Encrypting using gpgsm and self-signed certificates

Daniel Farina drfarina at acm.org
Sun Dec 25 01:23:45 CET 2011


Hello list,

I've been integrating GPG into a backup utility, and while OpenPGP
works as expected, I'm having some trouble with trying to also enable
self-signed x509 certs via gpgsm as a mechanism for encryption.
Unfortunately all I get back from gpgsm is "No Value".  The output of
a gpgsm invocation without an agent running (so that all output is in
one place) is as follows:

$ gpgsm -v --debug-level=guru -r 'A17951D33720CCE03E1065ABB7BBC16CC11CCBB9' -e < /dev/urandom
gpgsm: enabled debug flags: x509 mpi crypto memory cache memstat hashing assuan
gpgsm: no key usage specified - assuming all usages
gpgsm: DBG: BEGIN Certificate `target':
gpgsm: DBG:      serial: 00A5BAF1300BFAC1B8
gpgsm: DBG:   notBefore: 2010-02-04 03:35:35
gpgsm: DBG:    notAfter: 2020-02-02 03:35:35
gpgsm: DBG:      issuer: CN=ubuntu
gpgsm: DBG:     subject: CN=ubuntu
gpgsm: DBG:   hash algo: 1.2.840.113549.1.1.5
gpgsm: DBG:   SHA1 Fingerprint:
A1:79:51:D3:37:20:CC:E0:3E:10:65:AB:B7:BB:C1:6C:C1:1C:CB:B9
gpgsm: DBG: END Certificate
gpgsm: can't connect to the agent - trying fall back
gpgsm: no running gpg-agent - starting one
gpgsm: DBG: connection to agent established
gpgsm: validation model used: shell
gpgsm: can't encrypt to `A17951D33720CCE03E1065ABB7BBC16CC11CCBB9': No value
random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
secmem usage: 0/16384 bytes in 0 blocks

It looks like I'm not the only one who has been scratching his head
when happening upon this error condition, although I think my
situation appears slightly different:

http://lists.gnupg.org/pipermail/gnupg-devel/2009-April/024937.html

I also tried to make use of
http://lists.gnupg.org/pipermail/gnupg-users/2004-September/023247.html,
but somehow I feel there is a gap in documentation here for the really
simple case of: "I have a self signed certificate.  I trust it.
Encrypt with it", and doing the most obvious thing (--import-key,
--encrypt --recipient $FINGERPRINT) fails.  By contrast, it's more or
less straightforward to generate an OpenPGP key, trust it, and then
encrypt an archive with it, and that works as expected.

Cheers,

--
fdr
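The "I have a self-signed certificate, I trust it, encrypt with it" step the post says is under-documented, as an added example that is not part of the original message: gpgsm's "shell" validation model (the one the debug output names) takes its trusted roots from gpg-agent's trustlist.txt, one "<fingerprint> S" line per certificate, so the script below records the certificate's SHA-1 fingerprint there and reloads the agent. The fingerprint is the one from the post; the trustlist path and the --disable-crl-checks probe are assumptions, and whether this clears the "No value" error for that particular certificate is not something the post establishes.

```shell
#!/bin/sh
# Added example, not from the original post. Marks a self-signed X.509
# certificate as a trusted root for gpgsm's "shell" model by adding its
# SHA-1 fingerprint to gpg-agent's trustlist.txt ("<fpr> S"), then reloads
# the agent. Assumed paths: $GNUPGHOME or ~/.gnupg.

# Normalise a fingerprint: strip colons/spaces, upper-case, require 40 hex digits.
norm_fpr() {
    f=$(printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F')
    case "$f" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#f}" -eq 40 ] || return 1
    printf '%s' "$f"
}

# Re-insert colons between byte pairs, the way gpgsm prints fingerprints.
colon_fpr() {
    printf '%s' "$1" | sed 's/../&:/g; s/:$//'
}

# Idempotently add "<fpr> S" to a trustlist file. Returns 0 if the entry is
# present afterwards, 1 if the fingerprint is malformed.
trust_selfsigned() {
    list=$1
    fpr=$(norm_fpr "$2") || return 1
    cfpr=$(colon_fpr "$fpr")
    touch "$list"
    if ! grep -qi "^$cfpr" "$list"; then
        printf '%s S\n' "$cfpr" >> "$list"
    fi
    grep -qi "^$cfpr" "$list"
}

# Apply to the live agent and probe encryption; only meaningful where gpgsm
# and the certificate are actually installed (the fingerprint is the post's).
apply_and_probe() {
    trust_selfsigned "${GNUPGHOME:-$HOME/.gnupg}/trustlist.txt" "$1" || return 1
    gpgconf --reload gpg-agent || return 1
    # CRL checks are skipped here because a self-signed cert has no CRL issuer.
    printf 'probe' | gpgsm --disable-crl-checks -e -r "$1" > /dev/null
}

# Usage: apply_and_probe A1:79:51:D3:37:20:CC:E0:3E:10:65:AB:B7:BB:C1:6C:C1:1C:CB:B9
```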
