Gopass isn't working properly with GPG 2.3.1 and 2.3.2 #2014

Closed
AnomalRoil opened this issue Oct 20, 2021 · 1 comment
@AnomalRoil (Member):

It seems we currently have an issue with all versions of Gopass when running on GPG 2.3.2; we confirmed it on two different setups in #1977, and I tried it with older Gopass versions, and even 1.10.0 isn't working properly.

Thanks to @matthew-brett for noticing.

Here is his setup:

$ gopass version
gopass 1.12.8 (2021-08-28 17:36:37) go1.17 darwin amd64
<root>     -  gpg 2.3.2 - git 2.30.1
Available Crypto Backends: age, gpgcli, plain
Available Storage Backends: fs, gitfs

with everything installed via Homebrew.

With gopass fsck he got:

[] Checking all secrets in store
] 132 / 252 [Gooooooooooooooooooooooooooooooooooooooooooooopass                                             ]  52.38% 
❌ fsck failed on root store: failed to check "account.co-op.co.uk/matthew.brett@gmail.com": failed to read recipient IDs from raw secret: exit status 2

But the file decrypts via gpg:

$ gpg --decrypt account.co-op.co.uk/matthew.brett@gmail.com.gpg
gpg: encrypted with rsa2048 key, ID <my key id>, created 2021-04-28
      "Matthew Brett <matthew.brett@gmail.com>"
<correct password>

Notice that gopass show account.co-op.co.uk/matthew.brett@gmail.com works correctly.

He did not set the throw-keyids GPG config option.

Upon further debugging it appears that:

/usr/local/Cellar/gnupg/2.3.2/bin/gpg --batch --list-only --list-packets --no-default-keyring --secret-keyring /dev/null /Users/mb312/.local/share/gopass/stores/root/account.co-op.co.uk/matthew.brett@gmail.com.gpg

gave:

gpg: invalid marker packet
# off=0 ctb=85 tag=1 hlen=3 plen=268
:pubkey enc packet: version 3, algo 1, keyid 5FD3368ACEA67DAB
	data: [2048 bits]
# off=271 ctb=d4 tag=20 hlen=2 plen=84 new-ctb
:aead encrypted packet: cipher=9 aead=2 cb=21
	length: 84
# off=277 ctb=aa tag=10 hlen=5 plen=2181150457
:marker packet: [invalid]

When he deleted this entry in Gopass, and created a new one in Gopass, with the same password, then running the same command on the new entry file:

gpg: [don't know]: invalid packet (ctb=7e)
gpg: [don't know]: invalid packet (ctb=00)
gpg: [don't know]: invalid packet (ctb=2e)
gpg: packet(13) too large

On my side everything worked well on GPG 2.2, installed using brew install gnupg@2.2, but it also doesn't work if I use GPG 2.3.2.

@AnomalRoil AnomalRoil pinned this issue Oct 26, 2021
@AnomalRoil AnomalRoil added this to the 1.13.0 milestone Nov 11, 2021
@AnomalRoil AnomalRoil changed the title from "Gopass isn't working properly with GPG 2.3.2" to "Gopass isn't working properly with GPG 2.3.1 and 2.3.2" on Nov 11, 2021
@AnomalRoil (Member, Author):

Further investigation led me to the following discovery:

GPG 2.3 is not listing the key that encrypted the packets at hand.

For example with GPG 2.2.32 you would get the following:

$ gnupg/2.2.32/bin/gpg --batch --list-only --list-packets --no-default-keyring secgpg2.3.3.gpg
gpg: encrypted with 255-bit ECDH key, ID C5566F8C5ABB4FE7, created 2021-08-02
      "Testing"
# off=0 ctb=84 tag=1 hlen=2 plen=94
:pubkey enc packet: version 3, algo 18, keyid C5566F8C5ABB4FE7
	data: [263 bits]
	data: [392 bits]
# off=96 ctb=d4 tag=20 hlen=2 plen=84 new-ctb
:aead encrypted packet: cipher=9 aead=2 cb=16
	length: 84

Notice the:

gpg: encrypted with 255-bit ECDH key, ID C5566F8C5ABB4FE7, created 2021-08-02
      "Testing"

at the start?

Whereas with GPG 2.3.3 you'd get the following instead:

gnupg/2.3.3_1/bin/gpg --batch --list-only --list-packets --no-default-keyring secgpg2.3.3.gpg
# off=0 ctb=84 tag=1 hlen=2 plen=94
:pubkey enc packet: version 3, algo 18, keyid C5566F8C5ABB4FE7
	data: [263 bits]
	data: [392 bits]
# off=96 ctb=d4 tag=20 hlen=2 plen=84 new-ctb
:aead encrypted packet: cipher=9 aead=2 cb=16
	length: 84

Both exit returning 0; however, with GPG 2.3.2 you got instead:

gnupg/2.3.2/bin/gpg --batch --list-only --list-packets --no-default-keyring secgpg2.3.3.gpg
gpg: [don't know]: invalid packet (ctb=74)
# off=0 ctb=84 tag=1 hlen=2 plen=94
:pubkey enc packet: version 3, algo 18, keyid C5566F8C5ABB4FE7
	data: [263 bits]
	data: [392 bits]
# off=96 ctb=d4 tag=20 hlen=2 plen=84 new-ctb
:aead encrypted packet: cipher=9 aead=2 cb=16
	length: 84

and it would exit with error code 2!

So this is the culprit here.

GnuPG 2.3.3 has solved the issue, and the LTS 2.2 versions were never impacted.
It seems GnuPG 2.3.1 and 2.3.2 were the affected versions.

Solution

Upgrade your GnuPG to 2.3.3+ if you're impacted.
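Both comments above hinge on the same mechanism: the recipient key IDs are obtained by running gpg --batch --list-only --list-packets on the encrypted file, and the run is treated as failed when gpg exits non-zero. GnuPG 2.3.1/2.3.2 printed spurious "invalid packet" diagnostics and exited with status 2 on AEAD-encrypted data, and 2.3 in general no longer prints the "gpg: encrypted with ... ID ..." line. The Go program below is an added example, not gopass's own code, that takes the recipient IDs from the ":pubkey enc packet:" lines of the packet dump (present in every transcript quoted in this issue), records the bogus diagnostics as warnings, and only reports a failure when no recipient packet was found at all. The sample transcripts are constructed from the ones quoted above; the RunListPackets helper, its gpgBin parameter, and the policy of accepting a usable packet dump despite exit status 2 are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// Sample --list-packets transcripts, constructed from the ones quoted in this
// issue (stdout and stderr combined, as the terminal showed them).
// GnuPG 2.3.3: no "encrypted with" line, exit status 0.
const Out233 = `# off=0 ctb=84 tag=1 hlen=2 plen=94
:pubkey enc packet: version 3, algo 18, keyid C5566F8C5ABB4FE7
	data: [263 bits]
	data: [392 bits]
# off=96 ctb=d4 tag=20 hlen=2 plen=84 new-ctb
:aead encrypted packet: cipher=9 aead=2 cb=16
	length: 84
`

// GnuPG 2.2.32: same packets, preceded by the human-readable stderr line.
const Out2232 = "gpg: encrypted with 255-bit ECDH key, ID C5566F8C5ABB4FE7, created 2021-08-02\n" +
	"      \"Testing\"\n" + Out233

// GnuPG 2.3.2: same packets, bogus diagnostic, exit status 2.
const Out232 = "gpg: [don't know]: invalid packet (ctb=74)\n" + Out233

var (
	// Packet-dump line that every GnuPG version prints for each recipient.
	pubkeyEncRe = regexp.MustCompile(`^:pubkey enc packet: version \d+, algo \d+, keyid ([0-9A-Fa-f]{16})`)
	// Human-readable line that 2.2 prints and 2.3 dropped; parsed only as a fallback.
	encryptedWithRe = regexp.MustCompile(`^gpg: encrypted with .* key, ID ([0-9A-Fa-f]{16})`)
	// Diagnostics that 2.3.1/2.3.2 emitted on AEAD-encrypted data.
	invalidPacketRe = regexp.MustCompile(`^gpg: (\[don't know\]: invalid packet|invalid marker packet|packet\(\d+\) too large)`)
)

// Listing is what can be recovered from one --list-packets transcript.
type Listing struct {
	Recipients []string // 16-hex-digit key IDs, packet order, deduplicated
	Anonymous  int      // recipients hidden with --throw-keyids (keyid all zeros)
	Warnings   []string // "invalid packet"-style diagnostics seen
}

// ParseListPackets reads recipient IDs from the packet dump itself, so it does
// not depend on the "encrypted with" line that GnuPG 2.3 no longer prints.
func ParseListPackets(output string) Listing {
	var l Listing
	seen := map[string]bool{}
	add := func(id string) {
		id = strings.ToUpper(id)
		if id == "0000000000000000" { // hidden recipient: nothing to look up
			l.Anonymous++
			return
		}
		if !seen[id] {
			seen[id] = true
			l.Recipients = append(l.Recipients, id)
		}
	}
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		line := sc.Text()
		switch {
		case pubkeyEncRe.MatchString(line):
			add(pubkeyEncRe.FindStringSubmatch(line)[1])
		case encryptedWithRe.MatchString(line):
			add(encryptedWithRe.FindStringSubmatch(line)[1])
		case invalidPacketRe.MatchString(line):
			l.Warnings = append(l.Warnings, line)
		}
	}
	return l
}

// RecipientIDs treats the packet dump as the ground truth: a non-zero exit
// status is only fatal when no recipient packet could be parsed. (This
// acceptance policy is an assumption for the example, not gopass's own logic.)
func RecipientIDs(output string, exitStatus int) ([]string, error) {
	l := ParseListPackets(output)
	if len(l.Recipients) > 0 {
		return l.Recipients, nil
	}
	if l.Anonymous > 0 {
		return nil, errors.New("all recipients hidden (--throw-keyids)")
	}
	if exitStatus != 0 {
		return nil, fmt.Errorf("gpg --list-packets exited with status %d: %s",
			exitStatus, strings.Join(l.Warnings, "; "))
	}
	return nil, errors.New("no pubkey enc packet found: not public-key encrypted?")
}

// RunListPackets runs gpg the way the issue does and passes combined output and
// exit status to RecipientIDs. gpgBin (e.g. "gpg") is an assumed parameter.
func RunListPackets(gpgBin, path string) ([]string, error) {
	cmd := exec.Command(gpgBin, "--batch", "--list-only", "--list-packets",
		"--no-default-keyring", "--secret-keyring", "/dev/null", path)
	out, err := cmd.CombinedOutput()
	status := 0
	if err != nil {
		var ee *exec.ExitError
		if !errors.As(err, &ee) {
			return nil, err // gpg missing or not executable
		}
		status = ee.ExitCode()
	}
	return RecipientIDs(string(out), status)
}

func main() {
	for _, tc := range []struct {
		ver    string
		out    string
		status int
	}{{"2.2.32", Out2232, 0}, {"2.3.3", Out233, 0}, {"2.3.2", Out232, 2}} {
		ids, err := RecipientIDs(tc.out, tc.status)
		fmt.Printf("GnuPG %s: recipients=%v err=%v\n", tc.ver, ids, err)
	}
}
```

Run with go run on the file to see all three transcripts yield the same recipient C5566F8C5ABB4FE7, with the 2.3.2 run succeeding despite its exit status. The design point is that the exit status alone is a poor signal: the packet dump carries the recipient IDs in every version shown here, and a check that keys on the exit status, or on the "encrypted with" line, breaks whenever gpg changes its diagnostics.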
