DBG: armor-keys-failed

Michael

29 Mar, 2015 06:45 AM

I started receiving this error after installing a new version of GPGTools:

gpg: DBG: armor-keys-failed

After that error I also receive three of the following:

gpg: Note: signatures using the MD5 algorithm are rejected

  1. 1 Posted by Michael on 29 Mar, 2015 06:46 AM

    I forgot to mention I receive the errors when trying to refresh my keys.

    Thanks.

  2. Support Staff 2 Posted by Steve on 29 Mar, 2015 12:30 PM

    Hi Michael,

    thanks for the report. MacGPG2 2.0.27 brought some changes to the way weak keys are handled. MD5 is broken and keys using MD5 are considered weak and should no longer be used.

    While the above is somewhat a nifty feature, the way this is currently presented to the user and some other behavior is far from ideal. We are still investigating why this is happening and how to improve the situation.

    We have a ticket for this problem. I connected this discussion with the existing ticket. That means, should this discussion get closed, it will be re-opened as soon as the ticket is closed. That way you'll receive a notification. Feel free to open a new discussion should you run into further problems or need assistance.

    All the best,
    steve

  3. Support Staff 3 Posted by Steve on 31 Mar, 2015 12:16 PM

    Hi Michael,

    this issue has been fixed in Libmacgpg. If you want to test the fix, please download our latest nightly GPG Suite. That page also has sig and SHA1 to verify the download.

    If you have allow-weak-digest-algos in your gpg.conf, please remove it.

    Best, steve

    Disclaimer: This is a development version which has not been thoroughly tested yet, so bugs or crashes are to be expected. Thanks for helping us test this fix.

  4. 4 Posted by kinnla on 09 Apr, 2015 04:19 PM

    I had a similar problem with an MD5 self-signed key:
    - I couldn't import a new UID for a key already in my keychain
    - then I forced the import with the option allow-non-selfsigned-uid
    - the fingerprint of the key was displayed as 0000 0000 ... 0000

    Now I installed the nightly build, and the fingerprint is displayed correctly. But I cannot use the key to encrypt emails (the lock button in the Apple-Mail window is disabled).

    Is there any way to enable MD5 self-signed keys for encryption?

    Best

  5. Support Staff 5 Posted by Steve on 10 Apr, 2015 06:54 PM

    Kinnla, MD5 keys are considered weak and should not be used anymore. The best idea is to create a stronger key.

    Comment 3 mentions how to modify the gpg.conf and allow weak digest algos. But this lowers overall security and is totally not recommended to be used.

  6. 6 Posted by kinnla on 10 Apr, 2015 10:10 PM

    Thx, Steve! This option works for me.
    My friend will update her key when there is a chance (she is not an expert). But for now it's good we found a workaround, so we can continue our secure communication.

  7. Support Staff 7 Posted by Steve on 12 Apr, 2015 11:46 AM

    ok, thanks for the feedback. Well the communication isn't really secure if weak keys are used.

    Maybe you can assist your friend with the key transition. Here's our KB-article covering that: https://gpgtools.tenderapp.com/kb/gpg-keychain-faq/add-self-signatu...

  8. 8 Posted by Michael on 15 Apr, 2015 02:09 AM

    I've updated to the latest nightly build (1317n) but I still receive the error:

    gpg: Note: signatures using the MD5 algorithm are rejected

    The error occurs when refreshing my keychain and is not associated with my key pair, but others'.

    Is there a way to quickly identify keys using the MD5 algorithm?

    Thanks for the help!

  9. 9 Posted by Cody on 15 Apr, 2015 09:51 PM

    I get this error on Windows

    C:\Users\ccook\AppData\Roaming\gnupg>gpg --version
    gpg (GnuPG) 2.0.27 (Gpg4win 2.2.4)
    libgcrypt 1.6.3
    [...] Home: C:/Users/ccook/AppData/Roaming/gnupg
    Supported algorithms:
    Pubkey: RSA, RSA, RSA, ELG, DSA
    Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
    CAMELLIA128, CAMELLIA192, CAMELLIA256
    Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
    Compression: Uncompressed, ZIP, ZLIB, BZIP2

    I'm not using md5.

    gpg/card> fetch
    gpg: requesting key 1010D2A0 from https server codycook.us
    gpg: DBG: armor-keys-failed (KEY 0xF540DB52FCF5143FF3CB270DEB6932081010XXXX BEGIN
    ) ->0
    gpg: DBG: armor-keys-failed (KEY 0xF540DB52FCF5143FF3CB270DEB6932081010XXXX FAILED 1
    ) ->1
    gpg: no valid OpenPGP data found.
    gpg: Total number processed: 0
    gpg: keyserver communications error: keyserver helper internal error
    gpg: keyserver communications error: General error

  10. 10 Posted by Cody on 15 Apr, 2015 09:53 PM

    I think I know my problem though, so never mind. I think I saw it right as I hit comment.

  11. 11 Posted by Mento on 13 May, 2015 11:11 AM

    To identify keys using md5 you can run the following command:

    gpg2 --fingerprint
    

    Every key with a fingerprint consisting only of zeros is a weak key.
    This only works if you haven't set allow-weak-digest-algos in your gpg.conf.
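
The check from comment 11, automated so a large keyring does not have to be read by eye. This is an added example, not part of the original thread or GPGTools code; it assumes the machine-readable listing (`--with-colons`) reports the same all-zero fingerprint in its `fpr` record that comment 11 describes, and the function names and sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads a `gpg2 --fingerprint --with-colons` listing on stdin
# and prints "KEYID<TAB>USER ID" for each public key whose fingerprint field
# consists only of zeros. As comment 11 notes, this only works while
# allow-weak-digest-algos is absent from gpg.conf.
# Real use:  gpg2 --fingerprint --with-colons | find_zero_fpr_keys
find_zero_fpr_keys() {
    awk -F: '
        # Print the pending key, if it was flagged, once its records are read.
        function emit() { if (flagged) print keyid "\t" uid; flagged = 0 }

        # New primary key: report the previous one, then remember key ID
        # (field 5) and user ID (field 10, filled in by GnuPG 2.0 listings).
        $1 == "pub" { emit(); keyid = $5; uid = $10; in_pub = 1; next }

        # Fingerprint records after a sub record belong to a subkey: skip them.
        $1 == "sub" { in_pub = 0; next }

        # Field 10 of an fpr record is the fingerprint itself.
        $1 == "fpr" && in_pub && $10 ~ /^0+$/ { flagged = 1; next }

        # Listings that leave field 10 of pub empty carry the name in uid records.
        $1 == "uid" && uid == "" { uid = $10 }

        END { emit() }
    '
}

# Constructed sample listing (not real keys): one flagged key in the 2.0
# layout, one healthy key with a subkey, one flagged key with a uid record.
sample_listing() {
    cat <<'EOF'
pub:-:1024:1:1111111111110001:1998-01-01:::-:Old Key (constructed) <old@example.invalid>::scESC:
fpr:::::::::0000000000000000000000000000000000000000:
pub:-:4096:1:2222222222220002:2014-06-01:::-:Healthy Key (constructed) <ok@example.invalid>::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
sub:-:4096:1:2222222222229999:2014-06-01::::::e:
pub:-:1024:1:3333333333330003:1420070400:::-:::scESC:
fpr:::::::::0000000000000000000000000000000000000000:
uid:-::::1420070400::CONSTRUCTEDHASH::Newer Listing (constructed) <new@example.invalid>:
EOF
}
```

Running `sample_listing | find_zero_fpr_keys` lists the first and third constructed keys and skips the healthy one.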

  12. Support Staff 12 Posted by Steve on 25 May, 2015 03:25 PM

    Are issues persisting for anybody using the latest nightly build?

    Michael, were you able to identify the problematic key?

    All the best, steve

    Disclaimer: This is a development version which has not been thoroughly tested yet - bugs or crashes are to be expected. Thanks for helping us test.

  13. 13 Posted by hcb on 18 Jul, 2015 03:17 PM

    I had the same problem when receiving keys using the 2015.06 release, but the 1382n nightly seems to have fixed the problem.

  14. Support Staff 14 Posted by Steve on 20 Jul, 2015 10:36 PM

    Hi hcb,

    there were several issues with key import and the nightly GPG Suite has become a lot more tolerant when it comes to oddly formatted public keys.

    Thanks for your feedback and glad things did work out fine using the nightly build.

    I'm closing this discussion. If you need further assistance or have questions you can re-open this discussion here or open a new one any time.

    Best, steve

  15. Steve closed this discussion on 20 Jul, 2015 10:36 PM.
