Re: Unable to import Private Key

2016-12-31 Thread Damien Goutte-Gattat

On 12/31/2016 11:22 AM, Guy Wyers wrote:

> The command used to build this export was the following (executed with the
> -vv option to get all the info):
>
>   $ gpg2 -vv -ao secret-key.asc --export-secret-keys
>
> gpg: writing to 'secret-key.asc'
> gpg: key 69F91A22: asking agent for the secret parts
> gpg: key 69F91A22: error receiving key from agent: End of file - skipped
> gpg: key 69F91A22/9D2311A4: asking agent for the secret parts


So gpg asks the agent for your secret primary key (69F91A22) but the 
agent cannot provide it. Then it asks for the secret subkey and gets it.


Next questions:

* What exact version of GnuPG are you using? It looks like you are using 
a version from the 2.1 branch, not 2.0. Please give the output of `gpg2 
--version`.


* Can you *use* your secret primary key? Try performing any action 
requiring the secret primary key (such as signing a message, assuming 
you do not have a signing subkey).


* If you can reproduce the issue at will, can you try exporting the 
private keys again, but with logging of debug information?


Add the following lines to your ~/.gnupg/gpg-agent.conf file (create 
that file if it does not already exist):


  log-file /wherever/you/want.log
  debug 1024

Reload the agent (gpgconf --reload gpg-agent) and try exporting again.



> Any ideas?


It's starting to look like a communication problem between gpg and the 
agent. What problem exactly, I have no clue.




___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
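
A check that can be run on a backup right after exporting, given here as an added example (not code from this thread or from GnuPG): it walks the OpenPGP packet headers (RFC 4880, section 4.2) of a binary export and reports whether the file starts with a primary secret key packet (tag 5) rather than the secret subkey packet (tag 7) shown in this thread's `--list-packets` output. The function names and sample bytes are constructed for illustration; an ASCII-armored file is assumed to have been converted with `gpg --dearmor` first.

```python
# Added example: walk OpenPGP packet headers and check that a secret-key
# export begins with a primary secret key packet (tag 5).
TAG_NAMES = {2: "signature", 5: "secret key", 6: "public key",
             7: "secret sub key", 13: "user ID", 14: "public sub key"}

def iter_packets(data):
    """Yield (offset, tag, hlen, plen) for each packet in binary OpenPGP data."""
    off = 0
    while off < len(data):
        ctb = data[off]
        if not ctb & 0x80:
            raise ValueError(f"offset {off}: not an OpenPGP packet header")
        if ctb & 0x40:                       # new-format header
            tag, first = ctb & 0x3F, data[off + 1]
            if first < 192:
                hlen, plen = 2, first
            elif first < 224:
                hlen, plen = 3, ((first - 192) << 8) + data[off + 2] + 192
            elif first == 255:
                hlen, plen = 6, int.from_bytes(data[off + 2:off + 6], "big")
            else:
                raise ValueError("partial body lengths not handled here")
        else:                                # old-format header, as in the thread
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled here")
            hlen = 1 + (1, 2, 4)[ltype]
            plen = int.from_bytes(data[off + 1:off + hlen], "big")
        if off + hlen + plen > len(data):
            raise ValueError(f"offset {off}: packet runs past end of file")
        yield off, tag, hlen, plen
        off += hlen + plen

def check_backup(data):
    """Return (ok, message); ok only if the first packet is a secret key (tag 5)."""
    tags = [tag for _, tag, _, _ in iter_packets(data)]
    if tags and tags[0] == 5:
        return True, "starts with a primary secret key packet"
    first = TAG_NAMES.get(tags[0], f"tag {tags[0]}") if tags else "nothing"
    return False, f"no primary secret key: file starts with {first}"

# Constructed samples: headers match the thread's listing (ctb=9d plen=966,
# ctb=89 plen=287); bodies are zero filler, not real key material.
TRUNCATED = b"\x9d\x03\xc6" + bytes(966) + b"\x89\x01\x1f" + bytes(287)
COMPLETE = b"\x95\x03\xc6" + bytes(966) + TRUNCATED   # tag 5 packet first

if __name__ == "__main__":
    for name, blob in (("truncated", TRUNCATED), ("complete", COMPLETE)):
        print(name, check_backup(blob))
```

A file that passes can still hold a primary key packet with no key material (the `--export-secret-subkeys` case discussed in this thread), so a test import into a scratch GNUPGHOME remains the stronger check.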


Re: Unable to import Private Key

2016-12-31 Thread Guy Wyers
Hey guys,

Interesting development: I rebuilt my whole setup, generated a new keypair
etc. and am now in the process of creating another copy of the secret key
for safekeeping and back-up purposes.

And lo and behold: the problem reappeared, so I'm now in a position to
reproduce the problem. The export command I'm using produces again a
truncated result. By that I mean that the export I'm doing right now again
produces a file that only contains part of the data, just like the old
"*.asc" export that was unusable. I can see this by looking at the size of
the exported file and also by doing:

 $ gpg --list-packets secret-key.asc

which gives:

# off=0 ctb=9d tag=7 hlen=3 plen=966
:secret sub key packet:
version 4, algo 1, created 1482831890, expires 0
pkey[0]: [2048 bits]
pkey[1]: [17 bits]
iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt:
F1ECE95FFB36A782
protect count: 851968 (154)
protect IV:  f1 59 85 06 71 0a 90 df 65 88 e9 c7 a7 2f 9a 61
skey[2]: [v4 protected]
keyid: 9305D7AA9D2311A4
# off=969 ctb=89 tag=2 hlen=3 plen=287
:signature packet: algo 1, keyid 16F92AB569F91A22
version 4, created 1482831890, md5len 0, sigclass 0x18
digest algo 8, begin of digest 90 08
hashed subpkt 2 len 4 (sig created 2016-12-27)
hashed subpkt 27 len 1 (key flags: 0C)
subpkt 16 len 8 (issuer key ID 16F92AB569F91A22)
data: [2046 bits]


The command used to build this export was the following (executed with the
-vv option to get all the info):

  $ gpg2 -vv -ao secret-key.asc --export-secret-keys 

gpg: writing to 'secret-key.asc'
gpg: key 69F91A22: asking agent for the secret parts
gpg: key 69F91A22: error receiving key from agent: End of file - skipped
gpg: key 69F91A22/9D2311A4: asking agent for the secret parts

It asks twice for the passphrase during this process and then produces this
"truncated" file.

Any ideas?

Thanks,


-Guy

On Tue, Dec 27, 2016 at 11:29 AM, Damien Goutte-Gattat <
dgouttegat...@incenp.org> wrote:

> On 12/27/2016 11:16 AM, MFPA wrote:
>
>> The --export-secret-subkeys command will do what it says on the tin.
>>
>
> That option would still generate a secret key packet for the primary key,
> it's just that this packet would not actually contain any key material.
>
> Here, what has been generated is a file containing only a secret subkey
> packet (and the associated binding signature). That's not the result of
> using --export-secret-subkeys.
>
>


Re: Unable to import Private Key

2016-12-27 Thread Damien Goutte-Gattat

On 12/27/2016 11:16 AM, MFPA wrote:

> The --export-secret-subkeys command will do what it says on the tin.


That option would still generate a secret key packet for the primary 
key, it's just that this packet would not actually contain any key material.


Here, what has been generated is a file containing only a secret subkey 
packet (and the associated binding signature). That's not the result of 
using --export-secret-subkeys.






Re: Unable to import Private Key

2016-12-27 Thread MFPA



On Monday 26 December 2016 at 9:21:37 PM, in
, Damien
Goutte-Gattat wrote:-



> As far as I know, the only way to export a subkey
> only is to explicitly
> specify that subkey by its key ID with an appended
> '!',

The --export-secret-subkeys command will do what it says on the tin.


--
Best regards

MFPA  

A fool and his money are soon partying


Re: Unable to import Private Key

2016-12-27 Thread Guy Wyers
Thanks for the reply. At least I know where things stand now, which is not
a good place :-(
I guess this is another *fine* example of the principle that an
insufficiently tested DR arrangement will always break down when you need
it.

I'm still puzzled about this partial export, however. I'm quite sure that I
made it using something like this:

$ gpg2 -a --export-secret-keys [identifier]  > private_key.asc

Now the question as to what I used as identifier, I'm not sure. The most
likely option is that I used the email address used to create the key and
maybe a key identifier. I definitely have no recollection of using the
exclamation mark '!' you mention.

Could this be linked to using an earlier version of gpg? Or could it simply
be a bug? The installation is running on a Synology, using GnuPG included
in the SynoCommunity package (https://synocommunity.com/package/gnupg).

Anyway, this looks like water under the bridge.
Thanks for your help.




-Guy

On Mon, Dec 26, 2016 at 10:21 PM, Damien Goutte-Gattat <
dgouttegat...@incenp.org> wrote:

> On 12/26/2016 06:52 PM, Guy Wyers wrote:
>
>> - Can I somehow recover from this? I guess that, at least theoretically,
>> the public should be "derivable" from the private key?
>>
>
> The problem here is not that you are missing the public key (the public
> key *is* derivable from the private key, and GnuPG would automatically
> extract the public key upon importing the private key).
>
> The problem is that you are missing the secret *primary* key to which this
> secret subkey should be attached.
>
> If you do not have a backup of that primary key, I am not sure you will be
> able to recover.
>
> At least with GnuPG 2.1, it should be possible to re-attach the subkey to
> a new primary key (because GnuPG 2.1 allows to "create" a key from a
> pre-existing key if you know its keygrip), *but* the newly re-attached key
> would still have a different key creation time and thus a different key
> ID... meaning that it could not be used to decrypt messages encrypted to
> the original key.
>
>
>> - How did I end up with this truncated export? As far as I remember -even
>> if it was long long time ago- I followed the standard instructions for
>> "storing my private key in a safe place".
>>
>
> As far as I know, the only way to export a subkey only is to explicitly
> specify that subkey by its key ID with an appended '!', as in the following
> example:
>
>    $ gpg2 --output backup.gpg --export-secret-keys '0xDECAFBAD!'
>
> Otherwise, GnuPG will always export the primary key and all its subkeys.
>
> What are those "standard instructions" you are referring to? If you were
> instructed to backup only your secret subkey instead of your entire private
> keyring, I am afraid you have been badly misled.
>
>


Re: Unable to import Private Key

2016-12-26 Thread Damien Goutte-Gattat

On 12/26/2016 06:52 PM, Guy Wyers wrote:

> - Can I somehow recover from this? I guess that, at least theoretically,
> the public should be "derivable" from the private key?


The problem here is not that you are missing the public key (the public 
key *is* derivable from the private key, and GnuPG would automatically 
extract the public key upon importing the private key).


The problem is that you are missing the secret *primary* key to which 
this secret subkey should be attached.


If you do not have a backup of that primary key, I am not sure you will 
be able to recover.


At least with GnuPG 2.1, it should be possible to re-attach the subkey 
to a new primary key (because GnuPG 2.1 allows to "create" a key from a 
pre-existing key if you know its keygrip), *but* the newly re-attached 
key would still have a different key creation time and thus a different 
key ID... meaning that it could not be used to decrypt messages 
encrypted to the original key.




> - How did I end up with this truncated export? As far as I remember -even
> if it was long long time ago- I followed the standard instructions for
> "storing my private key in a safe place".


As far as I know, the only way to export a subkey only is to explicitly 
specify that subkey by its key ID with an appended '!', as in the 
following example:


   $ gpg2 --output backup.gpg --export-secret-keys '0xDECAFBAD!'

Otherwise, GnuPG will always export the primary key and all its subkeys.

What are those "standard instructions" you are referring to? If you were 
instructed to backup only your secret subkey instead of your entire 
private keyring, I am afraid you have been badly misled.






Re: Unable to import Private Key

2016-12-26 Thread Guy Wyers
That's what I feared looking at the output.

Now, I have two questions:
- Can I somehow recover from this? I guess that, at least theoretically,
the public should be "derivable" from the private key?
- How did I end up with this truncated export? As far as I remember -even
if it was long long time ago- I followed the standard instructions for
"storing my private key in a safe place".

Guy Wyers



On Mon, Dec 26, 2016 at 5:25 PM, Damien Goutte-Gattat <
dgouttegat...@incenp.org> wrote:

> On 12/26/2016 10:34 AM, Guy Wyers wrote:
>
>> Here is the output I get with the -vv option:
>>
>
> Your file seems to contain only a private *sub* key. I don't think GnuPG
> can import such a file (I've just tested with a similar file on my system
> with GnuPG 2.1.17, I got a similar result).
>
>


Re: Unable to import Private Key

2016-12-26 Thread Damien Goutte-Gattat

On 12/26/2016 10:34 AM, Guy Wyers wrote:

> Here is the output I get with the -vv option:


Your file seems to contain only a private *sub* key. I don't think GnuPG 
can import such a file (I've just tested with a similar file on my 
system with GnuPG 2.1.17, I got a similar result).






Re: Unable to import Private Key

2016-12-26 Thread Guy Wyers
Here is the output I get with the -vv option:

gpg: armor: BEGIN PGP PRIVATE KEY BLOCK
gpg: armor header: Version: GnuPG v2
# off=0 ctb=9d tag=7 hlen=3 plen=966
:secret sub key packet:
version 4, algo 1, created 1481270099, expires 0
pkey[0]: [2048 bits]
pkey[1]: [17 bits]
iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt:
B7A9DC9B5F3CF65E
protect count: 2883584 (182)
protect IV:  9f aa 8f 73 4b 73 60 8c 9c a3 0c 57 a8 78 d7 cc
skey[2]: [v4 protected]
keyid: F46485A39A95FE89
# off=969 ctb=89 tag=2 hlen=3 plen=287
:signature packet: algo 1, keyid B1E1E404A5BBB5FB
version 4, created 1481270099, md5len 0, sigclass 0x18
digest algo 8, begin of digest 3b fa
hashed subpkt 2 len 4 (sig created 2016-12-09)
hashed subpkt 27 len 1 (key flags: 0C)
subpkt 16 len 8 (issuer key ID B1E1E404A5BBB5FB)
data: [2048 bits]
gpg: Total number processed: 0



Guy Wyers





On Sun, Dec 25, 2016 at 9:22 PM, Robert J. Hansen 
wrote:

> > Any ideas?
>
> Try verbose mode.
>
> gpg -v --import keyfile.asc
>
> If that doesn't give you enough information, try ultra-verbose mode:
>
> gpg -vv --import keyfile.asc
>
>


Re: Unable to import Private Key

2016-12-25 Thread Robert J. Hansen
> Any ideas?

Try verbose mode.

gpg -v --import keyfile.asc

If that doesn't give you enough information, try ultra-verbose mode:

gpg -vv --import keyfile.asc




Unable to import Private Key

2016-12-24 Thread Guy Wyers
I'm using GnuPG 2.0 and I'm in a situation where I need to restore my
configuration.
I have an ascii armored export of my private key which looks like

-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v2
...
-----END PGP PRIVATE KEY BLOCK-----

When I try to import this using "gpg --import", I get:

gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

Any ideas?

Thanks