[ale] Uh-oh, gpg keyrings don't match!

Michael Trausch mike at trausch.us
Mon Oct 10 22:51:16 EDT 2011


On Mon, Oct 10, 2011 at 21:15, Jim Kinney <jim.kinney at gmail.com> wrote:
>
> Check mtimes and see if you overwrote them. Check mounts and see if you have something mounted over you. Get ready to test your recovery process.

All the file times are different, because I just imported a key so
that I could write an encrypted mail.  So, the public keyring was
*just* modified, whereas the private one has been the same for a long
time.  Unfortunately, it seems that my present dilapidated method of
backing things up doesn't preserve the timestamps, so the private ring
has a timestamp from when I last backed up/restored it.

I have nothing mounted in my $HOME.

And this is just plain weird...

Here is the listing for --list-keys and --list-secret (so, public and
private, in order):

mbt at aloe ~/.gnupg $ gpg2 --list-keys 19C59A30
pub   1024D/19C59A30 2006-02-15 [expires: 2012-02-09]
uid                  Michael B. Trausch <mike at trausch.us>
uid                  [jpeg image of size 2663]
uid                  Michael B. Trausch <fd0man at gmail.com>
uid                  Michael B. Trausch (Educational Address) <fd0man at email.wintu.edu>
uid                  Michael B. Trausch (Primary Address) <michael.trausch at gmail.com>
uid                  Michael B. Trausch <mbt at zest.trausch.us>
sub   4096g/2B4060E1 2011-02-22 [expires: 2012-02-09]

mbt at aloe ~/.gnupg $ gpg2 --list-secret 19C59A30
sec   1024D/19C59A30 2006-02-15 [expires: 2012-02-09]
uid                  Michael B. Trausch <mike at trausch.us>
uid                  [jpeg image of size 2663]
uid                  Michael B. Trausch <fd0man at gmail.com>
uid                  Michael B. Trausch (Educational Address) <fd0man at email.wintu.edu>
uid                  Michael B. Trausch (Primary Address) <michael.trausch at gmail.com>
uid                  Michael B. Trausch <mbt at zest.trausch.us>
ssb   4096g/EE066969 2006-02-15 [expires: 2011-02-14]

These are identical, except for the ElGamal encryption subkey.  If
memory serves me correctly, I generated the second one to make the
expiration date line up with that for the entire remainder of the key.
What I *don't* understand is, how in the world could this have
happened?  Obviously one possibility is that I deleted my encryption
subkey and regenerated it in February, 2011.  But generating an
encryption key is a big deal in my mind and I think I would remember
that.  I remember when I originally generated this key, and I remember
every time someone has signed the public part of it.  I don't recall
regenerating my encryption key, though.

Now, I haven't used my encryption key much since I generated it; I
received maybe 20 encrypted emails from 2006 to 2008, and maybe 20 in
total since then.  And I sent no more than that in those years, as
well.

For that matter, if I had generated the new encryption key,
wouldn't it have been updated in my private key, too?

I need to look through the backups that I have taken throughout the
year, but I don't think that I've ever backed up either my ~/.ssh or
~/.gnupg directories in part; I've always done it in full.

For that matter, except at the system's console, I can't get into the
system without using an SSH key.

I guess it is time to step through the backups from the last two years
and see what happened and when it changed...

Would it be paranoid to think that this is something more than a
simple error?  It seems unlikely that (a) I would have regenerated my
encryption key more than halfway into my key's useful life without
revoking and regenerating the whole bloody key, (b) that I would have
forgotten such an event and (c) that gpg had a bug that failed to
write to the secret key, doesn't it?

   --- Mike

>
> On Oct 10, 2011 8:11 PM, "Michael Trausch" <mike at trausch.us> wrote:
>>
>> Don't know what happened, but I have a bad situation.
>>
>> I have gpg keys, like many here. Somehow, though, my main key set (thankfully expiring in a few months!) isn't right.  My signing keys all appear to match, but my encryption key is different, and I cannot decrypt encrypted mail sent to me.
>>
>> Can anyone tell me how I might have screwed up so badly?
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>
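Added example, not part of the original message: a small Python check that parses `gpg2 --with-colons` listings and reports subkeys present in only one of the public and secret keyrings, which is the mismatch shown in the two listings above. The sample records are constructed (short key IDs and dates mirror the listings; the zero-padded long IDs and the user ID are made up), and the function names are hypothetical.

```python
import subprocess
import sys

# Constructed sample listings in `--with-colons` form. Short key IDs and dates
# mirror the listings in the message; the zero-padded long IDs are made up.
PUBLIC = """\
pub:u:1024:17:0000000019C59A30:2006-02-15:2012-02-09::u:::scESC:
uid:u::::2006-02-15::::Constructed User ID:
sub:u:4096:16:000000002B4060E1:2011-02-22:2012-02-09:::::e:
"""
SECRET = """\
sec:u:1024:17:0000000019C59A30:2006-02-15:2012-02-09::u:::scESC:
uid:u::::2006-02-15::::Constructed User ID:
ssb:u:4096:16:00000000EE066969:2006-02-15:2011-02-14:::::e:
"""

def subkeys(listing):
    """Map primary key ID -> {subkey ID: (algo, created, expires)}."""
    result, primary = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 7:
            continue  # blank or truncated record
        if f[0] in ("pub", "sec"):
            primary = f[4]
            result.setdefault(primary, {})
        elif f[0] in ("sub", "ssb") and primary is not None:
            # Dates are kept as opaque strings (newer gpg prints epoch seconds).
            result[primary][f[4]] = (f[3], f[5], f[6])
    return result

def compare(public, secret):
    """List (primary, subkey, side) for subkeys found in only one listing."""
    pub, sec = subkeys(public), subkeys(secret)
    findings = []
    for primary in sorted(set(pub) | set(sec)):
        p, s = pub.get(primary, {}), sec.get(primary, {})
        findings += [(primary, k, "public-only") for k in sorted(set(p) - set(s))]
        findings += [(primary, k, "secret-only") for k in sorted(set(s) - set(p))]
    return findings

def gpg_listing(mode, key):
    """Run gpg2 for one key; mode is --list-keys or --list-secret-keys."""
    cmd = ["gpg2", "--with-colons", "--fixed-list-mode", mode, key]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    if len(sys.argv) > 1:
        PUBLIC = gpg_listing("--list-keys", sys.argv[1])
        SECRET = gpg_listing("--list-secret-keys", sys.argv[1])
    for primary, sub, side in compare(PUBLIC, SECRET):
        print(f"{primary}: subkey {sub} is {side}")
```

Run with no argument it uses the constructed sample; with a key ID it queries the local keyrings. Running the same comparison against each restored backup of `~/.gnupg` shows which backup first contains the changed subkey.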


