GPG_ERROR_CODES reports "incorrect passphrase" when in fact the secret key is missing

[vsajip]

Original report by Anonymous.

---

Discovered this by trying to decrypt a file for which the secret key is not loaded.

import gnupg

gpg = gnupg.GPG(gnupghome='/home/user/gnupg/')

with open('priv-key.asc') as fd:
    content = fd.read()
res = gpg.import_keys(content)

with open('file.gpg', 'rb') as gpgfile:
    decrypted = gpg.decrypt_file(gpgfile, passphrase='password', output='file')

print(decrypted.ok)   # prints False
print(decrypted.GPG_ERROR_CODES) # {11: 'incorrect passphrase'}

I'm using an elliptic curve key with ed25519.

The logs with logging.DEBUG on (paraphrased):

• gpg: encrypted with ECDH key, ID
• [GNUPG:] NO_SECKEY
• [GNUPG:] BEGIN_DECRYPTION
• [GNUPG:] DECRYPTION_FAILED
• gpg: decryption failed: No secret key
• [GNUPG:] END_DECRYPTION

[vsajip]

gpg.ERROR_CODESis an internal mapping of error codes to messages. What’s the value of decrypted.status? That’s what you should look at when something goes wrong. However, you’re right that the NO_SECKEY message isn’t being handled correctly.

[vsajip]

Fix #157: Handle NO_SECKEY message better than before.

[vsajip]

Original changes by Vinay Sajip (Bitbucket: vinay.sajip, GitHub: vsajip).

---

changed state from "new" to "resolved"

[vsajip]

Original comment by Ryan McLeod (Bitbucket: [Ryan McLeod](https://bitbucket.org/Ryan McLeod), ).

---

decrypted.status reports “decryption failed”

‌

[vsajip]

I’ve made some changes and added a test. The next release will have better handling of this situation.

[vsajip]

Original comment by Ryan McLeod (Bitbucket: [Ryan McLeod](https://bitbucket.org/Ryan McLeod), ).

---

Probably worth checking the verify_file function as well. I played with that a bit earlier. the GPG_ERROR_CODES states incorrect passphrase. the stderr string states “unexpected error”. i have to look further as to what the specific issue is. i expect it’s either the file isn’t signed, or because i dont have the signee’s pubkey loaded.

[vsajip]

Can you try with the latest repository version and see if my changes make a difference? As I mentioned earlier, GPG_ERROR_CODES isn’t relevant to all error reporting - it’s merely an internal constant table mapping from GPG error codes to messages. Can you please post the logs relating to the problem area?

[vsajip]

Original comment by Ryan McLeod (Bitbucket: [Ryan McLeod](https://bitbucket.org/Ryan McLeod), ).

---

Looks like the issue’s persisting. Can you confirm I’ve done the right method to ensure the correct version is used?

First I just installed the 0.4.8, but my terminal was still loading 0.4.7. So I’ve done the following:

‌

sudo pip uninstall python-gnupg
sudo python3 setup.py install 
python3
>>> gnupg.__version__
'0.4.8.dev0'

Then using the same code as above, still getting incorrect passphrase.

[vsajip]

You should never normally use sudo and pip together, that can seriously mess up your system. For more information, see for example here. Can you download the repository as a .zip from the “Download repository” link on this page, then run test_gnupy.py? If all tests pass, then it shows that the problem is perhaps not with python-gnupgbut with your setup (e.g. version of GnuPG installed). The test I added is called test_no_such_key- if it fails, please post the test_gnupg.log that test_gnupg.py creates.

[vsajip]

Also, enable logging in your script and post the log of the test script that shows the failure.

[vsajip]

Original comment by Ryan McLeod (Bitbucket: [Ryan McLeod](https://bitbucket.org/Ryan McLeod), ).

---

The script has a few failures. looks strange to me, like something’s missing in the environment.

....................F....F.....FF.
======================================================================
FAIL: test_no_such_key (__main__.GPGTestCase)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "test_gnupg.py", line 1242, in test_no_such_key
    self.assertEqual(decrypted.status, expected)
AssertionError: 'no secret key' != 'decryption failed'
- no secret key
+ decryption failed


======================================================================
FAIL: test_search_keys (__main__.GPGTestCase)
Test that searching for keys works
----------------------------------------------------------------------
Traceback (most recent call last):
  File "test_gnupg.py", line 1060, in test_search_keys
    self.assertEqual(0, r.returncode, "Non-zero return code")
AssertionError: 0 != 2 : Non-zero return code

======================================================================
FAIL: recv_keys (gnupg.GPG)
Doctest: gnupg.GPG.recv_keys
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/lib/python3.8/doctest.py", line 2204, in runTest
    raise self.failureException(self.format_failure(new.getvalue()))
AssertionError: Failed doctest test for gnupg.GPG.recv_keys
  File "/home/vmuser/py-gnupg/vinay.sajip-python-gnupg-0fbbe008b12d/gnupg.py", line 1219, in recv_keys

----------------------------------------------------------------------
File "/home/vmuser/py-gnupg/vinay.sajip-python-gnupg-0fbbe008b12d/gnupg.py", line 1229, in gnupg.GPG.recv_keys
Failed example:
    if 'NO_EXTERNAL_TESTS' not in os.environ: assert result
Exception raised:
    Traceback (most recent call last):
      File "/usr/lib/python3.8/doctest.py", line 1336, in __run
        exec(compile(example.source, filename, "single",
      File "<doctest gnupg.GPG.recv_keys[7]>", line 1, in <module>
        if 'NO_EXTERNAL_TESTS' not in os.environ: assert result
    AssertionError


