Package: obnam
Version: 1.8-1
Severity: normal

If you try to add-key a key which does not work for encryption (e.g.
because all its subkeys are expired) the key is nevertheless added to
the chunklist/userkeys file (only this file). This causes later add-key 
commands to fail in the same way and keys are only added to the
chunklist/userkeys file. This is probably because gpg reports an error
but nevertheless encrypts the file with the working keys.  Failed attempts
to add an encryption key should be completely rolled back.

Steps to reproduce:

1. Create repository with one working encryption key (private key
   available locally, id 0xAAA)
2. Now try to add two additional keys where only the public key is
   available. The private key of the first key is always used for 
   decryption (--encrypt-with option). Key ids 0xBBB and 0xCCC. Key 
   0xBBB has only expired subkeys.

   # obnam --encrypt-with 0xAAA --repository /repo add-key --keyid 0xBBB clientname
   ERROR: R0C79EX: gpg failed with exit code 2:
   gpg: 0xBBB: skipped: unusable public key
   gpg: [stdin]: encryption failed: unusable public key

   # obnam --encrypt-with 0xAAA --repository /repo list-keys
   key: 0xAAA
     chunklist
     9697248738376258603
     chunksums
     chunks
     clientlist
   key: 0xBBB
     chunklist

   # obnam --encrypt-with 0xAAA --repository /repo add-key --keyid 0xCCC clientname
   ERROR: R0C79EX: gpg failed with exit code 2:
   gpg: 0xBBB: skipped: unusable public key
   gpg: [stdin]: encryption failed: unusable public key

   # obnam --encrypt-with 0xAAA --repository /repo list-keys
   key: 0xAAA
     chunklist
     9697248738376258603
     chunksums
     chunks
     clientlist
   key: 0xBBB
     chunklist
   key: 0xCCC
     chunklist


Gaudenz

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (100, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages obnam depends on:
ii  libc6             2.19-11
ii  python            2.7.8-1
ii  python-cliapp     1.20140719-1
ii  python-fuse       2:0.2.1-10
ii  python-larch      1.20131130-1
ii  python-paramiko   1.15.1-1
ii  python-tracing    0.8-1
ii  python-ttystatus  0.23-1

obnam recommends no packages.

obnam suggests no packages.

-- no debconf information
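
The all-or-nothing behaviour requested in this report, as an added example that is not obnam's code and not part of the original message. It models the repository as a dict of toplevel name to recipient list (an assumption), decides key usability from constructed `gpg --with-colons` records, and commits the staged change only if every toplevel can be re-encrypted; `usable_for_encryption`, `add_key` and `demo` are hypothetical names.

```python
import copy

# Constructed `gpg --with-colons --list-keys` records (sample data, not from the report).
# Field 2 is validity ("e" = expired); field 12 lists capabilities ("e" = encrypt).
LISTINGS = {
    "0xAAA": "pub:u:4096:1:00000000000000AA:1388534400:::u:::scESC:\n"
             "sub:u:4096:1:00000000000001AA:1388534400::::::e:\n",
    "0xBBB": "pub:-:4096:1:00000000000000BB:1262304000:::-:::sc:\n"
             "sub:e:4096:1:00000000000001BB:1262304000:1293840000:::::e:\n",
    "0xCCC": "pub:-:4096:1:00000000000000CC:1388534400:::-:::scESC:\n"
             "sub:-:4096:1:00000000000001CC:1388534400::::::e:\n",
}
# Toplevel names as shown by list-keys in the report.
TOPLEVELS = ("chunklist", "9697248738376258603", "chunksums", "chunks", "clientlist")

def usable_for_encryption(listing):
    """True if some pub/sub record is not expired/revoked/disabled/invalid
    and carries the encrypt capability."""
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub") and len(f) >= 12:
            if f[1] not in ("e", "r", "d", "i") and "e" in f[11]:
                return True
    return False

def add_key(repo, keyid, listings):
    """Add keyid to every toplevel's recipient list, or leave repo untouched."""
    staged = copy.deepcopy(repo)          # work on a copy, never on the live state
    for toplevel, recipients in staged.items():
        recipients.append(keyid)
        bad = [k for k in recipients if not usable_for_encryption(listings[k])]
        if bad:                           # stands in for gpg exiting with code 2
            raise ValueError("%s: unusable public key: %s" % (toplevel, ", ".join(bad)))
    repo.clear()                          # commit only after every toplevel succeeded
    repo.update(staged)

def demo():
    repo = {t: ["0xAAA"] for t in TOPLEVELS}
    try:
        add_key(repo, "0xBBB", LISTINGS)  # key with only an expired subkey
    except ValueError:
        pass
    after_failure = copy.deepcopy(repo)
    add_key(repo, "0xCCC", LISTINGS)      # must not be blocked by the failed attempt
    return after_failure, repo

if __name__ == "__main__":
    print(demo())
```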

