GPG Primary key selected while there is a encryption subkey




7 years ago
10 months ago


(Reporter: kanru, Unassigned)


(Blocks 1 bug)


Firefox Tracking Flags

(Not tracked)



(1 attachment)



7 years ago
A GPG public key could have multiple subkeys for signing, encrypting, etc. The mail sent from secureMail is always encrypted with the primary key which should be only used to sign and create new subkeys.

My primary secret key is stored somewhere else so I got:

 gpg: armor: BEGIN PGP MESSAGE
 gpg: armor header: Version: Crypt::OpenPGP 1.04
 :pubkey enc packet: version 3, algo 1, keyid xxxxxxxxxxxx
         data: [4096 bits]
 gpg: public key is xxxxxxxx
 gpg: secret key parts are not available
Hmm. Can you tell us what we should be doing differently in our calls to Version::Crypt::OpenPGP?

Alternatively, can you give Bugzilla an ASCII-armoured copy of only the correct key?


Comment 2

7 years ago
Seems a bug in Crypt::OpenPGP, presumably you mean, which always use the first key that has encryption capability. I guess Crypt::OpenPGP chose my primary key because it is a RSA key which Crypt::OpenPGP considered can_encrypt.

Not much to do unless Crypt::OpenPGP is fixed :(
OK :-( I'm resolving this bug WONTFIX; please feel free to reopen it if you manage to get a fix made to Crypt::OpenPGP.

Last Resolved: 7 years ago
Resolution: --- → WONTFIX

Comment 4

6 years ago
I just ran into this issue and opened an issue with upstream at

Comment 5

6 years ago
Thanks for that!
Duplicate of this bug: 905538
Violating key usage flags is WONTFIX? That's very sad and makes the OpenPGP feature useless for anyone who keeps the primary key offline. :-(
Blocks: 905543
If Crypt::OpenPGP is fundamentally broken, how about using gpg via a pipe?
And why is this WONTFIX because the bug is in upstream code? It's still a Bugzilla bug as far as Bugzilla users are concerned, so it would make sense to fix the bug even if the code needs to go in an upstream lib instead of Bugzilla itself.
I have no issue with this bug staying open; however, I think it's unlikely that in the near future I'll get a chance to redo SecureMail to use an entirely different mechanism for communicating with GPG.

Is it really not possible to "extract" the relevant key, ASCII-armour it and paste it standalone into Bugzilla?

Resolution: WONTFIX → ---
Duplicate of this bug: 988970
Gerv: I asked about this, and it's possible, but you have to jump through some nasty hoops with GPG because technically it violates the OpenPGP spec.
Posted file splitkey script
I've turned those instructions plus the RFC into this simple script, which should split out the subkeys of a given key ID. (It took ages to find the right params for the checksum...) However, when I put one of the two subkeys I have into Bugzilla, the email only contains an error from OpenPGP: "No known recipients for encryption".

I'm out of time here; perhaps someone else (Henri, or strugee) can use my script and recreate the problem? Perhaps with a test Perl script invoking the OpenPGP module?

I would like to see this moved forward, too. But I have no knowledge of the parts involved to do it myself. :/

Comment 16

11 months ago
This bug may have been resolved by the Securemail update last week. If anyone following along can verify whether it has or not, that would be very useful to know.
See Also: → 1460980

Comment 17

11 months ago
Works for me now, thanks! I guess this can get closed then?

Comment 18

11 months ago
Dylan, do you see any further work left here?
Flags: needinfo?(dylan)
Last Resolved: 7 years ago10 months ago
Flags: needinfo?(dylan)
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.