======================================================================
FAIL: search_keys (gnupg.GPG)
Doctest: gnupg.GPG.search_keys
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/lib/python3.8/doctest.py", line 2204, in runTest
    raise self.failureException(self.format_failure(new.getvalue()))
AssertionError: Failed doctest test for gnupg.GPG.search_keys
  File "/home/vmuser/py-gnupg/vinay.sajip-python-gnupg-0fbbe008b12d/gnupg.py", line 1430, in search_keys

----------------------------------------------------------------------
File "/home/vmuser/py-gnupg/vinay.sajip-python-gnupg-0fbbe008b12d/gnupg.py", line 1440, in gnupg.GPG.search_keys
Failed example:
    if 'NO_EXTERNAL_TESTS' not in os.environ: assert result, 'Failed using default keyserver'
Exception raised:
    Traceback (most recent call last):
      File "/usr/lib/python3.8/doctest.py", line 1336, in __run
        exec(compile(example.source, filename, "single",
      File "<doctest gnupg.GPG.search_keys[7]>", line 1, in <module>
        if 'NO_EXTERNAL_TESTS' not in os.environ: assert result, 'Failed using default keyserver'
    AssertionError: Failed using default keyserver


----------------------------------------------------------------------
Ran 34 tests in 90.658s

FAILED (failures=4)

Here’s the output from my sample script with logging turned on.

‌

399630: gpg --pinentry-mode loopback --status-fd 2 --no-tty --no-verbose --fixed-list-mode --batch --with-colons --homedir /home/vmuser/gnupg/ --passphrase-fd 0 --decrypt --output file.txt
Wrote passphrase
data copier: <Thread(Thread-3, initial daemon)>, <_io.BufferedReader name='file.txt.gpg'>, <_io.BufferedWriter name=5>
stderr reader: <Thread(Thread-4, initial daemon)>
stdout reader: <Thread(Thread-5, initial daemon)>
gpg: WARNING: unsafe permissions on homedir '/home/vmuser/gnupg'
[GNUPG:] ENC_TO F58123473A9339D6 18 0
[GNUPG:] KEY_CONSIDERED 235408C133F1BE86D16DCCB38B0E1394715B93 0
closed output, 35849524 bytes sent
gpg: encrypted with 256-bit ECDH key, ID F58123473A9339D6, created 2021-05-15
      "ryan mcleod <ryan mcleod@gmail.com>"
[GNUPG:] NO_SECKEY F58123473A9339D6
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_FAILED
gpg: decryption failed: No secret key
[GNUPG:] END_DECRYPTION
gpg returned a non-zero error code: 2
decrypt result[:100]: b''
False
{11: 'incorrect passphrase'}

‌

[vsajip]

I think it might be something to do with your environment; perhaps it’s something to do with having run pip with sudo. As far as I know all tests seem to pass on the CI system for the latest change, including the test_no_such_key that I added most recently. And they all pass on my machine, too, of course.

[vsajip]

Original comment by Ryan McLeod (Bitbucket: [Ryan McLeod](https://bitbucket.org/Ryan McLeod), ).

---

Yeah it’s strange. With a bit of tinkering i got the gnupg package in a directory for just my account. I ran the test again and got the same failures. I purged the source directory and unziped it again. Got the same result with the four errors.

I’m running it on ubuntu 20, not 18, but that shouldn’t make a difference really.

probably not a big issue. I’ve been trying to automate some gpg stuff using bash and have had some headaches trying to capture stdout/stderr to make decisions. This project at least handles that. so ican probably switch it over to this and have more success.

[vsajip]

Wait - there’s one other possibility I haven’t bottomed out - different versions of GnuPG behave differently with respect to the messages they send out. Here’s what I get with GnuPG 1.4.22:

2021-08-20 21:43:58,058 DEBUG gnupg      Thread-10   980 [GNUPG:] ENC_TO 24819C9B75BCAD8D 16 0
2021-08-20 21:43:58,058 DEBUG gnupg      Thread-10   980 gpg: encrypted with ELG-E key, ID 75BCAD8D
2021-08-20 21:43:58,058 DEBUG gnupg      Thread-10   980 [GNUPG:] NO_SECKEY 24819C9B75BCAD8D
2021-08-20 21:43:58,058 DEBUG gnupg      Thread-10   980 [GNUPG:] BEGIN_DECRYPTION
2021-08-20 21:43:58,058 DEBUG gnupg      Thread-10   980 [GNUPG:] DECRYPTION_FAILED
2021-08-20 21:43:58,058 DEBUG gnupg      Thread-10   980 gpg: decryption failed: secret key not available
2021-08-20 21:43:58,058 DEBUG gnupg      Thread-10   980 [GNUPG:] END_DECRYPTION

Here’s what I get with GnuPG 2.3.1:

