Bug#795639: assword fails with "Decryption error: Decryption failed"

2015-10-13 Thread demure
These two commands have fixed gpg 2.1.8 for me, on sid.

Prior to the fix, I had:
gpg: decryption failed: No secret key

On Sun, 16 Aug 2015 10:16:03 -0700 Russ Allbery  wrote:
> Daniel Kahn Gillmor  writes:
> 
> 
> Aha.  Okay, I seem to have fixed it, although I still don't really
> understand what happened.  On a hunch, I ran:
> 
> $ gpg2 --import ~/.gnupg/pubring.gpg
> 
> That spat out a bunch of output (tons and tons of those legacy key
> messages), and then I ran:
> 
> $ gpg2 --import ~/.gnupg/secring.gpg
>... 
> -- 
> Russ Allbery (r...@debian.org)   
> 
> 


Bug#795639: assword fails with "Decryption error: Decryption failed"

2015-09-20 Thread William Hay
Might this be a symptom of bug #772897 ?



Bug#795639: assword fails with "Decryption error: Decryption failed"

2015-08-17 Thread Russ Allbery
Just one more data point:

I just upgraded another system using assword, with a separate private key
that was generated on 2014-08-20, and everything worked fine with it.  And
I don't get the legacy keys errors on that system either.

-- 
Russ Allbery (r...@debian.org)   



Bug#795639: assword fails with "Decryption error: Decryption failed"

2015-08-17 Thread Russ Allbery
Daniel Kahn Gillmor  writes:

> interesting.  what is the history of this secret key material?  Was it
> generated fresh on 2009-05-29?  or was it converted from some other
> (older) key source?

It was generated fresh on 2009-05-29 using gpg at the time.

>> Aha.  Okay, I seem to have fixed it, although I still don't really
>> understand what happened.  On a hunch, I ran:
>>
>> $ gpg2 --import ~/.gnupg/pubring.gpg
>>
>> That spat out a bunch of output (tons and tons of those legacy key
>> messages), and then I ran:
>>
>> $ gpg2 --import ~/.gnupg/secring.gpg
>>
>> again.

> Did you happen to compare your test commands (e.g. looking at files,
> running "gpg -kv $FPR") between these two --import operations?  I'm
> assuming that the last one is the one that "fixed" things, but i'd like
> to make sure...

Sadly, I didn't, but I do know for certain that just doing the second did
not fix the problem.  It just declined to import the key with the legacy
key message and then another message about how there was no self-sig.
(Actually, you probably already know that since I think that was a
previous message -- now I'm forgetting what I did when.)

I started wondering if it couldn't see the self-sig because it didn't have
the corresponding public key and wondered what would happen if I imported
the public key ring.  After I did that, the second command actually
imported the secret key as well (in that I saw "1 key imported" in the
resulting message).  For some reason, all my other secret keys were
successfully imported.  Just not that one.

> do you know if there were more "legacy key" messages for the second
> --import command?

Oh, yeah, there are tons every time I run that command.  Basically one for
every key.

-- 
Russ Allbery (r...@debian.org)   



Bug#795639: assword fails with "Decryption error: Decryption failed"

2015-08-17 Thread Daniel Kahn Gillmor
Control: retitle 795639 automated secret key import process for gpg2.1 skips some keys

On Sun 2015-08-16 19:16:03 +0200, Russ Allbery wrote:
> Daniel Kahn Gillmor  writes:
>> do you see
>> ~/.gnupg/private-keys-v1.d/FD1DA474D3DF3C728C54F9E479EDFC5BBE2E14EA.key
>> ?
>
> No, that file doesn't exist.  So it looks like you've located the problem.
 [...]
> mithrandir:~$ gpg2 -kv D15D313882004173
> gpg: using classic trust model
> gpg: keydb_get_keyblock failed: Legacy key
> gpg: error reading key: No public key

interesting.  what is the history of this secret key material?  Was it
generated fresh on 2009-05-29?  or was it converted from some other
(older) key source?

> Aha.  Okay, I seem to have fixed it, although I still don't really
> understand what happened.  On a hunch, I ran:
>
> $ gpg2 --import ~/.gnupg/pubring.gpg
>
> That spat out a bunch of output (tons and tons of those legacy key
> messages), and then I ran:
>
> $ gpg2 --import ~/.gnupg/secring.gpg
>
> again.

Did you happen to compare your test commands (e.g. looking at files,
running "gpg -kv $FPR") between these two --import operations?  I'm
assuming that the last one is the one that "fixed" things, but i'd like
to make sure...

do you know if there were more "legacy key" messages for the second
--import command?

> That prompted me for the passphrase for the private key for
> D15D313882004173, and then apparently successfully imported it.  Now,
> the gpg2 command works:
>
> mithrandir:~$ gpg2 -kv D15D313882004173
> gpg: using classic trust model
> pub   rsa4096/D15D313882004173 2009-05-29 [expires: 2017-09-17]
> uid [ultimate] Russ Allbery 
> uid [ultimate] Russ Allbery 
> uid [ultimate] Russ Allbery 
> uid [ revoked] Russ Allbery 
> uid [ultimate] Russ Allbery 
> sub   rsa4096/7CE29A76E9769486 2009-05-29 [expires: 2017-09-17]
> sub   rsa2048/7D80315C5736DE75 2010-09-17 [expires: 2016-03-20]
>
> and now assword works again.

ok, i'm glad this part is fixed for you for now, but I'm a little
disturbed that I don't know how to reproduce the scenario you got into.
This is made more complicated by the fact that i don't have (or want)
access to your secret keys, of course.

> So, something weird about the automated key import process for gpg2?

yes, definitely.  I'm retitling the bug to account for that.

 --dkg



Bug#795639: assword fails with "Decryption error: Decryption failed"

2015-08-16 Thread Russ Allbery
Daniel Kahn Gillmor  writes:

> ok, so the keygrip for 0x7CE29A76E9769486 is
> FD1DA474D3DF3C728C54F9E479EDFC5BBE2E14EA

> (via "gpg2  --with-keygrip --list-keys 7CE29A76E9769486")

> do you see
> ~/.gnupg/private-keys-v1.d/FD1DA474D3DF3C728C54F9E479EDFC5BBE2E14EA.key
> ?

No, that file doesn't exist.  So it looks like you've located the problem.

> I agree with you that this key clearly has valid self-sigs.  it does in
> my copy as well.

> can you show the same output from gpg2 as well as gpg ?

I can't, no, because I get the same problem:

mithrandir:~$ gpg2 -kv D15D313882004173
gpg: using classic trust model
gpg: keydb_get_keyblock failed: Legacy key
gpg: error reading key: No public key

Aha.  Okay, I seem to have fixed it, although I still don't really
understand what happened.  On a hunch, I ran:

$ gpg2 --import ~/.gnupg/pubring.gpg

That spat out a bunch of output (tons and tons of those legacy key
messages), and then I ran:

$ gpg2 --import ~/.gnupg/secring.gpg

again.  That prompted me for the passphrase for the private key for
D15D313882004173, and then apparently successfully imported it.  Now, the
gpg2 command works:

mithrandir:~$ gpg2 -kv D15D313882004173
gpg: using classic trust model
pub   rsa4096/D15D313882004173 2009-05-29 [expires: 2017-09-17]
uid [ultimate] Russ Allbery 
uid [ultimate] Russ Allbery 
uid [ultimate] Russ Allbery 
uid [ revoked] Russ Allbery 
uid [ultimate] Russ Allbery 
sub   rsa4096/7CE29A76E9769486 2009-05-29 [expires: 2017-09-17]
sub   rsa2048/7D80315C5736DE75 2010-09-17 [expires: 2016-03-20]

and now assword works again.

So, something weird about the automated key import process for gpg2?

-- 
Russ Allbery (r...@debian.org)   



Bug#795639: assword fails with "Decryption error: Decryption failed"

2015-08-16 Thread Daniel Kahn Gillmor
On Sun 2015-08-16 02:55:43 +0200, Russ Allbery wrote:
> Daniel Kahn Gillmor  writes:
>
>> does this succeed with gpg2 --decrypt as well, or just gpg --decrypt?
>
> Aha.  Here's a problem:
>
> mithrandir:~/private/db$ gpg2 --decrypt personal
> gpg: error reading keyblock: Legacy key
> gpg: keydb_get_keyblock failed: Legacy key
> gpg: encrypted with RSA key, ID 7CE29A76E9769486
> gpg: decryption failed: No secret key
>
> I have no idea what that means, and Google was not particularly
> enlightening.
>
>> do you see files listed when you look at the GnuPG 2.1 secret key storage:
>
>>ls -l ~/.gnupg/private-keys-v1.d/*.key
>
> Yes.

ok, so the keygrip for 0x7CE29A76E9769486 is
FD1DA474D3DF3C728C54F9E479EDFC5BBE2E14EA

(via "gpg2  --with-keygrip --list-keys 7CE29A76E9769486")

do you see 
~/.gnupg/private-keys-v1.d/FD1DA474D3DF3C728C54F9E479EDFC5BBE2E14EA.key ?

>> Depending on the output of the above, maybe you can try importing your
>> secret keyring again:
>
>>  gpg2 --import < ~/.gnupg/secring.gpg
>
>> (this should have been imported automatically for you upon your first
>> use of gpg 2.1 after the upgrade)
>
> I get a lot more "legacy key" errors, and this weird error that I don't
> understand:
>
> gpg: key D15D313882004173: no valid user IDs
> gpg: this may be caused by a missing self-signature
> gpg: keydb_get_keyblock failed: Legacy key
> gpg: key D15D313882004173: failed to re-lookup public key
>
> That key definitely has a self-signature.  It's the same key I use for
> Debian.
>
> mithrandir:~/private/db$ gpg -kv D15D313882004173
> pub   4096R/D15D313882004173 2009-05-29 [expires: 2017-09-17]
> uid   [ultimate] Russ Allbery 
> uid   [ultimate] Russ Allbery 
> uid   [ultimate] Russ Allbery 
> uid   [ revoked] Russ Allbery 
> uid   [ultimate] Russ Allbery 
> sub   4096R/7CE29A76E9769486 2009-05-29 [expires: 2017-09-17]
> sub   2048R/7D80315C5736DE75 2010-09-17 [expires: 2016-03-20]

I agree with you that this key clearly has valid self-sigs.  it does in
my copy as well.

can you show the same output from gpg2 as well as gpg ?

Also: does it show up in the output of:

 gpg2 --list-secret-keys

sorry for the hassle, and thanks for the quick debugging responses.

--dkg
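
Added example (not part of the thread and not code from GnuPG or assword): a shell function that automates the keygrip check described in the message above. It reads a colon-format listing of your own key, as produced by `gpg2 --with-colons --with-keygrip --list-keys KEYID`, and prints every key or subkey whose keygrip has no matching `.key` file in `private-keys-v1.d`. The sample listing is constructed and trimmed; the two placeholder keygrips are made up, and only the key IDs and the FD1D... keygrip come from the thread.

```shell
#!/bin/sh
# Constructed placeholder keygrips (not real values).
GRIP_PRIMARY=0000000000000000000000000000000000000001
GRIP_SUB2=0000000000000000000000000000000000000002

# Constructed, trimmed colon listing: each pub/sub record is followed by a
# grp record whose field 10 is the keygrip.
sample_listing() {
    cat <<EOF
pub:u:4096:1:D15D313882004173::::::::
grp:::::::::$GRIP_PRIMARY:
sub:u:4096:1:7CE29A76E9769486::::::::
grp:::::::::FD1DA474D3DF3C728C54F9E479EDFC5BBE2E14EA:
sub:u:2048:1:7D80315C5736DE75::::::::
grp:::::::::$GRIP_SUB2:
EOF
}

# Usage: gpg2 --with-colons --with-keygrip --list-keys KEYID | missing_keygrips [DIR]
# Prints "KEYID KEYGRIP" for each key whose secret part is absent from DIR.
missing_keygrips() {
    keydir=${1:-"$HOME/.gnupg/private-keys-v1.d"}
    keyid=
    while IFS=: read -r rec f2 f3 f4 id f6 f7 f8 f9 f10 rest; do
        case $rec in
            pub|sub)
                keyid=$id            # field 5: long key ID
                ;;
            grp)
                [ -n "$keyid" ] || continue
                # Field 10 of a grp record is the keygrip, which is also
                # the base name of the secret key file gpg-agent uses.
                [ -e "$keydir/$f10.key" ] || printf '%s %s\n' "$keyid" "$f10"
                ;;
        esac
    done
}

# Demo on the constructed data: a key directory in which the migration
# stored the primary key and one subkey but skipped the encryption subkey.
demo_dir=$(mktemp -d)
touch "$demo_dir/$GRIP_PRIMARY.key" "$demo_dir/$GRIP_SUB2.key"
sample_listing | missing_keygrips "$demo_dir"
rm -rf "$demo_dir"
```

Any line of output names a key that the agent cannot use for decryption, which is the state reported in this bug.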



Bug#795639: assword fails with "Decryption error: Decryption failed"

2015-08-15 Thread Russ Allbery
Daniel Kahn Gillmor  writes:

> does this succeed with gpg2 --decrypt as well, or just gpg --decrypt?

Aha.  Here's a problem:

mithrandir:~/private/db$ gpg2 --decrypt personal
gpg: error reading keyblock: Legacy key
gpg: keydb_get_keyblock failed: Legacy key
gpg: encrypted with RSA key, ID 7CE29A76E9769486
gpg: decryption failed: No secret key

I have no idea what that means, and Google was not particularly
enlightening.

> do you see files listed when you look at the GnuPG 2.1 secret key storage:

>ls -l ~/.gnupg/private-keys-v1.d/*.key

Yes.

> what about checking to see the date that GnuPG 2.1 did the keyring
> migration:

>ls -l ~/.gnupg/.gpg-v21-migrated

> ?

Looks like this afternoon just when this problem started.

> Depending on the output of the above, maybe you can try importing your
> secret keyring again:

>  gpg2 --import < ~/.gnupg/secring.gpg

> (this should have been imported automatically for you upon your first
> use of gpg 2.1 after the upgrade)

I get a lot more "legacy key" errors, and this weird error that I don't
understand:

gpg: key D15D313882004173: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: keydb_get_keyblock failed: Legacy key
gpg: key D15D313882004173: failed to re-lookup public key

That key definitely has a self-signature.  It's the same key I use for
Debian.

mithrandir:~/private/db$ gpg -kv D15D313882004173
pub   4096R/D15D313882004173 2009-05-29 [expires: 2017-09-17]
uid   [ultimate] Russ Allbery 
uid   [ultimate] Russ Allbery 
uid   [ultimate] Russ Allbery 
uid   [ revoked] Russ Allbery 
uid   [ultimate] Russ Allbery 
sub   4096R/7CE29A76E9769486 2009-05-29 [expires: 2017-09-17]
sub   2048R/7D80315C5736DE75 2010-09-17 [expires: 2016-03-20]

-- 
Russ Allbery (r...@debian.org)   



Bug#795639: assword fails with "Decryption error: Decryption failed"

2015-08-15 Thread Daniel Kahn Gillmor
Control: tags 795639 + moreinfo
Control: reassign 795639 gnupg2 2.1.7-2
Control: affects 795639 assword

Hi Russ--

On Sun 2015-08-16 01:03:16 +0200, Russ Allbery wrote:
> strace seems to back that up.  It chats with the agent for a bit, and
> then it fails.  See the partial trace below.  It seems to get as far
> as realizing that I don't currently have the secret key unlocked, but
> then rather than popping up a dialog to prompt me, just immediately
> fails.

Thanks for sending this report.  I've been using gpg 2.1.7 for
several months now, and i haven't had this problem.  Hopefully we can
diagnose what's going on here.

fwiw, i agree that this is most likely a bug we should deal with in
gnupg2, not in assword.

> Running gpg manually on a file pops up the agent dialog like I would
> expect.

does this succeed with gpg2 --decrypt as well, or just gpg --decrypt?

do you see files listed when you look at the GnuPG 2.1 secret key storage:

   ls -l ~/.gnupg/private-keys-v1.d/*.key

what about checking to see the date that GnuPG 2.1 did the keyring
migration:

   ls -l ~/.gnupg/.gpg-v21-migrated

?

> I tried killing all the agents and logging out and then back in again to
> force the agent to respawn, but unfortunately there was no change in
> behavior.

Depending on the output of the above, maybe you can try importing your
secret keyring again:

 gpg2 --import < ~/.gnupg/secring.gpg

(this should have been imported automatically for you upon your first
use of gpg 2.1 after the upgrade)

Please let me know if this solves the problem for you, or if you learn
any new information.

Regards,

  --dkg




Bug#795639: assword fails with "Decryption error: Decryption failed"

2015-08-15 Thread Russ Allbery
Jameson Graef Rollins  writes:

> Thanks for the report, Russ, and sorry about the trouble.

> I'm actually unable to reproduce this bug by just installing gnupg2 from
> unstable (2.1.7-2).  However, my /usr/bin/gpg is from the gnupg package,
> not gnupg2.  I'm guessing that maybe you're using gnupg2 as gnupg in
> this case?

Hm, nope, I'm similarly using /usr/bin/gpg from the gnupg package.  Is
that what assword is using?  Now I'm quite confused.

I should mention that I upgraded both gnupg2 and gnupg-agent and it broke,
and then I downgraded both and it started working.  I was assuming that it
was gnupg2, but maybe the problem is actually the agent, and only people
using the agent will have trouble?

strace seems to back that up.  It chats with the agent for a bit, and then
it fails.  See the partial trace below.  It seems to get as far as
realizing that I don't currently have the secret key unlocked, but then
rather than popping up a dialog to prompt me, just immediately fails.
Running gpg manually on a file pops up the agent dialog like I would
expect.

I tried killing all the agents and logging out and then back in again to
force the agent to respawn, but unfortunately there was no change in
behavior.

It's quite possible that this is a bug somewhere in the new version of
gnupg and it just happens to break assword.

read(4, "[GNUPG:] PROGRESS -&10 ? 0 0\n", 1024) = 29
select(9, [4 8], [], NULL, {1, 0})  = 1 (in [4], left {0, 89})
select(5, [4], [], NULL, {0, 0})= 1 (in [4], left {0, 0})
read(4, "[GNUPG:] ENC_TO 7CE29A76E9769486"..., 1024) = 37
select(9, [4 8], [], NULL, {1, 0})  = 1 (in [4], left {0, 984921})
select(5, [4], [], NULL, {0, 0})= 1 (in [4], left {0, 0})
read(4, "[GNUPG:] NO_SECKEY 7CE29A76E9769"..., 1024) = 145
select(9, [4 8], [], NULL, {1, 0})  = 1 (in [8], left {0, 23})
select(9, [8], [], NULL, {0, 0})= 1 (in [8], left {0, 0})
read(8, "", 4096)   = 0
close(8)= 0
select(5, [4], [], NULL, {1, 0})= 1 (in [4], left {0, 99})
select(5, [4], [], NULL, {0, 0})= 1 (in [4], left {0, 0})
read(4, "", 1024)   = 0
close(4)= 0
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libgpg-error.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/libgpg-error.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/libgpg-error.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/libgpg-error.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/libgpg-error.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/libgpg-error.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
close(3)= 0
munmap(0x7f988d24e000, 4096)= 0
write(2, "Assword database error: Decrypti"..., 59Assword database error: Decryption error: Decryption failed) = 59

-- 
Russ Allbery (r...@debian.org)   



Bug#795639: assword fails with "Decryption error: Decryption failed"

2015-08-15 Thread Jameson Graef Rollins
tags 795639 + unreproducible moreinfo

On Sat, Aug 15 2015, Russ Allbery  wrote:
> Package: assword
> Version: 0.8-2
> Severity: grave
>
> assword can no longer decrypt any of my password stores.  It fails with
> the error:
>
> mithrandir:~$ assword dump foo
> Assword database error: Decryption error: Decryption failed
>
> The data store is not corrupt; running GnuPG on it manually works fine.
> This appears to be caused by the upgrade of gnupg2 to 2.1.7-2.
> Downgrading to 2.0.28-3 makes everything start working properly again.

Thanks for the report, Russ, and sorry about the trouble.

I'm actually unable to reproduce this bug by just installing gnupg2 from
unstable (2.1.7-2).  However, my /usr/bin/gpg is from the gnupg package,
not gnupg2.  I'm guessing that maybe you're using gnupg2 as gnupg in
this case?

Could this be an incompatibility between python-gpgme, which uses
libgpgme11, and gnupg2?

jamie.




Bug#795639: assword fails with "Decryption error: Decryption failed"

2015-08-15 Thread Russ Allbery
Package: assword
Version: 0.8-2
Severity: grave

assword can no longer decrypt any of my password stores.  It fails with
the error:

mithrandir:~$ assword dump foo
Assword database error: Decryption error: Decryption failed

The data store is not corrupt; running GnuPG on it manually works fine.
This appears to be caused by the upgrade of gnupg2 to 2.1.7-2.
Downgrading to 2.0.28-3 makes everything start working properly again.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages assword depends on:
ii  python2.7.9-1
ii  python-gpgme  0.3-1+b1
ii  python-gtk2   2.24.0-4
ii  python-pkg-resources  18.0.1-2

Versions of packages assword recommends:
pn  python-xdo  
ii  xclip   0.12+svn84-4

assword suggests no packages.

-- no debconf information