How to join pubring.kbx and pubring.gpg?

How to join pubring.kbx and pubring.gpg?

Binarus
Dear experts,

I am running Thunderbird, Enigmail and gpg4win on Windows 7. All
components are up to date, and I have been using this combination successfully
for several years for signing, encrypting and decrypting email messages.

Now, for the first time, a new communication partner won't provide his
public GPG key directly, but only in the form of a .p7b certificate. For
several hours, I have been having a remarkably hard time trying to import his
public key into the setup mentioned above.

1) gpgsm seems to be the only tool which can be used to extract public
keys or convert certificates from the .p7b format to the format needed
by GPG. Fortunately, gpgsm is included in the gpg4win package, so I
could use it on my system.

2) But whatever I did, I could not see the new public keys in the key
list gpg shows. So I tracked the issue further down and noticed:

gpg -k correctly lists the keys I have currently in use, but not the
new, imported key.

gpgsm -k correctly lists the new key, but not the keys I have currently
in use.

3) Further research led me to this post:

https://lists.gnupg.org/pipermail/gnupg-users/2015-December/054881.html

This at least gave me a vague idea about what might be going on.
Obviously, gpgsm had imported the new key into pubring.kbx, but not into
pubring.gpg (note: This seems to be expected behavior as I have found
out in the meantime).

So I closed Thunderbird and deleted pubring.gpg for testing purposes.
According to the post mentioned above, GPG then should have used
pubring.kbx instead of pubring.gpg, so I expected to see the new,
imported key when issuing gpg -k.

But instead, gpg -k generated a new (empty) pubring.gpg instead of using
pubring.kbx.

4) I have found no way to make GPG use pubring.kbx although I have
double checked that I am using the most recent version of gpg4win,
meaning that I am using gpg2. I also have double checked the
installation directory; there is no gpg.exe, but there is gpg2.exe (and
gpgv2.exe, whatever that might be). So it should use pubring.kbx,
shouldn't it?

5) I have found no way to convert pubring.kbx to pubring.gpg, or to join
them.

To summarize: I have a .p7b certificate with a public PGP key. I can
import it to pubring.kbx. I can't import it to pubring.gpg. I can't use
it because gpg4win uses pubring.gpg. I can't convert pubring.kbx to
pubring.gpg. I can't join pubring.kbx with pubring.gpg.

Does anybody have an idea how I could get out of this? I have access to
full-blown Linux systems, so I could perform all conversions or import
steps on Linux if necessary. But I still have to use the end results
under Windows with the setup mentioned at the beginning of this post.

Thank you very much,

Binarus


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to join pubring.kbx and pubring.gpg?

Juan Miguel Navarro Martínez
On 2017-06-14 at 16:04, Binarus wrote:

> 1) gpgsm seems to be the only tool which can be used to extract public
> keys or convert certificates from the .p7b format to the format needed
> by GPG. Fortunately, gpgsm is included in the gpg4win package, so I
> could use it on my system.
>
As far as I know, GPGSM is a GPG tool to use X.509 certificates. That's
not the OpenPGP protocol. With this said...

> 2) But whatever I did, I could not see the new public keys in the key
> list gpg shows. So I tracked the issue further down and noticed:
>
> gpg -k correctly lists the keys I have currently in use, but not the
> new, imported key.
>
> gpgsm -k correctly lists the new key, but not the keys I have currently
> in use.
>
... even if your GnuPG installation used .kbx format -which mine does-,
gpg will still show only OpenPGP keys while gpgsm will show x509 keys.

> 3) [...]
>
> So I closed Thunderbird and deleted pubring.gpg for testing purposes.
> According to the post mentioned above, GPG then should have used
> pubring.kbx instead of pubring.gpg, so I expected to see the new,
> imported key when issuing gpg -k.
>
> But instead, gpg -k generated a new (empty) pubring.gpg instead of using
> pubring.kbx.
>
> 4) I have found no way to make GPG use pubring.kbx although I have
> double checked that I am using the most recent version of gpg4win,
> meaning that I am using gpg2. I also have double checked the
> installation directory; there is no gpg.exe, but there is gpg2.exe (and
> gpgv2.exe, whatever that might be). So it should use pubring.kbx,
> shouldn't it?
>
For GnuPG to use KBX format, you must have the modern branch which is
2.1 and later. For that, you need to use the experimental version of
Gpg4Win:

https://files.gpg4win.org/Beta/current/

It should be very stable both with Kleopatra and gnupg on the command line,
but if you find an error or bug please report it to the respective channel.

More info on how and where to report bugs here:
https://www.gpg4win.org/reporting-bugs.html

> 5) I have found no way to convert pubring.kbx to pubring.gpg, or to join
> them.
>

After you download the experimental version, you must do the following:

1. The first time you use gpg -K (and maybe gpg -k), GnuPG will
automatically convert the keys in secring.gpg to the new format which is
storing the secret parts in individual files in
%AppData%\gnupg\private-keys-v1.d (if you changed GNUPGHOME then this
may differ and it should be in %GNUPGHOME%\private-keys-v1.d\).
You can then delete your secring.gpg file if the secret keys conversion
has been successful as it won't be used anymore. This is only for
OpenPGP keys as x509 secret keys as far as I know have always used the
private-keys-v1.d folder and pubring.kbx file.

2. As you imported the x509 key and so you have a pubring.kbx, you won't
be able to see the OpenPGP stored in pubring.gpg as it will prefer the
.kbx format over the .gpg. To import those keys, you should be able to
execute gpg --import X:\Path\To\pubring.gpg and it should start
importing the keys to the new format.
Renaming pubring.gpg to publickeys and then using gpg --import
publickeys is also a good idea if you didn't have a pubring.kbx to begin
with.

I must remind you that your partner's key will still be an X.509 key and
so you'll still need to use GPGSM to list, verify messages from and
encrypt messages to that key, but now both public OpenPGP and X.509 keys
will be stored in pubring.kbx.

--
Juan Miguel Navarro Martínez

GPG Keyfingerprint:
5A91 90D4 CF27 9D52 D62A
BC58 88E2 947F 9BC6 B3CF



Re: How to join pubring.kbx and pubring.gpg?

Binarus
At first, I'd like to thank you for the great explanations.

On 14.06.2017 19:21, Juan Miguel Navarro Martínez wrote:

> As far as I know, GPGSM is a GPG tool to use X.509 certificates. That's
> not the OpenPGP protocol. With this said...

Here is where my worry begins. AFAIK, all PGP variants are using RSA key
pairs. A public X.509 certificate is just a container for such keys (and
possibly has information about the certificate chain). Given that, in my
naive world, it should be no problem to extract that public PGP key from
the certificate; the goal would be to gain the "pure" key which then
could be added to the traditional PGP (Enigmail / gpg4win) world.

Of course, any information regarding the certification chain would be
lost when doing so, but I really wouldn't care about that (I have
downloaded the certificate from the website of a very big well-known
company; the website is protected by TLS, and I have checked that there
was no man in the middle).

Unfortunately, I didn't find any hint on how to extract that key. It is
in the certificate for sure, and I think I will eventually be able to
dump it after playing some time with OpenSSL, but then I eventually
won't know how to integrate it into Enigmail / gpg4win.

Furthermore, I am still not sure if this is just a matter of
transforming the key or if the whole software / data exchange protocol
depends on the sort of key. In other words, even if I would manage to
extract the key and to integrate it into the Enigmail / gpg4win world,
would the communication partner be able to decrypt the respective messages?

> For GnuPG to use KBX format, you must have the modern branch which is
> 2.1 and later. For that, you need to use the experimental version of
> Gpg4Win:

This is a very important hint. I didn't even know that such a branch
exists. An average user visiting their website mainly for downloading
their software won't see any hint regarding that ... or I have missed
something.

> After you download the experimental version, you must do the follow:
[...]
>
> I must remind you that your partner's key will still be a X.509 key and
> so you'll still need to use GPGSM to list, verify messages from and
> encrypt message to that key but now both public OpenPGP and X.509 keys
> will be stored in pubring.kbx.

Thank you very much for the manual :-) So I now know how to use pubring.kbx
instead of pubring.gpg, but obviously, this is not the solution to my
problem (as I initially thought).

The bottom line seems to be that I can't use Enigmail / gpg4win to
exchange email with communication partners which provide their keys in
form of certificates. This does not make much sense since there is a
strong trend among the big companies to provide only PGP certificates
instead of PGP keys.

Using gpgsm on the command line is not what I would like to do in my daily
email routine (although I am a strong fan of the command line in other
situations).

Slightly off-topic: Does anybody eventually know if and when Enigmail /
gpg4win will support certificates?

Thank you very much,

Binarus


Re: How to join pubring.kbx and pubring.gpg?

Peter Lebbing
On 16/06/17 10:27, Binarus wrote:
> [...] or if the whole software / data exchange protocol depends on
> the sort of key. In other words, even if I would manage to extract
> the key and to integrate it into the Enigmail / gpg4win world, would
> the communication partner be able to decrypt the respective
> messages?

This. It serves no purpose other than to confuse, to send someone who
doesn't use OpenPGP an OpenPGP message. People using X.509 certificates
for e-mail will probably expect S/MIME messages, which while potentially
using RSA just as OpenPGP can use, are distinctly different from OpenPGP
messages.

> This does not make much sense since there is a strong trend among the
> big companies to provide only PGP certificates instead of PGP keys.

This is phrased wrong. Actually, what many people call OpenPGP keys are
more accurately called OpenPGP certificates. But X.509 certificates are
not OpenPGP certificates in any sense. They both potentially use RSA.
But RSA is an algorithm, giving computation rules for numbers. RSA is
not a data format or standard for message exchange. That would be
OpenPGP or S/MIME, which do not interoperate. And, by the way, don't
even necessarily use RSA at all, it's just a common option.

I hope this makes it more clear to you.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>



Re: How to join pubring.kbx and pubring.gpg?

Damien Goutte-Gattat
In reply to this post by Binarus
Hi,

On 06/16/2017 10:27 AM, Binarus wrote:
> Unfortunately, I didn't find any hint on how to extract that key. It is
> in the certificate for sure, and I think I will eventually be able to
> dump it after playing some time with OpenSSL, but then I eventually
> won't know how to integrate it into Enigmail / gpg4win.

Well, there is the Monkeysphere's pem2openpgp tool [1], but AFAIK it
only works with *private* keys, not public keys.


> Furthermore, I am still not sure if this is just a matter of
> transforming the key or if the whole software / data exchange protocol
> depends on the sort of key. In other words, even if I would manage to
> extract the key and to integrate it into the Enigmail / gpg4win world,
> would the communication partner be able to decrypt the respective messages?

No. You would generate an OpenPGP-encrypted message that your partner
won't be able to decrypt using their S/MIME software. They would need an
OpenPGP implementation (be it GnuPG or any other one).



> The bottom line seems to be that I can't use Enigmail / gpg4win to
> exchange email with communication partners which provide their keys in
> form of certificates. This does not make much sense since there is a
> strong trend among the big companies to provide only PGP certificates
> instead of PGP keys.

You seem to be confused between OpenPGP certificates and X.509
certificates, and I think this is the root of your problem.

Let me try to explain.

There are two completely independent standards for e-mail encryption and
signing: OpenPGP and S/MIME.

Each standard uses its own formats. OpenPGP uses OpenPGP certificates
(which are called "public key" out of habit, but they really are
certificates), and S/MIME uses X.509 certificates.

Both partners in a conversation have to use the same standard, either
OpenPGP or S/MIME (of course they can use *any* software implementing
the same standard, because that's what standards are all about).

Now what you got from your partner is an X.509 certificate, which means
that said partner is using S/MIME, not OpenPGP.

There aren't many options here: you and your partner must agree on the
standard you use for your communications. Either you convince your
partner to switch to OpenPGP when he is communicating with you, or you
switch yourself to S/MIME when you're communicating with him.


> Slightly off-topic: Does anybody eventually know if and when Enigmail /
> gpg4win will support certificates?

Thunderbird already supports S/MIME and X.509 certificates natively, you
do not need Enigmail for that.


Damien

[1] http://web.monkeysphere.info/
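As an added example (not code from the thread or from GnuPG) for Damien's point that OpenPGP and X.509 are separate formats, and for Juan Miguel's earlier note that GnuPG 2.1 prefers pubring.kbx over pubring.gpg: a small Python classifier that tells from a file's leading bytes or its PEM/armor label which of the three kinds of blob it is, so one knows whether gpg or gpgsm is the right importer before spending hours on it. The sample blobs are constructed (truncated headers only); the keybox check assumes the "KBXf" magic in the keybox header blob, and the OpenPGP check looks for a key packet (tag 5 or 6) at the start of the file.

```python
"""Classify the three kinds of blob this thread mixes up: an OpenPGP key
or keyring (pubring.gpg, handled by gpg), an X.509 certificate / PKCS#7
bundle (.p7b, S/MIME, handled by gpgsm), and a GnuPG keybox (pubring.kbx).
Added example; not GnuPG code. All sample blobs below are constructed."""
import base64
import re
import struct
from enum import Enum


class Kind(Enum):
    OPENPGP = "OpenPGP key/keyring: use gpg (pubring.gpg)"
    X509 = "X.509 / PKCS#7: S/MIME material, use gpgsm"
    KEYBOX = "GnuPG keybox (pubring.kbx, GnuPG 2.1+)"
    UNKNOWN = "unrecognised"


# PEM envelope or OpenPGP ASCII armor: "-----BEGIN label-----" ... "-----END label-----"
_ARMOR = re.compile(rb"-----BEGIN ([A-Z0-9 #]+)-----\r?\n(.*?)-----END \1-----", re.S)
# OpenPGP packet tags that can open a keyring: 5 = secret key, 6 = public key
_KEY_TAGS = {5, 6}


def _armor_payload(body: bytes) -> bytes:
    """Base64-decode an armor body, skipping 'Key: value' header lines,
    blank lines and the OpenPGP '=CRC24' trailer line."""
    lines = [ln.strip() for ln in body.splitlines()]
    data = b"".join(ln for ln in lines
                    if ln and b":" not in ln and not ln.startswith(b"="))
    try:
        return base64.b64decode(data, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return b""


def classify_binary(data: bytes) -> Kind:
    """Classify a raw (binary) blob from its leading bytes."""
    # Keybox header blob: u32 length, u8 type (1 = header), u8 version,
    # u16 flags, then the magic "KBXf" (assumption: see lead-in)
    if len(data) >= 12 and data[4] == 1 and data[8:12] == b"KBXf":
        return Kind.KEYBOX
    if not data:
        return Kind.UNKNOWN
    first = data[0]
    # DER: an X.509 Certificate and a PKCS#7 ContentInfo both start as SEQUENCE (0x30)
    if first == 0x30:
        return Kind.X509
    # OpenPGP packet header: bit 7 set; bit 6 selects new format (tag = low
    # 6 bits) or old format (tag = bits 5..2)
    if first & 0x80:
        tag = (first & 0x3F) if first & 0x40 else (first >> 2) & 0x0F
        if tag in _KEY_TAGS:
            return Kind.OPENPGP
    return Kind.UNKNOWN


def classify(blob: bytes) -> Kind:
    """Classify armored (PEM / ASCII armor) or binary input."""
    m = _ARMOR.search(blob)
    if m is None:
        return classify_binary(blob)
    label = m.group(1).decode("ascii")
    if label.startswith("PGP "):
        return Kind.OPENPGP
    if label in ("CERTIFICATE", "PKCS7", "TRUSTED CERTIFICATE"):
        return Kind.X509
    # Unfamiliar label: fall back to inspecting the decoded payload
    return classify_binary(_armor_payload(m.group(2)))


# --- constructed samples (not real keys or certificates) ---
_PGP_BODY = b"\x04" + b"\x59\x41\x7a\x00" + b"\x01" + b"\x00\x0a\x02\xd5"  # v4, time, RSA, tiny MPI
SAMPLE_PGP_BIN = b"\x99" + struct.pack(">H", len(_PGP_BODY)) + _PGP_BODY   # old-format tag 6
SAMPLE_PGP_ARMOR = (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed\n\n"
                    + base64.b64encode(SAMPLE_PGP_BIN)
                    + b"\n=AbCd\n-----END PGP PUBLIC KEY BLOCK-----\n")
SAMPLE_DER = b"\x30\x82\x02\x10" + b"\x30\x82\x01\xf8" + b"\x00" * 8   # DER SEQUENCE prefix only
SAMPLE_P7B_PEM = (b"-----BEGIN PKCS7-----\n" + base64.b64encode(SAMPLE_DER)
                  + b"\n-----END PKCS7-----\n")
SAMPLE_KBX = struct.pack(">IBBH", 32, 1, 1, 0) + b"KBXf" + b"\x00" * 20
SAMPLE_ODD_LABEL = (b"-----BEGIN FOO-----\n" + base64.b64encode(SAMPLE_PGP_BIN)
                    + b"\n-----END FOO-----\n")   # unfamiliar label, OpenPGP payload

if __name__ == "__main__":
    for name, blob in [("pubring.gpg", SAMPLE_PGP_BIN), ("key.asc", SAMPLE_PGP_ARMOR),
                       ("partner.p7b", SAMPLE_P7B_PEM), ("pubring.kbx", SAMPLE_KBX)]:
        print(f"{name:12} -> {classify(blob).value}")
```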



Re: How to join pubring.kbx and pubring.gpg?

Juan Miguel Navarro Martínez
In reply to this post by Binarus
On 2017-06-16 at 10:27, Binarus wrote:
> Here is where my worry begins. AFAIK, all PGP variants are using RSA key
> pairs. A public X.509 certificate is just a container for such keys (and
> possibly has information about the certificate chain). Given that, in my
> naive world, it should be no problem to extract that public PGP key from
> the certificate; the goal would be to gain the "pure" key which then
> could be added to the traditional PGP (Enigmail / gpg4win) world.
>

I wouldn't try to transform an X.509 certificate into an OpenPGP
certificate for the reasons already discussed here.

If you want to use OpenPGP, tell your partner to make an OpenPGP
certificate using GnuPG or any OpenPGP-supporting software. You can then
make PGP/Inline or PGP/MIME (if your email client/plugin supports it,
Enigmail does) email.

If you want to use the X.509 certificate of your partner, you must use
an X.509-supporting client to generate a certificate (OpenSSL normally,
but Kleopatra, which comes by default with Gpg4Win unless selected
otherwise, also allows you to generate an X.509). Normally, email
software supports S/MIME messages and there is no need for an extra
plugin. Thunderbird does so by default and you can configure your X.509
from the Security section of your account settings.

The problem with an X.509 is that it usually requires a Certificate
Authority (CA) to make a trusted signature. Comodo allows you to sign up
for a free X.509 certificate for each of your personal
emails. There may be others, some paid.

> Unfortunately, I didn't find any hint on how to extract that key. It is
> in the certificate for sure, and I think I will eventually be able to
> dump it after playing some time with OpenSSL, but then I eventually
> won't know how to integrate it into Enigmail / gpg4win.
>

Enigmail only works with OpenPGP-related keys.
gpg4win is only a suite of GnuPG-related software, with GPGSM for the
management of X.509 certs. Kleopatra is only a front-end GUI client for
both OpenPGP and X.509 operations with the respective GnuPG tools.

> Furthermore, I am still not sure if this is just a matter of
> transforming the key or if the whole software / data exchange protocol
> depends on the sort of key. In other words, even if I would manage to
> extract the key and to integrate it into the Enigmail / gpg4win world,
> would the communication partner be able to decrypt the respective messages?
>

As said above, if your partner uses X.509 then use X.509. If you want to
use OpenPGP tell him to make an OpenPGP key.

If he tries to decrypt a PGP/Inline or PGP/MIME message using an S/MIME
client it won't work. He'll need a PGP/Inline or PGP/MIME compatible
software for that (Thunderbird with Enigmail; Claws Mail, Mutt, etc...).

>> For GnuPG to use KBX format, you must have the modern branch which is
>> 2.1 and later. For that, you need to use the experimental version of
>> Gpg4Win:
>
> This is a very important hint. I didn't even know that such a branch
> exists. An average user visiting their website mainly for downloading
> their software won't see any hint regarding that ... or I have missed
> something.
>

It was announced on the mailing list of Gpg4Win. But you can also find the
Beta directory link in the middle part of the "All Downloads" section on the
Download page.

> Using gpgsm on the command line is not what I would like to do in my daily
> email routine (although I am a strong fan of the command line in other
> situations).
>

If you want to manage certs with a GUI client, use an S/MIME-supporting
email client, which you can do with Thunderbird, or Kleopatra for X.509 as I
said above.

> Slightly off-topic: Does anybody eventually know if and when Enigmail /
> gpg4win will support certificates?
>

And to reiterate again, Enigmail, as far as I know, will only support
OpenPGP certificates or keys.
Gpg4Win supports X.509 by using the GPGSM CLI tool or Kleopatra as a GUI
front-end, but for S/MIME emails I would recommend an email client like
Thunderbird.

--
Juan Miguel Navarro Martínez

GPG Keyfingerprint:
5A91 90D4 CF27 9D52 D62A
BC58 88E2 947F 9BC6 B3CF



Re: How to join pubring.kbx and pubring.gpg?

Binarus
In reply to this post by Damien Goutte-Gattat
On 16.06.2017 11:32, Damien Goutte-Gattat wrote:

> Well, there is the Monkeysphere's pem2openpgp tool [1], but AFAIK it
> only works with *private* keys, not public keys.

Most articles / tutorials I came across during my research were dealing
with private keys ... that should have made me mistrustful on its own.

> No. You would generate an OpenPGP-encrypted message that your partner
> won't be able to decrypt using their S/MIME software. They would need an
> OpenPGP implementation (be it GnuPG or any other one).

This is where I have been misled. Of course, I already knew that S/MIME
and PGP are both widely used, but totally different, and it was also
clear to me that a recipient who uses S/MIME has no way to decrypt PGP
messages, and vice versa.

There were three things which pulled me on the wrong track:

1) My new communication partner claimed that they supported S/MIME as
well as PGP, giving the impression that I could choose which one I would
like to use. I told him that I would like to use PGP (as I've always
done in similar cases in the past) and not S/MIME.

2) My new communication partner claimed (even in written form) that the
certificate they provided to me was a "PGP certificate". Well, we all
probably know the level of technical knowledge in big companies'
customer support ... I should have been warned.

3) I would never have had the idea that GnuPG handles S/MIME
certificates. Obviously, gpgsm is part of GnuPG, and obviously, it can
handle the certificate which I have been given. Thus, I have been quite
sure that it indeed must have been some sort of "PGP certificate",
because I couldn't imagine that a part of the GnuPG software could deal with
S/MIME certificates.

So GnuPG seems to be in the process of becoming S/MIME software, a
thing which I would have heavily denied until now if somebody had
asked me.

These three reasons made me strongly believe that the certificate I have
been given actually was something like a PGP key in a "modern" format. So I
was convinced that I could convert it to the usual PGP key format somehow.

(Sidenote: The naming of that utility of course finally makes sense now
... I have done gpgsm <some options> and have wondered about the name of
that program more than one time :-)

> You seem to be confused between OpenPGP certificates and X.509
> certificates, and I think this is the root of your problem.

Not at the level of general understanding, but having been heavily
misled in this case (see above) ...

> Thunderbird already supports S/MIME and X.509 certificates natively, you
> do not need Enigmail for that.

Yes, I have configured Thunderbird often in all sorts of environments and
therefore have often come across the S/MIME configuration window. So I
knew it was in there, but I did not use it until now.

The actual cause of my problem, as you have already stated, is quite
simple: I just did not know nor assume nor even consider that the
certificate I have been given could be an S/MIME certificate. Now that I
know that, I am quite confident that I will be able to configure and use
S/MIME properly.

Once again, a big thanks for all the help and for your time!

Regards,

Binarus



Re: How to join pubring.kbx and pubring.gpg?

Binarus
In reply to this post by Juan Miguel Navarro Martínez
On 16.06.2017 14:46, Juan Miguel Navarro Martínez wrote:

[..]
> If you want to use OpenPGP, tell your partner to make an OpenPGP
> certificate using GnuPG or any OpenPGP-supporting software. You can then
> make PGP/Inline or PGP/MIME (if your email client/plugin supports it,
> Enigmail does) email.
[...]
> Enigmail only works with OpenPGP-related keys.
> gpg4win is only a suite of GnuPG-related software, with GPGSM for the
> management of X.509 certs. Kleopatra is only a front-end GUI client for
> both OpenPGP and X.509 operations with the respective GnuPG tools.
[...]
> As said above, if your partner uses X.509 then use X.509. If you want to
> use OpenPGP tell him to make an OpenPGP key.
[...]
> If he tries to decrypt a PGP/Inline or PGP/MIME message using an S/MIME
> client it won't work. He'll need a PGP/Inline or PGP/MIME compatible
> software for that (Thunderbird with Enigmail; Claws Mail, Mutt, etc...).
[...]
> It was announced on the mailing list of Gpg4Win. But you can also find the
> Beta directory link in the middle part of the "All Downloads" section on the
> Download page.
[...]
> And to reiterate again, Enigmail, as far as I know, will only support
> OpenPGP certificates or keys.
> Gpg4Win supports X.509 by using the GPGSM CLI tool or Kleopatra as a GUI
> front-end, but for S/MIME emails I would recommend an email client like
> Thunderbird.

Again, thank you very much for your time. I have got it now. I will just
use S/MIME to communicate with that partner.

Please see my previous post for a detailed explanation why I have been
worried so much (although it has been clear to me since a long time that
S/MIME and PGP are different things).

To make a long story short, my partner first asked me if I would like to
use PGP or S/MIME (I answered "PGP"), and then claimed that the
certificate he provided was a "PGP certificate".

Furthermore, I wouldn't have had the idea that gpgsm handled S/MIME
certificates (although I now understand why it is named gpg>SM<
:-)). In my naive world, GnuPG software (and gpgsm obviously falls into
that category) dealt only with PGP, not with S/MIME. Worlds change ...

For those three reasons, I did not even consider that the certificate my
partner provided could be an S/MIME certificate, but believed that it
would be some sort of "new, modern PGP certificate". If only I had
known that earlier ...

Sorry for the lengthy posts, and again: Thank you very much!

Binarus



Re: How to join pubring.kbx and pubring.gpg?

Daniel Kahn Gillmor-7
In reply to this post by Damien Goutte-Gattat
On Fri 2017-06-16 11:32:15 +0200, Damien Goutte-Gattat wrote:
> Well, there is the Monkeysphere's pem2openpgp tool [1], but AFAIK it
> only works with *private* keys, not public keys.

for the record, pem2openpgp works with both public keys and private
keys.

        --dkg