2021-08-20 21:44:42,520 DEBUG gnupg      Thread-10   980 [GNUPG:] ENC_TO 031F36181FE503A2 16 0
2021-08-20 21:44:42,520 DEBUG gnupg      Thread-10   980 gpg: encrypted with ELG key, ID 031F36181FE503A2
2021-08-20 21:44:42,521 DEBUG gnupg      Thread-10   980 gpg: public key decryption failed: No secret key
2021-08-20 21:44:42,521 DEBUG gnupg      Thread-10   980 [GNUPG:] ERROR pkdecrypt_failed 33554449
2021-08-20 21:44:42,521 WARNING gnupg      Thread-10   651 potential problem: ERROR: pkdecrypt_failed 33554449
2021-08-20 21:44:42,521 DEBUG gnupg      Thread-10   980 [GNUPG:] BEGIN_DECRYPTION
2021-08-20 21:44:42,521 DEBUG gnupg      Thread-10   980 [GNUPG:] DECRYPTION_FAILED
2021-08-20 21:44:42,521 DEBUG gnupg      Thread-10   980 gpg: decryption failed: No secret key
2021-08-20 21:44:42,524 DEBUG gnupg      Thread-10   980 [GNUPG:] END_DECRYPTION
2021-08-20 21:44:42,524 DEBUG gnupg      Thread-10   980 gpg: [don't know]: invalid packet (ctb=73)
2021-08-20 21:44:42,524 DEBUG gnupg      Thread-10   980 [GNUPG:] NODATA 3

and here’s the behaviour with GnuPG 2.2.19:

2021-08-20 20:25:39,629 DEBUG gnupg      Thread-10   980 [GNUPG:] ENC_TO 1A453EB8AC49419F 16 0
2021-08-20 20:25:39,629 DEBUG gnupg      Thread-10   980 gpg: encrypted with ELG key, ID 1A453EB8AC49419F
2021-08-20 20:25:39,629 DEBUG gnupg      Thread-10   980 [GNUPG:] NO_SECKEY 1A453EB8AC49419F
2021-08-20 20:25:39,629 DEBUG gnupg      Thread-10   980 [GNUPG:] BEGIN_DECRYPTION
2021-08-20 20:25:39,629 DEBUG gnupg      Thread-10   980 [GNUPG:] DECRYPTION_FAILED
2021-08-20 20:25:39,629 DEBUG gnupg      Thread-10   980 gpg: decryption failed: No secret key
2021-08-20 20:25:39,629 DEBUG gnupg      Thread-10   980 [GNUPG:] END_DECRYPTION

And your log shows that your version of GnuPG outputs NO_SECKEY.

So I might have been bamboozled by the fact that the very latest version behaves differently to older versions. It looks as it you might or might not get ‘no secret key’ depending on the version of GnuPG you run - so I’ll update my test to pass if either of ‘no secret key’ or ‘decryption failed’. Of course the latest GnuPG should output a NO_SECKEY message, but it doesn’t. My test_no_such_key was flawed because it assumed 1.4.22 behaves one way (NO_SECKEY seen), and 2.X behaves another way (no NO_SECKEY seen). I’ll update the test, but you’ll need to be prepared to see decryption failed if GnuPG never outputs a `

Former user

created an issue 2021-08-13

Discovered this by trying to decrypt a file for which the secret key is not loaded.

‌

import gnupg

gpg = gnupg.GPG(gnupghome='/home/user/gnupg/')

with open('priv-key.asc') as fd:
    content = fd.read()
res = gpg.import_keys(content)

with open('file.gpg', 'rb') as gpgfile:
    decrypted = gpg.decrypt_file(gpgfile, passphrase='password', output='file')

print(decrypted.ok)   # prints False
print(decrypted.GPG_ERROR_CODES) # {11: 'incorrect passphrase'}

I'm using an elliptic curve key with ed25519.

‌

The logs with logging.DEBUG on (paraphrased): * gpg: encrypted with ECDH key, ID * [GNUPG:] NO_SECKEY * [GNUPG:] BEGIN_DECRYPTION * [GNUPG:] DECRYPTION_FAILED * gpg: decryption failed: No secret key * [GNUPG:] END_DECRYPTION

Comments (12)

1. 

   Vinay Sajip repo owner

   gpg.ERROR_CODESis an internal mapping of error codes to messages. What’s the value of decrypted.status? That’s what you should look at when something goes wrong. However, you’re right that the NO_SECKEY message isn’t being handled correctly.

   • Edit
   • 
     ‌ Pin to top
     
   • 
     ‌ Mark as spam
     
   • 
     ‌ Delete
     
   • 
     ‌ 2021-08-14
     

2. 

   Vinay Sajip repo owner

   • changed status to resolved

   Fix #157: Handle NO_SECKEY message better than before.

   → <<cset 0fbbe008b12d>>

   • Edit
   • 
     ‌ Pin to top
     
   • 
     ‌ Mark as spam
     
   • 
     ‌ Delete
     
   • 
     ‌ 2021-08-14
     

3. 

   Ryan McLeod

   decrypted.status reports “decryption failed”

   ‌

   • 
     ‌ Mark as spam
     
   • 
     ‌ Delete
     
   • 
     ‌ 4 days ago
     

4. 

   Vinay Sajip repo owner

   I’ve made some changes and added a test. The next release will have better handling of this situation.

   • Edit
   • 
     ‌ Pin to top
     
   • 
     ‌ Mark as spam
     
   • 
     ‌ Delete
     
   • 
     ‌ 4 days ago
     

5. 

   Ryan McLeod

   Probably worth checking the verify_file function as well. I played with that a bit earlier. the GPG_ERROR_CODES states incorrect passphrase. the stderr string states “unexpected error”. i have to look further as to what the specific issue is. i expect it’s either the file isn’t signed, or because i dont have the signee’s pubkey loaded.

   • 
     ‌ Mark as spam
     
   • 
     ‌ Delete
     
   • 
     ‌ 4 days ago
     

6. 

   Vinay Sajip repo owner

   Can you try with the latest repository version and see if my changes make a difference? As I mentioned earlier, GPG_ERROR_CODES isn’t relevant to all error reporting - it’s merely an internal constant table mapping from GPG error codes to messages. Can you please post the logs relating to the problem area?

