Page MenuHome GnuPG
Create Task
Maniphest T7892

keyboxd: subkey listing issue with ADSKs
Open, HighPublic
Actions

Description

(This is most easily reproduced via Kleopatra but it works the same on the cli with gpg alone)

How to reproduce:

  • Configure an ADSK (via gpg.conf)
  • Import the public key of the ADSK
C:\Users\g10code.WIN-TEST3>gpg -k CC5274CB8072E9778DADD15BCD573B2B0736643A
pub   rsa3072 2023-03-08 [SC]
      98111E67AE06F2BEFD2BDE10C5D6C919005F36A4
uid        [ unbekannt ] Ted Tester <Ted.Tester@demo.gnupg.com>
sub   rsa3072 2023-03-08 [E]
      CC5274CB8072E9778DADD15BCD573B2B0736643A
  • Create a new keypair, which then has the ADSK as additional encryption subkey
C:\Users\g10code.WIN-TEST3>gpg -k CC5274CB8072E9778DADD15BCD573B2B0736643A
gpg: error reading key: Unbrauchbarer öffentlicher Schlüssel

-> So it looks like keyboxd can not handle a subkey present in more than one keypair.

  • Delete the newly generated key again
C:\Users\g10code.WIN-TEST3>gpg -k CC5274CB8072E9778DADD15BCD573B2B0736643A
gpg: error reading key: Kein öffentlicher Schlüssel

-> And here it seems that deleting such a subkey completly deletes the subkey from pubring.db
Although the subkey is still listed when searching by UID or listing the whole keyring, so maybe "only" finding it via the fingerprint is broken?

C:\Users\g10code.WIN-TEST3>gpg -k
[keyboxd]
---------
pub   rsa3072 2023-03-08 [SC]
      98111E67AE06F2BEFD2BDE10C5D6C919005F36A4
uid        [ unbekannt ] Ted Tester <Ted.Tester@demo.gnupg.com>
sub   rsa3072 2023-03-08 [E]
      CC5274CB8072E9778DADD15BCD573B2B0736643A

Reimporting the pubkey does not change anything, still error "no public key".

This is purely a keyboxd issue, I removed "use keyboxd" from common.conf and did the same steps again, which worked perfectly, the pubkey could always be found.

Details

Version
Gpg4win-5.0.0-beta395

Revisions and Commits

rG GnuPG
rGf6237ccd313a gpg: New import option "force-update"
rG0cc7759ed5a3 kbx: Fix schema of the fingerprint table.
rG5bcf5f57b863 gpg: Include ADSK keys in a key listing with fingerprints.

Related Objects

Event Timeline

ebo created this task.Oct 29 2025, 3:40 PM
ebo created this object with edit policy "Contributor (Project)".
ebo updated the task description. (Show Details)
ebo updated the task description. (Show Details)Oct 29 2025, 3:51 PM
ebo removed a project: kleopatra.
werner triaged this task as High priority.Nov 3 2025, 9:52 AM
werner added projects: keyboxd, Bug Report.
werner added a subscriber: werner.

It is not an ADSK issue. The problem is that the new subkey has not been entered into the fingerprint table and can thus not be found.

werner renamed this task from keyboxd: subkey issue connected to ADSK to keyboxd: a new subkey is sometimes not stored in the fingerprint table..Nov 3 2025, 9:54 AM
ebo added a project: gnupg26.Nov 17 2025, 12:09 PM
werner added a commit: rG5bcf5f57b863: gpg: Include ADSK keys in a key listing with fingerprints..Tue, Nov 18, 12:11 PM
werner changed the task status from Open to Testing.Tue, Nov 18, 5:29 PM
werner moved this task from Backlog to WIP on the gnupg26 board.
werner added a commit: rG0cc7759ed5a3: kbx: Fix schema of the fingerprint table..Tue, Nov 18, 5:29 PM
werner added a commit: rGf6237ccd313a: gpg: New import option "force-update".
werner mentioned this in T7940: Release GnuPG 2.5.15.Wed, Nov 19, 5:37 PM
werner mentioned this in T7869: Release GnuPG 2.5.14.Wed, Nov 19, 5:40 PM
werner moved this task from WIP to QA on the gnupg26 board.Wed, Nov 19, 5:44 PM
ebo changed the task status from Testing to Open.EditedTue, Dec 16, 11:57 AM

Tested with Gpg4win-5.0.0-beta446, identically to the procedure from the description:

[…]

  • Create a new keypair, which then has the ADSK as additional encryption subkey:
C:\Users\g10code.WIN-TEST3>gpg -k CC5274CB8072E9778DADD15BCD573B2B0736643A
pub   ed25519 2025-12-16 [SC] [verfällt: 2028-12-16]
      15E9584470DDDED30DE2D744DC72257CC6D4D20B
uid        [ ultimativ ] g10code_withADSK
sub   cv25519 2025-12-16 [E] [verfällt: 2028-12-16]
      35B2CB806F2B9F051A30D117C434CFD43C77F364
sub   rsa3072 2023-03-08 [R]
      CC5274CB8072E9778DADD15BCD573B2B0736643A

Seems OK at first, but only the new key is listed, not the ADSK Origin key.

  • Delete the newly generated key again
C:\Users\g10code.WIN-TEST3>gpg -k CC5274CB8072E9778DADD15BCD573B2B0736643A

that is: no output. Although the ADSK origin key (Ted) is still there.

Only after deleting it and importing it again is it again listet with the above command line.

ebo added a comment.Tue, Dec 16, 12:23 PM

The expected behavior is that only "Ted" (the key from where the ADSK originates) is listed, regardless of ADSKs, on every listing.
Because for regular keys there can only ever be one, "gpg -k" shows always only one key.
Subkeys which are ADSKs shall therefore never be listed with this command.

ebo moved this task from QA to Backlog on the gnupg26 board.Tue, Dec 16, 12:25 PM

This relates to T7917: Check for revocation of the ADSK's original subkey

ebo renamed this task from keyboxd: a new subkey is sometimes not stored in the fingerprint table. to keyboxd: subkey listing issue with ADSKs.Tue, Dec 16, 12:28 PM