[Bug 1565963] Re: gpg secret keys not migrated after upgrade to gnupg 2.1

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat Apr 9 01:37:04 CEST 2016


Over on https://bugs.launchpad.net/bugs/1565963, Timo Aaltonen has found
a repeatable scenario where the secret keyring has not been successfully
migrated properly when switching over to gnupg 2.1:

On Fri 2016-04-08 12:35:05 -0300, Timo Aaltonen <tjaalton at ubuntu.com> wrote:
> :: tjaalton at wilson:~/.gnupg> ls -al
> total 1092
> drwx------  3 tjaalton tjaalton   4096 huhti  8 18:21 .
> drwxr-xr-x 42 tjaalton tjaalton   4096 huhti  8 18:25 ..
> -rw-------  1 tjaalton tjaalton   8081 maali 20  2015 gpg.conf
> -rw-rw-r--  1 tjaalton tjaalton      0 huhti  8 00:09 .gpg-v21-migrated
> drw-------  2 tjaalton tjaalton   4096 maali 20  2015 private-keys-v1.d
> -rw-------  1 tjaalton tjaalton   1669 maali 20  2015 public.key
> -rw-------  1 tjaalton tjaalton 517605 maali 20  2015 pubring.gpg
> -rw-------  1 tjaalton tjaalton    600 maali 17 22:44 random_seed
> -rw-------  1 tjaalton tjaalton   7322 maali 20  2015 secring.gpg
> srwxrwxr-x  1 tjaalton tjaalton      0 huhti  8 00:37 S.gpg-agent
> -rw-------  1 tjaalton tjaalton   4520 maali 20  2015 trustdb.gpg
>
> don't see anything wrong there

It's a little unusual to have ~/.gnupg/private-keys-v1.d not be u+x, as
that would imply that the directory isn't listable.  This is probably
causing problems for the gpg-agent.

When i test with this setup, i can verify that the migration doesn't
happen properly, although .gpg-v21-migrated gets created anyway.

from a new user account, with gpg1 as 1.4.20 and gpg2 as 2.1.11, i ran
the following three commands:

  gpg1 --gen-key
  mkdir -m 0600 ~/.gnupg/private-keys-v1.d
  gpg2 --list-secret-keys

The final command returns an error code of 2 and produces these messages
to the terminal:

gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/home/demouser/.gnupg/secring.gpg' to gpg-agent
gpg: key C93913FC/C93913FC: error sending to agent: Permission denied
gpg: error building skey array: Permission denied
gpg: migration succeeded

I have no idea how this directory got the u+x bit cleared, but maybe
that's something that either:

 a) gpg-agent could clean up on its own, or

 b) should cause gpg-agent to not create the .gpg-v21-migrated marker file

wdyt?

     --dkg
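
A read-only check for the state described in this message (the .gpg-v21-migrated marker is present but the agent's key store is unusable or empty), as an added example that is not part of the original post or of GnuPG. The function name check_gnupg_migration and the "no *.key files" heuristic are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a GnuPG home directory for the failed-migration state
# described above. It only reads metadata and changes nothing.
# Usage: check_gnupg_migration ~/.gnupg   (hypothetical helper name)

check_gnupg_migration() {
    home=${1:-${GNUPGHOME:-$HOME/.gnupg}}
    keydir=$home/private-keys-v1.d
    marker=$home/.gpg-v21-migrated
    secring=$home/secring.gpg
    findings=0

    # 1. The agent's key store must be readable, writable and searchable by
    #    its owner. The mode string is parsed from ls so the check also works
    #    as root, where "test -x" succeeds regardless of the mode bits.
    if [ -d "$keydir" ]; then
        owner_bits=$(ls -ld "$keydir" | cut -c2-4)
        if [ "$owner_bits" != "rwx" ]; then
            echo "WARN: $keydir owner bits are '$owner_bits', expected 'rwx' (chmod 0700)"
            findings=$((findings + 1))
        fi
    fi

    # 2. Heuristic (assumption of this example): the marker says "migrated"
    #    and the legacy secret keyring is non-empty, yet the agent's store
    #    holds no *.key files, so the marker cannot be trusted.
    if [ -e "$marker" ] && [ -s "$secring" ]; then
        nkeys=$(find "$keydir" -name '*.key' 2>/dev/null | wc -l | tr -d ' ')
        if [ "$nkeys" -eq 0 ]; then
            echo "WARN: $marker exists but $keydir holds no keys from $secring"
            findings=$((findings + 1))
        fi
    fi

    # Exit status 0 means no finding, 1 means at least one finding.
    [ "$findings" -eq 0 ]
}
```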


