Intermittent Error "Wrong secret key used" When Decrypting


jatedev

03 Jul, 2018 07:32 PM

gpg commandline

Describe your problem. Add as much detail as possible.

Running the command

gpg -vvv -u REDACTED -d Passwords.txt.gpg

fails about half the time.

What did you expect instead

The command should always succeed.

Describe steps leading to the problem.

Encrypt a data file. Then attempt to decrypt.

Are you using any other Mail.app plugins?

This is command-line only.

Success:

gpg -vvv -d -u 0xREDACTED Passwords.txt.gpg
gpg: using character set 'utf-8'
 # off=0 ctb=85 tag=1 hlen=3 plen=268
:pubkey enc packet: version 3, algo 1, keyid REDACTED
    data: [2047 bits]
gpg: public key is REDACTED
gpg: using subkey REDACTED instead of primary key REDACTED
gpg: public key encrypted data: good DEK  <==========================
 # off=271 ctb=d2 tag=18 hlen=2 plen=0 partial new-ctb
:encrypted data packet:
    length: unknown
    mdc_method: 2
gpg: using subkey 3950DF97FEC89CBB instead of primary key REDACTED
gpg: encrypted with 2048-bit RSA key, ID REDACTED, created 2013-06-18
      "REDACTED"
gpg: AES256 encrypted data
 # off=292 ctb=a3 tag=8 hlen=1 plen=0 indeterminate
:compressed packet: algo=1
 # off=294 ctb=cb tag=11 hlen=2 plen=0 partial new-ctb
:literal data packet:
    mode b (62), created 1530633202, name="",
    raw data: unknown length
gpg: original file name=''

Failure

gpg -vvv -d -u REDACTED Passwords.txt.gpg
gpg: using character set 'utf-8'
 # off=0 ctb=85 tag=1 hlen=3 plen=268
:pubkey enc packet: version 3, algo 1, keyid REDACTED
    data: [2047 bits]
gpg: public key is REDACTED
gpg: using subkey REDACTED instead of primary key REDACTED
 # off=271 ctb=d2 tag=18 hlen=2 plen=0 partial new-ctb
:encrypted data packet:
    length: unknown
    mdc_method: 2
gpg: using subkey REDACTED instead of primary key REDACTED
gpg: encrypted with 2048-bit RSA key, ID REDACTED, created 2013-06-18
      "REDACTED"
gpg: public key decryption failed: Wrong secret key used
gpg: decryption failed: No secret key

The difference is the Good DEK message on the seventh line of the output.

Edited: Removed table

  1. Posted by Luke Le (Support Staff) on 09 Jul, 2018 06:43 PM


    Hi,

    We are very sorry you are experiencing problems with GPG Suite.
    Hmm... is there any chance you have a custom GnuPG from homebrew/MacPorts/fink? In your output I don't see any calls to pinentry, which is responsible for requesting the passphrase to unlock the private key. There should be a line reading something like gpg: pinentry launched (15814 mac 1.1.1 /dev/ttys003 xterm-256color -)

    I have written a test script which runs decrypt 100 times and each decryption seems to work.

    I have also noticed that you are using -u REDACTED. Is there any particular reason you are passing this option? I think it's a no-op for the decryption operation.

  2. Posted by jatedev on 09 Jul, 2018 08:35 PM


    I have recently installed Python 3 from MacPorts. I have not intentionally installed any gpg packages from there. Here are some results of commands that I think would check that:

    $ which gpg
    /usr/local/bin/gpg
    $ ls -l /usr/local/bin/gpg
    lrwxr-xr-x  1 root  wheel  27 Jun  9  2017 /usr/local/bin/gpg -> /usr/local/MacGPG2/bin/gpg2
    
    $ gpgconf
    gpg:OpenPGP:/usr/local/MacGPG2/bin/gpg
    gpg-agent:Private Keys:/usr/local/MacGPG2/bin/gpg-agent
    scdaemon:Smartcards:/usr/local/MacGPG2/libexec/scdaemon
    gpgsm:S/MIME:/usr/local/MacGPG2/bin/gpgsm
    dirmngr:Network:/usr/local/MacGPG2/bin/dirmngr
    pinentry:Passphrase Entry:/usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
    

    I did see the pinentry verbose message once. I have been caching my credentials within the MacOS Keychain, it seems. I can force it to prompt me for the password after removing the credential from the "Keychain Access" program.

    $ echo RELOADAGENT | gpg-connect-agent
    OK
    $ gpg -vvv -d Passwords.txt.gpg
    gpg: using character set 'utf-8'
     # off=0 ctb=85 tag=1 hlen=3 plen=268
    :pubkey enc packet: version 3, algo 1, keyid XXXXXXXXXXXXXXXX
        data: [2047 bits]
    gpg: public key is XXXXXXXXXXXXXXXX
    gpg: using subkey XXXXXXXXXXXXXXXX instead of primary key XXXXXXXXXXXXXXXX
    gpg: pinentry launched (42808 unknown 0.9.7 ? ? ?)
     # off=271 ctb=d2 tag=18 hlen=2 plen=0 partial new-ctb
    :encrypted data packet:
        length: unknown
        mdc_method: 2
    gpg: using subkey XXXXXXXXXXXXXXXX instead of primary key XXXXXXXXXXXXXXXX
    gpg: encrypted with 2048-bit RSA key, ID XXXXXXXXXXXXXXXX, created 2013-06-18
          "XXX <[email blocked]>"
    gpg: public key decryption failed: Wrong secret key used
    gpg: decryption failed: No secret key
    
    $ gpg -vvv -d Passwords.txt.gpg
    gpg: using character set 'utf-8'
     # off=0 ctb=85 tag=1 hlen=3 plen=268
    :pubkey enc packet: version 3, algo 1, keyid XXXXXXXXXXXXXXXX
        data: [2047 bits]
    gpg: public key is XXXXXXXXXXXXXXXX
    gpg: using subkey XXXXXXXXXXXXXXXX instead of primary key XXXXXXXXXXXXXXXX
    gpg: pinentry launched (42839 unknown 0.9.7 ? ? ?)
    gpg: public key encrypted data: good DEK
     # off=271 ctb=d2 tag=18 hlen=2 plen=0 partial new-ctb
    :encrypted data packet:
        length: unknown
        mdc_method: 2
    gpg: using subkey XXXXXXXXXXXXXXXX instead of primary key XXXXXXXXXXXXXXXX
    gpg: encrypted with 2048-bit RSA key, ID XXXXXXXXXXXXXXXX, created 2013-06-18
          "XX <[email blocked]>"
    gpg: AES256 encrypted data
     # off=292 ctb=a3 tag=8 hlen=1 plen=0 indeterminate
    :compressed packet: algo=1
     # off=294 ctb=cb tag=11 hlen=2 plen=0 partial new-ctb
    :literal data packet:
        mode b (62), created 1530633202, name="",
        raw data: unknown length
    gpg: original file name=''
    ...
    gpg: decryption okay
    
    The call to pinentry does not seem to affect the problem. It fails at around the same rate.

    I added the -u option because I thought it would have an effect on the problem when I tried to decipher the error messages. I think that it's not affecting anything, as you suggest.

  3. Posted by Luke Le (Support Staff) on 11 Jul, 2018 03:14 PM


    Hmm... that is indeed curious. What file size is the Passwords.txt.gpg file?

  4. Posted by jatedev on 11 Jul, 2018 03:18 PM


    It's about 3k.

  5. Posted by Luke Le (Support Staff) on 11 Jul, 2018 03:20 PM


    Hmm... ok, so file size shouldn't be an issue either. Do you see any crashes in ~/Library/DiagnosticReports/ related to gpg processes?

    What you could do is enable debug mode for gpg-agent and look for any differences in there. Add the following lines to your gpg-agent.conf and kill gpg-agent:

    log-file /tmp/gpg-agent.log
    debug-level expert
    
  6. Posted by jatedev on 12 Jul, 2018 01:36 AM


    I did not notice any gpg logs within DiagnosticReports.

    I activated the expert debug-level, and I noticed the following differences.
    Successful decryption:

    2018-07-11 19:47:11 gpg-agent[44420] DBG: chan_8 <- SETKEY XXXX
    2018-07-11 19:47:11 gpg-agent[44420] DBG: chan_8 -> OK
    2018-07-11 19:47:11 gpg-agent[44420] DBG: chan_8 <- SETKEYDESC Please+enter+the+passphrase+to+unlock+the+OpenPGP+secret+key:%0A YYYY %0A
    2018-07-11 19:47:11 gpg-agent[44420] DBG: chan_8 -> OK
    2018-07-11 19:47:11 gpg-agent[44420] DBG: chan_8 <- PKDECRYPT
    2018-07-11 19:47:11 gpg-agent[44420] DBG: chan_8 -> S INQUIRE_MAXLEN 4096
    2018-07-11 19:47:11 gpg-agent[44420] DBG: chan_8 -> INQUIRE CIPHERTEXT
    2018-07-11 19:47:11 gpg-agent[44420] DBG: chan_8 <- [ 44 20 28 37 3a 65 6e 63 2d 76 61 6c 28 33 3a 72 ...(281 byte(s) skipped) ]
    2018-07-11 19:47:11 gpg-agent[44420] DBG: chan_8 <- END
    2018-07-11 19:47:11 gpg-agent[44420] DBG: agent_get_cache 'XXXX'.0 (mode 2) ...
    2018-07-11 19:47:11 gpg-agent[44420] DBG: ... hit
    2018-07-11 19:47:11 gpg-agent[44420] DBG: chan_8 -> [ 44 20 28 35 3a 76 61 6c 75 65 32 35 35 3a 02 54 ...(259 byte(s) skipped) ]
    2018-07-11 19:47:11 gpg-agent[44420] DBG: chan_8 -> OK
    2018-07-11 19:47:11 gpg-agent[44420] DBG: chan_8 <- [eof]
    

    Failure:

    2018-07-11 19:47:39 gpg-agent[44420] DBG: chan_8 <- SETKEY XXXX
    2018-07-11 19:47:39 gpg-agent[44420] DBG: chan_8 -> OK
    2018-07-11 19:47:39 gpg-agent[44420] DBG: chan_8 <- SETKEYDESC Please+enter+the+passphrase+to+unlock+the+OpenPGP+secret+key:YYYY%0A
    2018-07-11 19:47:39 gpg-agent[44420] DBG: chan_8 -> OK
    2018-07-11 19:47:39 gpg-agent[44420] DBG: chan_8 <- PKDECRYPT
    2018-07-11 19:47:39 gpg-agent[44420] DBG: chan_8 -> S INQUIRE_MAXLEN 4096
    2018-07-11 19:47:39 gpg-agent[44420] DBG: chan_8 -> INQUIRE CIPHERTEXT
    2018-07-11 19:47:39 gpg-agent[44420] DBG: chan_8 <- [ 44 20 28 37 3a 65 6e 63 2d 76 61 6c 28 33 3a 72 ...(281 byte(s) skipped) ]
    2018-07-11 19:47:39 gpg-agent[44420] DBG: chan_8 <- END
    2018-07-11 19:47:39 gpg-agent[44420] DBG: agent_get_cache 'XXXX'.0 (mode 2) ...
    2018-07-11 19:47:39 gpg-agent[44420] DBG: ... hit
    2018-07-11 19:47:39 gpg-agent[44420] DBG: chan_8 -> [ 44 20 28 35 3a 76 61 6c 75 65 32 35 37 3a ff 10 ...(265 byte(s) skipped) ]
    2018-07-11 19:47:39 gpg-agent[44420] DBG: chan_8 -> OK
    2018-07-11 19:47:39 gpg-agent[44420] DBG: chan_8 <- [eof]
    

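The two PKDECRYPT replies in the last post carry the actual diagnostic. In both runs gpg sends the same ciphertext (the inbound dumps start with identical bytes) and the agent reports a passphrase cache hit, so the divergence happens inside the agent's RSA decryption. The agent returns the raw RSA result as a libgcrypt (value ...) S-expression and gpg strips the PKCS#1 v1.5 padding itself; decoding the hex prefixes shows that the successful run returned a 255-byte value beginning 0x02 (a PKCS#1 type-2 block with its leading zero dropped, which is what gpg expects), while the failing run returned a 257-byte value beginning 0xff, longer than a 2048-bit modulus and not a type-2 block, which is exactly the condition gpg reports as "Wrong secret key used". The following Python script is an added example, not code from the thread or from GPG Suite: it parses the two log lines quoted above and applies that check. The 256-byte modulus size is taken from the "2048-bit RSA key" line in the gpg output; the dump format and S-expression layout are read from the log lines themselves.

```python
import re

# Two gpg-agent "expert" debug-log lines copied from the thread above: the agent's
# reply to PKDECRYPT for the decryption that succeeded and for the one that failed.
# The agent prints only the first 16 bytes of each Assuan data line, then
# "...(N byte(s) skipped)", which is enough to see how the reply starts.
AGENT_REPLY_OK = ("2018-07-11 19:47:11 gpg-agent[44420] DBG: chan_8 -> "
                  "[ 44 20 28 35 3a 76 61 6c 75 65 32 35 35 3a 02 54 ...(259 byte(s) skipped) ]")
AGENT_REPLY_BAD = ("2018-07-11 19:47:39 gpg-agent[44420] DBG: chan_8 -> "
                   "[ 44 20 28 35 3a 76 61 6c 75 65 32 35 37 3a ff 10 ...(265 byte(s) skipped) ]")

# Hex dump as gpg-agent prints it: "chan_N -> [ aa bb ... ...(K byte(s) skipped) ]".
DUMP_RE = re.compile(r"chan_\d+ -> \[ ((?:[0-9a-f]{2} )+)\.\.\.\((\d+) byte\(s\) skipped\) \]")
# libgcrypt returns a decryption result as the canonical S-expression "(5:value<len>:<bytes>)".
VALUE_RE = re.compile(rb"^\((\d+):value(\d+):")


def parse_agent_reply(line):
    """Decode one logged PKDECRYPT reply into (mpi_len, leading_bytes)."""
    m = DUMP_RE.search(line)
    if m is None:
        raise ValueError("not a gpg-agent outbound hex dump")
    shown = bytes.fromhex(m.group(1).replace(" ", ""))
    # Assuan data lines are "D " followed by the payload.
    if not shown.startswith(b"D "):
        raise ValueError("not an Assuan data line")
    payload = shown[2:]
    v = VALUE_RE.match(payload)
    if v is None or int(v.group(1)) != 5:
        raise ValueError("payload is not a (value ...) S-expression")
    return int(v.group(2)), payload[v.end():]


def assess_rsa_plaintext(mpi_len, leading, modulus_bytes=256):
    """Classify the decrypted MPI the way gpg's PKCS#1 v1.5 unpadding sees it.

    A correct RSA decryption of an OpenPGP session key yields the block
    00 02 <non-zero padding> 00 <session key>, exactly modulus_bytes long.
    The agent hands it back as an MPI, so the leading 00 is normally gone and
    gpg expects at most modulus_bytes - 1 bytes starting with 0x02 (it also
    tolerates an explicit leading 00). Anything else is reported as
    "Wrong secret key used". modulus_bytes=256 matches the thread's 2048-bit key.
    """
    if mpi_len > modulus_bytes:
        return False, f"{mpi_len}-byte value exceeds the {modulus_bytes}-byte modulus: not a valid RSA result"
    pos = 1 if leading[:1] == b"\x00" else 0
    if len(leading) <= pos or leading[pos] != 0x02:
        return False, "no PKCS#1 block type 2 marker: gpg reports 'Wrong secret key used'"
    return True, "PKCS#1 block type 2 marker present: gpg reports 'good DEK'"


def diagnose(line):
    """Return (ok, mpi_len, first_byte_hex, reason) for one logged reply."""
    mpi_len, leading = parse_agent_reply(line)
    ok, reason = assess_rsa_plaintext(mpi_len, leading)
    return ok, mpi_len, leading[:1].hex(), reason


if __name__ == "__main__":
    for label, line in (("success", AGENT_REPLY_OK), ("failure", AGENT_REPLY_BAD)):
        ok, n, first, reason = diagnose(line)
        print(f"{label}: value={n} bytes, first byte=0x{first}: {reason}")
```

Run it over a longer gpg-agent.log by feeding every "chan_N -> [ 44 20 28 35 ..." line to diagnose(); a run in which the ciphertext and the cache hit are identical but the value length or first byte changes points at the agent's RSA computation rather than at the key material, the passphrase cache, or the encrypted file.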