unusable public key?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Jun 29 17:19:58 CEST 2009

Hi Debbie--

On 06/29/2009 09:12 AM, Deborah.Mitchell at uticanational.com wrote:
> We have imported a public key from a business partner but when trying to 
> use it to encrypt a file we receive an error, "unusable public key" 
> When I list the keys I see the pub and uid but no sub for this key.  Can 
> someone help me figure out what needs to be done to correct this? 

There are a couple different possible reasons why the key might be
unusable.  Without knowing about the specific key in question, we
probably can't give you specific advice.  But here are a few likely

 * the public key is marked as being only valid for signing and
certification, but not encryption.  (you can see this by doing:
   "gpg --edit-key $KEYID", which will show you something like this:

pub  2048R/ABCD1234  created: 2007-06-02  expires: 2012-05-31  usage: SC
                     trust: unknown       validity: full

(you can type "quit" at the "Command>" prompt to get out of this gpg mode)

the "usage: SC" (at the end of the top line means "signing and
certification only".  If this is the case, your correspondent will need
to create an encryption-capable subkey and bind it to their primary key.
 They can do this with "gpg --edit-key $KEYID", and then use the
"addkey" subcommand, which will walk them through the necessary steps to
create an encryption-capable subkey.

Once they've done this, they should get their updated key to you.  the
easiest way to do this is to publish the updated key to the keyserver.
so they would do:

  gpg --keyserver keys.gnupg.net --send $KEYID

and you (after waiting about 10 minutes for the key to propagate across
the entire keyserver pool) would then do:

  gpg --keyserver keys.gnupg.net --recv $KEYID

If they don't want their key on the keyserver, they can export their key
to a file and mail it to you:

  gpg --armor --export $KEYID

and paste the output into an e-mail.

When you receive that e-mail, just save it to a file, and feed it into
"gpg --import" (e.g. "gpg --import saved-file.txt")

 * another possibility is that the key or its subkeys are expired.  In
this case, the keyholder may need to update the expiration date on their
key (if it's still secure), or they may want to generate a new key and
send it to you (preferably certified by the old key), so you can verify it.

hope this helps,


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 890 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20090629/2f4cc18a/attachment.pgp>

More information about the Gnupg-users mailing list