gpg: keydb_get_keyblock failed: Invalid object
Hi,
gpg failed after I created a second sign-only Curve 448 key.

# gpg2 --version
gpg (GnuPG) 2.3.2
libgcrypt 1.9.4

# gpg2 --full-gen-key
...
Please select what kind of key you want:
(1) RSA and RSA
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(9) ECC (sign and encrypt) *default*
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(13) Existing key
(14) Existing key from card
Your selection? 9
Please select which elliptic curve you want:
(1) Curve 25519 *default*
(2) Curve 448
(3) NIST P-256
(4) NIST P-384
(5) NIST P-521
(6) Brainpool P-256
(7) Brainpool P-384
(8) Brainpool P-512
(9) secp256k1
Your selection? 2
...

# gpg2 --edit-key testkey1
gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
(14) Existing key from card
Your selection? 10
Please select which elliptic curve you want:
(1) Curve 25519 *default*
(2) Curve 448
(3) NIST P-256
(4) NIST P-384
(5) NIST P-521
(6) Brainpool P-256
(7) Brainpool P-384
(8) Brainpool P-512
(9) secp256k1
Your selection? 2
..
gpg> save

# gpg2 -k
gpg: keydb_get_keyblock failed: Invalid object

Re: gpg: keydb_get_keyblock failed: Invalid object
Hello,

Thank you for your report.

William Holmes wrote:
> gpg failed after I created a second sign-only Curve 448 key.

Please use --quick-add-key instead, while I'm fixing the bug.

My changes in the following commits were not enough.

2b50f942672d9a2c325a818f21f69d3ee69255d3
36355394d865f5760075e62267d70f7a7d5dd671

I think that something like this will need to be applied.

Please note that 448 keys are not yet standardized in OpenPGP. So, the
format for keys, signatures, and encrypted data may change in the future.

diff --git a/g10/keygen.c b/g10/keygen.c
index 239e7aca1..cb6487ea3 100644
--- a/g10/keygen.c
+++ b/g10/keygen.c
@@ -5879,7 +5879,12 @@ generate_subkeypair (ctrl_t ctrl, kbnode_t keyblock, const char *algostr,
else if (algo == PUBKEY_ALGO_ECDSA
|| algo == PUBKEY_ALGO_EDDSA
|| algo == PUBKEY_ALGO_ECDH)
- curve = ask_curve (&algo, NULL, NULL);
+ {
+ curve = ask_curve (&algo, NULL, NULL);
+
+ if (curve && (!strcmp (curve, "X448") || !strcmp (curve, "Ed448")))
+ keygen_flags |= KEYGEN_FLAG_CREATE_V5_KEY;
+ }
else
nbits = ask_keysize (algo, 0);
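
Review bot: the curve test in the new block compares against the literal strings "X448" and "Ed448" inline, with no comment saying why these two curves force KEYGEN_FLAG_CREATE_V5_KEY. If primary-key generation applies the same rule, move the test into one small helper shared by both call sites so the two lists cannot drift apart, and add a one-line comment tying the flag to the 448 curves.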

--

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg: keydb_get_keyblock failed: Invalid object
Hi,

># gpg2 -k
>gpg: keydb_get_keyblock failed: Invalid object

Me too with "gpg --list-public-keys user-id", after I created a key
with:
ed448 (C)
ed25519 (S)
cv25519 (E)

--
mlnl

GPG:1FC05426F87FA623

Re: gpg: keydb_get_keyblock failed: Invalid object
Hi,

>gpg: keydb_get_keyblock failed: Invalid object

Key deletion and importing a revocation cert fail too:

$ gpg --delete-secret-and-public-keys key-id
gpg: Error reading the key block: invalid object
gpg: key-id: delete key failed: invalid object

$ gpg_importkey .gnupg/openpgp-revocs.d/key-id.rev
gpg: No valid OpenPGP data found.


--
mlnl

GPG:1FC05426F87FA623

Re: gpg: keydb_get_keyblock failed: Invalid object
Hi,
It is not just a sign-only Curve 448 subkey: gpg will fail after any subkey
(RSA/ECC [S]/[E]/[A]/[C]) is created when a keypair is generated with Curve
448.
When gpg fails, how can I recover keys?
This is so important.
This bug will destroy the keydb; it is a "big" issue.

_____________________________________

On Thu, Aug 26, 2021 at 4:25 AM NIIBE Yutaka <gniibe@fsij.org> wrote:

> Hello,
>
> Thank you for your report.
>
> William Holmes wrote:
> > gpg failed after I created a second sign-only Curve 448 key.
>
> Please use --quick-add-key instead, while I'm fixing the bug.
>
> My changes in the following commits were not enough.
>
> 2b50f942672d9a2c325a818f21f69d3ee69255d3
> 36355394d865f5760075e62267d70f7a7d5dd671
>
> I think that something like this will need to be applied.
>
> Please note that 448 keys are not yet standardized in OpenPGP. So, the
> format for keys, signatures, and encrypted data may change in the future.
>
> diff --git a/g10/keygen.c b/g10/keygen.c
> index 239e7aca1..cb6487ea3 100644
> --- a/g10/keygen.c
> +++ b/g10/keygen.c
> @@ -5879,7 +5879,12 @@ generate_subkeypair (ctrl_t ctrl, kbnode_t
> keyblock, const char *algostr,
> else if (algo == PUBKEY_ALGO_ECDSA
> || algo == PUBKEY_ALGO_EDDSA
> || algo == PUBKEY_ALGO_ECDH)
> - curve = ask_curve (&algo, NULL, NULL);
> + {
> + curve = ask_curve (&algo, NULL, NULL);
> +
> + if (curve && (!strcmp (curve, "X448") || !strcmp (curve,
> "Ed448")))
> + keygen_flags |= KEYGEN_FLAG_CREATE_V5_KEY;
> + }
> else
> nbits = ask_keysize (algo, 0);
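
Review bot: the flag is set only from the curve chosen for the new subkey, so the else branch with "nbits = ask_keysize (algo, 0);" and any non-448 choice from ask_curve leave keygen_flags unchanged. The report in this message says gpg fails after any subkey (RSA/ECC) is added to a keypair generated with Curve 448, so it is worth checking whether the decision should also look at the primary key in keyblock rather than at curve alone.
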
>
> --
>