
IPC error on batch import of secret kyber cert
Open, High, Public

Description

Importing a secret kyber cert results in an IPC error (only seen in audit log, no error communicated on import):

The secret subkey is not imported though:

  • Import of "Backup Secret Keys" file

  • Import of "Save Team Key" file with signing key

To reproduce (applies to non team keys, too, but team keys have more options to test):

  1. Create a new openpgp key pair (kyber, team, no passphrase)
  2. Export the secret cert
    1. via "Backup Secret Keys"
    2. via "Save Secret Team Key" with signing key
    3. via "Save Secret Team Key" without signing key
  3. Kill processes and delete the gpghome folder
  4. Import one of the exported files
  5. Confirm ownership
  6. Check the audit log -> IPC parameter error

Note: Import via gpg cli does work as expected.

gpg.log (ipc)

[...]
2026-01-13 12:18:58 gpg[8984] DBG: chan_0x0000000000000270 -> SETKEYDESC Please+enter+the+passphrase+to+import+the+OpenPGP+secret+key:%0A%22team+kyber+<team.kyber@gnupg.test>%22%0A768-bit+Kyber+key,+ID+51902D21C77ADE21,%0Acreated+2026-01-13+(main+key+ID+9499F81486CBBEDE).%0A
2026-01-13 12:18:58 gpg[8984] DBG: chan_0x0000000000000270 <- OK
2026-01-13 12:18:58 gpg[8984] DBG: chan_0x0000000000000270 -> IMPORT_KEY --timestamp=20260113T103149 --unattended --mode1003
2026-01-13 12:18:58 gpg[8984] DBG: chan_0x0000000000000270 <- INQUIRE KEYDATA
2026-01-13 12:18:58 gpg[8984] DBG: chan_0000000000000270 -> [ 44 20 08 0b 62 cc 21 17 a3 54 5f 5f 01 a1 88 b7 ...(982 byte(s) skipped) ]
2026-01-13 12:18:58 gpg[8984] DBG: chan_0000000000000270 -> [ 44 20 1a 46 9b 13 44 4c 03 10 a7 ae 38 4d a1 da ...(982 byte(s) skipped) ]
2026-01-13 12:18:58 gpg[8984] DBG: chan_0000000000000270 -> [ 44 20 ea 35 ef a8 1a 39 31 9e 90 fd 06 d0 82 fd ...(982 byte(s) skipped) ]
2026-01-13 12:18:58 gpg[8984] DBG: chan_0000000000000270 -> [ 44 20 e3 25 30 41 72 17 d0 c0 f0 0c 9a ff 22 ac ...(930 byte(s) skipped) ]
2026-01-13 12:18:58 gpg[8984] DBG: chan_0x0000000000000270 -> END

2026-01-13 12:18:58 gpg[8984] DBG: chan_0x0000000000000270 <- ERR 67109144 IPC parameter error <GPG Agent> - "--unattended" may only be used with OpenPGP keys
2026-01-13 12:18:58 gpg[8984] key 9499F81486CBBEDE/51902D21C77ADE21: error sending to agent: IPC parameter error

2026-01-13 12:18:58 gpg[8984] DBG: chan_0x0000000000000270 -> SETKEYDESC Please+enter+the+passphrase+to+import+the+OpenPGP+secret+key:%0A%22team+kyber+<team.kyber@gnupg.test>%22%0A256-bit+ECDSA+key,+ID+F7FAEAA9D30009D1,%0Acreated+2026-01-13+(main+key+ID+9499F81486CBBEDE).%0A
2026-01-13 12:18:58 gpg[8984] DBG: chan_0x0000000000000270 <- OK
2026-01-13 12:18:58 gpg[8984] DBG: chan_0x0000000000000270 -> IMPORT_KEY --timestamp=20260113T103150 --unattended
2026-01-13 12:18:58 gpg[8984] DBG: chan_0x0000000000000270 <- INQUIRE KEYDATA
2026-01-13 12:18:58 gpg[8984] DBG: chan_0000000000000270 -> [ 44 20 4e 64 59 91 44 25 32 35 08 1b 39 5e 37 fd ...(244 byte(s) skipped) ]
2026-01-13 12:18:58 gpg[8984] DBG: chan_0x0000000000000270 -> END
2026-01-13 12:18:58 gpg[8984] DBG: chan_0x0000000000000270 <- OK
2026-01-13 12:18:58 gpg[8984] key 9499F81486CBBEDE/F7FAEAA9D30009D1: secret key imported
2026-01-13 12:18:58 gpg[8984] key 9499F81486CBBEDE: secret key imported
2026-01-13 12:18:58 gpg[8984] Total number processed: 1
2026-01-13 12:18:58 gpg[8984]               imported: 1
2026-01-13 12:18:58 gpg[8984]       secret keys read: 1
2026-01-13 12:18:58 gpg[8984]   secret keys imported: 1
2026-01-13 12:18:58 gpg[8984] DBG: chan_0x00000000000000e0 -> BYE
2026-01-13 12:18:58 gpg[8984] secmem usage: 0/32768 bytes in 0 blocks
[...]

Importing the "Save Team Key" file without signing key results in no secret key and shows a different ipc parameter error:

gpg.log (ipc)

[...]
2026-01-13 12:34:17 gpg[6168] DBG: chan_0x0000000000000260 -> SETKEYDESC Please+enter+the+passphrase+to+import+the+OpenPGP+secret+key:%0A%22team+kyber+<team.kyber@gnupg.test>%22%0A768-bit+Kyber+key,+ID+51902D21C77ADE21,%0Acreated+2026-01-13+(main+key+ID+9499F81486CBBEDE).%0A
2026-01-13 12:34:17 gpg[6168] DBG: chan_0x0000000000000260 <- OK
2026-01-13 12:34:17 gpg[6168] DBG: chan_0x0000000000000260 -> IMPORT_KEY --timestamp=20260113T103149 --unattended --mode1003
2026-01-13 12:34:17 gpg[6168] DBG: chan_0x0000000000000260 <- INQUIRE KEYDATA
2026-01-13 12:34:17 gpg[6168] DBG: chan_0000000000000260 -> [ 44 20 ac 39 24 f4 c7 bc 25 30 44 09 90 78 fd c8 ...(982 byte(s) skipped) ]
2026-01-13 12:34:17 gpg[6168] DBG: chan_0000000000000260 -> [ 44 20 15 5e 6c 89 06 43 96 45 70 1c 17 1b 54 8c ...(982 byte(s) skipped) ]
2026-01-13 12:34:17 gpg[6168] DBG: chan_0000000000000260 -> [ 44 20 b6 92 65 7f 3a df 12 8a 6e a3 ab e1 e3 3c ...(982 byte(s) skipped) ]
2026-01-13 12:34:17 gpg[6168] DBG: chan_0000000000000260 -> [ 44 20 d4 3e b7 46 ed 13 eb 9c d3 b6 da 97 77 16 ...(904 byte(s) skipped) ]
2026-01-13 12:34:17 gpg[6168] DBG: chan_0x0000000000000260 -> END

2026-01-13 12:34:17 gpg[6168] DBG: chan_0x0000000000000260 <- ERR 67109144 IPC parameter error <GPG Agent> - "--unattended" may only be used with OpenPGP keys
2026-01-13 12:34:17 gpg[6168] key 9499F81486CBBEDE/51902D21C77ADE21: error sending to agent: IPC parameter error
2026-01-13 12:34:17 gpg[6168] error reading '-&12': IPC parameter error
2026-01-13 12:34:17 gpg[6168] import from '-&12' failed: IPC parameter error

2026-01-13 12:34:17 gpg[6168] Total number processed: 0
2026-01-13 12:34:17 gpg[6168]               imported: 1
2026-01-13 12:34:17 gpg[6168]       secret keys read: 1
2026-01-13 12:34:17 gpg[6168] DBG: chan_0x0000000000000250 -> BYE
2026-01-13 12:34:17 gpg[6168] secmem usage: 0/32768 bytes in 0 blocks
[...]

Details

Version
gpg4win-5.0.0-beta479 @ win11
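
An added example, not part of the original report or of GnuPG's code: because the failure above shows up only in the log, this script pairs each IMPORT_KEY command that gpg sends to gpg-agent with the agent's OK/ERR reply and lists the subkeys whose secret part was rejected. The sample lines are abbreviated from the gpg.log excerpt above; the function name audit_import is hypothetical.

```python
import re
# Constructed sample: lines abbreviated from the gpg.log excerpt in this report.
SAMPLE_LOG = """\
2026-01-13 12:18:58 gpg[8984] DBG: chan_0x0000000000000270 -> IMPORT_KEY --timestamp=20260113T103149 --unattended --mode1003
2026-01-13 12:18:58 gpg[8984] DBG: chan_0x0000000000000270 <- INQUIRE KEYDATA
2026-01-13 12:18:58 gpg[8984] DBG: chan_0x0000000000000270 -> END
2026-01-13 12:18:58 gpg[8984] DBG: chan_0x0000000000000270 <- ERR 67109144 IPC parameter error <GPG Agent> - "--unattended" may only be used with OpenPGP keys
2026-01-13 12:18:58 gpg[8984] key 9499F81486CBBEDE/51902D21C77ADE21: error sending to agent: IPC parameter error
2026-01-13 12:18:58 gpg[8984] DBG: chan_0x0000000000000270 -> IMPORT_KEY --timestamp=20260113T103150 --unattended
2026-01-13 12:18:58 gpg[8984] DBG: chan_0x0000000000000270 <- INQUIRE KEYDATA
2026-01-13 12:18:58 gpg[8984] DBG: chan_0x0000000000000270 -> END
2026-01-13 12:18:58 gpg[8984] DBG: chan_0x0000000000000270 <- OK
2026-01-13 12:18:58 gpg[8984] key 9499F81486CBBEDE/F7FAEAA9D30009D1: secret key imported
"""

LINE = re.compile(r"^\S+ \S+ gpg\[(?P<pid>\d+)\] (?P<msg>.*)$")
ASSUAN = re.compile(r"^DBG: chan_(?:0x)?(?P<chan>[0-9a-fA-F]+) (?P<dir>->|<-) (?P<body>.*)$")
KEY_ERR = re.compile(r"^key (?P<main>[0-9A-F]+)/(?P<sub>[0-9A-F]+): error sending to agent: .*$")
KEY_OK = re.compile(r"^key (?P<main>[0-9A-F]+)/(?P<sub>[0-9A-F]+): secret key imported$")

def audit_import(log_text):
    """Return (failed, imported): per-subkey results of IMPORT_KEY exchanges."""
    pending = {}  # (pid, channel) -> IMPORT_KEY line still waiting for OK/ERR
    last = {}     # pid -> (IMPORT_KEY line, agent reply) of the latest finished exchange
    failed, imported = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"].strip()
        a = ASSUAN.match(msg)
        if a:
            key = (pid, a["chan"].lstrip("0"))  # logs print the channel with and without 0x
            body = a["body"]
            if a["dir"] == "->" and body.startswith("IMPORT_KEY"):
                pending[key] = body
            elif a["dir"] == "<-" and key in pending and (body == "OK" or body.startswith(("OK ", "ERR "))):
                last[pid] = (pending.pop(key), body)  # INQUIRE lines are skipped
            continue
        e = KEY_ERR.match(msg)
        if e:  # gpg's own message names the subkey the agent just refused
            command, reply = last.get(pid, ("", ""))
            failed.append({"key": e["main"], "subkey": e["sub"], "command": command, "agent_reply": reply})
            continue
        k = KEY_OK.match(msg)
        if k:
            imported.append(k["sub"])
    return failed, imported
```

A non-empty failed list after a restore means at least one secret subkey is missing from the new home directory, even if the import dialog reported success.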

Event Timeline

timegrid triaged this task as Normal priority. (Tue, Jan 13, 12:46 PM)
timegrid created this task.
timegrid created this object with edit policy "Contributor (Project)".
timegrid raised the priority of this task from Normal to High. (Tue, Jan 13, 1:32 PM)

gpgme.log (import of normal non team key kyber cert):

gpgme.log (import of kyber team key with signing key):

gpgme.log (import of kyber team key without signing key):

Screenshots of different imports:

  • kyber key (via "Backup Secret Key")
  • kyber team key
    • via "Backup Secret Key"
    • via "Save Team Key" with signing key
    • via "Save Team Key" without signing key

Importing the same files via cli does work:

  • kyber key (via "Backup Secret Key")
  • kyber team key
    • via "Backup Secret Key"
    • via "Save Team Key" with signing key
    • via "Save Team Key" without signing key

These are the export files I used:

  • kyber key (via "Backup Secret Key")

  • kyber team key
    • via "Backup Secret Key"

  • via "Save Team Key" with signing key

  • via "Save Team Key" without signing key

@werner: gpg fails to batch import secret Kyber keys:

$ GNUPGHOME=/home/ingo/dev/g10/.gnupghomes/empty gpg --batch --import --verbose ~/dev/g10/testdata/exported/Kyber768_0xDD89C34EF2B69576_SECRET.asc 
gpg: WARNING: unsafe permissions on homedir '/home/ingo/dev/g10/.gnupghomes/empty'
gpg: enabled compatibility flags:
gpg: sec  brainpoolP256r1/DD89C34EF2B69576 2024-11-14  Kyber768 <kyber768@example.net>
gpg: using pgp trust model
gpg: key DD89C34EF2B69576: public key "Kyber768 <kyber768@example.net>" imported
gpg: key DD89C34EF2B69576/DD89C34EF2B69576: secret key imported
gpg: key DD89C34EF2B69576/D07DD3BF9F1AAF4F: error sending to agent: IPC parameter error
gpg: error reading '/home/ingo/dev/g10/testdata/exported/Kyber768_0xDD89C34EF2B69576_SECRET.asc': IPC parameter error
gpg: import from '/home/ingo/dev/g10/testdata/exported/Kyber768_0xDD89C34EF2B69576_SECRET.asc' failed: IPC parameter error
gpg: Total number processed: 0
gpg:               imported: 1
gpg:       secret keys read: 1

$ GNUPGHOME=/home/ingo/dev/g10/.gnupghomes/empty gpg -K
gpg: WARNING: unsafe permissions on homedir '/home/ingo/dev/g10/.gnupghomes/empty'
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
/home/ingo/dev/g10/.gnupghomes/empty/pubring.kbx
------------------------------------------------
sec   brainpoolP256r1 2024-11-14 [SC] [expires: 2027-11-14]
      B6326DBDB654BF6B39005EFFDD89C34EF2B69576
uid           [ unknown] Kyber768 <kyber768@example.net>
ssb#  ky768_bp256 2024-11-14 [E] [expires: 2027-11-14]
      D07DD3BF9F1AAF4F165BCBC6B091FC28749EEB22E3F8FCDD58BAF25488711C45

Fixed by allowing "unattended" also for composite keys:

diff --git a/agent/command.c b/agent/command.c
index 21c95203c..da332923a 100644
--- a/agent/command.c
+++ b/agent/command.c
@@ -2948,7 +2948,7 @@ cmd_import_key (assuan_context_t ctx, char *line)
       goto leave;
     }
 
-  if (opt_unattended && keydata_type != KEYDATA_PGP_TRANSFER)
+  if (opt_unattended && keydata_type != KEYDATA_PGP_TRANSFER && keydata_type != KEYDATA_COMPOSITE)
     {
       err = set_error (GPG_ERR_ASS_PARAMETER,
                        "\"--unattended\" may only be used with OpenPGP keys");
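
Review bot: The error text in the unchanged set_error call below the changed condition still reads "--unattended" may only be used with OpenPGP keys, while the condition now also accepts KEYDATA_COMPOSITE; if composite key data is not covered by "OpenPGP keys" in this code base's terminology, the message should name both accepted types so the log stays accurate. The new condition line also runs well past 80 columns and should be wrapped after the second &&. The hunk does not show what the unattended branch does further down in cmd_import_key, so please confirm that path handles KEYDATA_COMPOSITE input and does not assume the KEYDATA_PGP_TRANSFER layout.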

Or maybe gpg shouldn't use the --unattended option when sending secret composite keys to gpg-agent.

ikloecker renamed this task from "Kleopatra: IPC error on import of secret kyber cert" to "IPC error on batch import of secret kyber cert". (Thu, Jan 15, 10:38 AM)