[Pkg-gnupg-maint] Bug#772780: gnupg: "out of secure memory" even with only 4096-RSA keys when using addkey in --edit-key interface

David Z unimportantdavidz at gmail.com
Thu Dec 11 01:05:19 UTC 2014


Package: gnupg
Version: 1.4.12-7+deb7u6
Severity: important
Tags: upstream

Created a new keypair today. Was unable to add a subkey, even though all keys
involved are within expected limits (4096 bit RSA).

Dies at:

gpg: writing key binding signature
gpg: out of secure memory while allocating 1024 bytes
gpg: (this may be caused by too many secret keys used simultaneously or due to
excessive large key sizes)

This has occurred in all of my attempts today, with multiple fresh testing
keys, though I recall performing this action at least somewhat recently with
success. Full output:


$ gpg --gen-key
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want for the subkey? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 8y
Key expires at Thu 08 Dec 2022 07:50:01 PM EST
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh at duesseldorf.de>"

Real name: secmemtest2
Email address:
Comment:
You selected this USER-ID:
    "secmemtest2"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...+++++
......+++++
gpg: writing self signature
gpg: RSA/SHA512 signature from: "0xD68CB708C68BD405 [?]"
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
....+++++
...............................+++++
gpg: writing key binding signature
gpg: RSA/SHA512 signature from: "0xD68CB708C68BD405 [?]"
gpg: writing key binding signature
gpg: RSA/SHA512 signature from: "0xD68CB708C68BD405 [?]"
gpg: writing public key to `/home/user/.gnupg/pubring.gpg'
gpg: writing secret key to `/home/user/.gnupg/secring.gpg'
gpg: using PGP trust model
gpg: key 0xD68CB708C68BD405 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 66 keys cached (4287 signatures)
gpg: 25 keys processed (19 validity counts cleared)
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: next trustdb check due at 2015-02-21
pub   4096R/0xD68CB708C68BD405 2014-12-11 [expires: 2022-12-09]
      Key fingerprint = 7FC9 1330 A315 CFA0 1918  EEC9 D68C B708 C68B D405
uid                 [ultimate] secmemtest2
sub   4096R/0x41E7C181778223B1 2014-12-11 [expires: 2022-12-09]


$ gpg --edit-key 0xD68CB708C68BD405
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

gpg: using PGP trust model
pub  4096R/0xD68CB708C68BD405  created: 2014-12-11  expires: 2022-12-09  usage:
SC
                               trust: ultimate      validity: ultimate
sub  4096R/0x41E7C181778223B1  created: 2014-12-11  expires: 2022-12-09  usage:
E
[ultimate] (1). secmemtest2

gpg> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "secmemtest2"
4096-bit RSA key, ID 0xD68CB708C68BD405, created 2014-12-11

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 6y
Key expires at Tue 08 Dec 2020 07:50:44 PM EST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
......+++++
.....+++++
gpg: writing key binding signature
gpg: out of secure memory while allocating 1024 bytes
gpg: (this may be caused by too many secret keys used simultaneously or due to
excessive large key sizes)


This also occurs if I create only the primary key first, and then attempt to
add the first subkey.

At this time I am unable to create a proper keypair with the necessary subkeys.
Any and all advice and questions are appreciated, especially any possible
explanations of why this might be an intermittent issue, although I am still
not sure of that - it may have been introduced in the latest Wheezy update. I
hope that this is important enough to receive a patch in Stable; the package is
largely broken for me at this time.



-- System Information:
Debian Release: 7.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gnupg depends on:
ii  dpkg          1.16.15
ii  gpgv          1.4.12-7+deb7u6
ii  install-info  4.13a.dfsg.1-10
ii  libbz2-1.0    1.0.6-4
ii  libc6         2.13-38+deb7u6
ii  libreadline6  6.2+dfsg-0.1
ii  libusb-0.1-4  2:0.1.12-20+nmu1
ii  zlib1g        1:1.2.7.dfsg-13

Versions of packages gnupg recommends:
pn  gnupg-curl     <none>
ii  libldap-2.4-2  2.4.31-1+nmu2

Versions of packages gnupg suggests:
ii  eog           3.4.2-1+build1
pn  gnupg-doc     <none>
ii  imagemagick   8:6.7.7.10-5+deb7u3
ii  libpcsclite1  1.8.4-1+deb7u1

-- no debconf information


