Yubico / ykneo-openpgp

OpenPGP applet for the YubiKey NEO
https://developers.yubico.com/ykneo-openpgp/
GNU General Public License v2.0

fetch assumes signing key is master key and fails if not #25

Closed aelana closed 9 years ago

aelana commented 9 years ago

I currently have a master key with three subkeys, one for signing, one for encryption and one for authentication. I loaded the three subkeys on the NEO and everything works fine except fetch on a new machine. (The master key is intended to live offline and only used to occasionally re-issue or re-certify subkeys).

If I do a gpg --card-edit followed by a 'fetch', I get the error

gpg: requesting key AEB99527 from https server gist.githubusercontent.com
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

Where AEB99527 is the signing subkey identifier, not the master key identifier, which is what it should be "fetching".

It appears to be pulling the key from the https server and comparing the key identity with what it expects (which appears to be the subkey), instead of just accepting the key data that is there, which is the master public key and includes the public keys of the subkeys. (There is no easy or supported way to separate out the public key of a single subkey.)

If I manually load the public key of the master (the one at the URL I configured) and then run gpg --card-status, everything works properly (the resulting --list-secret shows as follows):

sec#  4096R/757C0180 2015-02-03 [expires: 2015-11-30]
uid                  John Tennyson
uid                  Elvish Wanderer aelana@me.com
uid                  Elvish Wanderer aelana@mac.com
uid                  John Tennyson jtennys@umass.edu
uid                  John Tennyson john.tennyson@me.com
uid                  John Tennyson john.tennyson@mac.com
uid                  John Tennyson john.tennyson@umass.edu
uid                  John Tennyson jtennyson@oit.umass.edu
uid                  Elvish Wanderer aelana@elfindreams.com
ssb>  2048R/AEB99527 2015-02-03
ssb>  2048R/CADC0F35 2015-02-03
ssb>  2048R/C40CA003 2015-02-03
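The mismatch described in this report (the card reports its signature key ID, AEB99527, but the URL serves the primary key 757C0180 whose subkey that is) can be checked offline from GnuPG's machine-readable listing. The following is an added example, not code from the ykneo-openpgp project or from the reporter: it parses `gpg --with-colons --list-keys` output and reports whether a card key ID is a primary key or a subkey, and of which primary. The listing embedded below is constructed for this example; only the 8-character short key IDs come from the issue, and the longer IDs and fingerprint are padded with placeholder zeros.

```python
"""Added example: map the key ID a card reports to the primary key it belongs
to, using GnuPG's --with-colons listing format. Not part of ykneo-openpgp."""

# Constructed sample of `gpg --with-colons --list-keys` output for the key
# structure described in the issue (one primary, three subkeys: sign,
# encrypt, authenticate). Field 5 is the long key ID, field 12 the capability
# letters. The leading zeros are placeholders, not real key material.
SAMPLE_LISTING = """\
pub:u:4096:1:00000000757C0180:1422921600:1448841600::u:::scESC:
fpr:::::::::00000000000000000000000000000000757C0180:
uid:u::::1422921600::0123456789ABCDEF0123456789ABCDEF01234567::John Tennyson <john.tennyson@me.com>:
sub:u:2048:1:00000000AEB99527:1422921600::::::s:
sub:u:2048:1:00000000CADC0F35:1422921600::::::e:
sub:u:2048:1:00000000C40CA003:1422921600::::::a:
"""


def parse_listing(text):
    """Return the primary keys in a --with-colons listing.

    Each entry is a dict: {"keyid", "caps", "subkeys": [{"keyid", "caps"}]}.
    Only 'pub' and 'sub' records matter here; 'fpr' and 'uid' are skipped.
    """
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            keys.append({"keyid": fields[4], "caps": fields[11], "subkeys": []})
        elif fields[0] == "sub" and keys:
            keys[-1]["subkeys"].append({"keyid": fields[4], "caps": fields[11]})
    return keys


def key_ids_match(a, b):
    """Compare two key IDs on their common suffix, so an 8-character short ID
    (as printed by --card-status) matches a 16-character long ID or a
    40-character fingerprint."""
    a, b = a.upper(), b.upper()
    n = min(len(a), len(b))
    return n > 0 and a[-n:] == b[-n:]


def locate_key(keys, wanted):
    """Find the primary key that `wanted` belongs to.

    Returns (primary_long_keyid, "primary" | "subkey"), or None when the
    listing does not contain the key at all.
    """
    for key in keys:
        if key_ids_match(key["keyid"], wanted):
            return key["keyid"], "primary"
        for sub in key["subkeys"]:
            if key_ids_match(sub["keyid"], wanted):
                return key["keyid"], "subkey"
    return None


def diagnose(keys, card_sig_keyid):
    """Explain whether looking a key up by the card's signature key ID can
    work: it only can when that ID is itself a primary key."""
    found = locate_key(keys, card_sig_keyid)
    if found is None:
        return "card key %s is not in the listing; import the primary key first" % card_sig_keyid
    primary, role = found
    if role == "subkey":
        return ("card key %s is a subkey of %s; look the key up by the primary ID"
                % (card_sig_keyid, primary))
    return "card key %s is a primary key; looking it up by that ID is fine" % card_sig_keyid


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    # The ID --card-status reports as the signature key in the issue.
    print(diagnose(parsed, "AEB99527"))
```

Run against real output (`gpg --with-colons --list-keys | python3 this_script.py` after swapping SAMPLE_LISTING for stdin) the diagnostic tells you at a glance whether the ID the card hands to `fetch` is one a keyserver or URL lookup can resolve on its own, or whether, as here, the primary key's ID is the one to use with --recv-keys.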

jas4711 commented 9 years ago

This is a GnuPG issue, right? Try asking on gnupg-user, or if that fails, reporting a GnuPG bug. Personally, I haven't used 'fetch' since --card-status followed by --recv-keys on the key has been sufficient. But that requires that you have uploaded your key to a keyserver.

aelana commented 9 years ago

Sorry, my bad... I wasn't sure where the line was between what was on-card functionality and what was gpg core functionality... I will move this there then. :) Thanks!

jas4711 commented 9 years ago

No problem -- feel free to reopen if indeed this is a problem with the card, but I don't see anything suggesting this now.