GnuPG 1.9.92 -- first findings

Werner Koch wk at gnupg.org
Wed Oct 18 16:07:33 CEST 2006


On Mon, 16 Oct 2006 20:07, Patrick Brunschwig said:

> I could reproduce it on the command line without Enigmail. I believe
> it's related to my keyring; using just a subset of the keyring,
> everything works fine. On the other hand I don't have the same issue
> with gpg 1.4.5.

Thanks for stripping it down to one key.  The culprit was a 16384 bit
RSA key (Pretty please, don't use such keys at all. They actually
reduce security because you are bothering people with long
verification and encryption times.  Eventually they will stop using
encryption at all.).

Of course gpg should have properly detected that and reported this error.
It used to write only parts of the key and thus reading later stopped.
The reason why it fails only in gpg2 is due to the use of libgcrypt
with a slightly different API.  With the fixes you would see:

gpg: mpi too large (16380 bits)
gpg: build_packet(2) failed: Provided object is too large
gpg: error writing keyring [..]/pubring.gpg': Provided object is too large
gpg: key xxxxxxxx: public key "[User ID not found]" imported
gpg: error reading `xxxxxxx-pub.gpg': Provided object is too large
gpg: import from `xxxxxxxxx-pub.gpg' failed: Provided object is too large

However, we allow reading 16384 bit keys, so I changed the writing
limit calculation so that such a key will actually work.

2006-10-18  Werner Koch  <wk at g10code.com>

	* build-packet.c (do_public_key): Care about mpi_write errors.
	(do_secret_key, do_pubkey_enc, do_signature): Ditto. 
	(mpi_write): Print an extra warning on error.

The fix is in the SVN.  A new release will follow ASAP.


Salam-Shalom,

   Werner
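
The failure mode described in the message above (an MPI writer whose errors went unchecked, so only part of a key reached the keyring), as an added example that is not part of the original post and is not GnuPG's code. It encodes OpenPGP MPIs (two-byte big-endian bit count followed by the magnitude) and propagates a size error from every write; the limit `MAX_MPI_BITS` and the names `mpi_write_checked`, `build_rsa_key_body` and `demo` are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MAX_MPI_BITS 16384u  /* assumed write limit for this example */

/* Significant bits in a big-endian magnitude (leading zero bytes ignored). */
static unsigned mpi_nbits(const uint8_t *p, size_t len)
{
    while (len && *p == 0) { p++; len--; }
    if (!len) return 0;
    unsigned bits = (unsigned)(len - 1) * 8;
    for (uint8_t b = *p; b; b >>= 1) bits++;
    return bits;
}

/* Append one MPI to out. Returns bytes written, or -1 when the value
   exceeds the limit or the buffer: it never emits a truncated MPI. */
static long mpi_write_checked(uint8_t *out, size_t cap,
                              const uint8_t *p, size_t len)
{
    unsigned nbits = mpi_nbits(p, len);
    size_t nbytes = (nbits + 7) / 8;
    if (nbits > MAX_MPI_BITS || nbytes + 2 > cap) return -1;
    out[0] = (uint8_t)(nbits >> 8);
    out[1] = (uint8_t)nbits;
    memcpy(out + 2, p + (len - nbytes), nbytes);
    return (long)(nbytes + 2);
}

/* RSA key material (n, e). Every write is checked; on -1 the caller must
   discard out and write nothing to the keyring. */
long build_rsa_key_body(uint8_t *out, size_t cap, const uint8_t *n,
                        size_t nlen, const uint8_t *e, size_t elen)
{
    long a = mpi_write_checked(out, cap, n, nlen);
    if (a < 0) return -1;
    long b = mpi_write_checked(out + a, cap - (size_t)a, e, elen);
    return b < 0 ? -1 : a + b;
}

/* Constructed input: modulus of the given byte length with its top bit set. */
long demo(size_t modulus_bytes)
{
    static uint8_t n[4096], out[8192];         /* static, so zero-filled */
    const uint8_t e[] = { 0x01, 0x00, 0x01 };  /* 65537 */
    if (modulus_bytes == 0 || modulus_bytes > sizeof n) return -1;
    n[0] = 0x80;
    return build_rsa_key_body(out, sizeof out, n, modulus_bytes, e, sizeof e);
}
```

With these assumptions a 2048-byte modulus (16384 bits) is written in full, while one byte more is rejected before anything is committed.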




