there is a need to track down problems.  We call this debugging, in a
way reminiscent of the moth jamming a relay in a Mark II box back in 1947.

Most of the problems are merely configuration and user problems, but
nevertheless they are the most annoying ones and responsible for many
gray hairs.  We try to give some guidelines here on how to identify and
solve the problem at hand.
* Debugging Tools::        Description of some useful tools.
* Debugging Hints::        Various hints on debugging.
* Common Problems::        Commonly seen problems.
* Architecture Details::   How the whole thing works internally.
provided by @command{gpgsm} or @command{gpg}.

certificates are stored in a standard way and directly available from
@command{gpgsm}.

To find duplicated certificates and keyblocks in a keybox file (this
should not occur, but sometimes things go wrong), run it using
@samp{kbxutil --find-dups ~/.gnupg/pubring.kbx}.
@section Various hints on debugging.

@item How to find the IP address of a keyserver

If a round robin URL is used for a keyserver (e.g. subkeys.gnupg.org),
it is not easy to see which server is actually used.  Using the
keyserver debug option as in

gpg --keyserver-options debug=1 -v --refresh-key 1E42B367

is thus often helpful.  Note that the actual output depends on the
backend and may change from release to release.
@node Common Problems

making use of ssh.
@item Exporting a secret key without a certificate

It may happen that you have created a certificate request using
@command{gpgsm} but have not yet received and imported the certificate
from the CA.  However, you want to export the secret key to another
machine right now and import the certificate there later.  You can do
this with a little trick, but it requires that you know the approximate
time you created the signing request.  By running the command

ls -ltr ~/.gnupg/private-keys-v1.d

you get a listing of all private keys under control of @command{gpg-agent}.
Pick the key which best matches the creation time and run the command

/usr/local/libexec/gpg-protect-tool --p12-export ~/.gnupg/private-keys-v1.d/@var{foo} >@var{foo}.p12

(Please adjust the path to @command{gpg-protect-tool} to the appropriate
location.)  @var{foo} is the name of the key file you picked (it should
have the suffix @file{.key}).  A Pinentry box will pop up and ask you
for the current passphrase of the key and a new passphrase to protect it

To import the created file on the other machine, use this command:

/usr/local/libexec/gpg-protect-tool --p12-import --store @var{foo}.p12

You will be asked for the PKCS#12 passphrase and a new passphrase to
protect the imported private key at its new location.
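The manual leaves the matching of a key file to the remembered creation time to the reader's eye. The following script is an added example, not part of the GnuPG documentation or the project's own code: given the approximate time you created the request, it picks the file under @file{private-keys-v1.d} whose modification time is closest, and prints the @command{gpg-protect-tool} export command instead of running it, so the choice can be checked before any passphrase is entered. It assumes GNU coreutils (@samp{stat -c %Y}, @samp{date -d}) and the tool path used above; the @code{PROTECT_TOOL} variable, the function names and the timestamps in the usage line are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the GnuPG manual): find the private key file whose
# mtime is nearest to the time you remember creating the certificate request,
# then print the gpg-protect-tool export command for it.
# Assumptions: GNU coreutils (stat -c %Y, date -d); gpg-protect-tool lives at
# the path in PROTECT_TOOL (the manual's example path is the default).

PROTECT_TOOL=${PROTECT_TOOL:-/usr/local/libexec/gpg-protect-tool}

# nearest_key_file DIR EPOCH
# Prints the *.key file in DIR whose modification time is closest to EPOCH
# (seconds since 1970).  Returns 1 when DIR holds no *.key files.
nearest_key_file() {
    dir=$1
    target=$2
    best=""
    best_delta=""
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue            # no match: the glob stays literal
        mtime=$(stat -c %Y "$f")
        delta=$((mtime - target))
        if [ "$delta" -lt 0 ]; then
            delta=$((-delta))               # absolute distance from the target
        fi
        if [ -z "$best" ] || [ "$delta" -lt "$best_delta" ]; then
            best=$f
            best_delta=$delta
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# export_command KEYFILE
# Prints (does not run) the export command from the manual, naming the
# PKCS#12 output after the keygrip, i.e. the key file name without ".key".
export_command() {
    keyfile=$1
    base=$(basename "$keyfile" .key)
    printf '%s --p12-export %s >%s.p12\n' "$PROTECT_TOOL" "$keyfile" "$base"
}

# Usage (constructed example):  sh pick-key.sh '2023-11-14 22:13'
if [ $# -eq 1 ]; then
    when=$(date -d "$1" +%s)
    keydir=${GNUPGHOME:-$HOME/.gnupg}/private-keys-v1.d
    key=$(nearest_key_file "$keydir" "$when") || {
        echo "no .key files found in $keydir" >&2
        exit 1
    }
    echo "Best match: $key"
    echo "Run:        $(export_command "$key")"
fi
```

Run it with the approximate request time as its only argument; it only prints the command, so nothing is exported until you copy the line and run it yourself. If two files have nearly the same mtime, re-check them with @samp{ls -ltr} before exporting.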
Note that there is no easy way to match existing certificates with
stored private keys because some private keys are used for Secure Shell
or other purposes and don't have a corresponding certificate.
@item A root certificate does not verify

A common problem is that the root certificate lacks the required
basicConstraints attribute and thus @command{gpgsm} rejects this
certificate.  An error message indicating ``no value'' is a sign of
such a certificate.  You may use the @code{relax} flag in
@file{trustlist.txt} to accept the certificate anyway.  Note that the
fingerprint and this flag may only be added manually to
@file{trustlist.txt}.
@item Error message: ``digest algorithm N has not been enabled''

The signature is broken.  You may try the option
@option{--extra-digest-algo SHA256} to work around the problem.  The
number N is the internal algorithm identifier; for example 8 refers to
* GnuPG-1 and GnuPG-2::    Relationship between the two branches.

@node GnuPG-1 and GnuPG-2
@subsection Relationship between the two branches.

Here is a little picture showing how the components work together:

@image{gnupg-card-architecture, 10cm}

Let's try to explain it: