export-filter question or bug


export-filter question or bug

GnuPG - User mailing list

Hi,

I'm using the following command to export keys for wkd:

$GPG --export --export-filter keep-uid="mbox = $mbox" $fpr

However, this creates funny results for the key for
[hidden email] which is downloadable here:
https://archlinux32.org/keys.php?k=2E29129B8C684FE7A959C422714A1770ECE2DF62

Is my filtering wrong or is this some bug in gpg?

To reproduce the issue, run:

tmp_dir=$(mktemp -d)
GPG='gpg --homedir '"$tmp_dir"
curl 'https://archlinux32.org/keys.php?k=2E29129B8C684FE7A959C422714A1770ECE2DF62' | $GPG --import
$GPG --export --export-filter keep-uid="mbox = [hidden email]" 2E29129B8C684FE7A959C422714A1770ECE2DF62 | gpg

this gives:

pub   rsa4096 2017-06-23 [SC] [expired: 2019-06-23]
       2E29129B8C684FE7A959C422714A1770ECE2DF62
uid           buildmaster <[hidden email]>
sub   rsa4096 2017-06-23 [S] [expired: 2021-12-31]

(note the expired pub, thus the whole key is considered expired)

However, skipping the --export-filter:

$GPG --export 2E29129B8C684FE7A959C422714A1770ECE2DF62 | gpg

gives the correct expiration:

pub   rsa4096 2017-06-23 [SC] [expires: 2021-12-31]
       2E29129B8C684FE7A959C422714A1770ECE2DF62
uid           buildmaster <[hidden email]>
uid           archlinux32 repository signing key <[hidden email]>
sub   rsa4096 2017-06-23 [S] [expires: 2021-12-31]

This is not usable for wkd for me, because it contains all uids (of
course).

Thanks in advance,
Erich


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: export-filter question or bug

GnuPG - User mailing list
On Fri, 12 Feb 2021 11:44, Erich Eckner said:

> $GPG --export --export-filter keep-uid="mbox = $mbox" $fpr

gpg-wks-client does something similar but using "uid =" with a
pre-checked UID in an import filter.  It also uses
import-options=import-export to process the keyblock without actually
importing it.

> $GPG --export --export-filter keep-uid="mbox =
> [hidden email]" 2E29129B8C684FE7A959C422714A1770ECE2DF62
> | gpg

You should use

  | gpg --show-keys


> pub   rsa4096 2017-06-23 [SC] [expired: 2019-06-23]
>        2E29129B8C684FE7A959C422714A1770ECE2DF62
> uid           buildmaster <[hidden email]>
> sub   rsa4096 2017-06-23 [S] [expired: 2021-12-31]
>
> (note the expired pub, thus the whole key is considered expired)

Please try with --show-keys instead of using the default action.

> This is not usable for wkd for me, because it contains all uids (of
> course).

I am curious why you don't use gpg-wks-client for example with
the --install-key command.


Salam-Shalom,

   Werner


--
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


Re: export-filter question or bug

GnuPG - User mailing list

On Fri, 12 Feb 2021, Werner Koch wrote:

> On Fri, 12 Feb 2021 11:44, Erich Eckner said:
>
>> $GPG --export --export-filter keep-uid="mbox = $mbox" $fpr
>
> gpg-wks-client does something similar but using "uid =" with a
> pre-checked UID in an import filter.  It also uses
> import-options=import-export to process the keyblock without actually
> importing it.

Changing to a "uid = ..." filter yields the same result. Same for adding
"--import-options=import-export". But I'm also confused why
--import-options should be relevant when exporting a key :-/

>
>> $GPG --export --export-filter keep-uid="mbox =
>> [hidden email]" 2E29129B8C684FE7A959C422714A1770ECE2DF62
>> | gpg
>
> You should use
>
>  | gpg --show-keys

ok, noted.

>
>
>> pub   rsa4096 2017-06-23 [SC] [expired: 2019-06-23]
>>        2E29129B8C684FE7A959C422714A1770ECE2DF62
>> uid           buildmaster <[hidden email]>
>> sub   rsa4096 2017-06-23 [S] [expired: 2021-12-31]
>>
>> (note the expired pub, thus the whole key is considered expired)
>
> Please try with --show-keys instead of using the default action.

Makes no difference.

>
>> This is not usable for wkd for me, because it contains all uids (of
>> course).
>
> I am curious why you don't use gpg-wks-client for example with
> the --install-key command.

Well, for multiple reasons:

First, it's not in $PATH, so I didn't see it, when <tab><tab><tab>'ing ;-)

Now that I have played around with gpg-wks-client, I cannot find a --homedir
option to set the homedir of the keyring (I do not want to fill the wks
user's keyring with all the installed keys). Assuming I have the key in the
gpg directory in $tmp_dir, what's the best way to get gpg-wks-client to
read it from there? The only way I found is exporting into a temporary file:

$GPG --export 2E29129B8C684FE7A959C422714A1770ECE2DF62 > "$tmp_dir/key"
gpg-wks-server --install-key "$tmp_dir/key" [hidden email]

Interesting thing: this also installs an expired key, while
"$tmp_dir/key" looks ok:

$ gpg --show-keys < "$tmp_dir/key"
pub   rsa4096 2017-06-23 [SC] [expires: 2021-12-31]
       2E29129B8C684FE7A959C422714A1770ECE2DF62
uid                      archlinux32 repository signing key <[hidden email]>
uid                      buildmaster <[hidden email]>
sub   rsa4096 2017-06-23 [S] [expires: 2021-12-31]

$ gpg --show-keys < archlinux32.org/hu/z4eyw18p7a9p7c9owm78fj93mqkks6q3
pub   rsa4096 2017-06-23 [SC] [expired: 2019-06-23]
       2E29129B8C684FE7A959C422714A1770ECE2DF62
uid                      buildmaster <[hidden email]>
sub   rsa4096 2017-06-23 [S] [expired: 2021-12-31]


Ah, yet another question: the difference between `gpg-wks-client
--install-key ...` and `gpg-wks-server --install-key ...` is quite opaque
to me: with gpg-wks-client, I need to add "-C .", else it tries in
openpgp/, but besides that, the options and result look rather identical
to me.

>
>
> Salam-Shalom,
>
>   Werner

regards,
Erich



Re: export-filter question or bug

GnuPG - User mailing list

Hi,

I wanted to ask once more for help regarding this wkd-key-installation
issue I had.

Whichever way I try, I always end up with an expired key being installed
into wkd, although the key file looks all-right to me:

$ gpg --show-keys --with-wkd-hash $tmp_dir/key
pub   rsa4096 2017-06-23 [SC] [expires: 2021-12-31]
       2E29129B8C684FE7A959C422714A1770ECE2DF62
uid                      archlinux32 repository signing key <[hidden email]>
                          [hidden email]
uid                      buildmaster <[hidden email]>
                          [hidden email]
sub   rsa4096 2017-06-23 [S] [expires: 2021-12-31]

$ /usr/lib/gnupg/gpg-wks-client -C . --install-key "$tmp_dir/key" [hidden email]
gpg-wks-client: key 2E29129B8C684FE7A959C422714A1770ECE2DF62 published for '[hidden email]'

$ gpg --show-keys archlinux32.org/hu/z4eyw18p7a9p7c9owm78fj93mqkks6q3
pub   rsa4096 2017-06-23 [SC] [expired: 2019-06-23]
       2E29129B8C684FE7A959C422714A1770ECE2DF62
uid                      buildmaster <[hidden email]>
sub   rsa4096 2017-06-23 [S] [expired: 2021-12-31]


Instead of `gpg-wks-client --install-key`, I also tried `gpg-wks-server
--install-key` and `gpg --export --export-filter keep-uid="uid=buildmaster
<[hidden email]>"`.

What am I doing wrong? Or is there something special about this key?

The key can be found here:
https://archlinux32.org/keys.php?k=2E29129B8C684FE7A959C422714A1770ECE2DF62

regards,
Erich



Re: export-filter question or bug

GnuPG - User mailing list
On Tue, 23 Feb 2021 13:37, Erich Eckner said:

> What am I doing wrong? Or is there something special about this key?

Nothing.  It is an interesting case.  Let's have a look at the key exported
without any options (listing slightly edited):

  $ gpg --show-keys --with-sig-check c.pub
  pub   rsa4096 2017-06-23 [SC] [expires: 2021-12-31]
        2E29129B8C684FE7A959C422714A1770ECE2DF62
  uid                      [...] <[hidden email]>
  sig 3        714A1770ECE2DF62 2021-01-25  [...] <[hidden email]>
  uid                      [...] <[hidden email]>
  sig 3        714A1770ECE2DF62 2017-06-23  [...] <[hidden email]>
  sub   rsa4096 2017-06-23 [S] [expires: 2021-12-31]
        FD45993ACA052203886D618205CDEE5C356A46AD
  sig          714A1770ECE2DF62 2021-01-25  [...] <[hidden email]>

What we see is a key with two user ids.  The self-signatures binding the
user ids to the key carry important information, for example the
expiration date.

If we look closely at the self-signatures using --list-packets we see:

  :user ID packet: "[...] <[hidden email]>"
  :signature packet: algo 1, keyid 714A1770ECE2DF62
          version 4, created 1498203061, md5len 0, sigclass 0x13
          [...]
          hashed subpkt 9 len 4 (key expires after 2y0d0h0m)
          [...]

Adding this expiration value to the key creation time yields 2019-06-17
and thus the key would be expired.

  :user ID packet: "[...] <[hidden email]>"
  :signature packet: algo 1, keyid 714A1770ECE2DF62
          version 4, created 1611599717, md5len 0, sigclass 0x13
          [...]
          hashed subpkt 9 len 4 (key expires after 4y192d3h29m)
          [...]

Adding this expiration value to the key creation time yields 2021-12-31
and thus the key would be valid.

The actually used key expiration date is the latest one seen in the user id
self-signatures, thus in our case 2021-12-31.

Now if we export just one user id as done by gpg-wks-client

  gpg --no-options -v --batch --status-fd=2 --always-trust --armor \
       --export-options=export-minimal \
       --export-filter 'keep-uid=mbox= [hidden email]'
       --export -- 2E29129B8C684FE7A959C422714A1770ECE2DF62

We get a key with only the buildmaster@ user id and thus the latest
expiration date is 2019-06-17.  This is because the other user id and
its self-signature have been stripped.

Sure, this could be considered a bug in export-minimal, but fixing this
would require creating a new self-signature for the exported user id,
which then requires the private key and would confuse even more.
I am not sure how to solve it but it needs to be solved at least for
gpg-wks-client.  See https://dev.gnupg.org/T5323

You may simply want to change the expiration date of the key which, in
contrast to "adduid" updates all self-signatures.


Salam-Shalom,

   Werner


--
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
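An added example (not code from this thread or from GnuPG) that models the rule Werner describes above: the key expiration comes from the newest user-ID self-signature present, so a keep-uid export filter that drops the user ID carrying that signature silently moves the expiration. The timestamps and subpacket-9 durations are the ones quoted from --list-packets in the thread; the e-mail addresses, the class and the function names are constructed placeholders.

```python
"""Model how GnuPG derives a key's expiration from user-ID self-signatures.

Constructed example built from the two self-signatures quoted in the thread
(signature creation time and hashed subpacket 9, "key expires after").
Helper names are hypothetical; this is not GnuPG's own code.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

KEY_CREATED = 1498203061  # primary key creation time quoted in the thread (2017-06-23)


@dataclass(frozen=True)
class UidSelfSig:
    uid: str
    created: int        # signature creation time, epoch seconds
    expires_after: int  # subpacket 9: seconds after *key* creation, 0 = never


# Constructed keyblock. gpg prints subpacket 9 with a 365-day year, so
# "2y0d0h0m" is 730 days and "4y192d3h29m" is 1652 days 3h 29m.
KEYBLOCK = [
    UidSelfSig("buildmaster <buildmaster@example.org>", 1498203061, 730 * 86400),
    UidSelfSig("archlinux32 repository signing key <signing@example.org>",
               1611599717, 1652 * 86400 + 3 * 3600 + 29 * 60),
]


def effective_expiry(sigs, key_created=KEY_CREATED):
    """Expiration taken from the most recently created self-signature present."""
    newest = max(sigs, key=lambda s: s.created)
    if newest.expires_after == 0:
        return None
    return datetime.fromtimestamp(key_created + newest.expires_after, tz=timezone.utc)


def keep_uid(sigs, mbox):
    """Mimic --export-filter keep-uid="mbox = <addr>": drop every other user ID."""
    return [s for s in sigs if f"<{mbox}>" in s.uid]


def filter_changes_expiry(sigs, mbox):
    """Pre-publication check: does keeping only this mbox move the expiration?"""
    return effective_expiry(sigs) != effective_expiry(keep_uid(sigs, mbox))


if __name__ == "__main__":
    print("full key expires   :", effective_expiry(KEYBLOCK))
    print("buildmaster@ only  :", effective_expiry(keep_uid(KEYBLOCK, "buildmaster@example.org")))
    print("filter changes it? :", filter_changes_expiry(KEYBLOCK, "buildmaster@example.org"))
```

Running the check before `gpg-wks-client --install-key` flags exactly the case in the thread: keeping only buildmaster@ drops the 2021 self-signature and the published key falls back to the 2019 expiration.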
