Re: export-filter question or bug
On Tue, 23 Feb 2021 13:37, Erich Eckner said:

> What am I doing wrong? Or is there something special about this key?

Nothing. It is an interesting case. Let's have a look at the key exported
without any options (listing slightly edited):

  $ gpg --show-keys --with-sig-check c.pub
  pub   rsa4096 2017-06-23 [SC] [expires: 2021-12-31]
        2E29129B8C684FE7A959C422714A1770ECE2DF62
  uid           [...]
  sig 3        714A1770ECE2DF62 2021-01-25  [...]
  uid           [...]
  sig 3        714A1770ECE2DF62 2017-06-23  [...]
  sub   rsa4096 2017-06-23 [S] [expires: 2021-12-31]
        FD45993ACA052203886D618205CDEE5C356A46AD
  sig          714A1770ECE2DF62 2021-01-25  [...]

What we see is a key with two user ids. The self-signatures binding the
user ids to the key carry important information, for example the
expiration date. If we look closely at the self-signatures using
--list-packets we see:

  :user ID packet: "[...]"
  :signature packet: algo 1, keyid 714A1770ECE2DF62
        version 4, created 1498203061, md5len 0, sigclass 0x13
        [...]
        hashed subpkt 9 len 4 (key expires after 2y0d0h0m)
        [...]

Adding this expiration value to the key creation time yields 2019-06-17
and thus the key would be expired.

  :user ID packet: "[...]"
  :signature packet: algo 1, keyid 714A1770ECE2DF62
        version 4, created 1611599717, md5len 0, sigclass 0x13
        [...]
        hashed subpkt 9 len 4 (key expires after 4y192d3h29m)
        [...]

Adding this expiration value to the key creation time yields 2021-12-31
and thus the key would be valid. The actually used key expiration date
is the latest one seen in user id self-signatures, thus in our case
2021-12-31.

Now if we export just one user id as done by gpg-wks-client

  gpg --no-options -v --batch --status-fd=2 --always-trust --armor \
      --export-options=export-minimal \
      --export-filter 'keep-uid=mbox= buildmas...@archlinux32.org' \
      --export -- 2E29129B8C684FE7A959C422714A1770ECE2DF62

we get a key with the buildmaster@ user id and thus the latest
expiration date is 2019-06-17. This is because the other user id and
its self-signature have been stripped.
Sure, this could be considered a bug in export-minimal but fixing this
would require creating a new self-signature for the exported user id,
which then requires the private key and would confuse even more. I am
not sure how to solve it but it needs to be solved at least for
gpg-wks-client. See https://dev.gnupg.org/T5323

You may simply want to change the expiration date of the key which, in
contrast to "adduid", updates all self-signatures.

Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
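The expiration rule Werner describes (the most recently created user ID self-signature decides, and an export filter that drops a user ID also drops its self-signature) worked through as an added example; this is not code from the thread or from GnuPG. It parses a constructed --list-packets excerpt modelled on the one quoted above (placeholder user ID strings, the thread's timestamps and durations) and reproduces the two dates seen in the --show-keys listings, the full key versus the buildmaster-only export.

```python
import re
from datetime import datetime, timezone

# Constructed --list-packets excerpt modelled on the one quoted above: the user
# ID strings are placeholders, the timestamps and durations are from the thread.
LIST_PACKETS = """\
:user ID packet: "buildmaster <buildmaster@example.invalid>"
:signature packet: algo 1, keyid 714A1770ECE2DF62
\tversion 4, created 1498203061, md5len 0, sigclass 0x13
\thashed subpkt 9 len 4 (key expires after 2y0d0h0m)
:user ID packet: "repository signing key <repo@example.invalid>"
:signature packet: algo 1, keyid 714A1770ECE2DF62
\tversion 4, created 1611599717, md5len 0, sigclass 0x13
\thashed subpkt 9 len 4 (key expires after 4y192d3h29m)
"""

KEY_CREATED = 1498203061  # primary key creation time (assumed = first self-sig time)

UNITS = {"y": 365 * 86400, "d": 86400, "h": 3600, "m": 60}

def duration_seconds(text):
    """Convert gpg's 'NyNdNhNm' notation to seconds (gpg counts a year as 365 days)."""
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([ydhm])", text))

def parse_self_sigs(dump):
    """Map each user ID to (self-sig creation time, 'key expires after' seconds or None)."""
    sigs, uid = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith(":user ID packet:"):
            uid = line.split('"')[1]
        elif line.startswith(":") and not line.startswith(":signature packet:"):
            uid = None                      # subkey packets etc.: their sigs are not UID self-sigs
        elif uid and line.startswith("version 4, created") and re.search(r"sigclass 0x1[0-3]", line):
            created = int(re.search(r"created (\d+)", line).group(1))
            sigs[uid] = [created, None]     # no subpkt 9 -> this self-sig says "never expires"
        elif uid in sigs and "key expires after" in line:
            sigs[uid][1] = duration_seconds(line.split("after ")[1].rstrip(")"))
    return {u: tuple(v) for u, v in sigs.items()}

def effective_expiry(sigs, keep_uids=None):
    """Expiry gpg derives from the most recently created UID self-signature among the
    user IDs left after an export filter (keep_uids=None keeps all of them)."""
    kept = {u: v for u, v in sigs.items() if keep_uids is None or u in keep_uids}
    _, expires_after = max(kept.values(), key=lambda v: v[0])
    if expires_after is None:
        return None
    return datetime.fromtimestamp(KEY_CREATED + expires_after, tz=timezone.utc).date().isoformat()
```

Calling effective_expiry(parse_self_sigs(LIST_PACKETS)) gives 2021-12-31, while restricting keep_uids to the buildmaster user ID gives 2019-06-23, the date the expired export shows.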
Re: export-filter question or bug
Hi,

I wanted to ask for help regarding this wkd-key-installation issue I had,
once more. Whichever way I try, I always end up with an expired key being
installed into wkd, although the key file looks all right to me:

  $ gpg --show-keys --with-wkd-hash $tmp_dir/key
  pub   rsa4096 2017-06-23 [SC] [expires: 2021-12-31]
        2E29129B8C684FE7A959C422714A1770ECE2DF62
  uid           archlinux32 repository signing key
                5s69opjiwx4q8z87mmkdaiiyizf5j...@archlinux32.org
  uid           buildmaster
                z4eyw18p7a9p7c9owm78fj93mqkks...@archlinux32.org
  sub   rsa4096 2017-06-23 [S] [expires: 2021-12-31]

  $ /usr/lib/gnupg/gpg-wks-client -C . --install-key "$tmp_dir/key" buildmas...@archlinux32.org
  gpg-wks-client: key 2E29129B8C684FE7A959C422714A1770ECE2DF62 published for 'buildmas...@archlinux32.org'

  $ gpg --show-keys archlinux32.org/hu/z4eyw18p7a9p7c9owm78fj93mqkks6q3
  pub   rsa4096 2017-06-23 [SC] [expired: 2019-06-23]
        2E29129B8C684FE7A959C422714A1770ECE2DF62
  uid           buildmaster
  sub   rsa4096 2017-06-23 [S] [expired: 2021-12-31]

Instead of `gpg-wks-client --install-key`, I also tried `gpg-wks-server
--install-key` and `gpg --export --export-filter keep-uid="uid=buildmaster "`.

What am I doing wrong? Or is there something special about this key?
The key can be found here:
https://archlinux32.org/keys.php?k=2E29129B8C684FE7A959C422714A1770ECE2DF62

regards,
Erich
Re: export-filter question or bug
On Fri, 12 Feb 2021, Werner Koch wrote:

> On Fri, 12 Feb 2021 11:44, Erich Eckner said:
>
>> $GPG --export --export-filter keep-uid="mbox = $mbox" $fpr
>
> gpg-wks-client does something similar but using "uid =" with a
> pre-checked UID in an import filter. It also uses
> import-options=import-export to process the keyblock without actually
> importing it.

Changing to "uid = ..." filter yields the same result. Same for adding
"--import-options=import-export". But I'm also confused why
--import-options should be relevant when exporting a key :-/

>> $GPG --export --export-filter keep-uid="mbox = buildmas...@archlinux32.org" 2E29129B8C684FE7A959C422714A1770ECE2DF62 | gpg
>
> You should use | gpg --show-keys

ok, noted.

>> pub   rsa4096 2017-06-23 [SC] [expired: 2019-06-23]
>>       2E29129B8C684FE7A959C422714A1770ECE2DF62
>> uid           buildmaster
>> sub   rsa4096 2017-06-23 [S] [expired: 2021-12-31]
>>
>> (note the expired pub, thus the whole key is considered expired)
>
> Please try with --show-keys instead of using the default action.

Makes no difference.

>> This is not usable for wkd for me, because it contains all uids (of
>> course).
>
> I am curious why you don't use gpg-wks-client for example with the
> --install-key command.

Well, for multiple reasons: First, it's not in $PATH, so I didn't see it,
when 'ing ;-)

Now that I played around with gpg-wks-client, I cannot find a --homedir
option to set the homedir of the keyring (I do not want to fill the wks's
user keyring with all the installed keys). Assuming I have the key in the
gpg directory in $tmp_dir, what's the best way to get gpg-wks-client to
read it from there?
Only way I found is exporting into a temporary file:

  $GPG --export 2E29129B8C684FE7A959C422714A1770ECE2DF62 > "$tmp_dir/key"
  gpg-wks-server --install-key "$tmp_dir/key" buildmas...@archlinux32.org

Interesting thing: This also installs an expired key, while "$tmp_dir/key"
looks ok:

  $ gpg --show-keys < "$tmp_dir/key"
  pub   rsa4096 2017-06-23 [SC] [expires: 2021-12-31]
        2E29129B8C684FE7A959C422714A1770ECE2DF62
  uid           archlinux32 repository signing key
  uid           buildmaster
  sub   rsa4096 2017-06-23 [S] [expires: 2021-12-31]

  $ gpg --show-keys < archlinux32.org/hu/z4eyw18p7a9p7c9owm78fj93mqkks6q3
  pub   rsa4096 2017-06-23 [SC] [expired: 2019-06-23]
        2E29129B8C684FE7A959C422714A1770ECE2DF62
  uid           buildmaster
  sub   rsa4096 2017-06-23 [S] [expired: 2021-12-31]

Ah, yet another question: The difference between `gpg-wks-client
--install-key ...` and `gpg-wks-server --install-key ...` is quite opaque
to me: With gpg-wks-client, I need to add "-C .", else it tries in
openpgp/, but besides that, the options and result look rather identical
to me.
> Salam-Shalom,
>
>    Werner

regards,
Erich
Re: export-filter question or bug
On Fri, 12 Feb 2021 11:44, Erich Eckner said:

> $GPG --export --export-filter keep-uid="mbox = $mbox" $fpr

gpg-wks-client does something similar but using "uid =" with a
pre-checked UID in an import filter. It also uses
import-options=import-export to process the keyblock without actually
importing it.

> $GPG --export --export-filter keep-uid="mbox =
> buildmas...@archlinux32.org" 2E29129B8C684FE7A959C422714A1770ECE2DF62
> | gpg

You should use | gpg --show-keys

> pub   rsa4096 2017-06-23 [SC] [expired: 2019-06-23]
>       2E29129B8C684FE7A959C422714A1770ECE2DF62
> uid           buildmaster
> sub   rsa4096 2017-06-23 [S] [expired: 2021-12-31]
>
> (note the expired pub, thus the whole key is considered expired)

Please try with --show-keys instead of using the default action.

> This is not usable for wkd for me, because it contains all uids (of
> course).

I am curious why you don't use gpg-wks-client for example with the
--install-key command.

Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
export-filter question or bug
Hi,

I'm using the following command to export keys for wkd:

  $GPG --export --export-filter keep-uid="mbox = $mbox" $fpr

However, this creates funny results for the key for
buildmas...@archlinux32.org which is downloadable here:
https://archlinux32.org/keys.php?k=2E29129B8C684FE7A959C422714A1770ECE2DF62

Is my filtering wrong or is this some bug in gpg?

To reproduce the issue, run:

  tmp_dir=$(mktemp -d)
  GPG='gpg --homedir '"$tmp_dir"
  curl 'https://archlinux32.org/keys.php?k=2E29129B8C684FE7A959C422714A1770ECE2DF62' | $GPG --import
  $GPG --export --export-filter keep-uid="mbox = buildmas...@archlinux32.org" 2E29129B8C684FE7A959C422714A1770ECE2DF62 | gpg

this gives:

  pub   rsa4096 2017-06-23 [SC] [expired: 2019-06-23]
        2E29129B8C684FE7A959C422714A1770ECE2DF62
  uid           buildmaster
  sub   rsa4096 2017-06-23 [S] [expired: 2021-12-31]

(note the expired pub, thus the whole key is considered expired)

However, skipping the --export-filter:

  $GPG --export 2E29129B8C684FE7A959C422714A1770ECE2DF62 | gpg

gives the correct expiration:

  pub   rsa4096 2017-06-23 [SC] [expires: 2021-12-31]
        2E29129B8C684FE7A959C422714A1770ECE2DF62
  uid           buildmaster
  uid           archlinux32 repository signing key
  sub   rsa4096 2017-06-23 [S] [expires: 2021-12-31]

This is not usable for wkd for me, because it contains all uids (of
course).
Thanks in advance,
Erich