http://bugzilla.opensuse.org/show_bug.cgi?id=1043514

Bug ID: 1043514
Summary: Kgpg exports secret key and revokekey without asking for password from kgpg
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: x86-64
OS: openSUSE 42.2
Status: NEW
Severity: Critical
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: stakanov@freenet.de
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

From what I am used to, when a secret key is exported, the key password should be asked for. The same applies when a revoke key is exported.

On this new install of 42.2 I experience the same problems as I have had in the past. When they happen, the system becomes nearly unusable. They always come together, so I report them here.

a) The first problem you encounter is that the password input field does not react any more. After resetting the PC you find:

1) This is a LUKS-encrypted system with password-protected GRUB, a notebook. Before this event, no problem. After(!) this event, external USB keyboards work until you reach LUKS. Then you are forced to enter the password on the notebook keyboard because the system does not recognize any USB device any more (no mouse, no keyboard). So now you enter the password via the notebook keyboard, the system starts and all seems normal again (note that this is not normal, because a fresh install never has this problem).

b) You reach the desktop, start kontact/kmail and, since you protected the password with kgpg, you find that the password does not react. Before, I did not have any problem. Then I installed kwalletmanager. After the install, the password input worked again until the next reboot. This time I had to type the password 8 times to get the wallet to open.

Now I wanted to see whether something was wrong and opened kgpg. So now I can export a public key, a secret key and a revoke without a password?

So that would mean that if you use gpg keys to protect your wallet, it is no problem to get hold of your secret key? I am used to having to type in the password to export your secret key. And also issuing a revoke key should IMO always(!) require a password. Otherwise, maybe I misunderstood the principle of the need for a password in kgpg. Please let me know if this is a new feature.

--
You are receiving this mail because:
You are on the CC list for the bug.