Update GPG1 Key Email Address, Add UID, Secret Key

Summary

This post was made possible by work that was shared at Coderwall by Andrew Wong. Thanks Andrew!

So I'm working today on building a Debian format (.deb) package for the SCST Linux SAN from the SCST svn source code. I ran into an issue where I need to update my signing key so that I can sign the package. To do that, I had to have a GPG key. I already have my old one and only original GPG key, which I used to use somewhat frequently when I was posting bugs and accessing things that required a GPG key, but I haven't been doing that for a while, so I was a bit rusty on this topic. I did find my key, though, in Ubuntu cyberspace where keys are found happily.

However, the email address was old and wrong and gone and inaccessible (an old work email address at a place I thought I would stay at forever *sigh*), so, being a sort of medium-to-high perfectionist stickler type person, I had to see about updating the email address.

One quirk that can arise is if you are using an old trusty key from gpg1 days in a gpg2 world and you stubbornly refuse to just create a new key. In that case, on a new server you want to download the public key and then import the private key from wherever you kept it into the keyring on the new server. If the private key was created in gpg1 this adds some quirky additional steps as described below. Thanks to Jaza in Sydney who raised this issue and pointed the way to installing gpg1.

I don't know if using gpg1 to do operations requiring the secret key is the best way to address this, but so far, it's the only way I know. I haven't tried signing a package yet with a key updated this way, so I'll provide an update once I've tried that to see if it works.

Request GPG Key from Keyserver

I requested the key from the keyserver as shown below. Note that here there is some extra messaging because I am doing this after the fact for the purpose of this blog and this key is already on my local machine. Still, requesting it again does no harm. Note also that the key now provides some information on the updating of the email address that we are presently discussing.

Update 2017-07-09

If you are resurrecting an old gpg key created when gpg1 was in use (these days gpg2 is in use) you will want to do some extra steps here because otherwise your secret key will not import correctly.

Install gpg1

Install gpg1 as shown below.

ubuntu@skynet3:~/Downloads$ sudo apt-get install gnupg1
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  gnupg1-curl gnupg1-l10n libusb-0.1-4
Suggested packages:
  parcimonie
The following NEW packages will be installed:
  gnupg1 gnupg1-curl gnupg1-l10n libusb-0.1-4
0 upgraded, 4 newly installed, 0 to remove and 4 not upgraded.
Need to get 1,172 kB of archives.
After this operation, 5,319 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://us.archive.ubuntu.com/ubuntu zesty/main amd64 libusb-0.1-4 amd64 2:0.1.12-30 [17.2 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu zesty/universe amd64 gnupg1 amd64 1.4.21-2ubuntu1 [632 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu zesty/universe amd64 gnupg1-curl amd64 1.4.21-2ubuntu1 [18.6 kB]
Get:4 http://us.archive.ubuntu.com/ubuntu zesty/universe amd64 gnupg1-l10n all 1.4.21-2ubuntu1 [504 kB]
Fetched 1,172 kB in 0s (1,601 kB/s)
Selecting previously unselected package libusb-0.1-4:amd64.
(Reading database ... 217397 files and directories currently installed.)
Preparing to unpack .../libusb-0.1-4_2%3a0.1.12-30_amd64.deb ...
Unpacking libusb-0.1-4:amd64 (2:0.1.12-30) ...
Selecting previously unselected package gnupg1.
Preparing to unpack .../gnupg1_1.4.21-2ubuntu1_amd64.deb ...
Unpacking gnupg1 (1.4.21-2ubuntu1) ...
Selecting previously unselected package gnupg1-curl.
Preparing to unpack .../gnupg1-curl_1.4.21-2ubuntu1_amd64.deb ...
Adding 'diversion of /usr/lib/gnupg1/gpgkeys_curl to /usr/lib/gnupg1/gpgkeys_curl.non_curl by gnupg1-curl'
Adding 'diversion of /usr/lib/gnupg1/gpgkeys_hkp to /usr/lib/gnupg1/gpgkeys_hkp.non_curl by gnupg1-curl'
Unpacking gnupg1-curl (1.4.21-2ubuntu1) ...
Selecting previously unselected package gnupg1-l10n.
Preparing to unpack .../gnupg1-l10n_1.4.21-2ubuntu1_all.deb ...
Unpacking gnupg1-l10n (1.4.21-2ubuntu1) ...
Processing triggers for install-info (6.3.0.dfsg.1-1) ...
Setting up gnupg1-l10n (1.4.21-2ubuntu1) ...
Processing triggers for libc-bin (2.24-9ubuntu2.2) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up libusb-0.1-4:amd64 (2:0.1.12-30) ...
Setting up gnupg1 (1.4.21-2ubuntu1) ...
Setting up gnupg1-curl (1.4.21-2ubuntu1) ...
Processing triggers for libc-bin (2.24-9ubuntu2.2) ...
ubuntu@skynet3:~/Downloads$

Verify Both gpg1 and gpg2 Installed

Verify that both gpg1 and gpg2 are installed.

ubuntu@skynet3:~/Downloads$ gpg1 --version
gpg (GnuPG) 1.4.21
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
ubuntu@skynet3:~/Downloads$ gpg2 --version
gpg (GnuPG) 2.1.15
libgcrypt 1.7.6-beta
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/ubuntu/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
ubuntu@skynet3:~/Downloads$

Note that if you type gpg at the command line, you will be defaulting to gpg2 as shown below.

ubuntu@skynet3:~/Downloads$ gpg --version
gpg (GnuPG) 2.1.15
libgcrypt 1.7.6-beta
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/ubuntu/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
ubuntu@skynet3:~/Downloads$

Download the Key

I used gpg to download the key, but you can probably use gpg, gpg1 or gpg2 for this step. I used 'gpg' (which in this case means gpg2 was used) and it worked fine as shown below.

ubuntu@skynet3:~/Downloads$ gpg --keyserver hkp://keyserver.ubuntu.com --search-key 'new-email@domain1.com'
gpg: searching for "new-email@domain1.com" from hkp server keyserver.ubuntu.com
(1) Gilbert Standen (Updates email) <new-email@domain1.com>
    Gilbert Standen (AO722 Netbook) <old-email@domain2.net>
      2048 bit RSA key D0XX1234, created: 2012-07-07
Keys 1-1 of 1 for "new-email@domain1.com". Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key D0XX1234 from hkp server keyserver.ubuntu.com
gpg: key D0XX1234: "Gilbert Standen (Updates email) <new-email@domain1.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
ubuntu@skynet3:~/Downloads$

Get Private GPG Key

The private GPG key will be needed for the next step of adding a UID to the key ("adduid") and revoking a UID from the key ("revuid"). The fact is you can't "download" the private key from anywhere (unless you stashed it away somewhere in the cloud or on a USB key that you have), as I discovered. However, I noticed that my key above is referenced in the comments as "(A0722 Netbook)", which just happened to be in my possession due to at least a couple of small miracles:

(1) I've never reimaged that Netbook since first imaging it with Ubuntu 12.04.1 LTS (and it's the only device in my possession that hasn't been reimaged multiple times!!)

(2) I actually knew where it was because for the first time in years I completely redesigned my office and took inventory of everything and actually knew where A0722 was!

(3) Asus Netbook A0722 actually still had its power cord WITH it and actually STARTED UP with no issues.

And, so, voila, I was able to get the secret key from this probably-never-been-started-for-about-5-years device and scp it over my network to the machine I was working on at the time. Note, you typically would not want to "email" your private key over public networks no matter how secure they are claimed to be lately.

The private GPG key is exported from the keyring into a file (which is what I did on A0722) as shown below. You might already have it stashed somewhere, in which case you would just need to get the file from that source. A successful export just returns a prompt. Then scp the key or use a USB drive to transfer it to the machine where it is needed.

!! Note !!

1. You'll also need to know your ORIGINAL passphrase for your private key, or else you won't be able to perform the operations to modify the UID in the GPG key.

2. Also, if your secret key was created a while back in the gpg1 era, then you will probably need to use gpg1 to import the private key. I found that it was difficult and almost impossible to import a gpg1 secret key using gpg2 (although I got it to work once, no idea how, after a bunch of steps that I don't recall).

The take home recommendation is: use gpg1 to import a secret key that was created with gpg1.

If you don't have the passphrase, or can't manage to guess or retrieve it from deep storage, then I believe afaik you're SOL. Here in the command below my secret key is on an old machine running Ubuntu 12.04 and thus was created with gpg1. So on the destination machine, you will want to install gpg1 as described earlier in this blog, which will be used to import the secret key.

gstanden@LW1204-A0722:~$ gpg --export-secret-keys D0XX1234 > secret.asc
gstanden@LW1204-A0722:~$

Add Private Key

Add the private key as shown below. I updated this to show using "sudo" for the private key import. I found that it did not work without use of 'sudo'.

Note: I had some issues getting the secret key to be recognized (i.e. import of secret.asc was successful, but when I went in with gpg --edit-key it did not have it recognized and would block any action that required the secret key). I found that to fix this I had to run the following commands (I'm not sure if all of these are necessary or even correct, but they did result in the secret key being fully recognized when running gpg --edit-key):

And here's the step to import the secret key file (it can have any name; here it is called secret.asc).

Again, NOTE that if you originally created the secret key with gpg1, you will use gpg1 to import it here as shown below.

ubuntu@skynet3:~/Downloads$ sudo gpg --import secret.asc
(use sudo gpg1 instead if you created your secret key with gpg1 originally)!
gpg: key D0XX1234: secret key imported
gpg: key D0XX1234: "Gilbert Standen (Updates email) <new-email@domain1.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
ubuntu@skynet3:~/Downloads$

Add New UID to GPG Key

Add the new UID to the GPG key. I learned how to do this from this link here at Coderwall (post by Andrew Wong). Here are my steps. My procedure differed slightly in that after I changed the TRUST level to 5 on the new UID with the correct email address, I saved that first before continuing to revoke TRUST on the old UID. I did that because the TRUST displayed did not update until I first saved that step and then went back into GPG and I wanted to be sure the new key had been updated to ULTIMATE TRUST first before proceeding to revoke the TRUST from the old UID #1.

Add New Trusted UID to GPG Key

Add the new UID to the GPG key as shown below.

NOTE: If you created the key originally with gpg1 then you have to use gpg1 to do the edit key step, otherwise you won't have access to the secret key in gpg2 as shown below.

ubuntu@skynet3:~/Downloads$ gpg1 --edit-key D0XX1234
gpg (GnuPG) 1.4.21; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available. <-- Secret key is available when using gpg1

pub 2048R/D0XX1234 created: 2012-07-07 expires: never usage: SC
                            trust: unknown validity: ultimate
sub 2048R/81F65996 created: 2012-07-07 expires: never usage: E
[ultimate] (1). Gilbert Standen (Updates email) <new-email@domain1.com>
[ revoked] (2) Gilbert Standen (AO722 Netbook) <old-email@domain2.com>

gpg> adduid
Real name: <-- gpg1 allows operations that require the secret key

ubuntu@skynet3:~/Downloads$ gpg --edit-key D0XX1234 <-- Here 'gpg' means we are actually using 'gpg2'.
gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

(no secret key) <-- Secret key is NOT available when using gpg2

pub rsa2048/45ADC11BD0XX1234
    created: 2012-07-07 expires: never usage: SC
    trust: unknown validity: ultimate
sub rsa2048/5423603C81F65996
    created: 2012-07-07 expires: never usage: E
[ultimate] (1). Gilbert Standen (Updates email) <new-email@domain1.com>
[ revoked] (2) Gilbert Standen (AO722 Netbook) <old-email@domain2.com>

gpg> adduid
Need the secret key to do this. <-- gpg2 does NOT allow operations that require the secret key
gpg> quit
ubuntu@skynet3:~/Downloads$ gpg --edit-key D0XX1234

So use gpg1 to edit the key as shown below and do whatever ops are needed.

ubuntu@skynet3:~/Downloads$ gpg1/gpg2 --edit-key D0XX1234
gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub 2048R/D0XX1234 created: 2012-07-07 expires: never usage: SC
                            trust: ultimate validity: ultimate
sub 2048R/xxxxxxxx created: 2012-07-07 expires: never usage: E
[ultimate] (1). Gilbert Standen (AO722 Netbook) <old-email@domain2.com>

gpg> adduid
Real name: Gilbert Standen
Email address: new-email@domain1.com
Comment: Updates email
You selected this USER-ID:
    "Gilbert Standen (Updates email) <new-email@domain1.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

You need a passphrase to unlock the secret key for
user: "Gilbert Standen (AO722 Netbook) <old-email@domain2.com>"
2048-bit RSA key, ID D0XX1234, created 2012-07-07

pub 2048R/D0XX1234 created: 2012-07-07 expires: never usage: SC
                            trust: ultimate validity: ultimate
sub 2048R/xxxxxxxx created: 2012-07-07 expires: never usage: E
[ultimate] (1) Gilbert Standen (AO722 Netbook) <old-email@domain2.com>
[ unknown] (2). Gilbert Standen (Updates email) <new-email@domain1.com>

gpg> uid 2

pub 2048R/D0XX1234 created: 2012-07-07 expires: never usage: SC
                            trust: ultimate validity: ultimate
sub 2048R/xxxxxxxx created: 2012-07-07 expires: never usage: E
[ultimate] (1) Gilbert Standen (AO722 Netbook) <old-email@domain2.com>
[ unknown] (2)* Gilbert Standen (Updates email) <new-email@domain1.com>

gpg> trust

pub 2048R/D0XX1234 created: 2012-07-07 expires: never usage: SC
                            trust: full validity: ultimate
sub 2048R/xxxxxxxx created: 2012-07-07 expires: never usage: E
[ultimate] (1) Gilbert Standen (AO722 Netbook) <old-email@domain2.com>
[ unknown] (2)* Gilbert Standen (Updates email) <new-email@domain1.com>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub 2048R/D0XX1234 created: 2012-07-07 expires: never usage: SC
                            trust: ultimate validity: ultimate
sub 2048R/xxxxxxxx created: 2012-07-07 expires: never usage: E
[ultimate] (1) Gilbert Standen (AO722 Netbook) <old-email@domain2.com>
[ unknown] (2)* Gilbert Standen (Updates email) <new-email@domain1.com>

gpg> save
ubuntu@skynet3:~/Downloads$

Verify New UID and Revoke Old UID

Verify the new UID in the GPG key as shown below. Ensure that the UID now has ULTIMATE trust level 5 as shown below.

ubuntu@skynet3:~/Downloads$ gpg1/gpg2 --edit-key D0XX1234
gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub 2048R/D0XX1234 created: 2012-07-07 expires: never usage: SC
                            trust: ultimate validity: ultimate
sub 2048R/xxxxxxxx created: 2012-07-07 expires: never usage: E
[ultimate] (1). Gilbert Standen (Updates email) <new-email@domain1.com>
[ultimate] (2) Gilbert Standen (AO722 Netbook) <old-email@domain2.com>

gpg> uid 2

pub 2048R/D0XX1234 created: 2012-07-07 expires: never usage: SC
                            trust: ultimate validity: ultimate
sub 2048R/xxxxxxxx created: 2012-07-07 expires: never usage: E
[ultimate] (1). Gilbert Standen (Updates email) <new-email@domain1.com>
[ultimate] (2)* Gilbert Standen (AO722 Netbook) <old-email@domain2.com>

gpg> revuid
Really revoke this user ID? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  4 = User ID is no longer valid
  Q = Cancel
(Probably you want to select 4 here)
Your decision? 4
Enter an optional description; end it with an empty line:
> Invalid email
>
Reason for revocation: User ID is no longer valid
Invalid email
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "Gilbert Standen (Updates email) <new-email@domain1.com>"
2048-bit RSA key, ID D0XX1234, created 2012-07-07

pub 2048R/D0XX1234 created: 2012-07-07 expires: never usage: SC
                            trust: ultimate validity: ultimate
sub 2048R/xxxxxxxx created: 2012-07-07 expires: never usage: E
[ultimate] (1). Gilbert Standen (Updates email) <new-email@domain1.com>
[ revoked] (2) Gilbert Standen (AO722 Netbook) <old-email@domain2.com>

gpg> quit
Save changes? (y/N) y
ubuntu@skynet3:~/Downloads$

Verify GPG Key Changes Complete

Verify that the GPG key changes are complete as shown below.

ubuntu@skynet3:~/Downloads$ gpg1/gpg2 --edit-key D0XX1234
gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 2048R/D0XX1234 created: 2012-07-07 expires: never usage: SC
                            trust: ultimate validity: ultimate
sub 2048R/xxxxxxxx created: 2012-07-07 expires: never usage: E
[ultimate] (1). Gilbert Standen (Updates email) <new-email@domain1.com>
[ revoked] (2) Gilbert Standen (AO722 Netbook) <old-email@domain2.com>
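The interactive --edit-key listing above is meant for humans; for a scripted check before pushing the key to the keyserver, the same end state (new UID ultimately valid, old UID revoked) can be read from GnuPG's machine-readable --with-colons output. The Python below is an added example, not code from the original post: it parses that format per GnuPG's doc/DETAILS field layout, and the SAMPLE_LISTING is constructed here to mirror the post's key (the UID hashes and epoch dates are placeholders).

```python
"""Check a GnuPG key's user IDs from `--with-colons` listing output.

Added example, not code from the original post: after the adduid / revuid
steps and before --send-keys, confirm that the new UID is valid and the
old UID is revoked by parsing `gpg --list-keys --with-colons <keyid>`.
"""
import subprocess
from typing import Dict, List

# 0-based field positions in --with-colons records (GnuPG doc/DETAILS).
VALIDITY, KEYID, USERID = 1, 4, 9

# Constructed sample: the post's key after the edit-key session was saved.
# Validity 'u' = ultimate, 'r' = revoked; dates are epoch seconds (gpg2 style).
SAMPLE_LISTING = """\
tru::1:1499600000:0:3:1:5
pub:u:2048:1:45ADC11BD0XX1234:1341619200:::u:::scSC::::::::
uid:u::::1499600000::HASH1::Gilbert Standen (Updates email) <new-email@domain1.com>::::::::::0:
uid:r::::1341619200::HASH2::Gilbert Standen (AO722 Netbook) <old-email@domain2.com>::::::::::0:
sub:u:2048:1:5423603C81F65996:1341619200::::::e::::::23:
"""


def parse_uids(listing: str, keyid: str) -> List[Dict[str, str]]:
    """Return (userid, validity) for every UID under the key matching *keyid*.
    A short ID such as D0XX1234 is matched as a suffix of the long key ID,
    which is how GnuPG itself resolves short IDs."""
    uids, in_key = [], False
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sec"):
            # A new primary key starts; only collect UIDs of the one we want.
            in_key = fields[KEYID].upper().endswith(keyid.upper())
        elif fields[0] == "uid" and in_key:
            uids.append({"userid": fields[USERID], "validity": fields[VALIDITY]})
    return uids


def check_uid_update(listing: str, keyid: str,
                     new_email: str, old_email: str) -> Dict[str, bool]:
    """Evaluate the post's end state: new UID ultimately valid, old UID revoked."""
    validity_by_email = {}
    for uid in parse_uids(listing, keyid):
        # The address is the part of the user ID inside the angle brackets.
        email = uid["userid"].rsplit("<", 1)[-1].rstrip(">")
        validity_by_email[email] = uid["validity"]
    return {
        "new_uid_present": new_email in validity_by_email,
        "new_uid_ultimate": validity_by_email.get(new_email) == "u",
        "old_uid_revoked": validity_by_email.get(old_email) == "r",
    }


def check_live_key(keyid: str, new_email: str, old_email: str,
                   gpg: str = "gpg") -> Dict[str, bool]:
    """Run the real listing (pass gpg="gpg1" for a gpg1 keyring) and check it."""
    proc = subprocess.run([gpg, "--list-keys", "--with-colons", keyid],
                          capture_output=True, text=True, check=True)
    return check_uid_update(proc.stdout, keyid, new_email, old_email)
```

Only upload with --send-keys once all three flags come back True; a False on old_uid_revoked means the revuid step was not saved.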

Upload Updated GPG Key to Keyserver

Upload the updated GPG key to the keyserver as shown below.

ubuntu@skynet3:~/Downloads$ gpg --keyserver hkp://keyserver.ubuntu.com --send-keys D0XX1234
gpg: sending key D0XX1234 to hkp server keyserver.ubuntu.com
ubuntu@skynet3:~/Downloads$