gpg --card-edit cuts secret keys

Carsten Grohmann carstengrohmann at gmx.de
Sun Sep 10 20:56:44 CEST 2023


Hi,

I've a public key with two subkeys. I transferred one of the subkeys (0x6F5B8616ACB0354B) to a YubiKey 5 NFC and then restored my ~/.gnupg directory.

After that, every time I call "gpg --card-edit", the subkey previously transferred to the YubiKey is truncated without warning. This is an infinite loop. If I restore the ~/.gnupg directory from a backup and run "gpg --card-edit", the key is shortened again.


Initial setup
=============

#  LANG=C gpg --version
gpg (GnuPG) 2.2.41
libgcrypt 1.10.2-unknown
Copyright (C) 2022 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/carsten/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2


# LANG=C gpg --list-secret-keys --with-keygrip 0x033AA0B393AFAE6C
sec   rsa4096/0x033AA0B393AFAE6C 2013-10-16 [SC] [expires: 2028-09-02]
      D17696EEDCFEC2038171D953033AA0B393AFAE6C
      Keygrip = AB143A7B31FBB715329D5083B317D1581B591975
uid                   [ultimate] Carsten Grohmann <carstengrohmann at gmx.de>
uid                   [ultimate] Carsten Grohmann <carsten at grohmann-online.de>
uid                   [ultimate] Carsten Grohmann <mail at carstengrohmann.de>
ssb   rsa4096/0x6F5B8616ACB0354B 2013-10-16 [E] [expires: 2028-09-02]
      Keygrip = 541DBB9E9190F1692E1EE65F14ADB13B5B0C9EA8
ssb   rsa4096/0x468E025260DD710F 2023-09-04 [S] [expires: 2028-09-02]
      Keygrip = AA95FFE1C4A1522B819ED8AF89E9390B61D49F68

# ll ~/.gnupg/private-keys-v1.d/541DBB9E9190F1692E1EE65F14ADB13B5B0C9EA8.key
-rw------- 1 carsten carsten 2055  5. Feb 2015  /home/carsten/.gnupg/private-keys-v1.d/541DBB9E9190F1692E1EE65F14ADB13B5B0C9EA8.key


Executing "gpg --card-edit"
===========================

# LANG=C gpg --card-edit

Reader ...........: <deleted>
Application ID ...: <deleted>
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: <deleted>
Name of cardholder: Carsten Grohmann
Language prefs ...: [not set]
Salutation .......:
URL of public key : https://carstengrohmann.de/download/carstengrohmann.pub
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa4096 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: DD36 8F14 0651 75DE B159  3980 6F5B 8616 ACB0 354B
      created ....: 2013-10-16 19:39:54
Authentication key: [none]
General key info..:
sub  rsa4096/0x6F5B8616ACB0354B 2013-10-16 Carsten Grohmann <carstengrohmann at gmx.de>
sec   rsa4096/0x033AA0B393AFAE6C  created: 2013-10-16  expires: 2028-09-02
ssb>  rsa4096/0x6F5B8616ACB0354B  created: 2013-10-16  expires: 2028-09-02
                                  card-no: 0006 18031866
ssb   rsa4096/0x468E025260DD710F  created: 2023-09-04  expires: 2028-09-02



Check the result - key is truncated
===================================

# LANG=C gpg --list-secret-keys --with-keygrip 0x033AA0B393AFAE6C
sec   rsa4096/0x033AA0B393AFAE6C 2013-10-16 [SC] [expires: 2028-09-02]
      D17696EEDCFEC2038171D953033AA0B393AFAE6C
      Keygrip = AB143A7B31FBB715329D5083B317D1581B591975
uid                   [ultimate] Carsten Grohmann <carstengrohmann at gmx.de>
uid                   [ultimate] Carsten Grohmann <carsten at grohmann-online.de>
uid                   [ultimate] Carsten Grohmann <mail at carstengrohmann.de>
ssb>  rsa4096/0x6F5B8616ACB0354B 2013-10-16 [E] [expires: 2028-09-02]
      Keygrip = 541DBB9E9190F1692E1EE65F14ADB13B5B0C9EA8
ssb   rsa4096/0x468E025260DD710F 2023-09-04 [S] [expires: 2028-09-02]
      Keygrip = AA95FFE1C4A1522B819ED8AF89E9390B61D49F68

# ll ~/.gnupg/private-keys-v1.d/541DBB9E9190F1692E1EE65F14ADB13B5B0C9EA8.key
-rw------- 1 carsten carsten 1237 10. Sep 20:48 /home/carsten/.gnupg/private-keys-v1.d/541DBB9E9190F1692E1EE65F14ADB13B5B0C9EA8.key


Is this expected behaviour? Can I control it?

Regards,
Carsten
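A small check for the state described in the post, added here as an example that is not part of the original message: it classifies the per-keygrip files in private-keys-v1.d as card stubs ("shadowed-private-key"), protected keys or plain keys, and counts the stubs, so a full key that has been replaced by a stub (the size drop from 2055 to 1237 bytes above) is visible before a backup gets overwritten. The file names and key values in the sample directory are constructed placeholders, not real keygrips or key material.

```shell
#!/bin/sh
# Added example, not from the original post: classify the per-keygrip files in
# a GnuPG private-keys-v1.d directory so that a full private key that has been
# replaced by a smartcard stub ("shadowed-private-key") is noticed before the
# next backup restore. The sample files created below are constructed.

# Print the kind of one keygrip file:
#   shadowed  - stub that only points at a card; no private material on disk
#   protected - passphrase-protected private key on disk
#   plain     - unprotected private key on disk
#   unknown   - not recognised
gpg_keyfile_kind() {
    # GnuPG stores either a canonical S-expression ("(20:shadowed-private-key")
    # or the extended text format ("Key: (shadowed-private-key"); the tag is
    # present in both, so a grep over the whole file is enough.
    if grep -q 'shadowed-private-key' "$1"; then echo shadowed
    elif grep -q 'protected-private-key' "$1"; then echo protected
    elif grep -q 'private-key' "$1"; then echo plain
    else echo unknown
    fi
}

# List every keygrip in DIR with its kind and size on stderr, and print the
# number of card stubs found on stdout (so a caller can compare it against
# the number of subkeys that are supposed to live on the card).
# Usage: count_stubs ~/.gnupg/private-keys-v1.d
count_stubs() {
    n=0
    for f in "$1"/*.key; do
        [ -e "$f" ] || continue
        kind=$(gpg_keyfile_kind "$f")
        size=$(wc -c <"$f" | tr -d ' ')
        printf '%s %-9s %s bytes\n' "$(basename "$f" .key)" "$kind" "$size" >&2
        [ "$kind" = shadowed ] && n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample directory: one card stub (canonical S-expression) and one
# protected key (extended format). Keygrips, MPIs and serial are placeholders.
make_samples() {
    printf '(20:shadowed-private-key(3:rsa(1:n4:NNNN)(1:e3:ABC)(8:shadowed5:t1-v1(6:SERIAL1:E))))' \
        > "$1/1111111111111111111111111111111111111111.key"
    printf 'Created: 20131016T193954\nKey: (protected-private-key (rsa (n #NNNN#)(e #010001#)\n (protected openpgp-s2k3-sha1-aes-cbc (...) #...#)))\n' \
        > "$1/2222222222222222222222222222222222222222.key"
}
```

Running count_stubs against the real directory before and after "gpg --card-edit" shows directly whether a keygrip file has turned into a stub.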


