java.lang.AssertionError: Unhandled SecretKeyType (should not happen) #1262
Comments
it probably makes sense to just assume a passphrase is needed for this case.... although it would be interesting to know the root cause of this. it could be just non-consolidated databases, but that seems unlikely.
OpenKeychain v3.2.1 I get the same. I've imported a private+public key as *.asc file from Enigmail export. The key has no password or timeout defined. When I try to set it as primary key (or change anything else) the app crashes like this:
When I try to validate another imported public key by fingerprint and sign(?) it (during import) with my key this error appears:
I can encrypt/sign/decrypt a mail with K9 though (sending to myself).
handling is improved in a couple of ways in c4d3920. I'm not entirely sure this covers the problem here, we'll see with the bugfix release
......nope.
Same happens to me when trying to validate a key via fingerprint using my Yubikey. Upon finishing the process, when I hit the button to confirm the key, the application just crashes with a very similar stack trace.
Do you have any special type of key, like a stripped master key with divert-to-card subkeys or something?
Exactly like what you described. The master key is not on the Yubikey and not in OpenKeychain, just the subkeys.
in that case, the bug is that certification is not available, and it should throw an error about it rather than try to perform the operation. by design, only the primary key can issue certifications.
You are of course absolutely right. I'm still trying to figure out how to best use the Yubikey without handing over all the keys to the stick itself (lest I lose it). Should not crash, anyway, but I guess then that's not a related issue.
Imagine I want to keep master key on offline storage in a vault, and only carry signing and decryption subkeys with me (on yubikey or on the device). I want to forgo my ability to publicly certify others' keys, to have extra protection for the master key. But I still want to locally mark others' public keys as verified. Do you think OpenKeychain should support such a setup?
@crosser Create a second key in OpenKeychain. Don't upload it. You can use a name such as "Confirm local key". And then confirm all other keys with this local key.
@dschuermann that works, thanks. But the process could be more user-friendly for this special case.
@crosser As you said, it's a special case... we don't advise doing it for average users.
@dschuermann why don't you? It looks like the "best practice" security-wise, no?
@dschuermann fair enough. I just wanted to make a point, it was heard, the rest is up to you folks 👍
I recently had a conversation with someone who was confused why he wasn't able to certify keys with this sort of key setup. I explained to him that only primary keys could sign, which somewhat surprised him. Now this would be fine, but: This person had written quite the elaborate blog post on how to create a key like this, subkeys on yubikey and master key on a special purpose "air-gapped" machine - without realizing he couldn't use the yubikey to certify keys then. At the point of this writing, this post is on the first page of Google for relevant keywords for me, so it does its part to shape what is "best practice".
I think I found exactly that post ;). I found a working solution for my "bug/problem" though: I have the subkeys on the Yubikey and the master key in OpenKeychain as well. For certifying, I still need to input my master password (which is complicated and a pain in the... to type), but that happens rarely.
I don't see this bug anymore on 3.4.1 in Google Play's developer console. Anyone still having this problem?
From G Play:
"I am using a custom-made private key (main key has capability C only, and each subkey has its own capability: S, E and A). I exported the private subkeys only (so that my private key with C capability, used for key-parties only, stays safe). I guess OpenKeychain crashes for this reason: my main private key (the C one) is non-existent on this device (it stays safe at home)!"
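The key layout discussed in this thread (certify-only primary key kept offline, S/E/A subkeys on the device or a card) can be detected before a certification is attempted, so the operation fails with a clear error instead of a crash. The following is an added example, not part of the thread and not OpenKeychain's code: it reads a GnuPG `--list-secret-keys --with-colons` listing for a single key, using field 12 (capabilities) and field 15 (`#` for a stub, a serial number for a card). The listing is constructed, and the function and exception names are hypothetical.

```python
class CertificationUnavailable(Exception):
    """Certification cannot be performed with the keys on this device."""

# Constructed listing (key IDs and card serial are placeholders): C-only
# primary whose secret part is a stub ('#'), S/E/A subkeys diverted to a card.
SAMPLE = """\
sec:u:4096:1:AAAAAAAAAAAAAAAA:1400000000:::u:::cSEAC:::#:
ssb:u:2048:1:BBBBBBBBBBBBBBBB:1400000000::::::s:::D2760001240100000000000000000000:
ssb:u:2048:1:CCCCCCCCCCCCCCCC:1400000000::::::e:::D2760001240100000000000000000000:
ssb:u:2048:1:DDDDDDDDDDDDDDDD:1400000000::::::a:::D2760001240100000000000000000000:
"""

def parse_secret_keys(listing):
    """Return (record, keyid, own_caps, location) for each sec/ssb record."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb") or len(f) < 15:
            continue
        # Lowercase letters are this key's own flags; uppercase on the
        # primary summarises the whole key and must not be counted here.
        caps = {c for c in f[11] if c.islower()}
        token = f[14]
        if token == "#":
            where = "stub"    # secret material is not on this device
        elif token in ("", "+"):
            where = "local"   # assumption: empty or '+' means available
        else:
            where = "card"    # field holds the token serial number
        keys.append((f[0], f[4], caps, where))
    return keys

def require_certification_key(listing):
    """Return the primary key ID if it can certify here, else raise."""
    primary = next((k for k in parse_secret_keys(listing) if k[0] == "sec"), None)
    if primary is None:
        raise CertificationUnavailable("no secret key in listing")
    _, keyid, caps, where = primary
    if "c" not in caps:
        raise CertificationUnavailable(f"primary key {keyid} has no certify capability")
    if where == "stub":
        raise CertificationUnavailable(
            f"primary key {keyid} is a stub; only the primary key can certify")
    return keyid

def usable_subkey_caps(listing):
    """Capabilities still usable through subkeys held locally or on a card."""
    return set().union(*(caps for rec, _, caps, where in parse_secret_keys(listing)
                         if rec == "ssb" and where != "stub"))
```
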