Gpg: public key decryption failed: Wrong secret key used

Dear community,
Please help, I can't decrypt a message, although I have the right secret subkey.

$ gpg -d encrypted.asc
gpg: encrypted with rsa4096 key, ID 585B20744DCCC0E0, created 2023-11-05
      "<MY NAME AND EMAIL>"

$ gpg --list-secret-keys 585B20744DCCC0E0
sec>  rsa4096 2023-11-05 [SC] [expires: 2033-11-02]
      C9FA40DC68794345B5DBBCAABDE737DA37CD67EF
      Card serial no. = 0006 23747386
uid           [ultimate] <MY NAME AND EMAIL>
ssb#  rsa4096 2023-11-05 [E] [expires: 2033-11-02]
ssb#  rsa4096 2023-11-07 [S] [expires: 2027-11-07]
ssb>  rsa4096 2023-11-24 [A] [expires: 2033-11-21]

$ gpg -d --try-all-secrets encrypted.asc
gpg: encrypted with rsa4096 key, ID 585B20744DCCC0E0, created 2023-11-05
      "<MY NAME AND EMAIL>"
gpg: using "C9FA40DC68794345B5DBBCAABDE737DA37CD67EF" as default secret key for signing
gpg: used key is not marked for encryption use.
gpg: used key is not marked for encryption use.
gpg: used key is not marked for encryption use.
gpg: used key is not marked for encryption use.
gpg: used key is not marked for encryption use.
gpg: used key is not marked for encryption use.
gpg: used key is not marked for encryption use.
gpg: used key is not marked for encryption use.
gpg: used key is not marked for encryption use.
gpg: used key is not marked for encryption use.
gpg: public key decryption failed: Wrong secret key used
gpg: decryption failed: Wrong secret key used

Hi @garaboncias
Did you plug in the card or token?

Which version of GnuPG are you using and on which platform?

Yes, it was plugged in. I use macOS 14.6.1.

$ gpg --version
gpg (GnuPG) 2.4.5
libgcrypt 1.10.3
Copyright (C) 2024 g10 Code GmbH

Might it be that the file contains “” and nothing else? That is, only 2 parentheses? That would look like this.

The file contains an ASCII-armored PGP message. “” originally contained my name and email address, which were removed from the post.

What does

gpg -v -d encrypted.asc

show? Please leave everything as original as possible and substitute the sensitive data, e.g. substitute your name with Foo and your mail address with foo@bar.com, to avoid confusion.

$ gpg -v -d encrypted.asc
gpg: enabled compatibility flags:
gpg: public key is 585B20744DCCC0E0
gpg: public key is D753682D6D9310D1
gpg: using subkey 585B20744DCCC0E0 instead of primary key BDE737DA37CD67EF
gpg: encrypted with rsa4096 key, ID 585B20744DCCC0E0, created 2023-11-05
      "Foo <foo@bar.com>"
gpg: using pgp trust model
gpg: using "C9FA40DC68794345B5DBBCAABDE737DA37CD67EF" as default secret key for signing
gpg: Note: signature key 5915CB43C5F4B670 expired 2022-01-19 09:41:03
gpg: Note: signature key 46FDA608C2373CB1 expired 2022-01-19 09:40:35
gpg: public key decryption failed: No secret key
gpg: decryption failed: No secret key

“No secret key” is clear: gpg does not get access to the secret key.

What does gpg-card show? Probably “Error reading card” I would guess.

But I have no experience with macOS and how to get to the core of it there. @cklassen, can you help?

Currently, I don’t have a system with macOS available, so I cannot try to see how it looks on it. @garaboncias maybe someone on the gnupg-users mailing list can help.

Thank you for your help. It turns out the Yubico key does not hold the secret key:
$ gpg-card
[…]
Signature key ....: A827177B8B122DE49ED78FF8F7DD8081747973DB
      keyref .....: OPENPGP.1  (sign,cert)
      algorithm ..: rsa4096
      stored fpr .: C9FA40DC68794345B5DBBCAABDE737DA37CD67EF
      created ....: 2023-11-05 21:21:27
      used for ...: OpenPGP
        main key .:
          fpr ......: C9FA40DC68794345B5DBBCAABDE737DA37CD67EF
          created ..: 2023-11-05 21:21:27
          user id ..: Foo Bar <foo@bar.com>
Encryption key....: [none]
      keyref .....: OPENPGP.2
      algorithm ..: rsa4096
Authentication key: A6CEF1107A9BFD1D310C6BEF51C065DEABE3C30A
      keyref .....: OPENPGP.3  (sign,auth)
      algorithm ..: rsa4096
      stored fpr .: 9177AE61DCE70B44A62CF53CAA5E3E943F67EA8B
      created ....: 2023-11-24 15:14:23
      used for ...: OpenPGP
        main key .:
          fpr ......: 9177AE61DCE70B44A62CF53CAA5E3E943F67EA8B
          created ..: 2023-11-24 15:14:23
          user id ..: Foo Bar <foo@bar.com>

It is strange, because I’m sure I transferred it to the key; that’s why it was removed from my local keychain. Fortunately, I can restore it from an off-site backup.
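The check that would have shortened this thread, written out as an added example (it is not code from the thread or from GnuPG): take the recipient key IDs that `gpg --list-packets encrypted.asc` prints for the message and look each one up in `gpg --with-colons --list-secret-keys`, where field 12 carries the key's capabilities and field 15 says whether the secret part is in the keyring (`+`, or empty on gpg < 2.3), on a token (the serial number, which is what `sec>`/`ssb>` show in the human-readable listing), or only a stub (`#`, the `ssb#` marker in the first post). The two gpg outputs embedded below are constructed, modeled on this thread: the [E] subkey 585B20744DCCC0E0 is a stub, the primary key and the [A] subkey are on the card, the second recipient D753682D6D9310D1 is treated as someone else's key, the [S] subkey is left out because its key ID is not in the thread, the [A] subkey's key ID is taken from the low 64 bits of its fingerprint, and the timestamps and the full token serial string (built around the card serial 0006 23747386) are assumptions.

```python
"""Cross-check who an OpenPGP message is encrypted to against the local secret keyring.

Added example, not code from the thread. It parses two gpg outputs captured beforehand:
  gpg --list-packets encrypted.asc        -> key IDs the session key was encrypted to
  gpg --with-colons --list-secret-keys    -> which secret (sub)keys are real, stubs, or on a token
The samples below are constructed and modeled on the thread: the [E] subkey 585B20744DCCC0E0
is a stub (field 15 == '#', shown as 'ssb#' by --list-secret-keys), the primary and [A] keys
are on the YubiKey. Timestamps and the full token serial are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed: what `gpg --list-packets encrypted.asc` prints for a message with two recipients.
LIST_PACKETS = """\
# off=0 ctb=85 tag=1 hlen=3 plen=524
:pubkey enc packet: version 3, algo 1, keyid 585B20744DCCC0E0
\tdata: [4095 bits]
# off=527 ctb=85 tag=1 hlen=3 plen=524
:pubkey enc packet: version 3, algo 1, keyid D753682D6D9310D1
\tdata: [4094 bits]
# off=1054 ctb=d2 tag=18 hlen=3 plen=16384
:encrypted data packet:
\tlength: 16384
\tmdc_method: 2
"""

# Constructed: `gpg --with-colons --list-secret-keys` for the thread's key. Field 12 holds the
# capabilities, field 15 holds '#' (stub), '+' (in keyring, gpg >= 2.3) or a token serial number.
# The [S] subkey is omitted because its key ID does not appear in the thread.
WITH_COLONS = """\
sec:u:4096:1:BDE737DA37CD67EF:1699219287:2014502400::u:::cSC:::D2760001240103040006237473860000::0::0:
fpr:::::::::C9FA40DC68794345B5DBBCAABDE737DA37CD67EF:
ssb:u:4096:1:585B20744DCCC0E0:1699219287:2014502400:::::e:::#::0::0:
ssb:u:4096:1:AA5E3E943F67EA8B:1700838863:2016144000:::::a:::D2760001240103040006237473860000::0::0:
fpr:::::::::9177AE61DCE70B44A62CF53CAA5E3E943F67EA8B:
"""

HIDDEN_RECIPIENT = "0" * 16  # --throw-keyids / --hidden-recipient writes an all-zero key ID

PUBKEY_ENC_RE = re.compile(r"^:pubkey enc packet: .*\bkeyid ([0-9A-F]{16})\s*$", re.MULTILINE)


def recipient_keyids(list_packets_output: str) -> list[str]:
    """Key IDs of every public-key ESK packet, in file order (one per recipient)."""
    return PUBKEY_ENC_RE.findall(list_packets_output)


@dataclass(frozen=True)
class SecretKey:
    record: str  # "sec" (primary) or "ssb" (subkey)
    keyid: str
    caps: str    # field 12; lowercase letters are this key's own capabilities, 'e' = encrypt
    token: str   # field 15; '#' stub, '+' or '' in keyring, otherwise a token serial number


def parse_secret_keys(with_colons_output: str) -> dict[str, SecretKey]:
    """Index sec/ssb records by key ID; other record types (fpr, uid, grp) are skipped."""
    keys: dict[str, SecretKey] = {}
    for line in with_colons_output.splitlines():
        fields = line.split(":")
        if fields[0] in ("sec", "ssb") and len(fields) > 14:
            keys[fields[4]] = SecretKey(fields[0], fields[4], fields[11], fields[14])
    return keys


def where_is(key: SecretKey) -> str:
    if key.token == "#":
        return "stub: not in the keyring and no card holding it is known (gpg: No secret key)"
    if key.token in ("+", ""):  # '' is what gpg < 2.3 prints for a key in the keyring
        return "in local keyring"
    return f"on token {key.token} (must be plugged in; confirm the slot with gpg-card)"


def diagnose(list_packets_output: str, with_colons_output: str) -> dict[str, str]:
    """One verdict per recipient key ID found in the message."""
    keys = parse_secret_keys(with_colons_output)
    report: dict[str, str] = {}
    for keyid in recipient_keyids(list_packets_output):
        key = keys.get(keyid)
        if keyid == HIDDEN_RECIPIENT:
            report[keyid] = "hidden recipient: gpg tries every secret key (--try-all-secrets)"
        elif key is None:
            report[keyid] = "no secret key for this recipient (another recipient's key)"
        elif "e" not in key.caps:
            report[keyid] = "secret key present but not marked for encryption use"
        else:
            report[keyid] = where_is(key)
    return report


def decryptable_with(list_packets_output: str, with_colons_output: str) -> list[str]:
    """Recipient key IDs whose secret encryption key gpg could actually use."""
    return [keyid for keyid, verdict in diagnose(list_packets_output, with_colons_output).items()
            if verdict.startswith(("in local keyring", "on token"))]


if __name__ == "__main__":
    for keyid, verdict in diagnose(LIST_PACKETS, WITH_COLONS).items():
        print(f"{keyid}: {verdict}")
```

Run against the constructed samples it reports the [E] subkey as a stub and the other recipient as not ours, so nothing can decrypt; swapping the stub's `#` for `+` (the state after restoring the subkey from backup) makes 585B20744DCCC0E0 usable again. A key reported as "on token" is only usable while that card is inserted and its slot really holds the key, which is exactly what `gpg-card` showed was missing here, so the script complements rather than replaces that check.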

Were you successful?

Yes. Thank you for your help.

What was confusing too is that the GPG command-line tools and “GPG Keychain” (from GPG utils) use different key databases on macOS:
.gnupg/public-keys.d and .gnupg/private-keys-v1.d vs. .gnupg/pubring.gpg and .gnupg/secring.gpg


Great to hear :)

Thanks for sharing this information. Could be helpful for others!