UI says “Secret key is available.” in gpg when it is not
Closed, WontfixPublic

Description

When using subkeys for an online system (aka laptop keys with primary key stored offline), I
get a confusing message from gpg leading me to believe that the primary key is available
when it is not.

See detailed description and example here:
http://security.stackexchange.com/questions/115230/why-do-i-see-secret-key-is-available-in-
gpg-when-it-is-not

Details

jcross set Version to 2.0.28.Mar 16 2016, 3:56 PM
jcross set External Link to http://security.stackexchange.com/questions/115230/why-do-i-see-secret-key-is-available-in-gpg-when-it-is-not.
jcross added a subscriber: jcross.

Bug system broke the link URL. Here is a shorter one:
http://security.stackexchange.com/q/115230/16036

jcross changed External Link from http://security.stackexchange.com/questions/115230/why-do-i-see-secret-key-is-available-in-gpg-when-it-is-not to http://security.stackexchange.com/q/115230/16036.Mar 16 2016, 3:59 PM
werner added a subscriber: werner.Mar 18 2016, 6:18 PM

Please describe the error _here_ and do not link to an external page.

Here you go:

My master key is offline and I have subkeys on a Yubikey. As expected, I see sec# when listing keys when using the
online system:

gpg -K
sec# 4096R/2FFA7695 2016-02-01 [expires: 2020-01-31]
uid NAME <EMAIL@ADDRESS.COM>
ssb> 2048R/EA7CCF1B 2016-02-01
ssb> 2048R/1E8DA9B9 2016-02-01
ssb> 2048R/5BA60C24 2016-02-01
However, when I go into edit mode, gpg indicates that the "Secret is available":

gpg --edit-key 2FFA7695
gpg (GnuPG) 1.4.19; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub 4096R/2FFA7695 created: 2016-02-01 expires: 2020-01-31 usage: C

trust: ultimate      validity: ultimate

sub 2048R/EA7CCF1B created: 2016-02-01 expires: 2018-01-31 usage: S
sub 2048R/1E8DA9B9 created: 2016-02-01 expires: 2018-01-31 usage: E
sub 2048R/5BA60C24 created: 2016-02-01 expires: 2018-01-31 usage: A
[ultimate] (1). NAME <EMAIL@ADDRESS.COM>
[ultimate] (2) [jpeg image of size 1234]

Tested with several recent versions of GnuPG. Am I misunderstanding this message?

jcross changed Version from 2.0.28 to 1.4.19.Mar 18 2016, 11:54 PM

I took a look at the source code and now understand what is going on here.
The code indicates: One or more secret keys (primary or sub) were found.
But the UI message suggests that the secret key of the current (primary) key was
found, hence my confusion.

Here are some ideas:

  1. EASY: Update the message to indicate it is generic and not specific to the key

being edited.

OR

  1. HARDER: Improve the logic so the message is specific to the key being edited.

Thoughts?

jcross added a comment.EditedJun 23 2017, 5:18 PM

Any updates / thoughts on how this might be fixed?

werner closed this task as Wontfix.Oct 20 2017, 1:25 PM
werner claimed this task.

Won't be fixed for 1.4.

Won't be fixed for 2.0 because EOL is close.

2.1/2.2 is entirely different in how secret and public keys are handled. Thus the problem won't exits there (I think). Of that is still a problem, please open a new bug against 2.2.

Same issue exists in 2.2:

gpg --edit-key 2FFA7695
gpg (GnuPG/MacGPG2) 2.2.0; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  rsa4096/C0C076132FFA7695