On the one hand, yes, it was a gpg-agent problem. It turned out that seahorse-daemon was running and screwing up the whole thing. --list-secret-keys started working once I unset GPG_AGENT_INFO. It still complained that there was no gpg-agent running, though. Does gpgsm require a gpg-agent running? I don't recall gpg2 requiring it.
Anyway, I got a gpg-agent up and running and tried again. This is what happened:

$ gpgsm --sign somefile
dirmngr[4522]: error opening `/home/psmay/.gnupg/dirmngr_ldapservers.conf': No such file or directory
dirmngr[4522]: permanently loaded certificates: 0
dirmngr[4522]: runtime cached certificates: 0
dirmngr[4522]: no CRL available for issuer id <clipped>
dirmngr[4522]: crl_fetch via issuer failed: Configuration error
dirmngr[4522]: command ISVALID failed: Configuration error
gpgsm: certificate #<clipped>/CN=Thawte Personal Freemail Issuing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA
gpgsm: checking the CRL failed: Configuration error
gpgsm: error creating signature: Configuration error <Dirmngr>

I figured that this was a sign that I should disable some checking--it's my own private key, so there shouldn't be any trust issues, right? So I tried this:

$ gpgsm --verbose --disable-crl-checks --disable-ocsp --sign somefile
gpgsm: no key usage specified - assuming all usages
gpgsm: no key usage specified - assuming all usages
gpgsm: certificate is good
gpgsm: certificate is good
gpgsm: checking the trust list failed: No such file or directory
gpgsm: error creating signature: No such file or directory <GPG Agent>

The agent log says this:

2007-03-14 09:21:28 gpg-agent[5376] handler 0x808c820 for fd 7 started
gpg-agent[5376.7] DBG: -> OK Pleased to meet you
gpg-agent[5376.7] DBG: <- RESET
gpg-agent[5376.7] DBG: -> OK
gpg-agent[5376.7] DBG: <- OPTION display=:0.0
gpg-agent[5376.7] DBG: -> OK
gpg-agent[5376.7] DBG: <- OPTION ttyname=/dev/pts/0
gpg-agent[5376.7] DBG: -> OK
gpg-agent[5376.7] DBG: <- OPTION ttytype=xterm
gpg-agent[5376.7] DBG: -> OK
gpg-agent[5376.7] DBG: <- OPTION lc-ctype=en_US.UTF-8
gpg-agent[5376.7] DBG: -> OK
gpg-agent[5376.7] DBG: <- OPTION lc-messages=en_US.UTF-8
gpg-agent[5376.7] DBG: -> OK
gpg-agent[5376.7] DBG: <- HAVEKEY <clipped>
gpg-agent[5376.7] DBG: -> OK
gpg-agent[5376.7] DBG: <- ISTRUSTED <clipped>
2007-03-14 09:21:28 gpg-agent[5376] error opening `/usr/local/etc/gnupg/trustlist.txt': No such file or directory
2007-03-14 09:21:28 gpg-agent[5376] error reading list of trusted root certificates
2007-03-14 09:21:28 gpg-agent[5376] command is_trusted failed: No such file or directory
gpg-agent[5376.7] DBG: -> ERR 67141713 No such file or directory <GPG Agent>
gpg-agent[5376.7] DBG: <- [EOF]
2007-03-14 09:21:28 gpg-agent[5376] handler 0x808c820 for fd 7 terminated

Not knowing what to put in trustlist.txt, I gave it a touch just to see what would happen.

$ gpgsm --verbose --disable-crl-checks --disable-ocsp --sign somefile
gpgsm: no key usage specified - assuming all usages
gpgsm: no key usage specified - assuming all usages
gpgsm: certificate is good
gpgsm: certificate is good
gpgsm: root certificate is not marked trusted
gpgsm: fingerprint=20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85
gpgsm: DBG: BEGIN Certificate `issuer':
gpgsm: DBG: serial: 00
gpgsm: DBG: notBefore: 1996-01-01 00:00:00
gpgsm: DBG: notAfter: 2020-12-31 23:59:59
gpgsm: DBG: issuer: 1.2.840.113549.1.9.1=#<clipped>,CN=Thawte Personal Freemail CA,OU=Certification Services Division,O=Thawte Consulting,L=Cape Town,ST=Western Cape,C=ZA
gpgsm: DBG: subject: 1.2.840.113549.1.9.1=#<clipped>,CN=Thawte Personal Freemail CA,OU=Certification Services Division,O=Thawte Consulting,L=Cape Town,ST=Western Cape,C=ZA
gpgsm: DBG: hash algo: 1.2.840.113549.1.1.4
gpgsm: DBG: SHA1 Fingerprint: 20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85
gpgsm: DBG: END Certificate
gpgsm: after checking the fingerprint, you may want to add it manually to the list of trusted certificates.
gpgsm: interactive marking as trusted not enabled in gpg-agent
gpgsm: error creating signature: Not trusted <GPG Agent>

I added that fingerprint as a line to trustlist.txt, fixed the gpg-agent config (apparently it didn't have a default pinentry), restarted gpg-agent (kill -HUP pid didn't do the trick), and suddenly everything worked.
All this said, here are my questions:

* Why does gpgsm do all of this trust checking just to use a private key? Why don't private keys already have (the S/MIME equivalent to) ultimate trust?

* Why didn't I already have a trustlist.txt? Shouldn't the source install process at least touch the file?

* Is gpg-agent actually necessary for all this? What's wrong with accepting my passphrase at the console if it's not running? (All right, I've already gathered that gpg-agent does way more than password caching, in which case the real question is, why is so much of this functionality in gpg-agent instead of gpgsm?)

* Is there a user trustlist.txt that can be used instead, or do I need to edit trustlist.txt as root every time a change needs to be made?

In the meantime, I guess I should figure out how to configure dirmngr, though it seems a little superfluous. Yet another reason I'll always prefer OpenPGP to S/MIME, I guess...

Thanks
PSM

Werner Koch wrote:
> On Tue, 13 Mar 2007 23:41, [EMAIL PROTECTED] said:
>
>> $ gpgsm --list-secret-keys
>> /home/psmay/.gnupg/pubring.kbx
>> ----------------------------
>> $
>
> There might be a problem with the gpg-agent. Make sure that gpg-agent
> is running and add
>
> verbose
> debug 1024
> log-file /for/bar/agent.log
>
> to gpg-agent.conf. Give a running gpg-agent a HUP or start it again.
> You may also use
>
> gpg-agent --daemon sh
>
> and do your test within this shell. You should see lines like
>
> DBG: <- HAVEKEY D6B7B913F20010E8A68DC14B7B72C296C79C773A
> DBG: -> ERR 67108881 No secret key <GPG Agent>
> DBG: <- HAVEKEY 0DEB2ED35B879151B1EDA067B0F290116C7915EB
> DBG: -> OK
>
> No OK lines? Run
>
> gpgsm --dump-keys
>
> which will show you the keygrip. The keygrip is what you see in the
> gpg-agent requests and they are also the basenames of the files below
> private-keys-v1.d/
>
> Salam-Shalom,
>
> Werner
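The "add that fingerprint as a line to trustlist.txt" step above is the one that actually extends trust, so it is worth gating on a fingerprint checked through an independent channel rather than copied straight from the error. The following is an added shell example, not code from the mail or from GnuPG; it assumes the trustlist.txt line format "<FINGERPRINT> S" (S = trusted for S/MIME) and a per-user trustlist at $GNUPGHOME/trustlist.txt (default ~/.gnupg), and the gpgsm output it parses is a constructed sample modelled on the lines quoted above.

```shell
# Added example (not from the original mail or from GnuPG): turn gpgsm's
# "root certificate is not marked trusted" output into a trustlist.txt entry,
# but only when the reported fingerprint equals one the operator verified out
# of band, so a wrong or mistyped root is never trusted blindly.
# Assumptions: trustlist.txt lines look like "<FINGERPRINT> S" and the
# per-user file lives at ${GNUPGHOME:-$HOME/.gnupg}/trustlist.txt.

# Constructed sample, modelled on the gpgsm lines quoted in the mail.
SAMPLE_GPGSM_OUTPUT='gpgsm: certificate is good
gpgsm: root certificate is not marked trusted
gpgsm: fingerprint=20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85
gpgsm: DBG: SHA1 Fingerprint: 20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85
gpgsm: error creating signature: Not trusted <GPG Agent>'

# Read gpgsm output on stdin; print each untrusted-root fingerprint once,
# uppercased, in the 59-character colon-separated SHA-1 form gpgsm prints.
untrusted_root_fingerprints() {
    sed -n 's/^gpgsm: fingerprint=\([0-9A-Fa-f:]\{59\}\)$/\1/p' | tr 'a-f' 'A-F' | sort -u
}

# Print the trustlist.txt entry for the reported fingerprint ($1) only if it
# equals the independently verified fingerprint ($2), ignoring case;
# otherwise print nothing and return 1.
trustlist_entry() {
    reported=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -n "$reported" ] && [ "$reported" = "$expected" ] || return 1
    printf '%s S\n' "$reported"
}

# Append the verified entry to the user's trustlist.txt, creating the file if
# needed (what the mail's "touch" did). As the mail notes, gpg-agent has to be
# restarted before it sees the change.
add_trusted_root() {
    dir=${GNUPGHOME:-$HOME/.gnupg}
    entry=$(trustlist_entry "$1" "$2") || {
        echo "refusing to trust $1: does not match the verified fingerprint" >&2
        return 1
    }
    mkdir -p "$dir" && chmod 700 "$dir"
    printf '%s\n' "$entry" >> "$dir/trustlist.txt"
}
```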