Page MenuHome GnuPG
Create Task
Maniphest T4490

--export-secret-keys fails with unusually-created secret key
Closed, ResolvedPublic
Actions

Description

Consider this attempt to make a certficate from an OpenSSH key:

#!/bin/bash

set -e
set -x
HOSTNAME=test.example
EXPIRY=1m
export GNUPGHOME=$(mktemp -d)
cleanup() {
    tail -v "$GNUPGHOME/"{sshcontrol,gpg-agent.log,status}
    rm -rf "$GNUPGHOME"
}
trap cleanup EXIT


cat > "$GNUPGHOME/gpg-agent.conf" <<EOF
batch 
debug-level guru
log-file $GNUPGHOME/gpg-agent.log
EOF
cat >"$GNUPGHOME/gpg.conf" <<EOF
batch
no-tty
status-file $GNUPGHOME/status
with-colons
fixed-list-mode
EOF
gpgconf --launch gpg-agent
ssh-keygen -q -t rsa -N '' -f "$GNUPGHOME/example_ssh_rsa_key"
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
ssh-add "$GNUPGHOME/example_ssh_rsa_key"
KEYGRIP=$(awk '/^[0-9A-F]/{print $1 }' < "$GNUPGHOME/sshcontrol")
test -n "$KEYGRIP"
gpg --full-generate-key <<EOF
Key-Type: RSA
Key-Grip: $KEYGRIP
Key-Usage: auth
Name-Real: ssh://$HOSTNAME
Expire-Date: $EXPIRY
%no-protection
%commit
EOF
gpg --list-keys "=ssh://$HOSTNAME"
gpg --armor --export "=ssh://$HOSTNAME"
gpg --armor --export-secret-key "=ssh://$HOSTNAME"

the final command here fails with:

+ gpg --armor --export-secret-key =ssh://test.example
gpg: key 6CD93B7E62135C38F5513DACA9FF9D24F6C81E81: error receiving key from agent: Bad secret key - skipped
gpg: WARNING: nothing exported

the agent does appear to be turning over some key matter, so the error may just be in the parsing on the gpg client side.

Details

Version
2.2.15

Revisions and Commits

rG GnuPG
rG9c704d9d4633 gpg: enable OpenPGP export of cleartext keys with comments
rG392e59a3d487 gpg: enable OpenPGP export of cleartext keys with comments

Related Objects

Event Timeline

dkg created this task.May 10 2019, 6:28 AM
werner triaged this task as Normal priority.May 10 2019, 10:20 AM
werner added a project: ssh.
dkg added a comment.May 10 2019, 10:45 PM

I was trying to use the above technique to be able to generate an OpenPGP transferable secret key in an ephemeral homedir. Ephemeral directories are recommended in the GnuPG info page's "unattended usage" section, but they do not work here.

dkg mentioned this in T4501: gpg --generate-key --batch from existing key (with Key-Grip:) fails on 64-bit big-endian architectures.May 11 2019, 12:36 AM
dkg added a comment.EditedMay 14 2019, 1:48 AM

And, i just discovered that when i manually edit the key to remove the (comment) list from the *.key S-expression file, the final --export-secret-key works fine. so the failure appears to be due to the presence of the (comment) clause. (same as in T4501)

dkg added a comment.May 14 2019, 3:43 AM

I've just pushed 29adca88f5f6425f5311c27bb839718a4956ec3a to the dkg/fix-T4490 branch, which i believe fixes this issue.

dkg added a comment.May 14 2019, 6:35 AM

I think this patch should be backported to STABLE-BRANCH-2-2

werner raised the priority of this task from Normal to High.May 14 2019, 4:39 PM
werner added a commit: rG392e59a3d487: gpg: enable OpenPGP export of cleartext keys with comments.May 15 2019, 9:03 AM
werner added a commit: rG9c704d9d4633: gpg: enable OpenPGP export of cleartext keys with comments.
werner closed this task as Resolved.May 15 2019, 9:04 AM
werner claimed this task.
werner added a subscriber: werner.

Applied to master and 2.2. Thanks.

werner mentioned this in T4509: Release GnuPG 2.2.16.May 28 2019, 5:08 PM