Endpoint Encryption

  • 1.  PGP - 3079:signing key invalid

    Posted Nov 23, 2014 10:32 AM

    Hi,

    I am using PGP 10.3.2 command line on Windows-2008 and my client is using PGP 10.3.2 command line on Linux.

    We shared public keys, and on both sides the key was imported and signed with our private keys.

    I am able to decrypt the file sent by my client and don't see any issues. But when my client tries to decrypt the file sent by me, he is able to decrypt it but sees the message 3079:signing key invalid. I initially suspected that this could be because my client did not sign my public key and/or did not trust it in his key-ring after import. But this was not the case. My client imported my public key, signed and trusted it using his private key, but still encounters the same message while decrypting.

    Note: My client is using a trial version but I am using a licensed version. (I believe this shouldn't be an issue.)

    I don't see any issues with another client who is using PGP 10.3.2 command line on Windows-2008, but why does the 3079 message appear on the Linux version of PGP?

    Are we missing any steps? Kindly advise.
     
    Thank you,
    Sreenivas 


  • 2.  RE: PGP - 3079:signing key invalid

    Broadcom Employee
    Posted Nov 24, 2014 05:33 AM

    Hi mrsreeniv,

    As both sides can decrypt the file(s), do you see a 3037:cannot verify signature before the 3079:signing key invalid?

    If yes, did your client follow the same steps for signing and trusting as you? Are you able to verify the steps with him?

    Did you follow the KB below for signing:

    http://www.symantec.com/docs/TECH149450

    Also, apart from the above, the only difference (except the licensed version, which should not be the case, but without further tests I can't guarantee it 100%) is that PGP command line is used on Linux and Windows. So because of this, is there a chance to test this with another client of yours (if any) having the Windows version of PGP CMD to see if the issue persists?

    A workaround to get rid of the offending lines, if decryption works fine and the key is in fact verified, would be to append the stderr handling below to the pgp command line syntax on Linux:

    2>&1 | grep -v 'pgp:decrypt (3090:operation failed, unknown error)' | grep -v 'decrypt (3037:cannot verify signature)' | grep -v 'decrypt (3079:signing key invalid)'

     

     



  • 3.  RE: PGP - 3079:signing key invalid

    Posted Nov 24, 2014 07:05 AM
    Hi,

    There is no 3037 message before 3079. The following are the log messages when my client decrypts the file.

    3177: message signed by key ID 0x158...
    3038: signing key 0x158... Test-SIT
    3079: signing key invalid
    3040: signature created 2014-11-21. ..
    3170: signature hash SHA-256
    3035: good signature
    0: output file Test.txt

    The file is getting decrypted but 3079 remains. We are following the same steps given in the documentation to sign and trust the public keys. When we list the public key on both sides using pgp -l, we can see the flags [VT---] set, which means the key is imported, signed and trusted, right?

    I tested with another client who is using the same pgp version on Windows Server 2008. I don't see that 3079 message. It's only happening with the client using Linux. Please advise.

    Thank you,
    Sreenivas
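
The `grep -v` workaround suggested earlier in the thread hides status lines. As an added example (not part of any post and not Symantec's code), the script below classifies the decrypt output by status code, so that 3079 next to 3035 is reported as its own state. The verdict labels, function names and sample lines are constructed for illustration, and the `(CODE:message)` line format is assumed from the verbose output quoted in this thread.

```sh
#!/bin/sh
# Added example (not from the thread): classify PGP Command Line decrypt
# output by status code instead of deleting warning lines with grep -v.
# Assumption: each status line ends in "(CODE:message)", as in the verbose
# output quoted in this thread.

# Print the numeric status code of every status line on stdin.
pgp_status_codes() {
    sed -n 's/.*(\([0-9][0-9]*\):.*/\1/p'
}

# True if code $2 occurs in the newline-separated list $1.
has_code() {
    printf '%s\n' "$1" | grep -qx "$2"
}

# Read decrypt output on stdin and print one verdict (hypothetical labels):
#   failed            3090 operation failed
#   unverified        3037 cannot verify signature
#   unsigned          no 3035 good signature reported
#   good-key-invalid  3035 present, but signer key flagged with 3079
#   good              3035 present, no 3079
pgp_sig_verdict() {
    _codes=$(pgp_status_codes)
    if has_code "$_codes" 3090; then echo failed
    elif has_code "$_codes" 3037; then echo unverified
    elif ! has_code "$_codes" 3035; then echo unsigned
    elif has_code "$_codes" 3079; then echo good-key-invalid
    else echo good
    fi
}

# Constructed sample: the codes the Linux client reported in this thread.
SAMPLE_LINUX='Test.txt.pgp:decrypt (3079:signing key invalid)
Test.txt.pgp:decrypt (3170:signature hash SHA-256)
Test.txt.pgp:decrypt (3035:good signature)
Test.txt.pgp:decrypt (0:output file Test.txt)'

# Constructed sample: the same run without 3079, as described for Windows.
SAMPLE_WINDOWS='Test.txt.pgp:decrypt (3170:signature hash SHA-256)
Test.txt.pgp:decrypt (3035:good signature)
Test.txt.pgp:decrypt (0:output file Test.txt)'

# Real use: pgp --decrypt FILE -v 2>&1 | pgp_sig_verdict
printf '%s\n' "$SAMPLE_LINUX" | pgp_sig_verdict    # good-key-invalid
```

A calling script can branch on the verdict, for example accepting only `good` and logging `good-key-invalid` for key-ring review.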


  • 4.  RE: PGP - 3079:signing key invalid

    Broadcom Employee
    Posted Nov 25, 2014 05:26 AM

    Hi,

    On my Linux, when the key is signed I see the following:

     

    [root@keys1 bin]# ./pgp -l
     Alg  Type Size/Type Flags   Key ID     User ID
    ----- ---- --------- ------- ---------- -------
    *RSA4 pair 2048/2048 [-----] 0xD373AF0B user3 <user3@ag.dom>
    1 key found
    [root@keys1 bin]# ./pgp --list-sigs
     Alg  Type Size/Type Flags   Key ID     User ID
    ----- ---- --------- ------- ---------- -------
    *RSA4 pair 2048/2048 [-----] 0xD373AF0B user3 <user3@ag.dom>
     RSA  sig            [  -- ] 0xD373AF0B user3 <user3@ag.dom>
     RSA  sig?           [  -- ] 0x8E5E4A89
    1 key found
    [root@keys1 bin]#

     

    I can't see the VT flags, but --list-sigs gives a bit different output and the key is signed.
     

    I have encrypted a file on Windows 2008 PGP CMD and decrypted it on Linux (both PGP command line fully licensed)

    [root@keys1 bin]# ./pgp --version
    PGP Command Line 10.3.2 build 12268
    Copyright (C) 2014 Symantec Corporation. All rights reserved.
    All rights reserved.

     

    C:\Program Files\PGP Corporation\PGP Command Line>pgp --encrypt "testfiletoencry
    pt.txt.txt" --recipient "0xD373AF0B" -v
    pgp:encrypt (3157:current local time 2014-11-25T01:19:48-08:00)
    C:\Users\Administrator\Documents\PGP\pubring.pkr:open keyrings (1006:public keyr
    ing)
    C:\Users\Administrator\Documents\PGP\secring.skr:open keyrings (1007:private key
    ring)
    0xD373AF0B:encrypt (3064:key invalid)
    0xD373AF0B:encrypt (1030:key added to recipient list)
    testfiletoencrypt.txt.txt:encrypt (3048:data encrypted with cipher AES-256)
    Encoding testfiletoencrypt.txt.txt... 100% (⸥昱猥)
    testfiletoencrypt.txt.txt:encrypt (0:output file testfiletoencrypt.txt.txt.pgp)
    C:\Program Files\PGP Corporation\PGP Command Line>

     

    [root@keys1 bin]# ./pgp --decrypt "testfiletoencrypt.txt.txt.pgp" --recipient 0xD373AF0B --passphrase "user3pass" -v
    pgp:decrypt (3157:current local time 2014-11-25T10:24:42+01:00)
    /root/.pgp/pubring.pkr:open keyrings (1006:public keyring)
    /root/.pgp/secring.skr:open keyrings (1007:private keyring)
    Decoding file testfiletoencrypt.txt.txt.pgp... 100% (372B)
    testfiletoencrypt.txt.txt.pgp:decrypt (0:output file testfiletoencrypt.txt.txt)
    [root@keys1 bin]#

     



  • 5.  RE: PGP - 3079:signing key invalid

    Posted Dec 20, 2014 12:40 AM

    Hi,

    My client is using Linux CentOS. I understood from Symantec Technical Support that PGP command line is not supported on CentOS platform.

    Thank you.

     

     



  • 6.  RE: PGP - 3079:signing key invalid

    Broadcom Employee
    Posted Feb 04, 2015 05:31 AM

    Hi,

    Officially, as per the release notes of PGP command line 10.3.2

    PGP Command Line 10.3.2 Release Notes
    http://www.symantec.com/business/support/index?page=content&id=DOC7057

    only the following platforms are supported:

    ---snip---

    Supported Platforms
    You can install PGP Command Line on these platforms:
    Windows Server 2012 (64-bit), Windows Server 2012 R2 (64-bit), Windows 8.1 Enterprise (32- and 64-bit versions),
    Windows 8.1 Pro (32- and 64-bit editions), Windows 8 Enterprise (32- and 64-bit versions), Windows 8 Pro (32- and 64-bit
    editions), Windows Vista 32-bit and 64-bit (including Service Pack 2), Windows 7 32-bit and 64-bit (including Service Pack
    1), Windows Server 2003 32-bit and 64-bit (including Service Pack 2), Windows Server 2008 32-bit (including Service Pack
    2), Windows Server 2008 R2 (64-bit)
    HP-UX 11i and above for Itanium 2 and similar processors (64-bit)
    IBM AIX 7.1 (TL 2) PowerPC, 32- and 64-bit, IBM AIX 6.1 (TL 4 and greater) PowerPC, 32- and 64-bit, and IBM AIX 5.3
    (Technology Levels supported by IBM; as of July 2011, TL 11 and greater) PowerPC, 32- and 64-bit
    Red Hat Enterprise Linux 6.4 (32- and 64-bit), Red Hat Enterprise Linux 6.3 (32- and 64-bit), Red Hat Enterprise Linux 5.10
    (32- and 64-bit), Red Hat Enterprise Linux 5.9 (32- and 64-bit)
    SUSE Linux Enterprise Server (SLES) 11.3 (32- and 64-bit), SLES 11 SP3 (32- and 64-bit), SLES 10 SP4 (32- and 64-bit)
    Oracle Solaris 11 (64-bit), Oracle Solaris 11 (SPARC, 64-bit), Oracle Solaris 10 (32- and 64-bit), Oracle Solaris 10 (SPARC,
    32- and 64-bit), Oracle Solaris 9 (SPARC, 32- and 64-bit)

    For Oracle Solaris 9 on SPARC, we require the Oracle Solaris patch 111722-04 in order for the installation to succeed.
    Apple Mac OS X 10.9, Mac OS X 10.8.5, and Mac OS X 10.8.4
    Note:
    These platforms are no longer supported: Windows 2000, Red Hat Enterprise Linux 5.0, SLES (SUSE Linux
    Enterprise Server) 9, Oracle Solaris 9 (32- and 64-bit), Fedora Core 6, AIX 5.2 and Mac OS X 10.4

    ---------------------------

    I would try Red Hat to see if it's working. As you can see above, in my tests supported versions are working fine.

    Generally speaking, the source code of Red Hat is used in CentOS, so both distributions should be compatible.

    HTH