Unable to `keytocard` twice in a row (with an import between)

Christian Chavez x10an14 at gmail.com
Sun Dec 26 11:07:17 CET 2021


So, I've come across either a bug, or a somewhat unfortunate wording in the
man-pages I wanted to ask if it has been discussed before, before I spend
any more effort learning man-pages' source and coming with a patch.

I'm currently in the process of updating the expiry date on my gpg key's
So I import the backup files (noticing that there are two, one for the
masterkey's secret key, and another one for the subkeys' secret keys), and
decide to export them to _one_ file with `--export-secret-keys <primary key

The man pages state:
              Same as --export, but exports the secret keys instead.  The
exported keys are written to STDOUT or to the file given with option
--output.  This command is often used along with the option --armor to
allow for easy printing of the key
              for paper backup; however the external tool paperkey does a
better job of creating backups on paper.  Note that exporting a secret key
can be a security risk if the exported keys are sent over an insecure

              The second form of the command has the special property to
render the secret part of the primary key useless; this is a GNU extension
to OpenPGP and other implementations can not be expected to successfully
import such a key.  Its in‐
              tended use is in generating a full key with an additional
signing subkey on a dedicated machine.  This command then exports the key
without the primary key to the main machine.

I don't see how to interpret that in any way other than that the output of
`--export-secret-keys` is a superset of `--export-secret-subkeys`.
So I export to _one_ file (as mentioned above), to simplify my life before
I update the expiration date, and use `keytocard`.

Deciding I'd like to confirm that I've got a working backup, I repeat the
process, AKA import the file I just exported before running `keytocard`,
and running `keytocard` again (just intending to overwrite with a new
machine-local copy).

But now I get:
Replace existing key? (y/N) y
gpg: KEYTOCARD failed: Unusable secret key

There are several mentions of such symptoms online, but I found one
particularly interesting one: https://dev.gnupg.org/T3391.

Ignoring my newly created export of the secret keys, following the
instructions in above link with the old file that _only_ had the subkeys,
seem to work for me.

Like I asked at the beginning of this sordid tale, anyone got any
suggestions/tips/thoughts about this?
I imagine this can be quite jarring and annoying for users who interpret
the man-pages in the same way as I have (especially for new users who must
have spent some time and effort ensuring they've got all their ducks in a
row, just for this to fail here due to their understanding of the man-pages
or the above bug).

Med vennlig hilsen/Kind regards,
Christian Chavez
Phone/Tlf: +47 922 22 603
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211226/3f22d176/attachment-0001.html>

More information about the Gnupg-users mailing list