
I'm having an issue with Enigmail. Here's an example to highlight my problem.

Alice and Bob wish to communicate securely using Enigmail. For extra security, they both decide to create keys using the --expert flag, and make their primary keys have only the certifying capability. Alice and Bob then each generate two subkeys--one for signing, and one for encryption. Finally, Alice and Bob remove the primary secret key from the secret keyring and record the key to external media for safekeeping. The way I see it, Alice and Bob now each have five keys, or 2 and 1/2 keypairs.

Alice and Bob each have:

  1. Primary Public Key
  2. Public Encryption Subkey
  3. Public Signing Subkey
  4. Secret Encryption Subkey
  5. Secret Signing Subkey
  6. ~~(MISSING) Primary Secret Key~~

There are many questions around Stack Exchange that explain why one might wish to manage their keys this way, this post in particular.

Anyhow, whenever Alice attempts to send an email using Enigmail to Bob, Enigmail complains "Key not found or not valid. The (sub-)key might have expired." All the keys I generated do not expire.

I think Enigmail is assuming Alice's primary secret key is to be used for signing, and sending the email fails when it attempts to use a key which does not exist. As I've explained, not only is Alice's primary secret key missing, but it also does not have the capability of signing. However, the subkeys are present. Is it possible to make Enigmail use the subkeys?

Yankee
  • Can you provide an example (public) key set, and Alice's output of `gpg -k`/`gpg -K` for both Alice's and Bob's keys? – Jens Erat Jul 06 '15 at 14:41
  • Since it's just an example, here's all keypairs. [Alice public and private keys](http://pastebin.com/FFhDGRHC). Output of Alice's [gpg -k, -K](http://pastebin.com/LFW4A0a7). Bob's [gpg -k, -K](http://pastebin.com/xnQjbQa6) And summary of [list of commands](http://pastebin.com/u7qrvBpC) I ran. – Yankee Jul 06 '15 at 17:32
  • Are you still having this issue? I have a very similar setup (just with more signing subkeys) and Enigmail recognised which encryption and signing subkey to use automatically. I just had to delete the unused signing subkeys, but that's a different, unrelated problem if your setup is exactly as described in your question. – berbt Jul 28 '16 at 07:43
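A quick way to confirm that a keyring really has the layout the question describes (certify-only primary key whose secret half has been removed, plus a secret signing subkey and a secret encryption subkey) is to read the machine-readable listing from `gpg -K --with-colons` rather than the human-readable `sec#` output. The script below is an added example and is not code from the question, the answer or the Enigmail project. It parses the colon format documented in GnuPG's doc/DETAILS: field 12 carries the capability letters (lowercase for the key's own capabilities, uppercase for the usable capabilities of the whole key), and field 15 is `#` when the secret part is only a stub. The two listings embedded in the script are constructed samples with made-up key IDs, shortened to the fields the parser needs; the assumption that an empty field 15 means the secret part is present is mine.

```python
"""Check a GnuPG secret-key listing for the 'offline primary key' layout.

Input is the text printed by ``gpg -K --with-colons``: one record per line,
fields separated by ':' (numbering below is 1-based, as in doc/DETAILS).
  field 1  record type   ('sec' = primary secret key, 'ssb' = secret subkey)
  field 5  key ID
  field 12 capabilities  (lowercase = this key's own: e/s/c/a)
  field 15 '#' if the secret part is a stub, i.e. removed from the keyring
Only sec/ssb records matter here; fpr/uid/grp records are skipped.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class KeyEntry:
    record: str          # 'sec' or 'ssb'
    keyid: str
    own_caps: str        # lowercase capability letters of this key only
    secret_present: bool # False when field 15 is '#'


def parse_secret_listing(text: str) -> List[KeyEntry]:
    """Return one KeyEntry per sec/ssb record in --with-colons output."""
    entries: List[KeyEntry] = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 15 or f[0] not in ("sec", "ssb"):
            continue
        own_caps = "".join(ch for ch in f[11] if ch.islower())
        # Assumption: anything other than '#' (including an empty field)
        # means the secret material is available in the keyring.
        entries.append(KeyEntry(f[0], f[4], own_caps, f[14] != "#"))
    return entries


def check_offline_primary_layout(entries: List[KeyEntry]) -> Dict[str, bool]:
    """Evaluate the four properties the question's setup relies on."""
    primary = next((e for e in entries if e.record == "sec"), None)
    subs = [e for e in entries if e.record == "ssb"]
    return {
        "primary_certify_only": primary is not None and primary.own_caps == "c",
        "primary_secret_removed": primary is not None and not primary.secret_present,
        "has_secret_signing_subkey": any("s" in e.own_caps and e.secret_present for e in subs),
        "has_secret_encryption_subkey": any("e" in e.own_caps and e.secret_present for e in subs),
    }


# Constructed sample: Alice's keyring as described in the question.
# Primary key: own capability 'c', whole key usable for E/S/C, secret stubbed ('#').
ALICE_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1436184000:::u:::cESC:::#:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF:
uid:u::::1436184000::0000000000000000000000000000000000000000::Alice <alice@example.org>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1436184000::::::s:::+:::23:
ssb:u:4096:1:1122334455667788:1436184000::::::e:::+:::23:
"""

# Constructed sample of a broken setup: the primary secret key was removed
# but no signing subkey was ever generated, so nothing can sign mail.
NO_SIGNING_SUBKEY_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1436184000:::u:::cEC:::#:::23::0:
ssb:u:4096:1:1122334455667788:1436184000::::::e:::+:::23:
"""


def layout_ok(text: str) -> bool:
    """True only if every property of the offline-primary layout holds."""
    return all(check_offline_primary_layout(parse_secret_listing(text)).values())


if __name__ == "__main__":
    for name, listing in (("alice", ALICE_LISTING), ("no-signing-subkey", NO_SIGNING_SUBKEY_LISTING)):
        result = check_offline_primary_layout(parse_secret_listing(listing))
        print(name, "OK" if all(result.values()) else "PROBLEM", result)
```

Run it against a real keyring with `gpg -K --with-colons | python3 check_layout.py` after replacing the constructed samples with `sys.stdin.read()`; if all four properties are true, the keyring itself is not the reason signing fails, which is consistent with the accepted answer locating the fault in a missing pinentry program rather than in key selection.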

1 Answer


It is worth noting that the configuration described in the question above is currently impossible. This is because the Enigmail developer has refused to add custom key selection functionality--see here and here--claiming there is no reason to expose the end user to such "advanced configuration." That's really unfortunate.

Anyhow, I run Debian, so I naturally assumed all Enigmail dependencies would be installed along with Enigmail, but they were not. The solution to fixing the error was to install the pinentry-qt4 package, which has the description:

pinentry-qt4 - "Qt-4-based PIN or pass-phrase entry dialog for GnuPG."

The error message, "Key not found or not valid..." threw me off the trail.

Again, this solution only fixes the error, not the situation I described in the question.

Yankee