Endpoint Encryption

  • 1.  3064: Key invalid

    Posted Aug 21, 2017 10:00 PM

    I get an error message, when encrypting a file:

    pgp --encrypt $filename --recipient $recipient --signer $signer --passphrase $passphrase --debug

                 0x.......:encrypt (3064: key invalid)

    pgp:encrypt (3157:current local time 2017-08-22T11:53:25+10:00)
    C:\PGP\pubring.pkr:open keyrings (1006:public keyring)
    C:\PGP\secring.skr:open keyrings (1007:private keyring)
     unhandled event 1
    Checking signatures... 100%
     unhandled event 2
    done
    0xABC444E0:encrypt (3064:key invalid)
    0xABC444E0:encrypt (1030:key added to recipient list)
     unhandled event 1
    Checking signatures... 100%
     unhandled event 2
    done
    Encoding .\out\sample.txt...
    .\out\sample.txt:encrypt (3048:data encrypted with cipher TripleDES)
    Encoding .\out\sample.txt... 100%
    Encode complete
    .\out\sample.txt:encrypt (0:output file .\out\sample.txt.pgp

    Output file created .pgp

                 Recipient can decrypt the file.

    I have Read the Following Document:

    https://origin-symwisedownload.symantec.com/resources/sites/SYMWISE/content/live/DOCUMENTATION/4000/DOC4570/en_US/pgpCmdline_1020_usersguide_en.pdf

    Page 283, Frequently Asked Questions > "Invalid" Keys

    1. I have imported Recipient Public Key

    pgp --import recipient.asc

    .\recipient.asc:import key (0:key imported as 0xABC444E0 recipients@email.com)

    2. Sign the Recipient Public Key

    pgp --sign-key recipient@email.com --signer 0xABC444E0 --sign-type exportable --passphrase ABCDEF

    0xABC444E0:sign key (0:certified user ID recipient@email.com)

     

    Windows Server 2012 R2
    
    PGP Command Line 10.4.1 build 41
    Copyright (C) 2016 Symantec Corporation. All rights reserved.
    Use of this product is subject to license terms.
    This Symantec product may contain open source and other third party materials
    that are subject to a separate license. Please see the applicable Third Party
    Notice at http://www.symantec.com/about/profile/policies/eulas/.

     

     



  • 2.  RE: 3064: Key invalid

    Posted Aug 25, 2017 09:52 AM

    You seem to be attempting to sign the imported key using itself.

    You can see the "key imported as 0xABC444E0 recipients@email.com" message.

    Which you then follow up by attempting to use the same Key ID above as the Signer when you entered "pgp --sign-key recipient@email.com --signer 0xABC444E0".

    You need to sign the imported key using your private key. The document you linked clearly shows an example, using the user identified as SMITH, to sign Alice Cameron's imported key.

    The commands have not changed in the latest version either:

    http://www.symantec.com/docs/DOC9492



  • 3.  RE: 3064: Key invalid

    Posted Sep 12, 2017 12:34 AM

    Not sure whether the following gives more of a clue:

    pgp --sign-key "recipients@email.com" --signer "signer@email.com" --sig-type local --passphrase "mypassphrase"
    0xABC444E0:sign key (0:certified user ID recipients@email.com)
    
    
    pgp --set-trust 0xABC444E0
    0xABC444E0:set trust (2023:cannot set trust on invalid key)
    pgp --verify recipients.asc
    recipients.asc:verify (3113:data is armored)
     Alg  Type Size/Type Flags   Key ID     User ID
    ----- ---- --------- ------- ---------- -------
     DSS  pub  2048/1024 [-----] 0xABC444E0 recipients@email.com
    1 key found
    recipients.asc:verify (3055:data contains the key 0xABC444E0 recipients@email.com)
    recipients.asc:verify (0:verify complete)


  • 4.  RE: 3064: Key invalid
    Best Answer

    Posted Sep 12, 2017 01:28 AM

    I have resolved the issue:

    Here is what I did to fix my issue.

    Important Step:

    pgp --set-trust 0x111DE6E9 --trust implicit

    where 0x111DE6E9 = signer@email.com Key ID


    Once I ran --set-trust, the warning message went away.

    My Scenario:

    I was exporting a key pair from one server and importing it into another server.

    Server 1: Contains the Public and Private Key

    pgp --export-key-pair "signer@email.com"

    This created signer@email.com.asc

     

    Server 2: Import the exported key above

    pgp --import signer@email.com.asc

    What is missing here is the Flags [VI] when using pgp --list-keys

     

    Important Step: Trust your imported Key

    pgp --set-trust 0x111DE6E9 --trust implicit

    where 0x111DE6E9 = signer@email.com Key ID

     

    After you have imported the recipient@email.com public key

    pgp --import recipient.email.com.asc

    you need to sign the recipient public key with your signer key (signer@email.com).

    pgp --sign-key "recipients@email.com" --signer "signer@email.com" --sig-type local --passphrase "mypassphrase"
    0xABC444E0:sign key (0:certified user ID recipients@email.com)
     

     

    Note:

    0x111DE6E9 and 0xABC444E0 are just dummy Key IDs.
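As an added example, not code from the thread or from PGP Command Line itself, here is a POSIX shell pre-flight check that parses a `pgp --list-keys` listing and reports, before you run `pgp --encrypt --signer ...`, a signer key that lacks implicit trust or a recipient key that is not valid. The column layout and the V/I flag letters are assumed from what the posts above show, and the sample listings are constructed using the thread's dummy Key IDs.

```shell
#!/bin/sh
# Added pre-flight check (not the thread's own code): parse a `pgp --list-keys`
# listing and report keys that would make `pgp --encrypt --signer ...` fail
# with 3064 "key invalid". Assumes the column layout shown in the thread
# (Alg Type Size/Type Flags KeyID UserID) and a bracketed Flags field such
# as [VI---], where V = valid and I = implicitly trusted, as the posts say.

# key_flags LISTING KEYID: print the flag letters of KEYID (brackets and
# dashes stripped); exit 1 if the key is not in the listing.
key_flags() {
    printf '%s\n' "$1" | awk -v id="$2" '
        $5 == id { f = $4; gsub(/[^A-Z]/, "", f); print f; found = 1 }
        END { if (!found) exit 1 }'
}

# has_flag FLAGS LETTER: succeed when LETTER is present in FLAGS.
has_flag() { case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac; }

# preflight LISTING SIGNER RECIPIENT: return 0 when both keys are usable,
# otherwise print the fix the thread arrived at and return 1.
preflight() {
    listing=$1 signer=$2 recipient=$3 rc=0
    sflags=$(key_flags "$listing" "$signer") || { echo "signer $signer not on keyring"; return 1; }
    rflags=$(key_flags "$listing" "$recipient") || { echo "recipient $recipient not on keyring"; return 1; }
    if ! has_flag "$sflags" V || ! has_flag "$sflags" I; then
        echo "signer $signer [$sflags]: run  pgp --set-trust $signer --trust implicit"
        rc=1
    fi
    if ! has_flag "$rflags" V; then
        echo "recipient $recipient [$rflags]: run  pgp --sign-key $recipient --signer $signer --sig-type local --passphrase <passphrase>"
        rc=1
    fi
    return $rc
}

# Constructed listings with the thread's dummy key IDs: BEFORE is the keyring
# right after the imports, AFTER is the same keyring once --set-trust and
# --sign-key have been run.
BEFORE=' Alg  Type Size/Type Flags   Key ID     User ID
----- ---- --------- ------- ---------- -------
 DSS  pair 2048/1024 [V----] 0x111DE6E9 signer@email.com
 DSS  pub  2048/1024 [-----] 0xABC444E0 recipients@email.com
2 keys found'
AFTER=$(printf '%s\n' "$BEFORE" | sed -e 's/\[V----\] 0x111DE6E9/[VI---] 0x111DE6E9/' -e 's/\[-----\] 0xABC444E0/[V----] 0xABC444E0/')

# Live use: preflight "$(pgp --list-keys)" 0x111DE6E9 0xABC444E0
if [ "${1:-}" = "--demo" ]; then
    preflight "$BEFORE" 0x111DE6E9 0xABC444E0 || echo "keyring needs fixing"
    preflight "$AFTER" 0x111DE6E9 0xABC444E0 && echo "keyring ready"
fi
```

Run it with `--demo` to see both the failing and the repaired keyring, or feed it the real listing as in the "Live use" comment.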