Decryption failed: No Secret Key


Richard Herbert

Aug 12, 2021, 1:10:20 AM8/12/21
to mu-discuss
I am new to mu4e. Running mu4e - mu for emacs version 1.4.15. My emacs (spacemacs) is 27.2.

Mu4e is working but I cannot get encryption to work. I mbsync in terminal with

mbsync --config ~/.emacs.d/.mbsyncrc m...@email.ca

This opens a password pop-up for gpg2.1 and I can index and obtain email after opening mu4e. However, when the password expires, I receive an error:

gpg: problem with the agent: No pinentry gpg: decryption failed: no secret key.

Yes, outgoing mail for mu4e will not popup a password box.

I can get all working without encryption. What did I miss with emacs that prevents emacs from asking for a password? 

Yes, I tried:  (setq epg-pinentry-mode 'loopback)


Tassilo Horn

Aug 12, 2021, 1:57:07 AM8/12/21
to mu-di...@googlegroups.com, Richard Herbert
Richard Herbert <rherbe...@gmail.com> writes:

Hi Richard,

> Mu4e is working but I cannot get encryption to work. I mbsync in
> terminal with
>
> mbsync --config ~/.emacs.d/.mbsyncrc m...@email.ca
>
> This opens a password pop-up for gpg2.1 and I can index and obtain
> email after opening mu4e. However, when the password expires, I
> receive an error:
>
> gpg: problem with the agent: No pinentry gpg: decryption failed: no secret
> key.

Do you mean that in your .mbsyncrc you have a PassCmd which retrieves
your mail password from some gpg encrypted file and that works from
terminal but not when emacs wants to do it later and the password has
already expired?

If so, I use the same mechanism which works. I have in .mbsyncrc

--8<---------------cut here---------------start------------->8---
PassCmd +"gpg --decrypt --no-tty --for-your-eyes-only ~/.authinfo.gpg 2> /dev/null | grep imap.fastmail.com | sed 's/.*password \\([^ ]\\+\\).*/\\1/'"
--8<---------------cut here---------------end--------------->8---

and this snippet in my ~/.profile:

--8<---------------cut here---------------start------------->8---
# See (info "(gnupg)Agent Examples")

# This (also) needs to be set on every new shell, so needs to go in the shell
# config file. Otherwise pinentry in tmux won't work.
export GPG_TTY=`tty`

unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh"
fi
--8<---------------cut here---------------end--------------->8---

On the emacs side, I have

--8<---------------cut here---------------start------------->8---
;; Automatically encrypt files with pgp extension.
(epa-file-enable)

;; Query Passwords via emacs minibuffer. The negative consequence is that
;; it'll error immediately after an unsuccessful attempt instead of allowing up
;; to three tries.
;;
;;(setq epg-pinentry-mode 'loopback)
(setq epg-pinentry-mode 'ask)
--8<---------------cut here---------------end--------------->8---

HTH,
Tassilo
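
As an added example (not Tassilo's, mu4e's or isync's own code), here is the PassCmd mechanism above as a small POSIX shell script: one function pulls the password for a named "machine" entry out of authinfo-style text, and a wrapper feeds it the output of gpg --decrypt the way an mbsync PassCmd would. The host names, login and password values in the embedded sample are constructed, and the function names are assumptions. Compared with the grep/sed one-liner above, it matches the machine field exactly rather than any line containing the host string, strips the double quotes that auth-source allows around a password, and exits non-zero instead of printing an empty password when the host is missing.

```shell
#!/bin/sh
# Added example, not from the mu-discuss thread or the mu4e/isync projects.

# Constructed authinfo-style sample (hosts, login and passwords are made up).
SAMPLE_AUTHINFO='machine imap.example.test login me@example.test port 993 password "s3cret"
machine smtp.example.test login me@example.test port 587 password plain-secret
# a comment line that must be ignored
'

# authinfo_password HOST: read authinfo/netrc text on stdin and print the
# password of the entry whose "machine" field is exactly HOST.
# Exit status 1 when no such entry exists, so a PassCmd does not hand mbsync
# an empty password.
authinfo_password() {
    awk -v host="$1" '
        /^[ \t]*#/ { next }                      # skip comment lines
        $1 == "machine" && $2 == host {
            if (match($0, /[ \t]password[ \t]+/)) {
                rest = substr($0, RSTART + RLENGTH)
                if (substr(rest, 1, 1) == "\"") {  # "quoted value"
                    sub(/^"/, "", rest); sub(/".*$/, "", rest)
                } else {                            # bare token
                    sub(/[ \t].*$/, "", rest)
                }
                print rest; found = 1; exit
            }
        }
        END { exit (found ? 0 : 1) }'
}

# mbsync_passcmd HOST FILE.gpg (assumed name): what an mbsync PassCmd line
# would run. --no-tty keeps gpg from trying a terminal prompt itself, so the
# passphrase comes either from gpg-agent's cache or from a pinentry the agent
# starts; stderr is dropped because mbsync treats stdout as the password.
mbsync_passcmd() {
    gpg --quiet --no-tty --for-your-eyes-only --decrypt "$2" 2>/dev/null \
        | authinfo_password "$1"
}

# Stand-alone demonstration on the constructed sample (prints s3cret).
printf '%s\n' "$SAMPLE_AUTHINFO" | authinfo_password imap.example.test
```

In .mbsyncrc this would be used as PassCmd "+sh /path/to/script.sh imap.example.test ~/.authinfo.gpg" with the demonstration line removed; the leading + is what lets mbsync give the command a terminal if the agent has to fall back to a curses pinentry.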

Richard Herbert

Aug 12, 2021, 3:24:33 AM8/12/21
to mu-discuss
Appreciate your reply.

"Do you mean that in your .mbsyncrc you have a PassCmd which retrieves
your mail password from some gpg encrypted file and that works from
terminal but not when emacs wants to do it later and the password has
already expired?"

Yes.

In my .mbsyncrc the line under discussion is:

      PassCmd "gpg2 -q --for-your-eyes-only --no-tty -d ~/.emacs.d/.mbsyncpass.gpg"

My .authinfo file contains:

     machine host.name.com login m...@email.ca port ## password "mypasswd"

my .mbsyncpass and .authinfo are encrypted by:

    gpg --output .mbsyncpass.gpg --symmetric .mbsyncpass

    gpg --output ~/.authinfo.gpg --symmetric ~/.authinfo

I have nothing in my .profile related to gpg and I do not have "epa-file-enable" in my .spacemacs file. I have also not set up encryption in my emacs previously.

What do you mean by "this needs to be set in every new shell, so needs to go in the shell config file"? Also, is that a typo in your "automatically encrypt files with 'pgp' extension"?

I will reiterate that all is working for mu4e except encryption with emacs, which is a pain with expiring passwords and sending mail (without removing encryption from .authinfo).

Does your suggestion remain unchanged with this new info?

Tassilo Horn

Aug 12, 2021, 4:54:29 AM8/12/21
to mu-di...@googlegroups.com, Richard Herbert
Richard Herbert <rherbe...@gmail.com> writes:

Hi Richard,

> "Do you mean that in your .mbsyncrc you have a PassCmd which retrieves
> your mail password from some gpg encrypted file and that works from
> terminal but not when emacs wants to do it later and the password has
> already expired?"
>
> Yes.

Ok, good.

> In my .mbsyncrc the line at discussion is:
>
> PassCmd "gpg2 -q --for-your-eyes-only --no-tty -d
> ~/.emacs.d/.mbsyncpass.gpg"
>
> My .authinfo file contains:
>
> machine host.name.com login m...@email.ca port ## password "mypasswd"
>
> my .mbsyncpass and .authinfo are encrypted by:
>
> gpg --output .mbsyncpass.gpg --symmetric .mbsyncpass
>
> gpg --output ~/.authinfo.gpg --symmetric ~/.authinfo

Looks good, I think.

> I have nothing in my .profile related to gpg and I do not have
> "epa-file-enable" in my .spacemacs file.

Then try it.

> I have also not set up encryption in my emacs previously.
>
> What do you mean by "this needs to be set in every new shell, so needs
> to go in the shell config file"?

That's what's documented in the gpg-agent info docs, see
(info "(gnupg) Agent Examples").

Sorry, I'm no expert here.

> Also, is that a typo in your "automatically encrypt files with 'pgp'
> extension"?

Yes.

> Does your suggestion remain unchanged with this new info?

Yes, so try putting (epa-file-enable) in your ~/.emacs and the gpg-agent
bits in your shell init file. I have it in ~/.profile and make my
~/.bashrc, ~/.zshrc, and ~/.config/fish/config.fish source ~/.profile so
that I don't have to do that for each shell I might use.

Bye,
Tassilo

Richard Herbert

Aug 13, 2021, 11:30:08 PM8/13/21
to mu-discuss

I appreciate your suggestions. I am still, though, unable to update email and database while in Mu4e with S-u after my password expires from executing the following in terminal:

  mbsync --config ~/.emacs.d/.mbsyncrc m...@email.ca


I do not SSH in, but I placed the following into both .bashrc and .profile (in ~/):

  GPG_TTY=$(tty)
  export GPG_TTY


I have added the following into my dotspacemacs user config:

  (require 'epa-file)
  (epa-file-enable)
  (setq epg-pinentry-mode 'loopback)


There was no effect. My .authinfo.gpg file is:

  machine host.service.name login m...@email.ca port XX password mypassword


My .mbsyncpass.gpg file is:

  mypasswrd


My .mbsyncrc file is:

  IMAPAccount m...@email.ca
  Host host.service.name
  User m...@email.ca
  PassCmd "gpg2 -q --for-your-eyes-only --no-tty -d ~/.emacs.d/.mbsyncpass.gpg"
  Port XXX
  SSLType IMAPS
  SSLVersions TLSv1.2
  AuthMechs *

  IMAPStore m...@email.ca-remote
  Account m...@email.ca

  MaildirStore m...@email.ca-local
  Path ~/maildir/mbsyncmail/
  Inbox ~/maildir/mbsyncmail/INBOX
  SubFolders Verbatim

  Channel m...@email.ca
  Far :m...@email.ca-remote:
  Near :m...@email.ca-local:
  Patterns "INBOX" "Drafts" "Sent"
  Create Near
  Sync All
  Expunge None
  SyncState *


Portions of my dotspacemacs user-config that may be relevant are:

  (setq mu4e-get-mail-command "mbsync -c ~/.emacs.d/.mbsyncrc -a"
        mu4e-update-interval nil)
  (setq smtpmail-auth-credentials "~/.authinfo.gpg")


I am using:

  (emacs) spacemacs 27.2
  Mu4e - mu for emacs version 1.4.15
  OS is Opensuse Tumbleweed
  gpg is GnuPG 2.2.27


The error I see in Mu4e with S-u is:

  gpg: problem with the agent: No pinentry
  gpg: decryption failed: no secret key


As I mentioned before, I encrypted .mbsyncpass and .authinfo with:

  gpg --output .mbsyncpass.gpg --symmetric .mbsyncpass
  gpg --output ~/.authinfo.gpg --symmetric ~/.authinfo


Spacemacs has a .spacemacs.env file as well as a .spacemacs file now. Within the .spacemacs.env I notice the following, which may be an issue but appears to be some sort of default value:

  GPG_TTY=not a tty


I cannot be the only newcomer with pinentry problems. Again, I ask for help.  

Richard

Tassilo Horn

Aug 14, 2021, 3:46:45 AM8/14/21
to mu-di...@googlegroups.com, Richard Herbert
Richard Herbert <rherbe...@gmail.com> writes:

Hi Richard,

> Spacemacs has a .spacemacs.env file as well as a .spacemacs file now.
> Within the .spacemacs.env I notice the following which may be an issue
> but it appears to be some sort of default value:
>
> GPG_TTY=not a tty

Have you tried commenting out that line, restarting spacemacs, and
trying again?

Also check that the option no-allow-loopback-pinentry isn't set in your
~/.gnupg/gpg-agent.conf.

As a workaround, you can try setting very high expiration TTLs in
~/.gnupg/gpg-agent.conf so that the agent caches your passphrases
longer. See the options ending in "ttl" in man gpg-agent(1). Of
course, that's only sensible if you are sure nobody can get access to
your computer.

> I cannot be the only newcomer with pinentry problems. Again, I ask for
> help.

Can you open your ~/.authinfo.gpg with C-x C-f after the password
expired? I guess, no. In that case I'd ask on some spacemacs forum (or
at least, the gnu-emacs-help mailinglist) to give you a wider audience.

Bye,
Tassilo
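
The two checks Tassilo suggests, the no-allow-loopback-pinentry option and the cache TTLs, plus the GPG_TTY value Richard found, as an added shell example (not from the thread and not GnuPG's or Spacemacs' own code). The functions read gpg-agent.conf text on stdin, so they run against the constructed sample embedded below as well as against a real ~/.gnupg/gpg-agent.conf; the 600 and 7200 second defaults are gpg-agent's documented built-in values for default-cache-ttl and max-cache-ttl, and gpg_tty_ok only checks that GPG_TTY names a device under /dev, which is exactly what the "not a tty" placeholder fails. Function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the mu-discuss thread or from GnuPG.

# Constructed gpg-agent.conf sample: loopback pinentry disabled, long cache.
SAMPLE_AGENT_CONF='# pinentry to use
pinentry-program /usr/bin/pinentry-curses
no-allow-loopback-pinentry
default-cache-ttl 86400
'

# agent_option NAME DEFAULT: print NAME's value from gpg-agent.conf text on
# stdin ("set" for a flag that takes no value), or DEFAULT when NAME is absent.
# Comment and blank lines are skipped; the last occurrence is the one used.
agent_option() {
    awk -v opt="$1" -v def="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == opt { val = (NF > 1 ? $2 : "set"); found = 1 }
        END { print (found ? val : def) }'
}

# 0 when Emacs loopback pinentry (epg-pinentry-mode set to loopback) can work:
# allow-loopback-pinentry is the default in current GnuPG, so only an explicit
# no-allow-loopback-pinentry in the config blocks it.
agent_allows_loopback() {
    [ "$(agent_option no-allow-loopback-pinentry absent)" = absent ]
}

# agent_cache_ttl: effective lifetime in seconds of an untouched cache entry,
# i.e. the smaller of default-cache-ttl (built-in default 600) and
# max-cache-ttl (built-in default 7200, which also caps the first value).
agent_cache_ttl() {
    conf=$(cat)
    d=$(printf '%s\n' "$conf" | agent_option default-cache-ttl 600)
    m=$(printf '%s\n' "$conf" | agent_option max-cache-ttl 7200)
    if [ "$d" -gt "$m" ]; then echo "$m"; else echo "$d"; fi
}

# gpg_tty_ok VALUE: 0 when GPG_TTY looks like a terminal device. "not a tty"
# (the Spacemacs placeholder) or an empty value leaves gpg-agent with nowhere
# to open a pinentry, which surfaces as "problem with the agent: No pinentry".
gpg_tty_ok() {
    case $1 in
        /dev/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Stand-alone run against the constructed sample and the current environment.
if printf '%s\n' "$SAMPLE_AGENT_CONF" | agent_allows_loopback; then
    echo "loopback pinentry: allowed"
else
    echo "loopback pinentry: blocked by no-allow-loopback-pinentry"
fi
echo "cache lifetime: $(printf '%s\n' "$SAMPLE_AGENT_CONF" | agent_cache_ttl) s"
if gpg_tty_ok "${GPG_TTY:-}"; then
    echo "GPG_TTY ok: $GPG_TTY"
else
    echo "GPG_TTY unusable: '${GPG_TTY:-}'"
fi
```

To audit a real setup, replace the sample with "agent_cache_ttl < ~/.gnupg/gpg-agent.conf" and "agent_allows_loopback < ~/.gnupg/gpg-agent.conf"; a cache lifetime of a day or more is the trade-off Tassilo describes, convenient only on a machine nobody else can reach while it is unlocked.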

Richard Herbert

Aug 16, 2021, 1:05:22 AM8/16/21
to mu-discuss
Again, your help is appreciated -- solved!

Removing/commenting out "GPG_TTY=not a tty" played havoc with mu4e gpg encryption. For lack of a better explanation, removing that code from .spacemacs.env "disconnects" emacs and mu4e from gnupg. Not a solution.

I have no configuration file within my ~/.gnupg. I did find /etc/gnupg/gpgconf.conf in which everything is commented out. I entered changes on the command line that did not show up in the gpgconf.conf file. They were:

   gpg-agent no-allow-loopback-pinentry
   gpg-agent allow-loopback-pinentry
   gpg-agent pinentry-timeout 0
   gpg-agent allow-emacs-pinentry
   gpg-agent default-cache-ttl 1800

I also found in YAST software "pinentry-emacs 1.1.1-2.5", which I installed. I had previously installed "pinentry 1.1.1-2.4" from YAST, and in emacs I had installed "pinentry 0.1" from an available elpa package. I also, in emacs, executed M-x auth-source-forget-all-cached. I also went into M-x customize-group with mu4e open and selected auth-source. I then deleted ~/.authinfo from Auth-Sources (I am using ~/.authinfo.gpg).

After a few tries with rebooting a number of times, I can bypass running mbsync from a command line. I need to:

  1. open emacs and C-x C-f to select ~/.emacs.d/.mbsyncpass.gpg. This will ask for my gpg password and decrypt .mbsyncpass.gpg
  2. open mu4e C-c m (my keybinding) and S-u.
  3. After composing an email and hitting C-c C-c, I am asked for my password for ~/.authinfo.gpg to send out email. Emacs suggests that I save as .authinfo, but I chose "n". Emacs with auth-source remembers my password for .authinfo.gpg for a time that can be set through the auth-source group.

I have not set configuration in gpgconf.conf yet, but I will.

These protocols along with those mentioned earlier (repeated below) resolved my problem - appreciated!!!

   I placed the following in ~/.bashrc and ~/.profile:
      GPG_TTY=$(tty)
      export GPG_TTY
   and I added to my .spacemacs user config:
      (require 'epa-file)
      (epa-file-enable)
      (setq epg-pinentry-mode 'loopback)

I appreciate your help. I posted this follow-up to help other new mu4e-users who may be having pinentry/decryption problems with Mu4e.

Richard