Different result of scan_keys for gpg versions

Issue #86 invalid
Anonymous created an issue

Hello, we ran into an issue with scanning a secret key with different versions of GNUPG. The same key is reported as public on one machine and as secret on another.

Trace 1:

In [1]: gpg.version
Out[1]: (2, 2, 0)
In [2]: gpg.scan_keys('key3_priv.pgp')
Out[2]: 
[{'algo': u'1',
  'date': u'1451901287',
  'dummy': u'',
  'expires': u'',
  'fingerprint': u'FFE8D916133A4E750DF970052A4695B2E121B776',
  'keyid': u'2A4695B2E121B776',
  'length': u'2048',
  'ownertrust': u'-',
  'sig': u'',
  'sigs': [],
  'subkeys': [],
  'trust': u'-',
  'type': u'pub',
  'uids': [u'']}]

Trace 2:

In [1]: gpg.version
Out[1]: (1, 4, 20)

In [2]: gpg.scan_keys('key3_priv.pgp')
Out[2]: 
[{'algo': u'1',
  'date': u'2016-01-04',
  'dummy': u'',
  'expires': u'',
  'fingerprint': u'FFE8D916133A4E750DF970052A4695B2E121B776',
  'keyid': u'2A4695B2E121B776',
  'length': u'2048',
  'ownertrust': u'',
  'subkeys': [],
  'trust': u'',
  'type': u'sec',
  'uids': []}]

Comments (4)

  1. Tomas Pazderka
    $ gpg --version
    gpg (GnuPG) 2.2.1
    libgcrypt 1.7.9
    Copyright (C) 2017 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    Home: /home/tomas/.gnupg
    Supported algorithms:
    Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
    Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
            CAMELLIA128, CAMELLIA192, CAMELLIA256
    Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
    Compression: Uncompressed, ZIP, ZLIB, BZIP2
    
    $ gpg --dry-run --import-options import-show --import /home/tomas/Git/nicauth/nicauth/tests/data/key3_priv.pgp
    pub   rsa2048 2016-01-04 [SCEA]
          FFE8D916133A4E750DF970052A4695B2E121B776
    uid                      
    
    gpg: key 2A4695B2E121B776: failed to re-lookup public key
    gpg: Total number processed: 1
    gpg:       secret keys read: 1
    
  2. Vinay Sajip repo owner

    Note that although gpg 2.2.1 says it read a secret key, it displays "pub" on the line.

    I set up a simple script, testscan.py:

    import logging
    import os
    import pprint
    import sys
    
    from gnupg import GPG
    
    def main():
        # GPGBINARY selects which gpg build to exercise (defaults to the one on PATH)
        gpg = os.environ.get('GPGBINARY', 'gpg')
        g = GPG(gnupghome='keys', gpgbinary=gpg)
        print(g.version)
        keys = g.scan_keys('key3_priv.pgp')
        pprint.pprint(keys)
        return 0
    
    if __name__ == '__main__':
        # Debug-level log of every gpg invocation and its output goes to testscan.log
        logging.basicConfig(level=logging.DEBUG, filename='testscan.log',
                            filemode='w', format='%(message)s')
        try:
            rc = main()
        except Exception as e:
            import traceback
            print('Failed: %s' % e)
            traceback.print_exc()
            rc = 1
        sys.exit(rc)
    

    The run with gpg 1.X:

    $ python testscan.py
    (1, 4, 20)
    [{'algo': u'1',
      'date': u'1451901287',
      'dummy': u'',
      'expires': u'',
      'fingerprint': u'FFE8D916133A4E750DF970052A4695B2E121B776',
      'keyid': u'2A4695B2E121B776',
      'length': u'2048',
      'ownertrust': u'',
      'sig': u'',
      'sigs': [],
      'subkeys': [],
      'trust': u'',
      'type': u'sec',
      'uids': []}]
    

    The log:

    8661: gpg --status-fd 2 --no-tty --debug ipc --fixed-list-mode --batch --with-colons --homedir keys --version
    stderr reader: <Thread(Thread-1, initial daemon)>
    stdout reader: <Thread(Thread-2, initial daemon)>
    gpg: NOTE: no default option file `keys/gpg.conf'
    chunk: 'gpg (GnuPG) 1.4.20\nCopyright (C) 2015 Free Software Foundation, Inc.\nLicense GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>\nThis is free software: you are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permit'
    Trying to list packets, but if the file is not a keyring, might accidentally decrypt
    8664: gpg --status-fd 2 --no-tty --debug ipc --fixed-list-mode --batch --with-colons --homedir keys --with-fingerprint --with-colons --fixed-list-mode key3_priv.pgp
    stderr reader: <Thread(Thread-3, initial daemon)>
    stdout reader: <Thread(Thread-4, initial daemon)>
    gpg: NOTE: no default option file `keys/gpg.conf'
    chunk: 'sec::2048:1:2A4695B2E121B776:1451901287:::::\nfpr:::::::::FFE8D916133A4E750DF970052A4695B2E121B776:\n'
    line: u'sec::2048:1:2A4695B2E121B776:1451901287:::::'
    line: u'fpr:::::::::FFE8D916133A4E750DF970052A4695B2E121B776:'
    

    Note the lines beginning with line: these are used to interpret the key as a secret key (the sec at the start).

    Now the run with 2.x:

    LD_LIBRARY_PATH=$HOME/tmp/lib GPGBINARY=$HOME/tmp/bin/gpg python testscan.py
    (2, 2, 1)
    [{'algo': u'1',
      'date': u'1451901287',
      'dummy': u'',
      'expires': u'',
      'fingerprint': u'FFE8D916133A4E750DF970052A4695B2E121B776',
      'keyid': u'2A4695B2E121B776',
      'length': u'2048',
      'ownertrust': u'-',
      'sig': u'',
      'sigs': [],
      'subkeys': [],
      'trust': u'-',
      'type': u'pub',
      'uids': [u'']}]
    

    The log:

    8699: /home/vinay/tmp/bin/gpg --status-fd 2 --no-tty --debug ipc --fixed-list-mode --batch --with-colons --homedir keys --version
    stderr reader: <Thread(Thread-1, initial daemon)>
    stdout reader: <Thread(Thread-2, initial daemon)>
    gpg: Note: no default option file '/home/vinay/projects/scratch/keys/gpg.conf'
    chunk: 'gpg (GnuPG) 2.2.1\nlibgcrypt 1.8.1\nCopyright (C) 2017 Free Software Foundation, Inc.\nLicense GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>\nThis is free software: you are free to change and redistribute it.\nThere is NO WARRANTY, to t'
    8702: /home/vinay/tmp/bin/gpg --status-fd 2 --no-tty --debug ipc --fixed-list-mode --batch --with-colons --homedir keys --dry-run --import-options import-show --import key3_priv.pgp
    stderr reader: <Thread(Thread-3, initial daemon)>
    gpg: Note: no default option file '/home/vinay/projects/scratch/keys/gpg.conf'
    gpg: enabled debug flags: ipc
    stdout reader: <Thread(Thread-4, initial daemon)>
    gpg: key 2A4695B2E121B776: failed to re-lookup public key
    chunk: 'pub:-:2048:1:2A4695B2E121B776:1451901287:::-:::escaESCA::::::23::0:\nfpr:::::::::FFE8D916133A4E750DF970052A4695B2E121B776:\nuid:-::::1451901287::9C1185A5C5E9FC54612808977EE8F548B2258D31::::::::::::0:\n'
    gpg: Total number processed: 1
    gpg:       secret keys read: 1
    [GNUPG:] IMPORT_RES 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0
    gpg: secmem usage: 0/32768 bytes in 0 blocks
    line: u'pub:-:2048:1:2A4695B2E121B776:1451901287:::-:::escaESCA::::::23::0:'
    line: u'fpr:::::::::FFE8D916133A4E750DF970052A4695B2E121B776:'
    line: u'uid:-::::1451901287::9C1185A5C5E9FC54612808977EE8F548B2258D31::::::::::::0:'
    

    Note the lines beginning with line: these are used to interpret the key as a public key (the pub at the start).

    Also, your key appears to have been created using Bouncy Castle C# libraries (the Version: BCPG C# v1.6.1.0 in the key file indicates this). This might be the reason for your problem. See this page for more details.
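An added example, not code from python-gnupg or from either commenter: a small parser for the `line:` records and the `IMPORT_RES` status line captured in the logs above. It shows mechanically why the two gpg versions lead `scan_keys` to different `type` values (gpg 1.x lists the file directly and prints `sec`; gpg 2.x goes through `--dry-run --import-options import-show --import`, which prints `pub` for the key even though it read a secret key) and how a caller can still tell that `key3_priv.pgp` carries secret material by reading the `sec_read` counter of `IMPORT_RES`. The column orders for the `pub`/`sec` record and for `IMPORT_RES` are taken from GnuPG's doc/DETAILS; the sample inputs are copied from the log output in this comment and are labelled as constructed. It assumes the caller has the raw stdout and status (stderr) text of the gpg run.

```python
# Added example (not python-gnupg's own code): parse the two captured listings and
# the IMPORT_RES status line to work out whether a key file carries secret material.

# Constructed sample input, copied from the "line:" and status entries in the logs above.
GPG1_LISTING = (
    "sec::2048:1:2A4695B2E121B776:1451901287:::::\n"
    "fpr:::::::::FFE8D916133A4E750DF970052A4695B2E121B776:\n"
)
GPG2_LISTING = (
    "pub:-:2048:1:2A4695B2E121B776:1451901287:::-:::escaESCA::::::23::0:\n"
    "fpr:::::::::FFE8D916133A4E750DF970052A4695B2E121B776:\n"
    "uid:-::::1451901287::9C1185A5C5E9FC54612808977EE8F548B2258D31::::::::::::0:\n"
)
GPG2_STATUS = (
    "gpg: key 2A4695B2E121B776: failed to re-lookup public key\n"
    "[GNUPG:] IMPORT_RES 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0\n"
)

# Leading columns of a pub/sec record in --with-colons output (GnuPG doc/DETAILS).
KEY_FIELDS = ('type', 'trust', 'length', 'algo', 'keyid', 'date', 'expires',
              'dummy', 'ownertrust', 'uid', 'sig', 'cap')

# Counters of the IMPORT_RES status line, in the order gpg emits them (doc/DETAILS).
IMPORT_RES_FIELDS = ('count', 'no_user_id', 'imported', 'imported_rsa', 'unchanged',
                     'n_uids', 'n_subk', 'n_sigs', 'n_revoc', 'sec_read',
                     'sec_imported', 'sec_dups', 'skipped_new_keys',
                     'not_imported', 'skipped_v3_keys')


def parse_colons(listing):
    """Turn --with-colons output into a list of key dicts, roughly as scan_keys does."""
    keys = []
    current = None
    for line in listing.splitlines():
        fields = line.split(':')
        tag = fields[0]
        if tag in ('pub', 'sec'):
            current = {'fingerprint': '', 'uids': [], 'subkeys': []}
            # zip stops at the shorter sequence, so the short gpg 1.x record is fine
            current.update(zip(KEY_FIELDS, fields))
            current.pop('uid', None)  # column 10 is unused on pub/sec in fixed-list mode
            keys.append(current)
        elif current is None:
            continue  # records before the first key (e.g. "tru:") carry nothing we need
        elif tag == 'fpr':
            # Column 10 holds the fingerprint of the most recent key or subkey
            if current['fingerprint'] == '':
                current['fingerprint'] = fields[9]
            elif current['subkeys']:
                current['subkeys'][-1]['fingerprint'] = fields[9]
        elif tag == 'uid':
            current['uids'].append(fields[9])  # column 10 is the user ID string
        elif tag in ('sub', 'ssb'):
            current['subkeys'].append({'type': tag, 'length': fields[2],
                                       'algo': fields[3], 'keyid': fields[4],
                                       'fingerprint': ''})
    return keys


def parse_import_res(status):
    """Return the IMPORT_RES counters as a dict, or None if gpg did not emit the line."""
    for line in status.splitlines():
        if line.startswith('[GNUPG:] IMPORT_RES '):
            numbers = [int(n) for n in line.split()[2:]]
            return dict(zip(IMPORT_RES_FIELDS, numbers))
    return None


def key_is_secret(listing, status=''):
    """True if the scanned file holds secret key material under either reporting style.

    gpg 1.x prints 'sec' as the record type; gpg 2.x with --import-show prints 'pub'
    regardless, so fall back to the sec_read counter of the IMPORT_RES status line.
    """
    if any(k['type'] == 'sec' for k in parse_colons(listing)):
        return True
    res = parse_import_res(status)
    return bool(res and res['sec_read'] > 0)


if __name__ == '__main__':
    print(parse_colons(GPG1_LISTING)[0]['type'], key_is_secret(GPG1_LISTING))
    print(parse_colons(GPG2_LISTING)[0]['type'], key_is_secret(GPG2_LISTING, GPG2_STATUS))
```

The first column of the listing is therefore only a reliable secret/public indicator for gpg 1.x; with gpg 2.x the `IMPORT_RES` counters (here `sec_read` is 1, matching the "secret keys read: 1" line in the log) are the signal that the file contained a secret key.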
