Closed Bug 790487 Opened 8 years ago Closed 2 years ago

GPG Primary key selected while there is an encryption subkey

Categories

(bugzilla.mozilla.org :: Extensions, defect)

Production
x86_64
Linux
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: kanru, Unassigned)

References

(Blocks 1 open bug)

Attachments

(1 file)

A GPG public key could have multiple subkeys for signing, encrypting, etc. The mail sent from secureMail is always encrypted with the primary key, which should only be used to sign and create new subkeys.

My primary secret key is stored somewhere else so I got:

 gpg: armor: BEGIN PGP MESSAGE
 gpg: armor header: Version: Crypt::OpenPGP 1.04
 :pubkey enc packet: version 3, algo 1, keyid xxxxxxxxxxxx
         data: [4096 bits]
 gpg: public key is xxxxxxxx
 gpg: secret key parts are not available

Hmm. Can you tell us what we should be doing differently in our calls to Version::Crypt::OpenPGP?

Alternatively, can you give Bugzilla an ASCII-armoured copy of only the correct key?

Gerv

Seems a bug in Crypt::OpenPGP, presumably you mean http://search.cpan.org/~btrott/Crypt-OpenPGP-1.06/lib/Crypt/OpenPGP.pm, which always uses the first key that has encryption capability. I guess Crypt::OpenPGP chose my primary key because it is an RSA key which Crypt::OpenPGP considered can_encrypt.

Not much to do unless Crypt::OpenPGP is fixed :(
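To make the selection rule discussed above concrete, here is an added Python example that is not part of Bugzilla, SecureMail or Crypt::OpenPGP. It parses a constructed toy OpenPGP keyring (RFC 4880 packet layout, tiny key material, all helper names hypothetical) and contrasts picking the first key whose algorithm can encrypt with picking the first key whose key-flags subpacket permits encryption.

```python
import hashlib

PUBKEY, SUBKEY, SIG, KEY_FLAGS = 6, 14, 2, 27   # RFC 4880 packet / subpacket tags
ENCRYPT_ALGOS = {1, 2, 16, 18}                  # RSA, RSA encrypt-only, ElGamal, ECDH
FLAG_ENCRYPT = 0x04 | 0x08                      # encrypt communications | encrypt storage

def packets(data):
    """Yield (tag, body) for old-format packet headers (length types 0-2)."""
    i = 0
    while i < len(data):
        tag, n = (data[i] >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[data[i] & 0x03]
        length = int.from_bytes(data[i + 1:i + 1 + n], "big")
        i += 1 + n
        yield tag, data[i:i + length]
        i += length

def key_id(body):
    """v4 key ID: low 64 bits of SHA-1(0x99 || 2-byte length || key body)."""
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest()[-16:].upper()

def key_flags(sig):
    """Key-flags byte from a v4 signature's hashed subpackets (0 if absent)."""
    i, end = 6, 6 + int.from_bytes(sig[4:6], "big")
    while i < end:
        n, t = sig[i], sig[i + 1]               # one-octet subpacket lengths only
        if t == KEY_FLAGS:
            return sig[i + 2]
        i += 1 + n
    return 0

def parse_keys(data):
    """[(kind, keyid, algo, flags)]; flags come from the signature following each key."""
    keys = []
    for tag, body in packets(data):
        if tag in (PUBKEY, SUBKEY):
            keys.append(["primary" if tag == PUBKEY else "subkey", key_id(body), body[5], 0])
        elif tag == SIG and keys:
            keys[-1][3] |= key_flags(body)
    return [tuple(k) for k in keys]

def first_by_algorithm(keys):    # behaviour described in the bug: algorithm "can encrypt"
    return next((k for k in keys if k[2] in ENCRYPT_ALGOS), None)

def first_by_usage_flags(keys):  # honours the key usage flags instead
    return next((k for k in keys if k[3] & FLAG_ENCRYPT), None)

def _key(tag, n):  # constructed toy v4 RSA key packet: 8-bit modulus, e = 65537
    body = b"\x04" + bytes(4) + b"\x01" + b"\x00\x08" + bytes([n]) + b"\x00\x11\x01\x00\x01"
    return bytes([0x80 | tag << 2 | 1]) + len(body).to_bytes(2, "big") + body

def _sig(sigtype, flags):  # constructed v4 signature whose only hashed subpacket is key flags
    sub = bytes([2, KEY_FLAGS, flags])
    body = bytes([4, sigtype, 1, 8, 0, len(sub)]) + sub + bytes(2) + b"\xab\xcd" + b"\x00\x08\xff"
    return bytes([0x80 | SIG << 2 | 1]) + len(body).to_bytes(2, "big") + body

# Constructed keyring in the reporter's layout: primary certify+sign (0x03), subkey encrypt (0x0C).
KEYRING = _key(PUBKEY, 0xC5) + _sig(0x13, 0x03) + _key(SUBKEY, 0xD7) + _sig(0x18, 0x0C)
```

On this keyring `first_by_algorithm` returns the primary key (the reported failure, since both keys are RSA) while `first_by_usage_flags` returns the subkey.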

OK :-( I'm resolving this bug WONTFIX; please feel free to reopen it if you manage to get a fix made to Crypt::OpenPGP.

Gerv
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX

I just ran into this issue and opened an issue with upstream at https://github.com/btrott/Crypt-OpenPGP/issues/9
Thanks for that!
Duplicate of this bug: 905538

Violating key usage flags is WONTFIX? That's very sad and makes the OpenPGP feature useless for anyone who keeps the primary key offline. :-(
Blocks: 905543

If Crypt::OpenPGP is fundamentally broken, how about using gpg via a pipe?
And why is this WONTFIX because the bug is in upstream code? It's still a Bugzilla bug as far as Bugzilla users are concerned, so it would make sense to fix the bug even if the code needs to go in an upstream lib instead of Bugzilla itself.

I have no issue with this bug staying open; however, I think it's unlikely that in the near future I'll get a chance to redo SecureMail to use an entirely different mechanism for communicating with GPG.

Is it really not possible to "extract" the relevant key, ASCII-armour it and paste it standalone into Bugzilla?

Gerv
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Duplicate of this bug: 988970
Duplicate of this bug: 1059720

Gerv: I asked about this, and it's possible, but you have to jump through some nasty hoops with GPG because technically it violates the OpenPGP spec.

http://security.stackexchange.com/q/74067/9571

Attached file splitkey script

I've turned those instructions plus the RFC into this simple script, which should split out the subkeys of a given key ID. (It took ages to find the right params for the checksum...) However, when I put one of the two subkeys I have into Bugzilla, the email only contains an error from OpenPGP: "No known recipients for encryption".

I'm out of time here; perhaps someone else (Henri, or strugee) can use my script and recreate the problem? Perhaps with a test Perl script invoking the OpenPGP module?

Gerv

I would like to see this moved forward, too. But I have no knowledge of the parts involved to do it myself. :/

This bug may have been resolved by the Securemail update last week. If anyone following along can verify whether it has or not, that would be very useful to know.
See Also: → 1460980

Works for me now, thanks! I guess this can get closed then?

Dylan, do you see any further work left here?
Flags: needinfo?(dylan)
Status: REOPENED → RESOLVED
Closed: 8 years ago → 2 years ago
Flags: needinfo?(dylan)
Resolution: --- → FIXED
Component: Extensions: SecureMail → Extensions