[pkg-gnupg-maint] Bug#1103233: "Key-Type: default" no longer supported when generating key: "Unknown elliptic curve"

Christoph Biedl debian.axhn at manchmal.in-ulm.de
Tue Apr 15 08:10:37 BST 2025


Package: gpg
Version: 2.4.7-14
Severity: normal
X-Debbugs-Cc: debian.axhn at manchmal.in-ulm.de

Summary: When trying to generate a key using the batch file mode, the
"Key-Type: default" option breaks the operation.


As part of some testing, I'm generating a temporary key, using a batch
file to pass some parameters. Use this little shell script as a
reproducer:

===========================================================
#!/bin/sh

set -eu

temp_dir="$(mktemp --directory --tmpdir "reprod.$$.XXXXX")"
trap "cd / ; rm -rf \"$temp_dir\"" EXIT

gpg_home="$temp_dir/gpg_home"
mkdir -m700 "$gpg_home"

batch_file="$temp_dir/batch"

cat <<__EOS__ >"$batch_file"
Key-Type: default
Subkey-Type: default
Name-Real: John Doe
Name-Email: john.doe at example.com
Expire-Date: 0
%no-protection
%commit
__EOS__

gpg --homedir "$gpg_home" --batch --generate-key "$batch_file"

gpg --homedir "$gpg_home" --with-colons --list-keys
===========================================================

In Debian 12 (gpg 2.2.40-1.1), and as expected, the output is (modulo
timestamps and various random bits):

| gpg: keybox '/tmp/reprod.1908235.T8HfC/gpg_home/pubring.kbx' created
| gpg: /tmp/reprod.1908235.T8HfC/gpg_home/trustdb.gpg: trustdb created
(...)
| tru:o:1:1744699266:1:3:1:5
| pub:u:3072:1:5568831507F12921:1744699264:::u:::escaESCA::::::23::0:
| fpr:::::::::41F2D907E7F11CD5825719045568831507F12921:
| uid:u::::1744699264::454A9C7753721D33C846A7FFEDB690FD548BCE5C::John Doe <john.doe at example.com>::::::::::0:
| sub:u:3072:1:2B5308B1ED9F66BA:1744699264::::::esa::::::23:
| fpr:::::::::0E7033D83012E06FE36CB9762B5308B1ED9F66BA:

Since the advent of gpg 2.4.7-14, gpg --generate-key fails:

| gpg: keybox '/tmp/reprod.1908493.etLXj/gpg_home/pubring.kbx' created
| gpg: key generation failed: Unknown elliptic curve

Not sure whether this is an intended change; at least it took
me some hours.


The workaround is to make the key type explicit, so

-Key-Type: default
-Subkey-Type: default
+Key-Type: rsa
+Key-Length: 3072
+Subkey-Type: rsa
+Subkey-Length: 3072

... which isn't nice. Also, there's a subtle change in the "key
capabilities" (column 12), already in Debian 12:

Using "default", gpg 2.2

| pub:scESC
| sub:e

Using "rsa/3072", gpg 2.2

| pub:escaESCA
| sub:esa

Using "rsa/3072", gpg 2.4

| pub:escarESCA
| sub:esa

This is documented in gpg(1), in "Key-Usage:" - still it came as a
surprise.

And the change (here: subkey may be used to sign) actually seems
sensible. Too bad my mediocre test program couldn't deal with it. But
that's none of your concern.

Regards

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.22 (SMP w/8 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gpg depends on:
ii  gpgconf              2.4.7-14
ii  init-system-helpers  1.68
ii  libassuan9           3.0.2-2
ii  libbz2-1.0           1.0.8-6
ii  libc6                2.41-6
ii  libgcrypt20          1.11.0-7
ii  libgpg-error0        1.51-4
ii  libksba8             1.6.7-2+b1
ii  libnpth0t64          1.8-3
ii  libreadline8t64      8.2-6
ii  libsqlite3-0         3.46.1-3
ii  zlib1g               1:1.3.dfsg+really1.3.1-1+b1

Versions of packages gpg recommends:
ii  gnupg  2.4.7-14

gpg suggests no packages.

-- no debconf information
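The report notes that its test program broke on the change in the key-capabilities field (column 12 of the `--with-colons` listing). Below is an added example, not part of the bug report or of gpg, showing how a script can read that field by flag membership rather than by exact string comparison, so that "esa" growing into "escaESCA", or an extra flag such as the "r" seen in the gpg 2.4 output, does not break it. The listing embedded in the script is a constructed sample modelled on the records quoted above, so it runs without gpg; to use it on a real keyring, pipe `gpg --homedir "$gpg_home" --with-colons --list-keys` into the functions instead.

```sh
#!/bin/sh
# Added example (not from the bug report): inspect key capabilities in
# `gpg --with-colons --list-keys` output by checking for individual flags.
# Field 12 of pub:/sub: records holds the capability letters (e s c a ...,
# with the key-wide summary in upper case), so tests should ask "does the
# field contain s?" rather than "is the field exactly esa?".

set -eu

# Constructed sample listing, modelled on the records quoted in the report.
sample_listing='tru:o:1:1744699266:1:3:1:5
pub:u:3072:1:5568831507F12921:1744699264:::u:::escarESCA::::::23::0:
fpr:::::::::41F2D907E7F11CD5825719045568831507F12921:
sub:u:3072:1:2B5308B1ED9F66BA:1744699264::::::esa::::::23:
fpr:::::::::0E7033D83012E06FE36CB9762B5308B1ED9F66BA:'

# key_caps: read a colon listing on stdin, print "<record>:<keyid>:<caps>"
# for every pub: and sub: record.
key_caps() {
    awk -F: '$1 == "pub" || $1 == "sub" { print $1 ":" $5 ":" $12 }'
}

# has_cap RECORD KEYID FLAG: read a colon listing on stdin and succeed if the
# named key's capability field contains FLAG (e.g. "s" for sign).
has_cap() {
    awk -F: -v rec="$1" -v kid="$2" -v flag="$3" '
        $1 == rec && $5 == kid { if (index($12, flag) > 0) found = 1 }
        END { exit !found }'
}

# Usage with the constructed sample (replace with a real gpg listing as needed):
#   printf '%s\n' "$sample_listing" | key_caps
#   printf '%s\n' "$sample_listing" | has_cap sub 2B5308B1ED9F66BA s \
#       && echo "subkey may sign"
```

Checking flags this way keeps the script honest about what it actually needs (for instance, "the subkey can encrypt") and tolerant of gpg adding capabilities, which is exactly the change between the 2.2 and 2.4 listings quoted above.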