Using BouncyCastle with GnuPG 2.1's `pubring.kbx` file

Question

I'm trying to use BouncyCastle with PGP2 to read public keys ring. The problem is that since GnuPG 2.1 it's stored in pubring.kbx instead of pubring.gpg. That leads to IOException public key ring doesn't start with public key tag: tag 0x0

Any idea if and how I can use BC with GnuPG 2.1?

Answer 1

GnuPG 2.1 by default uses the new keybox file format -- if no pubring.gpg is found. If there is a "legacy" keyring file, it will be used instead.

I'm not aware Bouncy Castle supports the .kbx file format. So if you want to use Bouncy Castle together on the same key files GnuPG is using, you've got three options:

• Additionally maintaining an old pubring.gpg file somewhere else, which means running an gpg --export or --export-secret-keys when needed. The old pubring.gpg is just a dump of keys, you can directly use the export output as keyring.

• Using a pubring.gpg in your GnuPG home directory, with other words dropping the better performance of the .kbx file in exchange for compatiblity.

  First of all, be sure to copy the whole ~/.gnupg folder or make sure to have an up-to-date backup!

  In the end, the migration process boils down to exporting the information in the keybox file to the old OpenPGP keyring format. Looking at the proposal for migration from .kbx files to .gpg files from the changelog linked above:

  $ cd ~/.gnupg
  $ gpg --export-ownertrust > otrust.lst
  $ mv pubring.gpg publickeys
  $ gpg2 --import-options import-local-sigs --import publickeys
  $ gpg2 --import-ownertrust otrust.lst
  

  The reverse process should look rather similar (given no secret keys are stored, otherwise read below, and exchange gpg2 and gpg to match the binaries installed on your machine):

  $ cd ~/.gnupg
  $ gpg2 --export-ownertrust > otrust.lst
  $ gpg2 --export > pubring.gpg
  $ mv pubring.kbx pubring.kbx~
  $ gpg2 --import-options import-local-sigs
  $ gpg2 --import-ownertrust otrust.lst
  

  The --export result can directly be used as new keyring, so no --import of this file is needed. Ownertrust should probably be copied in a similar manner, I just kept was the changelog proposed here.

  If you've also stored private keys, I'd better export them first into another file and finally importing them again:

  $ cd ~/.gnupg
  $ gpg2 --export-secret-keys > secret-keys.gpg
  $ gpg2 --export-ownertrust > otrust.lst
  $ gpg2 --export > pubring.gpg
  $ mv pubring.kbx pubring.kbx~
  $ gpg2 --import-options import-local-sigs --import secret-keys.gpg
  $ gpg2 --import-ownertrust otrust.lst
  

• Implement the .kbx format for Bouncy Castle.