cross-certify fails if secret master key unavailable
Closed, Resolved, Public

Description

Release: 1.9.20

Environment

Linux/amd64

Description

When doing a cross-certify, the master key is successfully signed by the signing subkey (the signature counter on the card increases); then, storing the signature fails:

Command> cross-certify
gpg: secret key parts are not available
gpg: update_keysig_packet failed: general error

I think the secret key should not be needed for a cross-certify operation.

How To Repeat

Create a secret keyring with a key that has a stub master key and a signing subkey. Using that keyring, try to cross-certify the master key.

Fix

Unknown

Event Timeline

This seems to be a bug. However, the cross-certify is only required for old signing keys without a backsig. Thus it is questionable whether we should fix that bug for those few users with a card and a signature subkey. The workaround of doing the backsig on the machine with the primary key available is IMHO not that complicated and in fact pretty obvious.

From: Simon Richter <Simon.Richter@hogyros.de>
To: bug-any@bugs.gnupg.org
Cc:
Subject: Re: gnupg/673
Date: Wed, 21 Jun 2006 20:41:42 +0200

Hi,

> Synopsis: cross-certify fails if secret master key unavailable

> This seems to be a bug. However, the cross-certify is only required for old signing keys without a backsig. Thus it is questionable whether we should fix that bug for those few users with a card and a signature subkey. The workaround of doing the backsig on the machine with the primary key available is IMHO not that complicated and in fact pretty obvious.

Agreed. I would be happy with merely having it documented and a more
explanatory error message.

Simon
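
Added example (not part of the ticket and not GnuPG's code): a check, following the RFC 4880 version 4 signature layout, for whether a subkey binding signature (0x18) on a subkey flagged for signing embeds a primary key binding signature (0x19), which is the "backsig" discussed above. All function names and sample bytes are constructed for illustration, and the check reports presence only; it does not verify the embedded signature.

```python
import struct

SUBKEY_BINDING, PRIMARY_KEY_BINDING = 0x18, 0x19         # signature types
KEY_FLAGS, EMBEDDED_SIGNATURE, FLAG_SIGN = 27, 32, 0x02  # subpacket types, "may sign" flag

def subpackets(area):  # yields (type, body) for each subpacket in one area
    i = 0
    while i < len(area):
        n = area[i]; i += 1
        if 192 <= n < 255:                          # two-octet length
            n = ((n - 192) << 8) + area[i] + 192; i += 1
        elif n == 255:                              # five-octet length
            n = struct.unpack(">I", area[i:i + 4])[0]; i += 4
        if n == 0 or i + n > len(area):
            raise ValueError("malformed subpacket")
        yield area[i] & 0x7F, area[i + 1:i + n]     # mask off the critical bit
        i += n

def parse_v4_sig(body):
    """Return (signature type, subpackets of both areas) for a v4 signature body."""
    try:
        if body[0] != 4:
            raise ValueError("only version 4 signatures are handled")
        hlen = struct.unpack(">H", body[4:6])[0]
        ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
        areas = body[6:6 + hlen], body[8 + hlen:8 + hlen + ulen]
        return body[1], [sp for area in areas for sp in subpackets(area)]
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated signature packet") from exc

def backsig_status(binding_sig):
    """Report whether a subkey binding signature carries a 0x19 back signature."""
    sig_type, subs = parse_v4_sig(binding_sig)
    if sig_type != SUBKEY_BINDING:
        return "not-a-subkey-binding"
    if not any(t == KEY_FLAGS and b and b[0] & FLAG_SIGN for t, b in subs):
        return "not-marked-for-signing"
    embedded = (b for t, b in subs if t == EMBEDDED_SIGNATURE)
    if any(parse_v4_sig(e)[0] == PRIMARY_KEY_BINDING for e in embedded):
        return "present"                            # presence only, not verified
    return "missing"

# Constructed samples: header and subpacket areas only, no real signature value.
def sample_sub(kind, body):
    return bytes([len(body) + 1, kind]) + body
def sample_sig(kind, hashed=b"", unhashed=b""):
    return (bytes([4, kind, 1, 2]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00")

OLD_SIGNING_SUBKEY = sample_sig(0x18, sample_sub(27, b"\x02"))
CROSS_CERTIFIED = sample_sig(0x18, sample_sub(27, b"\x02"), sample_sub(32, sample_sig(0x19)))
```

A binding signature without a Key Flags subpacket is reported as "not-marked-for-signing" here; deciding signing capability from the key algorithm alone is outside what this example covers.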