
Why is there no secret key?
ayoub@vboxpwfl:~/testdir$ ls
textfile

ayoub@vboxpwfl:~/testdir$ gpg -r develop1 -e textfile
ayoub@vboxpwfl:~/testdir$ ls
textfile  textfile.gpg

ayoub@vboxpwfl:~/testdir$ gpg -u develop1 -o textfile.dcr -d textfile.gpg
gpg: encrypted with 256-bit ECDH key, ID 367BD2210D4E904D, created 2020-07-09
      "develop1"
gpg: public key decryption failed: End of file
gpg: decryption failed: No secret key

ayoub@vboxpwfl:~/testdir$ gpg --list-secret-keys
/home/ayoub/.gnupg/pubring.kbx
------------------------------
sec   ed25519 2020-07-09 [SC] [expired: 2020-07-19]
      3C5B212A55B966881E2D2718A45398B520BEE91E
uid           [ expired] sentry

sec   ed25519 2020-07-09 [SC] [expires: 2021-07-09]
      7A675D7F52BC905C22F8249091556BC29D4C595E
uid           [ultimate] develop1
ssb   cv25519 2020-07-09 [E] [expires: 2021-07-09]

ayoub@vboxpwfl:~/testdir$


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why is there no secret key?
On 20/07/2020 20:25, Ayoub Misherghi via Gnupg-users wrote:
> gpg: decryption failed: No secret key

Are your gpg.conf and gpg-agent.conf (or let's just say any .conf-file
in your GnuPG home, ~/.gnupg) empty? Do you get a pinentry popup asking
for a passphrase?

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
Re: Why is there no secret key?
I am not asked for a passphrase.

The following lines show you what I have in the ".conf-file":

###############################################
###############################################
#
# Lines uncommented in $HOME/.gnupg/gpg-agent.conf
log-file $HOME/gpg-log.txt
# The same thing happens when I comment this line out
allow-loopback-pinentry

batch

###############################################
###############################################
# Lines uncommented in $HOME/.gnupg/gpg.conf

batch
require-secmem
no-greeting


Ayoub

On 7/26/2020 2:49 AM, Peter Lebbing wrote:
> On 20/07/2020 20:25, Ayoub Misherghi via Gnupg-users wrote:
>> gpg: decryption failed: No secret key
> Are your gpg.conf and gpg-agent.conf (or let's just say any .conf-file
> in your GnuPG home, ~/.gnupg) empty? Do you get a pinentry popup asking
> for a passphrase?
>
> Peter.
>

Re: Why is there no secret key?
On Sun, 26 Jul 2020 13:25, Ayoub Misherghi said:
> I am not asked for a passphrase.

Right; that is because:

> # Lines uncommented in $HOME/.gnupg/gpg-agent.conf
> log-file $HOME/gpg-log.txt
> # The same thing happens when I comment this line out
> allow-loopback-pinentry
>
> batch

of the "batch" option. This option should in general not be used for
gpg-agent.

> # Lines uncommented in $HOME/.gnupg/gpg.conf
>
> batch

Do not put this option into the conf file. All kinds of stuff won't
work; --batch is used case-by-case on the command line.


Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: Why is there no secret key?
On 27/07/2020 11:17, Werner Koch wrote:
> of the "batch" option. This option should in general not be used for
> gpg-agent.

Which, by the way, is documented well in the man page gpg-agent(1):

--batch
Don't invoke a pinentry or do any other thing requiring human
interaction

Cheers,

Peter.

Re: Why is there no secret key?
The same thing happens when I give the option --no-batch on the command
line.

The problem seems to have gone away when I moved the config option

pinentry-mode loopback

to the $HOME/.gnupg/gpg.conf from the $HOME/.gnupg/gpg-agent.conf

In the final version when development ends, I am going to have
"no-batch" in the config because the final version works
non-interactively (and through the API.) That is why I have it in the
config now.

Thanks guys,

Ayoub




Re: Why is there no secret key?
On 27/07/2020 20:56, Ayoub Misherghi wrote:
> The same thing happens when I give the option --no-batch on the
> command line.

But that only passes --no-batch to gpg, not to gpg-agent. Werner said
you shouldn't put these options in your .conf-files. Please just include
--batch on the command line with the actual batch commands.

> The problem seems to have gone away when I moved the config option
> pinentry-mode loopback
>
> to the $HOME/.gnupg/gpg.conf from the $HOME/.gnupg/gpg-agent.conf

--pinentry-mode is a gpg option, not a gpg-agent option. The
loopback-related option to gpg-agent is --allow-loopback-pinentry.

> In the final version when development ends, I am going to have
> "no-batch" in the config because the final version works
>
> non-interactively (and through the API.) That is why I have it in the
> config now.

Please just include --batch (I assume you mistyped when you wrote
--no-batch) on the command line with the actual batch commands.

Not sure what you mean by through the API.

HTH,

Peter.

Re: Why is there no secret key?
With API I mean something like GPGME.

This is what came across to me:

1) It is preferable to have "--batch" on the command line even in unattended
operation, and not in the gpg.conf file?

2) --pinentry-mode when needed goes in gpg.conf

3) --allow-loopback-pinentry when needed goes in gpg-agent.conf

New related question:

Is it true that command line parameters only go to gpg and gpg-agent?

Ayoub


Re: Why is there no secret key?
On 27/07/2020 22:53, Ayoub Misherghi wrote:
> With API I mean something like GPGME.

It seems to me that including options in gpg.conf that GPGME does not
expect people to put there might throw it out of whack.

> 1) It is preferable to have "--batch" on command line even in
> unattended operation; and not in the gpg.conf file?

Precisely when you do unattended operation should you have it on the
command line. And it should not be in your gpg.conf.

Why do you say "_even_ in unattended operation"?

> 2) --pinentry-mode when needed goes in gpg.conf

No, it makes more sense to specify this on the command line in the
instances you actually need this. However, I explained two methods[1] of
seeding the passphrase, neither of which uses --pinentry-mode.
--pinentry-mode is a great way to shoot oneself in the foot
security-wise.

> 3) --allow-loopback-pinentry when needed goes in gpg-agent.conf

It's already the default, if you want to disallow it you would specify
--no-allow-loopback-pinentry.

Please see the man page.

> Is it true that command line parameters only go to gpg and gpg-agent?

I don't really understand the question.

Usually, you only specify command line parameters to gpg. gpg might
launch a gpg-agent, or connect to an already running instance. There
are gpg command line parameters that influence the command line used to
launch gpg-agent, but in general, gpg's parameters do not propagate to
gpg-agent.

They each have their own set of parameters, documented in the man pages
gpg(1) and gpg-agent(1) respectively. GnuPG consists of more binaries,
but those two are the major ones.

HTH,

Peter.

[1] https://lists.gnupg.org/pipermail/gnupg-users/2020-July/063825.html

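As an added example that is not part of this thread and is not GnuPG's own tooling: a small POSIX shell audit that applies the placement rules given in the replies above (no "batch" in either conf file, "pinentry-mode" not in gpg-agent.conf and only on the command line where needed, "allow-loopback-pinentry" a gpg-agent option rather than a gpg option) to a gpg.conf / gpg-agent.conf pair. The file names, the rule list and the sample files it writes are assumptions made for the example; the "bad" pair mirrors the configuration posted earlier in the thread.

```sh
#!/bin/sh
# Added example, not from the thread and not GnuPG's own tooling: audit a
# gpg.conf / gpg-agent.conf pair for options that, per the replies above,
# belong on the command line or in the other file. File names and the rule
# list are assumptions made for this example.

# Print the option names of a GnuPG-style config file: comments ('#' to end
# of line) and blank lines are dropped and only the first word of each
# remaining line is kept, so "log-file /tmp/x" yields "log-file".
conf_options() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' "$1" | awk 'NF { print $1 }'
}

# audit_gnupg_conf GPG_CONF AGENT_CONF
# Prints one line per misplaced option; returns 1 if any were found, 0 if clean.
audit_gnupg_conf() {
    gpg_conf=$1
    agent_conf=$2
    findings=0
    for opt in $(conf_options "$gpg_conf"); do
        case "$opt" in
            batch|no-batch)
                echo "$gpg_conf: '$opt' belongs on the gpg command line of each unattended invocation"
                findings=$((findings + 1)) ;;
            pinentry-mode)
                echo "$gpg_conf: 'pinentry-mode' should only be passed on the command line where needed"
                findings=$((findings + 1)) ;;
            allow-loopback-pinentry|no-allow-loopback-pinentry)
                echo "$gpg_conf: '$opt' is a gpg-agent option, not a gpg option"
                findings=$((findings + 1)) ;;
        esac
    done
    for opt in $(conf_options "$agent_conf"); do
        case "$opt" in
            batch)
                echo "$agent_conf: 'batch' stops gpg-agent from ever invoking pinentry; do not use it here"
                findings=$((findings + 1)) ;;
            pinentry-mode)
                echo "$agent_conf: 'pinentry-mode' is a gpg option, not a gpg-agent option"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Write constructed sample files into directory $1: a "bad" pair mirroring
# the configuration shown in the thread and a "good" pair with those options
# removed (allow-loopback-pinentry is the default, so it is not needed).
write_samples() {
    cat > "$1/bad-gpg.conf" <<'EOF'
# Lines uncommented in $HOME/.gnupg/gpg.conf
batch
require-secmem
no-greeting
EOF
    cat > "$1/bad-gpg-agent.conf" <<'EOF'
log-file $HOME/gpg-log.txt
allow-loopback-pinentry
batch
EOF
    cat > "$1/good-gpg.conf" <<'EOF'
require-secmem
no-greeting
EOF
    cat > "$1/good-gpg-agent.conf" <<'EOF'
log-file $HOME/gpg-log.txt
EOF
}

# Run the audit over both sample pairs; returns 0 only when the bad pair is
# flagged and the good pair passes.
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    bad=0
    good=0
    audit_gnupg_conf "$dir/bad-gpg.conf" "$dir/bad-gpg-agent.conf" || bad=$?
    audit_gnupg_conf "$dir/good-gpg.conf" "$dir/good-gpg-agent.conf" || good=$?
    rm -rf "$dir"
    [ "$bad" -ne 0 ] && [ "$good" -eq 0 ]
}

if demo; then
    echo "audit: misplaced options flagged in the bad pair, good pair is clean"
fi
```

On the posted configuration the audit reports two findings, "batch" in gpg.conf and "batch" in gpg-agent.conf, which is exactly the pair of lines that made gpg-agent refuse to invoke pinentry and gpg report "No secret key"; to check a real home directory, call audit_gnupg_conf on ~/.gnupg/gpg.conf and ~/.gnupg/gpg-agent.conf instead of the constructed samples.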