Downgrade problem. (Jean-David Beyer)

Jean-David Beyer
Tue Jun 4 04:31:01 2002

David Shaw wrote:
> This is not correct.  There is no need to go through the trouble (and
> danger) of making a special copy of the key with no passphrase,
> disconnecting from the network, etc.

I think Leigh S. Jones was showing that it could be done that way. I 
am not sure that his procedure would not work, nor do I really care. 
I believe he was trying to show me, in a round-about way, that I 
should just upgrade, which I have now done. Note especially his last 
line, emphasized by me with <---<<<

Before upgrading from Red Hat 6.2 to 7.3, I made and verified three 
backup tapes of EVERYTHING on this machine, so I did not need to 
download 1.0.7; I simply restored the .gz from tape and did the 
usual things.

There are a lot of uses, in addition to fumble-fingers and disk 
crashes, for good complete backups.

> Just do this:
> 0) Make a backup of your keyrings.
> 1) On the 1.0.7 box:
>    gpg --simple-sk-checksum --edit (keyid)
>    Enter "passwd", and change your password to anything.  It does not
>    have to be blank, and you can in fact "set" it to what it currently
>    is.
> 2) On the 1.0.7 box:
>    gpg --export-secret-key (keyid) > mykey.gpg
>    gpg --export-key (keyid) >> mykey.gpg
>   (copy mykey.gpg to the new box)
> 3) On the 1.0.6 box:
>    gpg --allow-secret-key-import --import mykey.gpg
> However, I wouldn't do it - rebuild 1.0.7, and use that. <---<<<
> David
> On Mon, Jun 03, 2002 at 04:36:28PM -0700, Leigh S. Jones, KR6X wrote:
>>You will need 1.0.7 to fix the problem.  If you chose to
>>retain gpg 1.0.6, you will need to use someone's copy
>>of 1.0.7 to fix your keyring before it can be used by
>>To perform the fix, rename the existing keyring files
>>and options files for safe keeping.  Next, transport the
>>keyring files to be adjusted together with your options
>>file onto the ~/.gnupg directory being used.  Next,
>>temporarily disconnect the computer being used from
>>the network, for security purposes.  Edit your options
>>file, adding the line "simple-sk-checksum" at or near
>>the end of the file.  Now use the command:
>>gpg --edit-key <keyID>
>>to start the key edit function of gpg.  At the Command>
>>prompt enter "passwd".  Set your password to a zero
>>length blank password. At the Command>
>>prompt enter "save".  Do this once for each secret key
>>on your keyring.  Now copy your keyring file to a floppy
>>drive and keep it safe.  Blast away the copy of your
>>options file (edited) and the (now insecure) keyrings.
>>on the workstation, and rename the "safe keeping" files
>>to return the workstation to its original condition.
>>Reconnect this machine to the network.  Take the
>>keyring files back to your own version 1.0.6 machine.
>>Disconnect it from the network before proceeding.
>>Don't overwrite your existing (unusable) keyring files --
>>rename them for now -- just to make sure you don't
>>overwrite something you will need later.  On gpg1.0.6
>>you won't need the simple-sk-checksum option added.
>>Edit each of your secret keys to reintroduce your
>>password in place of the blank password.  Test
>>by signing a file to make sure the password is right
>>on each of your secret keys.  When everything is shown
>>to be working OK, reformat/wipe the floppy drive to
>>blast away the insecure keyring files.  Now you can
>>reconnect your computer to the network.
>>Sounds like it would be easier to build 1.0.7 again,
>>doesn't it?
>>----- Original Message -----
>>From: "David Shaw" <>
>>To: "GnuPG Users' List" <>
>>Sent: Monday, June 03, 2002 15:58
>>Subject: Re: Downgrade problem.
>>>On Mon, Jun 03, 2002 at 06:52:20PM -0400, Jean-David Beyer wrote:
>>>>I was running gnuPG 1.0.7 that I had compiled from scratch, and made
>>>>my keys with it. I have since upgraded my OS from Red Hat Linux 6.2
>>>>to R.H.L. 7.3 which has gnupg-1.0.6-5 on it. Nothing much works
>>>>because it has trouble with the key rings.
>>>>I suspect an incompatibility with the way the key rings are
>>>>constructed. I further suspect that were I to download the latest
>>>>(1.0.7, I suppose) and built it, that my existing key rings would
>>>>resume operating? Are my suspicions correct, or is it likely to be a
>>>>different problem?
>>>You are correct.  1.0.7 has a slightly different keyring format
>>>(actually a problem in 1.0.6).

  .~.  Jean-David Beyer           Registered Linux User 85642.
  /V\                             Registered Machine    73926.
/( )\ Shrewsbury, New Jersey
^^-^^ 10:25pm up 6 days, 6 min, 2 users, load average: 5.30, 5.05, 4.86