[ale] Uh-oh, gpg keyrings don't match!

Michael H. Warfield mhw at WittsEnd.com
Mon Oct 10 23:19:18 EDT 2011 

On Mon, 2011-10-10 at 22:51 -0400, Michael Trausch wrote: 
> On Mon, Oct 10, 2011 at 21:15, Jim Kinney <jim.kinney at gmail.com> wrote:
> >
> > Check mtimes and see if you overwrote them. Check mounts and see you have something mounted over you. Get ready to test your recovery process.
> 
> All the file times are different, because I just imported a key so
> that I could write an encrypted mail.  So, the public keyring was
> *just* modified, whereas the private one has been the same for a long
> time.  Unfortunately, it seems that my present dilapidated method of
> backing things up doesn't preserve the timestamps, so the private ring
> has a timestamp from when I last backed up/restored it.
> 
> I have nothing mounted in my $HOME.
> 
> And this is just plain weird...

Sigh...  Not as weird as you might think.

> Here is the listing for --list-keys and --list-secret (so, public and
> private, in order):

> mbt at aloe ~/.gnupg $ gpg2 --list-keys 19C59A30
> pub   1024D/19C59A30 2006-02-15 [expires: 2012-02-09]
> uid                  Michael B. Trausch <mike at trausch.us>
> uid                  [jpeg image of size 2663]
> uid                  Michael B. Trausch <fd0man at gmail.com>
> uid                  Michael B. Trausch (Educational Address)
> <fd0man at email.wintu.edu>
> uid                  Michael B. Trausch (Primary Address)
> <michael.trausch at gmail.com>
> uid                  Michael B. Trausch <mbt at zest.trausch.us>
> sub   4096g/2B4060E1 2011-02-22 [expires: 2012-02-09]

> mbt at aloe ~/.gnupg $ gpg2 --list-secret 19C59A30
> sec   1024D/19C59A30 2006-02-15 [expires: 2012-02-09]
> uid                  Michael B. Trausch <mike at trausch.us>
> uid                  [jpeg image of size 2663]
> uid                  Michael B. Trausch <fd0man at gmail.com>
> uid                  Michael B. Trausch (Educational Address)
> <fd0man at email.wintu.edu>
> uid                  Michael B. Trausch (Primary Address)
> <michael.trausch at gmail.com>
> uid                  Michael B. Trausch <mbt at zest.trausch.us>
> ssb   4096g/EE066969 2006-02-15 [expires: 2011-02-14]

Ok...  That's interesting that --list-keys doesn't show your expired
public key though -kv does (from my test on your downloaded key).

Yeah, crap...  Looks like, in the process of backing up and restoring
keys and what not, you've backed up and restored the secret key to your
expired encryption key but not the new one.  That can happen any one of
a number of ways but I would suspect that at one time you backed up your
old keyrings and then, after generating a new encryption key, restored
the old keyrings clobbering your secret keys and loosing the active one.
If you refreshed your public keys from the public key servers (something
I do quite often to pick up signatures others have given me) it would
restore your public key to the newer key but not the private key.  And
there you would be.

You're probably toast.  Unless you have a backup with that private key
somewhere, you are screwed.  Your only choice is to create a new
encryption key and revoke that old one you've lost the key to.  Then
make sure your keyrings are backed up and the old backups discarded.

Personally...  I would take the opportunity right here and now to
generate a completely new 2048R key (signed by the old key) and be done
with it.  That's going to expire in a few months anyways.  Bite the
bullet and just get off the DSS/DSA keys and back onto an RSA key.
You'll still have signing and encryption keys but they'll all be RSA
instead of DSA for signing and ElGamal for encryption.

> These are identical, except for the ElGamal encryption subkey.  If
> memory serves me correctly, I generated the second one to make the
> expiration date line up with that for the entire remainder of the key.
>  What I *don't* understand is, how in the world could this have
> happened?  Obviously one possibility is that I deleted my encryption
> subkey and regenerated it in February, 2011.  But generating an
> encryption key is a big deal in my mind and I think I would remember
> that.  I remember when I originally generated this key, and I remember
> every time someone has signed the public part of it.  I don't recall
> regenerating my encryption key, though.
> 
> Now, I haven't used my encryption key much since I generated it; I
> received maybe 20 encrypted emails from 2006 to 2008, and maybe 20 in
> total since then.  And I sent no more than that in those years, as
> well.
> 
> For that matter, if I would have generated the new encryption key,
> wouldn't it have been updated in my private key, too?
> 
> I need to look through the backups that I have taken throughout the
> year, but I don't think that I've ever backed up either my ~/.ssh or
> ~/.gnupg directories in part; I've always done it in full.
> 
> For that matter, except at the system's console, I can't get into the
> system without using an SSH key.
> 
> I guess it is time to step through the backups from the last two years
> and see what happened and when it changed...
> 
> Would it be paranoid to think that this is something more than a
> simple error?  It seems unlikely that (a) I would have regenerated my
> encryption key more than halfway into my key's useful life without
> revoking and regenerating the whole bloody key, (b) that I would have
> forgotten such an event and (c) that gpg had a bug that failed to
> write to the secret key, doesn't it?
> 
>    --- Mike
> 
> >
> > On Oct 10, 2011 8:11 PM, "Michael Trausch" <mike at trausch.us> wrote:
> >>
> >> Don't know what happened, but I have a bad situation.
> >>
> >> I have gpg keys, like many here. Somehow, though, my main key set (thankfully expiring in a few months!) isn't right.  My signing keys all appear to match, but my encryption key is different, and I cannot decrypt encrypted mail sent to me.
> >>
> >> Can anyone tell me how I might have screwed up so badly?

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
Url : http://mail.ale.org/pipermail/ale/attachments/20111010/89128bb7/attachment.bin

More information about the Ale mailing list