Page MenuHome GnuPG
Create Task
Maniphest T2176

--default-key and --local-user stopped working with gpg 2.1.10 and offline master keys
Closed, ResolvedPublic
Actions

Description

I have two keys $FPR1 and $FPR2 in my secret keyring (identified by fingerprint,
and both with signing capability), listed in that order by 'gpg -K'. My
~/.gnupg/gpg.conf contains 'default-key $FPR2', however gpg 2.1.10 ignores the
option and selects the first available key, namely $FPR1, for signing
operations. I'm able to force it to select $FPR2 using --local-user:

    echo test | gpg2 --local-user $FPR2 -a --sign

(But the manpage suggests that --default-key should work in the absence of
--local-user option.) However, while the command line option work, I can't seem
to be able to add it to the configuration file:

    ~$ echo local-user $FPR2 >>~/.gnupg/gpg.conf
    ~$ echo test | gpg2 -a --sign
    gpg: key specification '$FPR2' is ambiguous
    gpg: (check argument of option '--local-user')
    gpg: '$FPR2' matches at least:
    gpg:   $FPR2
    gpg:   $FPR2

(Yes, the same fingerprint is listed twice. And there are no collisions in my
private keyring :-P.)

I also tried to add '--default-key $FPR2' as a command line option, but unless
--local-user this does not make gpg select that key.

Details

Version
2.1.10

Related Objects

Event Timeline

guilhem added a project: Bug Report.Dec 10 2015, 11:03 AM
guilhem added subscribers: neal, guilhem.
neal added a comment.Dec 11 2015, 11:44 AM

6dc37c5 fixes the ambiguous key specification error. The problem is that FPR2
actually appears in your keyring twice! Are you use a keyring or a keybox? Use:

  $ gpg2 --debug=lookup -k FPR2
  gpg: DBG: check_user_ids: Checking --hidden-encrypt-to=FPR2
  gpg: DBG: keydb_search: 1 search descriptions:
  gpg: DBG: keydb_search   0: LONG_KID: 'FPR2'
  gpg: DBG: keydb_search: searching keyring (resource 0 of 1)

keyring, not keybox

gpg: DBG: keyring_search: need_uid = 0; need_words = 0; need_keyid = 1;

need_fpr = 0; any_skip = 0

  gpg: DBG: keyring_search: initializing offset table. (need_keyid: 1 => 1)
  gpg: DBG: keyring_search: searching from start of resource.
  gpg: DBG: keyring_search: packet starting at offset 3357784 matched descriptor 0

first match

gpg: DBG: keyring_search: returing success
gpg: DBG: keydb_search: searched keyring (resource 0 of 1) => Success
gpg: DBG: check_user_ids: Checking if --hidden-encrypt-to='FPR2' is ambiguous

or there are dups

gpg: DBG: keydb_search: 1 search descriptions:
gpg: DBG: keydb_search   0: LONG_KID: 'FPR2'
gpg: DBG: keydb_search: searching keyring (resource 0 of 1)
gpg: DBG: keyring_search: need_uid = 0; need_words = 0; need_keyid = 1;

need_fpr = 0; any_skip = 0

  gpg: DBG: keyring_search: initializing offset table. (need_keyid: 1 => 1)
  gpg: DBG: keyring_search: not searching from start of resource.
  gpg: DBG: keyring_search: packet starting at offset 3562559 matched descriptor 0

second match

gpg: DBG: keyring_search: returing success
gpg: DBG: keydb_search: searched keyring (resource 0 of 1) => Success
gpg: DBG: keydb_search: 1 search descriptions:
gpg: DBG: keydb_search   0: LONG_KID: 'FPR2'
gpg: DBG: keydb_search: searching keyring (resource 0 of 1)
gpg: DBG: keyring_search: need_uid = 0; need_words = 0; need_keyid = 1;

need_fpr = 0; any_skip = 0

gpg: DBG: keyring_search: initializing offset table. (need_keyid: 1 => 1)
gpg: DBG: keyring_search: not searching from start of resource.
gpg: DBG: keyring_search: no matches (EOF)
gpg: DBG: keydb_search: searched keyring (resource 0 of 1) => EOF
gpg: Warning: FPR2 appears in the keyring 2 times.
guilhem added a comment.Dec 11 2015, 1:07 PM

The problem is that FPR2 actually appears in your keyring twice! Are you use

a keyring or a keybox?

