Secret key export difference in 1.4 and 2.1

Neal H. Walfield neal at walfield.org
Wed Oct 26 11:42:41 CEST 2016


On Wed, 26 Oct 2016 11:34:04 +0200,
Justus Winter wrote:
> > On 10/26/2016 11:08 AM, Neal H. Walfield wrote:
> >> The secret key is not simply a dump of the private key material, but
> >> an OpenPGP message.  This means that there are many ways to encode the
> >> same data.  It wouldn't surprise me if we are using a slightly
> >> different encoding in 2.1 vs. 1.4.  But, this is not a bug.  What
> >> exactly is the test doing, and what is it testing for?
> >
> > Well, the test is for our exportPrivateKey() method which does just gpg
> > --export-secret-keys "fingerprint". We make sure the output is always
> > the same. It worked with 1.4. If it's not a proper way now, we'll have
> > to change it, but I'm not sure how to do this. How can I find out that
> > the exported data is really the data we want? Or can I just assume that if
> > there's no error and the output data contains "BEGIN PGP PRIVATE KEY BLOCK"
> > we're fine? I don't think I'll decode the message, I'd prefer some
> > simple checks.
> 
> You can use --list-packets to inspect the message.  Take a look at
> tests/openpgp/export.scm for inspiration.  Or you can try to import the
> key into a fresh gnupghome.

Using --list-packets is okay for debugging, but the interface is not
guaranteed to be stable.  Instead, you are better off doing something
like:

  gpg --status-fd 1 --import exported-key.asc | grep 'IMPORT_OK [0-9]* FINGERPRINT'

:) Neal
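The following is an added example, not code from this thread or from GnuPG itself, that puts the two suggestions above together: the exported file is imported into a fresh, throwaway GNUPGHOME (so a key already sitting in the developer's keyring cannot make the test pass by accident) and the `--status-fd` output is checked for an `IMPORT_OK` line carrying the expected fingerprint. The status-line parser is split out so it can be exercised without gpg installed; the function names, the sample status lines and the fingerprint value are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): verify an exported secret key by
# importing it into a throwaway GNUPGHOME and checking gpg's machine-readable
# status output. Helper names and sample data below are constructed.

# check_import_status STATUS_TEXT FINGERPRINT
# Returns 0 if STATUS_TEXT contains an "IMPORT_OK <flags> <fingerprint>"
# line for FINGERPRINT. The flags field is a decimal bitmask (e.g. 16 marks
# a secret key), so it is matched with [0-9]*; the fingerprint is anchored
# at end of line so a truncated or partial fingerprint does not match.
check_import_status() {
    status_text=$1
    fpr=$2
    printf '%s\n' "$status_text" \
      | grep -q "^\[GNUPG:\] IMPORT_OK [0-9]* $fpr\$"
}

# verify_exported_key KEYFILE FINGERPRINT
# Imports KEYFILE into a fresh temporary GNUPGHOME, then checks the status
# output with check_import_status. Requires gpg on PATH; the temporary
# directory is removed before returning. Returns 0 on success, 1 if gpg
# failed or the fingerprint was not imported, 2 if no temp dir was available.
verify_exported_key() {
    keyfile=$1
    fpr=$2
    tmphome=$(mktemp -d) || return 2
    chmod 700 "$tmphome"
    rc=0
    # --batch suppresses prompts; --status-fd 1 sends status lines to stdout
    # while stderr keeps the human-readable diagnostics.
    status=$(GNUPGHOME="$tmphome" gpg --batch --status-fd 1 \
             --import "$keyfile" 2>/dev/null) || rc=$?
    rm -rf "$tmphome"
    [ "$rc" -eq 0 ] || return 1
    check_import_status "$status" "$fpr"
}

# Constructed sample of what gpg writes on --status-fd when a new secret key
# is imported (the fingerprint is a made-up placeholder, not a real key).
SAMPLE_STATUS='[GNUPG:] IMPORT_OK 1 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] IMPORT_OK 17 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] IMPORT_RES 1 0 1 0 0 0 0 0 0 1 1 0 0 0 0'

# Usage: verify_exported_key exported-key.asc <expected fingerprint>
```

Checking the fingerprint rather than the raw bytes makes the test independent of how a given GnuPG version chooses to encode the exported packets, which is exactly the difference between 1.4 and 2.1 that started this thread.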
