decryption trouble - primary/subkey confusion, maybe version issues?
mhannemann at meperia.com
Mon Jun 18 21:37:27 CEST 2012
I've searched the FAQ and the mailing list archives, and I don't see an answer to this question, so I will ask it here...
I'm having trouble sending an encrypted file to a collaborator -- even though they've sent me files that I've been able to decrypt.
Here's what they see, with their keys replaced -- TsTs = their subkey, TpTp = their primary key.
pub 2048R/F7A48B98 2012-05-22 usage: SC
sub 2048R/BE7A105E 2012-05-22 usage: E
And my collaborator:
pub 1024D/TpTpTpTp 1999-04-08 usage: SCA
sub 2048g/TsTstsTs 1999-04-08 usage: E
gpg: public key is TsTsTsTs
[GNUPG:] ENC_TO xxxxxx--TsTsTsTs 16 0
gpg: using subkey TsTsTsTs instead of primary key TpTpTpTp
gpg: encrypted with 2048-bit ELG-E key, ID TsTsTsTs, created 1999-04-08
[GNUPG:] NO_SECKEY xxxxxx--TsTsTsTs
gpg: decryption failed: secret key not available [GNUPG:] END_DECRYPTION
My question is ... what is going on here? Why can't they decrypt this file, when they were able to send me a file that I could decrypt?
Their technical guy wrote me to say that when sending files, I should be using primary key ID TpTpTpTp. But, so far as I can tell, everything here is working as designed, and there's no way I *can* specifically say "use TpTpTpTp". However, they say they haven't had any problems with anyone else, and the system has been working for years.
Data I've gathered:
1. Using --edit-key, I did compare fingerprints and have validated the fingerprint they sent me.
2. Early on, it appears that they had somehow used the wrong key for me. I don't know where that came from, but once identified, I resent my key and they processed it, and I've been able to decrypt files they've sent to me since then.
3. I have a suspicion there are two pathways for them -- an automated system which picks up files & decrypts them, and their IT group trying to debug issues on the other side of the connection.
4. When they sent me their key, I noticed it was exported with GnuPG 1.0.6 (SunOS). I'm using 1.4.12 on Mac and 1.4.10 on Ubuntu.
5. I accepted the default (RSA + RSA) version for key generation. Is that a problem with an older GnuPG variant? I wouldn't think that's the issue.
What questions can I ask them which will help shed light on this situation? Is it possible that I'm doing something wrong? I've created a test account with its own gpg keys, and have successfully sent files both directions on my own machine.
More information about the Gnupg-users