gpgsm and Kmail and X509 certificates

Graeme Nichols gnichols at tpg.com.au
Sat Sep 22 07:32:05 CEST 2007 

Werner Koch wrote:
> On Fri, 21 Sep 2007 04:47, gnichols at tpg.com.au said:
> 
>> [graeme at barney ~]$ gpgsm --import My_Certificate120308.p12
>> gpgsm: gpgsm: GPG_TTY has not been set - using maybe bogus default
>> gpgsm: gpg-protect-tool: canceled by user
> 
> You system is not correctly installed.  The QT based pinentry might work
> even without knowing the tty, but I am not sure about this.  The GTK and
> curses based pinentries definitely need to know the tty.  Thus you
> should put this into your .bashrc or whatever sets up the environment
> for a session (gpg-agent does not need to known GPG_TTY):
> 
>  GPG_TTY=`tty`
>  export GPG_TTY
> 
> 
>> No. there are no files in the ~/.gnupg/private-keys-v1.d/ directory.
> 
> Obvious if the p12 file import failed and you didn't create a
> certificate requests with gpgsm.

I ran gpgsm-gencert.sh script and selected 2. Existing key thinking that 
I could use my existing x509 cert. I was then asked for Keygrip. I 
entered that and then asked for Name (DN) and this is where my ignorance 
really shows. What is the DN? Is it a Domain Name? The script failed 
with the wrong info for DN (I tried my email address and name)

Now this is the strange and confusing part, gnichols at tpg.com.au.crt 
*did* install OK. It is also listed in Kleopatra's key listing. See 
following:

[graeme at barney ~]$ gpgsm --import gnichols at tpg.com.au.crt
gpgsm: certificate is good
gpgsm: total number processed: 1
gpgsm:              unchanged: 1
secmem usage: 0/16384 bytes in 0 blocks

Certificate imported OK.

[graeme at barney ~]$ gpgsm --list-secret-keys
/home/graeme/.gnupg/pubring.kbx
-------------------------------
gpgsm: DBG: connection to agent established
secmem usage: 0/16384 bytes in 0 blocks
[graeme at barney ~]$

No certificate listed :-(

Kleopatra's key listing is in the attachment.

> 
>> Does not work as you can see above. Is the backup of my certificate from 
>> Mozilla in *.p12 format the same as getting it from CACert in *.p12 format?
> 
> Yes. 
> 
> PKCS#12 is a weird format and it is possible that GnuPG will not be able
> to parse it.  However, currently I have no open bugs on this so it
> should work.  The error message would be different from what the one you
> got.

[graeme at barney ~]$ GPG_TTY="tty"
[graeme at barney ~]$ export GPG_TTY
[graeme at barney ~]$ gpgsm --import My_Certificate120308.p12
gpgsm: gpg-protect-tool: canceled by user
gpgsm: gpg-protect-tool: cancelled
gpgsm: total number processed: 0
secmem usage: 0/16384 bytes in 0 blocks
[graeme at barney ~]$

I have followed the instructions in the 
http://kontact.kde.org/kmail/kmail-pgpmime-howto.php HowTo and I still 
get errors. e.g., the command echo "test" | gpg -ase -r 0xDD3AAA7D | gpg 
which should open a graphical password dialog two times. First for 
signing (gpg -ase) and then for decryption (| gpg) gives the following 
error;

[graeme at barney .gnupg]$ echo "test" | gpg -ase -r 0xDD3AAA7D | gpg
gpg: NOTE: old default options file `/home/graeme/.gnupg/options' ignored
gpg: NOTE: old default options file `/home/graeme/.gnupg/options' ignored

You need a passphrase to unlock the secret key for
user: "Graeme Nichols (Graeme) <gnichols at tpg.com.au>"
1024-bit DSA key, ID DD3AAA7D, created 2002-11-08

gpg: cancelled by user
gpg: no default secret key: bad passphrase
gpg: [stdin]: sign+encrypt failed: bad passphrase
gpg: processing message failed: eof
[graeme at barney .gnupg]$

The pinentry file is /usr/bin/pinentry. This doesn't seem to work at all.

Also, what config files should I have in ~/.gnupg? There is a whole heap 
of config files most of which I think are not necessary. Left over from 
earlier versions of gpg.

I am beginning to think that I should remove gpg and kdepim and 
re-install to ensure that all dependencies are met. If I do this what 
gpg packages do I need to re-install for X509 support?

Another problem that I just thought of that could be causing problems is 
that my earlier versions fo gpg were built from a tarball. The Fedora 7 
gpg files have been installed from an rpm binary package. Maybe there 
are old gpg files lying about causing problems. If that could be the 
case where should I look for old gpg files?

Thanks again for your patience.

-- 

----------------------------------------------------------------------
Kind regards,

Graeme.
----------------------------------------------------------------------
Download my GnuPG public key from:-
http://www.users.tpg.com.au/gnichols/graemenichols.pub
----------------------------------------------------------------------

One monk said to the other, "The fish has flopped out of the net! How 
will it live?" The other said, "When you have got out of the net, I'll 
tell you."
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Kleopatra-keylisting1.png.gz
Type: application/x-gzip
Size: 40063 bytes
Desc: not available
Url : /pipermail/attachments/20070922/bff07661/attachment-0001.bin

More information about the Gnupg-users mailing list