--export-secret-ssh-key cannot find the key
Closed, InvalidPublic

Assigned To
None
Authored By
aviau
Feb 17 2022, 6:40 PM

Description

Hello!

This is my first contribution to the GPG bug tracker. Please let me know if there is anything missing, and sorry if I missed an existing bug.

I am on macOS using brew's GPG:

gpg (GnuPG) 2.3.4
libgcrypt 1.10.0

GPG won't let me export a secret ssh key:

$ gpg --export-secret-ssh-key 17477E54BB15F155AB66CA72E8BC9929304AEAED
gpg: key "17477E54BB15F155AB66CA72E8BC9929304AEAED" not found: Not a Keygrip

But it lets me export the same key as a public key:

$ gpg --export-ssh-key 17477E54BB15F155AB66CA72E8BC9929304AEAED
ssh-rsa ... openpgp:0x632A040F

Steps to reproduce:

  • Generate a new key
  • gpg --expert --edit-key <KEYID>
  • addkey
  • RSA (add your own capabilities)
  • Enable only the A (Authenticate) capability
  • Try to export it.

It could be that I am doing something wrong here, but the "not found" error does not help me understand it. Obviously the key exists if I am able to export the public version of it.

I considered that I may need to specify the subkey fingerprint to export the secret ssh key, so I tried to find the fingerprint:

$ gpg --list-secret-keys --with-subkey-fingerprint
sec   ed25519 2022-02-17 [SC] [expires: 2024-02-17]
      17477E54BB15F155AB66CA72E8BC9929304AEAED
uid           [ultimate] Alexandre Viau
ssb   cv25519 2022-02-17 [E] [expires: 2024-02-17]
      0B0FB91C5F9674BF5E2F0CA67A2C2C0F04F463F6
ssb   rsa3072 2022-02-17 [A]
      21DEE1DF6D759B8593EF8118B056AF8B632A040F

Then export the public key, that works:

$ gpg --export-ssh-key 21DEE1DF6D759B8593EF8118B056AF8B632A040F
ssh-rsa ... openpgp:0x632A040F

But once again, I can't export the private key:

$ gpg --export-secret-ssh-key 21DEE1DF6D759B8593EF8118B056AF8B632A040F
gpg: key "21DEE1DF6D759B8593EF8118B056AF8B632A040F" not found: Not a Keygrip

The error says "not a keygrip", so I probably need to use a keygrip! Let's find it:

$ gpg --list-secret-keys --with-keygrip
sec   ed25519 2022-02-17 [SC] [expires: 2024-02-17]
      17477E54BB15F155AB66CA72E8BC9929304AEAED
      Keygrip = 1DDF1E8CF981026EAD80AADAE683FD8E6EE816A2
uid           [ultimate] Alexandre Viau
ssb   cv25519 2022-02-17 [E] [expires: 2024-02-17]
      Keygrip = 2CD5ACAEDBFB6A62B972DAFE150AB3E8C943404C
ssb   rsa3072 2022-02-17 [A]
      Keygrip = 2764D50D0AD3A7A2495B21AE5F35BD3E710B46C2

Yay, we have a keygrip, the exact thing the error message is asking me for! Let's use it:

$ gpg --export-secret-ssh-key 2764D50D0AD3A7A2495B21AE5F35BD3E710B46C2
gpg: key "2764D50D0AD3A7A2495B21AE5F35BD3E710B46C2" not found: Not a Keygrip

Ah, apparently it's not a keygrip...
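The listings in this report show the distinction that the error message hinges on: every key has both an OpenPGP fingerprint (the identifier of the key packet, used by `--export-ssh-key`) and a libgcrypt keygrip (a hash of the public parameters, which is the name gpg-agent stores the private key under in private-keys-v1.d). As an added illustration that is not part of the report or of GnuPG's own code, the Python below parses a listing produced with both `--with-subkey-fingerprint` and `--with-keygrip`, picks out the authentication-capable subkey, and tells the two identifiers apart. The sample input is constructed by merging the report's two listings into the combined layout gpg prints when both options are given.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input for this example, constructed by merging the two listings from
# the bug report (`--with-subkey-fingerprint` and `--with-keygrip`); gpg prints
# this combined layout when both options are passed together.
SAMPLE_LISTING = """\
sec   ed25519 2022-02-17 [SC] [expires: 2024-02-17]
      17477E54BB15F155AB66CA72E8BC9929304AEAED
      Keygrip = 1DDF1E8CF981026EAD80AADAE683FD8E6EE816A2
uid           [ultimate] Alexandre Viau
ssb   cv25519 2022-02-17 [E] [expires: 2024-02-17]
      0B0FB91C5F9674BF5E2F0CA67A2C2C0F04F463F6
      Keygrip = 2CD5ACAEDBFB6A62B972DAFE150AB3E8C943404C
ssb   rsa3072 2022-02-17 [A]
      21DEE1DF6D759B8593EF8118B056AF8B632A040F
      Keygrip = 2764D50D0AD3A7A2495B21AE5F35BD3E710B46C2
"""

# "sec"/"ssb" header: key kind, algorithm, creation date, capability letters.
HEADER_RE = re.compile(r"^(sec|ssb)\s+(\S+)\s+(\d{4}-\d{2}-\d{2})\s+\[([A-Z]+)\]")
# Indented 40-hex line: the OpenPGP fingerprint of the preceding key.
FPR_RE = re.compile(r"^\s+([0-9A-F]{40})\s*$")
# Indented "Keygrip = " line: libgcrypt keygrip, gpg-agent's name for the private key.
KEYGRIP_RE = re.compile(r"^\s+Keygrip = ([0-9A-F]{40})\s*$")


@dataclass
class KeyRecord:
    kind: str                          # "sec" (primary) or "ssb" (subkey)
    algo: str                          # e.g. "ed25519", "rsa3072"
    created: str                       # YYYY-MM-DD
    caps: str                          # capability letters: S, C, E, A
    fingerprint: Optional[str] = None  # OpenPGP fingerprint
    keygrip: Optional[str] = None      # libgcrypt keygrip


def parse_listing(text: str) -> List[KeyRecord]:
    """Parse `gpg --list-secret-keys --with-keygrip --with-subkey-fingerprint` output."""
    records: List[KeyRecord] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            records.append(KeyRecord(*m.groups()))
            continue
        if not records:
            continue  # nothing to attach to yet (e.g. stray uid line)
        m = FPR_RE.match(line)
        if m:
            records[-1].fingerprint = m.group(1)
            continue
        m = KEYGRIP_RE.match(line)
        if m:
            records[-1].keygrip = m.group(1)
        # uid lines and anything else are ignored
    return records


def auth_subkeys(records: List[KeyRecord]) -> List[KeyRecord]:
    """Subkeys carrying the A (authenticate) capability: the ones meant for SSH."""
    return [r for r in records if r.kind == "ssb" and "A" in r.caps]


def identifier_kind(ident: str, records: List[KeyRecord]) -> str:
    """Classify a 40-hex string as a fingerprint or a keygrip within this listing."""
    ident = ident.upper().replace(" ", "")
    for r in records:
        if r.fingerprint == ident:
            return "fingerprint"
        if r.keygrip == ident:
            return "keygrip"
    return "unknown"


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    for r in auth_subkeys(recs):
        print(f"[A] subkey {r.algo}: fingerprint={r.fingerprint} keygrip={r.keygrip}")
    for ident in ("21DEE1DF6D759B8593EF8118B056AF8B632A040F",
                  "2764D50D0AD3A7A2495B21AE5F35BD3E710B46C2"):
        print(f"{ident} is a {identifier_kind(ident, recs)}")
```

Feeding the script the real output of the combined listing (instead of the embedded sample) gives, per subkey, the identifier each gpg option expects; the report shows that in 2.3.4 the secret-export path rejected both, which is consistent with the unfinished-code explanation given later in the thread.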

Details

Version
2.3.4

Event Timeline

aviau updated the task description.
aviau updated the task description.
ikloecker added a subscriber: ikloecker.

You are trying to use unfinished code. See https://dev.gnupg.org/rGafe5fcda52e88438c7a7278117b2e03f510a9c1c. It's not really surprising that unfinished code doesn't work.

Ah! Sorry! Is there any reason the command-line flag made it to a release? How should the user know that the feature does not work, other than reading the bugtracker and source code?

@werner will have to answer why he added the unfinished code. My guess is that he wanted to prevent it from being lost on his computer. I would probably have deactivated the code as long as it's unfinished.

Regarding your question, how the user should know that the feature does not work, let me ask a counter question: How does the user know about the feature in the first place, other than reading the source code or searching the executable for "hidden" command-line flags?

The flag is neither mentioned in the manual page nor in the output of gpg --help nor in the release notes of GnuPG 2.3.4. How did you become aware of this new command-line flag?

There is another hacker working on finishing it. I only provided the framework.

> How does the user know about the feature in the first place, other than reading the source code or searching the executable for "hidden" command-line flags?

I haven't done any of these things. I just wrote gpg --export and pressed tab. Then bash autocompleted for it.

Bash autocompletion for gpg uses gpg --dump-options:

$ gpg --dump-options | grep ssh
--export-ssh-key
--export-secret-ssh-key

I suspected that it would be listed by gpg --dump-options, but I didn't think about autocompletion cleverly using it. I apologize.