
cannot import subkey that was once marked to be on a card
Open, Normal, Public

Description

my setup

i have an offline .gnupg/ directory where all encryption keys are available.

i use an OpenPGP card together with my daily .gnupg/ where the private part of the encryption subkey is only available on the card.

situation

the encryption subkey expired, so i generated a new encryption subkey in my offline .gnupg/. then i imported it into my online .gnupg/ and from there moved it onto my card. all worked well until this point.

then i wanted to copy the secret subkey of the previous (now expired) encryption key, so that i can continue reading old emails encrypted to my previous subkey.

the bug

i cannot import the previous subkey into my online .gnupg/

even if i first delete the subkey, and then import it from my offline .gnupg/, it still remains marked as a stub of a card key (as opposed to being a full private subkey that i can use to decrypt old emails).

i double checked that the subkey was exported from the offline .gnupg/ where the private key is available.

log (trimmed)

$ gpg --version
gpg (GnuPG) 2.1.18
libgcrypt 1.7.6-beta

$ gpg --homedir ./full-key/ --edit-key [master-key-id]
ssb  rsa4096/[subkey-id]
     created: 2015-08-27  expired: 2017-08-26  usage: E   

$ gpg --homedir ./full-key/ --export-secret-subkeys [subkey-id] >/run/shm/secret-subkey.gpg

$ gpg --edit-key [master-key-id]
ssb  rsa4096/[subkey-id]
     created: 2015-08-27  expired: 2017-08-26  usage: E   
     card-no: [card-id]

gpg> key 8

ssb* rsa4096/[subkey-id]
     created: 2015-08-27  expired: 2017-08-26  usage: E   
     card-no: [card-id]

gpg> delkey
Do you really want to delete this key? (y/N) y

[gone]

gpg> save

$ gpg --import /run/shm/secret-subkey.gpg 
gpg: key [master-key-id]: "[user-id]" 1 new signature
gpg: key [master-key-id]: "[user-id]" 1 new subkey
gpg: To migrate 'secring.gpg', with each smartcard, run: gpg --card-status
gpg: key [master-key-id]: secret key imported
gpg: Total number processed: 1
gpg:            new subkeys: 1
gpg:         new signatures: 1
gpg:       secret keys read: 1
gpg:  secret keys unchanged: 1

$ gpg --edit-key [master-key-id]
ssb  rsa4096/[subkey-id]
     created: 2015-08-27  expired: 2017-08-26  usage: E   
     card-no: [card-id]                <------- my problem

Details

Version
2.1.18

Event Timeline

Ah...

In GnuPG 2.1, secret keys are under control of gpg-agent. Currently, it is not deleted by the gpg frontend.
Please run:

$ gpg -K --with-keygrip

To identify your subkey's keygrip. Then, your private key is in .gnupg/private-keys-v1.d/<KEYGRIP>.key
Remove the file before your import of subkey.

Well, we need to fix this issue.

gniibe triaged this task as Normal priority.

success, thank you for the help!

for whoever stumbles on this while looking for a workaround, you'll need this:

$ gpg -K --verbose --fingerprint --with-keygrip

(--verbose to display the expired keys, and --fingerprint to be able to identify them)

TL;DR: can reproduce, needs fixing

Hi, I recently stumbled upon this issue while trying to use multiple Yubikeys with the same GPG key. I used the workaround of deleting the subkey files listed by --with-keygrip before importing them from a backup, and it worked. Importing them from the backup without deleting the files did not work as the subkeys were still marked as exported to the first Yubikey and could not be exported to the second Yubikey.
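A scripted form of the workaround from gniibe's comment (find the subkey's keygrip, delete the stub file under private-keys-v1.d, then import), which also covers the multiple-token case in the last comment. This is an added example, not code from the ticket or from GnuPG: it parses the machine-readable `--with-colons` listing instead of the human-readable one shown above, and the check for the "shadowed-private-key" marker in the stub file is an assumption about how gpg-agent stores card stubs.

```shell
#!/bin/sh
# Added example (not from the ticket): find the gpg-agent key file behind a
# subkey and delete it only if it is a card stub, so a full secret subkey
# can be imported afterwards.  Assumes GnuPG 2.1 layout: private keys live in
# $GNUPGHOME/private-keys-v1.d/<KEYGRIP>.key and card stubs are stored as
# "shadowed-private-key" S-expressions (assumption, verify on your version).
set -eu
GNUPGHOME="${GNUPGHOME:-${HOME:-.}/.gnupg}"

# keygrip_for_subkey KEYID LISTING -> keygrip of the sec/ssb record with that
# long key ID. LISTING is the output of `gpg -K --with-colons --with-keygrip`:
# a "grp" record (keygrip in field 10) follows each sec/ssb record.
keygrip_for_subkey() {
    printf '%s\n' "$2" | awk -F: -v id="$1" '
        $1 == "sec" || $1 == "ssb" { want = ($5 == id) }
        $1 == "grp" && want       { print $10; exit }'
}

# card_serial_for_subkey KEYID LISTING -> field 15 of the matching record:
# the token serial number when the key is on a card, "#" for a plain stub.
card_serial_for_subkey() {
    printf '%s\n' "$2" | awk -F: -v id="$1" '
        ($1 == "sec" || $1 == "ssb") && $5 == id { print $15; exit }'
}

# remove_stub_if_shadowed KEYGRIP [DIR] -> removes DIR/KEYGRIP.key only when
# it is a shadowed (card) key. Returns 0 if removed, 1 if kept or absent.
remove_stub_if_shadowed() {
    f="${2:-$GNUPGHOME/private-keys-v1.d}/$1.key"
    [ -f "$f" ] || return 1
    grep -q 'shadowed-private-key' "$f" || return 1
    rm -f "$f"
}

main() {
    # --verbose makes gpg list expired subkeys too (see the reporter's note)
    listing=$(gpg -K --verbose --with-colons --with-keygrip)
    grip=$(keygrip_for_subkey "$1" "$listing")
    [ -n "$grip" ] || { echo "no secret key record for $1" >&2; exit 1; }
    echo "subkey $1: keygrip $grip, token '$(card_serial_for_subkey "$1" "$listing")'"
    if remove_stub_if_shadowed "$grip"; then
        echo "card stub removed; now run: gpg --import <secret-subkey-file>"
    else
        echo "no card stub for $grip; nothing removed"
    fi
}
if [ "$#" -eq 1 ]; then main "$1"; fi
```

Run it as `sh remove-card-stub.sh <long subkey id>` on the online keyring before `gpg --import`; a file that is not a shadowed key is never deleted.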