Error generating subkey in gpg's batch mode using curve brainpoolP512r1

Hi!

Generating a signing subkey for a key using the curve brainpoolP512r1 reports an error with the following command:

printf "$pass" | \
gpg --batch --pinentry-mode=loopback --passphrase-fd 0 \
   --quick-add-key $fpr brainpoolP512r1 sign 0

Output:

gpg: Key generation failed: Wrong key usage

The brainpoolP512r1 curve supports signing and encryption (see ECC - GnuPG wiki). In the above command, subkeys can be generated normally when the usage is encr, but using sign or auth gives “gpg: Key generation failed: Wrong key usage”.

Subkeys with signing and authentication capabilities can be added normally in the --full-generate-key interactive mode using the brainpoolP512r1 curve. Is this an incorrect GnuPG configuration?

System and software information:

  1. macOS Ventura 13.7.2 and GnuPG version 2.4.7 (installed via dmg)
$ uname -a
Darwin macos 22.6.0 Darwin Kernel Version 22.6.0: Fri Nov 15 17:21:49 PST 2024; root:xnu-8796.141.3.709.7~2/RELEASE_X86_64 x86_64

$ gpg --version                
gpg (GnuPG) 2.4.7
libgcrypt 1.11.0-unknown
Copyright (C) 2024 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /var/folders/1d/z9761hbd67lbrny8yg2prtd80000gn/T/tmp.leYRKAXq
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
  2. openSUSE Leap 15.6 x86_64 and GnuPG version 2.4.4
$ uname -a
Linux opensuse 6.4.0-150600.23.30-default #1 SMP PREEMPT_DYNAMIC Sat Dec  7 08:37:53 UTC 2024 (8c25a0a) x86_64 x86_64 x86_64 GNU/Linux

$ gpg --version
gpg (GnuPG) 2.4.4
libgcrypt 1.10.3
Copyright (C) 2024 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /tmp/tmp.OMPvvhtAJ3
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

After checking the GnuPG documentation, I found an alternative approach: use --command-fd with --edit-key.

Add a sign subkey:

gpg --command-fd 0 --pinentry-mode=loopback --expert --edit-key "$KEYID" << EOF
addkey
10
8
0
$pass
save
EOF

Add an auth subkey:

gpg --command-fd 0 --pinentry-mode=loopback --expert --edit-key "$KEYID" << EOF
addkey
11
S
A
Q
8
0
$pass
save
EOF

This is not a permanent solution, and this command will need to be adapted if the options change in the --edit-key interaction model.
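As an added example (not code from the original post or from the GnuPG project), the following POSIX shell script folds the two --edit-key workarounds above into one helper that covers sign, auth and encr subkeys, and adds a check against gpg's machine-readable --with-colons listing that the new subkey really carries the curve and capability that was requested. The addkey menu numbers (10, 11, 12 and curve entry 8), the DEMO_KEYID and DEMO_PASS variables and the sample listing are assumptions; confirm the numbers against `gpg --expert --edit-key` on your own version, since, as the post notes, they move whenever the menu changes.

```shell
#!/bin/sh
# Added example, not code from the original post or from GnuPG. It generalizes
# the two --edit-key scripts from the post into one function covering sign,
# auth and encr subkeys, and verifies the result from gpg's colon listing.
#
# Assumptions: the addkey menu numbers are those the post shows for gpg 2.4
# with --expert (10 = ECC sign only, 11 = ECC with your own capabilities,
# 12 = ECC encrypt only; 8 = Brainpool P-512 in the curve list). Check them
# against `gpg --expert --edit-key` on your version before relying on them.

# Emit the command sequence that `gpg --command-fd 0 --edit-key` will read.
# $1 = sign|auth|encr, $2 = curve menu number, $3 = expiry ("0" = never),
# $4 = passphrase (read from the same fd because of --pinentry-mode=loopback).
addkey_script() {
    cap=$1; curve=$2; expire=$3; pass=$4
    case "$cap" in
        sign) printf 'addkey\n10\n%s\n%s\n%s\nsave\n' "$curve" "$expire" "$pass" ;;
        encr) printf 'addkey\n12\n%s\n%s\n%s\nsave\n' "$curve" "$expire" "$pass" ;;
        # Menu 11 starts with sign enabled: S turns sign off, A turns auth on, Q finishes.
        auth) printf 'addkey\n11\nS\nA\nQ\n%s\n%s\n%s\nsave\n' "$curve" "$expire" "$pass" ;;
        *)    echo "addkey_script: unknown capability '$cap'" >&2; return 2 ;;
    esac
}

# Feed the script to gpg with the same flags as the workaround in the post.
# $1 = key id or fingerprint, $2 = capability, $3 = curve number, $4 = expiry,
# $5 = passphrase
add_ecc_subkey() {
    addkey_script "$2" "$3" "$4" "$5" |
        gpg --command-fd 0 --pinentry-mode=loopback --expert --edit-key "$1"
}

# Read `gpg --with-colons` records on stdin and succeed if a "sub" record has
# the wanted curve name (field 17) and capability letter in field 12
# (s = sign, a = auth, e = encrypt). Use it after add_ecc_subkey so the key is
# checked for what was asked for instead of trusting the menu run.
has_subkey() {
    awk -F: -v curve="$1" -v cap="$2" '
        $1 == "sub" && $17 == curve && index($12, cap) > 0 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# $1 = key id or fingerprint, $2 = curve name as gpg prints it, $3 = capability letter
verify_subkey() {
    gpg --with-colons --list-keys "$1" | has_subkey "$2" "$3"
}

# Demo, only when DEMO_KEYID is set (assumed variable): add a Brainpool P-512
# auth subkey and verify it.
if [ -n "${DEMO_KEYID:-}" ]; then
    add_ecc_subkey "$DEMO_KEYID" auth 8 0 "${DEMO_PASS:-}"
    if verify_subkey "$DEMO_KEYID" brainpoolP512r1 a; then
        echo "auth subkey on brainpoolP512r1 present"
    else
        echo "auth subkey missing or has the wrong capabilities" >&2
        exit 1
    fi
fi
```

Run it with DEMO_KEYID and DEMO_PASS set to exercise the live path. The verification step is the part worth keeping even after the batch-mode bug is fixed: a menu script that drifts out of step with gpg's numbering can silently create a subkey with a different curve or capabilities than intended, and --with-colons is the listing format GnuPG keeps stable for scripts.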

Thanks for reporting. That really is a bug for all the ECDSA curves. I could reproduce it and reported it: T7506 GnuPG: Error when adding ECDSA subkey in batch mode with quick-add-key "Wrong key usage"

Okay, thanks for reporting it.
