Unable to lock tomb using GPG #251

Closed
ravl1084 opened this issue Mar 13, 2017 · 19 comments

Comments

@ravl1084

I ran into this trying to implement pass-tomb, but even using the command manually causes the same result:

~$ tomb lock /home/rav/password -k /home/rav/password.key -gr myemail@gmail.com -D
tomb [D] Identified caller: rav (1000:1000)
tomb [D] Tomb command: lock /home/rav/password
tomb [D] Caller: uid[1000], gid[1000], tty[/dev/pts/6].
tomb [D] Temporary directory: /tmp/zsh
tomb  .  Commanded to lock tomb password
tomb [D] Tomb found: /home/rav/password
tomb [D] Loop mounted on /dev/loop0
tomb  .  Checking if the tomb is empty (we never step on somebody else's bones).
tomb  .  Fine, this tomb seems empty.
tomb [D] load_key key encrypted with a GnuPG Key
tomb  .  Key encrypted with a GnuPG Key
tomb [D] load_key: /home/rav/password.key
tomb [D] is_valid_key
tomb  .  Key is valid.
tomb  .  Locking using cipher: aes-xts-plain64:sha256
tomb [D] no password needed, using GPG key
tomb [D] get_lukskey
tomb [D] Created tempfile: /tmp/zsh/2292919635194744662
tomb [D] [GNUPG:] ENC_TO 0000000000000000 16 0
tomb [D] gpg: anonymous recipient; trying secret key XXXXXX ...
tomb [D] [GNUPG:] USERID_HINT XXXXXXXXXXXXXXXX My Name <myemail@gmail.com>
tomb [D] [GNUPG:] NEED_PASSPHRASE XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX 16 0
tomb [D] gpg: can't query passphrase in batch mode
tomb [D] [GNUPG:] MISSING_PASSPHRASE
tomb [D] [GNUPG:] BAD_PASSPHRASE XXXXXXXXXXXXXXXX
tomb [D] gpg: encrypted with ELG-E key, ID 00000000
tomb [D] [GNUPG:] NO_SECKEY 0000000000000000
tomb [D] [GNUPG:] BEGIN_DECRYPTION
tomb [D] [GNUPG:] DECRYPTION_FAILED
tomb [D] gpg: decryption failed: secret key not available
tomb [D] [GNUPG:] END_DECRYPTION
tomb [D] get_lukskey returns 1
tomb [E] No valid password supplied.

I have gpg-agent set up and it pops up pinentry-curses correctly when I use pass or mutt. Any ideas why it's not prompting for the key's passphrase?

@roddhjav
Contributor

roddhjav commented Mar 13, 2017

This issue is from pass-tomb.

I was able to reproduce it on a VM that doesn't have a GUI (and therefore doesn't have pinentry-gtk) using an encrypted GPG key. The problem comes from how we call gpg in the key decryption function. In batch mode, gpg cannot query a passphrase using pinentry-curses (although it works fine with pinentry-gtk).

The solution would be to simply not use the gpg --batch option in gpg_decrypt. I'm going to implement it and test it against all the tests. Once done, I'll propose a PR for this.

It might take some time. If you want a fast workaround, simply use pinentry-gtk.

@ravl1084
Author

I tried installing pinentry-gtk2 and I get the same error, even though pinentry-gtk2 is working for signing e-mail.

@roddhjav
Contributor

This is surprising, I did a lot of tests with pinentry-gtk2 and an encrypted key. That said, it was with GPG 2.x; maybe GPG 1.x differs. Thanks for the feedback, I'll investigate this too.

@jaromil
Member

jaromil commented Mar 16, 2017

Is pass-tomb sourcing tomb to use its same key handling functions?

@roddhjav
Contributor

roddhjav commented Mar 16, 2017

No, pass-tomb only calls tomb. I just wrote a few functions in pass-tomb like is_valid_recipients, inspired by the same ones I wrote for tomb.

pass-tomb is in bash (and has to be in bash); I don't know if a bash script can source a zsh script.

@jaromil
Member

jaromil commented Mar 16, 2017

Ack, ok. No, bash cannot source zsh. Then can I close this bug, as it seems it only concerns pass-tomb?

@ravl1084
Author

I first reported this under pass_tomb but even when I try to manually input the tomb commands that pass_tomb automates, I get the same issue. My original post shows the output of tomb lock on a new tomb, when using my GPG key.

@jaromil
Member

jaromil commented Mar 17, 2017

ACK. Can you try separating the flags -gr into -g -r? Also, can you run the tests and see if they all pass? They are in extras/tests, thanks.

@ravl1084
Author

I ran the tests:

0 loop devices busy at start
dig     SUCCESS
forge   SUCCESS
lock    SUCCESS
badpass SUCCESS
open    SUCCESS
close   SUCCESS
passwd  SUCCESS
chksum  SUCCESS
bind    SUCCESS
setkey  SUCCESS
recip-dig       SUCCESS
recip-forge     SUCCESS
recip-lock      SUCCESS
recip-open      SUCCESS
recip-close     SUCCESS
recip-passwd    SUCCESS
recip-resize    SUCCESS
recip-setkey    SUCCESS
shared  SUCCESS
shared-passwd   SUCCESS
shared-setkey   SUCCESS
resize  SUCCESS
stgin   SUCCESS
stgout  SUCCESS
stgopen SUCCESS
stgpipe SUCCESS
stgimpl SUCCESS
recip-stgin     SUCCESS
recip-stgout    SUCCESS
recip-stgopen   SUCCESS
recip-stgimpl   SUCCESS
qrenc   SUCCESS
oldnew-2.2      SUCCESS
newold-2.2      SUCCESS
oldnew-2.1      SUCCESS
newold-2.1      SUCCESS
oldnew-2.0.1    SUCCESS
newold-2.0.1    SUCCESS
0 loop devices busy at end

I still get the exact same error as above.

@jaromil
Member

jaromil commented Mar 17, 2017

ACK. Also with the flags separated? For instance:

tomb lock /home/rav/password -k /home/rav/password.key -g -r myemail@gmail.com -D

instead of -gr?

@ravl1084
Author

Yes.

@ravl1084
Author

I did some experimenting in my fork, by removing both --batch and --no-tty from the GPG calls in tomb, and now it worked:

~$ tomb lock password -k password.key -g -r myemail@gmail.com -D
tomb [D] Identified caller: rav (1000:1000)
tomb [D] Tomb command: lock password
tomb [D] Caller: uid[1000], gid[1000], tty[/dev/pts/4].
tomb [D] Temporary directory: /tmp/zsh
tomb  .  Commanded to lock tomb password
tomb [D] Tomb found: password
tomb [D] Loop mounted on /dev/loop0
tomb  .  Checking if the tomb is empty (we never step on somebody else's bones).
tomb  .  Fine, this tomb seems empty.
tomb [D] load_key key encrypted with a GnuPG Key
tomb  .  Key encrypted with a GnuPG Key
tomb [D] load_key: password.key
tomb [D] is_valid_key
tomb  .  Key is valid.
tomb  .  Locking using cipher: aes-xts-plain64:sha256
tomb [D] no password needed, using GPG key
tomb [D] get_lukskey
tomb [D] Created tempfile: /tmp/zsh/207432928550725177
tomb [D] [GNUPG:] ENC_TO 0000000000000000 16 0
tomb [D] gpg: anonymous recipient; trying secret key XXXXXXXX ...
tomb [D] [GNUPG:] USERID_HINT XXXXXXXXXXXXXXXX My Name <myemail@gmail.com>
tomb [D] [GNUPG:] NEED_PASSPHRASE XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX 16 0
tomb [D] [GNUPG:] GOOD_PASSPHRASE
tomb [D] gpg: okay, we are the anonymous recipient.
tomb [D] gpg: encrypted with ELG-E key, ID 00000000
tomb [D] [GNUPG:] BEGIN_DECRYPTION
tomb [D] [GNUPG:] DECRYPTION_INFO 2 9
tomb [D] [GNUPG:] PLAINTEXT 62 1489768157 
tomb [D] [GNUPG:] DECRYPTION_OKAY
tomb [D] [GNUPG:] GOODMDC
tomb [D] [GNUPG:] END_DECRYPTION
tomb [D] get_lukskey returns 0
tomb (*) Locking password with password.key
tomb  .  Formatting Luks mapped device.
tomb  .  Formatting your Tomb with Ext3/Ext4 filesystem.
tomb  .  Done locking password using Luks dm-crypt aes-xts-plain64:sha256
tomb (*) Your tomb is ready in password and secured with key password.key

One note: pinentry wasn't called; I was just prompted for the passphrase directly on the command line.
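The `[GNUPG:]` lines in the two `tomb -D` traces above are gpg's machine-readable status output (`--status-fd`), and they are what tells the caller whether key decryption actually succeeded. As an added example (not tomb's or pass-tomb's own code), here is a small classifier for such output that distinguishes the "ran in batch mode with no way to ask for a passphrase" failure from a wrong passphrase, a missing secret key, and a decryption that completed without a verified MDC. The sample traces are constructed from the status lines in this issue, with key ids left as placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed samples shaped like the status lines in the two traces above
# (only the "[GNUPG:]" lines matter; plain "gpg:" diagnostics are ignored).
FAILED_TRACE = """\
[GNUPG:] ENC_TO 0000000000000000 16 0
gpg: anonymous recipient; trying secret key XXXXXX ...
[GNUPG:] USERID_HINT XXXXXXXXXXXXXXXX My Name <myemail@gmail.com>
[GNUPG:] NEED_PASSPHRASE XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX 16 0
gpg: can't query passphrase in batch mode
[GNUPG:] MISSING_PASSPHRASE
[GNUPG:] BAD_PASSPHRASE XXXXXXXXXXXXXXXX
[GNUPG:] NO_SECKEY 0000000000000000
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION
"""

OK_TRACE = """\
[GNUPG:] ENC_TO 0000000000000000 16 0
[GNUPG:] NEED_PASSPHRASE XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX 16 0
[GNUPG:] GOOD_PASSPHRASE
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION
"""

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


@dataclass
class Outcome:
    ok: bool
    reason: str
    keywords: list = field(default_factory=list)


def parse_status(text):
    """Return (keyword, args) pairs for each status line, skipping other output."""
    pairs = []
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2) or ""))
    return pairs


def classify(text):
    """Decide whether the decryption succeeded and, if not, why (most specific first)."""
    kw = [k for k, _ in parse_status(text)]
    if "DECRYPTION_OKAY" in kw and "GOODMDC" in kw:
        return Outcome(True, "decrypted, integrity check passed", kw)
    if "DECRYPTION_OKAY" in kw:
        return Outcome(False, "decrypted but no MDC: treat as untrusted", kw)
    if "MISSING_PASSPHRASE" in kw:
        return Outcome(False, "no passphrase: batch mode with no agent/pinentry", kw)
    if "BAD_PASSPHRASE" in kw:
        return Outcome(False, "wrong passphrase", kw)
    if "NO_SECKEY" in kw:
        return Outcome(False, "no matching secret key", kw)
    return Outcome(False, "no decryption result in output", kw)
```

Checking MISSING_PASSPHRASE before BAD_PASSPHRASE and NO_SECKEY matters: in the failing trace gpg emits all three, and only the first explains the cause.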

@jaromil
Member

jaromil commented Mar 17, 2017

I'm wondering... what versions of system utils do you have? You can see that easily with tomb -v.

@ravl1084
Author

~$ tomb -v
  Tomb 2.3 - a strong and gentle undertaker for your secrets
  
   Copyright (C) 2007-2017 Dyne.org Foundation, License GNU GPL v3+
   This is free software: you are free to change and redistribute it
   For the latest sourcecode go to <http://dyne.org/software/tomb>
  
   This source code is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
   When in need please refer to <http://dyne.org/support>.
  
  System utils:
  
  Sudo version 1.8.9p5
  cryptsetup 1.6.1
  pinentry-curses (pinentry) 0.8.3
  gpg (GnuPG) 1.4.16 - key forging algorithms (GnuPG symmetric ciphers):
  /usr/bin/gpg
 IDEA 3DES CAST5 BLOWFISH AES AES192 AES256 TWOFISH CAMELLIA128 CAMELLIA192 CAMELLIA256
  
  Optional utils:
  
  /usr/bin/gettext
  dcfldd not found
  wipe not found
  /usr/bin/steghide
  /sbin/resize2fs
  tomb-kdb-pbkdf2 not found
  /usr/bin/qrencode
  swish-e not found
  unoconv not found

roddhjav added a commit to roddhjav/Tomb that referenced this issue Mar 20, 2017
@roddhjav
Contributor

It should be fixed with #250. By the way, are you sure you are using gpg-agent?

@ravl1084
Author

I am, it works with mutt and pass. I'll try the latest commit.

@ravl1084
Author

Here's my test:

~$ tomb dig test.tomb -s 10 -g
tomb  .  Commanded to dig tomb test.tomb
tomb (*) Creating a new tomb in test.tomb
tomb  .  Generating test.tomb of 10MiB
10+0 records in
10+0 records out
10485760 bytes (10 MB) copied, 1.1008 s, 9.5 MB/s
-rw------- 1 rav rav 10M Mar 21 09:03 test.tomb
tomb (*) Done digging test
tomb  .  Your tomb is not yet ready, you need to forge a key and lock it:
tomb  .  tomb forge test.tomb.key
tomb  .  tomb lock test.tomb -k test.tomb.key

~$ tomb forge test.tomb.key -g -r myemail@gmail.com
tomb  .  Commanded to forge key test.tomb.key with cipher algorithm AES256
tomb [W] This operation takes time, keep using this computer on other tasks,
tomb [W] once done you will be asked to choose a password for your tomb.
tomb [W] To make it faster you can move the mouse around.
tomb [W] If you are on a server, you can use an Entropy Generation Daemon.
512+0 records in
512+0 records out
512 bytes (512 B) copied, 898.379 s, 0.0 kB/s
tomb (*) Using the GnuPG key myemail@gmail.com to encrypt the key: test.tomb.key
tomb  .  (You can also change it later using 'tomb passwd'.)
tomb  .  Key is valid.
tomb  .  Done forging test.tomb.key
tomb (*) Your key is ready:
-rw------- 1 rav rav 1.6K Mar 21 09:18 test.tomb.key
rav@drago:~$ tomb lock test.tomb -k test.tomb.key -g -r myemail@gmail.com
tomb  .  Commanded to lock tomb test.tomb

[sudo] Enter password for user rav to gain superuser privileges


tomb  .  Checking if the tomb is empty (we never step on somebody else's bones).
tomb  .  Fine, this tomb seems empty.
tomb  .  Key encrypted with a GnuPG Key
tomb  .  Key is valid.
tomb  .  Locking using cipher: aes-xts-plain64:sha256

You need a passphrase to unlock the secret key for
user: "My Name <myemail@gmail.com>"
2048-bit ELG-E key, ID XXXXXXXX, created 2013-04-09 (main key ID XXXXXXXX)

tomb (*) Locking test.tomb with test.tomb.key
tomb  .  Formatting Luks mapped device.
tomb  .  Formatting your Tomb with Ext3/Ext4 filesystem.
tomb  .  Done locking test using Luks dm-crypt aes-xts-plain64:sha256
tomb (*) Your tomb is ready in test.tomb and secured with key test.tomb.key

The latest commit did allow me to complete this. It did not use pinentry-curses above, but it does when opening the tomb.

@jaromil
Member

jaromil commented Mar 21, 2017

So it seems this issue is fixed as @roddhjav said! I'll close when you confirm.

@ravl1084
Author

Yes, this is resolved.
