gpgsm --import of CA certificate: Bad signature?

Simon Josefsson simon at josefsson.org
Tue Apr 17 20:14:39 CEST 2007


Hi!  I'm trying to get Scute working in Mozilla (as a first step
towards making GnuTLS also use it as a PKCS#11 module).  I imported my
newly generated certificate into gpgsm as follows:

jas at mocca:~$ gpgsm --import .gnupg/test-key.pem
gpgsm: issuer certificate {E93C1CFBAD926EE606A4562CA2E1C05327C8F295} not found using authorityKeyIdentifier
gpgsm: issuer certificate (#/CN=GnuTLS test CA) not found
gpgsm: issuer certificate {E93C1CFBAD926EE606A4562CA2E1C05327C8F295} not found using authorityKeyIdentifier
gpgsm: total number processed: 1
gpgsm:              unchanged: 1
jas at mocca:~$

I guessed that it wouldn't hurt to import the CA certificate too.  But
here's what happened then:

jas at mocca:~$ gpgsm --import ~/src/www-gnutls/test-credentials/x509-ca.pem
gpgsm: self-signed certificate has a BAD signature: Bad signature
gpgsm: basic certificate checks failed - not imported
gpgsm: total number processed: 1
gpgsm:           not imported: 1
jas at mocca:~$

As far as I can tell, there is nothing wrong with this certificate.
Ideas?

You can retrieve the certificate from:
http://www.gnu.org/software/gnutls/test-credentials/x509-ca.pem

I'm using GnuPG 2.0.3.

I don't know if it is relevant, but the list of 'Supported algorithms'
seems rather short:

jas at mocca:~$ gpgsm --version
gpgsm (GnuPG) 2.0.3
Copyright (C) 2007 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Home: ~/.gnupg
Supported algorithms:
jas at mocca:~$

/Simon



More information about the Gnupg-users mailing list