Page MenuHome GnuPG

--default-key and --local-user stopped working with gpg 2.1.10 and offline master keys
Closed, ResolvedPublic

Description

I have two keys $FPR1 and $FPR2 in my secret keyring (identified by fingerprint,
and both with signing capability), listed in that order by 'gpg -K'. My
~/.gnupg/gpg.conf contains 'default-key $FPR2', however gpg 2.1.10 ignores the
option and selects the first available key, namely $FPR1, for signing
operations. I'm able to force it to select $FPR2 using --local-user:

    echo test | gpg2 --local-user $FPR2 -a --sign

(But the manpage suggests that --default-key should work in the absence of
--local-user option.) However, while the command line option work, I can't seem
to be able to add it to the configuration file:

    ~$ echo local-user $FPR2 >>~/.gnupg/gpg.conf
    ~$ echo test | gpg2 -a --sign
    gpg: key specification '$FPR2' is ambiguous
    gpg: (check argument of option '--local-user')
    gpg: '$FPR2' matches at least:
    gpg:   $FPR2
    gpg:   $FPR2

(Yes, the same fingerprint is listed twice. And there are no collisions in my
private keyring :-P.)

I also tried to add '--default-key $FPR2' as a command line option, but unless
--local-user this does not make gpg select that key.

Details

Version
2.1.10

Event Timeline

6dc37c5 fixes the ambiguous key specification error. The problem is that FPR2
actually appears in your keyring twice! Are you use a keyring or a keybox? Use:

  $ gpg2 --debug=lookup -k FPR2
  gpg: DBG: check_user_ids: Checking --hidden-encrypt-to=FPR2
  gpg: DBG: keydb_search: 1 search descriptions:
  gpg: DBG: keydb_search   0: LONG_KID: 'FPR2'
  gpg: DBG: keydb_search: searching keyring (resource 0 of 1)

keyring, not keybox

gpg: DBG: keyring_search: need_uid = 0; need_words = 0; need_keyid = 1;

need_fpr = 0; any_skip = 0

  gpg: DBG: keyring_search: initializing offset table. (need_keyid: 1 => 1)
  gpg: DBG: keyring_search: searching from start of resource.
  gpg: DBG: keyring_search: packet starting at offset 3357784 matched descriptor 0

first match

gpg: DBG: keyring_search: returing success
gpg: DBG: keydb_search: searched keyring (resource 0 of 1) => Success
gpg: DBG: check_user_ids: Checking if --hidden-encrypt-to='FPR2' is ambiguous

or there are dups

gpg: DBG: keydb_search: 1 search descriptions:
gpg: DBG: keydb_search   0: LONG_KID: 'FPR2'
gpg: DBG: keydb_search: searching keyring (resource 0 of 1)
gpg: DBG: keyring_search: need_uid = 0; need_words = 0; need_keyid = 1;

need_fpr = 0; any_skip = 0

  gpg: DBG: keyring_search: initializing offset table. (need_keyid: 1 => 1)
  gpg: DBG: keyring_search: not searching from start of resource.
  gpg: DBG: keyring_search: packet starting at offset 3562559 matched descriptor 0

second match

gpg: DBG: keyring_search: returing success
gpg: DBG: keydb_search: searched keyring (resource 0 of 1) => Success
gpg: DBG: keydb_search: 1 search descriptions:
gpg: DBG: keydb_search   0: LONG_KID: 'FPR2'
gpg: DBG: keydb_search: searching keyring (resource 0 of 1)
gpg: DBG: keyring_search: need_uid = 0; need_words = 0; need_keyid = 1;

need_fpr = 0; any_skip = 0

gpg: DBG: keyring_search: initializing offset table. (need_keyid: 1 => 1)
gpg: DBG: keyring_search: not searching from start of resource.
gpg: DBG: keyring_search: no matches (EOF)
gpg: DBG: keydb_search: searched keyring (resource 0 of 1) => EOF
gpg: Warning: FPR2 appears in the keyring 2 times.

The problem is that FPR2 actually appears in your keyring twice! Are you use

a keyring or a keybox?

