bug with one key's private keys spread over several keyrings when signing keys
Hauke Laging
mailinglisten at hauke-laging.de
Thu Jun 3 05:02:42 CEST 2010
Hello,
I use gpg 2.0.15 (under GNU/Linux).
I just tried to improve my gpg usage towards more security while keeping a good
level of convenience. My aim was to take the secret main key off my system, as
I need it for signing keys only (thus rather seldom).
My general approach is this: I have created a LUKS partition on a USB stick so
that I just have to plug it in when I need some of its data keeping it safe
(offline) most of the time. The key file for this partition is in my home
directory. I put my critical data on this stick and have it mounted by udev on
~/homeextension. I link my critical files to that stick. So I have created
~/homeextension/.gnupg/secring.gpg.
I have deleted the secret main key from ~/.gnupg/secring.gpg (which is
inconvenient IMHO as I had to export the secret subkeys, delete all secret
keys and import the secret subkeys). My plan was to call gpg with a --secret-
keyring parameter if I need the secret main key. So I imported that key into a
new key ring:
start cmd:> gpg --no-default-keyring \
--secret-keyring ~/homeextension/.gnupg/secring.gpg \
--keyring ~/.gnupg/pubring.gpg \
--import hauke__0xECCB5814.sec.asc
The next step was to remove the subkeys completely by --edit-key. This was not
possible without access to the public keys, which does not make sense IMHO. You
have to import keys in order to delete them... because secret keys cannot be
deleted without deleting the respective public key.
However, it seemed to work:
start cmd:> gpg --no-default-keyring \
--secret-keyring ~/homeextension/.gnupg/secring.gpg \
--keyring ~/tmp/pubring.gpg --list-secret-keys
/home/hl/homeextension/.gnupg/secring.gpg
-----------------------------------------
sec 1024D/0xECCB5814 2005-09-05
uid Hauke Laging <hauke at laging.de>
uid Hauke Laging <mail at hauke-laging.de>
uid Hauke Laging <mailinglisten at hauke-laging.de>
Let's have a look at the default key ring:
start cmd:> gpg --list-secret-keys eccb5814
sec# 1024D/0xECCB5814 2005-09-05
uid Hauke Laging <hauke at laging.de>
uid Hauke Laging <mailinglisten at hauke-laging.de>
uid Hauke Laging <mail at hauke-laging.de>
ssb 2048g/0xE623EF88 2005-09-05 [expires: 2010-04-03]
ssb 2048R/0x51B279FA 2010-03-04 [expires: 2013-03-03]
ssb 2048R/0x3A403251 2010-03-04 [expires: 2013-03-03]
ssb 2048R/0x2282921E 2010-03-08 [expires: 2013-03-07]
Everything as it should be.
Now, after this not so short introduction, the bug: In my understanding gpg
should have access to all secret keys if I add the new key ring. This works
for --list-secret-keys:
start cmd:> LC_ALL=C gpg \
--secret-keyring ~/homeextension/.gnupg/secring.gpg \
--list-secret-keys eccb5814
Keyring: /home/hl/.gnupg/secring.gpg
------------------------------------
sec# 1024D/0xECCB5814 2005-09-05
uid Hauke Laging <hauke at laging.de>
uid Hauke Laging <mailinglisten at hauke-laging.de>
uid Hauke Laging <mail at hauke-laging.de>
ssb 2048g/0xE623EF88 2005-09-05 [expires: 2010-04-03]
ssb 2048R/0x51B279FA 2010-03-04 [expires: 2013-03-03]
ssb 2048R/0x3A403251 2010-03-04 [expires: 2013-03-03]
ssb 2048R/0x2282921E 2010-03-08 [expires: 2013-03-07]
Keyring: /home/hl/homeextension/.gnupg/secring.gpg
--------------------------------------------------
sec 1024D/0xECCB5814 2005-09-05
uid Hauke Laging <hauke at laging.de>
uid Hauke Laging <mailinglisten at hauke-laging.de>
uid Hauke Laging <mail at hauke-laging.de>
But it DOES NOT work for signing another key! Unless I misunderstand something
about the usage of --secret-keyring:
start cmd:> LC_ALL=C gpg \
--secret-keyring ~/homeextension/.gnupg/secring.gpg \
--edit-key 297AB799
[...]
gpg> sign
"Smartcard Test <smartcardtest at hauke-laging.de>" was already signed by key
0xECCB5814
Do you want to sign it again anyway? (y/N) y
[...]
I have checked this key very carefully.
Really sign? (y/N) y
gpg: secret key parts are not available
gpg: signing failed: Unusable secret key
gpg>
I can sign the key if I use just one secret key file:
start cmd:> LC_ALL=C gpg --no-default-keyring \
--secret-keyring ~/homeextension/.gnupg/secring.gpg \
--edit-key 297AB799
[...]
Really sign? (y/N) y
You need a passphrase to unlock the secret key for
user: "Hauke Laging <hauke at laging.de>"
1024-bit DSA key, ID 0xECCB5814, created 2005-09-05
gpg>
It even works if I reverse the file order:
start cmd:> LC_ALL=C gpg --no-default-keyring \
--secret-keyring ~/homeextension/.gnupg/secring.gpg \
--secret-keyring ~/.gnupg/secring.gpg --edit-key 297AB799
So it seems that gpg takes the private main key only from the first key ring
that contains any part of that key.
This problem does not arise if all private keys are in the second key ring.
Funnily, it does not arise either if the decryption subkey is needed. So this
problem seems to be related to signing keys.
CU
Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
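The following is an added example, not part of Hauke's post and not GnuPG code: a small Python script that parses the human-readable output of "gpg --list-secret-keys" in the GnuPG 2.0.x format quoted above (with its "Keyring: /path" headers and the "sec#" stub marker) and reports primary keys that are a stub in an earlier keyring while the complete secret key lives in a later one. The "first keyring that holds any part of the key wins" lookup it models is the behaviour the post observed, not GnuPG's documented algorithm. The sample listing is constructed from the report (paths and key IDs are the report's own); the function names are this example's.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two-keyring listing quoted in the report, with the
# column spacing gpg 2.0.x prints. Paths and key IDs are the report's own.
SAMPLE_LISTING = """\
Keyring: /home/hl/.gnupg/secring.gpg
------------------------------------
sec#  1024D/0xECCB5814 2005-09-05
uid                  Hauke Laging <hauke at laging.de>
ssb   2048g/0xE623EF88 2005-09-05 [expires: 2010-04-03]
ssb   2048R/0x51B279FA 2010-03-04 [expires: 2013-03-03]
Keyring: /home/hl/homeextension/.gnupg/secring.gpg
--------------------------------------------------
sec   1024D/0xECCB5814 2005-09-05
uid                  Hauke Laging <hauke at laging.de>
"""

# A keyring header is either "Keyring: /path" (several keyrings given) or a
# bare "/path" line (single keyring); gpg follows it with a line of dashes.
KEYRING_RE = re.compile(r"^(?:Keyring:\s*)?(/\S+)\s*$")
# "sec"/"ssb" records; a '#' right after the tag marks a stub (secret part absent).
KEY_RE = re.compile(
    r"^(?P<kind>sec|ssb)(?P<stub>#?)\s+"
    r"(?P<bits>\d+)(?P<algo>[A-Za-z])/(?:0x)?(?P<keyid>[0-9A-Fa-f]{8,16})\s+"
    r"(?P<created>\d{4}-\d{2}-\d{2})"
)

@dataclass
class SecretKey:
    keyid: str
    stub: bool                 # True when gpg printed 'sec#' or 'ssb#'
    subkeys: List["SecretKey"] = field(default_factory=list)

def parse_listing(text: str) -> Dict[str, List[SecretKey]]:
    """Return {keyring path: [primary keys]} in the order gpg listed them."""
    keyrings: Dict[str, List[SecretKey]] = {}
    current: Optional[str] = None
    primary: Optional[SecretKey] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = KEYRING_RE.match(line)
        if m:
            current = m.group(1)
            keyrings.setdefault(current, [])
            primary = None
            continue
        m = KEY_RE.match(line)
        if not m:
            continue                       # uid lines, dashes, blanks
        if current is None:
            raise ValueError("key record before any keyring header: %r" % line)
        entry = SecretKey(m["keyid"].upper(), m["stub"] == "#")
        if m["kind"] == "sec":
            primary = entry
            keyrings[current].append(entry)
        elif primary is None:
            raise ValueError("ssb record without a preceding sec: %r" % line)
        else:
            primary.subkeys.append(entry)
    return keyrings

def _same_key(entry: SecretKey, keyid: str) -> bool:
    k = keyid.upper()
    if k.startswith("0X"):
        k = k[2:]
    return entry.keyid.endswith(k) or k.endswith(entry.keyid)

def first_keyring_with(keyrings, keyid) -> Optional[Tuple[str, SecretKey]]:
    """Model of the lookup the report observed: the first keyring holding any
    record for the key wins, even if its primary is only a stub."""
    for path, primaries in keyrings.items():
        for p in primaries:
            if _same_key(p, keyid):
                return path, p
    return None

def can_sign_with_primary(keyrings, keyid) -> bool:
    """Under that model: is the primary usable for certifying (signing keys)?"""
    hit = first_keyring_with(keyrings, keyid)
    return hit is not None and not hit[1].stub

def shadowed_primaries(keyrings) -> List[Tuple[str, str, str]]:
    """(key ID, keyring with the stub, keyring with the full key) for each
    primary that is a stub in an earlier keyring and complete in a later one."""
    first_stub: Dict[str, str] = {}
    found = []
    for path, primaries in keyrings.items():
        for p in primaries:
            if p.stub:
                first_stub.setdefault(p.keyid, path)
            elif p.keyid in first_stub:
                found.append((p.keyid, first_stub[p.keyid], path))
    return found

if __name__ == "__main__":
    rings = parse_listing(SAMPLE_LISTING)
    for keyid, stub_ring, full_ring in shadowed_primaries(rings):
        print("0x%s: stub in %s shadows the full key in %s" % (keyid, stub_ring, full_ring))
```

Feeding it the listing from the post flags 0xECCB5814 as shadowed and reports that certifying with the primary would fail, while the same keyrings in the reverse order (the order that worked in the post) produce no finding. To run it against a live system, pipe "LC_ALL=C gpg --secret-keyring ... --list-secret-keys" into parse_listing; the regexes only know the 2.0.x text format shown here.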