gpg-agent unknown value for WHAT
Hi there,

I'm attempting to generate a 4096bit RSA key using gnupg 2.0.12 and gpg-agent 2.0.11 but I'm getting an error message prior to entering the passphrase:

gpg: problem with the agent: Not supported

Having done a little digging I decided to enable --debug-all to see if this would shed any light on the problem - unfortunately the error message means very little on first inspection - hence this mail.

gpg-agent[66760.6] DBG: - ERR 67109144 parameter conflict - unknown value for WHAT

I've included the full session output below with certain fields X'd out...

_Environment_info_
Mac OS X 10.5.8
gnupg2 installed via darwin ports

_Non_standard_entries_in_~/.gnupg/gpg.conf_
personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

Any help or suggestions of where to look further appreciated.

Regards,
Dave

Session output...

bash-3.2$ gpg-agent --daemon --debug-all /bin/bash
gpg-agent[66759]: NOTE: no default option file `/Users//.gnupg/gpg-agent.conf'
gpg-agent[66759]: listening on socket `/tmp//S.gpg-agent'
bash-3.2$ gpg2 --gen-key
gpg (GnuPG) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
        n  = key expires in n days
        nw = key expires in n weeks
        nm = key expires in n months
        ny = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: X
Email address: XX
Comment: CODE SIGNING KEY
You selected this USER-ID:
    XXX (CODE SIGNING KEY)

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

gpg-agent[66760]: handler 0x302780 for fd 6 started
gpg-agent[66760.6] DBG: - OK Pleased to meet you
gpg-agent[66760.6] DBG: - RESET
gpg-agent[66760.6] DBG: - OK
gpg-agent[66760.6] DBG: - OPTION display=/tmp/launch-JBTxKt/:0
gpg-agent[66760.6] DBG: - OK
gpg-agent[66760.6] DBG: - OPTION ttyname=/dev/ttys002
gpg-agent[66760.6] DBG: - OK
gpg-agent[66760.6] DBG: - OPTION ttytype=xterm
gpg-agent[66760.6] DBG: - OK
gpg-agent[66760.6] DBG: - OPTION lc-ctype=en_GB.UTF-8
gpg-agent[66760.6] DBG: - OK
gpg-agent[66760.6] DBG: - OPTION lc-messages=en_GB.UTF-8
gpg-agent[66760.6] DBG: - OK
gpg-agent[66760.6] DBG: - OPTION allow-pinentry-notify
gpg-agent[66760.6] DBG: - OK
gpg-agent[66760.6] DBG: - GETINFO cmd_has_option GET_PASSPHRASE repeat
gpg-agent[66760.6] DBG: - ERR 67109144 parameter conflict - unknown value for WHAT
gpg: problem with the agent: Not supported
gpg: Key generation canceled.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg-agent unknown value for WHAT
On Tue, 20 Oct 2009 16:41, david.sav...@paremus.com said:

> I'm attempting to generate a 4096bit RSA key using gnupg 2.0.12 and
> gpg-agent 2.0.11 but I'm getting an error message prior to entering

That does not work. You have to update gpg-agent. The conflict is an attempt to minimize such dependencies in the future.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

Re: gpg-agent unknown value for WHAT
David Savage wrote the following on 10/20/09 10:41 AM:

> Hi there,
>
> I'm attempting to generate a 4096bit RSA key using gnupg 2.0.12 and
> gpg-agent 2.0.11 but I'm getting an error message prior to entering
> the passphrase:
>
> gpg: problem with the agent: Not supported

Hi David,

IMO, the problem resides with your installation of gnupg2 via Darwin Ports. Darwin Ports installs a version of pinentry (required for gpg-agent to function) that is not compatible with MacOSX. If you want to install a functioning gnupg2 for MacOSX, with a Mac native pinentry.app, you might want to try MacGPG2 2.0.12 http://sourceforge.net/projects/macgpg2/ http://lists.gnupg.org/pipermail/gnupg-users/2009-June/036724.html, that can be downloaded from: http://sourceforge.net/projects/macgpg2/files/macgpg2/

> Having done a little digging I decided to enable --debug-all to see if
> this would shed any light on the problem - unfortunately the error
> message means very little on first inspection - hence this mail.
>
> gpg-agent[66760.6] DBG: - ERR 67109144 parameter conflict - unknown value for WHAT
>
> I've included the full session output below with certain fields X'd out...
>
> _Environment_info_
> Mac OS X 10.5.8
> gnupg2 installed via darwin ports

That should be the problem.

> _Non_standard_entries_in_~/.gnupg/gpg.conf_
> personal-digest-preferences SHA512
> cert-digest-algo SHA512
> default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
>
> Any help or suggestions of where to look further appreciated.

Please see above.

[...]

> gpg: problem with the agent: Not supported

Ditto, Darwin Ports does not install gpg-agent with the required pinentry that will function under MacOSX

Charly

MacOSX 10.6.1 32bits MacBook5,1 - Gnupg 1.4.10 - MacGPG2 2.0.12 - Running Enigmail version 0.97a (20091019-2108), with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.4pre) Gecko/20090915 Thunderbird/3.0b4

Re: gpg-agent unknown value for WHAT
Firstly, thx for the quick replies.

I'm in the process of updating gpg using the urls Charly forwarded in the previous email - I guess I could try to just update the gpg-agent in use on my machine from that release then stick with the mac port version of gpg? Just one less variable to tidy up?

Sounds like a patch is needed to mac ports in any case. I'll try pinging a mail over there and see if there's any chance they can update.

Regards,
Dave

On Tue, Oct 20, 2009 at 6:31 PM, Werner Koch w...@gnupg.org wrote:

> On Tue, 20 Oct 2009 16:41, david.sav...@paremus.com said:
>
>> I'm attempting to generate a 4096bit RSA key using gnupg 2.0.12 and
>> gpg-agent 2.0.11 but I'm getting an error message prior to entering
>
> That does not work. You have to update gpg-agent. The conflict is an
> attempt to minimize such dependencies in the future.
>
> Shalom-Salam,
>
>    Werner
>
> --
> Thoughts are free. Exceptions are regulated by a federal law.

Re: gpg-agent unknown value for WHAT
David Savage wrote the following on 10/20/09 2:04 PM:

> I'm in the process of updating gpg using the urls Charly forwarded in
> the previous email - I guess I could try to just update the gpg-agent
> in use on my machine from that release then stick with the mac port
> version of gpg? Just one less variable to tidy up?

I don't remember whether using the MacGPG2 2.0.12 installer will simply overwrite your Darwin Ports installation. If it does, you will have a working MacGPG2 2.0.12, complete with gpg-agent and Mac native pinentry.app. If it doesn't, you might still have some problems with the remnants of the previous install.

> Sounds like a patch is needed to mac ports in any case.

Yes.

> I'll try pinging a mail over there and see if there's any chance they
> can update.

Wish you luck.

Charly

Re: A lot of questions about CERT, PKA and make-dns-cert
On Thu, 15 Oct 2009, David Shaw wrote:

> On Oct 15, 2009, at 9:37 PM, Dan Mahoney, System Admin wrote:
>
>> I'm running:
>>
>> echo foo | gpg -v -v --auto-key-locate cert --recipient gu...@gushi.org --encrypt -a
>>
>> And get
>>
>> gpg: error retrieving `gu...@gushi.org' via DNS CERT: No fingerprint
>>
>> I exported my key with:
>>
>> gpg --export --export-options minimal file; and make-dns-cert -n gushi.gushi.org -f file
>
> It works fine for me. What version of GPG are you using?

I tried this again, after I nuked the fingerprint cert record.

Oddly, running on gpg2 on an older debian system, I get:

# echo foo | gpg2 -v -v --auto-key-locate cert --encrypt -r gu...@gushi.org
gpg: no keyserver known (use option --keyserver)
gpg: error retrieving `gu...@gushi.org' via DNS CERT: General error
gpg: gu...@gushi.org: skipped: General error
gpg: [stdin]: encryption failed: General error

That first line specifically makes me scratch my head a bit.

(The gpg manpage also appears to be a bit corrupted on this system).

On my bsd system, I get what you see at http://www.gushi.org/gpg.txt. It retrieves the key, but complains of no fingerprint, however it actually DOES import the key, so it works a second time.

If you require a shell to play with this, let me know and I'll provide one. With the demise of thawte's free cert offering, I'd really like to do what I can to increase awareness of this stuff.

On my ubuntu desktop, it works fine.

I suspect strongly that this feature doesn't get the most broad platform testing. Let me know if you'd like to help.

-Dan

--
Dan Mahoney
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---

Re: A lot of questions about CERT, PKA and make-dns-cert
On Oct 20, 2009, at 10:55 PM, Dan Mahoney, System Admin wrote:

> On Thu, 15 Oct 2009, David Shaw wrote:
>
>> On Oct 15, 2009, at 9:37 PM, Dan Mahoney, System Admin wrote:
>>
>>> I'm running:
>>>
>>> echo foo | gpg -v -v --auto-key-locate cert --recipient gu...@gushi.org --encrypt -a
>>>
>>> And get
>>>
>>> gpg: error retrieving `gu...@gushi.org' via DNS CERT: No fingerprint
>>>
>>> I exported my key with:
>>>
>>> gpg --export --export-options minimal file; and make-dns-cert -n gushi.gushi.org -f file
>>
>> It works fine for me. What version of GPG are you using?
>
> I tried this again, after I nuked the fingerprint cert record.
>
> Oddly, running on gpg2 on an older debian system, I get:
>
> # echo foo | gpg2 -v -v --auto-key-locate cert --encrypt -r gu...@gushi.org
> gpg: no keyserver known (use option --keyserver)
> gpg: error retrieving `gu...@gushi.org' via DNS CERT: General error
> gpg: gu...@gushi.org: skipped: General error
> gpg: [stdin]: encryption failed: General error
>
> That first line specifically makes me scratch my head a bit.

You didn't give an actual version number (run gpg2 --version), so I can only make an educated guess, but I do think I see your problem. You don't have one key in your CERT - you have two (309C17C5 and 624BB249) combined into one DNS record. That doesn't work - it's a one-name-one-key mapping. We should give a better error message in this case.

Can you try again with a single key in your CERT? Alternately, if you want both of your keys, you could use 2 different CERT records for the gushi.gushi.org. name, each with one of your keys (rather than 1 CERT record with a payload containing two keys). Note that this will usually result in round-robining for those people who don't have your key, which may or may not be what you want.

At least using gpg 2.0.13, and a single key in the CERT, this works properly for me. I can't speak for an earlier version.

All of that said, I think it's worth pointing out that IPGP (the fingerprint+URL variation of CERT) is far more useful than PGP (the full key). Not all systems are going to be able to pass a 1718-byte DNS message, as yours is.

> I suspect strongly that this feature doesn't get the most broad
> platform testing. Let me know if you'd like to help.

Please do! More testing is always welcome.

David
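
An added example (not from the thread and not GnuPG code) of a check for the one-name-one-key point in the reply above: it walks the packets of a binary `gpg --export` file and lists the short key ID of each primary key, so an export holding two keys is caught before `make-dns-cert` is run. The function names and the sample key bytes are constructed for illustration, and only v4 keys are handled.

```python
import hashlib
# Added illustration; the function names below are not GnuPG's.
def iter_packets(data):
    """Yield (tag, body) for each OpenPGP packet (RFC 4880 framing)."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError(f"not an OpenPGP packet at offset {pos}")
        pos += 1
        if hdr & 0x40:                          # new-format header
            tag, first = hdr & 0x3F, data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:
                raise ValueError("partial body lengths are not handled")
        else:                                   # old-format header
            tag, size = (hdr >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}.get(hdr & 3)
            if size is None:
                raise ValueError("indeterminate lengths are not handled")
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        if pos + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[pos:pos + length]
        pos += length

def primary_key_ids(data):
    """Short key IDs (last 4 fingerprint bytes) of each v4 primary key."""
    ids = []
    for tag, body in iter_packets(data):
        if tag == 6 and body[:1] == b"\x04":    # tag 6 = primary public key
            fpr = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body)
            ids.append(fpr.hexdigest()[-8:].upper())
    return ids

def fits_one_cert_record(data):
    """True only when the export holds exactly one primary key."""
    return len(primary_key_ids(data)) == 1

def constructed_key(created):  # constructed, non-functional sample key packet
    body = b"\x04" + created.to_bytes(4, "big") + b"\x01\x00\x08\xc1\x00\x02\x03"
    return b"\x99" + len(body).to_bytes(2, "big") + body

if __name__ == "__main__":
    print(primary_key_ids(constructed_key(1) + constructed_key(2)))  # two IDs
```

Subkey packets (tag 14) and user IDs are skipped, so a normal single-key export with subkeys still passes.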