On Fri, 27 Nov 2015 at 12:39:30 +0300, Dmitrii Tcvetkov wrote:
> In this case the passphrase is needed to decrypt the private key from the keyring.
> Because the passphrase is not provided, gpg-agent can't give gpg the
> private key.

Or perhaps Andrey tries to export an *unprotected* private key using
GnuPG 2.1.  In that case this seems to be a known issue [0].

> Private key exports in cleartext.

I think this is incorrect.  gpg --export's output is always in the
OpenPGP format (possibly armored), while as of 2.1 private material is
stored in another format (in ~/.gnupg/private-keys-v1.d/$KEYGRIP.key).
Thus the agent asks for the passphrase to decrypt the private key, and
gpg reencrypts it on the fly (using the same passphrase).  gpg2(1) also
says:

  --export-secret-keys

      GnuPG may ask you to enter the passphrase for the key.  This is
      required because the internal protection method of the secret key is
      different from the one specified by the OpenPGP protocol.

Indeed ‘gpg2 --export-secret-keys $KEYID | gpg --list-only --list-packets’
tells me that the secret material is protected.

-- 
Guilhem.

[0] https://bugs.gnupg.org/gnupg/issue2070
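
As an added illustration (not part of the original message): the check made above with `--list-packets` can also be done by reading the S2K usage octet of each secret-key packet in a binary export, where 0 means the secret material is unprotected. This sketch follows the RFC 4880 packet layout and handles only version 4 RSA/DSA/Elgamal keys; the function names and the sample bytes are constructed for the example.

```python
SECRET_TAGS = {5: "secret key", 7: "secret subkey"}
# Public MPIs that precede the secret part, per public-key algorithm (RFC 4880).
PUBLIC_MPIS = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}

def packets(data):
    """Yield (tag, body) for each packet in a binary (non-armored) OpenPGP stream."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:  # new format: tag in bits 5-0
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                start, length = i + 2, first
            elif first < 224:
                start, length = i + 3, ((first - 192) << 8) + data[i + 2] + 192
            elif first == 255:
                start, length = i + 6, int.from_bytes(data[i + 2:i + 6], "big")
            else:
                raise ValueError("partial body lengths not handled")
        else:  # old format: tag in bits 5-2, length type in bits 1-0
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if size == 8:
                raise ValueError("indeterminate length not handled")
            start, length = i + 1 + size, int.from_bytes(data[i + 1:i + 1 + size], "big")
        yield tag, data[start:start + length]
        i = start + length

def s2k_usage(body):
    """Return the S2K usage octet of a version 4 secret-key packet body."""
    if body[0] != 4 or body[5] not in PUBLIC_MPIS:
        raise ValueError("only v4 RSA/DSA/Elgamal keys handled")
    i = 6  # skip version (1), creation time (4), algorithm (1)
    for _ in range(PUBLIC_MPIS[body[5]]):
        bits = int.from_bytes(body[i:i + 2], "big")
        i += 2 + (bits + 7) // 8
    return body[i]  # 0 = cleartext; 254/255 = S2K-protected

def protection_report(data):
    """List (packet kind, protected?) for every secret key packet in the export."""
    return [(SECRET_TAGS[t], s2k_usage(b) != 0) for t, b in packets(data) if t in SECRET_TAGS]

# Constructed sample: truncated v4 RSA secret-key bodies with toy MPIs (not a real key).
_PUB = bytes([4, 0, 0, 0, 0, 1]) + bytes([0, 8, 0xC1]) + bytes([0, 5, 0x11])
SAMPLE = (bytes([0x94, len(_PUB) + 1]) + _PUB + b"\xfe"     # old-format tag 5, usage 254
          + bytes([0xC7, len(_PUB) + 1]) + _PUB + b"\x00")  # new-format tag 7, usage 0
```

Pass `protection_report` the raw bytes written by `gpg2 --export-secret-keys $KEYID` (without `--armor`); any entry reported as not protected is a secret key packet stored in cleartext.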