Thank you for looking into this, Neal. I'm using a keybox, but I don't have the
same output:

~$ FPR2=7420DF86BCE15A458DCE997639278DA8109E6244
~$ gpg2 --debug=lookup -k $FPR2
gpg: reading options from '/home/guilhem/.gnupg/gpg.conf'
gpg: enabled debug flags: lookup
gpg: DBG: keydb_search: 1 search descriptions:
gpg: DBG: keydb_search   0: FPR20: '7420 DF86 BCE1 5A45 8DCE  9976 3927 8DA8

7420 DF8'

gpg: DBG: keydb_search: searching keybox (resource 0 of 1)
gpg: DBG: keydb_search: searched keybox (resource 0 of 1) => Success
gpg: DBG: finish_lookup: checking key 109E6244 (all)(req_usage=0)
gpg: DBG: 	using key 109E6244
gpg: DBG: keydb_search: 1 search descriptions:
gpg: DBG: keydb_search   0: FPR20: '7420 DF86 BCE1 5A45 8DCE  9976 3927 8DA8

7420 DF8'

  gpg: DBG: keydb_search: searching keybox (resource 0 of 1)
  gpg: DBG: keydb_search: searched keybox (resource 0 of 1) => EOF
  gpg: secmem usage: 0/65536 bytes in 0 blocks
  pub   rsa4096/0x39278DA8109E6244 2012-11-05 [expires: 2017-12-02]
  uid                   [ unknown] Guilhem Moulin <guilhem@fripost.org>
  uid                   [ unknown] Guilhem Moulin <guilhem.moulin@chalmers.se>
  uid                   [ unknown] Guilhem Moulin <guilhem.moulin@fripost.org>
  uid                   [ unknown] Guilhem Moulin <guilhem.moulin@ens-lyon.org>
  uid                   [ unknown] Guilhem Moulin <guilhem@guilhem.org>
  sub   rsa4096/0xD39A499C3C21A552 2012-11-05 [expires: 2016-10-31]
  sub   rsa4096/0xC27306B86774D6F7 2012-11-05 [expires: 2016-10-31]
  sub   rsa4096/0x73FB3BE5DB686A30 2012-11-05 [expires: 2016-10-31]

I've also tried to replicate the behavior in a clean GNUPGHOME:

  ~$ mkdir -m0700 /run/shm/gnupg
  ~$ ln -s ~/.gnupg/S.gpg-agent /run/shm/gnupg
  ~$ gpg2 --export $FPR1 | gpg2 --homedir /run/shm/gnupg --import
  ~$ gpg2 --export $FPR2 | gpg2 --homedir /run/shm/gnupg --import

(So /run/shm/gnupg contains a keybox, with $FPR1 and $FPR2 in that order.) The
following ouput should rule out a problem with a not properly merged key

~$ gpg2 --homedir /run/shm/gnupg --export | gpg --list-packets | grep -c

'^:public key'

  2
  ~$ kbxutil /run/shm/gnupg/pubring.kbx | grep '^Key-Fpr\[0\]:'
  Key-Fpr[0]: $FPR1
  Key-Fpr[0]: 7420DF86BCE15A458DCE997639278DA8109E6244

  ~$ gpg2 --homedir /run/shm/gnupg -a --sign </dev/null
  # selects $FPR1 (expected)

  ~$ gpg2 --homedir /run/shm/gnupg --default-key $FPR2 -a --sign </dev/null
  # selects $FPR1 (unexpected)

  ~$ gpg2 --homedir /run/shm/gnupg --local-user $FPR2 -a --sign </dev/null
  # selects $FPR2 (expected)

  ~$ echo default-key $FPR2 >/run/shm/gnupg/gpg.conf
  ~$ gpg2 --homedir /run/shm/gnupg -a --sign </dev/null
  # selects $FPR1 (unexpected)

  ~$ echo local-user $FPR2 >/run/shm/gnupg/gpg.conf
  ~$ gpg2 --homedir /run/shm/gnupg -a --sign </dev/null
  gpg: key specification '7420DF86BCE15A458DCE997639278DA8109E6244' is ambiguous
  gpg: (check argument of option '--local-user')
  gpg: '7420DF86BCE15A458DCE997639278DA8109E6244' matches at least:
  gpg:   7420DF86BCE15A458DCE997639278DA8109E6244
  gpg:   7420DF86BCE15A458DCE997639278DA8109E6244

I can't reproduce this. Normally, gpg uses EE37CF96 to sign. When I add
"default-key 4F43C989" to my gpg.conf file, it uses the indicated key:

  $ echo | gpg2 -s | gpg2
  Please enter the passphrase to unlock the OpenPGP secret key:
  "Testing (insecure!)"
  1024-bit RSA key, ID EE37CF96,
  created 2015-09-18.
  
