Bug#795639: assword fails with "Decryption error: Decryption failed"

2015-10-13 Thread demure
These two commands have fixed gpg 2.1.8 for me, on sid.

Prior to the fix, I had:
gpg: decryption failed: No secret key

On Sun, 16 Aug 2015 10:16:03 -0700 Russ Allbery  wrote:
> Daniel Kahn Gillmor  writes:
> 
> 
> Aha.  Okay, I seem to have fixed it, although I still don't really
> understand what happened.  On a hunch, I ran:
> 
> $ gpg2 --import ~/.gnupg/pubring.gpg
> 
> That spat out a bunch of output (tons and tons of those legacy key
> messages), and then I ran:
> 
> $ gpg2 --import ~/.gnupg/secring.gpg
>... 
> -- 
> Russ Allbery (r...@debian.org)   
> 
> 


Bug#795639: assword fails with "Decryption error: Decryption failed"

2015-09-20 Thread William Hay
Might this be a symptom of bug #772897 ?



Bug#795639: assword fails with Decryption error: Decryption failed

2015-08-17 Thread Russ Allbery
Just one more data point:

I just upgraded another system using assword, with a separate private key
that was generated on 2014-08-20, and everything worked fine with it.  And
I don't get the legacy keys errors on that system either.

-- 
Russ Allbery (r...@debian.org)   http://www.eyrie.org/~eagle/



Bug#795639: assword fails with Decryption error: Decryption failed

2015-08-17 Thread Russ Allbery
Daniel Kahn Gillmor d...@fifthhorseman.net writes:

 interesting.  what is the history of this secret key material?  Was it
 generated fresh on 2009-05-29?  or was it converted from some other
 (older) key source?

It was generated fresh on 2009-05-29 using gpg at the time.

 Aha.  Okay, I seem to have fixed it, although I still don't really
 understand what happened.  On a hunch, I ran:

 $ gpg2 --import ~/.gnupg/pubring.gpg

 That spat out a bunch of output (tons and tons of those legacy key
 messages), and then I ran:

 $ gpg2 --import ~/.gnupg/secring.gpg

 again.

 Did you happen to compare your test commands (e.g. looking at files,
 running gpg -kv $FPR) between these two --import operations?  I'm
 assuming that the last one is the one that fixed things, but i'd like
 to make sure...

Sadly, I didn't, but I do know for certain that just doing the second did
not fix the problem.  It just declined to import the key with the legacy
key message and then another message about how there was no self-sig.
(Actually, you probably already know that since I think that was a
previous message -- now I'm forgetting what I did when.)

I started wondering if it couldn't see the self-sig because it didn't have
the corresponding public key and wondered what would happen if I imported
the public key ring.  After I did that, the second command actually
imported the secret key as well (in that I saw 1 key imported in the
resulting message).  For some reason, all my other secret keys were
successfully imported.  Just not that one.

 do you know if there were more legacy key messages for the second
 --import command?

Oh, yeah, there are tons every time I run that command.  Basically one for
every key.

-- 
Russ Allbery (r...@debian.org)   http://www.eyrie.org/~eagle/



Processed: Re: Bug#795639: assword fails with Decryption error: Decryption failed

2015-08-17 Thread Debian Bug Tracking System
Processing control commands:

 retitle 795639 automated secret key import process for gpg2.1 skips some keys
Bug #795639 [gnupg2] assword fails with Decryption error: Decryption failed
Changed Bug title to 'automated secret key import process for gpg2.1 skips some keys' from 'assword fails with Decryption error: Decryption failed'

-- 
795639: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=795639
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#795639: assword fails with Decryption error: Decryption failed

2015-08-17 Thread Daniel Kahn Gillmor
Control: retitle 795639 automated secret key import process for gpg2.1 skips some keys

On Sun 2015-08-16 19:16:03 +0200, Russ Allbery wrote:
 Daniel Kahn Gillmor d...@fifthhorseman.net writes:
 do you see
 ~/.gnupg/private-keys-v1.d/FD1DA474D3DF3C728C54F9E479EDFC5BBE2E14EA.key
 ?

 No, that file doesn't exist.  So it looks like you've located the problem.
 [...]
 mithrandir:~$ gpg2 -kv D15D313882004173
 gpg: using classic trust model
 gpg: keydb_get_keyblock failed: Legacy key
 gpg: error reading key: No public key

interesting.  what is the history of this secret key material?  Was it
generated fresh on 2009-05-29?  or was it converted from some other
(older) key source?

 Aha.  Okay, I seem to have fixed it, although I still don't really
 understand what happened.  On a hunch, I ran:

 $ gpg2 --import ~/.gnupg/pubring.gpg

 That spat out a bunch of output (tons and tons of those legacy key
 messages), and then I ran:

 $ gpg2 --import ~/.gnupg/secring.gpg

 again.

Did you happen to compare your test commands (e.g. looking at files,
running gpg -kv $FPR) between these two --import operations?  I'm
assuming that the last one is the one that fixed things, but i'd like
to make sure...

do you know if there were more legacy key messages for the second
--import command?

 That prompted me for the passphrase for the private key for
 D15D313882004173, and then apparently successfully imported it.  Now,
 the gpg2 command works:

 mithrandir:~$ gpg2 -kv D15D313882004173
 gpg: using classic trust model
 pub   rsa4096/D15D313882004173 2009-05-29 [expires: 2017-09-17]
 uid [ultimate] Russ Allbery ea...@eyrie.org
 uid [ultimate] Russ Allbery r...@stanford.edu
 uid [ultimate] Russ Allbery r...@debian.org
 uid [ revoked] Russ Allbery ea...@windlord.stanford.edu
 uid [ultimate] Russ Allbery r...@cs.stanford.edu
 sub   rsa4096/7CE29A76E9769486 2009-05-29 [expires: 2017-09-17]
 sub   rsa2048/7D80315C5736DE75 2010-09-17 [expires: 2016-03-20]

 and now assword works again.

ok, i'm glad this part is fixed for you for now, but I'm a little
disturbed that I don't know how to reproduce the scenario you got into.
This is made more complicated by the fact that i don't have (or want)
access to your secret keys, of course.

 So, something weird about the automated key import process for gpg2?

yes, definitely.  I'm retitling the bug to account for that.

 --dkg



Bug#795639: assword fails with Decryption error: Decryption failed

2015-08-16 Thread Daniel Kahn Gillmor
On Sun 2015-08-16 02:55:43 +0200, Russ Allbery wrote:
 Daniel Kahn Gillmor d...@fifthhorseman.net writes:

 does this succeed with gpg2 --decrypt as well, or just gpg --decrypt?

 Aha.  Here's a problem:

 mithrandir:~/private/db$ gpg2 --decrypt personal
 gpg: error reading keyblock: Legacy key
 gpg: keydb_get_keyblock failed: Legacy key
 gpg: encrypted with RSA key, ID 7CE29A76E9769486
 gpg: decryption failed: No secret key

 I have no idea what that means, and Google was not particularly
 enlightening.

 do you see files listed when you look at the GnuPG 2.1 secret key storage:

ls -l ~/.gnupg/private-keys-v1.d/*.key

 Yes.

ok, so the keygrip for 0x7CE29A76E9769486 is
FD1DA474D3DF3C728C54F9E479EDFC5BBE2E14EA

(via gpg2  --with-keygrip --list-keys 7CE29A76E9769486)

do you see 
~/.gnupg/private-keys-v1.d/FD1DA474D3DF3C728C54F9E479EDFC5BBE2E14EA.key ?

 Depending on the output of the above, maybe you can try importing your
 secret keyring again:

  gpg2 --import  ~/.gnupg/secring.gpg

 (this should have been imported automatically for you upon your first
 use of gpg 2.1 after the upgrade)

 I get a lot more legacy key errors, and this weird error that I don't
 understand:

 gpg: key D15D313882004173: no valid user IDs
 gpg: this may be caused by a missing self-signature
 gpg: keydb_get_keyblock failed: Legacy key
 gpg: key D15D313882004173: failed to re-lookup public key

 That key definitely has a self-signature.  It's the same key I use for
 Debian.

 mithrandir:~/private/db$ gpg -kv D15D313882004173
 pub   4096R/D15D313882004173 2009-05-29 [expires: 2017-09-17]
 uid   [ultimate] Russ Allbery ea...@eyrie.org
 uid   [ultimate] Russ Allbery r...@stanford.edu
 uid   [ultimate] Russ Allbery r...@debian.org
 uid   [ revoked] Russ Allbery ea...@windlord.stanford.edu
 uid   [ultimate] Russ Allbery r...@cs.stanford.edu
 sub   4096R/7CE29A76E9769486 2009-05-29 [expires: 2017-09-17]
 sub   2048R/7D80315C5736DE75 2010-09-17 [expires: 2016-03-20]

I agree with you that this key clearly has valid self-sigs.  it does in
my copy as well.

can you show the same output from gpg2 as well as gpg ?

Also: does it show up in the output of:

 gpg2 --list-secret-keys

sorry for the hassle, and thanks for the quick debugging responses.

--dkg
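
The keygrip check from the message above, generalized to every key in the old secret keyring. This is an added example, not part of the thread or of GnuPG; it assumes the `grp` records that `gpg2 --with-colons --with-keygrip` prints, and the sample key IDs and keygrips are constructed.

```shell
# Added example, not from the bug thread. Real use, assuming `gpg` is GnuPG 1.4
# (still reads secring.gpg) and `gpg2` is 2.1, as on the reporter's system:
#   gpg  --with-colons --list-secret-keys         | expected_keyids > expected
#   gpg2 --with-colons --with-keygrip --list-keys | keygrip_map     > map
#   check_migration expected map ~/.gnupg/private-keys-v1.d

# Prints the long key ID (field 5) of every sec/ssb record on stdin.
expected_keyids() {
    awk -F: '$1 == "sec" || $1 == "ssb" { print $5 }'
}

# Pairs each pub/sub record with the grp record (keygrip in field 10) that
# follows it and prints "KEYID KEYGRIP".
keygrip_map() {
    awk -F: '
        $1 == "pub" || $1 == "sub" { keyid = $5 }
        $1 == "grp" && keyid != "" { print keyid, $10; keyid = "" }'
}

# check_migration EXPECTED_FILE MAP_FILE KEYDIR
# One result line per expected key ID; returns 1 if any key is unusable.
check_migration() {
    expected=$1; map=$2; keydir=$3; rc=0
    while read -r keyid; do
        # ($1 "") forces a string comparison even for all-digit key IDs
        grip=$(awk -v k="$keyid" '($1 "") == (k "") { print $2; exit }' "$map")
        if [ -z "$grip" ]; then
            echo "$keyid NO-PUBLIC-KEY"; rc=1          # gpg2 cannot list it
        elif [ ! -f "$keydir/$grip.key" ]; then
            echo "$keyid MISSING-KEYFILE $grip"; rc=1  # agent holds no secret
        else
            echo "$keyid OK $grip"
        fi
    done < "$expected"
    return "$rc"
}

# Constructed sample data, not real keys: the old secring holds a primary key
# and two subkeys; gpg2 lists only two of them and only one key file exists.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/private-keys-v1.d"
    g1=1111111111111111111111111111111111111111
    g2=2222222222222222222222222222222222222222
    : > "$tmp/private-keys-v1.d/$g1.key"
    expected_keyids > "$tmp/expected" <<EOF
sec::4096:1:AAAAAAAAAAAAAAAA:2009-05-29::::Sample User <user@example.org>:::
ssb::4096:1:BBBBBBBBBBBBBBBB:2009-05-29:::::::
ssb::2048:1:CCCCCCCCCCCCCCCC:2010-09-17:::::::
EOF
    keygrip_map > "$tmp/map" <<EOF
pub:u:4096:1:AAAAAAAAAAAAAAAA:1243555200:::u:::scESC:
grp:::::::::$g1:
uid:u::::1243555200::0000::Sample User <user@example.org>:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1243555200::::::e:
grp:::::::::$g2:
EOF
    st=0
    check_migration "$tmp/expected" "$tmp/map" "$tmp/private-keys-v1.d" || st=$?
    rm -rf "$tmp"
    return "$st"
}

demo || true
```

A `MISSING-KEYFILE` line matches the state reported in this thread (public key known, no file under `private-keys-v1.d`); `NO-PUBLIC-KEY` matches the earlier "error reading key: No public key" state.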



Bug#795639: assword fails with Decryption error: Decryption failed

2015-08-16 Thread Russ Allbery
Daniel Kahn Gillmor d...@fifthhorseman.net writes:

 ok, so the keygrip for 0x7CE29A76E9769486 is
 FD1DA474D3DF3C728C54F9E479EDFC5BBE2E14EA

 (via gpg2  --with-keygrip --list-keys 7CE29A76E9769486)

 do you see
 ~/.gnupg/private-keys-v1.d/FD1DA474D3DF3C728C54F9E479EDFC5BBE2E14EA.key
 ?

No, that file doesn't exist.  So it looks like you've located the problem.

 I agree with you that this key clearly has valid self-sigs.  it does in
 my copy as well.

 can you show the same output from gpg2 as well as gpg ?

I can't, no, because I get the same problem:

mithrandir:~$ gpg2 -kv D15D313882004173
gpg: using classic trust model
gpg: keydb_get_keyblock failed: Legacy key
gpg: error reading key: No public key

Aha.  Okay, I seem to have fixed it, although I still don't really
understand what happened.  On a hunch, I ran:

$ gpg2 --import ~/.gnupg/pubring.gpg

That spat out a bunch of output (tons and tons of those legacy key
messages), and then I ran:

$ gpg2 --import ~/.gnupg/secring.gpg

again.  That prompted me for the passphrase for the private key for
D15D313882004173, and then apparently successfully imported it.  Now, the
gpg2 command works:

mithrandir:~$ gpg2 -kv D15D313882004173
gpg: using classic trust model
pub   rsa4096/D15D313882004173 2009-05-29 [expires: 2017-09-17]
uid [ultimate] Russ Allbery ea...@eyrie.org
uid [ultimate] Russ Allbery r...@stanford.edu
uid [ultimate] Russ Allbery r...@debian.org
uid [ revoked] Russ Allbery ea...@windlord.stanford.edu
uid [ultimate] Russ Allbery r...@cs.stanford.edu
sub   rsa4096/7CE29A76E9769486 2009-05-29 [expires: 2017-09-17]
sub   rsa2048/7D80315C5736DE75 2010-09-17 [expires: 2016-03-20]

and now assword works again.

So, something weird about the automated key import process for gpg2?

-- 
Russ Allbery (r...@debian.org)   http://www.eyrie.org/~eagle/



Bug#795639: assword fails with Decryption error: Decryption failed

2015-08-15 Thread Russ Allbery
Jameson Graef Rollins jroll...@finestructure.net writes:

 Thanks for the report, Russ, and sorry about the trouble.

 I'm actually unable to reproduce this bug by just installing gnupg2 from
 unstable (2.1.7-2).  However, my /usr/bin/gpg is from the gnupg package,
 not gnupg2.  I'm guessing that maybe you're using gnupg2 as gnupg in
 this case?

Hm, nope, I'm similarly using /usr/bin/gpg from the gnupg package.  Is
that what assword is using?  Now I'm quite confused.

I should mention that I upgraded both gnupg2 and gnupg-agent and it broke,
and then I downgraded both and it started working.  I was assuming that it
was gnupg2, but maybe the problem is actually the agent, and only people
using the agent will have trouble?

strace seems to back that up.  It chats with the agent for a bit, and then
it fails.  See the partial trace below.  It seems to get as far as
realizing that I don't currently have the secret key unlocked, but then
rather than popping up a dialog to prompt me, just immediately fails.
Running gpg manually on a file pops up the agent dialog like I would
expect.

I tried killing all the agents and logging out and then back in again to
force the agent to respawn, but unfortunately there was no change in
behavior.

It's quite possible that this is a bug somewhere in the new version of
gnupg and it just happens to break assword.

read(4, [GNUPG:] PROGRESS -10 ? 0 0\n, 1024) = 29
select(9, [4 8], [], NULL, {1, 0})  = 1 (in [4], left {0, 89})
select(5, [4], [], NULL, {0, 0})= 1 (in [4], left {0, 0})
read(4, [GNUPG:] ENC_TO 7CE29A76E9769486..., 1024) = 37
select(9, [4 8], [], NULL, {1, 0})  = 1 (in [4], left {0, 984921})
select(5, [4], [], NULL, {0, 0})= 1 (in [4], left {0, 0})
read(4, [GNUPG:] NO_SECKEY 7CE29A76E9769..., 1024) = 145
select(9, [4 8], [], NULL, {1, 0})  = 1 (in [8], left {0, 23})
select(9, [8], [], NULL, {0, 0})= 1 (in [8], left {0, 0})
read(8, , 4096)   = 0
close(8)= 0
select(5, [4], [], NULL, {1, 0})= 1 (in [4], left {0, 99})
select(5, [4], [], NULL, {0, 0})= 1 (in [4], left {0, 0})
read(4, , 1024)   = 0
close(4)= 0
open(/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libgpg-error.mo, O_RDONLY) = -1 ENOENT (No such file or directory)
open(/usr/share/locale/en_US.utf8/LC_MESSAGES/libgpg-error.mo, O_RDONLY) = -1 ENOENT (No such file or directory)
open(/usr/share/locale/en_US/LC_MESSAGES/libgpg-error.mo, O_RDONLY) = -1 ENOENT (No such file or directory)
open(/usr/share/locale/en.UTF-8/LC_MESSAGES/libgpg-error.mo, O_RDONLY) = -1 ENOENT (No such file or directory)
open(/usr/share/locale/en.utf8/LC_MESSAGES/libgpg-error.mo, O_RDONLY) = -1 ENOENT (No such file or directory)
open(/usr/share/locale/en/LC_MESSAGES/libgpg-error.mo, O_RDONLY) = -1 ENOENT (No such file or directory)
close(3)= 0
munmap(0x7f988d24e000, 4096)= 0
write(2, Assword database error: Decrypti..., 59Assword database error: Decryption error: Decryption failed) = 59

-- 
Russ Allbery (r...@debian.org)   http://www.eyrie.org/~eagle/



Bug#795639: assword fails with Decryption error: Decryption failed

2015-08-15 Thread Russ Allbery
Daniel Kahn Gillmor d...@fifthhorseman.net writes:

 does this succeed with gpg2 --decrypt as well, or just gpg --decrypt?

Aha.  Here's a problem:

mithrandir:~/private/db$ gpg2 --decrypt personal
gpg: error reading keyblock: Legacy key
gpg: keydb_get_keyblock failed: Legacy key
gpg: encrypted with RSA key, ID 7CE29A76E9769486
gpg: decryption failed: No secret key

I have no idea what that means, and Google was not particularly
enlightening.

 do you see files listed when you look at the GnuPG 2.1 secret key storage:

ls -l ~/.gnupg/private-keys-v1.d/*.key

Yes.

 what about checking to see the date that GnuPG 2.1 did the keyring
 migration:

ls -l ~/.gnupg/.gpg-v21-migrated

 ?

Looks like this afternoon just when this problem started.

 Depending on the output of the above, maybe you can try importing your
 secret keyring again:

  gpg2 --import  ~/.gnupg/secring.gpg

 (this should have been imported automatically for you upon your first
 use of gpg 2.1 after the upgrade)

I get a lot more legacy key errors, and this weird error that I don't
understand:

gpg: key D15D313882004173: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: keydb_get_keyblock failed: Legacy key
gpg: key D15D313882004173: failed to re-lookup public key

That key definitely has a self-signature.  It's the same key I use for
Debian.

mithrandir:~/private/db$ gpg -kv D15D313882004173
pub   4096R/D15D313882004173 2009-05-29 [expires: 2017-09-17]
uid   [ultimate] Russ Allbery ea...@eyrie.org
uid   [ultimate] Russ Allbery r...@stanford.edu
uid   [ultimate] Russ Allbery r...@debian.org
uid   [ revoked] Russ Allbery ea...@windlord.stanford.edu
uid   [ultimate] Russ Allbery r...@cs.stanford.edu
sub   4096R/7CE29A76E9769486 2009-05-29 [expires: 2017-09-17]
sub   2048R/7D80315C5736DE75 2010-09-17 [expires: 2016-03-20]

-- 
Russ Allbery (r...@debian.org)   http://www.eyrie.org/~eagle/



Bug#795639: assword fails with Decryption error: Decryption failed

2015-08-15 Thread Russ Allbery
Package: assword
Version: 0.8-2
Severity: grave

assword can no longer decrypt any of my password stores.  It fails with
the error:

mithrandir:~$ assword dump foo
Assword database error: Decryption error: Decryption failed

The data store is not corrupt; running GnuPG on it manually works fine.
This appears to be caused by the upgrade of gnupg2 to 2.1.7-2.
Downgrading to 2.0.28-3 makes everything start working properly again.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages assword depends on:
ii  python2.7.9-1
ii  python-gpgme  0.3-1+b1
ii  python-gtk2   2.24.0-4
ii  python-pkg-resources  18.0.1-2

Versions of packages assword recommends:
pn  python-xdo  none
ii  xclip   0.12+svn84-4

assword suggests no packages.

-- no debconf information



Processed (with 5 errors): Re: Bug#795639: assword fails with Decryption error: Decryption failed

2015-08-15 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 tags 795639 + unreproducible moreinfo
Bug #795639 [assword] assword fails with Decryption error: Decryption failed
Added tag(s) moreinfo and unreproducible.
 On Sat, Aug 15 2015, Russ Allbery r...@debian.org wrote:
Unknown command or malformed arguments to command.
  Package: assword
Unknown command or malformed arguments to command.
  Version: 0.8-2
Unknown command or malformed arguments to command.
  Severity: grave
Unknown command or malformed arguments to command.
 
Unknown command or malformed arguments to command.
Too many unknown commands, stopping here.

Please contact me if you need assistance.
-- 
795639: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=795639
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#795639: assword fails with Decryption error: Decryption failed

2015-08-15 Thread Jameson Graef Rollins
tags 795639 + unreproducible moreinfo

On Sat, Aug 15 2015, Russ Allbery r...@debian.org wrote:
 Package: assword
 Version: 0.8-2
 Severity: grave

 assword can no longer decrypt any of my password stores.  It fails with
 the error:

 mithrandir:~$ assword dump foo
 Assword database error: Decryption error: Decryption failed

 The data store is not corrupt; running GnuPG on it manually works fine.
 This appears to be caused by the upgrade of gnupg2 to 2.1.7-2.
 Downgrading to 2.0.28-3 makes everything start working properly again.

Thanks for the report, Russ, and sorry about the trouble.

I'm actually unable to reproduce this bug by just installing gnupg2 from
unstable (2.1.7-2).  However, my /usr/bin/gpg is from the gnupg package,
not gnupg2.  I'm guessing that maybe you're using gnupg2 as gnupg in
this case?

Could this be an incompatibility between python-gpgme, which uses
libgpgme11, and gnupg2?

jamie.




Processed: Re: Bug#795639: assword fails with Decryption error: Decryption failed

2015-08-15 Thread Debian Bug Tracking System
Processing control commands:

 tags 795639 + moreinfo
Bug #795639 [assword] assword fails with Decryption error: Decryption failed
Ignoring request to alter tags of bug #795639 to the same tags previously set
 reassign 795639 gnupg2 2.1.7-2
Bug #795639 [assword] assword fails with Decryption error: Decryption failed
Bug reassigned from package 'assword' to 'gnupg2'.
No longer marked as found in versions assword/0.8-2.
Ignoring request to alter fixed versions of bug #795639 to the same values previously set
Bug #795639 [gnupg2] assword fails with Decryption error: Decryption failed
Marked as found in versions gnupg2/2.1.7-2.
 affects 795639 assword
Bug #795639 [gnupg2] assword fails with Decryption error: Decryption failed
Added indication that 795639 affects assword

-- 
795639: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=795639
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#795639: assword fails with Decryption error: Decryption failed

2015-08-15 Thread Daniel Kahn Gillmor
Control: tags 795639 + moreinfo
Control: reassign 795639 gnupg2 2.1.7-2
Control: affects 795639 assword

Hi Russ--

On Sun 2015-08-16 01:03:16 +0200, Russ Allbery wrote:
 strace seems to back that up.  It chats with the agent for a bit, and
 then it fails.  See the partial trace below.  It seems to get as far
 as realizing that I don't currently have the secret key unlocked, but
 then rather than popping up a dialog to prompt me, just immediately
 fails.

Thanks for sending this report.  I've been using gpg 2.1.7 for
several months now, and i haven't had this problem.  Hopefully we can
diagnose what's going on here.

fwiw, i agree that this is most likely a bug we should deal with in
gnupg2, not in assword.

 Running gpg manually on a file pops up the agent dialog like I would
 expect.

does this succeed with gpg2 --decrypt as well, or just gpg --decrypt?

do you see files listed when you look at the GnuPG 2.1 secret key storage:

   ls -l ~/.gnupg/private-keys-v1.d/*.key

what about checking to see the date that GnuPG 2.1 did the keyring
migration:

   ls -l ~/.gnupg/.gpg-v21-migrated

?

 I tried killing all the agents and logging out and then back in again to
 force the agent to respawn, but unfortunately there was no change in
 behavior.

Depending on the output of the above, maybe you can try importing your
secret keyring again:

 gpg2 --import  ~/.gnupg/secring.gpg

(this should have been imported automatically for you upon your first
use of gpg 2.1 after the upgrade)

Please let me know if this solves the problem for you, or if you learn
any new information.

Regards,

  --dkg