Thank you for looking into this, Neal. I'm using a keybox, but I don't have the
same output:

~$ FPR2=7420DF86BCE15A458DCE997639278DA8109E6244
~$ gpg2 --debug=lookup -k $FPR2
gpg: reading options from '/home/guilhem/.gnupg/gpg.conf'
gpg: enabled debug flags: lookup
gpg: DBG: keydb_search: 1 search descriptions:
gpg: DBG: keydb_search   0: FPR20: '7420 DF86 BCE1 5A45 8DCE  9976 3927 8DA8

7420 DF8'

gpg: DBG: keydb_search: searching keybox (resource 0 of 1)
gpg: DBG: keydb_search: searched keybox (resource 0 of 1) => Success
gpg: DBG: finish_lookup: checking key 109E6244 (all)(req_usage=0)
gpg: DBG: 	using key 109E6244
gpg: DBG: keydb_search: 1 search descriptions:
gpg: DBG: keydb_search   0: FPR20: '7420 DF86 BCE1 5A45 8DCE  9976 3927 8DA8

7420 DF8'

  gpg: DBG: keydb_search: searching keybox (resource 0 of 1)
  gpg: DBG: keydb_search: searched keybox (resource 0 of 1) => EOF
  gpg: secmem usage: 0/65536 bytes in 0 blocks
  pub   rsa4096/0x39278DA8109E6244 2012-11-05 [expires: 2017-12-02]
  uid                   [ unknown] Guilhem Moulin <guilhem@fripost.org>
  uid                   [ unknown] Guilhem Moulin <guilhem.moulin@chalmers.se>
  uid                   [ unknown] Guilhem Moulin <guilhem.moulin@fripost.org>
  uid                   [ unknown] Guilhem Moulin <guilhem.moulin@ens-lyon.org>
  uid                   [ unknown] Guilhem Moulin <guilhem@guilhem.org>
  sub   rsa4096/0xD39A499C3C21A552 2012-11-05 [expires: 2016-10-31]
  sub   rsa4096/0xC27306B86774D6F7 2012-11-05 [expires: 2016-10-31]
  sub   rsa4096/0x73FB3BE5DB686A30 2012-11-05 [expires: 2016-10-31]

I've also tried to replicate the behavior in a clean GNUPGHOME:

  ~$ mkdir -m0700 /run/shm/gnupg
  ~$ ln -s ~/.gnupg/S.gpg-agent /run/shm/gnupg
  ~$ gpg2 --export $FPR1 | gpg2 --homedir /run/shm/gnupg --import
  ~$ gpg2 --export $FPR2 | gpg2 --homedir /run/shm/gnupg --import

(So /run/shm/gnupg contains a keybox, with $FPR1 and $FPR2 in that order.) The
following ouput should rule out a problem with a not properly merged key

~$ gpg2 --homedir /run/shm/gnupg --export | gpg --list-packets | grep -c

'^:public key'

  2
  ~$ kbxutil /run/shm/gnupg/pubring.kbx | grep '^Key-Fpr\[0\]:'
  Key-Fpr[0]: $FPR1
  Key-Fpr[0]: 7420DF86BCE15A458DCE997639278DA8109E6244

  ~$ gpg2 --homedir /run/shm/gnupg -a --sign </dev/null
  # selects $FPR1 (expected)

  ~$ gpg2 --homedir /run/shm/gnupg --default-key $FPR2 -a --sign </dev/null
  # selects $FPR1 (unexpected)

  ~$ gpg2 --homedir /run/shm/gnupg --local-user $FPR2 -a --sign </dev/null
  # selects $FPR2 (expected)

  ~$ echo default-key $FPR2 >/run/shm/gnupg/gpg.conf
  ~$ gpg2 --homedir /run/shm/gnupg -a --sign </dev/null
  # selects $FPR1 (unexpected)

  ~$ echo local-user $FPR2 >/run/shm/gnupg/gpg.conf
  ~$ gpg2 --homedir /run/shm/gnupg -a --sign </dev/null
  gpg: key specification '7420DF86BCE15A458DCE997639278DA8109E6244' is ambiguous
  gpg: (check argument of option '--local-user')
  gpg: '7420DF86BCE15A458DCE997639278DA8109E6244' matches at least:
  gpg:   7420DF86BCE15A458DCE997639278DA8109E6244
  gpg:   7420DF86BCE15A458DCE997639278DA8109E6244
neal added a comment.Dec 11 2015, 1:08 PM

I can't reproduce this. Normally, gpg uses EE37CF96 to sign. When I add
"default-key 4F43C989" to my gpg.conf file, it uses the indicated key:

  $ echo | gpg2 -s | gpg2
  Please enter the passphrase to unlock the OpenPGP secret key:
  "Testing (insecure!)"
  1024-bit RSA key, ID EE37CF96,
  created 2015-09-18.
  
