Bug in PGP2.6 when editing your key
-----BEGIN PGP SIGNED MESSAGE-----

We have found an important bug in PGP 2.6 (and 2.5).

Problem:
If you store your pass phrase in the PGPPASS environment variable or
supply it via the PGPPASSFD hack and you edit your key (pgp -ke) you may
lose.
Specifically if you edit your key and do *not* change your pass phrase,
then it gets clobbered and you lose access to your private key.

What to do if this happens to you:
You will know that this has happened because you will edit your key and
then not be able to use your private key. *IMMEDIATELY* restore your
secring.pgp and pubring.pgp from the ".bak" versions that PGP
automatically creates. This will put things back the way they were.

Work Around:
You can avoid this problem when editing your key by doing one of the two
things below.

1) Remove the PGPPASS environment variable (or don't use PGPPASSFD) when
editing your key. You will then have to manually type in your pass
phrase when editing your key, but the pass phrase will not get clobbered
this way.

2) If you still use the PGPPASS environment variable, then when the key
editing process asks you if you wish to change your pass phrase, answer
"y" (i.e., tell it that you wish to change your pass phrase). It will
then prompt you twice for your new pass phrase. Note: You can set it to
what it was, effectively not really changing it. PGP will not know the
difference and your pass phrase will not get clobbered.

Status:
This problem has a known fix and it will be included in the next
release.

-Jeff
-----BEGIN PGP SIGNATURE-----
Version: 2.6
iQBVAgUBLiCWkVUFZvpNDE7hAQF/GQIAoWi86mx1TylR5CUWInJrYy/L5kNB0qqB
Uo/gA+u4M7YYeFEVF+voeBBRW686j2ksWaMA3ERTN8o6HWc5hrcf+A==
=fXWk
-----END PGP SIGNATURE-----
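
The restore step and workaround 1 from the advisory above, written as shell functions. This is an added example, not part of the original message or of PGP itself. It assumes the keyrings sit in one directory (passed as the first argument and exported as PGPPATH) and that the automatic backups are named secring.bak and pubring.bak; the .clobbered and .pre-edit suffixes and the PGP_CMD variable are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original advisory.
# Assumptions: both keyrings live in the directory given as $1, and PGP's
# automatic backups there are named secring.bak and pubring.bak.

# Put both keyrings back from the .bak copies. The damaged files are kept
# as *.clobbered (name chosen here) rather than deleted. Nothing is touched
# unless both backups are present.
restore_keyrings() {
    dir=$1
    for ring in secring pubring; do
        [ -f "$dir/$ring.bak" ] || {
            echo "missing $dir/$ring.bak, not restoring" >&2
            return 1
        }
    done
    for ring in secring pubring; do
        if [ -f "$dir/$ring.pgp" ]; then
            mv "$dir/$ring.pgp" "$dir/$ring.clobbered" || return 1
        fi
        cp -p "$dir/$ring.bak" "$dir/$ring.pgp" || return 1
    done
}

# Run "pgp -ke <userid>" with workaround 1 applied: PGPPASS and PGPPASSFD
# are removed for the pgp process only, so the pass phrase has to be typed
# by hand. An extra copy of each keyring (*.pre-edit, name chosen here) is
# taken first, independent of PGP's own .bak files.
safe_key_edit() {
    dir=$1
    shift
    for ring in secring pubring; do
        cp -p "$dir/$ring.pgp" "$dir/$ring.pre-edit" || return 1
    done
    (
        # The subshell keeps the caller's environment unchanged.
        unset PGPPASS PGPPASSFD
        PGPPATH=$dir
        export PGPPATH
        # PGP_CMD (hypothetical override) lets a different binary be named.
        "${PGP_CMD:-pgp}" -ke "$@"
    )
}

# Usage:
#   safe_key_edit "$HOME/.pgp" "your user id"
#   restore_keyrings "$HOME/.pgp"    # only if the key stopped working
```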