Encrypting using gpgsm and self-signed certificates

Werner Koch wk at gnupg.org
Mon Dec 26 14:57:15 CET 2011

On Sun, 25 Dec 2011 01:23, drfarina at acm.org said:

> self-signed x509 certs via gpgsm as a mechanism for encryption.
> Unfortunately all I get back from gpgsm is "No Value".  The output of

That is a misleading error message.  You should also enable gpg-agent
logging in gpg-agent.conf to see the real problem.

> $ gpgsm -v --debug-level=guru -r
> 'A17951D33720CCE03E1065ABB7BBC16CC11CCBB9' -e < /dev/urandom

Surely you are joking, Daniel.  Encrypting an endless random stream is
not very practical ;-).

> --encrypt --recipient $FINGERPRINT) fails.  By contrast, it's more or
> less straightforward to generate an OpenPGP key, trust it, and then
> encrypt an archive with it, and that works as expected.

Welcome to the world of X.509.  More seriously, the problem is that you
need to trust a given certificate and X.509 requires a PKI for it.  Thus
you need some kind of root certificate which is flagged as trusted.
With the proper options (gpg-agent's --allow-mark-trusted) you can do
that for a self-signed certificate.  In theory we could add a validation
model to gpgsm which always trusts a certificate.  In 2.1beta3, we added
the validation model "seed" which does something like this.  It trusts
all root certificates with a special attribute.  If you add this this
attribute to your certificate you are done.  However, the actual idea
behind that feature is, that you use a well known private key and
certifciate to issue your certificates (dubbed, the STEED Self-Signing
Nonthority).  In the end it is the same as a self-signed certificate.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-users mailing list