This might be related to #5
I found that I was getting the "Error: No useable private keys found" error and dug into the source and debugged and found what I believe is the issue. I have a key that has no expiration date.
In gpg.go:IsUseable, the following code would fail on the Before(time.Now()) check:

    if !k.ExpirationDate.IsZero() && k.ExpirationDate.Before(time.Now()) {
        return false
    }

I changed this to the following and it works fine:

    if !k.ExpirationDate.IsZero() {
        if k.ExpirationDate.Before(time.Now()) {
            return false
        }
    }

I would have thought short-circuit eval would have come into effect here? I'm on Go 1.6.
Hmm. I just created and then edited a key to have no expiration date. So far it works for me, without any issues whatsoever. Maybe a few more details on how to reproduce this would be helpful, thanks!
Hello,
I stumbled upon this bug too.
After some tests, I believe the issue is on the key validity [1] [2].
Here is an asciinema record to show some valid and invalid trust/validity: https://asciinema.org/a/5g77rduux3c9tc801potfc54k?autoplay=1&speed=7
TLDR :
I haven't tried all possible trust/validity combinations because it requires a complex scenario with multiple signing identities.
Hope this helps anyway.
To the best of my understanding, we are correctly handling trust/validity of keys.
For GPG to accept a recipient's public key it must at least have marginal validity. If you import a secret key it has no validity. See 1 and 2.
I've tried to reproduce the issue using your (very cool!) screencast, but using an exported/imported secret key with ultimate/unknown worked perfectly well.
Yes, this may just be a documentation issue.
How did you manage to get ultimate/unknown?
Every time I ultimately trusted a key, validity was automatically set to ultimate too...
Using a script to automate a relevant web of trust with all possible validity values, I have confirmed that gopass init will show you the keys with ultimate, full or marginal validity and NOT those with unknown or undefined validity.
Validity is computed based on a combination of signing trust, signing distance and signing count, while trust is manually set by the keyring owner.
The only trust value that will automatically update the validity of itself is ultimate.
So if you have imported your key _(from keybase for example)_ then you must edit the trust value so the validity can be computed accordingly.
Also note the following:
- (gpg --gen-key) will always have an ultimate validity, because the trust value is automatically set to ultimate
- (gpg --import) will almost every time have an unknown validity, because the trust value is unknown. If the key is yours, it must be edited (gpg --edit-key [email protected] trust quit), if it's not yours but you want the system to consider it valid, it must be signed (gpg --edit-key [email protected] lsign quit)

There is NO issue here.
Just trust your imported key so it is considered valid.
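
The validity rule described in the comments above, combined with the expiration check from the opening post, as an added example that is not part of the thread and not gopass's own code. `Key`, `ParseColons` and the sample listing are constructed for illustration; the field positions and validity letters are those of GnuPG's `--with-colons` output.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Key holds the fields of one pub/sec record that decide usability (hypothetical type).
type Key struct {
	ID, Validity string    // Validity is field 2: u, f, m, -, q, n, e, r, ...
	Expiration   time.Time // zero value means the key never expires
}

// ParseColons reads `gpg --with-colons` listing text, one Key per pub/sec record.
func ParseColons(listing string) []Key {
	var keys []Key
	for _, line := range strings.Split(listing, "\n") {
		f := strings.Split(strings.TrimSpace(line), ":")
		if len(f) < 7 || (f[0] != "sec" && f[0] != "pub") {
			continue
		}
		k := Key{ID: f[4], Validity: f[1]}
		// Field 7 is the expiration in epoch seconds; empty means no expiration.
		if secs, err := strconv.ParseInt(f[6], 10, 64); err == nil {
			k.Expiration = time.Unix(secs, 0)
		}
		keys = append(keys, k)
	}
	return keys
}

// IsUseable: not expired at now, and validity is marginal, full or ultimate.
func (k Key) IsUseable(now time.Time) bool {
	if !k.Expiration.IsZero() && k.Expiration.Before(now) {
		return false // && short-circuits, so a key without expiry never gets here
	}
	return k.Validity == "m" || k.Validity == "f" || k.Validity == "u"
}

// Constructed listing: trusted key without expiry, imported untrusted key, expired key.
const sample = `sec:u:4096:1:AAAAAAAAAAAAAAA1:1480000000:::u:::scESC:
sec:-:4096:1:BBBBBBBBBBBBBBB2:1480000000:::-:::scESC:
sec:u:4096:1:CCCCCCCCCCCCCCC3:1400000000:1450000000::u:::scESC:`

func main() {
	for _, k := range ParseColons(sample) {
		fmt.Println(k.ID, k.Validity, k.IsUseable(time.Now()))
	}
}
```
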
Great summary, thank you!
Sorry for taking so long to reply, I've only just found a chance to try again. I couldn't get it working by generating a key with the defaults. However, I modified the key with gpg --edit-key as per @frntn's screencast and it's now working perfectly. Thanks for your time.
Awesome, thanks for sharing your solution.