Check that the first secret-key packet is a 'secret-key packet'

From RFC 4880 [1]:

  The format of a transferable secret key is the same as a
  transferable public key except that secret-key and secret-subkey
  packets are used instead of the public key and public-subkey
  packets.

[1]: http://tools.ietf.org/search/rfc4880#section-11.2

diff --git a/gpg-migrate.py b/gpg-migrate.py
index 9bc9ecc13bccd1fbf317d1484629ce7dfa34af7b..3041b16ca55f325addd7aec311f6dc147c82bb04 100755 (executable)
--- a/gpg-migrate.py
+++ b/gpg-migrate.py
@@ -725,6 +725,10 @@ class PGPKey (object):
             ['gpg', '--export-secret-keys', self.fingerprint])
         self.secret_packets = list(
             packets_from_bytes(data=key_secret_export))
+        if self.secret_packets[0]['type'] != 'secret-key packet':
+            raise ValueError(
+                '{} does not start with a secret-key packet'.format(
+                    self.fingerprint))
 
     def export_to_gpg(self):
         raise NotImplemetedError('export to gpg')