[BUG] "No working decryption method found" on 2.x, with key-pairs generated by very old GnuPG versions

[raxod502]

Describe the bug

I've just tried out 2.x from the snapshot apk of 2023-01-20, to get #1922 for #1982. Repo cloning, key import, and password list works fine, but passwords cannot be decrypted.

When selecting any password file, a dialog is immediately displayed requesting I enter a password. Regardless of whether the entered password is correct or incorrect, on submission an error Wrong password is displayed. With debug logs enabled, the following stacktrace (No working decryption method found) is displayed via logcat on error:

01-20 21:15:17.991  3158  3158 E StandaloneCoroutine: app.passwordstore.crypto.errors.UnknownError
01-20 21:15:17.991  3158  3158 E StandaloneCoroutine: 	at app.passwordstore.data.crypto.CryptoRepository.access$decryptPgp(SourceFile:372)
01-20 21:15:17.991  3158  3158 E StandaloneCoroutine: 	at app.passwordstore.data.crypto.CryptoRepository$decrypt$2.invokeSuspend(SourceFile:35)
01-20 21:15:17.991  3158  3158 E StandaloneCoroutine: 	at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(SourceFile:9)
01-20 21:15:17.991  3158  3158 E StandaloneCoroutine: 	at kotlinx.coroutines.DispatchedTask.run(SourceFile:109)
01-20 21:15:17.991  3158  3158 E StandaloneCoroutine: 	at kotlinx.coroutines.internal.LimitedDispatcher.run(SourceFile:12)
01-20 21:15:17.991  3158  3158 E StandaloneCoroutine: 	at kotlinx.coroutines.scheduling.TaskImpl.run(SourceFile:3)
01-20 21:15:17.991  3158  3158 E StandaloneCoroutine: 	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(SourceFile:77)
01-20 21:15:17.991  3158  3158 E StandaloneCoroutine: Caused by: org.bouncycastle.openpgp.PGPKeyValidationException: No working decryption method found.
01-20 21:15:17.991  3158  3158 E StandaloneCoroutine: 	at org.pgpainless.decryption_verification.OpenPgpMessageInputStream.consumePackets(SourceFile:2229)
01-20 21:15:17.991  3158  3158 E StandaloneCoroutine: 	at org.pgpainless.decryption_verification.OpenPgpMessageInputStream.<init>(SourceFile:79)
01-20 21:15:17.991  3158  3158 E StandaloneCoroutine: 	at io.sentry.JavaMemoryCollector.withOptions(SourceFile:52)
01-20 21:15:17.991  3158  3158 E StandaloneCoroutine: 	at app.passwordstore.data.crypto.CryptoRepository.access$decryptPgp(SourceFile:304)
01-20 21:15:17.991  3158  3158 E StandaloneCoroutine: 	... 6 more

In the PGP Key Manager panel, I can see that I've imported one PGP key, which is displayed as Radon Rosborough <radon.neon@gmail.com>. The file I imported was generated via gpg --export-secret-key radon@intuitiveexplanations.com. Here is the fingerprint (note, there are two identities attached to the key):

/home/raxod502/.gnupg/pubring.gpg
---------------------------------
sec   rsa2048 2016-08-12 [SC]
      E9370884F35CED9DF20E627998A50086F826A705
uid           [ultimate] Radon Rosborough <radon@intuitiveexplanations.com>
uid           [ultimate] Radon Rosborough <radon.neon@gmail.com>
ssb   rsa2048 2016-08-12 [E]

My ~/.password-store/.gpg-id file has a single line, Radon Rosborough.

Steps to reproduce

Steps to reproduce the behavior:

1. Install app
2. Clone GitLab repo, import ssh private key from local file
3. Import gpg private key from local file
4. Attempt to tap on password file
5. Receive passphrase prompt, enter passphrase
6. Get error

Update: comment #2340 (comment) has a sample key-pair and public repo on GitHub that reproduce the issue.

Expected behavior

In v1.13.5 using the same repo and GPG key, decryption (via OpenKeychain) works as expected - passphrase is read from the user and then used for decryption; cached according to configuration.

