Re: Changing the email address of a key
That worked.
Thanks a lot!

Rgds
Richard

On Thu, 2012-08-30 at 10:48 +0200, Peter Lebbing wrote:
> On 30/08/12 10:25, Richi Lists wrote:
> > Using the primary key was what I tried first. But when I saw the error
> > message "signing failed", I thought I'd have to force the proper
> > signing subkey, like I have to do for signing emails.
> >
> > My setup is more or less the following:
> > http://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups
> > with the addition of a sub key for ssh authentication:
> > http://www.programmierecke.net/howto/gpg-ssh.html - section with
> > smartcard (openpgp)
>
> The thing is that for a new UID, you need the, what they call, master
> key. That would be the primary key. So when you followed the
> instructions under the heading "Remove the master key from the
> keyring", you were after that unable to use your master/primary key to
> create a new UID.
>
> So you go back a little in the document to the part where you had your
> USB stick with the primary key and all subkeys guarded by Orcs or some
> other fearsome creature. Plead with the creature to have your USB stick
> back, once again follow the section "Go offline", import your primary
> key from the USB stick (wipe away the Orc spittle before inserting;
> ignore the chew marks on the protective cap).
>
> After you have created the new UID with the primary key and exported
> the whole to the USB stick, re-remove the primary key from the system.
>
> Oh, by the way, the reason you need the exclamation mark to specify
> which key to use to sign is because you have two signing keys.
> Apparently GnuPG tries it with the one you don't have the secret part
> for if you don't give the exclamation mark. But bear in mind the
> difference between a signature on a key(/UID) and on data. The signing
> subkey is for signatures on data.
>
> Good luck,
>
> Peter.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Changing the email address of a key
Using the primary key was what I tried first. But when I saw the error
message "signing failed", I thought I'd have to force the proper signing
subkey, like I have to do for signing emails.

My setup is more or less the following:
http://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups
with the addition of a sub key for ssh authentication:
http://www.programmierecke.net/howto/gpg-ssh.html - section with
smartcard (openpgp)

Rgds
Richard

$ gpg --edit-key 0AE275A9
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  2048R/0AE275A9  created: 2012-08-07  expires: 2022-08-05  usage: SC
                     trust: ultimate      validity: ultimate
sub  2048R/8760DB3E  created: 2012-08-07  expires: never       usage: E
sub  2048R/E8401492  created: 2012-08-07  expires: never       usage: S
sub  2048R/5A097EF6  created: 2012-08-07  expires: never       usage: S
sub  2048R/EC980139  created: 2012-08-07  expires: 2022-08-05  usage: E
[ultimate] (1). Richard Ulrich (ulrichard) richi...@gmail.com

gpg> adduid
Real name: Richard Ulrich
Email address: ri...@paraeasy.ch
Comment: ulrichard
You selected this USER-ID:
    Richard Ulrich (ulrichard) ri...@paraeasy.ch

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg: secret key parts are not available
gpg: signing failed: general error

$ gpg --list-keys
/home/richi/.gnupg/pubring.gpg
------------------------------
pub   2048R/0AE275A9 2012-08-07 [expires: 2022-08-05]
uid                  Richard Ulrich (ulrichard) richi...@gmail.com
sub   2048R/8760DB3E 2012-08-07
sub   2048R/E8401492 2012-08-07
sub   2048R/5A097EF6 2012-08-07
sub   2048R/EC980139 2012-08-07 [expires: 2022-08-05]

$ gpg --card-status
Application ID ...: D276000124010205115F
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 115F
Name of cardholder: Richard Ulrich
Language prefs ...: de
Sex ..............: male
URL of public key : [not set]
Login data .......: [not set]
Private DO 1 .....: [not set]
Private DO 2 .....: [not set]
Private DO 3 .....: [not set]
Signature PIN ....: not forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 6
Signature key ....: 6555 FA9F AEEF 386C 50E2 7AE1 02EC 6014 E840 1492
      created ....: 2012-08-07 19:01:59
Encryption key....: 3A6C CF0A C29F 3DFC 60AF DCCE 31AA D811 8760 DB3E
      created ....: 2012-08-07 19:00:54
Authentication key: 2C12 F55B 69D3 088E BFD9 C010 BABF AE12 5A09 7EF6
      created ....: 2012-08-07 19:04:12
General key info..: pub 2048R/E8401492 2012-08-07 Richard Ulrich (ulrichard) richi...@gmail.com
sec#  2048R/0AE275A9  created: 2012-08-07  expires: 2022-08-05
ssb   2048R/8760DB3E  created: 2012-08-07  expires: never
                      card-no: 0005 115F
ssb   2048R/E8401492  created: 2012-08-07  expires: never
                      card-no: 0005 115F
ssb   2048R/5A097EF6  created: 2012-08-07  expires: never
                      card-no: 0005 115F

On Wed, 2012-08-29 at 14:11 +0200, Peter Lebbing wrote:
> On 29/08/12 13:53, Richi Lists wrote:
> > I can't get it to work whether I try it on the primary or the sub key
> > and whether I use gpg or gpg2.
> > [...]
> > $ gpg2 -v --edit-key E8401492!
> > [...]
> > gpg: using subkey E8401492 instead of primary key 0AE275A9
> > Secret key is available.
>
> Why are you forcing using the subkey? An UID is /always/ on the primary
> key, it makes no sense to make an UID on the subkey. I think. Simply
> losing the exclamation mark should fix it, or just specify
>
> $ gpg2 --edit-key 0AE275A9
>
> Also, apart from UIDs on subkeys making no sense, it would seem to me
> that an UID needs to be bound with a Certification-capable signing key,
> whereas your signing subkey E8401492 can only make signatures on data.
> That's probably why GnuPG says:
>
> gpg: signing failed: Unusable secret key
>
> Although it could also be that the secret part for that subkey is
> simply not available? I'm not sure whether the "Secret key is
> available" message I quoted above pertains to the primary key or the
> secret subkey you forced on the command line.
>
> If you still have problems after this explanation, please provide more
> data about your setup. You have two encryption subkeys, two data
> signature subkeys, and GnuPG complains that there are secret parts
> missing. It will be a lot easier to help you if you can explain what
> pieces of data are where :).
>
> Peter.
Re: Changing the email address of a key
On 30/08/12 10:25, Richi Lists wrote:
> Using the primary key was what I tried first. But when I saw the error
> message "signing failed", I thought I'd have to force the proper
> signing subkey, like I have to do for signing emails.
>
> My setup is more or less the following:
> http://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups
> with the addition of a sub key for ssh authentication:
> http://www.programmierecke.net/howto/gpg-ssh.html - section with
> smartcard (openpgp)

The thing is that for a new UID, you need the, what they call, master
key. That would be the primary key. So when you followed the instructions
under the heading "Remove the master key from the keyring", you were
after that unable to use your master/primary key to create a new UID.

So you go back a little in the document to the part where you had your
USB stick with the primary key and all subkeys guarded by Orcs or some
other fearsome creature. Plead with the creature to have your USB stick
back, once again follow the section "Go offline", import your primary key
from the USB stick (wipe away the Orc spittle before inserting; ignore
the chew marks on the protective cap).

After you have created the new UID with the primary key and exported the
whole to the USB stick, re-remove the primary key from the system.

Oh, by the way, the reason you need the exclamation mark to specify which
key to use to sign is because you have two signing keys. Apparently GnuPG
tries it with the one you don't have the secret part for if you don't
give the exclamation mark. But bear in mind the difference between a
signature on a key(/UID) and on data. The signing subkey is for
signatures on data.

Good luck,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
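An added example (not part of the thread and not GnuPG project code) of checking up front whether a UID edit can be signed on this machine: it reads `gpg --list-secret-keys --with-colons` output and flags a stub primary key, the state that the `sec#` line and the "secret key parts are not available" error in this thread indicate. The function name, verdict words and both sample listings are constructed for illustration; the field positions follow GnuPG's colon-listing format.

```shell
#!/bin/sh
# Added example, not from the thread. Colon-listing fields used:
#   1 = record type (sec = primary, ssb = subkey), 5 = key ID,
#   12 = capabilities (lowercase letters belong to this key itself),
#   15 = "#" for a secret-key stub, a serial number for a key held on a
#        card, "+" or empty when the secret key is in the local keyring.

# Reads a colon listing on stdin. Prints one verdict per key and returns
# non-zero if any primary key cannot sign a new UID on this machine.
uid_edit_check() {
    awk -F: '
        BEGIN { bad = 0 }
        $1 == "sec" {
            if ($15 == "#")                { verdict = "OFFLINE"; bad = 1 }
            else if (index($12, "c") == 0) { verdict = "NOCERT";  bad = 1 }
            else                           { verdict = "READY" }
            print $5 ": primary " verdict
        }
        $1 == "ssb" {
            if ($15 == "#")                   { where = "stub" }
            else if ($15 == "" || $15 == "+") { where = "local keyring" }
            else                              { where = "card " $15 }
            # UID self-signatures come from the primary key, so subkeys
            # are listed for context only.
            print $5 ": subkey [" $12 "] " where
        }
        END { exit bad }
    '
}

# Constructed sample: primary moved to offline storage, subkeys on a card.
sample_offline_primary() {
cat <<'EOF'
sec:u:2048:1:1111111111111111:1344358800:1659718800::u:::scESC:::#:::23::0:
ssb:u:2048:1:2222222222222222:1344358800::::::e:::D2760001240102000005000000010000:::23:
ssb:u:2048:1:3333333333333333:1344358800::::::s:::D2760001240102000005000000010000:::23:
EOF
}

# Constructed sample: the same key after the primary was imported again.
sample_primary_imported() {
cat <<'EOF'
sec:u:2048:1:1111111111111111:1344358800:1659718800::u:::scESC:::+:::23::0:
ssb:u:2048:1:2222222222222222:1344358800::::::e:::D2760001240102000005000000010000:::23:
EOF
}

sample_offline_primary | uid_edit_check || true
sample_primary_imported | uid_edit_check
```

On a real keyring the call is `gpg --list-secret-keys --with-colons | uid_edit_check`; an OFFLINE verdict means the primary key has to be imported from its backup before `adduid` or `revuid` can succeed.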
Re: Changing the email address of a key
On 28/08/12 21:54, Richi Lists wrote:
> Will this also write to the smart-card or are the changes only in the
> local keyring?

UIDs are not stored on the smartcard, so it does not matter.

> I'm a bit hesitant because the full disk encryption on my netbook works
> also with the same key, and I don't want to reinstall the whole thing.

Understandable. If I understand correctly, you used GnuPG to encrypt the
file that unlocks your netbook? In that case, the *uid commands should be
safe, because they do not influence decryption of files. To be on the
safe side, keep a copy of your key as it is now, and after you changed
the e-mail address, try to decrypt some file. If that works, it should
also decrypt the file that unlocks your netbook.

It is wise to keep a copy of your key as it is now around just in case,
anyway. If you do something wrong, you can take the backup and start
over.

Peter.
Re: Changing the email address of a key
I can't get it to work whether I try it on the primary or the sub key and
whether I use gpg or gpg2.

Rgds
Richard

$ gpg2 -v --edit-key E8401492!
gpg (GnuPG) 2.0.17; Copyright (C) 2011 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: using subkey E8401492 instead of primary key 0AE275A9
Secret key is available.

gpg: using PGP trust model
pub  2048R/0AE275A9  created: 2012-08-07  expires: 2022-08-05  usage: SC
                     trust: ultimate      validity: ultimate
sub  2048R/8760DB3E  created: 2012-08-07  expires: never       usage: E
sub  2048R/E8401492  created: 2012-08-07  expires: never       usage: S
sub  2048R/5A097EF6  created: 2012-08-07  expires: never       usage: S
sub  2048R/EC980139  created: 2012-08-07  expires: 2022-08-05  usage: E
[ultimate] (1). Richard Ulrich (ulrichard) richi...@gmail.com

gpg> adduid
Real name: Richard Ulrich
Email address: ri...@paraeasy.ch
Comment: ulrichard
You selected this USER-ID:
    Richard Ulrich (ulrichard) ri...@paraeasy.ch

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg: secret key parts are not available
gpg: signing failed: Unusable secret key

$ gpg2 -s -v -u E8401492! setup_my_system.sh
gpg: no secret subkey for public subkey EC980139 - ignoring
gpg: using subkey E8401492 instead of primary key 0AE275A9
gpg: writing to `setup_my_system.sh.gpg'
gpg: using subkey E8401492 instead of primary key 0AE275A9
gpg: RSA/SHA1 signature from: E8401492 Richard Ulrich (ulrichard) richi...@gmail.com

On Wed, 2012-08-29 at 08:49 +0200, Peter Lebbing wrote:
> On 28/08/12 21:54, Richi Lists wrote:
> > Will this also write to the smart-card or are the changes only in the
> > local keyring?
>
> UIDs are not stored on the smartcard, so it does not matter.
>
> > I'm a bit hesitant because the full disk encryption on my netbook
> > works also with the same key, and I don't want to reinstall the whole
> > thing.
>
> Understandable. If I understand correctly, you used GnuPG to encrypt
> the file that unlocks your netbook? In that case, the *uid commands
> should be safe, because they do not influence decryption of files. To
> be on the safe side, keep a copy of your key as it is now, and after
> you changed the e-mail address, try to decrypt some file. If that
> works, it should also decrypt the file that unlocks your netbook.
>
> It is wise to keep a copy of your key as it is now around just in case,
> anyway. If you do something wrong, you can take the backup and start
> over.
>
> Peter.
Re: Changing the email address of a key
On 29/08/12 13:53, Richi Lists wrote:
> I can't get it to work whether I try it on the primary or the sub key
> and whether I use gpg or gpg2.
> [...]
> $ gpg2 -v --edit-key E8401492!
> [...]
> gpg: using subkey E8401492 instead of primary key 0AE275A9
> Secret key is available.

Why are you forcing using the subkey? An UID is /always/ on the primary
key, it makes no sense to make an UID on the subkey. I think. Simply
losing the exclamation mark should fix it, or just specify

$ gpg2 --edit-key 0AE275A9

Also, apart from UIDs on subkeys making no sense, it would seem to me
that an UID needs to be bound with a Certification-capable signing key,
whereas your signing subkey E8401492 can only make signatures on data.
That's probably why GnuPG says:

gpg: signing failed: Unusable secret key

Although it could also be that the secret part for that subkey is simply
not available? I'm not sure whether the "Secret key is available" message
I quoted above pertains to the primary key or the secret subkey you
forced on the command line.

If you still have problems after this explanation, please provide more
data about your setup. You have two encryption subkeys, two data
signature subkeys, and GnuPG complains that there are secret parts
missing. It will be a lot easier to help you if you can explain what
pieces of data are where :).

Peter.
Re: Changing the email address of a key
On Mon, 27 Aug 2012 23:57, pa...@cs.hmc.edu said:

> You can add or delete the names and emails associated with a key using
> gpg --edit-key and the adduid and deluid commands, respectively.

You may use deluid only if you never published your public key. The
better choice is revuid. Thus if you have a new mail address, you use

  gpg --edit-key YOURKEYID
  addkey
  # Now follow the prompts
  # If you don't need the old mail address anymore, you may use
  uid N
  revuid
  # Where N is the number of the UID. The command will mark it in the
  # list. REVUID then creates a revocation for the user id.
  # Finally save your changes
  #
  save

and then send your key back to the keyservers (gpg --send-key YOURKEYID)

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Changing the email address of a key
On 28/08/12 10:37, Werner Koch wrote:
>   gpg --edit-key YOURKEYID
>   addkey
>   # Now follow the prompts

Surely, Werner meant adduid which adds a new e-mail address, and not
addkey which adds a new subkey.

HTH,

Peter.
Re: Changing the email address of a key
Hi,

27.08.2012 23:59, Richard Ulrich wrote:
> When I generated my new private key, I used one of my email addresses.
> This email address is stored both on the crypto stick (smart card) and
> in the secring.gpg or pubring.gpg, probably both. Now I would like to
> use that key with another email address. Is it possible to change the
> email address of a key, and how would I proceed to have it on the stick
> and in the gpg stub files?

I don't know about crypto sticks nor smart cards, but you cannot change
email address in key, nor remove it (or if you do, keyservers will still
contain the old uid).

You can use gpg --edit-key KEYID and then select the uid with correct
number and give command revuid, so the uid appears as revoked to people
who get your key.

--
Mika Suomalainen
Re: Changing the email address of a key
Will this also write to the smart-card or are the changes only in the
local keyring?
I'm a bit hesitant because the full disk encryption on my netbook works
also with the same key, and I don't want to reinstall the whole thing.

Rgds
Richard

On Tue, 2012-08-28 at 10:49 +0200, Peter Lebbing wrote:
> On 28/08/12 10:37, Werner Koch wrote:
> >   gpg --edit-key YOURKEYID
> >   addkey
> >   # Now follow the prompts
>
> Surely, Werner meant adduid which adds a new e-mail address, and not
> addkey which adds a new subkey.
>
> HTH,
>
> Peter.
Changing the email address of a key
When I generated my new private key, I used one of my email addresses.
This email address is stored both on the crypto stick (smart card) and in
the secring.gpg or pubring.gpg, probably both.
Now I would like to use that key with another email address.
Is it possible to change the email address of a key, and how would I
proceed to have it on the stick and in the gpg stub files?

Rgds
Richard
Re: Changing the email address of a key
On Mon, Aug 27, 2012 at 10:59:03PM +0200, Richard Ulrich wrote:
> Is it possible to change the email address of a key, and how would I
> proceed to have it on the stick and in the gpg stub files?

You can add or delete the names and emails associated with a key using
gpg --edit-key and the adduid and deluid commands, respectively.

pants.