Re: How to join pubring.kbx and pubring.gpg?

On 2017-06-14 at 16:04, Binarus wrote:
> 1) gpgsm seems to be the only tool which can be used to extract public
> keys or convert certificates from the .p7b format to the format needed
> by GPG. Fortunately, gpgsm is included in the gpg4win package, so I
> could use it on my system.

As far as I know, GPGSM is a GPG tool to use X.509 certificates. That's not the OpenPGP protocol. With this said...

> 2) But whatever I did, I could not see the new public keys in the key
> list gpg shows. So I tracked the issue further down and noticed:
>
> gpg -k correctly lists the keys I have currently in use, but not the
> new, imported key.
>
> gpgsm -k correctly lists the new key, but not the keys I have currently
> in use.

... even if your GnuPG installation used the .kbx format (which mine does), gpg will still show only OpenPGP keys, while gpgsm will show X.509 keys.

> 3) [...]
>
> So I closed Thunderbird and deleted pubring.gpg for testing purposes.
> According to the post mentioned above, GPG then should have used
> pubring.kbx instead of pubring.gpg, so I expected to see the new,
> imported key when issuing gpg -k.
>
> But instead, gpg -k generated a new (empty) pubring.gpg instead of using
> pubring.kbx.
>
> 4) I have found no way to make GPG use pubring.kbx although I have
> double checked that I am using the most recent version of gpg4win,
> meaning that I am using gpg2. I also have double checked the
> installation directory; there is no gpg.exe, but there is gpg2.exe (and
> gpgv2.exe, whatever that might be). So it should use pubring.kbx,
> shouldn't it?

For GnuPG to use the KBX format, you must have the modern branch, which is 2.1 and later. For that, you need to use the experimental version of Gpg4Win: https://files.gpg4win.org/Beta/current/

It should be very stable both with Kleopatra and with gnupg on the command line, but if you find an error or bug, please inform the respective channel. More info on how and where to report bugs here: https://www.gpg4win.org/reporting-bugs.html

> 5) I have found no way to convert pubring.kbx to pubring.gpg, or to join
> them.

After you download the experimental version, you must do the following:

1. The first time you use gpg -K (and maybe gpg -k), GnuPG will automatically convert the keys in secring.gpg to the new format, which stores the secret parts in individual files in %AppData%\gnupg\private-keys-v1.d (if you changed GNUPGHOME then this may differ, and it should be in %GNUPGHOME%\private-keys-v1.d\). You can then delete your secring.gpg file if the secret key conversion has been successful, as it won't be used anymore. This is only for OpenPGP keys, as X.509 secret keys, as far as I know, have always used the private-keys-v1.d folder and the pubring.kbx file.

2. As you imported the X.509 key and so you have a pubring.kbx, you won't be able to see the OpenPGP keys stored in pubring.gpg, as it will prefer the .kbx format over the .gpg. To import those keys, you should be able to execute gpg --import X:\Path\To\pubring.gpg and it should start importing the keys to the new format. Renaming pubring.gpg to publickeys and then using gpg --import publickeys is also a good idea if you didn't have a pubring.kbx to begin with.

I must remind you that your partner's key will still be an X.509 key, and so you'll still need to use GPGSM to list, verify messages from and encrypt messages to that key, but now both public OpenPGP and X.509 keys will be stored in pubring.kbx.

--
Juan Miguel Navarro Martínez
GPG Keyfingerprint: 5A91 90D4 CF27 9D52 D62A BC58 88E2 947F 9BC6 B3CF

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
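The reply above describes three files a GnuPG home can contain and how a 2.1+ gpg treats them: pubring.kbx wins over pubring.gpg when both exist (so OpenPGP keys left in the old ring become invisible until they are imported), and secring.gpg is only read once to migrate secret keys into private-keys-v1.d. The following is an added example, not code from the thread or from GnuPG, that tells the two file formats apart by their leading bytes (the keybox header blob with its "KBXf" magic versus a bare OpenPGP packet stream) and reports which migration step from the reply is still pending for a given directory. The sample directory it builds, the zero-filled keybox header and the four-byte packet stubs are constructed for the demonstration.

```python
"""Inspect a GnuPG home directory the way a 2.1+ gpg reads it:
pubring.kbx is preferred over pubring.gpg when both exist, and secring.gpg
is only read once to migrate secret keys into private-keys-v1.d.
Added example, not GnuPG's own code."""
import struct
import tempfile
from pathlib import Path

KBX_MAGIC = b"KBXf"


def keyring_format(data: bytes) -> str:
    """Classify a keyring file by its leading bytes.

    A keybox file starts with a 32-byte header blob: u32 length, u8 blob type
    (1), u8 version (1), u16 flags, then the magic 'KBXf'.  A legacy
    pubring.gpg/secring.gpg is a bare sequence of OpenPGP packets, so its
    first byte is a packet tag with bit 7 set (tag 6 = public key, 5 = secret
    key; bit 6 distinguishes new-format from old-format tag bytes).
    """
    if not data:
        return "empty"
    if len(data) >= 12:
        length, blob_type, version = struct.unpack(">IBB", data[:6])
        if blob_type == 1 and version == 1 and length >= 32 and data[8:12] == KBX_MAGIC:
            return "keybox"
    first = data[0]
    if first & 0x80:
        tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
        return {6: "openpgp-public", 5: "openpgp-secret"}.get(tag, "openpgp-other")
    return "unknown"


def inspect_gnupghome(home: Path) -> dict:
    """Report which public keyring gpg 2.1+ will read and what is left to migrate."""
    files = {}
    for name in ("pubring.kbx", "pubring.gpg", "secring.gpg"):
        path = home / name
        files[name] = keyring_format(path.read_bytes()) if path.is_file() else None
    private_dir = home / "private-keys-v1.d"
    private_files = len(list(private_dir.glob("*.key"))) if private_dir.is_dir() else 0

    if files["pubring.kbx"] is not None:
        active = "pubring.kbx"
    elif files["pubring.gpg"] is not None:
        active = "pubring.gpg"
    else:
        active = None
    return {
        "files": files,
        "active_public_keyring": active,
        "private_key_files": private_files,
        # OpenPGP keys still in pubring.gpg are not shown once a .kbx exists;
        # the fix from the thread is `gpg --import pubring.gpg`
        "public_keys_need_import": active == "pubring.kbx" and files["pubring.gpg"] is not None,
        # secring.gpg present but nothing in private-keys-v1.d yet: gpg -K migrates it
        "secret_keys_need_migration": files["secring.gpg"] is not None and private_files == 0,
    }


def build_sample_home() -> Path:
    """Constructed GNUPGHOME: a keybox plus a legacy public and secret ring."""
    home = Path(tempfile.mkdtemp(prefix="gnupghome-sample-"))
    header = struct.pack(">IBBH", 32, 1, 1, 0) + KBX_MAGIC + b"\x00" * 20
    (home / "pubring.kbx").write_bytes(header)
    # 0x99: old-format public-key packet tag with a 2-byte length (stub bytes)
    (home / "pubring.gpg").write_bytes(b"\x99\x01\x0d\x04")
    # 0x95: old-format secret-key packet tag (stub bytes)
    (home / "secring.gpg").write_bytes(b"\x95\x01\x0d\x04")
    return home


if __name__ == "__main__":
    home = build_sample_home()
    for key, value in inspect_gnupghome(home).items():
        print(f"{key}: {value}")
```

Pointing inspect_gnupghome at a real directory (for example Path.home() / ".gnupg", or %AppData%\gnupg on Windows) shows the same three flags; the magic-byte check is what a practitioner can use to confirm a file really is a keybox before assuming gpg will read it.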
How to join pubring.kbx and pubring.gpg?

Dear experts,

I am running Thunderbird, Enigmail and gpg4win on Windows 7. All components are up to date, and I have been using this combination successfully for several years for signing, encrypting and decrypting email messages.

Now, for the first time, a new communication partner won't provide his public GPG key directly, but only in the form of a .p7b certificate. For several hours, I have been having a remarkably hard time trying to import his public key into the setup mentioned above.

1) gpgsm seems to be the only tool which can be used to extract public keys or convert certificates from the .p7b format to the format needed by GPG. Fortunately, gpgsm is included in the gpg4win package, so I could use it on my system.

2) But whatever I did, I could not see the new public keys in the key list gpg shows. So I tracked the issue further down and noticed:

gpg -k correctly lists the keys I have currently in use, but not the new, imported key.

gpgsm -k correctly lists the new key, but not the keys I have currently in use.

3) Further research led me to this post: https://lists.gnupg.org/pipermail/gnupg-users/2015-December/054881.html

This at least gave me a vague idea about what might be going on. Obviously, gpgsm had imported the new key into pubring.kbx, but not into pubring.gpg (note: this seems to be expected behavior, as I have found out in the meantime).

So I closed Thunderbird and deleted pubring.gpg for testing purposes. According to the post mentioned above, GPG then should have used pubring.kbx instead of pubring.gpg, so I expected to see the new, imported key when issuing gpg -k.

But instead, gpg -k generated a new (empty) pubring.gpg instead of using pubring.kbx.

4) I have found no way to make GPG use pubring.kbx although I have double checked that I am using the most recent version of gpg4win, meaning that I am using gpg2. I also have double checked the installation directory; there is no gpg.exe, but there is gpg2.exe (and gpgv2.exe, whatever that might be). So it should use pubring.kbx, shouldn't it?

5) I have found no way to convert pubring.kbx to pubring.gpg, or to join them.

To summarize: I have a .p7b certificate with a public PGP key. I can import it to pubring.kbx. I can't import it to pubring.gpg. I can't use it because gpg4win uses pubring.gpg. I can't convert pubring.kbx to pubring.gpg. I can't join pubring.kbx with pubring.gpg.

Does anybody have an idea how I could get out of this? I have access to full-blown Linux systems, so I could perform all conversion or import steps on Linux if necessary. But I still have to use the end results under Windows with the setup mentioned at the beginning of this post.

Thank you very much,

Binarus
Re: Cannot choose specific signing key with option --default-key

On 06/14/2017 07:38 AM, Yanzhe Lee wrote:
> Maybe there was a priority when sign files with RSA and ECC keys? How
> can I override it?

Try adding a "!" suffix to the fingerprint specification of the subkey

--
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
"Be a yardstick of quality. Some people aren't used to an environment where excellence is expected."
(Steve Jobs)
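The one-line answer above rests on how gpg resolves a key specification: a key ID or fingerprint given without a trailing "!" is resolved to the whole key, and gpg then picks the newest unexpired signing-capable subkey of that key (which is why the RSA card subkey created on 2017-02-09 wins over the ECC subkey from 2017-01-08, and why deleting the RSA subkey "fixes" it); with "!" gpg uses exactly the named subkey. The following is an added example, not code from the thread or from GnuPG, that models this rule over a constructed `gpg --with-colons -K` listing built from the key in the question. The epoch timestamps, the zero-padded fingerprints (only their trailing key IDs are real) and the card serial are constructed; the field positions follow GnuPG's doc/DETAILS.

```python
"""Model how gpg resolves a -u / --default-key value to the subkey it signs
with, from the machine-readable `gpg --with-colons -K` listing.
Added example, not GnuPG's own code."""
from datetime import datetime, timezone

# Constructed --with-colons listing modelled on the key in the thread.
# Fields used (1-based, as in GnuPG's doc/DETAILS): 1 record type, 4 algorithm,
# 5 key ID, 6 creation time, 7 expiry, 12 capabilities, 15 token serial number.
# Fingerprints are zero-padded placeholders that end in the real key IDs.
SAMPLE_LISTING = """\
sec:u:512:19:3EA647C79FDA9CD1:1483833600:1956873600::u:::scaSCA:::+::brainpoolP512r1::
fpr:::::::::0000000000000000000000003EA647C79FDA9CD1:
ssb:u:512:19:2D8801CE07BCC5B5:1483833600:1956873600:::::s:::+::brainpoolP512r1::
fpr:::::::::0000000000000000000000002D8801CE07BCC5B5:
ssb:u:4096:1:5BE7F1861B56E399:1486598400:1738886400:::::s:::000604175643::::
fpr:::::::::0000000000000000000000005BE7F1861B56E399:
ssb:u:4096:1:9149FF3E60054D0C:1486598400:1738886400:::::e:::000604175643::::
fpr:::::::::0000000000000000000000009149FF3E60054D0C:
"""


def parse_listing(text):
    """Return the sec/ssb (or pub/sub) records, each carrying its fingerprint."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb", "pub", "sub"):
            # field 15 holds a card serial number; '+' / '#' mean on-disk / stub
            serial = f[14] if len(f) > 14 and f[14] not in ("", "+", "#") else None
            keys.append({"type": f[0], "keyid": f[4].upper(),
                         "created": int(f[5]), "expires": int(f[6]) if f[6] else None,
                         "caps": f[11], "card": serial, "fpr": None})
        elif f[0] == "fpr" and keys:
            keys[-1]["fpr"] = f[9].upper()
    return keys


def find_key(keys, spec):
    """Locate the record named by a key ID or fingerprint, plus the whole key it belongs to."""
    wanted = spec.rstrip("!").upper()
    groups = []
    for k in keys:
        if k["type"] in ("sec", "pub"):
            groups.append([k])          # a primary key starts a new group
        elif groups:
            groups[-1].append(k)        # subkeys follow their primary
    for group in groups:
        for k in group:
            if k["keyid"] == wanted or (k["fpr"] and k["fpr"].endswith(wanted)):
                return group, k
    raise KeyError(f"no key matches {spec}")


def choose_signing_key(keys, spec, now):
    """Which key gpg signs with for `-u spec`.

    With a trailing '!' the named key is used as-is.  Without it gpg resolves
    the spec to the whole key and picks the most recently created, unexpired,
    signing-capable subkey, falling back to the primary key only when no
    subkey qualifies.
    """
    group, named = find_key(keys, spec)
    if spec.endswith("!"):
        return named
    primary, subkeys = group[0], group[1:]
    usable = [k for k in subkeys
              if "s" in k["caps"].lower() and (k["expires"] is None or k["expires"] > now)]
    if not usable:
        return primary
    return max(usable, key=lambda k: k["created"])


def exact_spec(keys, spec):
    """The '<fingerprint>!' form that pins gpg to exactly this subkey."""
    _, named = find_key(keys, spec)
    return named["fpr"] + "!"


if __name__ == "__main__":
    keys = parse_listing(SAMPLE_LISTING)
    june_2017 = int(datetime(2017, 6, 14, tzinfo=timezone.utc).timestamp())
    for spec in ("2D8801CE07BCC5B5", "2D8801CE07BCC5B5!", exact_spec(keys, "2D8801CE07BCC5B5")):
        k = choose_signing_key(keys, spec, june_2017)
        where = f"card {k['card']}" if k["card"] else "on-disk keyring"
        print(f"-u {spec:<42} -> signs with {k['keyid']} ({where})")
```

The card field is what explains the smart-card prompt in the question: the subkey gpg selected lives on the token, so the ECC key on disk was never asked for. Running the real listing through parse_listing (`gpg --with-colons -K`) and checking the chosen record's card field is a quick way to predict that prompt before signing.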
Cannot choose specific signing key with option --default-key

GPG Version: gpg (GnuPG) 2.1.21, libgcrypt 1.7.6
Operating System: macOS Sierra 10.12.5

I have these keys with private key:

pub  brainpoolP512r1/3EA647C79FDA9CD1
     created: 2017-01-08  expires: 2032-01-05  usage: SCA
     trust: ultimate      validity: ultimate
ssb  brainpoolP512r1/2D8801CE07BCC5B5
     created: 2017-01-08  expires: 2032-01-05  usage: S
ssb  brainpoolP512r1/C78A6E620F55
     created: 2017-01-08  expires: 2032-01-05  usage: E
ssb  nistp521/D97F950D0F500332
     created: 2017-02-04  expires: 2027-02-02  usage: A
ssb  rsa4096/5BE7F1861B56E399
     created: 2017-02-09  expires: 2025-02-07  usage: S
     card-no: 0006 04175643
ssb  rsa4096/9149FF3E60054D0C
     created: 2017-02-09  expires: 2025-02-07  usage: E
     card-no: 0006 04175643
ssb  rsa4096/8C31540043B61A0A
     created: 2017-02-09  expires: 2025-02-07  usage: A
     card-no: 0006 04175643
[ultimate] (1). TEST (Local)
[ultimate] (2)  TEST (Online)

RSA private keys are stored in a YubiKey smart card; ECC private keys are stored in the keyring.

When I use the command to specify using ECC key 2D8801CE07BCC5B5 to sign a file:

gpg2 -v -u 2D8801CE07BCC5B5 -a -s test.jpg

it prompts me to insert my smart card. After I insert it and input my PIN, it outputs:

gpg: using subkey 5BE7F1861B56E399 instead of primary key 3EA647C79FDA9CD1
gpg: writing to 'test.jpg.asc'
gpg: RSA/SHA512 signature from: "5BE7F1861B56E399 TEST "

So when I verify the signature file, it was signed by my RSA key, which was not what I specified. It was not supposed to prompt me to insert my smart card, because the private key of my ECC key was not in the card. The key 2D8801CE07BCC5B5 was not my primary key, so gpg shouldn't change the signing key to a subkey.

I tried other options as follows, and the result was the same:

gpg2 -v --default-key 2D8801CE07BCC5B5 -a -s test.jpg
gpg2 -v --local-user 2D8801CE07BCC5B5 -a -s test.jpg

However, if I delete the RSA subkey, it will sign my file with the correct ECC key.

Maybe there is a priority when signing files with RSA and ECC keys? How can I override it?

--
Best regards!
LI YANZHE