#65 ✓released
Adam Prescott

`gpg --gen-key` with default settings produces incorrect SCEA/SEA usage keys with RSA schemes

Reported by Adam Prescott | July 25th, 2011 @ 08:48 PM | in 2.0.18 (closed)

The problem has been seen on a recent install of v2.0.17. To reproduce:

  1. Run `gpg --gen-key`.
  2. Continue with all default settings, notably choosing RSA and RSA at the first step.
  3. Get the ID of the newly created key with `gpg -k`.
  4. After the keypair has been made, run `gpg --edit-key <ID>` for the newly created key.

The usage will be listed as

pub 2048R/xxx usage: SCEA
sub 2048R/yyy usage: SEA

(some information removed here to highlight the point).

Running these steps on gpg 1.4.11 and 2.0.17 on a Linux operating system produces, in contrast, SC and E usage, which I believe is correct behaviour; it is often repeated that the same RSA key should not be used for both signing and encryption, which the above usage output shows is possible. It is not clear to me whether the subkey (and only the subkey) part of the master-subkey pair is used for encryption and never for signing, but the usage should be restricted as part of the key, to prevent this.
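The usage check described in this ticket can be automated over a whole keyring. The following is an added example, not part of the original report or of GnuPG's code: it reads the machine-readable output of `gpg --list-keys --with-colons` and reports RSA keys whose own capability flags allow both signing and encryption. The sample listing and key IDs are constructed for illustration.

```python
# Added example: audit capability flags in `gpg --list-keys --with-colons` output.
RSA_ALGO = "1"  # OpenPGP public-key algorithm id 1 = RSA (encrypt or sign)

# Constructed sample listing (not real keys). The first keyblock mirrors the
# SCEA / SEA usage shown in the ticket; the second shows the SC / E split.
SAMPLE = """\
tru::1:1311626880:0:3:1:5
pub:u:2048:1:AAAAAAAAAAAAAAAA:1311626880:::u:::scaeSCEA:
uid:u::::1311626880::0000::Test User <test@example.invalid>:
sub:u:2048:1:BBBBBBBBBBBBBBBB:1311626880::::::sea:
pub:u:2048:1:CCCCCCCCCCCCCCCC:1311626880:::u:::scESC:
sub:u:2048:1:DDDDDDDDDDDDDDDD:1311626880::::::e:
"""


def parse_keys(listing):
    """Yield (record_type, key_id, algo, own_caps) for each pub/sub record."""
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub") or len(fields) < 12:
            continue
        # Field 12 holds the capabilities. Lowercase letters are this key's
        # own flags; uppercase letters on a pub record summarise the keyblock.
        own = "".join(sorted(c for c in fields[11] if c.islower()))
        yield fields[0], fields[4], fields[3], own


def mixed_usage_keys(listing):
    """Return RSA keys whose own flags allow both signing and encryption."""
    return [
        (rec, key_id, caps)
        for rec, key_id, algo, caps in parse_keys(listing)
        if algo == RSA_ALGO and "s" in caps and "e" in caps
    ]


if __name__ == "__main__":
    for rec, key_id, caps in mixed_usage_keys(SAMPLE):
        print(f"{rec} {key_id}: flags '{caps}' allow both sign and encrypt")
```

To audit a real keyring, pass the captured output of `gpg --list-keys --with-colons` to `mixed_usage_keys` in place of `SAMPLE`.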