   • Edit
   • 
     ‌ Pin to top
     
   • 
     ‌ Mark as spam
     
   • 
     ‌ Delete
     
   • 
     ‌ 4 days ago
     

7. 

   Ryan McLeod

   Looks like the issue’s persisting. Can you confirm I’ve done the right method to ensure the correct version is used?

   First I just installed the 0.4.8, but my terminal was still loading 0.4.7. So I’ve done the following:

   ‌

   sudo pip uninstall python-gnupg
   sudo python3 setup.py install 
   python3
   >>> gnupg.__version__
   '0.4.8.dev0'
   

   Then using the same code as above, still getting incorrect passphrase.

   • 
     ‌ Mark as spam
     
   • 
     ‌ Delete
     
   • 
     ‌ yesterday
     

8. 

   Vinay Sajip repo owner

   You should never normally use sudo and pip together, that can seriously mess up your system. For more information, see for example here. Can you download the repository as a .zip from the “Download repository” link on this page, then run test_gnupy.py? If all tests pass, then it shows that the problem is perhaps not with python-gnupgbut with your setup (e.g. version of GnuPG installed). The test I added is called test_no_such_key- if it fails, please post the test_gnupg.log that test_gnupg.py creates.

   • Edit
   • 
     ‌ Pin to top
     
   • 
     ‌ Mark as spam
     
   • 
     ‌ Delete
     
   • 
     ‌ 22 hours ago
     

9. 

   Vinay Sajip repo owner

   Also, enable logging in your script and post the log of the test script that shows the failure.

   • Edit
   • 
     ‌ Pin to top
     
   • 
     ‌ Mark as spam
     
   • 
     ‌ Delete
     
   • 
     ‌ 22 hours ago
     

10. 

    Ryan McLeod

    The script has a few failures. looks strange to me, like something’s missing in the environment.

    ....................F....F.....FF.
    ======================================================================
    FAIL: test_no_such_key (__main__.GPGTestCase)
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "test_gnupg.py", line 1242, in test_no_such_key
        self.assertEqual(decrypted.status, expected)
    AssertionError: 'no secret key' != 'decryption failed'
    - no secret key
    + decryption failed
    
    
    ======================================================================
    FAIL: test_search_keys (__main__.GPGTestCase)
    Test that searching for keys works
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "test_gnupg.py", line 1060, in test_search_keys
        self.assertEqual(0, r.returncode, "Non-zero return code")
    AssertionError: 0 != 2 : Non-zero return code
    
    ======================================================================
    FAIL: recv_keys (gnupg.GPG)
    Doctest: gnupg.GPG.recv_keys
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "/usr/lib/python3.8/doctest.py", line 2204, in runTest
        raise self.failureException(self.format_failure(new.getvalue()))
    AssertionError: Failed doctest test for gnupg.GPG.recv_keys
      File "/home/vmuser/py-gnupg/vinay.sajip-python-gnupg-0fbbe008b12d/gnupg.py", line 1219, in recv_keys
    
    ----------------------------------------------------------------------
    File "/home/vmuser/py-gnupg/vinay.sajip-python-gnupg-0fbbe008b12d/gnupg.py", line 1229, in gnupg.GPG.recv_keys
    Failed example:
        if 'NO_EXTERNAL_TESTS' not in os.environ: assert result
    Exception raised:
        Traceback (most recent call last):
          File "/usr/lib/python3.8/doctest.py", line 1336, in __run
            exec(compile(example.source, filename, "single",
          File "<doctest gnupg.GPG.recv_keys[7]>", line 1, in <module>
            if 'NO_EXTERNAL_TESTS' not in os.environ: assert result
        AssertionError
    
    
    ======================================================================
    FAIL: search_keys (gnupg.GPG)
    Doctest: gnupg.GPG.search_keys
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "/usr/lib/python3.8/doctest.py", line 2204, in runTest
        raise self.failureException(self.format_failure(new.getvalue()))
    AssertionError: Failed doctest test for gnupg.GPG.search_keys
      File "/home/vmuser/py-gnupg/vinay.sajip-python-gnupg-0fbbe008b12d/gnupg.py", line 1430, in search_keys
    
    ----------------------------------------------------------------------
    File "/home/vmuser/py-gnupg/vinay.sajip-python-gnupg-0fbbe008b12d/gnupg.py", line 1440, in gnupg.GPG.search_keys
    Failed example:
        if 'NO_EXTERNAL_TESTS' not in os.environ: assert result, 'Failed using default keyserver'
    Exception raised:
        Traceback (most recent call last):
          File "/usr/lib/python3.8/doctest.py", line 1336, in __run
            exec(compile(example.source, filename, "single",
          File "<doctest gnupg.GPG.search_keys[7]>", line 1, in <module>
            if 'NO_EXTERNAL_TESTS' not in os.environ: assert result, 'Failed using default keyserver'
        AssertionError: Failed using default keyserver
    
    
    ----------------------------------------------------------------------
    Ran 34 tests in 90.658s
    
    FAILED (failures=4)
    

    Here’s the output from my sample script with logging turned on.

