Egads, I'm really a fool. I omitted two lines from my gpg.conf:

cert-digest-algo H10
force-v4-certs

My most sincere apologies,
David Z

On 12/10/2014 11:50 PM, David Z wrote:
> I originally wondered if it might be passphrase length. I managed to
> reproduce it (100% of times I've tried addkey today in general) even
> with a single-character passphrase. I will try no passphrase now (success):
>
> ###################
> ###################
>
> $ gpg --gen-key
> gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Please select what kind of key you want:
>    (1) RSA and RSA (default)
>    (2) DSA and Elgamal
>    (3) DSA (sign only)
>    (4) RSA (sign only)
>    (7) DSA (set your own capabilities)
>    (8) RSA (set your own capabilities)
> Your selection? 8
>
> Possible actions for a RSA key: Sign Certify Encrypt Authenticate
> Current allowed actions: Sign Certify Encrypt
>
>    (S) Toggle the sign capability
>    (E) Toggle the encrypt capability
>    (A) Toggle the authenticate capability
>    (Q) Finished
>
> Your selection? e
>
> Possible actions for a RSA key: Sign Certify Encrypt Authenticate
> Current allowed actions: Sign Certify
>
>    (S) Toggle the sign capability
>    (E) Toggle the encrypt capability
>    (A) Toggle the authenticate capability
>    (Q) Finished
>
> Your selection? q
> RSA keys may be between 1024 and 4096 bits long.
> What keysize do you want? (2048) 4096
> Requested keysize is 4096 bits
> Please specify how long the key should be valid.
>    0 = key does not expire
>    <n> = key expires in n days
>    <n>w = key expires in n weeks
>    <n>m = key expires in n months
>    <n>y = key expires in n years
> Key is valid for? (0) 8y
> Key expires at Thu 08 Dec 2022 11:18:35 PM EST
> Is this correct? (y/N) y
>
> You need a user ID to identify your key; the software constructs the user ID
> from the Real Name, Comment and Email Address in this form:
>    "Heinrich Heine (Der Dichter) <heinri...@duesseldorf.de>"
>
> Real name: secmemtest
> Email address:
> Comment:
> You selected this USER-ID:
>    "secmemtest"
>
> Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
> You need a Passphrase to protect your secret key.
>
> You don't want a passphrase - this is probably a *bad* idea!
> I will do it anyway. You can change your passphrase at any time,
> using this program with the option "--edit-key".
>
> We need to generate a lot of random bytes. It is a good idea to perform
> some other action (type on the keyboard, move the mouse, utilize the
> disks) during the prime generation; this gives the random number
> generator a better chance to gain enough entropy.
> ........+++++
> +++++
> gpg: writing self signature
> gpg: RSA/SHA512 signature from: "0x6AC09B03FBEC393A [?]"
> gpg: writing public key to `/home/user/.gnupg/pubring.gpg'
> gpg: writing secret key to `/home/user/.gnupg/secring.gpg'
> gpg: using PGP trust model
> gpg: key 0x6AC09B03FBEC393A marked as ultimately trusted
> public and secret key created and signed.
>
> gpg: checking the trustdb
> gpg: 66 keys cached (4286 signatures)
> gpg: 26 keys processed (19 validity counts cleared)
> gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
> gpg: next trustdb check due at 2015-02-21
> pub 4096R/0x6AC09B03FBEC393A 2014-12-11 [expires: 2022-12-09]
>     Key fingerprint = 2B4B 9CF0 DABC 03D5 9928 A311 6AC0 9B03 FBEC 393A
> uid [ultimate] secmemtest
>
> Note that this key cannot be used for encryption. You may want to use
> the command "--edit-key" to generate a subkey for this purpose.
>
> ###################
>
> $ gpg --edit-key 0x6AC09B03FBEC393A
> gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Secret key is available.
>
> gpg: using PGP trust model
> pub 4096R/0x6AC09B03FBEC393A created: 2014-12-11 expires: 2022-12-09
>     usage: SC
>     trust: ultimate validity: ultimate
> [ultimate] (1). secmemtest
>
> gpg> addkey
> This key is not protected.
> Please select what kind of key you want:
>    (3) DSA (sign only)
>    (4) RSA (sign only)
>    (5) Elgamal (encrypt only)
>    (6) RSA (encrypt only)
>    (7) DSA (set your own capabilities)
>    (8) RSA (set your own capabilities)
> Your selection? 8
>
> Possible actions for a RSA key: Sign Encrypt Authenticate
> Current allowed actions: Sign Encrypt
>
>    (S) Toggle the sign capability
>    (E) Toggle the encrypt capability
>    (A) Toggle the authenticate capability
>    (Q) Finished
>
> Your selection? e
>
> Possible actions for a RSA key: Sign Encrypt Authenticate
> Current allowed actions: Sign
>
>    (S) Toggle the sign capability
>    (E) Toggle the encrypt capability
>    (A) Toggle the authenticate capability
>    (Q) Finished
>
> Your selection? q
> RSA keys may be between 1024 and 4096 bits long.
