
Can't unregister a non-existent private key
Closed, Resolved, Public

Description

Steps to reproduce:

  1. insert someone's smartcard into your computer and use that to decrypt a file
  2. remove the smartcard
  3. gpg2 --list-secret-keys lists the (absent) private key on the smartcard
  4. gpg2 --delete-secret-keys NAME refuses to unregister the private key

Impact: if you receive a file that is encrypted both for you and the smartcard owner, there is a chance that gpg2 will try to decrypt the file with the wrong private key. Because you don't have that key, you can't decrypt the file.

Workaround: list the keygrips with --list-keys --with-keygrip and delete the corresponding files in private-keys-v1.d/

Details

Version
gpg (GnuPG) 2.2.6
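The workaround from the description, automated as an added shell example (not code from the report or from GnuPG). It assumes the 2.2-era layout of gpg-agent's private-keys-v1.d/ and removes only files that are smartcard stubs, so a real private key is never deleted by mistake; the keygrips and listing lines in the demo are constructed placeholders:

```shell
#!/bin/sh
# Added example, not code from the bug report or from GnuPG. It automates the
# reporter's workaround safely: take the colon-format output of
#   gpg2 --list-keys --with-keygrip --with-colons NAME
# extract the keygrips, and remove only the matching files in private-keys-v1.d/
# that are smartcard stubs, never a real private key.

# Read a colon-format listing on stdin, print one keygrip per line.
# "grp" records carry the keygrip in field 10 (like the fingerprint in "fpr").
extract_keygrips() {
    awk -F: '$1 == "grp" { print $10 }'
}

# Succeed if the gpg-agent key file is a smartcard stub. In 2.2 the file is a
# canonical S-expression beginning "(21:shadowed-private-key"; a real key begins
# "(21:protected-private-key" or "(11:private-key". Searching for the token
# rather than the prefix also covers the newer "Key:" extended format.
is_shadowed_stub() {
    grep -q 'shadowed-private-key' "$1" 2>/dev/null
}

# prune_stubs DIR [1]: for each keygrip on stdin, print the path of the stub file
# (and delete it when the second argument is 1). Everything else is reported on
# stderr and left untouched.
prune_stubs() {
    dir=$1; remove=${2:-0}
    while read -r grip; do
        f="$dir/$grip.key"
        if [ ! -f "$f" ]; then
            echo "no agent key file for $grip" >&2
        elif is_shadowed_stub "$f"; then
            echo "$f"
            if [ "$remove" = 1 ]; then rm -f -- "$f"; fi
        else
            echo "real private key kept: $f" >&2
        fi
    done
}

# Demo with constructed data so this runs without gpg (keygrips are placeholders).
demo=$(mktemp -d)
printf '(21:shadowed-private-key(3:rsa(1:n1:0)))' > "$demo/0123456789ABCDEF0123456789ABCDEF01234567.key"
printf '(21:protected-private-key(3:rsa(1:n1:0)))' > "$demo/89ABCDEF0123456789ABCDEF0123456789ABCDEF.key"
printf 'pub:u:2048:1:0123456789ABCDEF:::::::scESC::\nfpr:::::::::1111111111111111111111111111111111111111:\ngrp:::::::::0123456789ABCDEF0123456789ABCDEF01234567:\nsub:u:2048:1:89ABCDEF01234567:::::::e::\ngrp:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:\n' \
    | extract_keygrips | prune_stubs "$demo"     # dry run: prints only the stub path
rm -rf "$demo"
```

Run it as a dry run first (no second argument) and check that only stub paths are printed before passing 1 to delete; gpg-agent re-creates a stub the next time the card is inserted and `--card-status` is run.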

Event Timeline

I note that this problem could also affect a user with multiple identities, one of which has their decryption keys on a smartcard. If a message arrives encrypted to both identities, but the user does not have their smartcard available, they will hit the same issue.

Workaround is to click cancel so that the next key is tried; right?

> Workaround is to click cancel so that the next key is tried; right?

I guess that depends on the pinentry you use. Cancelling within the Emacs pinentry does not ask for the next key.

werner lowered the priority of this task from High to Normal. Jun 8 2018, 8:59 AM

I tried this with the current 2.2 branch and master and was not able to replicate it. The stubs are all deleted as expected. I also checked the commit log since 2.2.6 and didn't find anything which indicated that such a bug was fixed.

Are you sure that you are using 2.2.6? I ask because you installed it under the name gpg2 which is not the default.
If you still have this problem, can you please provide a transcript of what you did? It would also be good to use the option "--debug ipc" so that we can see what gpg-agent had to say. It is fine to redact keygrips, fingerprints etc.

In the meantime, I upgraded my Fedora installation so I won't be able to reproduce in the same circumstances. I suggest we close the issue for now. I will reopen if I manage to reproduce.

werner claimed this task.

Okay. Thanks for looking into this.