PGP-2 pubkeys unsupported: Kleopatra - keys imported 0

I am running Kleopatra 3.0.1 on Windows 10. I am trying to import a public PGP key and the import result dialog says:
Total number processed: 1
Imported: 0

I tried importing this key into GPA, but got the same result.

What could be the reason for this? How can I resolve this?

Hi Stoil,

maybe the pubkey is already imported.

Or there is a problem when importing the pubkey.

Try on the command line, see https://wiki.gnupg.org/TroubleShooting

Best Regards,
Bernhard

Thanks for your answer, Bernhard.

Just to start clean I uninstalled Gpg4Win from my computer and removed the %APPDATA%\GnuPG directory with all the keys.
Then I reinstalled Gpg4Win and tried to import the PGP cert in Kleopatra. There were no keys in Kleopatra and I had two options: to create a new pair or to import a key. Importing the public PGP key gave me the same result - Imported 0.
Then I tried importing from the command line with the --debug-all option. No key was imported and from the debug output it looks like no bytes were received in the buffer.

At this point I am not sure what I can do to resolve this.

Hi Stoil,
check the contents of the file. Does it actually contain a pubkey?

Bernhard

I was beginning to doubt the public key file myself too although it is from a bank. So, to eliminate this possibility, I installed a trial version of the PGP Desktop and was able to import the key in it.

So the key itself must be OK. The type of the key is reported as RSA Legacy. I don’t know if this could be the stumbling block for Kleopatra.

Does this key happen to be one provided by JP Morgan Chase H2H? If so, I am experiencing the same problem importing the key into my gpg keychain. It will not import via Kleopatra or via command line.

Attempts to import via command line provide a bit more clarity in the output messages:

C:\Users\XXXXXXX\Documents\Sync\Work\Keys\PGP\JPMC\Originals>gpg --import jpmch2hpgpprod.asc
gpg: Total number processed: 1
gpg: skipped PGP-2 keys: 1

From what I can tell the problem is that the bank has chosen to use patented PGP-2.x algorithms in the creation of this key and our friends at gpg do not support patented encryption algorithms by design, in keeping with the spirit of free software.

You can read more here: https://www.gnupg.org/gph/en/pgp2x.html

The article details a way to make gpg support these algorithms, however, I am not sure that gpg4win supports these methods or if they are even valid on a Windows system. If anyone here knows how to help gpg4win support PGP 2.x algorithms that would be super.

Hi Michael,

That is the key, from JP Morgan Chase.
Thanks for the explanation. It makes sense now.

I have a case with their support and I will call them to tell them what the problem is. I doubt they will change it though :).

I am happy you’re calling. I called too and was told that despite what Kleopatra says the key is fine. I don’t like it at all because it is our procedure to certify all 3rd party public keys by signing them with our own keys and because of this I cannot follow my own best practices.

Dear Stoil,

if you are getting the same messages as Michael, I’ll answer there.

Hi Michael, Hi Stoil,

the message “skipped PGP-2 keys: 1” gives it away:
Support for PGP-2 keys has been dropped for security reasons,
see https://gnupg.org/faq/whats-new-in-2.1.html#nopgp2

Especially the MD5 digest algorithm it uses is broken.
(E.g. see https://en.wikipedia.org/wiki/MD5)

Note that https://www.gnupg.org/gph/en/pgp2x.html is a historical
document from 1999 and outdated now. See the very bottom. As the patents have expired,
GnuPG comes with RSA and IDEA by default. (Check by running gpg --version on
the command line.)

So calling your bank is a good idea regarding the security properties of their pubkey…

Best Regards,
Bernhard
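The “skipped PGP-2 keys” message is decided by the version byte of the key's Public-Key packet: PGP 2.x wrote version 3 packets (MD5 fingerprint, key ID taken from the low bits of the RSA modulus), while current keys are version 4 (SHA-1 fingerprint over the whole packet). The script below is an added example, not code from this thread, Gpg4win or GnuPG. It dearmors a public key block, verifies the armor CRC-24, walks the OpenPGP packets and reports the key version, so you can see before importing why GnuPG 2.2 refuses a file. The two sample keys are constructed toy values (not real key material), and the `importable_by_gnupg22` field encodes the rule stated in the linked FAQ (v3 keys rejected) as an assumption of this script rather than a call into gpg.

```python
"""Classify an ASCII-armored OpenPGP public key as legacy v3 ("PGP-2") or v4.
Added example: not code from the thread, Gpg4win or GnuPG; toy key values only."""
import base64
import hashlib

TAG_PUBLIC_KEY = 6  # RFC 4880, section 4.3
PK_ALGO_NAMES = {1: "RSA", 2: "RSA (encrypt-only)", 3: "RSA (sign-only)", 16: "Elgamal", 17: "DSA"}


def crc24(data: bytes) -> int:
    """CRC-24 used for the armor checksum line (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    return value.bit_length().to_bytes(2, "big") + value.to_bytes((value.bit_length() + 7) // 8, "big")


def read_mpi(body: bytes, off: int):
    """Decode an MPI at offset; return (value, raw bytes without length octets, next offset)."""
    nbytes = (int.from_bytes(body[off:off + 2], "big") + 7) // 8
    raw = body[off + 2:off + 2 + nbytes]
    return int.from_bytes(raw, "big"), raw, off + 2 + nbytes


def build_rsa_public_key_packet(version: int, n: int, e: int, created: int, validity_days: int = 0) -> bytes:
    """Build a Public-Key packet (tag 6) for RSA in v3 (PGP 2.x era) or v4 layout."""
    if version == 3:  # v3 carries a validity period in days between the timestamp and the algorithm
        body = bytes([3]) + created.to_bytes(4, "big") + validity_days.to_bytes(2, "big") + bytes([1])
    elif version == 4:
        body = bytes([4]) + created.to_bytes(4, "big") + bytes([1])
    else:
        raise ValueError("only v3 and v4 packets are built here")
    body += mpi(n) + mpi(e)
    # Old-format header: 0x80 | tag << 2 | length-type 1 (two-byte length) == 0x99 for tag 6.
    return bytes([0x80 | (TAG_PUBLIC_KEY << 2) | 1]) + len(body).to_bytes(2, "big") + body


def armor(data: bytes) -> str:
    """Wrap binary packets in a public key armor block with a CRC-24 trailer."""
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + "\n".join(lines)
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


def dearmor(text: str) -> bytes:
    """Strip armor, skip armor headers, verify the CRC-24 line and return the packet bytes."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP") or not lines[-1].startswith("-----END PGP"):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[1:-1]
    if "" in body:  # armor headers (Version:, Comment:) end at the first blank line
        body = body[body.index("") + 1:]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body))
    if crc_line is not None and int.from_bytes(base64.b64decode(crc_line[1:]), "big") != crc24(data):
        raise ValueError("armor CRC-24 mismatch: file is corrupt or truncated")
    return data


def parse_packets(data: bytes):
    """Yield (tag, body) for old- and new-format packet headers with definite lengths."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("byte 0x%02x is not a packet header" % ctb)
        if ctb & 0x40:  # new-format header
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, pos = first, pos + 2
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
            else:
                raise ValueError("partial-body lengths not supported")
        else:  # old-format header: tag in bits 5-2, length-type in bits 1-0
            tag, lentype = (ctb >> 2) & 0x0F, ctb & 0x03
            if lentype == 3:
                raise ValueError("indeterminate packet length not supported")
            length = int.from_bytes(data[pos + 1:pos + 1 + (1 << lentype)], "big")
            pos += 1 + (1 << lentype)
        yield tag, data[pos:pos + length]
        pos += length


def inspect_public_key(armored: str) -> dict:
    """Report key version, algorithm, fingerprint and whether GnuPG 2.2+ would import it."""
    for tag, body in parse_packets(dearmor(armored)):
        if tag != TAG_PUBLIC_KEY:
            continue
        version = body[0]
        if version == 3:
            algo = body[7]
            n, n_raw, off = read_mpi(body, 8)
            _, e_raw, _ = read_mpi(body, off)
            # v3 fingerprint: MD5 over the bare MPI bodies; key ID: low 64 bits of the modulus.
            fpr = hashlib.md5(n_raw + e_raw).hexdigest()
            keyid = format(n & (2 ** 64 - 1), "016x")
        elif version == 4:
            algo = body[5]
            # v4 fingerprint: SHA-1 over 0x99, the two-byte body length and the body.
            fpr = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest()
            keyid = fpr[-16:]
        else:
            raise ValueError("unexpected key packet version %d" % version)
        return {"version": version, "algorithm": PK_ALGO_NAMES.get(algo, "algo %d" % algo),
                "fingerprint": fpr, "keyid": keyid,
                # Assumed rule from the GnuPG 2.1/2.2 FAQ: v3 (PGP-2) keys are skipped on import.
                "importable_by_gnupg22": version >= 4}
    raise ValueError("no public-key packet found")


# Constructed toy RSA values (NOT a real key); a small modulus keeps the packets short.
TOY_N = 0xC7F1A3B9D5E70215F3A8C6D4E2B19073
TOY_E = 65537
LEGACY_KEY = armor(build_rsa_public_key_packet(3, TOY_N, TOY_E, created=1500000000, validity_days=730))
MODERN_KEY = armor(build_rsa_public_key_packet(4, TOY_N, TOY_E, created=1500000000))

if __name__ == "__main__":
    for label, key in (("v3 (PGP-2 style) key", LEGACY_KEY), ("v4 key", MODERN_KEY)):
        print(label, inspect_public_key(key))
```

To check a real file, call `inspect_public_key(open("key.asc").read())`; a `version` of 3 is exactly the case that yields “skipped PGP-2 keys: 1”, and a CRC-24 failure points at a truncated or mangled download rather than at the key format.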

Thanks, Bernhard.

I am guessing that if I use an older version of Gpg4Win, I might be able to import this key. Correct? I just need to get a version before the PGP-2 support was dropped.

Now that I have read the information from your first link, I see that version GnuPG 1.4 supports the PGP-2 keys.

Thanks again, Bernhard.

Thank you for the input, Bernhard. So far the bank does not seem interested in generating a new key and suggests the following command:

gpg --allow-non-selfsigned-uid --import

This does not work in the gpg4win implementation, however, it does work on a Linux implementation to which I have access. I have imported the key there, signed it with my keys and exported the public key again for import into my Windows keychain. I had hoped that by signing the key with my ultimately trusted key the gpg4win implementation would let it import, but still no bueno.

I’ve passed on to the bank the information provided by you detailing the security concerns surrounding the ancient PGP version they’ve chosen to use. I don’t expect them to change anything until this key expires in two years as they’ve already released it into the wild and I doubt they’ll want to be bothered with retracting it and trying to get all of their customers to grab another new key. We shall see.

Correct, GnuPG 1.4 should work (on the command line).

Older Gpg4win 2.3.4 might also work (with the --allow-weak-digest-algos or --pgp2 switch).

As you can see from https://gnupg.org/faq/whats-new-in-2.1.html#nopgp2
the full support for pgp-2 format has been removed with GnuPG 2.2.

If you have GnuPG 2.0 on your GNU/Linux system or an older 2.1, it may have worked.

I don’t know if there is an easy creative way to re-export the key material with a newer format and use it. You’d probably need further options like --allow-weak-digest-algos .
Your best option right now is to use GnuPG 1.4 on Windows on the command line.

MD5 really is broken, so you cannot trust signatures.