
#699 After creating new key, can't sign anymore

invalid
nobody
None
1.9.8
Major
52.2.1
2.1.21
All
---
nobody
2017-08-15
2017-08-15
No

My key 1377 B867 recently expired, and I created a new key, D002 AD59, already a few weeks ago, and set its trust to "absolute". The email address for it is manuel@enigmage.de, in both cases, and I'm pretty sure I didn't mistype it. Anyways, for good measure, I assigned my new key specifically to my Thunderbird account.

I sign mails by default, and I encrypt drafts. Now whenever I create a new mail, I get error messages every minute or so. One of them just dumps these messages here:

KEYEXPIRED 1502552852
KEY_CONSIDERED B6FC54C04F844B94592681ED55DB0FF21377B867 3
INV_RECP 0 55DB0FF21377B867
FAILURE encrypt 53

Note this is the old key, which I've purged from every config option in Enigmail I could find.

Another one says, even when I just try to save the mail without sending it:

Unable to save your message as a draft.
Sending of the message failed.

When I send a mail to another address, it delivers the mail with a correct signature of my new key.

When I try to send an encrypted mail to myself, it'll say:

Sending of the message failed.

When I turn off encryption, it'll work.

So it seems that Enigmail still somehow tries to encrypt with my old key. Why? How do I turn it off?

Discussion

  • Ludwig Hügelschäfer

    There are 2 general pitfalls when replacing your own key:

    1. You haven't registered the new key for all accounts and/or registered identities.
    2. You have specified the old key in gpg.conf
     
    • Manuel Bärenz

      Manuel Bärenz - 2017-08-15

      Thanks! That maybe brought me a step forward.

      1. I checked again, no account has the old key.
      2. That's right, my gpg.conf wasn't up to date. I changed it to the new key now. Now the error message goes:
      KEY_CONSIDERED 2DEE9D239F065826DA5680E373989AFCD002AD59 2
      KEY_CONSIDERED 2DEE9D239F065826DA5680E373989AFCD002AD59 0
      INV_RECP 0 80E373989AFCD002AD59
      FAILURE sign-encrypt 9
      

      Note that this is now my valid new key. The other error messages persist unchanged.

       

      Last edit: Manuel Bärenz 2017-08-15
  • Patrick Brunschwig

    • status: open --> invalid
     
    • Manuel Bärenz

      Manuel Bärenz - 2017-08-15

      I don't see how this bug is invalid. It still persists, please see my answer to Ludwig Hügelschäfer's comment.

      An additional error message I sometimes see is this one:

      INV_RECP 0 80E373989AFCD002AD59
      FAILURE encrypt 9
      
       
      • Patrick Brunschwig

        KEY_CONSIDERED 2DEE9D239F065826DA5680E373989AFCD002AD59 **2**
        

        The error number at the end means "All subkeys of the key are expired or have been revoked." This explains why GnuPG cannot use your new key. You can check the structure of the key using the Key Details window of the Enigmail Key Manager.

         
        • Manuel Bärenz

          Manuel Bärenz - 2017-08-15

          I have checked the structure of my new key, itself and all subkeys are valid until 2022.

           
          • Patrick Brunschwig

            Please try the following command on the command line:

            gpg2 -u 0x2DEE9D239F065826DA5680E373989AFCD002AD59 --clearsign <<EOT
            Test
            EOT
            

            Does it succeed?

             
            • Manuel Bärenz

              Manuel Bärenz - 2017-08-15

              Yes, that works.

              For fun, I also tried it with --encrypt, and that says that the public key is missing! Which is strange, because this certainly is the fingerprint of the public subkey. And I've created the key with Enigmail. And gpg2 -k | grep AD59 spits out the key.

               
              • Patrick Brunschwig

                Ah, yes. Sorry, INV_RECP is for encryption. This means that gpg cannot find the public key. I'd suggest you try to export your secret key (gpg2 -o someFile --export-secret-key 0x2DEE9D239F065826DA5680E373989AFCD002AD59) and then re-import it (gpg2 --import someFile). This should in theory re-create your public key.

                Actually you may have run into a bug of GnuPG 2.1.21 that was fixed in a later version. I think there was a bug that may corrupt your public key ring.

                 
                • Manuel Bärenz

                  Manuel Bärenz - 2017-08-16

                  Hmm, good idea, but unfortunately didn't change anything. Not even when I exported (the secret key), deleted and then reimported it.

                   
                  • Patrick Brunschwig

                    Then I'd recommend that you first install a different version of gpg that doesn't have that bug. Then you export all public and secret keys, delete your complete keyring and then re-import all keys.

                    In any case, this is more a gpg problem than an issue with Enigmail.

                     
  • Patrick Brunschwig

    To 1: see menu Tools (Windows/Mac) or Edit (Linux) > Account Manager > OpenPGP Settings (and also check all identities).
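
The status lines quoted in this thread can be decoded mechanically. The following is an added example, not part of the ticket and not Enigmail or GnuPG code, that maps them to the meanings given in GnuPG's doc/DETAILS and the libgpg-error code list; the function names and the partial lookup tables are this example's own.

```python
from datetime import datetime, timezone

# Constructed sample: the status lines quoted in the ticket, in order.
SAMPLE = """\
KEYEXPIRED 1502552852
KEY_CONSIDERED B6FC54C04F844B94592681ED55DB0FF21377B867 3
INV_RECP 0 55DB0FF21377B867
FAILURE encrypt 53
KEY_CONSIDERED 2DEE9D239F065826DA5680E373989AFCD002AD59 2
KEY_CONSIDERED 2DEE9D239F065826DA5680E373989AFCD002AD59 0
INV_RECP 0 80E373989AFCD002AD59
FAILURE sign-encrypt 9
"""

# Subsets of the meanings listed in GnuPG's doc/DETAILS.
KEY_FLAGS = {1: "key has not been selected",
             2: "all subkeys of the key are expired or have been revoked"}
INV_REASONS = {0: "no specific reason given", 1: "not found", 5: "key expired"}
# libgpg-error codes (subset); the low 16 bits carry the error code.
GPG_ERRORS = {9: "No public key", 53: "Unusable public key"}

def decode_line(line):
    """Decode one status line into (keyword, subject, meaning), or None."""
    fields = line.replace("[GNUPG:]", "", 1).split()
    if not fields:
        return None
    kw, args = fields[0], fields[1:]
    try:
        if kw == "KEYEXPIRED":
            when = datetime.fromtimestamp(int(args[0]), tz=timezone.utc)
            return kw, args[0], when.strftime("expired %Y-%m-%d %H:%M:%S UTC")
        if kw == "KEY_CONSIDERED":
            flags = int(args[1])  # bit field: several flags can be set at once
            bits = [text for bit, text in KEY_FLAGS.items() if flags & bit]
            return kw, args[0], "; ".join(bits) or "no flags set"
        if kw == "INV_RECP":
            return kw, args[1], INV_REASONS.get(int(args[0]), "other reason")
        if kw == "FAILURE":
            code = int(args[1]) & 0xFFFF
            return kw, args[0], GPG_ERRORS.get(code, f"gpg-error code {code}")
    except (IndexError, ValueError):
        return kw, "", "could not decode arguments"
    return kw, " ".join(args), "not decoded here"

def decode_status(text):
    return [d for d in map(decode_line, text.splitlines()) if d]

if __name__ == "__main__":
    print(*decode_status(SAMPLE), sep="\n")
```
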

     
