gpgsm documentation (2nd attempt)
Borden
borden_c at tutanota.com
Fri Nov 28 10:43:02 CET 2025
26 Nov 2025, 05:00 by wk at gnupg.org:
> However, when exporting in pkcs#12 or pkcs#8 format, gpgsm recomputes the parameters to get them into OpenSSL format.
>
I must be using either gpgsm or openssl incorrectly. When I run:
gpgsm --output secret-key.pkcs12 --export-secret-key-p12 $cert_id_goes_here
openssl pkcs12 -in secret-key.pkcs12 -info -noout # copied straight from the openssl manpage
I get:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Error outputting keys and certificates
40B7E82EE87F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:375:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
However, when I run:
gpgsm --output secret-key.pkcs8 --export-secret-key-p8 $cert_id_goes_here
openssl pkcs8 -in secret-key.pkcs8 -topk8 -nocrypt -out pkcs8-secret-key.pem
That seems to execute if I explicitly state -topk8, and it fails otherwise. I guess that means I need to get the openssl people to explain their documentation to me.
Incidentally, the gpgsm manpage puts --export-secret-key-raw & --export-secret-key-p8 together. Before reading more closely and learning that -raw exports in PKCS#1 format, I thought they were synonymous. Consider breaking the two parameters up to make the distinction obvious.
With thanks,
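
Added example, not part of the original message and not gpgsm or OpenSSL project code: a small shell check that reads the text printed by `openssl pkcs12 -info -noout` and flags bags protected with RC2 or RC4 PBE schemes, which OpenSSL 3.x only provides through its legacy provider, as the RC2-40-CBC "unsupported" error above shows. The function names are hypothetical, and the sample input is the three `-info` lines quoted in the message.

```shell
#!/usr/bin/env bash
# Added example: classify the bag-encryption lines of `openssl pkcs12 -info`.

# Sample input: the -info lines quoted in the message above.
SAMPLE_INFO='MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048'

# p12_findings (hypothetical name): -info text on stdin, one finding per line.
p12_findings() {
  awk '
    # Bag lines look like "PKCS7 Encrypted data: <pbe>, Iteration N"
    # or "Shrouded Keybag: <pbe>, Iteration N".
    /^(PKCS7 Encrypted data|Shrouded Keybag): / {
      pbe = $0
      sub(/^[^:]*: /, "", pbe)   # drop the bag label
      sub(/,.*/, "", pbe)        # keep only the scheme name
      # RC2 and RC4 are only available from the OpenSSL 3.x legacy provider.
      if (pbe ~ /RC2|RC4/) print "legacy-cipher " pbe
      # 40-bit export-grade key length.
      if (pbe ~ /40Bit/)   print "40-bit-key " pbe
    }
  '
}

# p12_needs_legacy (hypothetical name): exit status 0 when any bag uses a
# cipher that the default provider does not offer.
p12_needs_legacy() {
  p12_findings | grep -q '^legacy-cipher '
}

printf '%s\n' "$SAMPLE_INFO" | p12_findings
if printf '%s\n' "$SAMPLE_INFO" | p12_needs_legacy; then
  # With OpenSSL 3.x the same container can then be inspected with:
  #   openssl pkcs12 -legacy -in secret-key.pkcs12 -info -noout
  echo "legacy provider required to decrypt this container"
fi
```
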