GPGOL: Could not decrypt the data: Invalid crypto engine
Closed, Resolved, Public

Description

I'm not sure whether it's Outlook 2016, or the version of gpg4win I have installed, but I've been seeing this error now when attempting to decrypt messages from Facebook. The plugin also warns that the certificate does not mention the email address they are sending from. Clicking the Encrypted button, which shows a lock and a purple question mark box, results in the dialog:

Failed to execute...
Missing value after '--query'.

kode54 created this task. Apr 19 2018, 8:40 AM
aheinecke triaged this task as High priority.
aheinecke claimed this task.
aheinecke added a subscriber: aheinecke.

"Invalid crypto engine" means that there is some internal error in the signature verification / decryption.

Just to be clear, you also can't decrypt the messages? Or does only the signature verification fail?

It would be a huge help if we could get the gpgme log. This is our component that interacts with the crypto backend and creates the error.
The debugging for this is controlled through an environment variable.

To run with debugging you have to open a console (cmd.exe), set the environment variable and then start Outlook from that console.

Like:

C:\Users\aheinecke>mkdir c:\temp
C:\Users\aheinecke>set GPGME_DEBUG=9;c:\temp\gpgme.log
C:\Users\aheinecke>"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"

Then look at the failing mail, and quit Outlook. Put the log in a ZIP archive and attach it here or send it to aheinecke@intevation.de (PGP Key)

I know that this is a lot to ask, but this will really help!

As for the:

Failed to execute...
Missing value after '--query'.

I've just fixed that; for the error case it will now show a better message.

jkropf added a subscriber: jkropf. Apr 20 2018, 12:19 PM

Same here with mails from Facebook, here's the log

aheinecke raised the priority of this task from High to Unbreak Now!. Apr 20 2018, 1:05 PM

Thank you very much. It helped. I can reproduce the problem now.

It happens when a Message is combined "Signed & Encrypted" and the Public Key of the Signer is not known.

Usually PGP Mails are first signed and then encrypted and not combined so we did not notice this in our tests.

As a workaround, import Facebook's signing key:

31A70953D8D590BA1FAB37762F3898CEDEE958CF

You can look it up on the public keyservers with Kleopatra. Please confirm that this also fixes the issue for you.

Gets highest priority, aiming for a new release next week.

I can confirm the workaround. After importing the key from Facebook everything works as expected!
Thank you very much!

aheinecke changed the task status from Open to Testing. Apr 20 2018, 4:30 PM

The commit mentioned fixes the problem.

Status testing until a release is available.

Also confirming the workaround. Not sure whether it would have done me any justice to counter-sign the key after accepting it locally, since I only verified it against their web page. The web page is hard to find with a Google search, since Google does not turn the unspaced hexadecimal fingerprint into something that matches the space-every-four-digits format used on their PGP/GPG instruction page. Searching for "Facebook PGP key" works, though.
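An added example, not code from GpgOL, GPGME or anyone in this thread: it reads GnuPG `--status-fd` lines for a combined signed-and-encrypted message, reports decryption and signature results separately (a missing signer key is not a decryption failure), and compares the missing key ID with the fingerprint quoted above regardless of spacing. The function names and the sample status lines are constructed for illustration; the sample assumes the signature was made by the key whose fingerprint the thread gives.

```python
import re

# Fingerprint quoted in the thread (Facebook's signing key).
EXPECTED_FPR = "31A70953D8D590BA1FAB37762F3898CEDEE958CF"

# Constructed sample of --status-fd output: decryption works, signer key is absent.
SAMPLE_STATUS = """\
[GNUPG:] ENC_TO 0123456789ABCDEF 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] ERRSIG 2F3898CEDEE958CF 1 8 00 1524213600 9
[GNUPG:] NO_PUBKEY 2F3898CEDEE958CF
[GNUPG:] END_DECRYPTION
"""

def normalize_fpr(text):
    """Drop spaces/colons and upper-case, so '31A7 0953 ...' equals '31A70953...'."""
    fpr = re.sub(r"[\s:]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("not a 40-hex-digit (v4) fingerprint")
    return fpr

def classify(status_text):
    """Return decryption and signature outcomes as independent results."""
    result = {"decrypted": None, "signature": "none", "missing_keys": []}
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword == "DECRYPTION_OKAY":
            result["decrypted"] = True
        elif keyword == "DECRYPTION_FAILED":
            result["decrypted"] = False
        elif keyword == "GOODSIG":
            result["signature"] = "good"
        elif keyword == "BADSIG":
            result["signature"] = "bad"
        elif keyword == "NO_PUBKEY" and args:
            result["missing_keys"].append(args[0].upper())
            if result["signature"] == "none":
                result["signature"] = "unverified"
    return result

def key_matches(key_id, fingerprint):
    """A v4 long key ID is the last 16 hex digits of the fingerprint."""
    return normalize_fpr(fingerprint).endswith(key_id.upper())
```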

I have the same issue with Xubuntu 18.04 lts, and GNUPG.
./start_linux_64bit
[Error] Source: GPGME String: "Invalid crypto engine"
[Error] Source: GPGME String: "Invalid crypto engine"
[Error] Source: GPGME String: "Invalid crypto engine"

@dcialdella Do you have a "non standard" GnuPG / GPGME installed? What are the versions?

The change underlying this issue was 0336e5d1a7b9d46e06c838e6a98aecfcc9542882 which is only part of GnuPG 2.2.6 and not of 2.2.4 as it is in Ubuntu afaik. So you might be facing a different issue.

It's possible that was one of the upstream patches they decided to include.

dcialdella added a comment. Edited Apr 30 2018, 10:21 AM

gpg 2.2.4-1ubunt amd64 GNU Privacy Guard -- minimalist p

gpg4usb, using the standard version, I downloaded from the official site, two different versions
0.3.3.2
0.3.3.1
Both cases same error.

BenM added a subscriber: BenM. Edited May 2 2018, 9:43 PM

FYI: this most recent update broke builds on OS X 10.9 for Qt, but everything else is fine.

I may need to set an explicit override to find the Qt bundle installed in /usr/local rather than the components installed in /opt/local with the rest of the gnupg libs.

This change is definitely from commit 6b267c56fd6e54fb1c254455c04495534260b547 since my last build was up to commit 7706fa2c922f5e02570b01f145ed474e82341042.

BenM added a comment. May 2 2018, 11:44 PM

I've just checked the current build to the previous one (even when I get rid of the build directories, I keep a copy of the config.log since you never know when it might come in handy).

It seems that past builds were not finding any of the Qt5 installations and silently-ish disabling Qt support. The difference between that and the most recent commit is it didn't simply gracefully disable Qt5, it encountered too many errors and produced a hard failure during the make process (with either make/clang or gmake/gcc).

aheinecke closed this task as Resolved. May 3 2018, 10:44 AM

@dcialdella I've checked the Ubuntu Patches, they don't include the patch that caused the problem for GpgOL in this issue. Please report your problem either to Ubuntu or open a new issue, ideally with some instructions how to reproduce your problem.

@BenM Many errors when building qt libraries happen sometimes if there is a version mismatch between the Qt Meta Object Compiler (moc) and the Qt headers / libraries it compiles against. Please open a new issue with the error messages.

I just retested the issue here with GnuPG 2.2.7, GPGME 1.11.2-beta3 and GpgOL 2.1.1 and it is gone -> Resolved.

@aheinecke thanks for the post.
When you said "open a new issue", is that to create a new issue here or in the Ubuntu forums?
I'll do. When?
I imagine in some weeks it will be solved, but I use the tool every day for secure text.

@dcialdella Well as you are here already you can open one here. Alternatively I would have thought Ubuntu's Launchpad.

But what would really interest me is how to reproduce the issue you are seeing. For the Invalid Crypto Engine error you must somehow try to verify / decrypt through gpgme, and that must be done by some tool or script. You mention ./start_linux_64bit; what is that? I have an Ubuntu 18.04 test VM available and could try to reproduce it.

Please don't answer here but put this information into a new "Invalid Crypto Engine" issue.

Thanks!