[Bug 1565963] Re: gpg secret keys not migrated after upgrade to gnupg 2.1
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Sat Apr 9 01:37:04 CEST 2016
Over on https://bugs.launchpad.net/bugs/1565963, Timo Aaltonen has found
a repeatable scenario where the secret keyring has not been successfully
migrated properly when switching over to gnupg 2.1:
On Fri 2016-04-08 12:35:05 -0300, Timo Aaltonen <tjaalton at ubuntu.com> wrote:
> :: tjaalton at wilson:~/.gnupg> ls -al
> total 1092
> drwx------ 3 tjaalton tjaalton 4096 huhti 8 18:21 .
> drwxr-xr-x 42 tjaalton tjaalton 4096 huhti 8 18:25 ..
> -rw------- 1 tjaalton tjaalton 8081 maali 20 2015 gpg.conf
> -rw-rw-r-- 1 tjaalton tjaalton 0 huhti 8 00:09 .gpg-v21-migrated
> drw------- 2 tjaalton tjaalton 4096 maali 20 2015 private-keys-v1.d
> -rw------- 1 tjaalton tjaalton 1669 maali 20 2015 public.key
> -rw------- 1 tjaalton tjaalton 517605 maali 20 2015 pubring.gpg
> -rw------- 1 tjaalton tjaalton 600 maali 17 22:44 random_seed
> -rw------- 1 tjaalton tjaalton 7322 maali 20 2015 secring.gpg
> srwxrwxr-x 1 tjaalton tjaalton 0 huhti 8 00:37 S.gpg-agent
> -rw------- 1 tjaalton tjaalton 4520 maali 20 2015 trustdb.gpg
>
> don't see anything wrong there
It's a little unusual to have ~/.gnupg/private-keys-v1.d not be u+x, as
that would imply that the directory isn't listable. This is probably
causing problems for the gpg-agent.

When i test with this setup, i can verify that the migration doesn't
happen properly, although .gpg-v21-migrated gets created anyway.

from a new user account, with gpg1 as 1.4.20 and gpg2 as 2.1.11, i ran
the following three commands:

    gpg1 --gen-key
    mkdir -m 0600 ~/.gnupg/private-keys-v1.d
    gpg2 --list-secret-keys

The final command returns an error code of 2 and produces these messages
to the terminal:

    gpg: starting migration from earlier GnuPG versions
    gpg: porting secret keys from '/home/demouser/.gnupg/secring.gpg' to gpg-agent
    gpg: key C93913FC/C93913FC: error sending to agent: Permission denied
    gpg: error building skey array: Permission denied
    gpg: migration succeeded

I have no idea how this directory got the u+x bit cleared, but maybe
that's something that either:
a) gpg-agent could clean up on its own, or
b) should cause gpg-agent to not create the .gpg-v21-migrated marker file
wdyt?
--dkg
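
The state described in this message (marker file present, legacy secring.gpg non-empty, private-keys-v1.d without full owner permissions) can be detected with a small shell function. This is an added example, not part of the original message or of GnuPG; the function name check_gnupg_migration and its status strings are made up for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not GnuPG code): flag a GnuPG home
# where the 2.1 migration marker exists but private-keys-v1.d is not
# usable by its owner, which is the state shown in this report.
# Prints one status word; returns 0 for ok/not applicable, 1 for suspect.
check_gnupg_migration() {
    home=${1:-$HOME/.gnupg}
    marker=$home/.gpg-v21-migrated
    keydir=$home/private-keys-v1.d
    secring=$home/secring.gpg

    # No marker: gpg2 has not attempted the migration yet.
    [ -e "$marker" ] || { echo "not-migrated"; return 0; }
    # No (or empty) legacy secret keyring: nothing could have been skipped.
    [ -s "$secring" ] || { echo "ok-no-legacy-secrets"; return 0; }
    # Marker and legacy secrets exist, but there is no agent key store.
    [ -d "$keydir" ] || { echo "suspect-keydir-missing"; return 1; }

    # Read the owner bits from the ls mode string (e.g. "drw-------").
    # test -x is avoided because root bypasses directory permission
    # checks, which would hide the problem when run as root.
    mode=$(ls -ld "$keydir" | cut -c1-10)
    owner=$(printf '%s' "$mode" | cut -c2-4)
    case $owner in
        rw[xs]) echo "ok"; return 0 ;;
        *)      echo "suspect-keydir-mode:$mode"; return 1 ;;
    esac
}
```

Called with no argument it inspects ~/.gnupg; a "suspect" result means the marker should not be trusted as proof that the secret keys reached gpg-agent.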