
--export-secret-ssh-key cannot find the key
Closed, Invalid

Description

Hello!

This is my first contribution to the GPG bug tracker. Please let me know if there is anything missing, and sorry if I missed an existing bug.

I am on macOS using brew's GPG:

gpg (GnuPG) 2.3.4
libgcrypt 1.10.0

GPG won't let me export a secret ssh key:

$ gpg --export-secret-ssh-key 17477E54BB15F155AB66CA72E8BC9929304AEAED
gpg: key "17477E54BB15F155AB66CA72E8BC9929304AEAED" not found: Not a Keygrip

But it lets me export the same key as a public key:

$ gpg --export-ssh-key 17477E54BB15F155AB66CA72E8BC9929304AEAED
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC5RCHoVRB7rCs4WDbPXc9ak3oRqt48W1wOKM+JCXHxJaYB4i7rq9ZAvAUIvCQT8R05A+/f9pCEOUm/ZW14/isij7SBO3UExoX2OFddOcqdTFYyQFrUY98EX5XvNa/2aT7qS80bMptIDY8DAEmE4+cozvkHolWm3Erc56cZwaZN6Yt49gHQUoaq5Iy3qWdoLdzEcV6ke9MrvhV/rBJUwEqdgH1ENUBnbS5u/gmxSm9QVOhNf3Dl1HjsGsynX2Af2qu6Gcu6okRgM7ftbUd6Fh06lN/D3PHXtWnOUznyePo8vnZi0MKK4c8iM3lbK360JyseXHOBhyn5hbySmgnVDi6mIcddXIWxyr09uScSirc9c/sJjCmyfIddzNnGJ9x5kCznGsqnZDMlFId2gnonV8i8471gkwgGG2Put6/8wwtQJhGvgavS/+WNfhKBN0/V3qaLo0aaeNrW1KZDT8y/ZzucTD1iOlsuhNgNB/0CUU2de8ojJsDLcymcz7dvf3mV29M= openpgp:0x632A040F

Steps to reproduce:

  • Generate a new key
  • gpg --expert --edit-key <KEYID>
  • addkey
  • RSA (add your own capabilities)
  • Enable only the A (Authenticate) capability
  • Try to export it.

It could be that I am doing something wrong here, but the "not found" error does not help me understand it. Obviously the key exists if I am able to export the public version of it.

I considered that I may need to specify the subkey fingerprint to export the secret ssh key, so I tried to find the fingerprint:

$ gpg --list-secret-keys --with-subkey-fingerprint
sec   ed25519 2022-02-17 [SC] [expires: 2024-02-17]
      17477E54BB15F155AB66CA72E8BC9929304AEAED
uid           [ultimate] Alexandre Viau
ssb   cv25519 2022-02-17 [E] [expires: 2024-02-17]
      0B0FB91C5F9674BF5E2F0CA67A2C2C0F04F463F6
ssb   rsa3072 2022-02-17 [A]
      21DEE1DF6D759B8593EF8118B056AF8B632A040F

Then export the public key, that works:

$ gpg --export-ssh-key 21DEE1DF6D759B8593EF8118B056AF8B632A040F
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC5RCHoVRB7rCs4WDbPXc9ak3oRqt48W1wOKM+JCXHxJaYB4i7rq9ZAvAUIvCQT8R05A+/f9pCEOUm/ZW14/isij7SBO3UExoX2OFddOcqdTFYyQFrUY98EX5XvNa/2aT7qS80bMptIDY8DAEmE4+cozvkHolWm3Erc56cZwaZN6Yt49gHQUoaq5Iy3qWdoLdzEcV6ke9MrvhV/rBJUwEqdgH1ENUBnbS5u/gmxSm9QVOhNf3Dl1HjsGsynX2Af2qu6Gcu6okRgM7ftbUd6Fh06lN/D3PHXtWnOUznyePo8vnZi0MKK4c8iM3lbK360JyseXHOBhyn5hbySmgnVDi6mIcddXIWxyr09uScSirc9c/sJjCmyfIddzNnGJ9x5kCznGsqnZDMlFId2gnonV8i8471gkwgGG2Put6/8wwtQJhGvgavS/+WNfhKBN0/V3qaLo0aaeNrW1KZDT8y/ZzucTD1iOlsuhNgNB/0CUU2de8ojJsDLcymcz7dvf3mV29M= openpgp:0x632A040F

But once again, I can't export the private key:

$ gpg --export-secret-ssh-key 21DEE1DF6D759B8593EF8118B056AF8B632A040F
gpg: key "21DEE1DF6D759B8593EF8118B056AF8B632A040F" not found: Not a Keygrip

The error says "not a keygrip", so I probably need to use a keygrip! Let's find it:

$ gpg --list-secret-keys --with-keygrip
sec   ed25519 2022-02-17 [SC] [expires: 2024-02-17]
      17477E54BB15F155AB66CA72E8BC9929304AEAED
      Keygrip = 1DDF1E8CF981026EAD80AADAE683FD8E6EE816A2
uid           [ultimate] Alexandre Viau
ssb   cv25519 2022-02-17 [E] [expires: 2024-02-17]
      Keygrip = 2CD5ACAEDBFB6A62B972DAFE150AB3E8C943404C
ssb   rsa3072 2022-02-17 [A]
      Keygrip = 2764D50D0AD3A7A2495B21AE5F35BD3E710B46C2

Yay, we have a keygrip, the exact thing the error message is asking me for! Let's use it:

$ gpg --export-secret-ssh-key 2764D50D0AD3A7A2495B21AE5F35BD3E710B46C2
gpg: key "2764D50D0AD3A7A2495B21AE5F35BD3E710B46C2" not found: Not a Keygrip

Ah, apparently it's not a keygrip...
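The report shows the keygrip of the [A] subkey being read by eye from --list-secret-keys --with-keygrip. Below is an added example (not part of the bug report or of GnuPG) that does the same selection programmatically from the machine-readable --with-colons form of that listing: it picks every sec/ssb record whose capability field (field 12) contains "a" and prints its fingerprint and keygrip. The colon-format sample is constructed from the human-readable listing in the report; its timestamps and the uid hash are made-up placeholders. The keygrip it prints is the value that gpg-agent's sshcontrol file expects, one per line, when the agent is started with enable-ssh-support, which is the supported way to use an OpenPGP authentication subkey with ssh in this version.

```shell
#!/bin/sh
# Added example, not code from the GnuPG bug report or from GnuPG itself.

# Constructed sample: the report's listing rendered in --with-colons form.
# Fingerprints and keygrips are the ones shown in the report; the
# timestamps (fields 6/7) and the uid hash are placeholders.
sample_listing() {
cat <<'EOF'
sec:u:256:22:E8BC9929304AEAED:1645056000:1708128000::u:::scESC:::+:::ed25519:::0:
fpr:::::::::17477E54BB15F155AB66CA72E8BC9929304AEAED:
grp:::::::::1DDF1E8CF981026EAD80AADAE683FD8E6EE816A2:
uid:u::::1645056000::0000000000000000000000000000000000000000::Alexandre Viau::::::::::0:
ssb:u:256:18:7A2C2C0F04F463F6:1645056000:1708128000:::::e:::+:::cv25519::
fpr:::::::::0B0FB91C5F9674BF5E2F0CA67A2C2C0F04F463F6:
grp:::::::::2CD5ACAEDBFB6A62B972DAFE150AB3E8C943404C:
ssb:u:3072:1:B056AF8B632A040F:1645056000::::::a:::+:::23::
fpr:::::::::21DEE1DF6D759B8593EF8118B056AF8B632A040F:
grp:::::::::2764D50D0AD3A7A2495B21AE5F35BD3E710B46C2:
EOF
}

# auth_keygrips: read a --with-colons secret-key listing on stdin and
# print "<fingerprint> <keygrip>" for every sec/ssb record whose own
# capability field (field 12) contains the authentication flag "a".
# fpr and grp records carry their value in field 10 and always follow
# the key record they belong to, so a small state machine is enough.
auth_keygrips() {
  awk -F: '
    $1 == "sec" || $1 == "ssb" { want = (index($12, "a") > 0); fpr = ""; next }
    $1 == "fpr" && want        { fpr = $10; next }
    $1 == "grp" && want        { print fpr, $10; want = 0 }
  '
}

# Wrapper over the constructed sample so the selection can be checked.
sample_auth_keygrips() {
  sample_listing | auth_keygrips
}

# Against a real keyring (assumes gpg is in PATH; not run here):
#   gpg --list-secret-keys --with-keygrip --with-colons | auth_keygrips
# Appending the printed keygrip to ~/.gnupg/sshcontrol lets gpg-agent
# (started with enable-ssh-support) serve the key; `ssh-add -L` then
# lists the same ssh-rsa public key that --export-ssh-key prints.
sample_auth_keygrips
```

Only lowercase letters in field 12 describe the key's own capabilities (the uppercase ones summarise the whole certificate), so the primary key's "scESC" is correctly skipped and only the rsa3072 [A] subkey is selected.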

Details

Version
2.3.4

Event Timeline

aviau updated the task description.
ikloecker added a subscriber: ikloecker.

You are trying to use unfinished code. See https://dev.gnupg.org/rGafe5fcda52e88438c7a7278117b2e03f510a9c1c. It's not really surprising that unfinished code doesn't work.

Ah! Sorry! Is there any reason the command-line flag made it to a release? How should the user know that the feature does not work, other than reading the bugtracker and source code?

@werner will have to answer why he added the unfinished code. My guess is that he wanted to prevent it from being lost on his computer. I would probably have deactivated the code as long as it's unfinished.

Regarding your question, how the user should know that the feature does not work, let me ask a counter question: How does the user know about the feature in the first place, other than reading the source code or searching the executable for "hidden" command-line flags?

The flag is neither mentioned in the manual page nor in the output of gpg --help nor in the release notes of GnuPG 2.3.4. How did you become aware of this new command-line flag?

There is another hacker working on finishing it. I only provided the framework.

How does the user know about the feature in the first place, other than reading the source code or searching the executable for "hidden" command-line flags?

I haven't done any of these things. I just wrote gpg --export and pressed tab. Then bash autocompleted for it.

Bash autocompletion for gpg uses gpg --dump-options:

$ gpg --dump-options | grep ssh
--export-ssh-key
--export-secret-ssh-key

I suspected that it would be listed by gpg --dump-options, but I didn't think about autocompletion cleverly using it. I apologize.