Wrong secret key used

Gpg4win help-en
,
1

Hello GnuPG!

We have been experiencing random failed decryption with the message “public key decryption failed: Wrong secret key used”.

Our setup:

  • azure Windows server
  • Microsoft SQL Server 2019 + SSIS
  • gpg4win-4.0.4.exe (gpg.exe 2.3.8)
  • Windows “service” user “ssis_user” - user dedicated to run SSIS packages, not meant to be used for regular use
  • 1 public-private key-pair imported in kleopatra in user “ssis_user” Windows profile
  • running the decryption from SSIS in SQL Server agent job, i.e. SSIS calling a batch file which calls gpg.exe or calling the gpg.exe directly
  • the key’s passphrase is passed to gpg.exe each time, to ensure the passphrase cache does not time out on us
  • sample of gpg call: C:\Program Files (x86)\GnuPG\bin\gpg.exe --batch --pinentry-mode=loopback --passphrase *** --output <File.zip> --decrypt <File.zip>.pgp

When the job runs, SSIS loops through a list of files in a directory and decrypts 1 by 1, “<File.zip>” above being a placeholder for each file.

The problem occurs randomly, as in, the decryption could run fine for a set of files, but on the next run, it would break on any of the files!

We have been able to capture the gpg.exe logs at “guru” debug-level (by using options --log-file and --debug-level) and compared the logs between a successful decryption and a failed decryption (in this case, first and second file in the directory!). We’ve noticed that after the DBG: chan_0x00000??? <- INQUIRE CIPHERTEXT, the second sequence of bytes is different - line 261, bytes 35 35 3a 02 13 vs 35 37 3a ff 4b - see in the attached comparison screenshot. Consequently, the DEK frame on line 263 is completely different!

image
image1389×750 29.5 KB

We have not been able to reproduce it on our local dev machines.

Questions: how is that possible when there’s only 1 set of keys, and the same passphrase is being passed? what are we missing?

Thanks in advance for any kind of guidance in troubleshooting this situation.

PFS

Update: after reviewing a few other logs of successful decryption, we’ve realised that the second sets of bytes and the DEK frame changes with every file. But the same random failure keeps happening. This part of the log is common in all the failures:

DBG: internal_keydb_search: searching keybox (resource 0 of 1)
DBG: internal_keydb_search: searched keybox (resource 0 of 1) => EOF
DBG: [no clock] keydb_search leave (not found)
DBG: [no clock] keydb_release
DBG: [no clock] get_session_key leave
public key decryption failed: Wrong secret key used
decryption failed: Wrong secret key used
2

Hi @owrwe04

can you try upgrading to the latest version of Gpg4win?
Any defects fixed since 4.0.4 (October 2022) would then not affect your situation anymore. :wink:

Best Regards,
Bernhard

3

Hi Bernhard,

Thanks for you reply.

Being in a server environment, it is not that easy for us to just upgrade, but we can definitely put the request in!

In the meantime, is this something other people have reported before me?

Thanks,

PFS

4

Hi @owrwe04,

please put in a request. Especially in a server environment, the software should be up to date and thus upgraded to the currently maintained version. (If you need more assurances, there is GnuPG Desktop (GnuPG Desktop) which is a more business oriented and packaged variant of Gpg4win coming with guaranteed support.)

is this something other people have reported before me?

At least I do not remember. However it seems okay the the cipher text changes each time, because you will have a different file to decrypt I guess and even the same file would lead to a different cipher text each time ot was encrypted. (Of course if you try to decrypt the same encrypted file again it should be the same cipther text.)

The next step to analyse the situation probably is to also set log files and debug levels to gpg-agent, which is the component handling the crypto operations.

Best,
Bernhard