
gpg: the validity of a secret key is changed by making a certification with it
Open, Needs Triage (Public)

Description

The first report of this issue was given on the forum with Gpg4win 4.4.1, see external link.
I tested now with the current 5.0 beta.

How to reproduce:

  • Create or import a secret key (here a cv25519 key; I haven't checked yet whether this is relevant).

Kleopatra shows the key as "certified", gpg --edit-key shows (output translated from German):

sec  ed25519/08F8682320DEDDB9
     created: 2023-03-08  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  cv25519/EFB23BB2F1DA0599
     created: 2023-03-08  expires: never       usage: E
[ultimate] (1). Conny-cv25519

  • Certify a public key with this secret key:

C:\Users\g10code.WIN-TEST3\Documents>gpg --lsign ted

pub  rsa3072/C5D6C919005F36A4
     created: 2023-03-08  expires: never       usage: SC
     trust: unknown       validity: unknown
sub  rsa3072/CD573B2B0736643A
     created: 2023-03-08  expires: never       usage: E
[ unknown] (1). Ted Tester <Ted.Tester@demo.gnupg.com>


pub  rsa3072/C5D6C919005F36A4
     created: 2023-03-08  expires: never       usage: SC
     trust: unknown       validity: unknown
      98111E67AE06F2BEFD2BDE10C5D6C919005F36A4

     Ted Tester <Ted.Tester@demo.gnupg.com>

Are you sure that you want to sign this key with your
key "Conny-cv25519" (08F8682320DEDDB9)

The signature will be marked as non-exportable.

Really sign? (y/N) y

Result: The secret key is now shown as "not certified" in Kleopatra, gpg --edit-key shows the validity as undefined:

sec  ed25519/08F8682320DEDDB9
     created: 2023-03-08  expires: never       usage: SC
     trust: ultimate      validity: undefined
ssb  cv25519/EFB23BB2F1DA0599
     created: 2023-03-08  expires: never       usage: E
[  undef ] (1). Conny-cv25519

Deleting the certified public key returns the validity of the secret key to ultimate.


Event Timeline

ebo created this object with edit policy "Contributor (Project)".

This is really weird behavior. It seems other secret keys in the keyring may also change to "undefined" validity when the certification is done with another key. And something about the key which is certified is important.
But it can also happen that it is enough to just import a secret key, without certifying anything with it, for it to be shown with "undefined" validity.

It looks like for this behavior to happen (that a secret key is shown with undefined validity) keyboxd is required.

Yesterday I was able to reproduce it once. But despite more than a dozen more tries yesterday and this morning, I could no longer replicate it. I tested on Unix, and one oddity was that I forgot to kill the keyboxd for a clean new test, and thus it could serve old keys even though the pubring.db had already been deleted (but the inode was still held open by keyboxd).

On the difference between unknown and undefined: unknown (value 0) is the initial value. If the trust computation works on such a key and does not have enough information to assign a trust value (validity), it sets the validity to unknown (value 2). Both values are handled more or less identically. To check what has been assigned, gpg --list-trustdb can be used and interpreted according to the description found in doc/DETAILS.
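A way to check the reproduction steps from the description, and the unknown/undefined distinction from the comment above, without reading the localized --edit-key listing: compare the machine-readable secret-key listing before and after the certification. This is an added example, not code from GnuPG, Kleopatra or the reporter. It relies only on `gpg --with-colons --list-secret-keys` and the field layout documented in doc/DETAILS (field 2 validity, field 5 long key ID, field 9 ownertrust, field 10 user ID). The two listings embedded below are constructed from the key IDs in the report; the creation timestamps and the user-ID hash are placeholders, and fpr/grp records are omitted. The `list_secret_keys` helper, which runs gpg, is only needed if you want to use the parser against a live keyring.

```python
"""Detect a secret key whose computed validity changed across a certification.

Added example for this report; not code from GnuPG, Kleopatra or the reporter.
Parses `gpg --with-colons --list-secret-keys` per the field layout in
doc/DETAILS so the comparison does not depend on gpg's locale.
"""
import subprocess
from typing import Dict, List, Optional, Tuple

# Field 2 (validity) of pub/sec/uid records, per doc/DETAILS. "-" (no value
# assigned) and "q" (undefined) are the two states the comment above discusses.
VALIDITY = {
    "o": "unknown (new key)", "i": "invalid", "d": "disabled", "r": "revoked",
    "e": "expired", "-": "unknown (no value assigned)", "q": "undefined",
    "n": "never", "m": "marginal", "f": "full", "u": "ultimate",
    "w": "well known", "s": "special",
}

KeyInfo = Dict[str, str]


def parse_secret_keys(colons: str) -> Dict[str, KeyInfo]:
    """Map each primary secret key (long key ID) to validity, ownertrust, user ID."""
    keys: Dict[str, KeyInfo] = {}
    current: Optional[str] = None
    for line in colons.splitlines():
        fields = line.split(":")
        rec = fields[0]
        if rec == "sec":                      # primary secret key record
            current = fields[4]               # field 5: long key ID
            keys[current] = {
                "validity": fields[1],        # field 2: computed validity
                "ownertrust": fields[8],      # field 9: ownertrust
                "uid": "",
            }
        elif rec == "uid" and current is not None and not keys[current]["uid"]:
            keys[current]["uid"] = fields[9]  # field 10: first user ID
        elif rec == "pub":                    # public-only key: ignore until next sec
            current = None
    return keys


def validity_changes(before: Dict[str, KeyInfo],
                     after: Dict[str, KeyInfo]) -> List[Tuple[str, str, str, str]]:
    """Keys whose validity code differs: (key ID, user ID, old, new), in words."""
    changes = []
    for keyid, old in before.items():
        new = after.get(keyid)
        if new is not None and new["validity"] != old["validity"]:
            changes.append((keyid, old["uid"],
                            VALIDITY.get(old["validity"], old["validity"]),
                            VALIDITY.get(new["validity"], new["validity"])))
    return changes


def list_secret_keys(homedir: Optional[str] = None) -> Dict[str, KeyInfo]:
    """Run gpg (must be on PATH) and parse its secret-key listing."""
    cmd = ["gpg", "--batch", "--with-colons", "--list-secret-keys"]
    if homedir:
        cmd[1:1] = ["--homedir", homedir]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_secret_keys(out)


# Constructed sample: the reporter's key before `gpg --lsign ted` (validity "u").
# Timestamps and the all-zero UID hash are placeholders, not values from the report.
BEFORE = """\
sec:u:255:22:08F8682320DEDDB9:1678233600:::u:::scESC:::+:::ed25519:::0:
uid:u::::1678233600::0000000000000000000000000000000000000000::Conny-cv25519::::::::::0:
ssb:u:255:18:EFB23BB2F1DA0599:1678233600::::::e:::+:::cv25519::
"""

# Constructed sample: the same listing after the certification. The validity
# (field 2) has dropped to "q" while the ownertrust (field 9) is still "u",
# matching the trust: ultimate / validity: undefined shown in the report.
AFTER = """\
sec:q:255:22:08F8682320DEDDB9:1678233600:::u:::scESC:::+:::ed25519:::0:
uid:q::::1678233600::0000000000000000000000000000000000000000::Conny-cv25519::::::::::0:
ssb:q:255:18:EFB23BB2F1DA0599:1678233600::::::e:::+:::cv25519::
"""

if __name__ == "__main__":
    for keyid, uid, old, new in validity_changes(parse_secret_keys(BEFORE),
                                                  parse_secret_keys(AFTER)):
        print(f"{keyid} ({uid}): validity changed from {old} to {new}")
```

To use this against a real reproduction, call `list_secret_keys(homedir)` once before the `--lsign` and once after it, and feed both results to `validity_changes`; a non-empty result is the symptom described in the report, and since the ownertrust is carried separately you can confirm it is only the computed validity that moved.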