gpg 2.2.20 gpg: decryption failed: No secret key

Hi, recently upgraded to gpg 2.2.20 version.
gpg --list-secret-key is listing all the secret keys from /opt/eventapi/.gnupg/pubring.gpg but

“gpg -d file.gpg” results in the below:

gpg: public key decryption failed: Permission denied
gpg: decryption failed: No secret key

Even with gpg 2.0.22 the secret keys are retrieved from
/opt/eventapi/.gnupg/secring.gpg.
The passphrases are loaded using “gpg-agent --daemon --allow-preset-passphrase --max-cache-ttl” and it worked properly. But in gpg 2.2.24, we're trying to enter the passphrase for the secret key via preset as above, but it results in the below error:
gpg: public key decryption failed: Permission denied
gpg: decryption failed: No secret key
Help needed

Earlier with gpg 2.0 it worked like a charm.

Hi @sudvid78, can you please try setting the home directory for GnuPG? Usually GnuPG looks for a directory like /home/<username>/.

Hi cklasses, I changed the home directory as below:
export GNUPGHOME=/home/.gnupg
Yet it still failed as below when I tried setting the passphrase via gpg-preset as in the script below.

gpg: public key decryption failed: Permission denied
gpg: decryption failed: No secret key

However, if I manually enter the passphrase each time as below, it works:
gpg --pinentry-mode loopback -d test.gpg

script to cache the passphrase via gpg-preset:

#!/bin/bash
# bash is required: [[ ]], "source" and "read -s" are not POSIX sh
RUNAS_USER=usr
GPG_PASSPHRASE_BIN_PATH=/usr/libexec/gpg-preset-passphrase
# will only run as usr
[[ "$RUNAS_USER" != "$(id --user --name)" ]] && { echo 'Aborting, not the expected RUNAS_USER.'; exit 1; }
# restart the agent with presetting allowed and a long cache TTL (seconds)
killall --user "$RUNAS_USER" gpg-agent 1>/dev/null 2>&1
sleep 2
# the agent's stdout goes to the file, so eval sees nothing; the file is sourced below
eval $(gpg-agent --daemon --allow-preset-passphrase --max-cache-ttl 63115200 > ~/.gnupg/.env_vars.txt)
source ~/.gnupg/.env_vars.txt
ps xuf
read -p 'Enter >> PASS  << of the GPG passphrase :' -s PASS; echo
echo; echo
GPG_PASS="$PASS"
# cache the passphrase for the primary key and the subkey (ids redacted in the post)
echo "$GPG_PASS" | "$GPG_PASSPHRASE_BIN_PATH" --preset XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX # sec
echo "$GPG_PASS" | "$GPG_PASSPHRASE_BIN_PATH" --preset XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX # ssb

# Do a test-decryption and compare the plaintext's MD5 against the known value
md5=$(gpg --batch --quiet --decrypt EncryptedTestFile.gpg | md5sum --tag | sed -n -e 's/^.*= //p')

if [ 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' = "$md5" ]
then
  echo "Decryption test OK"
else
  echo "Error decrypting testfile, try running this script again"
fi
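A gpg 2.2-style version of the preset-and-verify flow, added here as an example and not code from this thread: since gpg 2.1 the agent keeps secret keys in private-keys-v1.d and gpg-preset-passphrase expects the key's keygrip (40 hex characters) as the cache id, not the key ID or fingerprint, and the cached state can be read back from the agent's KEYINFO status lines. It assumes allow-preset-passphrase is set in gpg-agent.conf; the KEYINFO sample lines and keygrips in it are constructed, and the helper path comes from gpgconf.

```shell
#!/bin/bash
# Added example, not the thread's script: preset and verify a passphrase on
# gpg >= 2.1. The agent's cache id for a key is its KEYGRIP (40 hex chars),
# not the key ID or fingerprint, and secret keys live in private-keys-v1.d.
# Assumes "allow-preset-passphrase" is set in gpg-agent.conf.
set -u

# 0 if $1 is a plausible keygrip (exactly 40 hex characters), else 1.
is_keygrip() {
    case "$1" in
        "" | *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Read "gpg-connect-agent 'KEYINFO --list' /bye" output on stdin and print
# cached | not-cached | unknown for keygrip $1. Status line layout:
#   S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> ...
# where <cached> is "1" when the agent holds a passphrase for that key.
cache_state() {
    awk -v grip="$1" '
        $1 == "S" && $2 == "KEYINFO" && $3 == grip {
            s = ($7 == "1") ? "cached" : "not-cached"; print s; found = 1 }
        END { if (!found) print "unknown" }'
}

# Feed the passphrase on stdin to the agent's preset helper for keygrip $1.
preset_one() {
    is_keygrip "$1" || { echo "not a keygrip: $1" >&2; return 2; }
    "$(gpgconf --list-dirs libexecdir)/gpg-preset-passphrase" --preset "$1"
}

# Constructed KEYINFO output (not real keys) so cache_state can be exercised offline.
SAMPLE_KEYINFO='S KEYINFO 0123456789ABCDEF0123456789ABCDEF01234567 D - - 1 P - - -
S KEYINFO FEDCBA9876543210FEDCBA9876543210FEDCBA98 D - - - P - - -
OK'

if [ "${1:-}" = "--run" ]; then
    gpgconf --launch gpg-agent
    stty -echo; printf 'Passphrase: '; read -r PASS; stty echo; echo
    # grp: records carry the keygrip in field 10 of --with-colons output.
    for grip in $(gpg --batch --with-colons --with-keygrip --list-secret-keys |
                  awk -F: '$1 == "grp" { print $10 }'); do
        printf '%s\n' "$PASS" | preset_one "$grip"
        echo "$grip: $(gpg-connect-agent 'KEYINFO --list' /bye | cache_state "$grip")"
    done
    unset PASS
fi
```

Run with --run to preset every secret (sub)key of the current GNUPGHOME and print cached/not-cached per keygrip; without arguments it only defines the functions.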

When you call gpg --pinentry-mode loopback -d test.gpg, do you also do it as user usr?
It is clear that in the script gpg tries to access a directory/file without having the correct permissions. When you want to see which file it tries to access, you can verify this by looking at the output of gpg --list-keys.

Yes, gpg --pinentry-mode loopback -d test.gpg is also tried with the same user as the script.
I tried chmod 777 on the entire .gnupg folder and its contents, but it still fails with the same issue.
gpg issues the below warning since I gave full permissions for testing:
gpg: WARNING: unsafe permissions on homedir

The below is the full output; it identifies the correct ID and all, but somehow it fails:

gpg: WARNING: unsafe permissions on homedir ‘/home/.gnupg’
gpg: encrypted with 4096-bit RSA key, ID XXXXXXXXXXXXX, created 2024-11-04
“TESTKey#2 (TESTKey#2) xxxx@xx.xx
gpg: public key decryption failed: Permission denied
gpg: decryption failed: No secret key