
regression on batch generation
Closed, Invalid (Public)

Description

The example in the comments suggests that some of the keywords allow duplicates

https://github.com/gpg/gnupg/blob/gnupg-2.2.8/sm/certreqgen.c#L37

Same goes for the keyword declarations

https://github.com/gpg/gnupg/blob/gnupg-2.2.8/sm/certreqgen.c#L236

Yet I am getting a duplicate keyword error

https://github.com/gpg/gnupg/blob/gnupg-2.2.8/sm/certreqgen.c#L354

I personally couldn't spot the bug yet - but it's easy to replicate.

cat >master <<EOF
  Key-Type: RSA
  Key-Length: 4096
  Name-Real: Some One
  Name-Email: foo@bla.com
  Name-Email: foo@blub.com
  Expire-Date: 0
  %commit
EOF

gpg \
  --no-default-keyring \
  --secret-keyring ./test.sec \
  --keyring ./test.pub \
  --batch --gen-key master

Gives a gpg: master:5: duplicate keyword error.

Next I tried the example from the comments. But that gave me gpg: master:5: unknown keyword error.
Given that those keywords are all declared in the source code I am a little confused.
I fear I am not looking at the right code (while I should).

Either way - this seems to have been implemented for some time in the 2.x tree. Therefore it should be a regression.

Details

Version
2.2.8 (libgcrypt 1.8.3)

Event Timeline

werner added a subscriber: werner.

You are mixing gpgsm and gpg - they have different semantics. That github mirror under the top name of "gpg" might be a reason for that confusion.

For gpgsm: Several mail addresses are allowed because that is defined by X.509. X.509 does not allow adding new mail addresses later.

For gpg: The parameter file only allows one user ID and thus, in the structured form, only one email address. However, OpenPGP is different from X.509 in that new user IDs can easily be added at any time.

I would also suggest to avoid that gpg interface in favor of --quick-gen-key which does not require a parameter file.

The matching error message and the similar keywords led me to miss that - indeed.

That's a big bummer though, because when I look at --quick-gen-key I don't see a non-interactive way to create a key with two email addresses either.
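The non-interactive route the reply above points to, shown as an added example that is not part of this thread or of GnuPG's own documentation: create the key with --quick-gen-key and then attach the second address with gpg 2.2's --quick-add-uid, since OpenPGP allows adding user IDs after the fact. It assumes gpg is on PATH and uses an empty passphrase purely so the run needs no prompt (a constructed demo setting, not a recommendation for real keys).

```shell
#!/bin/sh
# Added example: a key with two e-mail addresses without a parameter file.
# Assumes gpg 2.2.x; empty passphrase only so the run is non-interactive.
set -e

# Builds the key in a throwaway GNUPGHOME and prints the number of user IDs
# found on it afterwards (expected: 2).
make_key_with_two_uids() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"

    # 1. Primary key with the first user ID. "default default 0" selects the
    #    default algorithm and usage and a key that never expires, matching
    #    the Expire-Date: 0 line of the parameter file in the report.
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Some One <foo@bla.com>' default default 0

    # 2. Add the second address as a further user ID. The first argument
    #    selects the key (by e-mail here), the second is the new user ID.
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-add-uid 'foo@bla.com' 'Some One <foo@blub.com>'

    # 3. Count uid records in the machine-readable listing; both addresses
    #    now appear on the same primary key.
    n=$(gpg --with-colons --list-keys 2>/dev/null | grep -c '^uid:')

    # Stop the agent started for this home and remove the temporary files.
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
    unset GNUPGHOME
    echo "$n"
}
```

Run it as `make_key_with_two_uids` after sourcing the file; the printed value is the number of user IDs on the new key.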