
Regression in GnuPG 2.2.34 with some ECC keys
Closed, Resolved, Public

Description

We noticed that GnuPG 2.2.35 rejected some keys that were generated in our unit test. Surprisingly, only Windows seems to be affected: we tested GnuPG 2.2.35-2 from Debian testing, and it imports the key just fine.

Through manual testing we discovered that 2.2.34 is also affected, whereas 2.2.33 is fine. The tests use the binary distributions from https://gnupg.org/ftp/gcrypt/binary/

Because only some keys are rejected, this smells like an MPI encoding, and there is a change to that in the changelog, T5120. It is curious why this should only affect Windows though.

C:\Users\justus>gnupg-2.2.33\bin\gpg --import bad-sign-key.pgp
gpg: keybox 'C:/Users/justus/AppData/Roaming/gnupg/pubring.kbx' created
gpg: C:/Users/justus/AppData/Roaming/gnupg/trustdb.gpg: trustdb created
gpg: key 8F73CF0A8EB36B6F: public key "someone@example.org" imported
gpg: key 8F73CF0A8EB36B6F: secret key imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1

C:\Users\justus>rm -r AppData/Roaming/gnupg

C:\Users\justus>rm -r AppData/Local/gnupg

C:\Users\justus>gnupg-2.2.34\bin\gpg --import bad-sign-key.pgp
gpg: keybox 'C:/Users/justus/AppData/Roaming/gnupg/pubring.kbx' created
gpg: C:/Users/justus/AppData/Roaming/gnupg/trustdb.gpg: trustdb created
gpg: key 8F73CF0A8EB36B6F: public key "someone@example.org" imported
gpg: key 8F73CF0A8EB36B6F/8F73CF0A8EB36B6F: error sending to agent: Invalid argument
gpg: key 8F73CF0A8EB36B6F/29C3C33E92C23B71: error sending to agent: Invalid argument
gpg: error reading 'bad-sign-key.pgp': Invalid argument
gpg: import from 'bad-sign-key.pgp' failed: Invalid argument
gpg: Total number processed: 0
gpg:               imported: 1
gpg:       secret keys read: 1

C:\Users\justus>rm -r AppData/Roaming/gnupg

C:\Users\justus>rm -r AppData/Local/gnupg

C:\Users\justus>gnupg-2.2.35\bin\gpg --import bad-sign-key.pgp
gpg: keybox 'C:/Users/justus/AppData/Roaming/gnupg/pubring.kbx' created
gpg: C:/Users/justus/AppData/Roaming/gnupg/trustdb.gpg: trustdb created
gpg: key 8F73CF0A8EB36B6F: public key "someone@example.org" imported
gpg: key 8F73CF0A8EB36B6F/8F73CF0A8EB36B6F: error sending to agent: Invalid argument
gpg: key 8F73CF0A8EB36B6F/29C3C33E92C23B71: error sending to agent: Invalid argument
gpg: error reading 'bad-sign-key.pgp': Invalid argument
gpg: import from 'bad-sign-key.pgp' failed: Invalid argument
gpg: Total number processed: 0
gpg:               imported: 1
gpg:       secret keys read: 1

C:\Users\justus>cat bad-sign-key.pgp

Details

Version
2.2.34

Event Timeline

werner added a subscriber: werner.

You deleted the socket file but you did not restart the agent. Thus gpg can't contact the agent anymore. On Windows we use a socket emulation which requires the socket's file only for a new connection (to get the port and magic cookie).

werner edited projects, added Bug Report; removed Windows, Not A Bug.

Looking again at your report, I don't think it is an IPC problem (bad magic cookie was my assumption). I can replicate this with the current 2.2 but not with 2.3. Both on Unix.

The likely cause is that the secret key is not protected. Problem seems to be in gpg-agent.

I can replicate the error with 2.2.35, but I cannot replicate it with rG7b1db7192.
I tested:

  • GNU/Linux
    • i686
    • x86_64
  • Windows
    • i686

So, I think that it's T5120.
2.2.35-2 of Debian has the patch of T5120.

The mentioned "g10: Fix garbled status messages in NOTATION_DATA" has nothing to do with the problem. So it can't be the actual cause. Anyway, I hope to get a 2.2.36 out this week.

werner renamed this task from Regression in GnuPG 2.2.34 on Windows to Regression in GnuPG 2.2.34 with some ECC keys. Jun 20 2022, 1:06 PM

I fixed the title, because it is not a Windows only issue.

My intention in referring to rG7b1db7192 was to specify the HEAD of STABLE-BRANCH-2-2, meaning "the head of STABLE-BRANCH-2-2 today". The commit itself has no meaning.

gniibe removed a project: Restricted Project. Jul 7 2022, 6:50 AM

Fixed in 2.2.36.
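
The two import transcripts in the report differ in a way a test suite can check mechanically: in the failing run the public key is stored but no secret key is. The Python check below is an added example, not code from the reporter or the GnuPG project; it assumes English-language gpg messages and an import into an empty home directory, and the name `check_import` is hypothetical.

```python
import re

# Lines copied from the 2.2.33 (working) and 2.2.34 (failing) runs in the report.
GOOD = """\
gpg: key 8F73CF0A8EB36B6F: public key "someone@example.org" imported
gpg: key 8F73CF0A8EB36B6F: secret key imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
"""
BAD = """\
gpg: key 8F73CF0A8EB36B6F: public key "someone@example.org" imported
gpg: key 8F73CF0A8EB36B6F/8F73CF0A8EB36B6F: error sending to agent: Invalid argument
gpg: key 8F73CF0A8EB36B6F/29C3C33E92C23B71: error sending to agent: Invalid argument
gpg: import from 'bad-sign-key.pgp' failed: Invalid argument
gpg: Total number processed: 0
gpg:               imported: 1
gpg:       secret keys read: 1
"""

COUNT = re.compile(r"^gpg:\s+(imported|secret keys read|secret keys imported):\s+(\d+)$")
AGENT_ERR = re.compile(r"^gpg: key [0-9A-F]+/([0-9A-F]+): error sending to agent: (.+)$")

def check_import(output):
    """Summarise one `gpg --import` run into a fresh, empty home directory."""
    counts, rejected = {}, []
    for line in output.splitlines():
        line = line.rstrip()
        if m := COUNT.match(line):
            counts[m.group(1)] = int(m.group(2))
        elif m := AGENT_ERR.match(line):
            # (key ID that gpg-agent refused, error text reported by gpg)
            rejected.append((m.group(1), m.group(2)))
    read = counts.get("secret keys read", 0)
    stored = counts.get("secret keys imported", 0)
    return {
        "public_imported": counts.get("imported", 0),
        "secret_read": read,
        "secret_imported": stored,
        "rejected": rejected,
        # Partial import: the public key is stored, the secret key is not.
        "ok": not rejected and read == stored,
    }

if __name__ == "__main__":
    for name, text in (("2.2.33", GOOD), ("2.2.34", BAD)):
        print(name, check_import(text))
```

On a keyring that already holds the key, gpg reports unchanged secret keys separately, so the `read == stored` comparison only holds for a fresh home directory as used in the report.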