Re: failed to convert unprotected openpgp key: Checksum error
On Mon 2018-01-22 15:37:37 -0500, Phil Pennock wrote:
> So at this point, it looks to me like it really is an incorrect
> checksum, exposing unfortunate edge-case handling in GnuPG.

Thanks for the diagnosis, Phil and Simon.

Please file a bug report about this at https://dev.gnupg.org/ so that
this edge-case doesn't get lost!

--dkg

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: failed to convert unprotected openpgp key: Checksum error
On 2018-01-19 at 19:57 +1100, Simon Kissane wrote:
> However, when I try to decrypt data encrypted with the private key, I
> get a "failed to convert unprotected openpgp key: Checksum error"

Simpler check:

  % gpg --export-secret-key
  gpg: key 4252EB6983CE74C44F549B6F8666715904EE61F2: error receiving key from agent: Checksum error - skipped
  gpg: WARNING: nothing exported

If I use `gpg --expert --full-generate-key` to make an SCEA RSA/4096 key,
then it looks almost identical in structure to yours.

If I just `gpg --import` a dearmored version of the key, then I get a
checksum error at that time:

  gpg: key 68F870F8C0FAA42B: public key "root:testGpg:key_54503F79_3794_456C_8725_8977A68B71C1" imported
  gpg: key 68F870F8C0FAA42B/68F870F8C0FAA42B: error sending to agent: Checksum error

so something in the scripted setup you created suppressed that error
message, which is Unfortunate by GnuPG.

The key still ends up added to the keyring in the above, even with the
error, but it's unusable. This might be a bug in GnuPG: IMO if it's
broken and will never be usable, then it should not be added and gpg
should exit false.

So at this point, it looks to me like it really is an incorrect
checksum, exposing unfortunate edge-case handling in GnuPG.

-Phil
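Added example, not part of the thread and not GnuPG's or BouncyCastle's code: RFC 4880 section 5.5.3 defines the checksum of an unprotected secret key (S2K usage octet 0) as the sum of all octets of the secret MPIs, length headers included, mod 65536. This Python function recomputes it for a v4 RSA secret-key packet body and compares it with the stored value; the function names and the toy key are constructed for illustration.

```python
import struct

def mpi(n):
    """Encode n as an OpenPGP MPI: 2-octet bit count, then big-endian octets."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def skip_mpi(buf, off):
    """Return the offset just past the MPI that starts at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated MPI header")
    end = off + 2 + (struct.unpack_from(">H", buf, off)[0] + 7) // 8
    if end > len(buf):
        raise ValueError("truncated MPI body")
    return end

def secret_key_checksums(body):
    """Return (stored, computed) checksums of a v4 unprotected RSA secret-key packet body."""
    if len(body) < 6 or body[0] != 4 or body[5] not in (1, 2, 3):
        raise ValueError("only v4 RSA keys are handled in this example")
    off = 6                                   # version + creation time + algorithm
    for _ in range(2):                        # public MPIs: n, e
        off = skip_mpi(body, off)
    if off >= len(body) or body[off] != 0:
        raise ValueError("S2K usage octet is not 0: key is not unprotected")
    start = off = off + 1
    for _ in range(4):                        # secret MPIs: d, p, q, u
        off = skip_mpi(body, off)
    if len(body) - off != 2:
        raise ValueError("expected exactly two checksum octets after the secret MPIs")
    stored = struct.unpack_from(">H", body, off)[0]
    computed = sum(body[start:off]) & 0xFFFF  # sum of all octets mod 65536
    return stored, computed

def build_sample(bad_checksum=False):
    """Constructed toy key (p=61, q=53), far too small for real use."""
    public = bytes([4]) + struct.pack(">I", 1516320000) + bytes([1]) + mpi(3233) + mpi(17)
    secret = mpi(2753) + mpi(61) + mpi(53) + mpi(20)
    csum = (sum(secret) + (1 if bad_checksum else 0)) & 0xFFFF
    return public + b"\x00" + secret + struct.pack(">H", csum)

if __name__ == "__main__":
    for label, body in (("good", build_sample()), ("bad", build_sample(True))):
        stored, computed = secret_key_checksums(body)
        print(label, hex(stored), hex(computed), "OK" if stored == computed else "Checksum error")
```

The function takes the packet body only, so ASCII armor and the packet header have to be removed before a real exported key is passed to it.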
Re: [OT] Re: failed to convert unprotected openpgp key: Checksum error
On 1/22/18 12:30 PM, Kristian Fiskerstrand wrote:
> On 01/22/2018 06:31 PM, Daniele Nicolodi wrote:
>> On 1/22/18 5:31 AM, Kristian Fiskerstrand wrote:
>>> On 01/22/2018 08:33 AM, Werner Koch wrote:
>>>> That is an acceptable user-id. I would have used a dot as delimiter but
>>>> that is a personal taste.
>>>
>>> Dot is a permitted part of username in POSIX though, while : is not :)
>>
>> Uh? As far as I know, the only characters not allowed are / and null.
>
> http://pubs.opengroup.org/onlinepubs/95399/basedefs/xbd_chap03.html#tag_03_426
>
> 3.426 User Name

Sorry, I should not be writing email before my morning coffee: I read
filenames instead of usernames.

Cheers,
Daniele
Re: [OT] Re: failed to convert unprotected openpgp key: Checksum error
On 01/22/2018 06:31 PM, Daniele Nicolodi wrote:
> On 1/22/18 5:31 AM, Kristian Fiskerstrand wrote:
>> On 01/22/2018 08:33 AM, Werner Koch wrote:
>>> That is an acceptable user-id. I would have used a dot as delimiter but
>>> that is a personal taste.
>>
>> Dot is a permitted part of username in POSIX though, while : is not :)
>
> Uh? As far as I know, the only characters not allowed are / and null.

http://pubs.opengroup.org/onlinepubs/95399/basedefs/xbd_chap03.html#tag_03_426

3.426 User Name
A string that is used to identify a user; see also User Database. To be
portable across systems conforming to IEEE Std 1003.1-2001, the value is
composed of characters from the portable filename character set. The
hyphen should not be used as the first character of a portable user name.

http://pubs.opengroup.org/onlinepubs/95399/basedefs/xbd_chap03.html#tag_03_276

The set of characters from which portable filenames are constructed.

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 . _ -

--
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Cogito ergo sum
I think, therefore I am
Re: [OT] Re: failed to convert unprotected openpgp key: Checksum error
On 1/22/18 5:31 AM, Kristian Fiskerstrand wrote:
> On 01/22/2018 08:33 AM, Werner Koch wrote:
>> That is an acceptable user-id. I would have used a dot as delimiter but
>> that is a personal taste.
>
> Dot is a permitted part of username in POSIX though, while : is not :)

Uh? As far as I know, the only characters not allowed are / and null.

Cheers,
Daniele
[OT] Re: failed to convert unprotected openpgp key: Checksum error
On 01/22/2018 08:33 AM, Werner Koch wrote:
> That is an acceptable user-id. I would have used a dot as delimiter but
> that is a personal taste.

Dot is a permitted part of username in POSIX though, while : is not :)

--
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
"Don't be afraid to go out on a limb. That's where the fruit is."
(H. Jackson Browne)
Re: failed to convert unprotected openpgp key: Checksum error
On Mon, 22 Jan 2018 03:40, skiss...@medallia.com said:

> showing that problem (whatever it is) isn't the User ID. (My reading of
> RFC4880 section 5.11 is that having an email in the User ID is just a
> convention not mandatory, so software should be robust in the face of
> User IDs breaking that

Correct. Actually, specifying a mail address with -r or --locate-key
changes GnuPG's behaviour in that it tries to find the key in a
configured online directory (by default WKD).

>> "root:testGpg:key_54503F79_3794_456C_8725_8977A68B71C1"

That is an acceptable user-id. I would have used a dot as delimiter but
that is a personal taste.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: failed to convert unprotected openpgp key: Checksum error
On Mon, Jan 22, 2018 at 11:36 AM, Zechariah Seth wrote:
> Simon Kissane wrote:
>> (This is just a test key generated for testing purposes, so it is fine
>> to share it publicly.)
>
> Interesting "User ID" on that key:
> "root:testGpg:key_54503F79_3794_456C_8725_8977A68B71C1"
>
> I hope no one is foolish enough to import your key and run your script.

Hi Zechariah, thank you for taking the time to have a look at this for me.

It sounds like you are concerned that running my script may import some
strange key into your GPG home. If you read the script, you will see
that it creates two new GPG homes under a temporary directory, so no odd
keys are going to be imported into your day-to-day GPG config.

I realise the User ID is weird. To explain, in the use case I am working
on we are only using GPG for file encryption/decryption using keys
pre-agreed out of band. As such, we aren't actually using any of the PGP
"web-of-trust" functionality, and the actual User IDs are rather
irrelevant. Maybe we should just use S/MIME or CMS instead (and I'm
looking into that option), but since we are already using GPG for this I
was looking at how to possibly integrate our existing usage of GPG with
an external key management system.

That said, I have changed my key generation code to generate more normal
looking User IDs, as you can see with this key:
https://gist.github.com/skissane/a64756f32e62fbc5b51ee1f4eef22575
which has User ID: Test Key 123

And, if you run the new key against my script, you get the same error,
showing that problem (whatever it is) isn't the User ID. (My reading of
RFC4880 section 5.11 is that having an email in the User ID is just a
convention not mandatory, so software should be robust in the face of
User IDs breaking that convention.)

Thank you
Simon
Re: failed to convert unprotected openpgp key: Checksum error
Simon Kissane wrote:
> (This is just a test key generated for testing purposes, so it is fine
> to share it publicly.)

Interesting "User ID" on that key:
"root:testGpg:key_54503F79_3794_456C_8725_8977A68B71C1"

I hope no one is foolish enough to import your key and run your script.
failed to convert unprotected openpgp key: Checksum error
Hi

I have written some code in Java to generate private/public keys, and
export them in OpenPGP format (using BouncyCastle's OpenPGP classes).

However, when I try to decrypt data encrypted with the private key, I
get a "failed to convert unprotected openpgp key: Checksum error"

I presume there is something about the key file that GPG doesn't like?
But can anyone tell me what it is?

I am using GnuPG 2.2.4 on macOS 10.12.6.

Here is my private key:
https://gist.github.com/skissane/3d1109708be0d4167d8cf16db5fa2e3c
(This is just a test key generated for testing purposes, so it is fine
to share it publicly.)

Now, run this script against that private key file:
https://gist.github.com/skissane/d8291e9719d43bfb5eee58ee579c76fb

Like so:

  ./testGpg.sh testPrivateKey.asc

You will note the errors from gpg-agent:

  gpg-agent[29270]: failed to convert unprotected openpgp key: Checksum error
  gpg-agent[29270]: failed to read the secret key
  gpg-agent[29270]: command 'PKDECRYPT' failed: Checksum error
  gpg-agent[29270]: DBG: chan_7 -> ERR 67108874 Checksum error

What confuses me is the key imports into the GPG home fine, the error
only happens when I try to use it to perform decryption. If the key
format was wrong, I would have thought the error would have happened
when I tried to import it.

Thanks
Simon