I'm trying to use BouncyCastle with PGP2 to read public keys ring. The problem is that since GnuPG 2.1 it's stored in pubring.kbx instead of pubring.gpg. That leads to IOException public key ring doesn't start with public key tag: tag 0x0
Any idea if and how I can use BC with GnuPG 2.1?
GnuPG 2.1 by default uses the new keybox file format -- if no pubring.gpg is found. If there is a "legacy" keyring file, it will be used instead.
I'm not aware Bouncy Castle supports the .kbx file format. So if you want to use Bouncy Castle together on the same key files GnuPG is using, you've got three options:
pubring.gpg file somewhere else, which means running an gpg --export or --export-secret-keys when needed. The old pubring.gpg is just a dump of keys, you can directly use the export output as keyring.Using a pubring.gpg in your GnuPG home directory, with other words dropping the better performance of the .kbx file in exchange for compatiblity.
First of all, be sure to copy the whole ~/.gnupg folder or make sure to have an up-to-date backup!
In the end, the migration process boils down to exporting the information in the keybox file to the old OpenPGP keyring format. Looking at the proposal for migration from .kbx files to .gpg files from the changelog linked above:
$ cd ~/.gnupg
$ gpg --export-ownertrust > otrust.lst
$ mv pubring.gpg publickeys
$ gpg2 --import-options import-local-sigs --import publickeys
$ gpg2 --import-ownertrust otrust.lst
The reverse process should look rather similar (given no secret keys are stored, otherwise read below, and exchange gpg2 and gpg to match the binaries installed on your machine):
$ cd ~/.gnupg
$ gpg2 --export-ownertrust > otrust.lst
$ gpg2 --export > pubring.gpg
$ mv pubring.kbx pubring.kbx~
$ gpg2 --import-options import-local-sigs
$ gpg2 --import-ownertrust otrust.lst
The --export result can directly be used as new keyring, so no --import of this file is needed. Ownertrust should probably be copied in a similar manner, I just kept was the changelog proposed here.
If you've also stored private keys, I'd better export them first into another file and finally importing them again:
$ cd ~/.gnupg
$ gpg2 --export-secret-keys > secret-keys.gpg
$ gpg2 --export-ownertrust > otrust.lst
$ gpg2 --export > pubring.gpg
$ mv pubring.kbx pubring.kbx~
$ gpg2 --import-options import-local-sigs --import secret-keys.gpg
$ gpg2 --import-ownertrust otrust.lst
Implement the .kbx format for Bouncy Castle.
As of version 1.60 BouncyCastle support reading KeyBox files.
https://www.bouncycastle.org/releasenotes.html
A parser has now been added for the GNU keybox file format. The GPG SExpr parser now covers a wider range of key types.
There is some example code in KeyBoxTest.java.
If you have come here then you will realize that the API leap from .pgp to .kbx files in bouncycastle is poorly documented. I've looked at alternatives such as https://github.com/pgpainless/pgpainless and org.eclipse.jgit.gpg.bc which attempt to rationalize the changes. But refactoring existing code which uses .pgp keyring files over to .kbx is extremely challenging.
