A passphrase-protected key generated by GPG, using its default configuration, can’t be used
Hello! Per our conversation at DefConf.CZ, filing this.
Compare earlier #1024 (closed); reading it, I understand it was closed without making changes to Sequoia, calling this a GnuPG bug that should be fixed there.
I have generated a key using
% GNUPGHOME=$(pwd)/signature/fixtures gpg --full-gen-key
accepting all defaults for algorithms, setting a user ID and a passphrase. The resulting key is
pub ed25519 2025-06-10 [SC]
2A1481DA37243699CAA262D71505D9DD79D5D494
uid With Passphrase (Skopeo Test) <with@passphrase.email>
sub cv25519 2025-06-10 [E]
The GPG version is gnupg 2.4.8 as it exists in Homebrew, i.e. presumably https://github.com/Homebrew/homebrew-core/blob/2d8eaba5672a56ba3876be1afb08b92aad6334b3/Formula/g/gnupg.rb.
The key can be used in GnuPG to sign:
% GNUPGHOME=$(pwd)/signature/fixtures gpg --sign --default-key 1505D9DD79D5D494 --output msg.sig /etc/csh.login
and the signature validates:
gpg: Signature made po 16 črv 18:11:07 2025 CEST
gpg: using EDDSA key 2A1481DA37243699CAA262D71505D9DD79D5D494
gpg: Good signature from "With Passphrase (Skopeo Test) <with@passphrase.email>" [ultimate]
OTOH, using the sequoia-sq 1.3.1 package from Homebrew, presumably https://github.com/Homebrew/homebrew-core/blob/dbea96f607074e2a5b652a52fa8670276f61db14/Formula/s/sequoia-sq.rb#L4:
The key can be imported:
% GNUPGHOME=$(pwd)/signature/fixtures gpg --export-secret-keys --output foo 1505D9DD79D5D494
% mkdir sq-home
% sq --home $(pwd)/sq-home key import ./foo
Imported 2A1481DA37243699CAA262D71505D9DD79D5D494 With Passphrase (Skopeo Test) <with@passphrase.email> (UNAUTHENTICATED) from ./foo: new
Hint: If this is your key, you should mark it as a fully trusted introducer:
$ sq pki link authorize --unconstrained --cert=2A1481DA37243699CAA262D71505D9DD79D5D494 --all
Hint: Otherwise, consider marking it as authenticated:
$ sq pki link add --cert=2A1481DA37243699CAA262D71505D9DD79D5D494 --all
Imported 1 new key, updated 0 keys, 0 keys unchanged, 0 errors.
Imported 1 new certificate, updated 0 certificates, 0 certificates unchanged, 0 errors.
but using it fails:
% sq --home $(pwd)/sq-home sign --output msg.sig --signer 2A1481DA37243699CAA262D71505D9DD79D5D494 --message /etc/csh.login
Please enter the password to decrypt 1505D9DD79D5D494/1505D9DD79D5D494, With Passphrase (Skopeo Test) <with@passphrase.email> (UNAUTHENTICATED):
Failed to unlock key: Error: Malformed MPI: Details omitted, parsing secret
(This requires using Ctrl-J to terminate the passphrase input, the Enter/Return key seems to be ignored. I have also written the key to a file, and used --password-file, but that still resulted in a prompt.)
After removing the passphrase from the key using gpg --edit-key, using the imported key to sign succeeds and it is interoperable with GnuPG:
% rm -r sq-home
% sq --home $(pwd)/sq-home key import ./foo2
Imported 2A1481DA37243699CAA262D71505D9DD79D5D494 With Passphrase (Skopeo Test) <with@passphrase.email> (UNAUTHENTICATED) from ./foo2: new
Hint: If this is your key, you should mark it as a fully trusted introducer:
$ sq pki link authorize --unconstrained --cert=2A1481DA37243699CAA262D71505D9DD79D5D494 --all
Hint: Otherwise, consider marking it as authenticated:
$ sq pki link add --cert=2A1481DA37243699CAA262D71505D9DD79D5D494 --all
Imported 1 new key, updated 0 keys, 0 keys unchanged, 0 errors.
Imported 1 new certificate, updated 0 certificates, 0 certificates unchanged, 0 errors.
% sq --home $(pwd)/sq-home sign --output msg.sig --signer 2A1481DA37243699CAA262D71505D9DD79D5D494 --message /etc/csh.login
% LC_MESSAGES=en-US.UTF-8 GNUPGHOME=$(pwd)/signature/fixtures gpg -d msg.sig
…
gpg: Signature made po 16 črv 18:29:42 2025 CEST
gpg: using EDDSA key 2A1481DA37243699CAA262D71505D9DD79D5D494
gpg: Good signature from "With Passphrase (Skopeo Test) <with@passphrase.email>" [ultimate]
I’m attaching both secret key exports, foo with a passphrase WithPassphrase123, and foo2 without a passphrase.
Ultimately, it’s more important for me that this works from a Rust caller, not using the sq binary. It fails, for me, the same way in https://github.com/containers/image/pull/2569 , using sequoia-openpgp 2.0.0 (and see the Cargo.* in that PR for more version numbers).
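The report does not say how the secret material in the exported key is protected, which is the first thing to check when a second implementation fails while "parsing secret". The following is an added diagnostic, not code from the report, Sequoia or GnuPG: it reads a v4 secret-key packet up to its S2K usage octet and names the protection mode. The packet builder produces a constructed Ed25519 packet with placeholder key material, not the reporter's key; to inspect a real export, pass the bytes of the first packet in the file instead.

```python
# Added example (not from the report): classify how an OpenPGP v4 secret-key
# packet protects its secret material by reading the S2K usage octet.
import struct

# Public key material layout per algorithm id (what must be skipped to reach
# the S2K usage octet). 1=RSA, 16=ElGamal, 17=DSA, 18=ECDH, 19=ECDSA, 22=EdDSA.
PUBLIC_FIELDS = {1: ("mpi", "mpi"), 16: ("mpi",) * 3, 17: ("mpi",) * 4,
                 18: ("oid", "mpi"), 19: ("oid", "mpi"), 22: ("oid", "mpi")}

S2K_USAGE = {0: "unprotected",
             253: "AEAD-protected (value used by both RFC 9580 and LibrePGP)",
             254: "CFB-encrypted with SHA-1 hash",
             255: "CFB-encrypted with 2-octet checksum (legacy)"}

def parse_packet_header(data):
    """Return (tag, body_offset). Partial/indeterminate lengths are not handled."""
    ctb = data[0]
    if ctb & 0x40:                       # new-format header
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            return tag, 2
        if first < 224:
            return tag, 3
        if first == 255:
            return tag, 6
        raise ValueError("partial body length not supported")
    tag, lentype = (ctb >> 2) & 0x0F, ctb & 0x03   # old-format header
    if lentype == 3:
        raise ValueError("indeterminate length not supported")
    return tag, 1 + (1, 2, 4)[lentype]

def secret_key_protection(packet):
    """Walk a v4 secret-key (tag 5) or secret-subkey (tag 7) packet to its S2K usage octet."""
    tag, off = parse_packet_header(packet)
    if tag not in (5, 7):
        raise ValueError("not a secret key packet, tag %d" % tag)
    body = packet[off:]
    if body[0] != 4:
        raise ValueError("only v4 keys handled, got version %d" % body[0])
    algo, pos = body[5], 6               # skip version(1) + creation time(4)
    for kind in PUBLIC_FIELDS[algo]:
        if kind == "oid":
            pos += 1 + body[pos]         # length-prefixed curve OID
        else:
            bits = struct.unpack(">H", body[pos:pos + 2])[0]
            pos += 2 + (bits + 7) // 8   # MPI: bit count, then big-endian octets
    usage = body[pos]
    return {"algo": algo, "s2k_usage": usage,
            "protection": S2K_USAGE.get(usage, "unknown usage %d" % usage)}

def build_sample_ed25519_secret_packet(s2k_usage):
    """Constructed test packet (placeholder point, no real secret material)."""
    point = b"\x40" + bytes(range(32))   # 0x40 prefix + 32 octets = 263 bits
    body = bytes([4]) + struct.pack(">I", 1749542400) + bytes([22])
    body += bytes([9]) + bytes.fromhex("2b06010401da470f01")   # Ed25519 OID
    body += struct.pack(">H", 263) + point + bytes([s2k_usage])
    return bytes([0x95]) + struct.pack(">H", len(body)) + body  # old-format, 2-octet length
```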