In GPG, my own uid presents as [ full ] rather than [ ultimate ].

gpg --list-keys --with-sig-check

pub   ed25519 2025-07-02 [SC] [expires: 2030-07-01]
      GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG
uid           [  full  ] Me 
sig!3        XXXXXXXXXXXXXXXX 2025-07-02  [self-signature]
sig!3        XXXXXXXXXXXXXXXX 2025-07-04  [self-signature]
sig!         YYYYYYYYYYYYYYYY 2025-07-03  Person1
sig!         ZZZZZZZZZZZZZZZZ 2025-07-03  Person2
sub   cv25519 2025-07-02 [E] [expires: 2030-07-01]
sig!         XXXXXXXXXXXXXXXX 2025-07-02  [self-signature]
sub   ed25519 2025-07-02 [S]
sig!         XXXXXXXXXXXXXXXX 2025-07-02  [self-signature]

This is pretty weird. If I delete the uid

adduid
uid 2
primary
uid 2
uid 1
deluid

and recreate it:

adduid
uid 2
primary
uid 2
uid 1
deluid

I end up with

gpg --list-keys --with-sig-check

pub   ed25519 2025-07-02 [SC] [expires: 2030-07-01]
      GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG
uid           [ultimate] Me 
sig!3        XXXXXXXXXXXXXXXX 2025-07-04  [self-signature]
sub   cv25519 2025-07-02 [E] [expires: 2030-07-01]
sig!         XXXXXXXXXXXXXXXX 2025-07-02  [self-signature]
sub   ed25519 2025-07-02 [S]
sig!         XXXXXXXXXXXXXXXX 2025-07-02  [self-signature]

but once I import Person1 and Person2's signatures, I'm back to [ full ]. What's going on here?

My PGP-key follows the long-lived-mainkey-short-time-subkeys pattern. Thus I already have 12 expired subkeys attached to my mainkey. When handing out my key today, there seems to be not much reason to include the expired encryption subkeys - nobody's going to need them anymore. Is there a way to only export a few of the **public** subkeys along with the (public) mainkey? I tried to explicitly export the two current subkeys, which should provoke the mainkey to be exported alongside:

gpg -a --export   >output.file

But this command exported the complete key: mainkey with *all* subkeys.

How can I export *only* those non-expired public keys from my gpg keyring? If I export all of the public keys in my keyring, the ascii armored output file is several megabytes large, and it contains a lot of unusable keys that expired years (or decades) ago. I want to export only a subset of the public keys in my keyring -- just those that haven't yet expired. How can I export only these non-expired keys from gpg?

I'm trying to understand why Debian identifies .key files as PGP files instead of Apple Keynote files. The mime.types file from Debian's repository lists .key files as PGP: https://salsa.debian.org/debian/media-types/-/blob/master/mime.types?ref_type=heads . However, according to the IANA registry, .key is designated as an Apple Keynote file: https://www.iana.org/assignments/media-types/application/vnd.apple.keynote . What is the reason for this discrepancy?

Based on [this answer](https://unix.stackexchange.com/a/775900/384822) , I followed [this guide](https://earthly.dev/blog/creating-and-hosting-your-own-deb-packages-and-apt-repo/) to create a local apt repository. Now I an specifying that debootstrap use my repository with file:path/to/my/apt/repo. When debootstrap runs, I get this:

I: Target architecture can be executed
I: Retrieving InRelease 
I: Checking Release signature
E: Release signed by unknown key (key id ***REDACTED***)
   The specified keyring /files/raspberrypi.gpg may be incorrect or out of date.
   You can find the latest Debian release key at https://ftp-master.debian.org/keys.html 

For some background, I am using [pi-gen](https://github.com/RPi-Distro/pi-gen) to generate raspberry pi images. They provide a file called raspberrypi.gpg, which I believe is the keyring for raspbian.raspberrypi.com. However, I want to use my local apt repo instead of the public internet one. So I am replacing http://raspbian.raspberrypi.com/raspbian with file:path/to/my/apt/repo so that debootstrap will be able to pull packages from my local apt repo instead of pulling them from the internet. So essentially I think I need to create an equivalent my-apt-repo.gpg file, but all I have after following the above linked tutorial is the following: - Release, which I think is the header of my apt repo - Release.gpg, which I think is a signed version of Release - InRelease, which I think is a combination of Release and Release.gpg - my-pgp-key.private which is the private key I used to sign the Release file - my-pgp-key.public which is the public key corresponding to the private key So somehow from these I think I need to create my-apt-repo.gpg which should allow me to actually use the apt repo. But I do not know how to create this file.

