gpg subkeys, revisited

Derek D. Martin
Sat Mar 16 18:45:03 2002


At some point hitherto, Douglas Calvert hath spake thusly:
> On Fri, 2002-03-15 at 23:38, Derek D. Martin wrote:
> > I missed it the first time, but it sounds like I'm having the same
> > exact problem as Douglas Calvert had a couple of weeks ago:
> No dice. There is a problem with the keyservers. They cannot handle
> multiple subkeys.

Ok thanks, but well, my problem is a bit more involved than just
that.  Basically the problem is that on the machine that I read mail,
I accidentally deleted my old encryption subkey.  I still have other
subkeys on that keyring associated with my signing key (0x81CFE75D)
that I need to keep.  But obviously, I want to keep my old encryption
key around, so I can decrypt messages that are sent to me by people
who haven't yet gotten the new subkey from me, or forgot to import it,
or for messages I already have hanging around...

I have a copy of the old subkey on another machine.  That old keyring
does not have the other subkeys that I wish to keep.  What I need to
do is merge the two keyrings.

I can do this with the PUBLIC subkeys no problem.  However, GPG will
not let me incorporate the SECRET subkey, no matter what I try.  I've
tried using both --export-secret-key and --export-secret-subkey on the
export side of things, and I always use --allow-secret on the import
side, but I only get error messages from gpg as such:

  $ ssh otherhost gpg -a --export-secret-subkey ddm |gpg --allow-secret --import
  ddm@otherhost's password: 
  gpg: key 81CFE75D: already in secret keyring
  gpg: Total number processed: 1
  gpg:       secret keys read: 1
  gpg:  secret keys unchanged: 1

So, gpg seems to fail to realize that there are subkeys in the
exported block that are not in the local copy, and refuses to import
them.  Whether or not this is intended behavior, I think this is a
bug.  Otherwise, there's no way to recover accidentally deleted
subkeys, and if you DO accidentally delete a subkey, your options
would be to maintain two different keyrings (one with the deleted one
and the other with all the other keys), or throw up your hands in
frustration and generate a whole new key.  And if you have old
messages that you still need to decrypt with the old key, the latter
isn't even really an option. Neither of those options is ideal.  IMO,
the best solution is for gpg to allow the import of secret subkeys.

Please note: I'm not on gnupg-devel, so please CC me ONLY if your
reply is going to be ONLY on that list (I'm on gnupg-users).  


-- 
Derek Martin
---------------------------------------------
I prefer mail encrypted with PGP/GPG!
GnuPG Key ID: 0x81CFE75D
Retrieve my public key at
Learn more about it at
Version: GnuPG v1.0.6 (GNU/Linux)
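A way to see what the "secret keys unchanged" message above is hiding, as an added example that is not code from the original post or from GnuPG: gpg reports the primary key ID and a count, but not whether the exported block actually carries a subkey packet whose key ID is absent from the local keyring. The script below parses a binary (unarmored) OpenPGP key block packet by packet, computes the v4 key ID of every key and subkey packet from its public material only (so a secret-subkey packet and its public-subkey counterpart yield the same ID), and lists the subkeys one block has that the other lacks. The two blocks it runs on are constructed inline from fake RSA key material, arranged as in the post: both share the primary key, the local keyring has only the new encryption subkey, the export from the other host has only the old one. To run it on real data, export without `-a` and read the bytes from a file. It handles v4 RSA, DSA and Elgamal keys and the definite packet-length forms key exports use; partial-body and indeterminate lengths are rejected. The 32-bit IDs gpg 1.x prints (such as 81CFE75D) are the last 8 hex digits of the IDs returned here.

```python
"""Diff the subkeys present in two binary OpenPGP key blocks.
Added example; not code from the original message or from GnuPG.
All key material below is constructed and fake."""
import hashlib
import struct

# Packet tags from RFC 4880, section 4.3
TAG_SECRET_KEY, TAG_PUBLIC_KEY, TAG_SECRET_SUBKEY, TAG_PUBLIC_SUBKEY = 5, 6, 7, 14
KEY_TAGS = {TAG_SECRET_KEY, TAG_PUBLIC_KEY, TAG_SECRET_SUBKEY, TAG_PUBLIC_SUBKEY}
SUBKEY_TAGS = {TAG_SECRET_SUBKEY, TAG_PUBLIC_SUBKEY}
# Number of public-key MPIs per algorithm: RSA (1, 2, 3), Elgamal (16), DSA (17)
MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet; old- and new-format headers with
    definite lengths, which is all a key export uses."""
    i, n = 0, len(data)
    while i < n:
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % i)
        i += 1
        if ctb & 0x40:                        # new-format header
            tag, first = ctb & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                 # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + size], "big")
            i += size
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        i += length
        yield tag, body


def public_material(body: bytes) -> bytes:
    """Public-key portion of a v4 (sub)key packet body; for a secret (sub)key
    packet this is the prefix before the S2K byte and the secret MPIs."""
    if body[0] != 4:
        raise ValueError("only v4 keys supported")
    pos = 6                                   # version, 4-byte creation time, algorithm
    for _ in range(MPI_COUNT[body[5]]):
        bits = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2 + (bits + 7) // 8
    return body[:pos]


def key_id(body: bytes) -> str:
    """Long key ID: low 64 bits of SHA-1(0x99 || 2-byte length || public material)."""
    pub = public_material(body)
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(pub)) + pub).hexdigest().upper()
    return fpr[-16:]


def list_keys(block: bytes) -> dict:
    """{key_id: packet tag} for every primary-key and subkey packet in the block."""
    return {key_id(body): tag for tag, body in iter_packets(block) if tag in KEY_TAGS}


def missing_subkeys(have: bytes, exported: bytes) -> list:
    """Key IDs of subkeys present in `exported` but absent from `have`."""
    local = list_keys(have)
    return sorted(k for k, t in list_keys(exported).items() if t in SUBKEY_TAGS and k not in local)


# --- constructed input: fake RSA keys, not real key material ------------------
def mpi(n: int) -> bytes:
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def key_body(created: int, n: int, secret: bool) -> bytes:
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(65537)
    if secret:  # S2K usage 0 (unencrypted), fake d, p, q, u, 16-bit checksum
        body += b"\x00" + mpi(n ^ 0x5A5A) + mpi(3) + mpi(5) + mpi(7) + b"\x00\x00"
    return body


def packet(tag: int, body: bytes, new_format: bool = True) -> bytes:
    n = len(body)
    if not new_format:                        # old format, two-byte length
        return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", n) + body
    if n < 192:
        ln = bytes([n])
    elif n < 8384:
        ln = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        ln = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + ln + body


T = 1016200000                                # constructed creation time (March 2002)
PRIMARY = key_body(T, 0xC0FFEE << 100 | 1, True)
OLD_ENC = key_body(T + 1, 0xBADC0DE << 100 | 1, True)   # the accidentally deleted subkey
NEW_ENC = key_body(T + 2, 0xDEADBEEF << 100 | 1, True)  # the replacement subkey
LOCAL_KEYRING = packet(TAG_SECRET_KEY, PRIMARY, False) + packet(TAG_SECRET_SUBKEY, NEW_ENC)
OTHER_EXPORT = packet(TAG_SECRET_KEY, PRIMARY, False) + packet(TAG_SECRET_SUBKEY, OLD_ENC)

if __name__ == "__main__":
    print("primary key:", key_id(PRIMARY))
    print("subkeys in the export missing locally:", missing_subkeys(LOCAL_KEYRING, OTHER_EXPORT))
    print("subkeys only in the local keyring:    ", missing_subkeys(OTHER_EXPORT, LOCAL_KEYRING))
```

Running it prints one ID in each direction, which is exactly the situation the post describes: the block from the other host does carry a secret-subkey packet the local keyring does not have, so the "unchanged" verdict is about the primary key ID only. The same check run on two real exports is the first thing to do before deciding whether a refused import is a bug or a block that never contained the subkey.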