Mailing List Archive: GnuPG: devel

Migrating from OpenPGP card + gnupg 1.4 to 2.1

 

 

alphazo at gmail

Dec 21, 2011, 6:35 AM

Post #1 of 5 (510 views)
Migrating from OpenPGP card + gnupg 1.4 to 2.1

I'm testing the latest beta 3 and tried the suggested command to migrate
my secring.gpg to the 2.1 keyring.
Before I explain what I get, here is how my key is setup:
- Primary key is an RSA4096 one that I only use to sign my own subkeys
and other people's key. The private key material of this key has been
removed from this specific machine as I only sign keys offline using a
full copy of the key that I keep away from computers.
- Subkey 1 is for encryption (RSA) using an OpenPGP card (cryptostick)
therefore only a stub is present in the keychain and no private key
material
- Subkey 2 is for signature (RSA) using an OpenPGP card (cryptostick)
therefore only a stub is present in the keychain and no private key
material

When importing this key I got the pinentry-gtk popup asking for the
passphrase for this key but this won't be of any help considering that
no private key material is there.

What do you recommend to migrate this particular key?

I could probably setup a temporary machine to use the full keychain
with passphrase then migrate to 2.1 and finally remove the private key
material of the primary key (is that possible with 2.1?).

Thanks
Alphazo

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


wk at gnupg

Dec 21, 2011, 10:08 AM

Post #2 of 5 (483 views)
Re: Migrating from OpenPGP card + gnupg 1.4 to 2.1

On Wed, 21 Dec 2011 15:35, alphazo [at] gmail said:

> When importing this key I got the pinentry-gtk popup asking for the
> passphrase for this key but this won't be of any help considering that
> no private key material is there.

Are you sure that it asks for the passphrase of the primary key? It
should ask for the one of the subkey. In any case, please enter the
passphrase of the subkey (which is usually the same as of the primary
key). Note, that I have a very similar setup and it worked without
problems. It is however possible that we have a regression here.

> I could probably setup a temporary machine to use the full keychain
> with passphrase then migrate to 2.1 and finally remove the private key
> material of the primary key (is that possible with 2.1?).

Yes, very easy:

gpg2 --with-keygrip -K

shows you the keygrip of the keys. Now, simply remove the file
~/.gnupg/private-keys-v1.d/KEYGRIP.key


Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.


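The keygrip lookup and file removal described in the reply above, as an added example (my code, not GnuPG's and not the poster's): it reads a `gpg2 --with-colons --with-keygrip -K` listing, takes the keygrip from the `grp` record that follows the `sec` record, and unlinks only that file under private-keys-v1.d. The listing, key IDs, fingerprints, keygrips and card serial are constructed sample data, and the dry run uses a throw-away directory with empty placeholder files rather than a real ~/.gnupg.

```python
"""Remove only the primary key's secret file from a GnuPG 2.1 home.

Added example; not code from GnuPG or from this thread. It follows the
procedure in the reply above: read keygrips from
`gpg2 --with-colons --with-keygrip -K`, then unlink
<homedir>/private-keys-v1.d/<KEYGRIP>.key for the primary key only.
The listing below is constructed sample data (fake key IDs,
fingerprints, keygrips and card serial), not a real keyring.
"""
import os
import tempfile

# Constructed `gpg2 --with-colons --with-keygrip -K` output for the layout
# in this thread: offline primary (field 15 is '#', i.e. only a stub) and two
# subkeys diverted to an OpenPGP card (field 15 carries the card's serial).
SAMPLE_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1250726400:::u:::scESC:::#:
fpr:::::::::AAAA0000AAAA0000AAAA0000AAAA00000123456789ABCDEF:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1250726400::DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF::Alphazo <alphazo@example.invalid>:
ssb:u:2048:1:FEDCBA9876543210:1250726400::::::e:::D2760001240102000005000012340000:
fpr:::::::::BBBB0000BBBB0000BBBB0000BBBB0000FEDCBA9876543210:
grp:::::::::2222222222222222222222222222222222222222:
ssb:u:2048:1:0F1E2D3C4B5A6978:1250726400::::::s:::D2760001240102000005000012340000:
fpr:::::::::CCCC0000CCCC0000CCCC0000CCCC00000F1E2D3C4B5A6978:
grp:::::::::3333333333333333333333333333333333333333:
"""


def parse_secret_keys(listing):
    """Return [(record, keyid, token, keygrip)] for each sec/ssb record.

    The keygrip comes from field 10 of the 'grp' record that follows the
    key record. Field 15 of sec/ssb is '#' for a stub without secret
    material and the token serial number for a key on an OpenPGP card.
    """
    keys = []
    current = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("sec", "ssb"):
            token = fields[14] if len(fields) > 14 else ""
            current = [fields[0], fields[4], token, None]
            keys.append(current)
        elif fields[0] == "grp" and current is not None:
            current[3] = fields[9]
    return [tuple(k) for k in keys]


def primary_keygrip(listing):
    """Keygrip of the primary key ('sec' record) in the listing."""
    for record, _keyid, _token, grip in parse_secret_keys(listing):
        if record == "sec":
            return grip
    raise ValueError("no sec record in listing")


def remove_primary_secret(homedir, listing):
    """Unlink private-keys-v1.d/<primary grip>.key; return its path or None.

    Subkey files are untouched. None means the file was not there, which
    is what you see when the agent never held more than a stub.
    """
    path = os.path.join(homedir, "private-keys-v1.d",
                        primary_keygrip(listing) + ".key")
    if not os.path.exists(path):
        return None
    os.unlink(path)
    return path


def dry_run():
    """Exercise the removal in a throw-away home with empty fake key files.

    Returns (removed file name, sorted names still present).
    """
    with tempfile.TemporaryDirectory() as home:
        keydir = os.path.join(home, "private-keys-v1.d")
        os.mkdir(keydir)
        for _rec, _kid, _tok, grip in parse_secret_keys(SAMPLE_LISTING):
            open(os.path.join(keydir, grip + ".key"), "w").close()
        removed = remove_primary_secret(home, SAMPLE_LISTING)
        return os.path.basename(removed), sorted(os.listdir(keydir))


if __name__ == "__main__":
    removed, remaining = dry_run()
    print("removed:  ", removed)
    print("remaining:", remaining)
    # Against a real home, feed the actual listing instead of SAMPLE_LISTING:
    #   listing = subprocess.run(["gpg2", "--with-colons", "--with-keygrip", "-K"],
    #                            capture_output=True, text=True).stdout
    #   remove_primary_secret(os.path.expanduser("~/.gnupg"), listing)
```

Before pointing it at a real home, confirm the offline copy of the primary key is intact: deleting the .key file cannot be undone from this machine. Afterwards `gpg2 -K` marks the primary as `sec#` (secret part not available), while the card subkeys keep working through the agent.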


alphazo at gmail

Dec 21, 2011, 1:38 PM

Post #3 of 5 (480 views)
Re: Migrating from OpenPGP card + gnupg 1.4 to 2.1

You were right on the subkey. In the meantime I realized that the
import function was also trying to import old revoked keys as well.
That's why I got the password prompt for an old non-OpenPGP-card-based
key.

Now for testing purposes I cleaned up my secring.gpg by removing all
secret keys but one which is the one I described in my previous post.

I started the import and didn't get any password prompt but
unfortunately also no PIN prompt for my OpenPGP card (?).
alpha [at] fatfl ~/.gnupg % gpg2 --import ~/.gnupg/secring.gpg
gpg: key F89A6E41: "Test Key <testkey [at] nomail>" not changed
gpg: key F89A6E41: secret key imported
gpg: Total number processed: 4
gpg:              unchanged: 1
gpg:       secret keys read: 4

Then I looked at my gnupg2 keystore but it remains empty.

alpha [at] fatfl ~/.gnupg % ls private-keys-v1.d
alpha [at] fatfl ~/.gnupg %

Is my OpenPGP card stub being checked correctly?
Is gpg-agent supposed to work out of the box with OpenPGP card?

I then did another test by using a regular key (no OpenPGP card) and
got a strange "can't handle public key algorithm 3" error then a seg.
fault when doing a --list-secret-keys. However --edit-key did work
fine.

(gdb) run -v --list-secret-keys
Starting program: /usr/bin/gpg2 -v --list-secret-keys
gpg: using PGP trust model
gpg: can't handle public key algorithm 3
gpg: subpacket of type 20 has critical bit set

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff732e700 in ?? () from /lib/libgcrypt.so.11


#0 0x00007ffff732e700 in ?? () from /lib/libgcrypt.so.11
No symbol table info available.
#1 0x00007ffff72e6726 in ?? () from /lib/libgcrypt.so.11
No symbol table info available.
#2 0x00007ffff72e7bfa in ?? () from /lib/libgcrypt.so.11
No symbol table info available.
#3 0x00007ffff72e1ef2 in gcry_sexp_build () from /lib/libgcrypt.so.11
No symbol table info available.
#4 0x000000000042a05b in ?? ()
No symbol table info available.
#5 0x0000000000471e63 in ?? ()
No symbol table info available.
#6 0x00000000004383fc in ?? ()
No symbol table info available.
#7 0x000000000040c120 in ?? ()
No symbol table info available.
#8 0x00007ffff6b6114d in __libc_start_main () from /lib/libc.so.6
No symbol table info available.
#9 0x000000000040c5ed in ?? ()
No symbol table info available.
#10 0x00007fffffffe0b8 in ?? ()
No symbol table info available.
#11 0x00000000ffffffff in ?? ()
No symbol table info available.
#12 0x0000000000000003 in ?? ()
No symbol table info available.
#13 0x00007fffffffe408 in ?? ()
No symbol table info available.
#14 0x00007fffffffe416 in ?? ()
No symbol table info available.
#15 0x00007fffffffe419 in ?? ()
No symbol table info available.
#16 0x0000000000000000 in ?? ()
No symbol table info available.


gpg2 -v --edit-key alphazo [at] gmail
Secret key is available.

gpg: using PGP trust model
pub  1024D/242D4DFB  created: 2009-08-20  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
sub  2048g/CBF93DD2  created: 2009-08-20  expires: never       usage: E
[ultimate] (1). Alphazo <alphazo [at] gmail>

Alphazo



alphazo at gmail

Jan 11, 2012, 2:14 PM

Post #4 of 5 (467 views)
Re: Migrating from OpenPGP card + gnupg 1.4 to 2.1

Now that the seg. fault is fixed, I tried again to migrate my hybrid
private key to the new gnupg2 key storage but I don't get

On Wed, Dec 21, 2011 at 10:38 PM, Alphazo <alphazo [at] gmail> wrote:
> You were right on the subkey. In the meantime I realized that the
> import function was also trying to import old revoked keys as well.
> That's why I got the password prompt for an old non OpenGPG card based
> key.
>
> Now for testing purposes I cleaned up my secring.gpg by removing all
> secret keys but one which is the one I described in my previous post.
>
> I started the import and didn't get any password prompt but
> unfortunately also no PIN prompt for my OpenPGP card (?).
> alpha [at] fatfl ~/.gnupg % gpg2 --import ~/.gnupg/secring.gpg
> gpg: key F89A6E41: "Test Key <testkey [at] nomail>" not changed
> gpg: key F89A6E41: secret key imported
> gpg: Total number processed: 4
> gpg:              unchanged: 1
> gpg:       secret keys read: 4
>
> Then I looked at my gnugp2 keystore but it remains empty.
>
> alpha [at] fatfl ~/.gnupg % ls private-keys-v1.d
> alpha [at] fatfl ~/.gnupg %
>
> Is my OpenPGP card stub being checked correctly?
> Is gpg-agent supposed to work out of the box with OpenPGP card?
>
> I then did another test by using a regular key (no OpenPGP card) and
> got a strange 'can't handle public key algorithm 3" error then a seg.
> fault when doing a --list-secret-keys. However --edit-key did work
> fine.
>
> (gdb) run -v --list-secret-keys
> Starting program: /usr/bin/gpg2 -v --list-secret-keys
> gpg: using PGP trust model
> gpg: can't handle public key algorithm 3
> gpg: subpacket of type 20 has critical bit set
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x00007ffff732e700 in ?? () from /lib/libgcrypt.so.11
>
>
> #0  0x00007ffff732e700 in ?? () from /lib/libgcrypt.so.11
> No symbol table info available.
> #1  0x00007ffff72e6726 in ?? () from /lib/libgcrypt.so.11
> No symbol table info available.
> #2  0x00007ffff72e7bfa in ?? () from /lib/libgcrypt.so.11
> No symbol table info available.
> #3  0x00007ffff72e1ef2 in gcry_sexp_build () from /lib/libgcrypt.so.11
> No symbol table info available.
> #4  0x000000000042a05b in ?? ()
> No symbol table info available.
> #5  0x0000000000471e63 in ?? ()
> No symbol table info available.
> #6  0x00000000004383fc in ?? ()
> No symbol table info available.
> #7  0x000000000040c120 in ?? ()
> No symbol table info available.
> #8  0x00007ffff6b6114d in __libc_start_main () from /lib/libc.so.6
> No symbol table info available.
> #9  0x000000000040c5ed in ?? ()
> No symbol table info available.
> #10 0x00007fffffffe0b8 in ?? ()
> ---Type <return> to continue, or q <return> to quit---
> No symbol table info available.
> #11 0x00000000ffffffff in ?? ()
> No symbol table info available.
> #12 0x0000000000000003 in ?? ()
> No symbol table info available.
> #13 0x00007fffffffe408 in ?? ()
> No symbol table info available.
> #14 0x00007fffffffe416 in ?? ()
> No symbol table info available.
> #15 0x00007fffffffe419 in ?? ()
> No symbol table info available.
> #16 0x0000000000000000 in ?? ()
> No symbol table info available.
>
>
> gpg2 -v --edit-key alphazo [at] gmail
> Secret key is available.
>
> gpg: using PGP trust model
> pub  1024D/242D4DFB  created: 2009-08-20  expires: never       usage: SC
>                     trust: ultimate      validity: ultimate
> sub  2048g/CBF93DD2  created: 2009-08-20  expires: never       usage: E
> [ultimate] (1). Alphazo <alphazo [at] gmail>
>
> Alphazo
>
> On Wed, Dec 21, 2011 at 7:08 PM, Werner Koch <wk [at] gnupg> wrote:
>> On Wed, 21 Dec 2011 15:35, alphazo [at] gmail said:
>>
>>> When importing this key I got the pinentry-gtk popup asking for the
>>> passphrase for this key but this won't be of any help considering that
>>> no private key material is there.
>>
>> Are you sure that it ask for the passphrase of the primary key?  It
>> should ask for the one of the subkey.  In any case, please enter the
>> passphrase of the subkey (which is usually the same as of the primary
>> key).  Note, that I have a very similar setup and it worked without
>> problems.  It is however possible that we have a regression here.
>>
>>> I could probably setup a temporary machine to use the full keychain
>>> with passphrase then migrate to 2.1 and finally remove the private key
>>> material of the primary key (is that possible with 2.1?).
>>
>> Yes, very easy:
>>
>>  gpg2 --with-keygrip -K
>>
>> shows you the keygrip of the keys.  Now, simply remove the file
>> ~/.gnupg/private-keys-v1.d/KEYGRIP.key
>>
>>
>> Salam-Shalom,
>>
>>   Werner
>>
>> --
>> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
>>

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


alphazo at gmail

Jan 11, 2012, 2:25 PM

Post #5 of 5 (477 views)
Re: Migrating from OpenPGP card + gnupg 1.4 to 2.1

Now that the seg. fault is fixed, I tried again to migrate my hybrid
private key to the new gnupg2 key storage. I do get a password prompt
for older keys (and I clicked on cancel for each) but I don't get a
password or PIN prompt for my current hybrid key. However gnupg2 says
that it has imported my secret key but the private-keys-v1.d directory
stays empty.... Where has my private key been imported to?
As a side note I also get some errors with some old keys.

# gpg2 --import ~/.gnupg/secring.gpg
....
gpg: key 12345678 : "Test Key1 <testkey1 [at] dummy>" not changed
gpg: key 12345678/3344556677: error sending to agent: Operation cancelled
gpg: key 0022446688: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: key 0022446688/AABBCCDDEE: error sending to agent: Operation cancelled
...
gpg: key 7A7B7D7E: "Hybrid Key <hybrid [at] current>" not changed
gpg: key 7A7B7D7E: secret key imported
...
gpg: Total number processed: 24
gpg:           w/o user IDs: 1
gpg:              unchanged: 9
gpg:       secret keys read: 24


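The two questions in the posts above (is the card stub handled, and where did the secret key go when private-keys-v1.d stays empty) come down to what the 1.4 secring actually holds for each key. As an added example (my code, not GnuPG's and not the poster's), the parser below walks the secret-key packets of a secring.gpg and reports each key's protection: a passphrase, none, a GNU "dummy" stub (S2K mode 1001, what gpg 1.4 writes for a primary whose secret part was removed), or a "divert-to-card" stub (mode 1002) with the card serial. For RSA keys it also derives the keygrip, the name gpg-agent uses for the key's file under private-keys-v1.d, so the output can be checked against `gpg2 --with-keygrip -K`. The keyring it runs on is constructed inline from tiny fake RSA moduli; the key IDs, fingerprints and serial number it prints are not real, and it handles v4 keys only.

```python
"""Inspect the secret-key packets of a GnuPG 1.4 secring.gpg.

Added example, not GnuPG code or the poster's. For each secret key it reports
the protection present: a passphrase, none, a GNU "dummy" stub (S2K mode 1001)
or a "divert-to-card" stub (mode 1002, with the card serial). Wire layout per
RFC 4880 plus the GNU S2K extension (S2K type 101, hash algo, "GNU", mode byte;
mode 2 is followed by a length-prefixed serial). The sample keyring is built
from tiny fake RSA moduli; its key IDs, fingerprints and serial are not real.
"""
import hashlib
import struct

GNU_MODES = {1001: "gnu-dummy stub (no secret key material)",
             1002: "gnu-divert-to-card stub (key lives on the OpenPGP card)"}
PUBLIC_MPIS = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}   # public MPI count per algorithm

def read_mpi(buf, pos):   # -> (value bytes, next offset) for an RFC 4880 MPI
    nbytes = (struct.unpack(">H", buf[pos:pos + 2])[0] + 7) // 8
    return buf[pos + 2:pos + 2 + nbytes], pos + 2 + nbytes

def iter_packets(data):
    """Yield (tag, body) for every packet; old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if ctb & 0x40:                                  # new-format header
            tag, first, pos = ctb & 0x3F, data[pos], pos + 1
            if first < 192:
                length = first
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
            elif first == 255:
                length, pos = struct.unpack(">I", data[pos:pos + 4])[0], pos + 4
            else:
                raise ValueError("partial body length in a keyring")
        else:                                           # old-format header
            tag, width = (ctb >> 2) & 0x0F, (1, 2, 4, None)[ctb & 0x03]
            if width is None:
                raise ValueError("indeterminate length in a keyring")
            length, pos = int.from_bytes(data[pos:pos + width], "big"), pos + width
        yield tag, data[pos:pos + length]
        pos += length

def describe_secret_key(body):
    """Classify one v4 secret-key (tag 5) or secret-subkey (tag 7) body."""
    if body[0] != 4:
        raise ValueError("unsupported key packet version %d" % body[0])
    algo, pos = body[5], 6                  # version(1) + creation time(4) + algo(1)
    mpis = []
    for _ in range(PUBLIC_MPIS[algo]):
        mpi, pos = read_mpi(body, pos)
        mpis.append(mpi)
    # v4 fingerprint = SHA-1(0x99 || 2-octet length || public key body); key ID = last 8 octets
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", pos) + body[:pos]).hexdigest().upper()
    info = {"algo": algo, "fingerprint": fpr, "keyid": fpr[-16:]}
    if algo in (1, 2, 3):                   # RSA keygrip = SHA-1(n): gpg-agent's file name
        info["keygrip"] = hashlib.sha1(mpis[0].lstrip(b"\x00")).hexdigest().upper()
    usage, pos = body[pos], pos + 1
    if usage == 0:
        info["protection"] = "unprotected (secret MPIs in clear)"
    elif usage in (254, 255):
        cipher, s2k_type, hash_algo = body[pos], body[pos + 1], body[pos + 2]
        pos += 3
        if s2k_type == 101:                 # GNU extension: "GNU" then the mode byte
            if body[pos:pos + 3] != b"GNU":
                raise ValueError("malformed GNU S2K extension")
            mode, pos = 1000 + body[pos + 3], pos + 4
            info["protection"] = GNU_MODES.get(mode, "unknown GNU mode %d" % mode)
            if mode == 1002:                # one length octet, then the card serial
                info["card_serial"] = body[pos + 1:pos + 1 + body[pos]].hex().upper()
        else:
            info["protection"] = ("passphrase-protected (S2K type %d, cipher %d, hash %d)"
                                  % (s2k_type, cipher, hash_algo))
    else:                                   # usage 1..110: bare cipher id, old unsalted layout
        info["protection"] = "passphrase-protected (legacy, cipher %d)" % usage
    return info

def inspect_secring(data):   # one dict per secret key/subkey packet, in keyring order
    return [dict(describe_secret_key(body), kind="primary" if tag == 5 else "subkey")
            for tag, body in iter_packets(data) if tag in (5, 7)]

def mpi(value):   # helpers below build the constructed sample keyring (fake 40-bit moduli)
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")
def packet(tag, body):                      # old-format header with a two-octet length
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body
def rsa_public(n, ctime=1250726400):        # v4 public part: version, ctime, algo 1, n, e
    return bytes([4]) + struct.pack(">I", ctime) + bytes([1]) + mpi(n) + mpi(0x10001)

def build_sample_secring():
    """Layout from this thread: gnu-dummy primary, user ID, two divert-to-card subkeys."""
    serial = bytes.fromhex("D2760001240102000005000012340000")
    dummy = bytes([255, 0, 101, 2]) + b"GNU" + bytes([1])        # usage, cipher, S2K 101, hash
    divert = bytes([255, 0, 101, 2]) + b"GNU" + bytes([2, len(serial)]) + serial
    return (packet(5, rsa_public(0xC353F6E9B1) + dummy)
            + packet(13, b"Alphazo <alphazo@example.invalid>")
            + packet(7, rsa_public(0x9F2A6D1C3B) + divert)
            + packet(7, rsa_public(0xB7E1D4A953) + divert))

if __name__ == "__main__":   # real keyring: inspect_secring(open("secring.gpg", "rb").read())
    for k in inspect_secring(build_sample_secring()):
        print(k["kind"], k["keyid"], "grip", k["keygrip"], "->", k["protection"], k.get("card_serial", ""))
```

A stub in either GNU mode carries no secret MPIs, so there is nothing for gpg-agent to decrypt and no passphrase or PIN to ask for at import time; the PIN is requested only when the card key is actually used. The agent-side stub for a card key (a shadowed-private-key file under private-keys-v1.d) is created by `gpg2 --card-status` with the card inserted.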
