http://bugzilla.suse.com/show_bug.cgi?id=1093836 Manfred Hollstein changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |manfred.h@gmx.net -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1093836 Marcus Meissner changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |astieger@suse.com, | |meissner@suse.com -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1093836 Marcus Meissner changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|security-team@suse.de |astieger@suse.com -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1093836 http://bugzilla.suse.com/show_bug.cgi?id=1093836#c5 Manfred Hollstein changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(manfred.h@gmx.net | |) | --- Comment #5 from Manfred Hollstein --- (In reply to Andreas Stieger from comment #3)

(In reply to Manfred Hollstein from comment #0)

...

When I click on an encrypted message received from someone whose public key is already stored in my keyring, I now only see the following:

Enigmail: Error - no matching secret found to decrypt message

Someone's public key has nothing to do with decryption. The problem is locating the secret key to decrypt the message, usually your own.

...

From reading the enigmail's changelog, it may be caused by the old gpg2 version (2.0.24-8) available on Leap 42.3.

Which changelog entry is that exactly, please?

https://www.enigmail.net/index.php/en/download/changelog#enig2.0 where it talks about: Support for Web Key Directory (WKD) is implemented. Enigmail will try to download unavailable keys during message composition from WKD. If you use GnuPG 2.2.x, and your provider supports the Web Key Service protocol, you can also use Enigmail to upload your key to WKD. which is just *some* reference (admittedly out of scope) to gpg-2.2 -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1093836 http://bugzilla.suse.com/show_bug.cgi?id=1093836#c8 --- Comment #8 from Manfred Hollstein --- (In reply to Andreas Stieger from comment #7)

(In reply to Manfred Hollstein from comment #6)

...

Do you share your $HOME between 42.3, 15.0, Tumbleweed?

Uh, GnuPG is known to get confused between versions and not find the private key anymore. Much the the opposite of enigmail which is known to work with various GnuPG versions. Maybe something went wrong in this dance?

Maybe, but not that I know of. And, as I wrote, gpg2 < 2.0 and enigmail < 2.0 work on Leap 42.3, gpg2 >= 2.2 and enigmail >= 2.0 also work on Leap 15.0 It would be a very pity if such an important piece like gpg2 couldn't be used in a multi-OS environment with a shared home directory... -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1093836 http://bugzilla.suse.com/show_bug.cgi?id=1093836#c16 --- Comment #16 from Manfred Hollstein --- This is getting more and more complex. According to what we have found out so far, I had assumed that the following should work, but it doesn't: 0. This is all on openSUSE Leap 42.3 using gpg2-2.0: 1. Export all my private keys (I have two different ones) as ascii armored files gpg2 -a --export-secret-key "$key" > "$key"-secret-gpg.key.asc 2. Export all the public keys I have a trust relationship with gpg2 -a --export "$key" > "$key"-public-gpg.key.asc 3. Export the owner trustdb gpg2 --export-ownertrust > ownertrust-gpg.txt 4. Log out to terminate all processes potentially using ~/.gnupg 5. Run the following in some vt as normal user "manfred": mkdir -p ~/.OS/os42.3/.gnupg/.backup; chmod 700 ~/.OS/os42.3/.gnupg cp -p "all-exported-files-from-above" ~/.OS/os42.3/.gnupg/.backup/ mv ~/.gnupg ~/.gnupg-SAVE mkdir ~/.gnupg; chmod 700 ~/.gnupg 6. Run the following in some vt as user "root": mount --bind /home/manfred/.OS/os42.3/.gnupg /home/manfred/.gnupg 7. Now log in as user "manfred" again (I use XFCE as a DE): 8. Import the secret keys: for key in ~/.gnupg/.backup/*-secret-*.asc; do gpg2 --import < "$key" done 9. Import the public keys: for key in ~/.gnupg/.backup/*-public-*.asc; do gpg2 --import < "$key" done 10. Import owner trustdb: gpg2 --import-ownertrust < ~/.gnupg/.backup/ownertrust-gpg.txt 11. Define my default GPG key: echo "default-key manfred.h@gmx.net" >> ~/.gnupg/gpg.conf 12. Test with thunderbird and enigmail-1.9.9-9.1: EVERYTHING's OK 13. Upgrade enigmail: sudo zypper in -t patch openSUSE-2018-470 14. Test again with thunderbird and enigmail-2.0.4-12.1: ENCRYPTED E-MAILs CANNOT BE DECRYPTED 15. Downgrade to enigmail-1.9.9-9.1: sudo zypper in --oldpackage enigmail-1.9.9-9.1 16. Test again with thunderbird and enigmail-1.9.9-9.1: WORKS AGAIN AS USUAL, i.e. ENCRYPTED E-MAILs CAN BE DECRYPTED AGAIN Note: I never booted into any other OS during the above commands, hence I always only used gpg2-2.0 from Leap 42.3, hence2 no conversion of the key format should have happened. Do you agree that this should have worked? -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1093836 http://bugzilla.suse.com/show_bug.cgi?id=1093836#c19 --- Comment #19 from Manfred Hollstein --- Thanks, Neil! Yes, I have the exact same problem you just described. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1093836 http://bugzilla.suse.com/show_bug.cgi?id=1093836#c24 --- Comment #24 from Manfred Hollstein --- After adding no-mdc-warning to my ~/.OS/os42.3/.gnupg/gpg.conf, the WARNING disappears, but no change wrt/ decrypting the message. I then added "disable-mdc" to gpg.conf, logged out and logged in again, but no change; same result for "force-mdc" (just in case I misunderstood the documentation). I know that I should create a new GPG (rsa 4096 bits) key, but I'm just looking for a way to still be able to decrypt all those old encrypted messages... Anyway, "disable-mdc" or "force-mdc" don't help :( -- You are receiving this mail because: You are on the CC list for the bug.