Page MenuHome GnuPG
Create Task
Maniphest T4535

gpgsm --sign prints misleading error message when using default key
Closed, ResolvedPublic
Actions

Description

When creating a signature with gpgsm --sign using the default key (without the -u option), the following error message it output:

gpgsm: certificate is not usable for signing

But the program still continues and creates the signature:

gpgsm: signature create

The first error message is confusing to the user, hinting that there is something wrong with the signing certificate.

The error message only occurs when the default signature key in the database is preceded by at least one public key with a keyUsage extension lacking the digitalSignature and nonRepuditions bits.

For example, the following key database triggers the error message.

$ gpgsm -k

/home/user/.gnupg/pubring.kbx
           ID: <ID of first key: root CA certificate without secret key>
           ...
    key usage: certSign crlSign
           ...
           ID: <ID of second key: signing key certificate with secret key available>
           ...
    key usage: digitalSignature certSign crlSign
           ...

The confusing error message is output by gpgsm_cert_use_sign_p as a side effect when gpgsm_get_default_cert enumerates the certificates in the key database, searching for the first key to use as the default signature key.

Revisions and Commits

rG GnuPG
rG32210e855c46 sm: Avoid confusing diagnostic for the default key.
rG521e7d4644ed sm: Avoid confusing diagnostic for the default key.

Related Objects

Event Timeline

misterzed88 created this task.May 23 2019, 9:53 AM
werner triaged this task as Low priority.May 27 2019, 3:29 PM
werner added projects: S/MIME, gnupg (gpg22).
werner added a commit: rG521e7d4644ed: sm: Avoid confusing diagnostic for the default key..May 27 2019, 3:48 PM
werner added a commit: rG32210e855c46: sm: Avoid confusing diagnostic for the default key..
werner closed this task as Resolved.May 27 2019, 3:49 PM
werner claimed this task.
werner added a subscriber: werner.

Thanks to your very good analysis, this was easy to fix.

There are some other places where we may get diagnostics which might be confusing. However, this would be a lot more work to fix thus I won't go after them.

werner mentioned this in T4509: Release GnuPG 2.2.16.May 28 2019, 5:08 PM
misterzed88 added a comment.May 29 2019, 8:51 AM

Thank you for a quick fix (despite this being a minor problem).