Peculiar behavior of --list-secret-keys

Werner Koch wk at
Mon Jul 20 20:37:00 CEST 2015

On Mon, 20 Jul 2015 19:01, rjh at said:

> [rjh at localhost ~]$ gpg --list-secret-key b44427c7
> sec   3072R/1DCBDC01B44427C7 2015-07-16
> uid                          Robert J. Hansen <rob at>

You created it with gpg 1.x or 2.0 and thus they are stored in
pubring.gpg .

> [rjh at localhost ~]$ gpg2 --list-secret-keys
> /home/rjh/.gnupg/pubring.kbx

and here you are using 2.1 which uses pubring.kbx.

As soon as there is a single OpenPGP key in pubring.kbx (maybe due to
gpg2.1 --import) gpg2.1 will use pubring.kbx and ignore an existing
pubring.gpg.   Note that the presence of a pubring.kbx is not
sufficient to let gpg2.1 use it becuase a file with that name has always
been used by gpgsm.

To check whether an OpenPGP key is in a pubring.kbx run

  $ kbxutil ~/.gnupg/pubring.kbx | head
  Length: 32
  Type:   Header
  Version: 1
  Flags:   0002 (openpgp)

and check that the openpgp flag is there (very recent file(1) versions
should also be able to tell you this).

> Also, GnuPG seems to have lost track of the fact that D6B98E10 is an
> ultimately-trusted key.

This is a separate issue; iirc we have/had this in the tracker.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-users mailing list