Home → Nightly →

GPG Keychain: GPG Tools no longer works with hiera - how to narrow down the problem?

• Edit

Martin Gladdish

18 Jan, 2018 02:33 PM

Sorry, I don't know whether this is actually a GPG Tools problem or a hiera problem, but I also don't know how to narrow it down further and wondering whether I might get some help here.

We've been using GPG Tools on OS X with hiera-eyaml and hiera-eyaml-gpg for well over a year and it's been working perfectly.

That is, until I tried to encrypt our files again yesterday, when it just broke. I've not changed any versions of anything, not changed the recipients file, nothing. My two colleagues with the same setup have the same problem, too. The last time we used the tool was Nov 30th, when it worked fine.

The error I get from eyaml is

[hiera-eyaml-core] No key found on keyring for 7C8EA11F8C223C12A406122A8D1534C20100F74A # [email blocked]

But I do have that key in GPG Keychain, for that address, with that fingerprint.

I'm running High Sierra, one of my colleagues is running just Sierra, and we have the same problem. I suspect, but don't have any evidence, that the one thing we have in common is we've applied the Meltdown patch to OS X.

This error happened when I was running GPG Tools 1.4. I upgraded to 1.4.1, then to yesterday's nightly build, and they all have the same problem.

Has anyone encountered anything similar, or can help with next steps that I can take to narrow down where my problem is?

Many thanks.

Expected
Encrypting and decrypting to just continue working as it used to

macOS                   10.13.2     17C205
GPG Suite               2017.3      2090n   (9658b70)
GPGMail                 3.0         1270n   (4060831)
GPG Keychain            1.4.2       1408n   (2e097c4)
GPGServices             1.11.2      972n    (c0766ee)
MacGPG                  2.2.4       901n    (bd8150b)
GPG Suite Preferences   2.1.1       995n    (05eb1a6)
Libmacgpg               0.8.2       828n    (943132e)
pinentry                1.1.1       26n     (74d8675)

1. Support Staff 1 Posted by Luke Le on 18 Jan, 2018 03:00 PM

   

   Hi Martin,

   thank you for your report and the debug log.
   Your key setup looks fine, so this is probably related to something else. With 2017.1 we have upgraded GnuPG to the back then new version 2.2 which brought a lot of changes and might in some cases have broken compatibility with existing tools.
   Is there any chance to have Hiera provide some debug output?

   • Edit

2. 2 Posted by Martin Gladdish on 18 Jan, 2018 03:11 PM

   

   I’m struggling to understand how it could be “just” a problem with an upgrade of GnuPG - this used to work fine *with the same version of GPGTools*. We know we haven’t changed the version of hiera, either.

   Here’s as much debug info as it gives me:

   With this command:
   bundle exec eyaml encrypt \
       -v \
       -f "$file" \
       -n gpg \
       --gpg-recipients-file recipients.rcp \
       --gpg-always-trust \
       --output string \
   | tr -d '\n’ \

   We get this output:

   [2018-01-18T 15:04:28+0000Z] (encrypt-all): Encrypting credentials...
   [gpg] GNUPGHOME is /Users/martingladdish/.gnupg
   [gpg] Using --recipients-file option
   [gpg] Recipents are ["7C8EA11F8C223C12A406122A8D1534C20100F74A # [email blocked]", —-more recipients redacted--]
   [hiera-eyaml-core] No key found on keyring for 7C8EA11F8C223C12A406122A8D1534C20100F74A # [email blocked]
   [hiera-eyaml-core] /Library/Ruby/Gems/2.3.0/gems/hiera-eyaml-gpg-0.6/lib/hiera/backend/eyaml/encryptors/gpg.rb:137:in `block in encrypt'
                      /Library/Ruby/Gems/2.3.0/gems/hiera-eyaml-gpg-0.6/lib/hiera/backend/eyaml/encryptors/gpg.rb:134:in `map'
                      /Library/Ruby/Gems/2.3.0/gems/hiera-eyaml-gpg-0.6/lib/hiera/backend/eyaml/encryptors/gpg.rb:134:in `encrypt'
                      /Library/Ruby/Gems/2.3.0/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/subcommands/encrypt.rb:80:in `execute'
                      /Library/Ruby/Gems/2.3.0/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/CLI.rb:46:in `execute'
                      /Library/Ruby/Gems/2.3.0/gems/hiera-eyaml-2.1.0/bin/eyaml:21:in `<top (required)>'
                      /usr/local/bin/eyaml:22:in `load'
                      /usr/local/bin/eyaml:22:in `<top (required)>'
                      /Library/Ruby/Gems/2.3.0/gems/bundler-1.16.0/lib/bundler/cli/exec.rb:75:in `load'
                      /Library/Ruby/Gems/2.3.0/gems/bundler-1.16.0/lib/bundler/cli/exec.rb:75:in `kernel_load'
                      /Library/Ruby/Gems/2.3.0/gems/bundler-1.16.0/lib/bundler/cli/exec.rb:28:in `run'
                      /Library/Ruby/Gems/2.3.0/gems/bundler-1.16.0/lib/bundler/cli.rb:424:in `exec'
                      /Library/Ruby/Gems/2.3.0/gems/bundler-1.16.0/lib/bundler/vendor/thor/lib/thor/command.rb:27:in `run'
                      /Library/Ruby/Gems/2.3.0/gems/bundler-1.16.0/lib/bundler/vendor/thor/lib/thor/invocation.rb:126:in `invoke_command'
                      /Library/Ruby/Gems/2.3.0/gems/bundler-1.16.0/lib/bundler/vendor/thor/lib/thor.rb:387:in `dispatch'
                      /Library/Ruby/Gems/2.3.0/gems/bundler-1.16.0/lib/bundler/cli.rb:27:in `dispatch'
                      /Library/Ruby/Gems/2.3.0/gems/bundler-1.16.0/lib/bundler/vendor/thor/lib/thor/base.rb:466:in `start'
                      /Library/Ruby/Gems/2.3.0/gems/bundler-1.16.0/lib/bundler/cli.rb:18:in `start'
                      /Library/Ruby/Gems/2.3.0/gems/bundler-1.16.0/exe/bundle:30:in `block in <top (required)>'
                      /Library/Ruby/Gems/2.3.0/gems/bundler-1.16.0/lib/bundler/friendly_errors.rb:122:in `with_friendly_errors'
                      /Library/Ruby/Gems/2.3.0/gems/bundler-1.16.0/exe/bundle:22:in `<top (required)>'
                      /usr/local/bin/bundle:22:in `load'
                      /usr/local/bin/bundle:22:in `<main>’

