2020-02-13

How to live with both GnuPG key formats, gpg1 and gpg2

GNU Privacy Guard (GPG) changed the format in which keys are stored, the so-called keyring directory, somewhere around version 2.1. I am faced with a situation where both older and newer versions of GPG have to be used with the same keys. This is possible, in principle. But there are a few caveats and don'ts.

First create a temporary keyring directory. We don't want to mess with production keyrings in the following:

  GNUPGHOME=$(mktemp -d); chmod 700 "$GNUPGHOME"; export GNUPGHOME

For this demo only: set the shell prompt to show our GPG version:

  PS1=$(gpg --version | head -1 | sed 's/ .GnuPG. /-/')'> '

Now generate a key pair:

  gpg --batch --gen-key <<EOF
  %no-protection
  Key-Type:1
  Key-Length:2048
  Subkey-Type:1
  Subkey-Length:2048
  Name-Real: foo
  Name-Email: foo@bar.com
  Expire-Date:0
  EOF

This here-document notation is still needed in GPG 2; it's a shame.

gpg-1.2.1:
gpg: keyring `/tmp/tmp.npsekdHuuE/secring.gpg' created
gpg: keyring `/tmp/tmp.npsekdHuuE/pubring.gpg' created
gpg: skipping control `%no-protection' ()
...........+++++
gpg: /tmp/tmp.npsekdHuuE/trustdb.gpg: trustdb created
gpg-1.4.20:
gpg: keyring `/tmp/tmp.CTWQLCtLlJ/secring.gpg' created
gpg: keyring `/tmp/tmp.CTWQLCtLlJ/pubring.gpg' created
gpg: skipping control `%no-protection' ()
.....+++++
gpg: /tmp/tmp.CTWQLCtLlJ/trustdb.gpg: trustdb created
gpg: key 12B2E56A marked as ultimately trusted

gpg-2.2.4:
gpg: keybox '/tmp/tmp.RJ0dQbUWsJ/pubring.kbx' created
gpg: /tmp/tmp.RJ0dQbUWsJ/trustdb.gpg: trustdb created
gpg: key B7659D91346F6245 marked as ultimately trusted
gpg: directory '/tmp/tmp.RJ0dQbUWsJ/openpgp-revocs.d' created
gpg: revocation certificate stored as '/tmp/tmp.RJ0dQbUWsJ/openpgp-revocs.d/508DB21AA7490081AB326E26B7659D91346F6245.rev'

We see that the "keyring" files are replaced by a "keybox" in gpg2.

Compatibility tests:

  gpg-1.2.1> gpg --armor --export > public-1.2.1
  gpg-1.4.20> gpg --import public-1.2.1
  gpg-2.2.4> gpg --import public-1.2.1

  gpg-1.4.20> gpg --armor --export > public-1.4.20
  gpg-1.2.1> gpg --import public-1.4.20
  gpg-2.2.4> gpg --import public-1.4.20

  gpg-2.2.4> gpg --armor --export > public-2.2.4
  gpg-1.2.1> gpg --import public-2.2.4
    gpg: key 346F6245: invalid self-signature on user id "foo <foo@bar.com>"
    gpg: key 346F6245: invalid subkey binding
    gpg: key 346F6245: no valid user IDs
    gpg: this may be caused by a missing self-signature
  gpg-1.4.20> gpg --import public-2.2.4

A key generated on gpg-2.2.4 can be imported by 1.4.20, but not by 1.2.1.
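The manual export/import round above, automated as an added script that is not part of the original post: every GPG binary passed on the command line generates the same test key in its own scratch GNUPGHOME, exports it, and every binary then tries to import each export into a fresh scratch home. The binary paths, the `classify_import` helper and the "fail" markers (the error lines gpg 1.2.1 printed above) are my assumptions.

```shell
#!/bin/sh
# Usage (example paths, adjust to your installation):
#   sh gpg-compat.sh /usr/bin/gpg1 /usr/bin/gpg

# Read the stderr of a "gpg --import" run on stdin and print ok or fail.
# The patterns are the messages gpg 1.2.1 printed for the 2.2.4 key above.
classify_import() {
  if grep -q -e 'invalid self-signature' -e 'invalid subkey binding' \
             -e 'no valid user IDs'; then
    echo fail
  else
    echo ok
  fi
}

# "gpg (GnuPG) 1.4.20" -> "gpg-1.4.20", same sed as the prompt trick above.
gpg_label() { "$1" --version | head -1 | sed 's/ .GnuPG. /-/'; }

# A throw-away keyring directory, never the production one.
fresh_home() { d=$(mktemp -d); chmod 700 "$d"; echo "$d"; }

# $1 = gpg binary, $2 = file to receive the armored public key export.
gen_and_export() {
  home=$(fresh_home)
  GNUPGHOME=$home "$1" --batch --gen-key <<EOF >/dev/null 2>&1
%no-protection
Key-Type:1
Key-Length:2048
Subkey-Type:1
Subkey-Length:2048
Name-Real: foo
Name-Email: foo@bar.com
Expire-Date:0
EOF
  GNUPGHOME=$home "$1" --armor --export >"$2"
  rm -rf "$home"
}

# Print one "source -> destination: ok|fail" line per binary pair.
compat_matrix() {
  tmp=$(mktemp -d)
  for src in "$@"; do
    exp="$tmp/public-$(gpg_label "$src")"
    gen_and_export "$src" "$exp"
    for dst in "$@"; do
      home=$(fresh_home)
      result=$(GNUPGHOME=$home "$dst" --import "$exp" 2>&1 | classify_import)
      rm -rf "$home"
      printf '%s -> %s: %s\n' "$(gpg_label "$src")" "$(gpg_label "$dst")" "$result"
    done
  done
  rm -rf "$tmp"
}

[ "$#" -gt 0 ] && compat_matrix "$@"
```

A "fail" cell means the destination version rejected the key's self-signatures, exactly the 1.2.1 case shown above; "ok" only means the import did not print those errors, so check `gpg --list-keys` in that home if you need more than a yes/no.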