
bug#12696: 24.2.50; epa bug with gpg-agent


Richard Stallman

Oct 21, 2012, 12:40:24 PM
to 12...@debbugs.gnu.org
This bug report will be sent to the Bug-GNU-Emacs mailing list
and the GNU bug tracker at debbugs.gnu.org. Please check that
the From: line contains a valid email address. After a delay of up
to one day, you should receive an acknowledgment at that address.

Please write in English if possible, as the Emacs maintainers
usually do not have translators for other languages.

Please describe exactly what actions triggered the bug, and
the precise symptoms of the bug. If you can, give a recipe
starting from `emacs -Q':


EPA fails when trying to use gpg-agent. gpg-agent works when I run
gpg from a shell specifying --use-agent.

I tested this in a situation where gpg-agent already had my
passphrase.

I did emacs -Q; C-x m; inserted `rms' in To field, `Test' as Subject,
and `Testing' as body. I did M-x epa-mail-encrypt, which encrypted.
Then I did M-x epa-mail-decrypt, and it gave me the error

epg--check-error-for-decrypt: peculiar error: "Decryption failed", ""

The same test, conducted without the GPG agent, successfully decrypts
(after asking me for my passphrase).


If Emacs crashed, and you have the Emacs process in the gdb debugger,
please include the output from the following gdb commands:
`bt full' and `xbacktrace'.
For information about debugging Emacs, please read the file
/home/rms/emacs-bzr/trunk/etc/DEBUG.


In GNU Emacs 24.2.50.1 (mips64el-unknown-linux-gnu, GTK+ Version 2.12.12)
of 2012-10-20 on chiefs-gnewsense
Bzr revision: 110610 r...@gnu.org-20121021013546-97l6862aw3mmsbd4
System Description: gNewSense mipsel-l

Configured using:
`configure 'CFLAGS=-O0 -g' '--with-gif=no' '--with-tiff=no''

Important settings:
value of $LANG: en_US.UTF-8
locale-coding-system: utf-8-unix
default enable-multibyte-characters: t

Major mode: Emacs-Lisp

Minor modes in effect:
gpm-mouse-mode: t
tooltip-mode: t
mouse-wheel-mode: t
tool-bar-mode: t
menu-bar-mode: t
file-name-shadow-mode: t
global-font-lock-mode: t
font-lock-mode: t
auto-composition-mode: t
auto-encryption-mode: t
auto-compression-mode: t
line-number-mode: t
transient-mark-mode: t
abbrev-mode: t

Recent input:
C-x m r m s C-n C-n C-n C-n T e s t i n g . RET ESC
x e p a SPC m a i l SPC e n c TAB RET y ESC x e p d
DEL a d RET C-x C-f . e m a c s RET C-s e p a d C-n
C-n C-n C-n C-n C-n C-h f RET C-x o TAB RET C-x 1 C-u
C-n C-n C-n TAB RET C-_ ESC f C-h f RET C-x o TAB RET
C-x 1 C-v C-n C-p ESC f C-h f RET C-x o TAB RET x 1
C-_ C-x 1 C-v C-u C-n C-n C-n C-n C-n C-n C-n ESC f
ESC f ESC f ESC f C-h f RET C-x o TAB RET C-x 1 C-u
C-n C-u C-n C-n ESC f C-h f RET C-x o TAB RET C-x 1
C-u C-n C-u C-u C-n C-u C-p C-p C-p C-p ESC f C-h f
RET C-x o TAB RET C-x 1 C-x C-g ESC : ( g e t e v f
DEL v DEL DEL n v SPC " G P G _ A G E N T _ I N F O
" ) RET C-v ESC < ESC x r e p o r t SPC e m a s SPC
DEL c s SPC u g DEL DEL b u g RET

Recent messages:
Undo!
Type C-x 1 to delete the help window.
mouse-2, RET: find function's definition
Type C-x 1 to delete the help window.
mouse-2, RET: find function's definition
Type C-x 1 to delete the help window.
mouse-2, RET: find function's definition
"/tmp/gpg-hfrLmv/S.gpg-agent:14570:1"
Auto-saving...done
Mark set

Load-path shadows:
None found.

Features:
(shadow emacsbug vc-bzr find-func help-mode help-fns misearch
multi-isearch epa-mail epa derived epg epg-config mailalias rmailmm
message sendmail format-spec rfc822 mml easymenu mml-sec mm-decode
mm-bodies mm-encode mailabbrev gmm-utils mailheader mail-parse rfc2231
dired t-mouse time-date rmailedit rmail rfc2047 rfc2045 ietf-drums
mm-util mail-prsvr mail-utils paren cus-start cus-load tooltip
ediff-hook vc-hooks lisp-float-type mwheel x-win x-dnd tool-bar dnd
fontset image regexp-opt fringe tabulated-list newcomment lisp-mode
register page menu-bar rfn-eshadow timer select scroll-bar mouse
jit-lock font-lock syntax facemenu font-core frame cham georgian
utf-8-lang misc-lang vietnamese tibetan thai tai-viet lao korean
japanese hebrew greek romanian slovak czech european ethiopic indian
cyrillic chinese case-table epa-hook jka-cmpr-hook help simple abbrev
minibuffer loaddefs button faces cus-face macroexp files
text-properties overlay sha1 md5 base64 format env code-pages mule
custom widget hashtable-print-readable backquote make-network-process
dbusbind dynamic-setting system-font-setting font-render-setting
move-toolbar gtk x-toolkit x multi-tty emacs)

--
Dr Richard Stallman
President, Free Software Foundation
51 Franklin St
Boston MA 02110
USA
www.fsf.org www.gnu.org
Skype: No way! That's nonfree (freedom-denying) software.
Use Ekiga or an ordinary phone call




Daiki Ueno

Oct 25, 2012, 5:45:59 AM
to r...@gnu.org, 12...@debbugs.gnu.org
Richard Stallman <r...@gnu.org> writes:

> EPA fails when trying to use gpg-agent. gpg-agent works when I run
> gpg from a shell specifying --use-agent.
>
> I tested this in a situation where gpg-agent already had my
> passphrase.
>
> I did emacs -Q; C-x m; inserted `rms' in To field, `Test' as Subject,
> and `Testing' as body. I did M-x epa-mail-encrypt, which encrypted.
> Then I did M-x epa-mail-decrypt, and it gave me the error
>
> epg--check-error-for-decrypt: peculiar error: "Decryption failed", ""
>
> The same test, conducted without the GPG agent, successfully decrypts
> (after asking me for my passphrase).

Could you gather the debug log by setting (setq epg-debug t)?
The log will be saved in " *epg-debug*" buffer.

Also the output of "gpg --version" would be helpful.

Thanks,
--
Daiki Ueno



Richard Stallman

Oct 25, 2012, 9:33:31 PM
to Daiki Ueno, 12...@debbugs.gnu.org
Can you reproduce the failure? What happens when you try?

Here's gpg --version.
gpg (GnuPG) 1.4.9
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2


Here's the *epg-debug* buffer contents after the test.


/usr/bin/X11/gpg --no-tty --status-fd 1 --yes --use-agent --enable-progress-filter --command-fd 0 --armor --textmode --output /tmp/epg-output2472DQN --encrypt -r 624DC565135EA668
[GNUPG:] PROGRESS stdin ? 0 0
[GNUPG:] BEGIN_ENCRYPTION 2 7
[GNUPG:] PROGRESS stdin ? 234 0
[GNUPG:] END_ENCRYPTION
/usr/bin/X11/gpg --no-tty --status-fd 1 --yes --use-agent --enable-progress-filter --command-fd 0 --output /tmp/epg-output2472dkZ --decrypt -- /tmp/epg-input2472QaT
[GNUPG:] PROGRESS /tmp/epg-input2472Qa ? 0 822
[GNUPG:] ENC_TO 879A7C37B1B10ED6 16 0
[GNUPG:] USERID_HINT 879A7C37B1B10ED6 Richard Stallman (Chief GNUisance) <r...@gnu.org>
[GNUPG:] NEED_PASSPHRASE 879A7C37B1B10ED6 624DC565135EA668 16 0
gpg: cancelled by user
[GNUPG:] MISSING_PASSPHRASE
[GNUPG:] BAD_PASSPHRASE 879A7C37B1B10ED6
gpg: encrypted with 1024-bit ELG-E key, ID B1B10ED6, created 2001-03-05
"Richard Stallman (Chief GNUisance) <r...@gnu.org>"
gpg: public key decryption failed: bad passphrase
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_FAILED
gpg: decryption failed: secret key not available
[GNUPG:] PROGRESS /tmp/epg-input2472Qa ? 822 822
[GNUPG:] END_DECRYPTION
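
Added example, not part of the original thread: a small sh/awk helper that reads the `[GNUPG:]` status lines of an *epg-debug* log like the one above and reports, per decryption attempt, which key gpg requested a passphrase for and whether one was supplied. The function names and verdict strings are made up for illustration; the field layout of `ENC_TO` and `NEED_PASSPHRASE` is assumed to follow GnuPG's doc/DETAILS, and the sample lines are copied from the log above.

```sh
#!/bin/sh
# Added example: triage gpg --status-fd output (as captured in *epg-debug*).
# Assumed field layout, per GnuPG doc/DETAILS:
#   ENC_TO <keyid> <algo> <keylen>
#   NEED_PASSPHRASE <keyid> <main-keyid> <algo> <keylen>

# epg_triage (hypothetical name): status log on stdin, one verdict line
# per decryption attempt on stdout.
epg_triage() {
    awk '
    $1 != "[GNUPG:]"           { next }      # skip human-readable "gpg:" lines
    $2 == "ENC_TO"             { enc = $3 }
    $2 == "NEED_PASSPHRASE"    { key = $3; prim = $4 }
    $2 == "MISSING_PASSPHRASE" { missing = 1 }
    $2 == "BAD_PASSPHRASE"     { bad = 1 }
    $2 == "DECRYPTION_OKAY"    { ok = 1 }
    $2 == "END_DECRYPTION" {
        if (ok)           verdict = "decrypted"
        else if (missing) verdict = "no-passphrase-supplied"
        else if (bad)     verdict = "wrong-passphrase"
        else              verdict = "no-usable-secret-key"
        asked = (key == "") ? "none" : key
        # A key ID that differs from the main key ID is a subkey.
        kind = (key == "") ? "-" : (key == prim ? "primary" : ("subkey-of-" prim))
        print verdict, "enc_to=" enc, "asked_for=" asked, kind
        enc = ""; key = ""; prim = ""; missing = 0; bad = 0; ok = 0
    }'
}

# Sample input: lines copied from the decrypt run in the log above.
sample_log() {
    cat <<'EOF'
[GNUPG:] ENC_TO 879A7C37B1B10ED6 16 0
[GNUPG:] NEED_PASSPHRASE 879A7C37B1B10ED6 624DC565135EA668 16 0
gpg: cancelled by user
[GNUPG:] MISSING_PASSPHRASE
[GNUPG:] BAD_PASSPHRASE 879A7C37B1B10ED6
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION
EOF
}

sample_log | epg_triage
```

On the log above this prints a `no-passphrase-supplied` verdict with `subkey-of-624DC565135EA668`: gpg asked for the passphrase of the encryption subkey 879A7C37B1B10ED6 and received none.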

Daiki Ueno

Oct 25, 2012, 9:55:39 PM
to r...@gnu.org, 12...@debbugs.gnu.org
Richard Stallman <r...@gnu.org> writes:

> Can you reproduce the failure? What happens when you try?

I can't reproduce it. Here, I got:

Decrypting...done
Replace the original text? (y or n) y

in *Messages* and decrypted text in the buffer.

> Here's the *epg-debug* buffer contents after the test.

Thanks.

> /usr/bin/X11/gpg --no-tty --status-fd 1 --yes --use-agent
> --enable-progress-filter --command-fd 0 --armor --textmode --output
> /tmp/epg-output2472DQN --encrypt -r 624DC565135EA668
> [GNUPG:] PROGRESS stdin ? 0 0
> [GNUPG:] BEGIN_ENCRYPTION 2 7
> [GNUPG:] PROGRESS stdin ? 234 0
> [GNUPG:] END_ENCRYPTION
> /usr/bin/X11/gpg --no-tty --status-fd 1 --yes --use-agent
> --enable-progress-filter --command-fd 0 --output
> /tmp/epg-output2472dkZ --decrypt -- /tmp/epg-input2472QaT
> [GNUPG:] PROGRESS /tmp/epg-input2472Qa ? 0 822
> [GNUPG:] ENC_TO 879A7C37B1B10ED6 16 0
> [GNUPG:] USERID_HINT 879A7C37B1B10ED6 Richard Stallman (Chief
> GNUisance) <r...@gnu.org>
> [GNUPG:] NEED_PASSPHRASE 879A7C37B1B10ED6 624DC565135EA668 16 0
> gpg: cancelled by user
> [GNUPG:] MISSING_PASSPHRASE
> [GNUPG:] BAD_PASSPHRASE 879A7C37B1B10ED6

Are you sure that you successfully preset the passphrase for this key?
If so, how did you do that?

Regards,
--
Daiki Ueno



Richard Stallman

Oct 26, 2012, 9:14:51 PM
to Daiki Ueno, 12...@debbugs.gnu.org
> Are you sure that you successfully preset the passphrase for this key?
> If so, how did you do that?

I use the script below to start Emacs. gpg gives me an error if I
don't enter the passphrase correctly, and asks again. Thus, when gpg
exits and lets emacs start, I know the passphrase is correct.

Maybe what's needed is to add code to record other data.
In the debug buffer, or in Lisp variables (I could examine them).


#!/bin/sh

eval `gpg-agent --daemon`
gpg --use-agent --output /dev/null --sign /dev/null > /dev/null

emacs -f normal-start

Richard Stallman

Oct 26, 2012, 9:14:51 PM
to Daiki Ueno, 12...@debbugs.gnu.org
I resend this because I got a bounce message from your email address.

Daiki Ueno

Nov 13, 2012, 12:53:08 AM
to r...@gnu.org, 12...@debbugs.gnu.org
Richard Stallman <r...@gnu.org> writes:

> I resend this hoping your email account is working now.

Oops, sorry. It seems that I sent the reply with a wrong From: address.
I often manually rewrite it when sending, to select SMTP server.

> Are you sure that you successfully preset the passphrase for this key?
> If so, how did you do that?
>
> I use the script below to start Emacs. gpg gives me an error if I
> don't enter the passphrase correctly, and asks again. Thus, when gpg
> exits and lets emacs start, I know the passphrase is correct.
>
> #!/bin/sh
>
> eval `gpg-agent --daemon`
> gpg --use-agent --output /dev/null --sign /dev/null > /dev/null
>
> emacs -f normal-start

From the output of M-x epa-list-keys, it looks like you have two keys
set up (one is DSA used for signing and one is ElGamal used for
encryption):

- Richard Stallman (Chief GNUisance) <r...@gnu.org>
- 624DC565135EA668 1024bits DSA
Created: 2001-03-05
Capabilities: sign certify authentication
Fingerprint: 6F818B215E159EF3FA26B0BE624DC565135EA668
- 879A7C37B1B10ED6 1024bits ELGAMAL_E
Created: 2001-03-05
Capabilities: encrypt
Fingerprint: 04C26DD3834A1AB3A3CAB2D4879A7C37B1B10ED6

So you probably need to let gpg-agent remember both.

#!/bin/sh

eval `gpg-agent --daemon`
gpg --use-agent --output /dev/null --sign /dev/null > /dev/null
gpg -r B1B10ED6 --encrypt < /dev/null | gpg --use-agent --output /dev/null > /dev/null

emacs -f normal-start

Regards,
--
Daiki Ueno



Andreas Schwab

Nov 13, 2012, 2:16:46 PM
to Daiki Ueno, 12...@debbugs.gnu.org, r...@gnu.org
Daiki Ueno <ue...@unixuser.org> writes:

> set up (one is DSA used for signing and one is ElGamal used for
> encryption):
>
> - Richard Stallman (Chief GNUisance) <r...@gnu.org>
> - 624DC565135EA668 1024bits DSA
> Created: 2001-03-05
> Capabilities: sign certify authentication
> Fingerprint: 6F818B215E159EF3FA26B0BE624DC565135EA668
> - 879A7C37B1B10ED6 1024bits ELGAMAL_E
> Created: 2001-03-05
> Capabilities: encrypt
> Fingerprint: 04C26DD3834A1AB3A3CAB2D4879A7C37B1B10ED6

That is normal, the second one is a subkey of the first one. Nowadays
gpg always creates such a subkey and it should handle that
transparently.

Andreas.

--
Andreas Schwab, sch...@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756 01D3 44D5 214B 8276 4ED5
"And now for something completely different."



Daiki Ueno

Nov 13, 2012, 2:53:38 PM
to Andreas Schwab, 12...@debbugs.gnu.org, r...@gnu.org
Andreas Schwab <sch...@linux-m68k.org> writes:

> Daiki Ueno <ue...@unixuser.org> writes:
>
>> set up (one is DSA used for signing and one is ElGamal used for
>> encryption):
>>
>> - Richard Stallman (Chief GNUisance) <r...@gnu.org>
>> - 624DC565135EA668 1024bits DSA
>> Created: 2001-03-05
>> Capabilities: sign certify authentication
>> Fingerprint: 6F818B215E159EF3FA26B0BE624DC565135EA668
>> - 879A7C37B1B10ED6 1024bits ELGAMAL_E
>> Created: 2001-03-05
>> Capabilities: encrypt
>> Fingerprint: 04C26DD3834A1AB3A3CAB2D4879A7C37B1B10ED6
>
> That is normal, the second one is a subkey of the first one. Nowadays
> gpg always creates such a subkey and it should handle that
> transparently.

Then, it might be a gpg-agent issue. Currently gpg-agent seems to think
separate passphrase is needed for each subkey.

You can try:

$ eval `gpg-agent --daemon`

$ gpg --use-agent -u <your main key-id> --output /dev/null --sign < /dev/null
# gpg-agent asks passphrase

$ gpg --use-agent -u <your main key-id> --output /dev/null --sign < /dev/null
# gpg-agent DOES NOT ask passphrase

$ gpg --use-agent -r <your main key-id> --output foo.gpg --encrypt < /dev/null
# gpg-agent DOES NOT ask passphrase

$ gpg --use-agent < foo.gpg
# gpg-agent asks passphrase

$ gpg --use-agent < foo.gpg
# gpg-agent DOES NOT ask passphrase

Regards,
--
Daiki Ueno



Richard Stallman

Nov 13, 2012, 7:46:29 PM
to Daiki Ueno, 12...@debbugs.gnu.org, sch...@linux-m68k.org
> Then, it might be a gpg-agent issue. Currently gpg-agent seems to think
> separate passphrase is needed for each subkey.
>
> You can try:

I don't understand the significance of the lines that follow:

> $ eval `gpg-agent --daemon`
>
> $ gpg --use-agent -u <your main key-id> --output /dev/null --sign < /dev/null
> # gpg-agent asks passphrase
>
> $ gpg --use-agent -u <your main key-id> --output /dev/null --sign < /dev/null
> # gpg-agent DOES NOT ask passphrase
>
> $ gpg --use-agent -r <your main key-id> --output foo.gpg --encrypt < /dev/null
> # gpg-agent DOES NOT ask passphrase
>
> $ gpg --use-agent < foo.gpg
> # gpg-agent asks passphrase
>
> $ gpg --use-agent < foo.gpg
> # gpg-agent DOES NOT ask passphrase

Are you asking me to try these commands in order to get information
to diagnose the problem?

Are you presenting them as proof of a bug in GPG and gpg-agent?

Something else?

Daiki Ueno

Nov 13, 2012, 8:30:03 PM
to r...@gnu.org, 12...@debbugs.gnu.org, sch...@linux-m68k.org
Richard Stallman <r...@gnu.org> writes:

> Are you presenting them as proof of a bug in GPG and gpg-agent?

Yes, and in a previous mail I was saying that you could probably work around
this by trying decryption as well as signing before starting emacs:

#!/bin/sh

eval `gpg-agent --daemon`

# remember passphrase for signing
gpg --use-agent -u "your key-id" --output /dev/null --sign < /dev/null

# remember passphrase for decryption
gpg -r "your key-id" --encrypt < /dev/null | gpg --use-agent

emacs -f normal-start

Replace "your key-id" with your GPG key ID.

Regards,
--
Daiki Ueno



Richard Stallman

Nov 14, 2012, 2:13:41 AM
to Daiki Ueno, 12...@debbugs.gnu.org, sch...@linux-m68k.org
>> Are you presenting them as proof of a bug in GPG and gpg-agent?
>
> Yes

Could you report the bug to Werner Koch <w...@gnupg.org>, please?

Richard Stallman

Nov 14, 2012, 2:14:14 AM
to Daiki Ueno, 12...@debbugs.gnu.org, sch...@linux-m68k.org
Your recipe made it work. Thanks.

Daiki Ueno

Nov 14, 2012, 9:51:41 PM
to r...@gnu.org, 12696...@debbugs.gnu.org
Richard Stallman <r...@gnu.org> writes:

> Could you report the bug to Werner Koch <w...@gnupg.org>, please?

Reported. Closing this bug.


