GPGTools Discussion: Unable to import PGP certificate into Keychain (problem 3178; feed last updated 2013-01-20T19:45:36Z)

Original post, 2012-11-21T14:02:22Z:
<div><p><strong>Environment:</strong></p>
<ul>
<li>Software name and version: (e.g. GPGMail 2.0a4 or GPG Keychain
Access 1.0b3)</li>
<li>OS X version: (e.g. 10.7.2)</li>
<li>GPGTools Installer date:</li>
</ul>
<p>The following two commands were issued on the attached
certificate with both public and private keys. Output follows:</p>
<p><code>gpg2 --verbose</code>:</p>
<pre>
Version: BCPG v@RELEASE_NAME@
sec 2048R/B78DA703 2012-11-21 Carmina Brusk &lt;poems@foralifetime.net&gt;
sig B78DA703 2012-11-21 [selfsig]
ssb 2048R/134151E6 2012-11-21
sig B78DA703 2012-11-21 [keybind]
</pre>
<p><code>gpg2 --verbose --import Carmina_Brusk.asc</code>:</p>
<pre>
gpg: key B78DA703: secret key imported
gpg: pub 2048R/B78DA703 2012-11-21 Carmina Brusk &lt;poems@foralifetime.net&gt;
gpg: key B78DA703: invalid self-signature on user ID "Carmina Brusk &lt;poems@foralifetime.net&gt;"
gpg: key B78DA703: invalid subkey binding
gpg: key B78DA703: skipped user ID "Carmina Brusk &lt;poems@foralifetime.net&gt;"
gpg: key B78DA703: skipped subkey
gpg: key B78DA703: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: Total number processed: 1
gpg: w/o user IDs: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
</pre>
<p>Seems that the signatures are not being validated.</p>
<p>However, I am able to upload the public portion of this
certificate to a keyserver (you will find it at <a href=
"http://pool.sks-keyservers.net/">http://pool.sks-keyservers.net/</a>)
and I can successfully import it into APG (Android Privacy Guard)
on my Samsung Galaxy S I.</p>
<p>I am writing the software that has produced this certificate. I
don't expect you to debug my program. I would just like to know on
what grounds GPG Keychain is not accepting the certificate.</p>
<p>Also, just a minor observation: I've noticed that if the
signature revoking a subkey comes <em>after</em> the subkey binding
signature, GPG Keychain fails to recognize the subkey as
revoked.</p>
<p>I prematurely created an issue in Lighthouse for this problem of
mine. Sorry for jumping the gun! The link is here: <a href=
"http://gpgtools.lighthouseapp.com/projects/65684/tickets/146-unable-to-import-certificate">
http://gpgtools.lighthouseapp.com/projects/65684/tickets/146-unable...</a></p>
<p>many thanks,<br>
Adam</p>
<ul>
<li>Have you already tried running the latest nightly of the
<a href="http://nightly.gpgtools.org/">GPGTool Installer</a>?
No</li>
</ul></div>
Adam Wasserman

Reply, 2012-11-21T14:25:15Z:
<div><p>Hi Adam,</p>
<p>after a little research I found a solution for your problem and
possibly the reason for it as well.</p>
<p>To force gnupg to import your key simply use the option
<code>--allow-non-selfsigned-uid</code></p>
<p>According to gnupg's man this is not recommended since non
self-signed user ids are easy to forge.</p>
<p>More on that here: <a href=
"http://www.gnupg.org/gph/en/pgp2x/x58.html">http://www.gnupg.org/gph/en/pgp2x/x58.html</a></p></div>
Luke Le

Reply, 2012-11-21T15:35:32Z:
<div><p>Hi Luke,</p>
<p>Thanks for your reply.</p>
<p>But there are signatures in the certificate. And they pass
whatever checks APG has, as well as the key server I uploaded it
to. Not to mention my own checks, but they don't count since they
come from the same software that generated the certificate.</p>
<p>Adam</p></div>
Adam Wasserman

Reply, 2012-11-21T15:38:51Z:
<div><p>Hi Adam,</p>
<p>not entirely sure about the internal details of gnupg. Does the
option I told you about work?</p></div>
Luke Le

Reply, 2012-11-21T16:03:49Z:
<div><p>Hi Luke,</p>
<p>It very well might, but it's not a good option for me. I wish to
only produce and handle well-formed, safe certificates. As you
said, without the self-signing, the whole trust model is out the
window.</p></div>
Adam Wasserman

Reply, 2012-11-21T16:15:00Z:
<div><p>In that case I think you might have to look into the
implementation details of gnupg. I assume APG is using their own
implementation of OpenPGP and might not check for this detail. The
same goes for key servers which probably leave the choice to the
uploading user. (They don't even implement any means of
automatically scraping public keys as far as I know, go
figure...)</p></div>
Luke Le

Reply, 2012-11-21T16:16:17Z:
<div><p>Any particular reason you don't want to use gnupg? Rolling your
own OpenPGP solution for embedded? (iOS?)</p></div>
Luke Le

Reply, 2012-11-21T17:37:40Z:
<div><p>I'm creating an app for Android called KeyRing that implements
the PGP trust model. I'm using Bouncycastle and whatever knowledge
I can glean from RFC 4880. I use APG and GPG Keychain to confirm my
app's behavior.</p>
<p>I realize that implementations of an RFC can differ. But not
validating a signature is really odd.</p>
<p>Another datum I discovered today: if I produce the certificate
using the same software on my old Galaxy S I, GPG Keychain rejects
it. But if I produce it on an IBM Thinkpad using a more modern
operating system, it will.</p>
<p>Naturally, this leads me to wonder: what's the difference?</p>
<p>I can't imagine APG doesn't validate signatures. But I should
check. Their source code is available. On Mac, you guys are the
best there is!</p></div>
Adam Wasserman

Reply, 2012-11-21T19:27:14Z:
<div><p>Ha... now that's seriously baffling. So based on which system
you create the key with the same software it's either thrown out or
imported correctly?</p>
<p>Difference between 32-bit and 64bit?</p>
<p>Thanks for the kind words. We're just getting started :)</p></div>
Luke Le

Reply, 2012-11-21T19:38:58Z:
<div><p>Also, since Android doesn't have the App Store's strict guidelines,
why roll your own solution as well and not simply compile gnupg 1.x
for Android? Did it once for iOS, was pretty straightforward. Is
that a performance/battery hog?</p></div>
Luke Le
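<p>The thread never pins down why GnuPG rejected the certificate, but the import messages quoted in the original post ("invalid self-signature on user ID", "invalid subkey binding", "no valid user IDs ... may be caused by a missing self-signature") all come from one gate: before it will use a user ID or subkey, gpg needs a signature of the right type whose issuer is the primary key itself, and it then has to verify that signature. The <code>--allow-non-selfsigned-uid</code> option Luke mentions only lifts the first half of that gate. What follows is an added example, not code from this thread, from GPGTools or from KeyRing/APG: a small RFC 4880 packet walker that performs the structural half of the check. For every user ID and subkey it finds the candidate self-signature (a certification of type 0x10 to 0x13, or a subkey binding 0x18, whose issuer subpacket equals the primary key ID, which it computes from the key packet), reports whether that signature keeps its creation-time subpacket in the hashed area (RFC 4880 section 5.2.3.4 requires that for v4 signatures), and records the order in which binding (0x18) and revocation (0x28) signatures follow a subkey, which is the ordering question raised about GPG Keychain. It verifies nothing cryptographically, so it can only tell you whether there is something for gpg to verify, not why verification failed. The sample keys at the bottom are constructed: the RSA parameters are fake, the signature MPIs are placeholders, and the user ID "Example User &lt;user@example.org&gt;" is an assumption, not anything from the thread.</p>

```python
# Structural audit of an OpenPGP (RFC 4880) transferable key: for every user ID and subkey, is
# there a self-signature GnuPG would even try to verify, and is its creation time hashed?
import hashlib, struct

CERT_TYPES, BIND, REVOKE = {0x10, 0x11, 0x12, 0x13}, 0x18, 0x28   # UID certs, subkey bind/revoke
TAG_SIG, TAG_UID, TAG_PRIMARY, TAG_SUBKEY = 2, 13, {5, 6}, {7, 14}  # secret/public (sub)keys

def new_len(buf, pos, subpacket=False):
    """New-format length (RFC 4880 4.2.2; subpacket form 5.2.3.1) -> (length, octets used)."""
    first = buf[pos]
    if first < 192:
        return first, 1
    if first < 224 or (subpacket and first < 255):
        return ((first - 192) << 8) + buf[pos + 1] + 192, 2
    if first == 255:
        return struct.unpack(">I", buf[pos + 1:pos + 5])[0], 5
    raise ValueError("partial body lengths not supported")

def parse_packets(data):
    """Yield (tag, body) for new- and old-format packet headers (RFC 4880 4.2)."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if ctb & 0x40:                                   # new format: 6-bit tag
            tag, (length, used) = ctb & 0x3F, new_len(data, pos + 1)
        else:                                            # old format: 4-bit tag, 1/2/4-octet length
            used = (1, 2, 4)[ctb & 3]                    # length type 3 (indeterminate) unsupported
            tag, length = (ctb >> 2) & 0x0F, int.from_bytes(data[pos + 1:pos + 1 + used], "big")
        yield tag, data[pos + 1 + used:pos + 1 + used + length]
        pos += 1 + used + length

def key_id(body):
    """Low 64 bits of SHA-1(0x99 || len || public-key body); v4 RSA (algo 1) only."""
    if body[0] != 4 or body[5] != 1:
        raise ValueError("only v4 RSA keys handled in this example")
    pos = 6
    for _ in range(2):                                   # skip the public MPIs n and e
        pos += 2 + (struct.unpack(">H", body[pos:pos + 2])[0] + 7) // 8
    pub = body[:pos]                                     # a secret-key packet shares this prefix
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(pub)) + pub).digest()[-8:]

def parse_sig(body):
    """v4 signature: version, type, pk algo, hash algo, hashed area, unhashed area, ..."""
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    hlen = struct.unpack(">H", body[4:6])[0]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    sig = {"type": body[1], "issuer": None, "ctime_hashed": False}
    for hashed, area in ((True, body[6:6 + hlen]), (False, body[8 + hlen:8 + hlen + ulen])):
        pos = 0
        while pos < len(area):                           # subpacket = length, type (bit 7 critical), data
            length, used = new_len(area, pos, subpacket=True)
            stype, sdata = area[pos + used] & 0x7F, area[pos + used + 1:pos + used + length]
            if stype == 2 and hashed:                    # creation time: MUST be hashed (5.2.3.4)
                sig["ctime_hashed"] = True
            elif stype == 16 and sig["issuer"] is None:  # issuer key ID
                sig["issuer"] = sdata
            pos += used + length
    return sig

def audit_key(data):
    """Per user ID / subkey: the self-signature candidate GnuPG would verify, if any."""
    packets = list(parse_packets(data))
    primary = key_id(packets[0][1])                      # a transferable key starts with the primary key
    rep, cur = {"keyid": primary.hex().upper(), "uids": [], "subkeys": []}, None
    for tag, body in packets[1:]:
        if tag == TAG_UID:
            cur = {"uid": body.decode("utf-8", "replace"), "selfsig": None}
            rep["uids"].append(cur)
        elif tag in TAG_SUBKEY:
            cur = {"binding": None, "sig_order": []}     # sig_order: 0x18/0x28 in the order found
            rep["subkeys"].append(cur)
        elif tag == TAG_SIG and cur is not None:
            sig = parse_sig(body)
            if sig["issuer"] != primary:                 # not from the primary key: not a self-sig
                continue
            if "uid" in cur and sig["type"] in CERT_TYPES:
                cur["selfsig"] = sig
            elif "binding" in cur and sig["type"] in (BIND, REVOKE):
                cur["sig_order"].append(sig["type"])
                cur["binding"] = sig if sig["type"] == BIND else cur["binding"]
    return rep

# Constructed sample keys: fake RSA parameters and placeholder signature MPIs (never verifiable).
def packet(tag, body): return bytes([0xC0 | tag, len(body)]) + body       # new-format, body < 192
def mpi(v): return struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")
def pubkey(n): return b"\x04" + struct.pack(">I", 1353506400) + b"\x01" + mpi(n) + mpi(65537)
def make_sig(stype, issuer, ctime_hashed=True):
    ctime, iss = b"\x05\x02" + struct.pack(">I", 1353506400), b"\x09\x10" + issuer  # subpackets 2, 16
    hashed, unhashed = (ctime, iss) if ctime_hashed else (b"", ctime + iss)
    return (b"\x04" + bytes([stype]) + b"\x01\x08" + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00" + mpi(0x1234))
PRIMARY, SUB = pubkey((1 << 1023) | 0xC0FFEE), pubkey((1 << 1023) | 0x5AFE)
KEYID, OTHER = key_id(PRIMARY), key_id(pubkey((1 << 1023) | 0xBEEF))
UID = b"Example User <user@example.org>"
GOOD_KEY = (packet(6, PRIMARY) + packet(13, UID) + packet(2, make_sig(0x13, KEYID)) + packet(14, SUB)
            + packet(2, make_sig(BIND, KEYID)) + packet(2, make_sig(REVOKE, KEYID)))
# User ID certified only by an unrelated key; binding signature keeps its creation time unhashed.
BAD_KEY = (packet(6, PRIMARY) + packet(13, UID) + packet(2, make_sig(0x13, OTHER)) + packet(14, SUB)
           + packet(2, make_sig(BIND, KEYID, ctime_hashed=False)))
```

<p>The parser takes binary input, so dearmor a real <code>.asc</code> first (<code>gpg --dearmor &lt; key.asc &gt; key.gpg</code>) and call <code>audit_key(open("key.gpg", "rb").read())</code>. On the constructed keys, <code>GOOD_KEY</code> yields a user-ID self-signature and a subkey binding with hashed creation times and <code>sig_order == [0x18, 0x28]</code>, while <code>BAD_KEY</code> reports <code>selfsig</code> as <code>None</code> for the user ID (its only certification was issued by an unrelated key, which is exactly the situation <code>--allow-non-selfsigned-uid</code> papers over) and a binding signature with <code>ctime_hashed</code> False. A key that passes this audit can still fail gpg's import with "invalid self-signature" if the signature does not verify over the correct hash input; that is the half this walker deliberately leaves alone.</p>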