We have been using PGP 9.9 to decrypt one file on an old server. Now I have installed PGP 10.2 on a new AIX server and imported the key pair.
File is encrypted as follows --
Software version: gpg (GnuPG) 1.4.5
pgp --verbose --decrypt source_file -o output_file --symmetric-passphrase "passphrase"
It gives the following error --
pgp:decrypt (3157:current local time 2012-07-03T12:01:32-04:00
For files encrypted to your key, you need to use "--passphrase" to provide the passphrase of the key. "--symmetric-passphrase" is used to specify a passphrase to use for "conventional" (non-public-key) encryption.
"Bad parameters" is not the most helpful of error messages, sorry.
Edited to add:
Note, using "--passphrase" was always the correct syntax for decrypting with a key. However, using "--symmetric-passphrase" would have worked prior to 10.2. The ability to use "--symmetric-passphrase" in place of "--passphrase" was removed as part of a bug fix related to conventional file decryption.
Thank you for the reply. When I use the --passphrase option, the file is decrypted but the signature is not verified and the command completes with a non-zero return code.
decrypt (3037:cannot verify signature)
If I use the same command with older version of PGP (with --passphrase option), it also gives the same error message.
The file is signed, but you don't have a copy of the signer's key in your keyring, and so PGP Command Line gives you the message that it cannot verify the signature. The file still decrypted properly and so the output file will be created.
You can get rid of this error by importing the signer's key into your keyring. This warning will then go away to be replaced with another warning, "3079:signing key invalid", until you sign the key with "pgp --sign-key", signifying that you do indeed believe that this public key belongs to the UserID specified in the key.
I have already imported the private/public key. I am not sure if there is a separate key for signing the file.
PGP 9.9 (on an old server) also gives this message (decrypt (3037:cannot verify signature)) when using the --passphrase option. With the --symmetric-passphrase option, PGP 9.9 decrypts without any error. If the signer's key is not in my keyring, then it should give the 'cannot verify signature' error for both methods.
"pgp --verify source-file --passphrase [your private key passphrase]"
You'll see output like
I have tried this command on both 9.9 and 10.2. Both times it could not verify the signature. With 9.9 version, the command completes without any error but with 10.2 it says "pgp:verify (3090:operation failed, unknown error". Looks like the new version is more strict in verifying the signatures.
I will get the public key used to sign the file and then try.
Thank you for your timely assistance. I am still to hear from technical support person!
Though it was fairly long-standing behavior, we considered it a potential security issue -- the signature fails to verify, but we act as if nothing is wrong (except for printing a warning message). So we changed that behavior for 10.2.
After importing and signing the signature key, all the error messages have gone away.
It would have saved me many hours of time if, instead of calling the technical support people, I had posted on this forum straightaway.
Anyhow, it is all good now. Thank you very much...
Great, glad it's all working for you.
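The thread notes that versions before 10.2 only printed a warning when a signature could not be verified, so a batch job that trusts the output file needs its own check. The following is an added example, not part of the thread and not PGP Command Line's own tooling: a POSIX shell gate that rejects the decrypted file when the captured pgp output contains status 3037, 3079 or 3090, or when the exit status is non-zero. The function names and the sample lines (constructed from the messages quoted above) are assumptions.

```shell
#!/bin/sh
# Added example: fail-closed gate for a batch job that runs "pgp --decrypt".
# Output lines are assumed to look like those quoted in the thread:
#   "<name>:<operation> (<code>:<message>)"

# Print the numeric status code of each status line read on stdin.
pgp_status_codes() {
    sed -n 's/^.*(\([0-9][0-9]*\):.*$/\1/p'
}

# Usage: <captured pgp output> | signature_gate <pgp exit status>
# Prints a verdict and returns 0 only when the output file may be consumed.
signature_gate() {
    status="$1"
    verdict="accept"
    for code in $(pgp_status_codes); do
        case "$code" in
            3037) verdict="reject: signer's key not in keyring"; break ;;
            3079) verdict="reject: signing key not validated"; break ;;
            3090) verdict="reject: operation failed"; break ;;
        esac
    done
    # A non-zero exit status is never ignored, even without a known code.
    if [ "$verdict" = "accept" ] && [ "$status" -ne 0 ]; then
        verdict="reject: pgp exit status $status"
    fi
    printf '%s\n' "$verdict"
    [ "$verdict" = "accept" ]
}

# Constructed sample output, built from the messages quoted in the thread.
SAMPLE_UNVERIFIED='pgp:decrypt (3157:current local time 2012-07-03T12:01:32-04:00)
decrypt (3037:cannot verify signature)'
SAMPLE_UNTRUSTED='decrypt (3079:signing key invalid)'
SAMPLE_CLEAN='pgp:decrypt (3157:current local time 2012-07-03T12:01:32-04:00)'

# Demo: the 9.9-style case, where the exit status is 0 but the signature
# was not verified, is still rejected.
printf '%s\n' "$SAMPLE_UNVERIFIED" | signature_gate 0 || true
printf '%s\n' "$SAMPLE_CLEAN" | signature_gate 0 || true
```

In a real job the captured output and `$?` of the pgp command would be passed to `signature_gate`, and the output file deleted or quarantined on a non-zero return.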