gnupg-2.1 -> 2.1 appears to break decryption of saved messages
Konstantin Belousov
kostikbel at gmail.com
Wed Jan 7 15:31:23 UTC 2015
On Wed, Jan 07, 2015 at 07:16:12AM -0800, David Wolfskill wrote:
> On Wed, Jan 07, 2015 at 07:49:34AM -0600, Corey Halpin wrote:
> > On 2014-11-20, David Wolfskill wrote:
> > ...
> > > Then, a few minutes ago, I tried to retrieve a password from one of my
> > > saved encrypted messages... only to be informed "Could not copy
> > > message".
> >
> > I also enjoyed some friction trying to use gnupg 2.1 with mutt,
> > though I didn't get the "Could not copy message" error that you
> > report.
> >
> > Instead I was seeing 'no secret key'. In my case, this was resolved
> > by following the advice at
> > https://wiki.archlinux.org/index.php/GnuPG#Unattended_passphrase .
>
> Thank you for digging further & reporting.
>
> I tried your suggestion, but still see the same failure.
>
> I then ran "ktrace -di mutt ..." to see what was going on (after
> replacing gnupg-2.0 with -2.1); that showed (after initialization):
>
> ...
> 9268 gpg2 CALL write(0x2,0x28c20800,0x28)
> 9268 gpg2 GIO fd 2 wrote 40 bytes
> "gpg: keydb_search failed: Invalid packet"
> 9268 gpg2 RET write 40/0x28
> 9268 gpg2 CALL write(0x2,0x80d54e4,0x1)
> 9268 gpg2 GIO fd 2 wrote 1 byte
> "
> "
> 9268 gpg2 RET write 1
> 9268 gpg2 CALL write(0x2,0x28c20800,0x32)
> 9268 gpg2 GIO fd 2 wrote 50 bytes
> "gpg: encrypted with RSA key, ID 0xC0395DCCCFC71941"
> 9268 gpg2 RET write 50/0x32
> 9268 gpg2 CALL write(0x2,0x80d70d1,0x1)
> 9268 gpg2 GIO fd 2 wrote 1 byte
> "
> "
> 9268 gpg2 RET write 1
> 9268 gpg2 CALL write(0x2,0x28c20800,0x25)
> 9268 gpg2 GIO fd 2 wrote 37 bytes
> "gpg: decryption failed: No secret key"
> 9268 gpg2 RET write 37/0x25
> 9268 gpg2 CALL write(0x2,0x80dc2ea,0x1)
> 9268 gpg2 GIO fd 2 wrote 1 byte
> "
> "
> 9268 gpg2 RET write 1
> 9268 gpg2 CALL read(0x6,0x28c33000,0x2000)
> 9268 gpg2 GIO fd 6 read 0 bytes
> ....
> 9263 mutt RET fstat 0
> 9263 mutt CALL lseek(0x6,0,SEEK_SET,0)
> 9263 mutt RET lseek 0
> 9263 mutt CALL read(0x6,0x28d29000,0x1000)
> 9263 mutt GIO fd 6 read 130 bytes
> "gpg: keydb_search failed: Invalid packet
> gpg: encrypted with RSA key, ID 0xC0395DCCCFC71941
> gpg: decryption failed: No secret key
> "
> 9263 mutt RET read 130/0x82
> 9263 mutt CALL read(0x6,0x28d29000,0x1000)
> 9263 mutt GIO fd 6 read 0 bytes
> ...
> 9263 mutt CALL write(0x1,0x28c40800,0x35)
> 9263 mutt GIO fd 1 wrote 53 bytes
> 0x0000 0d1b 5b33 316d 1b5b 3433 6d1b 5b31 6d44 |..[31m.[43m.[1mD|
> 0x0010 6563 7279 7074 696f 6e20 6661 696c 6564 |ecryption failed|
> 0x0020 1b5b 6d1b 5b33 393b 3439 6d1b 5b33 376d |.[m.[39;49m.[37m|
> 0x0030 1b5b 3430 6d |.[40m|
>
> 9263 mutt RET write 53/0x35
> 9263 mutt CALL write(0x1,0x28c40800,0x1)
> 9263 mutt GIO fd 1 wrote 1 byte
> 0x0000 07 |.|
>
> 9263 mutt RET write 1
> 9263 mutt CALL write(0x1,0x28c40800,0x41)
> 9263 mutt GIO fd 1 wrote 65 bytes
> 0x0000 0d1b 5b33 316d 1b5b 3433 6d1b 5b31 6d43 |..[31m.[43m.[1mC|
> 0x0010 6f75 6c64 206e 6f74 2064 6563 7279 7074 |ould not decrypt|
> 0x0020 2050 4750 206d 6573 7361 6765 1b5b 6d1b | PGP message.[m.|
> 0x0030 5b33 393b 3439 6d1b 5b33 376d 1b5b 3430 |[39;49m.[37m.[40|
> 0x0040 6d |m|
>
> 9263 mutt RET write 65/0x41
> 9263 mutt CALL close(0x5)
> ....
>
> > Namely:
> > echo allow-loopback-pinentry >> ~/.gnupg/gpg-agent.conf
>
> FWIW, I hadn't had a ~/.gnupg/gpg-agent.conf before doinbg that.
>
> > and editing my copy of mutt's gpg.rc to add '--pinentry-mode
> > loopback' to every gpg invocation involving a passphrase-fd.
> >
> > After that, things were back to normal for me.
> > ...
>
> Unfortunately, that wasn't my experience. I'll revert back to gnupg-2.0
> for now.
Invalid packet is a reaction to some 'invalid' key in some ring.
I used approximately the following procedure, for which I am unable
to find a reference right now.
mv .gnupg .gnupg-bad
mkdir .gnupg
mv .gnupg-bad/gpg.conf .gnupg/
gpg --import .gnupg-bad/secring.gpg
gpg --import .gnupg-bad/pubring.gpg
cp .gnupd/bad/trustdb.gpg .gnupg/
It was rather stressfull half of a hour while I thought that my private
keys are destroyed.
More information about the freebsd-ports
mailing list