Kleopatra declined to load an updated vertificate from a keyserver.

Using Windows7 64 bit and Gpg4win 2.2.1

I found that one of the gpg certificates I use to check content from a source had just become out of date. Using Kleopatra, I did a “lookup certificate on server” for the key id concerned.

Kleopatra found the certificate and I checked its details and it had been renewed by its owner so I clicked to import. Kleopatra seemed to go through the motions but the result was ‘0 keys imported’.

I retried several times and ended up using the key manager in enigmail for Thunderbird.

It seems a little strange that Kleopatra would not import an updated version of a key which I already had on the keyring.

When I was updating a number of keys from the server I ran into a similar issue with Kleopatra. When that happened I would use GPA instead.

Hi, thanks for your feedback!

The next step would be to try to make this reproducable for
developers, so they can fix it. Ideally this results in a problem report
in a tracker. This is the place the developers will look for unresolved issues first.

Maybe you still know which certificate it was (to check if this defect depends on a certain attribute.)
Did you check if the important had happened?
Because sometimes only a new subkey is imported. Because GPA and Kleo are likely to use the same import mechanism, it may be a reporting issue.

Best Regards,
Bernhard
(Flattr Gpg4win at https://flattr.com/thing/2053326 if you appreciate my response.)

Bernard, the certificate in question is not expired now because at the time when Kleopatra wouldn’t import the update, I updated it using enigmail’s key manager. (in Thunderbird)
When Kleopatra found the certificate on the keyserver, I used the ‘details’ button on the lookup dialog to check whether the certificate life had been renewed. It had, so I clicked ‘import’.
Then Kleopatra produced the ‘Certificate Import Result - Kleopatra’ dialogue in which it declared :
‘Detailed results of importing OpenPGP Certificate Server’
Total number processed : 0
Imported:0

I repeated the operation a couple of times with same result and I checked that the certificate I had on the keyring was still out of date. Then I went to enigmail’s keyserver because Thunderbird was already open and running.

I only have 1 other expired certificate on the public keyring. I have tried the same procedure and nothing is imported. But in this case it might be correct because the certificate on the keyserver is still expired.

I get exactly the same results from Kleopatra if I look up a valid public key and try to re-import it. But maybe that is the way Kleopatra works for valid certs ?

It may be that the problem is of a more general nature because when Kleopatra ‘refuses’ to re-import a certificate, if I then use enigmail’s key manager to look up the same certificate (using their ‘refresh’ function for the single key) it downloads and reports whatever updated information it finds.

Since I cannot reproduce exactly the same conditions (expired key on my pc - renewed key available on the server), do you still think it worthwhile that I report this on the tracker ?

Philip,
thanks for the additional details.

Yes, I think it makes sense to create a problem report in the tracker.
To make sure that the issue is not forgotten.

Technically it is true that a certificate that is already in, does not get imported again,
but then it should say: processed 1, important 0. Or so.

Best Regards,
Bernhard
(Flattr Gpg4win at https://flattr.com/thing/2053326 if you appreciate my response.)

Hi,
there was an incompatibility between gpgme (used by kleopatra) and some newer keyservers.

https://bugs.g10code.com/gnupg/issue1685

This should be fixed in gpg4win-2.2.2