
File: gnupg.info,  Node: Common Problems,  Next: Architecture Details,  Prev: Debugging Hints,  Up: Debugging

14.3 Commonly Seen Problems
===========================

   * Error code 'Not supported' from Dirmngr

     Most likely the option 'enable-ocsp' is active for gpgsm but
     Dirmngr's OCSP feature has not been enabled using 'allow-ocsp' in
     'dirmngr.conf'.
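     A small consistency check for this mismatch, as an added example
     (not part of the GnuPG manual).  It treats a line as active only
     when it is not commented out, and the default file locations are an
     assumption; pass your own paths as arguments.

```shell
#!/bin/sh
# Added example (not from the GnuPG manual): verify that gpgsm's
# 'enable-ocsp' is matched by 'allow-ocsp' in dirmngr.conf.  Default
# paths are assumptions for a stock per-user installation.

# Return 0 if option NAME appears on an active (uncommented) line of
# FILE, 1 otherwise.  A missing or unreadable file counts as "not set".
conf_has_option() {
    file=$1 name=$2
    [ -r "$file" ] || return 1
    # Drop comments and leading blanks, then match the bare option or
    # the option followed by whitespace (both spellings are valid).
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' "$file" |
        grep -Eq "^${name}([[:space:]]|$)"
}

# Return 0 when the pair is consistent, 2 when gpgsm has enable-ocsp
# but Dirmngr has not been allowed to do OCSP (the "Not supported" case).
check_ocsp_config() {
    gpgsm_conf=${1:-"$HOME/.gnupg/gpgsm.conf"}
    dirmngr_conf=${2:-"$HOME/.gnupg/dirmngr.conf"}
    if conf_has_option "$gpgsm_conf" enable-ocsp &&
       ! conf_has_option "$dirmngr_conf" allow-ocsp; then
        echo "enable-ocsp is set in $gpgsm_conf but allow-ocsp is missing from $dirmngr_conf" >&2
        return 2
    fi
    return 0
}
```

     Run 'check_ocsp_config' with no arguments to check the current
     user's files; a non-zero exit code plus the message on stderr
     points at the file that needs the 'allow-ocsp' line.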

   * The Curses based Pinentry does not work

     By far the most common reason for this is that the environment
     variable 'GPG_TTY' has not been set correctly.  Make sure that it
     has been set to a real tty device and not just to '/dev/tty'; i.e.
     'GPG_TTY=tty' is plainly wrong; what you want is 'GPG_TTY=`tty`' --
     note the back ticks.  Also make sure that this environment variable
     gets exported, that is, you should follow up the setting with an
     'export GPG_TTY' (assuming a Bourne style shell).  Even for GUI
     based Pinentries you should have set 'GPG_TTY'.  See the section
     on installing the 'gpg-agent' on how to do it.

   * SSH hangs while a pinentry popup was expected

     SSH has no way to tell the gpg-agent what terminal or X display it
     is running on.  So when remotely logging into a box where a
     gpg-agent with SSH support is running, the pinentry will get popped
     up on whatever display the gpg-agent has been started.  To solve
     this problem you may issue the command

          echo UPDATESTARTUPTTY | gpg-connect-agent

     and the next pinentry will pop up on your display or screen.
     However, you need to kill the running pinentry first because only
     one pinentry may be running at once.  If you plan to use ssh on a
     new display you should issue the above command before invoking ssh
     or any other service making use of ssh.
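     The two items above (a wrong 'GPG_TTY' and an SSH session that
     hangs waiting for a pinentry on the wrong display) are handled by
     this added example, which is not part of the GnuPG manual.  The
     return codes of 'validate_gpg_tty' are a convention chosen here;
     the 'gpg-connect-agent' command is the one from the text.

```shell
#!/bin/sh
# Added example (not from the GnuPG manual): diagnose the common
# GPG_TTY mistakes and re-point gpg-agent at the current terminal
# before ssh is used from a new display.

# Validate a candidate GPG_TTY value.  Return codes (chosen here):
#   0 - looks like a real terminal device path
#   1 - unset or empty
#   2 - the literal word "tty" (GPG_TTY=tty instead of GPG_TTY=`tty`)
#   3 - the generic "/dev/tty" alias, which names no specific terminal
#   4 - not an absolute path under /dev
validate_gpg_tty() {
    value=$1
    [ -n "$value" ] || return 1
    [ "$value" != "tty" ] || return 2
    [ "$value" != "/dev/tty" ] || return 3
    case $value in
        /dev/*) return 0 ;;
        *) return 4 ;;
    esac
}

# Set and export GPG_TTY from the current terminal (Bourne-style shells),
# then check the result.
setup_gpg_tty() {
    GPG_TTY=$(tty) || return 1
    export GPG_TTY
    validate_gpg_tty "$GPG_TTY"
}

# Run this before invoking ssh on a new display: it tells gpg-agent to
# use this terminal/display for the next pinentry.  A pinentry that is
# already on screen must be finished or closed first, since only one
# pinentry can run at a time.
gpg_agent_update_startup_tty() {
    setup_gpg_tty || return 1
    echo UPDATESTARTUPTTY | gpg-connect-agent
}
```

     Put 'gpg_agent_update_startup_tty' in a shell function or alias
     that wraps 'ssh'; 'validate_gpg_tty "$GPG_TTY"' alone is a quick
     check to add to a login script.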

   * Exporting a secret key without a certificate

     It may happen that you have created a certificate request using
     'gpgsm' but have not yet received and imported the certificate from
     the CA.  Nevertheless, you want to export the secret key to another
     machine right now, so that you can import the certificate there
     later.  You can do this with a little trick, but it requires that
     you know the approximate time you created the signing request.  By
     running the command

            ls -ltr ~/.gnupg/private-keys-v1.d

     you get a listing of all private keys under control of 'gpg-agent'.
     Pick the key which best matches the creation time and run the
     command

            /usr/local/libexec/gpg-protect-tool --p12-export \
               ~/.gnupg/private-keys-v1.d/FOO >FOO.p12

     (Please adjust the path to 'gpg-protect-tool' to the appropriate
     location).  FOO is the name of the key file you picked (it should
     have the suffix '.key').  A Pinentry box will pop up and ask you
     for the current passphrase of the key and a new passphrase to
     protect it in the pkcs#12 file.

     To import the created file on the machine you use this command:

            /usr/local/libexec/gpg-protect-tool --p12-import --store FOO.p12

     You will be asked for the pkcs#12 passphrase and a new passphrase
     to protect the imported private key at its new location.

     Note that there is no easy way to match existing certificates with
     stored private keys because some private keys are used for Secure
     Shell or other purposes and don't have a corresponding certificate.
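     The procedure above, wrapped in checked shell functions as an added
     example (not part of the GnuPG manual).  The location of
     'gpg-protect-tool' is an assumption taken from the text; set
     'PROTECT_TOOL' to the path on your system.

```shell
#!/bin/sh
# Added example (not from the GnuPG manual): helpers around the
# gpg-protect-tool export/import procedure.  PROTECT_TOOL defaults to
# the path used in the manual's example; adjust it to your installation.
PROTECT_TOOL=${PROTECT_TOOL:-/usr/local/libexec/gpg-protect-tool}

# Print the key files in DIR oldest-first (the order of `ls -ltr`), one
# bare filename per line, so the list can be matched against the time
# the certificate request was made.  Returns non-zero if DIR is missing
# or holds no .key files.
list_private_keys_by_mtime() {
    dir=${1:-"$HOME/.gnupg/private-keys-v1.d"}
    [ -d "$dir" ] || return 1
    ( cd "$dir" && ls -1tr -- *.key 2>/dev/null )
}

# Sanity-check the chosen key file before handing it to gpg-protect-tool:
# it must exist, carry the .key suffix, and the output file must not
# already exist (never silently overwrite an earlier export).
# Returns 0 if OK, 1/2/3 for the three failure cases.
check_export_args() {
    keyfile=$1 out=$2
    [ -f "$keyfile" ] || { echo "no such key file: $keyfile" >&2; return 1; }
    case $keyfile in
        *.key) ;;
        *) echo "expected a .key file from private-keys-v1.d: $keyfile" >&2; return 2 ;;
    esac
    [ ! -e "$out" ] || { echo "refusing to overwrite $out" >&2; return 3; }
    return 0
}

# Export one private key to a PKCS#12 file.  Pinentry asks for the
# key's current passphrase and a new one for the .p12.  The file holds
# a private key, so it is created with owner-only permissions.
export_key_p12() {
    check_export_args "$1" "$2" || return $?
    ( umask 077; "$PROTECT_TOOL" --p12-export "$1" > "$2" )
}

# Import on the other machine; --store puts the key under gpg-agent's
# control, and pinentry asks for the .p12 passphrase and a new one.
import_key_p12() {
    [ -f "$1" ] || return 1
    "$PROTECT_TOOL" --p12-import --store "$1"
}
```

     Typical use: 'list_private_keys_by_mtime', pick the entry closest
     to the request time, then
     'export_key_p12 ~/.gnupg/private-keys-v1.d/FOO.key FOO.p12', and on
     the target machine 'import_key_p12 FOO.p12'.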

   * A root certificate does not verify

     A common problem is that the root certificate lacks the required
     basicConstraints attribute and thus 'gpgsm' rejects this
     certificate.  An error message indicating "no value" is a sign of
     such a certificate.  You may use the 'relax' flag in
     'trustlist.txt' to accept the certificate anyway.  Note that the
     fingerprint and this flag may only be added manually to
     'trustlist.txt'.
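     Since the entry has to be written by hand, here is an added example
     (not part of the GnuPG manual) that adds it in a checked, idempotent
     way.  It assumes the line format documented for gpg-agent's
     'trustlist.txt', '<SHA-1 fingerprint> S relax', and the default file
     location; the fingerprint used in the test is a constructed
     placeholder, not a real certificate's.

```shell
#!/bin/sh
# Added example (not from the GnuPG manual): append a root certificate
# with the 'relax' flag to trustlist.txt without duplicating entries.
# Assumed line format (as documented for gpg-agent):
#   <SHA-1 fingerprint> S relax
# TRUSTLIST defaults to the usual per-user location; adjust if needed.
TRUSTLIST=${TRUSTLIST:-"$HOME/.gnupg/trustlist.txt"}

# Normalize a fingerprint: drop colons and spaces, upper-case it, and
# require exactly 40 hex digits (SHA-1, as gpgsm uses for X.509).
# Prints the normalized value; returns 1 if malformed.
normalize_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ': ' | tr '[:lower:]' '[:upper:]')
    case $fpr in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ ${#fpr} -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# Return 0 if FILE already has an active (uncommented) entry for FPR,
# tolerating colon-separated fingerprints in the file.
trustlist_has() {
    file=$1 fpr=$2
    [ -r "$file" ] || return 1
    sed -e 's/#.*$//' "$file" | tr -d ':' |
        grep -iq "^[[:space:]]*${fpr}[[:space:]]"
}

# Append "<fpr> S relax" to FILE (default: $TRUSTLIST) unless present.
# Returns 0 when added, 3 when already present, 1 on a bad fingerprint.
trustlist_add_relaxed() {
    file=${1:-$TRUSTLIST}
    fpr=$(normalize_fpr "$2") || return 1
    if trustlist_has "$file" "$fpr"; then
        return 3
    fi
    printf '%s S relax\n' "$fpr" >> "$file"
}
```

     After editing the file, 'gpgconf --reload gpg-agent' makes sure
     the running agent picks up the new entry.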

   * Error message: "digest algorithm N has not been enabled"

     The signature is broken.  You may try the option
     '--extra-digest-algo SHA256' to work around the problem.  The
     number N is the internal algorithm identifier; for example, 8
     refers to SHA-256.

   * The Windows version does not work under Wine

     When running the W32 version of 'gpg' under Wine you may get an
     error message like:

          gpg: fatal: WriteConsole failed: Access denied

     The solution is to use the command 'wineconsole'.

     Some operations like '--generate-key' really want to talk to the
     console directly for increased security (for example to prevent the
     passphrase from appearing on the screen).  So, you should use
     'wineconsole' instead of 'wine', which will launch a windows
     console that implements those additional features.

   * Why does GPG's --search-keys list weird keys?

     For performance reasons the keyservers do not check the keys the
     same way 'gpg' does.  It may happen that the listing of keys
     available on the keyservers shows keys with wrong user IDs or with
     user IDs from other keys.  If you try to import such a key, the bad
     keys or bad user IDs won't get imported, though.  This is a bit
     unfortunate, but we can't do anything about it without actually
     downloading the keys.
