Re: keys retrieved from keyserver (keys.openpgp.org) are unusable
On Tue, Jul 27, 2021 at 02:34:28PM +0200, Ingo Klöcker wrote:
> On Tuesday, 27 July 2021 01:32:53 CEST root wrote:
> > Long story short, when the public key is downloaded to my PC as a plain text
> > .asc file, and later imported using the function
> > gpgme_op_keylist_from_data_start() and gpgme_op_keylist_new(), the
> > key->can_encrypt, key->sign_certify, and can_sign are all 0x01.
>
> gpgme_op_keylist_from_data_start() does _not_ import any keys. All it does is
> retrieve the meta data of the keys passed to it as data. Those keys cannot be
> used for any crypto operations like signing, encrypting, etc. because the
> public key data has _not_ been imported. The keys have just been listed. This
> is very similar to listing the keys on a keyserver without actually
> retrieving the public keys from the keyserver.
>
> > Alternatively, if I do gpgme_op_keylist_start() using an email address with
> > GPGME_KEYLIST_MODE_EXTERN, the key->can_encrypt, key->can_certify and
> > key->can_sign are all 0x00. I've tried several email addresses found on
> > keys.openpgp.org, and the result is the same.
>
> Using gpgme_op_keylist_start() with GPGME_KEYLIST_MODE_EXTERN does a remote
> lookup on the keyserver. It does _not_ import the found keys. That's why
> can_encrypt, etc. are all 0x00. You need to download and import the keys if
> you want to use them.

This makes sense now. I will look into the sample code and manual to see how
I can download and import the keys after listing them. Any suggestion on
where to look for them? Hopefully, it'll be straightforward.

> Alternatively, you may want to use the auto-key-locate option of gpg which
> automatically locates and retrieves keys when encrypting to an email address.

The code that I am developing is actually a DLL used by another C#/C++
program written in .Net framework. Thus, the binary developed has to be
portable. I will look into the auto-key-locate option for sure.

> Don't reinvent the wheel using gpgme if you can simply use what gpg provides
> out of the box. Of course, you can still use gpgme for doing the encryption,
> but don't try to retrieve the keys yourself if gpg can do it for you.

I am new to GnuPG and this is a great tool in programming. I am not sure how
to use gpg commands directly in C/C++ code though. I thought gpgme is
providing the interface to use gpg?

Thanks again,
Eric

> Regards,
> Ingo

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg: used key is not marked for encryption use.
On Fri, 23 Jul 2021 20:00, Jonathan Kaczynski said:

> I'm trying to understand the scenario in which we see the log message,
> "gpg: used key is not marked for encryption use." I haven't been able to
> find any mentions of the phrase on the web, so I turned to the source code.

This is a warning that the encryption tool used a key which it should not
have used for encryption (i.e. a signing key). A proper OpenPGP
implementation won't allow encrypting to such a key, but some
implementations have bugs. Technically the keys can be used for both
purposes, but out of crypto hygiene this should not be done. No immediate
risk, though.

For S/MIME it is quite common to use the same key for encryption and
signing.

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
keys retrieved from keyserver (keys.openpgp.org) are unusable
Hi, all

I posted this question on stackoverflow.com a few days ago, and I am still
waiting for someone to comment.

https://stackoverflow.com/questions/68490051/key-retrieved-from-keyserver-keys-openpgp-org-cant-be-used-gpgme

Long story short, when the public key is downloaded to my PC as a plain text
.asc file, and later imported using the function
gpgme_op_keylist_from_data_start() and gpgme_op_keylist_new(), the
key->can_encrypt, key->sign_certify, and can_sign are all 0x01.

Alternatively, if I do gpgme_op_keylist_start() using an email address with
GPGME_KEYLIST_MODE_EXTERN, the key->can_encrypt, key->can_certify and
key->can_sign are all 0x00. I've tried several email addresses found on
keys.openpgp.org, and the result is the same.

Either way, I can't use this key to even encrypt data.

For the key downloaded as a .asc file, if I manually "certify" the key first
using Kleopatra prior to gpgme_op_keylist_from_data_start(), it then can be
used to encrypt the data. But my purpose is to use the public key downloaded
remotely with GPGME_KEYLIST_MODE_EXTERN only, and without Kleopatra of
course.

The trust-model has been set to "ALWAYS", or "always" using
gpgme_set_ctx_flag(). The crypto protocol used is OpenPGP.

I can't find good hints using the sample code in
https://github.com/gpg/gpgme.git either.

Any comment/suggestion is welcome.

Eric
Re: keys retrieved from keyserver (keys.openpgp.org) are unusable
On Tuesday, 27 July 2021 01:32:53 CEST root wrote:
> Long story short, when the public key is downloaded to my PC as a plain text
> .asc file, and later imported using the function
> gpgme_op_keylist_from_data_start() and gpgme_op_keylist_new(), the
> key->can_encrypt, key->sign_certify, and can_sign are all 0x01.

gpgme_op_keylist_from_data_start() does _not_ import any keys. All it does is
retrieve the meta data of the keys passed to it as data. Those keys cannot be
used for any crypto operations like signing, encrypting, etc. because the
public key data has _not_ been imported. The keys have just been listed. This
is very similar to listing the keys on a keyserver without actually
retrieving the public keys from the keyserver.

> Alternatively, if I do gpgme_op_keylist_start() using an email address with
> GPGME_KEYLIST_MODE_EXTERN, the key->can_encrypt, key->can_certify and
> key->can_sign are all 0x00. I've tried several email addresses found on
> keys.openpgp.org, and the result is the same.

Using gpgme_op_keylist_start() with GPGME_KEYLIST_MODE_EXTERN does a remote
lookup on the keyserver. It does _not_ import the found keys. That's why
can_encrypt, etc. are all 0x00. You need to download and import the keys if
you want to use them.

Alternatively, you may want to use the auto-key-locate option of gpg which
automatically locates and retrieves keys when encrypting to an email address.

Don't reinvent the wheel using gpgme if you can simply use what gpg provides
out of the box. Of course, you can still use gpgme for doing the encryption,
but don't try to retrieve the keys yourself if gpg can do it for you.

Regards,
Ingo