> What keysize do you want? (2048) 4096
> Requested keysize is 4096 bits
> Please specify how long the key should be valid.
>    0 = key does not expire
>    <n> = key expires in n days
>    <n>w = key expires in n weeks
>    <n>m = key expires in n months
>    <n>y = key expires in n years
> Key is valid for? (0) 6y
> Key expires at Tue 08 Dec 2020 11:19:18 PM EST
> Is this correct? (y/N) y
> Really create? (y/N) y
> We need to generate a lot of random bytes. It is a good idea to perform
> some other action (type on the keyboard, move the mouse, utilize the
> disks) during the prime generation; this gives the random number
> generator a better chance to gain enough entropy.
> ..........+++++
> ...............+++++
> gpg: writing key binding signature
> gpg: RSA/SHA512 signature from: "0x6AC09B03FBEC393A secmemtest"
> gpg: RSA/SHA512 signature from: "0xFEE0B1DCA2C1090C [?]"
> gpg: writing key binding signature
> gpg: RSA/SHA512 signature from: "0x6AC09B03FBEC393A secmemtest"
> gpg: RSA/SHA512 signature from: "0xFEE0B1DCA2C1090C [?]"
>
> pub 4096R/0x6AC09B03FBEC393A created: 2014-12-11 expires: 2022-12-09
>     usage: SC
>     trust: ultimate validity: ultimate
> sub 4096R/0xFEE0B1DCA2C1090C created: 2014-12-11 expires: 2020-12-09
>     usage: S
> [ultimate] (1). secmemtest
>
> gpg> save
>
> ###################
> ###################
>
> However, I then deleted that keypair and tried another, with the
> passphrase "test" and met the same error:
>
> ###################
> ###################
>
> $ gpg --gen-key
> gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Please select what kind of key you want:
>    (1) RSA and RSA (default)
>    (2) DSA and Elgamal
>    (3) DSA (sign only)
>    (4) RSA (sign only)
>    (7) DSA (set your own capabilities)
>    (8) RSA (set your own capabilities)
> Your selection? 8
>
> Possible actions for a RSA key: Sign Certify Encrypt Authenticate
> Current allowed actions: Sign Certify Encrypt
>
>    (S) Toggle the sign capability
>    (E) Toggle the encrypt capability
>    (A) Toggle the authenticate capability
>    (Q) Finished
>
> Your selection? e
>
> Possible actions for a RSA key: Sign Certify Encrypt Authenticate
> Current allowed actions: Sign Certify
>
>    (S) Toggle the sign capability
>    (E) Toggle the encrypt capability
>    (A) Toggle the authenticate capability
>    (Q) Finished
>
> Your selection? q
> RSA keys may be between 1024 and 4096 bits long.
> What keysize do you want? (2048) 4096
> Requested keysize is 4096 bits
> Please specify how long the key should be valid.
>    0 = key does not expire
>    <n> = key expires in n days
>    <n>w = key expires in n weeks
>    <n>m = key expires in n months
>    <n>y = key expires in n years
> Key is valid for? (0) 8y
> Key expires at Thu 08 Dec 2022 11:20:36 PM EST
> Is this correct? (y/N) y
>
> You need a user ID to identify your key; the software constructs the user ID
> from the Real Name, Comment and Email Address in this form:
>    "Heinrich Heine (Der Dichter) <heinri...@duesseldorf.de>"
>
> Real name: secmemtestmore
> Email address:
> Comment:
> You selected this USER-ID:
>    "secmemtestmore"
>
> Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
> You need a Passphrase to protect your secret key.
>
> We need to generate a lot of random bytes. It is a good idea to perform
> some other action (type on the keyboard, move the mouse, utilize the
> disks) during the prime generation; this gives the random number
> generator a better chance to gain enough entropy.
> ......+++++
> .........+++++
> gpg: writing self signature
> gpg: RSA/SHA512 signature from: "0xE5E0E87C61CE7430 [?]"
> gpg: writing public key to `/home/user/.gnupg/pubring.gpg'
> gpg: writing secret key to `/home/user/.gnupg/secring.gpg'
> gpg: using PGP trust model
> gpg: key 0xE5E0E87C61CE7430 marked as ultimately trusted
> public and secret key created and signed.
>
> gpg: checking the trustdb
> gpg: 66 keys cached (4286 signatures)
> gpg: 27 keys processed (19 validity counts cleared)
> gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
> gpg: next trustdb check due at 2015-02-21
> pub 4096R/0xE5E0E87C61CE7430 2014-12-11 [expires: 2022-12-09]
>     Key fingerprint = D696 FDB4 1843 FB42 5730 8664 E5E0 E87C 61CE 7430
> uid [ultimate] secmemtestmore
>
> Note that this key cannot be used for encryption. You may want to use
> the command "--edit-key" to generate a subkey for this purpose.