   Passphrase: 
  
  gpg: Signature made Fri 11 Dec 2015 12:49:16 PM CET using RSA key ID EE37CF96
  gpg: Good signature from "Testing (insecure!)" [ultimate]

Add a default-key to gpg.conf:

$ echo | gpg2 -s | gpg2

gpg: using "4F43C989" as default secret key

Please enter the passphrase to unlock the OpenPGP secret key:

"Testing <testing@testing.com>"

1024-bit RSA key, ID 4F43C989,

created 2015-11-17.



 Passphrase: 



gpg: Signature made Fri 11 Dec 2015 12:49:35 PM CET using RSA key ID 4F43C989

I was able to reproduce by creating two keys with the default settings, adding a
signing subkey to the second one and then removing the private part of the
second master key.

Starting with two news keys in a fresh GNUPGHOME:

  ~$ mkdir -m0700 /run/shm/gnupg
  ~$ gpg2 --homedir /run/shm/gnupg --gen-key
  […]
  pub   rsa2048/86874ACC 2015-12-11
        Key fingerprint = 769C 9102 D5C2 2C35 9521  B4C9 C386 39F6 8687 4ACC
  uid         [ultimate] This is the 1st key
  sub   rsa2048/1B30F327 2015-12-11
  ~$ gpg2 --homedir /run/shm/gnupg --gen-key
  […]
  pub   rsa2048/FB0BE35A 2015-12-11
        Key fingerprint = B340 0EFB 296D EA60 6A86  D273 25C8 9A38 FB0B E35A
  uid         [ultimate] This is the 2nd key
  sub   rsa2048/3F1ADEB2 2015-12-11

I add a signing subkey to the second one

  ~$ gpg2 --homedir /run/shm/gnupg --expert --edit-key FB0BE35A addkey
  […]
  Possible actions for a RSA key: Sign Encrypt Authenticate
  Current allowed actions: Sign 
  […]
  gpg> save

Then I remove the private of the second master key

  ~$ gpg2 --homedir /run/shm/gnupg --with-keygrip --list-key FB0BE35A
  pub   rsa2048/FB0BE35A 2015-12-11
        Keygrip = 2B862E8DF6928622DD65D1BCDD5BF0F73FAE19CC
  uid         [ultimate] This is the 2nd key
  sub   rsa2048/3F1ADEB2 2015-12-11
        Keygrip = C4119344DBB7F874BDBC3FF706DB3D53FA8894C5
  sub   rsa2048/F9F86760 2015-12-11
        Keygrip = 30376FE31C5B6211728F8E2A4F595AF5D0F9F578
  ~$ gpg2 --homedir /run/shm/gnupg -K FB0BE35A
  sec#  rsa2048/FB0BE35A 2015-12-11
  uid         [ultimate] This is the 2nd key
  ssb   rsa2048/3F1ADEB2 2015-12-11
  ssb   rsa2048/F9F86760 2015-12-11

I want to signing something with the second key (using its signing subkey),
which I select with --default-key. But the first key is chosen instead:

~$ gpg2 --homedir /run/shm/gnupg --default-key FB0BE35A -a --sign </dev/null |

gpg --list-packets | grep keyid

  :onepass_sig packet: keyid C38639F686874ACC
  :signature packet: algo 1, keyid C38639F686874ACC

(Using --default-key 'F9F86760! doesn't help.)

guilhem renamed this task from --default-key and --local-user stopped working with gpg 2.1.10 to --default-key and --local-user stopped working with gpg 2.1.10 and offline master keys.Dec 11 2015, 6:22 PM

This should be fixed in e573e6. If you get a chance to test it and can report
back here, I'd appreciate it. Thanks!

I confirm that I'm not able to reproduce T2176 (guilhem on Dec 11 2015, 02:21 PM / Roundup) nor T2176 (guilhem on Dec 11 2015, 01:07 PM / Roundup) with 4ffe44c, so
I'm changing the issue to “resolved”. Thanks for the prompt action!

guilhem claimed this task.
guilhem set Version to 2.1.10.
guilhem removed a project: Testing.