GPG Mail: cannot decrypt a message that is encrypted to my public key

gpg_dude's Avatar

gpg_dude

03 Aug, 2020 04:02 PM

Which of our tools is giving you problems?

GPG

Attach a screenshot of the version info for all installed components (how to: https://gpgtools.tenderapp.com/kb/faq/where-can-i-find-version-info...):

Attached

Describe your problem. Add as much detail as possible.

I received an email today that neither GPGMail nor GPGServices can decrypt, despite it being encrypted to my public key.

What did you expect instead

To be able to decrypt said message.

Describe steps leading to the problem.

It fails in GPGMail saying I don't have the right private key, when I do have it. From the CLI:
gpg encrypted.asc
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: encrypted with 4096-bit RSA key, ID 0xNOT_ME, created XXXX-XX-XX
"NOT_ME [email blocked]" gpg: encrypted with 4096-bit RSA key, ID 0xNOT_ME2, created XXXX-XX-XX
"NOT_ME2 [email blocked]" gpg: encrypted with 4096-bit RSA key, ID 0xME, created YYYY-YY-YY
"ME [email blocked]" gpg: decryption failed: No secret key

But here I confirm I do have the right private key:
gpg --list-secret-keys 0xME 1>/dev/null && echo found
found

Are you using any other Mail.app plugins?

No

  1. Support Staff 1 Posted by Steve on 03 Aug, 2020 05:04 PM

    Steve's Avatar

    Hi gpg_dude,

    would it be possible to provide the email message in question? If so, please export the message in question, so that we can have a closer look. To export, simply select the message in Mail.app and press CMD + SHIFT + S, select "Raw Message Source" as type and save it. We won't of course be able to decrypt it, but it will help with analyzing and hopefully finding a solution for your problem.

    Attach the resulting .eml file to this discussion by visiting it in your browser (email reply should work but sometimes attachments do not arrive).

    Do you know which OpenPGP software was used to create the message in question?

    Best,
    Steve

  2. 2 Posted by gpg_dude on 03 Aug, 2020 06:13 PM

    gpg_dude's Avatar

    Hi Steve,
    Your note has actually given me an idea of what might be wrong. Let me follow up with the sender and get back to you. The message looks like it may have been sent with Canary Mail V2, which had lots of bugs and this person should be on V3 already.

    -----BEGIN PGP MESSAGE-----

    Version: Canary PGP v2

  3. 3 Posted by gpg_dude on 03 Aug, 2020 09:46 PM

    gpg_dude's Avatar

    Did a little more digging and found the following:

    • The current version 3 of Canary Mail still reports that V2 tag in the PGP payload, so that was a red herring
    • Another user with Canary Mail V3 sent me a test message that I am also unable to open
    • Canary Mail V3 seems to be encrypting messages to the master key and not the encryption sub-key
    • The same user is able to open the message in their sent mail using GPGTools/GPGMail on their computer

    The only major difference between the setup for user vs. my own is they are not using a Yubikey for GPG. I'm going to try and get them to use Canary Mail to send another message to a different Yubikey user to see if it persists or if it's just my key. I suspect it's the former since the point of the Yubikey is that the master key remains on ICE and individual sub-keys are generated & loaded onto the Yubikey - so despite gpg --list-secret-keys showing my master key ID, I don't think it actually has access to it in this setup. Let me know if that doesn't sound right or you can think of another reason that might explain this behavior. I suspect we'll have to engage with the Canary Mail developers to address this.

  4. Support Staff 4 Posted by Luke Le on 04 Aug, 2020 10:43 PM

    Luke Le's Avatar

    Hi gpg_dude,

    ah that might explain it. If --list-secret-keys shows a # before the sec line, it means that gnupg is aware that a secret key exists, but that the secret key is not locally available. What you might have to do is to run gpg --card-status in order to create the local stubs for the key. After that you should technically be asked to enter your card in order to decrypt the message.

    Unfortunately smart card support is still rather fragile, but please let us know if that helps or what else you find.

  5. 5 Posted by gpg_dude on 04 Aug, 2020 11:48 PM

    gpg_dude's Avatar

    I'm not sure how gpg --card-status would help here? It just shows me the card info, which does list the # on the master secret-key:

    sec# rsa4096/0xMY_MASTER_KEYID created: YYYY-MM-DD expires: YYYY-MM-DD

  6. 6 Posted by gpg_dude on 06 Aug, 2020 02:11 AM

    gpg_dude's Avatar

    I think we have found the cause of this issue on the Canary Mail side as well. I'm told they updated their software to use Bouncy Castle in the last 30 days and verified older messages sent via Canary Mail were encrypted to user's encryption sub-keys and not their master keys. We're pushing them to fix this, so you can go ahead and close this. Thanks.

  7. Support Staff 7 Posted by Steve on 07 Aug, 2020 12:22 PM

    Steve's Avatar

    Great to hear you were able to identify where the problems stem from. Can you update this discussion, once a fix is available in CanaryMail so other users that read this discussions are made aware of the solution?

  8. Steve closed this discussion on 17 Aug, 2020 02:07 PM.

  9. gpg_dude re-opened this discussion on 19 Jan, 2021 02:35 PM

  10. 8 Posted by gpg_dude on 19 Jan, 2021 02:35 PM

    gpg_dude's Avatar

    It appears the Canary team fixed this in version 3.19

  11. Support Staff 9 Posted by Steve on 20 Jan, 2021 02:06 PM

    Steve's Avatar

    That is great news! Thanks for sharing.

  12. Steve closed this discussion on 20 Jan, 2021 02:06 PM.

  13. Steve re-opened this discussion on 20 Jan, 2021 02:06 PM

  14. Steve closed this discussion on 20 Jan, 2021 02:06 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac