cannot import subkey that was once marked to be on a card
Open, Normal, Public

Description

my setup

I have an offline .gnupg/ directory where all encryption keys are available.

I use an OpenPGP card together with my daily .gnupg/, where the private part of the encryption subkey is only available on the card.

situation

The encryption subkey expired, so I generated a new encryption subkey in my offline .gnupg/. Then I imported it into my online .gnupg/ and from there moved it onto my card. All worked well until this point.

Then I wanted to copy the secret subkey of the previous (now expired) encryption key, so that I can continue reading old emails encrypted to my previous subkey.

the bug

I cannot import the previous subkey into my online .gnupg/.

Even if I first delete the subkey, and then import it from my offline .gnupg/, it still remains marked as a stub of a card key (as opposed to being a full private subkey that I can use to decrypt old emails).

I double-checked that the subkey was exported from the offline .gnupg/ where the private key is available.

log (trimmed)

$ gpg --version
gpg (GnuPG) 2.1.18
libgcrypt 1.7.6-beta

$ gpg --homedir ./full-key/ --edit-key [master-key-id]
ssb  rsa4096/[subkey-id]
     created: 2015-08-27  expired: 2017-08-26  usage: E   

$ gpg --homedir ./full-key/ --export-secret-subkeys [subkey-id] >/run/shm/secret-subkey.gpg

$ gpg --edit-key [master-key-id]
ssb  rsa4096/[subkey-id]
     created: 2015-08-27  expired: 2017-08-26  usage: E   
     card-no: [card-id]

gpg> key 8

ssb* rsa4096/[subkey-id]
     created: 2015-08-27  expired: 2017-08-26  usage: E   
     card-no: [card-id]

gpg> delkey
Do you really want to delete this key? (y/N) y

[gone]

gpg> save

$ gpg --import /run/shm/secret-subkey.gpg 
gpg: key [master-key-id]: "[user-id]" 1 new signature
gpg: key [master-key-id]: "[user-id]" 1 new subkey
gpg: To migrate 'secring.gpg', with each smartcard, run: gpg --card-status
gpg: key [master-key-id]: secret key imported
gpg: Total number processed: 1
gpg:            new subkeys: 1
gpg:         new signatures: 1
gpg:       secret keys read: 1
gpg:  secret keys unchanged: 1

$ gpg --edit-key [master-key-id]
ssb  rsa4096/[subkey-id]
     created: 2015-08-27  expired: 2017-08-26  usage: E   
     card-no: [card-id]                <------- my problem

Details

Version
2.1.18

Related Objects

gniibe added a subscriber: gniibe. Sep 8 2017, 12:48 PM

Ah...

In GnuPG 2.1, secret keys are under the control of gpg-agent. Currently, it is not deleted by the gpg frontend.
Please run:

$ gpg -K --with-keygrip

to identify your subkey's keygrip. Then, your private key is in .gnupg/private-keys-v1.d/<KEYGRIP>.key
Remove the file before your import of the subkey.

Well, we need to fix this issue.

gniibe claimed this task. Sep 8 2017, 12:48 PM
gniibe triaged this task as Normal priority.
attila.lendvai added a comment. Edited Sep 8 2017, 1:06 PM

Success, thank you for the help!

For whoever stumbles on this while looking for a workaround, you'll need this:

$ gpg -K --verbose --fingerprint --with-keygrip

(--verbose to display the expired keys, and --fingerprint to be able to identify them)
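As an added example (not part of this ticket and not GnuPG's own tooling), the shell script below automates the workaround described in the thread with the guard a practitioner would want before deleting anything under `private-keys-v1.d/`. It resolves a subkey ID to its keygrip from `gpg -K --with-colons --with-keygrip` output (a constructed sample listing is embedded so the script runs without gpg or a card), and it removes the matching `<KEYGRIP>.key` file only if that file is a smartcard stub, which gpg-agent stores as a `shadowed-private-key` S-expression; a fully present private key is refused. The key IDs, fingerprints, keygrips, the throwaway homedir and the function names are all made up for the example.

```shell
#!/bin/sh
# Added example, not from the bug report or from GnuPG: find the keygrip of a
# subkey and remove its gpg-agent card stub, refusing to touch a real private key.

# Constructed sample of `gpg -K --with-colons --with-keygrip` output. The grp:
# record follows the sec:/ssb: record it belongs to; field 5 of ssb: is the key
# id, field 10 of grp: is the keygrip. All ids, grips and dates are made up.
SAMPLE_LISTING='sec:u:4096:1:0123456789ABCDEF:1440633600:::u:::scESC:::+:::23::0:
fpr:::::::::AAAA0000AAAA0000AAAA00000123456789ABCDEF:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1440633600::HASH::Example User <user@example.org>::::::::::0:
ssb:e:4096:1:FEDCBA9876543210:1440633600:1503705600:::::e:::+:::23::0:
fpr:::::::::BBBB0000BBBB0000BBBB0000FEDCBA9876543210:
grp:::::::::2222222222222222222222222222222222222222:
ssb:u:4096:1:1122334455667788:1440633600::::::s:::+:::23::0:
fpr:::::::::CCCC0000CCCC0000CCCC00001122334455667788:
grp:::::::::3333333333333333333333333333333333333333:'

# keygrip_for_subkey LISTING SUBKEYID -> prints the keygrip of that ssb: record
# (nothing for the primary key or an unknown id).
keygrip_for_subkey() {
    printf '%s\n' "$1" | awk -F: -v want="$2" '
        $1 == "ssb" { cur = $5 }
        $1 == "sec" { cur = "" }
        $1 == "grp" && cur == want { print $10; exit }'
}

# key_file_kind HOMEDIR KEYGRIP -> "stub", "private" or "missing".
# gpg-agent writes a card-backed key as (shadowed-private-key ...); anything
# else in that directory is treated as a real key and left alone.
key_file_kind() {
    f="$1/private-keys-v1.d/$2.key"
    [ -f "$f" ] || { echo missing; return; }
    if grep -q 'shadowed-private-key' "$f"; then echo stub; else echo private; fi
}

# remove_card_stub HOMEDIR SUBKEYID LISTING -> removes the stub file and returns
# 0; returns 1 (and removes nothing) when the keygrip is unknown, the file is
# absent, or the file holds a full private key.
remove_card_stub() {
    grip=$(keygrip_for_subkey "$3" "$2")
    [ -n "$grip" ] || { echo "no keygrip for subkey $2" >&2; return 1; }
    case "$(key_file_kind "$1" "$grip")" in
        stub)    rm -- "$1/private-keys-v1.d/$grip.key"; return 0 ;;
        private) echo "refusing: $grip is a full private key" >&2; return 1 ;;
        *)       echo "no key file for keygrip $grip" >&2; return 1 ;;
    esac
}

# Demo against a throwaway homedir holding a constructed stub (not a real key)
# for the expired encryption subkey FEDCBA9876543210.
DEMO_HOME=$(mktemp -d)
mkdir -p "$DEMO_HOME/private-keys-v1.d"
printf '(shadowed-private-key (rsa (n #00#)(e #010001#)(shadowed t1-v1 (#D27600012401# "OPENPGP.2"))))\n' \
    > "$DEMO_HOME/private-keys-v1.d/2222222222222222222222222222222222222222.key"
remove_card_stub "$DEMO_HOME" FEDCBA9876543210 "$SAMPLE_LISTING" \
    && echo "stub removed; now run: gpg --homedir $DEMO_HOME --import secret-subkey.gpg"
```

On a real setup, replace `SAMPLE_LISTING` with the actual output of `gpg -K --with-colons --with-keygrip` (add `--verbose` if the expired subkey is not shown, as noted in the thread) and point `remove_card_stub` at your online homedir; the subsequent `gpg --import` of the exported secret subkey then installs the real private key instead of leaving the stub in place. Should you ever want the card-backed stub back for that slot, `gpg --card-status` recreates it from the card.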