[Gpg4win-users-en] GPG Encryption Fails When Called From Oracle Enterprise Manager
Kent Hurtig
kent_hurtig at friends.edu
Tue Aug 4 00:33:03 CEST 2015
Hi Werner,
Thanks for your advice. I can't seem to get the show-usage option to work. Here is what I entered on the command line with responses:
E:\Program Files\GnuPG>gpg --list-options show-usage -k 21CBF00F
gpg: unknown option 'show-usage'
gpg: invalid list options
E:\Program Files\GnuPG>gpg --list-keys --list-options show-usage -k 21CBF00F
gpg: unknown option 'show-usage'
gpg: invalid list options
E:\Program Files\GnuPG>gpg --list-keys --list-options show-uid-validity
Gpg: Note: signatures using the MD5 algorithm are rejected
C:/Users/fr_ecsi/AppData/Roaming/gnupg/pubring.gpg
--------------------------------------------------------------------
pub 2048R/8E811817 2014-10-23
uid [ultimate] Kent Hurtig <1st Certificate> <kent_hurtig at friends.edu>
pub 1024R/21CBF00F 2002-12-05
uid [ultimate] Educational Computer Systems Inc <admin at ecsi.net>
E:\Program Files\GnuPG>gpg --list-keys --list-options show-keyring
Gpg: Note: signatures using the MD5 algorithm are rejected
C:/Users/fr_ecsi/AppData/Roaming/gnupg/pubring.gpg
--------------------------------------------------------------------
pub 2048R/8E811817 2014-10-23
uid [ultimate] Kent Hurtig <1st Certificate> <kent_hurtig at friends.edu>
pub 1024R/21CBF00F 2002-12-05
uid [ultimate] Educational Computer Systems Inc <admin at ecsi.net>
For some reason I cannot get the show-usage option to work. Regarding the reply from Bernhard, who suggested running the gpg2 --list-keys command in batch mode to see if I could view any certifications, here is the output from the batch job run on our Windows 2012 server:
E:\Test\ECSI_Perkins_Loan_Test\Scripts>gpg2 --list-keys --batch -vv
gpg: C:/Windows/system32/config/systemprofile/AppData/Roaming/gnupg/trustdb.gpg: trustdb created
gpg: using PGP trust model
E:\Test\ECSI_Perkins_Loan_Test\Scripts>gpg2 -vv --batch --default-recipient 21CBF00F --encrypt E:\Test\ECSI_Perkins_Loan_Test\TESTbldpromIG.csv
gpg: unknown default recipient "21CBF00F"
gpg: E:\\Test\\ECSI_Perkins_Loan_Test\\TESTbldpromIG.csv: encryption failed: No public key
Here is the output from the batch job run on our Windows 2003 server:
E:\sftproot\perkins_loan>gpg2 --list-keys --batch -vv
gpg: using PGP trust model
gpg: key 8E811817: accepted as trusted key
C:/Documents and Settings/Default User/Application Data/gnupg/pubring.gpg
-------------------------------------------------------------------------
pub 2048R/8E811817 2014-10-23
uid [ultimate] Kent Hurtig (1st Certificate) <kent_hurtig at friends.edu>
pub 1024R/21CBF00F 2002-12-05
uid [ full ] Educational Computer Systems Inc <admin at ecsi.net>
E:\sftproot\perkins_loan>gpg2 -v --debug-all --batch --default-recipient 21CBF00F --encrypt E:\sftproot\perkins_loan\TESTbldpromIG.csv
gpg: reading options from `C:/Documents and Settings/Default User/Application Data/gnupg/gpg.conf'
gpg: reading from `E:\\sftproot\\perkins_loan\\TESTbldpromIG.csv'
gpg: writing to `E:\\sftproot\\perkins_loan\\TESTbldpromIG.csv.gpg'
gpg: Note: key 21CBF00F has no preference for AES
gpg: Note: key 21CBF00F has no MDC feature
gpg: RSA/3DES encrypted for: "21CBF00F Educational Computer Systems Inc <admin at ecsi.net>"
The key on the Windows 2003 server has a valid fingerprint:
C:\Program Files\GNU\GnuPG>gpg --fingerprint
C:/Documents and Settings/aunt_bee/Application Data/gnupg/pubring.gpg
--------------------------------------------------------------------------------------------
pub 2048R/8E811817 2014-10-23
Key fingerprint = 8F17 789F 703E CF06 1F74 A98D 1F2E EF48 8E81 1817
uid [ultimate] Kent Hurtig (1st Certificate) <kent_hurtig at friends.edu>
pub 1024R/21CBF00F 2002-12-05
Key fingerprint = F2 2B 3E 5C 85 3F 0D C7 22 f* 60 D0 70 A9 F1 75
uid [ full ] Educational Computer Systems Inc <admin at ecsi.net>
The key on the Windows 2012 server displays all zeros:
E:\Program Files\GnuPG>gpg --fingerprint
Gpg: Note: signatures using the MD5 algorithm are rejected
C:/Users/fr_ecsi/AppData/Roaming/gnupg/pubring.gpg
--------------------------------------------------------------------
pub 2048R/8E811817 2014-10-23
Key fingerprint = 8F17 789F 703E CF06 1F74 A98D 1F2E EF48 8E81 1817
uid [ultimate] Kent Hurtig <1st Certificate> <kent_hurtig at friends.edu>
pub 1024R/21CBF00F 2002-12-05
Key fingerprint = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
uid [ultimate] Educational Computer Systems Inc <admin at ecsi.net>
How can I get the key to display the correct fingerprint?
Best regards,
Kent
-----Original Message-----
From: Werner Koch [mailto:wk at gnupg.org]
Sent: Friday, July 31, 2015 8:41 AM
To: Kent Hurtig
Cc: 'Andre Heinecke'; gpg4win-users-en at wald.intevation.org; Roger Scales
Subject: Re: [Gpg4win-users-en] GPG Encryption Fails When Called From Oracle Enterprise Manager
On Fri, 24 Jul 2015 16:35, kent_hurtig at friends.edu said:
> gpg: DBG: finish_lookup: checking key 21CBF00F (all)(req_usage=2)
> gpg: DBG: no suitable subkeys found - trying primary
> gpg: DBG: primary key not valid
> gpg: DBG: no suitable key found - giving up
Well, you have no valid encryption key.
> pub 1024R/21CBF00F 2002-12-05
> uid [ full ] Educational Computer Systems Inc <admin at ecsi.net>
Right, there is no subkey (would be indicated by a line with the tag "sub"). Usually the primary key (indicated by the tag "pub") is not capable of encryption.
> gpg: DBG: finish_lookup: checking key 21CBF00F <all><req_usage=2>
> gpg: DBG: no suitable subkeys found - trying primary
> gpg: DBG: primary key may be used
> gpg: DBG: using key 21CBF00F
> DBG: rsq_encrypt => Success
> gpg: RSA/3DES encrypted for: "21CBF00F Educational Computer Systems Inc <admin at csi.net>"
Here you used a different copy of the key. It also has no subkey, but the primary key is capable of encryption. The capabilities of a key are stored in the so-called self-signature and may in theory be changed, which could be an explanation why it works with one copy of a key but not with the other. To see the capabilities it is probably best to run
gpg --list-options show-usage -k 21CBF00F
which will result in an output like this
pub dsa2048/F2AD85AC1E42B367 2007-12-31 [SC] [expires: 2018-12-31]
uid [ultimate] Werner Koch <wk at gnupg.org>
sub dsa1024/4F0540D577F95F95 2011-11-02 [S]
sub rsa2048/1E0FE11D664D7444 2014-01-02 [E] [expires: 2016-12-31]
The S, C, E in brackets indicate the capabilities. You need an [E] capability for encryption.
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are regulated by federal law.
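Added example, not part of the original messages: where the `show-usage` list option is not available, the same capability letters can be read from field 12 of `gpg --with-colons --list-keys`. The sketch below reports, for a recipient key ID, whether the key is missing from the keyring being read (as in the batch run under the system profile above) or present but without a usable encryption (`e`) capability. The sample listing, its key IDs and user IDs are constructed, and the function names are hypothetical.

```python
import subprocess

UNUSABLE = set("idre")  # field 2: invalid, disabled, revoked, expired

def list_keys(homedir=None):
    """Return gpg's colon listing; pass homedir to read another account's keyring."""
    cmd = ["gpg", "--batch", "--with-colons", "--list-keys"]
    if homedir:
        cmd[1:1] = ["--homedir", homedir]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def encryption_keys(colon_listing):
    """Map each primary key ID to the (sub)key IDs that carry a usable 'e' capability."""
    result, primary = {}, None
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue
        if f[0] == "pub":
            primary = f[4]
            result[primary] = []
        # Lowercase letters in field 12 are the capabilities of this very key.
        if primary and "e" in f[11] and not (set(f[1]) & UNUSABLE):
            result[primary].append(f[4])
    return result

def check_recipient(colon_listing, key_id):
    """Return 'missing', 'no-encryption-key' or 'ok' for a short or long key ID."""
    keys = encryption_keys(colon_listing)
    match = [k for k in keys if k.upper().endswith(key_id.upper())]
    if not match:
        return "missing"  # key is not in the keyring this account reads
    return "ok" if keys[match[0]] else "no-encryption-key"

# Constructed sample listing (key IDs and user IDs are made up).
SAMPLE = """\
pub:u:2048:1:AAAAAAAAAAAAAA01:1414022400:::u:::scESC:
uid:u::::1414022400::0000::Constructed User One <one@example.org>:
sub:u:2048:1:AAAAAAAAAAAAAA02:1414022400::::::e:
pub:f:1024:1:BBBBBBBBBBBBBB01:1039046400:::-:::escESC:
uid:f::::1039046400::0000::Constructed Primary-Only Key <two@example.org>:
pub:f:1024:1:CCCCCCCCCCCCCC01:1039046400:::-:::scSC:
uid:f::::1039046400::0000::Constructed Sign-Only Key <three@example.org>:
"""

if __name__ == "__main__":
    for kid in ("AAAAAA01", "BBBBBB01", "CCCCCC01", "DDDDDD01"):
        print(kid, check_recipient(SAMPLE, kid))
```

Running `check_recipient(list_keys(), "21CBF00F")` from the same scheduler or service account that performs the encryption shows which keyring and which copy of the key that account actually sees.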