Mailing List Archive

Decryption fails with "No secret key"
Hi

After upgrading my PC to Fedora 30

gnupg2-2.2.17-1.fc30.x86_64
gnupg2-smime-2.2.17-1.fc30.x86_64
gpgme-1.12.0-1.fc30.x86_64
gnutls-3.6.10-1.fc30.x86_64
libgcrypt-1.8.5-1.fc30.x86_64
libgpg-error-1.33-2.fc30.x86_64

a problem with decrypting came up.

Encryption works:

$ gpg --verbose --output test.txt.gpg --recipient contact@dipohl.de --encrypt test.txt
gpg: Note: signature key E747789CEA208551 expired Fri 06 Jun 2014 07:46:32 PM CEST
gpg: using pgp trust model
gpg: using subkey 4BB3049F19616A80 instead of primary key 9C7646202CE0CBB2
gpg: automatically retrieved 'contact@dipohl.de' via Local
gpg: This key belongs to us
gpg: reading from 'test.txt'
gpg: writing to 'test.txt.gpg'
gpg: RSA/AES256 encrypted for: "4BB3049F19616A80 Gabriele Pohl <contact@dipohl.de>"

$ ls -l test.txt*
-rw-rw-r--. 1 gap gap 119 Jan 3 13:04 test.txt
-rw-rw-r--. 1 gap gap 697 Jan 3 13:07 test.txt.gpg

But decrypting fails:

$ gpg --verbose --decrypt test.txt.gpg
gpg: public key is 4BB3049F19616A80
gpg: using subkey 4BB3049F19616A80 instead of primary key 9C7646202CE0CBB2
gpg: encrypted with 4096-bit RSA key, ID 4BB3049F19616A80, created 2016-09-05
"Gabriele Pohl <contact@dipohl.de>"
gpg: decryption failed: No secret key

The secret key is available:

gpg> list

sec rsa2048/9C7646202CE0CBB2
created: 2012-09-05 expires: 2020-03-16 usage: SC
trust: ultimate validity: ultimate
ssb rsa2048/51E12CABCB4F0264
created: 2012-09-05 expired: 2016-09-04 usage: E
sub rsa4096/4BB3049F19616A80
created: 2016-09-05 expires: 2020-03-16 usage: E
[ultimate] (1). Gabriele Pohl <contact@dipohl.de>
..


My gpg-agent.conf:

# Cache settings
default-cache-ttl 10800
default-cache-ttl-ssh 10800
max-cache-ttl 10800

# Environment file
#write-env-file /home/gap/.gpg-agent-info

# Keyboard control
no-grab

# PIN entry program
#pinentry-program /usr/bin/pinentry
pinentry-program /usr/bin/pinentry-curses
#pinentry-program /usr/bin/pinentry-qt4
#pinentry-program /usr/bin/pinentry-kwallet
#pinentry-program /usr/bin/pinentry-gtk-2
#pinentry-program /usr/bin/pinentry-gtk
#pinentry-program /usr/bin/pinentry-qt

disable-scdaemon
allow-mark-trusted
keep-display
display :0.0
debug-level basic


I hope you can help me to solve the problem.


Thanks and kind regards,

Gabriele

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Decryption fails with "No secret key"
On Freitag, 3. Januar 2020 13:53:00 CET Gabriele Pohl wrote:
> After upgrading my PC to Fedora 30
[...]
> a problem with decrypting came up.
>
> Encryption works:
>
> $ gpg --verbose --output test.txt.gpg --recipient contact@dipohl.de
> --encrypt test.txt
[...]
> gpg: RSA/AES256 encrypted for: "4BB3049F19616A80 Gabriele Pohl
> <contact@dipohl.de>"
[...]
> But decrypting fails:
>
> $ gpg --verbose --decrypt test.txt.gpg
> gpg: public key is 4BB3049F19616A80
> gpg: using subkey 4BB3049F19616A80 instead of primary key 9C7646202CE0CBB2
> gpg: encrypted with 4096-bit RSA key, ID 4BB3049F19616A80, created
> 2016-09-05 "Gabriele Pohl <contact@dipohl.de>"
> gpg: decryption failed: No secret key
>
> The secret key is available:
>
> gpg> list
>
> sec rsa2048/9C7646202CE0CBB2
> created: 2012-09-05 expires: 2020-03-16 usage: SC
> trust: ultimate validity: ultimate
> ssb rsa2048/51E12CABCB4F0264
  ===
> created: 2012-09-05 expired: 2016-09-04 usage: E
> sub rsa4096/4BB3049F19616A80
  ===
> created: 2016-09-05 expires: 2020-03-16 usage: E
> [ultimate] (1). Gabriele Pohl <contact@dipohl.de>

The secret key of subkey 4BB3049F19616A80 is not available (it's listed as
"sub", but not as "ssb"). Only the secret keys of the main key and the expired
subkey are available.

I suspect a gpg1 vs. gpg2 problem, i.e. the secret key of subkey
4BB3049F19616A80 is only available to gpg1 or gpg2, but not to both (they use
different key storages). Fedora 30 probably used gpg2 when you run 'gpg' while
the previous version used gpg1.

Possible solution:
* Make a backup (just to be sure).
* Re-run the migration of the keys from the old storage format to the new one.
I think all you have to do is to remove the file ~/.gnupg/.gpg-v21-migrated.

Regards,
Ingo




Re: Decryption fails with "No secret key"
Hi Ingo,

On Sun, 05 Jan 2020 16:17:04 +0100
Ingo Klöcker wrote:

with your recipe

> all you have to do is to remove the file ~/.gnupg/.gpg-v21-migrated

the missing secret key was migrated again
and decryption is possible now :-)

The key listing now shows:

----------- snip -----------

Secret key is available.

sec rsa2048/9C7646202CE0CBB2
created: 2012-09-05 expires: 2020-03-16 usage: SC
trust: ultimate validity: ultimate
ssb rsa2048/51E12CABCB4F0264
created: 2012-09-05 expired: 2016-09-04 usage: E
ssb rsa4096/4BB3049F19616A80
created: 2016-09-05 expires: 2020-03-16 usage: E
ssb rsa4096/534EADA0332CFAAF
created: 2016-09-09 expired: 2018-09-09 usage: S
[ultimate] (1). Gabriele Pohl <contact@dipohl.de>

----------- snip -----------


> The secret key of subkey 4BB3049F19616A80 is not available (it's listed as
> "sub", but not as "ssb"). Only the secret keys of the main key and the expired
> subkey are available.
>
> I suspect a gpg1 vs. gpg2 problem, i.e. the secret key of subkey
> 4BB3049F19616A80 is only available to gpg1 or gpg2, but not to both (they use
> different key storages). Fedora 30 probably used gpg2 when you run 'gpg' while
> the previous version used gpg1.

hmmm, I searched for fedora bug reports (before I wrote
to this mailing list) but didn't find my issue there.

I reckon there are not many users who add encryption keys
to an existent key and this special case may be the
reason for the problem arising in my case.
I think it is too late to file a bug report now
as the move from Fedora 29 to 30 is no longer relevant.

And by searching the internet this thread may arise
in the future for lucky finders ;-)


Thank you very much for your help and kind regards,

Gabriele
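
Added example (not part of the thread and not GnuPG project code): the "sub" versus "ssb" check from the reply above, done on gpg's machine-readable listing so it can be scripted after an upgrade. The function name and the two sample listings are assumptions made for this example; the key IDs come from the thread, while the timestamps and other field values are constructed.

```shell
#!/bin/sh
# Reads a gpg colon listing on stdin and prints the key ID of every
# encryption subkey that is still valid but has no secret key in this keyring.
# Works on "gpg --list-keys --with-secret --with-colons" (sub records) and on
# "gpg --list-secret-keys --with-colons" (ssb records).
# Colon fields used: 1 record type, 2 validity, 5 key ID, 12 capabilities,
# 15 secret-key marker ("+" = present, a serial number = on a smartcard,
# "#" or empty = no secret key available).
missing_secret_subkeys() {
    awk -F: '
        $1 == "sub" || $1 == "ssb" {
            usable  = ($2 !~ /^[erdin]$/)   # skip expired, revoked, disabled, invalid
            encrypt = ($12 ~ /e/)           # subkey can be used for encryption
            secret  = ($15 != "" && $15 != "#")
            if (usable && encrypt && !secret) print $5
        }'
}

# Constructed listing: state before the keys were migrated again.
sample_before() {
    cat <<'EOF'
pub:u:2048:1:9C7646202CE0CBB2:1346803200:1584316800::u:::scESC:::+:::23::0:
sub:e:2048:1:51E12CABCB4F0264:1346803200:1472947200:::::e:::+:::23:
sub:u:4096:1:4BB3049F19616A80:1473033600:1584316800:::::e:::#:::23:
EOF
}

# Constructed listing: state after the migration was re-run.
sample_after() {
    cat <<'EOF'
pub:u:2048:1:9C7646202CE0CBB2:1346803200:1584316800::u:::scESC:::+:::23::0:
sub:e:2048:1:51E12CABCB4F0264:1346803200:1472947200:::::e:::+:::23:
sub:u:4096:1:4BB3049F19616A80:1473033600:1584316800:::::e:::+:::23:
sub:e:4096:1:534EADA0332CFAAF:1473379200:1536451200:::::s:::+:::23:
EOF
}

# On a real keyring:
#   gpg --list-keys --with-secret --with-colons contact@dipohl.de | missing_secret_subkeys
echo "before: $(sample_before | missing_secret_subkeys)"
echo "after:  $(sample_after | missing_secret_subkeys)"
```

Any key ID it prints is a subkey that others can encrypt to but this keyring cannot decrypt with, which is the state that produced "decryption failed: No secret key" here.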
