
Using an empty-passphrase key pair, gpg 2.2.9 fails to decrypt with error "No secret key" on a gpg 1.4/2.0 keyring format even though the secret keys migration was successful
Closed, Duplicate (Public)

Description

Using keys generated with an empty passphrase (from gpg2, old pubring/secring format), gpg2.2.9 fails to decrypt with the error message "No secret key" on the gpg1.4/2.0 keyring format even though the secret key porting and migration were successful according to the log.
Note: I tried testing an empty-passphrase key pair generated in gpg2.2.9, and encryption/decryption was successful.

Here are the details of the test that I did.

This is the keyring directory from gpg1.4/2.0

fubar:testingGPG2.2.9-> ls -lstra gnupg2.0
total 112
32 drwxrwxrwx. 8 geodnila newbiz  709 Oct 26 16:59 ..
32 drwxrwxrwx. 2 geodnila newbiz   58 Oct 26 16:59 .
24 -rwxrwxrwx. 1 geodnila newbiz 1160 Oct 26 16:59 pubring.gpg
24 -rwxrwxrwx. 1 geodnila newbiz 2538 Oct 26 16:59 secring.gpg

List the keys using the gpg2.2.9 executable on the gnupg1.4/2.0 keyring

fubar:testingGPG2.2.9-> gpg2.2.9_rhel8 --homedir gnupg2.0  --list-keys
gpg: WARNING: unsafe permissions on homedir 'testingGPG2.2.9/gnupg2.0'
gpg: testingGPG2.2.9/gnupg2.0/trustdb.gpg: trustdb created
testingGPG2.2.9/gnupg2.0/pubring.gpg
------------------------------------------------------------------
pub   rsa2048 2020-01-21 [SCEA]
      3D750223D5B78DB1FEA5A23714BC819B0A74ABC1
uid           [ unknown] testclientdev

pub   rsa2048 2020-07-09 [SCEA]
      CD5010FB80A7F564F2A59DD6F7E2E540CBDD6AE1
uid           [ unknown] testclientdev

List the secret keys using the gpg2.2.9 executable on the gnupg1.4/2.0 keyring

The secret keys were ported and migrated successfully according to the logs below,
just by listing the secret keys.

fubar:testingGPG2.2.9-> gpg2.2.9_rhel8 --homedir gnupg2.0 --list-secret-keys
gpg: WARNING: unsafe permissions on homedir 'testingGPG2.2.9/gnupg2.0'
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from 'testingGPG2.2.9/gnupg2.0/secring.gpg' to gpg-agent
gpg: key 14BC819B0A74ABC1: secret key imported
gpg: key F7E2E540CBDD6AE1: secret key imported
gpg: migration succeeded
testingGPG2.2.9/gnupg2.0/pubring.gpg
------------------------------------------------------------------
sec   rsa2048 2020-01-21 [SCEA]
      3D750223D5B78DB1FEA5A23714BC819B0A74ABC1
uid           [ unknown] testclientdev

sec   rsa2048 2020-07-09 [SCEA]
      CD5010FB80A7F564F2A59DD6F7E2E540CBDD6AE1
uid           [ unknown] testclientdev

Content of gnupg2.0 at this point

fubar:testingGPG2.2.9-> ls -lstraR gnupg2.0/
gnupg2.0/:
total 264
48 -rwxrwxrwx. 1 geodnila newbiz 1160 Oct 26 16:59 pubring.gpg
48 -rwxrwxrwx. 1 geodnila newbiz 2538 Oct 26 16:59 secring.gpg
32 drwxrwxrwx. 8 geodnila newbiz  709 Oct 26 17:07 ..
48 -rwxrwxrwx. 1 geodnila newbiz 1200 Oct 26 17:15 trustdb.gpg
32 drwxrwxrwx. 2 geodnila newbiz  124 Oct 26 17:17 private-keys-v1.d
24 -rwxrwxrwx. 1 geodnila newbiz    0 Oct 26 17:17 .gpg-v21-migrated
32 drwxrwxrwx. 3 geodnila newbiz  157 Oct 26 17:17 .

gnupg2.0/private-keys-v1.d:
total 160
48 -rwxrwxrwx. 1 geodnila newbiz 1417 Oct 26 17:17 6F484E349157AB7F43700283F78DF8F044BA8065.key
32 drwxrwxrwx. 2 geodnila newbiz  124 Oct 26 17:17 .
48 -rwxrwxrwx. 1 geodnila newbiz 1417 Oct 26 17:17 FF293D5AAEC940977E1825F8B8305A18CF7C4D2A.key
32 drwxrwxrwx. 3 geodnila newbiz  157 Oct 26 17:17 ..

Encrypt using the key with the empty passphrase. Successful.

fubar:testingGPG2.2.9-> gpg2.2.9_rhel8 --homedir gnupg2.0 --no-permission-warning --no-random-seed-file --no-secmem-warning --batch --yes --always-trust --no-auto-check-trustdb -r testclientdev -o samplefile.txt.enc --encrypt samplefile.txt

Create the empty passphrase file

fubar:testingGPG2.2.9-> echo >emptypassphrasefile

Decrypt using the key with the empty passphrase. Failed.

fubar:testingGPG2.2.9-> gpg2.2.9_rhel8 --homedir gnupg2.0 --no-secmem-warning --no-mdc-warning --no-symkey-cache --pinentry-mode loopback --batch --yes --passphrase-fd 5 -o samplefile.txt.dec --decrypt samplefile.txt.enc 5<emptypassphrasefile
gpg: WARNING: unsafe permissions on homedir 'testingGPG2.2.9/gnupg2.0'
gpg: encrypted with RSA key, ID 93861A50514971EC
gpg: decryption failed: No secret key

Details

Version
2.2.9

Event Timeline

By the way, here are the version details of the gpg2.2.9_rhel8 that I used:
fubar:testingGPG2.2.9-> gpg2.2.9_rhel8 --homedir gnupg2.0 --version --verbose
gpg: WARNING: unsafe permissions on homedir 'TESTING_GPG2.2.9/gnupg2.0'
gpg (GnuPG) 2.2.9
libgcrypt 1.9.4
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later https://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: TESTING_GPG2.2.9/gnupg2.0
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256

Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

(I edited the report to make it readable, but did not yet look at it in detail.)
I wonder why you are using a decent libgcrypt but a 3 years old GnuPG version?

Thanks for responding to this issue. GnuPG 2.2.9 is the version of GnuPG that came with the RHEL 8.2 server provided by our server engineering team (it might be part of an RPM package they installed). Do you know if this issue got fixed in later versions after that?

Does the key have a passphrase or somehow the empty string as passphrase?
If you don't use loopback mode: does the pinentry pop up?

The key was generated without a passphrase.
Removing the pinentry-mode loopback parameter did not result in any popup at all, but just gave me the result below:

gpg2.2.9_rhel8 --homedir gnupg2.0 --no-secmem-warning --no-mdc-warning --no-symkey-cache --batch --yes --passphrase-fd 5 -o samplefile.txt.dec --decrypt samplefile.txt.enc 5<emptypassphrasefile
gpg: WARNING: unsafe permissions on homedir '/usr/local/farm/common/engel/TESTING_GPG2.2.9/gnupg2.0'
gpg: encrypted with RSA key, ID 93861A50514971EC
gpg: decryption failed: No secret key

gniibe triaged this task as Normal priority. Mar 17 2022, 3:31 AM
gniibe added a subscriber: gniibe.

I can't replicate this symptom when I use gnupg1 for creating keys with no passphrase.

Could you share your pubring.gpg and secring.gpg, so that we can test concretely?

Attached is the keyring package containing both the pub and sec ring files. When run with GPG 2.2.9, this gets migrated to the newer format, but it fails when the passphrase is empty (which works in older gpg).

Thank you. Confirmed.

The problem is exactly the same as T5804. It is due to a secret key generated by GnuPG 1.4 with a null passphrase.

GnuPG 2 handles the input of a null passphrase as no protection, and generates the secret key with no protection. That's the difference from GnuPG 1.4.

The error message of GnuPG 2.2 is from GPG_ERR_NO_SECKEY (while GnuPG 2.3's is from GPG_ERR_NO_PASSPHRASE); that's the difference in how the OpenPGP encrypted packet is handled. (GnuPG 2.3 supports more cases with possibly multiple secret keys and returns a better error code on error.)
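As an added example (not code from GnuPG or from anyone in this thread), the following Python script classifies the secret-key packets of a secring.gpg by their S2K usage octet. That octet is the on-disk distinction behind gniibe's explanation: a key stored with no protection (usage 0), which is what GnuPG 2 writes for an empty passphrase, versus a key wrapped with a passphrase-derived cipher key (usage 254/255), which is what a GnuPG 1.4 key with a "null" passphrase looks like. The keyring bytes at the bottom are constructed for the example with dummy MPIs; the parser itself handles any v4 secring.gpg via `classify_keyring(open(path, "rb").read())`.

```python
"""Classify secret-key packets in an OpenPGP keyring (secring.gpg layout).

Added example, not GnuPG's own code. Walks the packet stream, picks out
secret-key (tag 5) and secret-subkey (tag 7) packets and reports how the
secret material is stored. Only the fields up to the S2K specifier are
read; the secret MPIs themselves are never parsed.
"""
import struct

# Public MPIs per algorithm (RFC 4880 5.5.2): RSA n,e; ElGamal p,g,y; DSA p,q,g,y
PUBKEY_MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}
S2K_TYPE_NAMES = {0: "simple", 1: "salted", 3: "iterated+salted"}


def iter_packets(data):
    """Yield (tag, body) per packet; old- and new-format headers (RFC 4880 4.2).
    Partial-body lengths never occur in key packets, so they are rejected."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("no packet header at offset %d" % pos)
        pos += 1
        if ctb & 0x40:                                   # new-format header
            tag = ctb & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body length at offset %d" % pos)
        else:                                            # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 0:
                length = data[pos]
                pos += 1
            elif ltype == 1:
                length = struct.unpack(">H", data[pos:pos + 2])[0]
                pos += 2
            elif ltype == 2:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:                                        # indeterminate: rest of stream
                length = len(data) - pos
        yield tag, data[pos:pos + length]
        pos += length


def describe_secret_key(body):
    """Parse a v4 secret-key packet body up to (and just past) the S2K usage octet."""
    if body[0] != 4:
        raise ValueError("only v4 key packets are handled, got v%d" % body[0])
    algo = body[5]
    pos = 6
    for _ in range(PUBKEY_MPI_COUNT[algo]):              # skip the public MPIs
        bits = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2 + (bits + 7) // 8
    usage = body[pos]
    pos += 1
    info = {"created": struct.unpack(">I", body[1:5])[0], "algo": algo, "s2k_usage": usage}
    if usage == 0:
        info["protection"] = "unprotected"               # plaintext MPIs + 2-octet checksum follow
    elif usage in (254, 255):                            # cipher id, S2K specifier, IV, ciphertext follow
        info.update(protection="passphrase (S2K)", cipher=body[pos],
                    s2k_type=S2K_TYPE_NAMES.get(body[pos + 1], "unknown"),
                    hash_algo=body[pos + 2], integrity="sha1" if usage == 254 else "checksum")
    else:                                                # pre-RFC 2440 style: usage octet is the cipher id
        info.update(protection="passphrase (legacy)", cipher=usage)
    return info


def classify_keyring(data):
    """One description per secret key / subkey packet in the stream."""
    return [describe_secret_key(body) for tag, body in iter_packets(data) if tag in (5, 7)]


# --- constructed sample keyring: dummy MPIs, not real key material ---
def _mpi(n):
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")

def _old_packet(tag, body):      # old format, two-octet length
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def _new_packet(tag, body):      # new format, one-octet length (body < 192)
    return bytes([0xC0 | tag, len(body)]) + body

_PUBLIC = b"\x04" + struct.pack(">I", 1579564800) + b"\x01" + _mpi(0xC0DEC0DE) + _mpi(65537)  # v4, RSA, 2020-01-21
_SECRET = _mpi(0x1234) + _mpi(0xAB) + _mpi(0xCD) + _mpi(0x05)
# Key 1: stored the way GnuPG 2 writes an empty-passphrase key: usage 0, plaintext MPIs, checksum
_UNPROTECTED = _PUBLIC + b"\x00" + _SECRET + struct.pack(">H", sum(_SECRET) & 0xFFFF)
# Key 2: usage 254, AES-256, iterated+salted S2K over SHA-1, 8-octet salt, count, 16-octet IV, ciphertext
_PROTECTED = _PUBLIC + b"\xfe\x09\x03\x02" + b"\x00" * 8 + b"\x60" + b"\x11" * 16 + b"\xaa" * 32

SAMPLE_KEYRING = (_old_packet(5, _UNPROTECTED)
                  + _old_packet(13, b"testclientdev")   # user ID packet, skipped by classify_keyring
                  + _new_packet(5, _PROTECTED))

if __name__ == "__main__":
    for entry in classify_keyring(SAMPLE_KEYRING):
        print(entry)
```

Two checks on a real homedir go with this: `gpg --list-packets secring.gpg` prints the S2K parameters of each secret-key packet, and after migration every file in `private-keys-v1.d/` starts with either `(21:protected-private-key` or `(11:private-key`, which tells you whether gpg-agent will demand a passphrase for that keygrip. A secring.gpg key that this script reports as "passphrase (S2K)" while the owner insists it has no passphrase is the case discussed above.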