Page MenuHome GnuPG

Using empty passphrase key pair, gpg2.2.9 fails to decrypt with error "No secret key" on a gpg1.4/2.0 keyring format even though the secret keys migration was successful
Open, Needs TriagePublic

Description

Using empty passphrase generated keys (from gpg2, old purring/secring format), gpg2,2,9 fails to decrypt with an error message "No secret key" on gpg1.4/2.0 keyring format even though the secret keys porting and migration were successful according to the log.
Note: I tried to testing empty passphrase generated key pair in gpg2.2.9 and encryption/decryption was successful.

Here are the details of the test that I did.

his is keyring directory from gpg1.4/2.0

fubar:testingGPG2.2.9-> ls -lstra gnupg2.0
total 112
32 drwxrwxrwx. 8 geodnila newbiz  709 Oct 26 16:59 ..
32 drwxrwxrwx. 2 geodnila newbiz   58 Oct 26 16:59 .
24 -rwxrwxrwx. 1 geodnila newbiz 1160 Oct 26 16:59 pubring.gpg
24 -rwxrwxrwx. 1 geodnila newbiz 2538 Oct 26 16:59 secring.gpg

list the keys using gpg2.2.9 executable using gnup1.4/2.0 keyring

fubar:testingGPG2.2.9-> gpg2.2.9_rhel8 --homedir gnupg2.0  --list-keys
gpg: WARNING: unsafe permissions on homedir 'testingGPG2.2.9/gnupg2.0'
gpg: testingGPG2.2.9/gnupg2.0/trustdb.gpg: trustdb created
testingGPG2.2.9/gnupg2.0/pubring.gpg
'------------------------------------------------------------------
pub   rsa2048 2020-01-21 [SCEA]
      3D750223D5B78DB1FEA5A23714BC819B0A74ABC1
uid           [ unknown] testclientdev

pub   rsa2048 2020-07-09 [SCEA]
      CD5010FB80A7F564F2A59DD6F7E2E540CBDD6AE1
uid           [ unknown] testclientdev

List the secret-keys using gpg2.2.9 executable using gnup1.4/2.0 keyring

The secret keys were ported and migrated successfully according to the logs below
by just listing the secret keys

fubar:testingGPG2.2.9-> gpg2.2.9_rhel8 --homedir gnupg2.0 --list-secret-keys
gpg: WARNING: unsafe permissions on homedir 'testingGPG2.2.9/gnupg2.0'
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from 'testingGPG2.2.9/gnupg2.0/secring.gpg' to gpg-agent
gpg: key 14BC819B0A74ABC1: secret key imported
gpg: key F7E2E540CBDD6AE1: secret key imported
gpg: migration succeeded
testingGPG2.2.9/gnupg2.0/pubring.gpg
'------------------------------------------------------------------
sec   rsa2048 2020-01-21 [SCEA]
      3D750223D5B78DB1FEA5A23714BC819B0A74ABC1
uid           [ unknown] testclientdev

sec   rsa2048 2020-07-09 [SCEA]
      CD5010FB80A7F564F2A59DD6F7E2E540CBDD6AE1
uid           [ unknown] testclientdev

content of the gnupg2.0 at this point

fubar:testingGPG2.2.9-> ls -lstraR gnupg2.0/
gnupg2.0/:
total 264
48 -rwxrwxrwx. 1 geodnila newbiz 1160 Oct 26 16:59 pubring.gpg
48 -rwxrwxrwx. 1 geodnila newbiz 2538 Oct 26 16:59 secring.gpg
32 drwxrwxrwx. 8 geodnila newbiz  709 Oct 26 17:07 ..
48 -rwxrwxrwx. 1 geodnila newbiz 1200 Oct 26 17:15 trustdb.gpg
32 drwxrwxrwx. 2 geodnila newbiz  124 Oct 26 17:17 private-keys-v1.d
24 -rwxrwxrwx. 1 geodnila newbiz    0 Oct 26 17:17 .gpg-v21-migrated
32 drwxrwxrwx. 3 geodnila newbiz  157 Oct 26 17:17 .

gnupg2.0/private-keys-v1.d:
total 160
48 -rwxrwxrwx. 1 geodnila newbiz 1417 Oct 26 17:17 6F484E349157AB7F43700283F78DF8F044BA8065.key
32 drwxrwxrwx. 2 geodnila newbiz  124 Oct 26 17:17 .
48 -rwxrwxrwx. 1 geodnila newbiz 1417 Oct 26 17:17 FF293D5AAEC940977E1825F8B8305A18CF7C4D2A.key
32 drwxrwxrwx. 3 geodnila newbiz  157 Oct 26 17:17 ..

Encrypt using the key with empty passphrase. Successful

fubar:testingGPG2.2.9-> gpg2.2.9_rhel8 --homedir gnupg2.0 --no-permission-warning --no-random-seed-file --no-secmem-warning --batch --yes --always-trust --no-auto-check-trustdb -r testclientdev -o samplefile.txt.enc --encrypt samplefile.txt

create the empty passphrase file

fubar:testingGPG2.2.9-> echo >emptypassphrasefile

Decrypt using a key with empty passphrase. Failed

fubar:testingGPG2.2.9-> gpg2.2.9_rhel8 --homedir gnupg2.0 --no-secmem-warning --no-mdc-warning --no-symkey-cache --pinentry-mode loopback --batch --yes --passphrase-fd 5 -o samplefile.txt.dec --decrypt samplefile.txt.enc 5<emptypassphrasefile
gpg: WARNING: unsafe permissions on homedir 'testingGPG2.2.9/gnupg2.0'
gpg: encrypted with RSA key, ID 93861A50514971EC
gpg: decryption failed: No secret key

Details

Version
2.2.9

Event Timeline

By the way he is the version details of gpg2.2.9_rhe8 that I used:
fubar:testingGPG2.2.9-> gpg2.2.9_rhel8 --homedir gnupg2.0 --version --verbose
gpg: WARNING: unsafe permissions on homedir 'TESTING_GPG2.2.9/gnupg2.0'
gpg (GnuPG) 2.2.9
libgcrypt 1.9.4
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later https://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: TESTING_GPG2.2.9/gnupg2.0
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,

CAMELLIA128, CAMELLIA192, CAMELLIA256

Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

(I edited the report to make it readable, but did not yet looked at it in detail)
I wonder why you are using a decent libgcrypt but a 3 years old GnuPG version?

Thanks for responding to this issue. The GnuPG2.29 is the version of GnuPG that came with the RHEL8.2 server provided for by our server engineer team(might be part of an RPM package the installed). Do you know if this issue got fixed in the later versions after that?

Does the key have a passsphrase or somehow the empty string as passphrase?
If you don't use lookback mode: does the pinentry pop up?

The key was generated without a passphrase.
Removing the pinentry-mode loopback parameter did not result in any popup at all but just gave me the below result:

gpg2.2.9_rhel8 --homedir gnupg2.0 --no-secmem-warning --no-mdc-warning --no-symkey-cache --batch --yes --passphrase-fd 5 -o samplefile.txt.dec --decrypt samplefile.txt.enc 5<emptypassphrasefile
gpg: WARNING: unsafe permissions on homedir '/usr/local/farm/common/engel/TESTING_GPG2.2.9/gnupg2.0'
gpg: encrypted with RSA key, ID 93861A50514971EC
gpg: decryption failed: No secret key