3

Issue: I get a different list of secret keys when using gpg -K than gpg -edit, and the missing keys can no longer be used to decrypt. How do I fix this?

Example:

C:\...\>gpg --edit 11111111
gpg (GnuPG) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  2048R/11111111  created: 2012-09-09  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
sub  2048R/22222222  created: 2012-09-09  expired: 2015-11-28  usage: E
sub  2048R/33333333  created: 2014-11-28  expired: 2015-11-28  usage: S
sub  2048R/44444444  created: 2015-12-08  expired: 2016-12-31  usage: S
sub  2048R/55555555  created: 2015-12-08  expired: 2016-12-31  usage: E
sub  4096R/66666666  created: 2016-12-28  expires: 2017-12-31  usage: S
sub  4096R/77777777  created: 2016-12-28  expires: 2017-12-31  usage: E
[ultimate] (1). Full Name <name@email.com>

C:\...\>gpg -K
C:/GnuPG/secring.gpg
--------------------
sec   2048R/11111111 2012-09-09
uid                  Full Name <name@email.com>
ssb   2048R/22222222 2012-09-09
ssb   2048R/33333333 2014-11-28
ssb   4096R/66666666 2016-12-28
ssb   4096R/77777777 2016-12-28

You'll see that 44444444 and 55555555 are missing from gpg -K.

Things tried: adding new keys and removing newer keys (there was once a bug which only listed the latest key) and upgrading and downgrading versions of GPG4win.

Please suggest search keywords if this is an RTFM issue.

Note: I'm using Gpg4win on Win10 but I'll spin up a *nix if necessary to sort this out.

opendna
  • 61
  • 9
  • No idea, but when you do get it to work, make a backup of your key ring and other GPG config files so you can always just do an erase and restore. It's really easy to get locked out of stuff for forever. – Joe Jan 04 '17 at 03:34
  • 1
    I did restore from backup (armored exports made when the keys were generated) but it didn't help. That's my cause for concern: if it was just a "should'a had a backup to protect against bitrot" I'd blame myself and move on, but I'm not sure how to do better next time. I don't think I have a dated copy of the secring.gpg, but I'm looking for it. – opendna Jan 04 '17 at 10:01

1 Answers1

0

Issue replicated: User error.

gpg -K lists only private keys. gpg --edit lists both public subkeys and private subkeys but does not distinguish when the secret subkey is missing.

This is what it looks like when you export the public subkey, delete the secret subkey, then import the public subkey.

tl;dr: PEBKAC

opendna
  • 61
  • 9