Red Hat Bugzilla – Bug 427500
gnupg2-2.0.8 missing german root cert(s)
Last modified: 2008-07-30 16:11:22 EDT
Description of problem:
Version-Release number of selected component (if applicable): 2.0.8-1.fc8.i386
How reproducible: install update
Steps to Reproduce:
1. install the update to gnupg2-2.0.8-1.fc8.i386
2. Try to sign a mail in kontact/kmail
3. Error message "nich gefunden" pops up
Message could not be signed
A reinstall of the older gnupg2 Package solves the problem. Maybe a rebuild of
kontact/kmail against the newer gnupg2 Package is necessary?
WORKSFORME on my f7 box, I'll go try reproducing on f8...
Confirmed ok for me too on f8.
I notice your error is "nich gefunden" (German?), maybe it's a locale-specific
Please confirm your locale in use, and I'll try changing that too.
Sorry for my late response, was very busy this week.
Yes that's german:
My Locale is de_DE.UTF-8 the complete error message is: "Signierung
fehlgeschlagen. nich gefunden"
Please note that there is also a little typo in the localisation, it should
correctly read: "Signierung fehlgeschlagen: nicht gefunden"
But this error message is not very informative, as it doesn't what's not found!
I also changed to US locale (switched to US throug control-center), and the
problem remains. The error message is now: "signing error: not found"
The only cure I found was to force the installation of the old gnupg2 RPM.
I suppose that kontact/kmail needs a recompilation against the newer libassuan,
as libassuan is only available as a static library.
I can reproduce this problem in en_AU.UTF-8, and its in gpg rather than kmail.
Running strace on kmail while signing reveals that it is
running "gpg ... --sign --detach --armor -u <uid>", which fails with the
gpg: protection algorithm 1 (IDEA) is not supported
gpg: the IDEA cipher plugin is not present
gpg: please see http://www.gnupg.org/faq/why-not-idea.html for more
gpg: skipped "<uid>": unknown cipher algorithm
gpg: signing failed: unknown cipher algorithm
This can be repeated at the command line. In fact, I can not get
any "gpg --sign" to work, even with --disable-cipher-algo IDEA or similar
settings in the gnupg config file. gpg2 is no better.
Further to the above, I am not able to reproduce on F8/x86_64 with
gnupg-1.4.7-7.x86_64/gnupg2-2.0.8-1.fc8.x86_64. The above observation was on
F8/i686 with gnupg-1.4.7-7/gnupg2-2.0.8-1.fc8. I should also add that where I
wrote <uid>, it was chosen from a number of known-good-key uids from the local
I've the default locale in f8 and kmail fails to encrypt messages. Signing
works fine but not encryption.
Our hunch atm is on pinentry, try this test build (when it finishes):
This updates seems to work for me. Nowdays messages in sent folder
aren't correclty encrypted, so you need to send yourself to be sure
Also noticed that kmail doesn't follow kaddressbook settings for
pinentry-0.7.4-1.fc8 has been submitted as an update for Fedora 8
pinentry-0.7.4-1.fc7 has been submitted as an update for Fedora 7
pinentry-0.7.4-1.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update pinentry'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-1492
I just installed pinentry-0.7.4-1.fc8 from Fedora 8 testing, the problem still
Klaus, I'd be happy to test this with someone, please drop me an email to
firstname.lastname@example.org , my key is in keyserver.
no way to test it, since gnupg2-2.0.8 it just tells me a "not found" error
instead of the pinentry. The new pinentry version doesn't help, just the
reinstallation of gunpg2-2.0.7 cure's the problem.
As a side note: I use an S/MIME key for signing.
pinentry-0.7.4-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
pinentry-0.7.4-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
As I already noted the new pinentry Version doesn't cure the problem it persists!
The only solution I found for me is to block update of gnupg2 and stay on
The new pinentry doesn't help, but its ok so far as it doesn't break the old
Please again look deeper into changes in gnupg2!
Klaus, Mike (comment #4), seem to be the only ones able to reproduce the
problem. Both of you are on i386. So, reopening and setting to i386-specific.
I'll be getting an f8/i386 box here in a bit, but in the meantime, frankly, I'm
stumped on how to further debug this, much less fix. Would either of you mind
taking your issue to gnupg's upstream devs at
? They would likely be able to offer better help, insight at this point.
And while you're at it, please confirm problem still exists in the latest
gnupg2-2.0.8-2 builds in updates.
Yes it persists definitely with gnupg2-2.0.8-2, I just installed it to confirm.
I can confirm that the problem is still there with gnupg2-2.0.8-2 on
F8/ix86/fully-updated, and gnupg-1.4.7-7 for that matter. However, I fear its
NOTABUG. I have a lot of ``old'' (1997!) keys derived from good old pgp,
which alas, used the IDEA cypher extensively. So whenever I try to sign
something, gpg looks for an IDEA module to operate on my keys. As the error
message was showing, there is no IDEA module present in either gpg, and for
good reason: Bloody Software Patents. I therefore absolve Fedora from fixing
I suspect if I rebuilt pgp-2.something,and called it gpg, all would be well.
Or built gnupg myself with the IDEA module that is out there (see
But I am probably just going to make some new keys and retire the IDEA-based
ones. Good luck Klaus if this is what you are seeing too.
I don't believe that the problem is with IDEA keys, alas if it would be, the
cryptic error message would be a bug for itself. I don't have such old keys in
my keyring, at least I believe there are no IDEA cypher inside. Also signing on
the command line works well with gnupg2-2.0.8-2, but not together with kmail.
I even updated to the latest kde updates for Fedora 8, but as far as I install
also gnupg2-2.0.8-2 signing in kmail will no longer work. Again the only cure is
to revert to gnupg2-2.0.7-3.fc8
S/MIME signing is broken for me in kmail on a fully up-to-date f8 box. The
error message is "Signing failed: not found".
I've noticed the following error messages in the gnupg log:
gpgsm: invalid country code in `/usr/share/gnupg/qualified.txt', line
gpgsm: checking the list of qualified root certificates failed: Bad
gpgsm: checking for qualified certificate failed: Not found
gpgsm: error creating signature: Not found
gpgsm[20979.0] DBG: -> ERR 150994971 Not found
Line 196 and line 211 of /usr/share/gnupg/qualified.txt contain fingerprints
of German CA certs. However the lines are missing the country code "de", which
needs to be appended to the fingerprint just like for the other CAs.
Appending "de" to the fingerprint lines fixes the problem and signing works
OK, I've confirmed that the German code "de" exists in gnupg-2.0.9. I'll issue
an update asap.
gnupg2-2.0.9-2.fc8 has been submitted as an update for Fedora 8
Hrm, we may be seeing some separate issues here, but we'll see how it goes.
On closer inspection, gnupg-2.0.9's file is broken too.
bleh, ignore me. it's good.
I've downloaded gnupg2-2.0.9-2.fc8 (i386) from koji and I can confirm that
signing emails (S/MIME) in kmail works again.
gnupg2-2.0.9-2.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update gnupg2'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-6469
gnupg2-2.0.9-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.