2.1.0~beta864: gpg2 --list-secret-keys fails if gniibe's key is in pubring.kbx

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Oct 8 20:47:47 CEST 2014


Hi GnuPG folks--

I'm trying to use 2.1.0 beta864.  gpg2 --list-secret-keys fails (returns
a non-zero return code) if any of the *public* keys it knows about fail
to have a proper keygrip.

Gniibe's key has such a subkey (for some reason I don't understand).

This means that anyone who has gniibe's key in their pubring won't be
able to get gpg2 --list-secret-keys to return a non-zero error.

Enigmail apparently regularly does gpg --list-secret-keys in the
background before sending signed mail, and returns an error if the
process terminates abnormally.

This means that anyone with gniibe's key in their public keyring can't
sign messages in enigmail.

Below is a transcript of the problem, from a clean slate.  The numbers
before the shell prompt are the return code of the previous invocation.

It's also worth noting that the output of --with-keygrip appears to
publish something that changes each time it's run -- this may be an
information leak of memory that isn't properly initialized or cleared.

       --dkg


0 demo at saturn:~$ rm -rf .gnupg
0 demo at saturn:~$ gpg2 --list-secret-keys
gpg: directory '/home/demo/.gnupg' created
gpg: new configuration file '/home/demo/.gnupg/gpg.conf' created
gpg: WARNING: options in '/home/demo/.gnupg/gpg.conf' are not yet active during this run
gpg: keybox '/home/demo/.gnupg/pubring.kbx' created
gpg: /home/demo/.gnupg/trustdb.gpg: trustdb created
0 demo at saturn:~$ gpg2 --list-secret-keys
0 demo at saturn:~$ gpg2 --recv 124124BD3B4862AF7A0A42F100B45EBD4CA7BABE
gpg: key 4CA7BABE: public key "NIIBE Yutaka <gniibe at fsij.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
0 demo at saturn:~$ gpg2 --list-secret-keys
gpg: error computing keygrip
2 demo at saturn:~$ gpg2 --list-keys --with-keygrip
gpg: error computing keygrip
/home/demo/.gnupg/pubring.kbx
------------------------------
pub   rsa2048/4CA7BABE 2010-10-15
      Keygrip = 101DE7B639FE29F4636BDEECF442A9273AFA6565
uid       [ unknown] NIIBE Yutaka <gniibe at fsij.org>
uid       [ unknown] NIIBE Yutaka <gniibe at debian.org>
sub   secp256k1/975B9053 2014-01-16 secp256k1
      Keygrip = 00000000000000000000000000000000A0021C13
sub   rsa2048/084239CF 2010-10-15
      Keygrip = 65F67E742101C7FE6D5B33FCEFCF4F65EAF0688C
sub   rsa2048/5BB065DC 2010-10-22
      Keygrip = 5D6C89682D07CCFC034AF508420BF2276D8018ED

2 demo at saturn:~$ gpg2 --list-keys --with-keygrip
gpg: error computing keygrip
/home/demo/.gnupg/pubring.kbx
------------------------------
pub   rsa2048/4CA7BABE 2010-10-15
      Keygrip = 101DE7B639FE29F4636BDEECF442A9273AFA6565
uid       [ unknown] NIIBE Yutaka <gniibe at fsij.org>
uid       [ unknown] NIIBE Yutaka <gniibe at debian.org>
sub   secp256k1/975B9053 2014-01-16 secp256k1
      Keygrip = 00000000000000000000000000000000A0A26DAD
sub   rsa2048/084239CF 2010-10-15
      Keygrip = 65F67E742101C7FE6D5B33FCEFCF4F65EAF0688C
sub   rsa2048/5BB065DC 2010-10-22
      Keygrip = 5D6C89682D07CCFC034AF508420BF2276D8018ED

2 demo at saturn:~$  diff -u <(gpg2 --with-colons --list-keys --with-keygrip)  <(gpg2 --with-colons --list-keys --with-keygrip)
gpg: gpg: error computing keygrip
error computing keygrip
--- /dev/fd/63	2014-10-08 14:43:27.084783772 -0400
+++ /dev/fd/62	2014-10-08 14:43:27.084783772 -0400
@@ -4,7 +4,7 @@
 uid:-::::1290131210::95E10B8292AEC7A07277EBF8853FF9C6647CAAEB::NIIBE Yutaka <gniibe at fsij.org>:
 uid:-::::1290130668::449322114961C0A907E070744D791FEF23AB63D4::NIIBE Yutaka <gniibe at debian.org>:
 sub:-:0:19:824E72CE975B9053:1389837376::::::sa::::::
-grp:::::::::0000000000000000106FBC00057F0000A0B2BB00:
+grp:::::::::000000000000000010CFA2B3597F0000A012A2B3:
 sub:-:2048:1:79A79093084239CF:1287125193::::::e::::::
 grp:::::::::65F67E742101C7FE6D5B33FCEFCF4F65EAF0688C:
 sub:-:2048:1:9C33B6BA5BB065DC:1287727596::::::a::::::
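Review bot: the only line that changes in this hunk is the grp: record for the secp256k1 subkey 824E72CE975B9053 (the sub: record with algorithm 19 and length 0 just above it), and the two values are not two different hashes: both keep a fixed run of sixteen zero nibbles and differ only in the remaining bytes between back-to-back runs, which fits the report's suspicion that gpg prints an uncomputed buffer after "error computing keygrip" rather than a real SHA-1 keygrip. The behaviour worth fixing in gpg is that the grp: record (and the "Keygrip =" line in the human-readable listing) is still emitted when the keygrip computation fails; suppressing or blanking it in that case would stop callers that parse --with-colons from treating the value as valid.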
1 jj955 at alice:~$ 
gpg2 --version
gpg (GnuPG) 2.1.0
libgcrypt 1.6.2
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
0 demo at saturn:~$ 
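An added check, written for this page and not part of dkg's post or of GnuPG itself: a small Python script that parses two captures of `gpg2 --with-colons --list-keys --with-keygrip` output and reports any key whose grp: record changes between runs or carries the zero-padded pattern seen in the transcript. The sample listings are constructed from the diff above; the pub: record and its timestamp are made up for the example, since the hunk does not show them.

```python
"""Flag unstable or degenerate keygrips in gpg --with-colons output."""
from typing import Dict, List, Optional

# Constructed sample input, reduced to the records the check needs. The
# sub:/grp: lines follow the diff in the report; the pub: line is invented.
RUN_A = """\
pub:-:2048:1:00B45EBD4CA7BABE:1287125193::::::scESC::::::
grp:::::::::101DE7B639FE29F4636BDEECF442A9273AFA6565:
sub:-:0:19:824E72CE975B9053:1389837376::::::sa::::::
grp:::::::::0000000000000000106FBC00057F0000A0B2BB00:
sub:-:2048:1:79A79093084239CF:1287125193::::::e::::::
grp:::::::::65F67E742101C7FE6D5B33FCEFCF4F65EAF0688C:
"""
# Second run: identical except for the secp256k1 subkey's grp: record.
RUN_B = RUN_A.replace("0000000000000000106FBC00057F0000A0B2BB00",
                      "000000000000000010CFA2B3597F0000A012A2B3")


def keygrips(listing: str) -> Dict[str, str]:
    """Map each pub/sub key ID (field 5) to the keygrip in the grp: record
    that follows it (field 10, same slot the fpr: record uses)."""
    grips: Dict[str, str] = {}
    current: Optional[str] = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            current = fields[4]
        elif fields[0] == "grp" and current is not None:
            grips[current] = fields[9]
    return grips


def suspicious(grip: str) -> bool:
    """A keygrip is a 20-byte SHA-1 digest, so sixteen leading zero
    nibbles (64 zero bits) is a roughly 2^-64 event for a real digest and
    almost certainly means gpg emitted an uncomputed buffer."""
    return len(grip) != 40 or grip.startswith("0" * 16)


def unstable_keys(run_a: str, run_b: str) -> List[str]:
    """Key IDs whose keygrip differs between the two runs or looks bogus."""
    a, b = keygrips(run_a), keygrips(run_b)
    return sorted(k for k in a if a[k] != b.get(k) or suspicious(a[k]))


if __name__ == "__main__":
    for key_id in unstable_keys(RUN_A, RUN_B):
        print(f"unstable keygrip for key {key_id}: {keygrips(RUN_A)[key_id]}")
```

Feeding it two live captures instead of the embedded samples turns it into a regression check for the bug the post describes.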