Cannot extend expired subkeys

cmonty14 · May 11, 2022, 2:18pm

Hello,
checking the keys stored on Nitrokey with command gpg --card-status I can see that any subkey has expired:

sec#  rsa4096/0x8891383EF89D9F5A  erzeugt: 2020-02-25  verfällt: niemals
ssb>  rsa4096/0x82F7E075D0B3AB32  erzeugt: 2020-02-25  verfällt: 2021-02-24
                                  Kartennummer:0005 00XXXXXX
ssb>  rsa4096/0x27886A4F0A4D017E  erzeugt: 2020-02-25  verfällt: 2021-02-24
                                  Kartennummer:0005 00XXXXXX
ssb>  rsa4096/0x34DD0A449BDDB937  erzeugt: 2020-02-25  verfällt: 2021-02-24
                                  Kartennummer:0005 00XXXXXX

If I try to change expire date I get this error message:

gpg: signing failed: No secret key
gpg: make_keysig_packet failed: No secret key

I tried it using this procedure:

gpg --expert --edit-key 0x8891383EF89D9F5A
Select relevant subkey
expire
1y

My understanding is that I cannot modify expired subkeys on the security card directly. Instead I must create new subkeys and export these keys to the security card.

Can you please advise how to proceed correctly?

THX

dtw · May 11, 2022, 2:58pm

cmonty14:

Hello,
checking the keys stored on Nitrokey with command gpg --card-status I can see that any subkey has expired:

sec#  rsa4096/0x8891383EF89D9F5A  erzeugt: 2020-02-25  verfällt: niemals
ssb>  rsa4096/0x82F7E075D0B3AB32  erzeugt: 2020-02-25  verfällt: 2021-02-24
                                  Kartennummer:0005 00XXXXXX
ssb>  rsa4096/0x27886A4F0A4D017E  erzeugt: 2020-02-25  verfällt: 2021-02-24
                                  Kartennummer:0005 00XXXXXX
ssb>  rsa4096/0x34DD0A449BDDB937  erzeugt: 2020-02-25  verfällt: 2021-02-24
                                  Kartennummer:0005 00XXXXXX

If I try to change expire date I get this error message:

gpg: signing failed: No secret key
gpg: make_keysig_packet failed: No secret key

You need the primary key (the [C]ertificate capable key) to make any key signatures. That is, to change anything in the key itself. In the program’s output above the sec# means that this keyring does not have the primary key.

cmonty14 · May 11, 2022, 3:20pm

The output of gpg --expert --edit-key 0x8891383EF89D9F5A confirms that [C]ertificate capable key exists:

pub  rsa4096/0x8891383EF89D9F5A
     erzeugt: 2020-02-25  verfällt: niemals     Nutzung: C
     Vertrauen: ultimativ     Gültigkeit: ultimativ

dtw · May 11, 2022, 3:45pm

Only the public part of the primary key exists. The secret part doesn’t exist which is confirmed by the sec#.

cmonty14 · May 11, 2022, 3:53pm

I have exported the private key using command gpg -a --export-secret-keys 0x8891383EF89D9F5A > private.key.
I verified the generated file private.key, and it shows this at the end of the file:

kPhWYHNszMbYnMZlO9zTkFRxBrqaIZorwG+JhcNRgU5NdS24I28hS9hAXwJBFvx8
Xb+Dssa/dZSzLNt8CJkPugAU+vRJ3izzC6YRROhdE0fwp9AKfm/FxrLp9Wi8um9x
wnbEQfQ97Cv0F1pgWvMIwKruDTyn
=D7aU
-----END PGP PRIVATE KEY BLOCK-----

Then I executed this command:
gpg --import .\private.key

However, gpg -K still shows secret part as missing:

gpg -K
C:\Users\d038783\gnupg\pubring.kbx
----------------------------------
sec#  rsa4096/0x8891383EF89D9F5A 2020-02-25 [C]
  Schl.-Fingerabdruck = 5C70 D64F 418E BADB 77EE  05DE 8891 383E F89D 9F5A
uid                [ ultimativ ]

cntrl · May 11, 2022, 4:41pm

I had my subkeys expired recently as well, what I did was the following and it worked:

# display card status for keyid
gpg2 --card-status
# edit key that you specified by it's keyid
gpg2 --edit-key keyid
# select the keys you want to renew
# after selection they should be marked with a *
key 1
key 2
key 3
# renew selected keys
expire
1y
y
save

since my cert key was on another nitrokey I needed to plug in that nitrokey as well for the second last step.

and the keys on the card were renewed, I didn’t have to transfer new keys.

edit: I re-tested it a minute ago for all my subkeys and it worked without any issues.

cmonty14 · May 12, 2022, 7:20am

What is your output of gpg -K?
Do you get output with the sec#?

cntrl · May 12, 2022, 7:45am

this is how my gpg -K output looks like.

no sec# but it specifies the serial number of the other nitrokey it’s on.

Also, I thought Nitrokeys can only store up to three keypairs. In your case this would mean that you’d have three subkeys + the cert key on it which shouldn’t work afaik

szszszsz · May 12, 2022, 11:25am

Hi!

What Nitrokey model do you use?
In general extending is a public key operation - one needs to modify public key data, sign it and send to key server / recipients.
The private key never leaves any Nitrokey USB stick by design. What you should get from GPG is a private key stub, referring to the hardware location.
You might need to remove the private key stubs, and recreate them with gpg2 --card-status, with the Nitrokey connected. If you use the same keys on multiple Nitrokey USB sticks, then the GnuPG could be confused, and ask for the originally used device with this key. Here the key stub removal could help.
If you are using Nitrokey Start, please make sure you are on the right Identity.

dtw · May 12, 2022, 2:59pm

sec# means that the particular secret key file is completely missing in .gnupg/private-keys-v1.d directory.

sec> means that there is a stub key file in .gnupg/private-keys-v1.d but the actual key data has been moved to (or created in) a smart card, like Nitrokey. The stub key file knows the serial number of the smart card so GnuPG can prompt for a smart card.

My1 · May 13, 2022, 8:18pm

wait I thought nitrokeys are made to not be capable of just exporting out the private keys?

dtw · May 14, 2022, 10:27am

gpg has its own keyring in $HOME/.gnupg directory (by default). Public keys are in pubring.kbx file and secret keys are in subdirectory private-keys-v1.d. Commands gpg --export (for public keys) and gpg --export-secret-keys (for public and secret keys) export keys from those places in the filesystem. They can’t export anything from a smart card (like Nitrokey).