
--export-secret-keys fails with unusually-created secret key
Closed, Resolved, Public

Description

Consider this attempt to make a certificate from an OpenSSH key:

#!/bin/bash

set -e
set -x
HOSTNAME=test.example
EXPIRY=1m
# Work in a throwaway GNUPGHOME; dump the agent's state and remove it on exit.
export GNUPGHOME=$(mktemp -d)
cleanup() {
    tail -v "$GNUPGHOME/"{sshcontrol,gpg-agent.log,status}
    rm -rf "$GNUPGHOME"
}
trap cleanup EXIT

cat > "$GNUPGHOME/gpg-agent.conf" <<EOF
batch
debug-level guru
log-file $GNUPGHOME/gpg-agent.log
EOF
cat >"$GNUPGHOME/gpg.conf" <<EOF
batch
no-tty
status-file $GNUPGHOME/status
with-colons
fixed-list-mode
EOF
gpgconf --launch gpg-agent
# Create an OpenSSH RSA key and hand it to gpg-agent over its ssh-agent socket;
# the agent records the imported key's keygrip in sshcontrol.
ssh-keygen -q -t rsa -N '' -f "$GNUPGHOME/example_ssh_rsa_key"
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
ssh-add "$GNUPGHOME/example_ssh_rsa_key"
KEYGRIP=$(awk '/^[0-9A-F]/{print $1 }' < "$GNUPGHOME/sshcontrol")
test -n "$KEYGRIP"
# Build an OpenPGP certificate around the already-imported secret key (Key-Grip).
gpg --full-generate-key <<EOF
Key-Type: RSA
Key-Grip: $KEYGRIP
Key-Usage: auth
Name-Real: ssh://$HOSTNAME
Expire-Date: $EXPIRY
%no-protection
%commit
EOF
gpg --list-keys "=ssh://$HOSTNAME"
gpg --armor --export "=ssh://$HOSTNAME"
# The secret-key export is the step that fails.
gpg --armor --export-secret-key "=ssh://$HOSTNAME"

The final command here fails with:

+ gpg --armor --export-secret-key =ssh://test.example
gpg: key 6CD93B7E62135C38F5513DACA9FF9D24F6C81E81: error receiving key from agent: Bad secret key - skipped
gpg: WARNING: nothing exported

The agent does appear to be turning over some key matter, so the error may just be in the parsing on the gpg client side.

Details

Version
2.2.15

Event Timeline

werner added a project: ssh.

I was trying to use the above technique to be able to generate an OpenPGP transferable secret key in an ephemeral homedir. Ephemeral directories are recommended in the GnuPG info page's "unattended usage" section, but they do not work here.

And, I just discovered that when I manually edit the key to remove the (comment) list from the *.key S-expression file, the final --export-secret-key works fine. So the failure appears to be due to the presence of the (comment) clause. (Same as in T4501.)
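
As an added example (not GnuPG's own code), a small Python parser for the canonical S-expression form gpg-agent keeps under private-keys-v1.d/, which lists a key's top-level sublists and strips the (comment ...) clause the comment above identifies as the trigger. The sample key bytes are constructed with dummy one-byte parameters, and the exact layout of the rsa and comment sublists is an assumption.

```python
"""gpg-agent *.key canonical S-expression helper (added example, not GnuPG code)."""

def parse(data: bytes, pos: int = 0):
    """Parse one element at data[pos] -> (element, next_pos); lists become
    Python lists, atoms (<decimal length>:<raw bytes>) stay bytes."""
    if data[pos:pos + 1] == b'(':
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b')':
            if pos >= len(data):
                raise ValueError("unterminated list")
            item, pos = parse(data, pos)
            items.append(item)
        return items, pos + 1
    colon = data.index(b':', pos)
    length = int(data[pos:colon])
    start = colon + 1
    if start + length > len(data):
        raise ValueError("truncated atom")
    return data[start:start + length], start + length

def serialize(elem) -> bytes:
    """Re-emit canonical form; it is unique, so parse/serialize round-trips."""
    if isinstance(elem, bytes):
        return str(len(elem)).encode() + b':' + elem
    return b'(' + b''.join(serialize(e) for e in elem) + b')'

def top_level_tags(data: bytes):
    """Tags of the sublists directly inside the outer list, e.g. rsa, comment."""
    tree, _ = parse(data)
    return [e[0] for e in tree[1:] if isinstance(e, list)]

def strip_comment(data: bytes) -> bytes:
    """Drop every (comment ...) sublist: the manual edit the report describes."""
    tree, end = parse(data)
    if end != len(data):
        raise ValueError("trailing bytes after S-expression")
    def prune(elem):
        if isinstance(elem, bytes):
            return elem
        return [prune(e) for e in elem
                if not (isinstance(e, list) and e and e[0] == b'comment')]
    return serialize(prune(tree))

# CONSTRUCTED sample with one-byte dummy parameters, laid out as assumed here:
# (private-key (rsa (n ..)(e ..)(d ..)(p ..)(q ..)(u ..)) (comment "..."))
SAMPLE = (b'(11:private-key(3:rsa(1:n1:\x8f)(1:e1:\x03)(1:d1:\x01)(1:p1:\x0b)'
          b'(1:q1:\x0d)(1:u1:\x06))(7:comment17:user@test.example))')

if __name__ == "__main__":
    print(top_level_tags(SAMPLE), top_level_tags(strip_comment(SAMPLE)))
```

Run it against a copy of a *.key file read in binary mode; the parser rejects truncated input rather than silently emitting a shorter key.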

I've just pushed 29adca88f5f6425f5311c27bb839718a4956ec3a to the dkg/fix-T4490 branch, which I believe fixes this issue.

I think this patch should be backported to STABLE-BRANCH-2-2

werner raised the priority of this task from Normal to High. May 14 2019, 4:39 PM
werner claimed this task.
werner added a subscriber: werner.

Applied to master and 2.2. Thanks.