gpg looking for strange additional key upon import (was Re: clean sigs)

Dirk Traulsen dirk.traulsen at lypso.de
Sat Sep 10 14:21:24 CEST 2005


Am 9 Sep 2005 um 10:29 hat David Shaw geschrieben:

> On Fri, Sep 09, 2005 at 04:18:11PM +0200, Dirk Traulsen wrote:
> 
> > Interestingly there is a difference, whether I use '--import' to get
> > a key from a 'key.asc' or '--recv-key' to import it from a
> > keyserver. It reproducibly asks for two different, not existing
> > keys. On WinXP it is always 0022FB70 when a key gets '--import'ed
> > and 0022FA10 when it is '--recv-key'ed. It is the same for Win95,
> > but with other key IDs: 0080F760 for '--import' and 0080F8F0 for
> > '--recv-key'.
> 
> That looks disturbingly like uninitialized data, but I'm not able to
> duplicate it here.
> 
> Here is what I'm doing:
> 
> $ rm ~/.gnupg/trustdb.gpg
> $ gpg --import koch.asc
> gpg: /home/dshaw/.gnupg/trustdb.gpg: trustdb created
> gpg: key 57548DCD: public key "Werner Koch (gnupg sig) <dd9jn(at)gnu.org>" imported
> gpg: Total number processed: 1
> gpg:               imported: 1
> 
> Can you give exact steps to follow?


Ok, I'll try.

First, I did this with gpg 1.4.2 under WinXP and confirmed my 
findings on another machine with gpg 1.4.2 under Win95. Your machine 
seems to be Linux. Unfortunately I cannot test gpg 1.4.2 under Linux 
at the moment.

The first output below is what I described over the last two days. When 
there is not at least one public key with ultimate trust in the keyring, 
gpg tries to find non-existing keys upon importing or receiving (but not 
for newly generated keys). See above for the constant key IDs.

Today I thought about it and concluded that it could depend on a read of 
the trustdb after a change, and not specifically on the import. I made 
some experiments and it seems to be true. When I set the trust-model via 
gpg.conf to direct or always, this line never appears. I tried to find 
the simplest situation for you. I hope this is simple enough:
I deleted everything, added one public key (Werner's :) ), set it to 
ultimate trust, set it back to full trust to have the change in the 
trustdb and issued --list-key. As you can see below, it brings up the 
bug.

And something new: When I ask for the secret keys after the same 
procedure, it asks for a new third key ID, which is always the same, 
like the other two. And like before, it is the same on Win95, but 
with a different ID.

I hope this will help you and that maybe somebody else can reproduce 
it.

Dirk

+++++++++++++++++++++++++++++++++++++++++++++
  (Delete keyrings and trustdb. I did not delete random_seed. 
  Does it matter? Made new gpg.conf with only one line for 
  shorter output: no-greeting)

C:\DOKUME~1\Dirk\ANWEND~1\gnupg>del *.gpg
C:\DOKUME~1\Dirk\ANWEND~1\gnupg>del *.bak
C:\DOKUME~1\Dirk\ANWEND~1\gnupg>edit gpg.conf

  (Import previously exported key file =>
  gpg states: no ultimately trusted key 0022FB70 found)

C:\DOKUME~1\Dirk\ANWEND~1\gnupg>gpg --import koch.asc
gpg: key 57548DCD: public key "Werner Koch (gnupg sig) <dd9jn at gnu.org>" imported
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg:                              importiert: 1
gpg: kein uneingeschränkt vertrauenswürdiger Schlüssel 0022FB70 gefunden

  (Next one is just to show that it has nothing to do with Werner's key)

C:\DOKUME~1\Dirk\ANWEND~1\gnupg>gpg --import binner.asc
gpg: key D86A0D19: public key "Stephan Binner <binner at kde.org>" imported
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg:                              importiert: 1
gpg: kein uneingeschränkt vertrauenswürdiger Schlüssel 0022FB70 gefunden

  (Import a newly generated, exported and then deleted key =>
  The line does not appear!)

C:\DOKUME~1\Dirk\ANWEND~1\gnupg>gpg --import koch.asc
gpg: key 57548DCD: "Werner Koch (gnupg sig) <dd9jn at gnu.org>" not changed
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg:                             unverändert: 1

  (Fetch key from keyserver (tried several) =>
  gpg states: no ultimately trusted key 0022FA10 found)

C:\DOKUME~1\Dirk\ANWEND~1\gnupg>gpg --keyserver random.sks.keyserver.penguin.de --recv-key 08b0a90b
gpg: requesting key 08B0A90B from hkp server random.sks.keyserver.penguin.de
gpg: key 08B0A90B: public key "PuTTY Releases (DSA) <putty-bugs at lists.tartarus.org>" imported
gpg: kein uneingeschränkt vertrauenswürdiger Schlüssel 0022FA10 gefunden
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg:                              importiert: 1

+++++++++++++++++++++++++++++++++++++++++++++++
  (Start again with deleting everything. Made new gpg.conf
  with only one line for shorter output: no-greeting)

C:\DOKUME~1\Dirk\ANWEND~1\gnupg>del *.bak
C:\DOKUME~1\Dirk\ANWEND~1\gnupg>del *.gpg
C:\DOKUME~1\Dirk\ANWEND~1\gnupg>edit gpg.conf

  (As before: Import previously exported key file =>
  gpg states: no ultimately trusted key 0022FB70 found)

C:\DOKUME~1\Dirk\ANWEND~1\gnupg>gpg --import koch.asc
gpg: Schlüsselbund `C:/Dokumente und Einstellungen/Dirk/Anwendungsdaten/gnupg\secring.gpg' erstellt
gpg: Schlüsselbund `C:/Dokumente und Einstellungen/Dirk/Anwendungsdaten/gnupg\pubring.gpg' erstellt
gpg: C:/Dokumente und Einstellungen/Dirk/Anwendungsdaten/gnupg\trustdb.gpg: trust-db erzeugt
gpg: key 57548DCD: public key "Werner Koch (gnupg sig) <dd9jn at gnu.org>" imported
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg:                              importiert: 1
gpg: kein uneingeschränkt vertrauenswürdiger Schlüssel 0022FB70 gefunden


  (Set trust to ultimate (I shortened the output))

C:\DOKUME~1\Dirk\ANWEND~1\gnupg>gpg --ed koch
Befehl> trust

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Ihre Auswahl? 5
Do you really want to set this key to ultimate trust? (y/N) y

Befehl> q


  (Set trust back to full => no ultimately trusted public key there
  (even further shortened output))

C:\DOKUME~1\Dirk\ANWEND~1\gnupg>gpg --ed koch
gpg: "Trust-DB" wird überprüft
gpg: 3 marignal-needed, 1 complete-needed, PGP Trust-Modell
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: nächste "Trust-DB"-Pflichtüberprüfung am 2005-12-31

pub  1024D/57548DCD  created: 1998-07-07  expires: 2005-12-31  usage: CSA
               trust: uneingeschränkt Gültigkeit: uneingeschränkt
[ultimate] (1). Werner Koch (gnupg sig) <dd9jn at gnu.org>

Befehl> trust
Ihre Auswahl? 4
Befehl> q


  (Now when I ask for the key-list, there is a look at the trustdb
  and gpg states: no ultimately trusted key 0022FB70 found)

C:\DOKUME~1\Dirk\ANWEND~1\gnupg>gpg -k
gpg: "Trust-DB" wird überprüft
gpg: kein uneingeschränkt vertrauenswürdiger Schlüssel 0022FB70 gefunden
C:/Dokumente und Einstellungen/Dirk/Anwendungsdaten/gnupg\pubring.gpg
---------------------------------------------------------------------
pub   1024D/57548DCD 1998-07-07 [expires: 2005-12-31]
uid                  Werner Koch (gnupg sig) <dd9jn at gnu.org>


  (This comes only the first time. 
  A look at the trustdb is necessary?)

C:\DOKUME~1\Dirk\ANWEND~1\gnupg>gpg -k
C:/Dokumente und Einstellungen/Dirk/Anwendungsdaten/gnupg\pubring.gpg
---------------------------------------------------------------------
pub   1024D/57548DCD 1998-07-07 [expires: 2005-12-31]
uid                  Werner Koch (gnupg sig) <dd9jn at gnu.org>


+++++++++++++++++++++++++++++++++++++++++++++++++++++++

  (When I do like before, but ask for the secret keys instead, gpg
  looks reproducibly for a new third non-existing key 0022FB80!)

C:\DOKUME~1\Dirk\ANWEND~1\gnupg>gpg -K
gpg: "Trust-DB" wird überprüft
gpg: kein uneingeschränkt vertrauenswürdiger Schlüssel 0022FB80 gefunden


  (This also comes only the first time.)

C:\DOKUME~1\Dirk\ANWEND~1\gnupg>gpg -K

C:\DOKUME~1\Dirk\ANWEND~1\gnupg>
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
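An added triage helper for the symptom in this report (example code written here, not part of the thread or of GnuPG): it parses gpg's stderr, collects every key ID gpg names in the "no ultimately trusted key ... found" message (English and German catalog forms), and reports those that never appear as a processed key in the same run. The `import_into_fresh_home` helper, its use of `GNUPGHOME` with a temporary directory, and the sample output reconstructed from Dirk's first `--import` above are my assumptions.

```python
import os
import re
import subprocess
import tempfile

# Key IDs gpg reports as processed: "gpg: key XXXXXXXX: ... imported".
KEY_LINE = re.compile(r"^gpg: key ([0-9A-Fa-f]{8,16}):")
# The "no ultimately trusted key X found" message in its English and German
# catalog forms (the German one is what the transcript above shows).
PHANTOM_LINE = re.compile(
    "(?:no ultimately trusted key|"
    "kein uneingeschränkt vertrauenswürdiger Schlüssel) ([0-9A-Fa-f]{8,16})"
)

def phantom_trusted_keys(output):
    """Return key IDs gpg says it looked for as 'ultimately trusted' that
    never appear as a processed key in the same output (Dirk's symptom)."""
    seen = set()
    claimed = []
    for line in output.splitlines():
        m = KEY_LINE.search(line)
        if m:
            seen.add(m.group(1).upper())
        m = PHANTOM_LINE.search(line)
        if m:
            claimed.append(m.group(1).upper())
    result = []
    for kid in claimed:  # keep first-seen order, drop duplicates
        if kid not in seen and kid not in result:
            result.append(kid)
    return result

def import_into_fresh_home(keyfile):
    """Run gpg --import in a throwaway GNUPGHOME (empty keyring, no trustdb,
    as in the transcript) and return gpg's stderr for phantom_trusted_keys."""
    home = tempfile.mkdtemp(prefix="gnupg-repro-")  # created mode 0700, as gpg wants
    proc = subprocess.run(
        ["gpg", "--batch", "--no-tty", "--import", keyfile],
        env={**os.environ, "GNUPGHOME": home},
        capture_output=True, text=True, check=False,
    )
    return proc.stderr

# Constructed sample: Dirk's first --import above, one gpg message per line.
SAMPLE = """\
gpg: key 57548DCD: public key "Werner Koch (gnupg sig) <dd9jn at gnu.org>" imported
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg: kein uneingeschränkt vertrauenswürdiger Schlüssel 0022FB70 gefunden
"""
```

On the sample, `phantom_trusted_keys(SAMPLE)` returns `['0022FB70']`, the ID that matches nothing in the keyring; a healthy run, where the named key is the one just imported, returns an empty list.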