   • signature.asc 834 Bytes
   • Edit

3. Support Staff 3 Posted by Luke Le on 18 Jan, 2018 03:15 PM

   

   Thanks for the debug output. What strikes me as odd is that hiera mentions it can't find a key for "7C8EA11F8C223C12A406122A8D1534C20100F74A # [email blocked]". This looks like a parsing error (or it might be by design that not only the fingerprint is printed but also the email address and a # sign)
   You mentioned that you last used the tool on Nov 30. 2017.3 was released on December 22nd, so GPG Suite must have been upgraded in the meantime.

   I'm trying to have a look at hiera's source code.

   • Edit

4. Support Staff 4 Posted by Luke Le on 18 Jan, 2018 03:19 PM

   

   Would you mind attaching the recipients-file to this discussion?

   • Edit

5. 5 Posted by Martin Gladdish on 18 Jan, 2018 03:20 PM

   

   My old laptop is still running GPG Suite 2017.1 and it also has the same problem.

   • signature.asc 834 Bytes
   • Edit

6. 6 Posted by Martin Gladdish on 18 Jan, 2018 03:25 PM

   

   recipients file attached (zipped to make tenderapp happy). We know this file hasn't changed since August 2017.

   • recipients.rcp.zip 404 Bytes
   • Edit

7. Support Staff 7 Posted by Luke Le on 18 Jan, 2018 03:31 PM

   

   Ok, I understand now what is going on I believe.
   The upgrade to GnuPG 2.2 (which is included in GPG Suite since GPG Suite 2017.1) has unfortunately changed the way GnuPG deals with comments, which is affecting you here I believe.
   From the hiera-eyaml-gpg gem it is visible, that each recipient is passed through to the library communicating with GnuPG, gpgme without sanitizing the entries. gpgme probably passes the values through as they are to GnuPG as well. Since GnuPG 2.2 doesn't support comments that don't start a line, so basically # this is a comment for GnuPG vs some-option # this part is not treated as a comment your setup no longer works.

   The easiest solution is to remove the # email address part from each line, and you will be up and running again.

   I've raised the issue regarding the handling of comments in newer GnuPG versions with the GnuPG developers at https://gnupg.org but unfortunately they don't think this is something that should be fixed.

   • Edit

8. 8 Posted by Martin Gladdish on 18 Jan, 2018 03:39 PM

   

   Blimey, that’s fixed it!

   I removed the comments from the recipients file and I can encrypt my files again.

   I don’t understand how, if GnuPG 2.2 is at fault, my old laptop with GPGSuite 2017.1 also has the problem.

   But thanks so much for your help - I would have never sorted this so quickly on my own!

   • signature.asc 834 Bytes
   • Edit

9. Support Staff 9 Posted by Luke Le on 18 Jan, 2018 03:41 PM

   

   Hi Martin,

   2017.1b3 was the last version to still install GnuPG 2.0.X, 2017.1 was the first version which included GnuPG 2.2, so that explains why your old laptop also had the problem, no?

   • Edit

10. 10 Posted by Martin Gladdish on 18 Jan, 2018 03:43 PM

    

    Sorry, yes, you're quite right. I'm having version blindness.

    Thanks again for your help!

    • Edit

11. Support Staff 11 Posted by Luke Le on 18 Jan, 2018 03:44 PM

    

    Very happy to could have helped :)

    Closing this discussion. Feel free to open a new one at any time should you have questions or run into problems.

    • Edit

12. Luke Le closed this discussion on 18 Jan, 2018 03:44 PM.