Evolution with GnuPG: "no imported public key", even though it is imported

I run Evolution with GnuPG on Debian buster (testing) amd64 to encrypt mail. My GPG private key lives on a YubiKey acting as a GPG smart card. Because Evolution could not load my calendar via CalDAV, I reset Evolution. CalDAV now works fine.

But after the reset another problem appeared: GPG encryption/signing no longer works. Decrypting mail works without problems.

Furthermore, I could not select my own GPG key in the account settings, even though it is imported correctly and listed by gpg -K

I can now select my key.

When I try to send an encrypted mail it fails, and Evolution shows the following error:

Could not create message.
You may need to select different mail options.
Detailed error: Failed to encrypt: Invalid recipient <[email protected]>  specified. A common issue is that the gpg2 doesn’t have imported public key for this recipient.

But my public key is imported. The same happens when I disable the option Always encrypt to myself when sending encrypted messages with this account. Then the error is:

Detailed error: Failed to encrypt: Invalid recipient <[email protected]> specified. A common issue is that the gpg2 doesn’t have imported public key for this recipient.

Encrypting/signing from the command line with the gpg command works fine. Using a private key that is not on the smart card does not work either. Resetting GPG and Evolution had no effect.

I have no idea what I should do now. Thanks everyone :)

Edit: output of strace -p $(pidof evolution) -f -e trace=execve while decrypting (works fine):

[pid  4613] execve("/usr/local/bin/gpg2", ["gpg2", "--verbose", "--no-secmem-warning", "--no-greeting", "--no-tty", "--status-fd=66", "--command-fd=67", "--verify-options", "show-photos", "--photo-viewer", "/usr/lib/evolution/camel-gpg-pho"..., "--decrypt", "--output", "-"], [/* 34 vars */]) = -1 ENOENT (No such file or directory)
[pid  4613] execve("/usr/bin/gpg2", ["gpg2", "--verbose", "--no-secmem-warning", "--no-greeting", "--no-tty", "--status-fd=66", "--command-fd=67", "--verify-options", "show-photos", "--photo-viewer", "/usr/lib/evolution/camel-gpg-pho"..., "--decrypt", "--output", "-"], [/* 34 vars */]) = 0

While encrypting (fails):

[pid  4537] execve("/usr/local/bin/gpg2", ["gpg2", "--verbose", "--no-secmem-warning", "--no-greeting", "--no-tty", "--batch", "--yes", "--status-fd=67", "--encrypt", "--armor", "-u", "[email protected]", "-r", "<[email protected]>", "--output", "-"], [/* 34 vars */]) = -1 ENOENT (No such file or directory)
[pid  4537] execve("/usr/bin/gpg2", ["gpg2", "--verbose", "--no-secmem-warning", "--no-greeting", "--no-tty", "--batch", "--yes", "--status-fd=67", "--encrypt", "--armor", "-u", "[email protected]", "-r", "<[email protected]>", "--output", "-"], [/* 34 vars */]) = 0

The file /usr/local/bin/gpg2 does not exist and does not seem to be part of any Debian package.

Edit 2: the command @Hauke Laging posted in the comments works, but I have to confirm the operation interactively (just as when I encrypt manually on the command line):

echo foo | /usr/bin/gpg2 --status-fd=1 --encrypt --armor -u [email protected] -r [email protected] --output -

Whereas the command Evolution tries to execute fails (I removed the <> as they cause problems in zsh):

➜  ~  gpg2 --verbose --no-secmem-warning --no-greeting --no-tty --batch --yes --status-fd=67 --encrypt --armor -u [email protected] -r [email protected] --output
gpg: Fatal: status-fd is invalid: Bad file descriptor

Setting --status-fd=1 still fails, but with a different error:

➜  ~ echo "foo" | gpg2 --verbose --no-secmem-warning --no-greeting --no-tty --batch --yes --status-fd=1 --encrypt --armor -u [email protected] -r [email protected] --output -
[GNUPG:] KEY_CONSIDERED <recipient's key fingerprint> 0
gpg: using pgp trust model
gpg: using subkey <recipient's encryption subkey id> instead of primary key <recipient's primary key id>
[GNUPG:] KEY_CONSIDERED <recipient's key fingerprint> 0
gpg: automatically retrieved '[email protected]' via Local
gpg: <recipient's encryption subkey id>: There is no assurance this key belongs to the named user
[GNUPG:] INV_RECP 10 [email protected]
[GNUPG:] FAILURE encrypt 53
gpg: [stdin]: encryption failed: Unusable public key

Edit 3: just tested: signing messages from Evolution works, just like decrypting.

When I encrypt a message manually on the command line, I get the following message, which I think is causing this problem:

➜  ~ echo "foo" | gpg --encrypt -r [email protected] --armor
gpg: automatically retrieved '[email protected]' via Local
gpg: <recipient's encryption subkey id>: There is no assurance this key belongs to the named user
sub  rsa4096/<recipient's encryption subkey id> 2015-10-14 Recipient's Name <[email protected]>
 Primary key fingerprint: <recipient's key fingerprint>
      Subkey fingerprint: <recipient's encryption subkey fingerprint>

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y
-----BEGIN PGP MESSAGE-----
[...]
-----END PGP MESSAGE-----

Edit 4: since the message above is caused by missing ownertrust (at least that is what I think), I wanted to set the recipient's ownertrust with gpg --edit-key (it had not been set before):

gpg> trust 
pub  rsa4096/<some key id>
     created: <some date in the past>  expires: <some date in the future>  usage: SCA 
     trust: unknown       validity: unknown
sub  rsa4096/<some other key id>
     created: <some date in the past>  expires: <some date in the future>  usage: E   
[ unknown] (1). Pecipient's Name <[email protected]>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 3

pub  rsa4096/<some key id>
     created: <some date in the past>  expires: <some date in the future>  usage: SCA 
     trust: marginal      validity: unknown
sub  rsa4096/<some other key id>
     created: <some date in the past>  expires: <some date in the future>  usage: E   
[ unknown] (1). Pecipient's Name <[email protected]>

So I set the recipient's ownertrust, but why does it still say [ unknown] at the end?

Answer 1

You have not understood yet how the OpenPGP validity scheme works. But apart from that: an application should not have a problem using an invalid key (so you might complain to the Evolution developers).

There are two ways (with GnuPG in standard mode) to make a certificate valid:

  1. Its ownertrust is set to ultimate.
  2. It carries a valid (i.e. not expired) signature from a (valid, i.e. not expired) key that has ultimate ownertrust.

That means: if no certificate in your keyring has ultimate ownertrust, you automatically lose.

Alternatively, you can change the trust model with

--trust-model direct

Then you can set the validity directly, the way you tried. But in any case the certificate must be "fully valid". Marginal validity is not enough.

I have explained this in detail on my website:

http://www.hauke-laging.de/sicherheit/openpgp.html#wot

The text is in German, but there are some images in that block which may help with understanding.

Answer 2

Enabling Always trust keys in my keyring for encrypting solved it for me.
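As an added example (not code from the question or either answer): a small Python check that parses the colon-delimited output of gpg --with-colons --list-keys and applies the rule from Answer 1, namely that under GnuPG's default pgp trust model a recipient key needs full or ultimate validity and that setting ownertrust alone does not change validity; the "always trust" switch from Answer 2 is assumed here to correspond to gpg's --trust-model always. The listings, key ids and address are constructed sample data.

```python
# Added example, not code from the original question or answers.
# Parses `gpg --with-colons --list-keys <recipient>` output (layout per GnuPG's
# doc/DETAILS: field 1 record type, 2 validity, 5 key id, 9 ownertrust on pub
# records, 12 capabilities) and applies the rule from Answer 1: with the default
# "pgp" trust model a recipient key needs validity 'f' (full) or 'u' (ultimate).
# Both listings below are constructed sample data, not real keys.

MARGINAL_TRUST_LISTING = """\
pub:-:4096:1:0123456789ABCDEF:1444780800:1760000000::m:::scESCA::::::::::0:
uid:-::::1444780800::UIDHASH::Recipient's Name <recipient@example.com>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1444780800:1760000000:::::e::::::23:
"""
# Same key after being (locally) signed by an ultimately trusted key: validity
# becomes 'f' while the ownertrust field is still only 'm' (marginal).
FULL_VALID_LISTING = MARGINAL_TRUST_LISTING.replace(":-:", ":f:")

VALID_FOR_ENCRYPTION = {"f", "u"}


def parse_listing(listing):
    """Return (validity, ownertrust, encryption_subkeys) for the first pub record;
    encryption_subkeys lists (key id, validity) of subkeys with capability 'e'."""
    validity = ownertrust = None
    enc_subkeys = []
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 12:
            continue
        if f[0] == "pub" and validity is None:
            validity, ownertrust = f[1], f[8]
        elif f[0] == "sub" and "e" in f[11]:
            enc_subkeys.append((f[4], f[1]))
    return validity, ownertrust, enc_subkeys


def recipient_usable(listing, trust_model="pgp"):
    """Mimic gpg's recipient check in --batch mode. Returns (usable, reason)."""
    validity, ownertrust, enc_subkeys = parse_listing(listing)
    if validity is None:
        return False, "no public key for this recipient"
    if not enc_subkeys:
        return False, "no encryption-capable subkey"
    if trust_model == "always":  # assumed equivalent of Evolution's "Always trust keys"
        return True, "trust-model always skips the validity check"
    if validity in VALID_FOR_ENCRYPTION:
        return True, "key validity is '%s'" % validity
    return False, ("validity '%s' with ownertrust '%s': gpg reports INV_RECP 10 "
                   "/ Unusable public key" % (validity, ownertrust))
```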