I noticed that, in 2.x, there is no selection dialog for how long to cache the passphrase for, unlike in v1.13.5. From #1523 I am guessing this is just not implemented yet.

Screenshots

Happy to add screenshots of the relevant UI elements if it would be helpful.

Device information

• Device: Google Pixel 3a
• OS: LineageOS 19-20230103-NIGHTLY-sargo (Android 12)
• App version: Snapshot build of 2fbad7e from GitHub Releases

Additional context

My main (selfish) motivation is getting #1922 into my local apk; looks like upgrading to 2.x is a necessary first step there.

[msfjarvis]

Your GPG key has two identities, both of which share a name and differ in emails, but your .gpg-id file just contains the name so how does GPG disambiguate between those identities when it's time to encrypt? Does it encrypt passwords to both identities?

[raxod502]

how does GPG disambiguate between those identities when it's time to encrypt?

I am not an expert on PGP, but I do not believe it is necessary to disambiguate between identities when encrypting a message. I believe that one encrypts a message to a public key, and not to a particular identity. I don't think that information about the identity is even included in the encrypted message, but only the public key fingerprint.

So, whether I instruct GPG/Pass to use Radon Rosborough, radon.neon@gmail.com, or radon@intuitiveexplanations.com, all three are shorthand for the same key, and will have the same ability to encrypt and decrypt messages.

When I decrypt a message, the identity is shown:

% cat _/activation-keys/adobe-acrobat-dc-classic.gpg | gpg -d
gpg: encrypted with 2048-bit RSA key, ID 6547984E8E1701CA, created 2016-08-12
      "Radon Rosborough <radon@intuitiveexplanations.com>"

However, if I do not have the private key available, then no identity is shown. I would presume that if the message content included any information about which identity it was intended for, then this would be displayed by GPG:

% cat _/activation-keys/adobe-acrobat-dc-classic.gpg | GNUPGHOME=/tmp/.gnupg gpg -d
gpg: directory '/tmp/.gnupg' created
gpg: keybox '/tmp/.gnupg/pubring.kbx' created
gpg: encrypted with RSA key, ID 6547984E8E1701CA
gpg: decryption failed: No secret key

So in other words, I think GPG encrypts my password files to my single public key, regardless of what identity or identities may be associated with it.

Like I said, I'm not very familiar with the details of PGP and its implementations, so what I said above could be wrong. Please let me know if I made a mistake!

[msfjarvis]

You're right, I had a bit of a brainfart on the multiple identities front. Can you reproduce this by generating a fresh throwaway key and uploading it here? That'll let me test it myself and then be included in the regression test suite.

[raxod502]

Done: https://github.com/raxod502/test-password-store

And I confirmed that the problem is indeed with the multiple identities. The first time around, I created the key, added a second identity, and then encrypted my password. Import key and repo into app, it works. But the second time, I created the key, encrypted my password, and then added the second identity. Import key and repo into app, I get the error above.

[raxod502]

Actually, I take that back. The second time I tested, I made a mistake and forgot to copy the updated private key. When I did it correctly, it worked. So I have not yet been able to reproduce the problem with a separate key-pair. I will keep working on this and get back to you when I figure out how to reproduce it separately from my primary key-pair.

(And I forgot to mention the passphrase for the key-pair in the repo linked above is password)

[raxod502]

Still working on this... I found something interesting using the commands in https://davesteele.github.io/gpg/2014/09/20/anatomy-of-a-gpg-key/ though. As far as I can tell my existing keypair and the new one are almost identical:

% gpg --list-secret-keys               
/home/raxod502/.gnupg/pubring.gpg
---------------------------------
sec   rsa2048 2016-08-12 [SC]
      E937xxx
uid           [ultimate] Radon Rosborough <radon@intuitiveexplanations.com>
uid           [ultimate] Radon Rosborough <radon.neon@gmail.com>
ssb   rsa2048 2016-08-12 [E]

sec   rsa2048 2023-01-27 [SC]
      B762xxx
uid           [ultimate] Homer Simpson <hsimpson@gmail.com>
uid           [ultimate] Homer Simpson <homersimpson@springfield.il.us>
ssb   rsa2048 2023-01-27 [E]

However, if I look carefully at the packet descriptions, I can see a few differences, probably because the original keypair was generated so many years ago (and especially that the original identity signature was generated at keypair creation, while the added identity signature was generated recently).

