GPG Keychain: GPG Tools no longer works with hiera - how to narrow down the problem?

Martin Gladdish's Avatar

Martin Gladdish

18 Jan, 2018 02:33 PM

Sorry, I don't know whether this is actually a GPG Tools problem or a hiera problem, but I also don't know how to narrow it down further and wondering whether I might get some help here.

We've been using GPG Tools on OS X with hiera-eyaml and hiera-eyaml-gpg for well over a year and it's been working perfectly.

That is, until I tried to encrypt our files again yesterday, when it just broke. I've not changed any versions of anything, not changed the recipients file, nothing. My two colleagues with the same setup have the same problem, too. The last time we used the tool was Nov 30th, when it worked fine.

The error I get from eyaml is

[hiera-eyaml-core] No key found on keyring for 7C8EA11F8C223C12A406122A8D1534C20100F74A # [email blocked]

But I do have that key in GPG Keychain, for that address, with that fingerprint.

I'm running High Sierra, one of my colleagues is running just Sierra, and we have the same problem. I suspect, but don't have any evidence, that the one thing we have in common is we've applied the Meltdown patch to OS X.

This error happened when I was running GPG Tools 1.4. I upgraded to 1.4.1, then to yesterday's nightly build, and they all have the same problem.

Has anyone encountered anything similar, or can help with next steps that I can take to narrow down where my problem is?

Many thanks.

Encrypting and decrypting to just continue working as it used to

macOS                   10.13.2     17C205
GPG Suite               2017.3      2090n   (9658b70)
GPGMail                 3.0         1270n   (4060831)
GPG Keychain            1.4.2       1408n   (2e097c4)
GPGServices             1.11.2      972n    (c0766ee)
MacGPG                  2.2.4       901n    (bd8150b)
GPG Suite Preferences   2.1.1       995n    (05eb1a6)
Libmacgpg               0.8.2       828n    (943132e)
pinentry                1.1.1       26n     (74d8675)
  1. Support Staff 1 Posted by Luke Le on 18 Jan, 2018 03:00 PM

    Luke Le's Avatar

    Hi Martin,

    thank you for your report and the debug log.
    Your key setup looks fine, so this is probably related to something else. With 2017.1 we have upgraded GnuPG to the back then new version 2.2 which brought a lot of changes and might in some cases have broken compatibility with existing tools.
    Is there any chance to have Hiera provide some debug output?

  2. 2 Posted by Martin Gladdish on 18 Jan, 2018 03:11 PM

    Martin Gladdish's Avatar

    I’m struggling to understand how it could be “just” a problem with an upgrade of GnuPG - this used to work fine *with the same version of GPGTools*. We know we haven’t changed the version of hiera, either.

    Here’s as much debug info as it gives me:

    With this command:
    bundle exec eyaml encrypt \
        -v \
        -f "$file" \
        -n gpg \
        --gpg-recipients-file recipients.rcp \
        --gpg-always-trust \
        --output string \
    | tr -d '\n’ \

    We get this output:

    [2018-01-18T 15:04:28+0000Z] (encrypt-all): Encrypting credentials...
    [gpg] GNUPGHOME is /Users/martingladdish/.gnupg
    [gpg] Using --recipients-file option
    [gpg] Recipents are ["7C8EA11F8C223C12A406122A8D1534C20100F74A # [email blocked]", —-more recipients redacted--]
    [hiera-eyaml-core] No key found on keyring for 7C8EA11F8C223C12A406122A8D1534C20100F74A # [email blocked]
    [hiera-eyaml-core] /Library/Ruby/Gems/2.3.0/gems/hiera-eyaml-gpg-0.6/lib/hiera/backend/eyaml/encryptors/gpg.rb:137:in `block in encrypt'
                       /Library/Ruby/Gems/2.3.0/gems/hiera-eyaml-gpg-0.6/lib/hiera/backend/eyaml/encryptors/gpg.rb:134:in `map'
                       /Library/Ruby/Gems/2.3.0/gems/hiera-eyaml-gpg-0.6/lib/hiera/backend/eyaml/encryptors/gpg.rb:134:in `encrypt'
                       /Library/Ruby/Gems/2.3.0/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/subcommands/encrypt.rb:80:in `execute'
                       /Library/Ruby/Gems/2.3.0/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/CLI.rb:46:in `execute'
                       /Library/Ruby/Gems/2.3.0/gems/hiera-eyaml-2.1.0/bin/eyaml:21:in `<top (required)>'
                       /usr/local/bin/eyaml:22:in `load'
                       /usr/local/bin/eyaml:22:in `<top (required)>'
                       /Library/Ruby/Gems/2.3.0/gems/bundler-1.16.0/lib/bundler/cli/exec.rb:75:in `load'
                       /Library/Ruby/Gems/2.3.0/gems/bundler-1.16.0/lib/bundler/cli/exec.rb:75:in `kernel_load'
                       /Library/Ruby/Gems/2.3.0/gems/bundler-1.16.0/lib/bundler/cli/exec.rb:28:in `run'
                       /Library/Ruby/Gems/2.3.0/gems/bundler-1.16.0/lib/bundler/cli.rb:424:in `exec'
                       /Library/Ruby/Gems/2.3.0/gems/bundler-1.16.0/lib/bundler/vendor/thor/lib/thor/command.rb:27:in `run'
                       /Library/Ruby/Gems/2.3.0/gems/bundler-1.16.0/lib/bundler/vendor/thor/lib/thor/invocation.rb:126:in `invoke_command'
                       /Library/Ruby/Gems/2.3.0/gems/bundler-1.16.0/lib/bundler/vendor/thor/lib/thor.rb:387:in `dispatch'
                       /Library/Ruby/Gems/2.3.0/gems/bundler-1.16.0/lib/bundler/cli.rb:27:in `dispatch'
                       /Library/Ruby/Gems/2.3.0/gems/bundler-1.16.0/lib/bundler/vendor/thor/lib/thor/base.rb:466:in `start'
                       /Library/Ruby/Gems/2.3.0/gems/bundler-1.16.0/lib/bundler/cli.rb:18:in `start'
                       /Library/Ruby/Gems/2.3.0/gems/bundler-1.16.0/exe/bundle:30:in `block in <top (required)>'
                       /Library/Ruby/Gems/2.3.0/gems/bundler-1.16.0/lib/bundler/friendly_errors.rb:122:in `with_friendly_errors'
                       /Library/Ruby/Gems/2.3.0/gems/bundler-1.16.0/exe/bundle:22:in `<top (required)>'
                       /usr/local/bin/bundle:22:in `load'
                       /usr/local/bin/bundle:22:in `<main>’

