Re: How to join pubring.kbx and pubring.gpg?

2017-06-14 Thread Juan Miguel Navarro Martínez
On 2017-06-14 at 16:04, Binarus wrote:

> 1) gpgsm seems to be the only tool which can be used to extract public
> keys or convert certificates from the .p7b format to the format needed
> by GPG. Fortunately, gpgsm is included in the gpg4win package, so I
> could use it on my system.
> 
As far as I know, GPGSM is a GPG tool to use X.509 certificates. That's
not the OpenPGP protocol. With this said...

> 2) But whatever I did, I could not see the new public keys in the key
> list gpg shows. So I tracked the issue further down and noticed:
> 
> gpg -k correctly lists the keys I have currently in use, but not the
> new, imported key.
> 
> gpgsm -k correctly lists the new key, but not the keys I have currently
> in use.
> 
... even if your GnuPG installation used the .kbx format (which mine does),
gpg will still show only OpenPGP keys while gpgsm will show X.509 keys.

> 3) [...]
> 
> So I closed Thunderbird and deleted pubring.gpg for testing purposes.
> According to the post mentioned above, GPG then should have used
> pubring.kbx instead of pubring.gpg, so I expected to see the new,
> imported key when issuing gpg -k.
> 
> But instead, gpg -k generated a new (empty) pubring.gpg instead of using
> pubring.kbx.
> 
> 4) I have found no way to make GPG use pubring.kbx although I have
> double checked that I am using the most recent version of gpg4win,
> meaning that I am using gpg2. I also have double checked the
> installation directory; there is no gpg.exe, but there is gpg2.exe (and
> gpgv2.exe, whatever that might be). So it should use pubring.kbx,
> shouldn't it?
> 

For GnuPG to use the KBX format, you must have the modern branch, which is
2.1 and later. For that, you need to use the experimental version of
Gpg4Win:

https://files.gpg4win.org/Beta/current/

It should be very stable, both with Kleopatra and with gnupg on the command
line, but if you find an error or bug please report it to the respective channel.

More info on how and where to report bugs here:
https://www.gpg4win.org/reporting-bugs.html

> 5) I have found no way to convert pubring.kbx to pubring.gpg, or to join
> them.
> 

After you download the experimental version, you must do the following:

1. The first time you use gpg -K (and maybe gpg -k), GnuPG will
automatically convert the keys in secring.gpg to the new format, which
stores the secret parts in individual files in
%AppData%\gnupg\private-keys-v1.d (if you changed GNUPGHOME then this
may differ and it should be in %GNUPGHOME%\private-keys-v1.d\).
You can then delete your secring.gpg file if the secret key conversion
has been successful, as it won't be used anymore. This is only for
OpenPGP keys, as X.509 secret keys, as far as I know, have always used
the private-keys-v1.d folder and the pubring.kbx file.

2. As you imported the X.509 key and so have a pubring.kbx, you won't
be able to see the OpenPGP keys stored in pubring.gpg, as it will prefer
the .kbx format over the .gpg. To import those keys, you should be able
to execute gpg --import X:\Path\To\pubring.gpg and it should start
importing the keys into the new format.
Renaming pubring.gpg to publickeys and then using gpg --import
publickeys is also a good idea if you didn't have a pubring.kbx to begin
with.

I must remind you that your partner's key will still be an X.509 key, and
so you'll still need to use GPGSM to list it, verify messages from it and
encrypt messages to it, but now both public OpenPGP and X.509 keys
will be stored in pubring.kbx.

-- 
Juan Miguel Navarro Martínez

GPG Keyfingerprint:
5A91 90D4 CF27 9D52 D62A
BC58 88E2 947F 9BC6 B3CF



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


How to join pubring.kbx and pubring.gpg?

2017-06-14 Thread Binarus
Dear experts,

I am running Thunderbird, Enigmail and gpg4win on Windows 7. All
components are up to date, and I have been using this combination
successfully for several years for signing, encrypting and decrypting
email messages.

Now, for the first time, a new communication partner won't provide his
public GPG key directly, but only in the form of a .p7b certificate. For
several hours, I have been having a remarkably hard time trying to import
his public key into the setup mentioned above.

1) gpgsm seems to be the only tool which can be used to extract public
keys or convert certificates from the .p7b format to the format needed
by GPG. Fortunately, gpgsm is included in the gpg4win package, so I
could use it on my system.

2) But whatever I did, I could not see the new public keys in the key
list gpg shows. So I tracked the issue further down and noticed:

gpg -k correctly lists the keys I have currently in use, but not the
new, imported key.

gpgsm -k correctly lists the new key, but not the keys I have currently
in use.

3) Further research led me to this post:

https://lists.gnupg.org/pipermail/gnupg-users/2015-December/054881.html

This at least gave me a vague idea about what might be going on.
Obviously, gpgsm had imported the new key into pubring.kbx, but not into
pubring.gpg (note: this seems to be expected behavior, as I have found
out in the meantime).

So I closed Thunderbird and deleted pubring.gpg for testing purposes.
According to the post mentioned above, GPG then should have used
pubring.kbx instead of pubring.gpg, so I expected to see the new,
imported key when issuing gpg -k.

But instead, gpg -k generated a new (empty) pubring.gpg instead of using
pubring.kbx.

4) I have found no way to make GPG use pubring.kbx although I have
double checked that I am using the most recent version of gpg4win,
meaning that I am using gpg2. I also have double checked the
installation directory; there is no gpg.exe, but there is gpg2.exe (and
gpgv2.exe, whatever that might be). So it should use pubring.kbx,
shouldn't it?

5) I have found no way to convert pubring.kbx to pubring.gpg, or to join
them.

To summarize: I have a .p7b certificate with a public PGP key. I can
import it into pubring.kbx. I can't import it into pubring.gpg. I can't use
it because gpg4win uses pubring.gpg. I can't convert pubring.kbx to
pubring.gpg. I can't join pubring.kbx with pubring.gpg.

Does anybody have an idea how I could get out of this? I have access to
full-blown Linux systems, so I could perform all conversions or import
steps on Linux if necessary. But I still have to use the end results
under Windows with the setup mentioned at the beginning of this post.

Thank you very much,

Binarus
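The practical check behind points 2) to 5) above, and behind the reply's point that one pubring.kbx holds both the OpenPGP material gpg -k lists and the X.509 material gpgsm -k lists, is to look at the files themselves. The following inspector is an added example, not code from GnuPG or from either post. It assumes the keybox blob layout from GnuPG's kbx/keybox-blob.c (u32 blob length, one-byte type, one-byte version, u16 flags, and the magic "KBXf" in the header blob; blob type 2 is an OpenPGP key block, type 3 an X.509 certificate) and the packet header encodings of RFC 4880 section 4.2. The two sample files at the bottom are constructed in the block and contain no real key material.

```python
"""Tell a GnuPG keybox (pubring.kbx) from a legacy OpenPGP keyring
(pubring.gpg) and summarise what each file holds.  Added example; the
layouts are assumed from GnuPG's keybox code and RFC 4880."""
import struct
import sys
from collections import Counter

KBX_MAGIC = b"KBXf"
# Keybox blob types (kbx/keybox-defs.h): type 2 is what 'gpg -k' shows,
# type 3 is what 'gpgsm -k' shows; both sit in the same pubring.kbx.
KBX_BLOB_NAMES = {0: "empty", 1: "header", 2: "openpgp", 3: "x509"}
# OpenPGP packet tags (RFC 4880 section 4.3).
PGP_TAG_NAMES = {2: "signature", 5: "secret-key", 6: "public-key", 7: "secret-subkey",
                 13: "user-id", 14: "public-subkey", 17: "user-attribute"}


def is_keybox(data: bytes) -> bool:
    """Header blob: u32 length, type 1, version 1, u16 flags, then 'KBXf' at offset 8."""
    return len(data) >= 12 and data[4] == 1 and data[5] == 1 and data[8:12] == KBX_MAGIC


def keybox_blobs(data: bytes) -> Counter:
    """Count the blobs in a keybox by type; each u32 length includes itself."""
    counts = Counter()
    pos = 0
    while pos < len(data):
        if pos + 5 > len(data):
            raise ValueError("truncated blob header at offset %d" % pos)
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        blob_type = data[pos + 4]
        if length < 5 or pos + length > len(data):
            raise ValueError("bad blob length %d at offset %d" % (length, pos))
        counts[KBX_BLOB_NAMES.get(blob_type, "type-%d" % blob_type)] += 1
        pos += length
    return counts


def openpgp_packets(data: bytes) -> Counter:
    """Count the packets in a legacy keyring by tag, walking the packet headers."""
    counts = Counter()
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % pos)
        try:
            if ctb & 0x40:  # new-format header: tag in the low six bits
                tag, first = ctb & 0x3F, data[pos + 1]
                if first < 192:
                    body_len, hdr_len = first, 2
                elif first < 224:
                    body_len, hdr_len = ((first - 192) << 8) + data[pos + 2] + 192, 3
                elif first == 255:
                    body_len, hdr_len = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
                else:
                    raise ValueError("partial body length at offset %d" % pos)
            else:  # old-format header: tag in bits 2..5, length type in bits 0..1
                tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
                if ltype == 3:
                    raise ValueError("indeterminate length at offset %d" % pos)
                size = 1 << ltype  # 1, 2 or 4 length octets
                body_len, hdr_len = int.from_bytes(data[pos + 1:pos + 1 + size], "big"), 1 + size
        except (IndexError, struct.error):
            raise ValueError("truncated packet header at offset %d" % pos) from None
        if pos + hdr_len + body_len > len(data):
            raise ValueError("truncated packet at offset %d" % pos)
        counts[PGP_TAG_NAMES.get(tag, "tag-%d" % tag)] += 1
        pos += hdr_len + body_len
    return counts


def describe(data: bytes) -> dict:
    """Report the format of a keyring file and a count of what is inside it."""
    if not data:
        return {"format": "empty"}  # the fresh zero-length pubring.gpg the thread describes
    if is_keybox(data):
        return {"format": "keybox", "blobs": keybox_blobs(data)}
    return {"format": "openpgp", "packets": openpgp_packets(data)}


def _packet(tag: int, body: bytes, new_format: bool = False) -> bytes:
    """Sample builder: one packet with a dummy body (old format uses a 2-octet length)."""
    if new_format:
        return bytes([0xC0 | tag, len(body)]) + body
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


def _blob(blob_type: int, payload: bytes) -> bytes:
    """Sample builder: one keybox blob (length, type, version 1, payload)."""
    return struct.pack(">IBB", 6 + len(payload), blob_type, 1) + payload


# Constructed stand-ins for the two files discussed in the thread; no real keys.
SAMPLE_PUBRING_GPG = (
    _packet(6, b"\x04" + b"\x00" * 40)                     # public key
    + _packet(13, b"Sample <sample@example.invalid>")      # user ID
    + _packet(2, b"\x04" + b"\x00" * 60)                   # self-signature
    + _packet(14, b"\x04" + b"\x00" * 40)                  # public subkey
    + _packet(2, b"\x04" + b"\x00" * 60)                   # binding signature
    + _packet(6, b"\x04" + b"\x00" * 40, new_format=True)  # second key, new-format header
)
SAMPLE_PUBRING_KBX = (
    _blob(1, b"\x00\x00" + KBX_MAGIC + b"\x00" * 20)  # 32-byte header: flags, magic, RFU, timestamps
    + _blob(2, b"\x00" * 50)                          # OpenPGP key block (what gpg -k lists)
    + _blob(3, b"\x00" * 70)                          # X.509 certificate (what gpgsm -k lists)
)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path + ":", describe(fh.read()))
```

Saved as a script and run on the real files (for example on pubring.kbx and pubring.gpg under %AppData%\gnupg), it shows at a glance whether a file is a keybox or a legacy keyring, whether the keybox already carries an X.509 blob next to the OpenPGP ones, and whether a pubring.gpg is the empty file gpg -k left behind rather than the old keyring. Run it before deleting or renaming anything during the migration.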




Re: Cannot choose specific signing key with option --default-key

2017-06-14 Thread Kristian Fiskerstrand
On 06/14/2017 07:38 AM, Yanzhe Lee wrote:
> Maybe there is a priority when signing files with RSA and ECC keys? How
> can I override it?

Try adding a "!" suffix to the fingerprint specification of the subkey

-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

"Be a yardstick of quality. Some people aren't used to an environment
where excellence is expected."
(Steve Jobs)





Cannot choose specific signing key with option --default-key

2017-06-14 Thread Yanzhe Lee
GPG Version: gpg (GnuPG) 2.1.21 libgcrypt 1.7.6
Operating System: macOS Sierra 10.12.5

I have these keys (with private keys):

pub brainpoolP512r1/3EA647C79FDA9CD1
created: 2017-01-08 expires: 2032-01-05 usage: SCA
trust: ultimate validity: ultimate

ssb brainpoolP512r1/2D8801CE07BCC5B5
created: 2017-01-08 expires: 2032-01-05 usage: S

ssb brainpoolP512r1/C78A6E620F55
created: 2017-01-08 expires: 2032-01-05 usage: E

ssb nistp521/D97F950D0F500332
created: 2017-02-04 expires: 2027-02-02 usage: A

ssb rsa4096/5BE7F1861B56E399
created: 2017-02-09 expires: 2025-02-07 usage: S
card-no: 0006 04175643

ssb rsa4096/9149FF3E60054D0C
created: 2017-02-09 expires: 2025-02-07 usage: E
card-no: 0006 04175643

ssb rsa4096/8C31540043B61A0A
created: 2017-02-09 expires: 2025-02-07 usage: A
card-no: 0006 04175643

[ultimate] (1). TEST (Local) 
[ultimate] (2) TEST (Online) 

The RSA private keys are stored on a YubiKey smart card.
The ECC private keys are stored in the keyring.

When I use the command to specify using the ECC key 2D8801CE07BCC5B5 to sign a
file

gpg2 -v -u 2D8801CE07BCC5B5 -a -s test.jpg

It prompts me to insert my smart card. After I insert it and enter my PIN,
it outputs:

gpg: using subkey 5BE7F1861B56E399 instead of primary key 3EA647C79FDA9CD1
gpg: writing to 'test.jpg.asc'
gpg: RSA/SHA512 signature from: "5BE7F1861B56E399 TEST "

So when I verify the signature file, it was signed by my RSA key, which was
not what I specified.
It should not have prompted me to insert my smart card, because the
private key of my ECC key is not on the card.
The key 2D8801CE07BCC5B5 is not my primary key, so gpg shouldn't replace
the signing key with a subkey.

I tried other options as follows, and the result was same.
gpg2 -v --default-key 2D8801CE07BCC5B5 -a -s test.jpg
gpg2 -v --local-user 2D8801CE07BCC5B5 -a -s test.jpg

However, if I delete the RSA subkey, it will sign my file with the correct
ECC key.

Maybe there is a priority when signing files with RSA and ECC keys? How can I
override it?


-- 

Best regards!

LI YANZHE
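Kristian's answer above, worked through in code. This is an added example, not code from GnuPG or from the thread. It parses the machine-readable listing that gpg -K --with-colons prints (field layout as documented in GnuPG's doc/DETAILS: field 12 holds a key's capabilities, lowercase for the key itself; field 15 holds the serial number of the smart card that carries the secret key, empty when the key is on disk) and builds the exact "<keyid>!" spec that makes gpg sign with that subkey and nothing else. SAMPLE_COLONS is constructed to mirror the key block in the post: the card serial number, timestamps and uid hash are made up, and the encryption ECC subkey, whose ID is truncated in the post, is left out. sign_command and its argument order are this example's own choice.

```python
"""Build an exact 'gpg -u <keyid>!' spec for one signing subkey from the
'gpg -K --with-colons' listing.  Added example; the colon-field layout is
assumed from GnuPG's doc/DETAILS and the sample listing is constructed."""
import subprocess
import sys

# Constructed listing modelled on the key block in the post; serial, hash and
# timestamps are made up.  Algorithm 19 = ECDSA, 1 = RSA.
SAMPLE_COLONS = """\
sec:u:512:19:3EA647C79FDA9CD1:1483833600:1956873600::u:::scaESCA:::::brainpoolP512r1::0:
uid:u::::1483833600::0123456789ABCDEF0123456789ABCDEF01234567::TEST (Local) <test@example.invalid>::::::::::0:
ssb:u:512:19:2D8801CE07BCC5B5:1483833600:1956873600:::::s:::::brainpoolP512r1:
ssb:u:521:19:D97F950D0F500332:1486166400:1801526400:::::a:::::nistp521:
ssb:u:4096:1:5BE7F1861B56E399:1486598400:1738886400:::::s:::D2760001240102010006041756430000::
ssb:u:4096:1:9149FF3E60054D0C:1486598400:1738886400:::::e:::D2760001240102010006041756430000::
ssb:u:4096:1:8C31540043B61A0A:1486598400:1738886400:::::a:::D2760001240102010006041756430000::
"""

KEY_RECORDS = ("pub", "sub", "sec", "ssb")


def parse_colons(text: str) -> list:
    """One dict per key/subkey record; uid, fpr and other records are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] not in KEY_RECORDS:
            continue
        fields += [""] * (21 - len(fields))  # pad so short lines index safely
        records.append({
            "type": fields[0],
            "algo": int(fields[3]) if fields[3] else None,
            "keyid": fields[4].upper(),
            "caps": fields[11],   # lowercase letters: this key's own capabilities
            "token": fields[14],  # non-empty: the secret key lives on a smart card
            "curve": fields[16],
        })
    return records


def signing_candidates(records: list) -> list:
    """Every key or subkey gpg could choose when asked to sign (own 's' capability)."""
    return [r for r in records if "s" in r["caps"]]


def exact_signing_spec(records: list, keyid: str) -> dict:
    """Resolve keyid (8 or 16 hex digits or a full fingerprint, '!' optional) to a
    signing-capable key and return the exact '-u' spec plus where the key lives."""
    want = keyid.strip().upper().rstrip("!")
    if len(want) < 8:
        raise ValueError("key ID too short to be safe: %r" % keyid)
    for rec in records:
        if rec["keyid"].endswith(want) or want.endswith(rec["keyid"]):
            if "s" not in rec["caps"]:
                raise ValueError("%s cannot sign (caps %r)" % (rec["keyid"], rec["caps"]))
            # The trailing '!' tells gpg to use this key and not pick another subkey.
            return {"spec": rec["keyid"] + "!", "algo": rec["algo"], "on_token": bool(rec["token"])}
    raise ValueError("no key matches %r" % keyid)


def sign_command(records: list, keyid: str, path: str) -> list:
    """argv for an ASCII-armoured signature made with exactly that subkey."""
    spec = exact_signing_spec(records, keyid)["spec"]
    return ["gpg", "--armor", "--sign", "-u", spec, path]


if __name__ == "__main__":
    # With --sample use the constructed listing; otherwise ask the local gpg.
    listing = SAMPLE_COLONS if "--sample" in sys.argv else subprocess.run(
        ["gpg", "-K", "--with-colons"], capture_output=True, text=True, check=True).stdout
    keys = parse_colons(listing)
    print("signing-capable:", [r["keyid"] for r in signing_candidates(keys)])
    for arg in [a for a in sys.argv[1:] if a != "--sample"]:
        print(" ".join(sign_command(keys, arg, "test.jpg")))
```

For the key block in the post this yields gpg -u 2D8801CE07BCC5B5! -a -s test.jpg. Without the "!" the ID only names the key block, and gpg chooses a signing subkey from it by itself, which is how the RSA card subkey ended up being used; with it, gpg uses exactly the named subkey. If on_token is true for the subkey you force, the card prompt is expected, because that is where its secret key is.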