GPG4WIN - Decryption of file encrypted with both symmetric and key only offers decryption with symmetric passphrase (In contrast, when using gpg line command I'm prompted for both possibilities)

I today encrypted a file and during this I specified that I want both encryption via a symmetric passphrase but also with a GPG key.

But when I try to decrypt the file (either by double-clicking on the file or opening it via the Kleopatra “Decrypt/Verify”) I get a pop-up-box from pinentry-qt with “Please enter the passphrase for decryption”. When I now push the ‘Cancel’ button (or the ‘x’ in the upper right corner of the pop-up) I get a new small window with the information “Decryption of xxxxx.asc canceled.” and the info “gpg: AES256.OCB encrypted session key” and “gpg: cancelled by user”.

When I however from the command line type the command:
gpg --output xxxxx.zip --decrypt xxxxxx.zip.asc
… and here push the ‘Cancel’ button in the pinentry-qt pop-up window I get a new pop-up window saying:
“Please enter the passphrase to unlock the OpenPGP secret key: ……”
And when I now enter the passphrase for this secret key the file is decrypted without problems.

Short resume:

Kleopatra only prompts for the symmetric key even when the file is encrypted with both symmetric passphrase and a key

The ‘gpg’ command lets me decide whether I want to decrypt the file with the symmetric passphrase or the key (by canceling the pop up for the symmetric key) - and that is of course how it should work

I would classify this as a ‘real error’ in Kleopatra, not just a ‘minor glitch’, since it makes it impossible for GPG4WIN/Kleopatra users (those who aren’t comfortable with using line commands) to decrypt files which are encrypted the way I described above

Please let me hear your thoughts and opinions about this
Thanks
Frank
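The behaviour Frank describes follows from the packet layout of such a file: a message encrypted with both a passphrase and a key carries two session-key packets, and either one is enough to decrypt. The following parser is an added example written for this page (not code from the thread, GnuPG or Kleopatra); the sample message and the key id 0123456789ABCDEF in it are constructed, not real ciphertext.

```python
# Added example: list the session-key packets of an OpenPGP message.  A file
# encrypted with both a passphrase and a key carries one SKESK (tag 3) and one
# PKESK (tag 1) ahead of the data packet (tag 18).  Framing: RFC 4880 sect. 4.2.
SYM_ALGS, AEAD_ALGS = {7: "AES128", 8: "AES192", 9: "AES256"}, {1: "EAX", 2: "OCB"}

def _new_len(buf, pos):                   # new-format body length, None = unknown
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 224:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return None, pos + 1                  # 5-octet and partial lengths: stop parsing

def parse_packets(buf):                   # -> [(tag, body), ...], old and new headers
    packets, pos = [], 0
    while pos < len(buf):
        ctb = buf[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                    # new-format: tag in the low 6 bits
            tag, (length, pos) = ctb & 0x3F, _new_len(buf, pos + 1)
        else:                             # old-format: tag in bits 5..2, length type in 1..0
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            nbytes = 0 if ltype == 3 else 1 << ltype   # type 3 = indeterminate length
            length = int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big") if nbytes else None
            pos += 1 + nbytes
        if length is None:                # rest of the message belongs to this packet
            packets.append((tag, buf[pos:]))
            break
        packets.append((tag, buf[pos:pos + length]))
        pos += length
    return packets

def unlock_options(buf):                  # ways to recover the session key, in packet order
    out = []
    for tag, body in parse_packets(buf):
        if tag == 3:                      # SKESK: version, cipher, [aead for v5], S2K ...
            cipher = SYM_ALGS.get(body[1], f"sym#{body[1]}")
            if body[0] == 5:              # v5 SKESK is what gpg 2.4 writes for AES256.OCB
                cipher += "." + AEAD_ALGS.get(body[2], f"aead#{body[2]}")
            out.append(f"passphrase ({cipher})")
        elif tag == 1:                    # PKESK v3: version, 8-byte key id, pk algo, MPI
            out.append(f"secret key {body[1:9].hex().upper()}")
    return out

# Constructed sample (not real ciphertext): old-format SKESK v5 and PKESK v3 headers
# as gpg writes them, then a new-format SEIPD packet using a partial body length.
SKESK = bytes([5, 9, 2, 3, 8]) + bytes(8) + b"\xff" + bytes(15) + bytes(48)
PKESK = b"\x03" + bytes.fromhex("0123456789ABCDEF") + b"\x01\x08\x00" + bytes(256)
SAMPLE = (bytes([0x8C, len(SKESK)]) + SKESK + bytes([0x85]) + len(PKESK).to_bytes(2, "big")
          + PKESK + bytes([0xD2, 0xE4]) + b"\x01" + bytes(16))   # 0xE4 = partial length
```

Running `unlock_options(SAMPLE)` lists the passphrase option first and the secret key second, which is the order in which the gpg command line prompts; a front end that stops after the first option cannot decrypt for users who do not know the passphrase.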

Hi @flagpg4win,

[2. correction]

thanks for reporting, you are correct, this looks like a problem for Kleopatra.
I could reproduce with an elder version (4.4.0) and will try with the latest next.

When entering an invalid symmetric password, I get a second prompt for the private key and can decrypt.

Turns out this is a known issue: Case 1 of ⚓ T7339 Kleopatra: Cannot decrypt packets with hybrid cipher without using symmetric passphrase .

As entering a wrong password in the symmetric pinentry brings up the private key dialog for decryption, the priority “normal” (or “low”) seems fine to me.

Thanks again for your feedback and sorry for this inconsistency! :slight_smile:

Best Regards,
Bernhard

Hi @bernhard

Thank you very much for your reply and finding an existing case about that. Kind of ‘wow’ that this bug has existed since 2024 (with small variations).

I don’t totally agree that it would be ok to set ⚓ T7339 Kleopatra: Cannot decrypt packets with hybrid cipher without using symmetric passphrase to low - even though there is a circumvention, almost nobody knows about this circumvention. Some will get past this problem if they (as you did) try with a wrong passphrase, but if that person thinks “I have no idea what the symmetric passphrase is” and therefore cancels the pop up box the user will experience that it isn’t possible for them to decrypt the file via Kleopatra.

I can see that the case in fact has been set to “High” today at 10:24 a.m. so I’m just sharing my thought in case ‘somebody’ is planning to change it to low.

Thanks again :+1:


Hi again, @bernhard

I have been following the discussion at dev.gnupg.org regarding this problem ( ⚓ T7339 Kleopatra: Cannot decrypt packets with hybrid cipher without using symmetric passphrase ).
I noticed that one of the developers wrote : “I pushed my patch for gpg, since it does not break anything, just allow empty passphrase input (to skip).”.

But that is a bit funny / strange. Because when I use the line command ‘gpg --decrypt …’ it already works this way - i.e. I’m first prompted for the symmetric key, and if I either push the cancel button, just push ‘Ok’ without entering a passphrase or if I enter a wrong passphrase and push ‘Ok’ I always get prompted for the gpg key passphrase afterwards.

The problem with the ‘missing second prompt’ only occurs when I try to decrypt a file encrypted this way via Kleopatra. So without knowing anything about Kleopatra internals I would have expected that a fix for Kleopatra was necessary, not for ‘gpg’ itself.

Unfortunately signing up for ‘dev group’ has been disabled for ‘newcomers’ - so in case you agree with ‘my confusion’ could you perhaps write a note regarding this in the thread (I can see that you are monitoring this thread, so you must have a user there :slight_smile: )

Best regards

Frank

Hi @flagpg4win

yes, I’ve noticed the comment, too.

It is common that changes have to be made to the “lower levels” of the software (gpg and gpgme in this case) to get the frontends to behave more consistently. Niibe knows more about this, he usually does the right thing. Nevertheless I’ve pointed him to your observation in the issue and I am impressed that you are following the development so closely. Thanks for your interest! :slight_smile:
