I wasn't sure whether to put this here or on the mailing list. But anyway, here
is the background: The expiration dates on my subkeys recently expired, and to
update them I need to go to an offline environment and import my master keys,
change the expiration dates, and re-export the subkeys for submission to
keyservers and friends. However, importing ANY secret keys is met with the
following error:
GPG: FIXME: merging secret key blocks is not anymore available
(and an error that I didn't record verbatim about not being able to display any
packets)
It does this once for every keypair imported. To clarify, this is into an empty
~/.gnupg with no existing keyring.
I talked with someone on the irc channel who was helpful. As far as I can tell,
this error doesn't make sense in the context of what I am doing. The 2 files that
give me this error are ascii armored private key blocks created with
gpg --export-secret-keys and
gpg --export-secret-subkeys
They were generated under GnuPG 2.1.
The file with the master key has worked in the past with gpg -i because I used it
to make a signature on a friend's key.
The ascii file with the master key (created with gpg --export-secret-keys)
contains 2 expired 'practice' keys, and my current key.
Here is the current key:
http://pgp.mit.edu/pks/lookup?op=vindex&search=0x253519105D7B267F
I used --list-packets to make sure there were no duplicates and everything lined
up; it did. --list-packets did not show the signature by john@crackroot.org,
because I didn't ever update the backup to reflect his signature, and the other 2
keys were my 'practice' keys.
To the best of my knowledge there was no human error in the making of the ascii
backups or the --import commands that gave this error. I say this because I was
able to import the master key on August 5th to certify this key:
http://pgp.mit.edu/pks/lookup?op=vindex&search=0xB89351F6D774385C while today and
a few days ago I wasn't able to import the keys from the same file.
I had been using an earlier version of the Arch Linux install iso to do the
offline management, but I'm not sure which version. I tried all of the current
versions available on the downloads page and got that same error. I tried an
Ubuntu install cd, which had an ancient gpg 1.4. The import command on there
listed the names of the keys but did not actually import them.
The current Arch Install Iso uses GnuPG 2.1.8, which is the version I filed this
issue under.
It's possible I've made a mistake somewhere of course but either way my key is
unusable at this point so I would love to be pointed in the right direction.
Thanks.
Details
- Version: 2.1.8
Event Timeline
Sorry, I can't understand your situation to identify bug(s) by your explanation.
Please give us your command lines of import and exact output of GnuPG (before
your interpretation). Exact session log is preferred.
Please note that the message, "GPG: FIXME: merging secret key blocks is not
anymore available" is not an error, but a debug message,
which should not be encountered when importing keys.
So, I guess that something went wrong.
Ok, here is the stderr of gpg -ivv sec.
This is into a clean ~/.gnupg on my regular computer. Is there a debug level you
want me to specify?
Gniibe, thanks so much for responding btw. Ok, there is a new update:
I made a new keypair for personal encryption while my current one is being sorted
out, and the EXACT same error happened when I tested my backup of it. There is
either user error on my part in the --export or --import commands, or a bug in
the way GnuPG imports or exports keys.
Therefore, I want to replicate the issue with an example@example.com key for you.
Before I do so, is there a preferred way for me to log the session so I can send
it to you along with the public and private keys?
Please do that:
$ script output-log.txt # which invokes new shell
$ gpg --version
And run your gpg commands of exporting and importing keys.
$ exit
Then, you have a file 'output-log.txt'.
Please describe your operating system and your configuration file.
Ok, so after further exploration, the error is related to the way I am encrypting
the exported secret key blocks. I Do NOT get this error importing private keys
made with gpg -a --export-secret-keys. However, if I symmetrically encrypt the
secret key file, I get the 'merging secret key blocks... ' error. I did this in
output-log.txt which is attached.
This leaves me with 2 questions:
How should I encrypt my secret keys after I export them in a way that doesn't
break things?
Is there a way to get back my secret key that was encrypted earlier and gives me
this error??
I am also attaching sec.asc
the symmetric password is 'password', as well as the password protecting the
private keys.
My operating system is Arch Linux. There was no configuration file (I cleared
~/.gnupg before the session in output-log.txt).
Thank you for your cooperation.
I think that the message was emitted by 'gpg -d' (not 'gpg -i').
Could you please confirm that by invoking 'gpg -d sec.asc' alone?
In my environment (Debian testing), the symptom is not reproducible with 2.1.8,
2.1.9, and the development version of gnupg. It is decrypted with no problem, and
it is imported with no problem.
If you know of an Arch Linux specific patch, please let me know.
Decrypting works successfully, I should have specified earlier. Here is
output-log2.txt
I am also attaching sec, the decrypted sec.asc in case you are not able to
import (my) sec on your system
According to this
https://wiki.archlinux.org/index.php/Arch_Linux#Simplicity
it is unlikely that the Arch Linux devs applied any patches at all.
Thanks,
https://projects.archlinux.org/svntogit/packages.git/log/trunk?h=packages/gnupg
looking through the commits there I can't see anything that pops out as related.
The change that affects me wouldn't have come before 2015-07-01
My C is not very good and I haven't looked through GnuPG source code but the
commits since then don't seem related to importing keys.
Ah... It is finally reproducible for me.
The problem is: '-i' doesn't mean importing. You need to use '--import' to
import keys. '-i' means '--interactive'.
'gpg -i file' just tries to parse the file. Secret key parsing became
unsupported in 2.1.x.