GPG cannot import public key

David Shaw dshaw at
Thu Apr 24 19:55:07 CEST 2014

On Apr 24, 2014, at 9:15 AM, helices <gpg at> wrote:

> Thank you, for your response.
> [1] 
> Version: Encryption Desktop 10.3.0 (Build 8741)



Interesting!  This definitely has a selfsig, but the key itself is very odd.  It's an RSA sign-only key, which is deprecated in OpenPGP.  The subkey is similarly odd - an RSA encrypt-only key, also deprecated.  The header says it came from "Encryption Desktop", which is a Symantec product (well, it is now).  I don't know why that key is using deprecated key types, but certainly something is odd there.

RFC-4880 (published back in 2007) says:

   RSA Encrypt-Only (2) and RSA Sign-Only are deprecated and SHOULD NOT be
   generated, but may be interpreted.

Weirder, the selfsig says it's an RSA signature (not RSA_S), so you have the odd situation of a key (RSA_S) and its self-sig (RSA) being from different algorithms.

So, it's legal for GPG to not accept this key (using deprecated algorithms), though the error message you got seems misleading to me.

> [2] Interestingly enough, importing this key with "gpg (GnuPG) 1.4.5" is successful:
> # gpg --import /tmp/imps.asc
> gpg: key 845F5188: public key "Concerto Support Key < at>" imported
> gpg: Total number processed: 1
> gpg:               imported: 1  (RSA: 1)

GPG 1.4.5 treats RSA_S and RSA_E as identical to RSA for existing keys, but does not allow generating them.  This is legal as per the spec (i.e. don't generate them, but it's optional to use them).

I'm afraid I don't have immediate access to the GPG 2.x code base to check, but I wonder if your problem is simply that 2.x doesn't accept RSA_S and RSA_E keys?
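
The algorithm IDs discussed in this message can be read directly from the key's packets. The following is an added example, not part of the original post and not GnuPG code: it walks a binary (dearmored) OpenPGP key and reports the public-key algorithm of each key and signature packet. The function names and the sample bytes are constructed for illustration.

```python
import io

# Added example: list the public-key algorithm IDs (RFC 4880 section 9.1) in a binary OpenPGP key.
ALGOS = {1: "RSA", 2: "RSA_E (deprecated)", 3: "RSA_S (deprecated)", 16: "Elgamal", 17: "DSA"}
TAGS = {2: "signature", 6: "public key", 14: "public subkey"}

def packets(data):
    """Yield (tag, body) per packet; partial/indeterminate lengths are rejected."""
    buf = io.BytesIO(data)
    while hdr := buf.read(1):
        hdr = hdr[0]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                        # new-format header
            tag, first = hdr & 0x3F, buf.read(1)[0]
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + buf.read(1)[0] + 192
            elif first == 255:
                length = int.from_bytes(buf.read(4), "big")
            else:
                raise ValueError("partial body length not supported")
        else:                                 # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            length = int.from_bytes(buf.read(1 << ltype), "big")  # 1, 2 or 4 octets
        yield tag, buf.read(length)

def algo_of(tag, body):
    """Return the public-key algorithm ID of a key or signature packet, else None."""
    if tag in (6, 14):   # v4: version, 4-byte time, algo; otherwise assume v3 (2-byte validity)
        return body[5] if body[0] == 4 else body[7]
    if tag == 2:         # v4: version, type, algo; otherwise assume v3 (algo after 8-byte key ID)
        return body[2] if body[0] == 4 else body[15]
    return None

def audit(data):
    """Return (packet kind, algorithm ID, algorithm name) for each key/signature packet."""
    found = ((tag, algo_of(tag, body)) for tag, body in packets(data))
    return [(TAGS[t], a, ALGOS.get(a, "other")) for t, a in found if a is not None]

# Constructed sample (headers only): RSA_S key, user ID, RSA self-signature, RSA_E subkey.
SAMPLE = (bytes([0x99, 0, 6, 4, 0, 0, 0, 0, 3]) + b"\xb4\x01x"
          + bytes([0x88, 4, 4, 0x13, 1, 2]) + bytes([0xb9, 0, 6, 4, 0, 0, 0, 0, 2]))

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

On the constructed sample this reports algorithm 3 for the primary key, 1 for its self-signature and 2 for the subkey, which is the mismatch described above.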

