Downgrade problem. (Jean-David Beyer, David Shaw)

Leigh S. Jones kr6x@kr6x.com
Tue Jun 4 05:57:02 2002


And thanks for the correction on the secret key checksum
algorithm. I was repeating word of mouth and I apparently
had the information wrong.

----- Original Message -----
From: "Leigh S. Jones" <kr6x@kr6x.com>
To: "GnuPG Users' List" <gnupg-users@gnupg.org>
Sent: Monday, June 03, 2002 8:47 PM
Subject: Re: Downgrade problem. (Jean-David Beyer)


> Thanks for the supportive words, but where David Shaw
> is concerned I'll have to point out that I'm a neophyte with
> gpg next to him, and need to absorb from him anything I
> can learn.
>
> ----- Original Message -----
> From: "Jean-David Beyer" <jdbeyer@exit109.com>
> To: "GnuPG Users' List" <gnupg-users@gnupg.org>
> Sent: Monday, June 03, 2002 7:32 PM
> Subject: Re: Downgrade problem. (Jean-David Beyer)
>
>
> > David Shaw wrote:
> > > This is not correct.  There is no need to go through the trouble (and
> > > danger) of making a special copy of the key with no passphrase,
> > > disconnecting from the network, etc.
> >
> > I think Leigh S. Jones was showing that it could be done that way. I
> > am not sure that his procedure would not work, nor do I really care.
> > I believe he was trying to show me, in a round-about way, that I
> > should just upgrade, which I have now done. Note especially his last
> > line, emphasized by me with <---<<<
> >
> > Before upgrading from Red Hat 6.2 to 7.3, I made and verified three
> > backup tapes of EVERYTHING on this machine, so I did not need to
> > download 1.0.7; I simply restored the .gz from tape and did the
> > usual things.
> >
> > There are a lot of uses, in addition to fumble-fingers and disk
> > crashes, for good complete backups.
> >
> > > Just do this:
> > >
> > > 0) Make a backup of your keyrings.
> > >
> > > 1) On the 1.0.7 box:
> > >    gpg --simple-sk-checksum --edit (keyid)
> > >    Enter "passwd", and change your password to anything.  It does not
> > >    have to be blank, and you can in fact "set" it to what it currently
> > >    is.
> > >
> > > 2) On the 1.0.7 box:
> > >    gpg --export-secret-key (keyid) > mykey.gpg
> > >    gpg --export-key (keyid) >> mykey.gpg
> > >
> > >   (copy mykey.gpg to the new box)
> > >
> > > 3) On the 1.0.6 box:
> > >    gpg --allow-secret-key-import --import mykey.gpg
> > >
> > > However, I wouldn't do it - rebuild 1.0.7, and use that. <---<<<
> > >
> > > David
> > >
> > > On Mon, Jun 03, 2002 at 04:36:28PM -0700, Leigh S. Jones, KR6X wrote:
> > >
> > >>You will need 1.0.7 to fix the problem.  If you chose to
> > >>retain gpg 1.0.6, you will need to use someone's copy
> > >>of 1.0.7 to fix your keyring before it can be used by
> > >>1.0.6.
> > >>
> > >>To perform the fix, rename the existing keyring files
> > >>and options files for safe keeping.  Next, transport the
> > >>keyring files to be adjusted together with your options
> > >>file onto the ~/.gnupg directory being used.  Next,
> > >>temporarily disconnect the computer being used from
> > >>the network, for security purposes.  Edit your options
> > >>file, adding the line "simple-sk-checksum" at or near
> > >>the end of the file.  Now use the command:
> > >>
> > >>gpg --edit-key <keyID>
> > >>
> > >>to start the key edit function of gpg.  At the Command>
> > >>prompt enter "passwd".  Set your password to a zero
> > >>length blank password. At the Command>
> > >>prompt enter "save".  Do this once for each secret key
> > >>on your keyring.  Now copy your keyring file to a floppy
> > >>drive and keep it safe.  Blast away the copy of your
> > >>options file (edited) and the (now insecure) keyrings
> > >>on the workstation, and rename the "safe keeping" files
> > >>to return the workstation to its original condition.
> > >>Reconnect this machine to the network.  Take the
> > >>keyring files back to your own version 1.0.6 machine.
> > >>Disconnect it from the network before proceeding.
> > >>Don't overwrite your existing (unusable) keyring files --
> > >>rename them for now -- just to make sure you don't
> > >>overwrite something you will need later.  On gpg1.0.6
> > >>you won't need the simple-sk-checksum option added.
> > >>Edit each of your secret keys to reintroduce your
> > >>password in place of the blank password.  Test
> > >>by signing a file to make sure the password is right
> > >>on each of your secret keys.  When everything is shown
> > >>to be working OK, reformat/wipe the floppy drive to
> > >>blast away the insecure keyring files.  Now you can
> > >>reconnect your computer to the network.
> > >>
> > >>Sounds like it would be easier to build 1.0.7 again,
> > >>doesn't it?
> > >>
> > >>----- Original Message -----
> > >>From: "David Shaw" <dshaw@jabberwocky.com>
> > >>To: "GnuPG Users' List" <gnupg-users@gnupg.org>
> > >>Sent: Monday, June 03, 2002 15:58
> > >>Subject: Re: Downgrade problem.
> > >>
> > >>
> > >>
> > >>>On Mon, Jun 03, 2002 at 06:52:20PM -0400, Jean-David Beyer wrote:
> > >>>
> > >>>>I was running gnuPG 1.0.7 that I had compiled from scratch, and made
> > >>>>my keys with it. I have since upgraded my OS from Red Hat Linux 6.2
> > >>>>to R.H.L. 7.3 which has gnupg-1.0.6-5 on it. Nothing much works
> > >>>>because it has trouble with the key rings.
> > >>>>
> > >>>>I suspect an incompatibility with the way the key rings are
> > >>>>constructed. I further suspect that were I to download the latest
> > >>>>(1.0.7, I suppose) and built it, that my existing key rings would
> > >>>>resume operating? Are my suspicions correct, or is it likely to be a
> > >>>>different problem?
> > >>>
> > >>>You are correct.  1.0.7 has a slightly different keyring format
> > >>>(actually a problem in 1.0.6).
> > >>
> > >
> >
> >
> >
> > --
> >   .~.  Jean-David Beyer           Registered Linux User 85642.
> >   /V\                             Registered Machine    73926.
> > /( )\ Shrewsbury, New Jersey     http://counter.li.org
> > ^^-^^ 10:25pm up 6 days, 6 min, 2 users, load average: 5.30, 5.05, 4.86
> >
> >
> > _______________________________________________
> > Gnupg-users mailing list
> > Gnupg-users@gnupg.org
> > http://lists.gnupg.org/mailman/listinfo/gnupg-users
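
An added example, not part of the thread and not GnuPG's own code: a way to check, before importing an exported key file on the older box, which integrity check each secret-key packet carries. It assumes the format difference behind `simple-sk-checksum` is the one recorded in the S2K usage octet of the OpenPGP secret-key packet (RFC 4880, section 5.5.3); the function names are hypothetical and the sample packets are constructed.

```python
# Added example (not from the thread): classify secret-key protection by S2K usage octet.
N_PUBLIC_MPIS = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4, 20: 3}  # RSA, Elgamal, DSA
USAGE = {0: "unprotected, 16-bit checksum", 254: "encrypted, SHA-1 hash",
         255: "encrypted, 16-bit checksum"}

def read_packets(data):
    """Yield (tag, body) for each definite-length OpenPGP packet."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                      # new-format header
            tag, first = hdr & 0x3F, data[pos + 1]
            if first < 192:
                length, pos = first, pos + 2
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
            else:
                raise ValueError("partial body length not handled")
        else:                               # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            n = 1 << ltype
            length, pos = int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n
        yield tag, data[pos:pos + length]
        pos += length

def s2k_usage(body):
    """Skip the public fields of a v4 secret-key packet; return the usage octet."""
    if body[0] != 4:
        raise ValueError("only version 4 keys handled")
    pos = 6                                 # version(1) + created(4) + algorithm(1)
    for _ in range(N_PUBLIC_MPIS[body[5]]):
        pos += 2 + (int.from_bytes(body[pos:pos + 2], "big") + 7) // 8
    return body[pos]

def checksum_report(data):
    """List (tag, protection) for secret key (5) and secret subkey (7) packets."""
    legacy = "encrypted (legacy cipher id), 16-bit checksum"
    return [(t, USAGE.get(s2k_usage(b), legacy))
            for t, b in read_packets(data) if t in (5, 7)]

def constructed_packet(usage):
    """Constructed sample: tiny fake RSA secret-key packet with an old-format header."""
    body = (bytes([4, 0x3C, 0xFC, 0, 0, 1]) + b"\x00\x08\xc5" + b"\x00\x05\x11"
            + bytes([usage]) + b"\x00" * 8)
    return bytes([0x94, len(body)]) + body
```

On a real export, pass the binary (not ASCII-armored) file contents to `checksum_report`; a key reported with the SHA-1 hash is in the newer secret-key format.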