   Passphrase: 
  
  gpg: Signature made Fri 11 Dec 2015 12:49:16 PM CET using RSA key ID EE37CF96
  gpg: Good signature from "Testing (insecure!)" [ultimate]

Add a default-key to gpg.conf:

$ echo | gpg2 -s | gpg2

gpg: using "4F43C989" as default secret key

Please enter the passphrase to unlock the OpenPGP secret key:

"Testing <testing@testing.com>"

1024-bit RSA key, ID 4F43C989,

created 2015-11-17.



 Passphrase: 



gpg: Signature made Fri 11 Dec 2015 12:49:35 PM CET using RSA key ID 4F43C989
guilhem added a comment.Dec 11 2015, 2:21 PM

I was able to reproduce by creating two keys with the default settings, adding a
signing subkey to the second one and then removing the private part of the
second master key.

Starting with two news keys in a fresh GNUPGHOME:

  ~$ mkdir -m0700 /run/shm/gnupg
  ~$ gpg2 --homedir /run/shm/gnupg --gen-key
  […]
  pub   rsa2048/86874ACC 2015-12-11
        Key fingerprint = 769C 9102 D5C2 2C35 9521  B4C9 C386 39F6 8687 4ACC
  uid         [ultimate] This is the 1st key
  sub   rsa2048/1B30F327 2015-12-11
  ~$ gpg2 --homedir /run/shm/gnupg --gen-key
  […]
  pub   rsa2048/FB0BE35A 2015-12-11
        Key fingerprint = B340 0EFB 296D EA60 6A86  D273 25C8 9A38 FB0B E35A
  uid         [ultimate] This is the 2nd key
  sub   rsa2048/3F1ADEB2 2015-12-11

I add a signing subkey to the second one

  ~$ gpg2 --homedir /run/shm/gnupg --expert --edit-key FB0BE35A addkey
  […]
  Possible actions for a RSA key: Sign Encrypt Authenticate
  Current allowed actions: Sign 
  […]
  gpg> save

Then I remove the private of the second master key

  ~$ gpg2 --homedir /run/shm/gnupg --with-keygrip --list-key FB0BE35A
  pub   rsa2048/FB0BE35A 2015-12-11
        Keygrip = 2B862E8DF6928622DD65D1BCDD5BF0F73FAE19CC
  uid         [ultimate] This is the 2nd key
  sub   rsa2048/3F1ADEB2 2015-12-11
        Keygrip = C4119344DBB7F874BDBC3FF706DB3D53FA8894C5
  sub   rsa2048/F9F86760 2015-12-11
        Keygrip = 30376FE31C5B6211728F8E2A4F595AF5D0F9F578
  ~$ gpg2 --homedir /run/shm/gnupg -K FB0BE35A
  sec#  rsa2048/FB0BE35A 2015-12-11
  uid         [ultimate] This is the 2nd key
  ssb   rsa2048/3F1ADEB2 2015-12-11
  ssb   rsa2048/F9F86760 2015-12-11

I want to signing something with the second key (using its signing subkey),
which I select with --default-key. But the first key is chosen instead:

~$ gpg2 --homedir /run/shm/gnupg --default-key FB0BE35A -a --sign </dev/null |

gpg --list-packets | grep keyid

  :onepass_sig packet: keyid C38639F686874ACC
  :signature packet: algo 1, keyid C38639F686874ACC

(Using --default-key 'F9F86760! doesn't help.)

guilhem renamed this task from --default-key and --local-user stopped working with gpg 2.1.10 to --default-key and --local-user stopped working with gpg 2.1.10 and offline master keys.Dec 11 2015, 6:22 PM
neal added a comment.Dec 15 2015, 11:17 AM

This should be fixed in e573e6. If you get a chance to test it and can report
back here, I'd appreciate it. Thanks!

neal added a project: Restricted Project.Dec 15 2015, 11:17 AM
neal added a project: gnupg.
guilhem added a comment.Dec 15 2015, 4:00 PM

I confirm that I'm not able to reproduce T2176 (guilhem on Dec 11 2015, 02:21 PM / Roundup) nor T2176 (guilhem on Dec 11 2015, 01:07 PM / Roundup) with 4ffe44c, so
I'm changing the issue to “resolved”. Thanks for the prompt action!

guilhem closed this task as Resolved.Dec 15 2015, 4:00 PM
guilhem claimed this task.
guilhem set Version to 2.1.10.
guilhem removed a project: Restricted Project.