Page MenuHome GnuPG

Kleopatra: Export secret subkeys
Closed, ResolvedPublic

Description

In the more details subkey view I would like to have another action for subkeys with secret -> Export to file

Which would open a save file dialog with .asc file filter for a subkey. The filename should be talkative like the suggessted file name for secret key exports like "Bernd_Brot_0xDEADBEEF_Encrypt.asc" With the difference to the secret key export the added usage in the end.

Related Objects

StatusAssignedTask
Resolved aheinecke

Event Timeline

aheinecke created this task.
aheinecke created this object in space Restricted Space.
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker closed subtask Unknown Object (Maniphest Task) as Resolved.Jan 10 2022, 1:57 PM
ikloecker closed subtask Unknown Object (Maniphest Task) as Resolved.
ikloecker changed the task status from Open to Testing.Jan 27 2022, 10:44 AM
ikloecker removed ikloecker as the assignee of this task.
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ebo claimed this task.
ebo added a subscriber: ebo.

works

ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Apr 5 2023, 2:57 PM

This has a serious usability issue. If you cancel the password entry when exporting it reports success and creates an apparently valid secret key file but without the subkey you intended to export. So worst case the user thinks he has a backup but instead has no backup :/

Exported with cancelling the password question:

# off=0 ctb=95 tag=5 hlen=3 plen=277
:secret key packet:
        version 4, algo 1, created 1557992709, expires 0
        pkey[0]: [2048 bits]
        pkey[1]: [17 bits]
        gnu-dummy, algo: 0, simple checksum, hash: 0
        protect IV: 
        keyid: EE77B3D57243F72E
# off=280 ctb=b4 tag=13 hlen=2 plen=25
:user ID packet: "berta.boss@demo.gnupg.com"
# off=307 ctb=89 tag=2 hlen=3 plen=337
:signature packet: algo 1, keyid EE77B3D57243F72E
        version 4, created 1557992709, md5len 0, sigclass 0x13
        digest algo 8, begin of digest f7 50
        hashed subpkt 33 len 21 (issuer fpr v4 DC0B670A715728F0F8CCA76DEE77B3D57243F72E)
        hashed subpkt 2 len 4 (sig created 2019-05-16)
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
        hashed subpkt 34 len 1 (pref-aead-algos: 2)
        hashed subpkt 21 len 5 (pref-hash-algos: 10 9 8 11 2)
        hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
        hashed subpkt 30 len 1 (features: 07)
        hashed subpkt 23 len 1 (keyserver preferences: 80)
        subpkt 16 len 8 (issuer key ID EE77B3D57243F72E)
        data: [2045 bits]

# off=0 ctb=95 tag=5 hlen=3 plen=277
:secret key packet:
        version 4, algo 1, created 1557992709, expires 0
        pkey[0]: [2048 bits]
        pkey[1]: [17 bits]
        gnu-dummy, algo: 0, simple checksum, hash: 0
        protect IV: 
        keyid: EE77B3D57243F72E
# off=280 ctb=b4 tag=13 hlen=2 plen=25
:user ID packet: "berta.boss@demo.gnupg.com"
# off=307 ctb=89 tag=2 hlen=3 plen=337
:signature packet: algo 1, keyid EE77B3D57243F72E
        version 4, created 1557992709, md5len 0, sigclass 0x13
        digest algo 8, begin of digest f7 50
        hashed subpkt 33 len 21 (issuer fpr v4 DC0B670A715728F0F8CCA76DEE77B3D57243F72E)
        hashed subpkt 2 len 4 (sig created 2019-05-16)
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
        hashed subpkt 34 len 1 (pref-aead-algos: 2)
        hashed subpkt 21 len 5 (pref-hash-algos: 10 9 8 11 2)
        hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
        hashed subpkt 30 len 1 (features: 07)
        hashed subpkt 23 len 1 (keyserver preferences: 80)
        subpkt 16 len 8 (issuer key ID EE77B3D57243F72E)
        data: [2045 bits]
# off=647 ctb=9d tag=7 hlen=3 plen=966
:secret sub key packet:
        version 4, algo 1, created 1557992709, expires 0
        pkey[0]: [2048 bits]
        pkey[1]: [17 bits]
        iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: DF22B12B3A0F2DA5
        protect count: 7864320 (206)
        protect IV:  97 82 db f5 98 3f 2c 2c dd 26 15 2f da 77 6c c3
        skey[2]: [v4 protected]
        keyid: B47052506607DA6E
# off=1616 ctb=89 tag=2 hlen=3 plen=310
:signature packet: algo 1, keyid EE77B3D57243F72E
        version 4, created 1557992709, md5len 0, sigclass 0x18
        digest algo 8, begin of digest c2 3a
        hashed subpkt 33 len 21 (issuer fpr v4 DC0B670A715728F0F8CCA76DEE77B3D57243F72E)
        hashed subpkt 2 len 4 (sig created 2019-05-16)
        hashed subpkt 27 len 1 (key flags: 0C)
        subpkt 16 len 8 (issuer key ID EE77B3D57243F72E)
        data: [2046 bits]
aheinecke shifted this object from the Restricted Space space to the S1 Public space.Jul 4 2023, 1:41 PM
aheinecke removed a project: g10code.
aheinecke moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.

I cannot reproduce the problem with Cancel. When I try this, I get the error "The result of the export is empty." and nothing is written to disk. I'm using GnuPG 2.4.

Anyway, handling of cancel was indeed missing.

I cannot reproduce the problem with Cancel. When I try this, I get the error "The result of the export is empty." and nothing is written to disk. I'm using GnuPG 2.4.

Anyway, handling of cancel was indeed missing.

No, its about right clicking the encryption subkey in the more details window. For a normal secret key export I get the same results as you.

ikloecker changed the task status from Open to Testing.Jul 5 2023, 1:36 PM
ikloecker removed ikloecker as the assignee of this task.
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.

Of course, it's about right clicking the encryption subkey. That's what I tested. Anyway, cancel wasn't handled properly. Now it is.

gpg --export-secret-subkeys --armor 704769B8D5C15319A27C74BBB47052506607DA6E confirms that gpg 2.4.1-beta21 outputs nothing if the password entry is canceled.

The original reporter mentioned that this only occurs when called from kleo. But let me recheck.

aheinecke claimed this task.

Tested and works now for me as expected. Thanks.

It turned out that my pinentry reported "fully canceled" on Cancel (see T6491: Pinentry-Qt: Password prompt for each subkey if password change is cancelled) which made gpg output nothing.

ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Jul 24 2023, 2:13 PM