Why gpg 2.1.9 cannot export secret key without passphrase?

Andrey Utkin andrey.od.utkin at gmail.com
Mon Nov 30 23:54:06 CET 2015


On 30.11.2015 21:53, Peter Lebbing wrote:
> On 30/11/15 20:10, Andrey Utkin wrote:
>> Is it impossible straight from RFC 4880 in any defined mode, or is
>> it just a wrong behaviour in GnuPG/Libgcrypt?
> 
> It is a specific bug of GnuPG 2.1, and Werner's comment on the bug entry
> mentioned here makes me believe he intends to fix it eventually.
> 
> GnuPG 1.4 and 2.0 can export keys without passphrases, and this is fully
> defined in RFC 4880.

Thanks for the clarification. I'd be glad to help Werner to fix it if he has
no time.
Could you please direct me to the exact S2K modes for exporting it
which would be compliant with the earlier GnuPG branches 1.4 and 2.0? Then I
would have a chance to accomplish the fix in finite time.

>> Empty passphrases are banned in several places in this software:
> 
> Yes; that's because there is a difference between not encrypting stuff
> and encrypting it with an empty passphrase :). The latter is just silly.
> The only purpose of doing that is to be able to tell your client that
> you "encrypted it" without technically lying. And I'm not making stuff
> up. This actually happens (I'm looking at you, DropBox!).
> 
> When a private key is stored without a passphrase, it is stored without
> encryption. The actual packet looks different: it clearly indicates that
> what follows is plaintext. If you were to encrypt it with an empty
> passphrase, it would actually be encrypted, but with a key that
> corresponds to an empty passphrase and hence would be trivially cracked
> by anyone.

Surely these two ways are distinguishable. But for unattended processing
cases, I'd like a mode that makes utils skip all passphrase entry
prompts. I guess the no-encryption case ("trivially cracked by anyone")
is needed here.
Which of the mentioned modes was used in 1.4 and 2.0 for exporting
without passphrase?
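As an added illustration of the packet difference Peter describes above (example code, not from this thread or from GnuPG), the parser below reads the S2K usage octet of an RFC 4880 v4 RSA secret-key packet and reports whether the secret MPIs are stored in the clear (usage 0, as a key without a passphrase is written) or passphrase-encrypted (usage 254/255 with an S2K specifier, or a legacy cipher id). It assumes an old-format header with a one-octet length and RSA only; both sample packets are constructed toy data with tiny numbers, not real keys.

```python
import struct
# RFC 4880 5.5.3: the octet after the public MPIs tells how the secret MPIs are
# stored. 0 = plaintext; 254/255 = an S2K specifier follows (SHA-1 hash or
# 2-octet checksum for integrity); any other value = legacy cipher id.
BLOCK_SIZE = {3: 8, 7: 16, 8: 16, 9: 16}  # CAST5, AES-128/192/256

def mpi(v: int) -> bytes:  # 2-octet bit count followed by the magnitude
    return struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")

def skip_mpi(buf: bytes, off: int) -> int:
    return off + 2 + (struct.unpack_from(">H", buf, off)[0] + 7) // 8

def parse_secret_key_packet(pkt: bytes) -> dict:
    # 0x94 = old-format header, tag 5 (secret key), one-octet body length
    if pkt[0] != 0x94 or pkt[2] != 4 or pkt[7] != 1:
        raise ValueError("expected a v4 RSA secret-key packet with 1-octet length")
    body, off = pkt[2:2 + pkt[1]], 6          # skip version, creation time, algo
    for _ in range(2):                        # public MPIs n and e
        off = skip_mpi(body, off)
    usage = body[off]; off += 1
    info = {"s2k_usage": usage, "encrypted": usage != 0}
    if usage == 0:                            # no passphrase: MPIs are in the clear
        start = off
        for _ in range(4):                    # RSA secret MPIs d, p, q, u
            off = skip_mpi(body, off)
        want = struct.unpack_from(">H", body, off)[0]
        info["checksum_ok"] = sum(body[start:off]) % 65536 == want
        return info
    if usage in (254, 255):
        cipher, s2k_type, info["hash_algo"] = body[off:off + 3]; off += 3
        if s2k_type in (1, 3):                # salted / iterated+salted S2K
            info["salt"] = body[off:off + 8]; off += 8
        if s2k_type == 3:                     # RFC 4880 3.7.1.3 count octet
            c = body[off]; off += 1
            info["iterations"] = (16 + (c & 15)) << ((c >> 4) + 6)
    else:
        cipher = usage                        # legacy layout: usage octet is the cipher
    info["cipher"], info["iv"] = cipher, body[off:off + BLOCK_SIZE[cipher]]
    return info

def packet(body: bytes) -> bytes:
    return bytes([0x94, len(body)]) + body
# Constructed toy RSA material (tiny numbers, not a real key) shared by both packets.
PUBLIC = b"\x04" + struct.pack(">I", 1448920446) + b"\x01" + mpi(0x54B) + mpi(65537)
SECRET = mpi(0x1D) + mpi(0x23) + mpi(0x27) + mpi(0x05)
# Key without passphrase as 1.4/2.0 export it: usage 0, plaintext MPIs, checksum.
PLAIN_PACKET = packet(PUBLIC + b"\x00" + SECRET + struct.pack(">H", sum(SECRET) % 65536))
# Passphrase-protected key: 254, AES-256, iterated+salted SHA-256 S2K, IV, ciphertext.
SALT = b"\x8f\x1e\x43\x00\x7a\xc2\x19\x5d"
ENC_PACKET = packet(PUBLIC + bytes([254, 9, 3, 8]) + SALT + b"\x60" + bytes(16) + b"\xaa" * 32)
```

The encrypted sample's IV and ciphertext are filler bytes; the parser only reports the protection mode and never attempts decryption.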

