Re: failed to convert unprotected openpgp key: Checksum error

2018-01-24 Thread Daniel Kahn Gillmor
On Mon 2018-01-22 15:37:37 -0500, Phil Pennock wrote:
> So at this point, it looks to me like it really is an incorrect
> checksum, exposing unfortunate edge-case handling in GnuPG.

Thanks for the diagnosis, Phil and Simon.

Please file a bug report about this at https://dev.gnupg.org/ so that
this edge-case doesn't get lost!

 --dkg

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: failed to convert unprotected openpgp key: Checksum error

2018-01-22 Thread Phil Pennock
On 2018-01-19 at 19:57 +1100, Simon Kissane wrote:
> However, when I try to decrypt data encrypted with the private key, I
> get a "failed to convert unprotected openpgp key: Checksum error"

Simpler check:

% gpg --export-secret-key
gpg: key 4252EB6983CE74C44F549B6F8666715904EE61F2: error receiving key from agent: Checksum error - skipped
gpg: WARNING: nothing exported

If I use `gpg --expert --full-generate-key` to make an SCEA RSA/4096
key, then it looks almost identical in structure to yours.

If I just `gpg --import` a dearmored version of the key, then I get a
checksum error at that time:
gpg: key 68F870F8C0FAA42B: public key "root:testGpg:key_54503F79_3794_456C_8725_8977A68B71C1" imported
gpg: key 68F870F8C0FAA42B/68F870F8C0FAA42B: error sending to agent: Checksum error

so something in the scripted setup you created suppressed that error
message, which is Unfortunate by GnuPG.  The key still ends up added to
the keyring in the above, even with the error, but it's unusable.
This might be a bug in GnuPG: IMO if it's broken and will never be
usable, then it should not be added and gpg should exit false.

So at this point, it looks to me like it really is an incorrect
checksum, exposing unfortunate edge-case handling in GnuPG.

-Phil
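
[Added example, not part of the original thread and not GnuPG or BouncyCastle code.] RFC 4880 section 5.5.3 ends an unprotected secret-key packet with a two-octet checksum, the sum mod 65536 of the octets of the secret MPIs; the sketch below recomputes it and compares it with the stored value. It assumes the input is the body of a v4 RSA secret-key packet with S2K usage 0 (packet header already stripped); the function names and the toy key values are constructed for illustration.

```python
import struct

def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-octet bit count, then big-endian value."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def skip_mpi(buf: bytes, off: int) -> int:
    """Return the offset just past the MPI that starts at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated MPI header")
    bits = struct.unpack_from(">H", buf, off)[0]
    end = off + 2 + (bits + 7) // 8
    if end > len(buf):
        raise ValueError("truncated MPI body")
    return end

def secret_checksum(body: bytes):
    """Return (stored, computed) checksum for an unprotected v4 RSA secret-key body."""
    if len(body) < 6 or body[0] != 4 or body[5] != 1:
        raise ValueError("only v4 RSA keys are handled in this sketch")
    off = 6                          # version(1) + creation time(4) + algorithm(1)
    for _ in range(2):               # public MPIs: n, e
        off = skip_mpi(body, off)
    if off >= len(body) or body[off] != 0:
        raise ValueError("secret material is missing or protected (S2K usage != 0)")
    start = off = off + 1
    for _ in range(4):               # secret MPIs: d, p, q, u
        off = skip_mpi(body, off)
    if off + 2 != len(body):
        raise ValueError("expected exactly two checksum octets after the MPIs")
    stored = struct.unpack_from(">H", body, off)[0]
    computed = sum(body[start:off]) & 0xFFFF   # MPI length headers are included
    return stored, computed

def build_sample(bad: bool = False) -> bytes:
    """Constructed toy packet body (tiny RSA numbers, timestamp 0); not a real key."""
    pub = bytes([4]) + struct.pack(">I", 0) + bytes([1]) + mpi(3233) + mpi(17)
    sec = mpi(2753) + mpi(53) + mpi(61) + mpi(38)      # d, p, q, u = p^-1 mod q
    csum = (sum(sec) + (1 if bad else 0)) & 0xFFFF     # bad=True writes a wrong checksum
    return pub + bytes([0]) + sec + struct.pack(">H", csum)

if __name__ == "__main__":
    for label, body in (("good", build_sample()), ("bad", build_sample(bad=True))):
        stored, computed = secret_checksum(body)
        print(label, hex(stored), hex(computed), "OK" if stored == computed else "MISMATCH")
```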



Re: [OT] Re: failed to convert unprotected openpgp key: Checksum error

2018-01-22 Thread Daniele Nicolodi
On 1/22/18 12:30 PM, Kristian Fiskerstrand wrote:
> On 01/22/2018 06:31 PM, Daniele Nicolodi wrote:
>> On 1/22/18 5:31 AM, Kristian Fiskerstrand wrote:
>>> On 01/22/2018 08:33 AM, Werner Koch wrote:
>>>> That is an acceptable user-id.  I would have used a dot as delimiter but
>>>> that is a personal taste.
>>>
>>> Dot is a permitted part of username in POSIX though, while : is not :)
>>
>> Uh? As far as I know, the only characters not allowed are / and null.
> 
> http://pubs.opengroup.org/onlinepubs/95399/basedefs/xbd_chap03.html#tag_03_426
> 
>  3.426 User Name

Sorry, I should not be writing email before my morning coffee: I read
filenames instead of usernames.

Cheers,
Daniele



Re: [OT] Re: failed to convert unprotected openpgp key: Checksum error

2018-01-22 Thread Daniele Nicolodi
On 1/22/18 5:31 AM, Kristian Fiskerstrand wrote:
> On 01/22/2018 08:33 AM, Werner Koch wrote:
>> That is an acceptable user-id.  I would have used a dot as delimiter but
>> that is a personal taste.
> 
> Dot is a permitted part of username in POSIX though, while : is not :)

Uh? As far as I know, the only characters not allowed are / and null.

Cheers,
Daniele



[OT] Re: failed to convert unprotected openpgp key: Checksum error

2018-01-22 Thread Kristian Fiskerstrand
On 01/22/2018 08:33 AM, Werner Koch wrote:
> That is an acceptable user-id.  I would have used a dot as delimiter but
> that is a personal taste.

Dot is a permitted part of username in POSIX though, while : is not :)

-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

"Don't be afraid to go out on a limb. That's where the fruit is."
(H. Jackson Browne)





Re: failed to convert unprotected openpgp key: Checksum error

2018-01-21 Thread Werner Koch
On Mon, 22 Jan 2018 03:40, skiss...@medallia.com said:

> showing that the problem (whatever it is) isn't the User ID. (My reading of RFC4880
> section 5.11 is that having an email in the User ID is just a convention not
> mandatory, so software should be robust in the face of User IDs breaking that

Correct.

Actually, specifying a mail address with -r or --locate-key changes
GnuPG's behaviour in that it tries to find the key in a configured
online directory (by default WKD).

>> "root:testGpg:key_54503F79_3794_456C_8725_8977A68B71C1"

That is an acceptable user-id.  I would have used a dot as delimiter but
that is a personal taste.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: failed to convert unprotected openpgp key: Checksum error

2018-01-21 Thread Simon Kissane
On Mon, Jan 22, 2018 at 11:36 AM, Zechariah Seth wrote:
> Simon Kissane wrote:
>> (This is just a test key generated for testing purposes, so it is fine
>> to share it publicly.)
>
> Interesting "User ID" on that key:
> "root:testGpg:key_54503F79_3794_456C_8725_8977A68B71C1"
>
> I hope no one is foolish enough to import your key and run your script.
Hi Zechariah, thank you for taking the time to have a look at this for me. It
sounds like you are concerned that running my script may import some strange
key into your GPG home. If you read the script, you will see that it creates
two new GPG homes under a temporary directory, so no odd keys are going to be
imported into your day-to-day GPG config.

I realise the User ID is weird. To explain, in the use case I am working on we
are only using GPG for file encryption/decryption using keys pre-agreed out
of band. As such, we aren't actually using any of the PGP "web-of-trust"
functionality, and the actual User IDs are rather irrelevant. Maybe we should
just use S/MIME or CMS instead (and I'm looking into that option), but since
we are already using GPG for this I was looking at how to possibly integrate
our existing usage of GPG with an external key management system.

That said, I have changed my key generation code to generate more normal
looking User IDs, as you can see with this key:

https://gist.github.com/skissane/a64756f32e62fbc5b51ee1f4eef22575

which has User ID:
  Test Key 123 


And, if you run the new key against my script, you get the same error,
showing that the problem (whatever it is) isn't the User ID. (My reading of RFC4880
section 5.11 is that having an email in the User ID is just a convention not
mandatory, so software should be robust in the face of User IDs breaking that
convention.)

Thank you
Simon



Re: failed to convert unprotected openpgp key: Checksum error

2018-01-21 Thread Zechariah Seth
Simon Kissane wrote:
> (This is just a test key generated for testing purposes, so it is fine
> to share it publicly.)

Interesting "User ID" on that key:
"root:testGpg:key_54503F79_3794_456C_8725_8977A68B71C1"

I hope no one is foolish enough to import your key and run your script.



failed to convert unprotected openpgp key: Checksum error

2018-01-19 Thread Simon Kissane
Hi

I have written some code in Java to generate private/public keys, and
export them in OpenPGP format (using BouncyCastle's OpenPGP classes).

However, when I try to decrypt data encrypted with the private key, I
get a "failed to convert unprotected openpgp key: Checksum error"

I presume there is something about the key file that GPG doesn't like?
But can anyone tell me what it is?

I am using GnuPG 2.2.4 on macOS 10.12.6.

Here is my private key:
https://gist.github.com/skissane/3d1109708be0d4167d8cf16db5fa2e3c

(This is just a test key generated for testing purposes, so it is fine
to share it publicly.)

Now, run this script against that private key file:
https://gist.github.com/skissane/d8291e9719d43bfb5eee58ee579c76fb

Like so: ./testGpg.sh testPrivateKey.asc

You will note the errors from gpg-agent:

gpg-agent[29270]: failed to convert unprotected openpgp key: Checksum error
gpg-agent[29270]: failed to read the secret key
gpg-agent[29270]: command 'PKDECRYPT' failed: Checksum error
gpg-agent[29270]: DBG: chan_7 -> ERR 67108874 Checksum error 

What confuses me is the key imports into the GPG home fine, the error
only happens when I try to use it to perform decryption. If the key
format was wrong, I would have thought the error would have happened
when I tried to import it.

Thanks
Simon
