I'm not sure whether this is a subject for Enigmail or Gpg4Win.
My 1024-bit RSA key has been valid since 1996. I have been working all the time with different programs and versions. But in the meantime some of the older email addresses became invalid. In 2012 I decided to delete these invalid user names (email addresses). Deletion is not possible, only withdrawing.
With the update to Thunderbird 52.1.1, GnuPG API 1.4 is no longer supported. So I was required to also update to GnuPG version 2. After some hours of installation and configuration together with Gpg4Win I could get my system up again. Nearly everything works well now.
All older encrypted mails for me are readable.
All older signed mails from me are detected as validly signed and are readable.
That means that my public key and my secret key were used successfully in both cases.
But if I'm going to send a new mail (with encryption and/or signing), an error report occurs:
"The key with ID 0x... is withdrawn."
But this is wrong. The key is not withdrawn; only the old user ID is withdrawn.
This wrong error also occurs if I only want to encrypt without signing, which means my key is not necessary in this case.
Can you please attach a debugging log file? I also have keys with revoked user IDs - this alone won't block Enigmail in any way.
See https://www.enigmail.net/index.php/en/faq-en?view=topic&id=15 for creating a debugging log file.
Hi Patrick,
thanks for the immediate answer. Here is the log. Last activity was the error.
Juergen, 0x39870AC1 is a V2 format key. I strongly doubt that this key can be handled by recent GnuPG versions. The recent key format is V4, and has been for about 15 years or longer. I replaced my V3 key 8 years ago. I'd recommend generating a new key, also accounting for the fact that a key length of 1024 bits is no longer considered safe for future operation.
You can try this yourself. Open a command line prompt and type:
I would expect this to fail.
Hi Ludwig,
thanks for your suggestions. Yes, this might be a workaround. But not a solution. I hope a solution is possible. Don't laugh, but I'm proud of my old key :-)
Juergen
Juergen, you may be proud of your old key, but older versions of the
OpenPGP standard are flawed and have known problems. You do yourself
(and the people with whom you correspond) no favors by keeping around a
relatively small key that has been in use for over 20 years, and is in a
format that is known-broken.
Please generate a new key and start using it. This is what you want
going forward.
Patrick,
this is the answer:
gpg: Hinweis: Signaturen mit dem MD5 Hashverfahren werden zurückgewiesen.
So, how can I trace back to the working version that I still had last week? (GnuPG 1.4)
Or should I try to contact Werner Koch? Maybe it is not such a great action to implement this.
Juergen
Enigmail v1.9.x and newer does not work with GnuPG 1.4 anymore. The oldest version of Enigmail working with Thunderbird 52.x is 1.9.6. The only way to go back to GnuPG 1.4 is therefore to downgrade both Thunderbird and Enigmail.
Let me summarize.
This is not a technical problem because old mails are still readable in both directions.
The usage of these old keys is unwanted because of security risks.
The solution would be to generate a new key pair. A downgrade of the mail tools does not seem to be an option for me.
I think I'll send plaintext :-)
Appendix
Btw., in the command line console it works fine:
Encr: gpg2 -a -r 0x39870AC1 -e file.txt
Decr: gpg2 -a -r 0x39870AC1 -o file1.txt -d file.txt.asc
In both cases the warning above (not integrity protected because MD5) occurs. A warning is acceptable. But there is no reason to completely block further processing.
It may work today, but it will no longer work if you (or the people
trying to send you mail) upgrade gpg to a modern version of 2.1.x or
later.
You should replace your old key.
--dkg
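
The thread turns on the key packet version (V2/V3 versus V4) and the 1024-bit RSA modulus. As an added example, not code from Enigmail, GnuPG or any poster, this Python sketch reads both fields from a binary (non-armored) OpenPGP key such as the output of `gpg --export`; the names `read_packet`, `describe_key` and `sample_key` are hypothetical, and the sample packet is constructed, not a real key.

```python
KEY_TAGS = {5, 6, 7, 14}  # secret key, public key, secret subkey, public subkey

def read_packet(data, pos=0):
    """Return (tag, body, next_pos) for the packet that starts at pos."""
    hdr = data[pos]
    if not hdr & 0x80:
        raise ValueError("not a binary OpenPGP packet (ASCII-armored input?)")
    pos += 1
    if hdr & 0x40:  # new-format header: tag in the low 6 bits
        tag, first = hdr & 0x3F, data[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 224:
            length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
        elif first == 255:
            length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
        else:
            raise ValueError("partial body length is not expected on a key packet")
    else:  # old-format header: tag in bits 5-2, length type in bits 1-0
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length is not supported here")
        size = (1, 2, 4)[ltype]
        length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
    return tag, data[pos:pos + length], pos + length

def describe_key(data):
    pos = 0
    while pos < len(data):
        tag, body, pos = read_packet(data, pos)
        if tag in KEY_TAGS:
            version = body[0]
            if version not in (2, 3, 4):  # later layouts differ; report the version only
                return {"version": version, "algo": None, "rsa_bits": None, "legacy": False}
            # V2/V3 carry a 2-byte validity field before the algorithm id; V4 does not.
            off = 7 if version in (2, 3) else 5
            algo = body[off]
            # For RSA (ids 1-3) the first MPI is the modulus, prefixed by its bit count.
            bits = int.from_bytes(body[off + 1:off + 3], "big") if algo in (1, 2, 3) else None
            return {"version": version, "algo": algo, "rsa_bits": bits, "legacy": version < 4}
    raise ValueError("no key packet found")

def sample_key(version):
    """Constructed test packet (not a real key): 1024-bit RSA modulus, old-format header."""
    mpis = (1024).to_bytes(2, "big") + ((1 << 1023) | 1).to_bytes(128, "big")
    mpis += (17).to_bytes(2, "big") + (65537).to_bytes(3, "big")
    head = bytes([version]) + (0).to_bytes(4, "big") + (b"\x00\x00" if version < 4 else b"")
    body = head + b"\x01" + mpis
    return bytes([0x99]) + len(body).to_bytes(2, "big") + body
```

Calling `describe_key(open("key.gpg", "rb").read())` on an exported key (the file name is a placeholder) returns the same dictionary for real input.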