GPG Mail - decrypting - does it have to check all my keys?
Which of our tools is giving you problems? GPG Mail 6.2 Build 2050
Attach a screenshot of the version info for all installed components (how to: https://gpgtools.tenderapp.com/kb/faq/where-can-i-find-version-info...):
Describe your problem. Add as much detail as possible. The tool is working but when I get an encrypted message it prompts me for ALL my keys, in order. Is there a way to change that so it is smarter and just looks for the keys that correspond to that email address? The pop up screen pops up repeatedly asking me to enter passwords for or insert yubikeys which is probably something I could make a mistake on.
What did you expect instead
- I receive encrypted email for [email blocked], it uses the key that goes with [email blocked]
- I receive encrypted email for [email blocked], and instead of asking me for the key that goes with [email blocked], it asks for [email blocked], and quits if I don't have it rather than cycling through all my keys.
Describe steps leading to the problem. Receipt of an encrypted message for an address that is not the first of my keys will kick into a long sequence of asking for every key.
Are you using any other Mail.app plugins? Nope
Support Staff 1 Posted by Steve on 24 Aug, 2022 03:49 PM
Hi Dennis,
can you elaborate a bit more. I don't fully understand your setup yet.
How many secret keys do you have? Are those intentional? Are you aware you can use as many emails as you want in a single key?
Staying with your example, in that scenario, do you have a key which has email [email blocked]?
If [email blocked] is included in one of your keys, that key should be picked automatically. Is the email you received using [email blocked] as recipient or is the bcc: field also involved?
Best,
Steve
2 Posted by Dennis Evangeli... on 24 Aug, 2022 06:02 PM
Let's say I have 4 keys. Two are my normal ones on different Yubikeys, one for me@home and one for me@work. Maybe I also have another for pi@raspberry and another for other@group.
If I send an email that is encrypted for other@group, when I try to open it in Mail, GPGMail will cycle through asking for
Please insert key for me@home
If I hit cancel:
Please insert key for me@work
If I hit cancel:
Please enter password for pi@raspberry key
Cancel again:
Please enter password for other@group key
And it will repeat too.
What I think it should do is only ask:
Please enter password for other@group key
and if I don't it should quit trying to decrypt
Similarly if I get an encrypted message for me@home, it should only ask:
Please insert key for me@home
and if I hit cancel it should quit trying to decrypt
There's no BCC or anything in what I am seeing.
Support Staff 3 Posted by Steve on 26 Aug, 2022 02:44 PM
Hi Dennis,
when you mention other@group is that a key used for a group or just an individual key for one of your email addresses?
Where does the secret key for that email address reside? Is that on its own yubikey or locally in your keyring?
What I don't understand yet, if you receive an email encrypted for me@home and you put in the yubikey with the secret key for that email does the decryption not happen instantly? Could you send screenshots of the requests you see in that scenario please.
When I try to reproduce this on macOS 12.5.1 and a yubikey, when I cancel the request to "Please insert the card with serial number:", the attempt to decrypt is canceled and Mail app shows "Secret key to decrypt the message is missing". No additional requests are showing up.
Best,
Steve
4 Posted by Dennis Evangeli... on 27 Aug, 2022 11:50 AM
Hello - yes sorry for not being so clear.
Example setup is this:
me@home has a gpg key on a Yubikey 0x12341234abcdabcd for example
me@work has a different gpg key on a different Yubikey 0xffffeeee
other@group has a different gpg key in .gnupg managed by MacGPG in its normal keyring
another@group2 has a different gpg key in .gnupg managed by MacGPG
1. Correct behavior: If I receive an encrypted email for me@home it asks for Yubikey and decrypts. This works as desired, but only for the first key.
2. Less desirable behavior: If I receive an encrypted email for another@group2 it asks for the Yubikey 0xabcdabcd... then for Yubikey 0xfffeee then for other@group password, then for another@group2 password...
What I think it should do: ask only for the password for another@group2, not others
3. Also: If I receive an encrypted email for me@home and I don't want to read it, so click Cancel, it still asks for the next Yubikey, then the password for other@group, then the password for another@group2, etc
What I think it should do: cancel the operation, not cycle through other keys
Support Staff 5 Posted by Steve on 05 Nov, 2022 04:42 PM
Please excuse the super late response:
I tried reproducing the case you described. I have several secret keys, most of them locally and one on a yubikey.
I sent an encrypted and signed email from the email account with key on yubikey to one of the accounts with the secret key locally on the mac.
Upon receiving the message, I was first asked for the passphrase of the receiving account. Click Cancel, and pinentry asked to unlock yubikey. Since I sent from that account and sent emails are also encrypted with the public key of the sending account, that would also be expected. I also canceled that request.
I did not receive additional requests.
So what still would have to be tested is how this behaves for groups. Maybe that is similar to BCC: receivers where not all receivers are known to gpg. But actually they should be. Hmm, somewhat unsure what to make of this.
Can you confirm the cycling through all secret keys does not happen, if you are not using the group feature?
Best,
Steve
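One way to see which keys a message was actually encrypted to, as an added example that is not code from the thread or from GPGTools: gpg chooses a secret key by the key ID carried in each Public-Key Encrypted Session Key packet, and a message sent to hidden recipients (gpg's --throw-keyids / -R, sometimes used for BCC) carries an all-zero key ID, which forces gpg to try every secret key in turn, matching the cycling Dennis describes. The parser below walks the OpenPGP packet framing of a binary message (the same information `gpg --list-packets` prints) and flags that case; the sample message is constructed inline and reuses the thread's example key ID 0x12341234abcdabcd as one recipient.

```python
import struct

PKESK_TAG = 1                     # Public-Key Encrypted Session Key packet (RFC 4880 5.1)
WILDCARD = "0000000000000000"     # all-zero key ID = hidden recipient, every secret key is tried


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet in a binary OpenPGP stream."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                               # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                        # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hdr = 1 + (1 << ltype)                   # 1, 2 or 4 length bytes
            length = int.from_bytes(data[i + 1:i + hdr], "big")
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length


def recipient_key_ids(data: bytes) -> list:
    """Key IDs (hex) of every version-3 PKESK packet, i.e. the intended recipients."""
    return [body[1:9].hex().upper()
            for tag, body in iter_packets(data) if tag == PKESK_TAG and body[0] == 3]


def needs_all_secret_keys(data: bytes) -> bool:
    """True when a hidden-recipient packet forces gpg to try each secret key."""
    return WILDCARD in recipient_key_ids(data)


def _pkesk(key_id_hex: str) -> bytes:
    # Constructed sample packet: version 3, 8-byte key ID, RSA (1), dummy 16-bit MPI.
    body = b"\x03" + bytes.fromhex(key_id_hex) + b"\x01" + b"\x00\x10\xbe\xef"
    return bytes([0x84, len(body)]) + body           # old-format header, tag 1, 1-byte length


# Constructed message: one named recipient, one hidden recipient, then a stub SEIPD (tag 18) packet.
SAMPLE_MSG = _pkesk("12341234ABCDABCD") + _pkesk(WILDCARD) + bytes([0xD2, 0x01, 0x01])
```

On a real message, run it over the binary body (dearmor ASCII-armored mail first) and compare the list with your own key IDs: a wildcard entry, not a GPG Mail bug, is what makes every Yubikey and passphrase prompt appear.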