Trouble importing secret subkeys
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Mar 25 16:08:24 CET 2014
On 03/25/2014 10:27 AM, Mikael "MMN-o" Nordfeldth wrote:
> Also: One thing I noticed is that my output from 'gpg -K' for the master
> keyring (which I'm exporting from) only has one UID (the JPEG photo),
> but not the primary UID 'Mikael "MMN-o" Nordfeldth <mmn at hethane.se>'
> which is listed when using the '--edit-key' argument.

aha, this is likely to be the problem! RFC 4880 states that a valid
transferable key needs to have at least one User ID:

 https://tools.ietf.org/html/rfc4880#section-11.1

You can see from your --list-packets dump of subkeys that no user ID is
present.

(take a look at your example dump from the test account and you'll see
an extra user ID and signature packet)

> If this lack of UID in the list is related, how can I include my primary
> UID with the export? Why is it excluded at all?

gpg has some rough edge cases when dealing with changed secret keys. I
don't know how you've updated the key, or transferred the key between
machines, etc, but it's entirely possible that you ran into something like:

 https://bugs.gnupg.org/gnupg/issue1543

when combined with a move from a separate home directory.

The best advice i know of here is pretty clumsy:

i'd use gpgsplit on your two separate files to break out the distinct
packets, and then use cat to combine the uid and self-sig packets from
the pubkeys file with the secrets from the subkeys file, feeding the
result into gpg --import.

so something like this:

 mkdir pubpackets subpackets
 (cd pubpackets && gpgsplit < ../pubkeys)
 (cd subpackets && gpgsplit < ../subkeys)
 cat subpackets/000001-005.secret_key \
     pubpackets/000002-013.user_id \
     pubpackets/000003-002.sig \
     subpackets/000002-007.secret_subkey \
     subpackets/000003-002.sig \
     subpackets/000004-007.secret_subkey \
     subpackets/000005-002.sig \
   | gpg --import

please let the list know if this works, or if you have any questions
about it.

regards,
--dkg
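
The check described in the message above (does the exported key carry a User ID packet after the primary key, as RFC 4880 section 11.1 requires?) can be done by walking the packet headers directly. This is an added example, not part of the original message or of GnuPG; the function names are hypothetical, the sample streams are constructed with dummy bodies, and it assumes binary (non-armored) input.

```python
# Added example: walk OpenPGP packet headers (RFC 4880 section 4.2) and
# check that a primary key is followed by at least one User ID packet.
# Tags used: 2 sig, 5 secret key, 6 public key, 7 secret subkey, 13 user ID.
def packet_tags(data):
    """Return the list of packet tags in a binary OpenPGP stream."""
    tags, i = [], 0
    while i < len(data):
        b = data[i]
        if not b & 0x80:
            raise ValueError("offset %d: not an OpenPGP packet header" % i)
        i += 1
        if b & 0x40:                      # new-format header
            tag, o1 = b & 0x3F, data[i]
            if o1 < 192:
                length, i = o1, i + 1
            elif o1 < 224:
                length, i = ((o1 - 192) << 8) + data[i + 1] + 192, i + 2
            elif o1 == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths not handled here")
        else:                             # old-format header
            tag, ltype = (b >> 2) & 0x0F, b & 0x03
            if ltype == 3:                # indeterminate: runs to end of input
                length = len(data) - i
            else:
                n = 1 << ltype            # 1, 2 or 4 length octets
                length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        tags.append(tag)
        i += length
    return tags

def has_user_id(data):
    """True if the stream starts with a primary key and carries a User ID."""
    tags = packet_tags(data)
    return bool(tags) and tags[0] in (5, 6) and 13 in tags

def pkt(tag, body):                       # constructed old-format packet
    return bytes([0x80 | (tag << 2), len(body)]) + body

# Constructed sample streams (dummy bodies, not real key material),
# in the same packet order as the subkeys file and the cat command above.
KEY, SUB, SIG = pkt(5, b"k" * 9), pkt(7, b"s" * 9), pkt(2, b"g" * 5)
SUBKEYS_ONLY = KEY + SUB + SIG + SUB + SIG
REPAIRED = KEY + pkt(13, b"Test <t@example.org>") + SIG + SUB + SIG + SUB + SIG

if __name__ == "__main__":
    for name, blob in (("subkeys only", SUBKEYS_ONLY), ("repaired", REPAIRED)):
        print(name, packet_tags(blob), has_user_id(blob))
```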