How to join pubring.kbx and pubring.gpg?

Juan Miguel Navarro Martínez juanmi.3000 at
Wed Jun 14 19:21:00 CEST 2017

On 2017-06-14 at 16:04, Binarus wrote:

> 1) gpgsm seems to be the only tool which can be used to extract public
> keys or convert certificates from the .p7b format to the format needed
> by GPG. Fortunately, gpgsm is included in the gpg4win package, so I
> could use it on my system.
As far as I know, GPGSM is a GPG tool to use X.509 certificates. That's
not the OpenPGP protocol. With this said...

> 2) But whatever I did, I could not see the new public keys in the key
> list gpg shows. So I tracked the issue further down and noticed:
> gpg -k correctly lists the keys I have currently in use, but not the
> new, imported key.
> gpgsm -k correctly lists the new key, but not the keys I have currently
> in use.
... even if your GnuPG installation used .kbx format -which mine does-,
gpg will still show only OpenPGP keys while gpgsm will show x509 keys.

> 3) [...]
> So I closed Thunderbird and deleted pubring.gpg for testing purposes.
> According to the post mentioned above, GPG then should have used
> pubring.kbx instead of pubring.gpg, so I expected to see the new,
> imported key when issuing gpg -k.
> But instead, gpg -k generated a new (empty) pubring.gpg instead of using
> pubring.kbx.
> 4) I have found no way to make GPG use pubring.kbx although I have
> double checked that I am using the most recent version of gpg4win,
> meaning that I am using gpg2. I also have double checked the
> installation directory; there is no gpg.exe, but there is gpg2.exe (and
> gpgv2.exe, whatever that might be). So it should use pubring.kbx,
> shouldn't it?

For GnuPG to use KBX format, you must have the modern branch which is
2.1 and later. For that, you need to use the experimental version of

It should be very stable both with Kleopatra and gnupg in command line,
but if you find an error or bug please inform to the respective channel.

More info on how and where to report bugs here:

> 5) I have found no way to convert pubring.kbx to pubring.gpg, or to join
> them.

After you download the experimental version, you must do the follow:

1. The first time you use gpg -K (and maybe gpg -k), GnuPG will
automatically convert the keys in secring.gpg to the new format which is
storing the secret parts in individual files in
%AppData%\gnupg\private-keys-v1.d (if you changed GNUPGHOME then this
may differ and it should be in %GNUPGHOME%\private-keys-v1.d\).
You can then delete your secring.gpg file if the secret keys conversion
has been successful as it won't be used anymore. This is only for
OpenPGP keys as x509 secret keys as far as I know have always used the
private-keys-v1.d folder and pubring.kbx file.

2. As you imported the x509 key and so you have a pubring.kbx, you won't
be able to see the OpenPGP stored in pubring.gpg as it will prefer the
.kbx format over the .gpg. To import those keys, you should be able to
execute gpg --import X:\Path\To\pubring.gpg and it should start
importing the keys to the new format.
Renaming pubring.gpg to publickeys and then using gpg --import
publickeys is also a good idea if you didn't have a pubring.kbx to begin

I must remind you that your partner's key will still be a X.509 key and
so you'll still need to use GPGSM to list, verify messages from and
encrypt message to that key but now both public OpenPGP and X.509 keys
will be stored in pubring.kbx.

Juan Miguel Navarro Martínez

GPG Keyfingerprint:
5A91 90D4 CF27 9D52 D62A
BC58 88E2 947F 9BC6 B3CF

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20170614/14c7a393/attachment.sig>

More information about the Gnupg-users mailing list