keys retrieved from keyserver (keys.openpgp.org) are unusable
Hi, all

I posted this question on stackoverflow.com a few days ago, and I am still waiting for someone to comment.

https://stackoverflow.com/questions/68490051/key-retrieved-from-keyserver-keys-openpgp-org-cant-be-used-gpgme

Long story short, when the public key is downloaded to my PC as a plain text .asc file, and later imported using the
function gpgme_op_keylist_from_data_start() and gpgme_op_keylist_new(), the key->can_encrypt, key->sign_certify,
and can_sign are all 0x01.

Alternatively, if I do gpgme_op_keylist_start() using an email address with GPGME_KEYLIST_MODE_EXTERN, the key->can_encrypt,
key->can_certify and key->can_sign are all 0x00. I've tried several email addresses found on keys.openpgp.org, and the
result is the same.

Either way, I can't use this key to even encrypt data. For the key downloaded as a .asc file, if I manually
"certify" the key first using Kleopatra prior to gpgme_op_keylist_from_data_start(), it then can be used to encrypt the
data. But my purpose is to use the public key downloaded remotely with GPGME_KEYLIST_MODE_EXTERN only, and without
Kleopatra of course.

The trust-model has been set to "ALWAYS", or "always" using gpgme_set_ctx_flag(). The crypto protocol used is OpenPGP.

I can't find good hints in the sample code in https://github.com/gpg/gpgme.git either.

Any comment/suggestion is welcome.

Eric

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: keys retrieved from keyserver (keys.openpgp.org) are unusable
On Tuesday, 27 July 2021 01:32:53 CEST root wrote:
> Long story short, when the public key is downloaded to my PC as a plain text
> .asc file, and later imported using the function
> gpgme_op_keylist_from_data_start() and gpgme_op_keylist_new(), the
> key->can_encrypt, key->sign_certify, and can_sign are all 0x01.

gpgme_op_keylist_from_data_start() does _not_ import any keys. All it does is
retrieve the meta data of the keys passed to it as data. Those keys cannot be
used for any crypto operations like signing, encrypting, etc. because the
public key data has _not_ been imported. The keys have just been listed. This
is very similar to listing the keys on a keyserver without actually retrieving
the public keys from the keyserver.

> Alternatively, if I do gpgme_op_keylist_start() using an email address with
> GPGME_KEYLIST_MODE_EXTERN, the key->can_encrypt, key->can_certify and
> key->can_sign are all 0x00. I've tried several email addresses found on
> keys.openpgp.org, and the result is the same.

Using gpgme_op_keylist_start() with GPGME_KEYLIST_MODE_EXTERN does a remote
lookup on the keyserver. It does _not_ import the found keys. That's why
can_encrypt, etc. are all 0x00. You need to download and import the keys if
you want to use them.

Alternatively, you may want to use the auto-key-locate option of gpg which
automatically locates and retrieves keys when encrypting to an email address.

Don't reinvent the wheel using gpgme if you can simply use what gpg provides
out of the box. Of course, you can still use gpgme for doing the encryption,
but don't try to retrieve the keys yourself if gpg can do it for you.

Regards,
Ingo
Re: keys retrieved from keyserver (keys.openpgp.org) are unusable
On Tue, Jul 27, 2021 at 02:34:28PM +0200, Ingo Klöcker wrote:
> On Tuesday, 27 July 2021 01:32:53 CEST root wrote:
> > Long story short, when the public key is downloaded to my PC as a plain text
> > .asc file, and later imported using the function
> > gpgme_op_keylist_from_data_start() and gpgme_op_keylist_new(), the
> > key->can_encrypt, key->sign_certify, and can_sign are all 0x01.
>
> gpgme_op_keylist_from_data_start() does _not_ import any keys. All it does is
> retrieve the meta data of the keys passed to it as data. Those keys cannot be
> used for any crypto operations like signing, encrypting, etc. because the
> public key data has _not_ been imported. The keys have just been listed. This
> is very similar to listing the keys on a keyserver without actually retrieving
> the public keys from the keyserver.
>
> > Alternatively, if I do gpgme_op_keylist_start() using an email address with
> > GPGME_KEYLIST_MODE_EXTERN, the key->can_encrypt, key->can_certify and
> > key->can_sign are all 0x00. I've tried several email addresses found on
> > keys.openpgp.org, and the result is the same.
>
> Using gpgme_op_keylist_start() with GPGME_KEYLIST_MODE_EXTERN does a remote
> lookup on the keyserver. It does _not_ import the found keys. That's why
> can_encrypt, etc. are all 0x00. You need to download and import the keys if
> you want to use them.
>
This makes sense now. I will look into the sample code and manual to see how
I can download and import the keys after listing them. Any suggestion on where to
look for them? Hopefully, it'll be straightforward.
> Alternatively, you may want to use the auto-key-locate option of gpg which
> automatically locates and retrieves keys when encrypting to an email address.
The code that I am developing is actually a DLL used by another C#/C++ program written
in the .Net framework. Thus, the binary developed has to be portable. I will look
into the auto-key-locate option for sure.
>
> Don't reinvent the wheel using gpgme if you can simply use what gpg provides
> out of the box. Of course, you can still use gpgme for doing the encryption,
> but don't try to retrieve the keys yourself if gpg can do it for you.
I am new to GnuPG and this is a great tool in programming. I am not sure how to
use gpg commands directly in C/C++ code though. I thought gpgme provides the
interface to use gpg?

Thanks again,
Eric
>
> Regards,
> Ingo
Re: keys retrieved from keyserver (keys.openpgp.org) are unusable
On Tue, 27 Jul 2021 11:12, root said:

> I am new to GnuPG and this is a great tool in programming. I am not sure how to
> use gpg commands directly in C/C++ code though. I thought gpgme provides the
> interface to use gpg?

Yes, please use GPGME or the GPGME C++ bindings.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.