
gnupg 2.1 regression: cannot use OpenPGP card for signing
Closed, Invalid (Public)

Description

With gnupg 2.1, I can no longer use my OpenPGP smartcard. gnupg is able to see
the card (--card-status shows it) and --card-edit also works. However, gpg -K no
longer shows the key.

Output with gnupg 2.0:

$ gpg -K

/home/thomas/.gnupg/secring.gpg

sec 1024D/31CFFD50 2005-09-04
uid Thomas Bächler <thomas.baechler@rwth-aachen.de>
uid Thomas Bächler <thomas.baechler@gmx.de>
ssb 2048g/648E6F29 2005-09-04

sec 4096R/8E4B1A25 2011-05-04
uid Thomas Bächler <thomas@archlinux.org>
ssb 4096R/20016BDB 2011-05-04

sec> 3072R/824B18E8 2011-11-19
Kartenseriennr. = 1234 56789012
uid Thomas Bächler (Arch Linux Master Key) <thomas@master-key.archlinux.org>
ssb> 1024R/AAE53976 2011-11-19
ssb> 2048R/96A8F3F2 2011-11-19

Output with gnupg 2.1:

$ gpg -K

/home/thomas/.gnupg/pubring.gpg

sec dsa1024/31CFFD50 2005-09-04
uid [ultimate] Thomas Bächler <thomas.baechler@gmx.de>
uid [ultimate] Thomas Bächler <thomas.baechler@rwth-aachen.de>
ssb elg2048/648E6F29 2005-09-04

sec rsa4096/8E4B1A25 2011-05-04
uid [ultimate] Thomas Bächler <thomas@archlinux.org>
ssb rsa4096/20016BDB 2011-05-04

As you can see, the third key is no longer listed with gnupg 2.1. When I try to
use the key for signing, gnupg complains that there is no private key.
Downgrading to version 2.0 again resolves the issue.

Details

Version
2.1

Event Timeline

brain0 added projects: gnupg, Bug Report.
brain0 added a subscriber: brain0.

In 2.1, secret key handling has been changed.
It's now *not* in secring.gpg but in files under private-keys-v1.d.
I think that there were some migration problems for your environment (and GnuPG
2.1.0) and one of your secret keys was not converted.

I don't know the reason, but I guess that your key is only available in
secring.gpg and not in pubring.gpg.

The secret key reference (in secring.gpg for 1.4/2.0, under private-keys-v1.d
for 2.1) can be generated by accessing the card.
With 2.1.1, --card-status will register the key reference. With 2.1.0, you can
do:

  $ gpg-connect-agent learn /bye

Once you have the public key entry and the private key reference to your card,
it should work well.
Could you please try installing your public key with 2.1.0 and making the
private key reference?
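
A shell check for the situation the comment describes, added here as an example and not part of the ticket or of GnuPG itself: it takes a saved `gpg --with-colons --with-keygrip -K` listing plus the private-keys-v1.d directory, reports keygrips that have no stub file (the keys 2.1 omits from `gpg -K`), and wraps the `gpg-connect-agent learn /bye` remediation. The listing lines, keygrip values and paths in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the ticket or from GnuPG: find secret (sub)keys whose
# keygrip has no file under private-keys-v1.d. In gpg 2.1 such a key is absent
# from "gpg -K", which is the symptom reported above.
#
# Assumed input: the output of "gpg --with-colons --with-keygrip -K", where a
# "grp" record follows each sec/ssb record and carries the keygrip in field 10.

# Print each keygrip from LISTING that has no stub file KEYDIR/<keygrip>.key;
# return the number of missing keygrips (0 = every listed key has a stub).
missing_keygrips() {
    listing=$1
    keydir=$2
    missing=0
    for grip in $(awk -F: '$1 == "grp" { print $10 }' "$listing"); do
        if [ ! -f "$keydir/$grip.key" ]; then
            echo "$grip"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Remediation from the ticket: make gpg-agent re-learn the inserted card so it
# writes the shadowed-key stubs. 2.1.1+ does this from --card-status; 2.1.0
# needs the agent command directly.
register_card_keys() {
    gpg-connect-agent learn /bye
}

# Self-contained demo on constructed data: two keys listed, one stub on disk.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/private-keys-v1.d"
    cat > "$tmp/listing" <<'EOF'
sec:u:4096:1:00000000AAAAAAAA:2011-05-04::::::::::
grp:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
sec:u:3072:1:00000000BBBBBBBB:2011-11-19::::::::::
grp:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
EOF
    # Only the first key has a stub; the second (the "card" key) is missing.
    : > "$tmp/private-keys-v1.d/0123456789ABCDEF0123456789ABCDEF01234567.key"
    missing_keygrips "$tmp/listing" "$tmp/private-keys-v1.d"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

case "${1:-}" in
    demo) demo ;;
esac
```

Run `sh check.sh demo` to see the constructed case; against a live setup, feed it `gpg --with-colons --with-keygrip -K > listing` and `~/.gnupg/private-keys-v1.d`, then call `register_card_keys` with the card inserted if anything is reported.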

marcus added a subscriber: marcus.

No feedback for 2 years.