Encryption failed due to invalid key error.

[ghost]

This error appears for every single UID:

"Encryption failed due to invalid key error. User may not have an encryption subkey or it may be expired."

Debug mode reveals that --no-default-keyring is passed both in the initial extraction and in the signing command:

DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --status-fd 1 --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg --always-trust --armor -r ...

I thought that because my private key is on a different keyring than the keyring supplied as a parameter, it's being omitted from the temporary keyring and thus out of reach. So I ran:

gpg --export-secret-keys "$my_signing_key" | gpg --no-default-keyring --keyring keyring_to_sign.gpg --import

It imported okay but that did not change anything. I also have no problems clear-signing something using the staging key that pius makes:

gpg --no-default-keyring --keyring /tmp/pius_keyring.gpg --local-user "$my_signing_key" --clearsign "$arbitrary_file"

version

$ pius --version
pius 2.2.3

[jaymzh]

Unless something has changed recently, the only thing that is requires i the public key you want to sign with has to be on the keyring. This is a - I think - I reasonable assumption, since, if you were at the KSP, your key should be on the keyring. GPG will automatically pull a private key from the secret keyring that matches the signing key you're using - assuming the public key for said public key is available.

Also - I need to do a release... there's a ton of fixes on master that aren't in 2.2.3. :)

[jaymzh]

Oh, slight correction to the above. In the default mode, since it sends a mime-encrypted email, you also need to have the public key of your encryption key on that keyring, if they are different (they aren't for most people). If you have separate subkeys for this and I can imagine a world in which you get yourself into trouble this way. The encryption step probably does not need the --no-default-keyring option...

[ghost]

Now I'm running with version 2.2.7 and get the same error. I have also confirmed that my pubkey is on the same keyring passed to pius along with the other attendees by running:

$ gpg --keyring signing_party_keyring.gpg --no-default-keyring --list-public-keys "$my_fpr"

I'm not doing anything non-trivial AFAIK, just trying to sign using an ordinary key that is both for signing and encryption.

The ultimate command that's failing is:

$ pius -A -s "$my_fpr" -r  signing_party_keyring.gpg -m 'libBletchley@park.net' --encrypt-outfiles --out-dir="$HOME"/gpg_sigs/ --no-mail-tls -H 127.0.0.1 -P 25

(edit) I see the problem. The default-key and encrypt-to parameters were configured in gpg.conf to a different key than the signing party key. So for me the correction is obviously to change those to match the signing party key. For you there may be no change.. or perhaps pius could be made more robust by detecting this issue and erroring with a helpful error message. It's probably worthwhile to do this, because it's likely a common problem considering people going to keysigning parties are often transitioning to a new key and those parameters would easily be pointing to an old key.

[jaymzh]

ah, thanks for tracking that down. I will try to figure out how to raise this to the user!