gnupg: Common Problems
13.3 Commonly Seen Problems
===========================
* Error code 'Not supported' from Dirmngr
Most likely the option 'enable-ocsp' is active for gpgsm but
Dirmngr's OCSP feature has not been enabled using 'allow-ocsp' in
'dirmngr.conf'.
* The Curses based Pinentry does not work
The far most common reason for this is that the environment
variable 'GPG_TTY' has not been set correctly. Make sure that it
has been set to a real tty device and not just to '/dev/tty'; i.e.
'GPG_TTY=tty' is plainly wrong; what you want is 'GPG_TTY=`tty`' --
note the back ticks. Also make sure that this environment variable
gets exported, that is you should follow up the setting with an
'export GPG_TTY' (assuming a Bourne style shell). Even for GUI
based Pinentries; you should have set 'GPG_TTY'. See the section
on installing the 'gpg-agent' on how to do it.
* SSH hangs while a popping up pinentry was expected
SSH has no way to tell the gpg-agent what terminal or X display it
is running on. So when remotely logging into a box where a
gpg-agent with SSH support is running, the pinentry will get popped
up on whatever display the gpg-agent has been started. To solve
this problem you may issue the command
echo UPDATESTARTUPTTY | gpg-connect-agent
and the next pinentry will pop up on your display or screen.
However, you need to kill the running pinentry first because only
one pinentry may be running at once. If you plan to use ssh on a
new display you should issue the above command before invoking ssh
or any other service making use of ssh.
* Exporting a secret key without a certificate
It may happen that you have created a certificate request using
'gpgsm' but not yet received and imported the certificate from the
CA. However, you want to export the secret key to another machine
right now to import the certificate over there then. You can do
this with a little trick but it requires that you know the
approximate time you created the signing request. By running the
command
ls -ltr ~/.gnupg/private-keys-v1.d
you get a listing of all private keys under control of 'gpg-agent'.
Pick the key which best matches the creation time and run the
command
/usr/lib/gnupg/gpg-protect-tool --p12-export \
~/.gnupg/private-keys-v1.d/FOO >FOO.p12
(Please adjust the path to 'gpg-protect-tool' to the appropriate
location). FOO is the name of the key file you picked (it should
have the suffix '.key'). A Pinentry box will pop up and ask you
for the current passphrase of the key and a new passphrase to
protect it in the pkcs#12 file.
To import the created file on the machine you use this command:
/usr/lib/gnupg/gpg-protect-tool --p12-import --store FOO.p12
You will be asked for the pkcs#12 passphrase and a new passphrase
to protect the imported private key at its new location.
Note that there is no easy way to match existing certificates with
stored private keys because some private keys are used for Secure
Shell or other purposes and don't have a corresponding certificate.
* A root certificate does not verify
A common problem is that the root certificate misses the required
basicConstraints attribute and thus 'gpgsm' rejects this
certificate. An error message indicating "no value" is a sign for
such a certificate. You may use the 'relax' flag in
'trustlist.txt' to accept the certificate anyway. Note that the
fingerprint and this flag may only be added manually to
'trustlist.txt'.
* Error message: "digest algorithm N has not been enabled"
The signature is broken. You may try the option
'--extra-digest-algo SHA256' to workaround the problem. The number
N is the internal algorithm identifier; for example 8 refers to
SHA-256.
* The Windows version does not work under Wine
When running the W32 version of 'gpg' under Wine you may get an
error messages like:
gpg: fatal: WriteConsole failed: Access denied
The solution is to use the command 'wineconsole'.
Some operations like '--generate-key' really want to talk to the
console directly for increased security (for example to prevent the
passphrase from appearing on the screen). So, you should use
'wineconsole' instead of 'wine', which will launch a windows
console that implements those additional features.
* Why does GPG's -search-key list weird keys?
For performance reasons the keyservers do not check the keys the
same way 'gpg' does. It may happen that the listing of keys
available on the keyservers shows keys with wrong user IDs or with
user Ids from other keys. If you try to import this key, the bad
keys or bad user ids won't get imported, though. This is a bit
unfortunate but we can't do anything about it without actually
downloading the keys.