[pkg-gnupg-maint] Bug#795639: assword fails with "Decryption error: Decryption failed"
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Mon Aug 17 12:19:58 UTC 2015
Control: retitle 795639 automated secret key import process for gpg2.1 skips some keys

On Sun 2015-08-16 19:16:03 +0200, Russ Allbery wrote:
> Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:
>> do you see
>> ~/.gnupg/private-keys-v1.d/FD1DA474D3DF3C728C54F9E479EDFC5BBE2E14EA.key
>> ?
>
> No, that file doesn't exist. So it looks like you've located the problem.

[...]

> mithrandir:~$ gpg2 -kv D15D313882004173
> gpg: using classic trust model
> gpg: keydb_get_keyblock failed: Legacy key
> gpg: error reading key: No public key

Interesting. What is the history of this secret key material? Was it
generated fresh on 2009-05-29? Or was it converted from some other
(older) key source?

> Aha. Okay, I seem to have fixed it, although I still don't really
> understand what happened. On a hunch, I ran:
>
> $ gpg2 --import ~/.gnupg/pubring.gpg
>
> That spat out a bunch of output (tons and tons of those legacy key
> messages), and then I ran:
>
> $ gpg2 --import ~/.gnupg/secring.gpg
>
> again.

Did you happen to compare your test commands (e.g. looking at files,
running "gpg -kv $FPR") between these two --import operations? I'm
assuming that the last one is the one that "fixed" things, but I'd like
to make sure...

Do you know if there were more "legacy key" messages for the second
--import command?

> That prompted me for the passphrase for the private key for
> D15D313882004173, and then apparently successfully imported it. Now,
> the gpg2 command works:
>
> mithrandir:~$ gpg2 -kv D15D313882004173
> gpg: using classic trust model
> pub rsa4096/D15D313882004173 2009-05-29 [expires: 2017-09-17]
> uid [ultimate] Russ Allbery <eagle at eyrie.org>
> uid [ultimate] Russ Allbery <rra at stanford.edu>
> uid [ultimate] Russ Allbery <rra at debian.org>
> uid [ revoked] Russ Allbery <eagle at windlord.stanford.edu>
> uid [ultimate] Russ Allbery <rra at cs.stanford.edu>
> sub rsa4096/7CE29A76E9769486 2009-05-29 [expires: 2017-09-17]
> sub rsa2048/7D80315C5736DE75 2010-09-17 [expires: 2016-03-20]
>
> and now assword works again.

OK, I'm glad this part is fixed for you for now, but I'm a little
disturbed that I don't know how to reproduce the scenario you got into.
This is made more complicated by the fact that I don't have (or want)
access to your secret keys, of course.

> So, something weird about the automated key import process for gpg2?

Yes, definitely. I'm retitling the bug to account for that.

--dkg
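
Added example, not part of the original message or of GnuPG: a shell check for the symptom discussed above, a key whose keygrip has no matching file under ~/.gnupg/private-keys-v1.d after migration. The function name, the sample listing and the keygrip values are constructed for illustration; the parsing assumes the "grp" records that gpg2 prints with --with-colons --with-keygrip.

```shell
#!/bin/sh
# Added example (not from the thread). Reads a gpg colon listing on stdin
# and prints "KEYID KEYGRIP" for every key whose keygrip has no matching
# <keygrip>.key file in the given private-keys-v1.d directory.
#
# Intended use, only for keys you expect to hold secret material for:
#   gpg2 --with-colons --with-keygrip -k KEYID | \
#       missing_keygrips ~/.gnupg/private-keys-v1.d

missing_keygrips() {
    keydir=$1
    # A "grp" record follows each pub/sub (or sec/ssb) record; the key ID is
    # field 5 of the key record and the keygrip is field 10 of the grp record.
    awk -F: '
        $1 == "pub" || $1 == "sub" || $1 == "sec" || $1 == "ssb" { keyid = $5 }
        $1 == "grp" { print keyid, $10 }
    ' | while read -r keyid grip; do
        [ -f "$keydir/$grip.key" ] || printf '%s %s\n' "$keyid" "$grip"
    done
}

# Constructed sample values (not real keys): a primary key whose secret part
# was migrated and a subkey whose secret part was skipped.
GRIP_PRESENT=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
GRIP_MISSING=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
SAMPLE_LISTING="pub:u:4096:1:0000000000000001:1243555200:::u:::scESC:
grp:::::::::${GRIP_PRESENT}:
sub:u:4096:1:0000000000000002:1243555200::::::e:
grp:::::::::${GRIP_MISSING}:"

# Runs the check against a throwaway directory that holds only one key file.
demo() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/$GRIP_PRESENT.key"
    printf '%s\n' "$SAMPLE_LISTING" | missing_keygrips "$tmp"
    rm -rf "$tmp"
}

demo   # prints the subkey's key ID and its missing keygrip
```

A key for which you never held the secret part is also reported, so restrict the listing to your own key IDs.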