I am running Kleopatra 3.0.1 on Windows 10. I am trying to import a public PGP key and the import result dialog says:
Total number processed: 1
Imported: 0
I tried importing this key into GPA, but got the same result.
What could be the reason for this? How can I resolve this?
Just to start clean I uninstalled Gpg4Win from my computer and removed the %APPDATA%\GnuPG directory with all the keys.
Then I reinstalled Gpg4Win and tried to import the PGP cert in Kleopatra. There were no keys in Kleopatra and I had two options to create a new pair or import a key. Importing the Public PGP key gave me the same result - Imported 0.
Then I tried importing from the command line with --debug-all option. No key was imported and from the debug output it looks like no bytes were received in the buffer.
At this point I am not sure what I can do to resolve this.
I was beginning to doubt the public key file myself too although it is from a bank. So, to eliminate this possibility, I installed a trial version of the PGP Desktop and was able to import the key in it.
So the key itself must be OK. The type of the key is reported as RSA Legacy. I don’t know if this could be the stumbling block for Kleopatra.
Does this key happen to be one provided by JP Morgan Chase H2H? If so, I am experiencing the same problem importing the key into my gpg keychain. It will not import via Kleopatra or via command line.
Attempts to import via command line provide a bit more clarity in the output messages:
C:\Users\XXXXXXX\Documents\Sync\Work\Keys\PGP\JPMC\Originals>gpg --import jpmch2hpgpprod.asc
gpg: Total number processed: 1
gpg: skipped PGP-2 keys: 1
From what I can tell the problem is that the bank has chosen to use patented PGP-2.x algorithms in the creation of this key and our friends at gpg do not support patented encryption algorithms by design, in keeping with the spirit of free software.
The article details a way to make gpg support these algorithms, however, I am not sure that gpg4win supports these methods or if they are even valid on a Windows system. If anyone here knows how to help gpg4win support PGP 2.x algorithms that would be super.
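As an added example, not part of this thread or of GnuPG: "skipped PGP-2 keys" means gpg found a version 3 public-key packet, the PGP 2.x key format. The small parser below (my own code, following the packet layout of RFC 4880) dearmors a .asc file and reads the version byte of the first public-key packet, so you can confirm the key format yourself before going back to the issuer. The two sample keys are constructed inline with dummy MPIs and are not real keys.

```python
import base64
import struct

def _armor(packet: bytes) -> str:  # ASCII armor without the CRC line (the parser ignores it anyway)
    body = base64.b64encode(packet).decode()
    return "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + body + "\n-----END PGP PUBLIC KEY BLOCK-----\n"

def _key_packet(version: int) -> bytes:
    """Constructed RSA public-key packet (tag 6); v3 carries a 2-byte validity field, v4 does not."""
    mpi = struct.pack(">H", 16) + b"\xc0\x01" + struct.pack(">H", 17) + b"\x01\x00\x01"  # dummy n, e=65537
    body = bytes([version]) + struct.pack(">I", 915148800) + (b"\x00\x00" if version == 3 else b"") + bytes([1]) + mpi
    return bytes([0x99]) + struct.pack(">H", len(body)) + body  # old-format header, tag 6, 2-byte length

SAMPLE_V3_ASC = _armor(_key_packet(3))   # the PGP 2.x key format
SAMPLE_V4_ASC = _armor(_key_packet(4))   # the current key format

def dearmor(text: str) -> bytes:
    """Drop armor lines, armor headers, blank lines and the '=' CRC line; return packet bytes."""
    inside, b64 = False, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("-----BEGIN PGP"):
            inside = True
        elif line.startswith("-----END PGP"):
            break
        elif inside and line and not line.startswith("=") and ":" not in line:
            b64.append(line)
    return base64.b64decode("".join(b64))

def packets(data: bytes):
    """Yield (tag, body) for old- and new-format packet headers (RFC 4880 section 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]; i += 1
        if ctb & 0x40:                                   # new-format header
            tag, first = ctb & 0x3F, data[i]; i += 1
            if first < 192: length = first
            elif first < 224: length = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255: length = struct.unpack(">I", data[i:i + 4])[0]; i += 4
            else: raise ValueError("partial body lengths not supported")
        else:                                            # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 3
            if ltype == 3: raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + size], "big"); i += size
        yield tag, data[i:i + length]; i += length

def key_version(asc_text: str) -> int:
    """Version byte of the first public-key packet (tag 6): 3 means PGP 2.x, 4 is current."""
    for tag, body in packets(dearmor(asc_text)):
        if tag == 6:
            return body[0]
    raise ValueError("no public-key packet found")
```

Run key_version() on the bank's .asc file; a result of 3 is exactly what the "skipped PGP-2 keys" line reports, and only the issuer can fix that by generating a v4 key.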
I am happy you’re calling. I called too and was told that despite what Kleopatra says the key is fine. I don’t like it at all because it is our procedure to certify all 3rd party public keys by signing them with our own keys and because of this I cannot follow my own best practices.
Note that https://www.gnupg.org/gph/en/pgp2x.html is a historical
document from 1999 and outdated now. See the very bottom. As the patents have expired,
GnuPG comes with RSA and IDEA by default. (Check by running gpg --version on
the command line.)
So calling your bank is a good idea about the security properties of their pubkey…
I am guessing that if I use an older version of Gpg4Win, I might be able to import this key, correct? I just need to get a version before the PGP-2 support was dropped.
Thank you for the input, Bernhard. So far the bank does not seem interested in generating a new key and suggests the following command:
gpg --allow-non-selfsigned-uid --import
This does not work in the gpg4win implementation, however, it does work on a Linux implementation to which I have access. I have imported the key there, signed it with my keys and exported the public key again for import into my Windows keychain. I had hoped that by signing the key with my ultimately trusted key the gpg4win implementation would let it import, but still no bueno.
I’ve passed on to the bank the information provided by you detailing the security concerns surrounding the ancient PGP version they’ve chosen to use. I don’t expect them to change anything until this key expires in two years as they’ve already released it into the wild and I doubt they’ll want to be bothered with retracting it and trying to get all of their customers to grab another new key. We shall see.
If you have GnuPG 2.0 on your GNU/Linux system or an older 2.1, it may have worked.
I don’t know if there is an easy creative way to re-export the key material with a newer format and use it. You’d probably need further options like --allow-weak-digest-algos .
Your best option right now is to use GnuPG 1.4 on Windows on the command line.
MD5 really is broken, so you cannot trust signatures.