romanz/trezor-agent

gpg addkey hangs for 2 days

erjoalgo opened this issue · 4 comments

I am trying to generate a signing sub-key derived from my ledger ultimate key. When I follow the below process, with GNUPGHOME set to /home/ealfonso/.gnupg/ledger, and after approving the requested actions on my ledger device, the addkey command hangs for days:

█[my-hostname][0]$ gpg --edit-key user@example.com
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  nistp256/A8C9AFCC2934EC60
    created: 1970-01-01  expires: never       usage: SC  
    trust: ultimate      validity: ultimate
ssb  nistp256/94CCE018F5F158FE
    created: 1970-01-01  expires: never       usage: E   
[ultimate] (1). MY-FIRST-NAME MY-LAST-NAME <user@example.com>

gpg> addkey
Please select what kind of key you want:
  (3) DSA (sign only)
  (4) RSA (sign only)
  (5) Elgamal (encrypt only)
  (6) RSA (encrypt only)
 (14) Existing key from card
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
        0 = key does not expire
     <n>  = key expires in n days
     <n>w = key expires in n weeks
     <n>m = key expires in n months
     <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Thu 19 Sep 2024 05:42:16 PM EDT
Is this correct? (y/N) y
Really create? (y/N) y
^[[A^[[A 

Checking the strace of the gpg and ledger-agent processes, this is what I find:

█[my-hostname][0]$ pgrep -af gpg 
195494 /usr/bin/python3 /home/USER/.local/bin/ledger-gpg-agent -vv --pin-entry-binary=pinentry --passphrase-entry-binary=pinentry --cache-expiry-seconds=inf --homedir /home/USER/.gnupg/ledger --use-standard-socket --daemon
195661 gpg --edit-key user@example.com
█[my-hostname][0]$ strace -a 195661
strace: must have PROG [ARGS] or -p PID
Try 'strace -h' for more information.
█[my-hostname][1]$ sudo strace -p 195661
strace: Process 195661 attached
read(4, ^Cstrace: Process 195661 detached
 <detached ...>

█[my-hostname][130]$ sudo strace -p 195494
strace: Process 195494 attached
recvfrom(5, ^Cstrace: Process 195494 detached
 <detached ...>

So the ledger agent process appears to be stuck on a read. Connecting my ledger device again and starting the SSH PGP Agent app appears to have no effect.

Is this the correct way to add a signing subkey or am I doing something wrong?

I saw the --subkey flag but this appears to be useful for initializing a ledger-based subkey from an existing non-ledger ultimate key, which doesn't seem to be what I want.

romanz commented

It seems that you are trying to add an RSA key, which is not supported by this project.
You can use https://github.com/romanz/trezor-agent/blob/master/doc/README-GPG.md#generate-gnupg-subkeys to add a new Ledger-based subkey to an existing non-Ledger identity.

What I would like to do is create a new subkey to a ledger-based ultimate key. The subkey can be DSA or RSA, and it can be ledger-based or not (preferably not).

I tried adding a DSA subkey but again the process appears to hang:

█[my-hostname][~][0]$ gpg --edit-key user@example.com
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  nistp256/A8C9AFCC2934EC60
     created: 1970-01-01  expires: never       usage: SC  
     trust: ultimate      validity: ultimate
ssb  nistp256/94CCE018F5F158FE
     created: 1970-01-01  expires: never       usage: E   
[ultimate] (1). MY-FIRST-NAME MY-LAST-NAME <user@example.com>

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
  (14) Existing key from card
Your selection? 3
DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048) 3072
Requested keysize is 3072 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Wed 25 Sep 2024 04:41:22 PM EDT
Is this correct? (y/N) y
Really create? (y/N) y

Is it possible to add subkeys to a ledger-based ultimate key?

doolio commented

> Is it possible to add subkeys to a ledger-based ultimate key?

Not currently, see #378.

Thanks for the pointer to the detailed explanation.
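As an added example (not code from this thread or from the trezor-agent project): a preflight check that reads a `gpg --list-secret-keys --with-colons` listing and flags `addkey` menu selections that would ask a hardware-backed agent to generate RSA/DSA/Elgamal material, which is the situation that hung above. It assumes the agent can only serve keys on the curves it derives (nistp256, ed25519, cv25519) and uses "primary key on one of those curves" as a stand-in for "primary key held by the hardware agent"; the listing and key ids are constructed to mirror the issue.

```python
"""Preflight check for `gpg> addkey` against a hardware-backed primary key."""

# Constructed, simplified `gpg --list-secret-keys --with-colons` output that
# mirrors the key in this issue. Only fields 1 (record type), 4 (algorithm
# number), 5 (key id) and 17 (curve name) are used, i.e. indices 0, 3, 4, 16.
SAMPLE_LISTING = """\
sec:u:256:19:A8C9AFCC2934EC60:0:::u:::scSC:::+::nistp256:::0:
uid:u::::0::::MY-FIRST-NAME MY-LAST-NAME <user@example.com>::::::::::0:
ssb:u:256:18:94CCE018F5F158FE:0::::::e:::+::nistp256:::0:
"""

# OpenPGP public-key algorithm ids (RFC 4880 section 9.1 plus the ECC ids).
ALGO_NAMES = {1: "RSA", 16: "Elgamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

# Assumption: a trezor-agent style agent can only derive keys on these curves;
# it has no way to generate RSA, DSA or Elgamal material, so a GENKEY request
# for those algorithms never completes (gpg blocks on read(), agent on recv).
AGENT_CURVES = {"nistp256", "ed25519", "cv25519"}

# addkey menu entries as printed by gpg 2.2 in the issue -> algorithm requested.
ADDKEY_MENU = {3: "DSA", 4: "RSA", 5: "Elgamal", 6: "RSA", 14: "card"}


def parse_secret_keys(listing):
    """Return [(record, algo_name, keyid, curve)] for each sec/ssb record."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb"):
            continue
        curve = f[16] if len(f) > 16 else ""
        keys.append((f[0], ALGO_NAMES.get(int(f[3]), "unknown"), f[4], curve))
    return keys


def addkey_preflight(selection, listing, agent_curves=AGENT_CURVES):
    """Return (ok, reason); ok is False when the selection would make the
    hardware agent generate key material it cannot produce."""
    keys = parse_secret_keys(listing)
    primary = next(k for k in keys if k[0] == "sec")
    requested = ADDKEY_MENU.get(selection)
    if requested is None:
        return False, f"unknown addkey selection {selection}"
    if requested == "card":
        return True, "references an existing card key; no key generation requested"
    if primary[3] in agent_curves:
        # the agent holding the primary key is the one gpg asks to GENKEY
        return False, (f"primary {primary[2]} is {primary[1]}/{primary[3]} on the "
                       f"hardware agent, which cannot generate {requested}")
    return True, f"software primary key; gpg-agent can generate {requested}"
```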