gpgsm and Kmail and X509 certificates
Graeme Nichols
gnichols at tpg.com.au
Sat Sep 22 07:32:05 CEST 2007
Werner Koch wrote:
> On Fri, 21 Sep 2007 04:47, gnichols at tpg.com.au said:
>
>> [graeme at barney ~]$ gpgsm --import My_Certificate120308.p12
>> gpgsm: gpgsm: GPG_TTY has not been set - using maybe bogus default
>> gpgsm: gpg-protect-tool: canceled by user
>
> Your system is not correctly installed. The QT based pinentry might work
> even without knowing the tty, but I am not sure about this. The GTK and
> curses based pinentries definitely need to know the tty. Thus you
> should put this into your .bashrc or whatever sets up the environment
> for a session (gpg-agent does not need to know GPG_TTY):
>
> GPG_TTY=`tty`
> export GPG_TTY
>
>
>> No. there are no files in the ~/.gnupg/private-keys-v1.d/ directory.
>
> Obvious if the p12 file import failed and you didn't create a
> certificate request with gpgsm.

I ran the gpgsm-gencert.sh script and selected 2. Existing key, thinking that
I could use my existing x509 cert. I was then asked for Keygrip. I
entered that and was then asked for Name (DN), and this is where my ignorance
really shows. What is the DN? Is it a Domain Name? The script failed
with the wrong info for DN (I tried my email address and name).

Now this is the strange and confusing part: gnichols at tpg.com.au.crt
*did* install OK. It is also listed in Kleopatra's key listing. See
following:

[graeme at barney ~]$ gpgsm --import gnichols at tpg.com.au.crt
gpgsm: certificate is good
gpgsm: total number processed: 1
gpgsm: unchanged: 1
secmem usage: 0/16384 bytes in 0 blocks
Certificate imported OK.
[graeme at barney ~]$ gpgsm --list-secret-keys
/home/graeme/.gnupg/pubring.kbx
-------------------------------
gpgsm: DBG: connection to agent established
secmem usage: 0/16384 bytes in 0 blocks
[graeme at barney ~]$

No certificate listed :-(

Kleopatra's key listing is in the attachment.

>
>> Does not work as you can see above. Is the backup of my certificate from
>> Mozilla in *.p12 format the same as getting it from CACert in *.p12 format?
>
> Yes.
>
> PKCS#12 is a weird format and it is possible that GnuPG will not be able
> to parse it. However, currently I have no open bugs on this so it
> should work. The error message would be different from the one you
> got.

[graeme at barney ~]$ GPG_TTY="tty"
[graeme at barney ~]$ export GPG_TTY
[graeme at barney ~]$ gpgsm --import My_Certificate120308.p12
gpgsm: gpg-protect-tool: canceled by user
gpgsm: gpg-protect-tool: cancelled
gpgsm: total number processed: 0
secmem usage: 0/16384 bytes in 0 blocks
[graeme at barney ~]$

I have followed the instructions in the
http://kontact.kde.org/kmail/kmail-pgpmime-howto.php HowTo and I still
get errors. E.g., the command echo "test" | gpg -ase -r 0xDD3AAA7D | gpg,
which should open a graphical password dialog two times, first for
signing (gpg -ase) and then for decryption (| gpg), gives the following
error:

[graeme at barney .gnupg]$ echo "test" | gpg -ase -r 0xDD3AAA7D | gpg
gpg: NOTE: old default options file `/home/graeme/.gnupg/options' ignored
gpg: NOTE: old default options file `/home/graeme/.gnupg/options' ignored
You need a passphrase to unlock the secret key for
user: "Graeme Nichols (Graeme) <gnichols at tpg.com.au>"
1024-bit DSA key, ID DD3AAA7D, created 2002-11-08
gpg: cancelled by user
gpg: no default secret key: bad passphrase
gpg: [stdin]: sign+encrypt failed: bad passphrase
gpg: processing message failed: eof
[graeme at barney .gnupg]$

The pinentry file is /usr/bin/pinentry. This doesn't seem to work at all.

Also, what config files should I have in ~/.gnupg? There is a whole heap
of config files most of which I think are not necessary. Left over from
earlier versions of gpg.

I am beginning to think that I should remove gpg and kdepim and
re-install to ensure that all dependencies are met. If I do this what
gpg packages do I need to re-install for X509 support?

Another problem that I just thought of that could be causing problems is
that my earlier versions of gpg were built from a tarball. The Fedora 7
gpg files have been installed from an rpm binary package. Maybe there
are old gpg files lying about causing problems. If that could be the
case where should I look for old gpg files?

Thanks again for your patience.
--
----------------------------------------------------------------------
Kind regards,
Graeme.
----------------------------------------------------------------------
Download my GnuPG public key from:-
http://www.users.tpg.com.au/gnichols/graemenichols.pub
----------------------------------------------------------------------
One monk said to the other, "The fish has flopped out of the net! How
will it live?" The other said, "When you have got out of the net, I'll
tell you."
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Kleopatra-keylisting1.png.gz
Type: application/x-gzip
Size: 40063 bytes
Desc: not available
Url : /pipermail/attachments/20070922/bff07661/attachment-0001.bin
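
Added example (not part of the original thread): a shell check that the value exported as GPG_TTY names a real terminal device, since the GTK and curses pinentries need it, and a literal string such as "tty" is not the same as the output of the tty command. The function names and return codes below are this example's own convention.

```shell
#!/bin/sh
# Classify a candidate GPG_TTY value.
# Return codes (this example's convention, not gpg's):
#   0 = usable terminal device
#   1 = empty or unset
#   2 = not a device path (e.g. the literal string "tty")
#   3 = a device, but not a terminal (e.g. /dev/null)
check_gpg_tty() {
    value=$1
    [ -n "$value" ] || return 1
    # The tty command prints an absolute path such as /dev/pts/0.
    case $value in
        /*) ;;
        *)  return 2 ;;
    esac
    [ -c "$value" ] || return 2
    # "test -t 0" asks whether stdin is a terminal, so point stdin at
    # the candidate device inside a subshell and ask.
    if ( [ -t 0 ] ) < "$value" 2>/dev/null; then
        return 0
    fi
    return 3
}

# Print a one-line diagnosis for a candidate value; always returns 0.
gpg_tty_report() {
    rc=0
    check_gpg_tty "$1" || rc=$?
    case $rc in
        0) echo "GPG_TTY ok: $1" ;;
        1) echo "GPG_TTY is unset or empty" ;;
        2) echo "GPG_TTY='$1' is not a device path; use the output of the tty command" ;;
        3) echo "GPG_TTY='$1' is a device but not a terminal" ;;
    esac
}

# Diagnose the current session.
gpg_tty_report "${GPG_TTY:-}"
```
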