Select different certificate when decrypting

chicagoclubs · February 11, 2025, 8:34pm

I created a key pair for SFP process with company A. Decryption works like a charm.
Created a new pair for company B. However when attempting to decrypt their files I don’t have an option with the console to select the second cert. Essentially every decryption attempt is defaulting to first the secret key…Passphrase:
BTW: This is setup on a windows 20223 server. Is there an option to select the other key?

cklassen · February 11, 2025, 9:20pm

Hi!

Which version of GnuPG are you using and how exactly do you decrypt the files? Usually, if the correct private key is in your keyring gpg chooses that one automatically. Did you check this with gpg --list-secret-keys?

What you could try to force the usage of all keys is this command: gpg --decrypt --try-all-secrets <file>. The parameter --try-all-secrets tells you already that gpg will try to decrypt the file with every private key you have.

There is also the option --try-secret-key (you can find the options in a manual) but I couldn’t make it work.

chicagoclubs · February 11, 2025, 10:01pm

Version = 2.4.5
I attempted using the console…Decrypt/Verify, select file - I’m then asked to enter in passphrase for the 1st key(should be the second key here).
Running gpg --list-secret-keys I see both keys in there.
I also ran the gpg from cmd - as a test I used the 1st secret (entered in passphrase) and it decrypted the file. I’m somewhat confused as to why it would have worked.

chicagoclubs · February 12, 2025, 9:43pm

Is the fact that both keys were generated on the same server, same keyring have anything to do with this?

eebb · February 13, 2025, 8:09am

Because the file was encrypted to that key. Either only to that key or to both your keys.
If a file was encrypted to several keys and you have both, gpg will pick one of them for decryption.

No.

chicagoclubs · February 13, 2025, 6:54pm

If the first key was created and public key was shared with Company A and second key was created and public key was shared with Company B - how can the first key be used to decrypt files from Company B?

eebb · February 14, 2025, 2:40pm

Somehow company B must have gotten hold of the public key you wanted to use with company A only.

Possibilities for this are:

you shared the wrong key by mistake, chose the wrong file as attachment or similar
your mail program is configured to include your public key in every mail and here key A is configured
company A sent the public key to company B

To check which keys a file was encrypted to, you only have to look at the output of gpg, for example:

% gpg -o test.txt -d test.txt.gpg
gpg: encrypted with rsa3072 key, ID 037BFD4B2C571A9E, created 2023-03-08
      "Edward Tester <Edward.Tester@demo.gnupg.com>"
gpg: encrypted with RSA key, ID DEFF048EA881E03F
gpg: encrypted with rsa2048 key, ID BA9A98374E6575EF, created 2023-03-08
      "Rita-RSA2048"
gpg: Signature made 02/14/25 15:00:08 W. Europe Standard Time
gpg:                using RSA key 11A9C6D06717C4E284960BA906E28F5FB5297489
gpg: Good signature from "Edward Tester <Edward.Tester@demo.gnupg.com>" [ultimate]

This file was encrypted to and signed with my own key “Edward Tester” and additionally encrypted for “Rita-RSA2048” and for a key which is not in the keyring with the ID DEFF048EA881E03F