>
> ###################
>
> $ gpg --edit-key 0xE5E0E87C61CE7430
> gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Secret key is available.
>
> gpg: using PGP trust model
> pub 4096R/0xE5E0E87C61CE7430 created: 2014-12-11 expires: 2022-12-09
>     usage: SC
>     trust: ultimate validity: ultimate
> [ultimate] (1). secmemtestmore
>
> gpg> addkey
> Key is protected.
>
> You need a passphrase to unlock the secret key for
> user: "secmemtestmore"
> 4096-bit RSA key, ID 0xE5E0E87C61CE7430, created 2014-12-11
>
> Please select what kind of key you want:
>    (3) DSA (sign only)
>    (4) RSA (sign only)
>    (5) Elgamal (encrypt only)
>    (6) RSA (encrypt only)
>    (7) DSA (set your own capabilities)
>    (8) RSA (set your own capabilities)
> Your selection? 8
>
> Possible actions for a RSA key: Sign Encrypt Authenticate
> Current allowed actions: Sign Encrypt
>
>    (S) Toggle the sign capability
>    (E) Toggle the encrypt capability
>    (A) Toggle the authenticate capability
>    (Q) Finished
>
> Your selection? e
>
> Possible actions for a RSA key: Sign Encrypt Authenticate
> Current allowed actions: Sign
>
>    (S) Toggle the sign capability
>    (E) Toggle the encrypt capability
>    (A) Toggle the authenticate capability
>    (Q) Finished
>
> Your selection? q
> RSA keys may be between 1024 and 4096 bits long.
> What keysize do you want? (2048) 4096
> Requested keysize is 4096 bits
> Please specify how long the key should be valid.
>    0 = key does not expire
>    <n> = key expires in n days
>    <n>w = key expires in n weeks
>    <n>m = key expires in n months
>    <n>y = key expires in n years
> Key is valid for? (0) 6y
> Key expires at Tue 08 Dec 2020 11:21:23 PM EST
> Is this correct? (y/N) y
> Really create? (y/N) y
> We need to generate a lot of random bytes. It is a good idea to perform
> some other action (type on the keyboard, move the mouse, utilize the
> disks) during the prime generation; this gives the random number
> generator a better chance to gain enough entropy.
> ...+++++
> .+++++
> gpg: writing key binding signature
> gpg: out of secure memory while allocating 1024 bytes
> gpg: (this may be caused by too many secret keys used simultaneously or
> due to excessive large key sizes)
>
> ###################
> ###################
>
> I repeated that process with a new keypair and the passphrase
> "test" again, and it also failed.
>
> I then generated two keypairs both without a passphrase and succeeded
> both times.
>
> After that I generated one more with passphrase "test" and it failed again.
>
> ###################
> ###################
>
> My gpg.conf:
>
> charset utf-8
> keyserver hkp://hkps.pool.sks-keyservers.net
> keyserver-options no-honor-keyserver-url
> verbose
> list-options show-keyring show-sig-expire show-uid-validity
> ask-cert-level
> ask-sig-expire
> ask-cert-expire
>
> compress-level 0
> bzip2-compress-level 0
> personal-digest-preferences SHA512
> cert-digest-algo SHA512
> default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES
> CAST5 Uncompressed
> keyid-format 0xlong
> expert
> no-emit-version
> default-preference-list S10 S9 S8 S7 H10 H9 H8 H3 H2 Z0
> personal-cipher-preferences S10 S9 S8 S7
> personal-digest-preferences H10 H9 H8 H3 H2
> personal-compress-preferences Z0
> s2k-cipher-algo S10
> s2k-digest-algo H10
> s2k-mode 3
> s2k-count 65011712
>
> ###################
> ###################
>
> If there is anything more I can do to help, please let me know.
>
> On 12/10/2014 11:15 PM, NIIBE Yutaka wrote:
>> Thank you for your report.
>>
>> On 12/11/2014 10:05 AM, David Z wrote:
>>> Created a new keypair today. Was unable to add a subkey, even though
>>> all keys involved are within expected limits (4096 bit RSA).
>>>
>>> Dies at:
>>>
>>> gpg: writing key binding signature
>>> gpg: out of secure memory while allocating 1024 bytes
>>> gpg: (this may be caused by too many secret keys used simultaneously
>>> or due to excessive large key sizes)
>>>
>>> This has occurred in all of my attempts today, with multiple fresh
>>> testing keys, though I recall performing this action at least somewhat
>>> recently with success. Full output:
>>
>> I tried to reproduce this bug. It was very difficult for me, but I
>> managed to reproduce it this afternoon.
>>
>> My experiment is following your scenario with my configuration of
>> GnuPG. My configuration of GnuPG is the same as:
>>
>> http://keyring.debian.org/creating-key.html
>>
>> (It looks like your configuration has preference of SHA512, though.)
>>
>> I used a 1400-byte long passphrase, and I got the same error.
>>
>> Are you using such a long passphrase like mine?