Hi, I recently upgraded to gpg version 2.2.20.
gpg --list-secret-key lists all the secret keys from /opt/eventapi/.gnupg/pubring.gpg, but
"gpg -d file.gpg" results in the following:
gpg: public key decryption failed: Permission denied
gpg: decryption failed: No secret key
Even with gpg 2.0.22 the secret keys are retrieved from
/opt/eventapi/.gnupg/secring.gpg.
The passphrases are loaded using "gpg-agent --daemon --allow-preset-passphrase --max-cache-ttl" and that worked properly. But with gpg 2.2.24, when we try to enter the passphrase for the secret key via preset as above, it results in the error below:
gpg: public key decryption failed: Permission denied
gpg: decryption failed: No secret key
Help needed.
Hi cklasses, I changed the home directory as below, export GNUPGHOME=/home/.gnupg,
yet it still failed as below when I tried setting the passphrase via gpg-preset as in the script below.
gpg: public key decryption failed: Permission denied
gpg: decryption failed: No secret key
However, if I manually enter the passphrase each time as below, it works: gpg --pinentry-mode loopback -d test.gpg
script to cache the passphrase via gpg-preset-passphrase:
#!/bin/bash
# bash rather than sh: the script relies on [[ ]], source, and read -p/-s
RUNAS_USER=usr
GPG_PASSPHRASE_BIN_PATH=/usr/libexec/gpg-preset-passphrase
[[ "$RUNAS_USER" != "$(id --user --name)" ]] && { echo 'Aborting, not the expected RUNAS_USER.'; exit 1; }
# will only run as usr
killall --user "$RUNAS_USER" gpg-agent 1>/dev/null 2>&1
sleep 2
# Start the agent and keep whatever it prints. Since gpg 2.1 the agent is found
# via its standard socket and GPG_AGENT_INFO is ignored, so the file is normally
# empty; the former eval of this output therefore did nothing.
gpg-agent --daemon --allow-preset-passphrase --max-cache-ttl 63115200 > ~/.gnupg/.env_vars.txt
source ~/.gnupg/.env_vars.txt
ps xuf
read -p 'Enter >> PASS << of the GPG passphrase :' -s PASS; echo
echo; echo
GPG_PASS="$PASS"
# The argument to --preset is the KEYGRIP of each key (see "gpg --with-keygrip -K"),
# one for the sec key and one for the ssb key; it is not the key id or fingerprint.
echo "$GPG_PASS" | "$GPG_PASSPHRASE_BIN_PATH" --preset XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX # sec
echo "$GPG_PASS" | "$GPG_PASSPHRASE_BIN_PATH" --preset XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX # ssb
# Do a test-decryption: compare the MD5 of the plaintext with the known value
md5=$(gpg --batch --quiet --decrypt EncryptedTestFile.gpg | md5sum --tag | sed -n -e 's/^.*= //p')
if [ 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' = "$md5" ]
then
echo "Decryption test OK"
else
echo "Error decrypting testfile, try running this script again"
fi
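As an added example, not the poster's script and not code from any of the replies, here is how the preset step looks on gpg 2.1/2.2: the secret keys live in the agent (private-keys-v1.d, not secring.gpg), gpg starts the agent on demand, and gpg-preset-passphrase is keyed by keygrip rather than by key id. The listing parser runs on a constructed sample of the "gpg --with-keygrip -K" output so it can be checked without gpg; the fingerprint and keygrip values in that sample, and the path /usr/libexec/gpg-preset-passphrase, are assumptions.

```shell
#!/bin/bash
# Added example (not from the thread). Presets a passphrase into gpg-agent on
# gpg 2.1/2.2. The cache id that gpg-preset-passphrase expects is the KEYGRIP
# shown by `gpg --with-keygrip -K`, one per sec/ssb key, not the key id.

# Print every keygrip found in a `gpg --with-keygrip -K` listing read on stdin.
keygrips_from_listing() {
    sed -n 's/^[[:space:]]*Keygrip[[:space:]]*=[[:space:]]*\([0-9A-Fa-f]\{40\}\).*/\1/p'
}

# Build the exact command line for each keygrip read on stdin. The binary path
# is an assumption; check `gpgconf --list-dirs libexecdir` on your system.
preset_commands_for() {
    local bin="${1:-/usr/libexec/gpg-preset-passphrase}"
    local grip
    while IFS= read -r grip; do
        if [ -n "$grip" ]; then
            printf '%s --preset %s\n' "$bin" "$grip"
        fi
    done
}

# Constructed sample listing in the shape gpg 2.2 prints (fake fingerprint and keygrips).
SAMPLE_LISTING='sec   rsa2048 2020-05-01 [SC]
      0123456789ABCDEF0123456789ABCDEF01234567
      Keygrip = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
uid           [ultimate] Example User <user@example.com>
ssb   rsa2048 2020-05-01 [E]
      Keygrip = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'

# Live flow, only run when invoked as "./preset.sh run". Requires the line
# "allow-preset-passphrase" in gpg-agent.conf; gpg 2.2 starts the agent on
# demand, so no eval $(gpg-agent --daemon ...) is needed.
preset_all() {
    local conf="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
    grep -qs '^allow-preset-passphrase' "$conf" \
        || { echo "$conf lacks allow-preset-passphrase" >&2; return 1; }
    gpgconf --kill gpg-agent            # make the agent re-read its config
    local pass grips grip
    IFS= read -r -s -p 'GPG passphrase: ' pass; echo
    grips=$(gpg --with-keygrip --list-secret-keys | keygrips_from_listing) || return 1
    for grip in $grips; do
        printf '%s' "$pass" | /usr/libexec/gpg-preset-passphrase --preset "$grip" \
            || { echo "preset failed for keygrip $grip" >&2; return 1; }
    done
    # KEYINFO lists each key with a "cached" column; a 1 there means the
    # passphrase is now held by the agent.
    gpg-connect-agent 'KEYINFO --list' /bye
}

if [ "${1:-}" = run ]; then
    preset_all
fi
```

The check in preset_all matters because gpg-preset-passphrase is refused by an agent that was not started with allow-preset-passphrase, and under gpg 2.2 the agent you reach is the auto-started one reading gpg-agent.conf, not necessarily the one a script launched by hand.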
When you call gpg --pinentry-mode loopback -d test.gpg, do you also do it as user usr?
It is clear that in the script gpg tries to access a directory/file without having the correct permissions. When you want to see which file it tries to access, you can verify this by looking at the output of gpg --list-keys.
Yes, gpg --pinentry-mode loopback -d test.gpg is also tried with the same user as the script.
I tried chmod 777 on the entire .gnupg folder and its contents, but it still fails with the same issue.
gpg issues the warning below since I gave full permissions for testing:
gpg: WARNING: unsafe permissions on homedir