emacs-orgmode@gnu.org archives
 help / color / mirror / code / Atom feed
* org-crypt fails if default key is expired while non-default key is to be used
@ 2023-01-22 17:41 Karl Voit
  2023-01-23 10:16 ` Ihor Radchenko
  0 siblings, 1 reply; 8+ messages in thread
From: Karl Voit @ 2023-01-22 17:41 UTC (permalink / raw)
  To: emacs-orgmode

Hi,

I think I've found a bug with org-crypt:

Org mode version 9.5.5 (release_9.5.5 @
/home/vk/src/external_compilations/emacs/lisp/org/)

GNU Emacs 28.2 (build 1, x86_64-pc-linux-gnu, GTK+ Version 3.24.33,
cairo version 1.16.0) of 2023-01-09


SUMMARY:

org-crypt fails to encrypt when org-encrypt-entry is set to a
different key than the default openpgp key and the default key is
expired.


BACKGROUND:

My setup involves an openpgp-key which is specifically used for
org-crypt. This key is not my default key A1234567 which I'm using
for encrypting and singing emails and such.

org-crypt-key is set to this secondary key, let's call it
org-openpgp-key. So the org-crypt setup is correct in that sense
that org-mode should not care about other keys than my
org-openpgp-key.

However, I've had the situation where the default openpgp key
expired on a machine. Please note that my org-openpgp-key did not
expire.

When I invoked org-decrypt-entry, decrypting works like always. Then
I modified something in this heading which is tagged with :crypt:.
On saving that buffer, org-crypt issues an error message:

| Error: (error "GPG error: \"Encrypt failed\", \"Unusable public key:
| A1234567; Exit\"")

This A1234567 key is my default key and not the org-openpgp-key.

org-encrypt-entry is causing this error at:

|	;; Text and key have to be identical, otherwise we
|	;; re-crypt.
|	(if (and (equal crypt-key key)
|		 (string= checksum (sha1 contents)))
|	    (get-text-property 0 'org-crypt-text contents)
|	  (epg-encrypt-string epg-context contents crypt-key)))

After fixing the expiry date of A1234567, org-crypt was working
properly, using the correct org-openpgp-key again.

I do think this is wrong behavior: when the default key is expired
but a specific secondary key is used, encryption should be possible.

-- 
get mail|git|SVN|photos|postings|SMS|phonecalls|RSS|CSV|XML into Org-mode:
       > get Memacs from https://github.com/novoid/Memacs <
Personal Information Management > http://Karl-Voit.at/tags/pim/
Emacs-related > http://Karl-Voit.at/tags/emacs/



^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: org-crypt fails if default key is expired while non-default key is to be used
  2023-01-22 17:41 org-crypt fails if default key is expired while non-default key is to be used Karl Voit
@ 2023-01-23 10:16 ` Ihor Radchenko
  2023-01-23 14:58   ` Karl Voit
  0 siblings, 1 reply; 8+ messages in thread
From: Ihor Radchenko @ 2023-01-23 10:16 UTC (permalink / raw)
  To: Karl Voit; +Cc: emacs-orgmode

Karl Voit <devnull@Karl-Voit.at> writes:

> When I invoked org-decrypt-entry, decrypting works like always. Then
> I modified something in this heading which is tagged with :crypt:.
> On saving that buffer, org-crypt issues an error message:
>
> | Error: (error "GPG error: \"Encrypt failed\", \"Unusable public key:
> | A1234567; Exit\"")
>
> This A1234567 key is my default key and not the org-openpgp-key.
>
> org-encrypt-entry is causing this error at:
>
> |	;; Text and key have to be identical, otherwise we
> |	;; re-crypt.
> |	(if (and (equal crypt-key key)
> |		 (string= checksum (sha1 contents)))
> |	    (get-text-property 0 'org-crypt-text contents)
> |	  (epg-encrypt-string epg-context contents crypt-key)))
>
> After fixing the expiry date of A1234567, org-crypt was working
> properly, using the correct org-openpgp-key again.
>
> I do think this is wrong behavior: when the default key is expired
> but a specific secondary key is used, encryption should be possible.

All we do here is calling `epg-encrypt-string' with crypt key obtained
using `org-crypt-key-for-heading', which see.

May I know how exactly did you set `org-crypt-key'? Do you happen to
have CRYPTKEY properties somewhere in your buffer?

