
Importing secret keys via gpgme-json
I'm trying to import keys using gpgme-json 1.15.1.

Importing public keys works as expected, but it seems that for secret
keys, only the public key part is imported. Is there an option to allow
importing secret keys or is importing of secret keys not supported?

Thanks,
Patrick

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-devel
Re: Importing secret keys via gpgme-json
On Sun, 9 May 2021 11:53, Patrick Brunschwig said:

> Importing public keys works as expected, but it seems that for secret
> keys, only the public key part is imported. Is there an option to allow
> importing secret keys or is importing of secret keys not supported?

Unless you have specific gpg import options, it should just work.
If in doubt, build gpgme and test with tests/run-import or run

GPGME_DEBUG=7:gpgme.log ./gpgme-json

and check the log file. It might however, be easier to put

log-file /some-file

into gpg.conf to see gpg's diagnostics. GPGME also has an audit feature
which can be used to get the gpg diagnostics; I am not sure whether
gpgme-json supports this, though.


Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: Importing secret keys via gpgme-json
Werner Koch wrote on 10.05.2021 19:08:
> On Sun, 9 May 2021 11:53, Patrick Brunschwig said:
>
>> Importing public keys works as expected, but it seems that for secret
>> keys, only the public key part is imported. Is there an option to allow
>> importing secret keys or is importing of secret keys not supported?
>
> Unless you have specific gpg import options, it should just work.
> If in doubt, build gpgme and test with tests/run-import or run
>
> GPGME_DEBUG=7:gpgme.log ./gpgme-json
>
> and check the log file. It might however, be easier to put
>
> log-file /some-file
>
> into gpg.conf to see gpg's diagnostics. GPGME also has an audit feature
> which can be used to get the gpg diagnostics; I am not sure whether
> gpgme-json supports this, though.

2021-05-13 15:53:58 gpg[2481] DBG: cache_user_id: already in cache
2021-05-13 15:53:58 gpg[2481] error getting the KEK: Forbidden
2021-05-13 15:53:58 gpg[2481] error reading '-&10': Forbidden
2021-05-13 15:53:58 gpg[2481] import from '-&10' failed: Forbidden
2021-05-13 15:53:58 gpg[2481] Total number processed: 0
2021-05-13 15:53:58 gpg[2481] imported: 1
2021-05-13 15:53:58 gpg[2481] secret keys read: 1
2021-05-13 15:53:58 gpg[2481] keydb: handles=3 locks=2 parse=2 get=2
2021-05-13 15:53:58 gpg[2481] build=1 update=0 insert=1 delete=0
2021-05-13 15:53:58 gpg[2481] reset=1 found=2 not=1 cache=0 not=0

I have attached the complete log, but I think this is the most relevant
part of it. Apparently, reading from -&10 does not seem to work.

-Patrick
Re: Importing secret keys via gpgme-json
On Thu, 13 May 2021 15:58, Patrick Brunschwig said:

> 2021-05-13 15:53:58 gpg[2481] error getting the KEK: Forbidden

Ooops, I forgot about this. gpgme-json tells gpg that the origin of the
request is the browser:

gpgme_set_ctx_flag (ctx, "request-origin", "browser");

which enables this gpg option

--request-origin origin
Tell gpg to assume that the operation ultimately originated at
origin. Depending on the origin certain restrictions are applied
and the Pinentry may include an extra note on the origin. Supported
values for origin are: local which is the default, remote to
indicate a remote origin or browser for an operation requested by a
web browser.

this leads to

OPTION pretend-request-origin=browser

sent to gpg-agent, which then assumes the requests are coming from its
browser socket, which is restricted similarly to the remote socket.

So, you can't do certain operations. In case you are not running from a
browser, we could add a command line option to gpgme-json to change
this restriction.


Salam-Shalom,

Werner


--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
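As an added example (not from this thread and not GnuPG or GPGME code), a small Python parser for the kind of gpg log-file excerpt Patrick posted: it pulls out the Forbidden errors and the import counters and flags the KEK refusal that Werner traces to the restricted browser request origin. The sample log and all function and class names are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the gpg log-file excerpt quoted in the thread.
SAMPLE_LOG = """\
2021-05-13 15:53:58 gpg[2481] DBG: cache_user_id: already in cache
2021-05-13 15:53:58 gpg[2481] error getting the KEK: Forbidden
2021-05-13 15:53:58 gpg[2481] error reading '-&10': Forbidden
2021-05-13 15:53:58 gpg[2481] import from '-&10' failed: Forbidden
2021-05-13 15:53:58 gpg[2481] Total number processed: 0
2021-05-13 15:53:58 gpg[2481] imported: 1
2021-05-13 15:53:58 gpg[2481] secret keys read: 1
"""

LINE_RE = re.compile(r"^\S+ \S+ (?P<prog>\w+)\[(?P<pid>\d+)\] (?P<msg>.*)$")
FORBIDDEN_RE = re.compile(r"^(?P<what>.+?): Forbidden$")
COUNTER_RE = re.compile(r"^(?P<name>[A-Za-z ]+?): (?P<value>\d+)$")


@dataclass
class ImportDiagnosis:
    forbidden: list = field(default_factory=list)   # messages gpg flagged as Forbidden
    counters: dict = field(default_factory=dict)    # import summary counters

    def secret_import_blocked(self) -> bool:
        # gpg read a secret key but gpg-agent refused to hand out the key-encryption
        # key (KEK); that is the behaviour of a restricted (browser/remote) origin.
        return (self.counters.get("secret keys read", 0) > 0
                and any(w.startswith("error getting the KEK") for w in self.forbidden))

    def explain(self) -> str:
        if self.secret_import_blocked():
            return ("gpg-agent refused the KEK: the request origin is restricted "
                    "(gpgme-json sets request-origin=browser), so only the public "
                    "part of the key is imported")
        return "no origin-related import errors found"


def parse_gpg_log(text: str) -> ImportDiagnosis:
    # Keep only gpg's own lines, then sort each message into errors or counters.
    diag = ImportDiagnosis()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("prog") != "gpg":
            continue
        msg = m.group("msg")
        if (f := FORBIDDEN_RE.match(msg)):
            diag.forbidden.append(f.group("what"))
        elif (c := COUNTER_RE.match(msg)):
            diag.counters[c.group("name")] = int(c.group("value"))
    return diag
```

Run `parse_gpg_log(SAMPLE_LOG).explain()` against a log written with `log-file` in gpg.conf; the same parser applies unchanged to GPGME_DEBUG output once the non-gpg lines are filtered out.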