Subkey not importing.

Greetings

We’re trying to migrate a dataflow from a Linux system to Windows. The Linux system is running Symantec PGP Command Line, and the Windows box is gpg4win. I exported the keypair from PGP. They imported the file, but it seems the subkey (for encryption) was not imported. So, decrypting gives the “no secret key” error. Is there something I’m missing? Screenshots attached.

[Screenshots: gpg4win-import-errmsg, gpg4win-ring]

Hi @eckertd,

which version of Gpg4win are you using? Maybe an upgrade would help if your version is not the current one.

You could try to import the key again, using the option -vvv when calling gpg to get more information about what happened.

If the previous things didn’t help, maybe you could create a test key with Symantec PGP, then export it, delete it from PGP itself and import it. Does it still have a subkey? If not, that would mean that it wasn’t exported in the first place.

Thanks for the reply. They’re using gpg4win v4.3.1. In the meantime, I took the private key file and imported on another/separate Linux server into a gpg (gnupg2-2.0.14-9) (EL6…hence the migration). The “ssb” shows up…not sure why the main key is 0xFFFFFFFF, though

[pgpuser@skpcpgp01 ~]$ gpg --allow-non-self-signed-uid --import ./DI-sec
gpg: invalid option "--allow-non-self-signed-uid"
[pgpuser@skpcpgp01 ~]$ gpg --allow-non-selfsigned-uid --import ./DI-sec
gpg: key FFFFFFFF: secret key imported
gpg: key BC091C93: accepted non self-signed user ID "DATAIMPORT <DATAIMPORTprod_at_company.com>"
gpg: key BC091C93: public key "DATAIMPORT <DATAIMPORTprod_at_company.com>" imported
gpg: Total number processed: 2
gpg: imported: 1 (RSA: 1)
gpg: secret keys read: 1
gpg: secret keys imported: 1
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u
[pgpuser@skpcpgp01 ~]$ gpg -K
/opt/pgp/.gnupg/secring.gpg

<…other keys in keyring…>

sec 0s/FFFFFFFF 2022-12-09
uid DATAIMPORT <DATAIMPORTprod_at_company.com>
ssb 2048R/18FF95F8 2022-12-09

Hi @eckertd,

there is the possibility that if the private key was on your Windows machine already, the subkey is not merged when trying to import it. So you could try (first using a backup and on a fresh Windows account) to delete the full secret key and then reimport it together with the new subkey.

Regards,
Bernhard

Thanks for the reply. I will have them remove the associated sec & pub keys, then try to import again. Separately, I have gpg 2.4.3 on another system. The keypair, with subkey, imported fine there. So, hopefully this works for them.

> I have gpg 2.4.3 on another system. The keypair, with subkey, imported fine there.

As a note: A full import is different from a partial import. In the partial import case, GnuPG must do subkey merging. (And I do not remember if and when this was implemented.)

Update: They removed the sec & pub keys, then re-imported the private key file and the encryption subkey was there. Thanks all!

2 Likes
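
A check for the condition discussed in this thread, as an added example that is not from any of the posters: it parses the output of `gpg --list-secret-keys --with-colons` and reports primary secret keys that have no usable encryption-capable secret (sub)key, which is what produces the "no secret key" error on decrypt. The listings and key IDs below are constructed placeholders, and the function names are hypothetical.

```python
# Added example: flag secret keys that cannot decrypt, from the output of
#   gpg --list-secret-keys --with-colons
# Field positions follow GnuPG's colon listing format:
#   field 1 record type, field 2 validity, field 5 key ID,
#   field 12 capabilities, field 15 '#' when the secret part is only a stub.

# Constructed listings; key IDs are placeholders, not values from the thread.
PRIMARY_ONLY = (
    "sec:u:2048:1:AAAAAAAAAAAAAAAA:1670544000:::u:::scSC:::+:::23::0:\n"
    "uid:u::::1670544000::::DATAIMPORT (constructed)::::::::::0:\n"
)
WITH_SUBKEY = (
    "sec:u:2048:1:AAAAAAAAAAAAAAAA:1670544000:::u:::scESC:::+:::23::0:\n"
    "uid:u::::1670544000::::DATAIMPORT (constructed)::::::::::0:\n"
    "ssb:u:2048:1:BBBBBBBBBBBBBBBB:1670544000::::::e:::+:::23:\n"
)
# Same key, but the subkey's secret material is absent (stub marker '#').
STUB_SUBKEY = WITH_SUBKEY.replace(":e:::+:", ":e:::#:")


def _can_decrypt(fields):
    """True if this sec/ssb record has usable encryption-capable secret material."""
    fields = fields + [""] * (15 - len(fields))   # pad short records
    validity, caps, token = fields[1], fields[11], fields[14]
    # Lowercase 'e' is this key's own capability; 'r'/'e' validity = revoked/expired.
    return "e" in caps and validity not in ("r", "e") and token != "#"


def keys_without_decryption_key(colon_listing):
    """Return key IDs of primary secret keys with no usable encryption (sub)key."""
    status = {}      # primary key ID -> can decrypt, in listing order
    current = None
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] == "sec" and len(fields) > 4:
            current = fields[4]
            status[current] = _can_decrypt(fields)
        elif fields[0] == "ssb" and current is not None:
            status[current] = status[current] or _can_decrypt(fields)
    return [keyid for keyid, ok in status.items() if not ok]


if __name__ == "__main__":
    for name, listing in [("primary only", PRIMARY_ONLY),
                          ("with subkey", WITH_SUBKEY),
                          ("stub subkey", STUB_SUBKEY)]:
        print(name, "->", keys_without_decryption_key(listing) or "ok")
```

Run against the real listing on the target machine after each import attempt; an empty result means every secret key has decryption-capable secret material.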