Unable to import PGP certificate into Keychain

Adam Wasserman's Avatar

Adam Wasserman

21 Nov, 2012 02:02 PM


  • Software name and version: (e.g. GPGMail 2.0a4 or GPG Keychain Access 1.0b3)
  • OS X version: (e.g. 10.7.2)
  • GPGTools Installer date:

The following two commands were issued on the attached certificate with both public and private keys. Output follows:

gpg2 --verbose :

sec 2048R/B78DA703 2012-11-21 Carmina Brusk [email blocked]
sig B78DA703 2012-11-21 [selfsig]
ssb 2048R/134151E6 2012-11-21
sig B78DA703 2012-11-21 [keybind]

gpg2 --verbose --import Carmina_Brusk.asc:

gpg: key B78DA703: secret key imported
gpg: pub 2048R/B78DA703 2012-11-21 Carmina Brusk [email blocked]
gpg: key B78DA703: invalid self-signature on user ID "Carmina Brusk [email blocked]"
gpg: key B78DA703: invalid subkey binding
gpg: key B78DA703: skipped user ID "Carmina Brusk [email blocked]"
gpg: key B78DA703: skipped subkey
gpg: key B78DA703: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: Total number processed: 1
gpg: w/o user IDs: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1

Seems that the signatures are not being validated.

However, I am able to upload the public portion of this certificate to a keyserver (you will find it at http://pool.sks-keyservers.net/) and I can successfully import it into APG (Android Privacy Guard) on my Samsung Galaxy S I.

I am writing the software that has produced this certificate. I don't expect you to debug my program. I would just like to know on what grounds GPG Keychain is not accepting the certificate.

Also, just a minor observation: I've noticed that if the signature revoking a subkey comes after the subkey binding signature, GPG Keychain fails to recognize the subkey as revoked.

I prematurely created an issue in Lighthouse for this problem of mine. Sorry for jumping the gun! The link is here: http://gpgtools.lighthouseapp.com/projects/65684/tickets/146-unable...

many thanks,

  1. Support Staff 1 Posted by Luke Le on 21 Nov, 2012 02:25 PM

    Luke Le's Avatar

    Hi Adam,

    after a little research I found a solution for your problem and possibly the reason for it as well.

    To force gnupg to import your key simply use the option --allow-non-selfsigned-uid

    According to gnupg's man this is not recommended since non self-signed user ids are easy to forge.

    More on that here: http://www.gnupg.org/gph/en/pgp2x/x58.html

  2. 2 Posted by Adam Wasserman on 21 Nov, 2012 03:35 PM

    Adam Wasserman's Avatar

    Hi Luke,

    Thanks for your reply.

    But there are signatures in the certificate. And they pass whatever checks APG has, as well as the key server I uploaded it to. Not to mention my own checks, but they don't count since they come from the same software that generated the certificate.


  3. Support Staff 3 Posted by Luke Le on 21 Nov, 2012 03:38 PM

    Luke Le's Avatar

    Hi Adam,

    not entirely sure about the internal details of gnupg. Does the option I told you about work?

  4. 4 Posted by Adam Wasserman on 21 Nov, 2012 04:03 PM

    Adam Wasserman's Avatar

    Hi Luke,

    It very well might, but it's not a good option for me. I wish to only produce and handle well-formed, safe certificates. As you said, without the self-signing, the whole trust model is out the window.

  5. Support Staff 5 Posted by Luke Le on 21 Nov, 2012 04:15 PM

    Luke Le's Avatar

    In that case I think you might have to look into the implementation details of gnupg. I assume APG is using their own implementation of OpenPGP and might not check for this detail. The same goes for key servers which probably leave the choice to the uploading user. (They don't even implement any means of automatically scraping public keys as far as I know, go figure...)

  6. Support Staff 6 Posted by Luke Le on 21 Nov, 2012 04:16 PM

    Luke Le's Avatar

    Any particular reason you don't wanna use gnupg? Rolling your own OpenPGP solution for embedded? (iOS?)

  7. 7 Posted by Adam Wasserman on 21 Nov, 2012 05:37 PM

    Adam Wasserman's Avatar

    I'm creating an app for Android called KeyRing that implements the PGP trust model. I'm using Bouncycastle and whatever knowledge I can glean from RFC 4880. I use APG and GPG Keychain to confirm my app's behavior.

    I realize that implementations of an RFC can differ. But not validating a signature is really odd.

    Another datum I discovered today: if I produce the certificate using the same software on my old Galaxy S I, GPG Keychain rejects it. But if I produce it on an IBM Thinkpad using a more modern operating system, it will.

    Naturally, this leads me to wonder: what's the difference?

    I can't imagine APG doesn't validate signatures. But I should check. Their source code is available. On Mac, you guys are the best there is!

  8. Support Staff 8 Posted by Luke Le on 21 Nov, 2012 07:27 PM

    Luke Le's Avatar

    Ha... now that's seriously buffling. So based on which system you create the key with the same software it's either thrown out or imported correctly?

    Difference between 32-bit and 64bit?

    Thanks for the kind words. We're just getting started :)

  9. Support Staff 9 Posted by Luke Le on 21 Nov, 2012 07:38 PM

    Luke Le's Avatar

    Also, since Android doesn't have App Stores strict guidelines, why roll your own solution as well and not simply compile gnupg 1.x for Android? Did it once for iOS, was pretty straight forward. Is that a performance/battery hog?

  10. Steve closed this discussion on 20 Jan, 2013 07:45 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts


? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac