[Bug 914625] New: gpg-2.1.1 is broken and unusable. This breaks kdewallet (if gpg encryption is used)
http://bugzilla.opensuse.org/show_bug.cgi?id=914625

Bug ID: 914625
Summary: gpg-2.1.1 is broken and unusable. This breaks kdewallet (if gpg encryption is used)
Classification: openSUSE
Product: openSUSE Factory
Version: 201501*
Hardware: x86-64
OS: SUSE Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: nrickert@ameritech.net
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0

Build Identifier: gpg-2.1.1 (Tumbleweed 20150121) just gives error messages. It seems unable to read my gpg keyring. I am getting messages about invalid packets. KDE fails to open kdewallet, which is using gpg encryption.

This appears to be due to the removed support for old RSA keys. However the documentation (at the gnupg.org site) does not say that gpg will fail to run and will not give you a work-around. It seems to imply that the keys will be silently ignored for the present, and eventually removed.

I did not have this problem with gnupg-2.1.0.

Related: The gnupg site recommends using gpg-1.4 if you need access to old keys. Will opensuse provide gpg-1.4 for those who need it (perhaps named "gpg14" as a command line only tool).

I'll note that renaming ".gnupg", and then starting over anew with an empty keyring does work. I am able to import old keys (it skips the RSA keys). But I would have to reconstruct my trust database after doing that.

Reproducible: Always

-- You are receiving this mail because: You are on the CC list for the bug.
Neil Rickert
--- Comment #3 from Neil Rickert
--- Comment #4 from Neil Rickert
> I would like to set the expectation that if this is what is happening to you, the
> issue "broken and unusable" is invalid as filed, and should be changed to
> something along the lines of "gnupg 2.1.1 removed support for weak digest
> algorithms".

I'll suggest that the output shown in my second attachment (using gnupg 2.1.0) can be reasonably described as "removed support for weak digest algorithms".

The output shown in my first attachment (using gnupg-2.1.1) can only be described as broken and useless.
Andreas Stieger
> The output shown in my first attachment (using gnupg-2.1.1) can only be described as broken and useless.

Thank you for providing the information. I have updated the bug summary to be more specific and to the technical point. The specific relevant message part:

  gpg --list-keys suse
  gpg: keydb_search failed: Invalid packet
  gpg: Oops: keyid_from_fingerprint: no pubkey
  gpg: keydb_search failed: Invalid packet
  gpg: error reading key: Invalid packet

The issue is known upstream:
http://bugs.g10code.com/gnupg/issue1793

Related?:
http://bugs.g10code.com/gnupg/issue1816

Upstream commit claimed to introduce the regression:
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=94a54425144e4...

Legacy key packet parsing seems to be under active development (last 2d as of writing):
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=09e8f35d3808d...
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=6f3d11d8837b0...

A workaround mentioned is to import the public and secret keyrings into a new environment and copy the trust database as follows:

  mv .gnupg .gnupg.old
  gpg --import .gnupg.old/pubring.gpg
  gpg --import .gnupg.old/secring.gpg
  cp .gnupg.old/trustdb.gpg .gnupg
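
As an added example (not part of the bug report and not GnuPG code): a small parser that lists key packets older than version 4 in a binary keyring such as the pubring.gpg named in the workaround above, so affected keys can be identified before upgrading. It assumes the "legacy" keys at issue are version 2/3 (PGP-2 era) key packets framed per RFC 4880; the function names and the sample bytes are constructed for illustration.

```python
import sys

KEY_TAGS = {5: "secret key", 6: "public key", 7: "secret subkey", 14: "public subkey"}

def iter_packets(data):
    """Yield (tag, body) for each packet in a binary OpenPGP keyring (RFC 4880 framing)."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError(f"no packet header at offset {pos - 1}")
        if ctb & 0x40:  # new-format header: tag in the low 6 bits
            tag = ctb & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                raise ValueError("partial body lengths are not handled here")
        else:  # old-format header: tag in bits 5-2, length type in bits 1-0
            tag = (ctb >> 2) & 0x0F
            if (ctb & 0x03) == 3:
                raise ValueError("indeterminate length is not handled here")
            size = (1, 2, 4)[ctb & 0x03]
            length = int.from_bytes(data[pos:pos + size], "big")
            pos += size
        if pos + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[pos:pos + length]
        pos += length

def legacy_keys(data):
    """Return (kind, version) for every key packet older than version 4."""
    return [(KEY_TAGS[tag], body[0]) for tag, body in iter_packets(data)
            if tag in KEY_TAGS and body and body[0] < 4]

# Constructed sample (not real keys): v3 RSA key, user ID, v4 DSA key, user ID.
SAMPLE = (bytes([0x98, 8, 3, 0, 0, 0, 0, 0, 0, 1]) + bytes([0xB4, 3]) + b"old"
          + bytes([0xC6, 6, 4, 0, 0, 0, 0, 17]) + bytes([0xB4, 3]) + b"new")

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(legacy_keys(blob))
```

Run it with the path to a copy of the old keyring as the only argument; with no argument it parses the constructed sample.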
--- Comment #6 from Andreas Stieger
--- Comment #10 from Neil Rickert
--- Comment #12 from Neil Rickert
> Please report this issue upstream.

I have reported upstream as issue 1847. I attached a small keyring which demonstrates the problem.
--- Comment #13 from Neil Rickert
Andreas Stieger
> Werner Koch suggested a patch (for issue 1847)
> I'm not really set up for building a patched gpg at present. I guess I can download sources. But it will be a few days before I can find time.

Thanks for reporting upstream:
http://bugs.g10code.com/gnupg/issue1847

Reopening as an upstream patch is available:
http://bugs.g10code.com/gnupg/file559/0001-gpg-Skip-legacy-keys-while-search...

Test packages will be built shortly for you to test.
Andreas Stieger
Neil Rickert
Andreas Stieger
> The latest patch does improve things. But there are still problems.
>
> gpg --list-keys suse ### this now works
> gpg --list-keys rickert ### this now works.

Good, this will resolve this issue. Pushing to Base:System -> Factory -> Tumbleweed.

> However, I still have failures with opening kdewallet:
>
> ---
> Error when attempting to decrypt the wallet kdewallet using GPG. If you're using a SmartCard, please ensure it's inserted then try again.
>
> GPG error was Decryption failed
> ---
>
> My kdewallet encryption uses this key:
> pub   dsa1024/46B1EFE1 1999-07-05
> uid   [ full ] Neil W Rickert
> sub   elg2048/1F38684E 1999-07-05
>
> As far as I know, that key should be fine. There are some pgp2 signatures on that key, and perhaps that causes the problem.
>
> To me, this kdewallet problem is the main problem. When people upgrade from opensuse 13.2 to opensuse 13.3, some of them are going to find that they cannot access kdewallet.

Please report/clone this as a separate issue against KDE Factory / kde-maintainers to look into the kdewallet part.
--- Comment #18 from Neil Rickert
> Please report/clone this as a separate issue against KDE Factory / kde-maintainers to look into the kdewallet part.
It's a gpg problem, not a KDE problem.
I tried another test. I tried decrypting a file at the command line. I used a
script for reading encrypted mh mail. Here was the relevant part of the
output:
---
gpg: encrypted with 2048-bit ELG key, ID 1F38684E, created 1999-07-05
"Neil W Rickert
http://bugzilla.opensuse.org/show_bug.cgi?id=914625#c19
René Krell
Andreas Stieger
http://bugzilla.opensuse.org/show_bug.cgi?id=914625#c20
Neil Rickert
http://bugzilla.opensuse.org/show_bug.cgi?id=914625#c21
--- Comment #21 from René Krell
From the point of view of the distribution maintainers I understand the act of delegating it upstream, because migration of application-specific configuration files in the user home should really be handled correctly by the application. But I agree, the issue should not be closed as RESOLVED FIXED unless it is fixed upstream.
http://bugzilla.opensuse.org/show_bug.cgi?id=914625#c22
--- Comment #22 from Andreas Stieger
> It's pretty obvious that upstream doesn't want to do anything. And it is equally obvious that someone at opensuse agrees (and marks the bug as "resolved" when it isn't).

I set the bug as resolved-fixed after your positive feedback in comment #17, and I said so. Your feedback matches the bug summary and my understanding of the original issue. If you have evidence to the contrary on this very specific issue please reopen and provide information.

You mentioned further problems which are still bothering you. However a bug tracker is not a helpdesk system. This is why I cut down the original issue to be clearly defined. And I asked you specifically to do this:

> Please report/clone this as a separate issue against KDE Factory / kde-maintainers to look into the kdewallet part.

I am not aware of you having done that. This first bug is resolved, and I acknowledge that the multi-bug problem is not.
http://bugzilla.opensuse.org/show_bug.cgi?id=914625#c23
--- Comment #23 from Neil Rickert
> Please report/clone this as a separate issue against KDE Factory / kde-maintainers to look into the kdewallet part.

No, I did not report as a kdewallet problem, because it was 100% obvious that this was a gpg problem and not a kdewallet problem. I demonstrated that by showing that the same error arose attempting to decrypt an email message in an isolated file using gpg directly. I reported that in my upstream report, to which I provided a link.

I'm not interested in a continued argument over this. I accept that if upstream doesn't want to do anything, then there isn't much that can be done about it. I would have preferred the bug to be closed as WONTFIX rather than as fixed. Some other users are likely to run into the problem, just as René did.
Andreas Stieger