
gpg2 fails to find secret key when content encrypted with throw-keyids option
Open, Low, Public

Description

Potential bug:

  • Case 1: gpg2 fails to find secret key when content encrypted with "throw-keyids" option in gpg.conf file.
    • "gpg: decryption failed: No secret key"
  • Case 2: gpg2 succeeds with "# throw-keyids" in gpg.conf file.
  • gpg succeeds in both Case 1 and 2.

Example:

  1. Encrypt clearfilename to cipherfilename with the "throw-keyids" option ON: gpg can decrypt, but gpg2 fails

[gpg.conf]
...

throw-keyids

...


$ gpg2 --recipient 0xKEYID --output cipherfilename.throw-keyids --encrypt clearfilename

$ gpg --verbose --decrypt cipherfilename.throw-keyids
gpg: public key is 0x00000000
gpg: anonymous recipient; trying secret key 0xKEYID001
gpg: using subkey 0xsubKEY001 instead of primary key 0xKEYID001
[pinentry-gtk-2] Enter passphrase:
... 0xKEYID002
... 0xsubKEYID002
gpg: anonymous recipient; trying secret key 0xKEYID
gpg: anonymous recipient; trying secret key 0xsubKEYID
gpg: okay, we are the anonymous recipient.
gpg: encrypted with RSA key, ID 0x00000000
gpg: AES256 encrypted data
gpg: original file name='clearfilename'
[contents of clearfilename successfully output to terminal]

$ gpg2 --verbose --decrypt cipherfilename.throw-keyids
gpg: public key is 0x00000000
gpg: encrypted with RSA key, ID 0x00000000
gpg: decryption failed: No secret key


  2. Encrypt clearfilename to cipherfilename with the "throw-keyids" option OFF: gpg AND gpg2 can decrypt

[gpg.conf]
...

##### throw-keyids

...


$ gpg2 --recipient 0xKEYID --output cipherfilename.throw-keyids.OFF --encrypt clearfilename

$ gpg --verbose --decrypt cipherfilename.throw-keyids.OFF
gpg: public key is 0xsubKEYID
gpg: using subkey 0xsubKEYID instead of primary key 0xKEYID

You need a passphrase to unlock the secret key for user: "name <email>"
gpg: using subkey 0xsubKEYID instead of primary key 0xKEYID
4096-bit RSA key, ID 0xsubKEYID, created [past]
    (subkey on main key ID 0xKEYID)

gpg: encrypted with 4096-bit RSA key, ID 0xsubKEYID, created [past] "name <email>"
gpg: AES256 encrypted data
gpg: original file name='clearfilename'
[contents of clearfilename successfully output to terminal]

$ gpg2 --verbose --decrypt cipherfilename.throw-keyids.OFF
gpg: public key is 0xKEYID
gpg: using subkey 0xsubKEYID instead of primary key 0xKEYID
gpg: using subkey 0xsubKEYID instead of primary key 0xKEYID [yes, duplicate]
gpg: encrypted with 4096-bit RSA key, ID 0xsubKEYID, created [past] "name <email>"
gpg: AES256 encrypted data
gpg: original file name='clearfilename'
[contents of clearfilename successfully output to terminal]

What can I do to help gpg2 find the secret key when the sender uses the throw-keyids option in their gpg.conf file? Or at least get it to ask for a passphrase?

Details

Version
gpg (GnuPG) 2.1.11 libgcrypt 1.6.5
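What "public key is 0x00000000" in the reporter's output actually means on the wire, as an added example that is not part of the bug report or of GnuPG's own code: with --throw-keyids the 8-byte key ID field of each Public-Key Encrypted Session Key (PKESK) packet (RFC 4880, section 5.1) is written as all zeros, so the decrypting side has no recipient to look up and must trial-decrypt with every secret key it holds. The parser below reads the packet headers of a constructed OpenPGP message (the MPI and ciphertext bytes are dummies, not real key material), lists the recipients, and mimics the decryptor's key selection for both the named and the anonymous case.

```python
"""Added example: inspect PKESK recipient key IDs in an OpenPGP message.

Packet framing follows RFC 4880 sections 4.2 and 5.1. The sample messages at
the bottom are constructed for this example; their MPI and ciphertext bytes
carry no real cryptographic content.
"""
import struct

PKESK_TAG = 1
SEIPD_TAG = 18
ANONYMOUS_KEY_ID = b"\x00" * 8  # what --throw-keyids puts in the key ID field


def parse_packets(data: bytes):
    """Yield (tag, body) for each packet, old- or new-format header.

    Partial body lengths (new format, first octet 224..254) are not needed
    for PKESK packets and are rejected rather than silently mis-parsed.
    """
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag byte {ctb:#x} at offset {pos}")
        pos += 1
        if ctb & 0x40:  # new format: tag in low 6 bits, length per 4.2.2
            tag = ctb & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body length not supported")
        else:  # old format: tag in bits 5..2, length type in bits 1..0
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 0:
                length = data[pos]
                pos += 1
            elif ltype == 1:
                length = struct.unpack(">H", data[pos:pos + 2])[0]
                pos += 2
            elif ltype == 2:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                length = len(data) - pos  # indeterminate: rest of the input
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError(f"truncated packet (tag {tag}) at offset {pos}")
        pos += length
        yield tag, body


def recipients(message: bytes):
    """Return [(key_id_hex, pubkey_algo, anonymous)] for every PKESK packet."""
    out = []
    for tag, body in parse_packets(message):
        if tag != PKESK_TAG:
            continue
        version, key_id, algo = body[0], body[1:9], body[9]
        if version != 3:
            raise ValueError(f"unsupported PKESK version {version}")
        out.append((key_id.hex().upper(), algo, key_id == ANONYMOUS_KEY_ID))
    return out


def candidate_secret_keys(message: bytes, secret_key_ids):
    """Mimic the decryptor's key selection.

    A named recipient selects the matching secret key directly. An anonymous
    recipient gives no hint, so every secret key must be tried in turn, which
    is what gpg logs as "anonymous recipient; trying secret key ...".
    """
    tried = []
    for key_id, _algo, anonymous in recipients(message):
        if anonymous:
            tried.extend(k for k in secret_key_ids if k not in tried)
        elif key_id in secret_key_ids and key_id not in tried:
            tried.append(key_id)
    return tried


# --- constructed sample messages (dummy MPI/ciphertext, no real keys) -------
def _pkesk(key_id: bytes, algo: int = 1, mpi: bytes = b"\x01\x02\x03\x04") -> bytes:
    bits = int.from_bytes(mpi, "big").bit_length()
    body = bytes([3]) + key_id + bytes([algo]) + struct.pack(">H", bits) + mpi
    return bytes([0x80 | (PKESK_TAG << 2)]) + bytes([len(body)]) + body  # old fmt


def _seipd(ciphertext: bytes = b"\xAA" * 200) -> bytes:
    body = b"\x01" + ciphertext  # version 1 + dummy encrypted data
    n = len(body) - 192           # 192 <= len < 8384: two-octet new-format length
    return bytes([0xC0 | SEIPD_TAG, (n >> 8) + 192, n & 0xFF]) + body


NAMED_KEY_ID = "0123456789ABCDEF"
NORMAL_MSG = _pkesk(bytes.fromhex(NAMED_KEY_ID)) + _seipd()      # throw-keyids OFF
THROWN_MSG = _pkesk(ANONYMOUS_KEY_ID) + _seipd()                  # throw-keyids ON
KEYRING = [NAMED_KEY_ID, "FEDCBA9876543210"]  # secret keys we pretend to hold

if __name__ == "__main__":
    for name, msg in (("throw-keyids OFF", NORMAL_MSG), ("throw-keyids ON", THROWN_MSG)):
        print(name, recipients(msg), "->", candidate_secret_keys(msg, KEYRING))
```

The practical knob on the reporter's side is the documented gpg option --try-secret-key KEYID (name a secret key to use for trial decryption of hidden recipients; repeatable) or --try-all-secrets (try every secret key, ignoring the key ID in the message); whether a given gpg2 build honours them for anonymous recipients is exactly what this report is about.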

Event Timeline

werner added a subscriber: werner.

Please try again with a recent version of GnuPG. We have had a dozen more releases since 2.1.11 and we can't spend time on trying to replicate bugs which may have already been fixed in the last 18 months.