Closed Bug 790487 Opened 8 years ago Closed 2 years ago
GPG primary key selected while there is an encryption subkey
A GPG public key could have multiple subkeys for signing, encrypting, etc. The mail sent from secureMail is always encrypted with the primary key, which should only be used to sign and create new subkeys. My primary secret key is stored somewhere else, so I got:

gpg: armor: BEGIN PGP MESSAGE
gpg: armor header: Version: Crypt::OpenPGP 1.04
:pubkey enc packet: version 3, algo 1, keyid xxxxxxxxxxxx
	data: [4096 bits]
gpg: public key is xxxxxxxx
gpg: secret key parts are not available
Hmm. Can you tell us what we should be doing differently in our calls to Version::Crypt::OpenPGP? Alternatively, can you give Bugzilla an ASCII-armoured copy of only the correct key? Gerv
Seems to be a bug in Crypt::OpenPGP (presumably you mean http://search.cpan.org/~btrott/Crypt-OpenPGP-1.06/lib/Crypt/OpenPGP.pm), which always uses the first key that has encryption capability. I guess Crypt::OpenPGP chose my primary key because it is an RSA key, which Crypt::OpenPGP considers can_encrypt. Not much to do unless Crypt::OpenPGP is fixed :(
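The distinction the two comments above turn on is "algorithm can encrypt" versus "key flags say this key is for encryption". The following is an added example, not code from Bugzilla, SecureMail or Crypt::OpenPGP: a minimal RFC 4880 packet walker that reads the key-flags subpacket (type 27) from the self-signature following each key or subkey, and then shows both selection rules side by side. The sample key block is constructed inline with dummy MPIs and an unverifiable signature; the key IDs it prints are derived from that fake material and mean nothing outside this script.

```python
"""Pick an OpenPGP encryption key by key flags, not by algorithm alone."""
import hashlib

KEY_FLAGS_SUBPACKET = 27
FLAG_ENCRYPT = 0x04 | 0x08                 # encrypt communications / storage
ENCRYPTION_CAPABLE_ALGOS = {1, 2, 16, 18}  # RSA, RSA-E, Elgamal, ECDH


def _read_length(buf, pos, subpacket=False):
    """Variable-length octet count (RFC 4880 4.2.2 for packets, 5.2.3.1 for subpackets)."""
    o1 = buf[pos]
    if o1 < 192:
        return o1, pos + 1
    if o1 <= (254 if subpacket else 223):
        return ((o1 - 192) << 8) + buf[pos + 1] + 192, pos + 2
    if o1 == 255:
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5
    raise ValueError("partial body lengths are not supported here")


def iter_packets(data):
    """Yield (tag, body) for each packet in a binary (dearmored) key block."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                                   # new-format header
            tag = hdr & 0x3F
            length, pos = _read_length(data, pos + 1)
        else:                                            # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
            pos += 1 + size
        yield tag, data[pos:pos + length]
        pos += length


def parse_key(body):
    """Return (algorithm id, 64-bit key ID) for a v4 public key/subkey body."""
    if body[0] != 4:
        raise ValueError("only v4 keys handled")
    fpr = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()
    return body[5], fpr[-8:].hex().upper()


def key_flags_from_signature(body):
    """Key-flags octet from a v4 signature's hashed subpackets, or None if absent."""
    if body[0] != 4:
        return None
    pos, end = 6, 6 + int.from_bytes(body[4:6], "big")
    while pos < end:
        length, pos = _read_length(body, pos, subpacket=True)
        if body[pos] & 0x7F == KEY_FLAGS_SUBPACKET:      # top bit = "critical"
            return body[pos + 1]
        pos += length
    return None


def parse_keyring(data):
    """List keys/subkeys (tags 6/14) with flags from the signature that follows each."""
    keys = []
    for tag, body in iter_packets(data):
        if tag in (6, 14):
            algo, key_id = parse_key(body)
            keys.append({"algo": algo, "key_id": key_id, "flags": None, "primary": tag == 6})
        elif tag == 2 and keys and keys[-1]["flags"] is None:
            keys[-1]["flags"] = key_flags_from_signature(body)
    return keys


def select_by_algorithm(keys):
    """The behaviour reported above: first key whose algorithm can encrypt."""
    return next((k["key_id"] for k in keys if k["algo"] in ENCRYPTION_CAPABLE_ALGOS), None)


def select_by_key_flags(keys):
    """Honour key flags: first encryption-capable key actually marked for encryption."""
    return next((k["key_id"] for k in keys
                 if k["flags"] is not None and k["flags"] & FLAG_ENCRYPT
                 and k["algo"] in ENCRYPTION_CAPABLE_ALGOS), None)


# --- constructed sample key block (fake MPIs, dummy signature; not a real key) ---
def _packet(tag, body):                      # old-format header, 2-octet length
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body

def _mpi(v):
    return v.bit_length().to_bytes(2, "big") + v.to_bytes((v.bit_length() + 7) // 8, "big")

def _key_packet(tag, algo, n, e):
    return _packet(tag, b"\x04" + (1600000000).to_bytes(4, "big") + bytes([algo]) + _mpi(n) + _mpi(e))

def _sig_packet(sig_type, flags):            # only a key-flags subpacket, dummy MPI
    sub = bytes([2, KEY_FLAGS_SUBPACKET, flags])
    return _packet(2, b"\x04" + bytes([sig_type, 1, 8]) + len(sub).to_bytes(2, "big") + sub
                   + b"\x00\x00" + b"\xab\xcd" + _mpi(1))

SAMPLE_KEY = (_key_packet(6, 1, 0xC0FFEE, 65537)             # RSA primary
              + _packet(13, b"Test User <test@example.invalid>")
              + _sig_packet(0x13, 0x03)                       # certify + sign only
              + _key_packet(14, 1, 0xBADF00D, 65537)          # RSA subkey
              + _sig_packet(0x18, 0x0C))                      # encrypt comms + storage

if __name__ == "__main__":
    keys = parse_keyring(SAMPLE_KEY)
    for k in keys:
        print(("primary" if k["primary"] else "subkey "), k["key_id"], "algo", k["algo"], "flags", hex(k["flags"] or 0))
    print("first encryption-capable algorithm:", select_by_algorithm(keys))
    print("by key flags:                      ", select_by_key_flags(keys))
```

Run against the constructed block, the algorithm-only rule returns the RSA primary and the flag-aware rule returns the subkey, which is exactly the gap the reporter hit. The parser here reads flags without checking the binding signature; an implementation that makes the decision for real must verify that signature first, otherwise an unsigned key-flags subpacket could steer encryption to a key of the attacker's choosing.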
OK :-( I'm resolving this bug WONTFIX; please feel free to reopen it if you manage to get a fix made to Crypt::OpenPGP. Gerv
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
I just ran into this issue and opened an issue with upstream at https://github.com/btrott/Crypt-OpenPGP/issues/9
Thanks for that!
Violating key usage flags is WONTFIX? That's very sad and makes the OpenPGP feature useless for anyone who keeps the primary key offline. :-(
If Crypt::OpenPGP is fundamentally broken, how about using gpg via a pipe?
And why is this WONTFIX because the bug is in upstream code? It's still a Bugzilla bug as far as Bugzilla users are concerned, so it would make sense to fix the bug even if the code needs to go in an upstream lib instead of Bugzilla itself.
I have no issue with this bug staying open; however, I think it's unlikely that in the near future I'll get a chance to redo SecureMail to use an entirely different mechanism for communicating with GPG. Is it really not possible to "extract" the relevant key, ASCII-armour it and paste it standalone into Bugzilla? Gerv
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Gerv: I asked about this, and it's possible, but you have to jump through some nasty hoops with GPG because technically it violates the OpenPGP spec. http://security.stackexchange.com/q/74067/9571
I've turned those instructions plus the RFC into this simple script, which should split out the subkeys of a given key ID. (It took ages to find the right params for the checksum...) However, when I put one of the two subkeys I have into Bugzilla, the email only contains an error from OpenPGP: "No known recipients for encryption". I'm out of time here; perhaps someone else (Henri, or strugee) can use my script and recreate the problem? Perhaps with a test Perl script invoking the OpenPGP module? Gerv
I would like to see this moved forward, too. But I have no knowledge of the parts involved to do it myself. :/
This bug may have been resolved by the Securemail update last week. If anyone following along can verify whether it has or not, that would be very useful to know.
See Also: → 1460980
Works for me now, thanks! I guess this can get closed then?
Dylan, do you see any further work left here?
Status: REOPENED → RESOLVED
Closed: 8 years ago → 2 years ago
Resolution: --- → FIXED