    ‌

    399630: gpg --pinentry-mode loopback --status-fd 2 --no-tty --no-verbose --fixed-list-mode --batch --with-colons --homedir /home/vmuser/gnupg/ --passphrase-fd 0 --decrypt --output file.txt
    Wrote passphrase
    data copier: <Thread(Thread-3, initial daemon)>, <_io.BufferedReader name='file.txt.gpg'>, <_io.BufferedWriter name=5>
    stderr reader: <Thread(Thread-4, initial daemon)>
    stdout reader: <Thread(Thread-5, initial daemon)>
    gpg: WARNING: unsafe permissions on homedir '/home/vmuser/gnupg'
    [GNUPG:] ENC_TO F58123473A9339D6 18 0
    [GNUPG:] KEY_CONSIDERED 235408C133F1BE86D16DCCB38B0E1394715B93 0
    closed output, 35849524 bytes sent
    gpg: encrypted with 256-bit ECDH key, ID F58123473A9339D6, created 2021-05-15
          "ryan mcleod <ryan mcleod@gmail.com>"
    [GNUPG:] NO_SECKEY F58123473A9339D6
    [GNUPG:] BEGIN_DECRYPTION
    [GNUPG:] DECRYPTION_FAILED
    gpg: decryption failed: No secret key
    [GNUPG:] END_DECRYPTION
    gpg returned a non-zero error code: 2
    decrypt result[:100]: b''
    False
    {11: 'incorrect passphrase'}
    

    ‌

    • 
      ‌ Mark as spam
      
    • 
      ‌ Delete
      
    • 
      ‌ 3 hours ago
      

11. 

    Vinay Sajip repo owner

    I think it might be something to do with your environment; perhaps it’s something to do with having run pip with sudo. As far as I know all tests seem to pass on the CI system for the latest change, including the test_no_such_key that I added most recently. And they all pass on my machine, too, of course.

    • Edit
    • 
      ‌ Pin to top
      
    • 
      ‌ Mark as spam
      
    • 
      ‌ Delete
      
    • 
      ‌ an hour ago
      

12. 

    Ryan McLeod

    Yeah it’s strange. With a bit of tinkering i got the gnupg package in a directory for just my account. I ran the test again and got the same failures. I purged the source directory and unziped it again. Got the same result with the four errors.

    I’m running it on ubuntu 20, not 18, but that shouldn’t make a difference really.

    probably not a big issue. I’ve been trying to automate some gpg stuff using bash and have had some headaches trying to capture stdout/stderr to make decisions. This project at least handles that. so ican probably switch it over to this and have more success.

    • 
      ‌ Mark as spam
      
    • 
      ‌ Delete
      
    • 
      ‌ 56 minutes ago
      

13. 

    Wait - there’s one other possibility I haven’t bottomed out - different versions of GnuPG behave differently with respect to the messages they send out. Here’s what I get with GnuPG 1.4.22:

    2021-08-20 21:43:58,058 DEBUG gnupg      Thread-10   980 [GNUPG:] ENC_TO 24819C9B75BCAD8D 16 0
    2021-08-20 21:43:58,058 DEBUG gnupg      Thread-10   980 gpg: encrypted with ELG-E key, ID 75BCAD8D
    2021-08-20 21:43:58,058 DEBUG gnupg      Thread-10   980 [GNUPG:] NO_SECKEY 24819C9B75BCAD8D
    2021-08-20 21:43:58,058 DEBUG gnupg      Thread-10   980 [GNUPG:] BEGIN_DECRYPTION
    2021-08-20 21:43:58,058 DEBUG gnupg      Thread-10   980 [GNUPG:] DECRYPTION_FAILED
    2021-08-20 21:43:58,058 DEBUG gnupg      Thread-10   980 gpg: decryption failed: secret key not available
    2021-08-20 21:43:58,058 DEBUG gnupg      Thread-10   980 [GNUPG:] END_DECRYPTION
    
    
    

    Here’s what I get with GnuPG 2.3.1:

    2021-08-20 21:44:42,520 DEBUG gnupg      Thread-10   980 [GNUPG:] ENC_TO 031F36181FE503A2 16 0
    2021-08-20 21:44:42,520 DEBUG gnupg      Thread-10   980 gpg: encrypted with ELG key, ID 031F36181FE503A2
    2021-08-20 21:44:42,521 DEBUG gnupg      Thread-10   980 gpg: public key decryption failed: No secret key
    2021-08-20 21:44:42,521 DEBUG gnupg      Thread-10   980 [GNUPG:] ERROR pkdecrypt_failed 33554449
    2021-08-20 21:44:42,521 WARNING gnupg      Thread-10   651 potential problem: ERROR: pkdecrypt_failed 33554449
    2021-08-20 21:44:42,521 DEBUG gnupg      Thread-10   980 [GNUPG:] BEGIN_DECRYPTION
    2021-08-20 21:44:42,521 DEBUG gnupg      Thread-10   980 [GNUPG:] DECRYPTION_FAILED
    2021-08-20 21:44:42,521 DEBUG gnupg      Thread-10   980 gpg: decryption failed: No secret key
    2021-08-20 21:44:42,524 DEBUG gnupg      Thread-10   980 [GNUPG:] END_DECRYPTION
    2021-08-20 21:44:42,524 DEBUG gnupg      Thread-10   980 gpg: [don't know]: invalid packet (ctb=73)
    2021-08-20 21:44:42,524 DEBUG gnupg      Thread-10   980 [GNUPG:] NODATA 3
    
    
    

    and here’s the behaviour with GnuPG 2.2.19:

    2021-08-20 20:25:39,629 DEBUG gnupg      Thread-10   980 [GNUPG:] ENC_TO 1A453EB8AC49419F 16 0
    2021-08-20 20:25:39,629 DEBUG gnupg      Thread-10   980 gpg: encrypted with ELG key, ID 1A453EB8AC49419F
    2021-08-20 20:25:39,629 DEBUG gnupg      Thread-10   980 [GNUPG:] NO_SECKEY 1A453EB8AC49419F
    2021-08-20 20:25:39,629 DEBUG gnupg      Thread-10   980 [GNUPG:] BEGIN_DECRYPTION
    2021-08-20 20:25:39,629 DEBUG gnupg      Thread-10   980 [GNUPG:] DECRYPTION_FAILED
    2021-08-20 20:25:39,629 DEBUG gnupg      Thread-10   980 gpg: decryption failed: No secret key
    2021-08-20 20:25:39,629 DEBUG gnupg      Thread-10   980 [GNUPG:] END_DECRYPTION
    
    
    

    And your log shows that your version of GnuPG outputs NO_SECKEY.

