Downgrade problem. (Jean-David Beyer)

Leigh S. Jones kr6x@kr6x.com
Tue Jun 4 05:38:01 2002


Thanks for the supportive words, but where David Shaw
is concerned I'll have to point out that I'm a neophyte with
gpg next to him, and need to absorb from him anything I
can learn.

----- Original Message -----
From: "Jean-David Beyer" <jdbeyer@exit109.com>
To: "GnuPG Users' List" <gnupg-users@gnupg.org>
Sent: Monday, June 03, 2002 7:32 PM
Subject: Re: Downgrade problem. (Jean-David Beyer)


> David Shaw wrote:
> > This is not correct.  There is no need to go through the trouble (and
> > danger) of making a special copy of the key with no passphrase,
> > disconnecting from the network, etc.
>
> I think Leigh S. Jones was showing that it could be done that way. I
> am not sure that his procedure would not work, nor do I really care.
> I believe he was trying to show me, in a round-about way, that I
> should just upgrade, which I have now done. Note especially his last
> line, emphasized by me with <---<<<
>
> Before upgrading from Red Hat 6.2 to 7.3, I made and verified three
> backup tapes of EVERYTHING on this machine, so I did not need to
> download 1.0.7; I simply restored the .gz from tape and did the
> usual things.
>
> There are a lot of uses, in addition to fumble-fingers and disk
> crashes, for good complete backups.
>
> > Just do this:
> >
> > 0) Make a backup of your keyrings.
> >
> > 1) On the 1.0.7 box:
> >    gpg --simple-sk-checksum --edit (keyid)
> >    Enter "passwd", and change your password to anything.  It does not
> >    have to be blank, and you can in fact "set" it to what it currently
> >    is.
> >
> > 2) On the 1.0.7 box:
> >    gpg --export-secret-key (keyid) > mykey.gpg
> >    gpg --export (keyid) >> mykey.gpg
> >
> >   (copy mykey.gpg to the new box)
> >
> > 3) On the 1.0.6 box:
> >    gpg --allow-secret-key-import --import mykey.gpg
> >
> > However, I wouldn't do it - rebuild 1.0.7, and use that. <---<<<
> >
> > David
> >
> > On Mon, Jun 03, 2002 at 04:36:28PM -0700, Leigh S. Jones, KR6X wrote:
> >
> >>You will need 1.0.7 to fix the problem.  If you chose to
> >>retain gpg 1.0.6, you will need to use someone's copy
> >>of 1.0.7 to fix your keyring before it can be used by
> >>1.0.6.
> >>
> >>To perform the fix, rename the existing keyring files
> >>and options files for safe keeping.  Next, transport the
> >>keyring files to be adjusted together with your options
> >>file onto the ~/.gnupg directory being used.  Next,
> >>temporarily disconnect the computer being used from
> >>the network, for security purposes.  Edit your options
> >>file, adding the line "simple-sk-checksum" at or near
> >>the end of the file.  Now use the command:
> >>
> >>gpg --edit-key <keyID>
> >>
> >>to start the key edit function of gpg.  At the Command>
> >>prompt enter "passwd".  Set your password to a zero
> >>length blank password. At the Command>
> >>prompt enter "save".  Do this once for each secret key
> >>on your keyring.  Now copy your keyring file to a floppy
> >>drive and keep it safe.  Blast away the copy of your
> >>options file (edited) and the (now insecure) keyrings
> >>on the workstation, and rename the "safe keeping" files
> >>to return the workstation to its original condition.
> >>Reconnect this machine to the network.  Take the
> >>keyring files back to your own version 1.0.6 machine.
> >>Disconnect it from the network before proceeding.
> >>Don't overwrite your existing (unusable) keyring files --
> >>rename them for now -- just to make sure you don't
> >>overwrite something you will need later.  On gpg1.0.6
> >>you won't need the simple-sk-checksum option added.
> >>Edit each of your secret keys to reintroduce your
> >>password in place of the blank password.  Test
> >>by signing a file to make sure the password is right
> >>on each of your secret keys.  When everything is shown
> >>to be working OK, reformat/wipe the floppy drive to
> >>blast away the insecure keyring files.  Now you can
> >>reconnect your computer to the network.
> >>
> >>Sounds like it would be easier to build 1.0.7 again,
> >>doesn't it?
> >>
> >>----- Original Message -----
> >>From: "David Shaw" <dshaw@jabberwocky.com>
> >>To: "GnuPG Users' List" <gnupg-users@gnupg.org>
> >>Sent: Monday, June 03, 2002 15:58
> >>Subject: Re: Downgrade problem.
> >>
> >>
> >>
> >>>On Mon, Jun 03, 2002 at 06:52:20PM -0400, Jean-David Beyer wrote:
> >>>
> >>>>I was running gnuPG 1.0.7 that I had compiled from scratch, and made
> >>>>my keys with it. I have since upgraded my OS from Red Hat Linux 6.2
> >>>>to R.H.L. 7.3 which has gnupg-1.0.6-5 on it. Nothing much works
> >>>>because it has trouble with the key rings.
> >>>>
> >>>>I suspect an incompatibility with the way the key rings are
> >>>>constructed. I further suspect that were I to download the latest
> >>>>(1.0.7, I suppose) and built it, that my existing key rings would
> >>>>resume operating? Are my suspicions correct, or is it likely to be a
> >>>>different problem?
> >>>
> >>>You are correct.  1.0.7 has a slightly different keyring format
> >>>(actually a problem in 1.0.6).
> >>
> >
>
>
>
> --
>   .~.  Jean-David Beyer           Registered Linux User 85642.
>   /V\                             Registered Machine    73926.
> /( )\ Shrewsbury, New Jersey     http://counter.li.org
> ^^-^^ 10:25pm up 6 days, 6 min, 2 users, load average: 5.30, 5.05, 4.86
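
Added example, not part of the original thread and not GnuPG code: a small Python check that reads an exported secret key file (such as the mykey.gpg from the steps quoted above) and reports how each secret key packet is protected. It assumes the format difference discussed here is the string-to-key usage octet defined in RFC 4880 (254 = SHA-1 hash, 255 = 16-bit checksum, the form --simple-sk-checksum selects); it handles only old-format packet headers and the RSA, ElGamal and DSA algorithm ids, and the function names and sample packet are constructed for illustration.

```python
# Public-key MPI count per OpenPGP algorithm id (RFC 4880, section 5.5.2).
PUBLIC_MPIS = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4, 20: 3}
MEANING = {0: "unprotected", 254: "SHA-1 hash", 255: "16-bit checksum"}


def packets(data):
    """Yield (tag, body) for each old-format, definite-length packet."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if hdr & 0xC0 != 0x80 or hdr & 0x03 == 3:
            raise ValueError("unsupported packet header at offset %d" % pos)
        size = 1 << (hdr & 0x03)             # length field is 1, 2 or 4 octets
        length = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
        pos += 1 + size
        yield (hdr >> 2) & 0x0F, data[pos:pos + length]
        pos += length


def s2k_usage(body):
    """Return the string-to-key usage octet that follows the public MPIs."""
    algo_at = 7 if body[0] in (2, 3) else 5  # v3 keys carry a 2-octet validity
    pos = algo_at + 1
    for _ in range(PUBLIC_MPIS[body[algo_at]]):
        bits = int.from_bytes(body[pos:pos + 2], "big")
        pos += 2 + (bits + 7) // 8           # skip the bit count and the MPI itself
    return body[pos]


def protection_report(data):
    """Return (tag, usage octet, meaning) per secret key (5) or subkey (7) packet."""
    report = []
    for tag, body in packets(data):
        if tag in (5, 7):
            usage = s2k_usage(body)
            report.append((tag, usage, MEANING.get(usage, "cipher id, 16-bit checksum")))
    return report


def sample_key(usage):
    """Constructed v4 RSA secret-key packet, truncated after the usage octet."""
    body = bytes([4, 0, 0, 0, 0, 1]) + b"\x00\x09\x01\x01" + b"\x00\x02\x03" + bytes([usage])
    return bytes([0x94, len(body)]) + body   # 0x94: old format, tag 5, 1-octet length


if __name__ == "__main__":
    for usage in (254, 255):
        print(protection_report(sample_key(usage)))
```

To check a real export, pass the file's bytes to protection_report(); a usage octet of 254 on any packet means that key is still in the SHA-1 protected form.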