
Second key decrypts messages it shouldn't
Closed, Resolved · Public

Description

Bug report originally posted here: https://bitbucket.org/vinay.sajip/python-gnupg/issues/139/python-wrapper-for-gnupg-second-key

I wrote a very simple example provided in the link above showing a confusing result I encountered. I create 2 keys and encrypt 3 messages with the first key and another 3 messages with the second key. I then try to decrypt all of the messages with each key. What I expect is that the first key can only decrypt the first 3 messages and the second key can only decrypt the second 3 messages. However, what happens is that the first key can only decrypt the first 3 messages (as expected) yet the second key can decrypt all of the messages. Why is this happening and how do I produce the expected results?

I am using Ubuntu 5.4.0-88-generic, Python 3.8.10, GnuPG 2.2.19, libgcrypt 1.8.5, python-gnupg 0.4.7

Event Timeline

werner claimed this task.
werner edited projects, added Support; removed Bug Report.
werner added a subscriber: werner.

That looks like a support question. Please ask on a mailing list for help. Sorry, we can't do individual support here.

I'm pretty sure that the first 3 messages are always decrypted with the first key because the passphrase of the first key is still cached. I don't think you can tell gpg to only use a specific key for decryption. The only way to make sure that gpg does not try to use the first key for decryption is to remove the private key of the first key. Alternatively, clear the cache after using the first key, but gpg might still ask the user for the passphrase of the first key.
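The behaviour described in the comment above, as an added example that is not part of the original report and not python-gnupg code: gpg chooses the decryption key from the recipient key ID stored in the message, not from the passphrase the caller supplies, so with both secret keys in one keyring a decryption "with the second key" can silently go through the first key once its passphrase is cached. The script redoes the experiment with one throwaway GNUPGHOME per key (the "remove the private key" option from the comment), shows which key ID a message is actually addressed to, and checks that the keyring without that secret key fails. The user ids and paths are made up for the demonstration.

```shell
#!/bin/sh
# Added example, written for this page; it is not the reporter's script and
# not python-gnupg code. It redoes the two-key experiment with a separate
# throwaway GNUPGHOME per key, so a decryption attempt cannot succeed through
# a secret key (or cached passphrase) belonging to the other key. The user ids
# and paths are made up for the demonstration.
set -eu

# Create a throwaway keyring holding one unprotected key for user id $1 and
# print the directory. --passphrase '' with loopback pinentry keeps gpg from
# prompting, so nothing here depends on gpg-agent's passphrase cache.
make_home() {
    home=$(mktemp -d /tmp/gpgdemo.XXXXXX)
    GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key "$1" default default never \
        >/dev/null 2>&1
    printf '%s\n' "$home"
}

# Key ID of the encryption subkey for user id $2 in keyring $1; this is the
# ID that ends up inside every message encrypted to that user (colon field 12
# holds the subkey's capabilities, "e" marks the encryption subkey).
enc_subkey_id() {
    GNUPGHOME="$1" gpg --batch --with-colons --list-keys "$2" 2>/dev/null \
        | awk -F: '$1 == "sub" && index($12, "e") { print $5; exit }'
}

# Encrypt the string $3 to user id $2 from keyring $1; print the ciphertext path.
encrypt_to() {
    out=$(mktemp /tmp/gpgdemo.msg.XXXXXX)
    printf '%s' "$3" | GNUPGHOME="$1" gpg --batch --quiet --yes \
        --trust-model always --recipient "$2" --output "$out" --encrypt
    printf '%s\n' "$out"
}

# Recipient key ID recorded in the message's public-key-encrypted session-key
# packet. gpg matches this against the secret keys it has; the passphrase a
# caller supplies never takes part in that choice.
recipient_of() {
    GNUPGHOME="$1" gpg --batch --list-packets "$2" 2>/dev/null \
        | sed -n 's/.*keyid \([0-9A-F]*\).*/\1/p' | head -n 1
}

# Decrypt file $2 inside keyring $1; print "ok:<plaintext>" or "fail".
decrypt_in() {
    if pt=$(GNUPGHOME="$1" gpg --batch --quiet --decrypt "$2" 2>/dev/null); then
        printf 'ok:%s\n' "$pt"
    else
        printf 'fail\n'
    fi
}

# Stop the agent that gpg auto-started for keyring $1 and delete the keyring.
cleanup_home() {
    GNUPGHOME="$1" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$1"
}

# Walk through the report's scenario and print what actually decides the result.
demo() {
    a=$(make_home "Alice Demo <alice@example.invalid>")
    b=$(make_home "Bob Demo <bob@example.invalid>")
    m=$(encrypt_to "$a" "alice@example.invalid" "for alice only")
    echo "message addressed to key:   $(recipient_of "$a" "$m")"
    echo "alice's encryption subkey:  $(enc_subkey_id "$a" "alice@example.invalid")"
    echo "decrypt in alice's keyring: $(decrypt_in "$a" "$m")"
    echo "decrypt in bob's keyring:   $(decrypt_in "$b" "$m")"
    rm -f "$m"
    cleanup_home "$a"
    cleanup_home "$b"
}

# Run as "sh this-script.sh --run" to see the walkthrough.
if [ "${1-}" = "--run" ]; then
    demo
fi
```

The python-gnupg equivalent of the per-key GNUPGHOME is constructing `gnupg.GPG(gnupghome=...)` with a different directory for each key. If both keys have to live in one keyring, `gpgconf --reload gpg-agent` flushes every cached passphrase before the next decryption; as the comment notes, gpg will then still try the first key for a message addressed to it and ask for that key's passphrase.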