Gentoo Archives: gentoo-user

From: Jean-Christophe Bach <jc.bach@×××××××.org>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Gnupg-2.1.* nightmare
Date: Mon, 19 Oct 2015 08:58:01
Message-Id: 5624B081.6070407@schplaf.org
In Reply to: [gentoo-user] Gnupg-2.1.* nightmare by Andrew Savchenko
On 10/13/2015 04:53 PM, Andrew Savchenko wrote:
> Hello,
>
> I updated to gnupg-2.1.9 from 2.0.x on both my desktop and laptop
> and now I have big problems.
>
> 1. gpgme is now broken.
>
> Gpgme consumers (e.g. sylpheed, mcabber) can verify, encrypt and
> decrypt messages, but can't sign them. On signing I have the
> following issues:
>
> Please enter your PGP passphrase:
> [17:26:06] GPGME signature error: Unusable secret key
>
> Or:
> ** Sylpheed-WARNING: pgp_sign(): signing failed: User defined error
> code 1
>
> I _can_ sign using the very same keys and plain
> gpg -s --default-key $id
> command. GPG itself works fine, something is amiss with gpgme.
>
> I updated gpgme, libgcrypt, libgpg-error and libassuan to the
> latest unstable versions and rebuilt consumer applications.
> Of course, keys were migrated to the new format using gpg --import
> and gpg-agent was restarted (I even rebooted the whole host), but
> problem is still here.
>
> The problem is even more strange, since I found a workaround way to
> sign messages in sylpheed. Program has three options for key
> selection:
> a) use default GPG key;
> b) select key by e-mail;
> c) use key with provided ID.
>
> Options b) and c) cause the error above, while option a) works, so
> by editing gpg.conf I can set default key id to what I need to sign
> a message. This is very inconvenient (since I have many keys), but
> at least works somehow.
>
>
> 2. I have duplicated keys in the ring with the same ID and
> fingerprint.
>
> Duplication happens only to _some_ of my keys where I have a secret
> key, fetched public keys of other users are not duplicated.
>
> Examples:
> a) Here I have the very same key twice:
>
> $ gpg --fingerprint -K 0x8EE705C07CFA83D3
> sec rsa4096/0x8EE705C07CFA83D3 2012-09-11 [expired: 2015-09-11]
> Key fingerprint = 3F2D 1E49 4F96 2CE6 1597 F217 8EE7 05C0 7CFA 83D3
> uid [ expired] Bircoph <bircoph@××××××.ru>
>
> sec rsa4096/0x8EE705C07CFA83D3 2012-09-11 [expired: 2015-09-11]
> Key fingerprint = 3F2D 1E49 4F96 2CE6 1597 F217 8EE7 05C0 7CFA 83D3
> uid [ expired] Bircoph <bircoph@××××××.ru>
>
> b) Now comes more interesting:
>
> $ gpg --fingerprint -K 0x565953B95372756C
> sec rsa4096/0x565953B95372756C 2013-02-27 [expires: 2018-02-26]
> Key fingerprint = 63EB 04FA A30C 76E2 952E 6ED6 5659 53B9 5372 756C
> uid [ultimate] Andrew Savchenko <bircoph@×××××.com>
> uid [ultimate] Andrew A. Savchenko (NRNU MEPhI) <aasavchenko@×××××.ru>
> uid [ultimate] Andrew A. Savchenko (UT Department) <aasavchenko@××××××××.ru>
> uid [ultimate] Andrew Savchenko (Gentoo Dev) <bircoph@g.o>
> uid [ultimate] Andrew A. Savchenko (XMPP) <bircoph@××××××.ru>
> uid [ultimate] Andrew A. Savchenko (UT Department) <bircoph@××××××××.ru>
> uid [ultimate] Andrey Savchenko (RHIC) <bircoph@××××××××××××.gov>
> ssb rsa4096/0x7AB649CA518C8321 2013-02-27 [expires: 2018-02-26]
> ssb rsa4096/0xF6535A33BA1EE48D 2015-01-13 [expires: 2018-01-12]
>
> sec rsa4096/0x565953B95372756C 2013-02-27 [expires: 2018-02-26]
> Key fingerprint = 63EB 04FA A30C 76E2 952E 6ED6 5659 53B9 5372 756C
> uid [ultimate] Andrew A. Savchenko (NRNU MEPhI) <aasavchenko@×××××.ru>
> uid [ultimate] Andrew Savchenko <bircoph@×××××.com>
> uid [ultimate] Andrew Savchenko (Gentoo Dev) <bircoph@g.o>
> uid [ultimate] Andrew A. Savchenko (XMPP) <bircoph@××××××.ru>
> uid [ultimate] Andrew A. Savchenko (UT Department) <bircoph@××××××××.ru>
> uid [ultimate] Andrew A. Savchenko (UT Department) <aasavchenko@××××××××.ru>
> ssb rsa4096/0x7AB649CA518C8321 2013-02-27 [expires: 2018-02-26]
> ssb rsa4096/0xF6535A33BA1EE48D 2015-01-13 [expires: 2018-01-12]
>
> I have two versions of the same key: the latest and previous one
> (before I added one more e-mail uid to the key).
>
> This problem may be related to the first one, maybe not, I'm not
> sure. It is possible that gpgme goes crazy with these duplicates.
>
> I have no idea how to remove duplicates and old versions. All gpg
> commands are tied to either key id, e-mail or fingerprint. They
> are all not unique to delete such duplicates.
>
> I have thought that this may happen due to both secring.gpg and
> private-keys-v1.d present, but moving secring.gpg away doesn't
> help.
>
> Maybe manual editing of pubring.gpg will help to remove duplicates,
> but it will be quite hard to handle this binary format.
>
>
> Googling gave me very little here:
>
> 1st issue: may happen for some custom gpgme client software, but
> no data on global failures after gnupg update.
>
> 2nd issue: may happen when key is stored in multiple sources and
> fetched from them, but I have no --keyring options in my gpg.conf
> (see attached file).
>
> Any ideas how to fix these issues, especially the signing failure,
> are much appreciated.
>
> Best regards,
> Andrew Savchenko

Hello,

I have a very similar problem, at least concerning your 2nd point
(duplicated keys). All my problems came when I updated gnupg from 1.x to
2.x. I tried to solve them by playing with different 2.x versions but
with the last one it is broken:

1. I detect duplicated keys in the ring
2. some friends told me my signature was bad
3. I am not able to verify all the signatures with Mutt or Thunderbird
(I do not understand why it works for some signatures and not for others)
4. with Thunderbird, I am not able anymore to sign/verify/cypher/decypher

I think that it is related to your problems, but I have no clue how to fix
that. I would also appreciate any help.

JC
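
The duplicate-key symptom reported in this thread (one fingerprint listed more than once, sometimes with differing user IDs) can be checked mechanically. The following is an added example, not part of either message: a Python script that parses `gpg --list-secret-keys --with-colons` output, where the sample keys, names and the script itself are constructed for illustration.

```python
import sys
from collections import defaultdict

# Constructed sample in the --with-colons layout (not real keys): key ...1111 appears twice.
SAMPLE = """\
sec:u:4096:1:1111111111111111:1361923200:::u:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
uid:u::::1361923200::H1::Alice Example <alice@example.org>:
uid:u::::1421107200::H2::Alice Example (work) <alice@example.com>:
ssb:u:4096:1:2222222222222222:1361923200::::::e:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB2222222222222222:
sec:u:4096:1:1111111111111111:1361923200:::u:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
uid:u::::1361923200::H1::Alice Example <alice@example.org>:
sec:u:4096:1:3333333333333333:1347321600:::u:::scESC:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC3333333333333333:
uid:u::::1347321600::H3::Bob Example <bob@example.org>:
"""

def parse_keyblocks(colons):
    """Return one (primary fingerprint, [user IDs]) pair per sec/pub block."""
    blocks, want_fpr = [], False
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "pub"):
            blocks.append([None, []])
            want_fpr = True          # the next fpr record belongs to the primary key
        elif f[0] == "fpr" and want_fpr and len(f) > 9:
            blocks[-1][0] = f[9]
            want_fpr = False         # later fpr records in this block are subkeys
        elif f[0] == "uid" and blocks and len(f) > 9:
            blocks[-1][1].append(f[9])
    return [(fpr, uids) for fpr, uids in blocks if fpr]

def find_duplicates(colons):
    """Map fingerprint -> list of uid sets, only for keys listed more than once."""
    seen = defaultdict(list)
    for fpr, uids in parse_keyblocks(colons):
        seen[fpr].append(set(uids))
    return {fpr: copies for fpr, copies in seen.items() if len(copies) > 1}

def uid_drift(copies):
    """User IDs present in some copies of a key but not in all of them."""
    return set.union(*copies) - set.intersection(*copies)

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for fpr, copies in find_duplicates(text).items():
        print(fpr, len(copies), "copies; uids not in all:", sorted(uid_drift(copies)))
```

Pipe real output into the script to check a live keyring; run without a pipe, it reports on the constructed sample.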
