Kleopatra and certification of gpg keys

incedis

I have been trying to certify gpg keys using Kleopatra but to no avail.
Nothing actually happens, and there is no message.
I received two external keys. Imported those keys into Kleopatra. Tried to certify those keys and no go.
I created two keys myself using Kleopatra and everything is fine.
I checked the system logs and nothing.
I enabled verbose mode for the GnuPG system but nothing much as well. See below.

Code:
2021-12-04 08:21:39 gpg[14995] enabled debug flags: memstat trust extprog
2021-12-04 08:21:39 gpg[14995] keydb: handles=1 locks=0 parse=4 get=4
2021-12-04 08:21:39 gpg[14995] build=0 update=0 insert=0 delete=0
2021-12-04 08:21:39 gpg[14995] reset=1 found=4 not=1 cache=0 not=0
2021-12-04 08:21:39 gpg[14995] kid_not_found_cache: count=0 peak=0 flushes=0
2021-12-04 08:21:39 gpg[14995] sig_cache: total=13 cached=9 good=9 bad=0
2021-12-04 08:21:39 gpg[14995] random usage: poolsize=600 mixed=0 polls=0/0 added=0/0 outmix=0 getlvl1=0/0 getlvl2=0/0
2021-12-04 08:21:39 gpg[14995] rndjent stat: collector=0x0000000000000000 calls=0 bytes=0
2021-12-04 08:21:39 gpg[14995] secmem usage: 0/32768 bytes in 0 blocks
2021-12-04 08:21:43 gpg[15011] enabled debug flags: memstat trust extprog
2021-12-04 08:21:43 gpg[15011] keydb: handles=1 locks=0 parse=1 get=1
2021-12-04 08:21:43 gpg[15011] build=0 update=0 insert=0 delete=0
2021-12-04 08:21:43 gpg[15011] reset=0 found=1 not=1 cache=0 not=0
2021-12-04 08:21:43 gpg[15011] kid_not_found_cache: count=0 peak=0 flushes=0
2021-12-04 08:21:43 gpg[15011] sig_cache: total=4 cached=4 good=4 bad=0
2021-12-04 08:21:43 gpg[15011] random usage: poolsize=600 mixed=0 polls=0/0 added=0/0 outmix=0 getlvl1=0/0 getlvl2=0/0
2021-12-04 08:21:43 gpg[15011] rndjent stat: collector=0x0000000000000000 calls=0 bytes=0
2021-12-04 08:21:43 gpg[15011] secmem usage: 0/32768 bytes in 0 blocks

The trust level is also unknown, even though I did change the trust using gpg and Kleopatra.

Finally, the Kleopatra doc clearly says that certification should be possible for keys created by individuals, since there is no central authority to certify those keys.

Kleopatra doc:

Create a personal OpenPGP key pair
OpenPGP key pairs are created locally, and certified by your friends and acquaintances.
There is no central certification authority; instead, every individual creates a personal Web
Of Trust by certifying other user’s key pairs with his own certificate.

PS: I believe that keys that are not certified cannot be used by KMail. I verified it: I installed KMail and tried to decrypt the corresponding email that was encrypted with the key, and KMail says the key is unknown and cannot decrypt the email.

I guess I am confused between 'certify' and 'level of trust'. Aren't they the same?
 


Finally got it working and posting for visibility in the hope this may help. There are a lot of moving parts here, so your mileage may vary. I am using Arch/KDE.
Because I am using KDE, I had to add this line
Code:
pinentry-program /usr/bin/pinentry-qt
to 'gpg-agent.conf'. Then restart the agent:
Code:
gpg-connect-agent reloadagent /bye
Direct certification from Kleopatra did not work. I had to go through the CLI:

Code:
gpg --edit-key <yourkey>
trust <pick option>

After that, Kleopatra automagically started seeing the keys as trusted and certified. I could then use those keys with KMail for signing and encrypting.

I guess, if your PGP key is not protected by a passphrase, you may not have to go through all those steps.
 
I guess I am confused between 'certify' and 'level of trust'. Aren't they the same?
Level of trust is something only local to you, to receive warnings and concede some credibility if you receive signed messages.

Certification is publishing the fact that you trust a key, by signing it with yours and publishing the signature for everybody to see your trust. And certifying means ultimate trust as a matter of fact because you’re vouching for someone else’s identity and you’re putting your own trustability on the line: you’re sharing accountability to some extent in the case of a misuse of a key, if you’ve certified/signed it.

Certification has to do with the web of trust, but they’re not exactly the same. One is a means to achieve the other.

As said, certifying is the act of signing someone else’s key/certificate with your own, endorsing their key.

When a Certificate Authority issues you a certificate, your certificate is signed by that CA at the moment of issuing, and hence browsers and other public-facing systems, like gateways and firewalls, would trust your traffic and authenticate you or your domain if you use mutual TLS.

The above is the simplest web of trust, as it is a trusted entity (the CA) who trusts your certificate to the extent of signing it, and that makes everyone else trust it, as everybody factually trusts the CAs.

If you create a certificate on your machine, it is only trusted by you and it's signed by your machine: it's called a self-signed certificate. To achieve any web of trust, other users need to sign your certificate and publish the signatures (thereby certifying it).

At some point, someone I already trust will certify your keys, allowing me to trust it; in that case, you would have built your own web of trust to the extent of reaching my own.
 
I had to bring the level of trust higher using gpg, and then the keys became certified in Kleopatra.
The trust level I picked was option 5, which is 'trust in full'. Then Kleopatra automatically certified the keys. It did confuse me a great deal, because I thought it would either be fully trusted or certified, but not both. So now I know that if a key is fully trusted, then it is allowed to be certified. Is that the case? I did not try the other options when I used gpg, which were, below fully trusted, 'somewhat trusted', etc.
 
It sounds like it is just how Kleopatra chooses to do things.

From a PGP perspective, signing a key and publishing your signatures to the different keyservers forces you to set up ultimate trust for it, but not the other way around (you can ultimately trust a key but just not sign it). From how you describe it, it looks like Kleopatra calls it "certifying a key" to somehow represent the fully / ultimately trusted keys.

I don't think Kleopatra would automatically sign the keys and publish your signatures by default, whenever you chose the highest level of trust.
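One way to see the distinction the replies above describe, as an added example that is not code from the thread: parse `gpg --with-colons --list-sigs` records and report, per key, whether its validity comes from a third-party certification signature or only from the ownertrust you set locally with `trust`. The key ids, user ids and records below are constructed placeholders.

```python
# Constructed sample of `gpg --with-colons --list-sigs` output (placeholder key ids and
# user ids). Field layout (1-based): pub: 2=validity, 5=keyid, 9=ownertrust;
# sig: 5=signer keyid, 11=signature class ("13x" = exportable, "13l" = local only).
SAMPLE = """\
pub:u:3072:1:AAAA000011112222:1638600000:::u:::scESC::::::23::0:
uid:u::::1638600000::HASH1::Alice Example <alice@example.org>::::::::::0:
sig:::1:AAAA000011112222:1638600000::::Alice Example <alice@example.org>:13x:
pub:u:3072:1:BBBB333344445555:1638600000:::u:::scESC::::::23::0:
uid:u::::1638600000::HASH2::Bob Example <bob@example.org>::::::::::0:
sig:::1:BBBB333344445555:1638600000::::Bob Example <bob@example.org>:13x:
pub:f:3072:1:CCCC666677778888:1638600000:::-:::scESC::::::23::0:
uid:f::::1638600000::HASH3::Carol Example <carol@example.org>::::::::::0:
sig:::1:CCCC666677778888:1638600000::::Carol Example <carol@example.org>:13x:
sig:::1:AAAA000011112222:1638700000::::Alice Example <alice@example.org>:10x:
"""

# Signature classes 0x10-0x13 are user-id certifications (generic/persona/casual/positive).
CERT_CLASSES = ("10", "11", "12", "13")


def parse_listing(text):
    """Return {keyid: {validity, ownertrust, certifiers}} from colon-separated records."""
    keys, current = {}, None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 8:
            current = f[4]
            keys[current] = {"validity": f[1], "ownertrust": f[8], "certifiers": []}
        elif f[0] == "sig" and current is not None and len(f) > 10:
            signer, sigclass = f[4], f[10]
            # A self-signature only binds the user id to its own key; it is not a
            # certification by anyone else, so only foreign signers count here.
            if sigclass[:2] in CERT_CLASSES and signer != current:
                keys[current]["certifiers"].append((signer, sigclass[:2], sigclass.endswith("x")))
    return keys


def explain(key):
    """State whether validity comes from certification or only from local ownertrust."""
    third_party = bool(key["certifiers"])
    if key["ownertrust"] == "u" and not third_party:
        # Ultimate ownertrust makes a key valid with no signature at all: this is the
        # "trusted and certified" display the thread describes, without any certification.
        return "valid only because ownertrust is ultimate; nobody has certified it"
    if third_party and key["validity"] in ("f", "m"):
        return "valid through certification by " + ", ".join(c[0] for c in key["certifiers"])
    if third_party:
        return "certified, but by keys that are not trusted here, so still not valid"
    return "no certification and no local trust"
```

Run it on your own keyring by piping `gpg --with-colons --list-sigs` into `parse_listing`; the verdicts separate what `trust` changed (ownertrust) from what a real certification signature adds.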
 
I don't think Kleopatra would automatically sign the keys and publish your signatures by default, whenever you chose the highest level of trust.

It seems that is correct. I am not going to be definitive, as I am learning step by step, but Kleopatra seems to leave that to the user.
 
Small add-on that I just found out. Posting to help others. Again, a lot of moving parts, so your mileage may vary.
If in gpg.conf (.gnupg) you have the option use-agent commented out, the passphrase for the PGP key will not be asked for when using KMail. Just uncomment the option and the pop-up for your passphrase should appear using pinentry-qt (for KDE).
For the sake of understanding: could anyone let me know in what circumstances I would need to be using 'pinentry-loopback' mode? My understanding, reading the gpg doc, was that this would be the option to have the pop-up ask for the passphrase when using, for example, KMail. Apparently, I was wrong.
 