<p>I think Mike nailed it with the backup/restore error.</p>
<p>A restore method I swear by (at) is to always restore to a tmp directory. I have to do more work to complete things but it means I don't wind up with an older copy of something important.</p>
<div class="gmail_quote">On Oct 10, 2011 11:24 PM, "Michael H. Warfield" <<a href="mailto:mhw@wittsend.com">mhw@wittsend.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Mon, 2011-10-10 at 22:51 -0400, Michael Trausch wrote:<br>
> On Mon, Oct 10, 2011 at 21:15, Jim Kinney <<a href="mailto:jim.kinney@gmail.com">jim.kinney@gmail.com</a>> wrote:<br>
> ><br>
> > Check mtimes and see if you overwrote them. Check mounts and see if you have something mounted over you. Get ready to test your recovery process.<br>
><br>
> All the file times are different, because I just imported a key so<br>
> that I could write an encrypted mail. So, the public keyring was<br>
> *just* modified, whereas the private one has been the same for a long<br>
> time. Unfortunately, it seems that my present dilapidated method of<br>
> backing things up doesn't preserve the timestamps, so the private ring<br>
> has a timestamp from when I last backed up/restored it.<br>
><br>
> I have nothing mounted in my $HOME.<br>
><br>
> And this is just plain weird...<br>
<br>
Sigh... Not as weird as you might think.<br>
<br>
> Here is the listing for --list-keys and --list-secret (so, public and<br>
> private, in order):<br>
<br>
> mbt@aloe ~/.gnupg $ gpg2 --list-keys 19C59A30<br>
> pub 1024D/19C59A30 2006-02-15 [expires: 2012-02-09]<br>
> uid Michael B. Trausch <<a href="mailto:mike@trausch.us">mike@trausch.us</a>><br>
> uid [jpeg image of size 2663]<br>
> uid Michael B. Trausch <<a href="mailto:fd0man@gmail.com">fd0man@gmail.com</a>><br>
> uid Michael B. Trausch (Educational Address)<br>
> <<a href="mailto:fd0man@email.wintu.edu">fd0man@email.wintu.edu</a>><br>
> uid Michael B. Trausch (Primary Address)<br>
> <<a href="mailto:michael.trausch@gmail.com">michael.trausch@gmail.com</a>><br>
> uid Michael B. Trausch <<a href="mailto:mbt@zest.trausch.us">mbt@zest.trausch.us</a>><br>
> sub 4096g/2B4060E1 2011-02-22 [expires: 2012-02-09]<br>
<br>
> mbt@aloe ~/.gnupg $ gpg2 --list-secret 19C59A30<br>
> sec 1024D/19C59A30 2006-02-15 [expires: 2012-02-09]<br>
> uid Michael B. Trausch <<a href="mailto:mike@trausch.us">mike@trausch.us</a>><br>
> uid [jpeg image of size 2663]<br>
> uid Michael B. Trausch <<a href="mailto:fd0man@gmail.com">fd0man@gmail.com</a>><br>
> uid Michael B. Trausch (Educational Address)<br>
> <<a href="mailto:fd0man@email.wintu.edu">fd0man@email.wintu.edu</a>><br>
> uid Michael B. Trausch (Primary Address)<br>
> <<a href="mailto:michael.trausch@gmail.com">michael.trausch@gmail.com</a>><br>
> uid Michael B. Trausch <<a href="mailto:mbt@zest.trausch.us">mbt@zest.trausch.us</a>><br>
> ssb 4096g/EE066969 2006-02-15 [expires: 2011-02-14]<br>
<br>
Ok... That's interesting that --list-keys doesn't show your expired<br>
public key though -kv does (from my test on your downloaded key).<br>
<br>
Yeah, crap... Looks like, in the process of backing up and restoring<br>
keys and what not, you've backed up and restored the secret key to your<br>
expired encryption key but not the new one. That can happen any one of<br>
a number of ways but I would suspect that at one time you backed up your<br>
old keyrings and then, after generating a new encryption key, restored<br>
the old keyrings clobbering your secret keys and losing the active one.<br>
If you refreshed your public keys from the public key servers (something<br>
I do quite often to pick up signatures others have given me) it would<br>
restore your public key to the newer key but not the private key. And<br>
there you would be.<br>
<br>
You're probably toast. Unless you have a backup with that private key<br>
somewhere, you are screwed. Your only choice is to create a new<br>
encryption key and revoke that old one you've lost the key to. Then<br>
make sure your keyrings are backed up and the old backups discarded.<br>
<br>
Personally... I would take the opportunity right here and now to<br>
generate a completely new 2048R key (signed by the old key) and be done<br>
with it. That's going to expire in a few months anyways. Bite the<br>
bullet and just get off the DSS/DSA keys and back onto an RSA key.<br>
You'll still have signing and encryption keys but they'll all be RSA<br>
instead of DSA for signing and ElGamal for encryption.<br>
<br>
> These are identical, except for the ElGamal encryption subkey. If<br>
> memory serves me correctly, I generated the second one to make the<br>
> expiration date line up with that for the entire remainder of the key.<br>
> What I *don't* understand is, how in the world could this have<br>
> happened? Obviously one possibility is that I deleted my encryption<br>
> subkey and regenerated it in February, 2011. But generating an<br>
> encryption key is a big deal in my mind and I think I would remember<br>
> that. I remember when I originally generated this key, and I remember<br>
> every time someone has signed the public part of it. I don't recall<br>
> regenerating my encryption key, though.<br>
><br>
> Now, I haven't used my encryption key much since I generated it; I<br>
> received maybe 20 encrypted emails from 2006 to 2008, and maybe 20 in<br>
> total since then. And I sent no more than that in those years, as<br>
> well.<br>
><br>
> For that matter, if I would have generated the new encryption key,<br>
> wouldn't it have been updated in my private key, too?<br>
><br>
> I need to look through the backups that I have taken throughout the<br>
> year, but I don't think that I've ever backed up either my ~/.ssh or<br>
> ~/.gnupg directories in part; I've always done it in full.<br>
><br>
> For that matter, except at the system's console, I can't get into the<br>
> system without using an SSH key.<br>
><br>
> I guess it is time to step through the backups from the last two years<br>
> and see what happened and when it changed...<br>
><br>
> Would it be paranoid to think that this is something more than a<br>
> simple error? It seems unlikely that (a) I would have regenerated my<br>
> encryption key more than halfway into my key's useful life without<br>
> revoking and regenerating the whole bloody key, (b) that I would have<br>
> forgotten such an event and (c) that gpg had a bug that failed to<br>
> write to the secret key, doesn't it?<br>
><br>
> --- Mike<br>
><br>
> ><br>
> > On Oct 10, 2011 8:11 PM, "Michael Trausch" <<a href="mailto:mike@trausch.us">mike@trausch.us</a>> wrote:<br>
> >><br>
> >> Don't know what happened, but I have a bad situation.<br>
> >><br>
> >> I have gpg keys, like many here. Somehow, though, my main key set (thankfully expiring in a few months!) isn't right. My signing keys all appear to match, but my encryption key is different, and I cannot decrypt encrypted mail sent to me.<br>
> >><br>
> >> Can anyone tell me how I might have screwed up so badly?<br>
<br>
Regards,<br>
Mike<br>
--<br>
Michael H. Warfield (AI4NB) | <a href="tel:%28770%29%20985-6132" value="+17709856132">(770) 985-6132</a> | mhw@WittsEnd.com<br>
/\/\|=mhw=|\/\/ | <a href="tel:%28678%29%20463-0932" value="+16784630932">(678) 463-0932</a> | <a href="http://www.wittsend.com/mhw/" target="_blank">http://www.wittsend.com/mhw/</a><br>
NIC whois: MHW9 | An optimist believes we live in the best of all<br>
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!<br>
<br>_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br></blockquote></div>
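<p>An added example, not code from the list or from either Mike, that turns the diagnosis above into a check you can run: compare the encryption subkeys gpg reports for the public keyring against those in the secret keyring and name any subkey whose secret half is missing, which is exactly the state the two listings in the thread show. It reads gpg's machine-readable <code>--with-colons</code> output. The two listings embedded below are constructed sample data modelled on the thread's key 19C59A30; the thread only shows 32-bit short key IDs, so the upper half of each long ID is invented for the sample.</p>

```shell
#!/bin/sh
# Added example: report a public encryption subkey whose secret half is
# absent from the secret keyring (the "backed up the old ring, generated a
# new subkey, restored the old ring" failure discussed in the thread).
# Works on 'gpg --with-colons' records: field 1 is the record type,
# field 5 the long key ID, field 12 the capability letters ('e' = encrypt).

# Constructed sample listings modelled on the thread's key 19C59A30.
# The upper 32 bits of each long key ID are invented for the sample.
PUB_LISTING='pub:u:1024:17:0123456719C59A30:2006-02-15:2012-02-09::u:::scESC:
uid:u::::::::Michael B. Trausch <mike@trausch.us>:
sub:u:4096:16:012345672B4060E1:2011-02-22:2012-02-09:::::e:'

# Secret keyring as the thread shows it: only the old, expired subkey.
SEC_LISTING_BAD='sec::1024:17:0123456719C59A30:2006-02-15:2012-02-09::::::::
uid:::::::::Michael B. Trausch <mike@trausch.us>:
ssb::4096:16:01234567EE066969:2006-02-15:2011-02-14::::::::'

# Secret keyring as it should look: the active subkey's secret half present.
SEC_LISTING_GOOD='sec::1024:17:0123456719C59A30:2006-02-15:2012-02-09::::::::
uid:::::::::Michael B. Trausch <mike@trausch.us>:
ssb::4096:16:012345672B4060E1:2011-02-22:2012-02-09::::::::'

# Long key IDs of encryption-capable public subkeys, one per line.
pub_enc_subkeys() { awk -F: '$1 == "sub" && index($12, "e") { print $5 }'; }

# Long key IDs of every secret subkey, one per line.
sec_subkeys() { awk -F: '$1 == "ssb" { print $5 }'; }

# missing_secret_subkeys PUBLIC_LISTING SECRET_LISTING
# Prints one line per public encryption subkey with no secret counterpart;
# prints nothing when the two keyrings agree.
missing_secret_subkeys() {
    pub_ids=$(printf '%s\n' "$1" | pub_enc_subkeys)
    sec_ids=$(printf '%s\n' "$2" | sec_subkeys | tr '\n' ' ')
    for id in $pub_ids; do
        case " $sec_ids " in
            *" $id "*) ;;
            *) printf 'no secret key for encryption subkey %s\n' "$id" ;;
        esac
    done
}

# Stand-alone run against the constructed data.
# Against a live keyring, feed it the real listings instead:
#   missing_secret_subkeys "$(gpg2 --with-colons --list-keys KEYID)" \
#                          "$(gpg2 --with-colons --list-secret-keys KEYID)"
echo "keyrings as shown in the thread:"
missing_secret_subkeys "$PUB_LISTING" "$SEC_LISTING_BAD"
echo "keyrings that agree:"
missing_secret_subkeys "$PUB_LISTING" "$SEC_LISTING_GOOD"
```

<p>This pairs with the restore-to-a-temporary-directory habit mentioned at the top of the thread: unpack each old backup of <code>~/.gnupg</code> into its own scratch directory and run the same comparison with <code>gpg2 --homedir /path/to/scratch --with-colons --list-secret-keys</code> as the second listing. The first backup that reports nothing missing is the one that still holds the secret half of the active subkey, and nothing in the live keyring is overwritten while you look.</p>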