gpg: decryption failed: Bad session key #853

Closed
uklimaschewski opened this issue May 10, 2015 · 32 comments

Comments

@uklimaschewski

I don't know what I'm doing wrong. I think I followed all the steps you mentioned, but I am getting that error.

You can see the conversation at: ezylang/EvalEx#26

The first error was because of a missing .rultor.yml in my project. After adding one, I am now getting that gpg error and am totally stuck.

@yegor256
Owner

@uklimaschewski how did you encrypt your files? You should have done it with this command:

$ rultor encrypt -p uklimaschewski/EvalEx settings.xml

right?

@uklimaschewski
Author

Exactly, I used this for all three files, just as you have described it in your blog.

@yegor256
Owner

@uklimaschewski that's strange... I just checked, this GPG mechanism works fine, see yegor256/rultor-remote#5

@yegor256
Owner

@uklimaschewski I suspect it's an issue with the GPG agent. It is basically caching the key between executions. Somebody else was using settings.xml.enc some time ago and your build is basically trying to use their decryption key... That's my suspicion, based on this https://bbs.archlinux.org/viewtopic.php?id=151832

@yegor256
Owner

@uklimaschewski trying to fix it in #854

@yegor256
Owner

@uklimaschewski try again please, maybe it will work

@uklimaschewski
Author

Thank you for your efforts, but it failed again, same error.
I regenerated new PGP keys from scratch, then updated and encoded the files again using rultor, same error.
Here's the log when encrypting settings.xml:

uk@ubuntu:~/rultor$ rultor encrypt -p uklimaschewski/EvalEx settings.xml 
+ set -e
+ file=settings.xml
+ enc=settings.xml.enc
+ [ -e settings.xml.enc ]
+ asc=settings.xml.asc
+ [ -e settings.xml.asc ]
+ cd .
+ gpg --symmetric --armor --verbose --batch --no-tty --passphrase rultor-key:uklimaschewski/EvalEx -o settings.xml.enc settings.xml
gpg: using cipher CAST5
gpg: writing to `settings.xml.enc'
+ gpg --keyserver hkp://pool.sks-keyservers.net --verbose --recv-keys 9AF0FA4C
gpg: requesting key 9AF0FA4C from hkp server pool.sks-keyservers.net
gpg: armor header: Version: SKS 1.1.5+
gpg: armor header: Comment: Hostname: keyserver.blazrsoft.com
gpg: pub  2048R/9AF0FA4C 2014-08-17  Rultor.com <gpg@rultor.com>
gpg: key 9AF0FA4C: "Rultor.com <gpg@rultor.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
+ gpg --trust-model always --output settings.xml.asc --batch --no-tty --armor --encrypt --verbose --recipient 9AF0FA4C settings.xml.enc
gpg: using subkey 9A839C3A instead of primary key 9AF0FA4C
gpg: No trust check due to `--trust-model always' option
gpg: reading from `settings.xml.enc'
gpg: writing to `settings.xml.asc'
gpg: RSA/AES256 encrypted for: "9A839C3A Rultor.com <gpg@rultor.com>"
+ rm -f settings.xml.enc
"settings.xml encrypted"

Looks absolutely OK, but decrypting on your side seems to still fail:

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
++ pwd
++ pwd
+ gpg --verbose --keyring=/tmp/rultor-YxjN/.gpg/pubring.gpg --secret-keyring=/tmp/rultor-YxjN/.gpg/secring.gpg --decrypt repo/settings.xml.asc
Version: GnuPG v1.4.11 (GNU/Linux)
gpg: armor header: 
gpg: public key is 9A839C3A
gpg: using subkey 9A839C3A instead of primary key 9AF0FA4C
gpg: using subkey 9A839C3A instead of primary key 9AF0FA4C
gpg: encrypted with 2048-bit RSA key, ID 9A839C3A, created 2014-08-17
      "Rultor.com <gpg@rultor.com>"
gpg: AES256 encrypted data
gpg: original file name='settings.xml.enc'
+ gpg --no-tty --batch --verbose --decrypt --passphrase rultor-key:uklimaschewski/EvalEx settings.xml.enc
Version: GnuPG v1.4.11 (GNU/Linux)
gpg: armor header: 
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: decryption failed: Bad session key

@yegor256
Owner

@uklimaschewski this is definitely a bug on our side, but I can't figure out how to solve it. I'm sure that if you rename your settings.xml to something like a.xml, the bug will disappear. Can you try?

@uklimaschewski
Author

You mean, for example, rename settings.xml.asc to settings_rultor.xml.asc and change my .rultor.yml to:

decrypt:
  settings.xml: "repo/rultor_settings.xml.asc"
  pubring.gpg: "repo/pubring.gpg.asc"
  secring.gpg: "repo/secring.gpg.asc"
release:
  script: |
    mvn versions:set "-DnewVersion=${tag}"
    git commit -am "${tag}"
    mvn clean deploy --settings /home/r/rultor_settings.xml

@yegor256
Owner

@uklimaschewski rename settings.xml to settings_rultor.xml and encrypt it again. And then change .rultor.yml that way, yes

@uklimaschewski
Author

Not very much difference:

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
++ pwd
++ pwd
+ gpg --verbose --keyring=/tmp/rultor-Lv2x/.gpg/pubring.gpg --secret-keyring=/tmp/rultor-Lv2x/.gpg/secring.gpg --decrypt repo/rultor_settings.xml.asc
Version: GnuPG v1.4.11 (GNU/Linux)
gpg: armor header: 
gpg: public key is 9A839C3A
gpg: using subkey 9A839C3A instead of primary key 9AF0FA4C
gpg: using subkey 9A839C3A instead of primary key 9AF0FA4C
gpg: encrypted with 2048-bit RSA key, ID 9A839C3A, created 2014-08-17
      "Rultor.com <gpg@rultor.com>"
gpg: AES256 encrypted data
gpg: original file name='rultor_settings.xml.enc'
+ gpg --no-tty --batch --verbose --decrypt --passphrase rultor-key:uklimaschewski/EvalEx settings.xml.enc
Version: GnuPG v1.4.11 (GNU/Linux)
gpg: armor header: 
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: decryption failed: Bad session key

@yegor256
Owner

@uklimaschewski you didn't rename the file, see:

gpg --no-tty --batch --verbose --decrypt --passphrase rultor-key:uklimaschewski/EvalEx settings.xml.enc

You should name your local file as rultor_settings.xml and then encrypt it.

@uklimaschewski
Author

I did.

  1. Rename settings.xml to rultor_settings.xml
  2. Encrypted it using: rultor encrypt -p uklimaschewski/EvalEx rultor_settings.xml
  3. Today I removed the old settings.xml.asc from the project root and tried again, same error

@yegor256
Owner

@uklimaschewski I still see settings.xml in your build log. But I should see only rultor_settings.xml... looks like you didn't rename it

@uklimaschewski
Author

I now also changed my .rultor.yml: ezylang/EvalEx@2c02fe7
renaming the settings.xml property name to rultor_settings.xml now changed the log output to:

+ gpg --no-tty --batch --verbose --decrypt --passphrase rultor-key:uklimaschewski/EvalEx rultor_settings.xml.enc
Version: GnuPG v1.4.11 (GNU/Linux)
gpg: armor header: 
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: decryption failed: Bad session key

So, what am I doing wrong? What else can I change?

@yegor256
Owner

@uklimaschewski looks like something is definitely wrong on our side :( I'm investigating...

@uklimaschewski
Author

Thanks, if I can assist, drop me a notice.

@yegor256
Owner

@uklimaschewski
Author

There's a comment on SO

@yegor256
Owner

@uklimaschewski in the meantime, could you please update the rultor gem (latest version is 0.4), encrypt your settings.xml again and post logs here?

@uklimaschewski
Author

I have updated the gem to 0.4 and encrypted all files again, same result.
Rultor discussion is here: ezylang/EvalEx#28
And here is the encryption log:

uk@ubuntu:~/rultor$ rultor encrypt -p uklimaschewski/EvalEx rultor_settings.xml
+ set -e
+ file=rultor_settings.xml
+ enc=rultor_settings.xml.enc
+ [ -e rultor_settings.xml.enc ]
+ asc=rultor_settings.xml.asc
+ [ -e rultor_settings.xml.asc ]
+ cd .
+ gpg --version
gpg (GnuPG) 1.4.11
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, 
        CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
+ gpg --symmetric --armor --verbose --batch --no-tty --passphrase rultor-key:uklimaschewski/EvalEx -o rultor_settings.xml.enc rultor_settings.xml
gpg: using cipher CAST5
gpg: writing to `rultor_settings.xml.enc'
+ gpg --keyserver hkp://pool.sks-keyservers.net --verbose --recv-keys 9AF0FA4C
gpg: requesting key 9AF0FA4C from hkp server pool.sks-keyservers.net
gpg: armor header: Version: SKS 1.1.5
gpg: armor header: Comment: Hostname: keyserver.miniskipper.at
gpg: pub  2048R/9AF0FA4C 2014-08-17  Rultor.com <gpg@rultor.com>
gpg: key 9AF0FA4C: "Rultor.com <gpg@rultor.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
+ gpg --trust-model always --output rultor_settings.xml.asc --batch --no-tty --armor --encrypt --verbose --recipient 9AF0FA4C rultor_settings.xml.enc
gpg: using subkey 9A839C3A instead of primary key 9AF0FA4C
gpg: No trust check due to `--trust-model always' option
gpg: reading from `rultor_settings.xml.enc'
gpg: writing to `rultor_settings.xml.asc'
gpg: RSA/AES256 encrypted for: "9A839C3A Rultor.com <gpg@rultor.com>"
+ rm -f rultor_settings.xml.enc
"rultor_settings.xml encrypted"
uk@ubuntu:~/rultor$

@yegor256
Owner

@uklimaschewski I'm not sure, but just guessing. This is what you have locally:

+ gpg --version
gpg (GnuPG) 1.4.11

This is what the server has:

+ gpg --version
gpg (GnuPG) 2.0.22

Maybe that's the problem? Maybe you can try to upgrade your gpg?

@yegor256
Owner

@uklimaschewski this is what I have on my Mac, btw:

$ gpg --version
gpg (GnuPG) 1.4.19

@uklimaschewski
Author

OK, some good news: I managed to release and upload to sonatype using rultor now.

The gpg version was the solution: I installed gpg2. I needed to tweak my Linux a bit, so that it uses gpg2 instead of gpg. Your rultor gem strictly uses the gpg command; there was no possibility to specify gpg2.

After this, only a few corrections were needed to get it running.

  1. In your blog, there is an error in the settings.xml. The server id should be oss.sonatype.org, not sonatype. Otherwise you get an HTTP 401 when trying to upload the artifacts.

  2. You should mention adding rultor as a collaborator; without it, the push to git will fail.

Thank you for your support!

@yegor256
Owner

@uklimaschewski glad you found the problem and fixed it! Now, I think, it's reasonable to add this version check into rultor gem, to prevent similar problems from happening in the future. Do you know whether it's possible to detect (from command line) whether it's gpg or gpg2?

@uklimaschewski
Author

hm, I guess most newer Linux installations should have the latest gpg installed. I would say simply check gpg --version and if that version is not correct, check if gpg2 --version returns something reasonable.
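
The check discussed in the two comments above, as an added example that is not part of the thread or of the rultor gem: it reads the first line of `--version` for `gpg`, then `gpg2`, and picks the first binary reporting major version 2 or later. The function names and the "major >= 2" threshold are assumptions taken from how the thread was resolved.

```shell
#!/bin/sh
# Added example: choose a GnuPG binary whose major version is at least 2.
# Function names are hypothetical, not part of the rultor gem.

# Print the first line of "<cmd> --version", or nothing if cmd is missing.
gpg_banner() {
  command -v "$1" >/dev/null 2>&1 || return 0
  "$1" --version 2>/dev/null | head -n 1
}

# Extract the major version from a banner such as "gpg (GnuPG) 2.0.22".
# Prints nothing when the text is not a GnuPG version banner.
gpg_major() {
  printf '%s\n' "$1" |
    sed -n 's/^gpg[0-9]* (GnuPG[^)]*) \([0-9][0-9]*\)\..*$/\1/p'
}

# Print the first candidate (gpg, then gpg2) with major version >= 2.
# Returns 1 when none qualifies, so a caller can stop before encrypting.
pick_gpg() {
  for cmd in gpg gpg2; do
    major=$(gpg_major "$(gpg_banner "$cmd")")
    if [ -n "$major" ] && [ "$major" -ge 2 ]; then
      printf '%s\n' "$cmd"
      return 0
    fi
  done
  return 1
}

# Usage: fail early instead of producing a file the server cannot decrypt.
GPG=$(pick_gpg) || echo "need GnuPG 2.x installed as gpg or gpg2" >&2
```
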

@uklimaschewski
Author

After tweaking around with settings.xml, .rultor.yml and pom.xml, I finally made it to Maven Central. Thanks for your great tool. Some more complete examples would be nice for Java coders like me, who are new to this whole Maven Central area.

@amihaiemil

@uklimaschewski Sorry to bother, but how exactly did you update the gpg package to version > 2?
I have the same problem
On my machine (Ubuntu 16.04) I have both gpg and gpg2...

I would also like to not update to the newest version of gpg (not greater than 2.0.22, I think) because then I have the issue that there are no pubring and secring files anymore, there's just pubring.kbx

@amihaiemil

amihaiemil commented Nov 12, 2016

@uklimaschewski fixed it.... I was using amihaiemil/repo instead of orgname/repo when encrypting (the repo is under an org, not my name directly). Otherwise, the solution was the same: simply upgrade gpg (mine is 2.1.11)

@uklimaschewski
Author

Sorry for the delay, @amihaiemil ...
The errors during setup are sometimes very misleading.
I simply installed gpg2 via sudo apt-get install gnupg2 on my Ubuntu.
Then I did
$ sudo mv /usr/bin/gpg /usr/bin/gpg1
$ sudo mv /usr/bin/gpg2 /usr/bin/gpg
$ gpg --version reports the following:
gpg (GnuPG) 2.0.17
libgcrypt 1.5.0
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

@amihaiemil

@uklimaschewski No worries, thanks for answering :D
