Page MenuHome GnuPG
Create Task
Maniphest T2070

Can not leave passphrase empty when exporting secret key
Closed, ResolvedPublic
Actions

Description

If I export a secret key or subkey, I am asked for a passphrase (actually, one
passphrase for each subkey, but that is a separate issue). If I leave the fields
empty, a dialog asks if I am sure. I can click "Yes, protection is not needed.",
but this results in the message

  gpg: key ...: error receiving key from agent: No passphrase given - skipped

and the file is empty afterwards.
My hard disks are encrypted, so I have no additional passphrase set for my
secret keys. Whenever I create new subkeys (which I do every year), I have to
synchronize it to my laptop, which also has an encrypted hard drive and the
transport is also done securely. So I do not see why I should set a passphrase
for the exported secret key (after all, the key is not even additionally
encrypted in my .gnupg-folder). But even if for some reason there is a design
decision that it should not be possible to export without passphrase (which
would be odd), the dialog suggests that it is possible.

Details

Version
2.1

Related Objects

Event Timeline

viktor added projects: gnupg, Bug Report.Aug 12 2015, 5:29 PM
viktor added a subscriber: viktor.
werner added a subscriber: werner.Aug 13 2015, 6:17 PM

That is a known problem. I have not yet found the time to fix it. I think
there is another bug report as well.

werner set Version to 2.1.Apr 19 2016, 10:45 AM
justus mentioned this in T2324: gpg --batch --export-secret-key fails (requires user interaction) if key has no passphrase.Mar 30 2017, 7:17 PM
dkg added a subscriber: dkg.Apr 19 2016, 3:18 PM
justus claimed this task.Apr 20 2016, 11:13 AM
justus added a subscriber: justus.

Related T2324.

dkg added a comment.Apr 20 2016, 2:58 PM

Thanks for looking into this, Justus.

While you're working on this, it might make sense to consider restoration of the
--export-options export-reset-subkey-passwd flag, which was dropped in 2.1.

This flag was used by at least one GnuPG downstream (monkeysphere); its absence
causes "monkeysphere subkey-to-ssh-agent" to fail.

In GnuPG 1.4.x and 2.0.x, the option was defined this way:

export-reset-subkey-passwd
       When  using  the  --export-secret-subkeys  command,  this
       option resets the passphrases for all exported subkeys to
       empty. This is useful when the exported subkey is  to  be
       used  on an unattended machine where a passphrase doesn't
       necessarily make sense. Defaults to no.
werner added a comment.Apr 20 2016, 3:59 PM

I already sent Justsus some code I started with to restore that feature.

guilhem added a subscriber: guilhem.May 10 2016, 7:41 PM
bernhard added a subscriber: bernhard.Jun 1 2016, 3:25 PM

I am resolving this issue as duplicate of T2324
in the case of intented empty passphrase for the exported key.
(the export-reset-subkey-passwd flag should be taken to an entirely different
issue.)

bernhard closed this task as Resolved.Jun 1 2016, 3:25 PM

Duplicate of T2324

bernhard added a project: Duplicate.Jun 1 2016, 3:25 PM