Re: Why is --allow-non-selfsigned-uid needed to import this key?
On Mon, 16 May 2011 19:32, steve.stro...@link-comm.com said:

> root:~ gpg --import test-key.gpg
> gpg: key CBF38289 was created 137948617 seconds in the future (time warp or clock problem)

Try the option --ignore-time-conflict .

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are governed by federal law.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why is --allow-non-selfsigned-uid needed to import this key?
On Mon, 16 May 2011 22:12, steve.stro...@link-comm.com said:

> easy to ask the user for the date. What would the security implications be of just setting the clock to a fixed future date before importing the key?

I can see no problems from GnuPG's perspective. I suggest starting with a fixed date way before 2038.

There is also an option --ignore-valid-drom which pertains to the selection of subkeys. Check the man page.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are governed by federal law.
Re: Why is --allow-non-selfsigned-uid needed to import this key?
Werner Koch 8762p9qsg4@vigenere.g10code.de wrote on 5/17/11 5:04:27 PM:

> I can see no problems from GnuPG's perspective. I suggest to start with a fixed date way before 2038.
>
> There is also an option --ignore-valid-drom which pertains to the selection of subkeys. Check the man page.

Did you mean (copy-paste from the man page):

  --ignore-valid-from
      GnuPG normally does not select and use subkeys created in the future. This option allows the use of such keys and thus exhibits the pre-1.0.7 behaviour. You should not use this option unless there is some clock problem. See also --ignore-time-conflict for timestamp issues with signatures.

Charly
Why is --allow-non-selfsigned-uid needed to import this key?
I am using gnupg to encrypt and sign a file transferred from a server to an embedded client. I generated a 2048 bit RSA keypair on the server (using gpg V1.4.6) with gpg --gen-key and got the output:

  gpg: key CBF38289 marked as ultimately trusted
  public and secret key created and signed.

I exported it with gpg --output test-key.gpg --export --armor CBF38289, transferred the file to the client and tried to import it using gpg V1.4.11 (the embedded device doesn't have a real-time clock):

  root:~ gpg --import test-key.gpg
  gpg: key CBF38289 was created 137948617 seconds in the future (time warp or clock problem)
  gpg: key CBF38289 was created 137948617 seconds in the future (time warp or clock problem)
  gpg: key CBF38289: no valid user IDs
  gpg: this may be caused by a missing self-signature
  gpg: Total number processed: 1
  gpg:               w/o user IDs: 1

I can import it using the --allow-non-selfsigned-uid option:

  root:~ gpg --import --allow-non-selfsigned-uid test-key.gpg
  gpg: key CBF38289 was created 137948550 seconds in the future (time warp or clock problem)
  gpg: key CBF38289 was created 137948550 seconds in the future (time warp or clock problem)
  gpg: key CBF38289: accepted non self-signed user ID "Test User (do not use) <test_u...@gmail.com>"
  gpg: key CBF38289 was created 137948550 seconds in the future (time warp or clock problem)
  gpg: key CBF38289: public key "Test User (do not use) <test_u...@gmail.com>" imported
  gpg: Total number processed: 1
  gpg:               imported: 1  (RSA: 1)

I have tried a variety of things but have been unable to get the import to work without using --allow-non-selfsigned-uid. When the key was created, the output indicated it was signed. When I edit it, the output looks like this:

  Secret key is available.

  pub  2048R/CBF38289  created: 2011-05-16  expires: never       usage: SC
                       trust: ultimate      validity: ultimate
  [ultimate] (1). Test User (do not use) <test_u...@gmail.com>

What am I missing? I presume that there are security implications of using --allow-non-selfsigned-uid?

Thanks for any suggestions.

Steve

---
Steve Strobel
Link Communications, Inc.
1035 Cerise Rd
Billings, MT 59101-7378
(406) 245-5002 ext 102
(406) 245-4889 (fax)
WWW: http://www.link-comm.com
MailTo:steve.stro...@link-comm.com
Re: Why is --allow-non-selfsigned-uid needed to import this key?
On Mon, 16 May 2011 11:32:15 -0600, Steve Strobel steve.stro...@link-comm.com wrote:

> root:~ gpg --import test-key.gpg
> gpg: key CBF38289 was created 137948617 seconds in the future (time warp or clock problem)

This is exactly what it sounds like: according to your certificate, it was created about five and a half months from now.[1] To GnuPG, that sounds like something's hinky and it refuses to allow it to be imported.

You've managed to get around it by telling GnuPG, listen, fine, strip off the hinky signature: /now/ will you accept it? And in that case, sure, GnuPG will: but the consequence of it is you've got a UID that's missing a signature. Hence, --allow-non-selfsigned-uid must be passed on the command line.

[1] As an undergraduate Prof. Hill once mused to me, Math is funny. You tell someone how many seconds are in a year, they forget it immediately. You tell them that accurate to half a percent there are pi seconds in a nanocentury and they remember it for life. He was right, I've never forgotten, and that's made it easy to remember there are 31.4 million (3.14 * 10**7) seconds in a year. 13.8 million / 31.4 million = 137/314 = 0.44 of a year, * 12 = five and a half months, more or less. Not really relevant to GnuPG, but a handy factoid for timestamp calculations, if you ever need to do them in a hurry.
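The "created N seconds in the future" refusal discussed in this thread comes from the creation timestamp stored in the key packet itself. The following Python is an added example, not code from the thread or from GnuPG: it parses a constructed OpenPGP v4 public-key packet (RFC 4880 section 5.5.2, dummy MPIs, placeholder armor CRC), reads that timestamp and reports how far ahead of a given clock it is, which is the pre-import check a device without a real-time clock could run to tell a clock problem apart from a genuinely unsigned user ID. CREATED and DEVICE_CLOCK are constructed sample values chosen to reproduce the 137948617-second offset from the thread.

```python
import base64
import struct

# Constructed sample values (not from the thread): creation time and a lagging device clock.
CREATED = 1305504000            # 2011-05-16 00:00:00 UTC
DEVICE_CLOCK = CREATED - 137948617

def build_public_key_packet(created: int) -> bytes:
    """Minimal OpenPGP v4 public-key packet with an old-format header (tag 6).
    The MPIs are dummies: enough for the parser, not a real RSA key."""
    body = bytes([4]) + struct.pack(">I", created) + bytes([1])  # v4, time, RSA
    body += struct.pack(">H", 16) + b"\xff\xff"                  # MPI n, 16 bits
    body += struct.pack(">H", 17) + b"\x01\x00\x01"              # MPI e = 65537
    return bytes([0x99]) + struct.pack(">H", len(body)) + body   # 0x99: tag 6, 2-byte length

def build_armored_key(packet: bytes) -> str:
    """Wrap the packet in ASCII armor; the CRC24 line is a placeholder."""
    b64 = base64.b64encode(packet).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
            + b64 + "\n=XXXX\n-----END PGP PUBLIC KEY BLOCK-----\n")

def dearmor(armored: str) -> bytes:
    """Strip ASCII armor (RFC 4880 section 6.2); the CRC line is skipped, not verified."""
    data, state = [], "outside"                   # outside -> headers -> body
    for line in armored.splitlines():
        if line.startswith("-----BEGIN PGP"):
            state = "headers"
        elif state == "headers" and line.strip() == "":
            state = "body"                        # blank line ends the armor headers
        elif state == "body":
            if line.startswith("=") or line.startswith("-----END"):
                break
            data.append(line.strip())
    return base64.b64decode("".join(data))

def parse_creation_time(packet: bytes) -> int:
    """Return the 32-bit creation timestamp of a v4 public- or secret-key packet."""
    ctb = packet[0]
    if not ctb & 0x80 or ctb & 0x40:
        raise ValueError("only old-format packet headers are handled")
    tag, header_len = (ctb >> 2) & 0x0F, {0: 2, 1: 3, 2: 5}[ctb & 0x03]
    if tag not in (5, 6):
        raise ValueError(f"not a key packet (tag {tag})")
    body = packet[header_len:]
    if body[0] != 4:
        raise ValueError(f"unsupported key version {body[0]}")
    return struct.unpack(">I", body[1:5])[0]

def seconds_in_future(packet: bytes, now: int) -> int:
    # Positive when the key was "created in the future" relative to the clock `now`.
    return parse_creation_time(packet) - now
```

A positive result from seconds_in_future means fixing the device clock (or using --ignore-time-conflict as Werner suggests) is the right response, rather than stripping the self-signature with --allow-non-selfsigned-uid.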