Note the two identity signatures on the new key, with identical key options:

:user ID packet: "Homer Simpson <homersimpson@springfield.il.us>"
:signature packet: algo 1, keyid F5B9E217D08E1909
        version 4, created 1674790764, md5len 0, sigclass 0x13
        digest algo 10, begin of digest a1 56
        hashed subpkt 33 len 21 (issuer fpr v4 B762xxx)
        hashed subpkt 2 len 4 (sig created 2023-01-27)
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
        hashed subpkt 21 len 5 (pref-hash-algos: 10 9 8 11 2)
        hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
        hashed subpkt 30 len 1 (features: 01)
        hashed subpkt 23 len 1 (keyserver preferences: 80)
        subpkt 16 len 8 (issuer key ID F5B9E217D08E1909)

...

:user ID packet: "Homer Simpson <hsimpson@gmail.com>"
:signature packet: algo 1, keyid F5B9E217D08E1909
        version 4, created 1674791207, md5len 0, sigclass 0x13
        digest algo 10, begin of digest 2c 0d
        hashed subpkt 33 len 21 (issuer fpr v4 B762xxx)
        hashed subpkt 2 len 4 (sig created 2023-01-27)
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
        hashed subpkt 21 len 5 (pref-hash-algos: 10 9 8 11 2)
        hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
        hashed subpkt 30 len 1 (features: 01)
        hashed subpkt 23 len 1 (keyserver preferences: 80)
        subpkt 16 len 8 (issuer key ID F5B9E217D08E1909)

But if I look at the original keypair, only the second (recent) signature packet matches up:

:user ID packet: "Radon Rosborough <radon@intuitiveexplanations.com>"
:signature packet: algo 1, keyid 98A50086F826A705
        version 4, created 1660956992, md5len 0, sigclass 0x13
        digest algo 10, begin of digest 32 79
        hashed subpkt 33 len 21 (issuer fpr v4 E937xxx)
        hashed subpkt 2 len 4 (sig created 2022-08-20)
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
        hashed subpkt 21 len 5 (pref-hash-algos: 10 9 8 11 2)
        hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
        hashed subpkt 30 len 1 (features: 01)
        hashed subpkt 23 len 1 (keyserver preferences: 80)
        subpkt 16 len 8 (issuer key ID 98A50086F826A705)

While the first (older) one is different:

:user ID packet: "Radon Rosborough <radon.neon@gmail.com>"
:signature packet: algo 1, keyid 98A50086F826A705
        version 4, created 1471028457, md5len 0, sigclass 0x13
        digest algo 2, begin of digest 3b ee
        hashed subpkt 2 len 4 (sig created 2016-08-12)
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
        hashed subpkt 21 len 5 (pref-hash-algos: 8 2 9 10 11)
        hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
        hashed subpkt 30 len 1 (features: 01)
        hashed subpkt 23 len 1 (keyserver preferences: 80)
        subpkt 16 len 8 (issuer key ID 98A50086F826A705)

Note it is missing an issuer fpr v4 field, the pref-hash-algos are in a different order, and pref-sym-algos does not have algorithm 3. I suspect the older default key options might trigger a bug in the new crypto library in use in the app.

All testing done with the latest release as of ce54200, by the way.

I'll continue investigating and see if I can manufacture a key that triggers the same behavior, but that I can share publicly.

[msfjarvis]

@vanitasvitae anything that jumps out to you as a reason for BC not finding a decryption method in the key?

[vanitasvitae]

Hm, this is not trivial to debug without deeper knowledge of the key material (or even better, the ciphertext), but of course it is not always possible to share those.

PGPainless includes some logging (e.g. here) which could help identify the issue, but it appears APS does not output these messages?

[msfjarvis]

Hm, this is not trivial to debug without deeper knowledge of the key material (or even better, the ciphertext), but of course it is not always possible to share those.

PGPainless includes some logging (e.g. here) which could help identify the issue, but it appears APS does not output these messages?

