
How do I indoctrinate a new user when using a pubring.kbx file? #184

Open
Binarytales opened this issue Feb 22, 2017 · 14 comments

Comments

@Binarytales

Binarytales commented Feb 22, 2017

My system is using GPG2.1 which uses a new Keybox file format pubring.kbx.

So I can't run gpg --import keyrings/live/pubring.gpg.

And if I try gpg --import keyrings/live/pubring.kbx it doesn't work.

gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

Even though gpg --homedir=keyrings/live --list-keys shows the keys I expect.

It turns out that --import doesn't work with the kbx format.

How are users of Blackbox dealing with this? Is there an alternative mechanism for importing keys or should I downgrade/start-over in a way that ensures the older .gpg file format is used?

@tlimoncelli
Contributor

The newest version of gpg uses a new filename and format for pubring. Sadly this breaks blackbox. Until there's a patch, please install the older gpg. The gpg2 docs say that if the old filename exists gpg2 will continue to use it, so this won't affect old repos.

This change caught me off guard.

@kri5

kri5 commented Mar 13, 2017

It seems that a patch has already been merged a while ago (#82).

The issue is that, it seems, you cannot import keybox keyrings as you could with the old format.

I do not know what would be the way to do so.

@kri5

kri5 commented Mar 14, 2017

Another way to work around that issue would be to create the pubring.gpg manually beforehand; gpg2 would then fall back into compatibility mode and use this file.

But it is not future proof, as we don't know for how long the pubring.gpg file format will be supported by gpg.

@Binarytales
Author

We do know how long the old format will be supported but it's not long. From the project homepage for GPG (https://www.gnupg.org/):

2.0.30 is the stable version from an often used branch. This branch will reach end-of-life on 2017-12-31

@Binarytales
Author

Binarytales commented Mar 14, 2017

After some playing around and a bit of reading, I think I may have the right combination of commands to import new keys from Blackbox into the local keybox if using GPG 2.1+:

gpg2 --keyring keyrings/live/pubring.kbx  --export | gpg2 --import

The trick is to export the keys and then pipe them into the import.

This mailing list email has some good insights into the different mechanisms for importing/exporting between keyrings and keyboxes:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790665;msg=7

@tlimoncelli
Contributor

Please try this again. I believe this was fixed in 4bc9704

@sryabkov

I ran into this today with the latest version of blackbox on Ubuntu LTS 16.04 while adding a new admin.

Solved the issue as follows.

Importing the key (thanks @Binarytales!):

gpg2 --keyring keyrings/live/pubring.kbx  --export | gpg2 --import

To re-encrypt the files, I had to prefix blackbox_update_all_files with GPG=gpg2:

GPG=gpg2 blackbox_update_all_files

@jcrben
Contributor

jcrben commented Jul 10, 2018

Over at git-secret, an RFC on "A stable and forwards compatible public key storage format" was merged recently: https://github.com/sobolevn/git-secret/pull/207/files

@zakkg3

zakkg3 commented Oct 10, 2018

Ran into this, and @Binarytales' solution works on macOS X with

gpg --keyring keyrings/live/pubring.kbx  --export | gpg --import
blackbox_update_all_files

@kormat

kormat commented Dec 23, 2018

A better form of the workaround is:

gpg --no-default-keyring --keyring .blackbox/pubring.kbx  --export -a | gpg --import

--no-default-keyring prevents gpg from also exporting the default keyring, which is pointless and noisy for this operation.
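The export-then-import workaround from @Binarytales' comment, with @kormat's --no-default-keyring refinement, wrapped in a small sh helper as an added example (not Blackbox code and not from any comment in this thread). It assumes the repo keyring directory is passed as the first argument (for example ./keyrings/live or .blackbox), falls back to a plain --import when the repo still ships the legacy pubring.gpg, honours the GPG variable the Blackbox tools use, and adds a check that every fingerprint in the repo keyring is now present locally.

```shell
#!/usr/bin/env sh
# Added example (not Blackbox code and not from any comment above): import the
# public keys in a Blackbox repo keyring into the local GnuPG keyring, handling
# both the legacy pubring.gpg and the GnuPG 2.1+ pubring.kbx keybox format.
# Honours $GPG the way the Blackbox tools do, defaulting to gpg.
GPG="${GPG:-gpg}"

# Print the keyring file to import from, preferring the keybox when present.
# Returns 1 when the directory holds neither file.
pick_repo_keyring() {
    if [ -f "$1/pubring.kbx" ]; then
        printf '%s\n' "$1/pubring.kbx"
    elif [ -f "$1/pubring.gpg" ]; then
        printf '%s\n' "$1/pubring.gpg"
    else
        return 1
    fi
}

# Import every key from the repo keyring into the user's default keyring.
# A .kbx file cannot be fed to --import directly, so export it first; the
# legacy .gpg keyring is plain OpenPGP data and imports as-is.
import_repo_keys() {
    ring=$(pick_repo_keyring "$1") || { echo "no keyring in $1" >&2; return 1; }
    case "$ring" in
        *.kbx)
            # --no-default-keyring keeps the user's own keys out of the export.
            "$GPG" --no-default-keyring --keyring "$ring" --export -a \
                | "$GPG" --import ;;
        *)
            "$GPG" --import "$ring" ;;
    esac
}

# Fingerprints held in a keyring file, one per line (fpr records, field 10).
keyring_fingerprints() {
    "$GPG" --no-default-keyring --keyring "$1" --with-colons --fingerprint \
        | awk -F: '$1 == "fpr" { print $10 }' | sort -u
}

# Confirm that every key the repo trusts is now in the local keyring.
verify_import() {
    ring=$(pick_repo_keyring "$1") || return 1
    keyring_fingerprints "$ring" | while read -r fpr; do
        "$GPG" --list-keys "$fpr" >/dev/null 2>&1 || { echo "missing $fpr" >&2; exit 1; }
    done
}
```

Pass the keyring directory with a slash in it (./keyrings/live rather than a bare name), because gpg resolves a --keyring argument without a slash relative to its home directory.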

@mbyd916

mbyd916 commented Jun 23, 2019

Thanks a lot for your solution

@Maxattax97

Maxattax97 commented Apr 20, 2020

It's 2020, can we make a push to update the README with this information?

Also, is there any reason this isn't included and automated into blackbox? Why can't the commands try to import these keys on each run, or at the very least before blackbox_update_all_files?

My problem was elsewhere and it looks like the source already does this. Why is this not closed?

@cdan-youdo

I've managed to add myself to a blackbox repo that is using the old GPG using this:

GPG=gpg blackbox_addadmin ....

I am not sure if GPG=gpg is obeyed by blackbox_addadmin script or by gpg itself.

@tlimoncelli
Contributor

Yes, using GPG=gpg is fully supported. All blackbox tools use $GPG if it is set, otherwise it defaults to gpg.