  3. Support Staff 3 Posted by Luke Le on 18 Jan, 2018 03:15 PM

    Luke Le's Avatar

    Thanks for the debug output. What strikes me as odd is that hiera mentions it can't find a key for "7C8EA11F8C223C12A406122A8D1534C20100F74A # [email blocked]". This looks like a parsing error (or it might be by design that not only the fingerprint is printed but also the email address and a # sign)
    You mentioned that you last used the tool on Nov 30. 2017.3 was released on December 22nd, so GPG Suite must have been upgraded in the meantime.

    I'm trying to have a look at hiera's source code.

  4. Support Staff 4 Posted by Luke Le on 18 Jan, 2018 03:19 PM

    Luke Le's Avatar

    Would you mind attaching the recipients-file to this discussion?

  5. 5 Posted by Martin Gladdish on 18 Jan, 2018 03:20 PM

    Martin Gladdish's Avatar

    My old laptop is still running GPG Suite 2017.1 and it also has the same problem.

  6. 6 Posted by Martin Gladdish on 18 Jan, 2018 03:25 PM

    Martin Gladdish's Avatar

    recipients file attached (zipped to make tenderapp happy). We know this file hasn't changed since August 2017.

  7. Support Staff 7 Posted by Luke Le on 18 Jan, 2018 03:31 PM

    Luke Le's Avatar

    Ok, I understand now what is going on I believe.
    The upgrade to GnuPG 2.2 (which is included in GPG Suite since GPG Suite 2017.1) has unfortunately changed the way GnuPG deals with comments, which is affecting you here I believe.
    From the hiera-eyaml-gpg gem it is visible, that each recipient is passed through to the library communicating with GnuPG, gpgme without sanitizing the entries. gpgme probably passes the values through as they are to GnuPG as well. Since GnuPG 2.2 doesn't support comments that don't start a line, so basically # this is a comment for GnuPG vs some-option # this part is not treated as a comment your setup no longer works.

    The easiest solution is to remove the # email address part from each line, and you will be up and running again.

    I've raised the issue regarding the handling of comments in newer GnuPG versions with the GnuPG developers at but unfortunately they don't think this is something that should be fixed.

  8. 8 Posted by Martin Gladdish on 18 Jan, 2018 03:39 PM

    Martin Gladdish's Avatar

    Blimey, that’s fixed it!

    I removed the comments from the recipients file and I can encrypt my files again.

    I don’t understand how, if GnuPG 2.2 is at fault, my old laptop with GPGSuite 2017.1 also has the problem.

    But thanks so much for your help - I would have never sorted this so quickly on my own!

  9. Support Staff 9 Posted by Luke Le on 18 Jan, 2018 03:41 PM

    Luke Le's Avatar

    Hi Martin,

    2017.1b3 was the last version to still install GnuPG 2.0.X, 2017.1 was the first version which included GnuPG 2.2, so that explains why your old laptop also had the problem, no?

  10. 10 Posted by Martin Gladdish on 18 Jan, 2018 03:43 PM

    Martin Gladdish's Avatar

    Sorry, yes, you're quite right. I'm having version blindness.

    Thanks again for your help!

  11. Support Staff 11 Posted by Luke Le on 18 Jan, 2018 03:44 PM

    Luke Le's Avatar

    Very happy to could have helped :)

    Closing this discussion. Feel free to open a new one at any time should you have questions or run into problems.

  12. Luke Le closed this discussion on 18 Jan, 2018 03:44 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts


? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac