, you may want to add it manually to the list of trusted certificates.
gpgsm: interactive marking as trusted not enabled in gpg-agent
gpgsm: error creating signature: Not trusted <GPG Agent>
I added that fingerprint as a line to trustlist.txt, fixed the gpg-agent
config (apparently it didn't have a default pinentry), restarted
gpg-agent (kill -HUP pid didn't do the trick), and suddenly everything
worked.
All this said, here are my questions:
* Why does gpgsm do all of this trust checking just to use a private
key? Why don't private keys already have (the S/MIME equivalent to)
ultimate trust?
* Why didn't I already have a trustlist.txt? Shouldn't the source
install process at least touch the file?
* Is gpg-agent actually necessary for all this? What's wrong with
accepting my passphrase at the console if it's not running? (All right,
I've already gathered that gpg-agent does way more than password
caching, in which case the real question is, why is so much of this
functionality in gpg-agent instead of gpgsm?)
* Is there a user trustlist.txt that can be used instead, or do I need
to edit trustlist.txt as root every time a change needs to be made?
In the meantime, I guess I should figure out how to configure dirmngr,
though it seems a little superfluous. Yet another reason I'll always
prefer OpenPGP to S/MIME, I guess...
Thanks
PSM
Werner Koch wrote:
> On Tue, 13 Mar 2007 23:41, me at psmay.com said:
>
>> $ gpgsm --list-secret-keys
>> /home/psmay/.gnupg/pubring.kbx
>> ----------------------------
>> $
>
> There might be a problem with the gpg-agent. Make sure that gpg-agent
> is running and add
>
> verbose
> debug 1024
> log-file /for/bar/agent.log
>
> to gpg-agent.conf. Give a running gpg-agent a HUP or start it again.
> You may also use
>
> gpg-agent --daemon sh
>
> and do your test within this shell. You should see lines like
>
>
> DBG: <- HAVEKEY D6B7B913F20010E8A68DC14B7B72C296C79C773A
> DBG: -> ERR 67108881 No secret key <GPG Agent>
> DBG: <- HAVEKEY 0DEB2ED35B879151B1EDA067B0F290116C7915EB
> DBG: -> OK
>
> No OK lines? Run
>
> gpgsm --dump-keys
>
> which will show you the keygrip. The keygrip is what you see in the
> gpg-agent requests and they are also the basenames of the files below
> private-keys-v1.d/
>
>
> Salam-Shalom,
>
> Werner
>
>
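The step the mail ends up doing by hand (checking whether a root fingerprint is in trustlist.txt and adding it) as a small shell helper. This is an added example, not code from the mail or from GnuPG: the function names and the sample file are mine, and it assumes the documented trustlist.txt layout (one entry per line, fingerprint followed by the S flag for S/MIME, '#' comments, a leading '!' for an explicitly distrusted root).

```shell
#!/bin/sh
# Added example, not code from the mail or from GnuPG: helpers to check for
# and add an S/MIME root entry in a gpg-agent trustlist.txt. Assumes the
# documented trustlist.txt format: one entry per line, "<SHA-1 fingerprint> S"
# (S = trusted for S/MIME), '#' starts a comment, and a leading '!' on an
# entry marks that root as explicitly NOT trusted. The file path is a
# parameter, so the same helper works for a per-user or the system-wide file.

# Canonical spelling for comparisons: no colons or spaces, upper case.
norm_fpr() {
    printf '%s' "$1" | tr -d ': ' | tr 'abcdef' 'ABCDEF'
}

# trustlist_has_fpr FILE FPR: exit 0 if FILE holds a trusted "S" entry for FPR.
# awk is used instead of a read loop so the result survives the pipeline.
trustlist_has_fpr() {
    [ -f "$1" ] || return 1
    awk -v want="$(norm_fpr "$2")" '
        /^[[:space:]]*(#|$)/ { next }                # comment or blank line
        { fpr = toupper($1); gsub(/:/, "", fpr)      # accept the colon form
          if (substr(fpr, 1, 1) == "!") next         # explicit distrust entry
          if (fpr == want && $2 == "S") { found = 1; exit } }
        END { exit found ? 0 : 1 }' "$1"
}

# trustlist_add_fpr FILE FPR: append "<FPR> S" in plain-hex form unless an
# equivalent trusted entry already exists (idempotent, so safe to re-run).
trustlist_add_fpr() {
    if trustlist_has_fpr "$1" "$2"; then
        return 0
    fi
    printf '%s S\n' "$(norm_fpr "$2")" >> "$1"
}

# Demo on a constructed trustlist in a temp file; the fingerprint added is the
# Thawte root fingerprint that gpgsm printed in the mail above.
demo() {
    f=$(mktemp)
    printf '# constructed sample trustlist.txt\n%s\n' \
        '!0123456789ABCDEF0123456789ABCDEF01234567 S' > "$f"
    trustlist_add_fpr "$f" '20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85'
    trustlist_has_fpr "$f" '209900b63d955728140cd13622d8c687a4eb0085' && echo "root now trusted"
    rm -f "$f"
}
demo
```

Point it at the trustlist.txt gpg-agent actually opens (the agent log in the mail shows which path that is) and HUP or restart the agent afterwards, as the mail found necessary.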