Secret key export difference in 1.4 and 2.1

Neal H. Walfield neal at
Wed Oct 26 14:31:28 CEST 2016

On Wed, 26 Oct 2016 14:20:56 +0200,
A.L.E.C wrote:
> On 10/26/2016 11:35 AM, Werner Koch wrote:
> > It seems that the key binding signature for the subkey has been
> > re-created.  DSA is depending on the implementation not deterministic
> > and thus you see different signature values.
> > 
> > An you please describe exactly how you created the keys and the test
> > vector?
> For each test we setup a new homedir with content generated long time
> ago with this script
> As generating keys takes long time we obviously can't generate the
> content on every tests execution.
> In other words, we generated a set of keys and imported them to the
> empty keyring. Then when we run tests we re-create a new homedir and
> copy saved keyring (and other homedir files) there, then execute a test.

This is good.

> In this case we compare the original private key block with the result
> of the --export-secret-keys command.

Please don't do this.

> Maybe I just should generate a homedir and keys sets for each main gpg
> version separately. I should probably do it anyway, to skip the
> migration process on every test, but will that solve the secret key
> export issue? Will be signature the same for every gpg release across
> the main version, i.e. 1.4, 2.0, 2.1? Or maybe there's some command line
> argument which we could use for export command to get the same signature
> value?

I provided you with an example of how to do what you want using the
official API.  Is it somehow inadequate?


:) Neal

More information about the Gnupg-devel mailing list