Linux – gpg: import failure key xxxxxxxx: no valid user IDs

encryptiongnupglinuxpgppublic-key-encryption

i am getting this error while importing a public key on gpg (GnuPG) 1.4.2

gpg: armor header: Version: GnuPG v2.0.14 (GNU/Linux)
gpg: pub  xxxxx/xxxxxxxx 2012-05-25  abcd xyz <email@address.com>
gpg: DSA requires the use of a 160 bit hash algorithm
gpg: DSA requires the use of a 160 bit hash algorithm
gpg: key xxxxxxxx: invalid self-signature on user ID "abcd xyz <email@address.com>"
gpg: DSA requires the use of a 160 bit hash algorithm
gpg: DSA requires the use of a 160 bit hash algorithm
gpg: key xxxxxxxx: invalid subkey binding
gpg: key xxxxxxxx: skipped user ID "abcd xyz <email@address.com>"
gpg: key xxxxxxxx: skipped subkey
:pg: key xxxxxxxx: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: Total number processed: 1
gpg:           w/o user IDs: 1

Even after adding "allow-non-selfsigned-uid" in my options file. gpg say its not safe to encrypt using this key. Is there anything the we must do during exporting the public key to fix this ?

Best Answer

It might also be a version conflict: The key (originating from gpg v2.x) may have some feature old 1.4 series gpg doesn't understand.

(Similar, misleading error messages are given if you try to feed a pre-2.1 gpg with an elliptic curve key that you can create using gpg --expert in version 2.1 or newer.)

Related Solutions

How to verify the trust path to a gpg key

You're right to be concerned; that Julien Danjou guy is slippery. (Kidding!)

I believe you're looking for this command:

gpg --list-keys --list-options show-uid-validity 8B78A5C2

Verifying files with GPG, without a .sig or .asc file

Received an explanation from the GNU/GCC team about this, and the .sig files were missing due to an error with file replication to their mirror servers. From the team:

Interestingly, the .sig files are only on the GNU server (e.g., http://ftp.gnu.org/gnu/gcc/gcc-4.8.0/) but not on the GCC server (e.g., ftp://gcc.gnu.org/pub/gcc/releases/gcc-4.8.0/). As the latter is used by the mirrors, it is also not available on the mirrors.

I found the .sig files on the GNU server like they suggested, but then had to dig some more to find the "GNU keyring file" required to actually verify the signature. All in all, the verification process was:

$ wget http://www.netgull.com/gcc/releases/gcc-4.8.0/gcc-4.8.0.tar.gz
$ wget http://ftp.gnu.org/gnu/gcc/gcc-4.8.0/gcc-4.8.0.tar.gz.sig
$ wget ftp://ftp.gnu.org/gnu/gnu-keyring.gpg
$ gpg --verify --keyring ./gnu-keyring.gpg ./gcc-4.8.0.tar.gz.sig

gpg: Signature made Fri 22 Mar 2013 08:32:29 AM CDT using DSA key ID C3C45C06
gpg: Good signature from "Jakub Jelinek <jakub@redhat.com>"
gpg: Note: This key has expired!
Primary key fingerprint: 33C2 35A3 4C46 AA3F FB29  3709 A328 C3A2 C3C4 5C06

Hopefully this helps anyone else trying to verify a tarball downloaded from one of GCC's mirror sites.

Best Answer

Related Solutions

How to verify the trust path to a gpg key

Verifying files with GPG, without a .sig or .asc file

Related Question