Page MenuHome GnuPG
Create Task
Maniphest T5444

"gpg: key generation failed: Unknown elliptic curve" from "Key-Type: default"
Open, NormalPublic
Actions

Description

This is yet another regression reported in Debian: Creating a key using a parameter file with the key type set to "default" results in an error message "gpg: key generation failed: Unknown elliptic curve". This works for gpg22, though.

Full test script can be found at https://sources.debian.org/src/gnupg2/2.2.27-2/debian/tests/simple-tests/ (beware, URL is not stable). It boils down to:

cat > key-batch << EOF
Key-Type: default
Subkey-Type: default
Name-Real: test case
Name-Email: example@example.com
Expire-Date: 0
%no-protection
%commit
EOF

gpg --batch --generate-key key-batch

Tested on current HEAD (a660e1060 aka gnupg-2.3.1-47-ga660e1060).

Changing "Key-Type" to e.g. "RSA" make the operation pass.

Related Objects

Event Timeline

cbiedl created this task.May 20 2021, 12:07 PM
cbiedl assigned this task to wk.May 20 2021, 12:29 PM
aheinecke added a subscriber: aheinecke.May 20 2021, 12:32 PM

Ha! This would have affected Kleopatra if we followed werners suggestion to use default. But in Kleo I decided that I needed to show my users what the default is so we do not use default in this case.

cbiedl added a comment.May 25 2021, 8:17 AM

Setting a curve type (which shouldn't be necessary) like "Curve-Type: ed25519" doesn't help either. While this makes the check in gpg pass, the gpg-agent process re-checks the parameter set and rejects it with the same error message.

Workaround for the test in Debian: Set key type to RSA.

werner triaged this task as Normal priority.May 25 2021, 8:37 AM
werner added a subscriber: werner.

You should anyway use --quick-gen-key.

ilya_indigo added a subscriber: ilya_indigo.Dec 23 2021, 10:17 PM

https://bugs.kde.org/show_bug.cgi?id=447326
This problem also appears for trojita.

fvogt added a subscriber: fvogt.Feb 25 2022, 2:14 PM
werner added a project: gnupg24.Dec 13 2022, 11:21 AM
heirecka added a subscriber: heirecka.Jan 10 2023, 11:27 AM
Angel added a subscriber: Angel.Feb 4 2024, 11:59 PM

I recently stumbled upon this as well.

An even simpler reproducer:

cat > template.txt << EOF
Key-Type: default
Name-Email: example@example.com
EOF
gpg --quiet --batch --generate-key template.txt

The value default is documented on https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html

It works on the 2.2 branch (verified on latest one, 2.2.42), but not from 2.3.0 onwards, including the current 2.4.4:

gpg: key generation failed: Unknown elliptic curve
jak added a subscriber: jak.Feb 14 2024, 10:30 AM

It works in 2.4.4 if you add

Key-Curve: Ed25519
Subkey-Curve: Ed25519

But obviously you end up with a key that can only sign stuff, but not encrypt, as that is Cv25519.

I don't think it's possible to have two different subkeys in the same batch?

Angel added a comment.Feb 19 2024, 2:15 AM

Interesting. So the problem is not actually the Key-Type, but that the default key-type requires a Key-Curve parameter which has no value by default