* org-crypt broken on Ubuntu 18.04
@ 2018-06-13 17:24 Óscar Fuentes
2018-06-13 19:22 ` Nicolas Goaziou
` (2 more replies)
0 siblings, 3 replies; 10+ messages in thread
From: Óscar Fuentes @ 2018-06-13 17:24 UTC (permalink / raw)
To: emacs-orgmode
Hello.
Today I noticed that org-crypt is broken on my daily driver.
On a header with the :crypt: tag I invoke org-decrypt-entry, a popup
dialog asks for the password, I type the password and then the
minibuffer shows
GPG error: "Decryption failed", ""
The complete error message on *Messages* is
epg--check-error-for-decrypt: GPG error: "Decryption failed", ""
This is a very recent problem. In dpkg.log I see:
2018-06-12 00:33:00 upgrade gnupg-utils:amd64 2.2.4-1ubuntu1 2.2.4-1ubuntu1.1
2018-06-12 00:33:05 upgrade gnupg:amd64 2.2.4-1ubuntu1 2.2.4-1ubuntu1.1
I tried the latest org-mode (9.1.13) and Emacs from master branch but
the problem persists.
$ gpg --version
gpg (GnuPG) 2.2.4
libgcrypt 1.8.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /home/oscar/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: org-crypt broken on Ubuntu 18.04
2018-06-13 17:24 org-crypt broken on Ubuntu 18.04 Óscar Fuentes
@ 2018-06-13 19:22 ` Nicolas Goaziou
2018-06-13 20:11 ` Óscar Fuentes
2018-06-20 2:05 ` Óscar Fuentes
2018-07-26 11:57 ` Óscar Fuentes
2 siblings, 1 reply; 10+ messages in thread
From: Nicolas Goaziou @ 2018-06-13 19:22 UTC (permalink / raw)
To: Óscar Fuentes; +Cc: emacs-orgmode
Hello,
Óscar Fuentes <ofv@wanadoo.es> writes:
> Today I noticed that org-crypt is broken on my daily driver.
>
> On a header with the :crypt: tag I invoke org-decrypt-entry, a popup
> dialog asks for the password, I type the password and then the
> minibuffer shows
>
> GPG error: "Decryption failed", ""
>
> The complete error message on *Messages* is
>
> epg--check-error-for-decrypt: GPG error: "Decryption failed", ""
Could you provide an ECM?
Thank you.
Regards,
--
Nicolas Goaziou
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: org-crypt broken on Ubuntu 18.04
2018-06-13 19:22 ` Nicolas Goaziou
@ 2018-06-13 20:11 ` Óscar Fuentes
2018-06-13 20:20 ` Thibault Polge
0 siblings, 1 reply; 10+ messages in thread
From: Óscar Fuentes @ 2018-06-13 20:11 UTC (permalink / raw)
To: emacs-orgmode
Nicolas Goaziou <mail@nicolasgoaziou.fr> writes:
> Hello,
>
> Óscar Fuentes <ofv@wanadoo.es> writes:
>
>> Today I noticed that org-crypt is broken on my daily driver.
>>
>> On a header with the :crypt: tag I invoke org-decrypt-entry, a popup
>> dialog asks for the password, I type the password and then the
>> minibuffer shows
>>
>> GPG error: "Decryption failed", ""
>>
>> The complete error message on *Messages* is
>>
>> epg--check-error-for-decrypt: GPG error: "Decryption failed", ""
>
> Could you provide an ECM?
What's an ECM?
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: org-crypt broken on Ubuntu 18.04
2018-06-13 20:11 ` Óscar Fuentes
@ 2018-06-13 20:20 ` Thibault Polge
2018-06-13 23:12 ` Óscar Fuentes
0 siblings, 1 reply; 10+ messages in thread
From: Thibault Polge @ 2018-06-13 20:20 UTC (permalink / raw)
To: Óscar Fuentes; +Cc: emacs-orgmode
> What's an ECM?
French for Exemple complet minimal = Minimal Working Example (MWE)[1]
[1]: https://en.wikipedia.org/wiki/Minimal_Working_Example
--
Thibault
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: org-crypt broken on Ubuntu 18.04
2018-06-13 20:20 ` Thibault Polge
@ 2018-06-13 23:12 ` Óscar Fuentes
2018-06-14 5:31 ` Jens Lechtenboerger
2018-06-14 11:57 ` hymie!
0 siblings, 2 replies; 10+ messages in thread
From: Óscar Fuentes @ 2018-06-13 23:12 UTC (permalink / raw)
To: emacs-orgmode
Thibault Polge <thibault@thb.lt> writes:
>> What's an ECM?
>
> French for Exemple complet minimal = Minimal Working Example (MWE)[1]
>
> [1]: https://en.wikipedia.org/wiki/Minimal_Working_Example
Thanks.
While trying to create a demo file I noticed that decryption works fine
as long as the content was relatively new, while it fails for content
that was encrypted years ago.
I tried setting epg-gpg-program to "gpg" (it is "gpg2" by default) for
encrypting some tests but then decryption worked fine on those tests.
I need to look at how org-decrypt-entry works and determine if the problem
is with that function or with epg.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: org-crypt broken on Ubuntu 18.04
2018-06-13 23:12 ` Óscar Fuentes
@ 2018-06-14 5:31 ` Jens Lechtenboerger
2018-06-14 11:57 ` hymie!
1 sibling, 0 replies; 10+ messages in thread
From: Jens Lechtenboerger @ 2018-06-14 5:31 UTC (permalink / raw)
To: Óscar Fuentes; +Cc: emacs-orgmode
On 2018-06-14, Óscar Fuentes wrote:
> While trying to create a demo file I noticed that decryption works fine
> as long as the content was relatively new, while it fails for content
> that was encrypted years ago.
>
> I tried setting epg-gpg-program to "gpg" (it is "gpg2" by default) for
> encrypting some tests but then decryption worked fine on those tests.
Probably you encrypted without integrity protection, which was
always a bad idea but in view of EFAIL attacks has recently gained
lots of attention as a Bad Thing. Nowadays GnuPG returns a failure;
you can override that if you know what you are doing.
See there: https://dev.gnupg.org/T3714
Best wishes
Jens
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: org-crypt broken on Ubuntu 18.04
2018-06-13 23:12 ` Óscar Fuentes
2018-06-14 5:31 ` Jens Lechtenboerger
@ 2018-06-14 11:57 ` hymie!
1 sibling, 0 replies; 10+ messages in thread
From: hymie! @ 2018-06-14 11:57 UTC (permalink / raw)
To: emacs-orgmode
In our last episode, the evil Dr. Lacto had captured our hero,
Óscar Fuentes <ofv@wanadoo.es>, who said:
> While trying to create a demo file I noticed that decryption works fine
> as long as the content was relatively new, while it fails for content
> that was encrypted years ago.
"Years ago" ? Sounds like maybe you lost the key?
Can you take the encrypted text, put it into its own file, and
use gpg to decrypt that? If not, it should give you a more robust
verbose message.
--hymie! http://lactose.homelinux.net/~hymie hymie@lactose.homelinux.net
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: org-crypt broken on Ubuntu 18.04
2018-06-13 17:24 org-crypt broken on Ubuntu 18.04 Óscar Fuentes
2018-06-13 19:22 ` Nicolas Goaziou
@ 2018-06-20 2:05 ` Óscar Fuentes
2018-07-26 11:57 ` Óscar Fuentes
2 siblings, 0 replies; 10+ messages in thread
From: Óscar Fuentes @ 2018-06-20 2:05 UTC (permalink / raw)
To: emacs-orgmode
Óscar Fuentes <ofv@wanadoo.es> writes:
> Hello.
>
> Today I noticed that org-crypt is broken on my daily driver.
>
> On a header with the :crypt: tag I invoke org-decrypt-entry, a popup
> dialog asks for the password, I type the password and then the
> minibuffer shows
>
> GPG error: "Decryption failed", ""
>
> The complete error message on *Messages* is
>
> epg--check-error-for-decrypt: GPG error: "Decryption failed", ""
>
> This is a very recent problem. In dpkg.log I see:
>
> 2018-06-12 00:33:00 upgrade gnupg-utils:amd64 2.2.4-1ubuntu1 2.2.4-1ubuntu1.1
>
> 2018-06-12 00:33:05 upgrade gnupg:amd64 2.2.4-1ubuntu1 2.2.4-1ubuntu1.1
>
> I tried the latest org-mode (9.1.13) and Emacs from master branch but
> the problem persists.
Today I upgraded a Debian Testing machine which included gpg 2.2.8 and,
sure enough, now that machine also presents the same problem.
I'll try to debug the issue as soon as I have some spare time.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: org-crypt broken on Ubuntu 18.04
2018-06-13 17:24 org-crypt broken on Ubuntu 18.04 Óscar Fuentes
2018-06-13 19:22 ` Nicolas Goaziou
2018-06-20 2:05 ` Óscar Fuentes
@ 2018-07-26 11:57 ` Óscar Fuentes
2018-07-26 22:12 ` do not ignore mdc errors on a permanent basis (was: org-crypt broken on Ubuntu 18.04) Gregor Zattler
2 siblings, 1 reply; 10+ messages in thread
From: Óscar Fuentes @ 2018-07-26 11:57 UTC (permalink / raw)
To: emacs-orgmode
For the record: executing gpg2 from the command line is revealing:
gpg: WARNING: message was not integrity protected
gpg: Hint: If this message was created before the year 2003 it is
likely that this message is legitimate. This is because back
then integrity protection was not widely used.
gpg: Use the option '--ignore-mdc-error' to decrypt anyway.
gpg: decryption forced to fail!
The solution is to add `ignore-mdc-error' to ~/.gnupg/gpg.conf.
Óscar Fuentes <ofv@wanadoo.es> writes:
> Hello.
>
> Today I noticed that org-crypt is broken on my daily driver.
>
> On a header with the :crypt: tag I invoke org-decrypt-entry, a popup
> dialog asks for the password, I type the password and then the
> minibuffer shows
>
> GPG error: "Decryption failed", ""
>
> The complete error message on *Messages* is
>
> epg--check-error-for-decrypt: GPG error: "Decryption failed", ""
>
> This is a very recent problem. In dpkg.log I see:
>
> 2018-06-12 00:33:00 upgrade gnupg-utils:amd64 2.2.4-1ubuntu1 2.2.4-1ubuntu1.1
>
> 2018-06-12 00:33:05 upgrade gnupg:amd64 2.2.4-1ubuntu1 2.2.4-1ubuntu1.1
>
> I tried the latest org-mode (9.1.13) and Emacs from master branch but
> the problem persists.
>
> $ gpg --version
> gpg (GnuPG) 2.2.4
> libgcrypt 1.8.1
> Copyright (C) 2017 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Home: /home/oscar/.gnupg
> Supported algorithms:
> Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
> Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
> CAMELLIA128, CAMELLIA192, CAMELLIA256
> Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
> Compression: Uncompressed, ZIP, ZLIB, BZIP2
^ permalink raw reply [flat|nested] 10+ messages in thread
* do not ignore mdc errors on a permanent basis (was: org-crypt broken on Ubuntu 18.04)
2018-07-26 11:57 ` Óscar Fuentes
@ 2018-07-26 22:12 ` Gregor Zattler
0 siblings, 0 replies; 10+ messages in thread
From: Gregor Zattler @ 2018-07-26 22:12 UTC (permalink / raw)
To: emacs-orgmode
Hi Óscar,
* Óscar Fuentes <ofv@wanadoo.es> [2018-07-26; 13:57]:
> For the record: executing gpg2 from the command line is revealing:
>
> gpg: WARNING: message was not integrity protected
> gpg: Hint: If this message was created before the year 2003 it is
> likely that this message is legitimate. This is because back
> then integrity protection was not widely used.
> gpg: Use the option '--ignore-mdc-error' to decrypt anyway.
> gpg: decryption forced to fail!
>
> The solution is to add `ignore-mdc-error' to ~/.gnupg/gpg.conf.
I hope you'll do this only as a temporary measure. You could
decrypt and re-encrypt the org-crypt parts in question iff you
are sure they were encrypted years ago and their contents are ok.
But having this option in ~/.gnupg/gpg.conf otherwise weakens
the security of GnuPG usage considerably.
From the gpg man page:
--ignore-mdc-error
This option changes a MDC integrity protection failure
into a warning. This can be useful if a message is
partially corrupt, but it is necessary to get as much
data as possible out of the corrupt message. However,
be aware that a MDC protection failure may also mean
that the message was tampered with intentionally by an
attacker.
The usage scenario described in the first sentence is clearly a
one-time thing. Putting this option in gpg.conf ignores this
kind of error for all future usage; for risks and side effects
see the second sentence.
Ciao; Gregor
^ permalink raw reply [flat|nested] 10+ messages in thread
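Added example, not part of any message in this thread: to act on the advice to re-encrypt old entries instead of keeping ignore-mdc-error in gpg.conf, this Python script scans Org text for armored messages and reports which use the legacy encrypted-data packet (tag 9, no MDC) and which use the integrity-protected packet (tag 18). The sample Org text and packet bytes are constructed, and the function names are this example's own.

```python
import base64
import re

ARMOR = re.compile(r"-----BEGIN PGP MESSAGE-----\n(.*?)-----END PGP MESSAGE-----", re.S)

def dearmor(block):
    """Decode one armored body, dropping armor headers and the '=' CRC line."""
    lines = [l.strip() for l in block.splitlines()]
    if "" in lines:                        # a blank line ends the armor headers
        lines = lines[lines.index("") + 1:]
    return base64.b64decode("".join(l for l in lines if not l.startswith("=")))

def encrypted_packet_tag(data):
    """Walk packet headers (RFC 4880, section 4.2); return 9, 18 or None."""
    i = 0
    while i + 2 < len(data) and data[i] & 0x80:
        first, length = data[i], None      # None: partial or indeterminate length
        if first & 0x40:                   # new-format header
            tag, n = first & 0x3F, data[i + 1]
            if n < 192:
                length, i = n, i + 2
            elif n < 224:
                length, i = ((n - 192) << 8) + data[i + 2] + 192, i + 3
            elif n == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
        else:                              # old-format header
            tag, size = (first >> 2) & 0x0F, 1 << (first & 3)
            if size < 8:                   # 1, 2 or 4 length octets follow
                length = int.from_bytes(data[i + 1:i + 1 + size], "big")
                i += 1 + size
        if tag in (9, 18) or length is None:   # 9: no MDC, 18: MDC-protected
            return tag if tag in (9, 18) else None
        i += length                        # skip key packets (tags 1 and 3)
    return None

def audit(org_text):
    """Return (line_number, verdict) for every armored message in the text."""
    verdicts = {9: "NO MDC: re-encrypt", 18: "MDC protected", None: "unrecognised"}
    return [(org_text.count("\n", 0, m.start()) + 1,
             verdicts[encrypted_packet_tag(dearmor(m.group(1)))])
            for m in ARMOR.finditer(org_text)]

def armor(packets):                        # wraps constructed bytes as sample input
    body = base64.b64encode(packets).decode()
    return f"-----BEGIN PGP MESSAGE-----\n\n{body}\n-----END PGP MESSAGE-----\n"

SKESK = bytes([0x8C, 4, 4, 9, 0, 2])       # constructed tag-3 packet, 4-byte body
SAMPLE_ORG = ("* old secret :crypt:\n" + armor(SKESK + bytes([0xA4, 8]) + bytes(8))
              + "* new secret :crypt:\n" + armor(SKESK + bytes([0xD2, 9, 1]) + bytes(8)))
```

Entries reported as "NO MDC" are the ones to decrypt once with --ignore-mdc-error given on the command line and then re-encrypt, so the option never has to live in gpg.conf.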