APS does not set an explicit global logger so SLF4J defaults to a no-op implementation. We do have an existing implementation of an SLF4J Logger (for SSHJ) that forwards to Android's logcat stream so I can probably just set that globally.

[msfjarvis]

I've wired up our internal logger to SLF4J. @raxod502 please try decrypting again with your key on the latest snapshot and capture a log following the steps here.

[raxod502]

Aha, yep, got some more interesting logs indeed:

02-03 16:13:50.721  6789  7091 D org.pgpainless.decryption_verification.OpenPgpMessageInputStream: Symmetrically Encrypted Data Packet at depth 0 encountered
02-03 16:13:50.722  6789  7091 D org.pgpainless.decryption_verification.OpenPgpMessageInputStream: Symmetrically Encrypted Integrity-Protected Data has 0 SKESK(s) and 1 PKESK(s) from which 0 PKESK(s) have an anonymous recipient
02-03 16:13:50.723  6789  7091 D org.pgpainless.decryption_verification.OpenPgpMessageInputStream: Encountered PKESK for recipient 6547984E8E1701CA
02-03 16:13:50.765  6789  7091 D org.pgpainless.decryption_verification.OpenPgpMessageInputStream: Subkey 6547984e8e1701ca cannot be used for decryption.
02-03 16:13:50.765  6789  7091 D org.pgpainless.decryption_verification.OpenPgpMessageInputStream: Skipping PKESK because no matching key 6547984E8E1701CA was provided
02-03 16:13:50.766  6789  7091 D org.pgpainless.decryption_verification.OpenPgpMessageInputStream: Failed to decrypt encrypted data packet
02-03 16:13:50.766  6789  6789 E StandaloneCoroutine: app.passwordstore.crypto.errors.UnknownError
02-03 16:13:50.766  6789  6789 E StandaloneCoroutine: 	at app.passwordstore.data.crypto.CryptoRepository.access$decryptPgp(SourceFile:370)
02-03 16:13:50.766  6789  6789 E StandaloneCoroutine: 	at app.passwordstore.data.crypto.CryptoRepository$decrypt$2.invokeSuspend(SourceFile:35)
02-03 16:13:50.766  6789  6789 E StandaloneCoroutine: 	at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(SourceFile:9)
02-03 16:13:50.766  6789  6789 E StandaloneCoroutine: 	at kotlinx.coroutines.DispatchedTask.run(SourceFile:109)
02-03 16:13:50.766  6789  6789 E StandaloneCoroutine: 	at kotlinx.coroutines.internal.LimitedDispatcher.run(SourceFile:12)
02-03 16:13:50.766  6789  6789 E StandaloneCoroutine: 	at kotlinx.coroutines.scheduling.TaskImpl.run(SourceFile:3)
02-03 16:13:50.766  6789  6789 E StandaloneCoroutine: 	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(SourceFile:77)
02-03 16:13:50.766  6789  6789 E StandaloneCoroutine: Caused by: org.bouncycastle.openpgp.PGPKeyValidationException: No working decryption method found.
02-03 16:13:50.766  6789  6789 E StandaloneCoroutine: 	at org.pgpainless.decryption_verification.OpenPgpMessageInputStream.consumePackets(SourceFile:2214)
02-03 16:13:50.766  6789  6789 E StandaloneCoroutine: 	at org.pgpainless.decryption_verification.OpenPgpMessageInputStream.<init>(SourceFile:74)
02-03 16:13:50.766  6789  6789 E StandaloneCoroutine: 	at org.eclipse.jgit.lib.IndexDiff$1.withOptions(SourceFile:52)
02-03 16:13:50.766  6789  6789 E StandaloneCoroutine: 	at app.passwordstore.data.crypto.CryptoRepository.access$decryptPgp(SourceFile:302)
02-03 16:13:50.766  6789  6789 E StandaloneCoroutine: 	... 6 more

[vanitasvitae]

So now we only need to find out why the key cannot be used for decryption :P
Perhaps the binding signature on the key is expired? Maybe its key flags do not contain any of ENCRYPT_COMMS or ENCRYPT_STORAGE?

I really should add an error message containing the reason for why the key cannot be used :D

[raxod502]

I'll continue working on getting a working key-pair to reproduce the issue.

