
gpg ... delete key failed: Unknown system error
Closed, Resolved; Public

Description

Arch Linux (x86_64 GNU/Linux 3.17.3-1-ARCH), and the shell is zsh.
I will list the output that is clearly exposing a bug first, then
explain how I got to that state:

/home/colin% gpg --delete-key "Colin Keenan"
gpg (GnuPG) 2.0.26; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: there is a secret key for public key "Colin Keenan"!
gpg: use option "--delete-secret-keys" to delete it first.
/home/colin% gpg --delete-secret-key "Colin Keenan"
gpg (GnuPG) 2.0.26; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: key "Colin Keenan" not found: Unknown system error
gpg: Colin Keenan: delete key failed: Unknown system error

So, you see the problem: --delete-key fails because there is a secret
key, and --delete-secret-key fails because the secret key is not found
due to an unknown system error!

Here is how I got to that state:

After setting up gpg.conf (attached), I created a new key (not as
root, as user 'colin')

gpg --gen-key

Then, I'm not sure what I did, but I ended up having the key listed
twice when doing 'gpg --list-public-keys colin'. 'colin' matches my
email address colinnkeenan@gmail.com. It is the exact same key, uid,
fingerprint, etc. listed both as the first key and the last key.

My bug is not about the duplicate entry, it's about what has happened
now that I've tried to remove the duplicate entry. My plan was to
change the uid of the first of the duplicates so that I could refer to
it alone, and delete it. Here is what I did:

  1. add another uid to one of the duplicates:

/home/colin% gpg --edit-key colin
gpg (GnuPG) 2.0.26; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub 4096R/0940E3F9 created: 2014-11-18 expires: 2015-11-18 usage: SC
    trust: ultimate      validity: ultimate
sub 4096R/EDA19F9C created: 2014-11-18 expires: 2015-11-18 usage: E
[ultimate] (1). Colin Keenan <colinnkeenan@gmail.com>
[ultimate] (2) [jpeg image of size 6283]

gpg> adduid
Real name: Colin N Keenan
Email address: colinnkeenan@gmail.com
Comment:
You selected this USER-ID:

    "Colin N Keenan <colinnkeenan@gmail.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

You need a passphrase to unlock the secret key for
user: "Colin Keenan <colinnkeenan@gmail.com>"
4096-bit RSA key, ID 0940E3F9, created 2014-11-18

pub 4096R/0940E3F9 created: 2014-11-18 expires: 2015-11-18 usage: SC
    trust: ultimate      validity: ultimate
sub 4096R/EDA19F9C created: 2014-11-18 expires: 2015-11-18 usage: E
[ultimate] (1) Colin Keenan <colinnkeenan@gmail.com>
[ultimate] (2) [jpeg image of size 6283]
[ unknown] (3). Colin N Keenan <colinnkeenan@gmail.com>

gpg> save

  2. remove the uid that is duplicated

/home/colin% gpg --edit-key "Colin N Keenan"
gpg (GnuPG) 2.0.26; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub 4096R/0940E3F9 created: 2014-11-18 expires: 2015-11-18 usage: SC
    trust: ultimate      validity: ultimate
sub 4096R/EDA19F9C created: 2014-11-18 expires: 2015-11-18 usage: E
[ultimate] (1). Colin N Keenan <colinnkeenan@gmail.com>
[ultimate] (2) Colin Keenan <colinnkeenan@gmail.com>
[ultimate] (3) [jpeg image of size 6283]

gpg> 2

pub 4096R/0940E3F9 created: 2014-11-18 expires: 2015-11-18 usage: SC
    trust: ultimate      validity: ultimate
sub 4096R/EDA19F9C created: 2014-11-18 expires: 2015-11-18 usage: E
[ultimate] (1). Colin N Keenan <colinnkeenan@gmail.com>
[ultimate] (2)* Colin Keenan <colinnkeenan@gmail.com>
[ultimate] (3) [jpeg image of size 6283]

gpg> deluid
Really remove this user ID? (y/N) y

pub 4096R/0940E3F9 created: 2014-11-18 expires: 2015-11-18 usage: SC
    trust: ultimate      validity: ultimate
sub 4096R/EDA19F9C created: 2014-11-18 expires: 2015-11-18 usage: E
[ultimate] (1). Colin N Keenan <colinnkeenan@gmail.com>
[ultimate] (2) [jpeg image of size 6283]

gpg> quit
Save changes? (y/N) y

  3. Try to delete the key with uid "Colin Keenan", keeping the one with
     "Colin N Keenan"

/home/colin% gpg --delete-key "Colin Keenan"
gpg (GnuPG) 2.0.26; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: there is a secret key for public key "Colin Keenan"!
gpg: use option "--delete-secret-keys" to delete it first.
/home/colin% gpg --delete-secret-key "Colin Keenan"
gpg (GnuPG) 2.0.26; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: key "Colin Keenan" not found: Unknown system error
gpg: Colin Keenan: delete key failed: Unknown system error

And, that's the bug. I can't delete it because gpg says there is a
secret key but it can't find it.

Details

Version
2.0.26

Event Timeline

Can you please try to delete it using the fingerprint of the key?

After reading your suggestion, I realized using the fingerprint would
be the same as deleting the secret key for "Colin N Keenan" instead of
"Colin Keenan". Since I had made a backup of .gnupg while it was
showing a duplicate public key for "Colin Keenan", I realized that's
what I wanted to do anyway. So, I solved the issue by

gpg --delete-secret-key "Colin N Keenan"
gpg --delete-key "Colin N Keenan"
cp .gnupg/pubring.gpg .gnupg-backup
rm -r .gnupg
cp -r .gnupg-backup .gnupg

But still, this seems like a bug. Is there a better way to remove a
duplicate entry? Also, why is it allowed to have a duplicate entry?

I figured out the steps that led to the duplicate entry in the first
place. After editing ~/.gnupg/gpg.conf to include

keyring /etc/pacman.d/gnupg/pubring.gpg

I generated the key

gpg --gen-key

Then did

sudo pacman-key --import /home/colin/.gnupg

I've filed a bug against pacman-key, but I think it translates to

sudo gpg --homedir /etc/pacman.d/gnupg/ --no-permission-warning --import /home/colin/.gnupg

And, this is what led to the duplicate entry. Does it make sense this
would lead to a duplicate entry? Is it a bug of gpg, or is it supposed
to do that for some reason?

I am finally understanding what is going on with the duplicate listing
of my key, and now wonder if I have screwed something up with the
procedure that "fixed" the double key.

The reason for getting my public key listed twice as an output to 'gpg
-k' is that it first listed the contents of ~/.gnupg/pubring.gpg (just
my key) then listed the contents of /etc/pacman.d/gnupg/pubring.gpg
which also had my key in it. The reason it listed
/etc/pacman.d/gnupg/pubring.gpg is that was the keyring defined in my
gpg.conf.

My procedure that successfully got rid of the duplicate listing has
actually made my ~/.gnupg/pubring.gpg file empty! So, I don't get a
duplicate because gpg -k only lists the contents of
/etc/pacman.d/gnupg/pubring.gpg.

Will this work as is or should I try to put my public key back into
~/.gnupg/pubring.gpg?

I understand you may not have time to work on this since it's not the
bug I thought.

I hope you will just answer one question for me though.

Having imported my key in the system-wide keyring defined in my
gpg.conf, can I safely do without the local pubring.gpg?

Or, is it necessary for some reason that I import my public key back
into the local pubring.gpg so that there will be a double listing of
my key when I do gpg -k?

When updating a key gpg uses the keyring where it was found in the first place
and only this. Thus it is better to have only one copy.

As I understand the problem, a key appeared in multiple keyrings and this was
causing confusion. I don't think there is a bug here so I'm marking this issue
as resolved.

neal claimed this task.
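
The thread's conclusion is that one key sitting in two keyrings caused the confusion. As an added example (not part of the ticket and not GnuPG's own code), this shell function compares per-keyring colon listings and reports primary-key fingerprints present in more than one; the function names, file names and sample fingerprints are constructed for illustration.

```shell
#!/bin/sh
# dup_keys LISTING...: print each primary-key fingerprint found in more than
# one listing, followed by the listings that contain it.
# A listing is the colon output for ONE keyring, produced for example with:
#   gpg --no-options --no-default-keyring --keyring "$ring" \
#       --with-colons --fingerprint --list-keys > "$listing"
# --no-options keeps a "keyring" line in gpg.conf from adding a second keyring.
dup_keys() {
    awk -F: '
        FNR == 1    { primary = 0 }
        $1 == "pub" { primary = 1; next }   # the next fpr record is the primary key
        $1 == "sub" { primary = 0; next }   # skip subkey fingerprints
        $1 == "fpr" && primary {
            primary = 0
            if (!(($10, FILENAME) in seen)) {   # count each listing once per key
                seen[$10, FILENAME] = 1
                count[$10]++
                where[$10] = where[$10] " " FILENAME
            }
        }
        END { for (f in count) if (count[f] > 1) print f ":" where[f] }
    ' "$@" | sort
}

# Constructed sample: the same key in a user keyring and a system keyring
# (fingerprints are made up), plus an unrelated key only in the system one.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/user.txt" <<'EOF'
pub:u:4096:1:89ABCDEF01234567:2014-11-18:2015-11-18::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::2014-11-18::::Example User <user@example.org>:
sub:u:4096:1:1111111111111111:2014-11-18:2015-11-18:::::e:
EOF
    cat > "$dir/system.txt" <<'EOF'
pub:-:2048:1:76543210FEDCBA98:2013-01-01:::-:::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:-::::2013-01-01::::Packager Key <packager@example.org>:
pub:u:4096:1:89ABCDEF01234567:2014-11-18:2015-11-18::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::2014-11-18::::Example User <user@example.org>:
EOF
    (cd "$dir" && dup_keys user.txt system.txt)
    rm -rf "$dir"
}
demo
```

A fingerprint reported here identifies a key whose updates (adduid, deluid, expiry changes) will land in only one of the listed keyrings, which is the situation described in the last comment.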