A Few GNU-Privacy Guard Notes



This page provides a quick reference to some of the common GNU Privacy Guard commands and a few issues that came up while using them.



Finding the Key ID

You need to have a key ID before you can request a key from a server.
Look at the top of a signed email for the signer's key ID, for example:

   Message was signed by Unknown Key 20B19259


Receiving a Key from a Server
[pete@nebula pete]$ gpg --keyserver certserver.pgp.com --recv-key 20B19259
gpg: Warning: using insecure memory!
gpg: requesting key 20B19259 from certserver.pgp.com ...
gpg: key 20B19259: public key imported
gpg: sig 20B19259.69: duplicated certificate - deleted
gpg: sig 20B19259.69: duplicated certificate - deleted
gpg: sig 20B19259.69: duplicated certificate - deleted
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)


Listing Keys
[pete@nebula pete]$ gpg --list-key
gpg: Warning: using insecure memory!
/home/pete/.gnupg/pubring.gpg
-----------------------------
pub  1024D/2442DB43 2001-07-31 Pete Nesbitt (Promoting the Bird) <peternola.bc.ca>
sub  1024g/01AF5D44 2001-07-31
 
pub  1024D/7FE12896 2001-08-01 Pete Nesbitt <pmnesbitt@home.com>
sub  1024g/2BDB90AC 2001-08-01

pub  1024R/20B19259 2000-09-20 CERT Coordination Center <cert@cert.org>


Sending a Key to a Server
[pete@nebula pete]$ gpg --keyserver certserver.pgp.com --send-key pmnesbitt@home.com
gpg: Warning: using insecure memory!
gpg: success sending to `certserver.pgp.com' (status=200)
[pete@nebula pete]$


Key Servers and Firewalls

The --keyserver option accepts a port as part of its argument. If your connection times out, your local firewall may be blocking the connection; the keyserver's default port is often LDAP port 389, but not always. Try HTTP on port 80 by appending the port to the server name.

For example:
gpg --keyserver certserver.pgp.com:80 --recv-key 20B19259
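The three steps above (read the key ID off the signer line, fetch it, and fall back to port 80 when the firewall blocks the keyserver's usual port) as one small script. This is an added example, not from the original notes; the GPG and KEYSERVER variables and the option of pointing GPG at a shell function for dry runs are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes: pull the key ID out of the
# mail client's "Message was signed by Unknown Key XXXXXXXX" line, then fetch
# it from the keyserver, retrying on port 80 if the default port is blocked.
# GPG and KEYSERVER are assumptions; GPG may name a shell function so the
# retry logic can be exercised without a real keyserver.
GPG=${GPG:-gpg}
KEYSERVER=${KEYSERVER:-certserver.pgp.com}

# key_id_from_signer_line LINE: print the 8-hex-digit ID following the word
# "Key" (upper-cased); exit 1 if the line carries no usable key ID.
key_id_from_signer_line() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i < NF; i++)
              if (tolower($i) == "key" && length($(i + 1)) == 8 &&
                  $(i + 1) ~ /^[0-9A-Fa-f]+$/) {
                  print toupper($(i + 1)); found = 1; exit
              } }
        END { exit found ? 0 : 1 }'
}

# fetch_key ID [SERVER]: --recv-key from SERVER; on failure (a timeout usually
# means the firewall blocks the keyserver port) retry the same server on
# port 80. Returns the exit status of the last gpg run.
fetch_key() {
    id=$1
    server=${2:-$KEYSERVER}
    if ! printf '%s' "$id" | grep -Eq '^[0-9A-Fa-f]{8}$'; then
        echo "fetch_key: '$id' is not an 8-digit hex key ID" >&2
        return 2
    fi
    if "$GPG" --keyserver "$server" --recv-key "$id"; then
        return 0
    fi
    echo "fetch_key: $server failed, retrying on port 80" >&2
    "$GPG" --keyserver "$server:80" --recv-key "$id"
}

# Usage: ./fetchkey.sh --from-line 'Message was signed by Unknown Key 20B19259'
if [ "${1:-}" = "--from-line" ]; then
    id=$(key_id_from_signer_line "$2") || { echo "no key ID in line" >&2; exit 1; }
    fetch_key "$id" "${3:-$KEYSERVER}"
fi
```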



Eliminating "using insecure memory" warnings

The warning means gpg could not lock its pages in RAM, so key material could be written out to swap; this matters if others have access to your system.
Locking memory needs root privileges, so to force gpg to run as user root, set the executable SUID:

[root@nebula /root]# ls -al /usr/bin/gpg
-rwxr-xr-x    1 root     root       542396 Feb 27 13:18 /usr/bin/gpg

[root@nebula /root]# chmod u+s /usr/bin/gpg
[root@nebula /root]# ls -l /usr/bin/gpg
-rwsr-xr-x    1 root     root       542396 Feb 27 13:18 /usr/bin/gpg


PGP & GNU-PG Compatibility Notes
  1. Why would your signature be invalid?
    On the PGP side, you seem to need to validate the signature yourself before it acknowledges it as valid. You need to "sign" the key to say you trust it.

  2. The Netscape plugin broke PGP on Windows 95 with Netscape 6.

  3. For PGP to read GNU-PG output you need to force --compress-algo 1 --cipher-algo 3des
    Sample command line:
    "gpg -o ./testtowin --compress-algo 1 --cipher-algo 3des -r pete_nesbitt@yahoo.com -e testtoencr"

    Note: These can both go into the ~/.gnupg/options file so they also apply to other apps such as email (drop the leading dashes):
    compress-algo 1
    cipher-algo 3des


  4. You need some kind of plugin for email; without it you cannot read any encrypted mail you send out, because you (most likely) do not have the recipient's private key to decrypt it.

  5. By default, it was set to sync with the key server when encrypting to an unknown key or verifying a signature.
    You may prefer not to enable these.

  6. KMail auto-decrypts and has the good line returns. PGP for Windows fails at the line-return characters (but see the Eudora section).

    Eudora & PGP supplied Plugin:

  7. I have not yet tried GNU PG for Windows. The people who would be using it want/need the GUI that PGP offers. I am sure that if a GNU PG graphical front end was available, Privacy Guard would be the better solution. It works so well with Linux, but then again... what did you expect.


original document created by Pete Nesbitt, August 2001