Is there a way to load the password of the pgp key, a bit like it happens with Keepass with ssh keys? For example with Keepass? Or Kleopatra?

https://sks-keyservers.net/ ([Internet Archive snapshot](https://web.archive.org/web/20220119094712/https://www.sks-keyservers.net/)) says > This service is deprecated. This means it is no longer maintained, and new HKPS certificates will not be issued. Service reliability should not be expected. > > Update 2021-06-21: Due to even more GDPR takedown requests, the DNS records for the pool will no longer be provided at all. Which keyservers can I use for gpg --keyserver "$keyserver1" --recv-key keyid that I can expect not will go away anytime soon?

eg.: https://www.freebsd.org/security/advisories/FreeBSD-SA-24:08.openssh.asc The **Question**: how can i make an openssh.asc file from my plain TXT file? And how can i verify it? Does it always needs to be max 78 character long per line?

I am trying to download an update for a piece of software, and my package manager says that the key is invalid and thus warns me. W: Failed to fetch https://deb.torproject.org/torproject.org/dists/buster/InRelease The following signatures were invalid: EXPKEYSIG 74A941BA219EC810 deb.torproject.org archive signing key Then the output after listing the key in GPG.

pub   rsa2048/0xEE8CBC9E886DDD89 2009-09-04 [SC] [expires: 2022-08-05]
      Key fingerprint = A3C4 F0F9 79CA A22C DBA8  F512 EE8C BC9E 886D DD89
uid                   [ unknown] deb.torproject.org archive signing key
sub   rsa2048/0x74A941BA219EC810 2009-09-04 [S] [expires: 2020-11-23]
      Key fingerprint = 2265 EB4C B2BF 88D9 00AE  8D1B 74A9 41BA 219E C810

As you can see, the subkey has expired recent to writing this post. I went to the developer's website and the signing key is unchanged. How do I continue the software update without skipping the signing process?

I am trying to backup a disk image of a local system to a remote system, in a way I can automate by bash script at a later point. Backing up and restoring was going well until I introduced encryption, now I think I'm getting a backup but having difficulty restoring. I'm hoping someone can spot what I'm doing wrong or whether what I'm trying to do isn't possible using these tools. To be more specific I am using: - **dd** - to image the disk - **gzip** - to compress the image - **gpg** - to encrypt the compressed image - **ssh** - to transfer the image to the: - ***Backup Controller*** (192.168.1.10) which will be used to store and retrieve backups on. I will refer to it as *remote* because it is seperate to the *local* system I am aiming to back up. Taking a step back to simplify it (without encryption) and to to show you what **I did have working**: **Backing Up:** dd if=/dev/sda | gzip --best - | ssh user@192.168.1.10 dd of=/home/user/sys1-backup.gz.img This backups up the local drive (/dev/sda) to the remote *Backup Controller* whilst compressing it with a high level of compression. **Restoring Backup:** When restoring I live boot to something like gparted or Turnkey Linux Core and run: ssh user@192.168.1.10 dd if=/home/user/sys1-backup.gz.img | gunzip -d - | sudo dd of=/dev/sda This connects to a remote *Backup Controller*, pipes dd through gunzip to decompress the image and then restores it to the local disk successfully. **That works.** But when I try to introduce encryption (pgp) things fail when restoring. **Backing up with Encryption**: dd if=/dev/sda | gzip --best - | gpg -q --symmetric --cipher-algo AES256 --yes --batch --passphrase MySuperSecurePassword | ssh user@192.168.1.10 dd of=/home/user/servername-disk.gz.gpg To the best of my knowledge I think this part (backing up) is working with encryption. **Restoring with Encryption** - (which I think is failing): ssh user@192.168.1.10 dd if=/home/user/servername-disk.gz.gpg | gpg -q --symmetric --cipher-algo AES256 --yes --batch --passphrase MySuperSecurePassword | gunzip -d - | dd of=/dev/sda Gives the output: gzip: stdin: not in gzip format 0+0 records in 0+0 records out 0 bytes copied, 0.325412 s, 0.0 kB/s gpg: [stdout]: write error: Broken pipe gpg: DBG: deflate: iobuf_write failed gpg: [stdout]: write error: Broken pipe gpg: DBG: deflate: iobuf_write failed gpg: [stdout]: write error: Broken pipe gpg: filter_flush failed on close: Broken pipe I'm new to using gpg and dd on the shell so if anyone can spot my mistake or inform me of limitations of the tools I'm using I would greatly appreciate it!

