I am on Ubuntu 24.04 with
gpgsm --version
gpgsm (GnuPG) 2.4.4
libgcrypt 1.10.3
libksba 1.6.6
I have been using X.509 certificates generated by the Spanish FNMT successfully over
the last 10 years and imported them without problems into gpgsm.
However, when I received a new one today,
gpgsm --import Cert.p12 gave the following error.
--8<---------------cut here---------------start------------->8---
gpgsm: parse_shrouded_key_bag(shrouded_key_bag.pkcs5PBES2-params): lvl=18
(tlv_expect_sequence): Invalid object - General error
gpgsm: parse_bag_data(data.oid): lvl=18 (tlv_expect_sequence): Invalid object -
General error
gpgsm: p12_parse(bag.data): @0133 lvl=18 tlv_expect_sequence: Invalid object -
General error
gpgsm: error parsing or decrypting the PKCS#12 file
gpgsm: total number processed: 0
secmem usage: 0/16384 bytes in 0 blocks
--8<---------------cut here---------------end--------------->8---
ChatGPT proposed the following fix:
--8<---------------cut here---------------start------------->8---
# 1) dump key and certificates unencrypted (aux.pem holds the private key in the clear; delete it when done)
openssl pkcs12 -in Cert.p12 -out aux.pem -nodes
# 2) re-export with the legacy SHA-1/3DES PBE and SHA-1 MAC
openssl pkcs12 -export -in aux.pem -out fixed-cert.p12 \
    -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1
--8<---------------cut here---------------end--------------->8---
Indeed,
gpgsm --import fixed-cert.p12 worked:
--8<---------------cut here---------------start------------->8---
gpgsm: DBG: chan_4 <- INQUIRE PINENTRY_LAUNCHED 2157662 gnome3 1.2.1 /dev/pts/5 xterm :0 20600/1000/5 1000/1000 -
gpgsm: DBG: chan_4 -> END
gpgsm: DBG: chan_4 <- OK
gpgsm: total number processed: 4
gpgsm: unchanged: 3
gpgsm: secret keys read: 1
gpgsm: secret keys imported: 1
secmem usage: 0/16384 bytes in 0 blocks
--8<---------------cut here---------------end--------------->8---
but then
gpgconf --launch gpg-agent
gpgsm --list-secret-keys --with-keygrip
shows
--8<---------------cut here---------------start------------->8---
validity: 2026-02-17 09:49:30 through 2028-12-31 22:59:59
key type: rsa2048
keygrip: 507DB71D232AD938C7ADC69DA2C918F4C7B8D0B6
gpgsm: DBG: chan_4 -> HAVEKEY D73925535FE8FE641A63607EC09A9B1A4962A3B1
gpgsm: DBG: chan_4 <- ERR 67108881 No secret key <GPG Agent>
--8<---------------cut here---------------end--------------->8---
Another proposal was to use
--8<---------------cut here---------------start------------->8---
# private key only, unencrypted
openssl pkcs12 -in original.p12 -nocerts -nodes -out key.pem
# certificate chain only
openssl pkcs12 -in original.p12 -nokeys -out certs.pem
# re-export with the legacy SHA-1/3DES PBE and SHA-1 MAC
openssl pkcs12 -export -in certs.pem -inkey key.pem -out final.p12 \
    -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1
--8<---------------cut here---------------end--------------->8---
But it did not work either.
ChatGPT claims that this is a problem only present in gpgsm 2.4 and that it should
work in gpgsm 2.3.
Root cause
FNMT certificates are PKCS#12 with RSA 2048 keys.
gpgsm only supports certain encodings of private keys in PKCS#12. Even
though your two-step OpenSSL trick gets the key past the import,
gpg-agent 2.4+ cannot load it properly if it uses the default
keyEncipherment/PBE algorithm. The keygrip mismatch you see (507DB… vs
D7392…) is exactly this: the agent is trying to find a key matching its
expectations, but the key on disk doesn’t match its internal format.
Killing/relaunching the agent doesn’t help, because the format itself is
incompatible with gpg-agent’s PKCS#12 loader.
Any ideas what to do? I am using gpgsm mostly with emacs to sign and
encrypt my mails.
Regards
Uwe Brauer
_______________________________________________
Gnupg-users mailing list
[email protected]
https://lists.gnupg.org/mailman/listinfo/gnupg-users
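The second symptom in the message above is a keygrip mismatch: the listing shows 507DB…, while the agent is asked for D7392… and answers "No secret key". The script below, added here as an example (it is not part of the post and not GnuPG's own code), computes the keygrip of an RSA key independently from the PEM that openssl pkcs12 -nodes writes, so one can see which of the two grips actually belongs to the key in the file, and then looks for that grip in gpg-agent's key store. Two things are assumptions, not taken from the post: that libgcrypt's keygrip for RSA is SHA-1 over the modulus n (unsigned big-endian, leading zeros stripped), and that gpg-agent stores keys as $GNUPGHOME/private-keys-v1.d/<KEYGRIP>.key. The sample keys built by sample_pems() are constructed for a self-check and are not real FNMT keys.

```python
"""Compute the GnuPG keygrip of an RSA key from a PEM file and check whether
gpg-agent has a key under that grip.  Added example, not from the post.

Assumed (not verified against the post): the RSA keygrip is SHA-1 over the
modulus n as unsigned big-endian bytes with leading zeros stripped, and
gpg-agent keeps keys as $GNUPGHOME/private-keys-v1.d/<KEYGRIP>.key.
Standard library only; sample keys below are constructed, not real ones.
"""
import base64
import hashlib
import os
import re
import sys

OID_RSA = bytes.fromhex("2a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1


def _tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: the next (length & 0x7f) bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Split the contents of a constructed DER element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out


def rsa_modulus_from_der(der, kind):
    """Extract n from the DER behind a PEM label: PUBLIC KEY (SPKI), RSA PUBLIC KEY
    (PKCS#1), PRIVATE KEY (PKCS#8, what openssl pkcs12 -nodes writes) or RSA PRIVATE KEY."""
    tag, body, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("expected a SEQUENCE at the top level")
    kids = _children(body)
    if kind == "PUBLIC KEY":          # SEQ { AlgorithmIdentifier, BIT STRING RSAPublicKey }
        if _children(kids[0][1])[0] != (0x06, OID_RSA):
            raise ValueError("not an rsaEncryption key")
        return rsa_modulus_from_der(kids[1][1][1:], "RSA PUBLIC KEY")  # skip unused-bits byte
    if kind == "PRIVATE KEY":         # SEQ { version, AlgorithmIdentifier, OCTET STRING RSAPrivateKey }
        if _children(kids[1][1])[0] != (0x06, OID_RSA):
            raise ValueError("not an rsaEncryption key")
        return rsa_modulus_from_der(kids[2][1], "RSA PRIVATE KEY")
    if kind == "RSA PUBLIC KEY":      # SEQ { n, e }
        return int.from_bytes(kids[0][1], "big")
    if kind == "RSA PRIVATE KEY":     # SEQ { version, n, e, d, p, q, dP, dQ, qInv }
        return int.from_bytes(kids[1][1], "big")
    raise ValueError("unsupported PEM label: " + kind)


def rsa_modulus_from_pem(pem):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found (encrypted keys: re-export with -nodes first)")
    return rsa_modulus_from_der(base64.b64decode("".join(m.group(2).split())), m.group(1))


def rsa_keygrip(n):
    """Assumed libgcrypt rule for RSA: SHA-1 of n, unsigned big-endian, no leading zeros."""
    return hashlib.sha1(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest().upper()


def agent_key_path(grip, homedir=None):
    """Assumed gpg-agent store layout: <home>/private-keys-v1.d/<KEYGRIP>.key."""
    home = homedir or os.environ.get("GNUPGHOME") or os.path.expanduser("~/.gnupg")
    return os.path.join(home, "private-keys-v1.d", grip + ".key")


def agent_has_key(grip, homedir=None):
    return os.path.isfile(agent_key_path(grip, homedir))


# --- constructed sample input for a self-check (not a real key; only n matters) ---
def _der(tag, content):
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_int(v):
    raw = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return _der(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)  # keep the DER INTEGER positive


def sample_pems(n, e=65537):
    """PKCS#1 and SPKI public-key PEMs plus a PKCS#8 private-key PEM for modulus n;
    the private CRT fields are dummies because the keygrip depends on n alone."""
    alg = _der(0x30, _der(0x06, OID_RSA) + _der(0x05, b""))
    pkcs1_pub = _der(0x30, _der_int(n) + _der_int(e))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + pkcs1_pub))
    pkcs1_priv = _der(0x30, b"".join(_der_int(v) for v in (0, n, e, 1, 1, 1, 1, 1, 1)))
    pkcs8 = _der(0x30, _der_int(0) + alg + _der(0x04, pkcs1_priv))

    def pem(label, der):
        b64 = base64.b64encode(der).decode()
        lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"

    return {"RSA PUBLIC KEY": pem("RSA PUBLIC KEY", pkcs1_pub),
            "PUBLIC KEY": pem("PUBLIC KEY", spki),
            "PRIVATE KEY": pem("PRIVATE KEY", pkcs8)}


if __name__ == "__main__":
    # usage: python3 keygrip.py key.pem  (key.pem from: openssl pkcs12 -in Cert.p12 -nocerts -nodes -out key.pem)
    with open(sys.argv[1]) as fh:
        grip = rsa_keygrip(rsa_modulus_from_pem(fh.read()))
    print("keygrip:", grip)
    print("agent key file:", agent_key_path(grip), "exists" if agent_has_key(grip) else "missing")
```

Run it on the key.pem from the second proposal and compare the printed grip with both values in the listing. If it matches 507DB… but no private-keys-v1.d/507DB….key exists, the import never handed the key to the agent; if it matches neither, the key in the re-exported file is not the one the certificate belongs to. gpg-connect-agent "HAVEKEY <grip>" /bye asks the running agent the same question the log shows gpgsm asking. Remember that key.pem is the unencrypted private key; remove it once the check is done.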