whiteout-io / mail

[ABANDONED] Mail App with integrated OpenPGP encryption
https://whiteout.io
MIT License

Importing GPG Subkeys Fails #301

Open asayler opened 9 years ago

asayler commented 9 years ago

I'm trying to import my existing GPG subkeys into Whiteout (i.e. offline master setup). My GPG keyring is currently set up with two 4096-bit RSA subkeys, one for encryption and one for authentication. The master private key is stored offline and is not present in the keyring:

$ gpg -K
~/.gnupg/secring.gpg
--------------------------------
sec#  4096R/<REDACTED> 2013-10-08
uid                  Andrew Sayler <andrew.sayler@colorado.edu>
uid                  Andy Sayler <andy@wmfo.org>
uid                  Andy Sayler (andysayler.com)
uid                  Andrew Jackson Sayler (Born September 6th, 1988)
uid                  Andy Sayler (asayler) <andy.sayler@gmail.com>
uid                  Andrew Sayler (Graduated May 2011, BSEE) <andrew.sayler@alumni.tufts.edu>
uid                  Andy Sayler <neueWelt@gmail.com>
uid                  Andy Sayler <andy.sayler@colorado.edu>
uid                  Andrew Jackson Sayler (MSCS, December 2013) <andy.sayler@colorado.edu>
uid                  Andrew Jackson Sayler (BSEE, May 2011) <andrew.sayler@alumni.tufts.edu>
ssb   4096R/<REDACTED> 2013-10-08
ssb   4096R/<REDACTED> 2013-10-08

I'm exporting both the public and private subkeys from gpg for import into Whiteout:

$ gpg --armor --export asayler > asayler-150225-pub-armor.gpg
$ gpg --armor --export-secret-subkeys asayler > asayler-150225-sub-armor.gpg
$ cat asayler-150225-pub-armor.gpg asayler-150225-sub-armor.gpg > asayler-150225-combined-armor.gpg

When I try to import the resulting combined key file into Whiteout, however, I get the following error message:

Error reading key parameters!

The same thing happens when I try to import just the private key file.

Does Whiteout know how to handle subkeys, or am I doing something else wrong?

I'm using GnuPG 2.0.24 and Whiteout 0.24.0 (Chrome App) with Chrome 40.0.2214.115 (64-bit).

davidcroda commented 9 years ago

I am trying the same and having a similar issue. However, instead of "Error read key parameters!", I am receiving an "Incorrect Passphrase" error. Are encryption subkeys supported?

4bitfocus commented 9 years ago

I have this problem too. I have the same subkey setup and followed the same steps as @asayler. My error message is: "Incorrect passphrase!"

I'm using the iOS app, GPG 2.0.27, Whiteout 0.25.0

felixhammerl commented 9 years ago

there is always the workaround of generating a key with whiteout mail for your address :)

but i see where this is coming from. @tanx is this an issue for openpgp.js?

tanx commented 9 years ago

GPG subkeys should import fine in openpgp.js. My personal key was generated in GPG as well. Does the email address match the user id of the key you are trying to import?

4bitfocus commented 9 years ago

I think the answer is yes. My wmail.io account is listed as one of the UIDs in my key. Does it matter if it's not the primary one?

gpg -K
~/.gnupg/secring.gpg
-------------------------------
sec#  4096R/<REDACTED> 2015-02-28 [expires: 2019-02-28]
uid                  Kevin Douglas <addr@gmail.com>
uid                  Kevin Douglas <addr@wmail.io>
ssb   4096R/<REDACTED> 2015-02-28
ssb   4096R/<REDACTED> 2015-03-04

Here are the commands I used to create the key file:

gpg --export --armor USER-ID > public.asc
gpg --export-secret-subkeys --armor USER-ID > private.asc
cat public.asc private.asc > both.asc

When I import both.asc (using the Chrome App now) I get the "Incorrect passphrase!" message.

4bitfocus commented 9 years ago

I tried this again tonight with the Chrome client version 1.0.1 and it's still an issue. I think the multiple UIDs are at least part of the problem. That would also explain why the OP had issues too. @tanx can you confirm that this should work with a key with multiple UIDs?

Also, see email.js lines 153 and 165. IMO, these should be two separate error messages. It would help when debugging these types of errors.

davidcroda commented 9 years ago

@tanx @kevin559er I believe the specific issue isn't only GPG subkeys, but GPG subkeys where the master private key has been removed.

asayler commented 9 years ago

My subkeys use the standard offline master setup (after all, that's why one has subkeys), so that may be an issue if openpgp.js lacks support for such a setup as suggested by @davidcroda. I also have multiple UIDs, only one of which matches the whiteout email address, so that may also be an issue as @kevin559er suggests.

ghost commented 9 years ago

Same here, attempting to import my subkeys into a new account via connected Google OAuth. Do I need to add @wmail.io as a UID to the key?

ghost commented 9 years ago

Just to add, I would love to give Whiteout a try but this one is a blocker for me, as I'm not going to upload my master key.

gellenburg commented 9 years ago

I'm having a similar issue, only when I go to import my private key I'm getting an error of "Unknown s2k gnu protection mode." (This is using the web-client.)

Here's how my keyring looks:

pub   4096R/37DFA462 2015-05-16 [expires: 2016-05-15]
uid                  George Ellenburg <george@ellenburg.org>
uid                  George Ellenburg <gme@well.com>
uid                  George Ellenburg <gme@riseup.net>
uid                  [jpeg image of size 15645]
sub   2048R/99E4CCB5 2015-05-16 [expires: 2016-05-15]
sub   2048R/64069E56 2015-05-16 [expires: 2016-05-15]
sub   2048R/1BC4D997 2015-05-16 [expires: 2016-05-15]

I believe this might be related to #1598 from Keybase, and also #366 for WhiteOut.

moparisthebest commented 9 years ago

I also get the same "Incorrect Passphrase" error and have a similar stripped-master-key setup as people above, obviously that's a show stopper so I can't even get into whiteout.

I am running my own whiteout instance from git though, so I can test patches if anyone feels like fixing this and providing one.

CR0CKER commented 8 years ago

I'm having the same issue as described in bug #384 with a standard key that's been working fine with the desktop client. Only causes problems when trying to set up Whiteout Mail on iPhone.

Manouchehri commented 8 years ago

No luck here either. I only have one UID too.

~ > gpg --homedir /tmp/.gnupg/ -K
/tmp/.gnupg//pubring.kbx
------------------------
sec#  rsa4096/40839755 2011-08-20
uid         [ unknown] David Manouchehri <manouchehri@riseup.net>
ssb   rsa4096/6A5A902C 2012-06-22 [expires: 2016-07-01]

Manouchehri commented 8 years ago

I also tried another method of having different passwords on the master and subkey. That got rejected as well.