Hello,

I updated to gnupg-2.1.9 from 2.0.x on both my desktop and laptop
and now I have big problems.

1. gpgme is now broken.

Gpgme consumers (e.g. sylpheed, mcabber) can verify, encrypt and
decrypt messages, but can't sign them. On signing I have the
following issues:

Please enter your PGP passphrase:
[17:26:06] GPGME signature error: Unusable secret key

Or:
** Sylpheed-WARNING: pgp_sign(): signing failed: User defined error
code 1

I _can_ sign using the very same keys and plain
gpg -s --default-key $id
command. GPG itself works fine, something is amiss with gpgme.

I updated gpgme, libgcrypt, libgpg-error and libassuan to the
latest unstable versions and rebuilt consumer applications.
Of course, keys were migrated to the new format using gpg --import
and gpg-agent was restarted (I even rebooted the whole host), but
problem is still here.

The problem is even more strange, since I found a workaround way to
sign messages in sylpheed. Program has three options for key
selection:
a) use default GPG key;
b) select key by e-mail;
c) use key with provided ID.

Options b) and c) cause the error above, while option a) works, so
by editing gpg.conf I can set default key id to what I need to sign
a message. This is very inconvenient (since I have many keys), but
at least works somehow.


2. I have duplicated keys in the ring with the same ID and
fingerprint.

Duplication happens only to _some_ of my keys where I have a secret
key, fetched public keys of other users are not duplicated.

Examples:
a) Here I have the very same key twice:

$ gpg --fingerprint -K 0x8EE705C07CFA83D3
sec rsa4096/0x8EE705C07CFA83D3 2012-09-11 [expired: 2015-09-11]
Key fingerprint = 3F2D 1E49 4F96 2CE6 1597 F217 8EE7 05C0 7CFA 83D3
uid [ expired] Bircoph <bircoph@××××××.ru>

sec rsa4096/0x8EE705C07CFA83D3 2012-09-11 [expired: 2015-09-11]
Key fingerprint = 3F2D 1E49 4F96 2CE6 1597 F217 8EE7 05C0 7CFA 83D3
uid [ expired] Bircoph <bircoph@××××××.ru>

b) Now comes more interesting:

$ gpg --fingerprint -K 0x565953B95372756C
sec rsa4096/0x565953B95372756C 2013-02-27 [expires: 2018-02-26]
Key fingerprint = 63EB 04FA A30C 76E2 952E 6ED6 5659 53B9 5372 756C
uid [ultimate] Andrew Savchenko <bircoph@×××××.com>
uid [ultimate] Andrew A. Savchenko (NRNU MEPhI) <aasavchenko@×××××.ru>
uid [ultimate] Andrew A. Savchenko (UT Department) <aasavchenko@××××××××.ru>
uid [ultimate] Andrew Savchenko (Gentoo Dev) <bircoph@g.o>
uid [ultimate] Andrew A. Savchenko (XMPP) <bircoph@××××××.ru>
uid [ultimate] Andrew A. Savchenko (UT Department) <bircoph@××××××××.ru>
uid [ultimate] Andrey Savchenko (RHIC) <bircoph@××××××××××××.gov>
ssb rsa4096/0x7AB649CA518C8321 2013-02-27 [expires: 2018-02-26]
ssb rsa4096/0xF6535A33BA1EE48D 2015-01-13 [expires: 2018-01-12]

sec rsa4096/0x565953B95372756C 2013-02-27 [expires: 2018-02-26]
Key fingerprint = 63EB 04FA A30C 76E2 952E 6ED6 5659 53B9 5372 756C
uid [ultimate] Andrew A. Savchenko (NRNU MEPhI) <aasavchenko@×××××.ru>
uid [ultimate] Andrew Savchenko <bircoph@×××××.com>
uid [ultimate] Andrew Savchenko (Gentoo Dev) <bircoph@g.o>
uid [ultimate] Andrew A. Savchenko (XMPP) <bircoph@××××××.ru>
uid [ultimate] Andrew A. Savchenko (UT Department) <bircoph@××××××××.ru>
uid [ultimate] Andrew A. Savchenko (UT Department) <aasavchenko@××××××××.ru>
ssb rsa4096/0x7AB649CA518C8321 2013-02-27 [expires: 2018-02-26]
ssb rsa4096/0xF6535A33BA1EE48D 2015-01-13 [expires: 2018-01-12]

I have two versions of the same key: the latest and previous one
(before I added one more e-mail uid to the key).

This problem may be related to the first one, may be not, I'm not
sure. It is possible that gpgme goes crazy with these duplicates.

I have no idea how to remove duplicates and old versions. All gpg
commands are tied to either key id, e-mail or fingerprint. They
are all not unique to delete such duplicates.

I have thought that this may happen due to both secring.gpg and
private-keys-v1.d present, but moving secring.gpg away doesn't
help.

Maybe manual editing of pubring.gpg will help to remove duplicates,
but it will be quite hard to handle this binary format.


Googling gave me very little here:

1st issue: may happen for some custom gpgme client software, but
no data on global failures after gnupg update.

2nd issue: may happen when key is stored in multiple sources and
fetched from them, but I have no --keyring options in my gpg.conf
(see attached file).

Any ideas how to fix these issues, especially the signing failure,
are much appreciated.

Best regards,
Andrew Savchenko
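
A check for the duplicate-listing symptom reported in this message, as an added example that is not part of the original post: it parses a colon-format key listing (assumed to come from `gpg --with-colons --fingerprint -K`) and reports primary fingerprints that appear in more than one key block, with the user IDs present in only some copies. The sample listing, the function names and all key IDs, fingerprints and addresses are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample in gpg's colon listing format; every value is a
# placeholder and records are shortened to the fields read below.
SAMPLE = """\
sec:u:4096:1:AAAAAAAAAAAAAAAA:1361923200:1519603200:
fpr:::::::::0123456789ABCDEF01234567AAAAAAAAAAAAAAAA:
uid:u::::1361923200::::Alice Example <alice@example.org>:
uid:u::::1421107200::::Alice Example (work) <alice@example.com>:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1361923200:1519603200:
fpr:::::::::FEDCBA9876543210FEDCBA98BBBBBBBBBBBBBBBB:
sec:u:4096:1:AAAAAAAAAAAAAAAA:1361923200:1519603200:
fpr:::::::::0123456789ABCDEF01234567AAAAAAAAAAAAAAAA:
uid:u::::1361923200::::Alice Example <alice@example.org>:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1361923200:1519603200:
fpr:::::::::FEDCBA9876543210FEDCBA98BBBBBBBBBBBBBBBB:
sec:u:4096:1:CCCCCCCCCCCCCCCC:1347321600:1441929600:
fpr:::::::::00112233445566778899AABBCCCCCCCCCCCCCCCC:
uid:u::::1347321600::::Bob Example <bob@example.net>:
"""

def parse_blocks(listing):
    """Split a colon listing into key blocks: primary fingerprint + uids."""
    blocks, prev = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "pub") and len(f) > 4:
            blocks.append({"keyid": f[4], "fpr": None, "uids": []})
        elif blocks and len(f) > 9:
            if f[0] == "fpr" and prev in ("sec", "pub"):
                blocks[-1]["fpr"] = f[9]      # fpr after ssb/sub is a subkey's
            elif f[0] == "uid":
                blocks[-1]["uids"].append(f[9])
        prev = f[0]
    return blocks

def find_duplicates(blocks):
    """Report primary fingerprints that occur in more than one key block."""
    groups = defaultdict(list)
    for b in blocks:
        groups[b["fpr"] or b["keyid"]].append(frozenset(b["uids"]))
    report = {}
    for fpr, uid_sets in groups.items():
        if len(uid_sets) > 1:
            only_some = frozenset.union(*uid_sets) - frozenset.intersection(*uid_sets)
            report[fpr] = {"copies": len(uid_sets), "uids_in_some_copies": sorted(only_some)}
    return report

if __name__ == "__main__":
    for fpr, info in find_duplicates(parse_blocks(SAMPLE)).items():
        print(fpr, info)
```

An empty `uids_in_some_copies` list corresponds to case a) in the message (identical copies); a non-empty one corresponds to case b) (an older and a newer version of the same key).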