Your message dated Thu, 11 May 2017 03:03:35 +0000
with message-id <[email protected]>
and subject line Bug#834922: fixed in gnupg2 2.1.20-4
has caused the Debian Bug report #834922,
regarding gnupg: Fails to sign if secret part of a signing subkey is not 
present, but its public part known (regression from gpg1)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
834922: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=834922
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gnupg
Version: 2.1.14-5
Control: affects -1 devscripts git-buildpackage git

Dear GnuPG Maintainers,

approximately since the switch to GnuPG 2.x I can no more use my
4096R/2FF9CD59612616B5 key to sign stuff:

----------------------------------------------------------------------
→ echo foo | gpg --clearsign
gpg: using "2FF9CD59612616B5" as default secret key for signing
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

foo
gpg: signing failed: No secret key
gpg: [stdin]: clearsign failed: No secret key
----------------------------------------------------------------------

Nevertheless --list-secret-keys finds that key without issues:

----------------------------------------------------------------------
→ gpg --list-secret-keys 2FF9CD59612616B5
sec   rsa4096/2FF9CD59612616B5 2009-07-12 [SC]
uid                 [ultimate] Axel Beckert <[email protected]>
uid                 [ultimate] Axel Beckert (E-Mail + Jabber) <[email protected]>
uid                 [ultimate] Axel Beckert (Symlink) <[email protected]>
uid                 [ultimate] [jpeg image of size 3155]
uid                 [ultimate] Axel Stefan Beckert
uid                 [ultimate] Axel Beckert (FSFE Fellow) <[email protected]>
uid                 [ultimate] Axel Beckert (Debian Developer) <[email protected]>
ssb   elg4096/E230E02B004AB7CC 2009-07-12 [E]
ssb   rsa4096/6BE663C75A35C975 2014-12-29 [S] [expires: 2020-12-27]
----------------------------------------------------------------------

I can reproduce this issue even with only having a single line in my
~/.gnupg/gpg.conf:

----------------------------------------------------------------------
default-key 2FF9CD59612616B5
----------------------------------------------------------------------

I also tried using "default-key 6BE663C75A35C975" (i.e. the most recent
signing subkey) instead after David Bremner mentioned something about
known issues with subkeys on IRC. But that didn't help either.

I can though still sign stuff with my old, deprecated
1024D/C09E1D8995930EDE key, e.g. if I change the above line to
"default-key C09E1D8995930EDE":

----------------------------------------------------------------------
→ echo foo | gpg --clearsign
gpg: using "C09E1D8995930EDE" as default secret key for signing
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

foo
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAle4ZssACgkQwJ4diZWTDt45PQCdH83vEH8DN0VLjZsxmfp6SLo6
LI0AnA319OwDkFwY8Vd2b6oYAbYHquMz
=IvvU
-----END PGP SIGNATURE-----
----------------------------------------------------------------------

Using gpg1 instead of gpg works fine with "default-key 2FF9CD59612616B5",
too:

----------------------------------------------------------------------
# echo foo | gpg1 --clearsign

You need a passphrase to unlock the secret key for
user: "Axel Beckert <[email protected]>"
4096-bit RSA key, ID 2FF9CD59612616B5, created 2009-07-12

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

foo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
----------------------------------------------------------------------

Ran into this issue with "gbp import-…", "debsign …" and "git tag -s …".

At least for debsign I found a workaround by instructing it to use gpg1
instead: "debsign -pgpg1 …" -- But that's not a solution for eternity.

Since I can even reproduce this with only having "default-key
2FF9CD59612616B5" in my ~/.gnupg/gpg.conf while that (secret and public)
key definitely exists in my keyring, I consider this being a bug, maybe
an incomplete conversion when GnuPG 2.x was first run or so.

IIRC the conversion happened during a run of "gbp import-dscs --debsnap
…" or similar command, i.e. nothing where I called gpg manually or could
intervene. At least there exists an empty file called
~/.gnupg/.gpg-v21-migrated, dated 16th of August 2016, 00:57 CEST
(GMT+0200).

P.S.: Even in the case that this is not a bug but a configuration issue
(then where?), any help or hint is appreciated as this issue severely
hinders me in doing work for Debian and I already invested several hours
to find a fix or at least track down the reason (commenting out line by
line in gpg.conf, etc.). TIA!

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), (500, 'buildd-unstable'), (110, 'experimental'), (1, 'experimental-debug'), (1, 'buildd-experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.7.0-rc7-amd64 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages gnupg depends on:
ii  gnupg-agent    2.1.14-5
ii  libassuan0     2.4.3-1
ii  libbz2-1.0     1.0.6-8
ii  libc6          2.23-4
ii  libgcrypt20    1.7.3-1
ii  libgpg-error0  1.24-1
ii  libksba8       1.3.4-4
ii  libreadline6   6.3-8+b4
ii  libsqlite3-0   3.14.1-1
ii  zlib1g         1:1.2.8.dfsg-2+b1

Versions of packages gnupg recommends:
ii  dirmngr     2.1.14-5
pn  gnupg-l10n  <none>

Versions of packages gnupg suggests:
ii  parcimonie  0.10.2-1
ii  xloadimage  4.1-23+b2

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: gnupg2
Source-Version: 2.1.20-4

We believe that the bug you reported is fixed in the latest version of
gnupg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <[email protected]> (supplier of updated gnupg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 10 May 2017 14:59:02 -0400
Source: gnupg2
Binary: gnupg-agent scdaemon gpgsm gnupg gnupg2 gpgv gpgv2 dirmngr gpgv-udeb gpgv-static gpgv-win32 gnupg-l10n
Architecture: source
Version: 2.1.20-4
Distribution: experimental
Urgency: medium
Maintainer: Debian GnuPG Maintainers <[email protected]>
Changed-By: Daniel Kahn Gillmor <[email protected]>
Description:
 dirmngr    - GNU privacy guard - network certificate management service
 gnupg      - GNU privacy guard - a free PGP replacement
 gnupg-agent - GNU privacy guard - cryptographic agent
 gnupg-l10n - GNU privacy guard - localization files
 gnupg2     - GNU privacy guard - a free PGP replacement (dummy transitional pa
 gpgsm      - GNU privacy guard - S/MIME version
 gpgv       - GNU privacy guard - signature verification tool
 gpgv-static - minimal signature verification tool (static build)
 gpgv-udeb  - minimal signature verification tool (udeb)
 gpgv-win32 - GNU privacy guard - signature verification tool (win32 build)
 gpgv2      - GNU privacy guard - signature verification tool (dummy transition
 scdaemon   - GNU privacy guard - smart card support
Closes: 834922
Changes:
 gnupg2 (2.1.20-4) experimental; urgency=medium
 .
   * avoid shipping or trying to use .skel files
   * more bugfixes from upstream
   * skip missing signing keys (Closes: #834922)
   * prefer available smartcard

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
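
Added example (not part of the bug report and not GnuPG's own code): a shell check for the condition named in the bug title, a signing subkey whose public part is known but whose secret part is absent. It parses `gpg --with-colons --list-secret-keys` output, where field 15 of a sec/ssb record is "#" for a stub without secret material; the listing below is constructed, and the preference for the newest signing subkey is an assumption about how the signer chooses.

```shell
#!/bin/sh
# Constructed sample of `gpg --with-colons --list-secret-keys` output
# (key IDs are made up). Relevant fields of sec/ssb records:
#   5 = key ID, 6 = creation time, 12 = capabilities, 15 = "+" when the
#   secret part is available, "#" when only a stub is present.
sample_listing() {
cat <<'EOF'
sec:u:4096:1:AAAAAAAAAAAAAAA1:1247356800:::u:::scESC:::+:
ssb:u:4096:16:BBBBBBBBBBBBBBB2:1247356800::::::e:::+:
ssb:u:4096:1:CCCCCCCCCCCCCCC3:1419811200:1609027200:::::s:::+:
ssb:u:4096:1:DDDDDDDDDDDDDDD4:1451606400:1767225600:::::s:::#:
EOF
}

# Print "KEYID CREATED STATUS" for every signing-capable sec/ssb record.
signing_keys() {
    awk -F: '($1 == "sec" || $1 == "ssb") && $12 ~ /s/ {
        if ($15 == "#")      status = "missing"
        else if ($15 == "")  status = "unknown"
        else                 status = "available"
        print $5, $6, status
    }'
}

# Assumption: the signer prefers the most recently created signing key.
# Prints "KEYID STATUS" for that key, whether or not its secret exists.
newest_signing_key() {
    signing_keys | awk '$2 + 0 > best + 0 { best = $2; id = $1; st = $3 }
                        END { if (id != "") print id, st; else exit 1 }'
}

# Same choice after skipping keys whose secret part is not present.
usable_signing_key() {
    signing_keys | awk '$3 == "available" && $2 + 0 > best + 0 { best = $2; id = $1 }
                        END { if (id != "") print id; else exit 1 }'
}

# On a real keyring:
#   gpg --with-colons --list-secret-keys KEYID | signing_keys
sample_listing | signing_keys
```

In the constructed listing the newest signing subkey is the one reported as "missing", so a signer that picks it without checking for secret material has nothing to sign with, while skipping it falls back to the older subkey.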