[raxod502]

Got it! 🙂

I booted up an Ubuntu 14.04 container running GnuPG 2.0.22 of 2013-10-04, generated the key with that ancient version, exported it out of the container, and then used that to init a password repository. It works fine with Pass, but produces exactly the same error on Android as with my personal key, so I can share it.

Steps to repro:

• Clone https://github.com/raxod502/test-password-store into the app
• Import homersimpson-private-noarmor.asc into the app as a private key, it is a PGP key with passphrase password (I copied the key to my phone with adb so I could import it from the Downloads folder into the app)
• Try decrypting a password entry and providing password, receive error in logcat (if debug logging was enabled):

02-15 19:27:48.141 23687 24249 D org.pgpainless.decryption_verification.OpenPgpMessageInputStream: Symmetrically Encrypted Data Packet at depth 0 encountered
02-15 19:27:48.141 23687 24249 D org.pgpainless.decryption_verification.OpenPgpMessageInputStream: Symmetrically Encrypted Integrity-Protected Data has 0 SKESK(s) and 1 PKESK(s) from which 0 PKESK(s) have an anonymous recipient
02-15 19:27:48.141 23687 24249 D org.pgpainless.decryption_verification.OpenPgpMessageInputStream: Encountered PKESK for recipient 10A446852276B456
02-15 19:27:48.145 23687 23687 E StandaloneCoroutine: app.passwordstore.crypto.errors.UnknownError
02-15 19:27:48.145 23687 23687 E StandaloneCoroutine: 	at app.passwordstore.data.crypto.CryptoRepository.access$decryptPgp(SourceFile:370)
02-15 19:27:48.145 23687 23687 E StandaloneCoroutine: 	at app.passwordstore.data.crypto.CryptoRepository$decrypt$2.invokeSuspend(SourceFile:35)
02-15 19:27:48.145 23687 23687 E StandaloneCoroutine: 	at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(SourceFile:9)
02-15 19:27:48.145 23687 23687 E StandaloneCoroutine: 	at kotlinx.coroutines.DispatchedTask.run(SourceFile:109)
02-15 19:27:48.145 23687 23687 E StandaloneCoroutine: 	at kotlinx.coroutines.internal.LimitedDispatcher.run(SourceFile:12)
02-15 19:27:48.145 23687 23687 E StandaloneCoroutine: 	at kotlinx.coroutines.scheduling.TaskImpl.run(SourceFile:3)
02-15 19:27:48.145 23687 23687 E StandaloneCoroutine: 	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(SourceFile:77)
02-15 19:27:48.145 23687 23687 E StandaloneCoroutine: Caused by: java.util.NoSuchElementException: No direct-key signature and no user-id signature found.
02-15 19:27:48.145 23687 23687 E StandaloneCoroutine: 	at org.pgpainless.key.info.KeyRingInfo.getPrimaryKeyExpirationDate(SourceFile:128)
02-15 19:27:48.145 23687 23687 E StandaloneCoroutine: 	at org.pgpainless.key.info.KeyRingInfo.getEncryptionSubkeys(SourceFile:1)
02-15 19:27:48.145 23687 23687 E StandaloneCoroutine: 	at org.pgpainless.decryption_verification.OpenPgpMessageInputStream.getDecryptionKey(SourceFile:52)
02-15 19:27:48.145 23687 23687 E StandaloneCoroutine: 	at org.pgpainless.decryption_verification.OpenPgpMessageInputStream.consumePackets(SourceFile:1676)
02-15 19:27:48.145 23687 23687 E StandaloneCoroutine: 	at org.pgpainless.decryption_verification.OpenPgpMessageInputStream.<init>(SourceFile:74)
02-15 19:27:48.145 23687 23687 E StandaloneCoroutine: 	at org.eclipse.jgit.lib.IndexDiff$1.withOptions(SourceFile:52)
02-15 19:27:48.145 23687 23687 E StandaloneCoroutine: 	at app.passwordstore.data.crypto.CryptoRepository.access$decryptPgp(SourceFile:302)
02-15 19:27:48.145 23687 23687 E StandaloneCoroutine: 	... 6 more

• Clone repo onto a computer, import the private key into your keyring (or a temporary one), try using Pass to decrypt the entry - it works.

