Page MenuHome GnuPG
Create Task
Maniphest T1985

Option --try-all-secrets doesn't work
Closed, ResolvedPublic
Actions

Description

GPG v2.1.4 (and v2.1.3 too) can't decrypt any file encrypted with
--hidden-recipient using --try-all-secrets option. Option --try-secret-key
works fine, but it's not handy.

I use windows builds from
ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.4_20150512.exe

Details

Version
2.1.4

Related Objects

Event Timeline

ajaja added projects: gnupg, Bug Report.May 13 2015, 10:37 PM
ajaja set Version to 2.1.4.
ajaja added a subscriber: ajaja.
werner added a project: gnupg (gpg21).May 15 2015, 2:14 PM
ueno added a subscriber: ueno.Aug 18 2015, 10:17 AM

D304: 668_0001-Make-try-all-secrets-work-for-hidden-recipients.patch

ueno added a comment.Aug 18 2015, 10:17 AM

I have also encountered this while testing the --throw-keyids option with 2.1.6.
It seemed to me that the fix is not that hard, so I'm attaching a patch.

werner claimed this task.Aug 20 2015, 2:44 PM
werner added a subscriber: werner.

I take this because I have a related other improvement in mind.

neal added a subscriber: neal.Nov 20 2015, 12:21 PM

Werner notes:

There is a comment in mainproc that we need to sort the list of keys and try
them in an order to get a decryption key early. The other thing is about the
meta data for keys. It would be possible to add a priority to the private keys
and use them to prioritise the list of keys to try.

dkg added a subscriber: dkg.Jun 30 2016, 6:07 PM

I can confirm that this is still a problem on 2.1.13: --try-all-secrets does not
work as documented:

2 dkg@alice:/tmp/cdtemp.hphmpn$ gpg --try-all-secrets --decrypt test.asc
gpg: encrypted with RSA key, ID 00000000
gpg: decryption failed: No secret key
2 dkg@alice:/tmp/cdtemp.hphmpn$ gpg --try-secret-key test --decrypt test.asc
gpg: anonymous recipient; trying secret key 82A22A9306735B0C ...
gpg: okay, we are the anonymous recipient.
gpg: encrypted with RSA key, ID 00000000
test test
0 dkg@alice:/tmp/cdtemp.hphmpn$

dkg added a comment.Jun 30 2016, 6:12 PM

fwiw, the documentation says:

       --try-all-secrets
              Don't look at the key ID as stored in the message  but  try  all
              secret  keys  in  turn  to  find  the right decryption key. This
              option forces the behaviour  as  used  by  anonymous  recipients
              (created  by  using  --throw-keyids  or  --hidden-recipient) and
              might come handy in case where an encrypted message  contains  a
              bogus key ID.

but that behavior is in fact not the default when used with anonymous
recipients, either:

2 dkg@alice:/tmp/cdtemp.hphmpn$ gpg --decrypt test.asc
gpg: encrypted with RSA key, ID 00000000
gpg: decryption failed: No secret key
2 dkg@alice:/tmp/cdtemp.hphmpn$ gpg --no-skip-hidden-recipients --decrypt test.asc
gpg: encrypted with RSA key, ID 00000000
gpg: decryption failed: No secret key
2 dkg@alice:/tmp/cdtemp.hphmpn$

werner added a project: Restricted Project.Jul 13 2016, 6:33 PM

I forgot to apply Daiki's patch. Done now with commit 82b90ee.

I won't work on the other mentioned change now and this commit is actually about
a regression. Thus bumping to testing.

werner removed a project: Restricted Project.Sep 28 2016, 9:45 AM

Fixed with 2.1.14.

werner closed this task as Resolved.Sep 28 2016, 9:45 AM