Richard Stallman | 21 Oct 18:40 2012

bug#12696: 24.2.50; epa bug with gpg-agent

EPA fails when trying to use gpg-agent.  gpg-agent works when I run
gpg from a shell specifying --use-agent.

I tested this in a situation where gpg-agent already had my
passphrase.

I did  emacs -Q; C-x m; inserted `rms' in To field, `Test' as Subject,
and `Testing' as body.  I did M-x epa-mail-encrypt, which encrypted.
Then I did M-x epa-mail-decrypt, and it gave me the error

  epg--check-error-for-decrypt: peculiar error: "Decryption failed", ""

The same test, conducted without the GPG agent, successfully decrypts
(after asking me for my passphrase).


Daiki Ueno | 25 Oct 11:45 2012

bug#12696: 24.2.50; epa bug with gpg-agent

Richard Stallman <rms <at> gnu.org> writes:

> EPA fails when trying to use gpg-agent.  gpg-agent works when I run
> gpg from a shell specifying --use-agent.
>
> I tested this in a situation where gpg-agent already had my
> passphrase.
>
> I did  emacs -Q; C-x m; inserted `rms' in To field, `Test' as Subject,
> and `Testing' as body.  I did M-x epa-mail-encrypt, which encrypted.
> Then I did M-x epa-mail-decrypt, and it gave me the error
>
>   epg--check-error-for-decrypt: peculiar error: "Decryption failed", ""
>
> The same test, conducted without the GPG agent, successfully decrypts
> (after asking me for my passphrase).

Could you gather the debug log by setting (setq epg-debug t)?
The log will be saved in " *epg-debug*" buffer.

Also the output of "gpg --version" would be helpful.

Thanks,
-- 
Daiki Ueno

Richard Stallman | 26 Oct 03:33 2012

bug#12696: 24.2.50; epa bug with gpg-agent

Can you reproduce the failure?  What happens when you try?

Here's gpg --version.
gpg (GnuPG) 1.4.9
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Here's the  *epg-debug* buffer contents after the test.

/usr/bin/X11/gpg --no-tty --status-fd 1 --yes --use-agent --enable-progress-filter --command-fd 0
--armor --textmode --output /tmp/epg-output2472DQN --encrypt -r 624DC565135EA668
[GNUPG:] PROGRESS stdin ? 0 0
[GNUPG:] BEGIN_ENCRYPTION 2 7
[GNUPG:] PROGRESS stdin ? 234 0
[GNUPG:] END_ENCRYPTION
/usr/bin/X11/gpg --no-tty --status-fd 1 --yes --use-agent --enable-progress-filter --command-fd 0
--output /tmp/epg-output2472dkZ --decrypt -- /tmp/epg-input2472QaT
[GNUPG:] PROGRESS /tmp/epg-input2472Qa ? 0 822
[GNUPG:] ENC_TO 879A7C37B1B10ED6 16 0
[GNUPG:] USERID_HINT 879A7C37B1B10ED6 Richard Stallman (Chief GNUisance) <rms <at> gnu.org>
[GNUPG:] NEED_PASSPHRASE 879A7C37B1B10ED6 624DC565135EA668 16 0

Daiki Ueno | 26 Oct 03:55 2012

bug#12696: 24.2.50; epa bug with gpg-agent

Richard Stallman <rms <at> gnu.org> writes:

> Can you reproduce the failure?  What happens when you try?

I can't reproduce it.  Here, I got:

 Decrypting...done
 Replace the original text? (y or n)  y

in *Messages* and decrypted text in the buffer.

> Here's the  *epg-debug* buffer contents after the test.

Thanks.

> /usr/bin/X11/gpg --no-tty --status-fd 1 --yes --use-agent
> --enable-progress-filter --command-fd 0 --armor --textmode --output
> /tmp/epg-output2472DQN --encrypt -r 624DC565135EA668
> [GNUPG:] PROGRESS stdin ? 0 0
> [GNUPG:] BEGIN_ENCRYPTION 2 7
> [GNUPG:] PROGRESS stdin ? 234 0
> [GNUPG:] END_ENCRYPTION
> /usr/bin/X11/gpg --no-tty --status-fd 1 --yes --use-agent
> --enable-progress-filter --command-fd 0 --output
> /tmp/epg-output2472dkZ --decrypt -- /tmp/epg-input2472QaT
> [GNUPG:] PROGRESS /tmp/epg-input2472Qa ? 0 822
> [GNUPG:] ENC_TO 879A7C37B1B10ED6 16 0
> [GNUPG:] USERID_HINT 879A7C37B1B10ED6 Richard Stallman (Chief
> GNUisance) <rms <at> gnu.org>
> [GNUPG:] NEED_PASSPHRASE 879A7C37B1B10ED6 624DC565135EA668 16 0

Richard Stallman | 27 Oct 03:14 2012

bug#12696: 24.2.50; epa bug with gpg-agent

    Are you sure that you successfully preset the passphrase for this key?
    If so, how did you do that?

I use the script below to start Emacs.  gpg gives me an error if I
don't enter the passphrase correctly, and asks again.  Thus, when gpg
exits and lets emacs start, I know the passphrase is correct.

Maybe what's needed is to add code to record other data.
In the debug buffer, or in Lisp variables (I could examine them).

#!/bin/sh

eval `gpg-agent --daemon`
gpg --use-agent --output /dev/null --sign /dev/null > /dev/null

emacs -f normal-start

-- 
Dr Richard Stallman
President, Free Software Foundation
51 Franklin St
Boston MA 02110
USA
www.fsf.org  www.gnu.org
Skype: No way! That's nonfree (freedom-denying) software.
  Use Ekiga or an ordinary phone call

Richard Stallman | 27 Oct 03:14 2012

bug#12696: 24.2.50; epa bug with gpg-agent

I resend this because I got a bounce message from your email address.


Richard Stallman | 27 Oct 03:14 2012

bug#12696: 24.2.50; epa bug with gpg-agent

I resend this hoping your email account is working now.


Daiki Ueno | 13 Nov 06:53 2012

bug#12696: 24.2.50; epa bug with gpg-agent

Richard Stallman <rms <at> gnu.org> writes:

> I resend this hoping your email account is working now.

Oops, sorry.  It seems that I sent the reply with the wrong From: address.
I often manually rewrite it when sending, to select the SMTP server.

>     Are you sure that you successfully preset the passphrase for this key?
>     If so, how did you do that?
>
> I use the script below to start Emacs.  gpg gives me an error if I
> don't enter the passphrase correctly, and asks again.  Thus, when gpg
> exits and lets emacs start, I know the passphrase is correct.
>
> #!/bin/sh
>
> eval `gpg-agent --daemon`
> gpg --use-agent --output /dev/null --sign /dev/null > /dev/null
>
> emacs -f normal-start

From the output of M-x epa-list-keys, it looks like you have two keys
set up (one is DSA used for signing and one is ElGamal used for
encryption):

 - Richard Stallman (Chief GNUisance) <rms <at> gnu.org>
 - 624DC565135EA668 1024bits DSA
	Created: 2001-03-05
	Capabilities: sign certify authentication
	Fingerprint: 6F818B215E159EF3FA26B0BE624DC565135EA668

Andreas Schwab | 13 Nov 20:16 2012

bug#12696: 24.2.50; epa bug with gpg-agent

Daiki Ueno <ueno <at> unixuser.org> writes:

> set up (one is DSA used for signing and one is ElGamal used for
> encryption):
>
>  - Richard Stallman (Chief GNUisance) <rms <at> gnu.org>
>  - 624DC565135EA668 1024bits DSA
> 	Created: 2001-03-05
> 	Capabilities: sign certify authentication
> 	Fingerprint: 6F818B215E159EF3FA26B0BE624DC565135EA668
>  - 879A7C37B1B10ED6 1024bits ELGAMAL_E
> 	Created: 2001-03-05
> 	Capabilities: encrypt
> 	Fingerprint: 04C26DD3834A1AB3A3CAB2D4879A7C37B1B10ED6

That is normal, the second one is a subkey of the first one.  Nowadays
gpg always creates such a subkey and it should handle that
transparently.

Andreas.

-- 
Andreas Schwab, schwab <at> linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

Daiki Ueno | 13 Nov 20:53 2012

bug#12696: 24.2.50; epa bug with gpg-agent

Andreas Schwab <schwab <at> linux-m68k.org> writes:

> Daiki Ueno <ueno <at> unixuser.org> writes:
>
>> set up (one is DSA used for signing and one is ElGamal used for
>> encryption):
>>
>>  - Richard Stallman (Chief GNUisance) <rms <at> gnu.org>
>>  - 624DC565135EA668 1024bits DSA
>> 	Created: 2001-03-05
>> 	Capabilities: sign certify authentication
>> 	Fingerprint: 6F818B215E159EF3FA26B0BE624DC565135EA668
>>  - 879A7C37B1B10ED6 1024bits ELGAMAL_E
>> 	Created: 2001-03-05
>> 	Capabilities: encrypt
>> 	Fingerprint: 04C26DD3834A1AB3A3CAB2D4879A7C37B1B10ED6
>
> That is normal, the second one is a subkey of the first one.  Nowadays
> gpg always creates such a subkey and it should handle that
> transparently.

Then, it might be a gpg-agent issue.  Currently gpg-agent seems to think
a separate passphrase is needed for each subkey.

You can try:

$ eval `gpg-agent --daemon`

$ gpg --use-agent -u <your main key-id> --output /dev/null --sign < /dev/null
# gpg-agent asks passphrase

Richard Stallman | 14 Nov 01:46 2012

bug#12696: 24.2.50; epa bug with gpg-agent

    Then, it might be a gpg-agent issue.  Currently gpg-agent seems to think
    a separate passphrase is needed for each subkey.

    You can try:

I don't understand the significance of the lines that follow:

    $ eval `gpg-agent --daemon`

    $ gpg --use-agent -u <your main key-id> --output /dev/null --sign < /dev/null
    # gpg-agent asks passphrase

    $ gpg --use-agent -u <your main key-id> --output /dev/null --sign < /dev/null
    # gpg-agent DOES NOT ask passphrase

    $ gpg --use-agent -r <your main key-id> --output foo.gpg --encrypt < /dev/null
    # gpg-agent DOES NOT ask passphrase

    $ gpg --use-agent < foo.gpg
    # gpg-agent asks passphrase

    $ gpg --use-agent < foo.gpg
    # gpg-agent DOES NOT ask passphrase

Are you asking me to try these commands in order to get information
to diagnose the problem?

Are you presenting them as proof of a bug in GPG and gpg-agent?

Something else?

Daiki Ueno | 14 Nov 02:30 2012

bug#12696: 24.2.50; epa bug with gpg-agent

Richard Stallman <rms <at> gnu.org> writes:

> Are you presenting them as proof of a bug in GPG and gpg-agent?

Yes, and in a previous mail I was saying that you could probably work around
this by trying decryption as well as signing before starting emacs:

#!/bin/sh

eval `gpg-agent --daemon`

# remember passphrase for signing
gpg --use-agent -u "your key-id" --output /dev/null --sign < /dev/null

# remember passphrase for decryption
gpg -r "your key-id" --encrypt < /dev/null | gpg --use-agent

emacs -f normal-start

Replace "your key-id" with your GPG key ID.

Regards,
-- 
Daiki Ueno
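
Added example, not part of the thread or of any participant's message: the decrypt status lines in the debug log earlier in the thread ask for a passphrase for key 879A7C37B1B10ED6 under main key 624DC565135EA668, which is the case the workaround above primes separately from signing. The sketch below classifies NEED_PASSPHRASE lines as primary-key or subkey requests; the function names are hypothetical, the field layout is assumed from GnuPG's status-line documentation, and the signing line is constructed.

```shell
#!/bin/sh
# Added example: classify NEED_PASSPHRASE lines from gpg --status-fd output.
# Assumed field layout (GnuPG doc/DETAILS):
#   [GNUPG:] NEED_PASSPHRASE <keyid> <main-keyid> <pubkey-algo> <keylen>

# Print "<keyid> <main-keyid> primary|subkey" for each passphrase request
# found on stdin. A request is for a subkey when keyid differs from main-keyid.
passphrase_requests() {
    awk '$1 == "[GNUPG:]" && $2 == "NEED_PASSPHRASE" {
        kind = ($3 == $4) ? "primary" : "subkey"
        print $3, $4, kind
    }'
}

# Exit 0 if any passphrase request on stdin is for a subkey, i.e. the case
# the thread's diagnosis says a signing-only warm-up does not cover.
subkey_passphrase_needed() {
    passphrase_requests | grep -q ' subkey$'
}

# Decrypt status lines as they appear in the thread's *epg-debug* output.
decrypt_log='[GNUPG:] ENC_TO 879A7C37B1B10ED6 16 0
[GNUPG:] NEED_PASSPHRASE 879A7C37B1B10ED6 624DC565135EA668 16 0'

# Constructed line (not from the thread): a passphrase request for the
# primary DSA signing key, as a signing warm-up would produce.
sign_log='[GNUPG:] NEED_PASSPHRASE 624DC565135EA668 624DC565135EA668 17 0'

printf '%s\n' "$decrypt_log" | passphrase_requests
printf '%s\n' "$sign_log" | passphrase_requests

if printf '%s\n' "$decrypt_log" | subkey_passphrase_needed; then
    echo "decrypt asked for a subkey passphrase: warm up decryption too"
fi
```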

Richard Stallman | 14 Nov 08:13 2012

bug#12696: 24.2.50; epa bug with gpg-agent

    > Are you presenting them as proof of a bug in GPG and gpg-agent?

    Yes 

Could you report the bug to Werner Koch <wk <at> gnupg.org>, please?


Daiki Ueno | 15 Nov 03:51 2012

bug#12696: 24.2.50; epa bug with gpg-agent

Richard Stallman <rms <at> gnu.org> writes:

> Could you report the bug to Werner Koch <wk <at> gnupg.org>, please?

Reported.  Closing this bug.

Richard Stallman | 14 Nov 08:14 2012

bug#12696: 24.2.50; epa bug with gpg-agent

Your recipe made it work.  Thanks.
