How do I get going again with GPGTools with a new computer and new OS X.

craig.mckune

05 Dec, 2011 09:07 AM

I've downloaded GPGTools onto a new Macbook, with Lion OS X. How do I get GPG Keychain Access to show my sec key? As is I can't find any keys: "Searching for key failed. Code = 0".

I know about the issues with the Apple Mail plug-ins, but believe there is a preliminary version available. I may give that a try, but first I just want to get the basic operation going so I can encrypt documents.

C

Showing page 2 out of 3.

  1. 31 Posted by Craig McKune on 05 Dec, 2011 07:36 PM

    Right, it seems to be working fine! Thanks a lot. I'll let you know if anything doesn't work.

  2. Support Staff 32 Posted by Luke Le on 05 Dec, 2011 07:45 PM

    Perfect! Glad to know! I'll close the discussion. Feel free to re-open it any time, or open a new one, if you have questions or run into problems.

  3. Luke Le closed this discussion on 05 Dec, 2011 07:45 PM.

  4. Steve re-opened this discussion on 06 Dec, 2011 12:45 AM

  5. Support Staff 33 Posted by Steve on 06 Dec, 2011 12:45 AM

    And also congratulations on the first 2 page-discussion on our new support platform :)

  6. Steve closed this discussion on 06 Dec, 2011 12:45 AM.

  7. craig.mckune re-opened this discussion on 06 Dec, 2011 05:40 AM

  8. 34 Posted by craig.mckune on 06 Dec, 2011 05:40 AM

    Ha!

  9. 35 Posted by craig.mckune on 06 Dec, 2011 07:29 AM

    Sorry to say I'm back.

    I opened apple mail this morning and received an encrypted mail. It landed in my inbox automatically reading "Unable to decrypt PGP message. There was a problem decrypting this message. Verify that you have a valid key in your GPG Keychain."

    I tried to decrypt a document in my finder and was met with: "Decryption failed: Bad passphrase."

    Exactly the same as yesterday.

    C

  10. 36 Posted by craig.mckune on 06 Dec, 2011 07:55 AM

    I copied the contents of my old machine's .gnupg folder again. They looked like this:

    I opened the same folder on my new machine. It looked like this:

    Note S.gpg-agent is not in the new machine's folder. However I DID copy that folder across last night, when GPG was working.

    I tried to copy the old contents into the new contents, but S.gpg-agent wouldn't go because "it already exists". However I could not find it on my drive.

    I then deleted the .gnupg folder on the new machine, created a new one and copied across the old contents, and now everything works fine.

    I assume when I reboot I may run into the same problem - which obviously won't be sustainable. I just can't test reboot right now because I am busy 3-pass deleting empty space.

    :)

    C

  11. Support Staff 37 Posted by Luke Le on 06 Dec, 2011 08:03 AM

    For some reason your copied files don't stick around after a reboot.
    Could you check for me what happens if you attach your disk with the old .gnupg folder on it.
    Simply attach it, restart Mail and try to execute the decrypt command again.
    Let me know if that works.

  12. 38 Posted by craig.mckune on 06 Dec, 2011 08:11 AM

    Sorry I'm not sure what you mean by attach my disk... attach to what?

  13. Support Staff 39 Posted by Luke Le on 06 Dec, 2011 08:49 AM

    Where do you store your old gnupg folder? I thought you might have it on an external harddisk.

  14. Support Staff 40 Posted by Luke Le on 06 Dec, 2011 08:50 AM

    Is there any chance we could have a Team Viewer (remote access) session?
    I'd log into your computer and could see what exactly is going on.
    Of course this is a very sensitive thing, so just tell me if you'd feel comfortable with it.

  15. 41 Posted by Craig McKune on 06 Dec, 2011 08:59 AM

    Hi, yes the old .gnupg is on an external drive. Sorry I gather I'm being a dunce about the attach question

    I'd prefer not to do any remote access, as a rule :) The paranoia that has us using encryption...

  16. Support Staff 42 Posted by Luke Le on 06 Dec, 2011 09:03 AM

    Indeed, I completely understand that.
    So basically what I mean is, you should connect your external hard drive and after that run the gpg --decrypt command in Terminal.app that we talked about before.

  17. 43 Posted by craig.mckune on 06 Dec, 2011 09:15 AM

    Right I force quit mail and force relaunched my finder with my USB attached containing old .gnupg contents. (still 3-pass deleting so can't reboot, this will go on all day) And encryption/decryption still worked. I opened the new .gnupg and noted the S.gpg-agent file was not there anymore. I then removed the USB and force quit mail, force quit GKA, relaunched the finder. Encryption/Dec still worked.

    Then I got your last message and I ran the decrypt command for the same file:

    gpg: WARNING: unsafe permissions on configuration file `/Users/XXX'
    gpg: WARNING: unsafe enclosing directory permissions on configuration file `/Users/XXX'

    You need a passphrase to unlock the secret key for
    user: "Craig McKune <[email blocked]>"
    XXX-bit RSA key, ID XXX, created 2011-09-12 (main key ID XXX)

    gpg: encrypted with XXX-bit RSA key, ID XXX, created DATE
          "RECIPIENT"
    gpg: encrypted with XXX-bit RSA key, ID XXX, created DATE
          "RECIPIENT"
    gpg: encrypted with XXX-bit RSA key, ID XXX, created DATE
          "RECIPIENT"
    {\rtf1\ansi\ansicpg1252\cocoartf1038\cocoasubrtf360
    {\fonttbl\f0\fswiss\fcharset0 Helvetica;\f1\fswiss\fcharset0 ArialMT;}
    {\colortbl;\red255\green255\blue255;\red25\green66\blue154;}
    \paperw11900\paperh16840\margl1440\margr1440\vieww9000\viewh8400\viewkind0
    \deftab720
    \pard\pardeftab720\ql\qnatural

    \f0\fs24 \cf0 \
    \
    Begin forwarded message:\
    \pard\pardeftab720\ql\qnatural

    \b \cf0 From:
    \b0 \cf2 SENDER <{\field{\*\fldinst{HYPERLINK "mailto:SENDER"}}{\fldrslt \ul SENDER}}>\

    \b \cf0 Date:
    \b0 \cf2 02 December 2011 1:11:42 PM SAST\

    \b \cf0 To:
    \b0 \cf2 RECIPIENT <{\field{\*\fldinst{HYPERLINK "mailto:RECIPIENT"}}{\fldrslt \ul RECIPIENT}}>\

    \b \cf0 Subject: \cf2 confidential exchange
    \b0 \
    \
    \pard\pardeftab720\ql\qnatural

    \f1\fs26 \cf2 FULL CONTENTS OF ENCRYPTED FILE REPRODUCED HERE\
    }gpg: Signature made Mon Dec 5 10:12:37 2011 SAST using RSA key ID XXX
    gpg: Good signature from "Craig McKune <[email blocked]>"

    ...Everything looks good. Perhaps we should just wait for another reboot and see if it sticks second time round. That should be tonight or tomorrow morning.

  18. Support Staff 44 Posted by Luke Le on 06 Dec, 2011 09:19 AM

    Now this is getting harder and harder.
    Please run the following commands in Terminal.app and post the exact output.

    ls -ld ~/.gnupg
    ls -l ~/.gnupg

    I'd be damned if we can't track this down.

  19. 45 Posted by craig.mckune on 06 Dec, 2011 09:26 AM

    mgjhb020:~ privateuser$ ls -ld ~/.gnupg
    drwxr-xr-x 10 privateuser staff 340 Dec 6 11:14 /Users/privateuser/.gnupg
    mgjhb020:~ privateuser$ ls -l ~/.gnupg
    total 104
    srwxr-xr-x 1 privateuser staff 0 Dec 6 09:42 S.gpg-agent
    -rwxrwxrwx 1 privateuser staff 9086 Sep 12 14:39 gpg.conf
    drwxrwxrwx 2 privateuser staff 68 Sep 12 14:48 private-keys-v1.d
    -rwxrwxrwx 1 privateuser staff 12277 Nov 17 09:19 pubring.gpg
    -rwxrwxrwx 1 privateuser staff 11084 Nov 1 09:20 pubring.gpg~
    -rwxrwxrwx 1 privateuser staff 600 Dec 6 11:14 random_seed
    -rwxrwxrwx 1 privateuser staff 5433 Sep 12 16:26 secring.gpg
    -rwxrwxrwx 1 privateuser staff 1280 Sep 12 16:26 trustdb.gpg
    mgjhb020:~ privateuser$

  20. Support Staff 46 Posted by Luke Le on 06 Dec, 2011 09:34 AM

    Hmm... ok, the permissions are all off, so let's fix them first.
    Run the following commands in your Terminal.app

    chmod 700 ~/.gnupg
    chmod 644 ~/.gnupg/gpg-agent.conf
    chmod 600 ~/.gnupg/gpg.conf
    chmod 700 ~/.gnupg/private-keys-v1.d
    chmod 600 ~/.gnupg/pubring.gpg
    chmod 600 ~/.gnupg/random_seed
    chmod 600 ~/.gnupg/secring.gpg
    chmod 600 ~/.gnupg/trustdb.gpg

    After that, please run

    ls -l ~/.gnupg

    again so we can verify that the permissions are correct.

  21. 47 Posted by craig.mckune on 06 Dec, 2011 09:58 AM

    Last login: Tue Dec 6 11:24:08 on ttys000
    mgjhb020:~ privateuser$ chmod 700 ~/.gnupg
    mgjhb020:~ privateuser$ chmod 644 ~/.gnupg/gpg-agent.conf
    chmod: /Users/privateuser/.gnupg/gpg-agent.conf: No such file or directory
    mgjhb020:~ privateuser$ chmod 600 ~/.gnupg/gpg.conf
    mgjhb020:~ privateuser$ chmod 700 ~/.gnupg/private-keys-v1.d
    mgjhb020:~ privateuser$ chmod 700 ~/.gnupg/private-keys-v1.d
    mgjhb020:~ privateuser$ chmod 600 ~/.gnupg/pubring.gpg
    mgjhb020:~ privateuser$ chmod 600 ~/.gnupg/random_seed
    mgjhb020:~ privateuser$ chmod 600 ~/.gnupg/secring.gpg
    mgjhb020:~ privateuser$ chmod 600 ~/.gnupg/trustdb.gpg
    mgjhb020:~ privateuser$ ls -l ~/.gnupg
    total 104
    srwxr-xr-x 1 privateuser staff 0 Dec 6 09:42 S.gpg-agent
    -rw------- 1 privateuser staff 9086 Sep 12 14:39 gpg.conf
    drwx------ 2 privateuser staff 68 Sep 12 14:48 private-keys-v1.d
    -rw------- 1 privateuser staff 12277 Nov 17 09:19 pubring.gpg
    -rwxrwxrwx 1 privateuser staff 11084 Nov 1 09:20 pubring.gpg~
    -rw------- 1 privateuser staff 600 Dec 6 11:14 random_seed
    -rw------- 1 privateuser staff 5433 Sep 12 16:26 secring.gpg
    -rw------- 1 privateuser staff 1280 Sep 12 16:26 trustdb.gpg
    mgjhb020:~ privateuser$
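
Two things in the listings above are worth a second look, and the following is an added example (editor's code, not GPGTools' own or the poster's) that handles both. First, the leading s in srwxr-xr-x marks S.gpg-agent as a UNIX socket: gpg-agent creates it when it starts and removes it when it exits, so it is not data to be copied or chmod'ed, which is why a fixed chmod list should leave it alone. Second, the chmod list misses pubring.gpg~, the keyring backup, which the post-fix listing still shows as -rwxrwxrwx. The script derives the wanted mode from the entry type (700 for directories, 600 for regular files, skip for everything else) instead of from a fixed list, so it covers whatever is in the directory. It builds a scratch directory that reproduces the posted listing (a FIFO created with mkfifo stands in for the socket, since a shell script cannot easily create a socket), reports, repairs, and re-checks. The function names and the fix argument are this example's own conventions.

```shell
#!/bin/sh
# Audit and repair GnuPG home-directory permissions by entry type.
# Added example code; not part of GPGTools or the original discussion.

# Octal permission bits of a path. GNU stat first, BSD/macOS stat as fallback.
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Mode a GnuPG home entry should have: 700 for directories, 600 for regular
# files, empty for sockets/FIFOs such as S.gpg-agent, which belong to gpg-agent.
expected_mode() {
    if [ -d "$1" ]; then
        echo 700
    elif [ -f "$1" ]; then
        echo 600
    else
        echo ""
    fi
}

# gnupg_audit DIR [fix]
# Prints one line per entry that is wrong (or skipped), returns 0 when every
# directory and regular file already has the expected mode, 1 otherwise.
# With the second argument "fix", wrong entries are chmod'ed as they are found.
gnupg_audit() {
    audit_dir=$1
    audit_fix=${2:-report}
    audit_bad=0
    for entry in "$audit_dir" "$audit_dir"/* "$audit_dir"/.[!.]*; do
        [ -e "$entry" ] || continue          # unmatched glob pattern
        want=$(expected_mode "$entry")
        if [ -z "$want" ]; then
            printf 'skip   %s (not a regular file, left to gpg-agent)\n' "$entry"
            continue
        fi
        have=$(perm_of "$entry")
        if [ "$have" != "$want" ]; then
            audit_bad=1
            printf 'wrong  %s is %s, want %s\n' "$entry" "$have" "$want"
            if [ "$audit_fix" = fix ]; then
                chmod "$want" "$entry"
            fi
        fi
    done
    return $audit_bad
}

# Build a constructed scratch directory that mirrors the posted listing:
# world-writable rings and config, a 777 private-keys-v1.d, a 755 top
# directory, and a FIFO standing in for the S.gpg-agent socket.
make_demo_gnupg() {
    demo_dir=$1
    mkdir -p "$demo_dir/private-keys-v1.d"
    for f in gpg.conf pubring.gpg pubring.gpg~ random_seed secring.gpg trustdb.gpg; do
        : > "$demo_dir/$f"
        chmod 777 "$demo_dir/$f"
    done
    chmod 777 "$demo_dir/private-keys-v1.d"
    chmod 755 "$demo_dir"
    mkfifo "$demo_dir/S.gpg-agent"
}

# Stand-alone run on a scratch copy. Against a real home directory the call
# is simply:  gnupg_audit "$HOME/.gnupg" fix
scratch=$(mktemp -d)
make_demo_gnupg "$scratch"
echo "--- before"
gnupg_audit "$scratch" || true
gnupg_audit "$scratch" fix >/dev/null || true
echo "--- after"
gnupg_audit "$scratch" && echo "all directories and regular files have the expected modes"
rm -rf "$scratch"
```

The report-only mode is the one to run first on a machine whose ~/.gnupg was copied from elsewhere, since gpg's own "unsafe permissions" warning only mentions the configuration file and its enclosing directory, not the keyrings or their backups.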

  22. Support Staff 48 Posted by Luke Le on 06 Dec, 2011 10:12 AM

    Great, so the permissions are fixed.
    once you are able to restart again, we can take another stab at it
    and hopefully get this finally sorted out :)

  23. 49 Posted by craig.mckune on 06 Dec, 2011 10:17 AM

    Cool, thanks. I'll shout when this deleting is done. Very tenacious of you.

  24. 50 Posted by craig.mckune on 06 Dec, 2011 09:05 PM

    The encrypt/decrypt worked all day until my 3-pass delete was finished. I then logged out and logged back in and got the same "unable to decrypt" message for email and "bad passphrase" for documents...

  25. 51 Posted by craig.mckune on 06 Dec, 2011 09:17 PM

    Hey, I rebooted and this time around my enc/dec worked perfectly, 5 min after my last despairing message :)

    What the hang!

    Now my machine is encrypting with filevault, but as I understand I can still reboot while this happens, so I can still test the encryption.

    C

  26. Support Staff 52 Posted by Luke Le on 06 Dec, 2011 10:59 PM

    This is extremely strange. Is there any chance that your home folder is not located on your installed harddrive?
    Could you describe your general setup a little? Are you logged in as a normal user or an administrator?

  27. 53 Posted by craig.mckune on 07 Dec, 2011 05:16 AM

    Hmm. I'll try.

    my home folder is on Macintosh HD/Users/Home folder

    If I look in Users & Groups, in the bar on the left I have Current User which is <username> and "Admin" below that. There is also Other Users which has "Guest User" and "Disabled" below that. Guest User is greyed out so I can't click on it.

    A little history which is largely irrelevant, I think: When I bought this machine and went through the setup, I skipped the migration option and simply created a user, with the intention of migrating from my Time Machine later - I didn't know at the time the entire old user profile would be migrated. I then encrypted the drive using FileVault and migrated the Time Machine backup using Migration Assistant. It took a while for me to work out that a new user profile had been moved across. Then I dicked around for hours trying to work out how to move everything into the new profile. I didn't want the old user profile at all because it was set up by the IT guys at my employer's office and I wanted to understand the set-up and eliminate all security risks and links to their network. I eventually ended up at the iStore, who had said it was easy to drag my mail/contacts/calendar across from one user to the other. The system wouldn't let him do that, however. He set up a third user which he tried to use to do the file swapping. This didn't work either. Then he rebooted and the only user available for log in was the third one, which wasn't enabled to decrypt the drive. :) So he formatted the drive and reloaded everything. I took the machine home, migrated the old user across again and dicked around for ages trying to just change the username, account name and password. To change the account name I needed to log in as "root". I enabled the root user and made a password for that, logged out, and was met with the error message that "network accounts are unavailable" (see attached pic). It would not let me log in as root; it did let me log in on the old user profile. I could never work out the error message, but from the online forums I gathered it was some sort of Lion bug that no one could get to the bottom of (I reinstalled Lion in the process of trying to work this out). So I ignored that and created a new user profile.
    I dragged across all my documents, music, etc. using the Public folder. I exported calendar and contacts using the same folder. By now I had realised that I did not need to migrate my mail because I was using Gmail and an Exchange account via my employer's office; once I set up my email profiles (this took about a day to get right), all the mail downloaded. Duh. Then my GPG Tools wouldn't work and I contacted you guys. Lame week.

    So ultimately, my set-up should be pretty straightforward.

    C

  28. 54 Posted by craig.mckune on 07 Dec, 2011 05:19 AM

    For clarity, my GPG Tools is and was always set up with my Gmail account, not the exchange account.

    Also, last night I left my computer encrypting. When I logged in this morning, the PGP encryption worked perfectly.


  29. Support Staff 55 Posted by Luke Le on 07 Dec, 2011 12:42 PM

    I really feel for you, that was one hell of a ride!
    It might however explain some of your troubles.
    Could you check in Preferences if your Mac is still connected
    to an Active Directory service?

    1. Open System Preferences
    2. Go to User & Groups
    3. Click Login Options in the lower left. You may have to authenticate first by clicking the lock icon in the lower left.
    4. Under Network Account Server, click Edit

    Please check if any URL is in there.

  30. 56 Posted by craig.mckune on 07 Dec, 2011 01:23 PM

    Ah yes, when I click Edit I get a window where there is a green light with text that reads MEDIA Active Directory Domain (attached image). If I click "Open Directory Utility" I get three service options: Active Directory, LDAPv3 and NIS.

  31. Support Staff 57 Posted by Luke Le on 07 Dec, 2011 01:26 PM

    Ok, so the problem you've been seeing is somehow related to that.
    Do you still need that Active Directory connection?
    I have to do a little digging to find out how this might mess with your home folder but I think it does.

  32. 58 Posted by Craig McKune on 07 Dec, 2011 01:35 PM

    I don't know what that connection is, so no idea if I need it. The chap at the iStore told me that if I removed that he would be able to copy across my emails, but that it would prevent me from connecting to my exchange server - however I got a strong feeling he was grasping at straws and was uncertain. I figured that if I set up my own user profile, which I've done (I secure deleted the migrated version once I'd shipped my docs and activated my email, by the way), that that connection wouldn't be there. I didn't purposefully activate it... ?

  33. Support Staff 59 Posted by Luke Le on 07 Dec, 2011 01:45 PM

    Hmm... there's a chance it is in fact relevant to your exchange account, but I can't say that for sure.
    Could you please try to follow these steps and tell me what you see,
    maybe make some screenshots with sensitive information removed.

    1. Open System Preferences
    2. Go to User & Groups
    3. Click Login Options in the lower left. You may have to authenticate first by clicking the lock icon in the lower left.
    4. Under Network Account Server, click Edit
    5. Select your domain, then click Open Directory Utility
    6. Select Active Directory, then click the pencil to edit
    7. Click to Show Advanced Options
    8. Under User Experience you will see “Create mobile account at login”. (Please tell me if that is checked.)

  34. 60 Posted by Craig McKune on 07 Dec, 2011 02:00 PM

    See attached.

    The computer ID is my old machine's ID from which I'm trying to disassociate myself.

    The active directories contain the domain of my current employer - and the suffix (or whatever it's called) of my exchange email address.

    C

    [cid:[email blocked]]

Comments are currently closed for this discussion. You can start a new one.