Downgrade problem. (Jean-David Beyer)

David Shaw
Tue Jun 4 04:17:02 2002

This is not correct.  There is no need to go through the trouble (and
danger) of making a special copy of the key with no passphrase,
disconnecting from the network, etc.

Just do this:

0) Make a backup of your keyrings.

1) On the 1.0.7 box:
   gpg --simple-sk-checksum --edit (keyid)
   Enter "passwd", and change your password to anything.  It does not
   have to be blank, and you can in fact "set" it to what it currently

2) On the 1.0.7 box:
   gpg --export-secret-key (keyid) > mykey.gpg
   gpg --export-key (keyid) >> mykey.gpg

  (copy mykey.gpg to the new box)

3) On the 1.0.6 box:
   gpg --allow-secret-key-import --import mykey.gpg

However, I wouldn't do it - rebuild 1.0.7, and use that.


On Mon, Jun 03, 2002 at 04:36:28PM -0700, Leigh S. Jones, KR6X wrote:
> You will need 1.0.7 to fix the problem.  If you chose to
> retain gpg 1.0.6, you will need to use someone's copy
> of 1.0.7 to fix your keyring before it can be used by
> 1.0.6.
> To perform the fix, rename the existing keyring files
> and options files for safe keeping.  Next, transport the
> keyring files to be adjusted together with your options
> file onto the ~/.gnupg directory being used.  Next,
> temporarily disconnect the computer being used from
> the network, for security purposes.  Edit your options
> file, adding the line "simple-sk-checksum" at or near
> the end of the file.  Now use the command:
> gpg --edit-key <keyID>
> to start the key edit function of gpg.  At the Command>
> prompt enter "passwd".  Set your password to a zero
> length blank password. At the Command>
> prompt enter "save".  Do this once for each secret key
> on your keyring.  Now copy your keyring file to a floppy
> drive and keep it safe.  Blast away the copy of your
> options file (edited) and the (now insecure) keyrings.
> on the workstation, and rename the "safe keeping" files
> to return the workstation to its original condition.
> Reconnect this machine to the network.  Take the
> keyring files back to your own version 1.0.6 machine.
> Disconnect it from the network before proceeding.
> Don't overwrite your existing (unusable) keyring files --
> rename them for now -- just to make sure you don't
> overwrite something you will need later.  On gpg1.0.6
> you won't need the simple-sk-checksum option added.
> Edit each of your secret keys to reintroduce your
> password in place of the blank password.  Test
> by signing a file to make sure the password is right
> on each of your secret keys.  When everything is shown
> to be working OK, reformat/wipe the floppy drive to
> blast away the insecure keyring files.  Now you can
> reconnect your computer to the network.
> Sounds like it would be easier to build 1.0.7 again,
> doesn't it?
> ----- Original Message -----
> From: "David Shaw" <>
> To: "GnuPG Users' List" <>
> Sent: Monday, June 03, 2002 15:58
> Subject: Re: Downgrade problem.
> > On Mon, Jun 03, 2002 at 06:52:20PM -0400, Jean-David Beyer wrote:
> > > I was running gnuPG 1.0.7 that I had compiled from scratch, and made
> > > my keys with it. I have since upgraded my OS from Red Hat Linux 6.2
> > > to R.H.L. 7.3 which has gnupg-1.0.6-5 on it. Nothing much works
> > > because it has trouble with the key rings.
> > >
> > > I suspect an incompatibility with the way the key rings are
> > > constructed. I further suspect that were I to download the latest
> > > (1.0.7, I suppose) and built it, that my existing key rings would
> > > resume operating? Are my suspicions correct, or is it likely to be a
> > > different problem?
> >
> > You are correct.  1.0.7 has a slightly different keyring format
> > (actually a problem in 1.0.6).

   David Shaw  |  |  WWW
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson