[pkg-gnupg-maint] Bug#790665: gpg2 fails to import gpg2 created keyring in a gpg1 created keyring

David Kalnischkies david at kalnischkies.de
Tue Jun 30 17:22:59 UTC 2015


Package: gnupg2
Version: 2.1.4-2
Severity: normal

Hi,

while continuing my work on gpg2-proofing apt-key (and hence apt)
I noticed that the 2.1 branch (2.0 isn't affected) currently in
experimental can't import (even if it has nothing to do) from a gpg2
created keyring, if the target is a gpg1 created one.

Consider the following example:
| ~$ export LANG=C.UTF-8
| ~$ export GNUPGHOME="/tmp/gpg2to1"
| ~$ mkdir $GNUPGHOME; cd $GNUPGHOME

| /tmp/gpg2to1$ gpg --no-options --no-default-keyring --keyring ~/.gnupg/pubring.gpg --export 76B9B739 | gpg --no-options --no-default-keyring --keyring ./gpg1.ring --import
| gpg: WARNING: unsafe permissions on homedir `/tmp/gpg2to1'
| gpg: WARNING: unsafe permissions on homedir `/tmp/gpg2to1'
| gpg: keyring `/tmp/gpg2to1/secring.gpg' created
| gpg: keyring `./gpg1.ring' created
| gpg: /tmp/gpg2to1/trustdb.gpg: trustdb created
| gpg: key 76B9B739: public key "David Kalnischkies <david at kalnischkies.de>" imported
| gpg: Total number processed: 1
| gpg:               imported: 1  (RSA: 1)
| gpg: no ultimately trusted keys found

| /tmp/gpg2to1$ gpg2 --no-options --no-default-keyring --keyring ~/.gnupg/pubring.gpg --export 76B9B739 | gpg2 --no-options --no-default-keyring --keyring ./gpg2.ring --import
| gpg: WARNING: unsafe permissions on homedir '/tmp/gpg2to1'
| gpg: WARNING: unsafe permissions on homedir '/tmp/gpg2to1'
| gpg: keybox './gpg2.ring' created
| gpg: starting migration from earlier GnuPG versions
| gpg: porting secret keys from '/tmp/gpg2to1/secring.gpg' to gpg-agent
| gpg: migration succeeded
| gpg: key 76B9B739: public key "David Kalnischkies <david at kalnischkies.de>" imported
| gpg: Total number processed: 1
| gpg:               imported: 1
| gpg: no ultimately trusted keys found

| /tmp/gpg2to1$ gpg2 --no-options --no-default-keyring --keyring gpg1.ring --import gpg2.ring
| gpg: WARNING: unsafe permissions on homedir '/tmp/gpg2to1'
| gpg: no valid OpenPGP data found.
| gpg: Total number processed: 0

(exits with code 2 btw)

Importing gpg1.ring into gpg2.ring works.
As does --export | --import:
| /tmp/gpg2to1$ gpg2 --no-options --no-default-keyring --keyring gpg2.ring --export | gpg2 --no-options --no-default-keyring --keyring gpg1.ring --import
| gpg: WARNING: unsafe permissions on homedir '/tmp/gpg2to1'
| gpg: WARNING: unsafe permissions on homedir '/tmp/gpg2to1'
| gpg: key 76B9B739: "David Kalnischkies <david at kalnischkies.de>" not changed
| gpg: Total number processed: 1
| gpg:              unchanged: 1

This is the same error as printed if I s#gpg2#gpg# btw which is kinda
expected, but it would be handy if gpg could deal with gpg2 keyrings
– especially as the gpg1.ring into gpg2.ring generates some very
interesting output if done by gpg. If that would work (or at least
reliably fail with a good message) this might even help your planned
transition…

Background information: apt tries to sidestep the existing 40 --keyring
(and threatened 1 --keyring) limit by first merging all its fragmented
key(ring)s shipped by *-archive-keyring packages (and hence might be
created by other gpg versions) into one big keyring which is then used
as keyring for whatever action is actually supposed to happen. This is
all fine and dandy for read-only operations as most of apt-key
operations are, but you can also add/remove/update keys and that is
where it gets complicated as these actions apply on our big merged
keyring and have to be split up and applied to the fragmented keys
instead. Add and remove are simple list comparisons, but updated keys
(new signatures or expire dates) are dealt with by "--import-options
merge-only --import big.ring" and that is what fails here – even though
it will be a glorified no-op 99,9% of the time in apt-key.


Best regards

David Kalnischkies


Versions of packages gnupg2 depends on:
ii  dpkg           1.18.1
ii  gnupg-agent    2.1.4-2
ii  install-info   6.0.0.dfsg.1-2
ii  libassuan0     2.2.1-1
ii  libbz2-1.0     1.0.6-8
ii  libc6          2.19-18
ii  libgcrypt20    1.6.3-2
ii  libgpg-error0  1.19-2
ii  libksba8       1.3.3-1
ii  libreadline6   6.3-8+b3
ii  zlib1g         1:1.2.8.dfsg-2+b1

Versions of packages gnupg2 recommends:
ii  dirmngr  2.1.4-2
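
An added example, not part of the original report and not apt-key's code: the transcript shows gpg2 creating `gpg2.ring` as a keybox while gpg1 created `gpg1.ring` as a keyring, so a merge step can check each fragment's on-disk format first and use the `--export | --import` pipe that the report shows working. The function names `keyring_format` and `merge_fragment` and the `GPG` variable are hypothetical, and the sketch assumes the keybox magic `KBXf` sits at byte offset 8 of the file.

```shell
#!/bin/sh
# Added example, not apt-key's code. GPG and both function names are assumptions.
GPG=${GPG:-gpg2}

# keyring_format FILE -> keybox | openpgp | armored | empty | unknown
keyring_format() {
    [ -s "$1" ] || { echo empty; return 0; }
    # A keybox file opens with a header blob; bytes 8..11 are the magic "KBXf".
    magic=$(dd if="$1" bs=1 skip=8 count=4 2>/dev/null | tr -d '\000')
    [ "$magic" = "KBXf" ] && { echo keybox; return 0; }
    # ASCII-armored OpenPGP data starts with five dashes.
    lead=$(dd if="$1" bs=1 count=5 2>/dev/null | tr -d '\000')
    [ "$lead" = "-----" ] && { echo armored; return 0; }
    # Binary keyring: the first octet is a public-key packet header (tag 6),
    # old format 0x98/0x99/0x9a or new format 0xc6.
    case "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" in
        98|99|9a|c6) echo openpgp ;;
        *)           echo unknown ;;
    esac
}

# merge_fragment TARGET SOURCE: import SOURCE into TARGET, picking the path by format.
# Pass paths containing a slash; gpg resolves bare names relative to GNUPGHOME.
merge_fragment() {
    target=$1 src=$2
    common="--no-options --no-default-keyring"
    case "$(keyring_format "$src")" in
        keybox)
            # Direct --import of this file fails in the report; the pipe works.
            $GPG $common --keyring "$src" --export |
                $GPG $common --keyring "$target" --import ;;
        openpgp|armored)
            $GPG $common --keyring "$target" --import "$src" ;;
        *)
            echo "merge_fragment: $src: unrecognised keyring format" >&2
            return 2 ;;
    esac
}
```
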