Closed jwflory closed 6 years ago
Give the pius 2.2.3 release from GitHub a try. I ran into bug #39, which was already fixed in this release. You can find it in the releases tab.
@Stefan-Schmidt Thanks for the comment! I grabbed the binary from GitHub and tried running it, but I still get the same error when signing the keys in pius. 😞
Is there any more information I can provide to help narrow this issue down?
I'm having what appears to be the same issue with gnupg 2.1.21, libgcrypt 1.7.7, on archlinux using the master branch from this repo (d09e8d06cff331fc5afd8d9eb8874906f5122adb).
Can I get a fingerprint of a key that this repro's on?
@jaymzh Sorry for the delay, you can try on my key. 39E45FB6014131E4
Edit: I tried doing this again today, just to see if anything has changed, but still hitting the same problem.
Edit2: I added my keyid to the original comment as well.
Huh, I cannot reproduce this. I created a temp keyring with both 39E45FB6014131E4 and 79E924EBEDA7F3FD, the two keys mentioned in this bug - and of course my own - and it works fine:
Keyring:
$ gpg --fingerprint --no-default-keyring --keyring /tmp/test.gpg
/tmp/test.gpg
-------------
pub rsa4096/79E924EBEDA7F3FD 2016-07-06 [SC] [expires: 2018-01-11]
Key fingerprint = EA33 8528 809E 9749 E2C3 0643 79E9 24EB EDA7 F3FD
uid [ unknown] Alexander John Fisher <alex@linfratech.co.uk>
sub rsa2048/45C40945D8E04848 2017-01-11 [S] [expires: 2017-07-10]
Key fingerprint = 9480 1924 3DFF 1F6D 1E0C D58C 45C4 0945 D8E0 4848
sub rsa2048/F36168154EF6BD04 2017-01-11 [E] [expires: 2017-07-10]
Key fingerprint = 64A2 7DCB FFC5 7D5B 05B1 1C1C F361 6815 4EF6 BD04
sub rsa2048/44F5719AD9243C47 2017-01-11 [A] [expires: 2017-07-10]
Key fingerprint = 4FCF 9A2C DE62 3D9E 5250 B107 44F5 719A D924 3C47
pub rsa4096/58E11BB1E414D9AD 2013-09-10 [SC]
Key fingerprint = 121B DA2D 4ACB 6361 6B36 7A0E 58E1 1BB1 E414 D9AD
uid [ full ] Phil Dibowitz <phil@ipom.com>
uid [ full ] Phil Dibowitz <webmaster@ipom.com>
sub rsa4096/977CDA6871E6B6A4 2013-09-10 [E]
Key fingerprint = 787F F436 11C2 A41E 0CE7 3D21 977C DA68 71E6 B6A4
pub rsa4096/39E45FB6014131E4 2016-01-24 [SC] [expires: 2020-01-23]
Key fingerprint = CF9B 1408 4750 916C 4D8F CACC 39E4 5FB6 0141 31E4
uid [ unknown] Justin W. Flory <me@justinwflory.com>
uid [ unknown] Justin W. Flory <jflory@me.com>
uid [ unknown] Justin W. Flory (git) <git@jwf.io>
uid [ unknown] Justin W. Flory <jflory7@gmail.com>
uid [ unknown] Justin W. Flory (SpigotMC) <jflory7@spigotmc.org>
uid [ unknown] Justin W. Flory (Fedora Project) <jwf@fedoraproject.org>
uid [ unknown] Justin W. Flory (Opensource.com) <jflory@opensource.com>
uid [ unknown] Justin W. Flory (CrystalCraftMC) <admin@crystalcraftmc.com>
uid [ unknown] Justin W. Flory (Fedora Project) <jflory7@fedoraproject.org>
uid [ unknown] Justin W. Flory (Rochester Institute of Technology) <jwf9260@rit.edu>
sub rsa4096/E62449B350862BD9 2016-01-24 [E] [expires: 2020-01-23]
Key fingerprint = AD2F AD10 22FF 9A11 53BB 84C5 E624 49B3 5086 2BD9
sub rsa4096/3AA2DC1FF6ABF0B6 2016-01-24 [S] [expires: 2020-01-23]
Key fingerprint = 8846 1BEB 49BE 4E83 13FA B634 3AA2 DC1F F6AB F0B6
Signing the keys (with -n for safety :)
$ pius -r /tmp/test.gpg -A -a -n phil@ipom.com
Welcome to PIUS, the PGP Individual UID Signer.
pub rsa4096/79E924EBEDA7F3FD 2016-07-06 [SC] [expires: 2018-01-11]
Key fingerprint = EA33 8528 809E 9749 E2C3 0643 79E9 24EB EDA7 F3FD
uid [ unknown] Alexander John Fisher <alex@linfratech.co.uk>
sub rsa2048/45C40945D8E04848 2017-01-11 [S] [expires: 2017-07-10]
Key fingerprint = 9480 1924 3DFF 1F6D 1E0C D58C 45C4 0945 D8E0 4848
sub rsa2048/F36168154EF6BD04 2017-01-11 [E] [expires: 2017-07-10]
Key fingerprint = 64A2 7DCB FFC5 7D5B 05B1 1C1C F361 6815 4EF6 BD04
sub rsa2048/44F5719AD9243C47 2017-01-11 [A] [expires: 2017-07-10]
Key fingerprint = 4FCF 9A2C DE62 3D9E 5250 B107 44F5 719A D924 3C47
Have you verified this user/key, and if so, what level do you want to sign at?
0-3, Show again, Next, Help, or Quit? [0|1|2|3|s|n|h|q] (default: n) 0
Signing all UIDs on key 79E924EBEDA7F3FD
There is 1 UID on this key to sign
UID 1 (alex@linfratech.co.uk): signed, mailed
pub rsa4096/39E45FB6014131E4 2016-01-24 [SC] [expires: 2020-01-23]
Key fingerprint = CF9B 1408 4750 916C 4D8F CACC 39E4 5FB6 0141 31E4
uid [ unknown] Justin W. Flory <me@justinwflory.com>
uid [ unknown] Justin W. Flory <jflory@me.com>
uid [ unknown] Justin W. Flory (git) <git@jwf.io>
uid [ unknown] Justin W. Flory <jflory7@gmail.com>
uid [ unknown] Justin W. Flory (SpigotMC) <jflory7@spigotmc.org>
uid [ unknown] Justin W. Flory (Fedora Project) <jwf@fedoraproject.org>
uid [ unknown] Justin W. Flory (Opensource.com) <jflory@opensource.com>
uid [ unknown] Justin W. Flory (CrystalCraftMC) <admin@crystalcraftmc.com>
uid [ unknown] Justin W. Flory (Fedora Project) <jflory7@fedoraproject.org>
uid [ unknown] Justin W. Flory (Rochester Institute of Technology) <jwf9260@rit.edu>
sub rsa4096/E62449B350862BD9 2016-01-24 [E] [expires: 2020-01-23]
Key fingerprint = AD2F AD10 22FF 9A11 53BB 84C5 E624 49B3 5086 2BD9
sub rsa4096/3AA2DC1FF6ABF0B6 2016-01-24 [S] [expires: 2020-01-23]
Key fingerprint = 8846 1BEB 49BE 4E83 13FA B634 3AA2 DC1F F6AB F0B6
Have you verified this user/key, and if so, what level do you want to sign at?
0-3, Show again, Next, Help, or Quit? [0|1|2|3|s|n|h|q] (default: n) 0
Signing all UIDs on key 39E45FB6014131E4
There are 14 UIDs on this key to sign
UID 1 (me@justinwflory.com): signed, mailed
Skipping revoked uid 2
UID 3 (jflory@me.com): signed, mailed
UID 4 (git@jwf.io): signed, mailed
UID 5 (jflory7@gmail.com): signed, mailed
Skipping revoked uid 6
UID 7 (jflory7@spigotmc.org): signed, mailed
UID 8 (jwf@fedoraproject.org): signed, mailed
UID 9 (jflory@opensource.com): signed, mailed
UID 10 (admin@crystalcraftmc.com): signed, mailed
UID 11 (jflory7@fedoraproject.org): signed, mailed
Skipping revoked uid 12
UID 13 (jwf9260@rit.edu): signed, mailed
Skipping revoked uid 14
pub rsa4096/58E11BB1E414D9AD 2013-09-10 [SC]
Key fingerprint = 121B DA2D 4ACB 6361 6B36 7A0E 58E1 1BB1 E414 D9AD
uid [ full ] Phil Dibowitz <phil@ipom.com>
uid [ full ] Phil Dibowitz <webmaster@ipom.com>
sub rsa4096/977CDA6871E6B6A4 2013-09-10 [E]
Key fingerprint = 787F F436 11C2 A41E 0CE7 3D21 977C DA68 71E6 B6A4
Have you verified this user/key, and if so, what level do you want to sign at?
0-3, Show again, Next, Help, or Quit? [0|1|2|3|s|n|h|q] (default: n)
My versions:
$ gpg --version
gpg (GnuPG) 2.1.18
libgcrypt 1.7.7-beta
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /home/phil/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
$ pius --version
pius 2.2.4
INV_SGNR is Invalid Sender - do you have your public key in the party keyring and your private key available on this machine?
Try running that command on a temp keyring with the key at hand and provide the output:
/usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb --batch --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg -u 014131E4 --use-agent --default-cert-level 3 --no-ask-cert-level --edit-key 79E924EBEDA7F3FD
But change the /tmp/pius_tmp/pius_keyring.gpg path.
@jaymzh I didn't have my public key in this keyring, although I just added it and it didn't change the outcome from pius.
When I ran the above command, here's what I got:
$ gpg2 --keyid-format long --no-auto-check-trustdb --batch --no-default-keyring --keyring ~/.gnupg/fosdem-test.gpg -u 014131E4 --use-agent --default-cert-level 3 --no-ask-cert-level --edit-key 79E924EBEDA7F3FD
gpg: can't do this in batch mode
I tried re-running again:
$ gpg2 --keyid-format long --no-auto-check-trustdb --no-default-keyring --keyring ~/.gnupg/fosdem-test.gpg -u 014131E4 --use-agent --default-cert-level 3 --no-ask-cert-level --edit-key 79E924EBEDA7F3FD
gpg (GnuPG) 2.1.21; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub rsa4096/79E924EBEDA7F3FD
created: 2016-07-06 expires: 2018-01-11 usage: SC
trust: unknown validity: unknown
sub rsa2048/44004E31943B1A84
created: 2016-07-06 expired: 2017-01-02 usage: S
sub rsa2048/9FD90BEBB628DAF9
created: 2016-07-06 expired: 2017-01-02 usage: E
sub rsa2048/72F872415E98DE9E
created: 2016-07-06 expired: 2017-01-02 usage: A
sub rsa2048/45C40945D8E04848
created: 2017-01-11 expires: 2017-07-10 usage: S
sub rsa2048/F36168154EF6BD04
created: 2017-01-11 expires: 2017-07-10 usage: E
sub rsa2048/44F5719AD9243C47
created: 2017-01-11 expires: 2017-07-10 usage: A
[ unknown] (1). Alexander John Fisher <alex@linfratech.co.uk>
gpg> sign
gpg: skipped "014131E4": No secret key
Confusingly, I do have my private key on this machine.
I wonder if something changed in pgp. From my tests, as long as the public key is on the keyring you're locking to, it can find the private key. I'll try to find time to build the latest version and test. Out of curiosity, what does the output of these look like:
gpg -K --fingerprint 014131E4
gpg -K --no-default-keyring --fingerprint 014131E4
gpg --export -a 014131E4 > /tmp/mykey.asc
gpg --no-default-keyring --keyring /tmp/test-keyring.asc --import /tmp/mykey.asc
gpg -K --no-default-keyring --keyring /tmp/test-keyring.asc --fingerprint 014131E4
@jaymzh Output is as follows:
-K --fingerprint
$ gpg2 -K --fingerprint 014131E4
sec rsa4096 2016-01-24 [SC] [expires: 2020-01-23]
CF9B 1408 4750 916C 4D8F CACC 39E4 5FB6 0141 31E4
# snip: my name, emails, and UIDs, as expected
ssb rsa4096 2016-01-24 [E] [expires: 2020-01-23]
ssb rsa4096 2016-01-24 [S] [expires: 2020-01-23]
-K --no-default-keyring --fingerprint
$ gpg2 -K --no-default-keyring --fingerprint 014131E4
sec rsa4096 2016-01-24 [SC] [expires: 2020-01-23]
CF9B 1408 4750 916C 4D8F CACC 39E4 5FB6 0141 31E4
# snip: my name, emails, and UIDs, as expected
ssb rsa4096 2016-01-24 [E] [expires: 2020-01-23]
ssb rsa4096 2016-01-24 [S] [expires: 2020-01-23]
$ gpg2 --export -a 014131E4 > /tmp/mykey.asc
$ gpg2 --no-default-keyring --keyring /tmp/test-keyring.asc --import /tmp/mykey.asc
gpg: keybox '/tmp/test-keyring.asc' created
gpg: key 39E45FB6014131E4: public key "Justin W. Flory <me@i-changed-this-to-prevent-spam.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: public key of ultimately trusted key E1B90F6B8ADE8F3F not found
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2020-01-23
$ gpg2 -K --no-default-keyring --keyring /tmp/test-keyring.asc --fingerprint 014131E4
sec rsa4096 2016-01-24 [SC] [expires: 2020-01-23]
CF9B 1408 4750 916C 4D8F CACC 39E4 5FB6 0141 31E4
# snip: my name, emails, and UIDs, as expected
ssb rsa4096 2016-01-24 [E] [expires: 2020-01-23]
ssb rsa4096 2016-01-24 [S] [expires: 2020-01-23]
This bit looks interesting, although I don't really know what to make of it:
gpg: public key of ultimately trusted key E1B90F6B8ADE8F3F not found
I added my private key to the keyring I was trying to sign, and things seem to be working for me.
@echarlie Ahh, nice! I just tried doing this and it worked like a charm for me too. Can confirm this worked on my end too.
Huh? What does that mean? Private keys aren't stored in the same format keyrings in gpg2.
Aren't you trying to sign with 014131E4?
@jaymzh Sorry for the late reply. I'm honestly not sure why this worked, but somehow it did the trick. My guess is that pius wasn't able to access my private key on my default keyring when I was signing the specific keyring I was passing (so it was trying to find it on the keyring I was passing), but I wouldn't be able to tell you why.
And yes, I was trying to sign with that keyid. Exporting the private key to the smaller keyring solved the issue.
I had a very similar problem here, but eventually figured out that for some reason my secret keys had not been migrated from ~/.gnupg/secring.gpg to ~/.gnupg/private-keys-v1.d/ after upgrading to (or beyond) GnuPG 2.1. Apparently this migration is supposed to happen automatically, but since it didn't in my case, pius had no secret key available for signing the other keys. I managed to fix it via:
gpg2 --import < ./.gnupg/secring.gpg
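An added diagnostic sketch for the "No secret key" symptom and the unmigrated secring.gpg case described in this thread; it is not part of pius or GnuPG and was not posted by any participant. The function names `secring_state` and `has_secret_key` are hypothetical, and the colon-format sample is constructed.

```shell
#!/bin/sh
# Added diagnostic sketch; not part of pius or GnuPG.

# Report where secret keys live in a GnuPG home directory.
# Prints: legacy-only | both | store-only | empty | missing-home
secring_state() {
    home=$1
    if [ ! -d "$home" ]; then echo missing-home; return 0; fi
    legacy=no; store=no
    # GnuPG 1.x/2.0 kept secret keys in secring.gpg.
    if [ -s "$home/secring.gpg" ]; then legacy=yes; fi
    # GnuPG 2.1+ keeps one <keygrip>.key file per secret key.
    for f in "$home"/private-keys-v1.d/*.key; do
        if [ -f "$f" ]; then store=yes; break; fi
    done
    case "$legacy/$store" in
        yes/no)  echo legacy-only ;;  # symptom from the thread: nothing to sign with
        yes/yes) echo both ;;
        no/yes)  echo store-only ;;
        *)       echo empty ;;
    esac
}

# Read `gpg --with-colons --list-secret-keys` output on stdin and succeed
# if a "sec" record's key ID (field 5) ends with the given short or long ID.
has_secret_key() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    awk -F: -v want="$want" '
        $1 == "sec" {
            n = length(want); id = $5
            if (length(id) >= n && substr(id, length(id) - n + 1) == want) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample of colon-format output (key ID and fingerprint taken
# from the thread; the other fields are made up for the demonstration).
SAMPLE='sec:u:4096:1:39E45FB6014131E4:1453593600:1579737600::u:::scESC:::+:::23::0:
fpr:::::::::CF9B14084750916C4D8FCACC39E45FB6014131E4:'

echo "state: $(secring_state "${GNUPGHOME:-$HOME/.gnupg}")"
if printf '%s\n' "$SAMPLE" | has_secret_key 014131E4; then
    echo "014131E4: secret key listed"
fi
```

On a real system, pipe `gpg2 --with-colons --list-secret-keys` into `has_secret_key` with the ID passed to `-u`; a `legacy-only` state combined with a failed lookup matches the situation the import command above resolved.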
Ahhhhhh. @aspiers that would explain the behavior! Thanks so much for reporting back.
Sounds like there's nothing left to do here so I'm going to close this.
Summary
pius is unable to sign keys in a keyring due to an unknown error with GnuPG.
Description
Whenever I try signing keys in a keyring, pius is unable to sign the keys as expected. This results in me running through the entire keyring, and then at the end, it abruptly ends as there are no exported signatures at the end of the process.
The full debug stacktrace is below.
39E45FB6014131E4
Stacktrace