gpgsm and Kmail and X509 certificates

Graeme Nichols gnichols at tpg.com.au
Sun Sep 23 04:20:21 CEST 2007


Werner Koch wrote:
> On Fri, 21 Sep 2007 04:47, gnichols at tpg.com.au said:
<snip>
> Obvious if the p12 file import failed and you didn't create a
> certificate request with gpgsm.

I ran the gpgsm-gencert.sh script and selected "2. Existing key", thinking
that I could use my existing x509 cert. I was then asked for the Keygrip. I
entered that and was then asked for Name (DN), and this is where my ignorance
really shows. What is the DN? Is it a Domain Name? The script failed
with the wrong info for DN (I tried my email address and name).

Now this is the strange and confusing part, gnichols at tpg.com.au.crt
*did* install OK. It is also listed in Kleopatra's key listing. See
following:

[graeme at barney ~]$ gpgsm --import gnichols at tpg.com.au.crt
gpgsm: certificate is good
gpgsm: total number processed: 1
gpgsm:              unchanged: 1
secmem usage: 0/16384 bytes in 0 blocks

Certificate imported OK.

[graeme at barney ~]$ gpgsm --list-secret-keys
/home/graeme/.gnupg/pubring.kbx
-------------------------------
gpgsm: DBG: connection to agent established
secmem usage: 0/16384 bytes in 0 blocks
[graeme at barney ~]$

No certificate listed :-(

> PKCS#12 is a weird format and it is possible that GnuPG will not be able
> to parse it.  However, currently I have no open bugs on this so it
> should work.  The error message would be different from the one you
> got.

[graeme at barney ~]$ GPG_TTY="tty"
[graeme at barney ~]$ export GPG_TTY
[graeme at barney ~]$ gpgsm --import My_Certificate120308.p12
gpgsm: gpg-protect-tool: canceled by user
gpgsm: gpg-protect-tool: cancelled
gpgsm: total number processed: 0
secmem usage: 0/16384 bytes in 0 blocks
[graeme at barney ~]$

I have followed the instructions in the
http://kontact.kde.org/kmail/kmail-pgpmime-howto.php HowTo and I still
get errors, e.g., the command echo "test" | gpg -ase -r 0xDD3AAA7D | gpg,
which should open a graphical password dialog two times (first for
signing (gpg -ase) and then for decryption (| gpg)), gives the following
error:

[graeme at barney .gnupg]$ echo "test" | gpg -ase -r 0xDD3AAA7D | gpg
gpg: NOTE: old default options file `/home/graeme/.gnupg/options' ignored
gpg: NOTE: old default options file `/home/graeme/.gnupg/options' ignored

You need a passphrase to unlock the secret key for
user: "Graeme Nichols (Graeme) <gnichols at tpg.com.au>"
1024-bit DSA key, ID DD3AAA7D, created 2002-11-08

gpg: cancelled by user
gpg: no default secret key: bad passphrase
gpg: [stdin]: sign+encrypt failed: bad passphrase
gpg: processing message failed: eof
[graeme at barney .gnupg]$

The pinentry file is /usr/bin/pinentry. This doesn't seem to work at all.

Also, what config files should I have in ~/.gnupg? There is a whole heap
of config files, most of which I think are not necessary, left over from
earlier versions of gpg.

I am beginning to think that I should remove gpg and kdepim and
re-install to ensure that all dependencies are met. If I do this, what
gpg packages do I need to re-install for X509 support?

Another problem that I just thought of that could be causing problems is
that my earlier versions of gpg were built from a tarball. The Fedora 7
gpg files have been installed from an rpm binary package. Maybe there
are old gpg files lying about causing problems. If that could be the
case, where should I look for old gpg files?

Thanks again for your patience.

-- 

----------------------------------------------------------------------
Kind regards,

Graeme.





