romanz / trezor-agent

Hardware-based SSH/GPG/age agent
GNU Lesser General Public License v3.0

Can't add subkey: `gpg: error reading key: No secret key` #353

Open ondralukes opened 3 years ago

ondralukes commented 3 years ago

Hi, I'm trying to add a new Trezor-based subkey to my keyring, but `trezor-gpg init` fails with the message `gpg: error reading key: No secret key`.

This is my keyring:

/home/ondra/.gnupg/pubring.kbx
------------------------------
sec   rsa4096 2020-07-28 [C]
      B07CB51EBE8C033214491B212F13A14459D959DA
uid           [ultimate] Ondřej Lukeš <mail@ondralukes.cz>
ssb   rsa4096 2020-07-28 [S]
ssb   rsa4096 2020-07-28 [E]

And this is the output of `trezor-gpg init "Ondřej Lukeš <mail@ondralukes.cz>" --subkey -v`:

2021-05-09 11:18:37,461 WARNING      This GPG tool is still in EXPERIMENTAL mode, so please note that the API and features may change without backwards compatibility! [__init__.py:118]
2021-05-09 11:18:37,465 INFO         device name: trezor                                                                                  [__init__.py:126]
2021-05-09 11:18:37,465 INFO         GPG home directory: /home/ondra/.gnupg/trezor                                                        [__init__.py:131]
2021-05-09 11:18:37,469 WARNING      NOTE: in order to re-generate the exact same GPG key later, run this command with "--time=0" commandline flag (to set the timestamp of the GPG key manually). [__init__.py:33]
2021-05-09 11:18:37,515 INFO         Enumerating BridgeTransport: found 1 devices                                                         [__init__.py:120]
2021-05-09 11:18:37,520 INFO         Enumerating HidTransport: found 0 devices                                                            [__init__.py:120]
2021-05-09 11:18:37,520 INFO         Enumerating UdpTransport: found 0 devices                                                            [__init__.py:120]
2021-05-09 11:18:37,523 INFO         Enumerating WebUsbTransport: found 1 devices                                                         [__init__.py:120]
2021-05-09 11:18:37,523 INFO         creating client instance for device: bridge:2                                                        [client.py:88]
2021-05-09 11:18:38,833 INFO         Enumerating BridgeTransport: found 1 devices                                                         [__init__.py:120]
2021-05-09 11:18:38,836 INFO         Enumerating HidTransport: found 0 devices                                                            [__init__.py:120]
2021-05-09 11:18:38,836 INFO         Enumerating UdpTransport: found 0 devices                                                            [__init__.py:120]
2021-05-09 11:18:38,838 INFO         Enumerating WebUsbTransport: found 1 devices                                                         [__init__.py:120]
2021-05-09 11:18:38,838 INFO         creating client instance for device: bridge:2                                                        [client.py:88]
2021-05-09 11:18:40,140 INFO         adding nist256p1 GPG subkey for "Ondřej Lukeš <mail@ondralukes.cz>" to existing key                  [__init__.py:44]
2021-05-09 11:18:40,145 INFO         please confirm GPG signature on Trezor for "<gpg://Ondřej Lukeš <mail@ondralukes.cz>|nist256p1>"...  [client.py:32]
2021-05-09 11:18:40,147 INFO         Enumerating BridgeTransport: found 1 devices                                                         [__init__.py:120]
2021-05-09 11:18:40,149 INFO         Enumerating HidTransport: found 0 devices                                                            [__init__.py:120]
2021-05-09 11:18:40,149 INFO         Enumerating UdpTransport: found 0 devices                                                            [__init__.py:120]
2021-05-09 11:18:40,150 INFO         Enumerating WebUsbTransport: found 1 devices                                                         [__init__.py:120]
2021-05-09 11:18:40,150 INFO         creating client instance for device: bridge:2                                                        [client.py:88]
gpg: keybox '/home/ondra/.gnupg/trezor/pubring.kbx' created
gpg: armor header: Version: GnuPG v2
gpg: pub  rsa4096/2F13A14459D959DA 2020-07-28  Ond\xc5\x99ej Luke\xc5\xa1 <mail@ondralukes.cz>
gpg: public key 2F13A14459D959DA is 18471 days newer than the signature
gpg: public key 2F13A14459D959DA is 18471 days newer than the signature
gpg: key 2F13A14459D959DA/F3535D8A3AC060A3: invalid subkey binding
gpg: public key 2F13A14459D959DA is 18471 days newer than the signature
gpg: public key 2F13A14459D959DA is 18471 days newer than the signature
gpg: key 2F13A14459D959DA/AACF88C9A5F7E253: invalid subkey binding
gpg: key 2F13A14459D959DA/F3535D8A3AC060A3: skipped subkey
gpg: key 2F13A14459D959DA/AACF88C9A5F7E253: skipped subkey
gpg: /home/ondra/.gnupg/trezor/trustdb.gpg: trustdb created
gpg: using pgp trust model
gpg: key 2F13A14459D959DA: public key "Ond\xc5\x99ej Luke\xc5\xa1 <mail@ondralukes.cz>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: inserting ownertrust of 6
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: error reading key: No secret key
Traceback (most recent call last):
  File "/home/ondra/.platformio/penv/bin/trezor-gpg", line 8, in <module>
    sys.exit(gpg_tool())
  File "/home/ondra/.platformio/penv/bin/trezor_agent.py", line 6, in <lambda>
    gpg_tool = lambda: libagent.gpg.main(DeviceType)
  File "/home/ondra/.platformio/penv/lib/python3.9/site-packages/libagent/gpg/__init__.py", line 320, in main
    return args.func(device_type=device_type, args=args)
  File "/home/ondra/.platformio/penv/lib/python3.9/site-packages/libagent/gpg/__init__.py", line 198, in run_init
    check_call(keyring.gpg_command(['--homedir', homedir,
  File "/home/ondra/.platformio/penv/lib/python3.9/site-packages/libagent/gpg/__init__.py", line 104, in check_call
    subprocess.check_call(args=args, stdin=stdin, env=env)
  File "/usr/lib/python3.9/subprocess.py", line 373, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['/usr/bin/gpg', '--homedir', '/home/ondra/.gnupg/trezor', '--list-secret-keys', 'Ondřej Lukeš <mail@ondralukes.cz>']' returned non-zero exit status 2.

I think it might be a character-encoding issue, because, as you can see in the output, my name sometimes appears as `Ondřej Lukeš` and sometimes as `Ond\xc5\x99ej Luke\xc5\xa1`.

bettyvschmartz commented 3 years ago

I'm sure this is the case, as I had the same issue using onlykey-agent (which is a fork). I had copied a command which had some weird enclosing back quotes around my email address rather than normal quotation marks. I got the same error as you until I corrected it, which suggested the symbol wasn't supported. Still, it would be better to get a more accurate error message.

-- BVS
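A check that turns the bare `No secret key` failure from the report into an accurate message, as an added example that is not trezor-agent's code: it parses gpg's colon-format secret-key listing (which is UTF-8 whatever the locale, so the `\xc5\x99` display form never appears) and reports which homedir lacks a secret key for the requested user id. The sample listing is constructed from the key ids in the report; `gpg_list_secret_keys` is a hypothetical helper for running it against a real homedir.

```python
import re
import subprocess

# Constructed sample of `gpg --with-colons --list-secret-keys` output modelled on
# the keyring in the report (key ids from the report, other fields invented).
SAMPLE_COLONS = (
    "sec:u:4096:1:2F13A14459D959DA:1595894400:::u:::cESC:::+:::23::0:\n"
    "uid:u::::1595894400::0000000000000000000000000000000000000000::"
    "Ond\u0159ej Luke\u0161 <mail@ondralukes.cz>::::::::::0:\n"
    "ssb:u:4096:1:F3535D8A3AC060A3:1595894400::::::s:::+:::23:\n"
    "ssb:u:4096:1:AACF88C9A5F7E253:1595894400::::::e:::+:::23:\n"
)

def unescape(field):
    """Undo gpg's colon-format quoting: ':' and control chars appear as '\\xHH'."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), field)

def secret_keys_by_uid(colons_output):
    """Map each secret primary key id (sec record, field 5) to its user ids (uid, field 10)."""
    keys, current = {}, None
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] == "sec":
            current = f[4]
            keys[current] = []
        elif f[0] == "uid" and current is not None:
            keys[current].append(unescape(f[9]))
    return keys

def find_secret_key(colons_output, user_id):
    """Key id of the secret key carrying exactly this user id, or None."""
    for keyid, uids in secret_keys_by_uid(colons_output).items():
        if user_id in uids:
            return keyid
    return None

def explain_missing(colons_output, user_id, homedir):
    """None when the key is present; otherwise a message naming the homedir and candidates."""
    if find_secret_key(colons_output, user_id) is not None:
        return None
    present = sorted(u for uids in secret_keys_by_uid(colons_output).values() for u in uids)
    return "no secret key for %r in %s (secret user ids present: %s)" % (
        user_id, homedir, ", ".join(present) or "none")

def gpg_list_secret_keys(homedir):
    """Hypothetical helper: run gpg and return its colon-format listing, decoded as UTF-8."""
    proc = subprocess.run(["gpg", "--homedir", homedir, "--batch", "--with-colons",
                           "--list-secret-keys"], capture_output=True, check=True)
    return proc.stdout.decode("utf-8")
```

Running `explain_missing(gpg_list_secret_keys(homedir), user_id, homedir)` before the subkey step would have reported that `/home/ondra/.gnupg/trezor` holds no secret key at all, rather than raising `CalledProcessError`.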

attila-lendvai commented 3 years ago

the problem is here: https://github.com/romanz/trezor-agent/blob/master/libagent/gpg/__init__.py#L132

and the immediate fix is this:

    if os.path.exists(homedir) and not args.subkey:

attila-lendvai commented 3 years ago

this is most probably fixed by this currently pending PR: https://github.com/romanz/trezor-agent/pull/358