    So I might have been bamboozled by the fact that the very latest version behaves differently to older versions. It looks as it you might or might not get ‘no secret key’ depending on the version of GnuPG you run - so I’ll update my test to pass if either of ‘no secret key’ or ‘decryption failed’. Of course the latest GnuPG should output a NO_SECKEY message, but it doesn’t. My test_no_such_key was flawed because it assumed 1.4.22 behaves one way (NO_SECKEY seen), and 2.X behaves another way (no NO_SECKEY seen). I’ll update the test, but you’ll need to be prepared to see decryption failed if GnuPG never outputs a `Former user

    created an issue 2021-08-13

    Discovered this by trying to decrypt a file for which the secret key is not loaded.

    import gnupg
    
    gpg = gnupg.GPG(gnupghome='/home/user/gnupg/')
    
    with open('priv-key.asc') as fd:
        content = fd.read()
    res = gpg.import_keys(content)
    
    with open('file.gpg', 'rb') as gpgfile:
        decrypted = gpg.decrypt_file(gpgfile, passphrase='password', output='file')
    
    print(decrypted.ok)   # prints False
    print(decrypted.GPG_ERROR_CODES) # {11: 'incorrect passphrase'}
    

    I'm using an elliptic curve key with ed25519.

    The logs with logging.DEBUG on (paraphrased): * gpg: encrypted with ECDH key, ID * [GNUPG:] NO_SECKEY * [GNUPG:] BEGIN_DECRYPTION * [GNUPG:] DECRYPTION_FAILED * gpg: decryption failed: No secret key * [GNUPG:] END_DECRYPTION

Comments (12)

1. 

   Vinay Sajip repo owner

   gpg.ERROR_CODESis an internal mapping of error codes to messages. What’s the value of decrypted.status? That’s what you should look at when something goes wrong. However, you’re right that the NO_SECKEY message isn’t being handled correctly.

   • Edit
   • 
     ‌ Pin to top
     
   • 
     ‌ Mark as spam
     
   • 
     ‌ Delete
     
   • 
     ‌ 2021-08-14
     

2. 

   Vinay Sajip repo owner

   • changed status to resolved

   Fix #157: Handle NO_SECKEY message better than before.

   → <<cset 0fbbe008b12d>>

   • Edit
   • 
     ‌ Pin to top
     
   • 
     ‌ Mark as spam
     
   • 
     ‌ Delete
     
   • 
     ‌ 2021-08-14
     

3. 

   Ryan McLeod

   decrypted.status reports “decryption failed”

   ‌

   • 
     ‌ Mark as spam
     
   • 
     ‌ Delete
     
   • 
     ‌ 4 days ago
     

4. 

   Vinay Sajip repo owner

   I’ve made some changes and added a test. The next release will have better handling of this situation.

   • Edit
   • 
     ‌ Pin to top
     
   • 
     ‌ Mark as spam
     
   • 
     ‌ Delete
     
   • 
     ‌ 4 days ago
     

5. 

   Ryan McLeod

   Probably worth checking the verify_file function as well. I played with that a bit earlier. the GPG_ERROR_CODES states incorrect passphrase. the stderr string states “unexpected error”. i have to look further as to what the specific issue is. i expect it’s either the file isn’t signed, or because i dont have the signee’s pubkey loaded.

   • 
     ‌ Mark as spam
     
   • 
     ‌ Delete
     
   • 
     ‌ 4 days ago
     

6. 

   Vinay Sajip repo owner

   Can you try with the latest repository version and see if my changes make a difference? As I mentioned earlier, GPG_ERROR_CODES isn’t relevant to all error reporting - it’s merely an internal constant table mapping from GPG error codes to messages. Can you please post the logs relating to the problem area?

   • Edit
   • 
     ‌ Pin to top
     
   • 
     ‌ Mark as spam
     
   • 
     ‌ Delete
     
   • 
     ‌ 4 days ago
     

7. 

   Ryan McLeod

   Looks like the issue’s persisting. Can you confirm I’ve done the right method to ensure the correct version is used?

   First I just installed the 0.4.8, but my terminal was still loading 0.4.7. So I’ve done the following:

   ‌

   sudo pip uninstall python-gnupg
   sudo python3 setup.py install 
   python3
   >>> gnupg.__version__
   '0.4.8.dev0'
   

   Then using the same code as above, still getting incorrect passphrase.

   • 
     ‌ Mark as spam
     
   • 
     ‌ Delete
     
   • 
     ‌ yesterday
     

8. 

   Vinay Sajip repo owner

   You should never normally use sudo and pip together, that can seriously mess up your system. For more information, see for example here. Can you download the repository as a .zip from the “Download repository” link on this page, then run test_gnupy.py? If all tests pass, then it shows that the problem is perhaps not with python-gnupgbut with your setup (e.g. version of GnuPG installed). The test I added is called test_no_such_key- if it fails, please post the test_gnupg.log that test_gnupg.py creates.

   • Edit
   • 
     ‌ Pin to top
     
   • 
     ‌ Mark as spam
     
   • 
     ‌ Delete
     
   • 
     ‌ 22 hours ago
     

9. 

