Migrating from OpenPGP card + gnupg 1.4 to 2.1

Alphazo alphazo at gmail.com
Wed Jan 11 23:25:24 CET 2012


Now that the seg. fault is fixed, I tried again to migrate my hybrid
private key to the new gnupg2 key storage. I do get a password prompt
for older keys (and I clicked on cancel for each) but I don't get a
password or PIN prompt for my current hybrid key. However gnupg2 says
that it has imported my secret key but the private-keys-v1.d directory
stays empty... Where has my private key been imported to?
As a side note I also get some errors with some old keys.

# gpg2 --import ~/.gnupg/secring.gpg
....
gpg: key 12345678 : "Test Key1 <testkey1 at dummy.org>" not changed
gpg: key 12345678/3344556677: error sending to agent: Operation cancelled
gpg: key 0022446688: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: key 0022446688/AABBCCDDEE: error sending to agent: Operation cancelled
...
gpg: key 7A7B7D7E: "Hybrid Key <hybrid at current.key>" not changed
gpg: key 7A7B7D7E: secret key imported
...
gpg: Total number processed: 24
gpg:           w/o user IDs: 1
gpg:              unchanged: 9
gpg:       secret keys read: 24


On Wed, Jan 11, 2012 at 11:14 PM, Alphazo <alphazo at gmail.com> wrote:
> Now that the seg. fault is fixed. I tried again to migrate my hybrid
> private key to the new gnupg2 key storage but I don't get
>
> On Wed, Dec 21, 2011 at 10:38 PM, Alphazo <alphazo at gmail.com> wrote:
>> You were right on the subkey. In the meantime I realized that the
>> import function was also trying to import old revoked keys as well.
>> That's why I got the password prompt for an old non OpenPGP card based
>> key.
>>
>> Now for testing purposes I cleaned up my secring.gpg by removing all
>> secret keys but one which is the one I described in my previous post.
>>
>> I started the import and didn't get any password prompt but
>> unfortunately also no PIN prompt for my OpenPGP card (?).
>> alpha at fatfly ~/.gnupg % gpg2 --import ~/.gnupg/secring.gpg
>> gpg: key F89A6E41: "Test Key <testkey at nomail.org>" not changed
>> gpg: key F89A6E41: secret key imported
>> gpg: Total number processed: 4
>> gpg:              unchanged: 1
>> gpg:       secret keys read: 4
>>
>> Then I looked at my gnupg2 keystore but it remains empty.
>>
>> alpha at fatfly ~/.gnupg % ls private-keys-v1.d
>> alpha at fatfly ~/.gnupg %
>>
>> Is my OpenPGP card stub being checked correctly?
>> Is gpg-agent supposed to work out of the box with OpenPGP card?
>>
>> I then did another test by using a regular key (no OpenPGP card) and
>> got a strange "can't handle public key algorithm 3" error, then a seg.
>> fault when doing a --list-secret-keys. However --edit-key did work
>> fine.
>>
>> (gdb) run -v --list-secret-keys
>> Starting program: /usr/bin/gpg2 -v --list-secret-keys
>> gpg: using PGP trust model
>> gpg: can't handle public key algorithm 3
>> gpg: subpacket of type 20 has critical bit set
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x00007ffff732e700 in ?? () from /lib/libgcrypt.so.11
>>
>>
>> #0  0x00007ffff732e700 in ?? () from /lib/libgcrypt.so.11
>> No symbol table info available.
>> #1  0x00007ffff72e6726 in ?? () from /lib/libgcrypt.so.11
>> No symbol table info available.
>> #2  0x00007ffff72e7bfa in ?? () from /lib/libgcrypt.so.11
>> No symbol table info available.
>> #3  0x00007ffff72e1ef2 in gcry_sexp_build () from /lib/libgcrypt.so.11
>> No symbol table info available.
>> #4  0x000000000042a05b in ?? ()
>> No symbol table info available.
>> #5  0x0000000000471e63 in ?? ()
>> No symbol table info available.
>> #6  0x00000000004383fc in ?? ()
>> No symbol table info available.
>> #7  0x000000000040c120 in ?? ()
>> No symbol table info available.
>> #8  0x00007ffff6b6114d in __libc_start_main () from /lib/libc.so.6
>> No symbol table info available.
>> #9  0x000000000040c5ed in ?? ()
>> No symbol table info available.
>> #10 0x00007fffffffe0b8 in ?? ()
>> ---Type <return> to continue, or q <return> to quit---
>> No symbol table info available.
>> #11 0x00000000ffffffff in ?? ()
>> No symbol table info available.
>> #12 0x0000000000000003 in ?? ()
>> No symbol table info available.
>> #13 0x00007fffffffe408 in ?? ()
>> No symbol table info available.
>> #14 0x00007fffffffe416 in ?? ()
>> No symbol table info available.
>> #15 0x00007fffffffe419 in ?? ()
>> No symbol table info available.
>> #16 0x0000000000000000 in ?? ()
>> No symbol table info available.
>>
>>
>> gpg2 -v --edit-key alphazo at gmail.com
>> Secret key is available.
>>
>> gpg: using PGP trust model
>> pub  1024D/242D4DFB  created: 2009-08-20  expires: never       usage: SC
>>                     trust: ultimate      validity: ultimate
>> sub  2048g/CBF93DD2  created: 2009-08-20  expires: never       usage: E
>> [ultimate] (1). Alphazo <alphazo at gmail.com>
>>
>> Alphazo
>>
>> On Wed, Dec 21, 2011 at 7:08 PM, Werner Koch <wk at gnupg.org> wrote:
>>> On Wed, 21 Dec 2011 15:35, alphazo at gmail.com said:
>>>
>>>> When importing this key I got the pinentry-gtk popup asking for the
>>>> passphrase for this key but this won't be of any help considering that
>>>> no private key material is there.
>>>
>>> Are you sure that it ask for the passphrase of the primary key?  It
>>> should ask for the one of the subkey.  In any case, please enter the
>>> passphrase of the subkey (which is usually the same as of the primary
>>> key).  Note, that I have a very similar setup and it worked without
>>> problems.  It is however possible that we have a regression here.
>>>
>>>> I could probably setup a temporary machine to use the full keychain
>>>> with passphrase then migrate to 2.1 and finally remove the private key
>>>> material of the primary key (is that possible with 2.1?).
>>>
>>> Yes, very easy:
>>>
>>>  gpg2 --with-keygrip -K
>>>
>>> shows you the keygrip of the keys.  Now, simply remove the file
>>> ~/.gnupg/private-keys-v1.d/KEYGRIP.key
>>>
>>>
>>> Salam-Shalom,
>>>
>>>   Werner
>>>
>>> --
>>> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
>>>
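The question in this thread is where an imported secret key ends up and how to check it. Werner's reply gives the mapping: `gpg2 --with-keygrip -K` prints each key's keygrip, and gpg-agent stores the corresponding secret key as `~/.gnupg/private-keys-v1.d/KEYGRIP.key`. The script below is an added example written for this page; it is not code from the thread or from GnuPG. It parses a constructed sample of the machine-readable listing (`gpg2 --with-colons --with-keygrip -K`, where the `grp` record following a `sec`/`ssb` record carries the keygrip in field 10), reports which keys have no file under a given directory, and removes only the primary key's file, which is the "remove the primary key material" step Werner describes. The key IDs reuse the 1024D/242D4DFB key shown in the thread; the fingerprints and keygrips in the sample are placeholders. One caveat worth knowing for the OpenPGP-card case: in 2.1 a card-backed key is expected to get a stub file in private-keys-v1.d too, so an empty directory after "secret key imported" means the migration did not land, whatever the import summary said.

```shell
#!/bin/sh
# Added example (not code from the thread or from GnuPG): map the keys in
# a "gpg2 --with-colons --with-keygrip -K" listing to their files under
# private-keys-v1.d, report missing files, and strip the primary key.

# Constructed sample listing. Key IDs follow the 1024D/242D4DFB key from
# the thread; fingerprints and keygrips are placeholders, not real values.
SAMPLE_LISTING='sec:u:1024:17:00000000242D4DFB:1250726400::::::scSC:::+:::
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA242D4DFB:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1250726400::0::Alphazo <alphazo at gmail.com>::::::::::0:
ssb:u:2048:16:00000000CBF93DD2:1250726400::::::e:::+:::
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCBF93DD2:
grp:::::::::2222222222222222222222222222222222222222:'

# Print "TYPE KEYID KEYGRIP" for every sec/ssb record read from stdin.
# The "grp" record that follows a key record carries the keygrip in
# field 10; intervening fpr/uid records are skipped.
keygrips_from_listing() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" { type = $1; keyid = $5 }
        $1 == "grp" && type != ""  { print type, keyid, $10; type = "" }
    '
}

# Read "TYPE KEYID KEYGRIP" lines from stdin and print the keygrips that
# have no KEYGRIP.key file under the directory given as $1. A card-backed
# key is expected to have a stub file here as well, so a missing file
# means the secret key (or its card stub) was not migrated.
missing_keygrips() {
    dir=$1
    while read -r type keyid grip; do
        if [ ! -f "$dir/$grip.key" ]; then
            printf '%s\n' "$grip"
        fi
    done
}

# Read "TYPE KEYID KEYGRIP" lines from stdin and delete only the primary
# key's file (type "sec") under $1, leaving the subkeys' files in place.
# This is the step from Werner's reply; back up the directory first.
strip_primary_secret() {
    dir=$1
    while read -r type keyid grip; do
        if [ "$type" = sec ]; then
            rm -f -- "$dir/$grip.key"
        fi
    done
}

# Stand-alone demo against a throwaway directory in which only the
# subkey's file exists. With a real keyring, replace the sample with the
# output of:  gpg2 --with-colons --with-keygrip -K
demo_dir=$(mktemp -d)
touch "$demo_dir/2222222222222222222222222222222222222222.key"
echo "Secret keys in listing (type keyid keygrip):"
printf '%s\n' "$SAMPLE_LISTING" | keygrips_from_listing
echo "Keygrips with no file under $demo_dir:"
printf '%s\n' "$SAMPLE_LISTING" | keygrips_from_listing | missing_keygrips "$demo_dir"
rm -rf "$demo_dir"
```

Point the functions at `~/.gnupg/private-keys-v1.d` to check a real migration. After `strip_primary_secret` has removed the primary's file, `gpg2 -K` should list that key as `sec#` (secret key not available) while the subkeys still show as `ssb`.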



More information about the Gnupg-devel mailing list