[pkg-gnupg-maint] Bug#836772: gnupg: unable to sign anyone's keys

Ramakrishnan Muthukrishnan rkrishnan at debian.org
Mon Sep 5 15:24:52 UTC 2016


Package: gnupg
Version: 2.1.15-2
Severity: important

Dear Maintainer,

I was trying to sign a key after a get together. Here are the steps I
did:

1. Import the keys

gpg --recv-key <key id>

2. Verify the fingerprint

gpg --fingerprint <key id>

3. Sign the key

rkrishnan at ken:~$ gpg --sign-key ben

pub  rsa4096/E7BFC8EC95861109
     created: 2009-07-12  expires: never       usage: SC  
     trust: unknown       validity: unknown
sub  rsa4096/CF0469521357C3D7
     created: 2009-07-12  expires: never       usage: E   
[ unknown] (1). Ben Hutchings (DOB: 1977-01-11)
[ unknown] (2)  Ben Hutchings <benh at debian.org>
[ unknown] (3)  Ben Hutchings <ben at decadent.org.uk>

Really sign all text user IDs? (y/N) y
gpg: using "EB46CA9A" as default secret key for signing

pub  rsa4096/E7BFC8EC95861109
     created: 2009-07-12  expires: never       usage: SC  
     trust: unknown       validity: unknown
 Primary key fingerprint: AC2B 29BD 34A6 AFDD B3F6  8F35 E7BF C8EC 9586 1109

     Ben Hutchings (DOB: 1977-01-11)
     Ben Hutchings <benh at debian.org>
     Ben Hutchings <ben at decadent.org.uk>

Are you sure that you want to sign this key with your
key "Ramakrishnan Muthukrishnan <rkrishnan at debian.org>"
(CF64CD61EB46CA9A)

Really sign? (y/N) y
gpg: signing failed: Permission denied
gpg: signing failed: Permission denied

Key not changed so no update needed.

4. I did a bit of stracing if that can be of help.

strace gpg --sign-key benh

rt_sigaction(SIGWINCH, {0x7f1ea8410d30, [], SA_RESTORER|SA_RESTART,
0x7f1ea7c55040}, {SIG_DFL, [], SA_RESTORER, 0x7f1ea7c55040}, 8) = 0
write(5, "Really sign? (y/N) ", 19Really sign? (y/N) )     = 19
read(5, "y", 1)                         = 1
write(5, "y", 1y)                        = 1
read(5, "\r", 1)                        = 1
write(5, "\n", 1
)                       = 1
ioctl(5, TCGETS, {B38400 opost isig -icanon -echo ...}) = 0
ioctl(5, SNDCTL_TMR_STOP or TCSETSW, {B38400 opost isig icanon echo
...}) = 0
ioctl(5, TCGETS, {B38400 opost isig icanon echo ...}) = 0
rt_sigaction(SIGWINCH, {SIG_DFL, [], SA_RESTORER, 0x7f1ea7c55040},
{0x7f1ea8410d30, [], SA_RESTORER|SA_RESTART, 0x7f1ea7c55040}, 8) = 0
getrusage(RUSAGE_SELF, {ru_utime={0, 16000}, ru_stime={0, 8000}, ...}) =
0
clock_gettime(CLOCK_PROCESS_CPUTIME_ID, {0, 25640163}) = 0
getrusage(RUSAGE_SELF, {ru_utime={0, 16000}, ru_stime={0, 8000}, ...}) =
0
clock_gettime(CLOCK_PROCESS_CPUTIME_ID, {0, 25730112}) = 0
write(7, "RESET", 5)                    = 5
write(7, "\n", 1)                       = 1
read(7, "OK\n", 1002)                   = 3
write(7, "SIGKEY A1B82D0BB07925DE883F06A42"..., 47) = 47
write(7, "\n", 1)                       = 1
read(7, "OK\n", 1002)                   = 3
write(7, "SETKEYDESC Please+enter+the+pass"..., 196) = 196
write(7, "\n", 1)                       = 1
read(7, "OK\n", 1002)                   = 3
write(7, "SETHASH 8 264BD194692F69443218DE"..., 74) = 74
write(7, "\n", 1)                       = 1
read(7, "OK\n", 1002)                   = 3
write(7, "PKSIGN", 6)                   = 6
write(7, "\n", 1)                       = 1
read(7, "INQUIRE PINENTRY_LAUNCHED 31248\n", 1002) = 32
write(7, "END", 3)                      = 3
write(7, "\n", 1)                       = 1
read(7, "ERR 83918849 Permission denied <"..., 1002) = 42
open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1
ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT
(No such file or directory)
write(2, "gpg: signing failed: Permission "..., 38gpg: signing failed:
Permission denied) = 38
write(2, "\n", 1
)                       = 1
write(2, "gpg: signing failed: Permission "..., 38gpg: signing failed:
Permission denied) = 38
write(2, "\n", 1
)                       = 1
write(5, "\n", 1
)                       = 1
write(5, "Key not changed so no update nee"..., 37Key not changed so no
update needed.
) = 37
munmap(0x7f1ea927d000, 65536)           = 0
exit_group(2)                           = ?
+++ exited with 2 +++


I used another machine that I own, copied over the keys in a new account
created on this machine. This machine had an older version of gpg
running on it (1.4.x) and that worked just fine and I could sign the
keys.

I am not sure if I missed some important step while upgrading to gpg2
that caused the signing to fail. I also checked the file permissions in
~/.gnupg/* and all seem fine. The .mo files are locale files and I am
not sure why they should cause "permission failed" errors. It appears to
me that those are not the cause of the trouble. I am happy to debug and
help out in fixing this problem.

Thanks
Ramakrishnan

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gnupg depends on:
ii  gnupg-agent    2.1.15-2
ii  libassuan0     2.4.3-1
ii  libbz2-1.0     1.0.6-8
ii  libc6          2.24-2
ii  libgcrypt20    1.7.3-1
ii  libgpg-error0  1.24-1
ii  libksba8       1.3.5-2
ii  libreadline6   6.3-8+b4
ii  libsqlite3-0   3.14.1-1
ii  zlib1g         1:1.2.8.dfsg-2+b1

Versions of packages gnupg recommends:
ii  dirmngr     2.1.15-2
ii  gnupg-l10n  2.1.15-2

Versions of packages gnupg suggests:
pn  parcimonie  <none>
pn  xloadimage  <none>

-- no debconf information
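
Added example, not part of the original report: the strace above shows gpg talking to gpg-agent on fd 7, and the agent's final reply carries the numeric code 83918849. The sketch below pulls that exchange out of strace text and splits the code into its libgpg-error source and error fields (bit layout and constants as defined in gpg-error.h); the sample trace is constructed from the fd 7 lines of the report, and the function names are hypothetical.

```python
import re

# Constructed sample: fd 7 lines from the report's strace (wrapped lines
# rejoined, truncated strings left truncated), plus one stderr line.
STRACE = r'''
write(7, "RESET", 5)                    = 5
write(7, "\n", 1)                       = 1
read(7, "OK\n", 1002)                   = 3
write(7, "PKSIGN", 6)                   = 6
write(7, "\n", 1)                       = 1
read(7, "INQUIRE PINENTRY_LAUNCHED 31248\n", 1002) = 32
write(7, "END", 3)                      = 3
write(7, "\n", 1)                       = 1
read(7, "ERR 83918849 Permission denied <"..., 1002) = 42
write(2, "gpg: signing failed: Permission "..., 38) = 38
'''

# Subset of libgpg-error's tables; only the entries needed here.
SOURCES = {2: "GPG_ERR_SOURCE_GPG", 4: "GPG_ERR_SOURCE_GPGAGENT",
           5: "GPG_ERR_SOURCE_PINENTRY", 6: "GPG_ERR_SOURCE_SCD"}
SYSTEM_ERROR = 1 << 15               # GPG_ERR_SYSTEM_ERROR flag in the code field
ERRNO = {0: "E2BIG", 1: "EACCES"}    # libgpg-error's own index, not the OS errno

LINE = re.compile(r'^(read|write)\((\d+), "((?:[^"\\]|\\.)*)"')

def assuan_lines(trace, fd):
    """Return (side, text) per non-empty line on fd: C = client (gpg), S = agent."""
    out = []
    for m in map(LINE.match, trace.splitlines()):
        if m and int(m.group(2)) == fd:
            text = m.group(3).replace("\\n", "").strip()
            if text:
                out.append(("C" if m.group(1) == "write" else "S", text))
    return out

def decode_gpg_error(value):
    """Split a gpg_error_t into (source name, error name)."""
    source = (value >> 24) & 0x7F    # GPG_ERR_SOURCE_SHIFT / GPG_ERR_SOURCE_MASK
    code = value & 0xFFFF            # GPG_ERR_CODE_MASK
    if code & SYSTEM_ERROR:
        name = "GPG_ERR_" + ERRNO.get(code & ~SYSTEM_ERROR, "UNKNOWN_ERRNO")
    else:
        name = f"code {code}"
    return SOURCES.get(source, f"source {source}"), name

def failing_reply(trace, fd=7):
    """Decode the first ERR reply the agent sent on fd, or None if there is none."""
    for side, text in assuan_lines(trace, fd):
        if side == "S" and text.startswith("ERR "):
            return decode_gpg_error(int(text.split()[1]))
    return None
```

For this trace the ERR reply decodes to source Pinentry with an EACCES code, which places the "Permission denied" in the passphrase prompt step rather than in gpg's own handling of the keyring files. The `gpg-error` utility from libgpg-error prints the same decomposition for a numeric code.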


