Package: gpg
Version: 2.2.12-1
Control: found -1 2.2.13-1
Control: found -1 2.2.14-1
Control: found -1 2.2.15-1
Control: tags -1 patch upstream
Control: affects -1 src:monkeysphere
Control: forwarded -1

When a passphraseless keyfile in ~/.gnupg/private-keys-v1.d/*.key
contains a (comment) sublist or a (uri) sublist, and it is associated
with an OpenPGP certificate, then "gpg --export-secret-key" fails with
"Bad secret key".

This happens because the code to translate from the S-expression to an
OpenPGP certificate is too brittle, assuming that a (private-key) list
can only have one sublist, which is the list for the private key itself.

The attached patch fixes the problem by ignoring all sublists after the
first in a (private-key) list.


From 29adca88f5f6425f5311c27bb839718a4956ec3a Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <>
Date: Mon, 13 May 2019 21:22:38 -0400
Subject: [PATCH] gpg: enable OpenPGP export of cleartext keys with comments

* g10/export.c (cleartext_secret_key_to_openpgp): ignore trailing
sublists in private-key S-expression.


When gpg-agent learns about a private key from its ssh-agent
interface, it stores its S-expression with the comment attached.  The
export mechanism for OpenPGP keys already in cleartext was too brittle
because it would choke on these comments.  This change lets it ignore
any additional trailing sublists.

Signed-off-by: Daniel Kahn Gillmor <>
Gnupg-Bug-Id: 4490
 g10/export.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/g10/export.c b/g10/export.c
index 4f6c9137e..b12da9cdb 100644
--- a/g10/export.c
+++ b/g10/export.c
@@ -596,7 +596,10 @@ cleartext_secret_key_to_openpgp (gcry_sexp_t s_key, PKT_public_key *pk)
   top_list = gcry_sexp_find_token (s_key, "private-key", 0);
   if (!top_list)
     goto bad_seckey;
-  if (gcry_sexp_length(top_list) != 2)
+  /* ignore all S-expression after the first sublist -- we assume that
+     they are comments or otherwise irrelevant to OpenPGP */
+  if (gcry_sexp_length(top_list) < 2)
     goto bad_seckey;
   key = gcry_sexp_nth (top_list, 1);
   if (!key)

Attachment: signature.asc
Description: PGP signature

Reply via email to