
Kleopatra: a secret team key should always include all public key information
Testing, High, Public

Description

If, in the new "Save Secret Team Key" action, you choose that the team key users should only get the encryption subkey, the export includes only the main key and the public key for the included subkey. For example, it looks like this after import into another keyring:

C:\Users\g10code.WIN-TEST3\Documents>gpg -K cv25519
sec#  ed25519 2026-01-09 [CG] [expires: 2029-01-09]
      45B50EE5F6FCAF821B293C53440857D04B65BDDB
uid        [ ultimate ] team cv25519 <team.cv25519@gnupg.test>
ssb   cv25519 2026-01-09 [E] [expires: 2029-01-09]
      5771944DF5ECEB941339A5AAC95335816371CD5D

It should include the public key of the missing signing subkey, too.
Otherwise you cannot verify a signature made by the team key's original "copy":

Details

Version
Gpg4win-5.0.0-beta479

Event Timeline

ikloecker moved this task from Backlog to WIP on the gpd5x board.
ikloecker changed the task status from Open to Testing. Wed, Jan 14, 4:42 PM

Done.

If only the secret encryption subkey is exported and there is a signing subkey, then, in addition to the secret subkey export, a public export is added to the created file, i.e. the created file contains a PUBLIC KEY BLOCK and a PRIVATE KEY BLOCK. (With the next version of gpgme the public key block will contain only the primary key and the signing subkey. Currently, it is a full public key export of the team key.)

When importing such a combined secret subkey export + public export, Kleopatra will report that 2 certificates have been imported. That's because there are two separate key blocks and neither gpg nor Kleopatra consolidates the information.
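The consolidation that gpg and Kleopatra do not perform can be done on the exported file itself: de-armor each key block, walk the key packets, compute the v4 fingerprint of each one and merge by fingerprint, so that the primary key present in both blocks counts once and a subkey whose public part is missing (the reported bug) shows up as absent. The script below is an added example written for this page; it is neither Kleopatra's nor gpgme's code. It assumes v4 keys with RSA or ECC algorithms, treats an S2K specifier of type 101 followed by "GNU" and mode 1 as the GNU dummy stub that gpg lists as `sec#`, and does not parse signatures, so the S/E capability flags are not recovered (EdDSA versus ECDH stands in for them). The sample key blocks (`sample_full`, `sample_buggy`, `sample_fixed`) are constructed from fake curve points with no self-signatures and no CRC24 line; they are not the key from the report.

```python
# Added example: inspect an armored OpenPGP export and merge its key blocks by fingerprint.
import base64, hashlib, re, struct

ALGO = {1: "RSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

def dearmor(text):
    """Yield (block name, bytes) per armored block; armor headers and the CRC24 line are skipped."""
    for m in re.finditer(r"-----BEGIN PGP ([A-Z ]+)-----\r?\n(.*?)-----END PGP \1-----", text, re.S):
        lines = m.group(2).splitlines()
        while lines and lines[0].strip():          # "Version:" / "Comment:" lines
            lines.pop(0)
        yield m.group(1), base64.b64decode("".join(l for l in lines if l and l[0] != "="))

def packets(data):
    """Yield (tag, body); old-format and one/two-octet new-format lengths only."""
    i = 0
    while i < len(data):
        c, i = data[i], i + 1
        if c & 0x40:                                # new-format header
            tag, first, i = c & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            else:
                raise ValueError("unsupported length encoding")
        else:                                       # old-format header (what gpg writes for key packets)
            if c & 3 == 3:
                raise ValueError("indeterminate length")
            tag, n = (c >> 2) & 0x0F, 1 << (c & 3)
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def _mpi_end(body, i):
    return i + 2 + (struct.unpack(">H", body[i:i + 2])[0] + 7) // 8

def public_len(body):
    """Length of the public portion of a v4 key packet body, i.e. what the fingerprint covers."""
    if body[0] != 4:
        raise ValueError("only v4 keys handled")
    algo, i = body[5], 6
    if algo == 1:                                   # RSA: n, e
        i = _mpi_end(body, _mpi_end(body, i))
    elif algo in (18, 19, 22):                      # ECC: curve OID, point; ECDH adds KDF params
        i = _mpi_end(body, i + 1 + body[i])
        if algo == 18:
            i += 1 + body[i]
    else:
        raise ValueError(f"unsupported algorithm {algo}")
    return i

def fingerprint(pub):
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(pub)) + pub).hexdigest().upper()

def secret_kind(body, plen):
    """'plain', 'encrypted', or 'stub' for a GNU-dummy S2K (assumed layout; gpg shows it as sec#)."""
    usage = body[plen]
    if usage == 0:
        return "plain"
    if usage in (254, 255) and body[plen + 2] == 101 and body[plen + 4:plen + 7] == b"GNU":
        return "stub" if body[plen + 7] == 1 else "card"
    return "encrypted"

def consolidate(text):
    """Merge all key blocks of one file into {fingerprint: info}; a secret packet implies the public key."""
    keys = {}
    for _, data in dearmor(text):
        for tag, body in packets(data):
            if tag in (5, 6, 7, 14):                # secret key, public key, secret subkey, public subkey
                plen = public_len(body)
                info = keys.setdefault(fingerprint(body[:plen]),
                                       {"primary": tag in (5, 6), "algo": ALGO[body[5]], "secret": None})
                if tag in (5, 7):
                    info["secret"] = secret_kind(body, plen)
    return keys

def missing_subkeys(full_text, export_text):
    """Fingerprints of subkeys of the original key whose public part is absent from the export."""
    exported = consolidate(export_text)
    return sorted(fp for fp, k in consolidate(full_text).items() if not k["primary"] and fp not in exported)

# Constructed sample data: fake curve points, fixed creation time, no signatures, no CRC24 line.
ED25519_OID, CV25519_OID = bytes.fromhex("2b06010401da470f01"), bytes.fromhex("2b060104019755010501")
CREATED = struct.pack(">I", 1767916800)              # 2026-01-09

def _key_body(algo, label, secret=None):
    oid = ED25519_OID if algo == 22 else CV25519_OID
    pub = b"\x04" + CREATED + bytes([algo, len(oid)]) + oid + b"\x01\x00" + hashlib.sha256(label).digest()
    if algo == 18:
        pub += b"\x03\x01\x08\x07"                   # KDF params: SHA-256, AES-128
    if secret == "plain":                           # unprotected secret MPI + checksum placeholder
        return pub + b"\x00\x01\x00" + hashlib.sha256(label + b"/sec").digest() + b"\x00\x00"
    if secret == "stub":                            # GNU dummy: usage 255, algo 0, S2K type 101, hash, "GNU", mode 1
        return pub + b"\xff\x00\x65\x08GNU\x01"
    return pub

def _pkt(tag, body):
    return bytes([0x80 | (tag << 2), len(body)]) + body   # old-format header, one-octet length

def _armor(name, data):
    return f"-----BEGIN PGP {name}-----\n\n{base64.b64encode(data).decode()}\n-----END PGP {name}-----\n"

def sample_full():      # team key in the originating keyring: primary + signing subkey + encryption subkey
    return _armor("PRIVATE KEY BLOCK", _pkt(5, _key_body(22, b"primary", "plain"))
                  + _pkt(7, _key_body(22, b"sign", "plain")) + _pkt(7, _key_body(18, b"enc", "plain")))

def sample_buggy():     # what the reported export contained: stub primary + secret encryption subkey
    return _armor("PRIVATE KEY BLOCK", _pkt(5, _key_body(22, b"primary", "stub")) + _pkt(7, _key_body(18, b"enc", "plain")))

def sample_fixed():     # the fix: a PUBLIC KEY BLOCK (primary + signing subkey) in the same file
    return _armor("PUBLIC KEY BLOCK", _pkt(6, _key_body(22, b"primary")) + _pkt(14, _key_body(22, b"sign"))) + sample_buggy()
```

Running `missing_subkeys(sample_full(), sample_buggy())` returns the signing subkey's fingerprint, which is the reported defect; against `sample_fixed()` it returns an empty list, while `consolidate(sample_fixed())` yields three keys rather than the four key packets spread over two blocks, which is the merge that makes Kleopatra's "2 certificates" count collapse to one team key.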

ikloecker mentioned this in Unknown Object (Maniphest Task).Mon, Jan 19, 9:04 AM