Why is "--allow-non-selfsigned-uid" needed to import this key?
steve.strobel at link-comm.com
Mon May 16 22:12:42 CEST 2011
At 12:50 PM 5/16/2011, Robert J. Hansen wrote:
>On Mon, 16 May 2011 11:32:15 -0600, Steve Strobel
><steve.strobel at link-comm.com> wrote:
> > root:~> gpg --import test-key.gpg
> > gpg: key CBF38289 was created 137948617 seconds in the future
> > (time warp or clock problem)
>This is exactly what it sounds like: according to your certificate, it was
>created about five and a half months from now. To GnuPG, that sounds
>like something's hinky and it refuses to allow it to be imported. You've
>managed to get around it by telling GnuPG, "listen, fine, strip off the
>hinky signature: /now/ will you accept it?"
>And in that case, sure, GnuPG will: but the consequence of it is you've
>got a UID that's missing a signature. Hence, "allow-nonselfsigned-uid"
>must be passed on the command line.
Thanks for the tip. Just setting the date on the embedded device
before importing the key made it work without "--allow-non-selfsigned-uid".
That still leaves me without a straightforward solution, though. The
embedded device doesn't have a battery-backed clock and doesn't need
one. It will sometimes have Internet access and could potentially
use NTP when available to set the date. That seems like a lot of
extra complexity just to import a key. The user interface doesn't
make it easy to ask the user for the date. What would the security
implications be of just setting the clock to a fixed future date
before importing the key?
 As an undergraduate Prof. Hill once mused to me, "Math is funny. You
>tell someone how many seconds are in a year, they forget it immediately.
>You tell them that accurate to half a percent there are pi seconds in a
>nanocentury and they remember it for life." He was right, I've never
>forgotten, and that's made it easy to remember there are 31.4 million (3.14
>* 10**7) seconds in a year. 13.8 million / 31.4 million = 137/314 = 0.44
>of a year, * 12 = five and a half months, more or less. Not really
>relevant to GnuPG, but a handy factoid for timestamp calculations, if you
>ever need to do them in a hurry.
That is a great way to remember. Now if remembering names was just as easy...
Link Communications, Inc.
1035 Cerise Rd
Billings, MT 59101-7378
(406) 245-5002 ext 102
(406) 245-4889 (fax)
MailTo:steve.strobel at link-comm.com
More information about the Gnupg-users