Why is "--allow-non-selfsigned-uid" needed to import this key?
Steve Strobel
steve.strobel at link-comm.com
Mon May 16 19:32:15 CEST 2011
I am using gnupg to encrypt and sign a file transferred from a
server to an embedded client. I generated a 2048 bit RSA keypair on
the server (using gpg V1.4.6) with "gpg --gen-key" and got the output:

    gpg: key CBF38289 marked as ultimately trusted
    public and secret key created and signed.

I exported it with "gpg --output test-key.gpg --export --armor CBF38289",
transferred the file to the client and tried to import it
using gpg V1.4.11 (the embedded device doesn't have a real-time clock):

    root:~> gpg --import test-key.gpg
    gpg: key CBF38289 was created 137948617 seconds in the future (time warp or clock problem)
    gpg: key CBF38289 was created 137948617 seconds in the future (time warp or clock problem)
    gpg: key CBF38289: no valid user IDs
    gpg: this may be caused by a missing self-signature
    gpg: Total number processed: 1
    gpg: w/o user IDs: 1

I can import it using the "--allow-non-selfsigned-uid" option:

    root:~> gpg --import --allow-non-selfsigned-uid test-key.gpg
    gpg: key CBF38289 was created 137948550 seconds in the future (time warp or clock problem)
    gpg: key CBF38289 was created 137948550 seconds in the future (time warp or clock problem)
    gpg: key CBF38289: accepted non self-signed user ID "Test User (do not use) <test_user at gmail.com>"
    gpg: key CBF38289 was created 137948550 seconds in the future (time warp or clock problem)
    gpg: key CBF38289: public key "Test User (do not use) <test_user at gmail.com>" imported
    gpg: Total number processed: 1
    gpg: imported: 1 (RSA: 1)

I have tried a variety of things but been unable to get import to
work without using "--allow-non-selfsigned-uid". When the key was
created, the output indicated it was signed. When I edit it, the
output looks like this:

    Secret key is available.
    pub 2048R/CBF38289 created: 2011-05-16 expires: never usage: SC
    trust: ultimate validity: ultimate
    [ultimate] (1). Test User (do not use) <test_user at gmail.com>

What am I missing? I presume that there are security implications of using
"--allow-non-selfsigned-uid"? Thanks for any suggestions.
Steve
---
Steve Strobel
Link Communications, Inc.
1035 Cerise Rd
Billings, MT 59101-7378
(406) 245-5002 ext 102
(406) 245-4889 (fax)
WWW: http://www.link-comm.com
MailTo:steve.strobel at link-comm.com
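
An added example, not part of the original post: a Python triage of gpg import output that reports the clock skew gpg measured and whether a user ID was accepted without a verified self-signature. The sample lines are copied from the two import runs in the post; the function name, field names and verdict strings are hypothetical.

```python
import re

SKEW_RE = re.compile(r"gpg: key ([0-9A-F]+) was created (\d+) seconds in the future")
NO_UID_RE = re.compile(r"gpg: key ([0-9A-F]+): no valid user IDs")
UNSIGNED_RE = re.compile(r'gpg: key ([0-9A-F]+): accepted non self-signed user ID "(.*)"')
IMPORTED_RE = re.compile(r'gpg: key ([0-9A-F]+): public key "(.*)" imported')

# Output copied from the two import runs in the post above.
FAILED_RUN = """\
gpg: key CBF38289 was created 137948617 seconds in the future (time warp or clock problem)
gpg: key CBF38289: no valid user IDs
gpg: this may be caused by a missing self-signature
"""
FORCED_RUN = """\
gpg: key CBF38289 was created 137948550 seconds in the future (time warp or clock problem)
gpg: key CBF38289: accepted non self-signed user ID "Test User (do not use) <test_user at gmail.com>"
gpg: key CBF38289: public key "Test User (do not use) <test_user at gmail.com>" imported
"""


def triage_import(output):
    """Summarise one `gpg --import` run per key ID (hypothetical helper)."""
    report = {}
    for line in output.splitlines():
        m = (SKEW_RE.match(line) or NO_UID_RE.match(line)
             or UNSIGNED_RE.match(line) or IMPORTED_RE.match(line))
        if not m:
            continue
        key = report.setdefault(m.group(1), {"skew_seconds": 0, "rejected": False,
                                             "imported": False, "unverified_uids": []})
        if m.re is SKEW_RE:
            key["skew_seconds"] = max(key["skew_seconds"], int(m.group(2)))
        elif m.re is NO_UID_RE:
            key["rejected"] = True
        elif m.re is UNSIGNED_RE:
            key["unverified_uids"].append(m.group(2))
        else:
            key["imported"] = True
    for key in report.values():
        # gpg treats a key dated after "now" as a time conflict, so on a clock-less
        # device the self-signature cannot validate until the clock is set.
        if key["unverified_uids"]:
            key["verdict"] = "imported, user ID binding NOT verified"
        elif key["rejected"] and key["skew_seconds"]:
            key["verdict"] = "rejected, local clock behind key creation time"
        elif key["rejected"]:
            key["verdict"] = "rejected, no valid self-signature"
        else:
            key["verdict"] = "imported" if key["imported"] else "unknown"
    return report
```

Setting the device clock before the import, or using gpg's `--ignore-time-conflict`, addresses the timestamp check while keeping self-signature verification in place.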