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: org-crypt fails if default key is expired while non-default key is to be used
  2023-01-23 10:16 ` Ihor Radchenko
@ 2023-01-23 14:58   ` Karl Voit
  2023-01-24  9:14     ` Ihor Radchenko
  0 siblings, 1 reply; 8+ messages in thread
From: Karl Voit @ 2023-01-23 14:58 UTC (permalink / raw)
  To: emacs-orgmode

Hi Ihor,

* Ihor Radchenko <yantar92@posteo.net> wrote:
> Karl Voit <devnull@Karl-Voit.at> writes:
>
>> When I invoked org-decrypt-entry, decrypting works like always. Then
>> I modified something in this heading which is tagged with :crypt:.
>> On saving that buffer, org-crypt issues an error message:
>>
>> | Error: (error "GPG error: \"Encrypt failed\", \"Unusable public key:
>> | A1234567; Exit\"")
>>
>> This A1234567 key is my default key and not the org-openpgp-key.
>>
>> org-encrypt-entry is causing this error at:
>>
>> |	;; Text and key have to be identical, otherwise we
>> |	;; re-crypt.
>> |	(if (and (equal crypt-key key)
>> |		 (string= checksum (sha1 contents)))
>> |	    (get-text-property 0 'org-crypt-text contents)
>> |	  (epg-encrypt-string epg-context contents crypt-key)))
>>
>> After fixing the expiry date of A1234567, org-crypt was working
>> properly, using the correct org-openpgp-key again.
>>
>> I do think this is wrong behavior: when the default key is expired
>> but a specific secondary key is used, encryption should be possible.
>
> All we do here is calling `epg-encrypt-string' with crypt key obtained
> using `org-crypt-key-for-heading', which see.
>
> May I know how exactly did you set `org-crypt-key'? Do you happen to
> have CRYPTKEY properties somewhere in your buffer?

Sure. My config is on
https://github.com/novoid/dot-emacs/blob/master/config.org and I've
set it with:

(setq org-crypt-key "ABC12345")  ;; I may have to mask this online as well ;-)

: grep -i CRYPTKEY *
... is empty when applied to my Org-mode files.

The only thing to fix my situation was to re-import a non-expired
version of my default OpenPGP sec key.

-- 
get mail|git|SVN|photos|postings|SMS|phonecalls|RSS|CSV|XML into Org-mode:
       > get Memacs from https://github.com/novoid/Memacs <
Personal Information Management > http://Karl-Voit.at/tags/pim/
Emacs-related > http://Karl-Voit.at/tags/emacs/



^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: org-crypt fails if default key is expired while non-default key is to be used
  2023-01-23 14:58   ` Karl Voit
@ 2023-01-24  9:14     ` Ihor Radchenko
  2023-01-29 17:37       ` Karl Voit
  0 siblings, 1 reply; 8+ messages in thread
From: Ihor Radchenko @ 2023-01-24  9:14 UTC (permalink / raw)
  To: Karl Voit; +Cc: emacs-orgmode

Karl Voit <devnull@Karl-Voit.at> writes:

>> May I know how exactly did you set `org-crypt-key'? Do you happen to
>> have CRYPTKEY properties somewhere in your buffer?
>
> Sure. My config is on
> https://github.com/novoid/dot-emacs/blob/master/config.org and I've
> set it with:
>
> (setq org-crypt-key "ABC12345")  ;; I may have to mask this online as well ;-)

What is the return value of

(epg-list-keys (epg-make-context nil t t) org-crypt-key)

?

Does it show the right key?

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: org-crypt fails if default key is expired while non-default key is to be used
  2023-01-24  9:14     ` Ihor Radchenko
@ 2023-01-29 17:37       ` Karl Voit
  2023-01-30 13:53         ` Ihor Radchenko
  0 siblings, 1 reply; 8+ messages in thread
From: Karl Voit @ 2023-01-29 17:37 UTC (permalink / raw)
  To: emacs-orgmode

Hi Ihor,

* Ihor Radchenko <yantar92@posteo.net> wrote:
> Karl Voit <devnull@Karl-Voit.at> writes:
>
>>> May I know how exactly did you set `org-crypt-key'? Do you happen to
>>> have CRYPTKEY properties somewhere in your buffer?
>>
>> Sure. My config is on
>> https://github.com/novoid/dot-emacs/blob/master/config.org and I've
>> set it with:
>>
>> (setq org-crypt-key "ABC12345")  ;; I may have to mask this online as well ;-)
>
> What is the return value of
>
> (epg-list-keys (epg-make-context nil t t) org-crypt-key)
>
> ?
>
> Does it show the right key?

It shows:

(#s(epg-key ultimate
            (#s(epg-sub-key ultimate ... nil 1 4096 "ABC12345" 1515327255 nil "AAAAAAAA...ABC12345")
               #s(epg-sub-key ultimate ... nil 1 4096 "FFFFFFF" 1515327255 nil "FFFF.FFFFFFFF"))
            (#s(epg-user-id ultimate "Karl Voit (Internal key for orgmode) <ABC12345@Karl-Voit.at>" nil))))

... with ABC12345 being the correct key for org-crypt and FFFFFFF being my
default OpenPGP key.

