Import PGP Keys with no user id into gpg

Question

My company used Authora Edge to create / manage pgp keys. The company unexpectedly closed, and we are in the process of migrating the existing keys into gpg.

When trying to import the public keys, I received the following error:

# gpg --import ./Feedback-RSA-4096.public.asc
gpg: key 5DE4473F: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: Total number processed: 1
gpg:           w/o user IDs: 1

However, I was able to resolve this by using --allow-non-selfsigned-uid:

# gpg --allow-non-selfsigned-uid --import ./Feedback-RSA-4096.public.asc
gpg: key 5DE4473F: accepted non self-signed user ID "Feedback-RSA-4096.public.asc"
gpg: key 5DE4473F: public key "Feedback-RSA-4096.public.asc" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

Unfortunately, this does not work when importing secret keys:

# gpg --expert --allow-non-selfsigned-uid --import Feedback-RSA-4096.private.txt
gpg: key 5DE4473F: no user ID
gpg: Total number processed: 1
gpg:       secret keys read: 1

Any idea how I can import the secret keys into gpg? I read that I can use expert mode, but so far my attempts have been unsuccessful.

Answer 1

It's true that GnuPG will not import a secret key without a User ID. Fortunately the --allow-non-selfsigned-uid option makes it very easy to just invent a temporary User ID and write it to the file as a short bytestring prior to importing. In this case I'll use the User ID "foobar" so the bytestring will be \xb4\x06foobar.

In order for this to work the secret key file has to be in binary format - not ascii-armored. If the file can be read with a normal text editor and starts with -----BEGIN PGP PRIVATE KEY BLOCK-----, then it is ascii-armored and needs to be converted. If it's already binary, you should instead make a copy.

If original secret key file is ascii-armored, create a binary copy:

gpg -o Feedback-RSA-4096.private.gpg --dearmor Feedback-RSA-4096.private.txt

Else if original secret key file is binary, create a renamed binary copy:

cp Feedback-RSA-4096.private.txt Feedback-RSA-4096.private.gpg

Whichever of the above commands you use will create a binary copy of your secret key file named Feedback-RSA-4096.private.gpg. This way if something goes wrong you won't mess up your original secret key file.

Append the User ID bytestring to binary copy:

printf '\xb4\x06foobar' >> Feedback-RSA-4096.private.gpg

Import the secret key file using the --allow-non-selfsigned-uid option:

gpg --allow-non-selfsigned-uid --import Feedback-RSA-4096.private.gpg

Almost done...

A key with a non-selfsigned User ID has severely limited functionality, so once the key is imported you must use gpg --edit-key foobar to enter edit mode. Once in edit mode at the gpg> prompt enter adduid and follow the on-screen prompts to add a real (self-signed) User ID. After you've added your User ID and while still in edit mode at the gpg> prompt enter 1 to select the "foobar" User ID (there will be a * next to the name indicating it is selected), then enter deluid and confirm deletion of that User ID. Finally enter save to save changes and exit key edit mode.

Note that a secret key packet always includes the corresponding public key packet within it, so importing a file that contains the secret key will also import the public key. This means you can skip the step of importing the public key file and instead import only the secret key file.