Trouble importing secret subkeys

Mikael "MMN-o" Nordfeldth mmn at hethane.se
Tue Mar 25 15:27:16 CET 2014


On 2014-03-25 14:30, Daniel Kahn Gillmor wrote:
> On 03/25/2014 07:38 AM, Mikael Nordfeldth wrote:
>> The problem I experience is when importing back the 'pubkeys' and
>> 'subkeys' files (see Debian guide):
> 
> Hm, i just ran through the instructions at
> https://wiki.debian.org/Subkeys with a dummy/test user, and they seemed
> to work for me.  so something else is going on.

Thanks for trying it out. Yes, I can also do this without problems using
a newly generated keypair, just not with my B52E9B31 subkeys.

What I've tried since I sent my question is attempting to use a full secret
export, i.e. --export-secret-keys vs. --export-secret-subkeys. Also I
have tried importing the 'pubkeys' files first, and the 'subkeys' in a
second run. Both methods had the same problem as before ("no user ID",
resulting in no secret keys being imported).

> can you show the output of "gpg --list-packets < subkeys" or "pgpdump <
> subkeys" ?

Because I wasn't entirely sure what the "begin of digest" bytes really
imply, I replaced them with XX. But I guess the data in the signature
packets are pretty public, right?

Anyhow, output with redacted IVs and salts from the subkeys (the master
key is, following the --export-secret-subkeys command, a dummy):

"""
$ gpg --list-packets < subkeys
:secret key packet:
	version 4, algo 1, created 1323359625, expires 0
	skey[0]: [4096 bits]
	skey[1]: [17 bits]
	gnu-dummy S2K, algo: 3, SHA1 protection, hash: 2
	protect IV:
	keyid: C7CE635BB52E9B31
:secret sub key packet:
	version 4, algo 1, created 1383649687, expires 0
	skey[0]: [4096 bits]
	skey[1]: [17 bits]
	[...redacted iter+salt and protect (count|IV) lines...]
	encrypted stuff follows
	keyid: AED68932ED2C0D84
:signature packet: algo 1, keyid C7CE635BB52E9B31
	version 4, created 1383649687, md5len 0, sigclass 0x18
	digest algo 2, begin of digest XX XX
	hashed subpkt 2 len 4 (sig created 2013-11-05)
	hashed subpkt 27 len 1 (key flags: 02)
	hashed subpkt 9 len 4 (key expires after 1y355d0h0m)
	subpkt 16 len 8 (issuer key ID C7CE635BB52E9B31)
	subpkt 32 len 540 (signature: v4, class 0x19, algo 1, digest algo 2)
	data: [4095 bits]
:secret sub key packet:
	version 4, algo 1, created 1383649893, expires 0
	skey[0]: [4096 bits]
	skey[1]: [17 bits]
	[...redacted iter+salt and protect (count|IV) lines...]
	encrypted stuff follows
	keyid: C1DAD4F249ABFC0A
:signature packet: algo 1, keyid C7CE635BB52E9B31
	version 4, created 1383649893, md5len 0, sigclass 0x18
	digest algo 2, begin of digest XX XX
	hashed subpkt 2 len 4 (sig created 2013-11-05)
	hashed subpkt 27 len 1 (key flags: 0C)
	hashed subpkt 9 len 4 (key expires after 1y355d0h0m)
	subpkt 16 len 8 (issuer key ID C7CE635BB52E9B31)
	data: [4095 bits]
"""

If I failed to redact something that may be sensitive, I would be happy
to be informed. But I assume the creation times, signature packets etc.
aren't sensitive.


Also: One thing I noticed is that my output from 'gpg -K' for the master
keyring (which I'm exporting from) only has one UID (the JPEG photo),
but not the primary UID 'Mikael "MMN-o" Nordfeldth <mmn at hethane.se>'
which is listed when using the '--edit-key' argument.

$ gpg -K
/home/mmn/.gnupg/secring.gpg
----------------------------
sec   4096R/B52E9B31 2011-12-08 [expires: 2018-02-28]
uid                  [jpeg image of size 3372]
ssb   4096R/D1AC8558 2013-11-05
ssb   4096R/412DC5E3 2013-11-05
ssb   4096R/ED2C0D84 2013-11-05
ssb   4096R/49ABFC0A 2013-11-05

If this lack of UID in the list is related, how can I include my primary
UID with the export? Why is it excluded at all?
(all I found in the man-page was export-options and how to explicitly
allow attribute UIDs, which makes me assume all "normal" UIDs should be
included by default on export).

-- 
Mikael "MMN-o" Nordfeldth
XMPP/mail: mmn at hethane.se
http://blog.mmn-o.se/
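
As an added example (not part of the original post and not GnuPG code), this Python check parses `gpg --list-packets` text and reports whether the stream contains a user ID packet, which the listing as posted does not show. The sample text is constructed and abridged from that listing; `summarize` and `diagnose` are hypothetical names.

```python
import re

# Constructed, abridged `gpg --list-packets` text shaped like the posted listing.
EXPORT_WITHOUT_UID = """\
:secret key packet:
    version 4, algo 1, created 1323359625, expires 0
    gnu-dummy S2K, algo: 3, SHA1 protection, hash: 2
    keyid: C7CE635BB52E9B31
:secret sub key packet:
    version 4, algo 1, created 1383649687, expires 0
    keyid: AED68932ED2C0D84
:signature packet: algo 1, keyid C7CE635BB52E9B31
    version 4, created 1383649687, md5len 0, sigclass 0x18
"""
# Constructed counter-example: the same stream with a user ID packet added.
EXPORT_WITH_UID = EXPORT_WITHOUT_UID.replace(
    ":secret sub", ':user ID packet: "Test User <test@example.org>"\n:secret sub', 1)

HEADER = re.compile(r"^:(.+?) packet:")  # e.g. ":secret sub key packet:"

def summarize(listing):
    """Return packet order, primary key id, dummy flag, UID count and subkey ids."""
    packets = []
    for line in listing.splitlines():
        m = HEADER.match(line)
        if m:
            packets.append({"type": m.group(1).lower(), "keyid": None, "dummy": False})
        elif packets and line.strip().startswith("keyid:"):
            packets[-1]["keyid"] = line.split(":", 1)[1].strip()
        elif packets and line.strip().startswith("gnu-dummy"):
            packets[-1]["dummy"] = True  # secret material was stripped from this key
    order = [p["type"] for p in packets]
    primary = next((p for p in packets if p["type"] in ("secret key", "public key")), None)
    return {"order": order, "primary": primary and primary["keyid"],
            "primary_is_dummy": bool(primary and primary["dummy"]),
            "user_ids": order.count("user id"),
            "subkeys": [p["keyid"] for p in packets if p["type"].endswith("sub key")]}

def diagnose(listing):
    """List structural gaps: missing primary, missing user ID, unbound subkey."""
    s, findings = summarize(listing), []
    if not any(kind in ("secret key", "public key") for kind in s["order"]):
        findings.append("no primary key packet")
    if s["user_ids"] == 0:
        findings.append("no user ID packet")
    for i, kind in enumerate(s["order"]):
        if kind.endswith("sub key") and s["order"][i + 1:i + 2] != ["signature"]:
            findings.append("subkey without a following signature packet")
    return findings
```

To run it on a real export, pass the text of `gpg --list-packets < subkeys` to `diagnose`.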
