
GnuPG: full-gen-key for kyber keys without passphrase will ask for passphrase twice
Open, Low, Public

Description

On full-gen-key for kyber keys without passphrase, the empty passphrase needs to be entered twice (two pinentry dialogs).
This might lead to one key without and the other with passphrase (not sure if that's a problem).
If a non-empty passphrase was entered the first time, no second pinentry shows up (so I think this is a bug for empty ones).

To reproduce:

>gpg -v --full-gen-key
Please select what kind of key you want: 16
Please select the Kyber variant you want: 1 (default)
[...]
gpg: pinentry launched (1660 qt 1.3.2 - - - - 0/0 -)
-> OK (no passphrase), protection not needed
gpg: pinentry launched (2836 qt 1.3.2 - - - - 0/0 -)

Version:

>gpg -v --version
gpg (GnuPG) 2.5.14
libgcrypt 1.11.2

Details

Version
gpg4win-5.0.0-beta413 / gpg (GnuPG) 2.5.14 @ win11
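To check whether the primary key and the Kyber subkey actually ended up with the same protection state after such a run, here is an added helper (not part of the ticket or of GnuPG itself) that parses gpg-agent's KEYINFO replies. It assumes the reply layout `S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr> <ttl> <flags>` with `P` (passphrase-protected), `C` (clear) or `-` (unknown) in the protection field, and `check_key` assumes `gpg` and `gpg-connect-agent` are on PATH.

```shell
#!/bin/sh
# Added example, not from the GnuPG ticket: report whether all secret key
# parts (primary key and Kyber subkey) share one protection state.
# Assumed KEYINFO reply layout (gpg-agent):
#   S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr> <ttl> <flags>
# so the protection flag is awk field 8: P = passphrase, C = clear, - = unknown.

# protection_of LINE -> prints the protection flag of one "S KEYINFO" line.
protection_of() {
    printf '%s\n' "$1" | awk '$2 == "KEYINFO" { print $8 }'
}

# consistent TEXT -> exit 0 if every KEYINFO line in TEXT has the same
# protection flag, 1 if they differ (e.g. primary P but subkey C) or if
# TEXT holds no KEYINFO line at all.
consistent() {
    printf '%s\n' "$1" | awk '
        $2 == "KEYINFO" { seen[$8] = 1; n++ }
        END { c = 0; for (k in seen) c++
              if (n > 0 && c == 1) exit 0; else exit 1 }'
}

# check_key FINGERPRINT -> collects the keygrips of a real secret key and
# asks gpg-agent about each one (requires gpg and gpg-connect-agent).
check_key() {
    grips=$(gpg --batch --with-colons --with-keygrip --list-secret-keys "$1" \
        | awk -F: '$1 == "grp" { print $10 }')
    out=""
    for g in $grips; do
        out="$out
$(gpg-connect-agent "KEYINFO $g" /bye | grep '^S KEYINFO')"
    done
    consistent "$out"
}
```

A mixed result (one `P`, one `C`) is exactly the half-protected key the description worries about; a single state for every keygrip means both parts were treated the same.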

Event Timeline

timegrid created this object with edit policy "Contributor (Project)".
werner added projects: Feature Request, PQC.

That is a feature, not a bug. It also makes sense if your threat model is store-traffic-now-decrypt-later. If you can get the key you will also be able to get the cleartext. And nobody can remember a passphrase on par with the claimed Kyber security level.