gpg subkeys, revisited

David Shaw
Tue Mar 19 22:42:03 2002

On Sat, Mar 16, 2002 at 12:41:53PM -0500, Derek D. Martin wrote:
> So, gpg seems to fail to realize that there are subkeys in the
> exported block that are not in the local copy, and refuses to import
> them.  Whether or not this is intended behavior, I think this is a
> bug.  Otherwise, there's no way to recover accidentally deleted
> subkeys, and if you DO accidentally delete a subkey, your options
> would be to maintain two different keyrings (one with the deleted one
> and the other with all the other keys), or throw up your hands in
> frustration and generate a whole new key.  And if you have old
> messages that you still need to decrypt with the old key, the latter
> isn't even really an option. Neither of those options is ideal.  IMO,
> the best solution is for gpg to allow the import of secret subkeys.

GnuPG does not currently allow importing secret subkeys.  In your
particular example where you have two different copies of the secret
key, each with a different subkey, you are going to have
difficulties.  It's not exactly a common problem. :)

The solution is to generate one key from your two, and import that.
To do this, you need the "gpgsplit" tool, which is part of GnuPG 1.0.7
(grab the test version from if you need it).
Run one of the keys through gpgsplit and delete all the files that
come before the first "XXXXXXX-007.secret_subkey" file.

Then cat the key you didn't split along with the files that are left
after you deleted everything before the secret subkey.

For example:

$ gpgsplit mykey2
$ rm 000001-005.secret_key 000002-013.user_id 000003-002.sig
$ cat mykey1 000004-007.secret_subkey 000005-002.sig > mywholekey
$ gpg --allow-secret-key-import --import mywholekey


   David Shaw  |  |  WWW
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
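The file names in the recipe above (`000001-005.secret_key`, `000004-007.secret_subkey`, ...) are gpgsplit's sequence number followed by the OpenPGP packet tag: 5 is a secret key, 13 a user ID, 2 a signature and 7 a secret subkey. The following added example, which is not part of the mail and not GnuPG's own code, parses a binary packet sequence the way gpgsplit does, reproduces its naming, and carries out the merge (`cat mykey1` plus everything of `mykey2` from its first secret subkey onward). The two key blocks it operates on are constructed from placeholder bytes, not real key material, so it runs offline.

```python
# Added example: a minimal OpenPGP packet splitter that mirrors gpgsplit's
# "NNNNNN-TTT.name" numbering, applied to constructed dummy key blocks.
# Not GnuPG code; packet bodies are placeholders, not real key material.

# RFC 4880 packet tags that appear in a secret key block.
TAG_NAMES = {2: "sig", 5: "secret_key", 7: "secret_subkey", 13: "user_id"}


def encode_packet(tag, body):
    """Build an old-format packet: bit 7 set, bit 6 clear, tag in bits 5..2,
    length-type in bits 1..0 (0, 1, 2 = 1-, 2-, 4-octet length)."""
    if len(body) < 256:
        return bytes([0x80 | (tag << 2) | 0, len(body)]) + body
    if len(body) < 65536:
        return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body
    return bytes([0x80 | (tag << 2) | 2]) + len(body).to_bytes(4, "big") + body


def split_packets(blob):
    """Parse a packet sequence into (tag, raw_packet_bytes) tuples, keeping
    the original header so packets can be re-joined byte-for-byte, as cat
    does.  Old-format and new-format (1-, 2-, 5-octet) lengths are handled;
    partial and indeterminate lengths are rejected rather than guessed."""
    packets, i = [], 0
    while i < len(blob):
        ctb = blob[i]
        if not ctb & 0x80:
            raise ValueError(f"not a packet header at offset {i}")
        if ctb & 0x40:  # new-format header
            tag, first = ctb & 0x3F, blob[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + blob[i + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(blob[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            nbytes = {0: 1, 1: 2, 2: 4}[ltype]
            length = int.from_bytes(blob[i + 1:i + 1 + nbytes], "big")
            hdr = 1 + nbytes
        raw = blob[i:i + hdr + length]
        if len(raw) != hdr + length:
            raise ValueError(f"truncated packet at offset {i}")
        packets.append((tag, raw))
        i += hdr + length
    return packets


def gpgsplit_names(packets):
    """File names gpgsplit would write for these packets."""
    return [f"{n:06d}-{tag:03d}.{TAG_NAMES.get(tag, 'unknown')}"
            for n, (tag, _) in enumerate(packets, start=1)]


def merge_subkeys(key1, key2):
    """The recipe from the mail: keep key1 whole and append every packet of
    key2 from its first secret subkey onward (the subkey and its sigs)."""
    p2 = split_packets(key2)
    first_subkey = next(i for i, (tag, _) in enumerate(p2) if tag == 7)
    return key1 + b"".join(raw for _, raw in p2[first_subkey:])


# Constructed sample: two copies of one secret key that share the primary
# key, user ID and self-signature but each carry a different subkey.
_COMMON = (encode_packet(5, b"primary-secret-key-placeholder")
           + encode_packet(13, b"Alice <alice@example.org>")
           + encode_packet(2, b"selfsig-placeholder"))
MYKEY1 = _COMMON + encode_packet(7, b"subkey-A-placeholder") + encode_packet(2, b"binding-A")
MYKEY2 = _COMMON + encode_packet(7, b"subkey-B-placeholder") + encode_packet(2, b"binding-B")


def tags_of(blob):
    """Packet tags of a block, in order; handy for checking the merge."""
    return [tag for tag, _ in split_packets(blob)]


if __name__ == "__main__":
    print("\n".join(gpgsplit_names(split_packets(MYKEY2))))
    print("merged tags:", tags_of(merge_subkeys(MYKEY1, MYKEY2)))
```

Running it lists the same five names the mail deletes from and keeps, and the merged block's tag sequence is 5, 13, 2, 7, 2, 7, 2: one primary key with both subkeys and their binding signatures. The recipe only makes sense when both files are copies of the same primary key; the splitter does not check that, which is why the mail's procedure starts from two exports of one key rather than two unrelated keys.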