[msfjarvis]

That's quite helpful, thank you! The fix for this seems to be required on PGPainless' side so I'll let @vanitasvitae have a look at it when they're able to and go from there.

[vanitasvitae]

I find it hard to debug this to be honest.
Ideally I would like to invest the key itself to see what is wrong with it, but that's obviously not really an option.
@raxod502 can you check what https://crates.io/crates/sequoia-keyring-linter says to your key?

My suspicion is, that your key is simply no longer up to standards however.

[raxod502]

@vanitasvitae You can take a look directly at a key which reproduces the issue in the repo that I posted publicly here! #2340 (comment)

However, when running the tool you linked (package sq-keyring-linter on Pop!_OS 22.04) on my primary key, I did get some security warnings:

% gpg --export-secret-key radon@intuitiveexplanations.com | sq-keyring-linter             
Certificate 98A50086F826A705 contains a User ID ("Radon Rosborough <radon.neon@gmail.com>") protected by SHA-1
Certificate 98A50086F826A705, key 6547984E8E1701CA uses a SHA-1-protected binding signature.
Examined 1 certificate.
  0 certificates are invalid and were not linted. (GOOD)
  1 certificate was linted.
  1 of the 1 certificates (100%) has at least one issue. (BAD)
0 of the linted certificates were revoked.
  0 of the 0 certificates has revocation certificates that are weaker than the certificate and should be recreated. (GOOD)
0 of the linted certificates were expired.
1 of the non-revoked linted certificate has at least one non-revoked User ID:
  1 has at least one User ID protected by SHA-1. (BAD)
  0 have all User IDs protected by SHA-1. (GOOD)
1 of the non-revoked linted certificates has at least one non-revoked, live subkey:
  1 has at least one non-revoked, live subkey with a binding signature that uses SHA-1. (BAD)
0 of the non-revoked linted certificates have at least one non-revoked, live, signing-capable subkey:
  0 certificates have at least one non-revoked, live, signing-capable subkey with a strong binding signature, but a backsig that uses SHA-1. (GOOD)

That in itself is a good enough reason to replace my private key, so I will do so.

Perhaps it is the case that all keys old enough to be incompatible with PGPainless are also old enough to use deprecated encryption algorithms, in which case it may be acceptable to simply say they are not supported since they should not be used in any case.

[msfjarvis]

The presence of an SHA-1 key confirms my suspicions, the key is being rejected by PGPainless due to its hash policy and for good reasons. I'll close this issue now since this is intended behaviour, though it's probably worth improving the logging around this in PGPainless.

[raxod502]

At the very least, it might be nice to print a different error message in APS when the user gives an invalid password, versus when PGPainless returns an unknown error.

[raxod502]

In any case, I've generated a new key-pair and rotated it on all my devices and documents:

% gpg --list-keys Radon
pub   rsa2048 2016-08-12 [SC]
      E9370884F35CED9DF20E627998A50086F826A705
uid           [ultimate] Radon Rosborough <radon@intuitiveexplanations.com>
uid           [ultimate] Radon Rosborough <radon.neon@gmail.com>
sub   rsa2048 2016-08-12 [E]

pub   rsa3072 2023-03-18 [SC]
      E6CED8CD047C9366D490C2784A88E27648CABA42
uid           [ultimate] Radon Rosborough <radon@intuitiveexplanations.com>
sub   rsa3072 2023-03-18 [E]

The new key works fine with APS.

[msfjarvis]

At the very least, it might be nice to print a different error message in APS when the user gives an invalid password, versus when PGPainless returns an unknown error.

It already does.

[vanitasvitae]

@raxod502 glad to hear that the new key works :)

[vanitasvitae]

As a sidenote (I just did some further testing using the test key from #2340 (comment)):
The reason why the key is rejected is indeed the SHA-1 signature. PGPainless' default hash policy rejects SHA-1 signatures made after a cutoff-date (2013-02-01 00:00:00 UTC). This behaviour can of course be changed by setting a custom hash algorithm policy allowing SHA-1 in the APS codebase.