copyq.sec missing on Windows version of Copyq

[PEG71]

Describe the bug
Only copyq.pub is created when activating encryption with the Windows version of Copyq. No copyq.sec. Encryption is working despite the missing file.

To Reproduce

1. go to File, Preferences, Item, Encryption
2. Click on "generate new keys"
3. Enter passe phrase

Expected behavior
I'm expecting to find two key files in the %appdata%\copyq folder: copyq.pub and copyq.sec

Version, OS and Environment
Copyq version 3.9.2
Windows 10 1903
gpg4win 3.1.10

Additional context
I also get this error message when generating the key: gpg keydb_search failed: Permission denied.

[hluk]

Looks like a bug in gpg utility that comes with that specific version of gpg4win.

Also, the encryption/decryption works because the .pub file contains both secret and public keys.

[realchrisolin]

Seeing this same issue in v3.10, gpg4win 3.1.11, and the same Win10 build. copyq.pub is being created, but copyq.sec isn't.

ERROR [2020-02-12 14:14:16.727] :    gpg: can't open 'C:\Users\chris.olin\AppData\Roaming\copyq\copyq.sec': No such file or directory
ERROR [2020-02-12 14:14:16.727] :    gpg: Total number processed: 0

[realchrisolin]

I did some troubleshooting and found that gpg wasn't generating the secret key in both the Windows and Linux builds. Turns out that changes in v2.1+ in how secret keys are stored ultimately broke the %secring control statement. See https://superuser.com/a/1037402, https://www.gnupg.org/faq/whats-new-in-2.1.html#nosecring, and https://www.gnupg.org/documentation/manuals/gnupg/Ephemeral-home-directories.html.

Suffice to say, startGenerateKeysProcess() and probably other parts of the encryption plugin will need to be rewritten from scratch. However, it looks like I was able to get encryption working by turning off the encryption plugin, quitting copyq, deleting any .pub or pub.lock files in the copyq config directory, interactively creating a RSA encrypt key, manually exporting public and secret keys, then finally copying them into the copyq config directory, launching copyq, and turning encryption back on. I was prompted for the secret key passphrase and am no longer seeing errors in the log.

[pts/10] ~  » mkdir gpgtest
[pts/10] ~  » gpg --homedir gpgtest --gen-key
[pts/10] ~  » gpg --homedir gpgtest --list-secret-keys
[pts/10] ~  » gpg --homedir gpgtest --export-secret-keys 12345678 > copyq.sec
[pts/10] ~  » gpg --homedir gpgtest --export 12345678 > copyq.pub                   

[mhercek]

Your approach does not work for me.
CopyQ says No public key.
gpg 2.2.19
CopyQ 3.11.1

[ScriptingDad]

@realchrisolin I've also tried your workaround and I was able to successfully create the certificates but when I actually try to use it copyq seems to be having problems with it. gpg does appear to be in the path and works. Kind of looks like a new issue and if need be I can create a new issue for this.

OS Name:                   Microsoft Windows 10 Enterprise
OS Version:                10.0.17134 N/A Build 17134

Version GPG

gpg --version
gpg (GnuPG) 2.2.19
libgcrypt 1.8.5

Errors from logs

ERROR [2020-07-06 09:35:50.945] : ItemEncrypt ERROR: GnuPG stderr:
ERROR [2020-07-06 09:35:50.945] :    gpg: [don't know]: invalid packet (ctb=54)
ERROR [2020-07-06 09:35:50.945] :    gpg: keydb_search_first failed: Invalid packet
ERROR [2020-07-06 09:35:50.945] :    
ERROR [2020-07-06 09:35:51.350] <Server-26856>: Tab “&clipboard”: Failed to save tab (save items to temporary file), file “C:/Users/username/AppData/Roaming/copyq/copyq_tab_JmNsaXBib2FyZA==.dat.tmp”: Unknown error
Warning [2020-07-06 09:35:54.432] <Server-26856>: Tab "&clipboard": Restoring items (previous save failed)
ERROR [2020-07-06 09:35:54.566] <Server-26856>: Tab “&clipboard”: Failed to save tab (save items to temporary file), file “C:/Users/username/AppData/Roaming/copyq/copyq_tab_JmNsaXBib2FyZA==.dat.tmp”: Unknown error
ERROR [2020-07-06 09:36:06.903] : ItemEncrypt ERROR: GnuPG stderr:
ERROR [2020-07-06 09:36:06.903] :    gpg: [don't know]: invalid packet (ctb=54)
ERROR [2020-07-06 09:36:06.903] :    gpg: keydb_search failed: Invalid packet
ERROR [2020-07-06 09:36:06.903] :    gpg: copyq: skipped: Invalid packet
ERROR [2020-07-06 09:36:06.903] :    gpg: [stdin]: encryption failed: Invalid packet
ERROR [2020-07-06 09:36:06.903] :    
Note [2020-07-06 09:36:06.974] <Client-26072>: ScriptError: Exception in command "Encrypt (needs GnuPG)": Failed to execute GPG!
Note [2020-07-06 09:36:06.974] <Client-26072>:    
Note [2020-07-06 09:36:06.974] <Client-26072>:    --- backtrace ---
Note [2020-07-06 09:36:06.974] <Client-26072>:    <eval>() at “throw 'Failed to execute GPG!'”:1
Note [2020-07-06 09:36:06.974] <Client-26072>:    <eval>() at “ plugins.itemencrypted.encryptItems()”:1
Note [2020-07-06 09:36:06.974] <Client-26072>:    --- end backtrace ---
Note [2020-07-06 09:36:07.061] <Server-26856>: Command “Encrypt (needs GnuPG)”
Note [2020-07-06 09:36:07.061] <Server-26856>:    Exit code: 4
Note [2020-07-06 09:36:07.061] <Server-26856>:    ERROR: ItemEncrypt ERROR: GnuPG stderr:
Note [2020-07-06 09:36:07.061] <Server-26856>:    ERROR:    gpg: [don't know]: invalid packet (ctb=54)

