Strange PGP server problem
Derek D. Martin
ddm@pizzashack.org
Sat Mar 16 05:28:01 2002
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I've come across a problem I'm not really sure how to fix. It may not
be a gpg problem per se, but a problem with the PGP servers.

To make a long story short, I have two different versions of my pgp
key -- each with a different valid encryption subkey. The old key is
no good, and no one can get the new key, because the pgp servers seem
to have problems with the key. Now, the longer version:

Today, I updated my key by creating a new 4K Elgamal encryption key,
and revoking my old encryption subkey. I also had a number of UIDs
that are no longer valid, so I revoked the signature on those.

Note that I'm pretty sure the 4K size of the key is not the problem,
as I created another key of 4K today, which I had no trouble with.

I uploaded the new version of my key to the keyserver at pgp.mit.edu,
and checked that the new key was reflected in queries. Well, it had
completely disappeared! Ok, not completely. If I search on my
name, the key doesn't show up. If I search by key ID, it does show
up.

On my system, the key seems fine:

$ gpg --list-key ddm
pub 1024D/81CFE75D 2000-10-29 Derek Martin <ddm@pizzashack.org>
uid [revoked] Derek Martin <ddm@cerberus.ne.mediaone.net>
uid [revoked] Derek Martin <ddm@mclinux.com>
sub 4096g/F73655D5 2002-03-16 [expires: 2003-03-16]
sub 1024g/22E368D9 2000-10-29

Except when I try to edit the key:

$ gpg --edit ddm
gpg (GnuPG) 1.0.6; Copyright (C) 2001 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: no secret subkey for public subkey 22E368D9 - ignoring
Secret key is available.
pub 1024D/81CFE75D created: 2000-10-29 expires: never trust: f/u
sub 4096g/F73655D5 created: 2002-03-16 expires: 2003-03-16
sub 1024g/22E368D9 created: 2000-10-29 expires: never
(1). Derek Martin <ddm@pizzashack.org>
(2) [revoked] Derek Martin <ddm@cerberus.ne.mediaone.net>
(3) [revoked] Derek Martin <ddm@mclinux.com>

[note the "no secret key" message for my old subkey]

If I then, from another account that does not have my gpg keyring in
it, run

$ gpg --keyserver pgp.mit.edu --recv-key 0x81CFE75D

I get the following messages from gpg:

$ gpg --keyserver pgp.mit.edu --recv-keys 81CFE75D
gpg: requesting key 81CFE75D from pgp.mit.edu ...
gpg: key 81CFE75D: invalid subkey binding
gpg: key 81CFE75D: public key imported
gpg: Total number processed: 1
gpg: imported: 1

I'm suspecting this may be caused by the missing secret subkey for key
id 0x22E368D9. I have a backup copy of the old key, which looks like
this:

$ gpg --edit-key ddm
Secret key is available.
pub 1024D/81CFE75D created: 2000-10-29 expires: never trust: -/u
sub 1024g/22E368D9 created: 2000-10-29 expires: never
(1) Derek Martin <ddm@pizzashack.org>
(2) Derek Martin <ddm@cerberus.ne.mediaone.net>
(3). Derek Martin <ddm@mclinux.com>

I've tried numerous combinations of exporting and importing the secret
keys and public keys, and while I can import the public side of the
old encryption key, I cannot import the corresponding secret key:

$ ssh otherhost gpg --export-secret-keys -a |gpg --import --allow-secret
ddm@otherhost's password:
gpg: key 81CFE75D: already in secret keyring
gpg: Total number processed: 1
gpg: secret keys read: 1
gpg: secret keys unchanged: 1

I think this may be a bug; gpg seems to be failing to detect that
there's a new secret subkey in the exported key, and isn't importing
it. During one of my iterations, I removed the old encryption key and
the revoked UIDs, and I was then able to --recv-key the key after
uploading it to the server. However, at that point, the key stopped
showing up in searches on my name (it does still show up in searches
on the key id). I did some more goofing around, and the key is
showing up in searches again, but now it can't be imported (the public
encryption subkey won't import).

So, basically, it seems like I have two different useless keys.
Obviously I don't want to create a whole new key, as a) it's a pain to
generate long keys, b) I'll have to get people to sign my key all over
again, c) I already have a couple of old keys I can't access out
there. So I'd really, really, really like to recover this key to make
it usable.

AAAAGGGGGGHHHH!

While I'm waiting for the gurus to soothsay me an answer, I'm going to
hit the Bailey's. Happy St. Patrick's Day! =8^)
- --
Derek Martin ddm@pizzashack.org
- ---------------------------------------------
I prefer mail encrypted with PGP/GPG!
GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
Learn more about it at http://www.gnupg.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE8kskOdjdlQoHP510RAk/WAJ0U7AwQzcq14fA4ew2F9NVHyuBxYACZAcCl
4d5U39wlLoCUuUutxMyRAk4=
=pbbW
-----END PGP SIGNATURE-----
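
Added example, not part of the original post and not GnuPG's own code: a Python check for the condition behind the "no secret subkey for public subkey" warning above, comparing the public and secret listings in gpg's --with-colons format. The two listings are constructed samples in the current colon layout; the post gives only short key IDs, so the upper halves of the long IDs are zero placeholders.

```python
"""Find public subkeys that have no matching secret subkey."""

# Public-key algorithm numbers as they appear in field 4 of a record.
ALGO = {"1": "RSA", "16": "Elgamal (encrypt-only)", "17": "DSA"}

# Constructed sample listings (not real gpg output). Fields used here:
# 1 record type, 2 validity, 3 key length, 4 algorithm, 5 long key ID.
# Long key IDs are the post's short IDs padded with placeholder zeros.
PUBLIC_LISTING = """\
pub:u:1024:17:0000000081CFE75D:972777600:::u:::scESC:
uid:u::::972777600::::Derek Martin <ddm@pizzashack.org>:
sub:u:4096:16:00000000F73655D5:1016236800:1047772800:::::e:
sub:u:1024:16:0000000022E368D9:972777600::::::e:
"""
SECRET_LISTING = """\
sec:u:1024:17:0000000081CFE75D:972777600:::u:::scESC:
ssb:u:4096:16:00000000F73655D5:1016236800:1047772800:::::e:
"""


def subkeys(listing, record_type):
    """Return {long_key_id: (bits, algorithm, validity)} for one record type.

    record_type is "sub" for a public listing or "ssb" for a secret one.
    """
    found = {}
    for line in listing.splitlines():
        fields = line.split(":")
        if len(fields) >= 5 and fields[0] == record_type:
            algo = ALGO.get(fields[3], fields[3])
            found[fields[4]] = (int(fields[2]), algo, fields[1])
    return found


def missing_secret_subkeys(public_listing, secret_listing):
    """Short IDs of public subkeys with no secret counterpart."""
    pub = subkeys(public_listing, "sub")
    sec = subkeys(secret_listing, "ssb")
    return sorted(key_id[-8:] for key_id in pub if key_id not in sec)


if __name__ == "__main__":
    for short_id in missing_secret_subkeys(PUBLIC_LISTING, SECRET_LISTING):
        print(f"no secret subkey for public subkey {short_id}")
```

On a live keyring the two inputs would come from `gpg --with-colons --list-keys` and `gpg --with-colons --list-secret-keys` for the same key.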