GPG4WIN - Decryption of file encrypted with both symmetric and key only offers decryption with symmetric passphrase (In contrast, when using gpg line command I'm prompted for both possibilities)

I today encrypted a file and during this I specified that I want both encryption via a symmetric passphrase but also with a GPG key.

But when I try to decrypt the file (either by double-clicking on the file or opening it via the Kleopatra “Decrypt/Verify”) I get a pop-up-box from pinentry-qt with “Please enter the passphrase for decryption”. When I now push the ‘Cancel’ button (or the ‘x’ in the upper right corner of the pop-up) I get a new small window with the information “Decryption of xxxxx.asc canceled.” and the info “gpg: AES256.OCB encrypted session key” and “gpg: cancelled by user”.

When I however from the command line type the command:
gpg --output xxxxx.zip --decrypt xxxxxx.zip.asc
… and here push the ‘Cancel’ button in the pinentry-qt pop up window I get a new pop-up window saying:
“Please enter the passphrase to unlock the OpenPGP secret key: ……”
And when I now enter the passphrase for this secret key the file is decrypted without problems.

Short resume:

Kleopatra only prompts for the symmetric key even when the file is encrypted with both symmetric passphrase and a key

The ‘gpg’ command lets me decide whether I want to decrypt the file with the symmetric passphrase or the key (by canceling the pop up for the symmetric key) - and that is of course how it should work

I would classify this as a ‘real error’ in Kleopatra, not just a ‘minor glitch’, since it makes it impossible for GPG4WIN/Kleopatra users (those who aren’t comfortable with using line commands) to decrypt files which are encrypted the way I described above

Please let me hear your thoughts and opinions about this
Thanks
Frank

Hi @flagpg4win,

[2. correction]

thanks for reporting, you are correct, this looks like a problem for Kleopatra.
I could reproduce with an older version (4.4.0) and will try with the latest next.

When entering an invalid symmetric password, I get a second prompt for the private key and can decrypt.

Turns out this is a known issue: Case 1 of T7339 Kleopatra: Cannot decrypt packets with hybrid cipher without using symmetric passphrase.

As entering a wrong password in the symmetric pinentry brings up the private key dialog for decryption, the priority “normal” (or “low”) seems fine to me.

Thanks again for your feedback and sorry for this inconsistency! :slight_smile:

Best Regards,
Bernhard

Hi @bernhard

Thank you very much for your reply and finding an existing case about that. Kind of ‘wow’ that this bug has existed since 2024 (with small variations).

I don’t totally agree that it would be ok to set T7339 Kleopatra: Cannot decrypt packets with hybrid cipher without using symmetric passphrase to low - even though there is a circumvention almost nobody knows about this circumvention. Some will get past this problem if they (as you did) try with a wrong passphrase, but if that person thinks “I have no idea what the symmetric passphrase is” and therefore cancels the pop up box the user will experience that it isn’t possible for them to decrypt the file via Kleopatra.

I can see that the case in fact has been set to “High” today at 10:24 a.m. so I’m just sharing my thought in case ‘somebody’ is planning to change it to low.

Thanks again :+1:

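Added example, not part of the thread and not Gpg4win or GnuPG code: a small Python reader for OpenPGP packet headers (RFC 4880) that reports whether a message carries a public-key session-key packet, a passphrase session-key packet, or both, without triggering any pinentry prompt. The function names are this example's own, and `SAMPLE` is a constructed message with dummy packet bodies.

```python
import base64

# OpenPGP tags of the two encrypted-session-key packet types (RFC 4880)
ESK_TAGS = {1: "public-key", 3: "passphrase"}

def dearmor(data: bytes) -> bytes:
    """Return raw packets from ASCII-armored (.asc) or binary input."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    lines = [l.strip() for l in data.strip().splitlines()][1:-1]
    body = lines[lines.index(b"") + 1:] if b"" in lines else lines
    # a line starting with "=" is the CRC24 checksum, not message data
    return base64.b64decode(b"".join(l for l in body if not l.startswith(b"=")))

def read_header(buf: bytes, i: int):
    """Parse the packet header at offset i -> (tag, body_start, body_len)."""
    first = buf[i]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                                 # new-format header
        tag, o1 = first & 0x3F, buf[i + 1]
        if o1 < 192:
            return tag, i + 2, o1
        if o1 < 224:
            return tag, i + 3, ((o1 - 192) << 8) + buf[i + 2] + 192
        if o1 == 255:
            return tag, i + 6, int.from_bytes(buf[i + 2:i + 6], "big")
        return tag, i + 2, None                      # partial length (data only)
    tag, ltype = (first >> 2) & 0x0F, first & 0x03   # old-format header
    if ltype == 3:
        return tag, i + 1, None                      # indeterminate length
    n = 1 << ltype                                   # 1, 2 or 4 length octets
    return tag, i + 1 + n, int.from_bytes(buf[i + 1:i + 1 + n], "big")

def decryption_paths(data: bytes) -> list:
    """List the session-key packets that precede the encrypted data."""
    buf, i, paths = dearmor(data), 0, []
    while i < len(buf):
        tag, start, length = read_header(buf, i)
        if tag not in ESK_TAGS or length is None:
            break                                    # reached the data packet
        paths.append(ESK_TAGS[tag])
        i = start + length
    return paths

# Constructed sample with dummy bodies (not decryptable): both key packets + data
SAMPLE = (bytes([0xC1, 12]) + b"\x03" + bytes(8) + b"\x01\x00\x00"  # tag 1
          + bytes([0x8C, 4]) + b"\x04\x09\x00\x02"                 # tag 3
          + bytes([0xD2, 3]) + b"\x01\xaa\xbb")                    # tag 18
print(decryption_paths(SAMPLE))
```

A result containing both entries means either the passphrase or a matching secret key can decrypt the file, which is the situation discussed in this thread.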