Bug#846953: [pkg-gnupg-maint] Bug#846953: gpg2 fails to decrypt with "No secret key" but gpg1 succeeds
Control: reassign 846953 gnupg-agent
Control: retitle 846953 gnupg-agent cannot deal with extremely large passphrase-encrypted keys
Control: forwarded 846953 https://bugs.gnupg.org/gnupg/issue2857

On Mon 2016-12-05 11:24:08 -0500, Daniel Kahn Gillmor wrote:
> on to the rest of it...
>
> do you have
> ~/.gnupg/private-keys-v1.d/DFE35C37A3C37A72BEE31A2E55252BA2A1EB0A2C.key
> ?
>
> is it (in)appropriately large compared to the other, smaller secret key
> material?
>
> (that path is derived from --with-keygrip, fwiw)
>
> can you try turning up the logging for gpg-agent (log-file and
> debug-level in ~/.gnupg/gpg-agent.conf, followed by restarting the
> agent) and see if it reports anything differently?
>
> Also, how did you generate such a large key? gpg usually limits key
> generation to sane lengths.

OK, i'm now able to replicate the problem by making such a large key and
trying to use it with gpg-agent. the key works fine as long as it has no
passphrase attached, but once i add a passphrase and try to use it,
gpg-agent crashes with:

    2016-12-05 11:30:11 gpg-agent[24311] Fatal: out of core in secure memory while allocating 640 bytes
    2016-12-05 11:30:11 gpg-agent[24311] socket file has been removed - shutting down

It'd be better to fail gracefully instead.

I'm attaching an encryption-capable 10240-bit RSA secret key (in OpenPGP
transferable secret key format, with passphrase "abc123") for use by
anyone who wants to test. In a new GNUPGHOME, do:

    gpg --batch --yes --import test-hugekey.key
    echo test | gpg -r 861A97D02D4EE690A125DCC156CC9789743D4A89 --encrypt --armor --trust-model=always --batch --yes --output data.gpg
    gpg --decrypt data.gpg

you'll note that the agent dies when doing that :/

I'm reassigning and retitling the bug to gnupg-agent, since that seems
to be where the problem lies. I also noticed that upstream's
https://bugs.gnupg.org/gnupg/issue2857 is quite similar, so i'm marking
this as "forwarded" there.

--dkg

[Attachment: test-hugekey.key (application/pgp-keys)]
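The message above asks for gpg-agent logging to be turned up (log-file and debug-level in gpg-agent.conf) and then quotes the "Fatal: out of core in secure memory" line the agent writes before it shuts down. The following POSIX shell snippet is an added example, not code from the thread or from GnuPG: it writes that logging configuration into a GNUPGHOME that may not yet have a gpg-agent.conf (as in Ryan's report), and parses a gpg-agent log for Fatal entries so the crash can be spotted mechanically rather than by eye. The function names, the temporary-directory layout and the sample log lines are this example's own constructions; the two Fatal/shutdown lines in the sample are the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the bug thread or from GnuPG): enable gpg-agent
# logging the way dkg suggests and scan the resulting log for "Fatal:" lines.
# Function names, paths and the sample log are constructed for this demo.

# Write (or extend) gpg-agent.conf under the given GNUPGHOME so the agent logs
# at "basic" level to a file in that directory. gpg-agent only re-reads its
# configuration on restart, so run "gpgconf --kill gpg-agent" afterwards.
write_agent_logging_conf() {
    home="$1"
    conf="$home/gpg-agent.conf"
    mkdir -p "$home"
    chmod 700 "$home"
    # The config may not exist yet (Ryan's grep got "No such file"), so the
    # grep failures below simply mean "not configured yet".
    if ! grep -q '^log-file ' "$conf" 2>/dev/null; then
        printf 'log-file %s/gpg-agent.log\n' "$home" >> "$conf"
    fi
    if ! grep -q '^debug-level ' "$conf" 2>/dev/null; then
        printf 'debug-level basic\n' >> "$conf"
    fi
    printf '%s\n' "$conf"
}

# gpg-agent log lines have the shape
#   YYYY-MM-DD HH:MM:SS gpg-agent[PID] message...
# Print how many of them carry a "Fatal:" message (0 when there are none).
count_agent_fatals() {
    awk '$3 ~ /^gpg-agent\[[0-9]+]$/ && $4 == "Fatal:" { n++ }
         END { print n + 0 }' "$1"
}

# Print one "PID<TAB>message" line per Fatal entry, message without the
# "Fatal:" prefix, so it can be fed to whatever alerting is in use.
agent_fatal_messages() {
    awk '$3 ~ /^gpg-agent\[[0-9]+]$/ && $4 == "Fatal:" {
             pid = $3; sub(/^gpg-agent\[/, "", pid); sub(/]$/, "", pid)
             msg = ""
             for (i = 5; i <= NF; i++) msg = msg (i > 5 ? " " : "") $i
             printf "%s\t%s\n", pid, msg
         }' "$1"
}

# Constructed sample log for the demo: the two lines quoted in the thread,
# preceded by an ordinary startup line in the same format.
write_sample_agent_log() {
    cat > "$1" <<'EOF'
2016-12-05 11:30:09 gpg-agent[24311] listening on socket '/tmp/demo/S.gpg-agent'
2016-12-05 11:30:11 gpg-agent[24311] Fatal: out of core in secure memory while allocating 640 bytes
2016-12-05 11:30:11 gpg-agent[24311] socket file has been removed - shutting down
EOF
}

demo() {
    home=$(mktemp -d)
    conf=$(write_agent_logging_conf "$home")
    echo "wrote $conf:"
    cat "$conf"
    write_sample_agent_log "$home/gpg-agent.log"
    echo "fatal entries: $(count_agent_fatals "$home/gpg-agent.log")"
    agent_fatal_messages "$home/gpg-agent.log"
    rm -rf "$home"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh agent-log-check.sh demo` to see the written configuration and the single Fatal entry extracted from the constructed log; against a real installation, point write_agent_logging_conf at your GNUPGHOME, restart the agent, reproduce the decryption, and run count_agent_fatals on the log-file you configured.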
Bug#846953: [pkg-gnupg-maint] Bug#846953: gpg2 fails to decrypt with "No secret key" but gpg1 succeeds
On Mon 2016-12-05 09:40:38 -0500, Ryan Kavanagh wrote:
> I didn't have it set. Setting it now makes pinentry appear when I try to
> decrypt stdin (thanks!), but it unfortunately didn't fix the rest of the
> issue, e.g., I still can't decrypt files. (And I still can't decrypt
> stdin, though this is likely no longer due to lack of GPG_TTY).

cool, glad we got the passphrase-prompting bit sorted out.

on to the rest of it...

do you have
~/.gnupg/private-keys-v1.d/DFE35C37A3C37A72BEE31A2E55252BA2A1EB0A2C.key
?

is it (in)appropriately large compared to the other, smaller secret key
material?

(that path is derived from --with-keygrip, fwiw)

can you try turning up the logging for gpg-agent (log-file and
debug-level in ~/.gnupg/gpg-agent.conf, followed by restarting the
agent) and see if it reports anything differently?

Also, how did you generate such a large key? gpg usually limits key
generation to sane lengths.

--dkg
Bug#846953: [pkg-gnupg-maint] Bug#846953: gpg2 fails to decrypt with "No secret key" but gpg1 succeeds
Hi Daniel,

On Mon, Dec 05, 2016 at 09:20:09AM -0500, Daniel Kahn Gillmor wrote:
> > rak@zeta:~$ echo "ABC" | gpg -r$GPGKEY1 --encrypt | gpg --debug 8 --decrypt
>
> do you have GPG_TTY set? if not, can you retry the first command after
> having done:
>
>     GPG_TTY=$(tty)

I didn't have it set. Setting it now makes pinentry appear when I try to
decrypt stdin (thanks!), but it unfortunately didn't fix the rest of the
issue, e.g., I still can't decrypt files. (And I still can't decrypt
stdin, though this is likely no longer due to lack of GPG_TTY).

> if you set GPG_TTY then gpg will tell gpg-agent (which will tell
> pinentry-curses) which terminal it should prompt on.

I now get prompted for my passphrase by pinentry-curses on the current
terminal, and entering a bogus passphrase causes pinentry-curses to
complain about a bad passphrase. So there is some checking (hopefully by
gpg-agent!) of the passphrase somewhere along the line:

    rak@zeta:/tmp$ killall gpg-agent
    rak@zeta:/tmp$ export GPG_TTY=$(tty)
    rak@zeta:/tmp$ echo "abc" | gpg -r$GPGKEY --encrypt > abc.gpg && gpg --decrypt abc.gpg
    gpg: encrypted with 10240-bit RSA key, ID 20E0235B0F5E9C64, created 2009-09-24
          "Ryan Kavanagh"
    gpg: public key decryption failed: End of file
    gpg: decryption failed: No secret key
    rak@zeta:/tmp$ echo "abc" | gpg -r$GPGKEY --encrypt | gpg --decrypt
    gpg: encrypted with 10240-bit RSA key, ID 20E0235B0F5E9C64, created 2009-09-24
          "Ryan Kavanagh "
    gpg: public key decryption failed: End of file
    gpg: decryption failed: No secret key
    rak@zeta:/tmp$ echo "abc" | gpg -r$GPGKEY --encrypt | gpg --decrypt
    gpg: encrypted with 10240-bit RSA key, ID 20E0235B0F5E9C64, created 2009-09-24
          "Ryan Kavanagh "
    gpg: public key decryption failed: Bad passphrase
    gpg: decryption failed: No secret key
    rak@zeta:/tmp$ env | grep GPG_TTY
    GPG_TTY=/dev/pts/7

> Upstream tends to recommend setting GPG_TTY in your .bashrc.

Noted, thanks!

Best wishes,
Ryan

--
|_)|_/ Ryan Kavanagh | GPG: 4E46 9519 ED67 7734 268F
| \| \ https://ryanak.ca/ | BD95 8F7B F8FC 4A11 C97A
Bug#846953: [pkg-gnupg-maint] Bug#846953: gpg2 fails to decrypt with "No secret key" but gpg1 succeeds
On Sun 2016-12-04 20:37:47 -0500, Ryan Kavanagh wrote:
> Guessing from the bug report and from the fact that
> ~/.gnupg/.gpg-v21-migrated is empty, the first command was supposed to
> be an rm on that file.

whoop, yes, you're right.

> rak@zeta:~$ echo "ABC" | gpg -r$GPGKEY1 --encrypt | gpg --debug 8 --decrypt
> gpg: reading options from '/home/rak/.gnupg/gpg.conf'
> gpg: enabled debug flags: filter
> gpg: encrypted with 2048-bit ELG key, ID 6C6FA7C974FCFC3F, created 2006-02-22
>       "Ryan Kavanagh (kubuntu.org email alias)"
> gpg: public key decryption failed: Inappropriate ioctl for device
[…]
> rak@zeta:~$ readlink -f $(which pinentry)
> /usr/bin/pinentry-curses
[…]
> rak@zeta:~$ echo "abc" > /tmp/abc && gpg --clearsign /tmp/abc
> gpg: using "8F7BF8FC4A11C97A" as default secret key for signing
>
> rak@zeta:~$ gpg --verify /tmp/abc.asc
> gpg: Signature made Sun 04 Dec 2016 08:34:55 PM EST
> gpg:                using RSA key 4E469519ED677734268FBD958F7BF8FC4A11C97A

do you have GPG_TTY set? if not, can you retry the first command after
having done:

    GPG_TTY=$(tty)

in the failed example, stdin of --decrypt is set to the incoming data
stream. in the two successful examples, stdin is just the terminal's
attached stdin. if you set GPG_TTY then gpg will tell gpg-agent (which
will tell pinentry-curses) which terminal it should prompt on.

Upstream tends to recommend setting GPG_TTY in your .bashrc.

I will say that this:

> gpg: public key decryption failed: Inappropriate ioctl for device
> gpg: decryption failed: No secret key

Is a very unclear set of error messages to give you a hint that this is
the case, though :/

--dkg
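The diagnosis above is that in `echo ... | gpg --decrypt` gpg's stdin is the data pipe rather than the terminal, so gpg cannot work out where pinentry-curses should prompt unless GPG_TTY names the terminal, and the only symptom is the opaque "Inappropriate ioctl for device" / "No secret key" pair. The POSIX shell snippet below is an added example, not code from the thread or from GnuPG: it checks up front whether a usable terminal is available (an explicit GPG_TTY first, then the terminal on stdin, as gpg itself falls back), and a small wrapper refuses to run the gpg command at all when neither is usable, so the failure is reported before gpg produces the misleading error. The function names are this example's own; the GPG_TTY semantics and the `tty` fallback are as described in the message above.

```shell
#!/bin/sh
# Added example (not from the bug thread or from GnuPG): find out, before
# invoking gpg, whether gpg-agent/pinentry-curses will have a terminal to
# prompt on. Function names are this example's own.

# Print the terminal gpg will be told to use: an explicit GPG_TTY wins,
# otherwise the terminal attached to stdin (what gpg discovers on its own).
# Returns 1 with a diagnostic on stderr when neither exists, which is the
# "stdin is a pipe and GPG_TTY is unset" case from the thread.
resolve_gpg_tty() {
    if [ -n "${GPG_TTY:-}" ]; then
        candidate="$GPG_TTY"
    elif candidate=$(tty 2>/dev/null); then
        : # stdin is a terminal and tty(1) printed its path
    else
        echo "resolve_gpg_tty: stdin is not a terminal and GPG_TTY is unset" >&2
        return 1
    fi
    # A stale GPG_TTY (e.g. left over from a closed session) is as useless as
    # none at all, so insist on an existing, writable character device.
    if [ -c "$candidate" ] && [ -w "$candidate" ]; then
        printf '%s\n' "$candidate"
        return 0
    fi
    echo "resolve_gpg_tty: $candidate is not a writable character device" >&2
    return 1
}

# Run a command with GPG_TTY exported, failing early (instead of letting gpg
# report "No secret key" later) when no terminal can be found.
with_gpg_tty() {
    GPG_TTY=$(resolve_gpg_tty) || return 1
    export GPG_TTY
    "$@"
}

# Stand-alone demo: report what this shell would hand to gpg.
if [ "${1:-}" = "demo" ]; then
    if t=$(resolve_gpg_tty); then
        echo "gpg will prompt on $t"
    else
        echo "gpg would fail to prompt; set GPG_TTY=\$(tty) in your shell first"
    fi
fi
```

In an interactive shell, `export GPG_TTY=$(tty)` (the .bashrc recommendation) followed by `echo "abc" | gpg -r "$GPGKEY" --encrypt | with_gpg_tty gpg --decrypt` works because the exported variable is inherited into the pipeline; without the export, the wrapper inside the pipeline sees only the pipe on stdin and stops with a clear message rather than the "Inappropriate ioctl for device" error.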
Bug#846953: [pkg-gnupg-maint] Bug#846953: gpg2 fails to decrypt with "No secret key" but gpg1 succeeds
Hi Daniel,

On Sun, Dec 04, 2016 at 07:08:34PM -0500, Daniel Kahn Gillmor wrote:
> Please try:
>
>     ~/.gnupg/.gpg-v21-migrated
>     gpg --list-secret-keys

Guessing from the bug report and from the fact that
~/.gnupg/.gpg-v21-migrated is empty, the first command was supposed to
be an rm on that file. It didn't work. I thought it might have something
to do with my stupidly big key size, but it doesn't work for my old
(reasonably sized) key either.

    rak@zeta:~$ rm .gnupg/.gpg-v21-migrated
    rak@zeta:~$ killall gpg-agent
    rak@zeta:~$ ps aux | grep gpg-agent
    rak        347  0.0  0.0  12784   972 pts/5    S+   20:29   0:00 grep gpg-agent
    rak@zeta:~$ gpg --list-secret-keys
    gpg: starting migration from earlier GnuPG versions
    gpg: porting secret keys from '/home/rak/.gnupg/secring.gpg' to gpg-agent
    gpg: key 7BD15207E95EDDC9: secret key imported
    gpg: key 8F7BF8FC4A11C97A: secret key imported
    gpg: key 5FA9C430B8F36FCA: secret key imported
    gpg: migration succeeded
    rak@zeta:~$ echo "ABC" | gpg -r$GPGKEY --encrypt | gpg --debug 8 --decrypt
    gpg: reading options from '/home/rak/.gnupg/gpg.conf'
    gpg: enabled debug flags: filter
    gpg: encrypted with 10240-bit RSA key, ID 20E0235B0F5E9C64, created 2009-09-24
          "Ryan Kavanagh"
    gpg: public key decryption failed: Inappropriate ioctl for device
    gpg: decryption failed: No secret key
    gpg: secmem usage: 0/65536 bytes in 0 blocks
    rak@zeta:~$ echo "ABC" | gpg -r$GPGKEY1 --encrypt | gpg --debug 8 --decrypt
    gpg: reading options from '/home/rak/.gnupg/gpg.conf'
    gpg: enabled debug flags: filter
    gpg: encrypted with 2048-bit ELG key, ID 6C6FA7C974FCFC3F, created 2006-02-22
          "Ryan Kavanagh (kubuntu.org email alias) "
    gpg: public key decryption failed: Inappropriate ioctl for device
    gpg: decryption failed: No secret key
    gpg: secmem usage: 0/65536 bytes in 0 blocks

> If it doesn't work for you, please report back here, and let us know the
> output of:
>
>     readlink -f $(which pinentry)
>     grep pinentry-program ~/.gnupg/gpg-agent.conf
>     echo getinfo flavor | pinentry

    rak@zeta:~$ readlink -f $(which pinentry)
    /usr/bin/pinentry-curses
    rak@zeta:~$ grep pinentry-program ~/.gnupg/gpg-agent.conf
    grep: /home/rak/.gnupg/gpg-agent.conf: No such file or directory
    rak@zeta:~$ echo getinfo flavor | pinentry
    OK Pleased to meet you
    D curses:curses
    OK

I run gpg from a text-mode terminal. I would be surprised if it were a
pinentry problem, because I can successfully sign messages using
gpg2+pinentry, e.g.,

    rak@zeta:~$ echo "abc" > /tmp/abc && gpg --clearsign /tmp/abc
    gpg: using "8F7BF8FC4A11C97A" as default secret key for signing
    rak@zeta:~$ gpg --verify /tmp/abc.asc
    gpg: Signature made Sun 04 Dec 2016 08:34:55 PM EST
    gpg:                using RSA key 4E469519ED677734268FBD958F7BF8FC4A11C97A

Best wishes,
Ryan

--
|_)|_/ Ryan Kavanagh | GPG: 4E46 9519 ED67 7734 268F
| \| \ https://ryanak.ca/ | BD95 8F7B F8FC 4A11 C97A
Bug#846953: [pkg-gnupg-maint] Bug#846953: gpg2 fails to decrypt with "No secret key" but gpg1 succeeds
Hi Ryan--

On Sun 2016-12-04 10:52:12 -0500, Ryan Kavanagh wrote:
> I'm unable to decrypt messages with gpg2, but can decrypt them with gpg1. See
> below for details. Please let me know if I can provide any further debugging
> information.

This sounds a lot like https://bugs.gnupg.org/gnupg/issue2811

Please try:

    ~/.gnupg/.gpg-v21-migrated
    gpg --list-secret-keys

and then try the decryption again with gpg.

If this works for you, please report back here!

If it doesn't work for you, please report back here, and let us know the
output of:

    readlink -f $(which pinentry)
    grep pinentry-program ~/.gnupg/gpg-agent.conf
    echo getinfo flavor | pinentry

and what context you're running gpg from: within a graphical session, in
a text-mode terminal, etc.

Thanks!

--dkg