Where does this signature come from? Some magic around --export-secret-keys?
Hauke Laging
mailinglisten at hauke-laging.de
Thu Sep 19 05:36:54 CEST 2013
Hello,

I have tried to export the secret keys only (i.e. without the user IDs) in
order to avoid importing old user ID signatures when importing the secret key
file.

I had the idea to delete the selfsig on the UID before exporting. Thus it
could not be exported or imported. But due to some magic gpg exports even an
"officially non-existent" signature:

LC_ALL= LC_MESSAGES=C gpg --edit-key foo at bar check 2>/dev/null
Secret key is available.
pub 3072R/0x5D266D4E created: 2013-09-19 expires: never usage: SCEA
trust: ultimate validity: ultimate
sub 2048R/0x9B681F49 created: 2013-09-19 expires: 2014-09-19 usage: S
sub 2048R/0xB42B66D3 created: 2013-09-19 expires: 2014-09-19 usage: E
[ultimate] (1). Hauke Laging <foo at bar>
uid Hauke Laging <foo at bar.de>
1 user ID without valid self-signature detected
gpg>

gpg --armor --export-secret-keys foo at bar > secret.asc
# you cannot import secret keys if there is one already
gpg --delete-secret-key foo at bar
gpg --import secret.asc

LC_ALL= LC_MESSAGES=C gpg --edit-key foo at bar check 2>/dev/null
Secret key is available.
pub 3072R/0x5D266D4E created: 2013-09-19 expires: 2014-09-19 usage: SCE
trust: ultimate validity: ultimate
sub 2048R/0x9B681F49 created: 2013-09-19 expires: 2014-09-19 usage: S
sub 2048R/0xB42B66D3 created: 2013-09-19 expires: 2014-09-19 usage: E
[ultimate] (1). Hauke Laging <foo at bar>
uid Hauke Laging <foo at bar>
sig!3 PN 0x5D266D4E 2013-09-19 never [self-signature]

WTF? gpg-agent is not running for this user so the signature cannot be created
on the fly. Is there a secret selfsig storage which is used for exporting
only?

This does not happen when exporting the public key! gpg --list-packets shows
the difference, too.

I played around with gpgsplit and noticed that a secret key file is not
imported if the UID is missing completely. But it is happily imported if there
is a UID without selfsig... :-)

gpg --version
gpg (GnuPG) 2.0.19
libgcrypt 1.5.3

Hauke
--
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/bekannte/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
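
Added example, not part of the original post and not GnuPG code: a small RFC 4880 packet walker in the spirit of the gpgsplit / --list-packets comparison above, which lists the packets in a binary (non-armored) key export and reports user IDs that are not followed by a certification signature. It parses framing only, does not verify signatures or check the issuer, and the sample streams are constructed with dummy key bodies.

```python
SIGNATURE, USER_ID = 2, 13  # RFC 4880 packet tags
CERT_TYPES = range(0x10, 0x14)  # certification signatures over a user ID

def read_packets(data):
    """Split a binary (dearmored) OpenPGP stream into (tag, body) pairs."""
    pos, out = 0, []
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError(f"offset {pos}: not a packet header")
        pos += 1
        if hdr & 0x40:  # new-format header
            tag, first = hdr & 0x3F, data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:
                raise ValueError("partial body lengths are not handled here")
        else:  # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            n = (1, 2, 4, 0)[ltype]  # type 3: indeterminate, runs to end of input
            length, pos = (int.from_bytes(data[pos:pos + n], "big") if n else len(data) - pos), pos + n
        if pos + length > len(data):
            raise ValueError("truncated packet")
        out.append((tag, data[pos:pos + length]))
        pos += length
    return out

def uids_without_certification(packets):
    """User IDs not followed by a 0x10-0x13 signature (issuer is not checked)."""
    bare, current, certified = [], None, False
    for tag, body in packets + [(None, b"")]:  # sentinel flushes the last UID
        if tag == SIGNATURE and current is not None:
            sig_type = body[1] if body[0] >= 4 else body[2]  # v4+ vs v3 layout
            certified |= sig_type in CERT_TYPES
        elif tag != SIGNATURE:
            if current is not None and not certified:
                bare.append(current.decode("utf-8", "replace"))
            current, certified = (body if tag == USER_ID else None), False
    return bare

def pkt(tag, body):  # builds an old-format packet with a one-octet length
    return bytes([0x80 | (tag << 2), len(body)]) + body
# Constructed sample (dummy bodies): secret key + UID, then subkey + 0x18 binding.
HEAD, TAIL = pkt(5, b"\x04k") + pkt(USER_ID, b"Example <foo@bar>"), pkt(7, b"\x04s") + pkt(2, b"\x04\x18")
stripped, signed = HEAD + TAIL, HEAD + pkt(2, b"\x04\x13") + TAIL
```

To run it on a real export, pass the bytes of a file written without --armor (or converted with gpg --dearmor) to read_packets.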
More information about the Gnupg-users
mailing list