Page MenuHome GnuPG
Create Task
Maniphest T6975

The option --default-key gives up too early if there are multiple matches
Open, NormalPublic
Actions

Description

When using --default-key to select a key, if there are multiple matches and the first one isn't suitable, it gives up completely, even though it could have worked.

Attached test case has two keys for bob. Since the first one gpg finds is expired, it ends up signing with the key for Alice, instead of using the second and valid key of Bob.

Using --local-user does find the right key in the same scenario.

test-default-key.sh1 KBDownload

Note: gpg < 2.4.4 misleadingly show "No secret key", but that's just the message. It was fixed in 2.4.4 to say "Key expired". (T4704)

Revisions and Commits

rG GnuPG
rG5842eee80523 doc: Suggest the use of a fingerprint for --default-key.

Related Objects

Event Timeline

Angel created this task.Feb 5 2024, 1:26 AM
Angel created this object in space S1 Public.
werner added a commit: rG5842eee80523: doc: Suggest the use of a fingerprint for --default-key..Feb 5 2024, 8:52 AM
werner closed this task as Wontfix.Feb 5 2024, 8:53 AM
werner claimed this task.
werner added a subscriber: werner.

Instead of tweaking this and risk a regression for some users I added a suggested to the man page to use a fingerprint.

Angel reopened this task as Open.Feb 6 2024, 3:17 AM

Sorry, Werner, but I have to disagree on this. Specifying them by fingerprint only works if you have a specific field for the key (including the case where you are just it on the config file).

The case were we stumbled upon it was in the context of Request Tracker, which uses gpg as backend, and calls it with --default-key and the email address associated to the current queue. [1] Thus, there's no fingerprint to specify separately, it's just the email you are signing with.

After your message I have been pondering about alternate ways of solving it, but there doesn't seem to be good options.

Manually mapping the email into the fingerprint of the latest key by using group withing gpg.conf doesn't work, since --default-key and --local-user don't expand groups.

Ensuring that the last key is the first one found would be perfect, but storing the newest key appear first seems brittle for a classic keyring, and I don't even know how to reorder them with a keybox keyring.

Replacing --default-key with --local-user might be an option (plus changing the library they use to support that [2]). I have digged a little on the code history, but I don't know why they went with --default-key, if they are equivalent for what they use it for or not.

The problem seems to lie on gpg, with --default-key behaving unlike other options.

I would be ok with a new parameter that controlled the behavior of --default-key (old/new way) if backwards compatibility is so important, but I don't really find compelling that the user expectation was really to have a matching yet invalid key (expired or revoked, I guess?) and also having on their keyring a non-expired or non-revoked one and not wanting to use those instead but a completely different default key, so as to need such switch.

1- https://github.com/bestpractical/rt/blob/stable/lib/RT/Crypt/GnuPG.pm
2- https://metacpan.org/pod/GnuPG::Interface has default_key[3] but I see no local_user
3- https://metacpan.org/pod/GnuPG::Options#default_key

ikloecker added a subscriber: ikloecker.Feb 6 2024, 8:42 AM

Quite frankly, if a third party application calls gpg with anything other than fingerprints to specify keys it's asking for trouble. I have changed KMail from using user IDs to using fingerprints when calling gpg more than 20 years ago.

The bug is clearly in Request Tracker and not in gpg. Either Request Tracker needs a way to specify the fingerprint or it needs a way to delete expired keys.

Angel added a comment.Feb 7 2024, 3:29 AM

Ingo, I concede it might be considered a bug on Request Tracker that it does not allow to specify the key as a fingerprint (or calculates it automatically from the email instead of relying on gpg doing it), but you generally want to keep expired keys around for decryption.

I have tried changing the expired key not to have any signing (sub)key, and that still confuses --default-key:

test-default-key_v4.sh1 KBDownload

werner triaged this task as Normal priority.Feb 7 2024, 9:21 AM
werner added a project: Feature Request.