[pkg-gnupg-maint] Bug#1131530: gpg: Key generation with --dry-run adds unusable private key files
Seth McDonald
dev at sethm.id.au
Sun Mar 22 12:30:15 GMT 2026
Package: gpg
Version: 2.4.7-21+deb13u1+b2
Severity: normal
File: /usr/bin/gpg
Dear Maintainer,
It appears that when GnuPG generates keys with the --dry-run option,
rather than discarding any generated keys, it creates and stores new
private keys on disk. However, these keys cannot be accessed via the
keyring, meaning they effectively just take up disk space with no use.
Consider the following sequence of shell commands (with some irrelevant
output removed or replaced).
$ mkdir -m u=rwx,go= ~/gpg-test
$ export GNUPGHOME=~/gpg-test
$ gpg --dry-run --yes --quick-generate-key "hello <hello at domain.tld>"
gpg: keybox '/.../gpg-test/pubring.kbx' created
[...]
gpg: /.../gpg-test/trustdb.gpg: trustdb created
gpg: directory '/.../gpg-test/openpgp-revocs.d' created
gpg: revocation certificate stored as '/.../gpg-test/openpgp-revocs.d/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.rev'
public and secret key created and signed.
pub ed25519 YYYY-MM-DD [SC] [expires: YYYY-MM-DD]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
uid hello <hello at domain.tld>
sub cv25519 YYYY-MM-DD [E]
$ gpg --check-trustdb
gpg: Note: ultimately trusted key XXXXXXXXXXXXXXXX not found
gpg: no ultimately trusted keys found
$ gpg --list-public-keys
$ gpg --list-secret-keys
$ ls $GNUPGHOME
openpgp-revocs.d private-keys-v1.d pubring.kbx trustdb.gpg
$ ls $GNUPGHOME/openpgp-revocs.d
$ ls $GNUPGHOME/private-keys-v1.d
YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY.key
ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ.key
$
After the key XXXXXXXXXXXXXXXX is said to be generated, gpg is unable to
find it. This is expected, due to the use of --dry-run.
However, the `$GNUPGHOME/private-keys-v1.d` directory is filled with two
keys - YYYYYYYYYYYYYYYY and ZZZZZZZZZZZZZZZZ - neither of which is
specified by the key generation nor can be reached via the keyring. To
my understanding, these files have no use and should not have been left
by gpg.
Take care,
Seth McDonald.
-- System Information:
Debian Release: 13.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.74+deb13+1-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages gpg depends on:
ii gpgconf 2.4.7-21+deb13u1+b2
ii init-system-helpers 1.69~deb13u1
ii libassuan9 3.0.2-2
ii libbz2-1.0 1.0.8-6
ii libc6 2.41-12+deb13u2
ii libgcrypt20 1.11.0-7
ii libgpg-error0 1.51-4
ii libksba8 1.6.7-2+b1
ii libnpth0t64 1.8-3
ii libreadline8t64 8.2-6
ii libsqlite3-0 3.46.1-7+deb13u1
ii zlib1g 1:1.3.dfsg+really1.3.1-1+b1
Versions of packages gpg recommends:
ii gnupg 2.4.7-21+deb13u1
gpg suggests no packages.
-- no debconf information
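A small check for the condition described in the report, added here as an example and not part of the bug report or of GnuPG itself: it lists files in a private-keys-v1.d directory whose keygrip is not referenced by any secret key the keyring knows about (keygrips are read from the "grp" records of gpg's --with-colons output). The function and file names are my own.

```shell
#!/bin/sh
# Added example: find orphaned private key files in private-keys-v1.d,
# i.e. <keygrip>.key files that no secret key in the keyring points to.

# orphan_keyfiles DIR KEYGRIP_LIST
#   DIR:          a private-keys-v1.d directory
#   KEYGRIP_LIST: file with one keygrip per line (keys the keyring knows)
# Prints the keygrip of every orphaned key file, one per line.
orphan_keyfiles() {
    dir=$1
    known=$2
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue            # no *.key files at all
        grip=$(basename "$f" .key)
        # -x: whole line, -i: any hex case, -F: literal match
        if ! grep -qixF "$grip" "$known"; then
            printf '%s\n' "$grip"
        fi
    done
}

# known_keygrips: keygrips of all secret keys in $GNUPGHOME.
# With --with-colons, "grp" records carry the keygrip in field 10.
known_keygrips() {
    gpg --batch --list-secret-keys --with-keygrip --with-colons 2>/dev/null \
        | awk -F: '$1 == "grp" { print $10 }'
}

# check_gnupghome [HOME]: report orphaned key files under HOME
# (defaults to $GNUPGHOME, then ~/.gnupg).
check_gnupghome() {
    home=${1:-${GNUPGHOME:-$HOME/.gnupg}}
    tmp=$(mktemp)
    GNUPGHOME=$home known_keygrips > "$tmp"
    orphan_keyfiles "$home/private-keys-v1.d" "$tmp"
    rm -f "$tmp"
}
```

Running `check_gnupghome ~/gpg-test` after the --dry-run command in the report would print the two keygrips that have no matching secret key; on a healthy keyring it prints nothing.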