GPG cannot import public key

helices gpg at mdsresource.net
Thu Apr 24 20:59:22 CEST 2014


Thank you, David

For now, they have agreed to move forward with the new key pair that they
created yesterday, using that same "Encryption Desktop 10.3.0 (Build 8741)".
PGP has been Symantec for several years now ...

It is strange to me that the newly created public key breezed through our
import processes without incident.

I cannot be sure how their original key pair was originally created - they
say that they have been using it for quite a while. It would be nice - for
them now and for me in the future - if their original key can be "fixed."

Mostly, I'm not certain how much of this is GPG and how much is whatever is on
their side.


On Thu, Apr 24, 2014 at 12:55 PM, David Shaw <dshaw at jabberwocky.com> wrote:

> On Apr 24, 2014, at 9:15 AM, helices <gpg at mdsresource.net> wrote:
>
> > Thank you, for your response.
> >
> > [1]
> > -----BEGIN PGP PUBLIC KEY BLOCK-----
> > Version: Encryption Desktop 10.3.0 (Build 8741)
>
> [..]
>
> > -----END PGP PUBLIC KEY BLOCK-----
>
> Interesting!  This definitely has a selfsig, but the key itself is very
> odd.  It's an RSA sign-only key, which is deprecated in OpenPGP.  The
> subkey is similarly odd - a RSA encrypt-only key, also deprecated.  The
> header says it came from "Encryption Desktop", which is a Symantec product
> (well, it is now).  I don't know why that key is using deprecated key
> types, but certainly something is odd there.
>
> RFC-4880 (published back in 2007) says:
>
>    RSA Encrypt-Only (2) and RSA Sign-Only are deprecated and SHOULD NOT be
>    generated, but may be interpreted.
>
> Weirder, the selfsig says it's a RSA signature (not RSA_S), so you have
> the odd situation of a key (RSA_S) and its self-sig (RSA) being from
> different algorithms.
>
> So, it's legal for GPG to not accept this key (using deprecated
> algorithms), though the error message you got seems misleading to me.
>
> > [2] Interestingly enough, importing this key with "gpg (GnuPG) 1.4.5" is
> > successful:
> > # gpg --import /tmp/imps.asc
> > gpg: key 845F5188: public key "Concerto Support Key <
> > concerto.support at impact-ps.com>" imported
> > gpg: Total number processed: 1
> > gpg:               imported: 1  (RSA: 1)
>
> GPG 1.4.5 treats RSA_S and RSA_E as identical to RSA for existing keys,
> but does not allow generating them.  This is legal as per the spec (i.e.
> don't generate them, but it's optional to use them).
>
> I'm afraid I don't have immediate access to the GPG 2.x code base to
> check, but I wonder if your problem is simply that 2.x doesn't accept RSA_S
> and RSA_E keys?
>
> David
>
>
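An added diagnostic, not part of this thread or of GnuPG, that reads a binary OpenPGP key (e.g. the output of `gpg --dearmor` on the .asc file) and reports the public-key algorithm ID of each key and subkey packet, flagging the deprecated RSA Encrypt-Only (2) and RSA Sign-Only (3) IDs David describes; the function names and the sample packet bytes are constructed for this example, not taken from the key in the thread.

```python
# Public-key algorithm IDs from RFC 4880 section 9.1; 2 and 3 are the deprecated RSA variants
ALGO_NAMES = {1: "RSA", 2: "RSA Encrypt-Only", 3: "RSA Sign-Only", 16: "Elgamal", 17: "DSA"}
DEPRECATED = {2, 3}

def parse_packets(data: bytes):
    """Yield (tag, body) per packet; handles old- and new-format headers (RFC 4880 section 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]; i += 1
        if ctb & 0x40:                                  # new-format header
            tag, first = ctb & 0x3F, data[i]; i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big"); i += 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                           # old-format header, 1/2/4-byte length
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not supported")
            length = int.from_bytes(data[i:i + (1 << ltype)], "big"); i += 1 << ltype
        yield tag, data[i:i + length]
        i += length

def key_algorithms(data: bytes):
    """List (role, algo_id, algo_name, deprecated) for each public-key (tag 6) and subkey (tag 14) packet."""
    out = []
    for tag, body in parse_packets(data):
        if tag not in (6, 14):
            continue
        if body[0] not in (2, 3, 4):
            raise ValueError(f"unsupported key packet version {body[0]}")
        algo = body[5] if body[0] == 4 else body[7]   # v4: version, time(4), algo; v2/v3 add validity(2)
        out.append(("primary" if tag == 6 else "subkey", algo, ALGO_NAMES.get(algo, "unknown"), algo in DEPRECATED))
    return out

# Constructed sample (not the key from the thread): v4 RSA Sign-Only primary key plus RSA Encrypt-Only subkey,
# toy MPIs, old-format headers with one-byte lengths
def _mpi(n: int) -> bytes:
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")

def _key_packet(tag: int, algo: int) -> bytes:
    body = b"\x04" + (0x53580000).to_bytes(4, "big") + bytes([algo]) + _mpi(0xC7) + _mpi(65537)
    return bytes([0x80 | (tag << 2), len(body)]) + body

SAMPLE_KEY = _key_packet(6, 3) + _key_packet(14, 2)
```

Running `key_algorithms()` over a real key block shows whether the primary key or a subkey carries algorithm 2 or 3, which is the condition David points to as a legitimate reason for an importer to reject the key.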