GPG Mail: cannot decrypt a message that is encrypted to my public key
Which of our tools is giving you problems?
GPG
Attach a screenshot of the version info for all installed components (how to: https://gpgtools.tenderapp.com/kb/faq/where-can-i-find-version-info...):
Attached
Describe your problem. Add as much detail as possible.
I received an email today that neither GPGMail nor GPGServices can decrypt, despite it being encrypted to my public key.
What did you expect instead
To be able to decrypt said message.
Describe steps leading to the problem.
It fails in GPGMail saying I don't have the right private key, when I do have it. From the CLI:
gpg encrypted.asc
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: encrypted with 4096-bit RSA key, ID 0xNOT_ME, created XXXX-XX-XX
      "NOT_ME [email blocked]"
gpg: encrypted with 4096-bit RSA key, ID 0xNOT_ME2, created XXXX-XX-XX
      "NOT_ME2 [email blocked]"
gpg: encrypted with 4096-bit RSA key, ID 0xME, created YYYY-YY-YY
      "ME [email blocked]"
gpg: decryption failed: No secret key
But here I confirm I do have the right private key:
gpg --list-secret-keys 0xME 1>/dev/null && echo found
found
Are you using any other Mail.app plugins?
No
Support Staff 1 Posted by Steve on 03 Aug, 2020 05:04 PM
Hi gpg_dude,
would it be possible to provide the email message in question? If so, please export the message in question, so that we can have a closer look. To export, simply select the message in Mail.app and press CMD + SHIFT + S, select "Raw Message Source" as type and save it. We won't of course be able to decrypt it, but it will help with analyzing and hopefully finding a solution for your problem.
Attach the resulting .eml file to this discussion by visiting it in your browser (email reply should work but sometimes attachments do not arrive).
Do you know which OpenPGP software was used to create the message in question?
Best,
Steve
2 Posted by gpg_dude on 03 Aug, 2020 06:13 PM
Hi Steve,
Your note has actually given me an idea of what might be wrong. Let me follow up with the sender and get back to you. The message looks like it may have been sent with Canary Mail V2, which had lots of bugs and this person should be on V3 already.
3 Posted by gpg_dude on 03 Aug, 2020 09:46 PM
Did a little more digging and found the following:
The only major difference between the setup for the user vs. my own is they are not using a Yubikey for GPG. I'm going to try and get them to use Canary Mail to send another message to a different Yubikey user to see if it persists or if it's just my key. I suspect it's the former since the point of the Yubikey is that the master key remains on ICE and individual sub-keys are generated & loaded onto the Yubikey - so despite gpg --list-secret-keys showing my master key ID, I don't think it actually has access to it in this setup. Let me know if that doesn't sound right or you can think of another reason that might explain this behavior. I suspect we'll have to engage with the Canary Mail developers to address this.
Support Staff 4 Posted by Luke Le on 04 Aug, 2020 10:43 PM
Hi gpg_dude,
ah that might explain it. If --list-secret-keys shows a # before the sec line, it means that gnupg is aware that a secret key exists, but that the secret key is not locally available. What you might have to do is to run gpg --card-status in order to create the local stubs for the key. After that you should technically be asked to enter your card in order to decrypt the message. Unfortunately smart card support is still rather fragile, but please let us know if that helps or what else you find.
5 Posted by gpg_dude on 04 Aug, 2020 11:48 PM
I'm not sure how gpg --card-status would help here? It just shows me the card info, which does list the # on the master secret key:
sec#  rsa4096/0xMY_MASTER_KEYID  created: YYYY-MM-DD  expires: YYYY-MM-DD
6 Posted by gpg_dude on 06 Aug, 2020 02:11 AM
I think we have found the cause of this issue on the Canary Mail side as well. I'm told they updated their software to use Bouncy Castle in the last 30 days and verified older messages sent via Canary Mail were encrypted to users' encryption sub-keys and not their master keys. We're pushing them to fix this, so you can go ahead and close this. Thanks.
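The root cause found in this thread (the sender's client encrypted to the primary key, whose secret is an offline stub, instead of the encryption subkey) can be made visible without guessing by comparing the recipients listed in the message against the local secret keyring. The script below is an added example, not code from GPGTools, GnuPG or Canary Mail. It parses two outputs gpg really produces: the ":pubkey enc packet:" lines of gpg --list-packets and the sec/ssb records of gpg --list-secret-keys --with-colons (field 12 is the key's capabilities, field 15 is "#" for a stub or the card serial number, as documented in gnupg's doc/DETAILS). The embedded sample outputs are constructed; the key IDs 1111..., AAAA..., BBBB..., CCCC... and the card serial are placeholders.

```python
"""Explain a GnuPG 'decryption failed: No secret key' by matching a message's
recipients against the local secret keyring.

Added example for this support thread, not GPGTools or GnuPG project code.
Inputs are the real formats of:
  gpg --list-packets <file>             -> ':pubkey enc packet:' recipient lines
  gpg --list-secret-keys --with-colons  -> sec/ssb records (gnupg doc/DETAILS)
All sample data below is CONSTRUCTED; key IDs and the card serial are placeholders.
"""
import re
import subprocess
from dataclasses import dataclass

# e.g. ':pubkey enc packet: version 3, algo 1, keyid AAAAAAAAAAAAAAAA'
PKESK_RE = re.compile(r"^:pubkey enc packet: version \d+, algo \d+, keyid ([0-9A-Fa-f]{16})")


@dataclass
class SecretKey:
    kind: str    # 'sec' = primary key, 'ssb' = subkey
    keyid: str   # 16 hex chars (no 0x prefix in --with-colons output)
    caps: str    # field 12: this key's own capabilities in lowercase (c/s/e/a)
    token: str   # field 15: '#' = stub (secret not here), card serial = on token, '' = on disk


def parse_secret_keyring(colons: str) -> dict:
    """Index the sec/ssb records of --with-colons output by key ID (fields are 1-based in DETAILS)."""
    keys = {}
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb") and len(f) > 14:
            keys[f[4].upper()] = SecretKey(f[0], f[4].upper(), f[11], f[14])
    return keys


def recipients(list_packets: str) -> list:
    """Key IDs of every public-key-encrypted session key (PKESK) packet in the message."""
    return [m.group(1).upper() for line in list_packets.splitlines()
            if (m := PKESK_RE.match(line))]


def diagnose(list_packets: str, colons: str) -> list:
    """Return (keyid, code, message) per recipient; 'code' is the machine-checkable verdict."""
    keys = parse_secret_keyring(colons)
    enc_subkeys = [k.keyid for k in keys.values() if k.kind == "ssb" and "e" in k.caps]
    report = []
    for kid in recipients(list_packets):
        k = keys.get(kid)
        if k is None:
            report.append((kid, "not_ours", "no secret key for this recipient (another recipient of the message)"))
        elif k.token == "#" and k.kind == "sec" and "e" not in k.caps:
            # This thread's case: the sender encrypted to the primary key, which is an offline
            # stub (sec#) and not encryption-capable; the usable key is an encryption subkey.
            hint = f"; encryption subkey(s) on this keyring: {', '.join(enc_subkeys) or 'none'}"
            report.append((kid, "stub_primary", "encrypted to the primary key, whose secret is an offline stub (sec#)" + hint))
        elif k.token == "#":
            report.append((kid, "stub", f"secret {k.kind} is a stub; if it lives on a card, 'gpg --card-status' with the card inserted recreates the link"))
        elif k.token:
            report.append((kid, "on_card", f"secret {k.kind} lives on smart card serial {k.token}"))
        else:
            report.append((kid, "on_disk", f"secret {k.kind} is available locally"))
    return report


def collect_from_gpg(path: str) -> tuple:
    """Gather both outputs from a real gpg installation (not used by the offline sample run).
    --list-packets exits non-zero when it cannot decrypt, so check=False keeps its partial output."""
    pk = subprocess.run(["gpg", "--list-packets", path], capture_output=True, text=True, check=False).stdout
    ks = subprocess.run(["gpg", "--list-secret-keys", "--with-colons"], capture_output=True, text=True, check=True).stdout
    return pk, ks


# CONSTRUCTED --list-packets output: two recipients, the second being "our" primary key.
SAMPLE_PACKETS = """\
# off=0 ctb=85 tag=1 hlen=3 plen=524
:pubkey enc packet: version 3, algo 1, keyid 1111111111111111
\tdata: [4096 bits]
# off=527 ctb=85 tag=1 hlen=3 plen=524
:pubkey enc packet: version 3, algo 1, keyid AAAAAAAAAAAAAAAA
\tdata: [4095 bits]
# off=1054 ctb=d2 tag=18 hlen=3 plen=1200 new-ctb
:encrypted data packet:
\tlength: 1200
\tmdc_method: 2
"""

# CONSTRUCTED --with-colons keyring: certify-only primary kept offline (field 15 = '#'),
# signing and encryption subkeys on a card (field 15 = placeholder serial number).
SAMPLE_KEYRING = """\
sec:u:4096:1:AAAAAAAAAAAAAAAA:1577836800:1893456000::u:::cESCA:::#:::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1577836800::0000000000000000000000000000000000000000::Constructed Example <me@example.invalid>::::::::::0:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1577836800:1893456000:::::s:::D2760001240102010006012345670000:::23:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1577836800:1893456000:::::e:::D2760001240102010006012345670000:::23:
"""

if __name__ == "__main__":
    for kid, code, msg in diagnose(SAMPLE_PACKETS, SAMPLE_KEYRING):
        print(f"{kid}: [{code}] {msg}")
```

Run against a real message with diagnose(*collect_from_gpg("encrypted.asc")): a "stub_primary" verdict is the sender's bug (their client must encrypt to the subkey flagged "e"), a plain "stub" on a card-backed subkey is the case Luke describes, and "on_card" or "on_disk" means the failure lies elsewhere.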
Support Staff 7 Posted by Steve on 07 Aug, 2020 12:22 PM
Great to hear you were able to identify where the problems stem from. Can you update this discussion once a fix is available in CanaryMail, so other users that read this discussion are made aware of the solution?
Steve closed this discussion on 17 Aug, 2020 02:07 PM.
gpg_dude re-opened this discussion on 19 Jan, 2021 02:35 PM
8 Posted by gpg_dude on 19 Jan, 2021 02:35 PM
It appears the Canary team fixed this in version 3.19.
Support Staff 9 Posted by Steve on 20 Jan, 2021 02:06 PM
That is great news! Thanks for sharing.
Steve closed this discussion on 20 Jan, 2021 02:06 PM.
Steve re-opened this discussion on 20 Jan, 2021 02:06 PM
Steve closed this discussion on 20 Jan, 2021 02:06 PM.