   Vinay Sajip repo owner

   Also, enable logging in your script and post the log of the test script that shows the failure.

   • Edit
   • 
     ‌ Pin to top
     
   • 
     ‌ Mark as spam
     
   • 
     ‌ Delete
     
   • 
     ‌ 22 hours ago
     

10. 

    Ryan McLeod

    The script has a few failures. looks strange to me, like something’s missing in the environment.

    ....................F....F.....FF.
    ======================================================================
    FAIL: test_no_such_key (__main__.GPGTestCase)
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "test_gnupg.py", line 1242, in test_no_such_key
        self.assertEqual(decrypted.status, expected)
    AssertionError: 'no secret key' != 'decryption failed'
    - no secret key
    + decryption failed
    
    
    ======================================================================
    FAIL: test_search_keys (__main__.GPGTestCase)
    Test that searching for keys works
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "test_gnupg.py", line 1060, in test_search_keys
        self.assertEqual(0, r.returncode, "Non-zero return code")
    AssertionError: 0 != 2 : Non-zero return code
    
    ======================================================================
    FAIL: recv_keys (gnupg.GPG)
    Doctest: gnupg.GPG.recv_keys
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "/usr/lib/python3.8/doctest.py", line 2204, in runTest
        raise self.failureException(self.format_failure(new.getvalue()))
    AssertionError: Failed doctest test for gnupg.GPG.recv_keys
      File "/home/vmuser/py-gnupg/vinay.sajip-python-gnupg-0fbbe008b12d/gnupg.py", line 1219, in recv_keys
    
    ----------------------------------------------------------------------
    File "/home/vmuser/py-gnupg/vinay.sajip-python-gnupg-0fbbe008b12d/gnupg.py", line 1229, in gnupg.GPG.recv_keys
    Failed example:
        if 'NO_EXTERNAL_TESTS' not in os.environ: assert result
    Exception raised:
        Traceback (most recent call last):
          File "/usr/lib/python3.8/doctest.py", line 1336, in __run
            exec(compile(example.source, filename, "single",
          File "<doctest gnupg.GPG.recv_keys[7]>", line 1, in <module>
            if 'NO_EXTERNAL_TESTS' not in os.environ: assert result
        AssertionError
    
    
    ======================================================================
    FAIL: search_keys (gnupg.GPG)
    Doctest: gnupg.GPG.search_keys
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "/usr/lib/python3.8/doctest.py", line 2204, in runTest
        raise self.failureException(self.format_failure(new.getvalue()))
    AssertionError: Failed doctest test for gnupg.GPG.search_keys
      File "/home/vmuser/py-gnupg/vinay.sajip-python-gnupg-0fbbe008b12d/gnupg.py", line 1430, in search_keys
    
    ----------------------------------------------------------------------
    File "/home/vmuser/py-gnupg/vinay.sajip-python-gnupg-0fbbe008b12d/gnupg.py", line 1440, in gnupg.GPG.search_keys
    Failed example:
        if 'NO_EXTERNAL_TESTS' not in os.environ: assert result, 'Failed using default keyserver'
    Exception raised:
        Traceback (most recent call last):
          File "/usr/lib/python3.8/doctest.py", line 1336, in __run
            exec(compile(example.source, filename, "single",
          File "<doctest gnupg.GPG.search_keys[7]>", line 1, in <module>
            if 'NO_EXTERNAL_TESTS' not in os.environ: assert result, 'Failed using default keyserver'
        AssertionError: Failed using default keyserver
    
    
    ----------------------------------------------------------------------
    Ran 34 tests in 90.658s
    
    FAILED (failures=4)
    

    Here’s the output from my sample script with logging turned on.

    ‌

    399630: gpg --pinentry-mode loopback --status-fd 2 --no-tty --no-verbose --fixed-list-mode --batch --with-colons --homedir /home/vmuser/gnupg/ --passphrase-fd 0 --decrypt --output file.txt
    Wrote passphrase
    data copier: <Thread(Thread-3, initial daemon)>, <_io.BufferedReader name='file.txt.gpg'>, <_io.BufferedWriter name=5>
    stderr reader: <Thread(Thread-4, initial daemon)>
    stdout reader: <Thread(Thread-5, initial daemon)>
    gpg: WARNING: unsafe permissions on homedir '/home/vmuser/gnupg'
    [GNUPG:] ENC_TO F58123473A9339D6 18 0
    [GNUPG:] KEY_CONSIDERED 235408C133F1BE86D16DCCB38B0E1394715B93 0
    closed output, 35849524 bytes sent
    gpg: encrypted with 256-bit ECDH key, ID F58123473A9339D6, created 2021-05-15
          "ryan mcleod <ryan mcleod@gmail.com>"
    [GNUPG:] NO_SECKEY F58123473A9339D6
    [GNUPG:] BEGIN_DECRYPTION
    [GNUPG:] DECRYPTION_FAILED
    gpg: decryption failed: No secret key
    [GNUPG:] END_DECRYPTION
    gpg returned a non-zero error code: 2
    decrypt result[:100]: b''
    False
    {11: 'incorrect passphrase'}
    

    ‌

    • 
      ‌ Mark as spam
      
    • 
      ‌ Delete
      
    • 
      ‌ 3 hours ago
      

11. 

    Vinay Sajip repo owner

    I think it might be something to do with your environment; perhaps it’s something to do with having run pip with sudo. As far as I know all tests seem to pass on the CI system for the latest change, including the test_no_such_key that I added most recently. And they all pass on my machine, too, of course.

