Mailing List Archive

decrypt aes256 encrypted file without gpg-agent
Hello,

I have file encrypted with symmetric cipher (aes256) and not signed.

How can I decrypt it without using gpg agent ?

I get these errors:

$ gpg -d file.gpg
gpg: failed to start gpg agent
...
gpg: decryption failed: no secret key

as I said above, there is no secret key involved here. It is symmetric
and not signed.


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: decrypt aes256 encrypted file without gpg-agent
On 6/26/2020 at 4:54 AM, "Fourhundred Thecat" <400thecat@gmx.ch> wrote:
>
>Hello,
>
>I have file encrypted with symmetric cipher (aes256) and not
>signed.
>
>How can I decrypt it without using gpg agent ?
>
>I get these errors:
>
>$ gpg -d file.gpg
>gpg: failed to start gpg agent
>...
>gpg: decryption failed: no secret key

=====

Also can't get it without using agent.
Tried using option of --no-use-agent and gpg2 says 'obsolete option, has no effect'.
The option of --no-default-keyring doesn't help if the home directory is not open.

Agent will not start unless home directory is open ( my home directory is in an encrypted container)
Once the home directory is there (when I unencrypted mine), agent starts, and a pinentry window opens asking for the symmetric passphrase.

When I unencrypt the home directory, but not the keyring,
gpg will still decrypt when using the option of --no-default-keyring

(feature request: can GPG2 be made to work from only the command-line without a pinentry window, and without gpg-agent?)

TIA

vedaal


Re: decrypt aes256 encrypted file without gpg-agent
vedaal@nym.hush.com wrote:
> can GPG2 be made to work from only the command-line without a pinentry window

| '--pinentry-mode MODE'
| Set the pinentry mode to MODE. Allowed values for MODE are:
| ‹…›
| loopback
| Redirect Pinentry queries to the caller. Note that in
| contrast to Pinentry the user is not prompted again if he
| enters a bad password.
— (info "(gnupg) GPG Esoteric Options")
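The quoted manual entry describes what loopback mode does, not how to drive it. The script below is an added example, not code from GnuPG or from any poster, showing the minimal non-interactive invocation: the passphrase arrives on file descriptor 0 rather than as a command-line argument (arguments are visible to every local user in the process list), and both `--batch` and `--pinentry-mode loopback` are set because GnuPG 2.1 and later honour `--passphrase-fd` only with both. It assumes a `gpg` 2.1+ binary on PATH that is able to start gpg-agent; loopback only replaces the pinentry dialog, it does not remove the agent, which is the point Werner makes later in the thread.

```python
"""Non-interactive symmetric decryption through gpg-agent's loopback mode.

Added example; not code from GnuPG or from any poster. Assumes a `gpg`
binary (2.1 or later) on PATH that can start gpg-agent: loopback mode
replaces the pinentry dialog, it does not remove the agent.
"""
import shutil
import subprocess
from pathlib import Path


def loopback_decrypt_argv(infile, outfile):
    """Build the gpg command line for passphrase-on-stdin decryption.

    --batch and --pinentry-mode loopback are both required for
    --passphrase-fd to be honoured on GnuPG 2.1+. The passphrase travels
    over fd 0, never as an argument, so it never shows up in `ps` output.
    --no-symkey-cache stops the agent from caching it afterwards."""
    return ["gpg", "--batch", "--yes", "--quiet",
            "--pinentry-mode", "loopback",
            "--passphrase-fd", "0",
            "--no-symkey-cache",
            "--output", str(outfile),
            "--decrypt", str(infile)]


def decrypt_with_loopback(infile, outfile, passphrase):
    """Run gpg with the passphrase (bytes) fed on stdin.

    Returns (ok, stderr_text). A missing or unstartable gpg-agent surfaces
    in stderr here exactly as in the original report
    ("gpg: failed to start gpg agent")."""
    if shutil.which("gpg") is None:
        raise FileNotFoundError("gpg is not installed on this host")
    proc = subprocess.run(loopback_decrypt_argv(infile, outfile),
                          input=passphrase + b"\n",
                          capture_output=True, check=False)
    return proc.returncode == 0, proc.stderr.decode(errors="replace")


if __name__ == "__main__":
    import getpass
    import sys
    src = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("file.gpg")
    ok, err = decrypt_with_loopback(src, src.with_suffix(""),
                                    getpass.getpass("passphrase: ").encode())
    print("decrypted to %s" % src.with_suffix("") if ok else err)
```

Run it as `python3 loopback_decrypt.py file.gpg`; the plaintext lands next to the input with the `.gpg` suffix removed. As the manual excerpt warns, a wrong passphrase is not re-prompted in loopback mode: gpg simply fails, and the caller decides whether to retry.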
Re: decrypt aes256 encrypted file without gpg-agent
On Fri, 26 Jun 2020 09:33, Fourhundred Thecat said:

> How can I decrypt it without using gpg agent ?

You can't; the agent is a cornerstone of gpg and is thus required.


Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: decrypt aes256 encrypted file without gpg-agent
> On 2020-06-28 16:07, Werner Koch wrote:
> On Fri, 26 Jun 2020 09:33, Fourhundred Thecat said:
>
>> How can I decrypt it without using gpg agent ?
>
> You can't; the agent is a cornerstone of gpg and is thus required.

I thought the agent is for manipulating the private key.

But why do I need the agent, when no secret key is involved? I simply
want to decrypt a password-encrypted file. What possible useful role
would agent play?

Seems to me that this is a terrible design, that gpg is basically
unusable without agent. Why should I need some monstrosity running as
daemon, when I just want to decrypt file?

I remember a time when gpg was a simple, cleanly designed utility that
worked.

Imagine the maintainers of ls decided that ls would no longer work
unless ls-daemon is running.

What happened to this project?


Re: decrypt aes256 encrypted file without gpg-agent
On Freitag, 26. Juni 2020 09:33:15 CEST Fourhundred Thecat wrote:
> I have file encrypted with symmetric cipher (aes256) and not signed.
>
> How can I decrypt it without using gpg agent ?

Use openssl. Or another simple program offering symmetric encryption/
decryption with AES.

GnuPG is a tool for public key encryption. The fact that it can also be used
for symmetric encryption doesn't mean that it's the best tool for symmetric
encryption. You want to decrypt files without using gpg-agent? Then don't use
gpg.

Regards,
Ingo
Re: decrypt aes256 encrypted file without gpg-agent
> I thought the agent is for manipulating the private key.

It's also responsible for calling pinentry, which is how GnuPG receives
passphrases. It's a pluggable component: on Windows you get a Windows
pinentry that uses a Windows look and feel, on KDE you get a Qt one that
looks like a KDE app, on GNOME you get a GTK one that looks like a GNOME
app, and so on.

GnuPG sees the symmetrically encrypted message and knows it needs to
recover/derive a key. It calls gpg-agent, which in turn calls pinentry.

> But why do I need the agent, when no secret key is involved? I simply
> want to decrypt a password-encrypted file. What possible useful role
> would agent play?
>
> Seems to me that this is a terrible design...

Let's be clear: you're passing judgment on a design without first
learning what the design is.

> I remember a time when gpg was a simple, cleanly designed utility that
> worked.

GnuPG adopted gpg-agent in large part to clean up GnuPG's design. GnuPG
was introduced in GnuPG 1.9.0, released in August *2003*.

You've ignored GnuPG development for so long you're surprised by a
change introduced seventeen years ago. That's on you.
Re: decrypt aes256 encrypted file without gpg-agent
Ingo Klöcker wrote:

> On Freitag, 26. Juni 2020 09:33:15 CEST Fourhundred Thecat wrote:
> > I have file encrypted with symmetric cipher (aes256) and not signed.
> >
> > How can I decrypt it without using gpg agent ?
>
> Use openssl. Or another simple program offering symmetric encryption/
> decryption with AES.

Well, the OP could use sequoia pgp, to decrypt his file(s) ...

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: decrypt aes256 encrypted file without gpg-agent
> On 2020-06-28 22:24, Robert J. Hansen wrote:
>> I remember a time when gpg was a simple, cleanly designed utility that
>> worked.
>
> GnuPG adopted gpg-agent in large part to clean up GnuPG's design. GnuPG
> was introduced in GnuPG 1.9.0, released in August *2003*.
>
> You've ignored GnuPG development for so long you're surprised by a
> change introduced seventeen years ago. That's on you.

Excuse me, gpg-agent might have been introduced in 2003, but it was
optional. Until not long ago, it was still possible to decrypt a file with
a password without having the agent.

Also, I would like to add, I am not protesting the existence of the
agent. I actually use it on my desktop/gui. I am protesting the fact,
that gpg can no longer be used without the agent.

Re: decrypt aes256 encrypted file without gpg-agent
> On 2020-06-28 21:47, Ingo Klöcker wrote:
> On Freitag, 26. Juni 2020 09:33:15 CEST Fourhundred Thecat wrote:
>> I have file encrypted with symmetric cipher (aes256) and not signed.
>>
>> How can I decrypt it without using gpg agent ?
>
> Use openssl. Or another simple program offering symmetric encryption/
> decryption with AES.

How can I use openssl to decrypt a file that has been encrypted with
gpg (symmetrically, aes256)?

Can openssl read the gpg format/header?
Can openssl decrypt a gpg file?

thanks,


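Nobody in the thread answers the format question directly, so here is an added illustration (not code from GnuPG, OpenSSL or any poster) of what openssl would be up against. A `gpg --symmetric` file is an OpenPGP message (RFC 4880): a Symmetric-Key Encrypted Session Key packet (tag 3) carrying the cipher id, a string-to-key (S2K) specifier, a salt and an iteration count, followed by the encrypted data packet. The parser below handles both old- and new-format packet headers (slightly more general than the one file the OP has) and implements the iterated-and-salted S2K derivation, which is the step plain `openssl enc` does not know: the AES key is not the passphrase, it is a hash of salt plus passphrase stretched over `count` octets. The `SAMPLE` bytes are constructed by hand (AES-256, SHA-256, an arbitrary salt and the coded count 0xff) and the trailing ciphertext is a placeholder, so `SAMPLE` itself cannot be decrypted.

```python
"""Inspect the header of a gpg --symmetric file (OpenPGP, RFC 4880).

Added illustration, not code from the GnuPG project. SAMPLE is constructed
by hand; only the SKESK header is meaningful, the ciphertext is a stub.
"""
import hashlib

# OpenPGP symmetric algorithm ids -> (name, key length in bytes); RFC 4880 9.2
CIPHERS = {2: ("3DES", 24), 3: ("CAST5", 16), 4: ("Blowfish", 16),
           7: ("AES128", 16), 8: ("AES192", 24), 9: ("AES256", 32),
           10: ("Twofish", 32)}
# OpenPGP hash ids -> hashlib names; RFC 4880 9.4
HASHES = {1: "md5", 2: "sha1", 3: "ripemd160", 8: "sha256", 9: "sha384",
          10: "sha512", 11: "sha224"}
S2K_TYPES = {0: "simple", 1: "salted", 3: "iterated-salted"}


def parse_packets(data):
    """Split an OpenPGP message into (tag, body) pairs; old and new headers."""
    packets, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % pos)
        if ctb & 0x40:                               # new-format header
            tag, pos = ctb & 0x3F, pos + 1
            first = data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length = ((first - 192) << 8) + data[pos + 1] + 192
                pos += 2
            elif first == 255:
                length = int.from_bytes(data[pos + 1:pos + 5], "big")
                pos += 5
            else:
                raise NotImplementedError("partial body lengths not handled")
        else:                                        # old-format header
            tag, ltype, pos = (ctb >> 2) & 0x0F, ctb & 0x03, pos + 1
            if ltype == 3:
                length = len(data) - pos             # indeterminate length
            else:
                size = 1 << ltype                    # 1, 2 or 4 length octets
                length = int.from_bytes(data[pos:pos + size], "big")
                pos += size
        packets.append((tag, data[pos:pos + length]))
        pos += length
    return packets


def decode_s2k_count(coded):
    """RFC 4880 3.7.1.3: one byte encodes how many octets get hashed."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def parse_skesk(body):
    """Decode a v4 Symmetric-Key Encrypted Session Key packet (tag 3)."""
    version, cipher_id, s2k_type = body[0], body[1], body[2]
    if version != 4 or s2k_type != 3:
        raise ValueError("only v4 SKESK with iterated+salted S2K handled here")
    name, key_len = CIPHERS[cipher_id]
    salt, coded = body[4:12], body[12]
    return {"version": version, "cipher": name, "key_len": key_len,
            "s2k": S2K_TYPES[s2k_type], "hash": HASHES[body[3]],
            "salt": salt, "coded_count": coded,
            "count": decode_s2k_count(coded),
            # bytes after offset 13 would be a session key encrypted under the
            # S2K-derived key; when absent, the S2K output IS the session key
            "encrypted_session_key": body[13:] or None}


def s2k_iterated_salted(passphrase, salt, coded_count, hash_name, key_len):
    """Iterated+salted S2K: hash `count` octets of salt||passphrase, repeated.

    `count` is a minimum: if salt||passphrase is longer, it is hashed once.
    Keys longer than one digest use extra contexts preloaded with zero bytes."""
    data = salt + passphrase
    count = max(decode_s2k_count(coded_count), len(data))
    digest_len = hashlib.new(hash_name).digest_size
    block = data * max(1, 65536 // len(data))       # feed big chunks for speed
    out = b""
    for ctx in range((key_len + digest_len - 1) // digest_len):
        h = hashlib.new(hash_name)
        h.update(b"\x00" * ctx)
        remaining = count
        while remaining > 0:
            chunk = block[:remaining]                # last repetition is cut short
            h.update(chunk)
            remaining -= len(chunk)
        out += h.digest()
    return out[:key_len]


# Constructed sample: an SKESK packet followed by a stub SEIPD packet.
SAMPLE = bytes.fromhex(
    "8c0d"              # old-format header: tag 3 (SKESK), 1-byte length 13
    "04"                # SKESK version 4
    "09"                # cipher 9 = AES-256
    "03"                # S2K type 3 = iterated and salted
    "08"                # hash 8 = SHA-256
    "0123456789abcdef"  # 8-byte salt (constructed)
    "ff"                # coded count 0xff -> 65,011,712 octets hashed
    "d207"              # new-format header: tag 18 (SEIPD), length 7
    "01"                # SEIPD version 1
    "deadbeefcafe"      # placeholder ciphertext, constructed, not decryptable
)


def inspect_symmetric_header(data):
    """Return the decoded SKESK of a symmetrically encrypted gpg message."""
    skesk = next(body for tag, body in parse_packets(data) if tag == 3)
    return parse_skesk(skesk)


if __name__ == "__main__":
    info = inspect_symmetric_header(SAMPLE)
    for k, v in info.items():
        print("%-22s %s" % (k, v.hex() if isinstance(v, bytes) else v))
    key = s2k_iterated_salted(b"constructed passphrase", info["salt"],
                              info["coded_count"], info["hash"], info["key_len"])
    print("%-22s %s" % ("derived AES key", key.hex()))
```

Point the script at a real file with `SAMPLE = open("file.gpg", "rb").read()` and it prints the cipher, hash, salt and stretched count gpg chose. The count in particular is what Werner's reply refers to: gpg-agent calibrates it per machine, so it is not a constant openssl could be told on the command line. Even with the key derived, the data packet is CFB mode with OpenPGP's resync quirk and an MDC trailer, which is why a second OpenPGP implementation such as Sequoia, mentioned later in the thread, is the realistic alternative rather than openssl.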
Re: decrypt aes256 encrypted file without gpg-agent
> Excuse me, gpg-agent might have been introduced in 2003, but it was
> optional. Until not long ago, it was still possible to decrypt a file with
> a password without having the agent.

If you were using GnuPG 1.4, yes. GnuPG 2.0 and later have always used
gpg-agent.

If you want a gpg-agent free version of GnuPG, use version 1.4.

Re: decrypt aes256 encrypted file without gpg-agent
On Sun, 28 Jun 2020 16:24, Robert J. Hansen said:

> GnuPG sees the symmetrically encrypted message and knows it needs to
> recover/derive a key. It calls gpg-agent, which in turn calls pinentry.

In addition, gpg-agent also takes care of caching passphrases, which makes
even symmetric encryption more convenient. It is also used to
figure out a suitable number of hash iterations to make new symmetric
passphrase encryption stronger - this can't be done by a plain command
line tool.

In theory it is possible to pass a set of options to avoid the use of
gpg-agent for plain symmetric encryption, but as soon as any public key
is used as an alternative to the symmetric encryption the agent is
required to check whether a private key exists. From engineering and
security POVs it does not make sense to special-case very rare use
cases.


Salam-Shalom,

Werner


--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: decrypt aes256 encrypted file without gpg-agent
Fourhundred Thecat <400thecat@gmx.ch> wrote:
> I am protesting the fact, that gpg can no longer be used without the agent.

Yet you have not described the reason behind it so far, have you? Why are you sure that the issue that makes gpg-agent fail to start in your case is hard to resolve?
Re: decrypt aes256 encrypted file without gpg-agent
> On 2020-06-29 14:42, Dmitry Alexandrov wrote:
> Fourhundred Thecat <400thecat@gmx.ch> wrote:
>> I am protesting the fact, that gpg can no longer be used without the agent.
>
> Yet you have not described the reason behind it so far, have you? Why are you sure that the issue that makes gpg-agent fail to start in your case is hard to resolve?

I don't have gpg-agent installed, on this particular server, where I
need to decrypt one file.

Re: decrypt aes256 encrypted file without gpg-agent
On 6/29/2020 at 12:40 PM, "Fourhundred Thecat" <400thecat@gmx.ch> wrote:

>I don't have gpg-agent installed, on this particular server, where
>I
>need to decrypt one file.

=====
Try this very long workaround:

[1] Install a fake homedirectory
[2] Install a fake keyring (1 public and secret key that you never use)

Then try this command:

gpg --agent-program --no-use-agent --passphrase yourpassphrasestring --decrypt filename

This is a way of making the --no-use-agent option active.
GnuPG still needs a homedirectory and a keyring before trying to use the passphrase to decrypt

(n.b. I have not actually tried the above, so am unsure if it is effective)

Otherwise, just use GnuPG 1.4.x, and unless you ever need an elliptic key, it should do everything you want.

vedaal



Re: decrypt aes256 encrypted file without gpg-agent
* Fourhundred Thecat:

> I am protesting the fact, that gpg can no longer be used without the
> agent.

Whining about a design detail of free software? Get a grip.

-Ralph

Re: decrypt aes256 encrypted file without gpg-agent
On Mon, 29 Jun 2020 13:07, vedaal said:

> Otherwise, just use GnuPG 1.4.x, and unless you ever need an

Do not use 1.4 unless you have to decrypt old non-MDC protected data or
data encrypted to a legacy v3 key.


Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: decrypt aes256 encrypted file without gpg-agent
On 29/06/2020 18:38, Fourhundred Thecat wrote:
> I don't have gpg-agent installed, on this particular server, where I
> need to decrypt one file.

You could try installing sequoia-pgp[1], an alternative but also libre
OpenPGP implementation (still in its infancy). It requires a Rust build
environment to compile.

Or just bite the bullet and install gpg-agent. If you also need
unattended decryption, there are ways to programmatically pass the
passphrase to it. Although many people make security theater of their
unattended decryption methods, it requires thought to design unattended
decryption that isn't trivial to bypass once the attacker has read
access to storage, or perhaps some other form of access that is
definitely within scope of your threat model.

HTH,

Peter.

[1] https://gitlab.com/sequoia-pgp/sequoia

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
Re: decrypt aes256 encrypted file without gpg-agent
Fourhundred Thecat <400thecat@gmx.ch> wrote:
>> On 2020-06-29 14:42, Dmitry Alexandrov wrote:
>> Fourhundred Thecat <400thecat@gmx.ch> wrote:
>>> I am protesting the fact, that gpg can no longer be used without the agent.
>>
>> Yet you have not described the reason behind it so far, have you? Why are you sure that the issue that makes gpg-agent fail to start in your case is hard to resolve?
>
> I don't have gpg-agent installed, on this particular server, where I need to decrypt one file.

Ah, so it's in fact very easy to resolve — just install gpg-agent. :-)
Re: decrypt aes256 encrypted file without gpg-agent
On 29-06-2020 19:40, Werner Koch via Gnupg-users wrote:

> Do not use 1.4 unless you have to decrypt old non-MDC protected data or
> data encrypted to a legacy v3 key.

Do not break backwards compatibility if you want all people to upgrade.

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
Re: decrypt aes256 encrypted file without gpg-agent
Werner Koch via Gnupg-users wrote:

> On Mon, 29 Jun 2020 13:07, vedaal said:
>
> > Otherwise, just use GnuPG 1.4.x, and unless you ever need an
>
> Do not use 1.4 unless you have to decrypt old non-MDC protected data or
> data encrypted to a legacy v3 key.
>
> Shalom-Salam,
>
> Werner

Sadly, there are other reasons that make it seem (to me)
as though I still need 1.4. :-(

I assume the answer must be no, but is there any chance
that --pinentry-mode loopback could be made to prompt
again when the wrong passphrase is entered? If it did
that, I'd be happy to stop using 1.4 on my mac laptop.

Alternatively, is there a pinentry program that works
inside vim and all/most variants of gvim (at least
X11/motif and MacVim)? Preferably available via
macports, but not necessarily.

I can't seem to find one. I've tried pinentry-curses
and pinentry-tty on debian-10 with gpg-2.2.12 but
neither prompt for the passphrase when invoked inside
vim or gvim, and the file is not decrypted.

Hopefully, I'm just ignorant and there is a solution
to my ergonomic issues (other than using loopback
and typing long passphrases very slowly and carefully).

cheers,
raf


Re: decrypt aes256 encrypted file without gpg-agent
> On 2020-06-29 19:16, Ralph Seichter via Gnupg-users wrote:
>
>> I am protesting the fact, that gpg can no longer be used without the
>> agent.
>
> Whining about a design detail of free software? Get a grip.

There are more examples of bad design.

In fact, gpg epitomizes a perfect anti-UNIX design. (See Eric S. Raymond
for details on what the UNIX philosophy means.)

For instance, even for basic operations (encrypt, decrypt), where no
modifications to my key pair are necessary, gpg still requires my
~/.gnupg/ to be writable (it cannot be on a read-only filesystem).

That is another example of hard-requiring something that it does not
need (same as the agent for symmetric decryption).

gpg is considered a core component of linux and other systems. This is
not some solitaire gui app that I can choose to ignore.

That is why I am giving here my honest feedback.

I believe this project is going in the wrong direction, and bad design
decisions are being made.



Re: decrypt aes256 encrypted file without gpg-agent
> In fact, gpg epitomizes a perfect anti-UNIX design. (See Eric S. Raymond
> for details on what the UNIX philosophy means.)

Mmmhmm.

> For instance, even for basic operations (encrypt, decrypt), where no
> modifications to my key pair are necessary, gpg still requires my
> ~/.gnupg/ to be writable (it cannot be on a read-only filesystem).

Again, you're criticizing a design before learning why that design is
the way it is.

> That is another example of hard-requiring something that it does not
> need (same as the agent for symmetric decryption).

You don't understand the design, which means you don't know what the
system needs and/or doesn't need. You're not displaying judgment here,
you're displaying prejudice.

> That is why I am giving here my honest feedback.

You are of course welcome to give what feedback you like. I
respectfully suggest that if you start by learning why these various
tradeoffs were made, it will allow you to make better criticisms that
will be taken more seriously by the development team.
Re: decrypt aes256 encrypted file without gpg-agent
* Fourhundred Thecat:

>> Whining about a design detail of free software? Get a grip.
>
> There are more examples of bad design.

Are there now? GnuPG is software that has evolved since its introduction
in 1997. Can you show me any meaningful software of yours that has been
evolving over 23 years and has what you consider "good design"? It
should be interesting.

> In fact, gpg epitomizes a perfect anti-UNIX design. (See Eric
> S. Raymond for details on what the UNIX philosophy means.)

Ha, now you're trying to teach your grandma to suck eggs. ;-) Besides,
quoting ESR is a somewhat risky business. He said and wrote a lot over
the decades, much of which I consider nonsense.

> I believe this project is going in the wrong direction, and bad design
> decisions are being made.

What insight do you have in the design and development of GnuPG; in its
goals and restrictions? There is a difference between you not liking
something for a personal reason, and objectively "bad design". You are
entitled to your opinion of course, but unless you can demonstrate the
skills to come up with a better design for free software that offers the
same functionality as GnuPG, that opinion does not mean so much.

-Ralph

Re: decrypt aes256 encrypted file without gpg-agent
> On 2020-06-30 08:55, Ralph Seichter via Gnupg-users wrote:
> * Fourhundred Thecat:
>>
> What insight do you have in the design and development of GnuPG; in its
> goals and restrictions? There is a difference between you not liking
> something for a personal reason, and objectively "bad design". You are
> entitled to your opinion of course, but unless you can demonstrate the
> skills to come up with a better design for free software that offers the
> same functionality as GnuPG, that opinion does not mean so much.

I am basing my judgment on universal principles, that apply not only to
gpg or other software, but design of any systems in general.

One such principle is having distinct modes of operation for:

1) maintenance (read/write operations)
2) general use (read-only operations)

In case of gpg, there is one mode where you generate your key pair,
change configuration files, or any other read-write operation.

But for general usage, there is no reason for the key pair to need to be
writable.

Take a car, as an analogy:

Imagine what a mess it would be, if you tried to design a car where the
engine can be replaced while you are driving. I have no experience
designing cars, but that does not prevent me from seeing this would be
bad design specification. Maintenance and usage are two different modes,
and should not be mixed.

