A lot of questions about CERT, PKA and make-dns-cert

Dan Mahoney, System Admin danm at prime.gushi.org
Wed Oct 21 04:55:03 CEST 2009

On Thu, 15 Oct 2009, David Shaw wrote:

> On Oct 15, 2009, at 9:37 PM, Dan Mahoney, System Admin wrote:
>> I'm running:
>> echo foo | gpg -v -v --auto-key-locate cert --recipient gushi at gushi.org --encrypt -a
>> And get gpg: error retrieving `gushi at gushi.org' via DNS CERT: No fingerprint
>> I exported my key with:
>> gpg --export --export-options minimal > file; and make-dns-cert -n gushi.gushi.org -f file
> It works fine for me.  What version of GPG are you using?

I tried this again, after I nuked the "fingerprint" cert record.

Oddly, running on gpg2 on an older Debian system, I get:

# echo "foo" | gpg2 -v -v --auto-key-locate cert --encrypt -r gushi at gushi.org
gpg: no keyserver known (use option --keyserver)
gpg: error retrieving `gushi at gushi.org' via DNS CERT: General error
gpg: gushi at gushi.org: skipped: General error
gpg: [stdin]: encryption failed: General error

That first line specifically makes me scratch my head a bit.

(The gpg manpage also appears to be a bit corrupted on this system).

On my BSD system, I get what you see at http://www.gushi.org/gpg.txt.  It 
retrieves the key, but complains of "no fingerprint"; however, it actually 
DOES import the key, so it works a second time.  If you require a shell to 
play with this, let me know and I'll provide one.  With the demise of 
Thawte's free cert offering, I'd really like to do what I can to increase 
awareness of this stuff.

On my Ubuntu desktop, it works fine.

I suspect strongly that this feature doesn't get the most broad platform 
testing.  Let me know if you'd like to help.
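The two record shapes this thread is debugging, a CERT RR of type PGP carrying the exported key and the type IPGP "fingerprint" record that got removed, as an added Python example that is not from the thread or from GnuPG: it builds and parses the RFC 4398 RDATA and lints an IPGP record for the missing-fingerprint case. The owner name, key bytes, fingerprint and URL are constructed, and the `TYPE37 \#` generic presentation is assumed to match what make-dns-cert prints.

```python
import struct
# CERT types (RFC 4398 s2.1): PGP carries the whole key, IPGP a fingerprint + optional URL.
CERT_PGP = 3
CERT_IPGP = 6

def encode_cert_rdata(cert_type, certificate, key_tag=0, algorithm=0):
    """Wire RDATA: type(2) | key tag(2) | algorithm(1) | certificate; PGP types use 0/0."""
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + certificate

def encode_ipgp_body(fingerprint, url=b""):
    """IPGP certificate field: one length octet, the fingerprint, then an optional URL."""
    return bytes([len(fingerprint)]) + fingerprint + url   # raises if fp > 255 octets

def to_generic_rr(owner, rdata):
    """RFC 3597 generic form (assumed to match make-dns-cert output): TYPE37 \\# len hex."""
    return f"{owner} TYPE37 \\# {len(rdata)} {rdata.hex()}"

def decode_cert_rdata(rdata):
    """Parse RDATA into a dict, refusing truncated structures instead of guessing."""
    if len(rdata) < 5:
        raise ValueError("RDATA shorter than the 5-octet fixed header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    rec = {"type": cert_type, "key_tag": key_tag, "algorithm": algorithm}
    body = rdata[5:]
    if cert_type == CERT_PGP:
        rec["key"] = body
    elif cert_type == CERT_IPGP:
        if not body:
            raise ValueError("IPGP record lacks the fingerprint length octet")
        n = body[0]
        if len(body) < 1 + n:
            raise ValueError("IPGP fingerprint truncated")
        rec["fingerprint"] = body[1:1 + n]
        rec["url"] = body[1 + n:].decode("ascii")
    return rec

def ipgp_problems(rec):
    """Lint a decoded IPGP record; an empty list means nothing obviously wrong."""
    problems = []
    if not rec["fingerprint"]:           # URL-only record: nothing to match a key against
        problems.append("no fingerprint")
    elif len(rec["fingerprint"]) != 20:  # v4 OpenPGP fingerprints are 20 octets
        problems.append("fingerprint is not 20 octets")
    if rec["key_tag"] or rec["algorithm"]:
        problems.append("key tag and algorithm should be 0 for PGP types")
    return problems
# Constructed sample data; not a real key, fingerprint or URL.
SAMPLE_KEY = b"\x99\x01\x0d\x04" + bytes(range(32))
SAMPLE_FP = bytes.fromhex("0123456789abcdef" * 2 + "01234567")
SAMPLE_URL = b"https://example.org/pgp/key.asc"
```

Feeding `to_generic_rr` output into a zone and then decoding what the resolver returns with `decode_cert_rdata` lets you confirm the published record round-trips before blaming the gpg side.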