Gentoo Archives: gentoo-user

From: Andrew Savchenko <bircoph@g.o>
To: gentoo-user@l.g.o
Subject: [gentoo-user] Gnupg-2.1.* nightmare
Date: Tue, 13 Oct 2015 14:54:09
Message-Id: 20151013175353.4e247f53d261518fff3eaf4e@gentoo.org
Hello,

I updated to gnupg-2.1.9 from 2.0.x on both my desktop and laptop
and now I have big problems.

1. gpgme is now broken.

Gpgme consumers (e.g. sylpheed, mcabber) can verify, encrypt and
decrypt messages, but can't sign them. On signing I have the
following issues:

Please enter your PGP passphrase:
[17:26:06] GPGME signature error: Unusable secret key

Or:
** Sylpheed-WARNING: pgp_sign(): signing failed: User defined error
code 1

I _can_ sign using the very same keys and the plain
gpg -s --default-key $id
command. GPG itself works fine; something is amiss with gpgme.

I updated gpgme, libgcrypt, libgpg-error and libassuan to the
latest unstable versions and rebuilt consumer applications.
Of course, keys were migrated to the new format using gpg --import
and gpg-agent was restarted (I even rebooted the whole host), but
the problem is still here.

The problem is even stranger, since I found a workaround to
sign messages in sylpheed. The program has three options for key
selection:
a) use default GPG key;
b) select key by e-mail;
c) use key with provided ID.

Options b) and c) cause the error above, while option a) works, so
by editing gpg.conf I can set the default key id to what I need to sign
a message. This is very inconvenient (since I have many keys), but
at least it works somehow.


2. I have duplicated keys in the ring with the same ID and
fingerprint.

Duplication happens only to _some_ of my keys where I have a secret
key; fetched public keys of other users are not duplicated.

Examples:
a) Here I have the very same key twice:

$ gpg --fingerprint -K 0x8EE705C07CFA83D3
sec rsa4096/0x8EE705C07CFA83D3 2012-09-11 [expired: 2015-09-11]
Key fingerprint = 3F2D 1E49 4F96 2CE6 1597 F217 8EE7 05C0 7CFA 83D3
uid [ expired] Bircoph <bircoph@××××××.ru>

sec rsa4096/0x8EE705C07CFA83D3 2012-09-11 [expired: 2015-09-11]
Key fingerprint = 3F2D 1E49 4F96 2CE6 1597 F217 8EE7 05C0 7CFA 83D3
uid [ expired] Bircoph <bircoph@××××××.ru>

b) Now it gets more interesting:

$ gpg --fingerprint -K 0x565953B95372756C
sec rsa4096/0x565953B95372756C 2013-02-27 [expires: 2018-02-26]
Key fingerprint = 63EB 04FA A30C 76E2 952E 6ED6 5659 53B9 5372 756C
uid [ultimate] Andrew Savchenko <bircoph@×××××.com>
uid [ultimate] Andrew A. Savchenko (NRNU MEPhI) <aasavchenko@×××××.ru>
uid [ultimate] Andrew A. Savchenko (UT Department) <aasavchenko@××××××××.ru>
uid [ultimate] Andrew Savchenko (Gentoo Dev) <bircoph@g.o>
uid [ultimate] Andrew A. Savchenko (XMPP) <bircoph@××××××.ru>
uid [ultimate] Andrew A. Savchenko (UT Department) <bircoph@××××××××.ru>
uid [ultimate] Andrey Savchenko (RHIC) <bircoph@××××××××××××.gov>
ssb rsa4096/0x7AB649CA518C8321 2013-02-27 [expires: 2018-02-26]
ssb rsa4096/0xF6535A33BA1EE48D 2015-01-13 [expires: 2018-01-12]

sec rsa4096/0x565953B95372756C 2013-02-27 [expires: 2018-02-26]
Key fingerprint = 63EB 04FA A30C 76E2 952E 6ED6 5659 53B9 5372 756C
uid [ultimate] Andrew A. Savchenko (NRNU MEPhI) <aasavchenko@×××××.ru>
uid [ultimate] Andrew Savchenko <bircoph@×××××.com>
uid [ultimate] Andrew Savchenko (Gentoo Dev) <bircoph@g.o>
uid [ultimate] Andrew A. Savchenko (XMPP) <bircoph@××××××.ru>
uid [ultimate] Andrew A. Savchenko (UT Department) <bircoph@××××××××.ru>
uid [ultimate] Andrew A. Savchenko (UT Department) <aasavchenko@××××××××.ru>
ssb rsa4096/0x7AB649CA518C8321 2013-02-27 [expires: 2018-02-26]
ssb rsa4096/0xF6535A33BA1EE48D 2015-01-13 [expires: 2018-01-12]

I have two versions of the same key: the latest and the previous one
(before I added one more e-mail uid to the key).

This problem may be related to the first one, maybe not, I'm not
sure. It is possible that gpgme goes crazy with these duplicates.

I have no idea how to remove duplicates and old versions. All gpg
commands are tied to either key id, e-mail or fingerprint. None of
them are unique, so they cannot be used to delete such duplicates.

I have thought that this may happen due to both secring.gpg and
private-keys-v1.d being present, but moving secring.gpg away doesn't
help.

Maybe manual editing of pubring.gpg will help to remove duplicates,
but it will be quite hard to handle this binary format.


Googling gave me very little here:

1st issue: may happen for some custom gpgme client software, but
no data on global failures after a gnupg update.

2nd issue: may happen when a key is stored in multiple sources and
fetched from them, but I have no --keyring options in my gpg.conf
(see attached file).

Any ideas on how to fix these issues, especially the signing failure,
are much appreciated.

Best regards,
Andrew Savchenko

Attachments

File name MIME type
gpg.conf text/plain
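The post notes that every gpg selector (key id, e-mail, fingerprint) matches both copies of a duplicated secret key, so the copies cannot be told apart by those alone. The following is an added audit script, not code from the poster or from GnuPG: it parses the machine-readable listing from `gpg --with-colons --fingerprint -K` (record type in field 1, key id in field 5, fingerprint or user id in field 10, per GnuPG's doc/DETAILS), reports every primary fingerprint listed more than once, and shows which uids are missing from some copies, which is what distinguishes the stale version from the current one. The listing below is constructed sample data with placeholder addresses, not the poster's real keyring.

```python
"""Find secret keys that gpg lists more than once with the same primary
fingerprint (the duplicate-key symptom described in the post above)."""
from collections import OrderedDict

# Constructed sample of `gpg --with-colons --fingerprint -K` output, not the
# poster's real keyring: one key listed twice (second copy lacks a uid) and
# one key listed once. Fields used: 0=record type, 4=key id, 9=fpr/uid text.
SAMPLE = """\
sec:u:4096:1:565953B95372756C:1361923200:1519603200::u:::scESC:::+:::23::0:
fpr:::::::::63EB04FAA30C76E2952E6ED6565953B95372756C:
uid:u::::1361923200::A1::Andrew Savchenko <bircoph@example.invalid>::::::::::0:
uid:u::::1361923200::B2::Andrey Savchenko (RHIC) <bircoph@example.invalid>::::::::::0:
ssb:u:4096:1:7AB649CA518C8321:1361923200:1519603200:::::e:::+:::23:
sec:u:4096:1:565953B95372756C:1361923200:1519603200::u:::scESC:::+:::23::0:
fpr:::::::::63EB04FAA30C76E2952E6ED6565953B95372756C:
uid:u::::1361923200::A1::Andrew Savchenko <bircoph@example.invalid>::::::::::0:
sec:u:4096:1:0123456789ABCDEF:1400000000:1600000000::u:::scESC:::+:::23::0:
fpr:::::::::FEDCBA98765432100123456789ABCDEF01234567:
uid:u::::1400000000::C3::Other Key <other@example.invalid>::::::::::0:
"""


def parse_secret_keys(text):
    """One dict per `sec` record, in listing order: key id, primary fpr, uids."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "sec":
            keys.append({"keyid": f[4], "fpr": None, "uids": []})
        elif keys and f[0] == "fpr" and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]  # first fpr after sec is the primary key's
        elif keys and f[0] == "uid":
            keys[-1]["uids"].append(f[9])
    return keys


def find_duplicates(keys):
    """Map each fingerprint listed more than once to its copy count and the
    uids that are not present on every copy (the stale copy lacks them)."""
    by_fpr = OrderedDict()
    for k in keys:
        by_fpr.setdefault(k["fpr"], []).append(k)
    dups = {}
    for fpr, copies in by_fpr.items():
        if len(copies) > 1:
            uid_sets = [set(c["uids"]) for c in copies]
            dups[fpr] = {"copies": len(copies), "uids_not_on_all": sorted(
                set.union(*uid_sets) - set.intersection(*uid_sets))}
    return dups
```

To run it against a real keyring, replace SAMPLE with the captured stdout of `gpg --with-colons --fingerprint -K`; the script only reads the listing and never modifies the keyring.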

Replies

Subject Author
Re: [gentoo-user] Gnupg-2.1.* nightmare Jean-Christophe Bach <jc.bach@×××××××.org>