
GPG "General error" when decrypting multiple things simultaneously #140

Closed
Tomaszal opened this issue Nov 2, 2022 · 2 comments · Fixed by #141

Comments


Tomaszal commented Nov 2, 2022

This issue can be reproduced using the following script (export the `KEYID` variable before running):

```bash
#!/bin/bash

# Encrypt a short message once; ASCII-armour it (-a) so the ciphertext
# survives being held in a shell variable (bash drops NUL bytes).
FOO="$(echo bar | gpg -r "${KEYID}" -e -a -)"

# Start three decryptions at the same time, then wait for all of them.
(echo "${FOO}" | gpg -d) &
(echo "${FOO}" | gpg -d) &
(echo "${FOO}" | gpg -d)
wait
```

This results in output like the following (showing only the relevant lines):

```text
gpg: encrypted with 256-bit ECDH key, ID ...
gpg: public key decryption failed: General error
gpg: decryption failed: No secret key
...
gpg: encrypted with 256-bit ECDH key, ID ...
gpg: public key decryption failed: General error
gpg: decryption failed: No secret key
...
gpg: encrypted with 256-bit ECDH key, ID ...
bar
...
```

As you can see, only one of the three GPG processes successfully decrypts the input, while the other two fail with a "General error". Not sure if it matters, but I'm using a "touch policy: always" decrypting key as a subkey on a master key (set up as shown here), and specifying the master key id for the `KEYID`.

I discovered this issue when using a Terraform sops provider and defining several `sops_file` data blocks. Plans with that fail as GPG tries to decrypt several files at a time and runs into this issue, so it impacts real-world use. I did find a workaround for that specific issue, as sops lets you define a custom path for the GPG executable. So I wrote a script that would lock the GPG process using `flock` and pointed `SOPS_GPG_EXEC` to it:

```bash
#!/bin/bash

# Process locking workaround for sops compatibility with piv-agent.
# Point the SOPS_GPG_EXEC environment variable to this script.

(
    # Take an exclusive lock on fd 200; fail after a minute of waiting.
    flock -x -w 60 200 || exit 60
    gpg "$@"
) 200>/tmp/piv-agent-gpg-lock
```

smlx commented Nov 4, 2022

Thanks for the detailed description and instructions to reproduce the issue!

I think I've got a fix.


smlx commented Nov 4, 2022

This Makefile also reproduces the issue when run with `make -j8 -O`.

```makefile
.PHONY: decrypt
decrypt: ciphertext decrypt0 decrypt1 decrypt2 decrypt3

.PHONY: decrypt0
decrypt0: ciphertext
	gpg -d ciphertext

.PHONY: decrypt1
decrypt1: ciphertext
	gpg -d ciphertext

.PHONY: decrypt2
decrypt2: ciphertext
	gpg -d ciphertext

.PHONY: decrypt3
decrypt3: ciphertext
	gpg -d ciphertext

ciphertext:
	echo foo | gpg -r $$KEYID -e - > ciphertext
```
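The failure mode discussed in this thread, as an added Go model that is not piv-agent's code and not the fix in #141: an agent serving several gpg clients at once against a card session that can only run one operation at a time, first forwarding requests unserialised (only one client gets its plaintext) and then with a mutex in front of the card (all succeed). The `card` type, its "busy" semantics and the 100 ms round-trip window are assumptions made for the example.

```go
package main

import (
	"errors"
	"sync"
	"sync/atomic"
	"time"
)

// card is an assumed model of a smart-card session that services one
// operation at a time; a caller arriving mid-operation gets the error that
// gpg surfaces as "public key decryption failed: General error".
type card struct{ busy int32 }

func (c *card) decrypt(ct string) (string, error) {
	if !atomic.CompareAndSwapInt32(&c.busy, 0, 1) {
		return "", errors.New("public key decryption failed: General error")
	}
	defer atomic.StoreInt32(&c.busy, 0)
	time.Sleep(100 * time.Millisecond) // simulated card round trip
	return ct[len("enc:"):], nil
}

// serveClients models the agent handling n gpg clients that all ask for a
// decryption at the same instant, like the `&` jobs in the report's script.
// With guard == nil each request goes straight to the card (the reported
// behaviour); with a mutex the agent admits one card operation at a time.
// It returns how many clients decrypted and how many failed.
func serveClients(c *card, guard *sync.Mutex, n int) (ok, failed int) {
	start, res := make(chan struct{}), make(chan error, n)
	for i := 0; i < n; i++ {
		go func() {
			<-start // every client blocks here, then they hit the agent together
			if guard != nil {
				guard.Lock()
				defer guard.Unlock()
			}
			_, err := c.decrypt("enc:bar")
			res <- err
		}()
	}
	close(start)
	for i := 0; i < n; i++ {
		if <-res != nil {
			failed++
		}
	}
	return n - failed, failed
}
```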