I'm still new to linux, so please give me time if you need something from me. As the title says I cannot create new key pairs or import existing keys into Kleopatra 3.2.0.240501 (24.05.1). I've just done a system update (sudo pacman -Syu) before trying out the included application. When I try to import an existing key this error comes up:

/home/keys/xxxxxxxxxx_SECRET.asc(I18N_ARGUMENT_MISSING) (imported with gpg(I18N_ARGUMENT_MISSING))
Audit log is empty.

/home/keys/xxxxxxxxxx_SECRET.asc(I18N_ARGUMENT_MISSING) (imported with gpgsm(I18N_ARGUMENT_MISSING))
Audit log is empty.

(key name is censored by me, but the correct name is being used) Creating a new key pair gives this result:

The creation of a new OpenPGP certificate failed.

Error: /SQL library used incorrectly/

I've tried importing the same key in Windows or creating a new key pair and it worked without problems there (all keys were created with windows so far) Thank you for your help

I have generated keys using GPG, by executing the following command gpg --gen-key Now I need to export the key pair to a file; i.e., private and public keys to private.pgp and public.pgp, respectively.  How do I do it?

If the output of gpg --list-secret-keys --keyid-format=long is pub rsa3072 2023-01-13 [SC] [expires: 2025-01-12] D8524A558964E86Cxxxx93111270xxxxxxxx7A74 uid [ultimate] demo(demo) sub rsa3072 2023-01-13 [E] [expires: 2025-01-12] How can I grep only "D8524A558964E86Cxxxx93111270xxxxxxxx7A74" from the output? I am using Linux.

Suppose Bob got a message from Alice encrypted with his public key and signed with her private key. Now he wants to prove to Charlie that he got a message from her with this exact content. The message was created via gpg --sign --encrypt. My idea was that he could decrypt the message and save it with its signature somewhere but I could find no way to achieve this. But since GPG signs the message and then encrypts it afterwards this should at least theoretically be possible. Now how can he do this or do you have any other ideas how Bob can proof the message authenticity to Charlie? Restrictions: - Giving Charlie Bobs private key is (obviously) not an option. - Communication is only possible via email. - Alice cannot be contacted any more so resending the message or Charlie and Alice communicating with each other is not possible. Bob has to work with what he already has.

I am working about a GUI PGP application with Zenity. GPG asks passphrase on terminal screen. But I want to enter passphrase from a GUI dialog box not in terminal (like zenity --password) I tried piping gpg -c with Zenity command but not working. Is there any solution for this or another program feature? I know Kleopatra, GPA and seahorse by the way. Thanks...

i tried to do an upgrade today and got an error about 2 keys I am trying to figure out which packages are causing the error so I can either delete them or gather the key file for them. downloading required keys... :: Import PGP key 139B09DA5BF0D338, "David Runge "? [Y/n] y error: key "139B09DA5BF0D338" could not be looked up remotely :: Import PGP key F4AA4E0ED2568E87, "Jiachen YANG "? [Y/n] y error: key "F4AA4E0ED2568E87" could not be looked up remotely error: required key missing from keyring

I'm getting a few friends to sign my key. Each time they've signed my key, if they send the signed key to a key server, when I try to get the signatures with

--refresh-keys --keyserver some.keyserver

, my key is unchanged, I don't see their signatures. The same thing happens if I use

--recv-keys

. They've tried three different servers. However, if they If they email me my key, or I look up my key on the keyserver's web interface and copy the text, then I import it, I see their signatures on my key. Does anyone have an idea as to why this might be happening or what I'm doing wrong?

