On 2011.08.22. 15:18, yyy wrote:
> On 2011.08.22. 15:03, Werner Koch wrote:
>> On Mon, 22 Aug 2011 11:07, y...@yyy.id.lv said:
>>
>>> How to verify if a certificate (in keyring) is valid?
>> gpgsm -k --with-validation USERID
>>
>> without USERID all certificates are validated. In case you want to skip
>> CRL checks, add the option --disable-crl-checks.
> This produced error:
> [certificate is bad: No value]
> Rest of data about certificate, were fine (ID, S/N, Issuer, Subject,
> validity, key type, chain length, fingerprint)
>
> What does it mean? Attempts to encrypt to this USERID also produced
> error "No value"

Few more updates.

If using gpgsm -k --with-validation (without providing a USERID), it also provides
fingerprint: 81:4A:73:CC:AB:BC:41:Dgpgsm: dirmngr cache-only key lookup failed : Not found
3:D7:99:0F:A3:C0:75:AB:E0:D5:6C:AE:DD

That certificate is a self-signed certificate, and it seems that gpgsm is trying to find it in some external file (not in keyring).

In addition to --with-validation, used --disable-crl-checks, --disable-policy-checks, but these did not change anything.

Also, searching Google for "[certificate is bad: No value]" produced one result from this list, from 2006:
http://lists.gnupg.org/pipermail/gnupg-devel/2006-September/023160.html (google result)
Further in that thread, there was a message:
http://lists.gnupg.org/pipermail/gnupg-devel/2006-September/023175.html

This certificate does not have BasicConstraints, maybe this is a cause of error?

Imported another root certificate, this had BasicConstraints set. Import of it went differently, there was a popup asking if I want to trust it (when importing first certificate, it did not ask anything).
For that certificate, gpgsm -k --with-validation --disable-crl-checks went without errors.
Encryption using such IDs worked.

So, the main problem seems to be (lack of) presence of BasicConstraints in certificate.

Is it possible to override check for BasicConstraints? Is it a bug?

--ignore-cert-extensions <> cannot be used, because the problem is lack of presence of extension, not presence of extension.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
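
Added example (not part of the original post and not GnuPG code): a standard-library Python check that reports whether a DER-encoded certificate carries the BasicConstraints extension (OID 2.5.29.19) and its cA flag, which is the difference the post observes between the two root certificates. The helper names and the constructed skeleton certificates are assumptions for illustration; the code does not reproduce gpgsm's validation logic.

```python
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # DER content of OID 2.5.29.19

def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def basic_constraints_ca(cert_der):
    """Return None if BasicConstraints is absent, else the cA flag (bool)."""
    _, cert, _ = read_tlv(cert_der, 0)
    tbs = children(cert)[0][1]             # tbsCertificate
    for tag, val in children(tbs):
        if tag != 0xA3:                    # [3] EXPLICIT extensions
            continue
        for _, ext in children(children(val)[0][1]):
            fields = children(ext)         # OID, optional critical, OCTET STRING
            if fields[0][1] == BASIC_CONSTRAINTS_OID:
                inner = children(children(fields[-1][1])[0][1])
                # cA is BOOLEAN DEFAULT FALSE, so it may be omitted
                return any(t == 0x01 and v != b"\x00" for t, v in inner)
    return None

def tlv(tag, *parts):
    """Encode a DER TLV, short-form length only (constructed samples < 128 bytes)."""
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_cert(extensions):
    """Constructed skeleton (version, serial, extensions), not a valid signed cert."""
    ext = [tlv(0xA3, tlv(0x30, *extensions))] if extensions else []
    return tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), *ext))

# Constructed sample extensions: critical BasicConstraints with cA=TRUE, and KeyUsage
BC_CA = tlv(0x30, tlv(0x06, BASIC_CONSTRAINTS_OID), tlv(0x01, b"\xff"),
            tlv(0x04, tlv(0x30, tlv(0x01, b"\xff"))))
KEY_USAGE = tlv(0x30, tlv(0x06, bytes.fromhex("551d0f")), tlv(0x04, tlv(0x03, b"\x01\x06")))
```

To run it on a real certificate, convert the PEM text to DER with `ssl.PEM_cert_to_DER_cert()` and pass the result to `basic_constraints_ca()`; a return value of `None` means the extension is missing altogether.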