2.1.x regression (Re: gpg2 keytocard removes secret key)
NIIBE Yutaka
gniibe at fsij.org
Wed Feb 18 01:26:30 CET 2015
On 02/18/2015 02:35 AM, micah anderson wrote:
> To move the secret key material to the card, removing it from the
> computer, you would simply do a 'keytocard' operation, and then quit and
> save. In order to keep the secret key material on the computer, you
> would do the same operation, but this time you would *not* save when you
> quit. There are a number of tutorials out there that describe this step
> as the way to do it.
>
> I discovered yesterday that this third method does not work with gpg2:
> when you do the 'keytocard' operation, the secret key material is
> removed; you do not have the ability to opt out of the saving process.
Sorry, my bad. It is obviously a regression of 2.1.x. Note that
it works with 2.0, as does gpg1.
An excuse. From 2.0 to 2.1, there was a major architectural change
which moved private key handling to gpg-agent. Then, the feature of
"keytocard" was lost and it remained unimplemented (for somewhat longer)
during 2.1 development. It was kind of the last unimplemented
feature of 2.1 which blocked the release. A year ago, I managed to
implement the feature again in these commits:
b90506ea220860c89128f002bd593d0462a08d73
30f8a3c8736451d8c06ef72521a8da5eabf23016
But I forgot about the third case.
No, this is not a correct description. Now I can remember that I
clearly recognized this particular regression once or twice, and I
knew the exact reason. But it was buried under my unconscious
world. Then I made myself blind to this regression.
To support the third case, it would be required to add another command
(or two) to gpg-agent. But I think that it's worth doing.
Meanwhile...
> Perhaps a giant warning asking you to confirm would help people not
> lose their secret key material
This makes sense now, at least.
> Fortunately, when I was doing this, I had backups... !
Good.
I opened the issue here to track:
https://bugs.g10code.com/gnupg/issue1846
--
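The quoted procedure (run 'keytocard', then either save or quit without saving) is what loses the on-disk copy under 2.1.x. The script below is an added example, not code from the thread or from GnuPG: it refuses to start the 'keytocard' session until an ASCII-armored secret key export has been written and checked, so a user who expected the "quit without saving" behaviour still has a copy. The key id and backup path are placeholders passed by the caller; the validity check only looks at the armor header and footer lines.

```shell
#!/bin/sh
# Added example (not from the mailing list thread or GnuPG itself):
# back up a secret key with verification before running 'keytocard',
# since gpg 2.1 removes the on-disk key regardless of whether you save.
# KEYID and BACKUP_FILE are placeholders supplied on the command line.

# Return 0 if FILE is a non-empty ASCII-armored OpenPGP secret key export.
backup_is_valid() {
    file="$1"
    [ -s "$file" ] || return 1
    grep -q '^-----BEGIN PGP PRIVATE KEY BLOCK-----$' "$file" || return 1
    grep -q '^-----END PGP PRIVATE KEY BLOCK-----$' "$file" || return 1
    return 0
}

# Export the secret key KEYID to BACKUP with owner-only permissions,
# then verify the export before reporting success.
backup_secret_key() {
    keyid="$1"; backup="$2"
    # umask in a subshell so the script's own umask is left untouched
    ( umask 077; gpg --armor --export-secret-keys "$keyid" > "$backup" ) || return 1
    backup_is_valid "$backup"
}

# Open the interactive edit-key session only after a verified backup exists.
safe_keytocard() {
    keyid="$1"; backup="$2"
    if ! backup_secret_key "$keyid" "$backup"; then
        echo "backup of $keyid failed or is not a secret key block; refusing keytocard" >&2
        return 1
    fi
    echo "verified backup written to $backup"
    echo "in the gpg prompt, run 'keytocard' and then 'save'"
    gpg --edit-key "$keyid"
}

# Entry point: only runs when a key id and backup path are given.
if [ "$#" -ge 2 ]; then
    safe_keytocard "$1" "$2"
fi
```

Usage: `sh safe_keytocard.sh KEYID /path/to/backup.asc`. After the card operation, `gpg -K KEYID` should list the moved subkeys with a `>` marker (a stub pointing at the card) rather than the full secret key; keep the backup file offline and delete it only once you are sure you no longer need the key off the card.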