gpg2 import of gpg1 secret key fails (gpg 2.1.15, Ubuntu 17.10)


Problem description

When I try importing my nicely-exported gpg1 keys using gpg2, the public key import works fine:

gpg --import /path/to/publickey.gpg

gpg: directory '/home/me/.gnupg' created
gpg: new configuration file '/home/me/.gnupg/dirmngr.conf' created
gpg: new configuration file '/home/me/.gnupg/gpg.conf' created
gpg: keybox '/home/me/.gnupg/pubring.kbx' created
gpg: /home/me/.gnupg/trustdb.gpg: trustdb created
gpg: key ABCDEF1234567890: public key "Me <me@me.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

But importing the secret key fails (note: same result when using --allow-secret-key-import):

gpg --import /path/to/secretkey.gpg

gpg: key ABCDEF1234567890: "Me <me@me.com>" not changed
gpg: key ABCDEF1234567890/ABCDEF1234567890: error sending to agent: No such file or directory
gpg: error building skey array: No such file or directory
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1

I am on this (on Ubuntu Zesty 17.04):

gpg --version

gpg: WARNING: unsafe permissions on homedir '/home/me/.gnupg'
gpg (GnuPG) 2.1.15
libgcrypt 1.7.6-beta
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/me/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cypher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

The exact same import steps work fine if I try with gpg 1.4.21 (on the same machine, can get it with sudo apt-get install gnupg1).

Recommended answer

The differences between GnuPG 1.4 plus 2.0 and from 2.1 and above are explained in depth here. The first section of that page deals with the changes to the way secret keys are handled.

When you migrate to the modern branch of GPG from an existing instance of either 1.4 or 2.0 your secring.gpg file is imported into the new format and is not directly available as a keyring file. This will be done automatically the first time you invoke GPG 2.1 or 2.2. At the same time your public keyring (pubring.gpg) will be converted to the newer keybox format (pubring.kbx).

This conversion process is only performed once and GnuPG keeps track of this by writing a hidden file into your $GNUPGHOMEDIR (usually this is ~/.gnupg but can be confirmed by running gpgconf --list-dirs and the homedir should be the last line). The hidden file is named .gpg-v21-migrated and if, for whatever reason, you need to re-run the import process then simply deleting that file and restarting gpg-agent should do the job.

To reload gpg-agent properly, do this:

bash-4.4$ gpg-connect-agent
> RELOADAGENT
OK
> BYE
OK closing connection
bash-4.4$ 

To restart gpg-agent properly, do this:

bash-4.4$ gpg-connect-agent
> KILLAGENT
OK closing connection
bash-4.4$ 

The next GPG command will start it again.

As for the private-keys-v1.d/ directory: yes, it does contain secret key material, but it is in keygrip format and encrypted; it cannot be used directly the way the old secring.gpg file had been. You can, however, still export your secret keys to that format if you need to migrate systems or back up the keys or whatever else. That's essentially the same command as it was previously (including the export-options).
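
A read-only check of the migration state the answer describes, as an added example that is not part of the original answer: it reports whether the .gpg-v21-migrated marker is set, whether a legacy secring.gpg is still waiting, how many key files sit in private-keys-v1.d/, and whether group or other can access the homedir. The function names are hypothetical, and the permission test is an approximation of the check behind GnuPG's "unsafe permissions" warning.

```shell
#!/bin/sh
# Added example: inspect a GnuPG home directory without touching any key material.
# File names come from the post; function names are hypothetical.

# Print one of: migrated | pending | no-legacy-keyring
migration_state() {
    d=$1
    if [ -e "$d/.gpg-v21-migrated" ]; then
        echo migrated            # marker present: secring.gpg will not be read again
    elif [ -s "$d/secring.gpg" ]; then
        echo pending             # legacy keyring present, marker absent
    else
        echo no-legacy-keyring   # nothing to migrate from this homedir
    fi
}

# Count the <keygrip>.key files that gpg-agent keeps in private-keys-v1.d/
agent_key_count() {
    keydir=$1/private-keys-v1.d
    [ -d "$keydir" ] || { echo 0; return 0; }
    find "$keydir" -type f -name '*.key' | wc -l | tr -d ' '
}

# Succeed only if group and other have no access bits on the directory.
# Assumption: this approximates GnuPG's own homedir permission check.
homedir_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

report() {
    d=$1
    state=$(migration_state "$d")
    keys=$(agent_key_count "$d")
    echo "homedir:     $d"
    echo "migration:   $state"
    echo "agent keys:  $keys"
    if [ "$state" = migrated ] && [ "$keys" = 0 ] && [ -s "$d/secring.gpg" ]; then
        echo "note: marker set but no agent keys; see the re-run procedure in the post"
    fi
    if homedir_private "$d"; then
        echo "permissions: ok"
    else
        echo "permissions: group/other access, fix with: chmod 700 $d"
    fi
}

if [ "$#" -gt 0 ]; then report "$1"; fi
```

Run it as `sh check.sh ~/.gnupg` (the script name is a placeholder) before deleting the marker file, so you know which state you are starting from.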