I'm installing the Ultimaker Cura 3D printer slicer program from here (https://github.com/Ultimaker/Cura/releases/tag/5.1.0) onto Linux Ubuntu 20.04. I downloaded these 2 files:

Ultimaker-Cura-5.1.0-linux-modern.AppImage
Ultimaker-Cura-5.1.0-linux-modern.AppImage.asc

Opening the .asc file in a text editor shows it contains:

-----BEGIN PGP SIGNATURE-----

iQEzBAABCgAdFiEEGInq7S25O/ff+zymwaG5EGnEr1kFAmLWpkEACgkQwaG5EGnE
r1necwgAwO8fqUtXicpJPiIXeFR6L3a2cTc/hLgTgk4Bw8Ey5LKiQyeIsDd3r/vZ
tGiMsb4TrG8WuGIvidBoubuamnIdy2zKyy8Gk1e+MiIgfIWdWIl7KuX/K3GY0oyV
H5rfQWv/g4hCHsDXRpElva79p6W6DYvgdSGeNTpjaeGmLT29OcXCP4wPvSN4izsi
9AU+0DOdq204ZeiGKboXpdPdkWXeyuMJHFdvTlOZVZSb0Ib0zZugSmWYLo8fvK2p
8mrqPMdLu7BMS9ZS/wGrxRfVyOwxk72xuPjGXsrcPXWHtAF5OjvzvCPUzGfnDN10
fVF3+MKS79PQOEYXwAi2hixPCReWNA==
=12yS
-----END PGP SIGNATURE-----

How do I use this .asc signature file to check the main file? I read this page, and the last example seems to apply: https://www.gnupg.org/gph/en/manual/x135.html So I tried this:

gpg --verify Ultimaker-Cura-5.1.0-linux-modern.AppImage.asc Ultimaker-Cura-5.1.0-linux-modern.AppImage

...and I got the following error, as shown in my run output:

~/Downloads/Install_Files/Cura$ gpg --verify Ultimaker-Cura-5.1.0-linux-modern.AppImage.asc Ultimaker-Cura-5.1.0-linux-modern.AppImage
gpg: Signature made Tue 19 Jul 2022 05:40:33 AM MST
gpg:                using RSA key 1889EAED2DB93BF7DFFB3CA6C1A1B91069C4AF59
gpg: Can't check signature: No public key

I tried following the solution in [this answer](https://stackoverflow.com/a/55088831/4561887) , using the RSA key hash printed in the previous output above, and it doesn't work either:

$ gpg --receive-keys 1889EAED2DB93BF7DFFB3CA6C1A1B91069C4AF59
gpg: keyserver receive failed: Server indicated a failure

I'm looking around: [Google search for "ultimaker public key"](https://www.google.com/search?q=ultimaker+public+key&oq=ultimaker+public+key&aqs=chrome..69i57j69i60.8488j0j7&sourceid=chrome&ie=UTF-8) ## Related 1. My question: [Which AppImage should I install (.AppImage vs modern.AppImage)?](https://unix.stackexchange.com/q/711975/114401)

I have sent an armored pgp encrypted message and since then have lost the original message. Being on the same system, the algorithms and keys used to encrypt the message should could also be reversed to decrypt the message back, right? I've tried

--decrypt pgpmessage.txt

and

--decrypt --recipient recipient pgpmessage.txt

and I still get errors. Is it even possible?

so I spent many hours on this now and I hope someone can give me any useful input. I want to export an encrypted secret key from GPG (which lies in ~/.gnupg/private-keys-v1.d) but I do not have the passphrase. So the normal gpg --armor --export-secret-keys does not work for me. My goal is to get that encrypted private key into the armored OpenPGP format (while still being encrypted). Just a change of format without any decryption happening. So I dove into the RFC 4880 standard to understand how the packet structure works but that doesn't lead me anywhere. I hope this is understable. Is it even possible to do this manually or is the key decrypted and reencrypted a different way during gpg's export function?