
Using empty passphrase key pair, gpg2.3.4 fails to decrypt with error "No passphrase given" on a gpg1.4/2.0 keyring format even though the secret keys migration was successful
Open, Normal, Public

Description

Using a key pair generated with an empty passphrase (by gpg2, in the old pubring/secring format), gpg2.3.4 fails to decrypt with the error message "No passphrase given" on a gpg1.4/2.0 keyring format, even though the porting and migration of the secret keys were successful according to the log.
Note: I tried testing a key pair generated with an empty passphrase in gpg2.3.4 itself, and encryption/decryption was successful.

GnuPG version:

gpg (GnuPG) 2.3.4
libgcrypt 1.9.4
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/geodnila/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
AEAD: EAX, OCB
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB

Here are the details of the test that I did.

This is the keyring directory from gpg1.4/2.0:

fubar:testingGPG2.3.4-> ls -lstra gnupg2.0_keyring
total 160
32 drwxrwxrwx. 9 geodnila newbiz  801 Jan 27 16:15 ..
32 drwxrwxrwx. 2 geodnila newbiz   58 Jan 27 16:15 .
48 -rwxrwxrwx. 1 geodnila newbiz 1160 Jan 27 16:15 pubring.gpg
48 -rwxrwxrwx. 1 geodnila newbiz 2538 Jan 27 16:15 secring.gpg

List the keys in gnupg2.0_keyring using the gpg2.3.4 executable:

fubar:testingGPG2.3.4-> gpg2.3.4_rhel8 --homedir gnupg2.0_keyring  --list-keys
gpg: WARNING: unsafe permissions on homedir '/home/geodnila/testingGPG2.3.4/gnupg2.0_keyring'
gpg: /home/geodnila/testingGPG2.3.4/gnupg2.0_keyring/trustdb.gpg: trustdb created
/home/geodnila/gnupg2.0_keyring/pubring.gpg
----------------------------------------------------------------------------------
pub   rsa2048 2020-01-21 [SCEA]
      3D750223D5B78DB1FEA5A23714BC819B0A74ABC1
uid           [ unknown] testclientdev

pub   rsa2048 2020-07-09 [SCEA]
      CD5010FB80A7F564F2A59DD6F7E2E540CBDD6AE1
uid           [ unknown] testclientdev

List the secret keys in gnupg2.0_keyring using the gpg2.3.4 executable. According to the logs below, the secret keys were ported and migrated successfully just by listing them:

fubar:testingGPG2.3.4-> gpg2.3.4_rhel8 --homedir gnupg2.0_keyring --list-secret-keys
gpg: WARNING: unsafe permissions on homedir '/home/geodnila/testingGPG2.3.4/gnupg2.0_keyring'
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from 'home/geodnila/testingGPG2.3.4/gnupg2.0_keyring/secring.gpg' to gpg-agent
gpg: key 14BC819B0A74ABC1: secret key imported
gpg: key F7E2E540CBDD6AE1: secret key imported
gpg: migration succeeded
/home/geodnila/gnupg2.0_keyring/pubring.gpg
----------------------------------------------------------------------------------
sec   rsa2048 2020-01-21 [SCEA]
      3D750223D5B78DB1FEA5A23714BC819B0A74ABC1
uid           [ unknown] testclientdev

sec   rsa2048 2020-07-09 [SCEA]
      CD5010FB80A7F564F2A59DD6F7E2E540CBDD6AE1
uid           [ unknown] testclientdev

Content of gnupg2.0_keyring at this point:

fubar:testingGPG2.3.4-> ls -lstraR gnupg2.0_keyring/
gnupg2.0_keyring/:
total 264
32 drwxrwxrwx. 9 geodnila newbiz  801 Jan 27 16:15 ..
48 -rwxrwxrwx. 1 geodnila newbiz 1160 Jan 27 16:15 pubring.gpg
48 -rwxrwxrwx. 1 geodnila newbiz 2538 Jan 27 16:15 secring.gpg
48 -rwxrwxrwx. 1 geodnila newbiz 1200 Jan 27 16:28 trustdb.gpg
32 drwxrwxrwx. 2 geodnila newbiz  124 Jan 27 16:33 private-keys-v1.d
24 -rwxrwxrwx. 1 geodnila newbiz    0 Jan 27 16:33 .gpg-v21-migrated
32 drwxrwxrwx. 3 geodnila newbiz  157 Jan 27 16:33 .

gnupg2.0_keyring/private-keys-v1.d:
total 160
48 -rwxrwxrwx. 1 geodnila newbiz 2701 Jan 27 16:33 6F484E349157AB7F43700283F78DF8F044BA8065.key
32 drwxrwxrwx. 2 geodnila newbiz  124 Jan 27 16:33 .
48 -rwxrwxrwx. 1 geodnila newbiz 2701 Jan 27 16:33 FF293D5AAEC940977E1825F8B8305A18CF7C4D2A.key
32 drwxrwxrwx. 3 geodnila newbiz  157 Jan 27 16:33 ..

Encrypt using the key with empty passphrase. Successful

fubar:testingGPG2.3.4-> gpg2.3.4_rhel8 --homedir gnupg2.0_keyring --no-permission-warning --no-random-seed-file --no-secmem-warning --batch --yes --always-trust --no-auto-check-trustdb -r testclientdev -o samplefile.txt.enc --encrypt samplefile.txt

Create the empty passphrase file:

fubar:testingGPG2.3.4-> echo >emptypassphrasefile

Decrypt using a key with empty passphrase. Failed

fubar:testingGPG2.3.4-> gpg2.3.4_rhel8 --homedir gnupg2.0_keyring --no-secmem-warning --no-mdc-warning --no-symkey-cache --pinentry-mode loopback --batch --yes --passphrase-fd 5 -o samplefile.txt.dec --decrypt samplefile.txt.enc 5<emptypassphrasefile
gpg: WARNING: unsafe permissions on homedir '/home/geodnila/gnupg2.0_keyring'
gpg: encrypted with rsa2048 key, ID 14BC819B0A74ABC1, created 2020-01-21
      "testclientdev"
gpg: public key decryption failed: No passphrase given
gpg: decryption failed: No passphrase given

Event Timeline

engel97 renamed this task from 'Using empty passphrase key pair, gpg2.3.4 fails to decrypt with error "No secret key" on a gpg1.4/2.0 keyring format even though the secret keys migration was successful' to 'Using empty passphrase key pair, gpg2.3.4 fails to decrypt with error "No passphrase given" on a gpg1.4/2.0 keyring format even though the secret keys migration was successful'. Jan 28 2022, 1:49 AM
engel97 triaged this task as High priority.
engel97 created this task.
engel97 created this object in space S1 Public.
engel97 updated the task description.
werner lowered the priority of this task from High to Normal. Jan 28 2022, 7:20 AM
werner updated the task description.

I can't replicate this symptom (gpg1 generated key, no problem after migration).
Could you share the *.key file under private-keys-v1.d?

[attachment F3381469] I uploaded the whole homedir containing the keys after they were migrated by the new gnupg2.3.4. It should have all of the keys in there. Don't worry, these keys are just for testing and not used anywhere.

Thank you.

I examined the files, and the secring.gpg is encrypted with a null passphrase, not left unencrypted.
Currently, gpg 2.2/2.3 has no way to handle this, because libgcrypt (>= 1.6) doesn't allow a null passphrase for the KDF.

Let us consider how this can be solved.
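The distinction drawn in the comment above (secret material wrapped with an S2K-derived key versus stored in the clear) is visible in the "string-to-key usage" octet of each secret-key packet in the old secring.gpg. The following diagnostic is an added example, not GnuPG code; it parses that octet and the S2K parameters so an operator can tell which legacy keys will go through the passphrase KDF at all. Whether the passphrase behind usage 254/255 is the empty string cannot be read from the packet, only learned by attempting decryption; the sample keyring bytes are constructed toy packets, not real keys.

```python
"""Report how each secret key in an old-style secring.gpg protects its material
(RFC 4880 "string-to-key usage" octet).  Added diagnostic, not GnuPG code."""

N_PUBLIC_MPIS = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # RSA variants, ElGamal, DSA

def iter_packets(data):
    """Yield (tag, body) for old- and new-format OpenPGP packet headers."""
    pos = 0
    while pos < len(data):
        b = data[pos]
        if b & 0x40:                                   # new-format header
            tag, first = b & 0x3F, data[pos + 1]
            if first < 192:    length, hdr = first, 2
            elif first < 224:  length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255: length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
            else: raise ValueError("partial body lengths unsupported")
        else:                                          # old-format header
            tag, size = (b >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}.get(b & 3)
            if size is None: raise ValueError("indeterminate length unsupported")
            length, hdr = int.from_bytes(data[pos + 1:pos + 1 + size], "big"), 1 + size
        yield tag, data[pos + hdr:pos + hdr + length]
        pos += hdr + length

def protection(body):
    """Parse a v4 secret-key/secret-subkey body up to and including its S2K fields."""
    assert body[0] == 4, "only v4 key packets handled"
    pos = 6                                            # version, 4-byte ctime, algo id
    for _ in range(N_PUBLIC_MPIS[body[5]]):            # skip the public MPIs
        pos += 2 + (int.from_bytes(body[pos:pos + 2], "big") + 7) // 8
    usage = body[pos]
    if usage == 0:
        return {"usage": 0, "protected": False}        # plaintext secret MPIs
    info = {"usage": usage, "protected": True}
    if usage in (254, 255):                            # cipher id, S2K type, hash id
        info.update(cipher=body[pos + 1], s2k_type=body[pos + 2], hash=body[pos + 3])
        if body[pos + 2] == 3:                         # iterated+salted: 8-byte salt, count
            c = body[pos + 12]
            info["count"] = (16 + (c & 15)) << ((c >> 4) + 6)
    return info                                        # else: legacy "usage == cipher id"

def scan(data):
    return [protection(b) for tag, b in iter_packets(data) if tag in (5, 7)]

# Constructed sample keyring (not real keys): two tag-5 packets with 1-byte MPIs; first
# unprotected (usage 0), second AES-256/SHA-1 iterated+salted S2K, count byte 0x60, IV, ciphertext.
_PUB = b"\x04\x5e\x26\xa0\x00\x01" + b"\x00\x08\xc1" + b"\x00\x05\x11"
_UNPROT = _PUB + b"\x00" + b"\x00\x05\x13" * 4 + b"\x00\x00"
_PROT = _PUB + b"\xfe\x09\x03\x02" + b"\x01" * 8 + b"\x60" + b"\x00" * 16 + b"\xaa" * 8
SAMPLE_SECRING = b"".join(b"\x95" + len(p).to_bytes(2, "big") + p for p in (_UNPROT, _PROT))
```

Run `scan(open("secring.gpg", "rb").read())` against a real legacy keyring; any entry with `protected` true is one that gpg 2.2/2.3 will hand to the libgcrypt KDF.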

Any progress on how the solution for this has been considered? Thanks.

Because it's the library which refuses a null passphrase as input, the only possible options are:

  • (if really needed) implement the KDF in gpg so that it accepts a null passphrase.
  • Document this issue with a possible workaround
    • use gpg 1.4 to export the secret key with a valid (non-null) passphrase
    • then, import the key by gpg 2.2/2.3

I'm afraid the first option kills the intention of the library refusing null passphrase.