-- 
get mail|git|SVN|photos|postings|SMS|phonecalls|RSS|CSV|XML into Org-mode:
       > get Memacs from https://github.com/novoid/Memacs <
Personal Information Management > http://Karl-Voit.at/tags/pim/
Emacs-related > http://Karl-Voit.at/tags/emacs/



^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: org-crypt fails if default key is expired while non-default key is to be used
  2023-01-29 17:37       ` Karl Voit
@ 2023-01-30 13:53         ` Ihor Radchenko
  2023-01-30 22:00           ` Karl Voit
  0 siblings, 1 reply; 8+ messages in thread
From: Ihor Radchenko @ 2023-01-30 13:53 UTC (permalink / raw)
  To: Karl Voit; +Cc: emacs-orgmode

Karl Voit <devnull@Karl-Voit.at> writes:

>> What is the return value of
>>
>> (epg-list-keys (epg-make-context nil t t) org-crypt-key)
>>
>> ?
>>
>> Does it show the right key?
>
> It shows:
>
> (#s(epg-key ultimate
>             (#s(epg-sub-key ultimate ... nil 1 4096 "ABC12345" 1515327255 nil "AAAAAAAA...ABC12345")
>                #s(epg-sub-key ultimate ... nil 1 4096 "FFFFFFF" 1515327255 nil "FFFF.FFFFFFFF"))
>             (#s(epg-user-id ultimate "Karl Voit (Internal key for orgmode) <ABC12345@Karl-Voit.at>" nil))))
>
> ... with ABC12345 being the correct key for org-crypt and FFFFFFF being my
> default OpenPGP key.

Ok. What about

(let ((context (epg-make-context nil t t)))
  (epg-decrypt-string context (epg-encrypt-string context "test" (epg-list-keys context org-crypt-key))))

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: org-crypt fails if default key is expired while non-default key is to be used
  2023-01-30 13:53         ` Ihor Radchenko
@ 2023-01-30 22:00           ` Karl Voit
  2023-01-31 10:32             ` Ihor Radchenko
  0 siblings, 1 reply; 8+ messages in thread
From: Karl Voit @ 2023-01-30 22:00 UTC (permalink / raw)
  To: emacs-orgmode

Hi Ihor,

* Ihor Radchenko <yantar92@posteo.net> wrote:
> Karl Voit <devnull@Karl-Voit.at> writes:
>
>>> What is the return value of
>>>
>>> (epg-list-keys (epg-make-context nil t t) org-crypt-key)
>>>
>>> ?
>>>
>>> Does it show the right key?
>>
>> It shows:
>>
>> (#s(epg-key ultimate
>>             (#s(epg-sub-key ultimate ... nil 1 4096 "ABC12345" 1515327255 nil "AAAAAAAA...ABC12345")
>>                #s(epg-sub-key ultimate ... nil 1 4096 "FFFFFFF" 1515327255 nil "FFFF.FFFFFFFF"))
>>             (#s(epg-user-id ultimate "Karl Voit (Internal key for orgmode) <ABC12345@Karl-Voit.at>" nil))))
>>
>> ... with ABC12345 being the correct key for org-crypt and FFFFFFF being my
>> default OpenPGP key.
>
> Ok. What about
>
> (let ((context (epg-make-context nil t t)))
>   (epg-decrypt-string context (epg-encrypt-string context "test" (epg-list-keys context org-crypt-key))))
>

It asks me for the passphrase of the orgmode key (the correct one)
and prints out "test".

-- 
get mail|git|SVN|photos|postings|SMS|phonecalls|RSS|CSV|XML into Org-mode:
       > get Memacs from https://github.com/novoid/Memacs <
Personal Information Management > http://Karl-Voit.at/tags/pim/
Emacs-related > http://Karl-Voit.at/tags/emacs/



^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: org-crypt fails if default key is expired while non-default key is to be used
  2023-01-30 22:00           ` Karl Voit
@ 2023-01-31 10:32             ` Ihor Radchenko
  0 siblings, 0 replies; 8+ messages in thread
From: Ihor Radchenko @ 2023-01-31 10:32 UTC (permalink / raw)
  To: Karl Voit; +Cc: emacs-orgmode

Karl Voit <devnull@Karl-Voit.at> writes:

>> Ok. What about
>>
>> (let ((context (epg-make-context nil t t)))
>>   (epg-decrypt-string context (epg-encrypt-string context "test" (epg-list-keys context org-crypt-key))))
>>
>
> It asks me for the passphrase of the orgmode key (the correct one)
> and prints out "test".

We just followed what org-crypt does... And you see no error.
I have no more ideas how to investigate the original failure without a
reproducer.

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>


^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2023-01-31 10:33 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-01-22 17:41 org-crypt fails if default key is expired while non-default key is to be used Karl Voit
2023-01-23 10:16 ` Ihor Radchenko
2023-01-23 14:58   ` Karl Voit
2023-01-24  9:14     ` Ihor Radchenko
2023-01-29 17:37       ` Karl Voit
2023-01-30 13:53         ` Ihor Radchenko
2023-01-30 22:00           ` Karl Voit
2023-01-31 10:32             ` Ihor Radchenko

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs/org-mode.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).