Subkey binding issuer id mismatch, subkey removed on import #2914

Open
clerie opened this issue Apr 18, 2024 · 2 comments

clerie commented Apr 18, 2024

I have a GPG public key that, on import to OpenKeychain, gets all its subkeys removed during canonicalization. Following that, the primary key is imported but shows up as defective.

Expected Behavior

On import of a GPG public key, all its attached subkeys should be imported.

Current Behavior

While importing the attached GPG public key, all subkeys get stripped during canonicalization and the key shows up as defective.

[START] Importing public keyring 0x17f39044ed4ebcb1
 [START] Canonicalizing public keyring 0x17f39044ed4ebcb1
  [DEBUG] Processing primary key
  [DEBUG] Processing subkey 0x92b4230a70a573d9
   [WARN] Subkey binding issuer id mismatch
   [DEBUG] No valid certificate found for 0x92b4230a70a573d9, removing from ring
  [OK] Keyring canonicalization successful, removed one erroneous certificate
 [DEBUG] Preparing database operations
  [DEBUG] Encoding keyring data
  [DEBUG] Parsing keys
   [DEBUG] Processing primary key 0x17f39044ed4ebcb1
    [DEBUG] Primary flags: certify
    [DEBUG] Keyring expires on Fri Apr 18 16:03:32 GMT+02:00 2025
  [DEBUG] Classifying user IDs (no trusted keys available)
   [DEBUG] Processing user ID testkey
  [DEBUG] Re-ordering user IDs
 [DEBUG] No old key deleted (creating a new one?)
 [DEBUG] Applying insert batch operation.
 [OK] Successfully imported public keyring

Possible Solution

Steps to Reproduce (for bugs)

I generated a GPG key on my computer and imported it to OpenKeychain.

Generate key

There is a reproducible way to create a key, which shows the described issue.

Primary key

I created an RSA key that can certify only.

[clerie@krypton ~]$ gpg --expert --full-generate-key 
gpg (GnuPG) 2.4.5; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC (sign and encrypt) *default*
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key
  (14) Existing key from card
Your selection? 8

Possible actions for this RSA key: Sign Certify Encrypt Authenticate 
Current allowed actions: Sign Certify Encrypt 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? s

Possible actions for this RSA key: Sign Certify Encrypt Authenticate 
Current allowed actions: Certify Encrypt 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? e

Possible actions for this RSA key: Sign Certify Encrypt Authenticate 
Current allowed actions: Certify 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Fr 18 Apr 2025 16:03:24 CEST
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: testkey
Email address: 
Comment: 
You selected this USER-ID:
    "testkey"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: revocation certificate stored as '/home/clerie/.gnupg/openpgp-revocs.d/67CFA42A4E0EE8CF0BEA6D7517F39044ED4EBCB1.rev'
public and secret key created and signed.

pub   rsa4096 2024-04-18 [C] [expires: 2025-04-18]
      67CFA42A4E0EE8CF0BEA6D7517F39044ED4EBCB1
uid                      testkey

Adding an encryption subkey

It seems not to matter which action the subkeys support or how many we add.

[clerie@krypton ~]$ gpg --expert --edit-key 67CFA42A4E0EE8CF0BEA6D7517F39044ED4EBCB1
gpg (GnuPG) 2.4.5; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/17F39044ED4EBCB1
     created: 2024-04-18  expires: 2025-04-18  usage: C   
     trust: ultimate      validity: ultimate
[ultimate] (1). testkey

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
  (14) Existing key from card
Your selection? 8

Possible actions for this RSA key: Sign Encrypt Authenticate 
Current allowed actions: Sign Encrypt 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? s

Possible actions for this RSA key: Sign Encrypt Authenticate 
Current allowed actions: Encrypt 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Fr 18 Apr 2025 16:04:39 CEST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa4096/17F39044ED4EBCB1
     created: 2024-04-18  expires: 2025-04-18  usage: C   
     trust: ultimate      validity: ultimate
ssb  rsa4096/92B4230A70A573D9
     created: 2024-04-18  expires: 2025-04-18  usage: ER  
[ultimate] (1). testkey

gpg> save

Export key

Following that, I exported the key and imported it to OpenKeychain.

[clerie@krypton ~]$ gpg --armor --export 67CFA42A4E0EE8CF0BEA6D7517F39044ED4EBCB1

Demonstration that the key is working

The generated key is fully functioning while using GnuPG.
It can be imported and exported without any issues.

Encrypt a message with the key

[clerie@krypton ~]$ gpg --armor --encrypt
You did not specify a user ID. (you may use "-r")

Current recipients:

Enter the user ID.  End with an empty line: 67CFA42A4E0EE8CF0BEA6D7517F39044ED4EBCB1

Current recipients:
rsa4096/92B4230A70A573D9 2024-04-18 "testkey"

Enter the user ID.  End with an empty line: 
Hello World
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----

Decrypt the message

[clerie@krypton ~]$ gpg --decrypt
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
gpg: encrypted with rsa4096 key, ID 92B4230A70A573D9, created 2024-04-18
      "testkey"
Hello World

Context

Your Environment

  • Android Version: /e/os 1.21 (Android 12)
  • Device Model: Fairphone 4
  • OpenKeychain Version: 6.0.4
  • From Google Play or F-Droid?: F-Droid
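
The warning in the import log concerns the issuer recorded in the subkey binding signature. The following is an added diagnostic, not part of the original report and not OpenKeychain's or GnuPG's code: it walks a binary OpenPGP keyring and reports, for each v4 subkey binding signature, whether its Issuer (subpacket 16) and Issuer Fingerprint (subpacket 33) name the primary key. It assumes v4 keys and packets without partial or indeterminate lengths; all function names are illustrative.

```python
import hashlib

def read_len(buf, i):
    """RFC 4880 length of one, two or five octets (partial lengths not handled)."""
    o = buf[i]
    if o < 192:
        return o, i + 1
    if o == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    return ((o - 192) << 8) + buf[i + 1] + 192, i + 2

def packets(data):
    """Yield (tag, body) for each packet of a binary (not armored) keyring."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if hdr & 0x40:                      # new-format header
            tag, (n, i) = hdr & 0x3F, read_len(data, i)
        else:                               # old-format header, as GnuPG writes
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            n, i = int.from_bytes(data[i:i + size], "big"), i + size
        yield tag, data[i:i + n]
        i += n

def fingerprint(body):  # v4 only: SHA-1 over 0x99, two-octet length, packet body
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()

def subpackets(area):
    i = 0
    while i < len(area):
        n, i = read_len(area, i)
        yield area[i] & 0x7F, area[i + 1:i + n]   # mask the critical bit
        i += n

def binding_issuers(keyring):
    """Per v4 subkey binding signature (type 0x18): (subkey ID, Issuer key ID
    names primary, Issuer Fingerprint names primary); None = subpacket absent."""
    keys, out = {}, []
    for tag, body in packets(keyring):
        if tag in (6, 14):                  # 6 = primary key, 14 = subkey
            keys[tag] = fingerprint(body)
        elif tag == 2 and body[:2] == b"\x04\x18":
            h = int.from_bytes(body[4:6], "big")          # hashed area length
            u = int.from_bytes(body[6 + h:8 + h], "big")  # unhashed area length
            subs = dict(subpackets(body[6:6 + h] + body[8 + h:8 + h + u]))
            out.append((keys[14][-8:].hex(),
                        subs[16] == keys[6][-8:] if 16 in subs else None,
                        subs[33][1:] == keys[6] if 33 in subs else None))
    return out
```

Run it on the output of `gpg --export <fingerprint>` (without `--armor`) read in binary mode. A `None` in the second position means the binding signature carries no Issuer key ID subpacket at all.
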
@yamidashhh1993

27372F84C5290D1A8C1287ECE0849ED7AEE84941

@yamidashhh1993

27372F84C5290D1A8C1287ECE0849ED7AEE84941
