How do I get going again with GPGTools with a new computer and new OS X.
I've downloaded GPGTools onto a new Macbook, with Lion OS X. How do I get GPG Keychain Access to show my sec key? As is I can't find any keys: "Searching for key failed. Code = 0".
I know about the issues with the Apple Mail plug ins, but believe there is a preliminary version available. I may give that a try, but first I just want to get the basic operation going so I can encrypt documents.
C
31 Posted by Craig McKune on 05 Dec, 2011 07:36 PM
Right, it seems to be working fine! Thanks a lot. I'll let you know if anything doesn't work.
Support Staff 32 Posted by Luke Le on 05 Dec, 2011 07:45 PM
Perfect! Glad to know! I'll close the discussion. Feel free to re-open it any time, or open a new one if you have questions or run into problems.
Luke Le closed this discussion on 05 Dec, 2011 07:45 PM.
Steve re-opened this discussion on 06 Dec, 2011 12:45 AM
Support Staff 33 Posted by Steve on 06 Dec, 2011 12:45 AM
And also congratulations on the first 2 page-discussion on our new support platform :)
Steve closed this discussion on 06 Dec, 2011 12:45 AM.
craig.mckune re-opened this discussion on 06 Dec, 2011 05:40 AM
34 Posted by craig.mckune on 06 Dec, 2011 05:40 AM
Ha!
35 Posted by craig.mckune on 06 Dec, 2011 07:29 AM
Sorry to say I'm back.
I opened apple mail this morning and received an encrypted mail. It landed in my inbox automatically reading "Unable to decrypt PGP message. There was a problem decrypting this message. Verify that you have a valid key in your GPG Keychain."
I tried to decrypt a document in my finder and was met with: "Decryption failed: Bad passphrase."
Exactly the same as yesterday.
C
36 Posted by craig.mckune on 06 Dec, 2011 07:55 AM
I copied the contents of my old machine's .gnupg folder again. They looked like this:
I opened the same folder on my new machine. It looked like this:
Note S.gpg-agent is not in the new machine's folder. However I DID copy that folder across last night, when GPG was working.
I tried to copy the old contents into the new contents, but S.gpg-agent wouldn't go because "it already exists". However I could not find it on my drive.
I then deleted the .gnupg folder on the new machine, created a new one and copied across the old contents now everything works fine.
I assume when I reboot I may run into the same problem - which obviously won't be sustainable. I just can't test reboot right now because I am busy 3-pass deleting empty space.
:)
C
Support Staff 37 Posted by Luke Le on 06 Dec, 2011 08:03 AM
For some reason your copied files don't stick around after a reboot.
Could you check for me what happens if you attach your disk with the old .gnupg folder on it.
Simply attach it, restart Mail and try to execute the decrypt command again.
Let me know if that works.
38 Posted by craig.mckune on 06 Dec, 2011 08:11 AM
Sorry I'm not sure what you mean by attach my disk... attach to what?
Support Staff 39 Posted by Luke Le on 06 Dec, 2011 08:49 AM
Where do you store your old .gnupg folder? I thought you might have it on an external hard disk.
Support Staff 40 Posted by Luke Le on 06 Dec, 2011 08:50 AM
Is there any chance we could have a Team Viewer (remote access) session.
I'd log into your computer and could see what exactly is going on.
Of course this is a very sensitive thing, so just tell me if you'd feel comfortable with it.
41 Posted by Craig McKune on 06 Dec, 2011 08:59 AM
Hi, yes the old .gnupg is on an external drive. Sorry I gather I'm being a dunce about the attach question
I'd prefer not to do any remote access, as a rule :) The paranoia that has us using encryption...
Support Staff 42 Posted by Luke Le on 06 Dec, 2011 09:03 AM
Indeed, I completely understand that.
So basically what I mean is: connect your external hard drive and after that run the gpg --decrypt command in Terminal.app again, the one we've talked about before.
43 Posted by craig.mckune on 06 Dec, 2011 09:15 AM
Right, I force quit Mail and relaunched Finder with my USB attached containing the old .gnupg contents (still 3-pass deleting so can't reboot, this will go on all day). And encryption/decryption still worked. I opened the new .gnupg and noted the S.gpg-agent file was not there anymore. I then removed the USB, force quit Mail, force quit GKA and relaunched Finder. Encryption/decryption still worked.
Then I got your last message and I ran the decrypt command for the same file:
gpg: WARNING: unsafe permissions on configuration file `/Users/XXX'
gpg: WARNING: unsafe enclosing directory permissions on configuration file `/Users/XXX'
You need a passphrase to unlock the secret key for
user: "Craig McKune <[email blocked]>"
XXX-bit RSA key, ID XXX, created 2011-09-12 (main key ID XXX)
gpg: encrypted with XXX-bit RSA key, ID XXX, created DATE
"RECIPIENT"
gpg: encrypted with XXX-bit RSA key, ID XXX, created DATE
"RECIPIENT"
gpg: encrypted with XXX-bit RSA key, ID XXX, created DATE
"RECIPIENT"
{\rtf1\ansi\ansicpg1252\cocoartf1038\cocoasubrtf360
{\fonttbl\f0\fswiss\fcharset0 Helvetica;\f1\fswiss\fcharset0 ArialMT;}
{\colortbl;\red255\green255\blue255;\red25\green66\blue154;}
\paperw11900\paperh16840\margl1440\margr1440\vieww9000\viewh8400\viewkind0
\deftab720
\pard\pardeftab720\ql\qnatural
\f0\fs24 \cf0 \
\
Begin forwarded message:\
\pard\pardeftab720\ql\qnatural
\b \cf0 From:
\b0 \cf2 SENDER <{\field{\*\fldinst{HYPERLINK "mailto:SENDER"}}{\fldrslt \ul SENDER}}>\
\b \cf0 Date:
\b0 \cf2 02 December 2011 1:11:42 PM SAST\
\b \cf0 To:
\b0 \cf2 RECIPIENT <{\field{\*\fldinst{HYPERLINK "mailto:RECIPIENT"}}{\fldrslt \ul RECIPIENT}}>\
\b \cf0 Subject: \cf2 confidential exchange
\b0 \
\
\pard\pardeftab720\ql\qnatural
\f1\fs26 \cf2 FULL CONTENTS OF ENCRYPTED FILE REPRODUCED HERE\
}gpg: Signature made Mon Dec 5 10:12:37 2011 SAST using RSA key ID XXX
gpg: Good signature from "Craig McKune <[email blocked]>"
...Everything looks good. Perhaps we should just wait for another reboot and see if it sticks second time round. That should be tonight or tomorrow morning.
Support Staff 44 Posted by Luke Le on 06 Dec, 2011 09:19 AM
Now this is getting harder and harder.
Please run the following commands in Terminal.app and post the exact output.
ls -ld ~/.gnupg
ls -l ~/.gnupg
I'd be damned if we can't track this down.
45 Posted by craig.mckune on 06 Dec, 2011 09:26 AM
mgjhb020:~ privateuser$ ls -ld ~/.gnupg
drwxr-xr-x 10 privateuser staff 340 Dec 6 11:14 /Users/privateuser/.gnupg
mgjhb020:~ privateuser$ ls -l ~/.gnupg
total 104
srwxr-xr-x 1 privateuser staff 0 Dec 6 09:42 S.gpg-agent
-rwxrwxrwx 1 privateuser staff 9086 Sep 12 14:39 gpg.conf
drwxrwxrwx 2 privateuser staff 68 Sep 12 14:48 private-keys-v1.d
-rwxrwxrwx 1 privateuser staff 12277 Nov 17 09:19 pubring.gpg
-rwxrwxrwx 1 privateuser staff 11084 Nov 1 09:20 pubring.gpg~
-rwxrwxrwx 1 privateuser staff 600 Dec 6 11:14 random_seed
-rwxrwxrwx 1 privateuser staff 5433 Sep 12 16:26 secring.gpg
-rwxrwxrwx 1 privateuser staff 1280 Sep 12 16:26 trustdb.gpg
mgjhb020:~ privateuser$
Support Staff 46 Posted by Luke Le on 06 Dec, 2011 09:34 AM
Hmm... ok, the permissions are all off, so let's fix them first.
Run the following commands in your Terminal.app
chmod 700 ~/.gnupg
chmod 644 ~/.gnupg/gpg-agent.conf
chmod 600 ~/.gnupg/gpg.conf
chmod 700 ~/.gnupg/private-keys-v1.d
chmod 600 ~/.gnupg/pubring.gpg
chmod 600 ~/.gnupg/random_seed
chmod 600 ~/.gnupg/secring.gpg
chmod 600 ~/.gnupg/trustdb.gpg
After that, please run
ls -l ~/.gnupg
again so we can verify that the permissions are correct.
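The permission repair described in this post, written up as an added example; it is not part of the thread or of GPGTools. The script audits a GnuPG home directory against the modes gpg expects (0700 for the directory and any subdirectory such as private-keys-v1.d, 0600 for the keyrings, gpg.conf, trustdb.gpg and random_seed) and repairs them recursively with one chmod per kind rather than one per file. That way it also catches the pubring.gpg~ backup, which the listing posted after these chmod commands shows still at 777, and it does not fail on a gpg-agent.conf that does not exist. The S.gpg-agent socket is not a regular file and is left alone. It additionally warns when the enclosing directory is group- or other-writable, the condition behind the "unsafe enclosing directory permissions" line in the gpg output earlier in the thread. Function names and the script name are my own; as the rest of the thread shows, fixing these modes silences the warnings but was not on its own what was breaking decryption.

```shell
#!/bin/sh
# Audit and repair permissions on a GnuPG home directory.
# Added example, not part of the support thread or GPGTools. Assumes a
# POSIX sh with find and chmod (macOS and Linux both qualify). Nothing
# here touches ~/.gnupg unless a path is given on the command line.

# List every entry that does not match what gpg expects: directories
# (the home itself, private-keys-v1.d, ...) 0700 and regular files
# (gpg.conf, pubring.gpg, secring.gpg, trustdb.gpg, random_seed and
# backups such as pubring.gpg~) 0600. Sockets like S.gpg-agent are not
# regular files and are skipped; gpg-agent recreates them on demand.
# Returns 0 when everything is correct, 1 otherwise.
check_gnupg_perms() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 1
    fi
    # gpg emits a similar "unsafe enclosing directory" warning when the
    # parent of the home directory is writable by group or others.
    parent=$(dirname "$dir")
    if [ -n "$(find "$parent" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]; then
        echo "warning: enclosing directory $parent is group/other writable"
    fi
    # -perm with a plain octal mode is an exact match in POSIX find.
    bad=$( { find "$dir" -type d ! -perm 700; find "$dir" -type f ! -perm 600; } | sort )
    if [ -n "$bad" ]; then
        echo "unsafe permissions under $dir:"
        echo "$bad" | while IFS= read -r p; do ls -ld "$p"; done
        return 1
    fi
    return 0
}

# Apply the same rules recursively, so backups and the contents of
# subdirectories are covered and a missing file is not an error.
fix_gnupg_perms() {
    dir=$1
    chmod 700 "$dir" &&
    find "$dir" -type d -exec chmod 700 {} + &&
    find "$dir" -type f -exec chmod 600 {} +
}

# Script entry point: `sh gnupg-perms.sh DIR` audits and
# `sh gnupg-perms.sh --fix DIR` repairs, then re-audits.
# With no arguments only the functions are defined (safe to source).
case "${1:-}" in
    "") ;;
    --fix) fix_gnupg_perms "${2:-$HOME/.gnupg}" && check_gnupg_perms "${2:-$HOME/.gnupg}" ;;
    *) check_gnupg_perms "$1" ;;
esac
```

Run `sh gnupg-perms.sh ~/.gnupg` first to see what would change, then `sh gnupg-perms.sh --fix ~/.gnupg`; the exit status is 0 only when every entry already matches, so the check can sit in a login script or a Munki/launchd health check without parsing output.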
47 Posted by craig.mckune on 06 Dec, 2011 09:58 AM
Last login: Tue Dec 6 11:24:08 on ttys000
mgjhb020:~ privateuser$ chmod 700 ~/.gnupg
mgjhb020:~ privateuser$ chmod 644 ~/.gnupg/gpg-agent.conf
chmod: /Users/privateuser/.gnupg/gpg-agent.conf: No such file or directory
mgjhb020:~ privateuser$ chmod 600 ~/.gnupg/gpg.conf
mgjhb020:~ privateuser$ chmod 700 ~/.gnupg/private-keys-v1.d
mgjhb020:~ privateuser$ chmod 700 ~/.gnupg/private-keys-v1.d
mgjhb020:~ privateuser$ chmod 600 ~/.gnupg/pubring.gpg
mgjhb020:~ privateuser$ chmod 600 ~/.gnupg/random_seed
mgjhb020:~ privateuser$ chmod 600 ~/.gnupg/secring.gpg
mgjhb020:~ privateuser$ chmod 600 ~/.gnupg/trustdb.gpg
mgjhb020:~ privateuser$ ls -l ~/.gnupg
total 104
srwxr-xr-x 1 privateuser staff 0 Dec 6 09:42 S.gpg-agent
-rw------- 1 privateuser staff 9086 Sep 12 14:39 gpg.conf
drwx------ 2 privateuser staff 68 Sep 12 14:48 private-keys-v1.d
-rw------- 1 privateuser staff 12277 Nov 17 09:19 pubring.gpg
-rwxrwxrwx 1 privateuser staff 11084 Nov 1 09:20 pubring.gpg~
-rw------- 1 privateuser staff 600 Dec 6 11:14 random_seed
-rw------- 1 privateuser staff 5433 Sep 12 16:26 secring.gpg
-rw------- 1 privateuser staff 1280 Sep 12 16:26 trustdb.gpg
mgjhb020:~ privateuser$
Support Staff 48 Posted by Luke Le on 06 Dec, 2011 10:12 AM
Great, so the permissions are fixed.
Once you are able to restart again, we can take another stab at it
and hopefully get this finally sorted out :)
49 Posted by craig.mckune on 06 Dec, 2011 10:17 AM
Cool, thanks. I'll shout when this deleting is done. Very tenacious of you.
50 Posted by craig.mckune on 06 Dec, 2011 09:05 PM
The encrypt/decrypt worked all day until my 3pass delete was finished. I then logged out and logged back in and got the same "unable to decrypt" message for email and "bad passphrase" for documents...
51 Posted by craig.mckune on 06 Dec, 2011 09:17 PM
Hey, I rebooted and this time around my enc/dec worked perfectly, 5 min after my last despairing message :)
What the hang!
Now my machine is encrypting with filevault, but as I understand I can still reboot while this happens, so I can still test the encryption.
C
Support Staff 52 Posted by Luke Le on 06 Dec, 2011 10:59 PM
This is extremely strange. Is there any chance that your home folder is not located on your installed hard drive?
Could you describe your general setup a little? Are you logged in as a normal user or an administrator?
53 Posted by craig.mckune on 07 Dec, 2011 05:16 AM
Hmm. I'll try.
my home folder is on Macintosh HD/Users/Home folder
If I look in Users & Groups, in the bar on the left I have Current User which is <username> and "Admin" below that. There is also Other Users which has "Guest User" and "Disabled" below that. Guest User is greyed out so I can't click on it.
A little history which is largely irrelevant, I think: When I bought this machine and went through the setup, I skipped the migration option and simply created a user, with the intention of migrating from my Time Machine backup later - I didn't know at the time that the entire old user profile would be migrated. I then encrypted the drive using FileVault and migrated the Time Machine backup using Migration Assistant. It took a while for me to work out that a new user profile had been moved across. Then I dicked around for hours trying to work out how to move everything into the new profile. I didn't want the old user profile at all because it was set up by the IT guys at my employer's office and I wanted to understand the set-up and eliminate all security risks and links to their network.

I eventually ended up at the iStore, who had said it was easy to drag my mail/contacts/calendar across from one user to the other. The system wouldn't let him do that, however. He set up a third user which he tried to use to do the file swapping. This didn't work either. Then he rebooted and the only user available for log in was the third one, which wasn't enabled to decrypt the drive. :) So he formatted the drive and reloaded everything.

I took the machine home, migrated the old user across again and dicked around for ages trying to just change the username, account name and password. To change the account name I needed to log in as "root". I enabled the root user and made a password for that, logged out, and was met with the error message that "network accounts are unavailable" (see attached pic). It would not let me log in as root, but it did let me log in on the old user profile. I could never work out the error message, but from the online forums I gathered it was some sort of Lion bug that no one could get to the bottom of (I reinstalled Lion in the process of trying to work this out). So I ignored that and created a new user profile.

I dragged across all my documents, music, etc. using the Public folder. I exported calendar and contacts using the same folder. By now I had realised that I did not need to migrate my mail because I was using Gmail and an Exchange account via my employer's office; once I set up my email profiles (this took about a day to get right), all the mail downloaded. Duh. Then my GPG Tools wouldn't work and I contacted you guys. Lame week.
So ultimately, my set-up should be pretty straightforward.
C
54 Posted by craig.mckune on 07 Dec, 2011 05:19 AM
For clarity, my GPG Tools is and was always set up with my Gmail account, not the exchange account.
Also last night I left my computer encrypting. When I logged in this morning, the PGP enc worked perfectly
Support Staff 55 Posted by Luke Le on 07 Dec, 2011 12:42 PM
I really feel for you, that was one hell of a ride!
It might however explain some of your troubles.
Could you check in Preferences whether your Mac is still connected
to an Active Directory service?
Please check if any URL is in there.
56 Posted by craig.mckune on 07 Dec, 2011 01:23 PM
Ah yes, when I click edit I get a window where there is a green light with text that reads MEDIA Active Directory Domain (attached image). If I click "Open Directory Utility" I get three service options: Active Directory, LDAPv3 and NIS.
Support Staff 57 Posted by Luke Le on 07 Dec, 2011 01:26 PM
Ok, so the problem you've been seeing is somehow related to that.
Do you still need that Active Directory connection?
I have to do a little digging to find out how this might mess with your home folder but I think it does.
58 Posted by Craig McKune on 07 Dec, 2011 01:35 PM
I don't know what that connection is, so no idea if I need it. The chap at the iStore told me that if I removed that he would be able to copy across my emails, but that it would prevent me from connecting to my Exchange server - however I got a strong feeling he was grasping at straws and was uncertain. I figured that if I set up my own user profile, which I've done (I secure-deleted the migrated version once I'd shipped my docs and activated my email, by the way), that connection wouldn't be there. I didn't purposefully activate it... ?
Support Staff 59 Posted by Luke Le on 07 Dec, 2011 01:45 PM
Hmm... there's a chance it is in fact relevant to your exchange account, but I can't say that for sure.
Could you please try to follow these steps and tell me what you see,
maybe make some screenshots with sensitive information removed.
60 Posted by Craig McKune on 07 Dec, 2011 02:00 PM
See attached.
The computer ID is my old machine's ID from which I'm trying to disassociate myself.
The active directories contain the domain of my current employer - and the suffix (or whatever it's called) of my exchange email address.
C