Note [2020-07-06 09:36:07.061] <Server-26856>:    ERROR:    gpg: keydb_search failed: Invalid packet

Note [2020-07-06 09:36:07.061] <Server-26856>:    ERROR:    gpg: copyq: skipped: Invalid packet

Note [2020-07-06 09:36:07.061] <Server-26856>:    ERROR:    gpg: [stdin]: encryption failed: Invalid packet

Note [2020-07-06 09:36:07.061] <Server-26856>:    ERROR:    
Note [2020-07-06 09:36:07.061] <Server-26856>:    ScriptError: Failed to execute GPG!
Note [2020-07-06 09:36:07.061] <Server-26856>:    
Note [2020-07-06 09:36:07.061] <Server-26856>:    --- backtrace ---
Note [2020-07-06 09:36:07.061] <Server-26856>:    <eval>() at “throw 'Failed to execute GPG!'”:1
Note [2020-07-06 09:36:07.061] <Server-26856>:    <eval>() at “ plugins.itemencrypted.encryptItems()”:1
Note [2020-07-06 09:36:07.061] <Server-26856>:    --- end backtrace ---
Note [2020-07-06 09:36:07.061] <Server-26856>:    
Note [2020-07-06 09:36:07.061] <Server-26856>:    1. copyq:  plugins.itemencrypted.encryptItems()

[realchrisolin]

Sorry guys, I just saw these notifications (my github emails route to an inbox I don't often check and I'm even worse about checking github notifications).

@mhercek did you copy the generated keys into the correct config directory? If CopyQ says there's no public key, it stands to reason you missed a step or two.

@ScriptingDad does aptly-dev/aptly#822 (comment) help you? It doesn't look like a CopyQ specific issue

[christianjunk]

On Windows CopyQ 7.0.0 depends mandatorily on a GnuPG version between 2.0.0 and 2.0.4 (see checkGpgExecutable, line 91). The problem is, that the option %secring filename is a no-op for GnuPG 2.1 and later. But this option is part of startGenerateKeysProcess, line 261.

A workaround is to download and install gpg4win-2.0.4.exe, but be aware that this version is from 2010! Like in @realchrisolin answer, I think that the itemencrypted-plugin need to be rewritten.

[mhercek]

Another big security issue is the database containing all copied items is not encrypted.
For that reason I moved to competitive solution.

[realchrisolin]

To elaborate on @christianjunk's comment, changes to the gpg executable that is bundled with gpg4win (and CopyQ depends on for clipboard encryption) has changed since my comment in 2020 -- it is no longer compatible with the itemencrypted plugin and my workaround will not work anymore.

C++ is generally too low level for me, but I was able to mostly follow the plugin code after looking at it and it looks like it's pretty much a wrapper for the gpg binary. I'll try fixing this in the coming days/weeks and submit a PR.

[hluk]

Here is CopyQ with the fix: https://ci.appveyor.com/project/hluk/copyq/builds/48085754/artifacts

Feel free to test it but I recommend to back up your configuration or use the portable zip in a new folder.

Let me know how that works for you.

Thanks to @realchrisolin for providing explanation of the problem and an initial solution! 👍

[realchrisolin]

Here is CopyQ with the fix: https://ci.appveyor.com/project/hluk/copyq/builds/48085754/artifacts

Feel free to test it but I recommend to back up your configuration or use the portable zip in a new folder.

Let me know how that works for you.

Thanks to @realchrisolin for providing explanation of the problem and an initial solution! 👍

I missed this update and didn't see it until yesterday. That artifact had expired by then, but I followed the commit tree and grabbed the installer from https://ci.appveyor.com/project/hluk/copyq/builds/48294675/artifacts. Your fix works, but there's a minor UX issue in getting the keys created. Basically, it can't be done within the Encryption plugin preferences window and the solution isn't straightforward from the UI. The only thing you can do is "Change Password...", which throws the message "gpg: key "copyq" not found: No public key"

There's probably a way to do this within Kleopatra, but the workaround I came up with was to put the following in a text file named key_details.txt:

Key-Type: RSA
Key-Usage: encrypt
Key-Length: 4096
Name-Real: copyq

Then run gpg --batch --gen-key key_details.txt. Much appreciated, man. Glad my comments helped.

[Jaypers]

@realchrisolin
I can confirm it wasn't possible to create a GPG keypair using the Encryption plugin in the preferences window.
Whether a previous keypair existed or not it just kept failing without any indication in the debug logs.

Here is my GPG batch file for creating the keypair, in case anyone else stumbles across this:

# NB the "Name-real" has to be "copyq" !!!
# To generate GPG key pair without CopyQ create a batch file with below contents:
%ask-passphrase
Key-Type: eddsa
Key-curve: ed25519
Key-usage: cert,sign
Subkey-Type: ecdh
Subkey-curve: cv25519
Subkey-usage: encrypt
Name-real: copyq
Expire-Date: 0

# Now run:
#  gpg --batch --gen-key <filename>

Now CopyQ will detect the key and be able to "Change Password" etc.