gpg: decryption failed: No secret key #92

Closed
fturco opened this Issue Sep 7, 2015 · 49 comments


fturco commented Sep 7, 2015

I just installed Qtpass. It correctly sees all my previous accounts but I can't see their contents because of the following red error:

gpg: decryption failed: No secret key

It also doesn't ask me for the master password.

I tried changing settings in Configuration > Programs from "native git/gpg" to "use pass" but Qtpass always returns me the same error.

I'm also able to see my gpg secret key with the following command:

gpg --list-secret-keys

wgroenewold commented Sep 9, 2015

Which options did you set for your GPG keys? @dennisdegreef has a great article about setting keys in GPG: http://www.dennisdegreef.net/2015/07/yubikey-neo-with-pgp-subkeys/


Contributor

dennisdegreef commented Sep 9, 2015

@fturco Could it be that your terminal is using a custom $GPGHOME environment variable?


fturco commented Sep 9, 2015

The following command returns nothing:

$ echo $GPGHOME

fturco commented Sep 9, 2015

My knowledge of cryptography and GnuPG is quite limited. I don't know how to show options for GPG keys, but the following command output may be interesting:

$ gpg --edit-key XXXXXXXX
gpg (GnuPG) 2.1.7; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa2048/XXXXXXXX
     created: 2013-11-01  expires: never       usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa2048/YYYYYYYY
     created: 2013-11-01  expires: never       usage: E   
[ultimate] (1). Francesco Turco <fturco@fastmail.fm>

tristan-k commented Sep 29, 2015

I'm struggling with the same issue.


Contributor

dennisdegreef commented Sep 29, 2015

@fturco @tristan-k What operating system are you running? May be related? (wild guess)


tristan-k commented Sep 29, 2015

I'm using Ubuntu 15.04 64bit.

$ uname -a
Linux Ubuntu 3.19.6 #1 SMP Wed Apr 29 11:04:21 MDT 2015 x86_64 x86_64 x86_64 GNU/Linux


tristan-k commented Sep 29, 2015

I just tried to use my password-store with just pass and I'm getting the same error. I guess it must be related to my gpg-key then, but I don't have a clue. EDIT: Or maybe not, see this


Member

annejan commented Sep 29, 2015

Are you using Gnome?

It might be the Gnome Keyring https://github.com/IJHack/qtpass/blob/master/FAQ.md


Member

annejan commented Sep 29, 2015

Is gpg or gpg2 set in the [programs] tab in [config] ?

Can you try 'native' with the gpg2 executable set?


tristan-k commented Sep 29, 2015

I do use Gnome Keyring but I disabled the autostart with X-GNOME-Autostart-enabled=false in ~/.config/autostart/gnome-keyring-gpg.desktop. I don't know how to disable Gnome Keyring in Ubuntu without getting massive issues.

gpg2 is already set in the config. I also tried Use pass without success.


Member

annejan commented Sep 29, 2015

With a bit of luck I can try these things out tonight on a clean Ubuntu VM.

Will keep you updated.


tristan-k commented Sep 29, 2015

Thanks! I appreciate your effort.


fturco commented Sep 29, 2015

@dennisdegreef: I use the Parabola GNU/Linux-libre distribution, a derivative of Arch Linux.


fturco commented Sep 29, 2015

@annejan: I get the same error message both under GNOME and under "pure" Openbox.

annejan added the bug label Oct 2, 2015

skrzepto commented Nov 24, 2015

I'm getting the same issue with Fedora 22


Member

annejan commented Nov 24, 2015

Working on it, seems to mostly be a gpg2 or wrong settings for pinentry issue.
But we do have to address this issue!


skrzepto commented Nov 25, 2015

One thing I noticed is that when I decrypt the password file directly using gpg

gpg -d test.gpg

it prompts me for my passphrase to unlock and successfully shows me what's inside. But when I try again using pass Email/test it fails again

$ pass -c Email/test 
gpg: decryption failed: No secret key


Member

annejan commented Nov 25, 2015

The passphrase dialog, is that a graphical or text-based one?

Unfortunately we can't "wrap" the cli passphrase dialog. Currently qtpass only works with a graphical "pinentry" dialog.


skrzepto commented Nov 25, 2015

It's the text-based one


Member

annejan commented Nov 25, 2015

There is currently no sane way to use that in combination with qtpass.

Implementing such a feature would probably introduce a plethora of security issues.

I'll see if there is a way to (via environment variables or such) force the use of a graphical version when using qtpass.
Or in the least warn about incompatibility.


drtomasso commented Feb 2, 2016

It must be a problem with pinentry then? I get the same error on a Mac OS X El Capitan. I'm able to decrypt using gpg2 -d test.gpg, but in qtpass:

gpg-agent[17546]: command get_passphrase failed: Inappropriate ioctl for device
gpg: problem with the agent: Inappropriate ioctl for device
gpg: decryption failed: No secret key

It never asks me for the passphrase, shouldn't it do this?


Member

annejan commented Feb 2, 2016

Where did you get the GnuPG from?
homebrew/macports or https://gpgtools.org/ ?

We cannot use the non-graphical pinentry . .
Since wrapping that would expose your passphrase/pin to QtPass, which is very bad from a separation of concerns PoV. Related: #156

GPG has graphical ways to ask for pinentry, which are the preferred way to do this in a graphical environment, however I haven't invested time to try out alternative GPG2 builds on OSX.


drtomasso commented Feb 2, 2016

Ah, ok. Installing from gpgtools.org solved my problem. Thanks.

annejan closed this Feb 2, 2016

Member

annejan commented Feb 15, 2016

Via mail:

Looks like a compatibility issue has arisen between gpg and gpg2 where
gpg-generated keys don't make it into the secure keyring in gpg2.

When I ran gpg -K I saw both keys; when I ran gpg2 -K only the original
key was listed.

A workaround would be to alias gpg to gpg2 in your .bashrc


mashdot commented Feb 26, 2016

Recently had pass "break" on me, and this thread is all I could find so far. Running qtpass returns nothing.

~$ pass -c test
gpg: decryption failed: No secret key

But directly using gpg -d .password-store/test.gpg works fine and I can decrypt.

Linux tzara 4.3.0-1-amd64 #1 SMP Debian 4.3.5-1 (2016-02-06) x86_64 GNU/Linux


Member

annejan commented Feb 26, 2016

Could you try the same with gpg2?

It seems the gpg without 2 on the end has some issues with pass..


mashdot commented Feb 26, 2016

OK so set -x on /usr/bin/pass to get the final command.

~$ gpg2 -d --quiet --yes --compress-algo=none --no-encrypt-to --batch --use-agent /home/mash/.password-store/test.gpg
gpg: decryption failed: No secret key

So tried the following which works (note: had to remove --batch --use-agent)...

gpg -d --quiet --yes --compress-algo=none --no-encrypt-to /home/mash/.password-store/test.gpg

In /usr/bin/pass you have...

GPG_OPTS=( "--quiet" "--yes" "--compress-algo=none" "--no-encrypt-to" )
GPG="gpg"
export GPG_TTY="${GPG_TTY:-$(tty 2>/dev/null)}"
which gpg2 &>/dev/null && GPG="gpg2"
[[ -n $GPG_AGENT_INFO || $GPG == "gpg2" ]] && GPG_OPTS+=( "--batch" "--use-agent" )

So for now I have just commented out the gpg2 lines so it always uses gpg.

Thus pass -c test now works for me. Although qtpass still doesn't return anything.


Member

annejan commented Feb 26, 2016

You could try switching to gpg in the "programs" tab in config but we also use the batch features of gpg2 like pass..
Perhaps using qtpass with your patched pass might also work.

I don't think implementing gpg1 compatibility will be a thing I'm likely to add in the foreseeable future though.


mashdot commented Feb 26, 2016

Well running qtpass doesn't do anything. I mean nothing, no program, no error, nada. Tried removing and reinstalling but no joy.


Member

annejan commented Feb 26, 2016

Ahh, that's a whole different issue then.

Could be related to the "single instance" stuff which will soon be fixed.
Or (if set) the hide to systray or menu bar feature.

The application when called just quits and doesn't show any error message or anything?

You could try removing the config from ~/.config/IJhack/qtpass (or something close to that, on mobile atm)

If all else fails I'll have a look to see if I can reproduce this error tonight


mashdot commented Feb 26, 2016

OK thanks, fiddled around ~/.config/IJHack/QtPass.conf and no joy. Tried to remove purge everything and reinstall and still nothing.


krismatthews commented Apr 30, 2016

I ran into this problem as well, and it turned out to be self inflicted. My ~/.gnupg/gpg-agent.conf specified a pinentry-program that was not installed on my system. :)


gmp216 commented Oct 21, 2016

I ran into the same problem with pass on the command line (not Qtpass) on Linux -- gpg would decrypt my passwords but the pass command would not. Turns out pass was calling gpg2 and gpg2 stores keys differently than gpg.

Simple fix is to import your secret key into gpg2. Now both gpg and gpg2 can read my secret key and all is well:

$ gpg --export [ID] > public.key
$ gpg --export-secret-key [ID] > private.key
$ gpg2 --import public.key
$ gpg2 --import private.key
$ rm public.key private.key

annejan added a commit that referenced this issue Oct 24, 2016

annejan added a commit that referenced this issue Oct 24, 2016


alaindanet commented Feb 23, 2017

@gmp216 Thank you so much for sharing, I had the same problem with pass and your solution worked for me as well.
However, there is just a little typo in your answer which made your fix fail on my first try.

You have just missed the s of keys in the export-secret-keys gpg argument.
The corrected line:
gpg --export-secret-keys [ID] > private.key


muminoff commented Mar 1, 2017

I got it working by just killing the gpg-agent process.


gloomytrousers commented Mar 23, 2017

Better commands, which avoid use of temporary files:

gpg --export [ID] | gpg2 --import
gpg --export-secret-keys [ID] | gpg2 --import

Droogans commented Sep 11, 2017

@muminoff I tried killing gpg-agent like this, but wasn't able to wait long enough for it to complete (about 2 minutes).

I just restarted my machine and it was working again.


ad-m commented Jan 15, 2018

Better command, which avoids copying and pasting the key ID:

gpg --export $(cat ~/.password-store/.gpg-id) | gpg2 --import
gpg --export-secret-keys $(cat ~/.password-store/.gpg-id) | gpg2 --import

Thanks @gmp216 for sharing your fix. It helped me too!


SamHH commented May 5, 2018

Tearing my hair out a bit here, struggling with the same issue. Sorry that this isn't really the right place but it's somehow become the most informative page on the net about this issue with GPG...! 😞

I'm on Arch with GPG version 2.2.6 (both gpg and gpg2 commands) and latest pass. As of a week ago I started getting this decryption failed error, interspersed with the occasional timeout error and the occasional success. It also causes my terminals (tried multiple) to fail to exit without me killing them. I've tried re-exporting/importing the keys (pub + priv), and I've tried killing gpg-agent by various different means, all of this to no success. I even tried reinstalling gnupg, gpgme, pinentry, and pass packages, which was challenging given that Pacman has a dependency on a couple of them! I have restarted multiple times as well. All to no avail. Most curiously, this happens not just with pass but also with plain gpg decryption (gpg -d <file>).

Anyone have any other ideas or steps I can take to debug? Cheers!

Edit: Turns out an update to I presume gpg caused it to no longer automatically know which pinentry application to use. Setting it specifically fixes it, e.g. (at ~/.gnupg/gpg-agent.conf - create it if it's not already there):

pinentry-program /usr/bin/pinentry-gtk-2

Replace that with another equivalent that works for you; this is what it was defaulting to before for me.
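
Added example (not part of the original thread, and not code from pass, QtPass or GnuPG): a shell check for the two causes reported in the comments above, a secret key that one gpg binary cannot see and a pinentry-program path that does not exist. It assumes the store is ~/.password-store unless PASSWORD_STORE_DIR is set and the GnuPG home is ~/.gnupg unless GNUPGHOME is set; the function names are made up for this sketch.

```shell
#!/bin/sh
# Added diagnostic sketch; not part of pass, QtPass or GnuPG.
# Function names are made up for this example.

# missing_secret_keys GPG IDFILE
# Print each recipient in IDFILE (one per line, as in pass's .gpg-id) for
# which the given gpg binary reports no secret key.
missing_secret_keys() {
    gpg_bin=$1
    idfile=$2
    while IFS= read -r id || [ -n "$id" ]; do
        [ -n "$id" ] || continue
        # gpg exits non-zero when it cannot find a secret key for the argument.
        "$gpg_bin" --batch --list-secret-keys "$id" </dev/null >/dev/null 2>&1 \
            || printf '%s\n' "$id"
    done < "$idfile"
}

# pinentry_status CONF
# Print "unset", "ok PATH" or "missing PATH" for the pinentry-program line in
# a gpg-agent.conf. If several lines are present, only the last is checked.
pinentry_status() {
    conf=$1
    [ -r "$conf" ] || { echo "unset"; return 0; }
    prog=$(sed -n 's/^[[:space:]]*pinentry-program[[:space:]]\{1,\}//p' "$conf" | tail -n 1)
    [ -n "$prog" ] || { echo "unset"; return 0; }
    if [ -x "$prog" ]; then echo "ok $prog"; else echo "missing $prog"; fi
}

# diagnose: run both checks against the current user's store and GnuPG home.
diagnose() {
    store=${PASSWORD_STORE_DIR:-$HOME/.password-store}
    gnupg_home=${GNUPGHOME:-$HOME/.gnupg}
    for g in gpg gpg2; do
        command -v "$g" >/dev/null 2>&1 || continue
        missing=$(missing_secret_keys "$g" "$store/.gpg-id" | tr '\n' ' ')
        echo "$g: recipients without a secret key: ${missing:-none}"
    done
    echo "pinentry-program: $(pinentry_status "$gnupg_home/gpg-agent.conf")"
}

# Only touch the real keyring when asked to: sh check.sh --run
if [ "${1:-}" = "--run" ]; then diagnose; fi
```

A recipient reported for gpg2 but not for gpg matches the keyring mismatch described by gmp216; a "missing" pinentry result matches the misconfiguration described by krismatthews.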


otremblay commented May 8, 2018

I suffer from the same, running on Arch too. This is not a pass problem, it's a gpg problem, apparently.


Contributor

kenji21 commented Jun 20, 2018

Same problem on macOS, without using QtPass (can be reproduced when asking for multiple passwords in parallel (from a python script or shell for example))


guodong000 commented Aug 16, 2018

@kenji21 use ps aux | grep gpg and find a gpg-agent daemon process. Kill it and retry.


Contributor

kenji21 commented Aug 20, 2018

I can confirm that killing the agent did fix the issue


horkko commented Sep 12, 2018

> I can confirm that killing the agent did fix the issue

Hi,
On Mac OSX using qtpass, I've had the same issue "gpg: decryption failed". Killing gpg-agent and running pass accout/foobar on the command line works, also in QtPass.


metanerd commented Oct 23, 2018

For me decrypting works both with gpg and gpg2 and still fails with pass.


Member

annejan commented Oct 23, 2018

Hi, @metanerd what OS / Distro etc are you running?

And is it failing with pass in the commandline too or only with QtPass using pass as backend?


metanerd commented Oct 23, 2018

Yeah, sorry to bother you, I think it is another error. I was just using pass and not QtPass.


Member

annejan commented Oct 23, 2018

No worries . .