    • Edit
    • 
      ‌ Pin to top
      
    • 
      ‌ Mark as spam
      
    • 
      ‌ Delete
      
    • 
      ‌ an hour ago
      

12. 

    Ryan McLeod

    Yeah it’s strange. With a bit of tinkering i got the gnupg package in a directory for just my account. I ran the test again and got the same failures. I purged the source directory and unziped it again. Got the same result with the four errors.

    I’m running it on ubuntu 20, not 18, but that shouldn’t make a difference really.

    probably not a big issue. I’ve been trying to automate some gpg stuff using bash and have had some headaches trying to capture stdout/stderr to make decisions. This project at least handles that. so ican probably switch it over to this and have more success.

    • 
      ‌ Mark as spam
      
    • 
      ‌ Delete
      
    • 
      ‌ 56 minutes ago
      

13. 

    Wait - there’s one other possibility I haven’t bottomed out - different versions of GnuPG behave differently with respect to the messages they send out. Here’s what I get with GnuPG 1.4.22:

    2021-08-20 21:43:58,058 DEBUG gnupg      Thread-10   980 [GNUPG:] ENC_TO 24819C9B75BCAD8D 16 0
    2021-08-20 21:43:58,058 DEBUG gnupg      Thread-10   980 gpg: encrypted with ELG-E key, ID 75BCAD8D
    2021-08-20 21:43:58,058 DEBUG gnupg      Thread-10   980 [GNUPG:] NO_SECKEY 24819C9B75BCAD8D
    2021-08-20 21:43:58,058 DEBUG gnupg      Thread-10   980 [GNUPG:] BEGIN_DECRYPTION
    2021-08-20 21:43:58,058 DEBUG gnupg      Thread-10   980 [GNUPG:] DECRYPTION_FAILED
    2021-08-20 21:43:58,058 DEBUG gnupg      Thread-10   980 gpg: decryption failed: secret key not available
    2021-08-20 21:43:58,058 DEBUG gnupg      Thread-10   980 [GNUPG:] END_DECRYPTION
    
    
    

    Here’s what I get with GnuPG 2.3.1:

    2021-08-20 21:44:42,520 DEBUG gnupg      Thread-10   980 [GNUPG:] ENC_TO 031F36181FE503A2 16 0
    2021-08-20 21:44:42,520 DEBUG gnupg      Thread-10   980 gpg: encrypted with ELG key, ID 031F36181FE503A2
    2021-08-20 21:44:42,521 DEBUG gnupg      Thread-10   980 gpg: public key decryption failed: No secret key
    2021-08-20 21:44:42,521 DEBUG gnupg      Thread-10   980 [GNUPG:] ERROR pkdecrypt_failed 33554449
    2021-08-20 21:44:42,521 WARNING gnupg      Thread-10   651 potential problem: ERROR: pkdecrypt_failed 33554449
    2021-08-20 21:44:42,521 DEBUG gnupg      Thread-10   980 [GNUPG:] BEGIN_DECRYPTION
    2021-08-20 21:44:42,521 DEBUG gnupg      Thread-10   980 [GNUPG:] DECRYPTION_FAILED
    2021-08-20 21:44:42,521 DEBUG gnupg      Thread-10   980 gpg: decryption failed: No secret key
    2021-08-20 21:44:42,524 DEBUG gnupg      Thread-10   980 [GNUPG:] END_DECRYPTION
    2021-08-20 21:44:42,524 DEBUG gnupg      Thread-10   980 gpg: [don't know]: invalid packet (ctb=73)
    2021-08-20 21:44:42,524 DEBUG gnupg      Thread-10   980 [GNUPG:] NODATA 3
    
    
    

    and here’s the behaviour with GnuPG 2.2.19:

    2021-08-20 20:25:39,629 DEBUG gnupg      Thread-10   980 [GNUPG:] ENC_TO 1A453EB8AC49419F 16 0
    2021-08-20 20:25:39,629 DEBUG gnupg      Thread-10   980 gpg: encrypted with ELG key, ID 1A453EB8AC49419F
    2021-08-20 20:25:39,629 DEBUG gnupg      Thread-10   980 [GNUPG:] NO_SECKEY 1A453EB8AC49419F
    2021-08-20 20:25:39,629 DEBUG gnupg      Thread-10   980 [GNUPG:] BEGIN_DECRYPTION
    2021-08-20 20:25:39,629 DEBUG gnupg      Thread-10   980 [GNUPG:] DECRYPTION_FAILED
    2021-08-20 20:25:39,629 DEBUG gnupg      Thread-10   980 gpg: decryption failed: No secret key
    2021-08-20 20:25:39,629 DEBUG gnupg      Thread-10   980 [GNUPG:] END_DECRYPTION
    
    
    

    And your log shows that your version of GnuPG outputs NO_SECKEY.

    So I might have been bamboozled by the fact that the very latest version behaves differently to older versions. It looks as it you might or might not get ‘no secret key’ depending on the version of GnuPG you run - so I’ll update my test to pass if either of ‘no secret key’ or ‘decryption failed’. Of course the latest GnuPG should output a NO_SECKEY message, but it doesn’t. My test_no_such_key was flawed because it assumed 1.4.22 behaves one way (NO_SECKEY seen), and 2.X behaves another way (no NO_SECKEY seen). I’ll update the test, but you’ll need to be prepared to see decryption failed if GnuPG never outputs a [GNUPG:] NO_SECKEY message (the ones not beginning with [GNUPG:] are ignored by python-gnupg as they don’t conform to a rigid format.

‌